+| Use Secure Cookie | **Yes** | **Yes** allows Application Proxy to include the Secure flag in HTTP response headers. Secure Cookies enhances security by transmitting cookies over a TLS secured channel such as HTTPS. This prevents cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. | Use **Yes** because of the additional security benefits.|

+1. Add the **Client App** column if it isn't shown by clicking on **Columns** > **Client App**.

+1. Select **Add filters** > **Client App** > choose all of the legacy authentication protocols and select **Apply**.

+> [!CAUTION]

+> If your organization uses BitLocker drive encryption, you should ensure that BitLocker recovery keys are either backed up or no longer needed before deleting devices. Failure to do this may cause loss of data.

+If your device is under control of Intune or any other MDM solution, retire the device in the management system before disabling or deleting it. For more information, see the article [Remove devices by using wipe, retire, or manually unenrolling the device](/mem/intune/remote-actions/devices-wipe).

+[!NOTE] Microsoft is aware that customers with certain tenant configurations may be unable to successfully delete their Azure AD organization. We are working to address this problem. In the meantime, if needed, you can contact Microsoft support for details about the issue.

+B2B guest users are not supported in Microsoft Teams shared channels. For access to shared channels see [B2B direct connect.](b2b-direct-connect-overview.md)

+* [B2B collaboration user claims mapping](claims-mapping.md)

+ Title: Automate identity provisioning to applications introduction

+description: Learn to design solutions to automatically provision identities in hybrid environments to provide application access.

+ - it-pro

+ - seodec18

+ - kr2b-contr-experiment

+# Introduction

+The article helps architects, Microsoft partners, and IT professionals with information addressing identity [provisioning](https://www.gartner.com/en/information-technology/glossary/user-provisioning) needs in their organizations, or the organizations they're working with. The content focuses on automating user provisioning for access to applications across all systems in your organization.

+Employees in an organization rely on many applications to perform their work. These applications often require IT admins or application owners to provision accounts before an employee can start accessing them. Organizations also need to manage the lifecycle of these accounts and keep them up to date with the latest information and remove accounts when users don't require them anymore.

+The Azure AD provisioning service automates your identity lifecycle and keeps identities in sync across trusted source systems (like HR systems) and applications that users need access to. It enables you to bring users into Azure AD and provision them into the various applications that they require. The provisioning capabilities are foundational building blocks that enable rich governance and lifecycle workflows. For [hybrid](../hybrid/whatis-hybrid-identity.md) scenarios, the Azure AD agent model connects to on-premises or IaaS systems, and includes components such as the Azure AD provisioning agent, Microsoft Identity Manager (MIM), and Azure AD Connect.

+Thousands of organizations are running Azure AD cloud-hosted services, with its hybrid components delivered on-premises, for provisioning scenarios. Microsoft invests in cloud-hosted and on-premises functionality, including MIM and Azure AD Connect sync, to help organizations provision users in their connected systems and applications. This article focuses on how organizations can use Azure AD to address their provisioning needs and make clear which technology is most right for each scenario.

+

+ Use the following table to find content specific to your scenario. For example, if you want employee and contractor identities management from an HR system to Active Directory Domain Services (AD DS) or Azure Active Directory (Azure AD), follow the link to *Connect identities with your system of record*.

+| What | From | To | Read |

+| - | - | - | - |

+| Employees and contractors| HR systems| AD and Azure AD| [Connect identities with your system of record](automate-provisioning-to-applications-solutions.md) |

+| Existing AD users and groups| AD| Azure AD| [Synchronize identities between Azure AD and Active Directory](automate-provisioning-to-applications-solutions.md) |

+| Users, groups| Azure AD| SaaS and on-prem apps| [Automate provisioning to non-Microsoft applications](../governance/entitlement-management-organization.md) |

+| Access rights| Azure AD Identity Governance| SaaS and on-prem apps| [Entitlement management](../governance/entitlement-management-overview.md) |

+| Existing users and groups| AD, SaaS and on-prem apps| Identity governance (so I can review them)| [Azure AD Access reviews](../governance/access-reviews-overview.md) |

+| Non-employee users (with approval)| Other cloud directories| SaaS and on-prem apps| [Connected organizations](../governance/entitlement-management-organization.md) |

+| Users, groups| Azure AD| Managed AD domain| [Azure AD Domain Services](https://azure.microsoft.com/services/active-directory-ds/) |

+## Example topologies

+Organizations vary greatly in the applications and infrastructure that they rely on to run their business. Some organizations have all their infrastructure in the cloud, relying solely on SaaS applications, while others have invested deeply in on-premises infrastructure over several years. The three topologies below depict how Microsoft can meet the needs of a cloud only customer, hybrid customer with basic provisioning requirements, and a hybrid customer with advanced provisioning requirements.

+### Cloud only

+In this example, the organization has a cloud HR system such as Workday or SuccessFactors, uses Microsoft 365 for collaboration, and SaaS apps such as ServiceNow and Zoom.

+

+1. The Azure AD provisioning service imports users from the cloud HR system and creates an account in Azure AD, based on business rules that the organization defines.

+1. The user complete sets up the suitable authentication methods, such as the authenticator app, Fast Identity Online 2 (FIDO2)/Windows Hello for Business (WHfB) keys via [Temporary Access Pass](../authentication/howto-authentication-temporary-access-pass.md) and then signs into Teams. This Temporary Access Pass was automatically generated for the user through Azure AD Life Cycle Workflows.

+1. The Azure AD provisioning service creates accounts in the various applications that the user needs, such as ServiceNow and Zoom. The user is able to request the necessary devices they need and start chatting with their teams.

+### Hybrid-basic

+In this example, the organization has a mix of cloud and on-premises infrastructure. In addition to the systems mentioned above, the organization relies on SaaS applications and on-premises applications that are both AD integrated and non-AD integrated.

+

+1. The Azure AD provisioning service imports the user from Workday and creates an account in AD DS, enabling the user to access AD-integrated applications.

+2. Azure AD Connect Cloud Sync provisions the user into Azure AD, which enables the user to access SharePoint Online and their OneDrive files.

+3. The Azure AD provisioning service detects a new account was created in Azure AD. It then creates accounts in the SaaS and on-premises applications the user needs access to.

+### Hybrid-advanced

+In this example, the organization has users spread across multiple on-premises HR systems and cloud HR. They have large groups and device synchronization requirements.

+

+1. MIM imports user information from each HR stem. MIM determines which users are needed for those employees in different directories. MIM provisions those identities in AD DS.

+2. Azure AD Connect Sync then synchronizes those users and groups to Azure AD and provides users access to their resources.

+## Next steps

+* [Solutions to automate user provisioning to applications](automate-provisioning-to-applications-solutions.md)

+ Title: Solutions to automate identity provisioning to applications

+description: Learn to design solutions to automatically provision identities based on various scenarios.

+ - it-pro

+ - seodec18

+ - kr2b-contr-experiment

+# Solutions

+This article presents solutions that enable you to:

+* Connect identities with your system of record

+* Synchronize identities between Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD)

+* Automate provisioning of users into non-Microsoft applications

+## Connect identities with your system of record

+In most designs, the human resources (HR) system is the source-of-authority for newly created digital identities. The HR system is often the starting point for many provisioning processes. For example, if a new user joins a company, they have a record in the HR system. That user likely needs an account to access Microsoft 365 services such as Teams and SharePoint, or non-Microsoft applications.

+### Synchronizing identities with cloud HR

+The Azure AD provisioning service enables organizations to [bring identities from popular HR systems](../app-provisioning/what-is-hr-driven-provisioning.md) (examples: [Workday](../saas-apps/workday-inbound-tutorial.md) and [SuccessFactors](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)), into Azure AD directly, or into AD DS. This provisioning capability enables new hires to access the resources they need from the first day of work.

+### On-premises HR + joining multiple data sources

+To create a full user profile for an employee identity, organizations often merge information from multiple HR systems, databases, and other user data stores. MIM provides a rich set of [connectors](https://learn.microsoft.com/microsoft-identity-manager/supported-management-agents) and integration solutions interoperating with heterogeneous platforms.

+MIM offers [rule extension](/previous-versions/windows/desktop/forefront-2010/ms698810(v=vs.100)?redirectedfrom=MSDN) and [workflow capabilities](https://microsoft.github.io/MIMWAL/) features for advanced scenarios requiring data transformation and consolidation from multiple sources. These connectors, rule extensions, and workflow capabilities enable organizations to aggregate user data in the MIM metaverse to form a single identity for each user. The identity can be [provisioned into downstream systems](/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms) such as AD DS.

+

+## Synchronize identities between Active Directory Domain Services (AD DS) and Azure AD

+As customers move applications to the cloud, and integrate with Azure AD, users often need accounts in Azure AD, and AD to access the applications for their work. Here are five common scenarios in which objects need to be synchronized between AD and Azure AD.

+The scenarios are divided by the direction of synchronization needed, and are listed, one through five. Use the table following the scenarios to determine what technical solution provides the synchronization.

+Use the numbered sections in the next two section to cross reference the following table.

+**Synchronize identities from AD into Azure AD**

+1. For users in AD that need access to Office 365 or other applications that are connected to Azure AD, Azure AD Connect cloud sync is the first solution to explore. It provides a lightweight solution to create users in Azure AD, manage password rests, and synchronize groups. Configuration and management are primarily done in the cloud, minimizing your on-premises footprint. It provides high-availability and automatic failover, ensuring password resets and synchronization continue, even if there's an issue with on-premises servers.

+1. For complex, large-scale AD to Azure AD sync needs such as synchronizing groups over 50,000 and device sync, customers can use Azure AD Connect sync to meet their needs.

+**Synchronize identities from Azure AD into AD**

+As customers transition identity management to the cloud, more users and groups are created directly in Azure AD. However, they still need a presence on-premises in AD DS to access various resources.

+3. When an external user from a partner organization is created in Azure AD using B2B, MIM can automatically provision them [into AD](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario) and give those guests access to on-premises Windows-Integrated Authentication or Kerberos-based applications.

+1. When a group is created in Azure AD, it can be automatically synchronized to AD DS using [Azure AD Connect sync](../hybrid/how-to-connect-group-writeback-v2.md).

+1. When users need access to cloud apps that still rely on legacy access protocols (for example, LDAP and Kerberos/NTLM), [Azure AD Domain Services](https://azure.microsoft.com/services/active-directory-ds/) synchronizes identities between Azure AD and a managed AD domain.

+|No.| What | From | To | Technology |

+| - | - | - | - | - |

+| 1 |Users, groups| AD DS| Azure AD| [Azure AD Connect Cloud Sync](https://learn.microsoft.com/azure/active-directory/cloud-sync/what-is-cloud-sync) |

+| 2 |Users, groups, devices| AD DS| Azure AD| [Azure AD Connect Sync](https://learn.microsoft.com/azure/active-directory/hybrid/whatis-azure-ad-connect) |

+| 3 |Groups| Azure AD| AD DS| [Azure AD Connect Sync](../hybrid/how-to-connect-group-writeback-v2.md) |

+| 4 |Guest accounts| Azure AD| AD DS| [MIM](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario) |

+| 5 |Users, groups| Azure AD| Managed AD| [Azure AD Domain Services](https://azure.microsoft.com/services/active-directory-ds/) |

+The table depicts common scenarios and the recommended technology.

+## Automate provisioning users into non-Microsoft applications

+After identities are in Azure AD through HR-provisioning or Azure AD Connect Could Sync / Azure AD Connect Sync, the employee can use the identity to access Teams, SharePoint, and Microsoft 365 applications. However, employees still need access to many Microsoft applications to perform their work.

+

+### Automate provisioning to apps and clouds that support the SCIM standard

+Azure AD supports the System for Cross-Domain Identity Management ([SCIM 2.0](https://aka.ms/scimoverview)) standard and integrates with hundreds of popular SaaS applications such as [Dropbox](../saas-apps/dropboxforbusiness-provisioning-tutorial.md) and [Atlassian](../saas-apps/atlassian-cloud-provisioning-tutorial.md) or other clouds such as [Amazon Web Services (AWS)](../saas-apps/aws-single-sign-on-provisioning-tutorial.md), [Google Cloud](../saas-apps/g-suite-provisioning-tutorial.md). Application developers can use the System for Cross-Domain Identity Management (SCIM) user management API to automate provisioning users and groups between Azure AD and your application.

+

+In addition to the pre-integrated gallery applications, Azure AD supports provisioning to SCIM enabled line of business applications, whether hosted [on-premises](../app-provisioning/on-premises-scim-provisioning.md) or in the cloud. The Azure AD provisioning service creates users and groups in these applications, and manages updates such as when a user is promoted or leaves the company).

+[Learn more about provisioning to SCIM enabled applications](../app-provisioning/use-scim-to-provision-users-and-groups.md)

+### Automate provisioning to SQL and LDAP based applications

+ Many applications don't support the SCIM standard, and customers have historically used connectors developed for MIM to connect to them. The Azure AD provisioning service supports reusing connectors developed for MIM and provisioning users into applications that rely on an LDAP user store or a SQL database.

+[Learn more about on-premises application provisioning](../app-provisioning/user-provisioning.md)

+### Use integrations developed by partners

+Many applications may not yet support SCIM or rely on SQL / LDAP databases. Microsoft partners have developed SCIM gateways that allow you to synchronize users between Azure AD and various systems such as mainframes, HR systems, and legacy databases. In the image below, the SCIM Gateways are built and managed by partners.

+

+[Learn more about partner driven integrations](../app-provisioning/partner-driven-integrations.md)

+### Manage local app passwords

+Many applications have a local authentication store and a UI that only checks the userΓÇÖs supplied credentials against that store. As a result, these applications can't support Multi Factor Authentication (MFA) through Azure AD and pose a security risk. Microsoft recommends enabling single sign-on and MFA for all your applications. Based on our studies, your account is more than 99.9% less likely to be compromised if you [use MFA](https://aka.ms/securitysteps). However, in cases where the application canΓÇÖt externalize authentication, customers can use MIM to sync password changes to these applications.

+

+[Learn more about the MIM password change notification service](/microsoft-identity-manager/infrastructure/mim2016-password-management)

+### Define and provision access for a user based on organizational data

+MIM enables you to import organizational data such as job codes and locations. That information can then be used to automatically set up access rights for that user.

+

+### Automate common business workflows

+After users are provisioned into Azure AD, use Lifecycle Workflows (LCW) to automate appropriate actions at key moments in a userΓÇÖs lifecycle such as joiner, mover, and leaver. These custom workflows can be triggered by Azure AD LCW automatically, or on demand to enable or disable accounts, generate Temporary Access Passes, update Teams and/or group membership, send automated emails, and trigger a Logic App. This can help organizations ensure:

+* **Joiner**: When a user joins the organization, they're ready to go on day one. They have the correct access to the information and applications they need. They have the required hardware necessary to do their job.

+* **Leaver**: When users leave the company for various reasons (termination, separation, leave of absence or retirement), have their access revoked in a timely manner.

+[Learn more about Azure AD Lifecycle Workflows](https://learn.microsoft.com/azure/active-directory/governance/what-are-lifecycle-workflows)

+> [!Note]

+> For scenarios not covered by LCW, customers can leverage the extensibility of [Logic Applications](../..//logic-apps/logic-apps-overview.md).

+### Reconcile changes made directly in the target system

+Organizations often need a complete audit trail of what users have access to applications containing data subject to regulation. To provide an audit trail, any access provided to a user directly must be traceable through the system of record. MIM provides the [reconciliation capabilities](/microsoft-identity-manager/mim-how-provision-users-adds) to detect changes made directly in a target system and roll back the changes. In addition to detecting changes in target applications, MIM can import identities from third party applications to Azure AD. These applications often augment the set of user records that originated in the HR system.

+### Next steps

+1. Automate provisioning with any of your applications that are in the [Azure AD app gallery](../saas-apps/tutorial-list.md), support [SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md), [SQL](../app-provisioning/on-premises-sql-connector-configure.md), or [LDAP](../app-provisioning/on-premises-ldap-connector-configure.md).

+2. Evaluate [Azure AD Cloud Sync](../cloud-sync/what-is-cloud-sync.md) for synchronization between AD DS and Azure AD

+3. Use the [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for complex provisioning scenarios

+## How do custom security attributes compare with directory extensions?

+Here are some ways that custom security attributes compare with [directory extensions](../develop/active-directory-schema-extensions.md):

+- Directory extensions cannot be used for authorization scenarios and attributes because the access control for the extension attributes is tied to the Azure AD object. Custom security attributes can be used for authorization and attributes needing access control because the custom security attributes can be managed and protected through separate permissions.

+- Directory extensions are tied to an application and share the lifecycle of an application. Custom security attributes are tenant wide and not tied to an application.

+- Directory extensions support assigning a single value to an attribute. Custom security attributes support assigning multiple values to an attribute.

+## Microsoft Graph APIs

+

+You can manage custom security attributes programmatically using Microsoft Graph APIs. For more information, see [Overview of custom security attributes using the Microsoft Graph API](/graph/api/resources/custom-security-attributes-overview).

+You can use an API client such as [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) or Postman to more easily try the Microsoft Graph APIs for custom security attributes.

+Microsoft has modeled five states of transformation that commonly align with the business goals of customers. As the goals of customers mature, it's typical for them to shift from one state to the next at a pace that suits their resources and culture.

+| 410 | IMDS is going through updates | IMDS will be available within 70 seconds |

+It's recommended to retry if you receive a 404, 429, or 5xx error code (see [Error handling](#error-handling) above). If you receive a 410 error, it indicates that IMDS is going through updates and will be available in a maximum of 70 seconds.

+> [Permissions Management Administrator](#permissions-management-administrator) | Can manage all aspects of Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5 |

+## Permissions Management Administrator

+Assign the Permissions Management Administrator role to users who need to do the following tasks:

+- Manage all aspects of Entry Permissions Management, when the service is present

+Learn more about Permissions Management roles and polices at [View information about roles/policies](../cloud-infrastructure-entitlement-management/how-to-view-role-policy.md).

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management |

+ Title: 'Tutorial: Azure AD SSO integration with Broker groupe Achat Solutions'

+description: Learn how to configure single sign-on between Azure Active Directory and Broker groupe Achat Solutions.

+# Tutorial: Azure AD SSO integration with Broker groupe Achat Solutions

+In this tutorial, you'll learn how to integrate Broker groupe Achat Solutions with Azure Active Directory (Azure AD). When you integrate Broker groupe Achat Solutions with Azure AD, you can:

+* Control in Azure AD who has access to Broker groupe Achat Solutions.

+* Enable your users to be automatically signed-in to Broker groupe Achat Solutions with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Broker groupe Achat Solutions single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Broker groupe Achat Solutions supports **SP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Broker groupe Achat Solutions from the gallery

+To configure the integration of Broker groupe Achat Solutions into Azure AD, you need to add Broker groupe Achat Solutions from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Broker groupe Achat Solutions** in the search box.

+1. Select **Broker groupe Achat Solutions** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about Office 365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true).

+## Configure and test Azure AD SSO for Broker groupe Achat Solutions

+Configure and test Azure AD SSO with Broker groupe Achat Solutions using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Broker groupe Achat Solutions.

+To configure and test Azure AD SSO with Broker groupe Achat Solutions, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Broker groupe Achat Solutions SSO](#configure-broker-groupe-achat-solutions-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Broker groupe Achat Solutions test user](#create-broker-groupe-achat-solutions-test-user)** - to have a counterpart of B.Simon in Broker groupe Achat Solutions that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Broker groupe Achat Solutions** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+

+ a. In the **Reply URL** text box, type the URL:

+ `https://id.awsolutions.fr/auth/realms/awsolutions`

+ b. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://app.marcoweb.fr/Marco?idp_hint=<INSTANCENAME>`

+

+ > [!NOTE]

+ > This value is not real. Update this value with the actual Sign-on URL. Contact [Broker groupe Achat Solutions Client support team](mailto:devops@achatsolutions.fr) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Broker groupe Achat Solutions.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Broker groupe Achat Solutions**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Broker groupe Achat Solutions SSO

+To configure single sign-on on **Broker groupe Achat Solutions** side, you need to send the **App Federation Metadata Url** to [Broker groupe Achat Solutions support team](mailto:devops@achatsolutions.fr). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Broker groupe Achat Solutions test user

+In this section, you create a user called Britta Simon at Broker groupe Achat Solutions. Work with [Broker groupe Achat Solutions support team](mailto:devops@achatsolutions.fr) to add the users in the Broker groupe Achat Solutions platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Broker groupe Achat Solutions Sign-on URL where you can initiate the login flow.

+* Go to Broker groupe Achat Solutions Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Broker groupe Achat Solutions tile in the My Apps, this will redirect to Broker groupe Achat Solutions Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Broker groupe Achat Solutions you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with Confluence SAML SSO by Microsoft'

+# Tutorial: Azure AD SSO integration with Confluence SAML SSO by Microsoft

+- An Azure AD subscription.

+- Confluence server application installed on a Windows 64-bit server (on-premises or on the cloud IaaS infrastructure).

+- Confluence server is HTTPS enabled.

+- Confluence server is reachable on internet particularly to Azure AD Login page for authentication and should able to receive the token from Azure AD.

+- Admin credentials are set up in Confluence.

+- WebSudo is disabled in Confluence.

+- Test user created in the Confluence server application.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-on URL. Port is optional in case itΓÇÖs a named URL. These values are received during the configuration of Confluence plugin, which is explained later in the tutorial.

+ 

+ `https://auth.factset.com/sp/ACS.saml2`

+1. On the navigation menu on the left, select **Settings**, then **Authentication security**.

+1. Click on the checkbox **Require SAML authentication**

+1. Enter the Sign-on URL. This URL is the Login URL that you copied from AAD above.

+ `https://auth.<Environment>.headspace.com/login/callback?connection=<CustomerConnectionName>`

+ c. In the **Sign on URL** textbox, type the URL:

+ `https://headspace.com/sso-login`

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Headspace Client support team](mailto:ecosystem-integration-squad@headspace.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+Once you configure Headspace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ 

+ Title: 'Tutorial: Azure AD SSO integration with JIRA SAML SSO by Microsoft'

+# Tutorial: Azure AD SSO integration with JIRA SAML SSO by Microsoft

+- JIRA Core and Software 6.4 to 8.22.1 or JIRA Service Desk 3.0 to 4.22.1 should installed and configured on Windows 64-bit version.

+- JIRA server is HTTPS enabled.

+- JIRA server is reachable on the Internet particularly to the Azure AD login page for authentication and should able to receive the token from Azure AD.

+- Admin credentials are set up in JIRA.

+- WebSudo is disabled in JIRA.

+- Test user created in the JIRA server application.

+* JIRA Core and Software: 6.4 to 8.22.1.

+* JIRA Service Desk 3.0 to 4.22.1.

+* JIRA also supports 5.2. For more details, click [Microsoft Azure Active Directory single sign-on for JIRA 5.2](jira52microsoft-tutorial.md).

+* JIRA SAML SSO by Microsoft supports **SP** initiated SSO.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ 

+ * For cloud SSO: `https://keepersecurity.com/api/rest/sso/ext_login/<CLOUD_INSTANCE_ID>`

+ d. For **Sign out URL**, type a URL using one of the following patterns:

+ * For cloud SSO: `https://keepersecurity.com/api/rest/sso/saml/slo/<CLOUD_INSTANCE_ID>`

+ * There is no configuration for on-premises SSO.

+1. On **Set up Single Sign-On with SAML**, in the **SAML Signing Certificate** section, select **Download**. This downloads **Federation Metadata XML** from the options per your requirement, and saves it on your computer.

+1. On **Set up Keeper Password Manager**, copy the appropriate URLs, per your requirement.

+ Title: 'Tutorial: Azure AD SSO integration with Trakstar Learn'

+description: Learn how to configure single sign-on between Azure Active Directory and Trakstar Learn (Mindflash).

+# Tutorial: Azure AD SSO integration with Trakstar Learn

+In this tutorial, you'll learn how to integrate Trakstar Learn (Mindflash) with Azure Active Directory (Azure AD). When you integrate Learn with Azure AD, you can:

+* Control in Azure AD who has access to Learn.

+* Enable your users to be automatically signed-in to Learn with their Azure AD accounts.

+* Trakstar Learn single sign-on (SSO) enabled subscription.

+* Learn supports **SP** initiated SSO.

+## Add Learn from the gallery

+To configure the integration of Learn into Azure AD, you need to add Learn from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **Trakstar Learn** in the search box. Trakstar Learn was formerly Mindlfash.

+1. Select **Trakstar Learn** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Learn

+Configure and test Azure AD SSO with Learn using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Learn.

+To configure and test Azure AD SSO with Learn, perform the following steps:

+1. **[Configure Trakstar Learn SSO](#configure-trakstar-learn-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Trakstar Learn test user](#create-trakstar-learn-test-user)** - to have a counterpart of B.Simon in Trakstar Learn that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **Trakstar Learn** application integration page, find the **Manage** section and select **single sign-on**.

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Trakstar Learn Client support team](mailto:learn@trakstar.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up Trakstar Learn** section, copy the appropriate URL(s) as per your requirement.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Learn.

+1. In the applications list, select **Trakstar Learn**.

+## Configure Trakstar Learn SSO

+To configure single sign-on on **Trakstar Learn** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Trakstar Learn support team](mailto:learn@trakstar.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Trakstar Learn test user

+In order to enable Azure AD users to log into Learn, they must be provisioned into Learn. In the case of Learn, provisioning is a manual task.

+### To provision a user account, perform the following steps:

+1. Log in to your **Trakstar Learn** company site as an administrator.

+>You can use any other Learn user account creation tools or APIs provided by Learn to provision Azure AD user accounts.

+* Click on **Test this application** in Azure portal. This will redirect to Learn Sign on URL where you can initiate the login flow.

+* Go to Learn Sign on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Trakstar Learn tile in the My Apps, this will redirect to Learn Sign on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+Once you configure Trakstar Learn you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Atlassian Jira/Confluence admin guide - Azure Active Directory'

+* Jira Core and Software: 6.0 to 8.22.1.

+* Jira Service Desk: 3.0.0 to 4.22.1.

+* JIRA also supports 5.2. For more details, click [Microsoft Azure Active Directory single sign-on for JIRA 5.2](./jira52microsoft-tutorial.md).

+* Confluence: 5.0 to 5.10.

+* Confluence: 6.0.1 to 6.15.9.

+* Confluence: 7.0.1 to 7.19.0.

+* Jira Core and Software: 6.0 to 8.22.1.

+* Jira Service Desk: 3.0.0 to 4.22.1.

+* JIRA also supports 5.2. For more details, click [Microsoft Azure Active Directory single sign-on for JIRA 5.2](./jira52microsoft-tutorial.md).

+* Confluence: 5.0 to 5.10.

+* Confluence: 6.0.1 to 6.15.9.

+* Confluence: 7.0.1 to 7.19.0.

+ `https://<SUBDOMAIN>.sciforma.net/sciforma`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://<SUBDOMAIN>.sciforma.net/sciforma/saml/post`

+ c. In the **Sign on URL** text box, type a URL using the following pattern:

+ > Please use **Identifier** and **Reply URL** values from [Choose a shortname for your Workspace in Sketch](#choose-a-shortname-for-your-workspace-in-sketch) section.

+ Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+To configure single sign-on on **workhub** side, you need to send the downloaded **Certificate (Base64)**, and appropriate copied URLs from Azure portal to [workhub support team](mailto:support_work@bitkey.jp). They set this setting to have the SAML SSO connection set properly on both sides.

+In this section, you create a user called Britta Simon at workhub. Work with [workhub support team](mailto:support_work@bitkey.jp) to add the users in the workhub platform. Users must be created and activated before you use single sign-on.

+Azure Active Directory (Azure AD) provides the capabilities necessary to implement the recommendations from memorandum 22-09. It also provides broad identity controls that support Zero Trust initiatives. Today, If your agency uses Microsoft Office 365 or Azure, you already have Azure AD as an identity provider (IdP) and you can connect your applications and resources to Azure AD as your enterprise-wide identity system.

+[Azure AD B2B collaboration](../external-identities/what-is-b2b.md) helps you meet the requirement to facilitate integration/collaboration among agencies. Whether the users reside in different Microsoft tenant in the same cloud, [tenant on another microsoft cloud](../external-identities/b2b-government-national-clouds.md), or a [non Azure AD tenant (SAML/WS-Fed identity provider)](..//external-identities/direct-federation.md).

+Azure AD cross-tenant access settings allow agencies to manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds. It does this by:

+- Granular settings to control access for external users including enforcement of multifactor authentication (MFA) and device signal.

+* [Azure Virtual Desktop](https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-azure-active-directory-join)

+>

+## Azure AD integration

+Enhance your AKS cluster security with Azure AD integration. Built on decades of enterprise identity management, Azure AD is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. With Azure AD, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security.

+

+With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster.

+1. To obtain a `kubectl` configuration context, a user runs the [az aks get-credentials][az-aks-get-credentials] command.

+1. When a user interacts with the AKS cluster with `kubectl`, they're prompted to sign in with their Azure AD credentials.

+This approach provides a single source for user account management and password credentials. The user can only access the resources as defined by the cluster administrator.

+Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [Open ID connect documentation][openid-connect]. From inside of the Kubernetes cluster, [Webhook Token Authentication][webhook-token-docs] is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster.

+### Webhook and API server

+

+As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:

+1. `kubectl` uses the Azure AD client application to sign in users with [OAuth 2.0 device authorization grant flow](../active-directory/develop/v2-oauth2-device-code.md).

+2. Azure AD provides an access_token, id_token, and a refresh_token.

+3. The user makes a request to `kubectl` with an access_token from `kubeconfig`.

+4. `kubectl` sends the access_token to API Server.

+5. The API Server is configured with the Auth WebHook Server to perform validation.

+6. The authentication webhook server confirms the JSON Web Token signature is valid by checking the Azure AD public signing key.

+7. The server application uses user-provided credentials to query group memberships of the logged-in user from the MS Graph API.

+8. A response is sent to the API Server with user information such as the user principal name (UPN) claim of the access token, and the group membership of the user based on the object ID.

+9. The API performs an authorization decision based on the Kubernetes Role/RoleBinding.

+10. Once authorized, the API server returns a response to `kubectl`.

+11. `kubectl` provides feedback to the user.

+Learn how to integrate AKS with Azure AD with our [AKS-managed Azure AD integration how-to guide](managed-aad.md).

+## AKS service permissions

+When creating a cluster, AKS generates or modifies resources it needs (like VMs and NICs) to create and run the cluster on behalf of the user. This identity is distinct from the cluster's identity permission, which is created during cluster creation.

+### Identity creating and operating the cluster permissions

+The following permissions are needed by the identity creating and operating the cluster.

+> [!div class="mx-tableFixed"]

+> | Permission | Reason |

+> |||

+> | `Microsoft.Compute/diskEncryptionSets/read` | Required to read disk encryption set ID. |

+> | `Microsoft.Compute/proximityPlacementGroups/write` | Required for updating proximity placement groups. |

+> | `Microsoft.Network/applicationGateways/read` <br/> `Microsoft.Network/applicationGateways/write` <br/> `Microsoft.Network/virtualNetworks/subnets/join/action` | Required to configure application gateways and join the subnet. |

+> | `Microsoft.Network/virtualNetworks/subnets/join/action` | Required to configure the Network Security Group for the subnet when using a custom VNET.|

+> | `Microsoft.Network/publicIPAddresses/join/action` <br/> `Microsoft.Network/publicIPPrefixes/join/action` | Required to configure the outbound public IPs on the Standard Load Balancer. |

+> | `Microsoft.OperationalInsights/workspaces/sharedkeys/read` <br/> `Microsoft.OperationalInsights/workspaces/read` <br/> `Microsoft.OperationsManagement/solutions/write` <br/> `Microsoft.OperationsManagement/solutions/read` <br/> `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` | Required to create and update Log Analytics workspaces and Azure monitoring for containers. |

+### AKS cluster identity permissions

+The following permissions are used by the AKS cluster identity, which is created and associated with the AKS cluster. Each permission is used for the reasons below:

+> [!div class="mx-tableFixed"]

+> | Permission | Reason |

+> |||

+> | `Microsoft.ContainerService/managedClusters/*` <br/> | Required for creating users and operating the cluster

+> | `Microsoft.Network/loadBalancers/delete` <br/> `Microsoft.Network/loadBalancers/read` <br/> `Microsoft.Network/loadBalancers/write` | Required to configure the load balancer for a LoadBalancer service. |

+> | `Microsoft.Network/publicIPAddresses/delete` <br/> `Microsoft.Network/publicIPAddresses/read` <br/> `Microsoft.Network/publicIPAddresses/write` | Required to find and configure public IPs for a LoadBalancer service. |

+> | `Microsoft.Network/publicIPAddresses/join/action` | Required for configuring public IPs for a LoadBalancer service. |

+> | `Microsoft.Network/networkSecurityGroups/read` <br/> `Microsoft.Network/networkSecurityGroups/write` | Required to create or delete security rules for a LoadBalancer service. |

+> | `Microsoft.Compute/disks/delete` <br/> `Microsoft.Compute/disks/read` <br/> `Microsoft.Compute/disks/write` <br/> `Microsoft.Compute/locations/DiskOperations/read` | Required to configure AzureDisks. |

+> | `Microsoft.Storage/storageAccounts/delete` <br/> `Microsoft.Storage/storageAccounts/listKeys/action` <br/> `Microsoft.Storage/storageAccounts/read` <br/> `Microsoft.Storage/storageAccounts/write` <br/> `Microsoft.Storage/operations/read` | Required to configure storage accounts for AzureFile or AzureDisk. |

+> | `Microsoft.Network/routeTables/read` <br/> `Microsoft.Network/routeTables/routes/delete` <br/> `Microsoft.Network/routeTables/routes/read` <br/> `Microsoft.Network/routeTables/routes/write` <br/> `Microsoft.Network/routeTables/write` | Required to configure route tables and routes for nodes. |

+> | `Microsoft.Compute/virtualMachines/read` | Required to find information for virtual machines in a VMAS, such as zones, fault domain, size, and data disks. |

+> | `Microsoft.Compute/virtualMachines/write` | Required to attach AzureDisks to a virtual machine in a VMAS. |

+> | `Microsoft.Compute/virtualMachineScaleSets/read` <br/> `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read` <br/> `Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read` | Required to find information for virtual machines in a virtual machine scale set, such as zones, fault domain, size, and data disks. |

+> | `Microsoft.Network/networkInterfaces/write` | Required to add a virtual machine in a VMAS to a load balancer backend address pool. |

+> | `Microsoft.Compute/virtualMachineScaleSets/write` | Required to add a virtual machine scale set to a load balancer backend address pools and scale out nodes in a virtual machine scale set. |

+> | `Microsoft.Compute/virtualMachineScaleSets/delete` | Required to delete a virtual machine scale set to a load balancer backend address pools and scale down nodes in a virtual machine scale set. |

+> | `Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write` | Required to attach AzureDisks and add a virtual machine from a virtual machine scale set to the load balancer. |

+> | `Microsoft.Network/networkInterfaces/read` | Required to search internal IPs and load balancer backend address pools for virtual machines in a VMAS. |

+> | `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read` | Required to search internal IPs and load balancer backend address pools for a virtual machine in a virtual machine scale set. |

+> | `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read` | Required to find public IPs for a virtual machine in a virtual machine scale set. |

+> | `Microsoft.Network/virtualNetworks/read` <br/> `Microsoft.Network/virtualNetworks/subnets/read` | Required to verify if a subnet exists for the internal load balancer in another resource group. |

+> | `Microsoft.Compute/snapshots/delete` <br/> `Microsoft.Compute/snapshots/read` <br/> `Microsoft.Compute/snapshots/write` | Required to configure snapshots for AzureDisk. |

+> | `Microsoft.Compute/locations/vmSizes/read` <br/> `Microsoft.Compute/locations/operations/read` | Required to find virtual machine sizes for finding AzureDisk volume limits. |

+### Additional cluster identity permissions

+When creating a cluster with specific attributes, you will need the following additional permissions for the cluster identity. Since these permissions are not automatically assigned, you must add them to the cluster identity after it's created.

+> [!div class="mx-tableFixed"]

+> | Permission | Reason |

+> |||

+> | `Microsoft.Network/networkSecurityGroups/write` <br/> `Microsoft.Network/networkSecurityGroups/read` | Required if using a network security group in another resource group. Required to configure security rules for a LoadBalancer service. |

+> | `Microsoft.Network/virtualNetworks/subnets/read` <br/> `Microsoft.Network/virtualNetworks/subnets/join/action` | Required if using a subnet in another resource group such as a custom VNET. |

+> | `Microsoft.Network/routeTables/routes/read` <br/> `Microsoft.Network/routeTables/routes/write` | Required if using a subnet associated with a route table in another resource group such as a custom VNET with a custom route table. Required to verify if a subnet already exists for the subnet in the other resource group. |

+> | `Microsoft.Network/virtualNetworks/subnets/read` | Required if using an internal load balancer in another resource group. Required to verify if a subnet already exists for the internal load balancer in the resource group. |

+> | `Microsoft.Network/privatednszones/*` | Required if using a private DNS zone in another resource group such as a custom privateDNSZone. |

+## AKS Node Access

+By default Node Access is not required for AKS. The following access is needed for the node if a specific component is leveraged.

+| Access | Reason |

+|||

+| `kubelet` | Required for customer to grant MSI access to ACR. |

+| `http app routing` | Required for write permission to "random name".aksapp.io. |

+| `container insights` | Required for customer to grant permission to the Log Analytics workspace. |

+## Considerations and limitations

+* Azure Analysis Services does not support the use of One-Time Password for B2B users

+

+[Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md)

+ > [!NOTE]

+ > Open products aren't listed in the developer portal for developers to learn about or subscribe to. They're visible only to the **Administrators** group. You'll need to use another mechanism to inform developers about APIs that can be accessed without a subscription key.

+ Title: Deploy Azure API Management instance to multiple Azure regions

+description: Learn how to deploy a Premium tier Azure API Management instance to multiple Azure regions to improve API gateway availability.

+# Deploy an Azure API Management instance to multiple Azure regions

+Azure API Management supports multi-region deployment, which enables API publishers to add regional API gateways to an existing API Management instance in one or more supported Azure regions. Multi-region deployment helps reduce request latency perceived by geographically distributed API consumers and improves service availability if one region goes offline.

+When adding a region, you configure:

+* The number of scale [units](upgrade-and-scale.md) that region will host.

+* Optional [zone redundancy](../availability-zones/migrate-api-mgt.md), if that region supports it.

+* [Virtual network](virtual-network-concepts.md) settings in the added region, if networking is configured in the existing region or regions.

+## About multi-region deployment

+* If you haven't created an API Management service instance, see [Create an API Management service instance](get-started-create-service-instance.md). Select the Premium service tier.

+* If your API Management instance is deployed in a virtual network, ensure that you set up a virtual network, subnet, and public IP address in the location that you plan to add. See [virtual network prerequisites](api-management-using-with-vnet.md#prerequisites).

+## <a name="add-region"> </a>Deploy API Management service to an additional region

+1. In the Azure portal, navigate to your API Management service and select **Locations** from the left menu.

+1. Select the added location from the dropdown list.

+1. Optionally select one or more [**Availability zones**](../availability-zones/migrate-api-mgt.md).

+## <a name="remove-region"> </a>Remove an API Management service region

+1. In the Azure portal, navigate to your API Management service and select **Locations** from the left menu.

+2. For the location you would like to remove, select the context menu using the **...** button at the right end of the table. Select **Delete**.

+3. Confirm the deletion and select **Save** to apply the changes.

+By default, each API routes requests to a single backend service URL. Even if you've configured Azure API Management gateways in various regions, the API gateway will still forward requests to the same backend service, which is deployed in only one region. In this case, the performance gain will come only from responses cached within Azure API Management in a region specific to the request; contacting the backend across the globe may still cause high latency.

+To take advantage of geographical distribution of your system, you should have backend services deployed in the same regions as Azure API Management instances. Then, using policies and `@(context.Deployment.Region)` property, you can route the traffic to local instances of your backend.

+> [!TIP]

+> Optionally set the `disableGateway` property in a regional gateway to disable routing of API traffic there. For example, temporarily disable a regional gateway when testing or updating a regional backend service.

+1. Navigate to your Azure API Management instance and select **APIs** from the left menu.

+3. Select **Code editor** from the arrow dropdown in the **Inbound processing**.

+ For example, the following XML file would work for West US and East Asia regions:

+ <set-backend-service base-url="http://contoso-backend-us.com/" />

+ <set-backend-service base-url="http://contoso-backend-asia.com/" />

+ <set-backend-service base-url="http://contoso-backend-other.com/" />

+API Management routes the requests to a regional gateway based on [the lowest latency](../traffic-manager/traffic-manager-routing-methods.md#performance). Although it isn't possible to override this setting in API Management, you can use your own Traffic Manager with custom routing rules.

+1. If you're using a custom domain, [use it with the Traffic Manager](../traffic-manager/traffic-manager-point-internet-domain.md) instead of the API Management service.

+## Virtual networking

+This section provides considerations for multi-region deployments when the API Management instance is injected in a virtual network.

+* Configure each regional network independently. The [connectivity requirements](virtual-network-reference.md) such as required network security group rules for a virtual network in an added region are the same as those for a network in the primary region.

+* Virtual networks in the different regions don't need to be peered.

+### IP addresses

+* A public virtual IP address is created in every region added with a virtual network. For virtual networks in either [external mode](api-management-using-with-vnet.md) or [internal mode](api-management-using-with-internal-vnet.md), this public IP address is required for management traffic on port `3443`.

+ * **External VNet mode** - The public IP addresses are also required to route public HTTP traffic to the API gateways.

+ * **Internal VNet mode** - A private IP address is also created in every region added with a virtual network. Use these addresses to connect within the network to the API Management endpoints in the primary and secondary regions.

+### Routing

+* **External VNet mode** - Routing of public HTTP traffic to the regional gateways is handled automatically, in the same way it is for a non-networked API Management instance.

+* **Internal VNet mode** - Private HTTP traffic isn't routed or load-balanced to the regional gateways by default. Users own the routing and are responsible for bringing their own solution to manage routing and private load balancing across multiple regions. Example solutions include Azure Application Gateway and Azure Traffic Manager.

+## Next steps

+* Learn more about [zone redundancy](../availability-zones/migrate-api-mgt.md) to improve the availability of an API Management instance in a region.

+* For more information about virtual networks and API Management, see:

+ * [Connect to a virtual network using Azure API Management](api-management-using-with-vnet.md)

+ * [Connect to a virtual network in internal mode using Azure API Management](api-management-using-with-internal-vnet.md)

+ * [IP addresses of API Management](api-management-howto-ip-addresses.md)

+ Title: Configure Azure Front Door in front of Azure API Management

+description: Learn how to front your API Management instance with Azure Front Door Standard/Premium to provide global HTTPS load balancing, TLS offloading, dynamic request acceleration, and other capabilities.

+# Configure Front Door Standard/Premium in front of Azure API Management

+Azure Front Door is a modern application delivery network platform providing a secure, scalable content delivery network (CDN), dynamic site acceleration, and global HTTP(s) load balancing for your global web applications. When used in front of API Management, Front Door can provide TLS offloading, end-to-end TLS, load balancing, response caching of GET requests, and a web application firewall, among other capabilities. For a full list of supported features, see [What is Azure Front Door?](../frontdoor/front-door-overview.md)

+This article shows how to:

+* Set up an Azure Front Door Standard/Premium profile in front of a publicly accessible Azure API Management instance: either non-networked, or injected in a virtual network in [external mode](api-management-using-with-vnet.md).

+* Restrict API Management to accept API traffic only from Azure Front Door.

+## Prerequisites

+* An API Management instance.

+ * If you choose to use a network-injected instance, it must be deployed in an external VNet. (Virtual network injection is supported in the Developer and Premium service tiers.)

+* Import one or more APIs to your API Management instance to confirm routing through Front Door.

+## Configure Azure Front Door

+### Create profile

+For steps to create an Azure Front Door Standard/Premium profile, see [Quickstart: Create an Azure Front Door profile - Azure portal](../frontdoor/create-front-door-portal.md). For this article, you may choose a Front Door Standard profile. For a comparison of Front Door Standard and Front Door Premium, see [Tier comparison](../frontdoor/standard-premium/tier-comparison.md).

+Configure the following Front Door settings that are specific to using the gateway endpoint of your API Management instance as a Front Door origin. For an explanation of other settings, see the Front Door quickstart.

+|Setting |Value |

+|||

+| **Origin type** | Select **API Management** |

+| **Origin hostname** | Select the hostname of your API Management instance, for example, *myapim*.azure-api.net |

+| **Caching** | Select **Enable caching** for Front Door to [cache static content](../frontdoor/front-door-caching.md?pivots=front-door-standard-premium) |

+| **Query string caching behavior** | Select **Use Query String** |

+### Update default origin group

+After the profile is created, update the default origin group to include an API Management health probe.

+1. In the [portal](https://portal.azure.com), go to your Front Door profile.

+1. In the left menu, under **Settings** select **Origin groups** > **default-origin-group**.

+1. In the **Update origin group** window, configure the following **Health probe** settings and select **Update**:

+

+ |Setting |Value |

+ |||

+ |**Status** | Select **Enable health probes** |

+ |**Path** | Enter `/status-0123456789abcdef` |

+ |**Protocol** | Select **HTTPS** |

+ |**Method** | Select **GET** |

+ |**Interval (in seconds)** | Enter **30** |

+

+ :::image type="content" source="media/front-door-api-management/update-origin-group.png" alt-text="Screenshot of updating the default origin group in the portal.":::

+### Update default route

+We recommend updating the default route that's associated with the API Management origin group to use HTTPS as the forwarding protocol.

+1. In the [portal](https://portal.azure.com), go to your Front Door profile.

+1. In the left menu, under **Settings** select **Origin groups**.

+1. Expand **default-origin-group**.

+1. In the context menu (**...**) of **default-route**, select **Configure route**.

+1. Set **Accepted protocols** to **HTTP and HTTPS**.

+1. Enable **Redirect all traffic to use HTTPS**.

+1. Set **Forwarding protocol** to **HTTPS only** and then select **Update**.

+### Test the configuration

+Test the Front Door profile configuration by calling an API hosted by API Management. First, call the API directly through the API Management gateway to ensure that the API is reachable. Then, call the API through Front Door. To test, you can use a command line client such as `curl` for the calls, or a tool such as [Postman](https://www.getpostman.com).

+### Call an API directly through API Management

+In the following example, an operation in the Demo Conference API hosted by the API Management instance is called directly using Postman. In this example, the instance's hostname is in the default `azure-api.net` domain, and a valid subscription key is passed using a request header. A successful response shows `200 OK` and returns the expected data:

+### Call an API directly through Front Door

+In the following example, the same operation in the Demo Conference API is called using the Front Door endpoint configured for your instance. The endpoint's hostname in the `azurefd.net` domain is shown in the portal on the **Overview** page of your Front Door profile. A successful response shows `200 OK` and returns the same data as in the previous example:

+## Restrict incoming traffic to API Management instance

+Use API Management policies to ensure that your API Management instance accepts traffic only from Azure Front Door. You can accomplish this restriction using one or both of the [following methods](../frontdoor/front-door-faq.yml#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-):

+1. Restrict incoming IP addresses to your API Management instances

+1. Restrict traffic based on the value of the `X-Azure-FDID` header

+### Restrict incoming IP addresses

+You can configure an inbound [ip-filter](/api-management-access-restriction-policies.md#CheckHTTPHeader) policy in API Management to allow only Front Door-related traffic, which includes:

+* **Front Door's backend IP address space** - Allow IP addresses corresponding to the *AzureFrontDoor.Backend* section in [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519).

+ > [!NOTE]

+ > If your API Management instance is deployed in an external virtual network, accomplish the same restriction by adding an inbound network security group rule in the subnet used for your API Management instance. Configure the rule to allow HTTPS traffic from source service tag *AzureFrontDoor.Backend* on port 443.

+* **Azure infrastructure services** - Allow IP addresses 168.63.129.16 and 169.254.169.254.

+### Check Front Door header

+Requests routed through Front Door include headers specific to your Front Door configuration. You can configure the [check-header](/api-management-access-restriction-policies.md#CheckHTTPHeader) policy to filter incoming requests based on the unique value of the `X-Azure-FDID` HTTP request header that is sent to API Management. This header value is the **Front Door ID**, which is shown in the portal on the **Overview** page of the Front Door profile.

+In the following policy example, the Front Door ID is specified using a [named value](api-management-howto-properties.md) named `FrontDoorId`.

+```xml

+<check-header name="X-Azure-FDID" failed-check-httpcode="403" failed-check-error-message="Invalid request." ignore-case="false">

+ <value>{{FrontDoorId}}</value>

+</check-header>

+```

+Requests that aren't accompanied by a valid `X-Azure-FDID` header return a `403 Forbidden` response.

+## (Optional) Configure Front Door for developer portal

+Optionally, configure the API Management instance's developer portal as an endpoint in the Front Door profile. While the managed developer portal is already fronted by an Azure-managed CDN, you might want to take advantage of Front Door features such as a WAF.

+The following are high level steps to add an endpoint for the developer portal to your profile:

+* To add an endpoint and configure a route, see [Configure and endpoint with Front Door manager](../frontdoor/how-to-configure-endpoints.md).

+* When adding the route, add an origin group and origin settings to represent the developer portal:

+ * **Origin type** - Select **Custom**

+ * **Host name** - Enter the developer portal's hostname, for example, *myapim*.developer.azure-api.net

+For more information and details about settings, see [How to configure an origin for Azure Front Door](../frontdoor/how-to-configure-origin.md#create-a-new-origin-group).

+> [!NOTE]

+> If you've configured an [Azure AD](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md) identity provider for the developer portal, you need to update the corresponding app registration with an additional redirect URL to Front Door. In the app registration, add the URL for the developer portal endpoint configured in your Front Door profile.

+## Next steps

+* To automate deployments of Front Door with API Management, see the template [Front Door Standard/Premium with API Management origin](https://azure.microsoft.com/resources/templates/front-door-standard-premium-api-management-external/)

+* Learn how to deploy [Web Application Firewall (WAF)](../web-application-firewall/afds/afds-overview.md) on Azure Front Door to protect the API Management instance from malicious attacks.

+ Title: Ensure reliability of your Azure API Management instance

+description: Learn how to use Azure reliability features including availability zones and multiregion deployments to make your Azure API Management service instance resilient to cloud failures.

+# Ensure API Management availability and reliability

+This article introduces service capabilities and considerations to ensure that your API Management instance continues to serve API requests if Azure outages occur.

+API Management supports the following key service capabilities that are recommended for [reliable and resilient](../availability-zones/overview.md) Azure solutions. Use them individually, or together, to improve the availability of your API Management solution:

+* **Availability zones**, to provide resilience to datacenter-level outages

+* **Multi-region deployment**, to provide resilience to regional outages

+> [!NOTE]

+> API Management supports availability zones and multi-region deployment in the **Premium** service tier.

+## Availability zones

+Azure [availability zones](../availability-zones/az-overview.md) are physically separate locations within an Azure region that are tolerant to datacenter-level failures. Each zone is composed of one or more datacenters equipped with independent power, cooling, and networking infrastructure. To ensure resiliency, a minimum of three separate availability zones are present in all availability zone-enabled regions.

+Enabling [zone redundancy](../availability-zones/migrate-api-mgt.md) for an API Management instance in a supported region provides redundancy for all [service components](api-management-key-concepts.md#api-management-components): gateway, management plane, and developer portal. Azure automatically replicates all service components across the zones that you select.

+When you enable zone redundancy in a region, consider the number of API Management scale [units](upgrade-and-scale.md) that need to be distributed. Minimally, configure the same number of units as the number of availability zones, or a multiple so that the units are distributed evenly across the zones. For example, if you select 3 availability zones in a region, you could have 3 units so that each zone hosts one unit.

+> [!NOTE]

+> Use the [capacity](api-management-capacity.md) metric and your own testing to decide on the number of scale units that will provide the gateway performance for your needs. Learn more about [scaling and upgrading](upgrade-and-scale.md) your service instance.

+## Multi-region deployment

+## Combine availability zones and multi-region deployment

+The combination of availability zones for redundancy within a region, and multi-region deployments to improve the gateway availability if there is a regional outage, helps enhance both the reliability and performance of your API Management instance.

+Examples:

+* Use availability zones to improve the resilience of the primary region in a multi-region deployment

+* Distribute scale units across availability zones and regions to enhance regional gateway performance

+## SLA considerations

+API Management provides an SLA of 99.99% when you deploy at least one unit in two or more availability zones or regions. For more information, see [Pricing](https://azure.microsoft.com/pricing/details/api-management/).

+> [!NOTE]

+> While Azure continually strives for highest possible resiliency in SLA for the cloud platform, you must define your own target SLAs for other components of your solution.

+## Backend availability

+Depending on where and how your backend services are hosted, you may need to set up redundant backends in different regions to meet your requirements for service availability. You can manage regional backends and handle failover through API Management to maintain availability. For example:

+* In multi-region deployments, use [policies to route requests](api-management-howto-deploy-multi-region.md#-route-api-calls-to-regional-backend-services) through regional gateways to regional backends.

+* Configure policies to route requests conditionally to different backends if there is backend failure in a particular region.

+* Use caching to reduce failing calls.

+For details, see the blog post [Back-end API redundancy with Azure API Manager](https://devblogs.microsoft.com/premier-developer/back-end-api-redundancy-with-azure-api-manager/).

+## Next steps

+* Learn more about [resiliency in Azure](../availability-zones/overview.md)

+* Learn more about [designing reliable Azure applications](/azure/architecture/framework/resiliency/app-design)

+* Read [API Management and reliability](/azure/architecture/framework/services/networking/api-management/reliability) in the Azure Well-Architected Framework

+> In the Premium service tier, you can optionally configure availability zones and a virtual network in a selected location. For more information, see [Deploy API Management service to an additional location](api-management-howto-deploy-multi-region.md).

+* Azure reserves five IP addresses within each subnet that can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets).

+ * Two IP addresses per unit of Basic, Standard, or Premium SKU, or

+#### Examples

+* For Basic, Standard, or Premium SKUs:

+ * **/29 subnet**: 8 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 0 remaining IP addresses left for scaling units.

+

+ * **/28 subnet**: 16 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 8 remaining IP addresses left for four scale-out units (2 IP addresses/scale-out unit) for a total of five units. **This subnet efficiently maximizes Basic and Standard SKU scale-out limits.**

+

+ * **/27 subnet**: 32 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 24 remaining IP addresses left for twelve scale-out units (2 IP addresses/scale-out unit) for a total of thirteen units. **This subnet efficiently maximizes the soft-limit Premium SKU scale-out limit.**

+

+ * **/26 subnet**: 64 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 56 remaining IP addresses left for twenty-eight scale-out units (2 IP addresses/scale-out unit) for a total of twenty-nine units. It is possible, with an Azure Support ticket, to scale the Premium SKU past twelve units. If you foresee such high demand, consider the /26 subnet.

+

+ * **/25 subnet**: 128 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 120 remaining IP addresses left for sixty scale-out units (2 IP addresses/scale-out unit) for a total of sixty-one units. This is an extremely large, theoretical number of scale-out units.

+The following example uses the `--src-url` parameter to specify the URL of an Azure Storage account that the web app should pull the WAR from.

+az webapp deploy --resource-group <group-name> --name <app-name> --src-url "https://storagesample.blob.core.windows.net/sample-container/myapp.war?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3 --type war

+>[!NOTE]

+> Windows Containers uses an additional IP address per app for each App Service plan instance, and you need to size the subnet accordingly. If your App Service Environment has for example 2 Windows Container App Service plans each with 25 instances and each with 5 apps running, you will need 300 IP addresses and additional addresses to support horizontal (up/down) scale.

+Because subnet size can't be changed after assignment, use a subnet that's large enough to accommodate whatever scale your app might reach. To avoid any issues with subnet capacity, use a `/26` with 64 addresses. When you're creating subnets in Azure portal as part of integrating with the virtual network, a minimum size of /27 is required. If the subnet already exists before integrating through the portal you can use a /28 subnet.

+>[!NOTE]

+> Windows Containers uses an additional IP address per app for each App Service plan instance, and you need to size the subnet accordingly. If you have for example 10 Windows Container App Service plan instances with 4 apps running, you will need 50 IP addresses and additional addresses to support horizontal (up/down) scale.

+| `WEBSITES_ENABLE_APP_SERVICE_STORAGE` | Set to `true` to enable the `/home` directory to be shared across scaled instances. The default is `true` for custom containers. ||

+> [!IMPORTANT]

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+> [!IMPORTANT]

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+ Title: Azure Automation migration to managed identity FAQ

+description: This article gives answers to frequently asked questions when you're migrating from Run As account to managed identity

+#Customer intent: As an implementer, I want answers to various questions.

+# Frequently asked questions when migrating from Run As account to managed identities

+This Microsoft FAQ is a list of commonly asked questions when you're migrating from Run As account to Managed Identity. If you have any other questions about the capabilities, go to the [discussion forum](https://aka.ms/retirement-announcement-automation-runbook-start-using-managed-identities) and post your questions. When a question is frequently asked, we add it to this article so that it benefits all.

+## How long will you support Run As account?

+

+Automation Run As account will be supported for the next one year until **September 30, 2023**. While we continue to support existing users, we recommend all new users to use Managed identities as the preferred way of runbook authentication. Existing users can still create the Run As account, see the account properties and renew the certificate upon expiration till **January 30, 2023**. After this date, you won't be able to create a Run As account from the Azure portal. You will still be able to create a Run As account through [PowerShell script](/azure/automation/create-run-as-account#create-account-using-powershell) until the supported time of one year. You can [use this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/RunAsAccountAssessAndRenew.ps1) to renew the certificate post **January 30, 2023** until **September 30, 2023**. This script will assess automation account which has configured Run As accounts and renews the certificate if the user chooses to do so. On confirmation, it will renew the key credentials of Azure-AD App and upload new self-signed certificate to the Azure-AD App.

+## Will existing runbooks that use the Run As account be able to authenticate?

+Yes, they will be able to authenticate and there will be no impact to the existing runbooks using Run As account.

+## How can I renew the existing Run as accounts post January 30, 2023 when portal support to renew the account to removed?

+You can [use this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/RunAsAccountAssessAndRenew.ps1) to renew the Run As account certificate post January 30, 2023 until September 30, 2023.

+## Can Run As account still be created post September 30, 2023 when Run As account will retire?

+Yes, you can still create the Run As account using the [PowerShell script](../automation/create-run-as-account.md#create-account-using-powershell). However, this would be an unsupported scenario.

+## Can Run As accounts still be renewed post September 30, 2023 when Run As account will retire?

+You can [use this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/RunAsAccountAssessAndRenew.ps1) to renew the Run As account certificate post September 30, 2023 when Run As account will retire. However, it would be an unsupported scenario.

+## Will the runbooks that still use the Run As account be able to authenticate even after September 30, 2023?

+Yes, the runbooks will be able to authenticate until the Run As account certificate expires.

+## What is managed identity?

+Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications can use managed identities to obtain Azure AD tokens without managing credentials, secrets, certificates or keys.

+For more information about managed identities in Azure AD, see [Managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/overview).

+## What can I do with a managed identity in Automation accounts?

+An Azure Automation managed identity from Azure Active Directory (Azure AD) allows your runbook to access other Azure AD-protected resources easily. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. Key benefits are:

+- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.

+- Managed identities eliminate the management overhead associated with managing Run As account in your runbook code. You can access resources via a managed identity of an Automation account from a runbook without worrying about creating the service principal, Run As Certificate, Run As Connection and so on.

+- You donΓÇÖt have to renew the certificate used by the Automation Run As account.

+

+## Are Managed identities more secure than Run As account?

+Run As account creates an Azure AD app used to manage the resources within the subscription through a certificate having contributor access at the subscription level by default. A malicious user could use this certificate to perform a privileged operation against resources in the subscription leading to potential vulnerabilities. Run As accounts also have a management overhead associated that involves creating a service principal, RunAsCertificate, RunAsConnection, certificate renewal and so on.

+Managed identities eliminate this overhead by providing a secure method for the users to authenticate and access resources that support Azure AD authentication without worrying about any certificate or credential management.

+## Can managed identity be used for both cloud and hybrid jobs?

+Azure Automation supports [System-assigned managed identities](/azure/automation/automation-security-overview#managed-identities) for both cloud and Hybrid jobs. Currently, Azure Automation [User-assigned managed identities](/azure/automation/automation-security-overview#managed-identities-preview) can only be used for cloud jobs only and cannot be used for jobs run on a Hybrid Worker.

+## Can I use Run as account for new Automation account?

+Yes, only in a scenario when Managed identities aren't supported for specific on-premises resources. We'll allow the creation of Run As account through [PowerShell script](/azure/automation/create-run-as-account#create-account-using-powershell).

+## How can I migrate from existing Run As account to managed identities?

+Follow the steps mentioned in [migrate Run As accounts to Managed identity](/azure/automationmigrate-run-as-accounts-managed-identity).

+## How do I see the runbooks that are using Run As account and know what permissions are assigned to the Run As account?

+Use the [script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/Check-AutomationRunAsAccountRoleAssignments.ps1) here to find out which Automation accounts are using Run As account. If your Azure Automation accounts contain a Run As account, it will by default, have the built-in contributor role assigned to it. You can use this script to check the role assignments of your Azure Automation Run As accounts and determine if their role assignment is the default one or if it has been changed to a different role definition.

+## Next steps

+If your question isn't answered here, you can refer to the following sources for more questions and answers.

+- [Azure Automation](https://docs.microsoft.com/answers/topics/azure-automation.html)

+- [Feedback forum](https://feedback.azure.com/d365community/forum/721a322e-bd25-ec11-b6e6-000d3a4f0f1c)

+> [!IMPORTANT]

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+> [!IMPORTANT]

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+> [!IMPORTANT]

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+> [!IMPORTANT]

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+> [!IMPORTANT]

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+ Title: Migrate run as accounts to managed identity in Azure Automation account

+description: This article describes how to migrate from run as accounts to managed identity.

+# Migrate from existing Run As accounts to managed identity

+> [!IMPORTANT]

+> Azure Automation Run As Account will retire on **September 30, 2023**, and there will be no support provided beyond this date. From now through **September 30, 2023**, you can continue to use the Azure Automation Run As Account. However, we recommend you to transition to [managed identities](/automation-security-overview.md#managed-identities) before **September 30, 2023**.

+See the [frequently asked questions](/automation/automation-managed-identity.md) for more information about migration cadence and support timeline for Run As account creation and certificate renewal.

+ Run As accounts in Azure Automation provide authentication for managing Azure Resource Manager resources or resources deployed on the classic deployment model. Whenever a Run As account is created, an Azure AD application is registered, and a self-signed certificate will be generated which will be valid for one year. This adds an overhead of renewing the certificate every year before it expires to prevent the Automation account to stop working.

+Automation accounts can now be configured to use [Managed Identity](/automation/automation-security-overview.md#managed-identities) which is the default option when an Automation account is created. With this feature, Automation account can authenticate to Azure resources without the need to exchange any credentials, hence removing the overhead of renewing the certificate or managing the service principal.

+Managed identity can be [system assigned]( /automation/enable-managed-identity-or-automation) or [user assigned](/automation/add-user-assigned-identity). However, when a new Automation account is created, a system assigned managed identity is enabled.

+## Prerequisites

+Ensure the following to migrate from the Run As account to Managed identities:

+1. Create a [system-assigned](enable-managed-identity-for-automation.md) or [user-assigned](add-user-assigned-identity.md), or both types of managed identities. To learn more about the differences between the two types of managed identities, see [Managed Identity Types](/active-directory/managed-identities-azure-resources/overview#managed-identity-types).

+ > [!NOTE]

+ > - User-assigned identities are supported for cloud jobs only. It isn't possible to use the Automation Account's User Managed Identity on a Hybrid Runbook Worker. To use hybrid jobs, you must create a System-assigned identities.

+ > - There are two ways to use the Managed Identities in Hybrid Runbook Worker scripts. Either the System-assigned Managed Identity for the Automation account **OR** VM Managed Identity for an Azure VM running as a Hybrid Runbook Worker.

+ > - Both the VM's User-assigned Managed Identity or the VM's system assigned Managed Identity will **NOT** work in an Automation account that is configured with an Automation account Managed Identity. When you enable the Automation account Managed Identity, you can only use the Automation Account System-Assigned Managed Identity and not the VM Managed Identity. For more information, see [Use runbook authentication with managed identities](/automation/automation-hrw-run-runbooks?tabs=sa-mi#runbook-auth-managed-identities).

+1. Assign same role to the managed identity to access the Azure resources matching the Run As account. Follow the steps in [Check role assignment for Azure Automation Run As account](/automation/manage-run-as-account#check-role-assignment-for-azure-automation-run-as-account).

+Ensure that you don't assign high privilege permissions like Contributor, Owner and so on to Run as account. Follow the RBAC guidelines to limit the permissions from the default Contributor permissions assigned to Run As account using this [script](/azure/automation/manage-runas-account#limit-run-as-account-permissions).

+ For example, if the Automation account is only required to start or stop an Azure VM, then the permissions assigned to the Run As account needs to be only for starting or stopping the VM. Similarly, assign read-only permissions if a runbook is reading from blob storage. Read more about [Azure Automation security guidelines](/azure/automation/automation-security-guidelines#authentication-certificate-and-identities).

+## Migrate from Automation Run As account to Managed Identity

+To migrate from an Automation Run As account to a Managed Identity for your runbook authentication, follow the steps below:

+

+1. Change the runbook code to use managed identity. We recommend that you test the managed identity to verify if the runbook works as expected by creating a copy of your production runbook to use managed identity. Update your test runbook code to authenticate by using the managed identities. This ensures that you don't override the AzureRunAsConnection in your production runbook and break the existing Automation. After you are sure that the runbook code executes as expected using the Managed Identities, update your production runbook to use managed identities.

+ For Managed Identity support, use the Az cmdlet Connect-AzAccount cmdlet. use the Az cmdlet `Connect-AzAccount` cmdlet. See [Connect-AzAccount](/powershell/module/az.accounts/Connect-AzAccount) in the PowerShell reference.

+ - If you are using Az modules, update to the latest version following the steps in the [Update Azure PowerShell modules](automation-update-azure-modules.md#update-az-modules) article.

+ - If you are using AzureRM modules, Update `AzureRM.Profile` to latest version and replace using `Add-AzureRMAccount` cmdlet with `Connect-AzureRMAccount ΓÇôIdentity`.

+

+ Follow the sample scripts below to know the change required to the runbook code to use Managed Identities

+1. Once you are sure that the runbook is executing successfully by using managed identities, you can safely [delete the Run as account](/azure/automation/delete-run-as-account) if the Run as account is not used by any other runbook.

+## Sample scripts

+Following are the examples of a runbook that fetches the ARM resources using the Run As Account (Service Principal) and managed identity.

+# [Run As account](#tab/run-as-account)

+```powershell

+ $connectionName = "AzureRunAsConnection"

+ try

+ {

+ # Get the connection "AzureRunAsConnection "

+ $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName

+ "Logging in to Azure..."

+ Add-AzureRmAccount `

+ -ServicePrincipal `

+ -TenantId $servicePrincipalConnection.TenantId `

+ -ApplicationId $servicePrincipalConnection.ApplicationId `

+ -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

+ }

+ catch {

+ if (!$servicePrincipalConnection)

+ {

+ $ErrorMessage = "Connection $connectionName not found."

+ throw $ErrorMessage

+ } else{

+ Write-Error -Message $_.Exception

+ throw $_.Exception

+ }

+ }

+ #Get all ARM resources from all resource groups

+ $ResourceGroups = Get-AzureRmResourceGroup

+ foreach ($ResourceGroup in $ResourceGroups)

+ {

+ Write-Output ("Showing resources in resource group " + $ResourceGroup.ResourceGroupName)

+ $Resources = Find-AzureRmResource -ResourceGroupNameContains $ResourceGroup.ResourceGroupName | Select ResourceName, ResourceType

+ ForEach ($Resource in $Resources)

+ {

+ Write-Output ($Resource.ResourceName + " of type " + $Resource.ResourceType)

+ }

+ Write-Output ("")

+ }

+ ```

+# [System-assigned Managed identity](#tab/sa-managed-identity)

+>[!NOTE]

+> Enable appropriate RBAC permissions to the system identity of this automation account. Otherwise, the runbook may fail.

+ ```powershell

+ {

+ "Logging in to Azure..."

+ Connect-AzAccount -Identity

+ }

+ catch {

+ Write-Error -Message $_.Exception

+ throw $_.Exception

+ }

+ #Get all ARM resources from all resource groups

+ $ResourceGroups = Get-AzResourceGroup

+ foreach ($ResourceGroup in $ResourceGroups)

+ {

+ Write-Output ("Showing resources in resource group " + $ResourceGroup.ResourceGroupName)

+ $Resources = Get-AzResource -ResourceGroupName $ResourceGroup.ResourceGroupName

+ foreach ($Resource in $Resources)

+ {

+ Write-Output ($Resource.Name + " of type " + $Resource.ResourceType)

+ }

+ Write-Output ("")

+ }

+ ```

+# [User-assigned Managed identity](#tab/ua-managed-identity)

+```powershell

+{

+ "Logging in to Azure..."

+$identity = Get-AzUserAssignedIdentity -ResourceGroupName <myResourceGroup> -Name <myUserAssignedIdentity>

+Connect-AzAccountΓÇ»-IdentityΓÇ»-AccountIdΓÇ»$identity.ClientId

+}

+catch {

+ Write-Error -Message $_.Exception

+ throw $_.Exception

+}

+#Get all ARM resources from all resource groups

+$ResourceGroups = Get-AzResourceGroup

+foreach ($ResourceGroup in $ResourceGroups)

+{

+ Write-Output ("Showing resources in resource group " + $ResourceGroup.ResourceGroupName)

+ $Resources = Get-AzResource -ResourceGroupName $ResourceGroup.ResourceGroupName

+ foreach ($Resource in $Resources)

+ {

+ Write-Output ($Resource.Name + " of type " + $Resource.ResourceType)

+ }

+ Write-Output ("")

+}

+```

+## Graphical runbooks

+### How to check if Run As account is used in Graphical Runbooks

+To check if Run As account is used in Graphical Runbooks:

+1. Check each of the activities within the runbook to see if they use the Run As Account when calling any logon cmdlets/aliases. For example, `Add-AzRmAccount/Connect-AzRmAccount/Add-AzAccount/Connect-AzAccount`

+

+ :::image type="content" source="./media/migrate-run-as-account-managed-identity/check-graphical-runbook-use-run-as-inline.png" alt-text="Screenshot to check if graphical runbook uses Run As." lightbox="./media/migrate-run-as-account-managed-identity/check-graphical-runbook-use-run-as-expanded.png":::

+1. Examine the parameters used by the cmdlet.

+ :::image type="content" source="./medilet":::

+1. For use with the Run As account, it will use the *ServicePrinicipalCertificate* parameter set *ApplicationId* and *Certificate Thumbprint* will be from the RunAsAccountConnection.

+ :::image type="content" source="./media/migrate-run-as-account-managed-identity/parameter-sets-inline.png" alt-text="Screenshot to check the parameter sets." lightbox="./media/migrate-run-as-account-managed-identity/parameter-sets-expanded.png":::

+

+### How to edit graphical Runbook to use managed identity

+You must test the managed identity to verify if the Graphical runbook is working as expected by creating a copy of your production runbook to use the managed identity and updating your test graphical runbook code to authenticate by using the managed identity. You can add this functionality to a graphical runbook by adding `Connect-AzAccount` cmdlet.

+Listed below is an example to guide on how a graphical runbook that uses Run As account uses managed identities:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Open the Automation account and select **Process Automation**, **Runbooks**.

+1. Here, select a runbook. For example, select *Start Azure V2 VMs* runbook either from the list and select **Edit** or go to **Browse Gallery** and select *start Azure V2 VMs*.

+ :::image type="content" source="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-inline.png" alt-text="Screenshot of edit graphical runbook." lightbox="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-expanded.png":::

+1. Replace, Run As connection that uses `AzureRunAsConnection`and connection asset that internally uses PowerShell `Get-AutomationConnection` cmdlet with `Connect-AzAccount` cmdlet.

+1. Connect to Azure that uses `Connect-AzAccount` to add the identity support for use in the runbook using `Connect-AzAccount` activity from the `Az.Accounts` cmdlet that uses the PowerShell code to connect to identity.

+ :::image type="content" source="./media/migrate-run-as-account-managed-identity/add-functionality-inline.png" alt-text="Screenshot of add functionality to graphical runbook." lightbox="./media/migrate-run-as-account-managed-identity/add-functionality-expanded.png":::

+1. Select **Code** to enter the following code to pass the identity.

+```powershell-interactive

+try

+{

+ Write-Output ("Logging in to Azure...")

+ Connect-AzAccount -Identity

+}

+catch {

+ Write-Error -Message $_.Exception

+ throw $_.Exception

+}

+```

+For example, in the runbook `Start Azure V2 VMs` in the runbook gallery, you must replace `Get Run As Connection` and `Connect to Azure` activities with `Connect-AzAccount` cmdlet activity.

+For more information, see sample runbook name *AzureAutomationTutorialWithIdentityGraphical* that gets created with the Automation account.

+## Next steps

+- Review the Frequently asked questions for [Migrating to Managed Identities](automation-managed-identity-faq.md).

+- If your runbooks aren't completing successfully, review [Troubleshoot Azure Automation managed identity issues](troubleshoot/managed-identity.md).

+- Learn more about system assigned managed identity, see [Using a system-assigned managed identity for an Azure Automation account](enable-managed-identity-for-automation.md)

+- Learn more about user assigned managed identity, see [Using a user-assigned managed identity for an Azure Automation account]( add-user-assigned-identity.md)

+- For an overview of Azure Automation account security, see [Automation account authentication overview](automation-security-overview.md).

+

+## July 2022

+### Support for Run As accounts

+**Type:** Plan for change

+Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities.Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+- Added support for Ubuntu 22.04

+* Ubuntu 16.04, 18.04, 20.04, and 22.04 LTS

+> [!NOTE]

+For more information, see [Azure Cache for Redis with Azure Private Link](cache-private-link.md).

+- Firewall rules configuration is available for all Basic, Standard, and Premium tiers.

+- Firewall rules configuration isn't available for Enterprise nor Enterprise Flash tiers.

+Configuration and management of Azure Cache for Redis instances is managed by Microsoft, which disables the following commands. If you try to invoke them, you receive an error message similar to `"(error) ERR unknown command"`.

+- [Monitor Azure Cache for Redis](cache-how-to-monitor.md)

+Managed identity for storage is only used with the import/export feature and persistence feature at present, which limits its use to the Premium tier of Azure Cache for Redis.

+Managed identity for storage is not supported on caches that have a dependency on Cloud Services (classic). For more information on how to check on whether your cache is using Cloud Services (classi), see [How do I know if a cache is affected?](cache-faq.yml#how-do-i-know-if-a-cache-is-affected).

+ Title: Add a custom WebGL layer to a map

+description: How to add a custom WebGL layer to a map using the Azure Maps Web SDK.

+# Add a custom WebGL layer to a map

+The Azure Maps Web SDK supports creating custom layers

+using [WebGL][getting_started_with_webgl]. WebGL is based

+on [OpenGL ES][OpenGL ES] and enables rendering 2D and 3D

+graphics in web browsers.

+Using WebGL, you can build high-performance interactive

+graphics that render in the browser in real-time that support

+scenarios like simulations, data visualization, animations and

+3D modeling.

+Developers can access the WebGL context of the map during

+rendering and use custom WebGL layers to integrate with other

+libraries such as [three.js][threejs] and [deck.gl][deckgl]

+to provide enriched and interactive content on the map.

+## Add a WebGL layer

+Before you can add a WebGL layer to a map, you need to have an object

+that implements the `WebGLRenderer` interface. First, create a WebGL

+layer by providing an `id` and `renderer` object to the constructor,

+then add the layer to the map to have it rendered.

+The following sample code demonstrates how to add a WebGL layer to a map:

+```js

+var myRenderer = {

+ /**

+ * Either "2d" or "3d". Defaults to "2d".

+ * - "3d" to use the depth buffer and share it with other layers

+ * - "2d" to add a layer with no depth. If you need to use the depth buffer for a "2d"

+ * layer you must use an offscreen framebuffer and the prerender method.

+ */

+ renderingMode: "2d",

+ /**

+ * Optional method called when the layer has been added to the Map.

+ * This gives the layer a chance to initialize gl resources and register event listeners.

+ * @param map The Map this custom layer was just added to.

+ * @param gl The gl context for the map.

+ */

+ onAdd: function (map, gl) {},

+ /**

+ * Optional method called when the layer has been removed from the Map.

+ * This gives the layer a chance to clean up gl resources and event listeners.

+ * @param map The Map this custom layer was just added to.

+ * @param gl The gl context for the map.

+ */

+ onRemove: function (map, gl) {},

+ /**

+ * Optional method called during a render frame to allow a layer to prepare resources

+ * or render into a texture.

+ *

+ * The layer cannot make any assumptions about the current GL state and must bind a framebuffer before rendering.

+ *

+ * @param gl The map's gl context.

+ * @param matrix The map's camera matrix.

+ */

+ prerender: function (gl, matrix) {},

+ /**

+ * Required. Called during a render frame allowing the layer to draw into the GL context.

+ *

+ * The layer can assume blending and depth state is set to allow the layer to

+ * properly blend and clip other layers. The layer cannot make any other

+ * assumptions about the current GL state.

+ *

+ * If the layer needs to render to a texture, it should implement the prerender

+ * method to do this and only use the render method for drawing directly into the

+ * main framebuffer.

+ *

+ * The blend function is set to gl.blendFunc(gl.ONE, gl.ONE_MINUS_SRC_ALPHA).

+ * This expects colors to be provided in premultiplied alpha form where the r, g and b

+ * values are already multiplied by the a value. If you are unable to provide colors in

+ * premultiplied form you may want to change the blend function to

+ * gl.blendFuncSeparate(gl.SRC_ALPHA, gl.ONE_MINUS_SRC_ALPHA, gl.ONE, gl.ONE_MINUS_SRC_ALPHA).

+ *

+ * @param gl The map's gl context.

+ * @param matrix The map's camera matrix.

+ */

+ render: function (gl, matrix) {}

+};

+

+//Add the layer to the map.

+map.layers.add(new atlas.layer.WebGLLayer("layerId", { renderer: myRenderer }));

+```

+> [!NOTE]

+> The `WebGLLayer` class supports the `minZoom`, `maxZoom`, and `visible` layer options.

+```js

+//Add the layer to the map with layer options.

+map.layers.add(new atlas.layer.WebGLLayer("layerId",

+ {

+ renderer: myRenderer,

+ minZoom: 10,

+ maxZoom: 22,

+ visible: true

+ }

+));

+```

+This sample renders a triangle on the map using a WebGL layer.

+<!-- Insert example here -->

+

+The map's camera matrix is used to project spherical Mercator point to

+gl coordinates. Mercator point \[0, 0\] represents the top left corner

+of the Mercator world and \[1, 1\] represents the bottom right corner.

+When the `renderingMode` is `"3d"`, the z coordinate is conformal.

+A box with identical x, y, and z lengths in Mercator units would be

+rendered as a cube.

+The `MercatorPoint` class has `fromPosition`, `fromPositions`, and

+`toFloat32Array` static methods that can be used to convert a geospatial

+Position to a Mercator point. Similarly the `toPosition` and `toPositions`

+methods can be used to project a Mercator point to a Position.

+## Render a 3D model

+Use a WebGL layer to render 3D models. The following example shows how

+to load a [glTF][glTF] file and render it on the map using [three.js][threejs].

+You need to add the following script files.

+```html

+<script src="https://unpkg.com/three@0.102.0/build/three.min.js"></script>

+<script src="https://unpkg.com/three@0.102.0/examples/js/loaders/GLTFLoader.js"></script>

+```

+This sample renders an animated 3D parrot on the map.

+<!-- Insert example here -->

+

+The `onAdd` function loads a `.glb` file into memory and instantiates

+three.js objects such as Camera, Scene, Light, and a `THREE.WebGLRenderer`.

+The `render` function calculates the projection matrix of the camera

+and renders the model to the scene.

+>[!TIP]

+>

+> - To have a continuous and smooth animation, you can trigger the repaint of

+a single frame by calling `map.triggerRepaint()` in the `render` function.

+> - To enable anti-aliasing simply set `antialias` to `true` as

+one of the style options while creating the map.

+## Render a deck.gl layer

+A WebGL layer can be used to render layers from the [deck.gl][deckgl]

+library. The following sample demonstrates the data visualization of

+people migration flow in the United States from county to county

+within a certain time range.

+You need to add the following script file.

+```html

+<script src="https://unpkg.com/deck.gl@8.8.9/dist.min.js"></script>

+```

+Define a layer class that extends `atlas.layer.WebGLLayer`.

+```js

+class DeckGLLayer extends atlas.layer.WebGLLayer {

+ constructor(options) {

+ super(options.id);

+ //Create an instance of deck.gl layer

+ this._mbLayer = new deck.MapboxLayer(options);

+ //Create a renderer

+ const deckGLRenderer = {

+ renderingMode: "3d",

+ onAdd: (map, gl) => {

+ this._mbLayer.onAdd?.(map["map"], gl);

+ },

+ onRemove: (map, gl) => {

+ this._mbLayer.onRemove?.(map["map"], gl);

+ },

+ prerender: (gl, matrix) => {

+ this._mbLayer.prerender?.(gl, matrix);

+ },

+ render: (gl, matrix) => {

+ this._mbLayer.render(gl, matrix);

+ }

+ };

+ this.setOptions({ renderer: deckGLRenderer });

+ }

+}

+```

+This sample renders an arc-layer from the [deck.gl][deckgl] library.

+

+## Next steps

+Learn more about the classes and methods used in this article:

+> [!div class="nextstepaction"]

+> [WebGLLayer][WebGLLayer]

+> [!div class="nextstepaction"]

+> [WebGLLayerOptions][WebGLLayerOptions]

+> [!div class="nextstepaction"]

+> [WebGLRenderer interface][WebGLRenderer interface]

+> [!div class="nextstepaction"]

+> [MercatorPoint][MercatorPoint]

+[getting_started_with_webgl]: https://developer.mozilla.org/en-US/docs/web/api/webgl_api/tutorial/getting_started_with_webgl

+[threejs]: https://threejs.org/

+[deckgl]: https://deck.gl/

+[glTF]: https://www.khronos.org/gltf/

+[OpenGL ES]: https://www.khronos.org/opengles/

+[WebGLLayer]: /javascript/api/azure-maps-control/atlas.layer.webgllayer

+[WebGLLayerOptions]: /javascript/api/azure-maps-control/atlas.webgllayeroptions

+[WebGLRenderer interface]: /javascript/api/azure-maps-control/atlas.webglrenderer

+[MercatorPoint]: /javascript/api/azure-maps-control/atlas.data.mercatorpoint

+| OpenSUSE 15 | X | | |

+>[!NOTE]

+>Machines and appliances that run heavily customized or stripped-down versions of the above distributions and hosted solutions that disallow customization by the user are not supported. Azure Monitor and legacy agents rely on various packages and other baseline functionality that is often removed from such systems, and their installation may require some environmental modifications considered to be disallowed by the appliance vendor. For instance, [GitHub Enterprise Server](https://docs.github.com/en/enterprise-server/admin/overview/about-github-enterprise-server) is not supported due to heavy customization as well as [documented, license-level disallowance](https://docs.github.com/en/enterprise-server/admin/overview/system-overview#operating-system-software-and-patches) of operating system modification.

+Leave product feedback for the engineering team on [UserVoice](https://feedback.azure.com/d365community/forum/3887dc70-2025-ec11-b6e6-000d3a4f09d0).

+# Using Azure Monitor Application Insights with Spring Boot

+There are two options for enabling Application Insights Java with Spring Boot: JVM argument and programmatically.

+## Enabling with JVM argument

+### Configuration

+See [configuration options](./java-standalone-config.md).

+## Enabling programmatically

+To enable Application Insights Java programmatically, you must add the following dependency:

+And invoke the `attach()` method of the `com.microsoft.applicationinsights.attach.ApplicationInsights` class

+in the first line of your `main()` method.

+> The invocation must be at the beginning of the `main` method.

+### Configuration

+> [!NOTE]

+> Spring's `application.properties` or `application.yaml` files are not supported as

+> as sources for Application Insights Java configuration.

+Programmatic enablement supports all the same [configuration options](./java-standalone-config.md)

+as the JVM argument enablement, with the following differences below.

+#### Configuration file location

+By default, when enabling Application Insights Java programmatically, the configuration file `applicationinsights.json`

+will be read from the classpath.

+See [configuration file path configuration options](./java-standalone-config.md#configuration-file-path)

+to change this location.

+#### Self-diagnostic log file location

+By default, when enabling Application Insights Java programmatically, the `applicationinsights.log` file containing

+the agent logs will be located in the directory from where the JVM is launched (user directory).

+See [self-diagnostic configuration options](./java-standalone-config.md#self-diagnostics) to change this location.

+ "connectionString": "...",

+ "connectionString": "..."

+The file should contain only the connection string and nothing else.

+ "connectionString": "..."

+ "connectionString": "..."

+ "connectionString": "...",

+- Make a feature request at the [Azure Feedback Forum](https://feedback.azure.com/d365community/forum/3887dc70-2025-ec11-b6e6-000d3a4f09d0).

+Azure Monitor provides several ways to interact with metrics, including charting them in the Azure portal, accessing them through the REST API, or querying them by using PowerShell or the Azure CLI (Command Line Interface).

+## Units of measure in metrics charts

+Azure monitor metrics uses SI based prefixes. Metrics will only be using IEC prefixes if the resource provider has chosen an appropriate unit for a metric.

+For ex: The resource provider Network interface (resource name: rarana-vm816) has no metric unit defined for "Packets Sent". The prefix used for the metric value here is k representing kilo (1000), a SI prefix.

+

+The resource provider Storage account (resource name: ibabichvm) has metric unit defined for "Blob Capacity" as bytes. Hence, the prefix used is mebi (1024^2), an IEC prefix.

+

+SI uses decimal

+| Value | abbreviation | SI |

+|::|::|:-:|

+| 1000 | k | kilo |

+| 1000^2 | M | mega |

+| 1000^3 | G | giga |

+| 1000^4 | T | tera |

+| 1000^5 | P | peta |

+| 1000^6 | E | exa |

+| 1000^7 | Z | zetta |

+| 1000^8 | Y | yotta |

+IEC uses binary

+|Value | abbreviation| IEC |Legacy| |

+|:-:|:--:|::|:-:|::|

+|1024 | Ki |kibi | K | kilo|

+|1024^2| Mi |mebi | M | mega|

+|1024^3| Gi |gibi | G | giga|

+|1024^4| Ti |tebi | T | tera|

+|1024^5| Pi |pebi | - | |

+|1024^6| Ei |exbi | - | |

+|1024^7| Zi |zebi | - | |

+|1024^8| Yi |yobi | - | |

+* You cannot create a standard volume from the snapshot of a basic volume.

+* Conversion between Basic and Standard networking features in either direction is not currently supported.

+* The AD connection admin account supports Kerberos AES-128 and Kerberos AES-256 encryption types for authentication with AD DS for Azure NetApp Files machine account creation (for example, AD domain join operations).

+ If you set both AES-128 and AES-256 Kerberos encryption on the admin account of the AD connection, the highest level of encryption supported by your AD DS will be used.

+* If you have a requirement to enable and disable certain Kerberos encryption types for Active Directory computer accounts for domain-joined Windows hosts used with Azure NetApp Files, you must use the Group Policy `Network Security: Configure Encryption types allowed for Kerberos`.

+ Do not set the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes`. Doing this will break Kerberos authentication with Azure NetApp Files for the Windows host where this registry key was manually set.

+ >[!NOTE]

+ >The default policy setting for `Network Security: Configure Encryption types allowed for Kerberos` is `Not Defined`. When this policy setting is set to `Not Defined`, all encryption types except DES will be available for Kerberos encryption. You have the option to enable support for only certain Kerberos encryption types (for example, `AES128_HMAC_SHA1` or `AES256_HMAC_SHA1`). However, the default policy should be sufficient in most cases when enabling AES encryption support with Azure NetApp Files.

+ For more information, refer to [Network security: Configure encryption types allowed for Kerberos](/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos) or [Windows Configurations for Kerberos Supported Encryption Types](/archive/blogs/openspecification/windows-configurations-for-kerberos-supported-encryption-type)

+* For more information, refer to the [Set-ADUser documentation](/powershell/module/activedirectory/set-aduser).

+* [Visual Studio 2019 or later](https://www.visualstudio.com). The examples in this tutorial use Visual Studio 2022.

+This article describes the lambda functions to use in Bicep. [Lambda expressions (or lambda functions)](https://learn.microsoft.com/dotnet/csharp/language-reference/operators/lambda-expressions) are essentially blocks of code that can be passed as an argument. They can take multiple parameters, but are resticted to a single line of code. In Bicep, lambda expression is in this format:

+ If a resource group's region is temporarily unavailable, you can't update resources in the resource group because the metadata is unavailable. The resources in other regions will still function as expected, but you can't update them. This condition doesn't apply to global resources like Azure Content Delivery Network, Azure DNS, Azure DNS Private Zones, Azure Traffic Manager, and Azure Front Door.

+## Key Vault in private network

+If you have configured [Private Endpoint](../private-link/private-endpoint-overview.md) to your Key Vault, Azure SignalR Service cannot access the Key Vault via public network. You need to set up a [Shared Private Endpoint](./howto-shared-private-endpoints-key-vault.md) to let Azure SignalR Service access your Key Vault via private network.

+After you create a Shared Private Endpoint, you can create a custom certificate as usual. **You don't have to change the domain in Key Vault URI**. For example, if your Key Vault base URI is `https://contoso.vault.azure.net`, you still use this URI to configure custom certificate.

+You don't have to explicitly allow Azure SignalR Service IPs in Key Vault firewall settings. For more info, see [Key Vault private link diagnostics](../key-vault/general/private-link-diagnostics.md).

+ Title: Access Key Vault in private network through Shared Private Endpoints

+description: How to access key vault in private network through Shared Private Endpoints

+# Access Key Vault in private network through Shared Private Endpoints

+Azure SignalR Service can access your Key Vault in private network through Shared Private Endpoints. In this way you don't have to expose your Key Vault on public network.

+ :::image type="content" alt-text="Diagram showing architecture of shared private endpoint." source="media\howto-shared-private-endpoints-key-vault\shared-private-endpoint-overview.png" :::

+## Shared Private Link Resources Management

+Private endpoints of secured resources that are created through Azure SignalR Service APIs are referred to as *shared private link resources*. This is because you're "sharing" access to a resource, such as an Azure Key Vault, that has been integrated with the [Azure Private Link service](https://azure.microsoft.com/services/private-link/). These private endpoints are created inside Azure SignalR Service execution environment and aren't directly visible to you.

+> [!NOTE]

+> The examples in this article are based on the following assumptions:

+> * The resource ID of this Azure SignalR Service is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/signalr/contoso-signalr_.

+> * The resource ID of Azure Key Vault is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv_.

+The rest of the examples show how the *contoso-signalr* service can be configured so that its outbound calls to Key Vault go through a private endpoint rather than public network.

+### Step 1: Create a shared private link resource to the Key Vault

+#### [Azure portal](#tab/azure-portal)

+1. In the Azure portal, go to your Azure SignalR Service resource.

+1. In the menu pane, select **Networking**. Switch to **Private access** tab.

+1. Click **Add shared private endpoint**.

+ :::image type="content" alt-text="Screenshot of shared private endpoints management." source="media\howto-shared-private-endpoints-key-vault\portal-shared-private-endpoints-management.png" lightbox="media\howto-shared-private-endpoints-key-vault\portal-shared-private-endpoints-management.png" :::

+1. Fill in a name for the shared private endpoint.

+1. Select the target linked resource either by selecting from your owned resources or by filling a resource ID.

+1. Click **Add**.

+ :::image type="content" alt-text="Screenshot of adding a shared private endpoint." source="media\howto-shared-private-endpoints-key-vault\portal-shared-private-endpoints-add.png" :::

+1. The shared private endpoint resource will be in **Succeeded** provisioning state. The connection state is **Pending** approval at target resource side.

+ :::image type="content" alt-text="Screenshot of an added shared private endpoint." source="media\howto-shared-private-endpoints-key-vault\portal-shared-private-endpoints-added.png" lightbox="media\howto-shared-private-endpoints-key-vault\portal-shared-private-endpoints-added.png" :::

+#### [Azure CLI](#tab/azure-cli)

+You can make the following API call with the [Azure CLI](/cli/azure/) to create a shared private link resource:

+```dotnetcli

+az rest --method put --uri https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/signalr/contoso-signalr/sharedPrivateLinkResources/kv-pe?api-version=2021-06-01-preview --body @create-pe.json

+```

+The contents of the *create-pe.json* file, which represent the request body to the API, are as follows:

+```json

+{

+ "name": "contoso-kv",

+ "properties": {

+ "privateLinkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv",

+ "groupId": "vault",

+ "requestMessage": "please approve"

+ }

+}

+```

+The process of creating an outbound private endpoint is a long-running (asynchronous) operation. As in all asynchronous Azure operations, the `PUT` call returns an `Azure-AsyncOperation` header value that looks like the following:

+```plaintext

+"Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/signalr/contoso-signalr/operationStatuses/c0786383-8d5f-4554-8d17-f16fcf482fb2?api-version=2021-06-01-preview"

+```

+You can poll this URI periodically to obtain the status of the operation.

+If you're using the CLI, you can poll for the status by manually querying the `Azure-AsyncOperationHeader` value,

+```dotnetcli

+az rest --method get --uri https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/signalr/contoso-signalr/operationStatuses/c0786383-8d5f-4554-8d17-f16fcf482fb2?api-version=2021-06-01-preview

+```

+Wait until the status changes to "Succeeded" before proceeding to the next steps.

+--

+### Step 2a: Approve the private endpoint connection for the Key Vault

+#### [Azure portal](#tab/azure-portal)

+1. In the Azure portal, select the **Networking** tab of your Key Vault and navigate to **Private endpoint connections**. After the asynchronous operation has succeeded, there should be a request for a private endpoint connection with the request message from the previous API call.

+ :::image type="content" alt-text="Screenshot of the Azure portal, showing the Private endpoint connections pane." source="media\howto-shared-private-endpoints-key-vault\portal-key-vault-approve-private-endpoint.png" :::

+1. Select the private endpoint that Azure SignalR Service created. Click **Approve**.

+ Make sure that the private endpoint connection appears as shown in the following screenshot. It could take one to two minutes for the status to be updated in the portal.

+ :::image type="content" alt-text="Screenshot of the Azure portal, showing an Approved status on the Private endpoint connections pane." source="media\howto-shared-private-endpoints-key-vault\portal-key-vault-approved-private-endpoint.png" :::

+#### [Azure CLI](#tab/azure-cli)

+1. List private endpoint connections.

+ ```dotnetcli

+ az network private-endpoint-connection list -n <key-vault-resource-name> -g <key-vault-resource-group-name> --type 'Microsoft.KeyVault/vaults'

+ ```

+ There should be a pending private endpoint connection. Note down its ID.

+ ```json

+ [

+ {

+ "id": "<id>",

+ "location": "",

+ "name": "",

+ "properties": {

+ "privateLinkServiceConnectionState": {

+ "actionRequired": "None",

+ "description": "Please approve",

+ "status": "Pending"

+ }

+ }

+ }

+ ]

+ ```

+1. Approve the private endpoint connection.

+ ```dotnetcli

+ az network private-endpoint-connection approve --id <private-endpoint-connection-id>

+ ```

+--

+### Step 2b: Query the status of the shared private link resource

+It takes minutes for the approval to be propagated to Azure SignalR Service. You can check the state using either Azure portal or Azure CLI.

+#### [Azure portal](#tab/azure-portal)

+ :::image type="content" alt-text="Screenshot of an approved shared private endpoint." source="media\howto-shared-private-endpoints-key-vault\portal-shared-private-endpoints-approved.png" lightbox="media\howto-shared-private-endpoints-key-vault\portal-shared-private-endpoints-approved.png" :::

+#### [Azure CLI](#tab/azure-cli)

+```dotnetcli

+az rest --method get --uri https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/signalr/contoso-signalr/sharedPrivateLinkResources/func-pe?api-version=2021-06-01-preview

+```

+This would return a JSON, where the connection state would show up as "status" under the "properties" section.

+```json

+{

+ "name": "contoso-kv",

+ "properties": {

+ "privateLinkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv",

+ "groupId": "vaults",

+ "requestMessage": "please approve",

+ "status": "Approved",

+ "provisioningState": "Succeeded"

+ }

+}

+```

+If the "Provisioning State" (`properties.provisioningState`) of the resource is `Succeeded` and "Connection State" (`properties.status`) is `Approved`, it means that the shared private link resource is functional and Azure SignalR Service can communicate over the private endpoint.

+--

+At this point, the private endpoint between Azure SignalR Service and Azure Key Vault is established.

+Now you can configure features like custom domain as usual. **You don't have to use a special domain for Key Vault**. DNS resolution is automatically handled by Azure SignalR Service.

+## Next steps

+Learn more:

+> * The resource ID of upstream Azure Function is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.Web/sites/contoso-func_.

+- [Azure NetApp Files with Azure VMware Solution](netapp-files-with-azure-vmware-solution.md) - You can use Azure NetApp Files to migrate and run the most demanding enterprise file-workloads in the cloud: databases, and general purpose computing applications, with no code changes. Azure NetApp Files volumes can be attached to virtual machines and can also be connected as data stores directly to Azure VMware Solution. This functionality is in preview.

+## Data Residency and Customer Data

+Azure VMware Solution does not store customer data.

+* The file size of images must be less than 500 MB (4 MB for the free tier) and dimensions at least 50 x 50 pixels and at most 10000 x 10000 pixels. PDF files do not have a dimensions limit.

+| Conversation PII | 40,000 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements).|

+You can control the none intent threshold from UI through the project settings, by changing the none intent threshold value. The values can be between 0.0 and 1.0. Also, you can change this threshold from the APIs by changing the *confidenceThreshold* in settings object. Learn more about [none intent](./concepts/none-intent.md#none-score-threshold)

+Alternatively, you can search for "Azure.AI.Language.Conversations" in the NuGet package manager and install the latest release.

+4. Replace the project and deployment parameters to **Orchestrator** and **Testing** as below if they are not set already.

+string projectName = "Orchestrator";

+string deploymentName = "Testing";

+Setting the service configuration flag IsInferenceExplainabilityEnabled in your service configuration enables Personalizer to include feature values and weights in the Rank API response. To update your current service configuration, use the [Service Configuration ΓÇô Update API](/rest/api/personalizer/1.1preview1/service-configuration/update?tabs=HTTP). In the JSON request body, include your current service configuration and add the additional entry: `ΓÇ£IsInferenceExplainabilityEnabledΓÇ¥: true`. If you donΓÇÖt know your current service configuration, you can obtain it from the [Service Configuration ΓÇô Get API](/rest/api/personalizer/1.1preview1/service-configuration/get?tabs=HTTP)

+In the example above, three action IDs are returned in the _ranking_ collection along with their respective probabilities scores. The action with the largest probability is the _best action_ as determined by the model trained on data sent to the Personalizer APIs, which in this case is `"id": "EntertainmentArticle"`. The action ID can be seen again in the _inferenceExplanation_ collection, along with the feature names and scores determined by the model for that action and the features and values sent to the Rank API.

+### September 2022

+* Personalizer Inference Explainabiltiy is now available as a Public Preview. Enabling inference explainability returns feature scores on every Rank API call, providing insight into how influential each feature is to the actions chosen by your Personalizer model. [Learn more about Inference Explainability] (concepts-features#inference-explainability).

+* Personalizer SDK now available in [Java](https://search.maven.org/artifact/com.azure/azure-ai-personalizer/1.0.0-beta.1/jar) and [Javascript](https://www.npmjs.com/package/@azure-rest/ai-personalizer).

+ --context https://github.com/$GIT_USER/acr-build-helloworld-node.git#master \

+ "contextPath": "https://github.com/gituser/acr-build-helloworld-node#master",

+ "repositoryUrl": "https://github.com/gituser/acr-build-helloworld-node#master",

+git push origin master

+In consistent prefix, updates made as single document writes see eventual consistency. Updates made as a batch within a transaction, are returned consistent to the transaction in which they were committed. Write operations within a transaction of multiple documents are always visible together.

+Assume two write operations are performed on documents Doc1 and Doc2, within transactions T1 and T2. When client does a read in any replica, the user will see either ΓÇ£Doc1 v1 and Doc2 v1ΓÇ¥ or ΓÇ£ Doc1 v2 and Doc2 v2ΓÇ¥, but never ΓÇ£Doc1 v1 and Doc2 v2ΓÇ¥ or ΓÇ£Doc1 v2 and Doc2 v1ΓÇ¥ for the same read or query operation.

+Below are the consistency guarantees for Consistent Prefix within a transaction context (single document writes see eventual consistency):

+ Title: Configure cross-tenant customer-managed keys for your Azure Cosmos DB account with Azure Key Vault (preview)

+description: Learn how to configure encryption with customer-managed keys for Azure Cosmos DB using an Azure Key Vault that resides in a different tenant.

+# Configure cross-tenant customer-managed keys for your Azure Cosmos DB account with Azure Key Vault (preview)

+Data stored in your Azure Cosmos DB account is automatically and seamlessly encrypted with service-managed keys managed by Microsoft. However, you can choose to add a second layer of encryption with keys you manage. These keys are known as customer-managed keys (or CMK). Customer-managed keys are stored in an Azure Key Vault instance.

+This article walks through how to configure encryption with customer-managed keys at the time that you create an Azure Cosmos DB account. In this example cross-tenant scenario, the Azure Cosmos DB account resides in a tenant managed by an Independent Software Vendor (ISV) referred to as the service provider. The key used for encryption of the Azure Cosmos DB account resides in a key vault in a different tenant that is managed by the customer.

+## About the preview

+To use the preview, you must register for the Azure Active Directory federated client identity feature in the service provider's tenant. Follow these instructions to register with Azure PowerShell or Azure CLI:

+### [Portal](#tab/azure-portal)

+Not yet supported.

+### [PowerShell](#tab/azure-powershell)

+To register with Azure PowerShell, use the [Register-AzProviderFeature](/powershell/module/az.resources/register-azproviderfeature) cmdlet.

+```azurepowershell

+$parameters = @{

+ FeatureName = "FederatedClientIdentity"

+ ProviderNamespace = "Microsoft.Storage"

+}

+Register-AzProviderFeature @parameters

+```

+To check the status of your registration, use [Get-AzProviderFeature](/powershell/module/az.resources/get-azproviderfeature).

+```azurepowershell

+$parameters = @{

+ FeatureName = "FederatedClientIdentity"

+ ProviderNamespace = "Microsoft.Storage"

+}

+Get-AzProviderFeature @parameters

+```

+After your registration is approved, you must re-register the Azure Storage resource provider. To re-register the resource provider with PowerShell, use [Register-AzResourceProvider](/powershell/module/az.resources/register-azresourceprovider).

+```azurepowershell

+$parameters = @{

+ ProviderNamespace = "Microsoft.Storage"

+}

+Register-AzResourceProvider @parameters

+```

+### [Azure CLI](#tab/azure-cli)

+To register with Azure CLI, use the [az feature register](/cli/azure/feature#az-feature-register) command.

+```azurecli

+az feature register \

+ --name FederatedClientIdentity \

+ --namespace Microsoft.Storage

+```

+To check the status of your registration with Azure CLI, use [az feature show](/cli/azure/feature#az-feature-show).

+```azurecli

+az feature show \

+ --name FederatedClientIdentity \

+ --namespace Microsoft.Storage

+```

+After your registration is approved, you must re-register the Azure Storage resource provider. To re-register the resource provider with Azure CLI, use [az provider register](/cli/azure/provider#az-provider-register).

+```azurecli

+az provider register \

+ --namespace 'Microsoft.Storage'

+```

+> [!IMPORTANT]

+> Using cross-tenant customer-managed keys with Azure Cosmos DB encryption is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Create a new Azure Cosmos DB account encrypted with a key from a different tenant

+> [!NOTE]

+> Cross-tenant customer-managed keys with Azure Cosmos DB encryption PREVIEW is not compatible with Continuous Backup or Azure Synapse link features.

+Up to this point, you've configured the multi-tenant application on the service provider's tenant. You've also installed the application on the customer's tenant and configured the key vault and key on the customer's tenant. Next you can create an Azure Cosmos DB account on the service provider's tenant and configure customer-managed keys with the key from the customer's tenant.

+When creating an Azure Cosmos DB account with customer-managed keys, we must ensure that it has access to the keys the customer used. In single-tenant scenarios, either give direct key vault access to the Azure Cosmos DB principal or use a specific managed identity. In a cross-tenant scenario, we can no longer depend on direct access to the key vault as it is in another tenant managed by the customer. This constraint is the reason in the previous sections we created a cross-tenant application and registered a managed identity inside the application to give it access to the customer's key vault. This managed identity, coupled with the cross-tenant application ID, is what we'll use when creating the cross-tenant CMK Azure Cosmos DB Account. For more information, see the [Phase 3 - The service provider encrypts data in an Azure resource using the customer-managed key](#phase-3the-service-provider-encrypts-data-in-an-azure-resource-using-the-customer-managed-key) section of this article.

+Whenever a new version of the key is available in the key vault, it will be automatically updated on the Azure Cosmos DB account.

+## Using Azure Resource Manager JSON templates

+Deploy an ARM template with the following specific parameters:

+> [!NOTE]

+> If you are recreating this sample in one of your Azure Resource Manager templates, use an `apiVersion` of `2022-05-15`.

+| Parameter | Description | Example value |

+| | | |

+| `keyVaultKeyUri` | Identifier of the customer-managed key residing in the service provider's key vault. | `https://my-vault.vault.azure.com/keys/my-key` |

+| `identity` | Object specifying that the managed identity should be assigned to the Azure Cosmos DB account. | `"identity":{"type":"UserAssigned","userAssignedIdentities":{"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity":{}}}` |

+| `defaultIdentity` | Combination of the resource ID of the managed identity and the application ID of the multi-tenant Azure Active Directory application. | `UserAssignedIdentity=/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity&FederatedClientId=11111111-1111-1111-1111-111111111111` |

+Here's an example of a template segment with the three parameters configured:

+```json

+{

+ "kind": "GlobalDocumentDB",

+ "location": "East US 2",

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity": {}

+ }

+ },

+ "properties": {

+ "locations": [

+ {

+ "locationName": "East US 2",

+ "failoverPriority": 0,

+ "isZoneRedundant": false

+ }

+ ],

+ "databaseAccountOfferType": "Standard",

+ "keyVaultKeyUri": "https://my-vault.vault.azure.com/keys/my-key",

+ "defaultIdentity": "UserAssignedIdentity=/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity&FederatedClientId=11111111-1111-1111-1111-111111111111"

+ }

+}

+```

+> [!IMPORTANT]

+> This feature is not yet supported in Azure PowerShell, Azure CLI, or the Azure portal.

+You can't configure customer-managed keys with a specific version of the key version when you create a new Azure Cosmos DB account. The key itself must be passed with no versions and no trailing backslashes.

+To Revoke or Disable customer-managed keys, see [configure customer-managed keys for your Azure Cosmos DB account with Azure Key Vault](how-to-setup-customer-managed-keys.md)

+## See also

+- [Configure customer-managed keys for your Azure Cosmos account with Azure Key Vault](how-to-setup-cmk.md)

+To join this program and assess your full eligibility, all you have to do is to fill [this survey](https://aka.ms/cosmosdb-high-storage-low-throughput-program). The Azure Cosmos DB team will then follow up and proceed with your onboarding.

+ if(items.length != 1) throw 'Unable to find metadata document';

+ var metadataItem = items[0];

+ // update metadata

+ metadataItem.createdItems += 1;

+ metadataItem.createdNames += " " + createdItem.id;

+ var accept = container.replaceDocument(metadataItem._self,

+ metadataItem, function(err, itemReplaced) {

+ if(err) throw "Unable to update metadata, abort";

+ });

+ if(!accept) throw "Unable to update metadata, abort";

+ return;

+ Title: Create and manage Azure Cosmos DB with terraform

+description: Use terraform to create and configure Azure Cosmos DB for Core (SQL) API

+# Manage Azure Cosmos DB Core (SQL) API resources with terraform

+In this article, you learn how to use terraform to deploy and manage your Azure Cosmos DB accounts, databases, and containers.

+This article shows terraform samples for Core (SQL) API accounts.

+> [!IMPORTANT]

+>

+> * Account names are limited to 44 characters, all lowercase.

+> * To change the throughput (RU/s) values, redeploy the terraform file with updated RU/s.

+> * When you add or remove locations to an Azure Cosmos account, you can't simultaneously modify other properties. These operations must be done separately.

+> * To provision throughput at the database level and share across all containers, apply the throughput values to the database options property.

+To create any of the Azure Cosmos DB resources below, copy the example into a new terraform file (main.tf) or alternatively, have 2 separate files for resources (main.tf) and variables (variables.tf). Be sure to include the azurerm provider either in the main terraform file or split out to a separate providers file. All examples can be found on the [terraform samples repository](https://github.com/Azure/terraform).

+<a id="create-autoscale"></a>

+## Azure Cosmos account with autoscale throughput

+Create an Azure Cosmos account in two regions with options for consistency and failover, with database and container configured for autoscale throughput that has most index policy options enabled.

+### main.tf

+### variables.tf

+<a id="create-analytical-store"></a>

+## Azure Cosmos account with analytical store

+Create an Azure Cosmos account in one region with a container with Analytical TTL enabled and options for manual or autoscale throughput.

+### main.tf

+### variables.tf

+<a id="create-manual"></a>

+## Azure Cosmos account with standard provisioned throughput

+Create an Azure Cosmos account in two regions with options for consistency and failover, with database and container configured for standard throughput that has most policy options enabled.

+### main.tf

+### variables.tf

+<a id="create-sproc"></a>

+## Azure Cosmos DB container with server-side functionality

+Create an Azure Cosmos account, database and container with a stored procedure, trigger, and user-defined function.

+### main.tf

+### variables.tf

+<a id="create-rbac"></a>

+## Azure Cosmos DB account with Azure AD and RBAC

+Create an Azure Cosmos account, a natively maintained Role Definition, and a natively maintained Role Assignment for an Azure Active Directory identity.

+### main.tf

+### variables.tf

+<a id="free-tier"></a>

+## Free tier Azure Cosmos DB account

+Create a free-tier Azure Cosmos account and a database with shared throughput that can be shared with up to 25 containers.

+### main.tf

+### variables.tf

+## Next steps

+Here are some additional resources:

+* [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli)

+* [Terraform Azure Tutorial](https://learn.hashicorp.com/collections/terraform/azure-get-started)

+* [Terraform tools](https://www.terraform.io/docs/terraform-tools)

+* [Azure Provider Terraform documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)

+* [Terraform documentation](https://www.terraform.io/docs)

+ Title: Quickstart - Create an Azure Cosmos DB and a container using Terraform

+description: Quickstart showing how to an Azure Cosmos database and a container using Terraform

+tags: azure-resource-manager, terraform

+#Customer intent: As a database admin who is new to Azure, I want to use Azure Cosmos DB to store and manage my data.

+# Quickstart: Create an Azure Cosmos DB and a container using Terraform

+Azure Cosmos DB is MicrosoftΓÇÖs fast NoSQL database with open APIs for any scale. You can use Azure Cosmos DB to quickly create and query key/value databases, document databases, and graph databases. Without a credit card or an Azure subscription, you can set up a free [Try Azure Cosmos DB account](https://aka.ms/trycosmosdb). This quickstart focuses on the process of deployments via Terraform to create an Azure Cosmos database and a container within that database. You can later store data in this container.

+## Prerequisites

+An Azure subscription or free Azure Cosmos DB trial account

+- [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]

+Terraform should be installed on your local computer. Installation instructions can be found [here](https://learn.hashicorp.com/tutorials/terraform/install-cli).

+## Review the Terraform File

+The Terraform files used in this quickstart can be found on the [terraform samples repository](https://github.com/Azure/terraform). Please create the below 3 files: providers.tf, main.tf and variables.tf. Variables can be set in command line or alternatively with a terraforms.tfvars file.

+### Provider Terraform File

+### Main Terraform File

+### Variables Terraform File

+Three Cosmos DB resources are defined in the main terraform file.

+- [Microsoft.DocumentDB/databaseAccounts](/azure/templates/microsoft.documentdb/databaseaccounts): Create an Azure Cosmos account.

+- [Microsoft.DocumentDB/databaseAccounts/sqlDatabases](/azure/templates/microsoft.documentdb/databaseaccounts/sqldatabases): Create an Azure Cosmos database.

+- [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers](/azure/templates/microsoft.documentdb/databaseaccounts/sqldatabases/containers): Create an Azure Cosmos container.

+## Deploy via terraform

+1. Save the terraform files as main.tf, variables.tf and providers.tf to your local computer.

+2. Login to your terminal via Azure CLI or Powershell

+3. Deploy via Terraform commands

+ - terraform init

+ - terraform plan

+ - terraform apply

+## Validate the deployment

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group "your resource group name"

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName "your resource group name"

+```

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place.

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name "your resource group name"

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name "your resource group name"

+```

+## Next steps

+In this quickstart, you created an Azure Cosmos account, a database and a container via terraform and validated the deployment. To learn more about Azure Cosmos DB and Terraform, continue on to the articles below.

+- Read an [Overview of Azure Cosmos DB](../introduction.md).

+- Learn more about [Terraform](https://www.terraform.io/intro).

+- Learn more about [Azure Terraform Provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs).

+- [Manage Cosmos DB with Terraform](manage-with-terraform.md)

+- Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.

+ - If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md).

+ - If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md).

+ Title: Terraform samples for Azure Cosmos DB Core (SQL API)

+description: Use Terraform to create and configure Azure Cosmos DB.

+# Terraform for Azure Cosmos DB

+This article shows Terraform samples for Core (SQL) API accounts.

+## Core (SQL) API

+|**Sample**|**Description**|

+|||

+|[Create an Azure Cosmos account, database, container with autoscale throughput](manage-with-terraform.md#create-autoscale) | Create a Core (SQL) API account in two regions, a database and container with autoscale throughput. |

+|[Create an Azure Cosmos account, database, container with analytical store](manage-with-terraform.md#create-analytical-store) | Create a Core (SQL) API account in one region with a container configured with Analytical TTL enabled and option to use manual or autoscale throughput. |

+|[Create an Azure Cosmos account, database, container with standard (manual) throughput](manage-with-terraform.md#create-manual) | Create a Core (SQL) API account in two regions, a database and container with standard throughput. |

+|[Create an Azure Cosmos account, database and container with a stored procedure, trigger and UDF](manage-with-terraform.md#create-sproc) | Create a Core (SQL) API account in two regions with a stored procedure, trigger and UDF for a container. |

+|[Create an Azure Cosmos account with Azure AD identity, Role Definitions and Role Assignment](manage-with-terraform.md#create-rbac) | Create a Core (SQL) API account with Azure AD identity, Role Definitions and Role Assignment on a Service Principal. |

+|[Create a free-tier Azure Cosmos account](manage-with-terraform.md#free-tier) | Create an Azure Cosmos DB Core (SQL) API account on free-tier. |

+## Next steps

+Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.

+* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

+* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

+When the SDK initializes with a configuration that specifies regional preference, it will first obtain the account information including the available regions from the global endpoint. It will then apply an intersection of the configured regional preference and the account's available regions and use the order in the regional preference to prioritize the result.

+If the regional preference configuration contains regions that aren't an available region in the account, the values will be ignored. If these invalid regions are [added later to the account](#adding-a-region-to-an-account), the SDK will use them if they're higher in the preference configuration.

+| Single write region | Preferred region with highest order | Primary region |

+| Multiple write regions | Preferred region with highest order | Preferred region with highest order |

+ :::image type="content" source="media/tutorial-data-flow/orchestrate.png" alt-text="Screenshot that shows the data factory home page with the Orchestrate button highlighted.":::

+* Create a pipeline with a copy activity.

+AdventureWorks is a fictional sports equipment retailer that is used to demo Microsoft applications. In this case, they're being used as an example for how to use Synapse Pipelines to map retail data to the Retail database template for further analysis within Azure Synapse.

+The template is designed to require minimal configuration. From the template overview page you can see a preview of the initial starting configuration of the pipeline, and select **Open pipeline** to create the resources in your own workspace. You'll get a notification that all 31 resources in the template have been created, and can review these before committing or publishing them. You'll find the below components of the template:

+The AdventureWorks dataset in Excel format can be downloaded from this [GitHub site](https://github.com/kromerm/adfdataflowdocs/blob/master/sampledat).

+* Data flow sources. If you used different column or table names than what were provided in the example schema, you'll need to step through the data flows to verify that the columns are mapped correctly.

+Many times, when processing data for ETL jobs, you'll need to change the column names before writing the results. Sometimes this is needed to align column names to a well-known target schema. Other times, you may need to set column names at runtime based on evolving schemas. In this tutorial, you'll learn how to use data flows to set column names for your destination files and database tables dynamically using external configuration files and parameters.

+1. In the **Adding Data Flow** pop-up, select **Create new Data Flow** and then name your data flow **DynaCols**. Select Finish when done.

+1. Select on the source transformation and call it ```movies1```.

+1. Select the new button next to dataset in the bottom panel.

+1. Add a second source, which we'll use to source the configuration JSON file to look up field mappings.

+1. Set this source setting to ```array of documents```.

+1. Add a third source and call it ```movies2```. Configure this exactly the same as ```movies1```.

+In this first scenario, you'll set output column names in your data flow by setting the column mapping based on matching incoming fields with a parameter that is a string array of columns and match each array index with the incoming column ordinal position. When executing this data flow from a pipeline, you'll be able to set different column names on each pipeline execution by sending in this string array parameter to the data flow activity.

+1. Select on the parameters tab

+1. We're going to change the first three column names to the new names defined in the parameter

+1. To do this, add three rule-based mapping entries in the bottom pane

+1. Select on the Inspect and Data Preview tabs of the Select transformation to view the new column name values ```(a,b,c)``` replace the original movie, title, genres column names

+### Look up columns names from cached sink

+1. Go back to the data flow designer and edit the data flow create above. Select on the ```movies2``` source transformation.

+1. Select on the Data Preview and Inspect tabs in the Select transformation and you should now see the new column names from the external mapping file.

+1. Select **Open Azure Data Factory Studio** to launch the Data Factory UI in a separate tab.

+ :::image type="content" source="./media/tutorial-data-flow/orchestrate.png" alt-text="Screenshot that shows the data factory home page with the Orchestrate button highlighted.":::

+ :::image type="content" source="./media/tutorial-data-flow/orchestrate.png" alt-text="Screenshot that shows the data factory home page with the Orchestrate button highlighted.":::

+After your data factory is created, open its overview page in the Azure portal. Select the **Open Azure Data Factory Studio** tile to open the **Let's get started** page on a separate tab. There, you can continue to create your Azure-SSIS IR.

+ :::image type="content" source="./media/doc-common-process/configure-ssis-button.png" alt-text="Screenshot that shows the Azure Data Factory home page.":::

+1. Select your ADF with Azure-SSIS IR in the list. You see the home page for your ADF. Select the **Open Azure Data Factory Studio** tile. You see ADF UI on a separate tab.

+ :::image type="content" source="./media/tutorial-data-flow/orchestrate.png" alt-text="Screenshot that shows the data factory home page with the Orchestrate button highlighted.":::

+ :::image type="content" source="./media/tutorial-data-flow/orchestrate.png" alt-text="Screenshot that shows the data factory home page with the Orchestrate button highlighted.":::

+

+All group identifiers (emails) will be of form {groupType}.{serviceName|resourceName}.{permission}@{partition}.{domain}.com. A group naming convention has been adopted such that the group's name should start with the word "data." for data groups; "service." for service groups; and "users." for user groups. An exception is when a data partition is provisioned. When a data partition is created, so is a corresponding group-for example, for data partition `opendes`, the group `users@opendes.dataservices.energy` is created.

+## Permissions and roles

+# How to manage legal tags

+In this article, you'll know how to manage legal tags in your Microsoft Energy Data Services Preview instance. A Legal tag is the entity that represents the legal status of data in the Microsoft Energy Data Services Preview instance. Legal tag is a collection of properties that governs how data can be ingested and consumed. A legal tag is required for data to be [ingested](concepts-csv-parser-ingestion.md) into your Microsoft Energy Data Services Preview instance. It's also required for the [consumption](concepts-index-and-search.md) of the data from your Microsoft Energy Data Services Preview instance. Legal tags are defined at a data partition level individually.

+While in Microsoft Energy Data Services Preview instance, [entitlement service](concepts-entitlements.md) defines access to data for a given user(s), legal tag defines the overall access to the data across users. A user may have access to manage the data within a data partition however, they may not be able to do so-until certain legal requirements are fulfilled.

+The Create Legal Tag api, internally appends data-partition-id to legal tag name if it isn't already present. For instance, if request has name as: ```legal-tag```, then the create legal tag name would be ```<instancename>-<data-partition-id>-legal-tag```

+# How to manage users

+In this article, you'll know how to manage users in Microsoft Energy Data Services Preview. It uses the [entitlements API](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/tree/master/) and acts as a group-based authorization system for data partitions within Microsoft Energy Data Service instance. For more information about Microsoft Energy Data Services Preview entitlements, see [entitlement services](concepts-entitlements.md).

+Create a Microsoft Energy Data Services Preview instance using the tutorial at [How to create Microsoft Energy Data Services Preview instance](quickstart-create-microsoft-energy-data-services-instance.md).

+You will need to pass parameters for generating the access token, which you'll need to make valid calls to the Entitlements API of your Microsoft Energy Data Services Preview instance. You will also need these parameters for different user management requests to the Entitlements API. Hence Keep the following values handy for these actions.

+> [!IMPORTANT]

+Sometimes called an application password, a `client-secret` is a string value your app can use in place of a certificate to identity itself. Navigate to *App Registrations*. Once there, open 'Certificates & secrets' under the *Manage* section. Create a `client-secret` for the `client-id` that you used to create your Microsoft Energy Data Services Preview instance, you can add one now by clicking on *New Client Secret*. Record the secret's `value` for use in your client application code.

+> [!CAUTION]

+- One option is to navigate *Data Partitions* menu item under the Advanced section of your Microsoft Energy Data Services Preview UI.

+- Another option is by clicking on the *view* below the *data partitions* field in the essentials pane of your Microsoft Energy Data Services Preview *Overview* page.

+You can manage user's access to your Microsoft Energy Data Services instance or data partitions. As a prerequisite for this step, you need to find the 'object-id' (OID) of the user(s) first.

+The value to be sent for the param **"email"** is the **Object_ID (OID)** of the user and not the user's email

+The value to be sent for the param **"email"** is the **Object_ID (OID)** of the user and not the user's email

+As stated above, **DO NOT** delete the OWNER of a group unless you have another OWNER that can manage users in that group.

+ "subject": "/caller/8:acs:98e4cbef-70e7-4733-8594-063c4a72d711_00000014-2033-438d-1000-343a0d006e10/recipient/8:acs:98e4cbef-70e7-4733-8594-063c4a72d711_00000014-1889-f3a7-6a0b-343a0d0061f3",

+ "to": {

+ "kind": "communicationUser",

+ "rawId": "8:acs:98e4cbef-70e7-4733-8594-063c4a72d711_00000014-1889-f3a7-6a0b-343a0d0061f3",

+ "communicationUser": {

+ "id": "8:acs:98e4cbef-70e7-4733-8594-063c4a72d711_00000014-1889-f3a7-6a0b-343a0d0061f3"

+ }

+ },

+ "kind": "communicationUser",

+ "rawId": "8:acs:98e4cbef-70e7-4733-8594-063c4a72d711_00000014-2033-438d-1000-343a0d006e10",

+ "communicationUser": {

+ "id": "8:acs:98e4cbef-70e7-4733-8594-063c4a72d711_00000014-2033-438d-1000-343a0d006e10"

+ }

+ },

+> Microsoft Graph API's (MGA) ability to send events to Event Grid (a generally available service) is in private preview. In the following steps, you will follow instructions from [Node.js](https://github.com/microsoftgraph/nodejs-webhooks-sample), [Java](https://github.com/microsoftgraph/java-spring-webhooks-sample), and[.NET Core](https://github.com/microsoftgraph/aspnetcore-webhooks-sample) Webhook samples to enable flow of events from Microsoft Graph API. At some point in the sample, you will have an application registered with Azure AD. Email your application ID to <a href="mailto:ask-graph-and-grid@microsoft.com?subject=Please allow my application ID">mailto:ask-graph-and-grid@service.microsoft.com?subject=Please allow my Azure AD application with ID to send events through Graph API</a> so that the Microsoft Graph API team can add your application ID to allow list to use this new capability.

+* Create a Windows virtual machine and install the following components:

+ * [Java Development Kit (JDK) 1.7+](/azure/developer/java/fundamentals/java-support-on-azure).

+ * [Download](https://maven.apache.org/download.cgi) and [install](https://maven.apache.org/install.html) a Maven binary archive.

+ * [Git](https://www.git-scm.com/)

+1. Enable a system-assigned managed identity for the virtual machine. For more information about configuring managed identity on a VM, see [Configure managed identities for Azure resources on a VM using the Azure portal](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity). Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

+ :::image type="content" source="./media/event-hubs-quickstart-kafka-enabled-event-hubs/enable-identity-vm.png" alt-text="Screenshot of the Identity tab of a virtual machine page in the Azure portal.":::

+1. Using the **Access control** page of the Event Hubs namespace you created, assign **Azure Event Hubs Data Owner** role to the VM's managed identity.

+Azure Event Hubs supports using Azure Active Directory (Azure AD) to authorize requests to Event Hubs resources. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, or an application service principal.

+ 1. In the Azure portal, navigate to your Event Hubs namespace. Go to "Access Control (IAM)" in the left navigation.

+ 2. Select + Add and select `Add role assignment`.

+

+ :::image type="content" source="./media/event-hubs-quickstart-kafka-enabled-event-hubs/add-role-assignment-menu.png" alt-text="Screenshot of the Access Control page of an Event Hubs namespace.":::

+ 1. In the Role tab, select **Azure Event Hubs Data Owner**, and select the **Next** button.

+

+ :::image type="content" source="./media/event-hubs-quickstart-kafka-enabled-event-hubs/select-event-hubs-owner-role.png" alt-text="Screenshot showing the selection of the Azure Event Hubs Data Owner role.":::

+ 1. In the **Members** tab, select the **Managed Identity** in the **Assign access to** section.

+ 1. Select the **+Select members** link.

+ 1. On the **Select managed identities** page, follow these steps:

+ 1. Select the **Azure subscription** that has the VM.

+ 1. For **Managed identity**, select **Virtual machine**

+ 1. Select your virtual machine's managed identity.

+ 1. Click **Select** at the bottom of the page.

+

+ :::image type="content" source="./media/event-hubs-quickstart-kafka-enabled-event-hubs/add-vm-identity.png" alt-text="Screenshot showing the Add role assignment -> Select managed identities page.":::

+ 1. Select **Review + Assign**.

+ :::image type="content" source="./media/event-hubs-quickstart-kafka-enabled-event-hubs/review-assign.png" alt-text="Screenshot showing the Add role assignment page with role assigned to VM's managed identity.":::

+1. Restart the VM and log in back to the VM for which you configured the managed identity.

+1. Clone the [Azure Event Hubs for Kafka repository](https://github.com/Azure/azure-event-hubs-for-kafka).

+1. Navigate to `azure-event-hubs-for-kafka/tutorials/oauth/java/managedidentity/consumer`.

+1. Switch to the `src/main/resources/` folder, and open `consumer.config`. Replace `namespacename` with the name of your Event Hubs namespace.

+ ```xml

+ bootstrap.servers=NAMESPACENAME.servicebus.windows.net:9093

+ security.protocol=SASL_SSL

+ sasl.mechanism=OAUTHBEARER

+ sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;

+ sasl.login.callback.handler.class=CustomAuthenticateCallbackHandler;

+ ```

+ > [!NOTE]

+ > You can find all the OAuth samples for Event Hubs for Kafka [here](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth).

+7. Switch back to the **Consumer** folder where the pom.xml file is and, and run the consumer code and process events from event hub using your Kafka clients:

+ ```java

+ mvn clean package

+ mvn exec:java -Dexec.mainClass="TestConsumer"

+ ```

+1. Launch another command prompt window, and navigate to `azure-event-hubs-for-kafka/tutorials/oauth/java/managedidentity/producer`.

+1. Switch to the `src/main/resources/` folder, and open `producer.config`. Replace `mynamespace` with the name of your Event Hubs namespace.

+4. Switch back to the **Producer** folder where the `pom.xml` file is and, run the producer code and stream events into Event Hubs:

+

+ ```shell

+ mvn clean package

+ mvn exec:java -Dexec.mainClass="TestProducer"

+ ```

+ You should see messages about events sent in the producer window. Now, check the consumer app window to see the messages that it receives from the event hub.

+ :::image type="content" source="./media/event-hubs-quickstart-kafka-enabled-event-hubs/producer-consumer-output.png" alt-text="Screenshot showing the Producer and Consumer app windows showing the events.":::

+You can verify that captured files were created in the Azure Storage account using tools such as [Azure Storage Explorer][Azure Storage Explorer]. You can download files locally to work on them.

+ Alternatively, users can manually input their seeds. Defender EASM accepts domains, IP blocks, hosts, email contacts, ASNs, and WhoIs organizations as seed values. You can also specify entities to exclude from asset discovery to ensure they are not added to your inventory if detected. For example, this is useful for organizations that have subsidiaries that will likely be connected to their central infrastructure, but do not belong to your organization.

+- [Understanding dashboards](understanding-dashboards.md)

+- [Understanding asset details](understanding-asset-details.md)

+You can now refine and update Firewall rules and policies with confidence in just a few steps in the Azure portal. You have granular control to define your own custom rules for an enhanced security and compliance posture. You can automate rule and policy management to reduce the risks associated with a manual process.<br><br>

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE57NCC]

+ using this Resource Provider mode use effects _audit_, _deny_, and _disabled_. Use

+- `Microsoft.Kubernetes.Data` for Azure Policy components that target [Azure Arc-enabled Kubernetes clusters](../../../aks/intro-kubernetes.md) resources such as pods, containers, and ingresses.

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+To store profiles in Azure API for FHIR, you can `PUT` the `StructureDefinition` with the profile content in the body of the request. An update or a conditional update are both good methods to store profiles on the FHIR service. Use the conditional update if you are unsure which to use.

+Standard `PUT`: `PUT http://<your Azure API for FHIR base URL>/StructureDefinition/profile-id`

+**or**

+Conditional update: `PUT http://<your Azure API for FHIR base URL>/StructureDefinition?url=http://sample-profile-url`

+"url": "http://sample-profile-url"

+PUT https://myAzureAPIforFHIR.azurehealthcareapis.com/StructureDefinition?url=http://hl7.org/fhir/us/core/StructureDefinition/us-core-allergyintolerance

+For example, if you save a US Core Patient profile, which starts like this:

+To store profiles in Azure API for FHIR, you can `PUT` the `StructureDefinition` with the profile content in the body of the request. A standard `PUT` or a conditional update are both good methods to store profiles on the FHIR service. Use the conditional update if you are unsure which to use.

+Standard `PUT`: `PUT http://<your Azure API for FHIR base URL>/StructureDefinition/profile-id`

+**or**

+Conditional update: `PUT http://<your Azure API for FHIR base URL>/StructureDefinition?url=http://sample-profile-url`

+"url": "http://sample-profile-url"

+PUT https://myAzureAPIforFHIR.azurehealthcareapis.com/StructureDefinition?url=http://hl7.org/fhir/us/core/StructureDefinition/us-core-allergyintolerance

+ :::image type="content" source="media/howto-manage-users-roles/manage-users.png" alt-text="Screenshot of manage users page in IoT Central." lightbox="media/howto-manage-users-roles/manage-users.png":::

+ :::image type="content" source="media/howto-manage-users-roles/add-user.png" alt-text="Screenshot to add a user and select a role." lightbox="media/howto-manage-users-roles/add-user.png":::

+## Integrate with DevOps pipelines

+Continuous integration and continuous delivery (CI/CD) refers to the process of developing and delivering software in short, frequent cycles using automation pipelines. You can use Azure DevOps pipelines to automate the build, test, and deployment of IoT Central application configurations.

+To learn more, see [Integrate IoT Central into your Azure DevOps CI/CD pipeline](howto-integrate-with-devops.md).

+> The items you see in the left pane depend on your user role. Learn more about [managing users and roles](howto-manage-users-roles.md).

+ :::image type="content" source="media/overview-iot-central-tour/navigation-bar.png" alt-text="left pane":::

+

+ **Devices** lets you manage all your devices.

+ **Device groups** lets you view and create collections of devices specified by a query. Device groups are used through the application to perform bulk operations.

+ **Device templates** lets you create and manage the characteristics of devices that connect to your application.

+ **Data explorer** exposes rich capabilities to analyze historical trends and correlate various telemetries from your devices.

+ **Dashboards** displays all application and personal dashboards.

+ **Jobs** lets you manage your devices at scale by running bulk operations.

+ **Rules** lets you create and edit rules to monitor your devices. Rules are evaluated based on device data and trigger customizable actions.

+ **Data export** lets you configure a continuous export to external services such as storage and queues.

+ **Permissions** lets you manage an organization's users, devices and data.

+ **Application** lets you manage your application's settings, billing, users, and roles.

+ **Customization** lets you customize your application appearance.

+ **IoT Central Home** lets you jump back to the IoT Central app manager.

+

+ :::column-end:::

+IoT Central applications are fully hosted by Microsoft, which reduces the administration overhead of managing your applications. Administrators manage access to your application with [user roles and permissions](howto-administer.md).

+Below actions will be blocked with upcoming release, if these permissions are not set:

+1. Go to [Device Update releases](https://github.com/Azure/iot-hub-device-update/releases) in GitHub and select the **Assets** dropdown list. Download `Tutorial_IoTEdge_PackageUpdate.zip` by selecting it. Extract the contents of the folder to discover a sample APT manifest (sample-1.0.2-aziot-edge-apt-manifest.json) and its corresponding import manifest (sample-1.0.2-aziot-edge-importManifest.json).

+This article shows you how to use an Azure Resource Manager template to create an IoT Hub and a [consumer group](https://learn.microsoft.com/azure/event-hubs/event-hubs-features#consumer-groups), using Azure PowerShell. Resource Manager templates are JSON files that define the resources you need to deploy for your solution. For more information about developing Resource Manager templates, see the [Azure Resource Manager documentation](../azure-resource-manager/index.yml).

+## Prerequisites

+[Azure PowerShell module](/powershell/azure/install-az-ps) or [Azure Cloud Shell](https://learn.microsoft.com/azure/cloud-shell/overview)

+Azure Cloud Shell is useful if you don't want to install the PowerShell module locally, as Cloud Shell performs from a browser.

+## Create an IoT hub

+The [Resource Manager JSON template](https://azure.microsoft.com/resources/templates/iothub-with-consumergroup-create/) used in this article is one of many templates from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/). The JSON template creates an Azure Iot hub with three endpoints (eventhub, cloud-to-device, and messaging) and a consumer group. For more information on the Iot Hub template schema, see [Microsoft.Devices (IoT Hub) resource types](https://learn.microsoft.com/azure/templates/microsoft.devices/iothub-allversions).

+Use the following PowerShell command to create a resource group which is then used to create an IoT hub. The JSON template is used in `-TemplateUri`.

+To run the following PowerShell script, select **Try it** to open the Azure Cloud Shell. Copy the script, paste into your shell, then press enter. Answer the prompts. These prompts will help you to create a new resource, choose a region, and create a new IoT hub. Once answered, a confirmation of your IoT hub prints to the console.

+$location = Read-Host -Prompt "Enter the location (for example: centralus)"

+ Title: Upgrading from basic Load Balancer - Guidance

+description: Upgrade guidance for migrating basic Load Balancer to standard Load Balancer

+#customer-intent: As an cloud engineer with basic Load Balancer services, I need guidance and direction on migrating my workloads off basic to standard SKUs

+# Upgrading from basic Load Balancer - Guidance

+In this article, we'll discuss guidance for upgrading your Basic Load Balancer instances to Standard Load Balancer. Standard Load Balancer is recommended for all production instances and provides many [key differences](#basic-load-balancer-sku-vs-standard-load-balancer-sku) to your infrastructure.

+## Steps to complete the upgrade

+We recommend the following approach for upgrading to Standard Load Balancer:

+1. Learn about some of the [key differences](#basic-load-balancer-sku-vs-standard-load-balancer-sku) between Basic Load Balancer and Standard Load Balancer.

+1. Identify the Basic Load Balancer to upgrade.

+1. Create a migration plan for planned downtime.

+1. Perform migration with [automated PowerShell scripts](#upgrade-using-automated-scripts) for your scenario or create a new Standard Load Balancer with the Basic Load Balancer configurations.

+1. Verify your application and workloads are receiving traffic through the Standard Load Balancer. Then delete your Basic Load Balancer resource.

+## Basic Load Balancer SKU vs. standard Load Balancer SKU

+This section lists out some key differences between these two Load Balancer SKUs.

+| Feature | Standard Load Balancer SKU | Basic Load Balancer SKU |

+| - | - | - |

+| **Backend type** | IP based, NIC based | NIC based |

+| **Protocol** | TCP, UDP | TCP, UDP |

+| **[Frontend IP configurations](../azure-resource-manager/management/azure-subscription-service-limits.md#load-balancer)** | Supports up to 600 configurations | Supports up to 200 configurations |

+| **[Backend pool size](../azure-resource-manager/management/azure-subscription-service-limits.md#load-balancer)** | Supports up to 1000 instances | Supports up to 300 instances |

+| **Backend pool endpoints** | Any virtual machines or virtual machine scale sets in a single virtual network | Virtual machines in a single availability set or virtual machine scale set |

+| **[Health probe types](load-balancer-custom-probe-overview.md#probe-types)** | TCP, HTTP, HTTPS | TCP, HTTP |

+| **[Health probe down behavior](load-balancer-custom-probe-overview.md#probe-down-behavior)** | TCP connections stay alive on an instance probe down and on all probes down | TCP connections stay alive on an instance probe down. All TCP connections end when all probes are down |

+| **Availability zones** | Zone-redundant and zonal frontends for inbound and outbound traffic | Not available |

+| **Diagnostics** | [Azure Monitor multi-dimensional metrics](load-balancer-standard-diagnostics.md) | Not supported |

+| **HA Ports** | [Available for Internal Load Balancer](load-balancer-ha-ports-overview.md) | Not available |

+| **Secure by default** | Closed to inbound flows unless allowed by a network security group. Internal traffic from the virtual network to the internal load balancer is allowed. | Open by default. Network security group optional. |

+| **Outbound Rules** | [Declarative outbound NAT configuration](load-balancer-outbound-connections.md#outboundrules) | Not available |

+| **TCP Reset on Idle** | Available on any rule | Not available |

+| **[Multiple front ends](load-balancer-multivip-overview.md)** | Inbound and [outbound](load-balancer-outbound-connections.md) | Inbound only |

+| **Management Operations** | Most operations < 30 seconds | Most operations 60-90+ seconds |

+| **SLA** | [99.99%](https://azure.microsoft.com/support/legal/sla/load-balancer/v1_0/) | Not available |

+| **Global VNet Peering Support** | Standard ILB is supported via Global VNet Peering | Not supported |

+| **[NAT Gateway Support](../virtual-network/nat-gateway/nat-overview.md)** | Both Standard ILB and Standard Public Load Balancer are supported via Nat Gateway | Not supported |

+| **[Private Link Support](../private-link/private-link-overview.md)** | Standard ILB is supported via Private Link | Not supported |

+| **[Global tier (Preview)](cross-region-overview.md)** | Standard Load Balancer supports the Global tier for Public LBs enabling cross-region load balancing | Not supported |

+For information on limits, see [Load Balancer limits](../azure-resource-manager/management/azure-subscription-service-limits.md#load-balancer).

+## Upgrade using automated scripts

+Use these PowerShell scripts to help with upgrading from Basic to Standard SKU:

+- [Upgrading a basic to standard public load balancer](upgrade-basic-standard.md)

+- [Upgrade from Basic Internal to Standard Internal](upgrade-basicInternal-standard.md)

+- [Upgrade an internal basic load balancer - Outbound connections required](upgrade-internalbasic-to-publicstandard.md)

+## Next Steps

+For guidance on upgrading basic Public IP addresses to Standard SKUs, see:

+> [!div class="nextstepaction"]

+> [Upgrading a Basic Public IP to Standard Public IP - Guidance](../virtual-network/ip-services/public-ip-basic-upgrade-guidance.md)

+ Title: Migrating from NIC to IP-based backend pools

+description: This article covers migrating a load balancer from NIC-based backend pools to IP-based backend pools for virtual machines and virtual machine scale sets.

+# Migrating from NIC to IP-based backend pools

+In this article, you'll learn how to migrate a load balancer with NIC-based backend pools to use IP-based backend pools with virtual machines and virtual machine scale sets

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An existing standard Load Balancer in the subscription, with NIC-based backend pools.

+## What is IP-based Load Balancer

+IP-based load balancers reference the private IP address of the resource in the backend pool rather than the resourceΓÇÖs NIC. IP-based load balancers enable the pre-allocation of private IP addresses in a backend pool, without having to create the backend resources themselves in advance.

+## Migrating NIC-based virtual machine backend pools too IP-based

+To migrate a load balancer with NIC-based backend pools to IP-based with VMs (not virtual machine scale sets instances) in the backend pool, you can utilize the following migration REST API.

+```http

+POST URL: https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/loadBalancers/{lbName}/migrateToIpBased?api-version=2022-01-01

+```

+### URI Parameters

+| Name | In | Required | Type | Description |

+|- | - | - | - | - |

+|Sub | Path | True | String | The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |

+| Rg | Path | True | String | The name of the resource group. |

+| LbName | Path | True | String | The name of the load balancer. |

+| api-version | Query | True | String | Client API Version |

+### Request Body

+| Name | Type | Description |

+| - | - | - |

+| Backend Pools | String | A list of backend pools to migrate. Note if request body is specified, all backend pools will be migrated. |

+A full example using the CLI to migrate all backend pools in a load balancer is shown here:

+```azurecli-interactive

+az rest ΓÇôm post ΓÇôu ΓÇ£https://management.azure.com/subscriptions/MySubscriptionId/resourceGroups/MyResourceGroup/providers/Microsoft.Network/loadBalancers/MyLB/migrateToIpBased?api-version=2022-01-01ΓÇ¥

+```

+A full example using the CLI to migrate a set of specific backend pool in a load balancer is shown below. To migrate a specific group of backend pools from NIC-based to IP-based, you can pass in a list of the backend pool names in the request body:

+```azurecli-interactive

+az rest ΓÇôm post ΓÇôu ΓÇ£https://management.azure.com/subscriptions/MySubscriptionId/resourceGroups/MyResourceGroup/providers/Microsoft.Network/loadBalancers/MyLB/migrateToIpBased?api-version=2022-01-01ΓÇ¥

+-b {\"Pools\":[\"MyBackendPool\"]}

+```

+## Upgrading LB with virtual machine scale sets attached

+To upgrade a NIC-based load balancer to IP based load balancer with virtual machine scale sets in the backend pool, follow the following steps:

+1. Configure the upgrade policy of the virtual machine scale sets to be automatic. If the upgrade policy isn't set to automatic, all virtual machine scale sets instances must be upgraded after calling the migration API.

+1. Using the AzureΓÇÖs migration REST API, upgrade the NIC based LB to an IP based LB. If a manual upgrade policy is in place, upgrade all VMs in the virtual machine scale sets before step 3.

+1. Remove the reference of the load balancer from the network profile of the virtual machine scale sets, and update the VM instances to reflect the changes.

+A full example using the CLI is shown here:

+```azurecli-interactive

+az rest ΓÇôm post ΓÇôu ΓÇ£https://management.azure.com/subscriptions/MySubscriptionId/resourceGroups/MyResourceGroup/providers/Microsoft.Network/loadBalancers/MyLB/migrateToIpBased?api-version=2022-01-01ΓÇ¥

+az virtual machine scale sets update --resource-group MyResourceGroup --name MyVMSS --remove virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].ipConfigurations[0].loadBalancerBackendAddressPools

+```

+## Next Steps

+See [Monitoring Load Balancer data reference](monitor-load-balancer-reference.md) for detailed information on the metrics and logs metrics created by Load Balancer.

+ Title: Upgrade from Basic to Standard for Virtual Machine Scale Sets

+description: This article shows you how to upgrade a load balancer from basic to standard SKU for Virtual Machine Scale Sets.

+# Upgrade a basic load balancer used with Virtual Machine Scale Sets

+[Azure Standard Load Balancer](load-balancer-overview.md) offers a rich set of functionality and high availability through zone redundancy. To learn more about Load Balancer SKU, see [comparison table](./skus.md#skus).

+This article introduces a PowerShell module that creates a Standard Load Balancer with the same configuration as the Basic Load Balancer along with the associated Virtual Machine Scale Set.

+## Upgrade Overview

+An Azure PowerShell module is available to upgrade from Basic load balancer to a Standard load balancer along with moving the associated virtual machine scale set. The PowerShell module performs the following functions:

+- Verifies that the provided Basic load balancer scenario is supported for upgrade.

+- Backs up the Basic load balancer and virtual machine scale set configuration, enabling retry on failure or if errors are encountered.

+- For public load balancers, updates the front end public IP address(es) to Standard SKU and static assignment as required.

+- Upgrade the Basic load balancer configuration to a new Standard load balancer, ensuring configuration and feature parity.

+- Upgrade virtual machine scale set backend pool members from the Basic load balancer to the standard load balancer.

+- Creates and associates a network security group with the virtual machine scale set to ensure load balanced traffic reaches backend pool members, following Standard load balancer's move to a default-deny network policy.

+- Logs the upgrade operation for easy audit and failure recovery.

+### Unsupported Scenarios

+- Basic load balancers with a virtual machine scale set backend pool member that is also a member of a backend pool on a different load balancer

+- Basic load balancers with backend pool members that aren't a virtual machine scale set

+- Basic load balancers with only empty backend pools

+- Basic load balancers with IPV6 frontend IP configurations

+- Basic load balancers with a virtual machine scale set backend pool member configured with 'Flexible' orchestration mode

+- Basic load balancers with a virtual machine scale set backend pool member where one or more virtual machine scale set instances have ProtectFromScaleSetActions Instance Protection policies enabled

+- Migrating a Basic load balancer to an existing Standard load balancer

+### Prerequisites

+- Install the latest version of [PowerShell](/powershell/scripting/install/installing-powershell)

+- Determine whether you have the latest Az PowerShell module installed (8.2.0)

+ - Install the latest Az PowerShell module](/powershell/azure/install-az-ps)

+## Install the 'AzureBasicLoadBalancerUpgrade' module

+Install the module from [PowerShell gallery](https://www.powershellgallery.com/packages/AzureBasicLoadBalancerUpgrade)

+```powershell

+PS C:\> Install-Module -Name AzureBasicLoadBalancerUpgrade -Scope CurrentUser -Repository PSGallery -Force

+```

+## Use the module

+1. Use `Connect-AzAccount` to connect to the required Azure AD tenant and Azure subscription

+ ```powershell

+ PS C:\> Connect-AzAccount -Tenant <TenantId> -Subscription <SubscriptionId>

+ ```

+2. Find the Load Balancer you wish to upgrade. Record its name and resource group name.

+3. Examine the module parameters:

+ - *BasicLoadBalancerName [string] Required* - This parameter is the name of the existing Basic load balancer you would like to upgrade

+ - *ResourceGroupName [string] Required* - This parameter is the name of the resource group containing the Basic load balancer

+ - *RecoveryBackupPath [string] Optional* - This parameter allows you to specify an alternative path in which to store the Basic load balancer ARM template backup file (defaults to the current working directory)

+ - *FailedMigrationRetryFilePathLB [string] Optional* - This parameter allows you to specify a path to a Basic load balancer backup state file when retrying a failed upgrade (defaults to current working directory)

+ - *FailedMigrationRetryFilePathVMSS [string] Optional* - This parameter allows you to specify a path to a virtual machine scale set backup state file when retrying a failed upgrade (defaults to current working directory)

+4. Run the Upgrade command.

+### Example: upgrade a basic load balancer to a standard load balancer with the same name, providing the basic load balancer name and resource group

+```powershell

+PS C:\> Start-AzBasicLoadBalancerUpgrade -ResourceGroupName <load balancer resource group name> -BasicLoadBalancerName <existing basic load balancer name>

+```

+### Example: upgrade a basic load balancer to a standard load balancer with the same name, providing the basic load object through the pipeline

+```powershell

+PS C:\> Get-AzLoadBalancer -Name <basic load balancer name> -ResourceGroup <Basic load balancer resource group name> | Start-AzBasicLoadBalancerUpgrade

+```

+### Example: upgrade a basic load balancer to a standard load balancer with the specified name, displaying logged output on screen

+```powershell

+PS C:\> Start-AzBasicLoadBalancerUpgrade -ResourceGroupName <load balancer resource group name> -BasicLoadBalancerName <existing basic load balancer name> -StandardLoadBalancerName <new standard load balancer name> -FollowLog

+```

+### Example: upgrade a basic load balancer to a standard load balancer with the specified name and store the basic load balancer backup file at the specified path

+```powershell

+PS C:\> Start-AzBasicLoadBalancerUpgrade -ResourceGroupName <load balancer resource group name> -BasicLoadBalancerName <existing basic load balancer name> -StandardLoadBalancerName <new standard load balancer name> -RecoveryBackupPath C:\BasicLBRecovery

+```

+### Example: retry a failed upgrade (due to error or script termination) by providing the Basic load balancer and virtual machine scale set backup state file

+```powerhsell

+PS C:\> Start-AzBasicLoadBalancerUpgrade -FailedMigrationRetryFilePathLB C:\RecoveryBackups\State_mybasiclb_rg-basiclbrg_20220912T1740032148.json -FailedMigrationRetryFilePathVMSS C:\RecoveryBackups\VMSS_myVMSS_rg-basiclbrg_20220912T1740032148.json

+```

+## Common Questions

+### Will the module migrate my frontend IP address to the new Standard load balancer?

+Yes, for both public and internal load balancers, the module ensures that front end IP addresses are maintained. For public IPs, the IP is converted to a static IP prior to migration (if necessary). For internal front ends, the module will attempt to reassign the same IP address freed up when the Basic load balancer was deleted; if the private IP isn't available the script will fail. In this scenario, remove the virtual network connected device that has claimed the intended front end IP and rerun the module with the `-FailedMigrationRetryFilePathLB <BasicLoadBalancerbackupFilePath> -FailedMigrationRetryFilePathVMSS <VMSSBackupFile>` parameters specified.

+### How long does the Upgrade take?

+The upgrade normally takes a few minutes for the script to finish. The following factors may lead to longer upgrade times:

+- Complexity of your load balancer configuration

+- Number of backend pool members

+- Instance count of associated Virtual Machine Scale Sets.

+Keep the downtime in mind and plan for failover if necessary.

+### Does the script migrate my backend pool members from my basic load balancer to the newly created standard load balancer?

+Yes. The Azure PowerShell script migrates the virtual machine scale set to the newly created public or private standard load balancer.

+### Which load balancer components are migrated?

+The script migrates the following from the Basic load balancer to the Standard load balancer:

+**Public Load Balancer:**

+- Public frontend IP configuration

+ - Converts the public IP to a static IP, if dynamic

+ - Updates the public IP SKU to Standard, if Basic

+ - Upgrade all associated public IPs to the new Standard load balancer

+- Health Probes:

+ - All probes will be migrated to the new Standard load balancer

+- Load balancing rules:

+ - All load balancing rules will be migrated to the new Standard load balancer

+- Inbound NAT Rules:

+ - All NAT rules will be migrated to the new Standard load balancer

+- Outbound Rules:

+ - Basic load balancers don't support configured outbound rules. The script will create an outbound rule in the Standard load balancer to preserve the outbound behavior of the Basic load balancer. For more information about outbound rules, see [Outbound rules](/azure/load-balancer/outbound-rules).

+- Network security group

+ - Basic load balancer doesn't require a network security group to allow outbound connectivity. In case there's no network security group associated with the virtual machine scale set, a new network security group will be created to preserve the same functionality. This new network security group will be associated to the virtual machine scale set backend pool member network interfaces. It will allow the same load balancing rules ports and protocols and preserve the outbound connectivity.

+- Backend pools:

+ - All backend pools will be migrated to the new Standard load balancer

+ - All virtual machine scale set network interfaces and IP configurations will be migrated to the new Standard load balancer

+ - If a virtual machine scale set is using Rolling Upgrade policy, the script will update the virtual machine scale set upgrade policy to "Manual" during the migration process and revert it back to "Rolling" after the migration is completed.

+**Internal Load Balancer:**

+- Private frontend IP configuration

+ - Converts the public IP to a static IP, if dynamic

+ - Updates the public IP SKU to Standard, if Basic

+- Health Probes:

+ - All probes will be migrated to the new Standard load balancer

+- Load balancing rules:

+ - All load balancing rules will be migrated to the new Standard load balancer

+- Inbound NAT Rules:

+ - All NAT rules will be migrated to the new Standard load balancer

+- Backend pools:

+ - All backend pools will be migrated to the new Standard load balancer

+ - All virtual machine scale set network interfaces and IP configurations will be migrated to the new Standard load balancer

+ - If there's a virtual machine scale set using Rolling Upgrade policy, the script will update the virtual machine scale set upgrade policy to "Manual" during the migration process and revert it back to "Rolling" after the migration is completed.

+>[!NOTE]

+> Network security group are not configured as part of Internal Load Balancer upgrade. To learn more about NSGs, see [Network security groups](/azure/virtual-network/network-security-groups-overview)

+### What happens if my upgrade fails mid-migration?

+The module is designed to accommodate failures, either due to unhandled errors or unexpected script termination. The failure design is a 'fail forward' approach, where instead of attempting to move back to the Basic load balancer, you should correct the issue causing the failure (see the error output or log file), and retry the migration again, specifying the `-FailedMigrationRetryFilePathLB <BasicLoadBalancerbackupFilePath> -FailedMigrationRetryFilePathVMSS <VMSSBackupFile>` parameters. For public load balancers, because the Public IP Address SKU has been updated to Standard, moving the same IP back to a Basic load balancer won't be possible. The basic failure recovery procedure is:

+ 1. Address the cause of the migration failure. Check the log file `Start-AzBasicLoadBalancerUpgrade.log` for details

+ 1. [Remove the new Standard load balancer](/azure/load-balancer/update-load-balancer-with-vm-scale-set) (if created). Depending on which stage of the migration failed, you may have to remove the Standard load balancer reference from the virtual machine scale set network interfaces (IP configurations) and health probes in order to remove the Standard load balancer and try again.

+ 1. Locate the basic load balancer state backup file. This will either be in the directory where the script was executed, or at the path specified with the `-RecoveryBackupPath` parameter during the failed execution. The file will be named: `State_<basicLBName>_<basicLBRGName>_<timestamp>.json`

+ 1. Rerun the migration script, specifying the `-FailedMigrationRetryFilePathLB <BasicLoadBalancerbackupFilePath> -FailedMigrationRetryFilePathVMSS <VMSSBackupFile>` parameters instead of -BasicLoadBalancerName or passing the Basic load balancer over the pipeline

+## Next steps

+[Learn about Azure Load Balancer](load-balancer-overview.md)

+* [Train models with the v2 CLI and SDK (preview)](how-to-train-model.md)

+For more information on using a customer-managed key with ACI, see [Encrypt deployment data](../container-instances/container-instances-encrypt-data.md).

+If you're deploying [MLFlow models](how-to-train-model.md), there's no need to provide a scoring script and execution environment, as both are autogenerated.

+* [Train models](how-to-train-model.md)

+### Python SDK

+After submitting a training run, a [Run](/python/api/azureml-core/azureml.core.run%28class%29) object is returned. The `properties` attribute of this object contains the logged git information. For example, the following code retrieves the commit hash:

+```python

+run.properties['azureml.git.commit']

+```

+ * [Train models with the CLI (v2)](how-to-train-model.md)

+ * [Train models with the Azure ML Python SDK v2 (preview)](how-to-train-model.md)

+ - If authentication is made using a user identity, then it's important to know *which* user is trying to access storage. For more information on authenticating a _user_, see [authentication for Azure Machine Learning](how-to-setup-authentication.md). For more information on service-level authentication, see [authentication between AzureML and other services](how-to-identity-based-service-authentication.md).

+If you prefer to submit training jobs with the Azure Machine learning CLI v2 extension, see [Train models](how-to-train-model.md).

+## Set up your workspace

+To connect to a workspace, you need to provide a subscription, resource group and workspace name. These details are used in the `MLClient` from `azure.ai.ml` to get a handle to the required Azure Machine Learning workspace.

+In the following example, the default Azure authentication is used along with the default workspace configuration or from any `config.json` file you might have copied into the folders structure. If no `config.json` is found, then you need to manually introduce the subscription_id, resource_group and workspace when creating `MLClient`.

+- A. Providing your training data and MLTable definition file from your local folder and it will be automatically uploaded into the cloud (default Workspace Datastore)

+If you don't explicitly specify a `validation_data` or `n_cross_validation` parameter, automated ML applies default techniques to determine how validation is performed. This determination depends on the number of rows in the dataset assigned to your `training_data` parameter.

+[Learn more about creating compute with the Python SDKv2 (or CLIv2).](./how-to-train-model.md).

+Before you can submit your automated ML job, you need to determine the kind of machine learning problem you're solving. This problem determines which function your automated ML job uses and what model algorithms it applies.

+Automated machine learning tries different models and algorithms during the automation and tuning process. As a user, there's no need for you to specify the algorithm.

+Threshold-dependent metrics, like `accuracy`, `recall_score_weighted`, `norm_macro_recall`, and `precision_score_weighted` may not optimize as well for datasets that are small, have large class skew (class imbalance), or when the expected metric value is very close to 0.0 or 1.0. In those cases, `AUC_weighted` can be a better choice for the primary metric. After automated ML completes, you can choose the winning model based on the metric best suited to your business needs.

+- For Text classification, multi-label currently 'Accuracy' is the only primary metric supported.

+The main difference between `r2_score` and `normalized_root_mean_squared_error` is the way they're normalized and their meanings. `normalized_root_mean_squared_error` is root mean squared error normalized by range and can be interpreted as the average error magnitude for prediction. `r2_score` is mean squared error normalized by an estimate of variance of data. It's the proportion of variation that can be captured by the model.

+However, currently no primary metrics for regression addresses relative difference. All of `r2_score`, `normalized_mean_absolute_error`, and `normalized_root_mean_squared_error` treat a $20k prediction error the same for a worker with a $30k salary as a worker making $20M, if these two data points belongs to the same dataset for regression, or the same time series specified by the time series identifier. While in reality, predicting only $20k off from a $20M salary is very close (a small 0.1% relative difference), whereas $20k off from $30k isn't close (a large 67% relative difference). To address the issue of relative difference, one can train a model with available primary metrics, and then select the model with best `mean_absolute_percentage_error` or `root_mean_squared_log_error`.

+No&nbsp;criteria | If you don't define any exit parameters the experiment continues until no further progress is made on your primary metric.

+`timeout`| Defines how long, in minutes, your experiment should continue to run. If not specified, the default job's total timeout is 6 days (8,640 minutes). To specify a timeout less than or equal to 1 hour (60 minutes), make sure your dataset's size isn't greater than 10,000,000 (rows times column) or an error results. <br><br> This timeout includes setup, featurization and training runs but doesn't include the ensembling and model explainability runs at the end of the process since those actions need to happen once all the trials (children jobs) are done.

+Submit the experiment to run and generate a model. With the `MLClient` created in the prerequisites, you can run the following command in the workspace.

+Remove any existing installation of the `ml` extension and also the CLI v1 `azure-cli-ml` extension:

+- [Train models using CLI (v2)](how-to-train-model.md)

+* [Submit a training run](./how-to-train-model.md)

+* Use the compute resource to [submit a training run](how-to-train-model.md).

+In this article, you learn how to create and run [machine learning pipelines](concept-ml-pipelines.md) by using the Azure CLI and components (for more, see [What is an Azure Machine Learning component?](concept-component.md)). You can create pipelines without using components, but components offer the greatest amount of flexibility and reuse. AzureML Pipelines may be defined in YAML and run from the CLI, authored in Python, or composed in AzureML Studio Designer with a drag-and-drop UI. This document focuses on the CLI.

+In this article, you'll learn how to create and run [machine learning pipelines](concept-ml-pipelines.md) by using the Azure Machine Learning studio and [Components](concept-component.md). You can create pipelines without using components, but components offer better amount of flexibility and reuse. Azure ML Pipelines may be defined in YAML and [run from the CLI](how-to-create-component-pipelines-cli.md), [authored in Python](how-to-create-component-pipeline-python.md), or composed in Azure ML Studio Designer with a drag-and-drop UI. This document focuses on the AzureML studio designer UI.

+from azure.ai.ml.entities._datastore.credentials import AccountKeyCredentials

+ name="blob_protocol_example",

+ credentials=AccountKeyCredentials(

+ account_key="XXXxxxXXXxXXXXxxXXXXXxXXXXXxXxxXxXXXxXXXxXXxxxXXxxXXXxXxXXXxxXxxXXXXxxxxxXXxxxxxxXXXxXXX"

+ ),

+from azure.ai.ml.entities._datastore.credentials import SasTokenCredentials

+ name="blob_sas_example",

+ credentials=SasTokenCredentials(

+ sas_token= "?xx=XXXX-XX-XX&xx=xxxx&xxx=xxx&xx=xxxxxxxxxxx&xx=XXXX-XX-XXXXX:XX:XXX&xx=XXXX-XX-XXXXX:XX:XXX&xxx=xxxxx&xxx=XXxXXXxxxxxXXXXXXXxXxxxXXXXXxxXXXXXxXXXXxXXXxXXxXX"

+ ),

+from azure.ai.ml.entities._datastore.credentials import ServicePrincipalCredentials

+ name="adls_gen2_example",

+ credentials=ServicePrincipalCredentials(

+ tenant_id= "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",

+ client_id= "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",

+ client_secret= "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",

+ ),

+from azure.ai.ml.entities._datastore.credentials import AccountKeyCredentials

+ name="file_example",

+ credentials=AccountKeyCredentials(

+ account_key= "XXXxxxXXXxXXXXxxXXXXXxXXXXXxXxxXxXXXxXXXxXXxxxXXxxXXXxXxXXXxxXxxXXXXxxxxxXXxxxxxxXXXxXXX"

+ ),

+from azure.ai.ml.entities._datastore.credentials import SasTokenCredentials

+ name="file_sas_example",

+ credentials=SasTokenCredentials(

+ sas_token="?xx=XXXX-XX-XX&xx=xxxx&xxx=xxx&xx=xxxxxxxxxxx&xx=XXXX-XX-XXXXX:XX:XXX&xx=XXXX-XX-XXXXX:XX:XXX&xxx=xxxxx&xxx=XXxXXXxxxxxXXXXXXXxXxxxXXXXXxxXXXXXxXXXXxXXXxXXxXX"

+ ),

+from azure.ai.ml.entities._datastore.credentials import ServicePrincipalCredentials

+ name="adls_gen1_example",

+ credentials=ServicePrincipalCredentials(

+ tenant_id= "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",

+ client_id= "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",

+ client_secret= "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",

+ ),

+1. Models need to be registered in the Azure Machine Learning workspace to be deployed. Deployment of unregistered models isn't supported. To create a model in Azure Machine Learning, open the Models page in Azure Machine Learning. Select **Register model** and select where your model is located. Fill out the required fields, and then select __Register__.

+2. To create an endpoint deployment, use either the __endpoints__ or __models__ page:

+This section helps you understand how to deploy models to an online endpoint once you've completed your [training job](how-to-train-model.md). Models logged in a run are stored as artifacts. If you have used `mlflow.autolog()` in your training script, you'll see model artifacts generated in the job's output. You can use `mlflow.autolog()` for several common ML frameworks to log model parameters, performance metrics, model artifacts, and even feature importance graphs.

+For more information, see [Train models](how-to-train-model.md). Also see the [training job samples](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/single-step) in the GitHub repository.

+1. Models need to be registered in the Azure Machine Learning workspace to be deployed. Deployment of unregistered models isn't supported. You can register the model directly from the job's output using the Azure ML CLI (v2), the Azure ML SDK for Python (v2) or Azure Machine Learning studio.

+ Use the Azure ML CLI v2 to create a model from a training job output. In the following example, a model named `$MODEL_NAME` is registered using the artifacts of a job with ID `$RUN_ID`. The path where the model is stored is `$MODEL_PATH`.

+ For more information on how data access is authenticated, see the [Data administration](how-to-administrate-data-authentication.md) article.

+For more information on how to use environments in jobs, see [Train models](how-to-train-model.md).

+- [Train models (create jobs)](how-to-train-model.md)

+We recommend migrating the code for creating jobs to v2. You can see [how to train models](how-to-train-model.md) and the [job YAML references](reference-yaml-job-command.md) for authoring jobs in v2 YAMLs.

+We recommend migrating the code for creating models. For more information, see [How to train models](how-to-train-model.md).

+* [Train models](how-to-train-model.md)

+For more information on using a customer-managed key with ACI, see [Encrypt deployment data](../container-instances/container-instances-encrypt-data.md).

+ Title: Train ML models

+description: Configure and submit Azure Machine Learning jobs to train your models using the SDK, CLI, etc.

+# Train models with Azure Machine Learning CLI, SDK, and REST API

+Azure Machine Learning provides multiple ways to submit ML training jobs. In this article, you'll learn how to submit jobs using the following methods:

+* Azure CLI extension for machine learning: The `ml` extension, also referred to as CLI v2.

+* Python SDK v2 for Azure Machine Learning.

+* REST API: The API that the CLI and SDK are built on.

+> [!IMPORTANT]

+> SDK v2 is currently in public preview.

+> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Prerequisites

+* An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/).

+* An Azure Machine Learning workspace. If you don't have one, you can use the steps in the [Quickstart: Create Azure ML resources](quickstart-create-resources.md) article.

+# [Python SDK](#tab/python)

+To use the __SDK__ information, install the Azure Machine Learning [SDK v2 for Python](https://aka.ms/sdk-v2-install).

+# [Azure CLI](#tab/azurecli)

+To use the __CLI__ information, install the [Azure CLI and extension for machine learning](how-to-configure-cli.md).

+# [REST API](#tab/restapi)

+To use the __REST API__ information, you need the following items:

+- A __service principal__ in your workspace. Administrative REST requests use [service principal authentication](how-to-setup-authentication.md#use-service-principal-authentication).

+- A service principal __authentication token__. Follow the steps in [Retrieve a service principal authentication token](./how-to-manage-rest.md#retrieve-a-service-principal-authentication-token) to retrieve this token.

+- The __curl__ utility. The curl program is available in the [Windows Subsystem for Linux](/windows/wsl/install-win10) or any UNIX distribution.

+ > [!TIP]

+ > In PowerShell, `curl` is an alias for `Invoke-WebRequest` and `curl -d "key=val" -X POST uri` becomes `Invoke-WebRequest -Body "key=val" -Method POST -Uri uri`.

+ >

+ > While it is possible to call the REST API from PowerShell, the examples in this article assume you are using Bash.

+- The [jq](https://stedolan.github.io/jq/) utility for processing JSON. This utility is used to extract values from the JSON documents that are returned from REST API calls.

+### Clone the examples repository

+The code snippets in this article are based on examples in the [Azure ML examples GitHub repo](https://github.com/azure/azureml-examples). To clone the repository to your development environment, use the following command:

+```bash

+git clone --depth 1 https://github.com/Azure/azureml-examples

+```

+> [!TIP]

+> Use `--depth 1` to clone only the latest commit to the repository, which reduces time to complete the operation.

+## Example job

+The examples in this article use the iris flower dataset to train an MLFlow model.

+## Train in the cloud

+When training in the cloud, you must connect to your Azure Machine Learning workspace and select a compute resource that will be used to run the training job.

+### 1. Connect to the workspace

+> [!TIP]

+> Use the tabs below to select the method you want to use to train a model. Selecting a tab will automatically switch all the tabs in this article to the same tab. You can select another tab at any time.

+# [Python SDK](#tab/python)

+To connect to the workspace, you need identifier parameters - a subscription, resource group, and workspace name. You'll use these details in the `MLClient` from the `azure.ai.ml` namespace to get a handle to the required Azure Machine Learning workspace. To authenticate, you use the [default Azure authentication](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python&preserve-view=true). Check this [example](https://github.com/Azure/azureml-examples/blob/v2samplesreorg/sdk/python/jobs/configuration.ipynb) for more details on how to configure credentials and connect to a workspace.

+```python

+#import required libraries

+from azure.ai.ml import MLClient

+from azure.identity import DefaultAzureCredential

+#Enter details of your AzureML workspace

+subscription_id = '<SUBSCRIPTION_ID>'

+resource_group = '<RESOURCE_GROUP>'

+workspace = '<AZUREML_WORKSPACE_NAME>'

+#connect to the workspace

+ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)

+```

+# [Azure CLI](#tab/azurecli)

+When using the Azure CLI, you need identifier parameters - a subscription, resource group, and workspace name. While you can specify these parameters for each command, you can also set defaults that will be used for all the commands. Use the following commands to set default values. Replace `<subscription ID>`, `<AzureML workspace name>`, and `<resource group>` with the values for your configuration:

+```azurecli

+az account set --subscription <subscription ID>

+az configure --defaults workspace=<AzureML workspace name> group=<resource group>

+```

+# [REST API](#tab/restapi)

+The REST API examples in this article use `$SUBSCRIPTION_ID`, `$RESOURCE_GROUP`, `$LOCATION`, and `$WORKSPACE` placeholders. Replace the placeholders with your own values as follows:

+* `$SUBSCRIPTION_ID`: Your Azure subscription ID.

+* `$RESOURCE_GROUP`: The Azure resource group that contains your workspace.

+* `$LOCATION`: The Azure region where your workspace is located.

+* `$WORKSPACE`: The name of your Azure Machine Learning workspace.

+* `$COMPUTE_NAME`: The name of your Azure Machine Learning compute cluster.

+Administrative REST requests a [service principal authentication token](how-to-manage-rest.md#retrieve-a-service-principal-authentication-token). You can retrieve a token with the following command. The token is stored in the `$TOKEN` environment variable:

+```azurecli

+TOKEN=$(az account get-access-token --query accessToken -o tsv)

+```

+The service provider uses the `api-version` argument to ensure compatibility. The `api-version` argument varies from service to service. Set the API version as a variable to accommodate future versions:

+### 2. Create a compute resource for training

+An AzureML compute cluster is a fully managed compute resource that can be used to run the training job. In the following examples, a compute cluster named `cpu-compute` is created.

+# [Python SDK](#tab/python)

+[!notebook-python[] (~/azureml-examples-v2samplesreorg/sdk/python/jobs/configuration.ipynb?name=create-cpu-compute)]

+# [Azure CLI](#tab/azurecli)

+```azurecli

+az ml compute create -n cpu-cluster --type amlcompute --min-instances 0 --max-instances 4

+```

+# [REST API](#tab/restapi)

+```bash

+curl -X PUT \

+ "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/computes/$COMPUTE_NAME?api-version=$API_VERSION" \

+ -H "Authorization:Bearer $TOKEN" \

+ -H "Content-Type: application/json" \

+ -d '{

+ "location": "'$LOCATION'",

+ "properties": {

+ "computeType": "AmlCompute",

+ "properties": {

+ "vmSize": "Standard_D2_V2",

+ "vmPriority": "Dedicated",

+ "scaleSettings": {

+ "maxNodeCount": 4,

+ "minNodeCount": 0,

+ "nodeIdleTimeBeforeScaleDown": "PT30M"

+ }

+ }

+ }

+}'

+```

+> [!TIP]

+> While a response is returned after a few seconds, this only indicates that the creation request has been accepted. It can take several minutes for the cluster creation to finish.

+### 4. Submit the training job

+# [Python SDK](#tab/python)

+To run this script, you'll use a `command`. The command will be run by submitting it as a `job` to Azure ML.

+[!notebook-python[] (~/azureml-examples-v2samplesreorg/sdk/python/jobs/single-step/lightgbm/iris/lightgbm-iris-sweep.ipynb?name=create-command)]

+[!notebook-python[] (~/azureml-examples-v2samplesreorg/sdk/python/jobs/single-step/lightgbm/iris/lightgbm-iris-sweep.ipynb?name=run-command)]

+In the above examples, you configured:

+- `code` - path where the code to run the command is located

+- `command` - command that needs to be run

+- `environment` - the environment needed to run the training script. In this example, we use a curated or ready-made environment provided by AzureML called `AzureML-lightgbm-3.2-ubuntu18.04-py37-cpu`. We use the latest version of this environment by using the `@latest` directive. You can also use custom environments by specifying a base docker image and specifying a conda yaml on top of it.

+- `inputs` - dictionary of inputs using name value pairs to the command. The key is a name for the input within the context of the job and the value is the input value. Inputs are referenced in the `command` using the `${{inputs.<input_name>}}` expression. To use files or folders as inputs, you can use the `Input` class.

+For more information, see the [reference documentation](/python/api/azure-ai-ml/azure.ai.ml#azure-ai-ml-command).

+When you submit the job, a URL is returned to the job status in the AzureML studio. Use the studio UI to view the job progress. You can also use `returned_job.status` to check the current status of the job.

+# [Azure CLI](#tab/azurecli)

+The `az ml job create` command used in this example requires a YAML job definition file. The contents of the file used in this example are:

+In the above, you configured:

+- `code` - path where the code to run the command is located

+- `command` - command that needs to be run

+- `inputs` - dictionary of inputs using name value pairs to the command. The key is a name for the input within the context of the job and the value is the input value. Inputs are referenced in the `command` using the `${{inputs.<input_name>}}` expression.

+- `environment` - the environment needed to run the training script. In this example, we use a curated or ready-made environment provided by AzureML called `AzureML-sklearn-0.24-ubuntu18.04-py37-cpu`. We use the latest version of this environment by using the `@latest` directive. You can also use custom environments by specifying a base docker image and specifying a conda yaml on top of it.

+To submit the job, use the following command. The run ID (name) of the training job is stored in the `$run_id` variable:

+```azurecli

+run_id=$(az ml job create -f jobs/single-step/scikit-learn/iris/job.yml --query name -o tsv)

+```

+You can use the stored run ID to return information about the job. The `--web` parameter opens the AzureML studio web UI where you can drill into details on the job:

+# [REST API](#tab/restapi)

+As part of job submission, the training scripts and data must be uploaded to a cloud storage location that your AzureML workspace can access. These examples don't cover the uploading process. For information on using the Blob REST API to upload files, see the [Put Blob](/rest/api/storageservices/put-blob) reference.

+1. Create a versioned reference to the training data. In this example, the data is located at `https://azuremlexamples.blob.core.windows.net/datasets/iris.csv`. In your workspace, you might upload the file to the default storage for your workspace:

+ ```bash

+ DATA_VERSION=$RANDOM

+ curl --location --request PUT "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/data/iris-data/versions/$DATA_VERSION?api-version=$API_VERSION" \

+ --header "Authorization: Bearer $TOKEN" \

+ --header "Content-Type: application/json" \

+ --data-raw "{

+ \"properties\": {

+ \"description\": \"Iris dataset\",

+ \"dataType\": \"uri_file\",

+ \"dataUri\": \"https://azuremlexamples.blob.core.windows.net/datasets/iris.csv\"

+ }

+ }"

+ ```

+1. Register a versioned reference to the training script for use with a job. In this case, the script would be located at `https://azuremlexamples.blob.core.windows.net/testjob`. This `testjob` is the folder in Blob storage that contains the training script and any dependencies needed by the script. In the following example, the ID of the versioned training code is returned and stored in the `$TRAIN_CODE` variable:

+ ```bash

+ TRAIN_CODE=$(curl --location --request PUT "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/codes/train-lightgbm/versions/1?api-version=$API_VERSION" \

+ --header "Authorization: Bearer $TOKEN" \

+ --header "Content-Type: application/json" \

+ --data-raw "{

+ \"properties\": {

+ \"description\": \"Train code\",

+ \"codeUri\": \"https://larrystore0912.blob.core.windows.net/azureml-blobstore-c8e832ae-e49c-4084-8d28-5e6c88502655/testjob\"

+ }

+ }" | jq -r '.id')

+ ```

+1. Create the environment that the cluster will use to run the training script. In this example, we use a curated or ready-made environment provided by AzureML called `AzureML-lightgbm-3.2-ubuntu18.04-py37-cpu`. The following command retrieves a list of the environment versions, with the newest being at the top of the collection. `jq` is used to retrieve the ID of the latest (`[0]`) version, which is then stored into the `$ENVIRONMENT` variable.

+ ```bash

+ ENVIRONMENT=$(curl --location --request GET "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/environments/AzureML-lightgbm-3.2-ubuntu18.04-py37-cpu/versions?api-version=$API_VERSION" --header "Authorization: Bearer $TOKEN" | jq -r .value[0].id)

+ ```

+1. Finally, submit the job. The following example shows how to submit the job, reference the training code ID, environment ID, URL for the input data, and the ID of the compute cluster. The job output location will be stored in the `$JOB_OUTPUT` variable:

+ > [!TIP]

+ > The job name must be unique. In this example, `uuidgen` is used to generate a unique value for the name.

+ ```bash

+ run_id=$(uuidgen)

+ curl --location --request PUT "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/jobs/$run_id?api-version=$API_VERSION" \

+ --header "Authorization: Bearer $TOKEN" \

+ --header "Content-Type: application/json" \

+ --data-raw "{

+ \"properties\": {

+ \"jobType\": \"Command\",

+ \"codeId\": \"$TRAIN_CODE\",

+ \"command\": \"python main.py --iris-csv \$AZURE_ML_INPUT_iris\",

+ \"environmentId\": \"$ENVIRONMENT\",

+ \"inputs\": {

+ \"iris\": {

+ \"jobInputType\": \"uri_file\",

+ \"uri\": \"https://azuremlexamples.blob.core.windows.net/datasets/iris.csv\"

+ }

+ },

+ \"experimentName\": \"lightgbm-iris\",

+ \"computeId\": \"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/computes/$COMPUTE_NAME\"

+ }

+ }"

+ ```

+## Register the trained model

+The following examples demonstrate how to register a model in your AzureML workspace.

+# [Python SDK](#tab/python)

+> [!TIP]

+> The `name` property returned by the training job is used as part of the path to the model.

+```python

+from azure.ai.ml.entities import Model

+from azure.ai.ml.constants import ModelType

+run_model = Model(

+ path="azureml://jobs/{}/outputs/artifacts/paths/model/".format(returned_job.name),

+ name="run-model-example",

+ description="Model created from run.",

+ type=ModelType.MLFLOW

+)

+ml_client.models.create_or_update(run_model)

+```

+# [Azure CLI](#tab/azurecli)

+> [!TIP]

+> The name (stored in the `$run_id` variable) is used as part of the path to the model.

+# [REST API](#tab/restapi)

+> [!TIP]

+> The name (stored in the `$run_id` variable) is used as part of the path to the model.

+```bash

+curl --location --request PUT "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/models/sklearn/versions/1?api-version=$API_VERSION" \

+--header "Authorization: Bearer $TOKEN" \

+--header "Content-Type: application/json" \

+--data-raw "{

+ \"properties\": {

+ \"modelType\": \"mlflow_model\",

+ \"modelUri\":\"runs:/$run_id/model\"

+ }

+}"

+```

+## Next steps

+Now that you have a trained model, learn [how to deploy it using an online endpoint](how-to-deploy-managed-online-endpoints.md).

+For more examples, see the [AzureML examples](https://github.com/azure/azureml-examples) GitHub repository.

+For more information on the Azure CLI commands, Python SDK classes, or REST APIs used in this article, see the following reference documentation:

+* [Azure CLI `ml` extension](/cli/azure/ml)

+* [Python SDK](/python/api/azure-ai-ml/azure.ai.ml)

+* [REST API](/rest/api/azureml/)

+There are many ways to create a training job with Azure Machine Learning. You can use the CLI (see [Train models (create jobs)](how-to-train-model.md)), the REST API (see [Train models with REST (preview)](how-to-train-with-rest.md)), or you can use the UI to directly create a training job. In this article, you'll learn how to use your own data and code to train a machine learning model with the job creation UI in Azure Machine Learning studio.

+* Understanding of what a job is in Azure Machine Learning. See [how to train models]how-to-train-model.md).

+* [Train models (create jobs) with the CLI, SDK, and REST API](how-to-train-model.md)

+Use the [Azure Machine Learning](how-to-train-model.md) to submit a remote run. When using the Azure Machine Learning CLI (v2), the MLflow tracking URI and experiment name are set automatically and directs the logging from MLflow to your workspace. Learn more about [logging Azure Machine Learning experiments with MLflow](how-to-use-mlflow-cli-runs.md)

+ + [Train models](how-to-train-model.md)

+- [Set up an Azure Machine Learning workspace](quickstart-create-resources.md)

+- [Tutorial: Build a first machine learning project](tutorial-1st-experiment-hello-world.md)

+- [How to run training jobs(how-to-train-model.md)

+## Data schema for online scoring

+In this section, we document the input data format required to make predictions using a deployed model.

+The following is the input format needed to generate predictions on any task using task-specific model endpoint.

+```json

+{

+ "input_data": {

+ "columns": [

+ "image"

+ ],

+ "data": [

+ "image_in_base64_string_format"

+ ]

+ }

+}

+This json is a dictionary with outer key `input_data` and inner keys `columns`, `data` as described in the following table. The endpoint accepts a json string in the above format and converts it into a dataframe of samples required by the scoring script. Each input image in the `request_json["input_data"]["data"]` section of the json is a [base64 encoded string](https://docs.python.org/3/library/base64.html#base64.encodebytes).

+| Key | Description |

+| -- |-|

+| `input_data`<br> (outer key) | It is an outer key in json request. `input_data` is a dictionary that accepts input image samples <br>`Required, Dictionary` |

+| `columns`<br> (inner key) | Column names to use to create dataframe. It accepts only one column with `image` as column name.<br>`Required, List` |

+| `data`<br> (inner key) | List of base64 encoded images <br>`Required, List`|

+After we [deploy the mlflow model](how-to-auto-train-image-models.md#register-and-deploy-model), we can use the following code snippet to get predictions for all tasks.

+[!Notebook-python[] (~/azureml-examples-v2samplesreorg/sdk/python/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=create_inference_request)]

+[!Notebook-python[] (~/azureml-examples-v2samplesreorg/sdk/python/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=dump_inference_request)]

+[!Notebook-python[] (~/azureml-examples-v2samplesreorg/sdk/python/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=invoke_inference)]

+Predictions made on model endpoints follow different structure depending on the task type. This section explores the output data formats for multi-class, multi-label image classification, object detection, and instance segmentation tasks.

+The following schemas are applicable when the input request contains one image.

+[

+ {

+ "filename": "/tmp/tmppjr4et28",

+ "probs": [

+ 2.098e-06,

+ 4.783e-08,

+ 0.999,

+ 8.637e-06

+ ],

+ "labels": [

+ "can",

+ "carton",

+ "milk_bottle",

+ "water_bottle"

+ ]

+ }

+]

+[

+ {

+ "filename": "/tmp/tmpsdzxlmlm",

+ "probs": [

+ 0.997,

+ 0.960,

+ 0.982,

+ 0.025

+ ],

+ "labels": [

+ "can",

+ "carton",

+ "milk_bottle",

+ "water_bottle"

+ ]

+ }

+]

+[

+ {

+ "filename": "/tmp/tmpdkg2wkdy",

+ "boxes": [

+ {

+ "box": {

+ "topX": 0.224,

+ "topY": 0.285,

+ "bottomX": 0.399,

+ "bottomY": 0.620

+ },

+ "label": "milk_bottle",

+ "score": 0.937

+ {

+ "box": {

+ "topX": 0.664,

+ "topY": 0.484,

+ "bottomX": 0.959,

+ "bottomY": 0.812

+ },

+ "label": "can",

+ "score": 0.891

+ {

+ "box": {

+ "topX": 0.423,

+ "topY": 0.253,

+ "bottomX": 0.632,

+ "bottomY": 0.725

+ },

+ "label": "water_bottle",

+ "score": 0.876

+ }

+ ]

+ }

+]

+[

+ {

+ "filename": "/tmp/tmpi8604s0h",

+ "boxes": [

+ {

+ "box": {

+ "topX": 0.679,

+ "topY": 0.491,

+ "bottomX": 0.926,

+ "bottomY": 0.810

+ },

+ "label": "can",

+ "score": 0.992,

+ "polygon": [

+ [

+ 0.82, 0.811, 0.771, 0.810, 0.758, 0.805, 0.741, 0.797, 0.735, 0.791, 0.718, 0.785, 0.715, 0.778, 0.706, 0.775, 0.696, 0.758, 0.695, 0.717, 0.698, 0.567, 0.705, 0.552, 0.706, 0.540, 0.725, 0.520, 0.735, 0.505, 0.745, 0.502, 0.755, 0.493

+ ]

+ ]

+ },

+ {

+ "box": {

+ "topX": 0.220,

+ "topY": 0.298,

+ "bottomX": 0.397,

+ "bottomY": 0.601

+ },

+ "label": "milk_bottle",

+ "score": 0.989,

+ "polygon": [

+ [

+ 0.365, 0.602, 0.273, 0.602, 0.26, 0.595, 0.263, 0.588, 0.251, 0.546, 0.248, 0.501, 0.25, 0.485, 0.246, 0.478, 0.245, 0.463, 0.233, 0.442, 0.231, 0.43, 0.226, 0.423, 0.226, 0.408, 0.234, 0.385, 0.241, 0.371, 0.238, 0.345, 0.234, 0.335, 0.233, 0.325, 0.24, 0.305, 0.586, 0.38, 0.592, 0.375, 0.598, 0.365

+ ]

+ ]

+ },

+ {

+ "box": {

+ "topX": 0.433,

+ "topY": 0.280,

+ "bottomX": 0.621,

+ "bottomY": 0.679

+ },

+ "label": "water_bottle",

+ "score": 0.988,

+ "polygon": [

+ [

+ 0.576, 0.680, 0.501, 0.680, 0.475, 0.675, 0.460, 0.625, 0.445, 0.630, 0.443, 0.572, 0.440, 0.560, 0.435, 0.515, 0.431, 0.501, 0.431, 0.433, 0.433, 0.426, 0.445, 0.417, 0.456, 0.407, 0.465, 0.381, 0.468, 0.327, 0.471, 0.318

+ ]

+ ]

+ }

+ ]

+ }

+]

+* [Train models with the CLI (v2)](how-to-train-model.md)

+ Title: Service limits

+description: Service limits used for capacity planning and maximum limits on requests and responses for Azure Machine Learning.

+ms.metadata: product-dependency

+# Service limits in Azure Machine Learning

+This section lists basic limits and throttling thresholds in Azure Machine Learning.

+> [!IMPORTANT]

+> Azure Machine Learning doesn't store or process your data outside of the region where you deploy.

+## Workspaces

+| Limit | Value |

+| | |

+| Workspace name | 2-32 characters |

+## Runs

+| Limit | Value |

+| | |

+| Runs per workspace | 10 million |

+| RunId/ParentRunId | 256 characters |

+| DataContainerId | 261 characters |

+| DisplayName |256 characters|

+| Description |5,000 characters|

+| Number of properties |50 |

+| Length of property key |100 characters |

+| Length of property value |1,000 characters |

+| Number of tags |50 |

+| Length of tag key |100 |

+| Length of tag value |1,000 characters |

+| CancelUri / CompleteUri / DiagnosticsUri |1,000 characters |

+| Error message length |3,000 characters |

+| Warning message length |300 characters |

+| Number of input datasets |200 |

+| Number of output datasets |20 |

+## Metrics

+| Limit | Value |

+| | |

+| Metric names per run |50|

+| Metric rows per metric name |10 million|

+| Columns per metric row |15|

+| Metric column name length |255 characters |

+| Metric column value length |255 characters |

+| Metric rows per batch uploaded | 250 |

+> [!NOTE]

+> If you are hitting the limit of metric names per run because you are formatting variables into the metric name, consider instead to use a row metric where one column is the variable value and the second column is the metric value.

+## Artifacts

+| Limit | Value |

+| | |

+| Number of artifacts per run |10 million|

+| Max length of artifact path |5,000 characters |

+## Limit increases

+Some limits can be increased for individual workspaces. To learn how to increase these limits, see ["Manage and increase quotas for resources"](how-to-manage-quotas.md)

+## Next steps

+- Learn how increase resource quotas in ["Manage and increase quotas for resources"](how-to-manage-quotas.md).

+> * [v2 (preview)](../how-to-train-model.md)

+ Title: Model explainability in automated ML (preview)

+description: Learn how to get explanations for how your automated ML model determines feature importance and makes predictions when using the Azure Machine Learning SDK.

+# Interpretability: Model explainability in automated ML (preview)

+In this article, you learn how to get explanations for automated machine learning (automated ML) models in Azure Machine Learning using the Python SDK. Automated ML helps you understand feature importance of the models that are generated.

+All SDK versions after 1.0.85 set `model_explainability=True` by default. In SDK version 1.0.85 and earlier versions users need to set `model_explainability=True` in the `AutoMLConfig` object in order to use model interpretability.

+In this article, you learn how to:

+- Perform interpretability during training for best model or any model.

+- Enable visualizations to help you see patterns in data and explanations.

+- Implement interpretability during inference or scoring.

+## Prerequisites

+- Interpretability features. Run `pip install azureml-interpret` to get the necessary package.

+- Knowledge of building automated ML experiments. For more information on how to use the Azure Machine Learning SDK, complete this [object detection model tutorial](../tutorial-auto-train-image-models.md) or see how to [configure automated ML experiments](../how-to-configure-auto-train.md).

+## Interpretability during training for the best model

+Retrieve the explanation from the `best_run`, which includes explanations for both raw and engineered features.

+> [!NOTE]

+> Interpretability, model explanation, is not available for the TCNForecaster model recommended by Auto ML forecasting experiments.

+### Download the engineered feature importances from the best run

+You can use `ExplanationClient` to download the engineered feature explanations from the artifact store of the `best_run`.

+```python

+from azureml.interpret import ExplanationClient

+client = ExplanationClient.from_run(best_run)

+engineered_explanations = client.download_model_explanation(raw=False)

+print(engineered_explanations.get_feature_importance_dict())

+```

+### Download the raw feature importances from the best run

+You can use `ExplanationClient` to download the raw feature explanations from the artifact store of the `best_run`.

+```python

+from azureml.interpret import ExplanationClient

+client = ExplanationClient.from_run(best_run)

+raw_explanations = client.download_model_explanation(raw=True)

+print(raw_explanations.get_feature_importance_dict())

+```

+## Interpretability during training for any model

+When you compute model explanations and visualize them, you're not limited to an existing model explanation for an AutoML model. You can also get an explanation for your model with different test data. The steps in this section show you how to compute and visualize engineered feature importance based on your test data.

+### Retrieve any other AutoML model from training

+```python

+automl_run, fitted_model = local_run.get_output(metric='accuracy')

+```

+### Set up the model explanations

+Use `automl_setup_model_explanations` to get the engineered and raw explanations. The `fitted_model` can generate the following items:

+- Featured data from trained or test samples

+- Engineered feature name lists

+- Findable classes in your labeled column in classification scenarios

+The `automl_explainer_setup_obj` contains all the structures from above list.

+```python

+from azureml.train.automl.runtime.automl_explain_utilities import automl_setup_model_explanations

+automl_explainer_setup_obj = automl_setup_model_explanations(fitted_model, X=X_train,

+ X_test=X_test, y=y_train,

+ task='classification')

+```

+### Initialize the Mimic Explainer for feature importance

+To generate an explanation for automated ML models, use the `MimicWrapper` class. You can initialize the MimicWrapper with these parameters:

+- The explainer setup object

+- Your workspace

+- A surrogate model to explain the `fitted_model` automated ML model

+The MimicWrapper also takes the `automl_run` object where the engineered explanations will be uploaded.

+```python

+from azureml.interpret import MimicWrapper

+# Initialize the Mimic Explainer

+explainer = MimicWrapper(ws, automl_explainer_setup_obj.automl_estimator,

+ explainable_model=automl_explainer_setup_obj.surrogate_model,

+ init_dataset=automl_explainer_setup_obj.X_transform, run=automl_run,

+ features=automl_explainer_setup_obj.engineered_feature_names,

+ feature_maps=[automl_explainer_setup_obj.feature_map],

+ classes=automl_explainer_setup_obj.classes,

+ explainer_kwargs=automl_explainer_setup_obj.surrogate_model_params)

+```

+### Use Mimic Explainer for computing and visualizing engineered feature importance

+You can call the `explain()` method in MimicWrapper with the transformed test samples to get the feature importance for the generated engineered features. You can also sign in to [Azure Machine Learning studio](https://ml.azure.com/) to view the explanations dashboard visualization of the feature importance values of the generated engineered features by automated ML featurizers.

+```python

+engineered_explanations = explainer.explain(['local', 'global'], eval_dataset=automl_explainer_setup_obj.X_test_transform)

+print(engineered_explanations.get_feature_importance_dict())

+```

+For models trained with automated ML, you can get the best model using the `get_output()` method and compute explanations locally. You can visualize the explanation results with `ExplanationDashboard` from the `raiwidgets` package.

+```python

+best_run, fitted_model = remote_run.get_output()

+from azureml.train.automl.runtime.automl_explain_utilities import AutoMLExplainerSetupClass, automl_setup_model_explanations

+automl_explainer_setup_obj = automl_setup_model_explanations(fitted_model, X=X_train,

+ X_test=X_test, y=y_train,

+ task='regression')

+from interpret.ext.glassbox import LGBMExplainableModel

+from azureml.interpret.mimic_wrapper import MimicWrapper

+explainer = MimicWrapper(ws, automl_explainer_setup_obj.automl_estimator, LGBMExplainableModel,

+ init_dataset=automl_explainer_setup_obj.X_transform, run=best_run,

+ features=automl_explainer_setup_obj.engineered_feature_names,

+ feature_maps=[automl_explainer_setup_obj.feature_map],

+ classes=automl_explainer_setup_obj.classes)

+

+pip install interpret-community[visualization]

+engineered_explanations = explainer.explain(['local', 'global'], eval_dataset=automl_explainer_setup_obj.X_test_transform)

+print(engineered_explanations.get_feature_importance_dict()),

+from raiwidgets import ExplanationDashboard

+ExplanationDashboard(engineered_explanations, automl_explainer_setup_obj.automl_estimator, datasetX=automl_explainer_setup_obj.X_test_transform)

+

+raw_explanations = explainer.explain(['local', 'global'], get_raw=True,

+ raw_feature_names=automl_explainer_setup_obj.raw_feature_names,

+ eval_dataset=automl_explainer_setup_obj.X_test_transform)

+print(raw_explanations.get_feature_importance_dict()),

+from raiwidgets import ExplanationDashboard

+ExplanationDashboard(raw_explanations, automl_explainer_setup_obj.automl_pipeline, datasetX=automl_explainer_setup_obj.X_test_raw)

+```

+### Use Mimic Explainer for computing and visualizing raw feature importance

+You can call the `explain()` method in MimicWrapper with the transformed test samples to get the feature importance for the raw features. In the [Machine Learning studio](https://ml.azure.com/), you can view the dashboard visualization of the feature importance values of the raw features.

+```python

+raw_explanations = explainer.explain(['local', 'global'], get_raw=True,

+ raw_feature_names=automl_explainer_setup_obj.raw_feature_names,

+ eval_dataset=automl_explainer_setup_obj.X_test_transform,

+ raw_eval_dataset=automl_explainer_setup_obj.X_test_raw)

+print(raw_explanations.get_feature_importance_dict())

+```

+## Interpretability during inference

+In this section, you learn how to operationalize an automated ML model with the explainer that was used to compute the explanations in the previous section.

+### Register the model and the scoring explainer

+Use the `TreeScoringExplainer` to create the scoring explainer that'll compute the engineered feature importance values at inference time. You initialize the scoring explainer with the `feature_map` that was computed previously.

+Save the scoring explainer, and then register the model and the scoring explainer with the Model Management Service. Run the following code:

+```python

+from azureml.interpret.scoring.scoring_explainer import TreeScoringExplainer, save

+# Initialize the ScoringExplainer

+scoring_explainer = TreeScoringExplainer(explainer.explainer, feature_maps=[automl_explainer_setup_obj.feature_map])

+# Pickle scoring explainer locally

+save(scoring_explainer, exist_ok=True)

+# Register trained automl model present in the 'outputs' folder in the artifacts

+original_model = automl_run.register_model(model_name='automl_model',

+ model_path='outputs/model.pkl')

+# Register scoring explainer

+automl_run.upload_file('scoring_explainer.pkl', 'scoring_explainer.pkl')

+scoring_explainer_model = automl_run.register_model(model_name='scoring_explainer', model_path='scoring_explainer.pkl')

+```

+### Create the conda dependencies for setting up the service

+Next, create the necessary environment dependencies in the container for the deployed model. Please note that azureml-defaults with version >= 1.0.45 must be listed as a pip dependency, because it contains the functionality needed to host the model as a web service.

+```python

+from azureml.core.conda_dependencies import CondaDependencies

+azureml_pip_packages = [

+ 'azureml-interpret', 'azureml-train-automl', 'azureml-defaults'

+]

+myenv = CondaDependencies.create(conda_packages=['scikit-learn', 'pandas', 'numpy', 'py-xgboost<=0.80'],

+ pip_packages=azureml_pip_packages,

+ pin_sdk_version=True)

+with open("myenv.yml","w") as f:

+ f.write(myenv.serialize_to_string())

+with open("myenv.yml","r") as f:

+ print(f.read())

+```

+### Create the scoring script

+Write a script that loads your model and produces predictions and explanations based on a new batch of data.

+```python

+%%writefile score.py

+import joblib

+import pandas as pd

+from azureml.core.model import Model

+from azureml.train.automl.runtime.automl_explain_utilities import automl_setup_model_explanations

+def init():

+ global automl_model

+ global scoring_explainer

+ # Retrieve the path to the model file using the model name

+ # Assume original model is named automl_model

+ automl_model_path = Model.get_model_path('automl_model')

+ scoring_explainer_path = Model.get_model_path('scoring_explainer')

+ automl_model = joblib.load(automl_model_path)

+ scoring_explainer = joblib.load(scoring_explainer_path)

+def run(raw_data):

+ data = pd.read_json(raw_data, orient='records')

+ # Make prediction

+ predictions = automl_model.predict(data)

+ # Setup for inferencing explanations

+ automl_explainer_setup_obj = automl_setup_model_explanations(automl_model,

+ X_test=data, task='classification')

+ # Retrieve model explanations for engineered explanations

+ engineered_local_importance_values = scoring_explainer.explain(automl_explainer_setup_obj.X_test_transform)

+ # Retrieve model explanations for raw explanations

+ raw_local_importance_values = scoring_explainer.explain(automl_explainer_setup_obj.X_test_transform, get_raw=True)

+ # You can return any data type as long as it is JSON-serializable

+ return {'predictions': predictions.tolist(),

+ 'engineered_local_importance_values': engineered_local_importance_values,

+ 'raw_local_importance_values': raw_local_importance_values}

+```

+### Deploy the service

+Deploy the service using the conda file and the scoring file from the previous steps.

+```python

+from azureml.core.webservice import Webservice

+from azureml.core.webservice import AciWebservice

+from azureml.core.model import Model, InferenceConfig

+from azureml.core.environment import Environment

+aciconfig = AciWebservice.deploy_configuration(cpu_cores=1,

+ memory_gb=1,

+ tags={"data": "Bank Marketing",

+ "method" : "local_explanation"},

+ description='Get local explanations for Bank marketing test data')

+myenv = Environment.from_conda_specification(name="myenv", file_path="myenv.yml")

+inference_config = InferenceConfig(entry_script="score_local_explain.py", environment=myenv)

+# Use configs and models generated above

+service = Model.deploy(ws,

+ 'model-scoring',

+ [scoring_explainer_model, original_model],

+ inference_config,

+ aciconfig)

+service.wait_for_deployment(show_output=True)

+```

+### Inference with test data

+Inference with some test data to see the predicted value from AutoML model, currently supported only in Azure Machine Learning SDK. View the feature importances contributing towards a predicted value.

+```python

+if service.state == 'Healthy':

+ # Serialize the first row of the test data into json

+ X_test_json = X_test[:1].to_json(orient='records')

+ print(X_test_json)

+ # Call the service to get the predictions and the engineered explanations

+ output = service.run(X_test_json)

+ # Print the predicted value

+ print(output['predictions'])

+ # Print the engineered feature importances for the predicted value

+ print(output['engineered_local_importance_values'])

+ # Print the raw feature importances for the predicted value

+ print('raw_local_importance_values:\n{}\n'.format(output['raw_local_importance_values']))

+```

+## Visualize to discover patterns in data and explanations at training time

+You can visualize the feature importance chart in your workspace in [Azure Machine Learning studio](https://ml.azure.com). After your AutoML run is complete, select **View model details** to view a specific run. Select the **Explanations** tab to see the visualizations in the explanation dashboard.

+[](./media/how-to-machine-learning-interpretability-automl/automl-explanation.png#lightbox)

+For more information on the explanation dashboard visualizations and specific plots, please refer to the [how-to doc on interpretability](../how-to-machine-learning-interpretability-aml.md).

+## Next steps

+For more information about how you can enable model explanations and feature importance in areas other than automated ML, see [more techniques for model interpretability](../how-to-machine-learning-interpretability.md).

+ Title: Use private Python packages

+description: Learn how to securely work with private Python packages from your Azure Machine Learning environments.

+# Use private Python packages with Azure Machine Learning

+In this article, learn how to use private Python packages securely within Azure Machine Learning. Use cases for private Python packages include:

+ * You've developed a private package that you don't want to share publicly.

+ * You want to use a curated repository of packages stored within an enterprise firewall.

+The recommended approach depends on whether you have few packages for a single Azure Machine Learning workspace, or an entire repository of packages for all workspaces within an organization.

+The private packages are used through [Environment](/python/api/azureml-core/azureml.core.environment.environment) class. Within an environment, you declare which Python packages to use, including private ones. To learn about environment in Azure Machine Learning in general, see [How to use environments](how-to-use-environments.md).

+## Prerequisites

+ * The [Azure Machine Learning SDK for Python](/python/api/overview/azure/ml/install)

+ * An [Azure Machine Learning workspace](../quickstart-create-resources.md)

+## Use small number of packages for development and testing

+For a small number of private packages for a single workspace, use the static [`Environment.add_private_pip_wheel()`](/python/api/azureml-core/azureml.core.environment.environment#add-private-pip-wheel-workspace--file-path--exist-ok-false-) method. This approach allows you to quickly add a private package to the workspace, and is well suited for development and testing purposes.

+Point the file path argument to a local wheel file and run the ```add_private_pip_wheel``` command. The command returns a URL used to track the location of the package within your Workspace. Capture the storage URL and pass it the `add_pip_package()` method.

+```python

+whl_url = Environment.add_private_pip_wheel(workspace=ws,file_path = "my-custom.whl")

+myenv = Environment(name="myenv")

+conda_dep = CondaDependencies()

+conda_dep.add_pip_package(whl_url)

+myenv.python.conda_dependencies=conda_dep

+```

+Internally, Azure Machine Learning service replaces the URL by secure SAS URL, so your wheel file is kept private and secure.

+## Use a repository of packages from Azure DevOps feed

+If you're actively developing Python packages for your machine learning application, you can host them in an Azure DevOps repository as artifacts and publish them as a feed. This approach allows you to integrate the DevOps workflow for building packages with your Azure Machine Learning Workspace. To learn how to set up Python feeds using Azure DevOps, read [Get Started with Python Packages in Azure Artifacts](/azure/devops/artifacts/quickstarts/python-packages)

+This approach uses Personal Access Token to authenticate against the repository. The same approach is applicable to other repositories

+with token based authentication, such as private GitHub repositories.

+ 1. [Create a Personal Access Token (PAT)](/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?tabs=preview-page#create-a-pat) for your Azure DevOps instance. Set the scope of the token to __Packaging > Read__.

+ 2. Add the Azure DevOps URL and PAT as workspace properties, using the [Workspace.set_connection](/python/api/azureml-core/azureml.core.workspace.workspace#set-connection-name--category--target--authtype--value-) method.

+ ```python

+ from azureml.core import Workspace

+

+ pat_token = input("Enter secret token")

+ ws = Workspace.from_config()

+ ws.set_connection(name="connection-1",

+ category = "PythonFeed",

+ target = "https://pkgs.dev.azure.com/<MY-ORG>",

+ authType = "PAT",

+ value = pat_token)

+ ```

+ 3. Create an Azure Machine Learning environment and add Python packages from the feed.

+

+ ```python

+ from azureml.core import Environment

+ from azureml.core.conda_dependencies import CondaDependencies

+

+ env = Environment(name="my-env")

+ cd = CondaDependencies()

+ cd.add_pip_package("<my-package>")

+ cd.set_pip_option("--extra-index-url https://pkgs.dev.azure.com/<MY-ORG>/_packaging/<MY-FEED>/pypi/simple")")

+ env.python.conda_dependencies=cd

+ ```

+The environment is now ready to be used in training runs or web service endpoint deployments. When building the environment, Azure Machine Learning service uses the PAT to authenticate against the feed with the matching base URL.

+## Use a repository of packages from private storage

+You can consume packages from an Azure storage account within your organization's firewall. The storage account can hold a curated set of packages or an internal mirror of publicly available packages.

+To set up such private storage, see [Secure an Azure Machine Learning workspace and associated resources](../how-to-secure-workspace-vnet.md#secure-azure-storage-accounts). You must also [place the Azure Container Registry (ACR) behind the VNet](../how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr).

+> [!IMPORTANT]

+> You must complete this step to be able to train or deploy models using the private package repository.

+After completing these configurations, you can reference the packages in the Azure Machine Learning environment definition by their full URL in Azure blob storage.

+## Next steps

+ * Learn more about [enterprise security in Azure Machine Learning](../concept-enterprise-security.md)

+This article answers common questions about Azure Migrate. If you've questions after you read this article, you can post them in the [Azure Migrate forum](https://aka.ms/AzureMigrateForum). You also can review these articles:

+Classic Azure Migrate is retiring in Feb 2024. After Feb 2024, classic version of Azure Migrate will no longer be supported, and the inventory metadata in the classic project will be deleted. You can't upgrade projects or components in the previous version to the new version. You need to [create a new Azure Migrate project](create-manage-projects.md), and [add assessment and migration tools](./create-manage-projects.md) to it. Use the tutorials to understand how to use the assessment and migration tools available. If you had a Log Analytics workspace attached to a classic project, you can attach it to a project of current version after you delete the classic project.

+## What does Azure Migrate do to ensure data residency?

+When you create a project, you select a geography of your choice. The project and related resources are created in one of the regions in the geography, as allocated by the Azure Migrate service.

+See the metadata storage locations for each geography [here](migrate-support-matrix.md#public-cloud).

+Azure Migrate doesn't move or store customer data outside of the region allocated, guaranteeing data residency and resiliency in the same geography.

+## Does Azure Migrate offer Backup and Disaster Recovery?

+Azure Migrate is classified as customer managed Disaster Recovery, which means Azure Migrate doesn't offer to recover data from an alternate region and offer it to customers when the project region isn't available.

+While using different capabilities, it's recommended that you export the software inventory, dependency analysis, and assessment report for an offline backup.

+In the event of a regional failure or outage in the Azure region that your project is created in:

+- You may not be able to access your Azure Migrate projects, assessments, and other reports for the duration of the outage. However, you can use the offline copies that you've exported.

+- Any in-progress replication and/or migration will be paused and you might have to restart it post the outage.

+For zone-redundant HA, while there is no major performance impact for read workloads across availability zones, there might be up to 40 percent drop in write-query latency. The increase in write-latency is due to synchronous replication across Availability zone. The write latency impact is generally twice in zone redundant HA compared to the same zone HA. For same-zone HA, because the primary and the standby replica is in the same zone, the replication latency and consequently the synchronous write latency is lower. In summary, if write-latency is more critical for you compared to availability, you may want to choose same-zone HA but if availability and resiliency of your data is more critical for you at the expense of write-latency drop, you must choose zone-redundant HA. To measure the accurate impact of the latency drop in HA setup, we recommend you to perform performance testing for your workload to take an informed decision.</br>

+> Users will not be able to browse to the asset using the Azure Portal or Storage explorer if the only permission granted is read/modify access at the file or folder level of the storage account.

+> [!CAUTION]

+> Folder level permission is required to access data in ADLS Gen 2 using PowerBI.

+> Additionally, resource sets are not supported by self-service policies. Hence, folder level permission needs to be granted to access resource set files such as CSV or parquet.

+|Maximum number of self-service policies, per account|3K|3K|

+1. Review the status of imported files and the number of invalid indicator entries.The valid/invalid indicator count is updated once the file is processed. Please wait for the import to complete to get the updated count of valid/invalid indicators.

+East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, Southeast Asia, Australia East, Canada Central, Canada East, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, Switzerland North, China East 2 (Mooncake), China North 2 (Mooncake), and China North 3 (Mooncake). [Learn More](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud)

+East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, Southeast Asia, Australia East, Canada Central, Canada East, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, and Switzerland North.

+Use the following steps to prepare your project.

+Use the following steps to bind your app.

+| [all](blobfuse2-commands-mount-all.md) | Mounts all Azure blob containers in a specified storage account |

+| config-file | string | ./config.yaml | The path to the configuration file where the account credentials are provided. |

+| [mount](blobfuse2-commands-mount.md) | Mounts an Azure blob storage container as a filesystem in Linux or lists mounted file systems |

+| [mountv1](blobfuse2-commands-mountv1.md) | Mounts a blob container using legacy BlobFuse configuration and CLI parameters |

+| [unmount](blobfuse2-commands-unmount.md) | Unmounts a BlobFuse2-mounted file system |

+| [completion](blobfuse2-commands-completion.md) | Generates an autocompletion script for BlobFuse2 for the specified shell |

+| [secure](blobfuse2-commands-secure.md) | Encrypts or decrypts a configuration file, or gets or sets values in an encrypted configuration file |

+| [version](blobfuse2-commands-version.md) | Displays the current version of BlobFuse2 |

+| [help](blobfuse2-commands-help.md) | Gives help information about any command |

+ Title: How to use BlobFuse2 Health Monitor to gain insights into BlobFuse2 mount activities and resource usage (preview) | Microsoft Docs

+description: How to use BlobFuse2 Health Monitor to gain insights into BlobFuse2 mount activities and resource usage (preview).

+# Use Health Monitor to gain insights into BlobFuse2 mounts (preview)

+This article provides references to assist in deploying and using BlobFuse2 Health Monitor to gain insights into BlobFuse2 mount activities and resource usage.

+> [!IMPORTANT]

+> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

+> This preview version is provided without a service level agreement, and might not suitable for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

+>

+> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

+> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

+You can use BlobFuse2 Health Monitor to:

+- Get statistics about internal activities related to BlobFuse2 mounts

+- Monitor CPU, memory, and network usage by BlobFuse2 mount processes

+- Track file cache usage and events

+## BlobFuse2 Health Monitor Resources

+During the preview of BlobFuse2, refer to [the BlobFuse2 Health Monitor README on GitHub](https://github.com/Azure/azure-storage-fuse/blob/main/tools/health-monitor/README.md) for full details on how to deploy and use Health Monitor. The README file describes:

+- What Health Monitor collects

+- How to set it up in the configuration file used for mounting a storage container

+- The name, location, and contents of the output

+## See also

+- [What is BlobFuse2? (preview)](blobfuse2-what-is.md)

+- [BlobFuse2 configuration reference (preview)](blobfuse2-configuration.md)

+- [How to mount an Azure blob storage container on Linux with BlobFuse2 (preview)](blobfuse2-how-to-deploy.md)

+ wget https://github.com/Azure/azure-storage-fuse/releases/download/blobfuse2-2.0.0-preview.3/blobfuse2-2.0.0-preview.3-Ubuntu-22.04-x86-64.deb

+ sudo dpkg -i blobfuse2-2.0.0-preview.3-Ubuntu-22.04-x86-64.deb

+- [Use Health Monitor to gain insights into BlobFuse2 mount activities and resource usage (preview)](blobfuse2-health-monitor.md)

+This article provides references to assist in troubleshooting BlobFuse2 issues during the preview.

+## The troubleshooting guide (TSG)

+During the preview of BlobFuse2, refer to [The BlobFuse2 Troubleshooting Guide (TSG) on GitHub](https://github.com/Azure/azure-storage-fuse/blob/main/TSG.md)

+- [Use Health Monitor to gain insights into BlobFuse2 mount activities and resource usage (preview)](blobfuse2-health-monitor.md)

+- Gain insights into mount activities and resource usage using BlobFuse2 Health Monitor

+- [Use Health Monitor to gain insights into BlobFuse2 mount activities and resource usage (preview)](blobfuse2-health-monitor.md)

+## Client settings

+To transfer files to or from Azure storage via client applications, see the following recommended client settings.

+- WinSCP

+ - Under the **Preferences** dialog, under **Transfer** - **Endurance**, select **Disable** to disable the **Enable transfer resume/transfer to temporary filename** option.

+

+ > [!CAUTION]

+ > Leaving this option enabled can cause failures or degraded performance during large file uploads.

+

+- Under the **Preferences** dialog, under **Logging**, if the **Enable session logging on level** is checked, select **Reduced** or **Normal**.

+> [!CAUTION]

+> Logging level **Debug 1** or **Debug 2** significantly reduces session operation performance.

+## Impact of setting the access level on the web container

+ Title: How to mount Azure Blob storage as a file system on Linux with BlobFuse v1 | Microsoft Docs

+description: Learn how to mount an Azure Blob storage container with BlobFuse v1, a virtual file system driver on Linux.

+# How to mount Blob storage as a file system with BlobFuse v1

+> [!IMPORTANT]

+> [BlobFuse2](blobfuse2-what-is.md) is the latest version of BlobFuse and has many significant improvements over the version discussed in this article, BlobFuse v1. To learn about the improvements made in BlobFuse2, see [the list of BlobFuse2 enhancements](blobfuse2-what-is.md#blobfuse2-enhancements). BlobFuse2 is currently in preview and might not be suitable for production workloads.

+> This article is about the original version of BlobFuse. It is simply referred to as "BlobFuse" in many cases, but is also referred to as "BlobFuse v1" in this and other articles to distinguish it from the next generation of BlobFuse, BlobFuse2.

+This guide shows you how to use BlobFuse v1, and mount a Blob storage container on Linux and access data. To learn more about BlobFuse, see the [readme](https://github.com/Azure/azure-storage-fuse) and [wiki](https://github.com/Azure/azure-storage-fuse/wiki).

+## Install BlobFuse v1 on Linux

+BlobFuse is published in the Linux repo for Ubuntu versions: 16.04, 18.04, and 20.04, RHELversions: 7.5, 7.8, 7.9, 8.0, 8.1, 8.2, CentOS versions: 7.0, 8.0, Debian versions: 9.0, 10.0, SUSE version: 15, Oracle Linux 8.1. Run this command to make sure that you have one of those versions deployed:

+### Install BlobFuse v1

+# Quickstart: Azure Blob Storage client library for Python

+Get started with the Azure Blob Storage client library for Python to manage blobs and containers. Follow steps to install the package and try out example code for basic tasks.

+[API reference documentation](/python/api/azure-storage-blob) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/storage/azure-storage-blob) | [Package (PyPi)](https://pypi.org/project/azure-storage-blob/) | [Samples](../common/storage-samples-python.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#blob-samples)

+- An Azure account with an active subscription - [create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+- An Azure Storage account - [create a storage account](../common/storage-account-create.md).

+1. In a console window (such as PowerShell, cmd, or bash), create a new directory for the project.

+From the project directory, install the Azure Blob Storage client library for Python package by using the `pip install` command.

+This command installs the Azure Blob Storage for Python package and libraries on which it depends. In this case, the only dependency is the Azure core library for Python.

+From the project directory, follow steps to create the basic structure of the app:

+1. Add `import` statements, create the structure for the program, and include basic exception handling, as shown below

+The following diagram shows the relationship between these resources:

+- [Get the connection string](#get-the-connection-string-for-authentication)

+### Get the connection string for authentication

+The app pauses for user input by calling `input()` before it deletes the blob, container, and local files. Verify that the resources were created correctly before they're deleted.

+Before you begin the cleanup process, check your *data* folder for the two files. You can compare them and observe that they're identical.

+## Clean up resources

+After you've verified the files and finished testing, press the **Enter** key to delete the test files along with the container you created in the storage account.

+Many Azure services support passwordless connections through Azure AD and Role Based Access control (RBAC). These techniques provide robust security features and can be implemented using `DefaultAzureCredential` from the Azure Identity client libraries.

+`DefaultAzureCredential` supports multiple authentication methods and automatically determines which should be used at runtime. This approach enables your app to use different authentication methods in different environments (local dev vs. production) without implementing environment-specific code.

+The order and locations in which `DefaultAzureCredential` searches for credentials can be found in the [Azure Identity library overview](/dotnet/api/overview/azure/Identity-readme#defaultazurecredential) and varies between languages. For example, when working locally with .NET, `DefaultAzureCredential` will generally authenticate using the account the developer used to sign-in to Visual Studio. When the app is deployed to Azure, `DefaultAzureCredential` will automatically switch to use a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview). No code changes are required for this transition.

+ ```dotnetcli

+ dotnet add package Azure.Identity

+ ```

+ ```csharp

+ using Azure.Identity;

+ ```

+ ```csharp

+ // TODO: Update <storage-account-name> placeholder to your account name

+ var blobServiceClient = new BlobServiceClient(

+ new Uri("https://<storage-account-name>.blob.core.windows.net"),

+ new DefaultAzureCredential());

+ ```

+1. Make sure to update the storage account name in the URI of your `BlobServiceClient`. You can find the storage account name on the overview page of the Azure portal.

+ :::image type="content" source="../blobs/media/storage-quickstart-blobs-dotnet/storage-account-name.png" alt-text="Screenshot showing how to find the storage account name.":::

+Once your application is configured to use passwordless connections and runs locally, the same code can authenticate to Azure services after it is deployed to Azure. For example, an application deployed to an Azure App Service instance that has a managed identity enabled can connect to Azure Storage.

+1. On the main overview page of your App Service, select **Service Connector** from the left navigation.

+ * **Service type**: Choose **Storage blob**.

+ * **Subscription**: Select the subscription you would like to use.

+ * **Connection Name**: Enter a name for your connection, such as *connector_appservice_blob*.

+ * **Client type**: Leave the default value selected or choose the specific client you'd like to use.

+ Select **Next: Authentication**.

+ :::image type="content" source="media/migration-create-identity-small.png" alt-text="Screenshot showing how to create a system assigned managed identity." lightbox="media/migration-create-identity.png":::

+### [Azure App Service](#tab/app-service)

+1. On the main overview page of your Azure App Service instance, select **Identity** from the left navigation.

+ :::image type="content" source="media/migration-create-identity-small.png" alt-text="Screenshot showing how to create a system assigned managed identity." lightbox="media/migration-create-identity.png":::

+### [Azure Spring Apps](#tab/spring-apps)

+1. On the main overview page of your Azure Spring Apps instance, select **Identity** from the left navigation.

+ :::image type="content" source="media/storage-migrate-credentials/spring-apps-identity.png" alt-text="Screenshot showing how to enable managed identity for Azure Spring Apps.":::

+### [Azure Container Apps](#tab/container-apps)

+1. On the main overview page of your Azure Container Apps instance, select **Identity** from the left navigation.

+ :::image type="content" source="media/storage-migrate-credentials/container-apps-identity.png" alt-text="Screenshot showing how to enable managed identity for Azure Container Apps.":::

+### [Azure virtual machines](#tab/virtual-machines)

+1. On the main overview page of your virtual machine, select **Identity** from the left navigation.

+ :::image type="content" source="media/storage-migrate-credentials/virtual-machine-identity.png" alt-text="Screenshot showing how to enable managed identity for virtual machines.":::

+You can use Service Connector to create a connection between an Azure compute hosting environment and a target service using the Azure CLI. The CLI automatically handles creating a managed identity and assigns the proper role, as explained in the [portal instructions](#create-the-managed-identity-using-the-azure-portal).

+If you're using an Azure App Service, use the `az webapp connection` command:

+az webapp connection create storage-blob \

+ --resource-group <resource-group-name> \

+ --name <webapp-name> \

+ --target-resource-group <target-resource-group-name> \

+ --account <target-storage-account-name> \

+ --system-identity

+If you're using Azure Spring Apps, use `the az spring-cloud connection` command:

+az spring-cloud connection create storage-blob \

+ --resource-group <resource-group-name> \

+ --service <service-instance-name> \

+ --app <app-name> \

+ --deployment <deployment-name> \

+ --target-resource-group <target-resource-group> \

+ --account <target-storage-account-name> \

+ --system-identity

+If you're using Azure Container Apps, use the `az containerapp connection` command:

+az containerapp connection create storage-blob \

+ --resource-group <resource-group-name> \

+ --name <containerapp-name> \

+ --target-resource-group <target-resource-group-name> \

+ --account <target-storage-account-name> \

+ --system-identity

+### [Azure App Service](#tab/app-service-identity)

+You can assign a managed identity to an Azure App Service instance with the [az webapp identity assign](/cli/azure/webapp/identity) command.

+az webapp identity assign \

+ --resource-group <resource-group-name> \

+ --name <webapp-name>

+### [Azure Spring Apps](#tab/spring-apps-identity)

+You can assign a managed identity to an Azure Spring Apps instance with the [az spring app identity assign](/cli/azure/spring/app/identity) command.

+az spring app identity assign \

+ --resource-group <resource-group-name> \

+ --name <app-name> \

+ --service <service-name>

+### [Azure Container Apps](#tab/container-apps-identity)

+You can assign a managed identity to an Azure Container Apps instance with the [az containerapp identity assign](/cli/azure/containerapp/identity) command.

+az containerapp identity assign \

+ --resource-group <resource-group-name> \

+ --name <app-name>

+### [Azure virtual machines](#tab/virtual-machines-identity)

+You can assign a managed identity to a virtual machine with the [az vm identity assign](/cli/azure/vm/identity) command.

+az vm identity assign \

+ --resource-group <resource-group-name> \

+ --name <virtual-machine-name>

+### [Azure Kubernetes Service](#tab/aks-identity)

+You can assign a managed identity to an Azure Kubernetes Service (AKS) instance with the [az aks update](/cli/azure/aks) command.

+az vm identity assign \

+ --resource-group <resource-group-name> \

+ --name <virtual-machine-name>

+Next, you need to grant permissions to the managed identity you created to access your storage account. You can do this by assigning a role to the managed identity, just like you did with your local development user.

+If you connected your services using the Service Connector you do not need to complete this step. The necessary configurations were handled for you:

+ :::image type="content" source="media/migration-add-role-small.png" alt-text="Screenshot showing how to add a role to a managed identity." lightbox="media/migration-add-role.png":::

+ :::image type="content" source="media/migration-select-identity-small.png" alt-text="Screenshot showing how to select the assigned managed identity." lightbox="media/migration-select-identity.png":::

+1. Select **Next** a couple times until you're able to select **Review + assign** to finish the role assignment.

+az storage account show \

+ --resource-group '<your-resource-group-name>' \

+ --name '<your-storage-account-name>' \

+ --query id

+az role assignment create \

+ --assignee "<your-username>" \

+ --role "Storage Blob Data Contributor" \

+ --scope "<your-resource-id>"

+* For more information on authorizing access with managed identity, visit [Authorize access to blob data with managed identities for Azure resources](/azure/storage/blobs/authorize-managed-identity).

+* [Authorize with Azure roles](/azure/storage/blobs/authorize-access-azure-active-directory)

+* To learn more about .NET Core, see [Get started with .NET in 10 minutes](https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/intro).

+* To learn more about authorizing from a web application, visit [Authorize from a native or web application](/azure/storage/common/storage-auth-aad-app)

+ Title: Control what a user can do at the directory and file level - Azure Files

+description: Learn how to configure Windows ACLs for directory and file level permissions for AD DS authentication to Azure file shares, allowing you to take advantage of granular access control.

+# Part three: configure directory and file level permissions over SMB

+Before you begin this article, make sure you've completed the previous article, [Assign share-level permissions to an identity](storage-files-identity-ad-ds-assign-permissions.md), to ensure that your share-level permissions are in place with Azure role-based access control (RBAC).

+After you assign share-level permissions, you must first connect to the Azure file share using the storage account key and then configure Windows access control lists (ACLs), also known as NTFS permissions, at the root, directory, or file level. While share-level permissions act as a high-level gatekeeper that determines whether a user can access the share, Windows ACLs operate at a more granular level to control what operations the user can do at the directory or file level.

+Both share-level and file/directory level permissions are enforced when a user attempts to access a file/directory, so if there's a difference between either of them, only the most restrictive one will be applied. For example, if a user has read/write access at the file level, but only read at a share level, then they can only read that file. The same would be true if it was reversed: if a user had read/write access at the share-level, but only read at the file-level, they can still only read the file.

+Azure Files supports the full set of basic and advanced Windows ACLs. You can view and configure Windows ACLs on directories and files in an Azure file share by connecting to the share and then using Windows File Explorer, running the Windows [icacls](/windows-server/administration/windows-commands/icacls) command, or the [Set-ACL](/powershell/module/microsoft.powershell.security/set-acl) command.

+## Connect to the Azure file share

+Run the PowerShell script below or [use the Azure portal](storage-files-quick-create-use-windows.md#map-the-azure-file-share-to-a-windows-drive) to connect to the Azure file share using the storage account key and map it to drive Z: on Windows. If Z: is already in use, replace it with an available drive letter. The script will check to see if this storage account is accessible via TCP port 445, which is the port SMB uses. Remember to replace the placeholder values with your own values. For more information, see [Use an Azure file share with Windows](storage-how-to-use-files-windows.md).

+> You might see the **Full Control** ACL applied to a role already. This typically already offers the ability to assign permissions. However, because there are access checks at two levels (the share level and the file/directory level), this is restricted. Only users who have the **SMB Elevated Contributor** role and create a new file or directory can assign permissions on those new files or directories without using the storage account key. All other file/directory permission assignment requires connecting to the share using the storage account key first.

+```powershell

+if ($connectTestResult.TcpTestSucceeded) {

+ cmd.exe /C "cmdkey /add:`"<storage-account-name>.file.core.windows.net`" /user:`"localhost\<storage-account-name>`" /pass:`"<storage-account-key>`""

+ New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\<file-share-name>"

+} else {

+ Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."

+If you experience issues connecting to Azure Files on Windows, refer to [this troubleshooting tool](https://azure.microsoft.com/blog/new-troubleshooting-diagnostics-for-azure-files-mounting-errors-on-windows/).

+After you've connected to your Azure file share, you must configure the Windows ACLs. You can do this using either Windows File Explorer or [icacls](/windows-server/administration/windows-commands/icacls).

+icacls <mapped-drive-letter>: /grant <user-upn>:(f)

+Use Windows File Explorer to grant full permission to all directories and files under the file share, including the root directory. If you're not able to load the AD domain information correctly in Windows File Explorer, this is likely due to trust configuration in your on-premises AD environment. The client machine wasn't able to reach the AD domain controller registered for Azure Files authentication. In this case, [use icacls](#configure-windows-acls-with-icacls) for configuring Windows ACLs.

+1. Select **OK**.

+1. In the **Security** tab, select all permissions you want to grant your new user.

+1. Select **Apply**.

+Now that the feature is enabled and configured, continue to the next article to learn how to mount your Azure file share from a domain-joined VM.

+1. Use [Start-HcsUpdate](/powershell/module/hcs/start-hcsupdate?view=winserver2012r2-ps&preserve-view=true) to update the device. For detailed steps, see [Install regular updates via Windows PowerShell](storsimple-update-device.md#to-install-regular-updates-via-windows-powershell-for-storsimple). This update is non-disruptive.

+To learn more about how to create an Azure Data Explorer cluster by using the Azure portal, visit: [Quickstart: Create an Azure Data Explorer cluster and database](/azure/data-explorer/create-cluster-database-portal/)

+> Azure Data Explorer from Azure Stream Analytics supports output to Synapse Data Explorer clusters. To write to your synapse data explorer clusters, you have to specify the url of your cluster in the configuration blade in for Azure Data Explorer output in your Azure Stream Analytics job.

+## Other Scenarios and limitations

+* The name of the columns and data type should match between Azure Stream Analytics SQL query and Azure Data Explorer table. Note that the comparison is case sensitive.

+* Columns that exist in your Azure Data explorer clusters but are missing in ASA are ignored while columns that are missing in Azure Stream raise an error.

+* The order of your columns in your ASA query does not matter. Order is determined by the schema of the ADX table.

+All the [windowing](/stream-analytics-query/windowing-azure-stream-analytics) operations output results at the **end** of the window. Note that when you start a stream analytics job, you can specify the *Job output start time* and the system will automatically fetch previous events in the incoming streams to output the first window at the specified time; for example when you start with the *Now* option, it will start to emit data immediately.

+The output of the window will be a single event based on the aggregate function used. The output event will have the time stamp of the end of the window and all window functions are defined with a fixed length.

+[**Hopping**](/stream-analytics-query/hopping-window-azure-stream-analytics) window functions hop forward in time by a fixed period. It may be easy to think of them as Tumbling windows that can overlap and be emitted more often than the window size. Events can belong to more than one Hopping window result set. To make a Hopping window the same as a Tumbling window, specify the hop size to be the same as the window size.

+

+You can filter the list of pipeline runs to the ones you're interested in. The filters at the top of the screen allow you to specify a field on which you'd like to filter. You can view pipeline run data for the last 45 days. If you want to store pipeline run data for more than 45 days, set up your own diagnostic logging with [Azure monitor](../../data-factory/monitor-using-azure-monitor.md).

+#### GetSecret()

+`TokenLibrary.GetSecret("<AZURE KEY VAULT NAME>", "<SECRET KEY>" [, <LINKED SERVICE NAME>])`

+To retrieve a secret from Azure Key Vault, use the **TokenLibrary.GetSecret()** function.

+val connectionString: String = TokenLibrary.GetSecret("<AZURE KEY VAULT NAME>", "<SECRET KEY>", "<LINKED SERVICE NAME>")

+connection_string = token_library.GetSecret("<AZURE KEY VAULT NAME>", "<SECRET KEY>", "<LINKED SERVICE NAME>")

+1. Paste the following script and select **Run** to create the master key for your target Synapse SQL database.

+ Title: Understanding multimedia redirection on Azure Virtual Desktop - Azure

+description: An overview of multimedia redirection on Azure Virtual Desktop (preview).

+# Understanding multimedia redirection for Azure Virtual Desktop

+> [!IMPORTANT]

+> Multimedia redirection on Azure Virtual Desktop is currently in preview.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Multimedia redirection (MMR) gives you smooth video playback while watching videos in a browser in Azure Virtual Desktop. Multimedia redirection redirects the media content from Azure Virtual Desktop to your local machine for faster processing and rendering. Both Microsoft Edge and Google Chrome support this feature.

+> [!NOTE]

+> Multimedia redirection isn't supported on Azure Virtual Desktop for Microsoft 365 Government (GCC), GCC-High environments, and Microsoft 365 DoD.

+>

+> Multimedia redirection on Azure Virtual Desktop is only available for the [Windows Desktop client, version 1.2.3573 or later](/windows-server/remote/remote-desktop-services/clients/windowsdesktop-whatsnew). on Windows 11, Windows 10, or Windows 10 IoT Enterprise devices.

+>

+> The preview version of multimedia redirection for Azure Virtual Desktop has restricted playback to sites we've tested.

+## Websites that work with multimedia redirection

+The following list shows websites that are known to work with MMR. MMR works with these sites by default.

+ :::column span="":::

+ - AnyClip

+ - AWS Training

+ - BBC

+ - Big Think

+ - Brightcove

+ - CNBC

+ - Coursera

+ - Daily Mail

+ - Facebook

+ - Fidelity

+ :::column-end:::

+ :::column span="":::

+ - Flashtalking

+ - Fox Sports

+ - Fox Weather

+ - IMDB

+ - Infosec Institute

+ - LinkedIn Learning

+ - Microsoft Learn

+ - Microsoft Stream

+ - Pluralsight

+ - Reddit

+ - Reuters

+ :::column-end:::

+ :::column span="":::

+ - Skillshare

+ - The Guardian

+ - Twitch

+ - Udemy

+ - UMU

+ - U.S. News

+ - Vidazoo

+ - Vimeo

+ - Yahoo

+ - Yammer

+ - YouTube (including sites with embedded YouTube videos).

+ :::column-end:::

+Microsoft Teams live events aren't media-optimized for Azure Virtual Desktop and Windows 365 when using the native Teams app. However, if you use Teams live events with a supported browser, MMR is a workaround that provides smoother Teams live events playback on Azure Virtual Desktop. MMR supports Enterprise Content Delivery Network (ECDN) for Teams live events.

+### The multimedia redirection status icon

+To quickly tell if multimedia redirection is active in your browser, we've added the following icon states:

+| Icon State | Definition |

+|--|--|

+| :::image type="content" source="./media/mmr-extension-unsupported.png" alt-text="The MMR extension icon greyed out, indicating that the website can't be redirected or the extension isn't loading."::: | A greyed out icon means that multimedia content on the website can't be redirected or the extension isn't loading. |

+| :::image type="content" source="./media/mmr-extension-disconnect.png" alt-text="The MMR extension icon with a red square with an x that indicates the client can't connect to multimedia redirection."::: | The red square with an "X" inside of it means that the client can't connect to multimedia redirection. You may need to uninstall and reinstall the extension, then try again. |

+| :::image type="content" source="./media/mmr-extension-supported.png" alt-text="The MMR extension icon with no status applied."::: | The default icon appearance with no status applied. This icon state means that multimedia content on the website can be redirected and is ready to use. |

+| :::image type="content" source="./media/mmr-extension-playback.png" alt-text="The MMR extension icon with a green square with a play button icon inside of it, indicating that multimedia redirection is working."::: | The green square with a play button icon inside of it means that the extension is currently redirecting video playback. |

+| :::image type="content" source="./media/mmr-extension-webrtc.png" alt-text="The MMR extension icon with a green square with telephone icon inside of it, indicating that multimedia redirection is working."::: | The green square with a phone icon inside of it means that the extension is currently redirecting a WebRTC call. |

+Selecting the icon in your browser will display a pop-up menu where it lists the features supported on the current page, you can select to enable or disable multimedia redirection on all websites, and collect logs. It also lists the version numbers for each component of the service.

+You can use the icon to check the status of the extension by following the directions in [Check the extension status](multimedia-redirection.md#check-the-extension-status).

+## Support during public preview

+If you run into issues while using the public preview version of multimedia redirection, we recommend contacting [Microsoft Azure support](https://azure.microsoft.com/support/plans/).

+## Next steps

+To learn how to use this feature, see [Multimedia redirection for Azure Virtual Desktop (preview)](multimedia-redirection.md).

+To troubleshoot issues or view known issues, see [our troubleshooting article](troubleshoot-multimedia-redirection.md).

+If you're interested in video streaming on other parts of Azure Virtual Desktop, check out [Teams for Azure Virtual Desktop](teams-on-avd.md).

+ Title: Use multimedia redirection on Azure Virtual Desktop - Azure

+description: How to use multimedia redirection on Azure Virtual Desktop (preview).

+# Use multimedia redirection on Azure Virtual Desktop (preview)

+> Multimedia redirection on Azure Virtual Desktop is currently in preview.

+This article will show you how to use multimedia redirection (MMR) for Azure Virtual Desktop (preview) with Microsoft Edge or Google Chrome browsers. For more information about how multimedia redirection works, see [Understanding multimedia redirection for Azure Virtual Desktop](multimedia-redirection-intro.md).

+> [!NOTE]

+> Multimedia redirection isn't supported on Azure Virtual Desktop for Microsoft 365 Government (GCC), GCC-High environments, and Microsoft 365 DoD.

+>Multimedia redirection on Azure Virtual Desktop is only available for the Windows Desktop client on Windows 11, Windows 10, or Windows 10 IoT Enterprise devices. Multimedia redirection requires the [Windows Desktop client, version 1.2.3573 or later](/windows-server/remote/remote-desktop-services/clients/windowsdesktop-whatsnew). For more information, see [Prerequisites](#prerequisites).

+## Prerequisites

+Before you can use multimedia redirection on Azure Virtual Desktop, you'll need the following things:

+- An Azure Virtual Desktop deployment.

+- Microsoft Edge or Google Chrome installed on your session hosts.

+- Microsoft Visual C++ Redistributable 2015-2022, version 14.32.31332.0 or later installed on your session hosts. You can download the latest version from [Microsoft Visual C++ Redistributable latest supported downloads](/cpp/windows/latest-supported-vc-redist).

+- Windows Desktop client, version 1.2.3573 or later on Windows 11, Windows 10, or Windows 10 IoT Enterprise devices. This includes the multimedia redirection plugin (`C:\Program Files\Remote Desktop\MsMmrDVCPlugin.dll`), which is required on the client device. Your device must meet the [hardware requirements for Teams on a Windows PC](/microsoftteams/hardware-requirements-for-the-teams-app#hardware-requirements-for-teams-on-a-windows-pc/).

+## Install the multimedia redirection extension

+For multimedia redirection to work, there are two parts to install on your session hosts: the host component and the browser extension for Edge or Chrome. You install the host component and browser extension from an MSI file, and you can also get and install the browser extension from Microsoft Edge Add-ons or the Chrome Web Store, depending on which browser you're using.

+### Install the host component

+To install the host component on your session hosts, you can install the MSI manually on each session host or use your enterprise deployment tool with `msiexec`. To install the MSI manually, you'll need to:

+1. Sign in to a session host as a local administrator.

+1. Download the [MMR host MSI installer](https://aka.ms/avdmmr/msi).

+1. Open the file that you downloaded to run the setup wizard.

+1. Follow the prompts. Once it's completed, select **Finish**.

+### Install the browser extension

+Next, you'll need to install the browser extension. This is installed on session hosts where you already have Edge or Chrome available. Installing the host component also installs the browser extension. Users will see a prompt that says **New Extension added**. In order to use the app, they'll need to enable the extension. A user can enable the extension by doing the following:

+1. Sign in to Azure Virtual Desktop and open Edge or Chrome.

+1. At the prompt to enable the extension, select **Turn on extension**. Users should also pin the extension so that they can see from the icon if multimedia redirection is connected.

+ :::image type="content" source="./media/mmr-extension-enable.png" alt-text="A screenshot of the prompt to enable the extension.":::

+ >[!IMPORTANT]

+ >If the user selects **Remove extension**, it will be removed from the browser and they will need to add it from Microsoft Edge Add-ons or the Chrome Web Store. To install it again, see [Installing the browser extension manually](#install-the-browser-extension-manually).

+You can also automate installing the browser extension from Microsoft Edge Add-ons or the Chrome Web Store for all users by [using Group Policy](#install-the-browser-extension-using-group-policy).

+Using Group Policy has the following benefits:

+- You can install the extension silently and without user interaction.

+- You can restrict which websites use multimedia redirection.

+- You can pin the extension icon in Google Chrome by default.

+#### Install the browser extension manually

+If you need to install the browser extension separately, you can download it from Microsoft Edge Add-ons or the Chrome Web Store.

+To install the multimedia redirection extension manually, follow these steps:

+1. Sign in to Azure Virtual Desktop.

+1. In your browser, open one of the following links, depending on which browser you're using:

+ - For **Microsoft Edge**: [Microsoft Multimedia Redirection Extension](https://microsoftedge.microsoft.com/addons/detail/wvd-multimedia-redirectio/joeclbldhdmoijbaagobkhlpfjglcihd)

+ - For **Google Chrome**: [Microsoft Multimedia Redirection Extension](https://chrome.google.com/webstore/detail/wvd-multimedia-redirectio/lfmemoeeciijgkjkgbgikoonlkabmlno)

+1. Install the extension by selecting **Get** (for Microsoft Edge) or **Add to Chrome** (for Google Chrome), then at the additional prompt, select **Add extension**. Once the installation is finished, you'll see a confirmation message saying that you've successfully added the extension.

+#### Install the browser extension using Group Policy

+You can install the multimedia redirection extension using Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or using the Local Group Policy Editor for each session host. This process will change depending on which browser you're using.

+# [Edge](#tab/edge)

+1. Download and install the Microsoft Edge administrative template by following the directions in [Configure Microsoft Edge policy settings on Windows devices](/deployedge/configure-microsoft-edge.md#1-download-and-install-the-microsoft-edge-administrative-template)

+1. Next, decide whether you want to configure Group Policy centrally from your domain or locally for each session host:

+

+ - To configure it from an AD Domain, open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.

+

+ - To configure it locally, open the **Local Group Policy Editor** on the session host.

+1. Go to **Computer Configuration** > **Administrative Templates** > **Microsoft Edge** > **Extensions**.

+1. Open the policy setting **Configure extension management settings** and set it to **Enabled**.

+1. In the field for **Configure extension management settings**, enter the following:

+ ```json

+ { "joeclbldhdmoijbaagobkhlpfjglcihd": { "installation_mode": "force_installed", "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx" } }

+ ```

+ You can specify additional parameters to allow or block specific domains. For example, to only allow *youtube.com*, enter the following:

+ ```json

+ { "joeclbldhdmoijbaagobkhlpfjglcihd": { "installation_mode": "force_installed", "runtime_allowed_hosts": [ "*://*.youtube.com" ], "runtime_blocked_hosts": [ "*://*" ], "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx" } }

+ ```

+1. Apply the changes by running the following command in Command Prompt or PowerShell on each session host:

+ ```cmd

+ gpupdate /force

+ ```

+# [Google Chrome](#tab/google-chrome)

+1. Download and install the Google Chrome administrative template by following the instructions in [Set Chrome Browser policies on managed PCs](https://support.google.com/chrome/a/answer/187202#zippy=%2Cwindows)

+1. Next, decide whether you want to configure Group Policy centrally from your domain or locally for each session host:

+

+ - To configure it from an AD Domain, open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.

+

+ - To configure it locally, open the **Local Group Policy Editor** on the session host.

+1. Go to **Computer Configuration** > **Administrative Templates** > **Microsoft Edge** > **Extensions**.

+1. Open the policy setting **Configure extension management settings** and set it to **Enabled**.

+1. In the field for **Configure extension management settings**, enter the following:

+ ```json

+ { "lfmemoeeciijgkjkgbgikoonlkabmlno": { "installation_mode": "force_installed", "update_url": "https://clients2.google.com/service/update2/crx" } }

+ ```

+ You can specify additional parameters to allow or block specific domains. For example, to only allow *youtube.com* and pin the extension to the toolbar, enter the following:

+ ```json

+ { "lfmemoeeciijgkjkgbgikoonlkabmlno": { "installation_mode": "force_installed", "runtime_allowed_hosts": [ "*://*.youtube.com" ], "runtime_blocked_hosts": [ "*://*" ], "toolbar_pin": "force_pinned", "update_url": "https://clients2.google.com/service/update2/crx" } }

+ ```

+1. Apply the changes by running the following command in Command Prompt or PowerShell on each session host:

+ ```cmd

+ gpupdate /force

+ ```

+## Configure the Remote Desktop client

+During the preview, you'll need to configure the Remote Desktop client to use Insider features. To learn more about the Insiders program, see [Windows Desktop client for admins](/windows-server/remote/remote-desktop-services/clients/windowsdesktop-admin#configure-user-groups).

+To enable Insider features:

+1. Add the following registry key and value:

+ - **Key**: HKLM\\Software\\Microsoft\\MSRDC\\Policies

+ - **Type**: REG_SZ

+ - **Name**: ReleaseRing

+ - **Data**: insider

+ You can do this with PowerShell. On your local device, open an elevated PowerShell prompt and run the following commands:

+ ```powershell

+ New-Item -Path "HKLM:\SOFTWARE\Microsoft\MSRDC\Policies" -Force

+ New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\MSRDC\Policies" -Name ReleaseRing -PropertyType String -Value insider -Force

+ ```

+1. Restart your local device.

+1. Open the Remote Desktop client. The title in the top left-hand corner should be **Remote Desktop (Insider)**:

+ :::image type="content" source="./media/remote-desktop-client-windows-insider.png" alt-text="A screenshot of the Remote Desktop client with Insider features enabled. The title is highlighted in a red box.":::

+## Check the extension status

+You can check the extension status by visiting a website with media content, such as one from the list at [Websites that work with multimedia redirection](multimedia-redirection-intro.md#websites-that-work-with-multimedia-redirection), and hovering your mouse cursor over [the multimedia redirection extension icon](multimedia-redirection-intro.md#the-multimedia-redirection-status-icon) in the extension bar on the top-right corner of your browser. A message will appear and tell you about the current status, as shown in the following screenshot.

+Another way you can check the extension status is by selecting the extension icon, then selecting **Features supported on this website** from the drop-down menu to see whether the website supports the redirection extension.

+## Teams live events

+To use multimedia redirection with Teams live events:

+1. Sign in to Azure Virtual Desktop.

+1. Open the link to the Teams live event in either the Edge or Chrome browser.

+1. Make sure you can see a green check mark next to the [multimedia redirection status icon](multimedia-redirection-intro.md#the-multimedia-redirection-status-icon). If the green check mark is there, MMR is enabled for Teams live events.

+1. Select **Watch on the web instead**. The Teams live event should automatically start playing in your browser. Make sure you only select **Watch on the web instead**, as shown in the following screenshot. If you use the native Teams app, MMR won't work.

+ :::image type="content" source="./media/teams-live-events.png" alt-text="A screenshot of the 'Watch the live event in Microsoft Teams' page. The status icon and 'watch on the web instead' options are highlighted in red.":::

+For more information about multimedia redirection and how it works, see [What is multimedia redirection for Azure Virtual Desktop? (preview)](multimedia-redirection-intro.md).

+To troubleshoot issues or view known issues, see [our troubleshooting article](troubleshoot-multimedia-redirection.md).

+If you're interested in learning more about using Teams for Azure Virtual Desktop, check out [Teams for Azure Virtual Desktop](teams-on-avd.md).

+Today's threat landscape requires designs with security approaches in mind. Ideally, you'll want to build a series of security mechanisms and controls layered throughout your computer network to protect your data and network from being compromised or attacked. This type of security design is what the United States Cybersecurity and Infrastructure Security Agency (CISA) calls "defense in depth".

+- Azure Virtual Desktop session hosts that supported the nested virtualization capability. To check if a specific VM size supports nested virtualization, navigate to the description page matching your VM size from [Sizes for virtual machines in Azure](/azure/virtual-machines/sizes-general.md).

+### Encrypt your VM

+Encrypt your VM with [managed disk encryption options](../virtual-machines/disk-encryption-overview.md) to protect stored data from unauthorized access.

+We recommend enabling vTPM to use remote attestation on your VMs. With vTPM enabled, you can also enable BitLocker functionality with Azure Disk Encryption, which provides full-volume encryption to protect data at rest. Any features using vTPM will result in secrets bound to the specific VM. When users connect to the Azure Virtual Desktop service in a pooled scenario, users can be redirected to any VM in the host pool. Depending on how the feature is designed this may have an impact.

+- Windows 11 Enterprise

+- Windows 11 Enterprise multi-session

+- Windows 11 Enterprise

+- Windows 11 Enterprise multi-session

+- An [Azure Virtual Desktop host pool](create-host-pools-azure-marketplace.md).

+- Session host pool VMs configured and registered with the Azure Virtual Desktop service.

+- A user with the [Contributor role](../role-based-access-control/role-assignments-portal.md) assigned on the Azure subscription.

+- A Log Analytics workspace (optional).

+1. From the start menu, run **Registry Editor** as an administrator. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams`. Create the Teams key if it doesn't already exist.

+ | Name | Type | Data/Value |

+ ||--|-|

+ | IsWVDEnvironment | DWORD | 1 |

+Alternatively, you can create the registry entry by running the following commands from an elevated PowerShell session:

+```powershell

+New-Item -Path "HKLM:\SOFTWARE\Microsoft\Teams" -Force

+New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Teams" -Name IsWVDEnvironment -PropertyType DWORD -Value 1 -Force

+```

+- The Teams desktop client in Azure Virtual Desktop environments doesn't support creating live events, but you can join live events. For now, we recommend you create live events from the [Teams web client](https://teams.microsoft.com) in your remote session instead. When watching a live event in the browser, [enable multimedia redirection (MMR) for Teams live events](multimedia-redirection.md#teams-live-events) for smoother playback.

+### Access client logs

+You might need the client logs when investigating an issue.

+To retrieve the client logs:

+1. Ensure no sessions are active and the client process isn't running in the background by right-clicking on the **Remote Desktop** icon in the system tray and selecting **Disconnect all sessions**.

+1. Open **File Explorer**.

+1. Navigate to the **%temp%\DiagOutputDir\RdClientAutoTrace** folder.

+Below you will find different methods used to read the client logs.

+#### Event Viewer

+1. Navigate to the Start menu, Control Panel, System and Security, and select **view event logs** under "Windows Tools".

+1. Once the **Event Viewer** is op