+First, create an Azure AD service principal by using a specific application ID named *Domain Controller Services*. The ID value is *2565bd9d-da50-47d4-8b85-4c97f669dc36* for global Azure and *6ba9a5d4-8456-4118-b521-9c5ca10cdf84* for other Azure clouds. Don't change this application ID.

+The following complete PowerShell script combines all of the tasks shown in this article. Copy the script and save it to a file with a `.ps1` extension. For Azure Global, use AppId value *2565bd9d-da50-47d4-8b85-4c97f669dc36*. For other Azure clouds, use AppId value *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. Run the script in a local PowerShell console or the [Azure Cloud Shell][cloud-shell].

+New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"

+# How to use additional context in Microsoft Authenticator notifications (Preview) - Authentication methods policy

+This topic covers how to improve the security of user sign-in by adding the application name and geographic location of the sign-in to Microsoft Authenticator push and passwordless notifications.

+## Enable additional context using Graph API

+>[!NOTE]

+>In Graph Explorer, ensure you've consented to the **Policy.Read.All** and **Policy.ReadWrite.AuthenticationMethod** permissions.

+You can enable and disable application name and geographic location separately. Under featureSettings, you can use the following mapping for the following features:

+- Application name: displayAppInformationRequiredState

+- Geographic location: displayLocationInformationRequiredState

+Identify your single target group for each of the features. Then use the following API endpoint to change the displayAppInformationRequiredState or displayLocationInformationRequiredState properties under featureSettings to **enabled** and include or exclude the groups you want::

+`https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator`

+>[!NOTE]

+>For Passwordless phone sign-in, the Authenticator app does not retrieve policy information just in time for each sign-in request. Instead, the Authenticator app does a best effort retrieval of the policy once every 7 days. We understand this limitation is less than ideal and are working to optimize the behavior. In the meantime, if you want to force a policy update to test using additional context with Passwordless phone sign-in, you can remove and re-add the account in the Authenticator app.

+### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties

+**PROPERTIES**

+| Property | Type | Description |

+|||-|

+| id | String | The authentication method policy identifier. |

+| state | authenticationMethodState | Possible values are: **enabled**<br>**disabled** |

+

+**RELATIONSHIPS**

+| Relationship | Type | Description |

+|--||-|

+| includeTargets | [microsoftAuthenticatorAuthenticationMethodTarget](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget) collection | A collection of users or groups who are enabled to use the authentication method. |

+| featureSettings | [microsoftAuthenticatorFeatureSettings](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget) collection | A collection of Microsoft Authenticator features. |

+

+### MicrosoftAuthenticator includeTarget properties

+

+**PROPERTIES**

+| Property | Type | Description |

+|-||-|

+| authenticationMode | String | Possible values are:<br>**any**: Both passwordless phone sign-in and traditional second factor notifications are allowed.<br>**deviceBasedPush**: Only passwordless phone sign-in notifications are allowed.<br>**push**: Only traditional second factor push notifications are allowed. |

+| id | String | Object ID of an Azure AD user or group. |

+| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.|

+### MicrosoftAuthenticator featureSettings properties

+

+**PROPERTIES**

+| Property | Type | Description |

+|-||-|

+| numberMatchingRequiredState | authenticationMethodFeatureConfiguration | Require number matching for MFA notifications. Value is ignored for phone sign-in notifications. |

+| displayAppInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown application name in Microsoft Authenticator notification. |

+| displayLocationInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown geographic location context in Microsoft Authenticator notification. |

+### Authentication Method Feature Configuration properties

+**PROPERTIES**

+| Property | Type | Description |

+|-||-|

+| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br>You can only exclude one group for each feature.|

+| includeTarget | featureTarget | A single entity that is included in this feature. <br>You can only include one group for each feature.|

+| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |

+### Feature Target properties

+**PROPERTIES**

+| Property | Type | Description |

+|-||-|

+| id | String | ID of the entity targeted. |

+| targetType | featureTargetType | The kind of entity targeted, such as group, role, or administrative unit. The possible values are: ΓÇÿgroupΓÇÖ, 'administrativeUnitΓÇÖ, ΓÇÿroleΓÇÖ, unknownFutureValueΓÇÖ. |

+### Example of how to enable additional context for all users

+In **featureSettings**, change **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled**.

+The value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we'll use **any**, but if you do not want to allow passwordless, use **push**.

+You might need to PATCH the entire schema to prevent overwriting any previous configuration. In that case, do a GET first, update only the relevant fields, and then PATCH. The following example shows how to update **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.

+Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the application name or geographic location. Users who aren't enabled for Microsoft Authenticator won't see these features.

+```json

+//Retrieve your existing policy via a GET.

+//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.

+//Change the Query to PATCH and Run query

+

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "displayAppInformationRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "all_users"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ },

+ "displayLocationInformationRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "all_users"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any",

+ }

+ ]

+}

+```

+

+

+### Example of how to enable application name and geographic location for separate groups

+

+In **featureSettings**, change **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled.**

+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.

+You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.

+Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the application name or geographic location. Users who aren't enabled for Microsoft Authenticator won't see these features.

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "displayAppInformationRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "44561710-f0cb-4ac9-ab9c-e6c394370823"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ },

+ "displayLocationInformationRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "a229e768-961a-4401-aadb-11d836885c11"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any",

+ }

+ ]

+}

+```

+

+To verify, RUN GET again and verify the ObjectID:

+```http

+GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

+```

+### Example of how to disable application name and only enable geographic location

+

+In **featureSettings**, change the state of **displayAppInformationRequiredState** to **default** or **disabled** and **displayLocationInformationRequiredState** to **enabled.**

+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.

+You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.

+Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the application name or geographic location. Users who aren't enabled for Microsoft Authenticator won't see these features.

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "displayAppInformationRequiredState": {

+ "state": "disabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "44561710-f0cb-4ac9-ab9c-e6c394370823"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ },

+ "displayLocationInformationRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "a229e768-961a-4401-aadb-11d836885c11"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any",

+ }

+ ]

+}

+```

+### Example of how to exclude a group from application name and geographic location

+

+In **featureSettings**, change the states of **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** to from **default** to **enabled.**

+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.

+In addition, for each of the features, you will change the id of the excludeTarget to the ObjectID of the group from the Azure AD portal. This will exclude that group from seeing application name or geographic location.

+You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.

+Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the application name or geographic location. Users who aren't enabled for Microsoft Authenticator won't see these features.

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "displayAppInformationRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "44561710-f0cb-4ac9-ab9c-e6c394370823"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "5af8a0da-5420-4d69-bf3c-8b129f3449ce"

+ }

+ },

+ "displayLocationInformationRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "a229e768-961a-4401-aadb-11d836885c11"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "b6bab067-5f28-4dac-ab30-7169311d69e8"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any",

+ }

+ ]

+}

+```

+### Example of removing the excluded group

+

+In **featureSettings**, change the states of **displayAppInformationRequiredState** from **default** to **enabled.**

+You need to change the **id** of the **excludeTarget** to `00000000-0000-0000-0000-000000000000`.

+You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.

+Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the application name or geographic location. Users who aren't enabled for Microsoft Authenticator won't see these features.

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ " displayAppInformationRequiredState ": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": " 00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any"

+ }

+ ]

+}

+```

+## Turn off additional context

+To turn off additional context, you'll need to PATCH **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **enabled** to **disabled**/**default**. You can also turn off just one of the features.

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "displayAppInformationRequiredState": {

+ "state": "disabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "44561710-f0cb-4ac9-ab9c-e6c394370823"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ },

+ "displayLocationInformationRequiredState": {

+ "state": "disabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "a229e768-961a-4401-aadb-11d836885c11"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any",

+ }

+ ]

+}

+```

+## Enable additional context in the portal

+To enable application name or geographic location in the Azure AD portal, complete the following steps:

+This topic covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security. Number matching can be enabled by using the Azure portal or Microsoft Graph API.

+When a user goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification.

+>[!NOTE]

+>In Graph Explorer, ensure you've consented to the **Policy.Read.All** and **Policy.ReadWrite.AuthenticationMethod** permissions.

+Identify your single target group for the schema configuration. Then use the following API endpoint to change the numberMatchingRequiredState property under featureSettings to **enabled** and include or exclude groups:

+```http

+https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

+```

+### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties

+**PROPERTIES**

+| Property | Type | Description |

+|||-|

+| id | String | The authentication method policy identifier. |

+| state | authenticationMethodState | Possible values are: **enabled**<br>**disabled** |

+

+**RELATIONSHIPS**

+| Relationship | Type | Description |

+|--||-|

+| includeTargets | [microsoftAuthenticatorAuthenticationMethodTarget](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget?view=graph-rest-beta&preserve-view=true) collection | A collection of users or groups who are enabled to use the authentication method |

+| featureSettings | [microsoftAuthenticatorFeatureSettings](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget) collection | A collection of Microsoft Authenticator features. |

+

+### MicrosoftAuthenticator includeTarget properties

+

+**PROPERTIES**

+| Property | Type | Description |

+|-||-|

+| authenticationMode | String | Possible values are:<br>**any**: Both passwordless phone sign-in and traditional second factor notifications are allowed.<br>**deviceBasedPush**: Only passwordless phone sign-in notifications are allowed.<br>**push**: Only traditional second factor push notifications are allowed. |

+| id | String | Object ID of an Azure AD user or group. |

+| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.|

+### MicrosoftAuthenticator featureSettings properties

+

+**PROPERTIES**

+| Property | Type | Description |

+|-||-|

+| numberMatchingRequiredState | authenticationMethodFeatureConfiguration | Require number matching for MFA notifications. Value is ignored for phone sign-in notifications. |

+| displayAppInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown application name in Microsoft Authenticator notification. |

+| displayLocationInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown geographic location context in Microsoft Authenticator notification. |

+### Authentication Method Feature Configuration properties

+**PROPERTIES**

+| Property | Type | Description |

+|-||-|

+| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br> Please note: You will be able to only exclude one group for number matching. |

+| includeTarget | featureTarget | A single entity that is included in this feature. <br> Please note: You will be able to only set one group for number matching. |

+| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |

+### Feature Target properties

+**PROPERTIES**

+| Property | Type | Description |

+|-||-|

+| id | String | ID of the entity targeted. |

+| targetType | featureTargetType | The kind of entity targeted, such as group, role, or administrative unit. The possible values are: ΓÇÿgroupΓÇÖ, 'administrativeUnitΓÇÖ, ΓÇÿroleΓÇÖ, unknownFutureValueΓÇÖ. |

+>[!NOTE]

+>Number matching can be enabled only for a single group.

+### Example of how to enable number matching for all users

+In **featureSettings**, you will need to change the **numberMatchingRequiredState** from **default** to **enabled**.

+Note that the value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we will use **any**, but if you do not want to allow passwordless, use **push**.

+>[!NOTE]

+>For passwordless users, enabling or disabling number matching has no impact because it's already part of the passwordless experience.

+You might need to patch the entire schema to prevent overwriting any previous configuration. In that case, do a GET first, update only the relevant fields, and then PATCH. The following example only shows the update to the **numberMatchingRequiredState** under **featureSettings**.

+Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the number match requirement. Users who aren't enabled for Microsoft Authenticator won't see the feature.

+```json

+//Retrieve your existing policy via a GET.

+//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.

+//Change the Query to PATCH and Run query

+

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "numberMatchingRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "all_users"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any",

+ }

+ ]

+}

+

+```

+

+To confirm this has applied, please run the GET request below using the endpoint below.

+```http

+GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

+```

+

+### Example of how to enable number matching for a single group

+

+In **featureSettings**, you will need to change the **numberMatchingRequiredState** value from **default** to **enabled.**

+Inside the **includeTarget**, you will need to change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.

+You need to PATCH the entire configuration to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **numberMatchingRequiredState**.

+Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the number match requirement. Users who aren't enabled for Microsoft Authenticator won't see the feature.

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "numberMatchingRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any"

+ }

+ ]

+}

+```

+

+To verify, RUN GET again and verify the ObjectID

+```http

+GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

+```

+

+### Example of removing the excluded group from number matching

+In **featureSettings**, you will need to change the **numberMatchingRequiredState** value from **default** to **enabled.**

+You need to change the **id** of the **excludeTarget** to `00000000-0000-0000-0000-000000000000`.

+You need to PATCH the entire configuration to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **numberMatchingRequiredState**.

+Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will be excluded from the number match requirement. Users who aren't enabled for Microsoft Authenticator won't see the feature.

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "numberMatchingRequiredState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": " 00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any"

+ }

+ ]

+}

+```

+## Turn off number matching

+To turn number matching off, you will need to PATCH remove **numberMatchingRequiredState** from **enabled** to **disabled**/**default**.

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "featureSettings": {

+ "numberMatchingRequiredState": {

+ "state": "default",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": " 00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any"

+ }

+ ]

+}

+```

+## Enable number matching in the portal

+To enable number matching in the Azure AD portal, complete the following steps:

+[Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)

+ Title: Join a new Windows 10 device with Azure AD during the out of box experience

+description: How users can set up Azure AD Join during OOBE.

+# Azure AD join a new Windows device during the out of box experience

+Starting in Windows 10 users can join new Windows devices to Azure AD during the first-run out-of-box experience (OOBE). This functionality enables you to distribute shrink-wrapped devices to your employees or students.

+This functionality pairs well with mobile device management platforms like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and tools like [Windows Autopilot](/mem/autopilot/windows-autopilot) to ensure devices are configured according to your standards.

+To Azure AD join a Windows device, the device registration service must be configured to enable you to register devices. For more information about prerequisites, see the article [How to: Plan your Azure AD join implementation](azureadjoin-plan.md).

+> [!TIP]

+> Windows Home Editions do not support Azure AD join. These editions can still access many of the benefits by using [Azure AD registration](concept-azure-ad-register.md).

+>

+> For information about how complete Azure AD registration on a Windows device see the support article [Register your personal device on your work or school network](https://support.microsoft.com/account-billing/register-your-personal-device-on-your-work-or-school-network-8803dd61-a613-45e3-ae6c-bd1ab25bf8a8).

+## Join a new Windows 11 device to Azure AD

+Your device may restart several times as part of the setup process. Your device must be connected to the Internet to complete Azure AD join.

+1. Turn on your new device and start the setup process. Follow the prompts to set up your device.

+1. When prompted **How would you like to set up this device?**, select **Set up for work or school**.

+ :::image type="content" source="media/azuread-joined-devices-frx/windows-11-first-run-experience-work-or-school.png" alt-text="Screenshot of Windows 11 out-of-box experience showing the option to set up for work or school.":::

+1. On the **Let's set things up for your work or school** page, provide the credentials that your organization provided.

+ 1. Optionally you can choose to **Sign in with a security key** if one was provided to you.

+ 1. If your organization requires it, you may be prompted to perform multifactor authentication.

+ :::image type="content" source="media/azuread-joined-devices-frx/windows-11-first-run-experience-device-sign-in-info.png" alt-text="Screenshot of Windows 11 out-of-box experience showing the sign-in experience.":::

+1. Continue to follow the prompts to set up your device.

+1. Azure AD checks if an enrollment in mobile device management is required and starts the process.

+ 1. Windows registers the device in the organizationΓÇÖs directory in Azure AD and enrolls it in mobile device management, if applicable.

+1. If you sign in with a managed user account, Windows takes you to the desktop through the automatic sign-in process. Federated users are directed to the Windows sign-in screen to enter your credentials.

+ :::image type="content" source="media/azuread-joined-devices-frx/windows-11-first-run-experience-complete-automatic-sign-in-desktop.png" alt-text="Screenshot of Windows 11 at the desktop after first run experience Azure AD joined.":::

+For more information about the out-of-box experience, see the support article [Join your work device to your work or school network](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973).

+To verify whether a device is joined to your Azure AD, review the **Access work or school** dialog on your Windows device found in **Settings** > **Accounts**. The dialog should indicate that you're connected to Azure AD, and provides information about areas managed by your IT staff.

+- [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)

+- [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot)

+- [Passwordless authentication options for Azure Active Directory](../authentication/concept-authentication-passwordless.md)

+- **KeySignTest**: If the value is *PASSED*, the device keys are in good health. If KeySignTest fails, the device is usually marked for recovery. The next sign-in will trigger the recovery flow and re-register the device. For hybrid Azure AD-joined devices, the recovery is silent. While the devices are Azure AD-joined or Azure AD registered, they'll prompt for user authentication to recover and re-register the device, if necessary.

+>This information last updated on September 22nd, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Microsoft 365 A3 for faculty | M365EDU_A3_FACULTY | 4b590615-0888-425a-a965-b3bf7789848d | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>CDS_O365_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>MDE_LITE (292cc034-7b7c-4950-aaf5-943befd3f1d4)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MINECRAFT_EDUCATION_EDITION (4c246bbc-f513-4311-beff-eba54c353256)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SCHOOL_DATA_SYNC_P2 (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>VIVA_LEARNING_SEEDED (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a)<br/>UNIVERSAL_PRINT_01 (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Virtualization Rights for Windows 10 (E3/E5+VDA) (e7c91390-7625-45be-94e0-e16907e03118)<br/>WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>INTUNE_EDU (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>POWER_VIRTUAL_AGENTS_O365_P2 (041fe683-03e4-45b6-b1af-c0cdc516daee) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Azure Rights Management (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Common Data Service for Teams (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics ΓÇô Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>Information Protection for Office 365 - Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>Microsoft 365 Apps for enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Defender for Endpoint Plan 1 (292cc034-7b7c-4950-aaf5-943befd3f1d4)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Minecraft Education Edition (4c246bbc-f513-4311-beff-eba54c353256)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>Office 365 Cloud App Security (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Project for Office (Plan E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>School Data Sync (Plan 2) (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SharePoint (Plan 2) for Education (63038b2c-28d0-45f6-bc36-33062963b498)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Viva Learning Seeded (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a)<br/>Universal Print (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Windows 10/11 Enterprise (e7c91390-7625-45be-94e0-e16907e03118)<br/>Windows Update for Business Deployment Service (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Information Protection Premium P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>Common Data Service (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Intune for Education (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Power Virtual Agents for Office 365 (041fe683-03e4-45b6-b1af-c0cdc516daee) |

+| Microsoft 365 A3 for students | M365EDU_A3_STUDENT | 7cfd9a2b-e110-4c39-bf20-c6a3f36a3121 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>CDS_O365_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>MDE_LITE (292cc034-7b7c-4950-aaf5-943befd3f1d4)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MINECRAFT_EDUCATION_EDITION (4c246bbc-f513-4311-beff-eba54c353256)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SCHOOL_DATA_SYNC_P2 (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a)<br/>UNIVERSAL_PRINT_01 (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Virtualization Rights for Windows 10 (E3/E5+VDA) (e7c91390-7625-45be-94e0-e16907e03118)<br/>WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>INTUNE_EDU (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>POWER_VIRTUAL_AGENTS_O365_P2 (041fe683-03e4-45b6-b1af-c0cdc516daee) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Azure Rights Management (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Common Data Service for Teams (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics ΓÇô Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>Information Protection for Office 365 - Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>Microsoft 365 Apps for enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Defender for Endpoint Plan 1 (292cc034-7b7c-4950-aaf5-943befd3f1d4)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Minecraft Education Edition (4c246bbc-f513-4311-beff-eba54c353256)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Cloud App Security (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Project for Office (Plan E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>School Data Sync (Plan 2) (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SharePoint (Plan 2) for Education (63038b2c-28d0-45f6-bc36-33062963b498)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a)<br/>Universal Print (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Windows 10/11 Enterprise (e7c91390-7625-45be-94e0-e16907e03118)<br/>Windows Update for Business Deployment Service (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Information Protection Premium P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>Common Data Service (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Intune for Education (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Power Virtual Agents for Office 365 (041fe683-03e4-45b6-b1af-c0cdc516daee) |

+| Microsoft 365 A3 student use benefits | M365EDU_A3_STUUSEBNFT | 18250162-5d87-4436-a834-d795c15c80f3 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MINECRAFT_EDUCATION_EDITION (4c246bbc-f513-4311-beff-eba54c353256)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SCHOOL_DATA_SYNC_P2 (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a)<br/>UNIVERSAL_PRINT_NO_SEEDING (b67adbaf-a096-42c9-967e-5a84edbe0086)<br/>Virtualization Rights for Windows 10 (E3/E5+VDA) (e7c91390-7625-45be-94e0-e16907e03118)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>INTUNE_EDU (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Azure Rights Management (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection for Office 365 - Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Microsoft 365 Apps for enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Minecraft Education Edition (4c246bbc-f513-4311-beff-eba54c353256)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Cloud App Security (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Project for Office (Plan E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>School Data Sync (Plan 2) (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SharePoint (Plan 2) for Education (63038b2c-28d0-45f6-bc36-33062963b498)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a)<br/>Universal Print Without Seeding (b67adbaf-a096-42c9-967e-5a84edbe0086)<br/>Windows 10/11 Enterprise (e7c91390-7625-45be-94e0-e16907e03118)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Common Data Service (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Intune for Education (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9) |

+| Microsoft 365 A3 - Unattended License for students use benefit | M365EDU_A3_STUUSEBNFT_RPA1 | 1aa94593-ca12-4254-a738-81a5972958e8 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>OFFICESUBSCRIPTION_unattended (8d77e2d9-9e28-4450-8431-0def64078fc5)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MINECRAFT_EDUCATION_EDITION (4c246bbc-f513-4311-beff-eba54c353256)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SCHOOL_DATA_SYNC_P2 (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a)<br/>UNIVERSAL_PRINT_NO_SEEDING (b67adbaf-a096-42c9-967e-5a84edbe0086)<br/>Virtualization Rights for Windows 10 (E3/E5+VDA) (e7c91390-7625-45be-94e0-e16907e03118)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>INTUNE_EDU (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics ΓÇô Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>Information Protection for Office 365 - Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Microsoft 365 Apps for Enterprise (Unattended) (8d77e2d9-9e28-4450-8431-0def64078fc5)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Minecraft Education Edition (4c246bbc-f513-4311-beff-eba54c353256)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Cloud App Security (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Project for Office (Plan E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>School Data Sync (Plan 2) (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SharePoint (Plan 2) for Education (63038b2c-28d0-45f6-bc36-33062963b498)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a)<br/>Universal Print Without Seeding (b67adbaf-a096-42c9-967e-5a84edbe0086)<br/>Windows 10/11 Enterprise (e7c91390-7625-45be-94e0-e16907e03118)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Information Protection Premium P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>Common Data Service (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Intune for Education (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9) |

+# Quickstart: Create a group with members and view all groups and members in Azure Active Directory

+You can view your organization's existing groups and group members using the Azure portal. Groups are used to manage users that all need the same access and permissions for potentially restricted apps and services.

+In this quickstart, youΓÇÖll set up a new group and assign members to the group. Then you'll view your organization's group and assigned members. Throughout this guide, you'll create a user and group that you can use in other Azure AD Fundamentals quickstarts and tutorials.

+1. Go to **Azure Active Directory** > **Groups**.

+1. Select **New group**.

+1. Complete the **Group** page:

+1. Select **Create**.

+A user must exist before being added as a group member, so you'll need to create a new user. For this quickstart, we've added a user named _Alain Charon_. Check the "Custom domain names" tab first to get the verified domain name in which to create users. For more information about creating a user, see [How to add or delete users](add-users-azure-active-directory.md).

+1. Go to **Azure Active Directory** > **Users**.

+1. Select **New user**.

+1. Complete the **User** page:

+1. Copy the auto-generated password provided in the **Password** box and select **Create**.

+Now that you have a group and a user, you can add _Alain Charon_ as a member to the _MDM policy - West_ group. For more information about adding group members, see the [Manage groups](how-to-manage-groups.md) article.

+1. Go to **Azure Active Directory** > **Groups**.

+- Go to **Azure Active Directory** > **Groups**.

+ 

+## Search for a group

+ 

+1. Select the group **MDM policy ΓÇô West**.

+1. View the group info on the **MDM policy - West Overview** page, including the number of members of that group.

+ 

+Select **Members** from the **Manage** area, and then review the complete list of member names assigned to that specific group, including _Alain Charon_.

+

+The group you just created is used in other articles in the Azure AD Fundamentals documentation. If you'd rather not use this group, you can delete it and its assigned members using the following steps:

+1. Select the **MDM policy - West** group.

+1. Select **Delete**.

+ 

+Microsoft paid cloud services, such as Microsoft 365, Enterprise Mobility + Security, Dynamics 365, and other similar products, require licenses. These licenses are assigned to each user who needs access to these services. To manage licenses, administrators use one of the management portals (Office or Azure) and PowerShell cmdlets. Azure AD is the underlying infrastructure that supports identity management for all Microsoft cloud services. Azure AD stores information about license assignment states for users.

+Azure AD includes group-based licensing, which allows you to assign one or more product licenses to a group. Azure AD ensures that the licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses. When they leave the group, those licenses are removed. This licensing management eliminates the need for automating license management via PowerShell to reflect changes in the organization and departmental structure on a per-user basis.

+- Licenses can be assigned to any security group in Azure AD. Security groups can be synced from on-premises, by using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md). You can also create security groups directly in Azure AD (also called cloud-only groups), or automatically via the [Azure AD dynamic group feature](../enterprise-users/groups-create-rule.md).

+* [PowerShell examples for group-based licensing in Azure Active Directory](../enterprise-users/licensing-ps-examples.md)

+ Title: Learn about groups and group membership - Azure Active Directory | Microsoft Docs

+description: Information about Azure Active Directory groups and access rights

+# Learn about groups and access rights in Azure Active Directory

+Azure Active Directory (Azure AD) provides several ways to manage access to resources, applications, and tasks. With Azure AD groups, you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Azure AD resources to only those users who need access is one of the core security principals of [Zero Trust](/security/zero-trust/zero-trust-overview). This article provides an overview of how groups and access rights can be used together to make managing your Azure AD users easier while also applying security best practices.

+Azure AD lets you use groups to manage access to applications, data, and resources. Resources can be:

+- Part of the Azure AD organization, such as permissions to manage objects through roles in Azure AD

+- External to the organization, such as for Software as a Service (SaaS) apps

+- Azure services

+- SharePoint sites

+- On-premises resources

+Some groups can't be managed in the Azure AD portal:

+- Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.

+- Distribution lists and mail-enabled security groups are managed only in Exchange admin center or Microsoft 365 admin center. You must sign in to Exchange admin center or Microsoft 365 admin center to manage these groups.

+## What to know before creating a group

+There are two group types and three group membership types. Review the options to find the right combination for your scenario.

+### Group types:

+**Security:** Used to manage user and computer access to shared resources.

+For example, you can create a security group so that all group members have the same set of security permissions. Members of a security group can include users, devices, other groups, and [service principals](../fundamentals/service-accounts-principal.md), which define access policy and permissions. Owners of a security group can include users and service principals.

+**Microsoft 365:** Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.

+This option also lets you give people outside of your organization access to the group. Members of a Microsoft 365 group can only include users. Owners of a Microsoft 365 group can include users and service principals. For more info about Microsoft 365 Groups, see [Learn about Microsoft 365 Groups](https://support.office.com/article/learn-about-office-365-groups-b565caa1-5c40-40ef-9915-60fdb2d97fa2).

+### Membership types:

+- **Assigned:** Lets you add specific users as members of a group and have unique permissions.

+- **Dynamic user:** Lets you use dynamic membership rules to automatically add and remove members. If a member's attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added), or no longer meets the rules requirements (is removed).

+- **Dynamic device:** Lets you use dynamic group rules to automatically add and remove devices. If a device's attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added), or no longer meets the rules requirements (is removed).

+ > [!IMPORTANT]

+ > You can create a dynamic group for either devices or users, but not for both. You can't create a device group based on the device owners' attributes. Device membership rules can only reference device attributions. For more info about creating a dynamic group for users and devices, see [Create a dynamic group and check status](../enterprise-users/groups-create-rule.md)

+## What to know before adding access rights to a group

+After creating an Azure AD group, you need to grant it the appropriate access. Each application, resource, and service that requires access permissions needs to be managed separately because the permissions for one may not be the same as another. Grant access using the [principle of least privilege](../develop/secure-least-privileged-access.md) to help reduce the risk of attack or a security breach.

+### How access management in Azure AD works

+Azure AD helps you give access to your organization's resources by providing access rights to a single user or to an entire Azure AD group. Using groups lets the resource owner or Azure AD directory owner assign a set of access permissions to all the members of the group. The resource or directory owner can also give management rights to someone such as a department manager or a help desk administrator, letting that person add and remove members. For more information about how to manage group owners, see the [Manage groups](how-to-manage-groups.md) article.

+

+### Ways to assign access rights

+After creating a group, you need to decide how to assign access rights. Explore the ways to assign access rights to determine the best process for your scenario.

+- **Direct assignment.** The resource owner directly assigns the user to the resource.

+- **Group assignment.** The resource owner assigns an Azure AD group to the resource, which automatically gives all of the group members access to the resource. Group membership is managed by both the group owner and the resource owner, letting either owner add or remove members from the group. For more information about managing group membership, see the [Manage groups](how-to-manage-groups.md) article.

+- **Rule-based assignment.** The resource owner creates a group and uses a rule to define which users are assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The resource owner manages the rule, determining which attributes and values are required to allow access the resource. For more information, see [Create a dynamic group and check status](../enterprise-users/groups-create-rule.md).

+- **External authority assignment.** Access comes from an external source, such as an on-premises directory or a SaaS app. In this situation, the resource owner assigns a group to provide access to the resource and then the external source manages the group members.

+ 

+### Can users join groups without being assigned?

+The group owner can let users find their own groups to join, instead of assigning them. The owner can also set up the group to automatically accept all users that join or to require approval.

+After a user requests to join a group, the request is forwarded to the group owner. If it's required, the owner can approve the request and the user is notified of the group membership. If you have multiple owners and one of them disapproves, the user is notified, but isn't added to the group. For more information and instructions about how to let your users request to join groups, see [Set up Azure AD so users can request to join groups](../enterprise-users/groups-self-service-management.md).

+## Next steps

+- [Create and manage Azure AD groups and group membership](how-to-manage-groups.md)

+- [Learn about group-based licensing in Azure AD](active-directory-licensing-whatis-azure-portal.md)

+- [Manage access to SaaS apps using groups](../enterprise-users/groups-saasapps.md)

+- [Manage dynamic rules for users in a group](../enterprise-users/groups-create-rule.md)

+- [Learn about Privileged Identity Management for Azure AD roles](../../active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)

+ Title: How to manage groups - Azure Active Directory | Microsoft Docs

+description: Instructions about how to manage Azure AD groups and group membership.

+# Manage Azure Active Directory groups and group membership

+Azure Active Directory (Azure AD) groups are used to manage users that all need the same access and permissions to resources, such as potentially restricted apps and services. Instead of adding special permissions to individual users, you create a group that applies the special permissions to every member of that group.

+This article covers basic group scenarios where a single group is added to a single resource and users are added as members to that group. For more complex scenarios like dynamic memberships and rule creation, see the [Azure Active Directory user management documentation](../enterprise-users/index.yml).

+Before adding groups and members, [learn about groups and membership types](concept-learn-about-groups.md) to help you decide which options to use when you create a group.

+## Create a basic group and add members

+You can create a basic group and add your members at the same time using the Azure Active Directory (Azure AD) portal. Azure AD roles that can manage groups include **Groups Administrator**, **User Administrator**, **Privileged Role Administrator**, or **Global Administrator**. Review the [appropriate Azure AD roles for managing groups](../roles/delegate-by-task.md#groups)

+To create a basic group and add members:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Active Directory** > **Groups** > **New group**.

+ 

+1. Select a **Group type**. For more information on group types, see the [learn about groups and membership types](concept-learn-about-groups.md) article.

+ - Selecting the **Microsoft 365** Group type enables the **Group email address** option.

+1. Enter a **Group name.** Choose a name that you'll remember and that makes sense for the group. A check will be performed to determine if the name is already in use. If the name is already in use, you'll be asked to change the name of your group.

+1. **Group email address**: Only available for Microsoft 365 group types. Enter an email address manually or use the email address built from the Group name you provided.

+

+1. **Group description.** Add an optional description to your group.

+1. Switch the **Azure AD roles can be assigned to the group** setting to yes to use this group to assign Azure AD roles to members.

+ - This option is only available with Premium P1 or P2 licenses.

+ - You must have the **Privileged Role Administrator** or **Global Administrator** role.

+ - Enabling this option automatically selects **Assigned** as the Membership type.

+ - The ability to add roles while creating the group is added to the process.

+ - [Learn more about role-assignable groups](../roles/groups-create-eligible.md).

+1. Select a **Membership type.** For more information on membership types, see the [learn about groups and membership types](concept-learn-about-groups.md) article.

+1. Optionally add **Owners** or **Members**. Members and owners can be added after creating your group.

+ 1. Select the link under **Owners** or **Members** to populate a list of every user in your directory.

+ 1. Choose users from the list and then select the **Select** button at the bottom of the window.

+ 

+1. Select **Create**. Your group is created and ready for you to manage other settings.

+### Turn off group welcome email

+A welcome notification is sent to all users when they're added to a new Microsoft 365 group, regardless of the membership type. When an attribute of a user or device changes, all dynamic group rules in the organization are processed for potential membership changes. Users who are added then also receive the welcome notification. You can turn off this behavior in [Exchange PowerShell](/powershell/module/exchange/users-and-groups/Set-UnifiedGroup).

+## Add or remove members and owners

+Members and owners can be added to and removed from existing Azure AD groups. The process is the same for members and owners. You'll need the **Groups Administrator** or **User Administrator** role to add and remove members and owners.

+Need to add multiple members at one time? Learn about the [add members in bulk](../enterprise-users/groups-bulk-import-members.md) option.

+### Add members or owners of a group:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Active Directory** > **Groups**.

+1. Select the group you need to manage.

+1. Select either **Members** or **Owners**.

+ 

+1. Select **+ Add** (members or owners).

+1. Scroll through the list or enter a name in the search box. You can choose multiple names at one time. When you're ready, select the **Select** button.

+ The **Group Overview** page updates to show the number of members who are now added to the group.

+### Remove members or owners of a group:

+1. Go to **Azure Active Directory** > **Groups**.

+1. Select the group you need to manage.

+1. Select either **Members** or **Owners**.

+1. Check the box next to a name from the list and select the **Remove** button.

+ 

+## Edit group settings

+Using Azure AD, you can edit a group's name, description, or membership type. You'll need the **Groups Administrator** or **User Administrator** role to edit a group's settings.

+To edit your group settings:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Active Directory** > **Groups**. The **Groups - All groups** page appears, showing all of your active groups.

+1. Scroll through the list or enter a group name in the search box. Select the group you need to manage.

+1. Select **Properties** from the side menu.

+ 

+1. Update the **General settings** information as needed, including:

+ - **Group name.** Edit the existing group name.

+

+ - **Group description.** Edit the existing group description.

+ - **Group type.** You can't change the type of group after it's been created. To change the **Group type**, you must delete the group and create a new one.

+

+ - **Membership type.** Change the membership type. If you enabled the **Azure AD roles can be assigned to the group** option, you can't change the membership type. For more info about the available membership types, see the [learn about groups and membership types](concept-learn-about-groups.md) article.

+

+ - **Object ID.** You can't change the Object ID, but you can copy it to use in your PowerShell commands for the group. For more info about using PowerShell cmdlets, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-v2-cmdlets.md).

+## Add or remove a group from another group

+You can add an existing Security group to another Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time. You'll need the **Groups Administrator** or **User Administrator** role to edit group membership.

+We currently don't support:

+- Adding groups to a group synced with on-premises Active Directory.

+- Adding Security groups to Microsoft 365 groups.

+- Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.

+- Assigning apps to nested groups.

+- Applying licenses to nested groups.

+- Adding distribution groups in nesting scenarios.

+- Adding security groups as members of mail-enabled security groups.

+- Adding groups as members of a role-assignable group.

+### Add a group to another group

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Active Directory** > **Groups**.

+1. On the **Groups - All groups** page, search for and select the group you want to become a member of another group.

+ >[!Note]

+ >You only can add your group as a member to one other group at a time. Wildcard characters aren't supported in the **Select Group** search box.

+1. On the group Overview page, select **Group memberships** from the side menu.

+1. Select **+ Add memberships**.

+1. Locate the group you want your group to be a member of and choose **Select**.

+ For this exercise, we're adding "MDM policy - West" to the "MDM policy - All org" group, so "MDM - policy - West" inherits all the properties and configurations of the "MDM policy - All org" group.

+ 

+Now you can review the "MDM policy - West - Group memberships" page to see the group and member relationship.

+For a more detailed view of the group and member relationship, select the parent group name (MDM policy - All org) and take a look at the "MDM policy - West" page details.

+### Remove a group from another group

+You can remove an existing Security group from another Security group; however, removing the group also removes any inherited attributes and properties for its members.

+1. On the **Groups - All groups** page, search for and select the group you need to remove as a member of another group.

+1. On the group Overview page, select **Group memberships**.

+1. Select the parent group from the **Group memberships** page.

+1. Select **Remove**.

+ For this exercise, we're now going to remove "MDM policy - West" from the "MDM policy - All org" group.

+ 

+## Delete a group

+You can delete an Azure AD group for any number of reasons, but typically it will be because you:

+- Chose the incorrect **Group type** option.

+- Created a duplicate group by mistake.

+- No longer need the group.

+To delete a group you'll need the **Groups Administrator** or **User Administrator** role.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Go to **Azure Active Directory** > **Groups**.

+3. Search for and select the group you want to delete.

+4. Select **Delete**.

+ The group is deleted from your Azure Active Directory tenant.

+## Next steps

+- [Learn about groups and assigning access rights to groups](concept-learn-about-groups.md)

+- [Manage groups using PowerShell commands](../enterprise-users/groups-settings-v2-cmdlets.md)

+- [Manage dynamic rules for users in a group](../enterprise-users/groups-create-rule.md)

+- [Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory](../enterprise-users/licensing-group-advanced.md#limitations-and-known-issues)

+- [Associate or add an Azure subscription to Azure Active Directory](active-directory-how-subscriptions-associated-directory.md)

+## February 2022

+

+

+### General Availability - France digital accessibility requirement

+**Type:** Plan for change

+**Service category:** Other

+**Product capability:** End User Experiences

+

+This change provides users who are signing into Azure Active Directory on iOS, Android, and Web UI flavors information about the accessibility of Microsoft's online services via a link on the sign-in page. This ensures that the France digital accessibility compliance requirements are met. The change will only be available for French language experiences.[Learn more](https://www.microsoft.com/fr-fr/accessibility/accessibilite/accessibility-statement)

+

+

+### General Availability - Downloadable access review history report

+**Type:** New feature

+**Service category:** Access Reviews

+**Product capability:** Identity Governance

+

+With Azure Active Directory (Azure AD) Access Reviews, you can create a downloadable review history to help your organization gain more insight. The report pulls the decisions that were taken by reviewers when a report is created. These reports can be constructed to include specific access reviews, for a specific time frame, and can be filtered to include different review types and review results.[Learn more](../governance/access-reviews-downloadable-review-history.md)

+

+

+### Public Preview of Identity Protection for Workload Identities

+**Type:** New feature

+**Service category:** Identity Protection

+**Product capability:** Identity Security & Protection

+

+Azure AD Identity Protection is extending its core capabilities of detecting, investigating, and remediating identity-based risk to workload identities. This allows organizations to better protect their applications, service principals, and managed identities. We are also extending Conditional Access so you can block at-risk workload identities. [Learn more](../identity-protection/concept-workload-identity-risk.md)

+

+

+### Public Preview - Cross-tenant access settings for B2B collaboration

+**Type:** New feature

+**Service category:** B2B

+**Product capability:** Collaboration

+

+Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now youΓÇÖll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. [Learn more](../external-identities/cross-tenant-access-overview.md)

+

+

+### Public preview - Create Azure AD access reviews with multiple stages of reviewers

+**Type:** New feature

+**Service category:** Access Reviews

+**Product capability:** Identity Governance

+

+Use multi-stage reviews to create Azure AD access reviews in sequential stages, each with its own set of reviewers and configurations. Supports multiple stages of reviewers to satisfy scenarios such as: independent groups of reviewers reaching quorum, escalations to other reviewers, and reducing burden by allowing for later stage reviewers to see a filtered-down list. For public preview, multi-stage reviews are only supported on reviews of groups and applications. [Learn more](../governance/create-access-review.md)

+

+

+### New Federated Apps available in Azure AD Application gallery - February 2022

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** Third Party Integration

+

+In February 2022 we added the following 20 new applications in our App gallery with Federation support:

+[Embark](../saas-apps/embark-tutorial.md), [FENCE-Mobile RemoteManager SSO](../saas-apps/fence-mobile-remotemanager-sso-tutorial.md), [カオナビ](../saas-apps/kao-navi-tutorial.md), [Adobe Identity Management (OIDC)](../saas-apps/adobe-identity-management-tutorial.md), [AppRemo](../saas-apps/appremo-tutorial.md), [Live Center](https://livecenter.norkon.net/Login), [Offishall](https://app.offishall.io/), [MoveWORK Flow](https://www.movework-flow.fm/login), [Cirros SL](https://www.cirros.net/), [ePMX Procurement Software](https://azure.epmxweb.com/admin/index.php?), [Vanta O365](https://app.vanta.com/connections), [Hubble](../saas-apps/hubble-tutorial.md), [Medigold Gateway](https://gateway.medigoldcore.com), [クラウドログ](../saas-apps/crowd-log-tutorial.md),[Amazing People Schools](../saas-apps/amazing-people-schools-tutorial.md), [Salus](https://salus.com/login), [XplicitTrust Network Access](https://console.xplicittrust.com/#/dashboard), [Spike Email - Mail & Team Chat](https://spikenow.com/web/), [AltheaSuite](https://planmanager.altheasuite.com/), [Balsamiq Wireframes](../saas-apps/balsamiq-wireframes-tutorial.md).

+You can also find the documentation of all the applications from here: [https://aka.ms/AppsTutorial](../saas-apps/tutorial-list.md),

+For listing your application in the Azure AD app gallery, please read the details here: [https://aka.ms/AzureADAppRequest](../manage-apps/v2-howto-app-gallery-listing.md)

+

+

+### Two new MDA detections in Identity Protection

+**Type:** New feature

+**Service category:** Identity Protection

+**Product capability:** Identity Security & Protection

+

+Identity Protection has added two new detections from Microsoft Defender for Cloud Apps, (formerly MCAS). The Mass Access to Sensitive Files detection detects anomalous user activity, and the Unusual Addition of Credentials to an OAuth app detects suspicious service principal activity.[Learn more](../identity-protection/concept-identity-protection-risks.md)

+

+

+### Public preview - New provisioning connectors in the Azure AD Application Gallery - February 2022

+**Type:** New feature

+**Service category:** App Provisioning

+**Product capability:** 3rd Party Integration

+

+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

+- [BullseyeTDP](../saas-apps/bullseyetdp-provisioning-tutorial.md)

+- [GitHub Enterprise Managed User (OIDC)](../saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial.md)

+- [Gong](../saas-apps/gong-provisioning-tutorial.md)

+- [LanSchool Air](../saas-apps/lanschool-air-provisioning-tutorial.md)

+- [ProdPad](../saas-apps/prodpad-provisioning-tutorial.md)

+For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

+

+

+### General Availability - Privileged Identity Management (PIM) role activation for SharePoint Online enhancements

+**Type:** Changed feature

+**Service category:** Privileged Identity Management

+**Product capability:** Privileged Identity Management

+

+We've improved the Privileged Identity management (PIM) time to role activation for SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should be able to use your permissions right away in SharePoint Online. This change will roll out in stages, so you might not yet see these improvements in your organization. [Learn more](../privileged-identity-management/pim-how-to-activate-role.md)

+

+- [Create workflow (lifecycle workflow)](/graph/api/identitygovernance-lifecycleworkflowscontainer-post-workflows?view=graph-rest-beta)

+- [Delete workflow (lifecycle workflow)](/graph/api/identitygovernance-workflow-delete?view=graph-rest-beta)

+> Currently, automatic synchronization of the employeeLeaveDateTime attribute for HR Inbound scenarios is not available. To take advantaged of leaver scenarios, you can set the employeeLeaveDateTime manually. Manually setting the attribute can be done in the portal or with Graph. For more information see [User profile in Azure](../fundamentals/active-directory-users-profile-azure-portal.md) and [Update user](/graph/api/user-update?view=graph-rest-beta&tabs=http).

+- [workflow: activate (run a workflow on-demand)](/graph/api/identitygovernance-workflow-activate?view=graph-rest-beta)

+|Parameter |Display String |Description |Admin Consent Required |

+ Title: 'Tutorial: Azure AD SSO integration with AsignetSSOIntegration'

+description: Learn how to configure single sign-on between Azure Active Directory and AsignetSSOIntegration.

+# Tutorial: Azure AD SSO integration with AsignetSSOIntegration

+In this tutorial, you'll learn how to integrate AsignetSSOIntegration with Azure Active Directory (Azure AD). When you integrate AsignetSSOIntegration with Azure AD, you can:

+* Control in Azure AD who has access to AsignetSSOIntegration.

+* Enable your users to be automatically signed-in to AsignetSSOIntegration with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* AsignetSSOIntegration single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* AsignetSSOIntegration supports **SP** and **IDP** initiated SSO.

+## Add AsignetSSOIntegration from the gallery

+To configure the integration of AsignetSSOIntegration into Azure AD, you need to add AsignetSSOIntegration from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **AsignetSSOIntegration** in the search box.

+1. Select **AsignetSSOIntegration** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for AsignetSSOIntegration

+Configure and test Azure AD SSO with AsignetSSOIntegration using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AsignetSSOIntegration.

+To configure and test Azure AD SSO with AsignetSSOIntegration, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure AsignetSSOIntegration SSO](#configure-asignetssointegration-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create AsignetSSOIntegration test user](#create-asignetssointegration-test-user)** - to have a counterpart of B.Simon in AsignetSSOIntegration that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **AsignetSSOIntegration** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://trim.corp.microsoft.com/sso.ashx`

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up AsignetSSOIntegration** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to AsignetSSOIntegration.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **AsignetSSOIntegration**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure AsignetSSOIntegration SSO

+To configure single sign-on on **AsignetSSOIntegration** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [AsignetSSOIntegration support team](mailto:us@asignet.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create AsignetSSOIntegration test user

+In this section, you create a user called Britta Simon in AsignetSSOIntegration. Work with [AsignetSSOIntegration support team](mailto:us@asignet.com) to add the users in the AsignetSSOIntegration platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to AsignetSSOIntegration Sign-on URL where you can initiate the login flow.

+* Go to AsignetSSOIntegration Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the AsignetSSOIntegration for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the AsignetSSOIntegration tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AsignetSSOIntegration for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure AsignetSSOIntegration you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with FourKites SAML2.0 SSO for Tracking'

+description: Learn how to configure single sign-on between Azure Active Directory and FourKites SAML2.0 SSO for Tracking.

+# Tutorial: Azure AD SSO integration with FourKites SAML2.0 SSO for Tracking

+In this tutorial, you'll learn how to integrate FourKites SAML2.0 SSO for Tracking with Azure Active Directory (Azure AD). When you integrate FourKites SAML2.0 SSO for Tracking with Azure AD, you can:

+* Control in Azure AD who has access to FourKites SAML2.0 SSO for Tracking.

+* Enable your users to be automatically signed-in to FourKites SAML2.0 SSO for Tracking with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* FourKites SAML2.0 SSO for Tracking single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* FourKites SAML2.0 SSO for Tracking supports **SP** and **IDP** initiated SSO.

+* FourKites SAML2.0 SSO for Tracking supports **Just In Time** user provisioning.

+## Add FourKites SAML2.0 SSO for Tracking from the gallery

+To configure the integration of FourKites SAML2.0 SSO for Tracking into Azure AD, you need to add FourKites SAML2.0 SSO for Tracking from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **FourKites SAML2.0 SSO for Tracking** in the search box.

+1. Select **FourKites SAML2.0 SSO for Tracking** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for FourKites SAML2.0 SSO for Tracking

+Configure and test Azure AD SSO with FourKites SAML2.0 SSO for Tracking using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FourKites SAML2.0 SSO for Tracking.

+To configure and test Azure AD SSO with FourKites SAML2.0 SSO for Tracking, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure FourKites SAML2.0 SSO for Tracking SSO](#configure-fourkites-saml20-sso-for-tracking-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create FourKites SAML2.0 SSO for Tracking test user](#create-fourkites-saml20-sso-for-tracking-test-user)** - to have a counterpart of B.Simon in FourKites SAML2.0 SSO for Tracking that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **FourKites SAML2.0 SSO for Tracking** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type one of the following URLs:

+

+ | **Sign-on URL**|

+ |-|

+ | `https://upsgff.fourkites.com` |

+ | `https://upsgff-staging.fourkites.com` |

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FourKites SAML2.0 SSO for Tracking.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **FourKites SAML2.0 SSO for Tracking**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure FourKites SAML2.0 SSO for Tracking SSO

+To configure single sign-on on **FourKites SAML2.0 SSO for Tracking** side, you need to send the **App Federation Metadata Url** to [FourKites SAML2.0 SSO for Tracking support team](mailto:support@fourkites.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create FourKites SAML2.0 SSO for Tracking test user

+In this section, a user called B.Simon is created in FourKites SAML2.0 SSO for Tracking. FourKites SAML2.0 SSO for Tracking supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in FourKites SAML2.0 SSO for Tracking, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to FourKites SAML2.0 SSO for Tracking Sign-on URL where you can initiate the login flow.

+* Go to FourKites SAML2.0 SSO for Tracking Sign-on URL directly and initiate the login flow from there.

+### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the FourKites SAML2.0 SSO for Tracking for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the FourKites SAML2.0 SSO for Tracking tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the FourKites SAML2.0 SSO for Tracking for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure FourKites SAML2.0 SSO for Tracking you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ >[!NOTE]

+ >All the required fields (for example, first name, last name and email) are required to be filled in Azure AD in order get the auto provision work without any issue.

+ Title: 'Tutorial: Azure AD SSO integration with NICE CXone'

+description: Learn how to configure single sign-on between Azure Active Directory and NICE CXone.

+# Tutorial: Azure AD SSO integration with NICE CXone

+In this tutorial, you'll learn how to integrate NICE CXone with Azure Active Directory (Azure AD). When you integrate NICE CXone with Azure AD, you can:

+* Control in Azure AD who has access to NICE CXone.

+* Enable your users to be automatically signed-in to NICE CXone with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* NICE CXone single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* NICE CXone supports **SP** initiated SSO.

+## Add NICE CXone from the gallery

+To configure the integration of NICE CXone into Azure AD, you need to add NICE CXone from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **NICE CXone** in the search box.

+1. Select **NICE CXone** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for NICE CXone

+Configure and test Azure AD SSO with NICE CXone using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at NICE CXone.

+To configure and test Azure AD SSO with NICE CXone, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure NICE CXone SSO](#configure-nice-cxone-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create NICE CXone test user](#create-nice-cxone-test-user)** - to have a counterpart of B.Simon in NICE CXone that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **NICE CXone** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using one of the following patterns:

+ | **Identifier** |

+ |-|

+ | `https://cxone.niceincontact,com/<guid>` |

+ | `https://cxone-gov.niceincontact.com/<guid>` |

+ b. In the **Reply URL** textbox, type a URL using one of the following patterns:

+

+ | **Reply URL** |

+ ||

+ | `https://cxone.niceincontact.com/auth/authorize?tenantId=<guid>` |

+ | `https://cxone-gov.niceincontact.com/auth/authorize?tenantId=<guid>` |

+ c. In the **Sign-on URL** text box, type one of the following URLs:

+ | **Sign-on URL** |

+ |-|

+ | `https://cxone.niceincontact.com` |

+ | `https://cxone-gov.niceincontact.com` |

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [NICE CXone support team](https://www.nice.com/services/customer-support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up NICE CXone** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to NICE CXone.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **NICE CXone**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure NICE CXone SSO

+To configure single sign-on on **NICE CXone** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [NICE CXone support team](https://www.nice.com/services/customer-support). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create NICE CXone test user

+In this section, you create a user called Britta Simon at NICE CXone. Work with [NICE CXone support team](https://www.nice.com/services/customer-support) to add the users in the NICE CXone platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to NICE CXone Sign-on URL where you can initiate the login flow.

+* Go to NICE CXone Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the NICE CXone tile in the My Apps, this will redirect to NICE CXone Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure NICE CXone you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+When onboarding users you can remove the need for error prone manual onboarding steps by using Verified ID with A10TIX account onboarding. Verified IDs can be used to digitally onboard employees, students, citizens, or others to securely access resources and services. For example, rather than an employee needing to go to a central office to activate an employee badge, they can use a Verified ID to verify their identity to activate a badge that is delivered to them remotely. Rather than a citizen receiving a code they must redeem to access governmental services, they can use a Verified ID to prove their identity and gain access. Learn more about [account onboarding](https://docs.microsoft.com/azure/active-directory/verifiable-credentials/plan-verification-solution#account-onboarding).

+ [ ](./media/verified-id-partner-au10tix/select-issuers.png#lightbox)

+Verifiable Credentials can be used to onboard employees, students, citizens, or others to access services. For example, rather than an employee needing to go to a central office to activate an employee badge, they can use a verifiable credential to verify their identity to activate a badge that is delivered to them remotely. Rather than a citizen receiving a code they must redeem to access governmental services, they can use a VC to prove their identity and gain access. Learn more about [account onboarding](https://docs.microsoft.com/azure/active-directory/verifiable-credentials/plan-verification-solution#account-onboarding).

+ [ ](./media/verified-id-partner-lexisnexis/select-issuer.png#lightbox)

+Construct an HTTP POST request to the Request Service REST API.

+If you need to add the outbound IP addresses used by your Consumption tier instance to an allowlist, you can add the instance's data center (Azure region) to an allowlist. You can [download a JSON file that lists IP addresses for all Azure data centers](https://www.microsoft.com/download/details.aspx?id=56519). Then find the JSON fragment that applies to the region that your instance runs in.

+For example, the following JSON fragment is what the allowlist for Western Europe might look like:

+```json

+{

+ "name": "AzureCloud.westeurope",

+ "id": "AzureCloud.westeurope",

+ "properties": {

+ "changeNumber": 9,

+ "region": "westeurope",

+ "platform": "Azure",

+ "systemService": "",

+ "addressPrefixes": [

+ "13.69.0.0/17",

+ "13.73.128.0/18",

+ ... Some IP addresses not shown here

+ "213.199.180.192/27",

+ "213.199.183.0/24"

+ ]

+ }

+}

+```

+For information about when this file is updated and when the IP addresses change, expand the **Details** section of the [Download Center page](https://www.microsoft.com/en-us/download/details.aspx?id=56519).

+ Title: Set up basic authentication to developer portal

+description: Learn how to set up user accounts with username and password authentication to the developer portal in Azure API Management.

+# Configure users of the developer portal to authenticate using usernames and passwords

+In the developer portal for Azure API Management, the default authentication method for users is to provide a username and password. In this article, learn how to set up users with basic authentication credentials to the developer portal.

+## Prerequisites

+- Complete the [Create an Azure API Management instance](get-started-create-service-instance.md) quickstart.

+## Confirm the username and password provider

+By default, the username and password *identity provider* is enabled in the developer portal. To confirm this setting:

+1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**.

+1. In the **Provider type** list, confirm that **Username and password** appears.

+If the provider isn't already enabled, you can add it:

+1. In the left menu of your API Management instance, under **Developer portal**, select **Identities** > **+ Add**.

+1. Under **Type**, select **Username and password**, and then select **Add**.

+## Add a username and password

+There are two ways to add a username and password for authentication to the developer portal:

+* An API publisher can add a user through the Azure portal, or with equivalent Azure tools such as the [New-AzApiManagementUser](/powershell/module/az.apimanagement/new-azapimanagementuser) Azure PowerShell cmdlet. For steps to use the portal, see [How to manage user accounts in Azure API Management](api-management-howto-create-or-invite-developers.md).

+ :::image type="content" source="media/developer-portal-basic-authentication/add-user-portal.png" alt-text="Screenshot showing how to add a user in the Azure portal.":::

+* An API consumer (developer) can sign up directly in the developer portal, using the **Sign up** page.

+ :::image type="content" source="media/developer-portal-basic-authentication/developer-portal-sign-up-page.png" alt-text="Screenshot of the sign-up page in the developer portal.":::

+> [!NOTE]

+> API Management enforces password strength requirements including password length. When you add a user in the Azure portal, the password must be at least 6 characters long. When a developer signs up or resets a password through the developer portal, the password must be at least 8 characters long.

+## Delete the username and password provider

+If you've configured another identity provider for the developer portal such as [Azure AD](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md), you might want to delete the username and password provider.

+Deleting the identity provider prevents adding users to use username and password authentication. Existing users configured for basic authentication are also prevented from signing into the developer portal.

+1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**.

+1. In the **Provider type** list, select **Username and password**. In the context menu (**...**), select **Delete**.

+> [!TIP]

+> If you want to disable all sign up or sign in functionality in the developer portal, see [How do I disable sign up in the developer portal?](developer-portal-faq.md#how-do-i-disable-sign-up-in-the-developer-portal)

+## Next steps

+For steps to add other identity providers for developer sign-up to the developer portal, see:

+- [Authorize developer accounts by using Azure Active Directory in Azure API Management](api-management-howto-aad.md)

+- [Authorize developer accounts by using Azure Active Directory B2C in Azure API Management](api-management-howto-aad-b2c.md)

+| telemetry.logs.local | `none` | Enables local logging. Value can be `none`, `auto`, `localsyslog`, `rfc5424`, `journal`, `json` |

+> Outbound SMTP connectivity (port 25) is supported for App Service Environment v3. The supportability is determined by a setting on the subscription where the virtual network is deployed. For virtual networks/subnets created before 1. August 2022 you need to initiate a temporary configuration change to the virtual network/subnet for the setting to be synchronized from the subscription. An example could be to add a temporary subnet, associate/dissociate an NSG temporarily or configure a service endpoint temporarily. For more information and troubleshooting see [Troubleshoot outbound SMTP connectivity problems in Azure](../../virtual-network/troubleshoot-outbound-smtp-connectivity.md).

+- **Dedicated host App Service Environment v3**: With a dedicated host deployment, you're charged for two dedicated hosts per our pricing when you create the App Service Environment v3 and then, as you scale, you're charged a specialized Isolated v2 rate per vCore. I1v2 uses two vCores, I2v2 uses four vCores, and I3v2 uses eight vCores per instance.

+When all traffic routing is enabled, all outbound traffic is sent into your virtual network. If all traffic routing isn't enabled, only private traffic (RFC1918) and service endpoints configured on the integration subnet will be sent into the virtual network, and outbound traffic to the internet will go through the same channels as normal.

+If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider), but it will also automatically be registered when creating the first web app in a subscription.

+Through application routing or configuration routing options, you can configure what traffic will be sent through the virtual network integration. Traffic is only subject to [network routing](#network-routing) if it's sent through the virtual network integration.

+Application routing applies to traffic that is sent from your app after it has been started. See [configuration routing](#configuration-routing) for traffic during startup. When you configure application routing, you can either route all traffic or only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) into your virtual network. You configure this behavior through the **Route All** setting. If **Route All** is disabled, your app only routes private traffic into your virtual network. If you want to route all your outbound app traffic into your virtual network, make sure that **Route All** is enabled.

+> Outbound SMTP connectivity (port 25) is supported for App Service when the SMTP traffic is routed through the virtual network integration. The supportability is determined by a setting on the subscription where the virtual network is deployed. For virtual networks/subnets created before 1. August 2022 you need to initiate a temporary configuration change to the virtual network/subnet for the setting to be synchronized from the subscription. An example could be to add a temporary subnet, associate/dissociate an NSG temporarily or configure a service endpoint temporarily. For more information and troubleshooting see [Troubleshoot outbound SMTP connectivity problems in Azure](../virtual-network/troubleshoot-outbound-smtp-connectivity.md).

+When you're using virtual network integration, you can configure how parts of the configuration traffic are managed. By default, configuration traffic will go directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.

+Route tables and network security groups only apply to traffic routed through the virtual network integration. See [application routing](#application-routing) and [configuration routing](#configuration-routing) for details. Routes won't affect replies to inbound app requests and inbound rules in an NSG don't apply to your app because virtual network integration affects only outbound traffic from your app. To control inbound traffic to your app, use the Access Restrictions feature.

+When configuring network security groups or route tables that affect outbound traffic, you must make sure you consider your application dependencies. Application dependencies include endpoints that your app needs during runtime. Besides APIs and services the app is calling, this could also be derived endpoints like certificate revocation list (CRL) check endpoints and identity/authentication endpoint, for example Azure Active Directory. If you're using [continuous deployment in App Service](./deploy-continuous-deployment.md), you might also need to allow endpoints depending on type and language. Specifically for [Linux continuous deployment](https://github.com/microsoft/Oryx/blob/main/doc/hosts/appservice.md#network-dependencies), you'll need to allow `oryx-cdn.microsoft.io:443`.

+* Allows the same virtual network to be used by multiple apps in an App Service plan without affecting the total number that can be used by an App Service plan. If you have six apps using the same virtual network in the same App Service plan that counts as one virtual network being used.

+* SLA on the gateway can affect the overall [SLA](https://azure.microsoft.com/support/legal/sla/).

+|Data extraction | Key-value pairs, tables, selection marks, coordinates, and signatures | Key-value pairs, selection marks and tables|

+|Custom neural| Γ£ö| Γ£ö | Γ£ö | **n/a** | **n/a** |

+When creating new Automation jobs, you might experience a delay or failure of job creation. Scheduled jobs will automatically be retired, and jobs executed through the portal can be retired if you see a failure.

+This is because of the high load from customers' runbooks using the Automation service in the West Europe region.

+Perform the following action if it is feasible as per your requirement and environment to reduce the chance of failure:

+- If youΓÇÖre using the top of the hour for the job creation (at 12:00, 1:00, 2:00, and so on.), typically on the hour, or half hour, we recommend that you move the job start time to five minutes before or after the hour/half hour. This is because a most of the customers use the beginning of the hour for job execution which drastically increases the load on the service, while the load is relatively low at the other time slots.

+> [!NOTE]

+> - It is important to specify `--license-type DisasterRecovery` **during** the Azure Arc SQL MI creation. This will allow the DR instance to be seeded from the primary instance in the primary data center. Updating this property post deployment will not have the same effect.

+ Title: Resize persistent volume claim (PVC) for Azure Arc-enabled data services volume

+description: Explains how to resize a persistent volume claim for a volume used for Azure Arc-enabled data services.

+# Resize persistent volume to increase size

+This article explains how to resize an existing persistent volume to increase its size by editing the `PersistentVolumeClaim` (PVC) object.

+> [!NOTE]

+> Resizing PVCs using this method only works your `StorageClass` supports `AllowVolumeExpansion=True`.

+When you deploy an Azure Arc enabled SQL managed instance, you can configure the size of the persistent volume (PV) for `data`, `logs`, `datalogs`, and `backups`. The deployment creates these volumes based on the values set by parameters `--volume-size-data`, `--volume-size-logs`, `--volume-size-datalogs`, and `--volume-size-backups`. When these volumes become full, you will need to resize the `PersistentVolumes`. Azure Arc enabled SQL Managed Instance is deployed as part of a `StatefulSet` for both General Purpose or Business Critical service tiers. Kubernetes supports automatic resizing for persistent volumes but not for volumes attached to `StatefulSet`.

+Following are the steps to resize persistent volumes attached to `StatefulSet`:

+1. Scale the `StatefulSet` replicas to 0

+2. Patch the PVC to the new size

+3. Scale the `StatefulSet` replicas back to the original size

+During the patching of `PersistentVolumeClaim`, the status of the persistent volume claim will likely change from: `Attached` to `Resizing` to `FileSystemResizePending` to `Attached`. The exact states will depend on the storage provisioner.

+> [!NOTE]

+> Ensure the managed instance is in a healthy state before you proceed. Run `kubectl get sqlmi -n <namespace>` and check the status of the managed instance.

+## 1. Scale the `StatefulSet` replicas to 0

+There is one `StatefulSet` deployed for each Arc SQL MI. The number of replicas in the `StatefulSet` is equal to the number of replicas in the Arc SQL MI. For General Purpose service tier, this is 1. For Business Critical service tier it could be 1, 2 or 3 depending on how many replicas were specified. Run the below command to get the number of `StatefulSet` replicas if you have a Business Critical instance.

+```console

+kubectl get sts --namespace <namespace>

+```

+For example, if the namespace is `arc`, run:

+```console

+kubectl get sts --namespace arc

+```

+Notice the number of stateful sets under the `READY` column for the SQL managed instance(s).

+Run the below command to scale the `StatefulSet` replicas to 0:

+```console

+kubectl scale statefulsets <statefulset> --namespace <namespace> --replicas= <number>

+```

+For example:

+```console

+kubectl scale statefulsets sqlmi1 --namespace arc --replicas=0

+```

+## 2. Patch the PVC to the new size

+Run the below command to get the name of the `PersistentVolumeClaim` which needs to be resized:

+```console

+kubectl get pvc --namespace <namespace>

+```

+For example:

+```console

+kubectl get pvc --namespace arc

+```

+Once the stateful `StatefulSet` replicas have completed scaling down to 0, patch the `StatefulSet`. Run the following command:

+```console

+$newsize='{\"spec\":{\"resources\":{\"requests\":{\"storage\":\"<newsize>Gi\"}}}}'

+kubectl patch pvc <name of PVC> --namespace <namespace> --type merge --patch $newsize

+```

+For example: the following command will resize the data PVC to 50Gi.

+```console

+$newsize='{\"spec\":{\"resources\":{\"requests\":{\"storage\":\"50Gi\"}}}}'

+kubectl patch pvc data-a6gt3be7mrtq60eao0gmgxgd-sqlmi1-0 --namespace arcns --type merge --patch $newsize

+```

+## 3. Scale the `StatefulSet` replicas to original size

+Once the resize completes, scale the `StatefulSet` replicas back to its original size by running the below command:

+```console

+kubectl scale statefulsets <statefulset> --namespace <namespace> --replicas= <number>

+```

+For example: The below command sets the `StatefulSet` replicas to 3.

+```

+kubectl scale statefulsets sqlmi1 --namespace arc --replicas=3

+```

+Ensure the Arc enabled SQL managed instance is back to ready status by running:

+```console

+kubectl get sqlmi -A

+```

+## See also

+[Sizing Guidance](sizing-guidance.md)

+Connect-AzAccount

+| **Service** | **FedRAMP High** | **DoD IL2** |

+| **Service** | **FedRAMP High** | **DoD IL2** |

+| **Service** | **FedRAMP High** | **DoD IL2** |

+| **Service** | **FedRAMP High** | **DoD IL2** |

+> Container insights support for Windows Server 2022 operating system and AKS for ARM nodes is in public preview.

+[aks-release-notes]: https://github.com/Azure/AKS/releases

+>[!NOTE]

+> Dependency agent is not supported for Azure Virtual Machines with Ampere Altra ARMΓÇôbased processors.

+If you want to stop monitoring your VMs for a while or remove VM insights entirely, see [Disable monitoring of your VMs in VM insights](../vm/vminsights-optout.md).

+1. Stop the Steps Recorder and save the recording.

+1. Package the browser trace HAR file, console output, and screen recording files in a compressed format such as .zip.

+1. Share the compressed file with Microsoft support by [using the **File upload** option in your support request](supportability/how-to-manage-azure-support-request.md#upload-files).

+1. Package the browser trace HAR file, console output, and screen recording files in a compressed format such as .zip.

+1. Share the compressed file with Microsoft support by [using the **File upload** option in your support request](supportability/how-to-manage-azure-support-request.md#upload-files).

+1. Stop the Steps Recorder on Windows or the screen recording on Mac, and save the recording.

+1. Package the browser trace HAR file, console output, and screen recording files in a compressed format such as .zip.

+1. Share the compressed file with Microsoft support by [using the **File upload** option in your support request](supportability/how-to-manage-azure-support-request.md#upload-files).

+1. Complete the **problem details** so that we have more information about your issue. If possible, tell us when the problem started and any steps to reproduce it. You can optionally upload one file (or a compressed file such as .zip that contains multiple files), such as a log file or [browser trace](../capture-browser-trace.md). For more information on file uploads, see [File upload guidelines](how-to-manage-azure-support-request.md#file-upload-guidelines).

+You can use the file upload option to upload a diagnostic file, such as a [browser trace](../capture-browser-trace.md) or any other files that you think are relevant to a support request.

+1. On the **Support Request** page, select the **File upload** box, then browse to find your file and select **Upload**.

+- You can't upload more than one file. To include multiple different files, package them together in a compressed format such as .zip.

+- A cannot-delete lock on a **Virtual Machine** that is protected by **Site Recovery** prevents certain resource links related to Site Recovery from being removed properly when you remove the protection or disable replication. If you plan to re-protect the VM later, you need to remove the lock prior to disabling protection. In case you miss to remove the lock, you need to follow certain steps to clean up the stale links before you can re-protect the VM. For more information, see [Troubleshoot Azure VM replication](../../site-recovery/azure-to-azure-troubleshoot-errors.md#replication-not-enabled-on-vm-with-stale-resources-error-code-150226).

+- App Service Environments can't be moved to a new resource group or subscription. However, you can move a web app and app service plan to a new subscription without moving the App Service Environment.

+ Title: Optimize costs for Azure Backup Storage with reserved capacity

+description: This article explains about how to optimize costs for Azure Backup Storage with reserved capacity.

+# Optimize costs for Azure Backup Storage with reserved capacity

+You can save money on backup storage costs for the vault-standard tier using Azure Backup Storage reserved capacity. Azure Backup Storage reserved capacity offers you a discount on capacity for backup data stored for the vault-standard tier when you commit to a reservation for either one year or three years. A reservation provides a fixed amount of backup storage capacity for the term of the reservation.

+Azure Backup Storage reserved capacity can significantly reduce your capacity costs for Azure Backup data. The cost savings achieved depend on the duration of your reservation, the total capacity you choose to reserve, and the vault tier, and type of redundancy you've chosen for your vault. Reserved capacity provides a billing discount and doesn't affect the state of your Azure Backup Storage resources.

+For information about Azure Backup pricing, see [Azure Backup pricing page](https://azure.microsoft.com/pricing/details/backup/).

+## Reservation terms for Azure Storage

+The following sections describe the terms of an Azure Backup Storage reservation.

+#### Reservation capacity

+You can purchase Azure Backup Storage reserved capacity in units of 100 TiB and 1 PiB per month for a one-year or three-year term.

+#### Reservation scope

+Azure Backup Storage reserved capacity is available for a single subscription, multiple subscriptions (shared scope), and management groups.

+- When scoped to a single subscription, the reservation discount is applied only to the selected subscription.

+- When scoped to multiple subscriptions, the reservation discount is shared across those subscriptions within your billing context.

+- When scoped to management group, the reservation discount is shared across the subscriptions that are a part of management group and billing scope.

+When you purchase Azure Backup Storage reserved capacity, you can use your reservation for backup data stored in the vault-standard tier only. A reservation is applied to your usage within the purchased scope and canΓÇÖt be limited to a specific storage account, container, or object within the subscription.

+An Azure Backup Storage reservation covers only the amount of data that's stored in a subscription or shared resource group. Early deletion, operations, bandwidth, and data transfer charges arenΓÇÖt included in the reservation. As soon as you purchase a reservation, you're charged for the capacity charges that match the reservation attributes at the discount rates, instead of pay-as-you-go rates. For more information on Azure reservations, see [What are Azure Reservations?](../cost-management-billing/reservations/save-compute-costs-reservations.md)

+#### Supported account types, tiers, and redundancy options

+Azure Backup Storage reserved capacity is available for backup data stored in the vault-standard tier.

+LRS, GRS, and RA-GRS redundancies are supported for reservations. For more information about redundancy options, see [Azure Storage redundancy](../storage/common/storage-redundancy.md).

+>[!Note]

+>Azure Backup Storage reserved capacity isn't applicable for Protected Instance cost. It's also not applicable to vault-archive tier.

+#### Security requirements for purchase

+To purchase reserved capacity:

+- You must be in the Owner role for at least one Enterprise or individual subscription with pay-as-you-go rates.

+- For Enterprise subscriptions, the policy to add reserved instances must be enabled. For direct EA agreements, the Reserved Instances policy must be enabled in the Azure portal. For indirect EA agreements, the Add Reserved Instances policy must be enabled in the EA portal. Or, if those policy settings are disabled, you must be an EA Admin on the subscription.

+- For the Cloud Solution Provider (CSP) program, only admin agents or sales agents can purchase Azure Backup Blob Storage reserved capacity.

+## Determine required capacity before purchase

+When you purchase an Azure Backup Storage reservation, you must choose the reservationΓÇÖs region, vault tier, and redundancy option. Your reservation is valid only for data stored in that region, vault tier, and redundancy level. For example, you purchase a reservation for data in US West for the vault-standard tier using geo-redundant storage (GRS). You can't use the same reservation for data in US East, or data in locally redundant storage (LRS). However, you can purchase another reservation for your additional needs.

+Reservations are currently available for 100 TiB or 1 PiB blocks, with higher discounts for 1 PiB blocks. When you purchase a reservation in the Azure portal, Microsoft may provide you with recommendations based on your previous usage to help determine which reservation you should purchase.

+## Purchase Azure Backup Storage reserved capacity

+You can purchase Azure Backup Storage reserved capacity through the [Azure portal](https://portal.azure.com/). Pay for the reservation up front or with monthly payments. For more information about purchasing with monthly payments, see [Purchase Azure reservations with up front or monthly payments](../cost-management-billing/reservations/prepare-buy-reservation.md).

+For help with identifying the reservation terms that are right for your scenario, see [Understand how reservation discounts are applied to Azure Backup storage](backup-azure-reserved-pricing-overview.md).

+To purchase reserved capacity, follow these steps:

+1. Go to the [Purchase reservations](https://portal.azure.com/#blade/Microsoft_Azure_Reservations/CreateBlade/referrer/Browse_AddCommand) pane in the Azure portal.

+1. Select **Azure Backup** to purchase a new reservation.

+1. Enter required information as described in the following table:

+ :::image type="content" source="./media/backup-azure-reserved-pricing/purchase-reserved-capacity-enter-information.png" alt-text="Screenshot showing the information to enter to purchase reservation capability for Azure Backup Storage.":::

+ | Field | Description |

+ | | |

+ | Scope | Indicates the number of subscriptions you can use for the billing benefit associated with the reservation. It also controls how the reservation is applied to specific subscriptions. <br><br> If you select Shared, the reservation discount is applied to Azure Backups Storage capacity in any subscription within your billing context. The billing context is based on how you signed up for Azure. If you're an enterprise customer, the shared scope is the enrollment and includes all subscriptions within the enrollment. If you're a pay-as-you-go customer, the shared scope includes all individual subscriptions with pay-as-you-go rates created by the account administrator. <br><br> If you select Single subscription, the reservation discount is applied to Azure Backup Storage capacity in the selected subscription. <br><br> If you select Single resource group, the reservation discount is applied to Azure Backup Storage capacity in the selected subscription and the selected resource group within that subscription. <br><br> If you select Management group, the reservation discount is applied to the matching resource in the list of subscriptions that are a part of both the management group and billing scope. To buy a reservation for a management group, you must have at least read permission on the management group and be a reservation owner or reservation purchaser on the billing subscription. <br><br> You can change the reservation scope after you purchase the reservation. |

+ | Subscription | The subscription that's used to pay for the Azure Backup Storage reservation. The payment method on the selected subscription is used in charging the costs. The subscription must be one of the following types: <br><br> - **Enterprise Agreement (offer numbers: MS-AZR-0017P or MS-AZR-0148P)**: For an Enterprise subscription, the charges are deducted from the enrollment's Azure Prepayment (previously called monetary commitment) balance or charged as overage. <br><br> - **Individual subscription with pay-as-you-go rates (offer numbers: MS-AZR-0003P or MS-AZR-0023P)**: For an individual subscription with pay-as-you-go rates, the charges are billed to the credit card or invoice payment method on the subscription. <br><br> - Microsoft Customer Agreement subscriptions <br><br> - CSP subscriptions. |

+ | Region | The region where the reservation is in effect. |

+ | Vault tier | The vault tier for which the reservation is in effect. Currently, only reservations for vault-standard tier are supported. |

+ | Redundancy | The redundancy option for the reservation. Options include LRS, GRS, and RA-GRS. For more information about redundancy options, see [Azure Storage redundancy](../storage/common/storage-redundancy.md). |

+ | Billing frequency | Indicates how often the account is billed for the reservation. Options include Monthly or Upfront. |

+ | Size | The amount of capacity to reserve. |

+ | Term | One year or three years. |

+1. After you select the parameters for your reservation, the Azure portal displays the cost. The portal also shows the discount percentage over pay-as-you-go billing.

+1. In the **Purchase reservations** pane, review the total cost of the reservation.

+ You can also provide a name for the reservation.

+ :::image type="content" source="./media/backup-azure-reserved-pricing/purchase-reserved-capacity-review-total-cost-inline.png" alt-text="Screenshot showing the Purchase reservation pane to review the total cost of the reservation." lightbox="./media/backup-azure-reserved-pricing/purchase-reserved-capacity-review-total-cost-expanded.png":::

+After you purchase a reservation, it's automatically applied to any existing Azure Backup Storage data that matches the terms of the reservation. If you haven't created any Azure Backup Storage data yet, the reservation will apply whenever you create a resource that matches the terms of the reservation. In either case, the term of the reservation begins immediately after a successful purchase.

+## Exchange or refund a reservation

+You can exchange or refund a reservation, with certain limitations. These limitations are described in the following sections.

+To exchange or refund a reservation, follow these steps:

+1. Go to the reservation details in the Azure portal.

+1. Select **Exchange or Refund**, and follow the instructions to submit a support request.

+You'll receive an email confirmation when the request is processed. For more information about Azure Reservations policies, see [Self-service exchanges and refunds for Azure Reservations](../cost-management-billing/reservations/exchange-and-refund-azure-reservations.md).

+## Exchange a reservation

+Exchanging a reservation enables you to receive a prorated refund based on the unused portion of the reservation. You can then apply the refund to the purchase price of a new Azure Backup Storage reservation.

+There's no limit on the number of exchanges you can make. Additionally, there's no fee associated with an exchange. The new reservation that you purchase must be of equal or greater value than the prorated credit from the original reservation. An Azure Backup Storage reservation can be exchanged only for another Azure Backup Storage reservation, and not for a reservation for any other Azure service.

+## Refund a reservation

+You may cancel an Azure Backup Storage reservation at any time. When you cancel, you'll receive a prorated refund based on the remaining term of the reservation. The maximum refund per year is *$50,000*.

+Cancelling a reservation immediately terminates the reservation and returns the remaining months to Microsoft. The remaining prorated balance, minus the fee, will be refunded to your original form of purchase.

+## Expiration of a reservation

+When a reservation expires, any Azure Backup Storage capacity that you've used under that reservation is billed at the pay-as-you go rate. Reservations don't renew automatically.

+You'll receive an email notification 30 days prior to the expiration of the reservation, and again on the expiration date. To continue taking advantage of the cost savings that a reservation provides, renew it no later than the expiration date.

+>[!Note]

+>If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).

+## Next steps

+- [What are Azure Reservations?](../cost-management-billing/reservations/save-compute-costs-reservations.md)

+- [Understand how reservation discounts are applied to Azure Backup storage](backup-azure-reserved-pricing-overview.md).

+ Title: Reservation discounts for Azure Backup storage

+description: This article explains about how reservation discounts are applied to Azure Backup storage.

+# Understand how reservation discounts are applied to Azure Backup storage

+Azure Backup enables you to save money on backup storage costs using Reserved capacity pricing. After you purchase reserved capacity, the reservation discount is automatically applied to the backup storage that matches the terms of the reservation.

+>[!Note]

+>The reservation discount applies to storage capacity only.

+- For more information about Azure Backup Storage reserved capacity, see [Optimize costs for Azure Backup storage with reserved capacity](backup-azure-reserved-pricing-optimize-cost.md).

+- For information about Azure Backup storage pricing, see [Azure Backup pricing page](https://azure.microsoft.com/pricing/details/backup/).

+## How's the reservation discount applied?

+The reserved capacity discount applies to supported backup storage resources on an hourly basis. The reserved capacity discount is a use-it-or-lose-it discount. If you don't have any backup storage that meets the terms of the reservation for a given hour, then you lose a reservation quantity for that hour. You can't carry forward the unused reserved hours.

+When you delete the backup storage, the reservation discount automatically applies to another matching backup storage in the specified scope. If there's no matching backup storage in the specified scope, the reserved hours are lost.

+## Discount examples

+The following examples show how the reserved capacity discount applies, depending on the deployments.

+For example, you've purchased 100 TiB of reserved capacity in the *US West 2* region for a *1-year* term. Your reservation is for locally redundant storage (LRS) blob storage in the vault-standard tier.

+For the cost of the reservation, you can either pay the full amount up front or pay fixed monthly installments per month for the next 12 months. If you've signed up for a monthly reservation payment plan, you may encounter the following scenarios if you under-use or overuse your reserved capacity.

+### Underuse of your capacity

+As an example, in each hour within the reservation period, if you used only 80 TiB of your 100 TiB reserved capacity, the remaining 20 TiB isn't applied for that hour and it doesn't get carried forward.

+### Overuse of your capacity

+As an example, in each hour within the reservation period, if you've used 101 TiB of backup storage capacity, the reservation discount applies to 100 TiB of your data, and the remaining 1 TiB is charged at pay-as-you-go rates for that hour. If in the next hour your usage changes to 100 TiB, then all usage is covered by the reservation.

+>[!Note]

+>For further support, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).

+## Next steps

+- [Optimize costs for Azure Backup storage with reserved capacity](backup-azure-reserved-pricing-optimize-cost.md).

+- [What are Azure Reservations?](../cost-management-billing/reservations/save-compute-costs-reservations.md)

+### <a name="dns"></a>Does Azure Bastion support Private Link?"

+No, Azure Bastion does not currently support private link.

+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |

+| | | | | |

+| Rel 22-08 | [5016623] | Latest Cumulative Update(LCU) | [6.45] | Aug 9, 2022 |

+| Rel 22-08 | [5016618] | IE Cumulative Updates | [2.127], [3.117], [4.105] | Aug 9, 2022 |

+| Rel 22-08 | [5016627] | Latest Cumulative Update(LCU) | [7.15] | Aug 9, 2022 |

+| Rel 22-08 | [5016622] | Latest Cumulative Update(LCU) | [5.71] | Aug 9, 2022 |

+| Rel 22-08 | [5013637] | .NET Framework 3.5 Security and Quality Rollup | [2.127] | Aug 9, 2022 |

+| Rel 22-08 | [5013644] | .NET Framework 4.6.2 Security and Quality Rollup | [2.127] | May 10, 2022 |

+| Rel 22-08 | [5013638] | .NET Framework 3.5 Security and Quality Rollup | [4.107] | Jun 14, 2022 |

+| Rel 22-08 | [5013643] | .NET Framework 4.6.2 Security and Quality Rollup | [4.107] | May 10, 2022 |

+| Rel 22-08 | [5013635] | .NET Framework 3.5 Security and Quality Rollup | [3.114] | Aug 9, 2022 |

+| Rel 22-08 | [5013642] | .NET Framework 4.6.2 Security and Quality Rollup | [3.114] | May 10, 2022 |

+| Rel 22-08 | [5013641] | .NET Framework 3.5 and 4.7.2 Cumulative Update | [6.47] | May 10, 2022 |

+| Rel 22-08 | [5013630] | .NET Framework 4.8 Security and Quality Rollup | [7.15] | May 10, 2022 |

+| Rel 22-08 | [5016676] | Monthly Rollup | [2.127] | Aug 9, 2022 |

+| Rel 22-08 | [5016672] | Monthly Rollup | [3.114] | Aug 9, 2022 |

+| Rel 22-08 | [5016681] | Monthly Rollup | [4.107] | Aug 9, 2022 |

+| Rel 22-08 | [5016263] | Servicing Stack update | [3.114] | Jul 12, 2022 |

+| Rel 22-08 | [5016264] | Servicing Stack update | [4.107] | Jul 12, 2022 |

+| Rel 22-08 | [4578013] | OOB Standalone Security Update | [4.107] | Aug 19, 2020 |

+| Rel 22-08 | [5017095] | Servicing Stack update | [5.71] | Aug 9, 2022 |

+| Rel 22-08 | [5016057] | Servicing Stack update | [2.127] | Jul 12, 2022 |

+| Rel 22-08 | [4494175] | Microcode | [5.71] | Sep 1, 2020 |

+| Rel 22-08 | [4494174] | Microcode | [6.47] | Sep 1, 2020 |

+[2.127]: ./cloud-services-guestos-update-matrix.md#family-2-releases

+[3.114]: ./cloud-services-guestos-update-matrix.md#family-3-releases

+[4.107]: ./cloud-services-guestos-update-matrix.md#family-4-releases

+[5.71]: ./cloud-services-guestos-update-matrix.md#family-5-releases

+[6.47]: ./cloud-services-guestos-update-matrix.md#family-6-releases

+[7.15]: ./cloud-services-guestos-update-matrix.md#family-7-releases

+###### **September 2, 2022**

+The August Guest OS has released.

+| WA-GUEST-OS-7.15_202208-01 | September 2, 2022 | Post 7.17 |

+|~~WA-GUEST-OS-7.13_202206-01~| July 11, 2022 | September 2, 2022 |

+| WA-GUEST-OS-6.47_202208-01 | September 2, 2022 | Post 6.49 |

+|~~WA-GUEST-OS-6.45_202206-01~| July 11, 2022 | September 2, 2022 |

+| WA-GUEST-OS-5.71_202208-01 | September 2, 2022 | Post 5.73 |

+|~~WA-GUEST-OS-5.69_202206-01~~| July 11, 2022 | September 2, 2022 |

+| WA-GUEST-OS-4.107_202208-01 | September 2, 2022 | Post 4.109 |

+|~~WA-GUEST-OS-4.105_202206-02~~| July 11, 2022 | September 2, 2022 |

+| WA-GUEST-OS-3.114_202208-01 | September 2, 2022 | Post 3.116 |

+|~~WA-GUEST-OS-3.112_202206-02~~| July 11, 2022 | September 2, 2022 |

+| WA-GUEST-OS-2.127_202208-01 | September 2, 2022 | Post 2.129 |

+|~~WA-GUEST-OS-2.125_202206-02~~| July 11, 2022 | September 2, 2022 |

+You can use phrase lists with the [Speech Studio](speech-studio-overview.md), [Speech SDK](quickstarts/setup-platform.md), or [Speech Command Line Interface (CLI)](spx-overview.md). The [Batch transcription API](batch-transcription.md) doesn't support phrase lists.

+You can use phrase lists with both standard and [custom speech](custom-speech-overview.md). There are some situations where training a custom model that includes phrases is likely the best option to improve accuracy. For example, in the following cases you would use Custom Speech:

+## Speech SDK demo

+The following video shows how to install the [Speech SDK for C#](quickstarts/setup-platform.md) and write a simple .NET console application for speech-to-text.

+> [!VIDEO c20d3b0c-e96a-4154-9299-155e27db7117]

+## Use Azure key vault to securely access credentials

+You can [use Azure Key Vault](./use-key-vault.md) to securely develop Cognitive Services applications. Key Vault enables you to store your authentication credentials in the cloud, and reduces the chances that secrets may be accidentally leaked, because you won't store security information in your application.

+Authentication is done via Azure Active Directory. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault.

+- **Adversarial use**: consider establishing a process to detect and act on malicious manipulation. There are actors that will take advantage of machine learning and AI systems' ability to learn from their environment. With coordinated attacks, they can artificially fake patterns of behavior that shift the data and AI models toward their goals. If your use of Personalizer could influence important choices, make sure you have the appropriate means to detect and mitigate these types of attacks in place.

+- **Opt out**: Consider providing a control for users to opt out of receiving personalized recommendations. For these users, the Personalizer Rank API will not be called from your application. Instead, your application can use an alternative mechanism for deciding what action is taken. For example, by opting out of personalized recommendations and choosing the default or baseline action, the user would experience the action that would be taken without Personalizer's recommendation. Alternatively, your application can use recommendations based on aggregate or population-based measures (e.g., now trending, top 10 most popular, etc.).

+ Title: Develop Azure Cognitive Services applications with Key Vault

+description: Learn how to develop Cognitive Services applications securely by using Key Vault.

+zone_pivot_groups: programming-languages-set-twenty-eight

+# Develop Azure Cognitive Services applications with Key Vault

+Use this article to learn how to develop Cognitive Services applications securely by using [Azure Key Vault](/azure/key-vault/general/overview).

+Key Vault reduces the chances that secrets may be accidentally leaked, because you won't store security information in your application.

+## Prerequisites

+* A valid Azure subscription - [Create one for free](https://azure.microsoft.com/free)

+* [Visual Studio IDE](https://visualstudio.microsoft.com/vs/)

+* An [Azure Key Vault](/azure/key-vault/general/quick-create-portal)

+* [A multi-service resource or a resource for a specific service](./cognitive-services-apis-create-account.md)

+* A valid Azure subscription - [Create one for free](https://azure.microsoft.com/free).

+* [Python 3.7 or later](https://www.python.org/)

+* [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps)

+* An [Azure Key Vault](/azure/key-vault/general/quick-create-portal)

+* [A multi-service resource or a resource for a specific service](./cognitive-services-apis-create-account.md)

+* A valid Azure subscription - [Create one for free](https://azure.microsoft.com/free).

+* [Java Development Kit (JDK) version 8 or above](/azure/developer/java/fundamentals/)

+* [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps)

+* An [Azure Key Vault](/azure/key-vault/general/quick-create-portal)

+* [A multi-service resource or a resource for a specific service](./cognitive-services-apis-create-account.md)

+* A valid Azure subscription - [Create one for free](https://azure.microsoft.com/free).

+* [Current Node.js v14 LTS or later](https://nodejs.org/)

+* [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps)

+* An [Azure Key Vault](/azure/key-vault/general/quick-create-portal)

+* [A multi-service resource or a resource for a specific service](./cognitive-services-apis-create-account.md)

+> [!NOTE]

+> Review the documentation and quickstart articles for the Cognitive Service you're using to get an understanding of:

+> * The credentials and other information you will need to send API calls.

+> * The packages and code you will need to run your application.

+## Get your credentials from your Cognitive Services resource

+Before you add your credential information to your Azure key vault, you need to retrieve them from your Cognitive Services resource. For example, if your service needs a key and endpoint you would find them using the following steps:

+1. Navigate to your Azure resource in the [Azure portal](https://portal.azure.com/).

+1. From the collapsible menu on the left, select **Keys and Endpoint**.

+ :::image type="content" source="language-service/custom-text-classification/media/get-endpoint-azure.png" alt-text="A screenshot showing the key and endpoint page in the Azure portal." lightbox="language-service/custom-text-classification/media/get-endpoint-azure.png":::

+Some Cognitive Services require different information to authenticate API calls, such as a key and region. Make sure to retrieve this information before continuing on.

+## Add your credentials to your key vault

+For your application to retrieve and use your credentials to authenticate API calls, you will need to add them to your [key vault secrets](/azure/key-vault/secrets/about-secrets).

+Repeat these steps to generate a secret for each required resource credential. For example, a key and endpoint. These secret names will be used later to authenticate your application.

+1. Open a new browser tab or window. Navigate to your key vault in the <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesSpeechServices" title="Go to Azure portal" target="_blank">Azure portal</a>.

+1. From the collapsible menu on the left, select **Objects** > **Secrets**.

+1. Select **Generate/Import**.

+ :::image type="content" source="media/key-vault/store-secrets.png" alt-text="A screenshot showing the key vault key page in the Azure portal." lightbox="media/key-vault/store-secrets.png":::

+1. On the **Create a secret** screen, enter the following values:

+ |Name | Value |

+ |||

+ |Upload options | Manual |

+ |Name | A secret name for your key or endpoint. For example: "CognitiveServicesKey" or "CognitiveServicesEndpoint" |

+ |Value | Your Azure Cognitive Services resource key or endpoint. |

+ Later your application will use the secret "Name" to securely access the "Value".

+1. Leave the other values as their defaults. Select **Create**.

+ >[!TIP]

+ > Make sure to remember the names that you set for your secrets, as you'll use them later in your application.

+You should now have named secrets for your resource information.

+## Create an environment variable for your key vault's name

+We recommend creating an environment variable for your Azure key vault's name. Your application will read this environment variable at runtime to retrieve your key and endpoint information.

+To set environment variables, use one the following commands. `KEY_VAULT_NAME` with the name of the environment variable, and replace `Your-Key-Vault-Name` with the name of your key vault, which will be stored in the environment variable.

+# [Azure CLI](#tab/azure-cli)

+Create and assign persisted environment variable, given the value.

+```CMD

+setx KEY_VAULT_NAME="Your-Key-Vault-Name"

+```

+In a new instance of the **Command Prompt**, read the environment variable.

+```CMD

+echo %KEY_VAULT_NAME%

+```

+# [PowerShell](#tab/powershell)

+Create and assign a persisted environment variable. Replace `Your-Key-Vault-Name` with the name of your key vault.

+```powershell

+[System.Environment]::SetEnvironmentVariable('KEY_VAULT_NAME', 'Your-Key-Vault-Name', 'User')

+```

+In a new instance of the **Windows PowerShell**, read the environment variable.

+```powershell

+[System.Environment]::GetEnvironmentVariable('KEY_VAULT_NAME')

+```

+## Authenticate to Azure using Visual Studio

+Developers using Visual Studio 2017 or later can authenticate an Azure Active Directory account through Visual Studio. This enables you to access secrets in your key vault by signing into your Azure subscription from within the IDE.

+To authenticate in Visual Studio, select **Tools** from the top navigation menu, and select **Options**. Navigate to the **Azure Service Authentication** option to sign in with your user name and password.

+## Authenticate using the command line

+## Create a new C# application

+Using the Visual Studio IDE, create a new .NET Core console app. This will create a "Hello World" project with a single C# source file: `program.cs`.

+Install the following client libraries by right-clicking on the solution in the **Solution Explorer** and selecting **Manage NuGet Packages**. In the package manager that opens select **Browse** and search for the following libraries, and select **Install** for each:

+* `Azure.Security.KeyVault.Secrets`

+* `Azure.Identity`

+## Import the example code

+Copy the following example code into your `program.cs` file. Replace `Your-Key-Secret-Name` and `Your-Endpoint-Secret-Name` with the secret names that you set in your key vault.

+```csharp

+using System;

+using System.Threading.Tasks;

+using Azure;

+using Azure.Identity;

+using Azure.Security.KeyVault.Secrets;

+using System.Net;

+namespace key_vault_console_app

+{

+ class Program

+ {

+ static async Task Main(string[] args)

+ {

+ //Name of your key vault

+ var keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");

+ //variables for retrieving the key and endpoint from your key vault.

+ //Set these variables to the names you created for your secrets

+ const string keySecretName = "Your-Key-Secret-Name";

+ const string endpointSecretName = "Your-Endpoint-Secret-Name";

+ //Endpoint for accessing your key vault

+ var kvUri = $"https://{keyVaultName}.vault.azure.net";

+ var keyVaultClient = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

+ Console.WriteLine($"Retrieving your secrets from {keyVaultName}.");

+ //Key and endpoint secrets retrieved from your key vault

+ var keySecret = await keyVaultClient.GetSecretAsync(keySecretName);

+ var endpointSecret = await keyVaultClient.GetSecretAsync(endpointSecretName);

+ Console.WriteLine($"Your key secret value is: {keySecret.Value.Value}");

+ Console.WriteLine($"Your endpoint secret value is: {endpointSecret.Value.Value}");

+ Console.WriteLine("Secrets retrieved successfully");

+

+ }

+ }

+}

+```

+## Run the application

+Run the application by selecting the **Debug** button at the top of Visual studio. Your key and endpoint secrets will be retrieved from your key vault.

+## Send a test Language service call (optional)

+If you're using a multi-service resource or Language resource, you can update [your application](#create-a-new-c-application) by following these steps to send an example Named Entity Recognition call by retrieving a key and endpoint from your key vault.

+1. Install the `Azure.AI.TextAnalytics` library by right-clicking on the solution in the **Solution Explorer** and selecting **Manage NuGet Packages**. In the package manager that opens select **Browse** and search for the following libraries, and select **Install** for each:

+1. Add the following directive to the top of your `program.cs` file.

+ ```csharp

+ using Azure.AI.TextAnalytics;

+ ```

+

+1. Add the following code sample to your application.

+

+ ```csharp

+ // Example method for extracting named entities from text

+ private static void EntityRecognitionExample(string keySecret, string endpointSecret)

+ {

+ //String to be sent for Named Entity Recognition

+ var exampleString = "I had a wonderful trip to Seattle last week.";

+

+ AzureKeyCredential azureKeyCredential = new AzureKeyCredential(keySecret);

+ Uri endpoint = new Uri(endpointSecret);

+ var languageServiceClient = new TextAnalyticsClient(endpoint, azureKeyCredential);

+

+ Console.WriteLine($"Sending a Named Entity Recognition (NER) request");

+ var response = languageServiceClient.RecognizeEntities(exampleString);

+ Console.WriteLine("Named Entities:");

+ foreach (var entity in response.Value)

+ {

+ Console.WriteLine($"\tText: {entity.Text},\tCategory: {entity.Category},\tSub-Category: {entity.SubCategory}");

+ Console.WriteLine($"\t\tScore: {entity.ConfidenceScore:F2},\tLength: {entity.Length},\tOffset: {entity.Offset}\n");

+ }

+ }

+ ```

+3. Add the following code to call `EntityRecognitionExample()` from your main method, with your key and endpoint values.

+ ```csharp

+ EntityRecognitionExample(keySecret.Value.Value, endpointSecret.Value.Value);

+ ```

+4. Run the application.

+## Authenticate your application

+## Create a python application

+Create a new folder named `keyVaultExample`. Then use your preferred code editor to create a file named `program.py` inside the newly created folder.

+### Install Key Vault and Language service packages

+1. In a terminal or command prompt, navigate to your project folder and install the Azure Active Directory identity library:

+

+ ```terminal

+ pip install azure-identity

+ ```

+1. Install the Key Vault secrets library:

+ ```terminal

+ pip install azure-keyvault-secrets

+ ```

+## Import the example code

+Add the following code sample to the file named `program.py`. Replace `Your-Key-Secret-Name` and `Your-Endpoint-Secret-Name` with the secret names that you set in your key vault.

+```python

+import os

+from azure.keyvault.secrets import SecretClient

+from azure.identity import DefaultAzureCredential

+from azure.core.credentials import AzureKeyCredential

+keyVaultName = os.environ["KEY_VAULT_NAME"]

+# Set these variables to the names you created for your secrets

+keySecretName = "Your-Key-Secret-Name"

+endpointSecretName = "Your-Endpoint-Secret-Name"

+# URI for accessing key vault

+KVUri = f"https://{keyVaultName}.vault.azure.net"

+# Instantiate the client and retrieve secrets

+credential = DefaultAzureCredential()

+kv_client = SecretClient(vault_url=KVUri, credential=credential)

+print(f"Retrieving your secrets from {keyVaultName}.")

+retrieved_key = kv_client.get_secret(keySecretName).value

+retrieved_endpoint = kv_client.get_secret(endpointSecretName).value

+print(f"Your secret key value is {retrieved_key}.")

+print(f"Your secret endpoint value is {retrieved_endpoint}.")

+```

+## Run the application

+Use the following command to run the application. Your key and endpoint secrets will be retrieved from your key vault.

+```terminal

+python ./program.py

+```

+## Send a test Language service call (optional)

+If you're using a multi-service resource or Language resource, you can update [your application](#create-a-python-application) by following these steps to send an example Named Entity Recognition call by retrieving a key and endpoint from your key vault.

+1. Install the Language service library:

+ ```console

+ pip install azure-ai-textanalytics==5.1.0

+ ```

+1. Add the following code to your application

+ ```python

+ from azure.ai.textanalytics import TextAnalyticsClient

+ # Authenticate the key vault secrets client using your key and endpoint

+ azure_key_credential = AzureKeyCredential(retrieved_key)

+ # Now you can use key vault credentials with the Language service

+ language_service_client = TextAnalyticsClient(

+ endpoint=retrieved_endpoint,

+ credential=azure_key_credential)

+ # Example of recognizing entities from text

+

+ print("Sending NER request")

+

+ try:

+ documents = ["I had a wonderful trip to Seattle last week."]

+ result = language_service_client.recognize_entities(documents = documents)[0]

+ print("Named Entities:\n")

+ for entity in result.entities:

+ print("\tText: \t", entity.text, "\tCategory: \t", entity.category, "\tSubCategory: \t", entity.subcategory,

+ "\n\tConfidence Score: \t", round(entity.confidence_score, 2), "\tLength: \t", entity.length, "\tOffset: \t", entity.offset, "\n")

+

+ except Exception as err:

+ print("Encountered exception. {}".format(err))

+ ```

+1. Run the application.

+## Authenticate your application

+## Create a java application

+In your preferred IDE, create a new Java console application project, and create a class named `Example`.

+## Add dependencies

+In your project, add the following dependencies to your `pom.xml` file.

+```xml

+<dependencies>

+

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-security-keyvault-secrets</artifactId>

+ <version>4.2.3</version>

+ </dependency>

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity</artifactId>

+ <version>1.2.0</version>

+ </dependency>

+ </dependencies>

+```

+## Import the example code

+Copy the following code into a file named `Example.java`. Replace `Your-Key-Secret-Name` and `Your-Endpoint-Secret-Name` with the secret names that you set in your key vault.

+```java

+import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.azure.security.keyvault.secrets.SecretClient;

+import com.azure.security.keyvault.secrets.SecretClientBuilder;

+import com.azure.core.credential.AzureKeyCredential;

+public class Example {

+ public static void main(String[] args) {

+ String keyVaultName = System.getenv("KEY_VAULT_NAME");

+ String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";

+ //variables for retrieving the key and endpoint from your key vault.

+ //Set these variables to the names you created for your secrets

+ String keySecretName = "Your-Key-Secret-Name";

+ String endpointSecretName = "Your-Endpoint-Secret-Name";

+ //Create key vault secrets client

+ SecretClient secretClient = new SecretClientBuilder()

+ .vaultUrl(keyVaultUri)

+ .credential(new DefaultAzureCredentialBuilder().build())

+ .buildClient();

+ //retrieve key and endpoint from key vault

+ String keyValue = secretClient.getSecret(keySecretName).getValue();

+ String endpointValue = secretClient.getSecret(endpointSecretName).getValue();

+ System.out.printf("Your secret key value is: %s", keyValue)

+ System.out.printf("Your secret endpoint value is: %s", endpointValue)

+ }

+}

+```

+## Send a test Language service call (optional)

+If you're using a multi-service resource or Language resource, you can update [your application](#create-a-java-application) by following these steps to send an example Named Entity Recognition call by retrieving a key and endpoint from your key vault.

+1. In your application, add the following dependency:

+ ```xml

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-ai-textanalytics</artifactId>

+ <version>5.1.12</version>

+ </dependency>

+ ```

+1. add the following import statements to your file.

+ ```java

+ import com.azure.ai.textanalytics.models.*;

+ import com.azure.ai.textanalytics.TextAnalyticsClientBuilder;

+ import com.azure.ai.textanalytics.TextAnalyticsClient;

+ ```

+1. Add the following code to the `main()` method in your application:

+ ```java

+

+ TextAnalyticsClient languageClient = new TextAnalyticsClientBuilder()

+ .credential(new AzureKeyCredential(keyValue))

+ .endpoint(endpointValue)

+ .buildClient();

+

+ // Example for recognizing entities in text

+ String text = "I had a wonderful trip to Seattle last week.";

+

+ for (CategorizedEntity entity : languageClient.recognizeEntities(text)) {

+ System.out.printf(

+ "Recognized entity: %s, entity category: %s, entity sub-category: %s, score: %s, offset: %s, length: %s.%n",

+ entity.getText(),

+ entity.getCategory(),

+ entity.getSubcategory(),

+ entity.getConfidenceScore(),

+ entity.getOffset(),

+ entity.getLength());

+ }

+ ```

+1. Run your application

+## Authenticate your application

+## Create a new Node.js application

+Create a Node.js application that uses your key vault.

+In a terminal, create a folder named `key-vault-js-example` and change into that folder:

+```terminal

+mkdir key-vault-js-example && cd key-vault-js-example

+```

+Initialize the Node.js project:

+```terminal

+npm init -y

+```

+### Install Key Vault and Language service packages

+1. Using the terminal, install the Azure Key Vault secrets library, [@azure/keyvault-secrets](https://www.npmjs.com/package/@azure/keyvault-secrets) for Node.js.

+ ```terminal

+ npm install @azure/keyvault-secrets

+ ```

+1. Install the Azure Identity library, [@azure/identity](https://www.npmjs.com/package/@azure/identity) package to authenticate to a Key Vault.

+ ```terminal

+ npm install @azure/identity

+ ```

+## Import the code sample

+Add the following code sample to a file named `index.js`. Replace `Your-Key-Secret-Name` and `Your-Endpoint-Secret-Name` with the secret names that you set in your key vault.

+```javascript

+const { SecretClient } = require("@azure/keyvault-secrets");

+const { DefaultAzureCredential } = require("@azure/identity");

+// Load the .env file if it exists

+const dotenv = require("dotenv");

+dotenv.config();

+async function main() {

+ const credential = new DefaultAzureCredential();

+ const keyVaultName = process.env["KEY_VAULT_NAME"];

+ const url = "https://" + keyVaultName + ".vault.azure.net";

+ const kvClient = new SecretClient(url, credential);

+ // Set these variables to the names you created for your secrets

+ const keySecretName = "Your-Key-Secret-Name";

+ const endpointSecretName = "Your-Endpoint-Secret-Name";

+ console.log("Retrieving secrets from ", keyVaultName);

+ const retrievedKey = await (await kvClient.getSecret(keySecretName)).value;

+ const retrievedEndpoint = await (await kvClient.getSecret(endpointSecretName)).value;

+ console.log("Your secret key value is: ", retrievedKey);

+ console.log("Your secret endpoint value is: ", retrievedEndpoint);

+}

+main().catch((error) => {

+ console.error("An error occurred:", error);

+ process.exit(1);

+});

+```

+## Run the sample application

+Use the following command to run the application. Your key and endpoint secrets will be retrieved from your key vault.

+```terminal

+node index.js

+```

+## Send a test Language service call (optional)

+If you're using a multi-service resource or Language resource, you can update [your application](#create-a-new-nodejs-application) by following these steps to send an example Named Entity Recognition call by retrieving a key and endpoint from your key vault.

+1. Install the Azure Cognitive Service for Language library, [@azure/ai-text-analytics](https://www.npmjs.com/package/@azure/ai-text-analytics/) to send API requests to the [Language service](./language-service/overview.md).

+ ```terminal

+ npm install @azure/ai-text-analytics@5.1.0

+ ```

+2. Add the following code to your application:

+ ```javascript

+ const { TextAnalyticsClient, AzureKeyCredential } = require("@azure/ai-text-analytics");

+ // Authenticate the language client with your key and endpoint

+ const languageClient = new TextAnalyticsClient(retrievedEndpoint, new AzureKeyCredential(retrievedKey));

+ // Example for recognizing entities in text

+ console.log("Sending NER request")

+ const entityInputs = [

+ "I had a wonderful trip to Seattle last week."

+ ];

+ const entityResults = await languageClient.recognizeEntities(entityInputs);

+ entityResults.forEach(document => {

+ console.log(`Document ID: ${document.id}`);

+ document.entities.forEach(entity => {

+ console.log(`\tName: ${entity.text} \tCategory: ${entity.category} \tSubcategory: ${entity.subCategory ? entity.subCategory : "N/A"}`);

+ console.log(`\tScore: ${entity.confidenceScore}`);

+ });

+ });

+ ```

+3. Run the application.

+## Next steps

+* See [What are Cognitive Services](./what-are-cognitive-services.md) for available features you can develop along with [Azure key vault](/key-vault/general).

+* For additional information on secure application development, see:

+ * [Best practices for using Azure Key Vault](/key-vault/general/best-practices)

+ * [Cognitive Services security](cognitive-services-security.md)

+ * [Azure security baseline for Cognitive Services](/security/benchmark/azure/baselines/cognitive-services-security-baseline?toc=/azure/cognitive-services/TOC.json)

+

+Toll-free and geographic numbers are eligible for porting. Follow the ["New Port In Request" instructions](https://github.com/Azure/Communication/blob/master/special-order-numbers.md) to submit your port request

+> **Unmixed audio recording** is still in a **Private Preview**.

+ Title: Set up alerts in Azure Container Apps

+description: Set up alerts to monitor your container app.

+# Set up alerts in Azure Container Apps

+Azure Monitor alerts notify you so that you can respond quickly to critical issues. There are two types of alerts that you can define:

+- [Metric alerts](../azure-monitor/alerts/alerts-metric-overview.md) based on Azure Monitor metric data

+- [Log alerts](../azure-monitor/alerts/alerts-unified-log.md) based on Azure Monitor Log Analytics data

+You can create alert rules from metric charts in the metric explorer and from queries in Log Analytics. You can also define and manage alerts from the **Monitor>Alerts** page. To learn more about alerts, refer to [Overview of alerts in Microsoft Azure](../azure-monitor/alerts/alerts-overview.md).

+The **Alerts** page in the **Monitoring** section on your container app page displays all of your app's alerts. You can filter the list by alert type, resource, time and severity. You can also modify and create new alert rules from this page.

+## Create metric alert rules

+When you create alerts rules based on a metric chart in the metrics explorer, alerts are triggered when the metric data matches alert rule conditions. For more information about creating metrics charts, see [Using metrics explorer](metrics.md#using-metrics-explorer)

+After creating a metric chart, you can create a new alert rule.

+1. Select **New alert rule**. The **Create an alert rule** page is opened to the **Condition** tab. Here you'll find a *condition* that is populated with the metric chart settings.

+1. Select the condition.

+ :::image type="content" source="media/observability/metrics-alert-create-condition.png" alt-text="Screenshot of the metric explorer alert rule editor. A condition is automatically created based on the chart settings.":::

+1. Modify the **Alert logic** section to set the alert criteria. You can set the alert to trigger when the metric value is greater than, less than, or equal to a threshold value. You can also set the alert to trigger when the metric value is outside of a range of values.

+ :::image type="content" source="media/observability/screenshot-configure-alert-signal-logic.png" alt-text="Screenshot of the configure alert signal logic in Azure Container Apps.":::

+1. Select **Done**.

+1. You can add more conditions to the alert rule by selecting **Add condition** on the **Create an alert rule** page.

+1. Select the **Details** tab.

+1. Enter a name and description for the alert rule.

+1. Select **Review + create**.

+1. Select **Create**.

+ :::image type="content" source="media/observability/screenshot-alert-details-dialog.png" alt-text="Screen shot of the alert details configuration page.":::

+### Add conditions to an alert rule

+To add more conditions to your alert rule:

+1. Select **Alerts** from the left side menu of your container app page.

+1. Select **Alert rules** from the top menu.

+1. Select an alert from the table.

+1. Select **Add condition** in the **Condition** section.

+1. Select from the metrics listed in the **Select a signal** pane.

+ :::image type="content" source="media/observability/metrics-alert-select-a-signal.png" alt-text="Screenshot of the metric explorer alert rule editor showing the Select a signal pane.":::

+1. Configure the settings for your alert condition. For more information about configuring alerts, see [Manage metric alerts](../azure-monitor/alerts/alerts-metric.md).

+ You can receive individual alerts for specific revisions or replicas by enabling alert splitting and selecting **Revision** or **Replica** from the **Dimension name** list.

+Example of selecting a dimension to split an alert.

+ To learn more about configuring alerts, visit [Create a metric alert for an Azure resource](../azure-monitor/alerts/tutorial-metric-alert.md)

+## Create log alert rules

+You can create log alerts from queries in Log Analytics. When you create an alert rule from a query, the query is run at set intervals triggering alerts when the log data matches the alert rule conditions. To learn more about creating log alert rules, see [Manage log alerts](../azure-monitor/alerts/alerts-log.md).

+To create an alert rule:

+1. First, create and run a query to validate the query.

+1. Select **New alert rule**.

+1. The **Create an alert rule** editor is opened to the **Condition** tab, which is populated with your log query.

+ :::image type="content" source="media/observability/log-alerts-rule-editor.png" alt-text="Screenshot of the Log Analytics alert rule editor.":::

+1. Configure the settings in the **Measurement** section

+ :::image type="content" source="media/observability/screenshot-metrics-alerts-measurements.png" alt-text="Screen shot of metrics Create an alert rule measurement section.":::

+1. Optionally, you can enable alert splitting in the alert rule to send individual alerts for each dimension you select in the **Split by dimensions** section of the editor.

+ :::image type="content" source="media/observability/log-alerts-splitting.png" alt-text="Screenshot of the Create an alert rule Split by dimensions section":::

+1. Enter the threshold criteria in the**Alert logic** section.

+ :::image type="content" source="media/observability/log-alert-alert-logic.png" alt-text="Screenshot of the Create an alert rule Alert logic section.":::

+1. Select the **Details** tab.

+1. Enter a name and description for the alert rule.

+1. Select **Review + create**.

+1. Select **Create**.

+> [!div class="nextstepaction"]

+> [View log streams from the Azure portal](log-streaming.md)

+ Title: Connect to a container console in Azure Container Apps

+description: Connect to a container console in your container app.

+# Connect to a container console in Azure Container Apps

+Connecting to a container's console is useful when you want to troubleshoot your application inside a container. Azure Container Apps lets you connect to a container's console using the Azure portal or the Azure CLI.

+## Azure portal

+To connect to a container's console in the Azure portal, follow these steps.

+1. Select **Console** in the **Monitoring** menu group from your container app page in the Azure portal.

+1. Select the revision, replica and container you want to connect to.

+1. Choose to access your console via bash, sh, or a custom executable. If you choose a custom executable, it must be available in the container.

+## Azure CLI

+Use the `az containerapp exec` command to connect to a container console. Select **Ctrl-D** to exit the console.

+For example, connect to a container console in a container app with a single container using the following command. Replace the \<placeholders\> with your container app's values.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp exec \

+ --name <ContainerAppName> \

+ --resource-group <ResourceGroup>

+```

+# [PowerShell](#tab/powershell)

+```azurecli

+az containerapp exec `

+ --name <ContainerAppName> `

+ --resource-group <ResourceGroup>

+```

+To connect to a container console in a container app with multiple revisions, replicas, and containers include the following parameters in the `az containerapp exec` command.

+| Argument | Description |

+|-|-|

+| `--revision` | The revision names of the container to connect to. |

+| `--replica` | The replica name of the container to connect to. |

+| `--container` | The container name of the container to connect to. |

+You can get the revision names with the `az containerapp revision list` command. Replace the \<placeholders\> with your container app's values.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp revision list \

+ --name <ContainerAppName> \

+ --resource-group <ResourceGroup> \

+ --query "[].name"

+```

+# [PowerShell](#tab/powershell)

+```azurecli

+az containerapp revision list `

+ --name <ContainerAppName> `

+ --resource-group <ResourceGroup> `

+ --query "[].name"

+```

+Use the `az containerapp replica list` command to get the replica and container names. Replace the \<placeholders\> with your container app's values.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp replica list \

+ --name <ContainerAppName> \

+ --resource-group <ResourceGroup> \

+ --revision <RevisionName> \

+ --query "[].{Containers:properties.containers[].name, Name:name}"

+```

+# [PowerShell](#tab/powershell)

+```azurecli

+az containerapp replica list `

+ --name <ContainerAppName> `

+ --resource-group <ResourceGroup> `

+ --revision <RevisionName> `

+ --query "[].{Containers:properties.containers[].name, Name:name}"

+```

+Connect to the container console with the `az containerapp exec` command. Replace the \<placeholders\> with your container app's values.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp exec \

+ --name <ContainerAppName> \

+ --resource-group <ResourceGroup> \

+ --revision <RevisionName> \

+ --replica <ReplicaName> \

+ --container <ContainerName>

+```

+# [PowerShell](#tab/powershell)

+```azurecli

+az containerapp exec `

+ --name <ContainerAppName> `

+ --resource-group <ResourceGroup> `

+ --revision <RevisionName> `

+ --replica <ReplicaName> `

+ --container <ContainerName>

+```

+> [!div class="nextstepaction"]

+> [View log streams from the Azure portal](log-streaming.md)

+1. Begin by cloning the [sample repository]((https://github.com/azure-samples/containerapps-albumapi-javascript) to your machine using the following command.

+ ```bash

+ git clone https://github.com/Azure-Samples/containerapps-albumapi-javascript.git

+ ```

+ > [!NOTE]

+ > This tutorial uses a JavaScript project, but the steps are language agnostic.

+1. Open Visual Studio Code.

+1. Select **F1** to open the command palette.

+1. Select **File > Open Folder...** and select the folder where you cloned the sample project.

+1. Select **F1** to open the command palette.

+1. Select **Azure: Sign In** and follow the prompts to authenticate.

+1. Once signed in, return to Visual Studio Code.

+Docker images contain the source code and dependencies necessary to run an application. This sample project includes a Dockerfile used to build the application's container. Since you can build and publish the image for your app directly in Azure, a local Docker installation isn't required.

+Container images are stored inside container registries. You can create a container registry and upload an image of your app in a single workflow using Visual Studio Code.

+1. In the _Explorer_ window, expand the _src_ folder to reveal the Dockerfile.

+1. Right select on the Dockerfile, and select **Build Image in Azure**.

+ This action opens the command palette and prompts you to define a container tag.

+1. Enter a tag for the container. Accept the default, which is the project name with the *latest* suffix.

+1. Select **+ Create new registry**, or if you already have a registry you'd like to use, select that item and skip to creating and deploying to the container app.

+1. Enter a unique name for the new registry such as `msdocscapps123`, where `123` are unique numbers of your own choosing, and then select enter.

+ Container registry names must be globally unique across all over Azure.

+1. Select **Basic** as the SKU.

+1. Choose **+ Create new resource group**, or select an existing resource group you'd like to use.

+ For a new resource group, enter a name such as `msdocscontainerapps`, and press enter.

+1. Select the location that is nearest to you. Select **Enter** to finalize the workflow, and Azure begins creating the container registry and building the image.

+ This process may take a few moments to complete.

+Once the registry is created and the image is built successfully, you're ready to create the container app to host the published image.

+## Create and deploy to the container app

+The Azure Container Apps extension for Visual Studio Code enables you to choose existing Container Apps resources, or create new ones to deploy your applications to. In this scenario, you create a new Container App environment and container app to host your application. After installing the Container Apps extension, you can access its features under the Azure control panel in Visual Studio Code.

+### Create the Container Apps environment

+Every container app must be part of a Container Apps environment. An environment provides an isolated network for one or more container apps, making it possible for them to easily invoke each other. You'll need to create an environment before you can create the container app itself.

+1. Select <kbd>F1</kbd> to open the command palette.

+1. Enter **Azure Container Apps: Create Container Apps Environment...** and enter the following values as prompted by the extension.

+ | Prompt | Value |

+ |--|--|

+ | Name | Enter **my-aca-environment** |

+ | Region | Select the region closest to you |

+Once you issue this command, Azure begins to create the environment for you. This process may take a few moments to complete. Creating a container app environment also creates a log analytics workspace for you in Azure.

+1. Select <kbd>F1</kbd> to open the command palette.

+1. Enter **Azure Container Apps: Create Container App...** and enter the following values as prompted by the extension.

+ | Prompt | Value | Remarks |

+ |--|--|--|

+ | Environment | Select **my-aca-environment** | |

+ | Name | Enter **my-container-app** | |

+ | Container registry | Select **Azure Container Registries**, then select the registry you created as you published the container image. | |

+ | Repository | Select the container registry repository where you published the container image. | |

+ | Tag | Select **latest** | |

+ | Environment variables | Select **Skip for now** | |

+ | Ingress | Select **Enable** | |

+ | HTTP traffic type | Select **External** | |

+ | Port | Enter **3500** | You set this value to the port number that your container uses. |

+During this process, Visual Studio Code and Azure create the container app for you. The published Docker image you created earlier is also be deployed to the app. Once this process finishes, Visual Studio Code displays a notification with a link to browse to the site. Select this link, and to view your app in the browser.

+You can also append the `/albums` path at the end of the app URL to view data from a sample API request.

+Azure Container Apps allows you to expose your container app to the public web by enabling ingress. When you enable ingress, you don't need to create an Azure Load Balancer, public IP address, or any other Azure resources to enable incoming HTTPS requests.

+Ingress is an application-wide setting. Changes to ingress settings apply to all revisions simultaneously, and don't generate new revisions.

+| `external` | When enabled, the environment is assigned a public IP and fully qualified domain name (FQDN) for external ingress and an internal IP and FQDN for internal ingress. When disabled, only an internal IP/FQDN is created. |`true` for external visibility, `false` for internal visibility (default) | Yes |

+| `allowInsecure` | Allows insecure traffic to your container app. | `false` (default), `true`<br><br>If set to `true`, HTTP requests to port 80 aren't automatically redirected to port 443 using HTTPS, allowing insecure connections. | No |

+ Title: Monitor logs in Azure Container Apps with Log Analytics

+description: Monitor your container app logs with Log Analytics

+# Monitor logs in Azure Container Apps with Log Analytics

+Azure Container Apps is integrated with Azure Monitor Log Analytics to monitor and analyze your container app's logs. Each Container Apps environment includes a Log Analytics workspace that provides a common place to store the system and application log data from all container apps running in the environment.

+Log entries are accessible by querying Log Analytics tables through the Azure portal or a command shell using the [Azure CLI](/cli/azure/monitor/log-analytics).

+There are two types of logs for Container Apps.

+- Console logs, which are emitted by your app.

+- System logs, which are emitted by the Container Apps service.

+## System Logs

+The Container Apps service provides system log messages at the container app level. System logs emit the following messages:

+| Source | Type | Message |

+||||

+| Dapr | Info | Successfully created dapr component \<component-name\> with scope \<dapr-component-scope\> |

+| Dapr | Info | Successfully updated dapr component \<component-name\> with scope \<component-type\> |

+| Dapr | Error | Error creating dapr component \<component-name\> |

+| Volume Mounts | Info | Successfully mounted volume \<volume-name\> for revision \<revision-scope\> |

+| Volume Mounts | Error | Error mounting volume \<volume-name\> |

+| Domain Binding | Info | Successfully bound Domain \<domain\> to the container app \<container app name\> |

+| Authentication | Info | Auth enabled on app. Creating authentication config |

+| Authentication | Info | Auth config created successfully |

+| Traffic weight | Info | Setting a traffic weight of \<percentage>% for revision \<revision-name\\> |

+| Revision Provisioning | Info | Creating a new revision: \<revision-name\> |

+| Revision Provisioning | Info | Successfully provisioned revision \<name\> |

+| Revision Provisioning | Info| Deactivating Old revisions since 'ActiveRevisionsMode=Single' |

+| Revision Provisioning | Error | Error provisioning revision \<revision-name>. ErrorCode: \<[ErrImagePull]\|[Timeout]\|[ContainerCrashing]\> |

+The system log data is accessible by querying the `ContainerAppSystemlogs_CL` table. The most used Container Apps specific columns in the table are:

+| Column | Description |

+|||

+| `ContainerAppName_s` | Container app name |

+| `EnvironmentName_s` | Container Apps environment name |

+| `Log_s` | Log message |

+| `RevisionName_s` | Revision name |

+## Console Logs

+Console logs originate from the `stderr` and `stdout` messages from the containers in your container app and Dapr sidecars. You can view console logs by querying the `ContainerAppConsolelogs_CL` table.

+> [!TIP]

+> Instrumenting your code with well-defined log messages can help you to understand how your code is performing and to debug issues. To learn more about best practices refer to [Design for operations](/azure/architecture/guide/design-principles/design-for-operations).

+The most commonly used Container Apps specific columns in ContainerAppConsoleLogs_CL include:

+|Column |Description |

+|||

+| `ContainerAppName_s` | Container app name |

+| `ContainerGroupName_g` | Replica name |

+| `ContainerId_s` | Container identifier |

+| `ContainerImage_s` | Container image name |

+| `EnvironmentName_s` | Container Apps environment name |

+| `Log_s` | Log message |

+| `RevisionName_s` | Revision name |

+## Query Log with Log Analytics

+Log Analytics is a tool in the Azure portal that you can use to view and analyze log data. Using Log Analytics, you can write Kusto queries and then sort, filter, and visualize the results in charts to spot trends and identify issues. You can work interactively with the query results or use them with other features such as alerts, dashboards, and workbooks.

+### Azure portal

+Start Log Analytics from **Logs** in the sidebar menu on your container app page. You can also start Log Analytics from **Monitor>Logs**.

+You can query the logs using the tables listed in the **CustomLogs** category **Tables** tab. The tables in this category are the `ContainerAppSystemlogs_CL` and `ContainerAppConsolelogs_CL` tables.

+Below is a Kusto query that displays console log entries for the container app named *album-api*.

+```kusto

+ContainerAppConsoleLogs_CL

+| where ContainerAppName_s == 'album-api'

+| project Time=TimeGenerated, AppName=ContainerAppName_s, Revision=RevisionName_s, Container=ContainerName_s, Message=Log_s

+| take 100

+```

+Below is a Kusto query that displays system log entries for the container app named *album-api*.

+```kusto

+ContainerAppSystemLogs_CL

+| where ContainerAppName_s == 'album-api'

+| project Time=TimeGenerated, EnvName=EnvironmentName_s, AppName=ContainerAppName_s, Revision=RevisionName_s, Message=Log_s

+| take 100

+```

+For more information regarding Log Analytics and log queries, see the [Log Analytics tutorial](../azure-monitor/logs/log-analytics-tutorial.md).

+### Azure CLI/PowerShell

+Container Apps logs can be queried using the [Azure CLI](/cli/azure/monitor/log-analytics).

+These example Azure CLI queries output a table containing log records for the container app name **album-api**. The table columns are specified by the parameters after the `project` operator. The `$WORKSPACE_CUSTOMER_ID` variable contains the GUID of the Log Analytics workspace.

+This example queries the `ContainerAppConsoleLogs_CL` table:

+# [Bash](#tab/bash)

+```azurecli

+az monitor log-analytics query --workspace $WORKSPACE_CUSTOMER_ID --analytics-query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'album-api' | project Time=TimeGenerated, AppName=ContainerAppName_s, Revision=RevisionName_s, Container=ContainerName_s, Message=Log_s, LogLevel_s | take 5" --out table

+```

+# [PowerShell](#tab/powershell)

+```powershell

+$queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $WORKSPACE_CUSTOMER_ID -Query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'album-api' | project Time=TimeGenerated, AppName=ContainerAppName_s, Revision=RevisionName_s, Container=ContainerName_s, Message=Log_s, LogLevel_s | take 5"

+$queryResults.Results

+```

+This example queries the `ContainerAppSystemLogs_CL` table:

+# [Bash](#tab/bash)

+```azurecli

+az monitor log-analytics query --workspace $WORKSPACE_CUSTOMER_ID --analytics-query "ContainerAppSystemLogs_CL | where ContainerAppName_s == 'album-api' | project Time=TimeGenerated, AppName=ContainerAppName_s, Revision=RevisionName_s, Message=Log_s, LogLevel_s | take 5" --out table

+```

+# [PowerShell](#tab/powershell)

+```powershell

+$queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $WORKSPACE_CUSTOMER_ID -Query "ContainerAppSystemLogs_CL | where ContainerAppName_s == 'album-api' | project Time=TimeGenerated, AppName=ContainerAppName_s, Revision=RevisionName_s, Message=Log_s, LogLevel_s | take 5"

+$queryResults.Results

+```

+For more information about using Azure CLI to view container app logs, see [Viewing Logs](monitor.md#viewing-logs).

+## Next steps

+> [!div class="nextstepaction"]

+> [View log streams from the Azure portal](log-streaming.md)

+ Title: View log streams in Azure Container Apps

+description: View your container app's log stream.

+# View log streams in Azure Container Apps

+While developing and troubleshooting your container app, it's important to see a container's logs in real-time. Container Apps lets you view a stream of your container's `stdout` and `stderr` log messages through the Azure portal or the Azure CLI.

+## Azure portal

+View a container app's log stream in the Azure portal with these steps.

+1. Navigate to your container app in the Azure portal.

+1. Select **Log stream** under the *Monitoring* section on the sidebar menu.

+1. If you have multiple revisions, replicas, or containers, you can select from the pull-down menus to choose a container. If your app has only one container, you can skip this step.

+After a container is selected, the log stream is displayed in the viewing pane.

+## Azure CLI

+You can view a container's log stream from the Azure CLI with the `az containerapp logs show` command. You can use these arguments to:

+- View previous log entries with the `--tail` argument.

+- View a live stream with the `--follow`argument.

+Use `Ctrl/Cmd-C` to stop the live stream.

+For example, you can list the last 50 container log entries in a container app with a single container using the following command.

+This example live streams a container's log entries.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp logs show \

+ --name <ContainerAppName> \

+ --resource-group <ResourceGroup> \

+ --tail 50

+```

+# [PowerShell](#tab/powershell)

+```azurecli

+az containerapp logs show `

+ --name <ContainerAppName> `

+ --resource-group <ResourceGroup> `

+ --tail 50

+```

+To connect to a container console in a container app with multiple revisions, replicas, and containers include the following parameters in the `az containerapp logs show` command.

+| Argument | Description |

+|-|-|

+| `--revision` | The revision name of the container to connect to. |

+| `--replica` | The replica name of the container to connect to. |

+| `--container` | The container name of the container to connect to. |

+You can get the revision names with the `az containerapp revision list` command. Replace the \<placeholders\> with your container app's values.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp revision list \

+ --name <ContainerAppName> \

+ --resource-group <ResourceGroup> \

+ --query "[].name"

+```

+# [PowerShell](#tab/powershell)

+```azurecli

+az containerapp revision list `

+ --name <ContainerAppName> `

+ --resource-group <ResourceGroup> `

+ --query "[].name"

+```

+Use the `az containerapp replica list` command to get the replica and container names. Replace the \<placeholders\> with your container app's values.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp replica list \

+ --name <ContainerAppName> \

+ --resource-group <ResourceGroup> \

+ --revision <RevisionName> \

+ --query "[].{Containers:properties.containers[].name, Name:name}"

+```

+# [PowerShell](#tab/powershell)

+```azurecli

+az containerapp replica list `

+ --name <ContainerAppName> `

+ --resource-group <ResourceGroup> `

+ --revision <RevisionName> `

+ --query "[].{Containers:properties.containers[].name, Name:name}"

+```

+Stream the container logs with the `az container app show` command. Replace the \<placeholders\> with your container app's values.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp logs show \

+ --name <ContainerAppName> \

+ --resource-group <ResourceGroup> \

+ --revision <RevisionName> \

+ --replica <ReplicaName> \

+ --container <ContainerName> \

+ --follow

+```

+# [PowerShell](#tab/powershell)

+```azurecli

+az containerapp logs show `

+ --name <ContainerAppName> `

+ --resource-group <ResourceGroup> `

+ --revision <RevisionName> `

+ --replica <ReplicaName> `

+ --container <ContainerName> `

+ --follow

+```

+Enter **Ctrl-C** to stop the log stream.

+> [!div class="nextstepaction"]

+> [View log streams from the Azure portal](log-streaming.md)

+ Title: Monitor Azure Container Apps metrics

+description: Monitor your running apps metrics

+# Monitor Azure Container Apps metrics

+Azure Monitor collects metric data from your container app at regular interval to help you gain insights into the performance and health of your container app.

+The metrics explorer in the Azure portal allows you to visualize the data. You can also retrieve raw metric data through the [Azure CLI](/cli/azure/monitor/metrics) and Azure [PowerShell cmdlets](/powershell/module/az.monitor/get-azmetric).

+## Available metrics

+Container Apps provides these metrics.

+|Title | Description | Metric ID |Unit |

+|||||

+|CPU usage nanocores | CPU usage in nanocores (1,000,000,000 nanocores = 1 core) | UsageNanoCores| nanocores|

+|Memory working set bytes |Working set memory used in bytes |WorkingSetBytes |bytes|

+|Network in bytes|Network received bytes|RxBytes|bytes|

+|Network out bytes|Network transmitted bytes|TxBytes|bytes|

+|Requests|Requests processed|Requests|n/a|

+|Replica count| Number of active replicas| Replicas | n/a |

+|Replica Restart Count| Number of replica restarts | RestartCount | n/a |

+The metrics namespace is `microsoft.app/containerapps`.

+## Metrics snapshots

+Select the **Monitoring** tab on your app's **Overview** page to display charts showing your container app's current CPU, memory, and network utilization.

+From this view, you can pin one or more charts to your dashboard or select a chart to open it in the metrics explorer.

+## Using metrics explorer

+The Azure Monitor metrics explorer lets you create charts from metric data to help you analyze your container app's resource and network usage over time. You can pin charts to a dashboard or in a shared workbook.

+1. Open the metrics explorer in the Azure portal by selecting **Metrics** from the sidebar menu on your container app's page. To learn more about metrics explorer, go to [Getting started with metrics explorer](../azure-monitor/essentials/metrics-getting-started.md).

+1. Create a chart by selecting **Metric**. You can modify the chart by changing aggregation, adding more metrics, changing time ranges and intervals, adding filters, and applying splitting.

+### Add filters

+Optionally, you can create filters to limit the data shown based on revisions and replicas. To create a filter:

+1. Select **Add filter**.

+1. Select a revision or replica from the **Property** list.

+1. Select values from the **Value** list.

+ :::image type="content" source="media/observability/metrics-add-filter.png" alt-text="Screenshot of the metrics explorer showing the chart filter options.":::

+### Split metrics

+When your chart contains a single metric, you can choose to split the metric information by revision or replica with the exceptions:

+* The *Replica count* metric can only split by revision.

+* The *Requests* metric can also be split by status code and status code category.

+To split by revision or replica:

+1. Select **Apply splitting**

+1. Select **Revision** or **Replica** from the **Values** drop-down list.

+1. You can set the limit of the number of revisions or replicas to display in the chart. The default is 10.

+1. You can set Sort order to **Ascending** or **Descending**. The default is **Descending**.

+### Add scopes

+You can add more scopes to view metrics across multiple container apps.

+> [!div class="nextstepaction"]

+> [Set up alerts in Azure Container Apps](alerts.md)

+ Title: Write and view application logs in Azure Container Apps

+description: Learn write and view logs in Azure Container Apps.

+```powershell

+$LOG_ANALYTICS_WORKSPACE_CLIENT_ID = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $RESOURCE_GROUP -Name $LOG_ANALYTICS_WORKSPACE).CustomerId

+```powershell

+$queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $LOG_ANALYTICS_WORKSPACE_CLIENT_ID -Query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'my-container-app' | project ContainerAppName_s, Log_s, TimeGenerated | take 3"

+$queryResults.Results

+> [Monitor logs in Azure Container Apps with Log Analytics](log-monitoring.md)

+Azure Container Apps provides several built-in observability features that together give you a holistic view of your container appΓÇÖs health throughout its application lifecycle. These features help you monitor and diagnose the state of your app to improve performance and respond to trends and critical problems.

+|Feature |Description |

+|[Log streaming](log-streaming.md) | View streaming console logs from a container in near real-time. |

+|[Container console](container-console.md) | Connect to the Linux console in your containers to debug your application from inside the container. |

+|[Azure Monitor metrics](metrics.md)| View and analyze your application's compute and network usage through metric data. |

+|[Azure Monitor Log Analytics](log-monitoring.md) | Run queries to view and analyze your app's system and application logs. |

+|[Azure Monitor alerts](alerts.md) | Create and manage alerts to notify you of events and conditions based on metric and log data.|

+>[!NOTE]

+> While not a built-in feature, [Azure Monitor's Application Insights](../azure-monitor/app/app-insights-overview.md) is a powerful tool to monitor your web and background applications. Although Container Apps doesn't support the Application Insights auto-instrumentation agent, you can instrument your application code using Application Insights SDKs.

+## Application lifecycle observability

+With Container Apps observability features, you can monitor your app throughout the development-to-production lifecycle. The following sections describe the most effective monitoring features for each phase.

+### Development and test

+- [Log streaming](log-streaming.md): View real-time log streams from your containers.

+- [Container console](container-console.md): Access the container console to debug your application.

+### Deployment

+Once you deploy your container app, continuous monitoring helps you quickly identify problems that may occur around error rates, performance, and resource consumption.

+Azure Monitor gives you the ability to track your app with the following features:

+- [Azure Monitor metrics](metrics.md): Monitor and analyze key metrics.

+- [Azure Monitor alerts](alerts.md): Receive alerts for critical conditions.

+- [Azure Monitor Log Analytics](log-monitoring.md): View and analyze application logs.

+### Maintenance

+Container Apps manages updates to your container app by creating [revisions](revisions.md). You can run multiple revisions concurrently in blue green deployments or to perform A/B testing. These observability features will help you monitor your app across revisions:

+- [Azure Monitor metrics](metrics.md): Monitor and compare key metrics for multiple revisions.

+- [Azure Monitor alerts](alerts.md): Receive individual alerts per revision.

+- [Azure Monitor Log Analytics](log-monitoring.md): View, analyze and compare log data for multiple revisions.

+1. Register the `Microsoft.OperationalInsights` provider for the Azure Monitor Log Analytics workspace if you haven't used it before.

+### Proxy authentication failures

+If you see errors that show as HTTP 407:

+```

+Response status code does not indicate success: ProxyAuthenticationRequired (407);

+```

+This error isn't generated by the SDK nor it's coming from the Cosmos DB Service. This is an error related to networking configuration. A proxy in your network configuration is most likely missing the required proxy authentication. If you're not expecting to be using a proxy, reach out to your network team. If you *are* using a proxy, make sure you're setting the right [WebProxy](/dotnet/api/system.net.webproxy) configuration on [CosmosClientOptions.WebProxy](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.webproxy) when creating the client instance.

+## Writing data to a lookup field via alternative keys

+To write data into a lookup field using alternate key columns, follow this guidance and example:

+1. Ensure your source contains all the lookup key columns.

+2. The alternate key columns must be mapped to the column with the special naming pattern `{lookup_field_name}@{alternate_key_column_name}`. The column doesn't exist in Dynamics. It's used to indicate that this column is used to look up the record in the target entity.

+3. Go to **Mapping** tab in the sink transformation of mapping data flows. Select the alternate key as output columns under the Lookup field. The value after indicates the key columns of this alternate key.

+ :::image type="content" source="./media/connector-dynamics-crm-office-365/select-alternate-key-columns.png" alt-text="Screenshot shows selecting alternate key columns.":::

+4. Once selected, the alternate key columns will automatically display in below.

+ :::image type="content" source="./media/connector-dynamics-crm-office-365/connector-dynamics-lookup-field-column-mapping-alternate-key-1.png" alt-text="Screenshot shows mapping columns to lookup fields via alternate keys step 1.":::

+5. Map your input columns on left with the output columns.

+ :::image type="content" source="./media/connector-dynamics-crm-office-365/connector-dynamics-lookup-field-column-mapping-alternate-key-2.png" alt-text="Screenshot shows mapping columns to lookup fields via alternate keys step 2.":::

+> [!Note]

+> Currently this is only supported in mapping data flows.

+description: Learn how to troubleshoot issues with the Azure Synapse Analytics, Azure SQL Database, and SQL Server connectors in Azure Data Factory and Azure Synapse Analytics.

+ - has-adal-ref

+ - synapse

+- **Recommendation**: Validate and fix the SQL server linked service.

+- **Recommendation**: Check the table to make sure that a primary key or a unique index is created.

+ `ErrorCode=FailedDbOperation,Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,

+ Message=Error happened when loading data into Azure Synapse Analytics.,

+ Source=Microsoft.DataTransfer.ClientLibrary,Type=System.Data.SqlClient.SqlException,

+ `ErrorCode=FailedDbOperation,Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,

+ Message=Error happened when loading data into Azure Synapse Analytics.,

+ Source=Microsoft.DataTransfer.ClientLibrary,Type=System.Data.SqlClient.SqlException,

+ Details: Exception: Microsoft.SqlServer.DataWarehouse.DataMovement.Common.ExternalAccess.HdfsAccessException,

+- **Resolution**:

+- **Resolution**: Upgrade the Azure SQL Database performance tier to fix the issue.

+## SQL table can't be found

+- **Symptoms**: An error occurs when you copy data into an on-premises Azure SQL Server table.

+- **Cause**: The SQL table schema definition has one or more columns with less length than expected.

+ 1. To troubleshoot which rows have the issue, apply SQL sink [fault tolerance](./copy-activity-fault-tolerance.md), especially `redirectIncompatibleRowSettings`.

+ > [!NOTE]

+ > Fault tolerance might require additional execution time, which could lead to higher costs.

+ 1. Double-check the redirected data against the SQL table schema column length to see which columns need to be updated.

+ 1. Update the table schema accordingly.

+## Error code: Msg 105208

+- **Symptoms**: Error code: `Error code: Msg 105208, Level 16, State 1, Line 1 COPY statement failed with the following error when validating value of option 'FROM': '105200;COPY statement failed because the value for option 'FROM' is invalid.'`

+- **Cause**: Currently, ingesting data using the COPY command into an Azure Storage account that is using the new DNS partitioning feature results in an error. DNS partition feature enables customers to create up to 5000 storage accounts per subscription.

+- **Resolutions**: Provision a storage account in a subscription that does not use the new [Azure Storage DNS partition feature](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466) (currently in Public Preview).

+2. Select the new Azure Function activity on the canvas if it is not already selected, and its **Settings** tab, to edit its details.

+3. If you do not already have an Azure Function linked service defined, select New to create a new one. In the new Azure Function linked service pane, choose your existing Azure Function App url and provide a Function Key.

+4. After selecting the Azure Function linked service, provide the function name and other details to complete the configuration.

+| **Property** | **Description** | **Required** |

+| - | | |

+| Type | The type property must be set to: **AzureFunction** | Yes |

+| Function app url | URL for the Azure Function App. Format is `https://<accountname>.azurewebsites.net`. This URL is the value under **URL** section when viewing your Function App in the Azure portal | Yes |

+| Function key | Access key for the Azure Function. Click on the **Manage** section for the respective function, and copy either the **Function Key** or the **Host key**. Find out more here: [Azure Functions HTTP triggers and bindings](../azure-functions/functions-bindings-http-webhook-trigger.md#authorization-keys) | Yes |

+| Authentication | The authentication method used for calling the Azure Function. The supported values are 'System-assigned managed identity' or 'anonymous'. | Yes |

+| **Property** | **Description** | **Allowed values** | **Required** |

+| -- | | -- | -- |

+| Name | Name of the activity in the pipeline | String | Yes |

+| Type | Type of activity is ΓÇÿAzureFunctionActivityΓÇÖ | String | Yes |

+| Linked service | The Azure Function linked service for the corresponding Azure Function App | Linked service reference | Yes |

+| Function name | Name of the function in the Azure Function App that this activity calls | String | Yes |

+| Method | REST API method for the function call | String Supported Types: "GET", "POST", "PUT" | Yes |

+| Header | Headers that are sent to the request. For example, to set the language and type on a request: "headers": { "Accept-Language": "en-us", "Content-Type": "application/json" } | String (or expression with resultType of string) | No |

+| Body | Body that is sent along with the request to the function api method | String (or expression with resultType of string) or object. | Required for PUT/POST methods |

+See the schema of the request payload in [Request payload schema](control-flow-web-activity.md#request-payload-schema) section.

+## Timeout and long-running functions

+| [Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties) | [Avro](format-avro.md#mapping-data-flow-properties) <br>[Delimited text](format-delimited-text.md#mapping-data-flow-properties) <br>[Delta](format-delta.md) <br>[JSON](format-json.md#mapping-data-flow-properties) <br/>[ORC](format-orc.md#mapping-data-flow-properties)<br>[Parquet](format-parquet.md#mapping-data-flow-properties) | Γ£ô/Γ£ô <br>Γ£ô/Γ£ô <br>-/Γ£ô <br>Γ£ô/Γ£ô <br>Γ£ô/Γ£ô<br>Γ£ô/Γ£ô |

+| [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#mapping-data-flow-properties) | [Avro](format-avro.md#mapping-data-flow-properties) <br/>[Common Data Model](format-common-data-model.md#sink-properties)<br>[Delimited text](format-delimited-text.md#mapping-data-flow-properties) <br>[Delta](format-delta.md) <br>[JSON](format-json.md#mapping-data-flow-properties) <br/>[ORC](format-orc.md#mapping-data-flow-properties)<br/>[Parquet](format-parquet.md#mapping-data-flow-properties) | Γ£ô/Γ£ô <br>-/Γ£ô <br>Γ£ô/Γ£ô <br>-/Γ£ô <br>Γ£ô/Γ£ô<br>Γ£ô/Γ£ô <br>Γ£ô/Γ£ô |

+Azure Dedicated HSM is a specialized service that addresses unique requirements for a specific type of large-scale organization. As a result, it's expected that the bulk of Azure customers will not fit the profile of use for this service. Many will find the Azure Key Vault or Azure Managed HSM service to be more appropriate and cost effective. To help you decide if it's a fit for your requirements, we've identified the following criteria.

+> Customers must have a assigned Microsoft Account Manager and meet the monetary requirement of five million ($5M) USD or greater in overall committed Azure revenue annually to qualify for onboarding and use of Azure Dedicated HSM.

+ Title: Tutorial deploys into an existing virtual network using the Azure CLI - Azure Dedicated HSM | Microsoft Docs

+Azure Dedicated HSM provides a physical device for sole customer use, with complete administrative control and full management responsibility. The use of physical devices creates the need for Microsoft to control device allocation to ensure capacity is managed effectively. As a result, within an Azure subscription, the Dedicated HSM service won't normally be visible for resource provisioning. Any Azure customer requiring access to the Dedicated HSM service, must first contact their Microsoft account executive to request registration for the Dedicated HSM service. Only once this process completes successfully will provisioning be possible.

+Azure Dedicated HSM is not currently available in the Azure portal. All interaction with the service will be via command-line or using PowerShell. This tutorial will use the command-line (CLI) interface in the Azure Cloud Shell. If you're new to the Azure CLI, follow getting started instructions here: [Azure CLI 2.0 Get Started](/cli/azure/get-started-with-azure-cli).

+- You have an assigned Microsoft Account Manager and meet the monetary requirement of five million ($5M) USD or greater in overall committed Azure revenue annually to qualify for onboarding and use of Azure Dedicated HSM.

+- You have been through the Azure Dedicated HSM registration process and been approved for use of the service. If not, then contact your Microsoft account representative for details.

+- You have created a Resource Group for these resources and the new ones deployed in this tutorial will join that group.

+- You have already created the necessary virtual network, subnet, and virtual machines as per the diagram above and now want to integrate 2 HSMs into that deployment.

+All instructions below assume that you've already navigated to the Azure portal and you have opened the Cloud Shell (select "\>\_" towards the top right of the portal).

+You'll also now be able to see the resources using the [Azure resource explorer](https://resources.azure.com/). Once in the explorer, expand "subscriptions" on the left, expand your specific subscription for Dedicated HSM, expand "resource groups", expand the resource group you used and finally select the "resources" item.

+The IP Address of the VM could also be used in place of the DNS name in the above command. If the command is successful, it will prompt for a password, and you should enter that. Once logged on to the virtual machine, you can sign in to the HSM using the private IP address found in the portal for the network interface resource associated with the HSM.

+If successful you'll be prompted for a password. The default password is PASSWORD and the HSM will first ask you to change your password so set a strong password and use whatever mechanism your organization prefers to store the password and prevent loss.

+When you're connected to the HSM using ssh, run the following command to ensure the HSM is operational.

+At this point, you've allocated all resources for a highly available, two HSM deployment and validated access and operational state. Any further configuration or testing involves more work with the HSM device itself. For this, you should follow the instructions in the Thales Luna 7 HSM Administration Guide chapter 7 to initialize the HSM and create partitions. All documentation and software are available directly from Thales for download once you are registered in the [Thales customer support portal](https://supportportal.thalesgroup.com/csm) and have a Customer ID. Download Client Software version 7.2 to get all required components.

+If you've finished with just the HSM device, then it can be deleted as a resource and returned to the free pool. The obvious concern when doing this is any sensitive customer data that is on the device. The best way to "zeroize" a device is to get the HSM admin password wrong three times (note: this is not appliance admin, it's the actual HSM admin). As a safety measure to protect key material, the device can't be deleted as an Azure resource until it is in the zeroized state.

+If you've finished with all resources in this resource group, then you can remove them all with the following command:

+After completing the steps in the tutorial, Dedicated HSM resources are provisioned and you have a virtual network with necessary HSMs, and further network components to enable communication with the HSM. You're now in a position to complement this deployment with more resources as required by your preferred deployment architecture. For more information on helping plan your deployment, see the Concepts documents.

+ Title: Tutorial deploys into an existing virtual network using PowerShell - Azure Dedicated HSM | Microsoft Docs

+The Azure Dedicated HSM Service provides a physical device for sole customer use, with complete administrative control and full management responsibility. Due to providing physical hardware, Microsoft must control how those devices are allocated to ensure capacity is managed effectively. As a result, within an Azure subscription, the Dedicated HSM service won't normally be visible for resource provisioning. Any Azure customer requiring access to the Dedicated HSM service, must first contact their Microsoft account executive to request registration for the Dedicated HSM service. Only once this process completes successfully will provisioning be possible.

+Azure Dedicated HSM is not currently available in the Azure portal, therefore all interaction with the service will be via command-line or using PowerShell. This tutorial will use PowerShell in the Azure Cloud Shell. If you're new to PowerShell, follow getting started instructions here: [Azure PowerShell Get Started](/powershell/azure/get-started-azureps).

+- You have an assigned Microsoft Account Manager and meet the monetary requirement of five million ($5M) USD or greater in overall committed Azure revenue annually to qualify for onboarding and use of Azure Dedicated HSM.

+All instructions below assume that you've already navigated to the Azure portal and you've opened the Cloud Shell (select ΓÇ£\>\_ΓÇ¥ towards the top right of the portal).

+As mentioned above, any provisioning activity requires that the Dedicated HSM service is registered for your subscription. To validate that, run the following PowerShell command in the Azure portal Cloud Shell.

+The command should return a status of ΓÇ£RegisteredΓÇ¥ (as shown below) before you proceed any further. If you're not registered for this service, please contact your Microsoft account representative.

+The associated Resource Manager template file will create six resources with this information:

+Once parameter values are set, the files need to be uploaded to Azure portal Cloud Shell file share for use. In the Azure portal, click the ΓÇ£\>\_ΓÇ¥ Cloud Shell symbol top right and this will make the bottom portion of the screen a command environment. The options for this are BASH and PowerShell and you should select BASH if not already set.

+Once the files are uploaded, you're ready to create resources.

+You'll also now be able to see the resources using the [Azure resource explorer](https://resources.azure.com/). Once in the explorer, expand ΓÇ£subscriptionsΓÇ¥ on the left, expand your specific subscription for Dedicated HSM, expand ΓÇ£resource groupsΓÇ¥, expand the resource group you used and finally select the ΓÇ£resourcesΓÇ¥ item.

+If successful you'll be prompted for a password. The default password is PASSWORD. The HSM will ask you to change your password so set a strong password and use whatever mechanism your organization prefers to store the password and prevent loss.

+When you're connected to the HSM device using ssh, run the following command to ensure the HSM is operational.

+At this point, you've allocated all resources for a highly available, two HSM deployment and validated access and operational state. Any further configuration or testing involves more work with the HSM device itself. For this, you should follow the instructions in the Thales Luna 7 HSM Administration Guide chapter 7 to initialize the HSM and create partitions. All documentation and software are available directly from Thales for download once you're registered in the [Thales customer support portal](https://supportportal.thalesgroup.com/csm) and have a Customer ID. Download Client Software version 7.2 to get all required components.

+If you've finished with just the HSM device, then it can be deleted as a resource and returned to the free pool. The obvious concern when doing this is any sensitive customer data that is on the device. The best way to "zeroize" a device is to get the HSM admin password wrong three times (note: this is not appliance admin, it's the actual HSM admin). As a safety measure to protect key material, the device can't be deleted as an Azure resource until it is in the zeroized state.

+If you want to remove the HSM resource in Azure, you can use the following command replacing the "$" variables with your unique parameters:

+After completing the steps in the tutorial, Dedicated HSM resources are provisioned and available in your virtual network. You're now in a position to complement this deployment with more resources as required by your preferred deployment architecture. For more information on helping plan your deployment, see the Concepts documents. A design with two HSMs in a primary region addressing availability at the rack level, and two HSMs in a secondary region addressing regional availability is recommended. The template file used in this tutorial can easily be used as a basis for a two HSM deployment but needs to have its parameters modified to meet your requirements.

+ Title: Configure security headers with Azure Front Door Standard/Premium Rule Set

+# Configure security headers with Azure Front Door Standard/Premium Rule Set

+ | Name | hdi-prilink-cluster-restproxy |

+ | Name | hdi-prilink-cluster-restproxy |

+> New Azure Monitor experience is available in all the regions as a preview feature.

+> New Azure Monitor experience is only available in all the regions as a preview feature. It is recommended to place both the HDInsight cluster and the Log Analytics workspace in the same region for better performance.

+Creating new clusters with classic Azure Monitor integration is not available after Jan 1, 2023.

+ Title: Register a client application for the DICOM service in Azure Active Directory

+description: How to register a client application for the DICOM service in Azure Active Directory.

+# Register a client application for the DICOM service in Azure Active Directory

+In this article, you'll learn how to register a client application for the DICOM service. You can find more information on [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md).

+## Register a new application

+1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory**.

+2. Select **App registrations**.

+[  ](media/register-application-one.png#lightbox)

+3. Select **New registration**.

+4. For Supported account types, select **Accounts in this organization directory only**. Leave the other options as is.

+[  ](media/register-application-two.png#lightbox)

+5. Select **Register**.

+## Application ID (client ID)

+After registering a new application, you can find the application (client) ID and Directory (tenant) ID from the overview menu option. Make a note of the values for use later.

+[  ](media/register-application-three.png#lightbox)

+## Authentication setting: confidential vs. public

+Select **Authentication** to review the settings. The default value for **Allow public client flows** is "No".

+If you keep this default value, the application registration is a **confidential client application** and a certificate or secret is required.

+[  ](media/register-application-five.png#lightbox)

+If you change the default value to "Yes" for the "Allow public client flows" option in the advanced setting, the application registration is a **public client application** and a certificate or secret isn't required. The "Yes" value is useful when you want to use the client application in your mobile app or a JavaScript app where you don't want to store any secrets.

+For tools that require a redirect URL, select **Add a platform** to configure the platform.

+>[!NOTE]

+>

+>For Postman, select **Mobile and desktop applications**. Enter "https://www.getpostman.com/oauth2/callback" in the **Custom redirect URIs** section. Select the **Configure** button to save the setting.

+[  ](media/register-application-five-bravo.png#lightbox)

+## Certificates & secrets

+Select **Certificates & Secrets** and select **New Client Secret**.

+Add and then copy the secret value.

+[  ](media/register-application-six.png#lightbox)

+Optionally, you can upload a certificate (public key) and use the Certificate ID, a GUID value associated with the certificate. For testing purposes, you can create a self-signed certificate using tools such as the PowerShell command line, `New-SelfSignedCertificate`, and then export the certificate from the certificate store.

+## API permissions

+The following steps are required for the DICOM service. In addition, user access permissions or role assignments for the Azure Health Data Services are managed through RBAC. For more details, visit [Configure Azure RBAC for Azure Health Data Services](./../configure-azure-rbac.md).

+1. Select the **API permissions** blade.

+ [  ](./media/dicom-add-apis-permissions.png#lightbox)

+2. Select **Add a permission**.

+ Add a permission to the DICOM service by searching for **Azure API for DICOM** under **APIs my organization** uses.

+ [  ](./media/dicom-search-apis-permissions.png#lightbox)

+ The search result for Azure API for DICOM will only return if you've already deployed the DICOM service in the workspace.

+ If you're referencing a different resource application, select your DICOM API Resource Application Registration that you created previously under **APIs my organization**.

+3. Select scopes (permissions) that the confidential client application will ask for on behalf of a user. Select **Dicom.ReadWrite**, and then select **Add permissions**.

+ [  ](./media/dicom-select-scopes-new.png#lightbox)

+Your application registration is now complete.

+## Next steps

+In this article, you learned how to register a client application for the DICOM service in the Azure AD. Additionally, you learned how to add a secret and API permissions to Azure Health Data Services. For more information about DICOM service, see

+>[!div class="nextstepaction"]

+>[Overview of the DICOM service](dicom-services-overview.md)

+## Manage Configuration File in storage account

+You will need to create a container for the de-identified export in your ADLS Gen2 account and specify the `<<container_name>>` in the API request as shown above. Additionally, you will need to place the JSON config file with the anonymization rules inside the container and specify the `<<config file name>>` in the API request (see below).

+## Manage Configuration File in ACR

+It's recommended that you host the export configuration files on Azure Container Registry(ACR). It takes the following steps similar as [hosting templates in ACR for $convert-data](convert-data.md#host-your-own-templates).

+1. Push the configuration files to your Azure Container Registry.

+2. Enable Managed Identity on your FHIR service instance.

+3. Provide access of the ACR to the FHIR service Managed Identity.

+4. Register the ACR servers in the FHIR service. You can use the portal to open "Artifacts" blade under "Transform and transfer data" section to add the ACR server.

+5. Optionally configure ACR firewall for secure access.

+## Using the `$export` endpoint for de-identifying data

+ `https://<<FHIR service base URL>>/$export?_container=<<container_name>>&_anonymizationConfigCollectionReference=<<ACR image reference>>&_anonymizationConfig=<<config file name>>&_anonymizationConfigEtag=<<ETag on storage>>`

+| _\_container_|exportContainer|Required|Name of container within the configured storage account where the data will be exported. |

+| _\_anonymizationConfigCollectionReference_|"myacr.azurecr.io/deidconfigs:default"|Optional|Reference to an OCI image on ACR containing de-id configuration files for de-id export (such as stu3-config.json, r4-config.json). The ACR server of the image should be registered within the FHIR service. (Format: `<RegistryServer>/<imageName>@<imageDigest>`, `<RegistryServer>/<imageName>:<imageTag>`) |

+| _\_anonymizationConfig_ |`anonymizationConfig.json`|Required|Name of the configuration file. See the configuration file format [here](https://github.com/microsoft/FHIR-Tools-for-Anonymization#configuration-file-format). If _\_anonymizationConfigCollectionReference_ is provided, we will search and use this file from the specified image. Otherwise, we will search and use this file inside a container named **anonymization** within the configured ADLS Gen2 account.|

+| _\_anonymizationConfigEtag_|"0x8D8494A069489EC"|Optional|Etag of the configuration file which can be obtained from the blob property in Azure Storage Explorer. Specify this parameter only if the configuration file is stored in Azure storage account. If you use ACR to host the configuration file, you should not include this parameter.|

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+> [!TIP]

+ Title: IotJsonPathContentTemplate mappings in MedTech service device mapping - Azure Health Data Services

+description: This article describes how to use IotJsonPathContentTemplate mappings with MedTech service device mapping.

+This article describes how to use IoTJsonPathContentTemplate mappings with the MedTech service [device mapping](how-to-use-device-mappings.md).

+If you're using Azure IoT Hub Device SDKs, you can still use the JsonPathContentTemplate, assuming that you're using custom properties in the message body for the device identity or measurement timestamp.

+{

+ "templateType": "IotJsonPathContentTemplate",

+ "template": {

+ "typeName": "heartrate",

+ "typeMatchExpression": "$..[?(@Body.heartRate)]"

+ "values": [

+ {

+ "required": "true",

+ "valueExpression": "$.Body.heartRate",

+ "valueName": "hr"

+ }

+ ]

+ }

+}

+ "templateType": "IotJsonPathContentTemplate",

+ "template": {

+ {

+ },

+ {

+ }

+ }

+In this article, you learned how to use IotJsonPathContentTemplate mappings with the MedTech service device mapping. To learn how to use MedTech service FHIR destination mapping, see

+>[How to use FHIR destination mapping](how-to-use-fhir-mappings.md)

+FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+ [  ](dicom/media/dicom-add-apis-permissions.png#lightbox)

+ If you're using Azure Health Data Services, you'll add a permission to the DICOM service by searching for **Azure API for DICOM** under **APIs my organization** uses.

+ [  ](dicom/media/dicom-search-apis-permissions.png#lightbox)

+ The search result for Azure API for DICOM will only return if you've already deployed the DICOM service in the workspace.

+ [  ](dicom/media/dicom-select-scopes.png#lightbox)

+>>Use grant_type of client_credentials or authentication_code when trying to obtain an access token for the DICOM service. For more details, visit [Using DICOM with cURL](dicom/dicomweb-standard-apis-curl.md).

+> [!NOTE]

+> Only users in a role that have the necessary permissions can view, create, edit, and delete queries. To learn more, see [Manage users and roles in your IoT Central application](howto-manage-users-roles.md).

+**Data explorer permissions**

+| Name | Dependencies |

+| - | -- |

+| View | None <br/> Other dependencies: View device groups, device templates, device instances |

+| Update | View <br/> Other dependencies: View device groups, device templates, device instances |

+| Create | View, Update <br/> Other dependencies: View device groups, device templates, device instances |

+| Delete | View <br/> Other dependencies: View device groups, device templates, device instances |

+| Full Control | View, Update, Create, Delete <br/> Other dependencies: View device groups, device templates, device instances |

+ "value": "<ModuleStoragePath>"

+1. For both IoT Edge hub and IoT Edge agent, add binds to connect a local directory on the host machine to a directory in the module. For example, for version 1.1:

+Or, you can configure the local storage directly in the deployment manifest. For example, for version 1.1:

+Replace `<HostStoragePath>` and `<ModuleStoragePath>` with your host and module storage path; both values must be an absolute path. If using version 1.3, update each image version with `1.3`. For example, `mcr.microsoft.com/azureiotedge-agent:1.3`.

+ Title: How to create nested Azure IoT Edge device hierarchies

+description: Step by step adaptable manual instructions on how to create a hierarchy of IoT Edge devices.

+# Connect Azure IoT Edge devices together to create a hierarchy (nested edge)

+This article provides instructions for establishing a trusted connection between an IoT Edge gateway and a downstream IoT Edge device. This setup is also known as "nested edge".

+> Based on feedback, the prior translation-based preview of IoT Edge integration with Kubernetes has been discontinued and will not be made generally available. An exception being Azure Stack Edge devices where translation-based Kubernetes integration will be supported until IoT Edge v1.1 is maintained (Dec 2022).

+| since | string | Only return logs since this time, as an rfc3339 timestamp, UNIX timestamp, or a duration (days (d) hours (h) minutes (m)). For example, a duration for one day, 12 hours, and 30 minutes can be specified as *1 day 12 hours 30 minutes* or *1d 12h 30m*. If both `tail` and `since` are specified, the logs are retrieved using the `since` value first. Then, the `tail` value is applied to the result, and the final result is returned. OPTIONAL. |

+| until | string | Only return logs before the specified time, as an rfc3339 timestamp, UNIX timestamp, or duration (days (d) hours (h) minutes (m)). For example, a duration 90 minutes can be specified as *90 minutes* or *90m*. If both `tail` and `since` are specified, the logs are retrieved using the `since` value first. Then, the `tail` value is applied to the result, and the final result is returned. OPTIONAL. |

+| since | string | Only return logs since this time, as an rfc3339 timestamp, UNIX timestamp, or a duration (days (d) hours (h) minutes (m)). For example, a duration for one day, 12 hours, and 30 minutes can be specified as *1 day 12 hours 30 minutes* or *1d 12h 30m*. OPTIONAL. |

+| until | string | Only return logs before the specified time, as an rfc3339 timestamp, UNIX timestamp, or duration (days (d) hours (h) minutes (m)). For example, a duration 90 minutes can be specified as *90 minutes* or *90m*. OPTIONAL. |

+1. Test the module by sending a message by running the following command in a **Git Bash** or **WSL Bash** shell. You cannot run the `curl` command from a PowerShell or command prompt.

+ ```bash

+ curl --header "Content-Type: application/json" --request POST --data '{"inputName": "input1","data":"hello world"}' http://localhost:53000/api/v1/messages

+ ```

+ If you get the error *unmatched close brace/bracket in URL*, try the following command instead:

+

+ ```bash

+ curl --header "Content-Type: application/json" --request POST --data "{\"inputName\": \"input1\", \"data\", \"hello world\"}" http://localhost:53000/api/v1/messages

+ ```

+

+## Prerequisites

+* [Azure Az PowerShell module](/powershell/azure/install-Az-ps).

+ > The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade. For more information see the [migration guide](../active-directory/develop/msal-migration.md).

+Since you've deployed an IoT hub using the resource provider REST API, you may want to explore further:

+- Create a public IP for the NAT gateway

+- Create a virtual network for the backend virtual machines

+- Create a network security group to define inbound connections to your virtual network

+- Create an Azure Bastion host to securely manage the virtual machines in the backend pool

+## Create a public IP address

+Use [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress) to create a public IP address for the NAT gateway.

+```azurepowershell-interactive

+## Create public IP address for NAT gateway and place IP in variable ##

+$gwpublicip = @{

+ Name = 'myNATgatewayIP'

+ ResourceGroupName = 'CreatePubLBQS-rg'

+ Location = 'eastus'

+ Sku = 'Standard'

+ AllocationMethod = 'static'

+ Zone = 1,2,3

+}

+$gwpublicip = New-AzPublicIpAddress @gwpublicip

+```

+To create a zonal public IP address in zone 1, use the following command:

+```azurepowershell-interactive

+## Create a zonal public IP address for NAT gateway and place IP in variable ##

+$gwpublicip = @{

+ Name = 'myNATgatewayIP'

+ ResourceGroupName = 'CreatePubLBQS-rg'

+ Location = 'eastus'

+ Sku = 'Standard'

+ AllocationMethod = 'static'

+ Zone = 1

+}

+$gwpublicip = New-AzPublicIpAddress @gwpublicip

+```

+ PublicIpAddress = $gwpublicip

+$bastionip = @{

+$bastionip = New-AzPublicIpAddress @bastionip

+ PublicIpAddress = $bastionip

+ Your integration account name can contain only letters, numbers, hyphens (-), underscores (_), parentheses (()), and periods (.).

+Before you send XML content to a business partner in a business-to-business (B2B) scenario, you might want to encode that content first. If you receive encoded XML content, you'll need to decode that content first. When you're building a logic app workflow in Azure Logic Apps, you can encode and decode flat files by using the **Flat File** built-in connector actions and a flat file schema for encoding and decoding. You can use **Flat File** actions in multi-tenant Consumption logic app workflows and single-tenant Standard logic app workflows.

+>

+> In Standard logic app workflows, the **Flat File** actions are currently in preview.

+While no **Flat File** triggers are available, you can use any trigger or action to feed the source XML content into your workflow. For example, you can use a built-in connector trigger, a managed or Azure-hosted connector trigger available for Azure Logic Apps, or even another app.

+This article shows how to add the **Flat File** encoding and decoding actions to your workflow.

+* Add a **Flat File** encoding or decoding action to your workflow.

+* Select the schema that you want to use.

+For more information, review the following documentation:

+* [Consumption versus Standard logic apps](logic-apps-overview.md#resource-type-and-host-environment-differences)

+* [Integration account built-in connectors](../connectors/built-in.md#integration-account-built-in)

+* [Built-in connectors overview for Azure Logic Apps](../connectors/built-in.md)

+* [Managed or Azure-hosted connectors in Azure Logic Apps](/connectors/connector-reference/connector-reference-logicapps-connectors)

+* The logic app workflow, blank or existing, where you want to use the **Flat File** action.

+ If you have a blank workflow, use any trigger that you want to start the workflow. This example uses the Request trigger.

+* Your logic app resource and workflow. Flat file operations don't have any triggers available, so your workflow has to minimally include a trigger. For more information, review the following documentation:

+ * [Quickstart: Create your first Consumption logic app workflow with multi-tenant Azure Logic Apps](quickstart-create-first-logic-app-workflow.md)

+ * [Create a Standard logic app workflow with single-tenant Azure Logic Apps](create-single-tenant-workflows-azure-portal.md)

+* A flat file schema for encoding and decoding the XML content. For more information, [Add schemas to use with workflows in Azure Logic Apps](logic-apps-enterprise-integration-schemas.md).

+* Based on whether you're working on a Consumption or Standard logic app workflow, you'll need an [integration account resource](logic-apps-enterprise-integration-create-integration-account.md). Usually, you need this resource when you want to define and store artifacts for use in enterprise integration and B2B workflows.

+ > [!IMPORTANT]

+ >

+ > To work together, both your integration account and logic app resource must exist in the same Azure subscription and Azure region.

+ * If you're working on a Consumption logic app workflow, your logic app resource requires a [link to your integration account](logic-apps-enterprise-integration-create-integration-account.md?tabs=consumption#link-account).

+ * If you're working on a Standard logic app workflow, you can link your logic app resource to your integration account, upload schemas directly to your logic app resource, or both, based on the following scenarios:

+ * If you already have an integration account with the artifacts that you need or want to use, you can link your integration account to multiple Standard logic app resources where you want to use the artifacts. That way, you don't have to upload schemas to each individual logic app. For more information, review [Link your logic app resource to your integration account](logic-apps-enterprise-integration-create-integration-account.md?tabs=standard#link-account).

+ * The **Flat File** built-in connector lets you select a schema that you previously uploaded to your logic app resource or to a linked integration account, but not both. You can then use this artifact across all child workflows within the same logic app resource.

+ So, if you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option. Either way, you can use these artifacts across all child workflows within the same logic app resource.

+## Limitations

+* In your flat file schema, make sure the contained XML groups don't have excessive numbers of the `max count` property set to a value *greater than 1*. Avoid nesting an XML group with a `max count` property value greater than 1 inside another XML group with a `max count` property greater than 1.

+* When Azure Logic Apps parses the flat file schema, and whenever the schema allows the choice of the next fragment, Azure Logic Apps generates a *symbol* and a *prediction* for that fragment. If the schema allows too many such constructs, for example, more than 100,000, the schema expansion becomes excessively large, which consumes too much resources and time.

+## Upload schema

+After you create your schema, you now have to upload the schema based on the following scenario:

+* If you're working on a Consumption logic app workflow, [add your schema to your integration account](logic-apps-enterprise-integration-schemas.md?tabs=consumption#add-schema).

+* If you're working on a Standard logic app workflow, you can [add your schema to your integration account](logic-apps-enterprise-integration-schemas.md?tabs=consumption#add-schema), or [add your schema to your logic app resource](logic-apps-enterprise-integration-schemas.md?tabs=standard#add-schema).

+## Add a Flat File encoding action

+### [Consumption](#tab/consumption)

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer, if not already open.

+1. If your workflow doesn't have a trigger or any other actions that your workflow needs, add those operations first. Flat File operations don't have any triggers available.

+ This example continues with the Request trigger named **When a HTTP request is received**.

+1. On the workflow designer, under the step where you want to add the Flat File action, select **New step**.

+1. Under the **Choose an operation** search box, select **Built-in**. In the search box, enter **flat file**.

+1. From the actions list, select the action named **Flat File Encoding**.

+ 

+1. In the action's **Content** property, provide the output from the trigger or a previous action that you want to encode by following these steps:

+ 1. Click inside the **Content** box so that the dynamic content list appears.

+ 1. From the dynamic content list, select the flat file content that you want to encode.

+

+ For this example, from the dynamic content list, under **When a HTTP request is received**, select the **Body** token, which represents the body content output from the trigger.

+ 

+ > [!NOTE]

+ >

+ > You can also directly enter the content to encode in the **Content** box.

+1. From the **Schema Name** list, select your schema.

+ 

+ >

+ > If the schema list is empty, either your logic app resource isn't linked to your

+ > integration account or your integration account doesn't contain any schema files.

+ When you're done, your action looks similar to the following:

+ 

+1. To add other optional parameters to the action, select those parameters from the **Add new parameter** list.

+ | Parameter | Value | Description |

+ |--|-|-|

+ | **Mode of empty node generation** | **ForcedDisabled** or **HonorSchemaNodeProperty** or **ForcedEnabled** | The mode to use for empty node generation in flat file encoding |

+ | **XML Normalization** | **Yes** or **No** | The setting to enable or disable XML normalization in flat file encoding |

+1. Save your workflow. On the designer toolbar, select **Save**.

+### [Standard](#tab/standard)

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer, if not already open.

+1. If your workflow doesn't have a trigger or any other actions that your workflow needs, add those operations first. Flat File operations don't have any triggers available.

+ This example continues with the Request trigger named **When a HTTP request is received**.

+1. On the designer, under the step where you want to add the Flat File action, select the plus sign (**+**), and then select **Add an action**.

+1. On the **Add an action** pane that appears, under the search box, select **Built-in**.

+1. In the search box, enter **flat file**. From the actions list, select the action named **Flat File Encoding**.

+ 

+1. In the action's **Content** property, provide the output from the trigger or a previous action that you want to encode by following these steps:

+ 1. Click inside the **Content** box so that the dynamic content list appears.

+ 1. From the dynamic content list, select the flat file content that you want to encode.

+

+ For this example, from the dynamic content list, under **When a HTTP request is received**, select the **Body** token, which represents the body content output from the trigger.

+ 

+1. From the **Source** list, select either **LogicApp** or **IntegrationAccount** as your schema source.

+ This example continues by selecting **IntegrationAccount**.

+ 

+ >

+ > If the schema list is empty, either your logic app resource isn't linked to your

+ > integration account, your integration account doesn't contain any schema files,

+ > or your logic app resource doesn't contain any schema files.

+## Add a Flat File decoding action

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer, if not already open.

+1. If your workflow doesn't have a trigger or any other actions that your workflow needs, add those operations first. Flat File operations don't have any triggers available.

+ This example continues with the Request trigger named **When a HTTP request is received**.

+1. On the workflow designer, under the step where you want to add the Flat File action, select **New step**.

+1. Under the **Choose an operation** search box, select **Built-in**. In the search box, enter **flat file**.

+1. From the actions list, select the action named **Flat File Decoding**.

+ 

+1. In the action's **Content** property, provide the output from the trigger or a previous action that you want to decode by following these steps:

+ 1. Click inside the **Content** box so that the dynamic content list appears.

+ 1. From the dynamic content list, select the flat file content that you want to encode.

+

+ For this example, from the dynamic content list, under **When a HTTP request is received**, select the **Body** token, which represents the body content output from the trigger.

+ 

+ > [!NOTE]

+ >

+ > select **See more** next to the **When a HTTP request is received** section label.

+ > You can also directly enter the content to encode in the **Content** box.

+1. From the **Schema Name** list, select your schema.

+ 

+ >

+ > If the schema list is empty, either your logic app resource isn't linked to your

+ > integration account or your integration account doesn't contain any schema files.

+ When you're done, your action looks similar to the following:

+ 

+1. Save your workflow. On the designer toolbar, select **Save**.

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer, if not already open.

+1. If your workflow doesn't have a trigger or any other actions that your workflow needs, add those operations first. Flat File operations don't have any triggers available.

+ This example continues with the Request trigger named **When a HTTP request is received**.

+1. On the designer, under the step where you want to add the Flat File action, select the plus sign (**+**), and then select **Add an action**.

+1. On the **Add an action** pane that appears, under the search box, select **Built-in**.

+1. In the search box, enter **flat file**. From the actions list, select the action named **Flat File Decoding**.

+ 

+1. In the action's **Content** property, provide the output from the trigger or a previous action that you want to decode by following these steps:

+ 1. Click inside the **Content** box so that the dynamic content list appears.

+ 1. From the dynamic content list, select the flat file content that you want to encode.

+

+ For this example, from the dynamic content list, under **When a HTTP request is received**, select the **Body** token, which represents the body content output from the trigger.

+ 

+1. From the **Source** list, select either **LogicApp** or **IntegrationAccount** as your schema source.

+ This example continues by selecting **IntegrationAccount**.

+ 

+ >

+ > If the schema list is empty, either your logic app resource isn't linked to your

+ > integration account, your integration account doesn't contain any schema files,

+ > or your logic app resource doesn't contain any schema files.

+## Test your workflow

+1. By using [Postman](https://www.getpostman.com/postman) or a similar tool and the `POST` method, send a call to the Request trigger's URL, which appears in the Request trigger's **HTTP POST URL** property, and include the XML content that you want to encode or decode in the request body.

+1. After your workflow finishes running, go to the workflow's run history, and examine the Flat File action's inputs and outputs.

+While no **Liquid** triggers are available, you can use any trigger or action to feed the source JSON or XML content into your workflow. For example, you can use a built-in connector trigger, a managed or Azure-hosted connector trigger available for Azure Logic Apps, or even another app.

+ * The **Liquid** built-in connector lets you select a map that you previously uploaded to your logic app resource or to a linked integration account, but not both. You can then use these artifacts across all child workflows within the *same logic app resource*.

+1. From the **Map** list, select your Liquid template.

+ > If the maps list is empty, either your logic app resource isn't linked to your

+ > integration account or your integration account doesn't contain any map files.

+1. Save your workflow. On the designer toolbar, select **Save**.

+ > [!NOTE]

+ >

+ > If the **Body** property doesn't appear in the dynamic content list,

+ > select **See more** next to the **When a HTTP request is received** section label.

+ > You can also directly enter the content to decode in the **Content** box.

+1. Save your workflow. On the designer toolbar, select **Save**.

+1. By using [Postman](https://www.getpostman.com/postman) or a similar tool and the `POST` method, send a call to the Request trigger's URL, which appears in the Request trigger's **HTTP POST URL** property, and include the JSON input to transform, for example:

+ Title: Add schemas to use with workflows

+description: Add schemas for workflows in Azure Logic Apps.

+# Add schemas to use with workflows with Azure Logic Apps

+Workflow actions such as **Flat File** and **XML Validation** require a schema to perform their tasks. For example, the **XML Validation** action requires an XML schema to check that documents use valid XML and have the expected data in the predefined format. This schema is a business document that's represented in XML using the [XML Schema Definition (XSD)](https://www.w3.org/TR/xmlschema11-1/) and uses the .xsd file name extension. The **Flat File** actions use a schema to encode and decode XML content.

+This article shows how to add a schema to your integration account. If you're working with a Standard logic app workflow, you can also add a schema directly to your logic app resource.

+* The schema file that you want to add. To create schemas, you can use the following tools:

+* Based on whether you're working on a Consumption or Standard logic app workflow, you'll need an [integration account resource](logic-apps-enterprise-integration-create-integration-account.md). Usually, you need this resource when you want to define and store artifacts for use in enterprise integration and B2B workflows.

+ > [!IMPORTANT]

+ >

+ > To work together, both your integration account and logic app resource must exist in the same Azure subscription and Azure region.

+ * If you're working on a Consumption logic app workflow, you'll need an [integration account that's linked to your logic app resource](logic-apps-enterprise-integration-create-integration-account.md?tabs=consumption#link-account).

+ * If you're working on a Standard logic app workflow, you can link your integration account to your logic app resource, upload schemas directly to your logic app resource, or both, based on the following scenarios:

+ * If you already have an integration account with the artifacts that you need or want to use, you can link your integration account to multiple Standard logic app resources where you want to use the artifacts. That way, you don't have to upload schemas to each individual logic app. For more information, review [Link your logic app resource to your integration account](logic-apps-enterprise-integration-create-integration-account.md?tabs=standard#link-account).

+ * The **Flat File** built-in connector lets you select a schema that you previously uploaded to your logic app resource or to a linked integration account, but not both. You can then use this artifact across all child workflows within the same logic app resource.

+ So, if you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option. Either way, you can use these artifacts across all child workflows within the same logic app resource.

+## Limitations

+* Limits apply to the number of artifacts, such as schemas, per integration account. For more information, review [Limits and configuration information for Azure Logic Apps](logic-apps-limits-and-config.md#integration-account-limits).

+* Based on whether you're working on a Consumption or Standard logic app workflow, schema file size limits might apply.

+ * If you're working with Standard workflows, no limits apply to schema file sizes.

+ * If you're working with Consumption workflows, the following limits apply:

+ * If your schema is [2 MB or smaller](#smaller-schema), you can add your schema to your integration account *directly* from the Azure portal.

+ * If your schema is bigger than 2 MB but not bigger than the [size limit for schemas](logic-apps-limits-and-config.md#artifact-capacity-limits), you'll need an Azure storage account where you can upload your schema. Then, to add that schema to your integration account, you can then link to your storage account from your integration account. For this task, the following table describes the items you need:

+ | Item | Description |

+ ||-|

+ | [Azure storage account](../storage/common/storage-account-overview.md) | In this account, create an Azure blob container for your schema. Learn [how to create a storage account](../storage/common/storage-account-create.md). |

+ | Blob container | In this container, you can upload your schema. You also need this container's content URI later when you add the schema to your integration account. Learn how to [create a blob container](../storage/blobs/storage-quickstart-blobs-portal.md). |

+ | [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) | This tool helps you more easily manage storage accounts and blob containers. To use Storage Explorer, choose a step: <br><br>- In the Azure portal, select your storage account. From your storage account menu, select **Storage Explorer**. <br><br>- For the desktop version, [download and install Azure Storage Explorer](https://www.storageexplorer.com/). Then, connect Storage Explorer to your storage account by following the steps in [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md). To learn more, see [Quickstart: Create a blob in object storage with Azure Storage Explorer](../storage/blobs/quickstart-storage-explorer.md). |

+ To add larger schemas, you can also use the [Azure Logic Apps REST API - Schemas](/rest/api/logic/schemas/create-or-update). However, for Standard workflows, the Azure Logic Apps REST API is currently unavailable.

+* Usually, when you're using an integration account with your workflow, you add the schema to that account. However, if you're referencing or importing a schema that's not in your integration account, you might receive the following error when you use the element `xsd:redefine`:

+* If you're working with a Consumption workflow, you must add your schema to a linked integration account.

+* If you're working with a Standard workflow, you have the following options:

+ * Add your schema to a linked integration account. You can share the schema and integration account across multiple Standard logic app resources and their child workflows.

+ * Add your schema directly to your logic app resource. However, you can only share that schema across child workflows in the same logic app resource.

+<a name="add-schema-integration-account"></a>

+### Add schema to integration account

+1. In the main Azure search box, enter **integration accounts**, and select **Integration accounts**.

+For Consumption workflows, based on your schema's file size, now follow the steps for uploading a schema that's either [up to 2 MB](#smaller-schema) or [more than 2 MB, up to 8 MB](#larger-schema).

+To add larger schemas for Consumption workflows to use, you can upload your schema to an Azure blob container in your Azure storage account. Your steps for adding schemas differ based whether your blob container has public read access. So first, check whether or not your blob container has public read access by following these steps: [Set public access level for blob container](../vs-azure-tools-storage-explorer-blobs.md#set-the-public-access-level-for-a-blob-container)

+### Add schema to Standard logic app resource

+These steps apply only if you want to add a schema directly to your Standard logic app resource. Otherwise, [add the schema to your integration account](#add-schema-integration-account).

+The following steps apply only if you're updating a schema that you added to your logic app resource. Otherwise, follow the Consumption steps for updating a schema in your integration account.

+The following steps apply only if you're deleting a schema that you added to your logic app resource. Otherwise, follow the Consumption steps for deleting a schema from your integration account.

+ - If you exclude disks, they won't be present on the Azure VM after migration.

+ - You can exclude disks if the mobility agent is already installed on that server. [Learn more](../site-recovery/exclude-disks-replication.md#exclude-limitations).

+

+ - **Will modifying session level database variables impact restoration?**

+| Korea Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+This topic highlights log sources to consider configuring for Basic Logs when they're stored in Log Analytics tables. Before configuring tables as Basic Logs, [compare log data plans (preview)](../azure-monitor/logs/log-analytics-workspace-overview.md#log-data-plans-preview).

+ Title: Manage custom content with repository connections

+description: This article explains custom Sentinel content like GitHub or Azure DevOps repositories that can utilize source control features.

+#Customer intent: As a SOC collaborator or MSSP analyst, I want to manage dynamic Sentinel workspace content based on source control repositories for continuous integration and continuous delivery (CI/CD). Specifically as an MSSP content manager, I want to deploy one solution to many customer workspaces and still be able to tailor custom content for their environments.

+# Manage custom content with Microsoft Sentinel repositories (public preview)

+The Microsoft Sentinel repositories feature provides a central experience for the deployment and management of Sentinel content as code. Repositories allow connections to an external source control for continuous integration / continuous delivery (CI/CD). This automation removes the burden of manual processes to update and deploy your custom content across workspaces. For more information on Sentinel content, see [About Microsoft Sentinel content and solutions](sentinel-solutions.md).

+> [!IMPORTANT]

+> The Microsoft Sentinel **Repositories** feature is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+## Plan your repository connection

+Microsoft Sentinel repositories require careful planning to ensure you have the proper permissions from your workspace to the repository (repo) you want connected. Only connections to GitHub and Azure DevOps repositories with contributor access are currently supported. The Microsoft Sentinel application will need authorization to your repo and have Actions enabled for GitHub and Pipelines enabled for Azure DevOps.

+Repositories require an **Owner** role in the resource group that contains your Microsoft Sentinel workspace. This role is required to create the connection between Microsoft Sentinel and your source control repository. If you're' unable to use the Owner role in your environment, you can instead use the combination of **User Access Administrator** and **Sentinel Contributor** roles to create the connection.

+If you find content in a public repository where you *aren't* a contributor, you'll need to get that content into your repo first. You can do that with an import, fork, or clone of the content to a repo where you're a contributor. Then you can connect your repo to your Sentinel workspace. For more information, see [Deploy custom content from your repository](ci-cd.md).

+### Validate your content

+The following Microsoft Sentinel content types can be deployed through a repository connection:

+- Analytics rules

+- Automation rules

+- Hunting queries

+- Parsers

+- Playbooks

+- Workbooks

+> [!TIP]

+> This article does *not* describe how to create these types of content from scratch. For more information, see the relevant [Microsoft Sentinel GitHub wiki](https://github.com/Azure/Azure-Sentinel/wiki#get-started) for each content type.

+>

+ Repositories content needs to be stored as [ARM templates](/azure/azure-resource-manager/templates/overview). The repositories deployment pipeline doesn't validate the content except to confirm it's in the correct JSON format.

+The first step to validate your content is to test it within Microsoft Sentinel. You can also apply the [Microsoft Sentinel GitHub validation process](https://github.com/Azure/Azure-Sentinel/wiki#test-your-contribution) and tools to complement your validation process.

+A sample repository is available with ARM templates for each of the content types listed above. The repo also demonstrates how to use advanced features of repository connections. For more information, see [Sentinel CICD repositories sample](https://github.com/SentinelCICD/RepositoriesSampleContent).

+### Maximum connections and deployments

+- Each Microsoft Sentinel workspace is currently limited to **five repository connections**.

+- Each Azure resource group is limited to **800 deployments** in its deployment history. If you have a high volume of ARM template deployments in your resource group(s), you may see the `Deployment QuotaExceeded` error. For more information, see [DeploymentQuotaExceeded](/azure/azure-resource-manager/templates/deployment-quota-exceeded) in the Azure Resource Manager templates documentation.

+## Improve performance with smart deployments

+The **smart deployments** feature is a back-end capability that improves performance by actively tracking modifications made to the content files of a connected repository. It uses a CSV file within the '.sentinel' folder in your repository to audit each commit. The workflow avoids redeploying content that hasn't been modified since the last deployment. This process improves your deployment performance and prevents tampering with unchanged content in your workspace, such as resetting dynamic schedules of your analytics rules.

+Smart deployments are enabled by default on newly created connections. If you prefer all source control content to be deployed every time a deployment is triggered, regardless of whether that content was modified or not, you can modify your workflow to disable smart deployments. For more information, see [Customize the deployment workflow](ci-cd.md#customize-the-deployment-workflow).

+ > [!NOTE]

+ > This capability was launched in public preview on April 20th, 2022. Connections created prior to launch would need to be updated or recreated for smart deployments to be turned on.

+ >

+## Consider deployment customization options

+Even with smart deployments enabled, the default behavior is to push all the updated content from the connected repository branch. If the default configuration for your content deployment from GitHub or Azure DevOps doesn't meet all your requirements, you can modify the experience to fit your needs.

+For example, you may want to:

+- turn off smart deployments

+- configure different deployment triggers

+- deploy content only from a specific root folder for a given workspace

+- schedule the workflow to run periodically

+- combine different workflow events together

+- prioritize content to be evaluated before the entire repo is enumerated for valid ARM templates

+For more details on how to implement these customizations, see [Customize the deployment workflow](ci-cd.md#customize-the-deployment-workflow).

+## Next steps

+Get more examples and step by step instructions on deploying Microsoft Sentinel repositories.

+- [Sentinel CICD sample repository](https://github.com/SentinelCICD/RepositoriesSampleContent)

+- [Deploy custom content from your repository](ci-cd.md)

+- [Automate Sentinel integration with DevOps](/azure/architecture/example-scenario/devops/automate-sentinel-integration#microsoft-sentinel-repositories)

+description: This article describes how to create connections with a GitHub or Azure DevOps repository where you can manage your custom content and deploy it to Microsoft Sentinel.

+#Customer intent: As a SOC collaborator or MSSP analyst, I want to know how to connect my source control repositories for continuous integration and continuous delivery (CI/CD). Specifically as an MSSP content manager, I want to know how to deploy one solution to many customer workspaces and still be able to tailor custom content for their environments.

+When creating custom content, you can manage it from your own Microsoft Sentinel workspaces, or an external source control repository. This article describes how to create and manage connections between Microsoft Sentinel and GitHub or Azure DevOps repositories. Managing your content in an external repository allows you to make updates to that content outside of Microsoft Sentinel, and have it automatically deployed to your workspaces. For more information, see [Update custom content with repository connections](ci-cd-custom-content.md).

+> [!IMPORTANT]

+> The Microsoft Sentinel **Repositories** feature is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Microsoft Sentinel currently supports connections to GitHub and Azure DevOps repositories. Before connecting your Microsoft Sentinel workspace to your source control repository, make sure that you have:

+- An **Owner** role in the resource group that contains your Microsoft Sentinel workspace *or* a combination of **User Access Administrator** and **Sentinel Contributor** roles to create the connection

+- Contributor access to your GitHub or Azure DevOps repository

+- Actions enabled for GitHub and Pipelines enabled for Azure DevOps

+- Ensure custom content files you want to deploy to your workspaces are in relevant [Azure Resource Manager (ARM) templates](../azure-resource-manager/templates/index.yml).

+For more information, see [Validate your content](ci-cd-custom-content.md#validate-your-content)

+The default workflow only deploys content that has been modified since the last deployment based on commits to the repository. But you may want to turn off smart deployments or perform other customizations. For example, you can configure different deployment triggers, or deploy content exclusively from a specific root folder.

+ The workflow file is the YML file starting with `sentinel-deploy-xxxxx.yml`. Open that file and the workflow name is shown in the first line and has the following default naming convention: `Deploy Content to <workspace-name> [<deployment-id>]`.

+ - **To disable smart deployments**:

+ The smart deployments behavior is separate from the deployment trigger discussed above. Navigate to the `jobs` section of your workflow. Switch the `smartDeployment` default value from `true` to `false`. This will turn off the smart deployments functionality and all future deployments for this connection will redeploy all the repository's relevant content files to the connected workspace(s) once this change is committed.

+ This default configuration means that a deployment workflow is triggered anytime that content is pushed to any part of the branch.

+ - **To disable smart deployments**:

+ The smart deployments behavior is separate from the deployment trigger discussed above. Navigate to the `ScriptArguments` section of your pipeline. Switch the `smartDeployment` default value from `true` to `false`. This will turn off the smart deployments functionality and all future deployments for this connection will redeploy all the repository's relevant content files to the connected workspace(s) once this change is committed.

+ This default configuration means that a deployment pipeline is triggered anytime that content is pushed to any part of the `main` branch.

+## Edit content

+After you've successfully created a connection to your source control repository, anytime content in that repository is modified or added, the modified content is deployed to all connected Microsoft Sentinel workspaces.

+## Delete content

+Deleting content from your repository doesn't delete it from your Microsoft Sentinel workspace. If you want to remove content that was deployed through repositories, make sure to delete it from both your repository and Sentinel. For example, set a filter for the content based on source name to make is easier to identify content from repositories.

+## Repositories limits

+## Threat intelligence limits

+## Watchlist limits

+## Configure the clients to retrieve Kerberos tickets

+- Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#kerberos-cloudkerberosticketretrievalenabled)

+- Configure this group policy on the client(s): `Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon`

+- Create the following registry value on the client(s): `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1`

+## Prerequisites

+Here are the prerequisites for the quickstart:

+- Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/).

+- [Visual Studio Code](https://code.visualstudio.com/).

+2. From **Extensions** on the left pane, search for **Azure Stream Analytics** and select **Install** on the **Azure Stream Analytics Tools** extension.

+ :::image type="content" source="./media/quick-create-visual-studio-code/install-extension.png" alt-text="Screenshot showing the Extensions page of Visual Studio Code with an option to install Stream Analytics extension.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/enabled-extensions.png" alt-text="Screenshot showing the Azure Stream Analytics extension in the list of enabled extensions.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/azure-sign-in.png" alt-text="Screenshot showing how to sign in to Azure.":::

+2. You may need to select a subscription as showing in the following image:

+ :::image type="content" source="./media/quick-create-visual-studio-code/select-subscription.png" alt-text="Screenshot showing the selection of an Azure subscription.":::

+3. Keep Visual Studio Code open.

+ > [!NOTE]

+ > The Azure Stream Analytics Tools extension will automatically sign you in the next time if you don't sign out.

+ > If your account has two-factor authentication, we recommend that you use phone authentication rather than using a PIN.

+ > If you have issues with listing resources, signing out and signing in again usually helps. To sign out, enter the command `Azure: Sign Out`.

+ :::image type="content" source="./media/quick-create-visual-studio-code/create-resource-iot-hub-menu.png" alt-text="Screenshot showing the Create Resource page for Iot Hub.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/create-iot-hub.png" alt-text="Screenshot showing the IoT Hub page for creation.":::

+4. Select **Next: Networking** at the bottom of the page to move to the **Networking** page of the creation wizard.

+1. On the **Networking** page, select **Next: Management** at the bottom of the page.

+1. On the **Management** page, for **Pricing and scale tier**, select **F1: Free tier**, if it's still available on your subscription. If the free tier is unavailable, choose the lowest pricing tier available. For more information, see [Azure IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub/).

+1. After the creation is successful, select **Go to resource** to navigate to the **IoT Hub** page for your IoT hub.

+1. On the **IoT Hub** page, select **Devices** under **Device management** on the left menu, and then select **Add Device** as shown in the image.

+ :::image type="content" source="./media/quick-create-visual-studio-code/add-device-menu.png" alt-text="Screenshot showing the Add Device button on the Devices page.":::

+1. On your IoT hub's navigation menu, select **Add** under **IoT devices**. Add an ID for **Device ID**, and select **Save**.

+ :::image type="content" source="./media/quick-create-visual-studio-code/add-device-iot-hub.png" alt-text="Screenshot showing the Add Device page.":::

+1. After the device is saved, select the device from the list. If it doesn't show up in the list, move to another page and switch back to the **Devices** page.

+ :::image type="content" source="./media/quick-create-visual-studio-code/select-device.png" alt-text="Screenshot showing the selection of the device on the Devices page.":::

+8. Copy the string in **Connection string (primary key)** and save it to a notepad to use later.

+ :::image type="content" source="./media/quick-create-visual-studio-code/save-iot-device-connection-string.png" alt-text="Screenshot showing the primary connection string of the device you created.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/ras-pi-connection-string.png" lightbox="./media/quick-create-visual-studio-code/ras-pi-connection-string.png" alt-text="Screenshot showing the Raspberry Pi Azure IoT Online Simulator with output.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/create-storage-account-menu.png" alt-text="Screenshot showing the Create storage account menu.":::

+2. In the **Create storage account** pane, enter a storage account name, location, and resource group. Choose the same location and resource group as the IoT hub that you created. Then select **Review** to create the account. Then, select **Create** to create the storage account. After the resource is created, select **Go to resource** to navigate to the **Storage account** page.

+ :::image type="content" source="./media/quick-create-visual-studio-code/create-storage-account.png" alt-text="Screenshot showing the Create storage account page.":::

+3. On the **Storage account** page, select **Containers** on the left menu, and then select **+ Container** on the command bar.

+ :::image type="content" source="./media/quick-create-visual-studio-code/add-blob-container-menu.png" alt-text="Screenshot showing the Containers page.":::

+4. From the **New container** page, provide a **name** for your container, leave **Public access level** as **Private (no anonymous access)**, and select **OK**.

+ :::image type="content" source="./media/quick-create-visual-studio-code/create-blob-container.png" alt-text="Screenshot showing the creation of a blob container page.":::

+1. In Visual Studio Code, select **View** -> **Command palette** on the menu to open the command palette.

+ :::image type="content" source="./media/quick-create-visual-studio-code/view-command-palette.png" alt-text="Screenshot showing the View -> Command palette menu.":::

+1. Then enter **ASA** and select **ASA: Create New Project**.

+ :::image type="content" source="./media/quick-create-visual-studio-code/create-new-project.png" alt-text="Screenshot showing the selection of ASA: Create New Project in the command palette.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/create-project-name.png" alt-text="Screenshot showing entering an ASA project name.":::

+3. The new project is added to your workspace. A Stream Analytics project consists of three folders: **Inputs**, **Outputs**, and **Functions**. It also has the query script **(*.asaql)**, a **JobConfig.json** file, and an **asaproj.json** configuration file. You may need to select **Explorer** button on the left menu of the Visual Studio Code to see the explorer.

+ :::image type="content" source="./media/quick-create-visual-studio-code/asa-project-files.png" alt-text="Screenshot showing Stream Analytics project files in Visual Studio Code.":::

+ > [!Note]

+ > When you're adding inputs and outputs from the command palette, the corresponding paths are added to **asaproj.json** automatically. If you add or remove inputs or outputs on disk directly, you need to manually add or remove them from **asaproj.json**. You can choose to put the inputs and outputs in one place and then reference them in different jobs by specifying the paths in each **asaproj.json** file.

+ :::image type="content" source="./media/quick-create-visual-studio-code/query.png" lightbox="./media/quick-create-visual-studio-code/query.png" alt-text="Screenshot showing the transformation query.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/add-input-from-inputs-folder.png" lightbox="./media/quick-create-visual-studio-code/add-input-from-inputs-folder.png" alt-text="Screenshot showing the ASA: Add input menu in Visual Studio Code.":::

+ Or select **Ctrl+Shift+P** (or **View** -> **Command palette** menu) to open the command palette and enter **ASA: Add Input**.

+ :::image type="content" source="./media/quick-create-visual-studio-code/add-input.png" lightbox="./media/quick-create-visual-studio-code/add-input.png" alt-text="Screenshot showing the ASA: Add input in the command palette of Visual Studio Code.":::

+

+ :::image type="content" source="./media/quick-create-visual-studio-code/iot-hub.png" lightbox="./media/quick-create-visual-studio-code/iot-hub.png" alt-text="Screenshot showing the selection of your IoT hub in VS Code command palette.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/asa-script.png" lightbox="./media/quick-create-visual-studio-code/asa-script.png" alt-text="Screenshot showing the selection of your Stream Analytics script in VS Code command palette.":::

+4. Choose **Select from your Azure Subscriptions** from the drop-down menu, and then press **ENTER**.

+ :::image type="content" source="./media/quick-create-visual-studio-code/add-input-select-subscription.png" lightbox="./media/quick-create-visual-studio-code/add-input-select-subscription.png" alt-text="Screenshot showing the selection of your Azure subscription in VS Code command palette.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/configure-input.png" lightbox="./media/quick-create-visual-studio-code/configure-input.png" alt-text="Screenshot showing the launch of CodeLens feature in VS Code.":::

+ After you select a subscription, **select an IoT hub** if you have multiple hubs in that subscription.

+ :::image type="content" source="./media/quick-create-visual-studio-code/select-iot-hub.png" lightbox="./media/quick-create-visual-studio-code/select-iot-hub.png" alt-text="Screenshot showing the selection of your IoT hub in VS Code.":::

+ > [!IMPORTANT]

+ > Make sure that the name of the input is **Input** as the query expect it.

+2. Choose **Data Lake Storage Gen2/Blob Storage** for the sink type.

+5. Edit **BlobStorage** by using the following values. Keep default values for fields not mentioned here. Use the **CodeLens** feature to help you select an Azure subscription and storage account name from a drop-down list or manually enter values.

+ |Storage Account| &lt;Name of your storage account&gt; |Choose or enter the name of your storage account. Storage account names are automatically detected if they're created in the same subscription.|

+ :::image type="content" source="./media/quick-create-visual-studio-code/configure-output.png" lightbox="./media/quick-create-visual-studio-code/configure-output.png" alt-text="Screenshot showing the configuration of output for the Stream Analytics job.":::

+ > [!IMPORTANT]

+ > Make sure that the name of the output is **Output** as the query expect it.

+## Compile the script

+Script compilation checks syntax and generates the Azure Resource Manager templates for automatic deployment. There are two ways to trigger script compilation:

+ :::image type="content" source="./media/quick-create-visual-studio-code/compile-script-1.png" lightbox="./media/quick-create-visual-studio-code/compile-script-1.png" alt-text="Screenshot showing the compilation of script option from the command palette.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/compile-script-2.png" lightbox="./media/quick-create-visual-studio-code/compile-script-2.png" alt-text="Screenshot showing the compilation of script option from the Stream Analytics explorer in VS Code.":::

+After compilation, you can see results in the **Output** window. You can find the two generated Azure Resource Manager templates in the **Deploy** subfolder in your project folder. These two files are used for automatic deployment.

+5. Select **Publish to Azure**. You can find the logs in the output window.

+6. When your job is created, you can see it in **Stream Analytics Explorer**. See the image in the next section.

+2. Select **Start** from the **Cloud view** page (OR) right-click the job name in Stream Analytics explorer, and select **Start** from the context menu.

+ :::image type="content" source="./media/quick-create-visual-studio-code/start-asa-job-vs-code.png" lightbox="./media/quick-create-visual-studio-code/start-asa-job-vs-code.png" alt-text="Screenshot showing the Start job button in the Cloud view page.":::

+ :::image type="content" source="./media/quick-create-visual-studio-code/output-files.png" lightbox="./media/quick-create-visual-studio-code/output-files.png" alt-text="Screenshot showing the output file in the Blob container.":::

+ Download and open the file to see output.

+ ```json

+ {"messageId":11,"deviceId":"Raspberry Pi Web Client","temperature":28.165519323167562,"humidity":76.875393581654379,"EventProcessedUtcTime":"2022-09-01T22:53:58.1015921Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:52:57.6250000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:52:57.6290000Z"}}

+ {"messageId":14,"deviceId":"Raspberry Pi Web Client","temperature":29.014941877871451,"humidity":64.93477299527828,"EventProcessedUtcTime":"2022-09-01T22:53:58.2421545Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:53:03.6100000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:53:03.6140000Z"}}

+ {"messageId":17,"deviceId":"Raspberry Pi Web Client","temperature":28.032846241745975,"humidity":66.146114343897338,"EventProcessedUtcTime":"2022-09-01T22:53:58.2421545Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:53:19.5960000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:53:19.5830000Z"}}

+ {"messageId":18,"deviceId":"Raspberry Pi Web Client","temperature":30.176185593576143,"humidity":72.697359909427419,"EventProcessedUtcTime":"2022-09-01T22:53:58.2421545Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:53:21.6120000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:53:21.6140000Z"}}

+ {"messageId":20,"deviceId":"Raspberry Pi Web Client","temperature":27.851894248213021,"humidity":71.610229530268214,"EventProcessedUtcTime":"2022-09-01T22:53:58.2421545Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:53:25.6270000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:53:25.6140000Z"}}

+ {"messageId":21,"deviceId":"Raspberry Pi Web Client","temperature":27.718624694772238,"humidity":66.540445035685153,"EventProcessedUtcTime":"2022-09-01T22:53:58.2421545Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:53:48.0820000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:53:48.0830000Z"}}

+ {"messageId":22,"deviceId":"Raspberry Pi Web Client","temperature":27.7849054424326,"humidity":74.300662748167085,"EventProcessedUtcTime":"2022-09-01T22:54:09.3393532Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:54:09.2390000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:54:09.2400000Z"}}

+ {"messageId":28,"deviceId":"Raspberry Pi Web Client","temperature":30.839892925680324,"humidity":76.237611741451786,"EventProcessedUtcTime":"2022-09-01T22:54:47.8053253Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:54:47.6180000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:54:47.6150000Z"}}

+ {"messageId":29,"deviceId":"Raspberry Pi Web Client","temperature":30.561040300759053,"humidity":78.3845172058103,"EventProcessedUtcTime":"2022-09-01T22:54:49.8070489Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:54:49.6030000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:54:49.5990000Z"}}

+ {"messageId":31,"deviceId":"Raspberry Pi Web Client","temperature":28.163585438418679,"humidity":60.0511571297096,"EventProcessedUtcTime":"2022-09-01T22:55:25.1528729Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:55:24.9050000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:55:24.9120000Z"}}

+ {"messageId":32,"deviceId":"Raspberry Pi Web Client","temperature":31.00503387156985,"humidity":78.68821066044552,"EventProcessedUtcTime":"2022-09-01T22:55:43.2652127Z","PartitionId":3,"EventEnqueuedUtcTime":"2022-09-01T22:55:43.0480000Z","IoTHub":{"MessageId":null,"CorrelationId":null,"ConnectionDeviceId":"MyASAIoTDevice","ConnectionDeviceGenerationId":"637976642928634103","EnqueuedTime":"2022-09-01T22:55:43.0520000Z"}}

+ ```

+

+This quickstart shows you how to create a Stream Analytics job in the Azure portal. In this quickstart, you define a Stream Analytics job that reads real-time streaming data and filters messages with a temperature greater than 27. Your Stream Analytics job will read data from IoT Hub, transform the data, and write the output data to a container in blob storage. The input data used in this quickstart is generated by a Raspberry Pi online simulator.

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/).

+2. Select **Create a resource**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/create-resource-menu.png" alt-text="Screenshot showing the Create a resource menu.":::

+1. On the **Create a resource** page, select **Internet of Things** > **IoT Hub**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/iot-hub-menu.png" alt-text="Screenshot showing the IoT Hub menu on the Create a resource page.":::

+1. On **IoT Hub** page, follow these steps:

+ 1. For **Subscription**, select your Azure subscription.

+ 1. For **Resource group**, select an existing resource group or create a new resource group.

+ 1. For **IoT hub name**, enter a name for your IoT hub.

+ 1. For **Region**, select the region that's closest to you.

+ 1. Select **Next: Networking** at the bottom of the page.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/create-iot-hub.png" alt-text="Screenshot showing the IoT Hub page for creation.":::

+4. On the **Networking** page, select **Next: Management** at the bottom of the page.

+1. On the **Management** page, for **Pricing and scale tier**, select **F1: Free tier**, if it's still available on your subscription. For more information, see [IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub/).

+1. After the resource (IoT hub) is created, select **Go to resource** to navigate to the IoT Hub page.

+1. On the **IoT Hub** page, select **Devices** on the left menu, and then select **+ Add device**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/add-device-button.png" lightbox="./media/stream-analytics-quick-create-portal/add-device-button.png" alt-text="Screenshot showing the Add device button on the Devices page.":::

+7. Enter a **Device ID** and click **Save**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/add-device-iot-hub.png" alt-text="Screenshot showing the Create a device page.":::

+8. Once the device is created, you should see the device from the **IoT devices** list. Select **Refresh** button on the page if you don't see it.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/device-list.png" lightbox="./media/stream-analytics-quick-create-portal/device-list.png" alt-text="Screenshot showing the list of devices.":::

+1. Select your device from the list.

+1. On the device page, select the copy button next to **Connection string - primary key**, and save it to a notepad to use later.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/save-iot-device-connection-string.png" lightbox="./media/stream-analytics-quick-create-portal/save-iot-device-connection-string.png" alt-text="Screenshot showing the copy button next to device connection string.":::

+2. In the **Create storage account** pane, enter a storage account name, location, and resource group. Choose the same location and resource group as the IoT Hub you created. Then click **Review** at the bottom of the page.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/create-storage-account.png" alt-text="Screenshot showing the Create a storage account page.":::

+3. On the **Review** page, review your settings, and select **Create** to create the account.

+1. After the resource is created, select **Go to resource** to navigate to the **Storage account** page.

+1. On the **Storage account** page, select **Containers** on the left menu, and then select **+ Container**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/add-container-menu.png" alt-text="Screenshot showing the Add container menu on the Containers page.":::

+4. On the **New container** page, provide a name for your container, such as *container1*, and select **Create**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/create-blob-container.png" alt-text="Screenshot showing the **Add container** page.":::

+1. On a separate tab of the same browser window or in a separate browser window, sign in to the [Azure portal](https://portal.azure.com).

+1. On the **New Stream Analytics job** page, follow these steps:

+ 1. For **Subscription**, select your Azure subscription.

+ 1. For **Resource group**, select the same resource that you used earlier in this quickstart.

+ 1. For **Name**, enter a name for the job. Stream Analytics job name can contain alphanumeric characters, hyphens, and underscores only and it must be between 3 and 63 characters long.

+ 1. For **Hosting environment**, confirm that **Cloud** is selected. Stream Analytics jobs can be deployed to cloud or edge. Cloud allows you to deploy to Azure cloud, and the **Edge** option allows you to deploy to an IoT Edge device.

+ 1. For **Stream units**, select **1**. Streaming units represent the computing resources that are required to execute a job. To learn about scaling streaming units, refer to [understanding and adjusting streaming units](stream-analytics-streaming-unit-consumption.md) article.

+ 1. Select **Review + create** at the bottom of the page.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/create-asa-job.png" alt-text="Screenshot showing the **New Stream Analytics job** page.":::

+5. On the **Review + create** page, review settings, and select **Create** to create a Stream Analytics page.

+1. On the deployment page, select **Go to resource** to navigate to the **Stream Analytics job** page.

+In this section, you'll configure an IoT Hub device input to the Stream Analytics job. Use the IoT Hub you created in the previous section of the quickstart.

+1. On the **Stream Analytics job** page, select **Input** under **Job topology** on the left menu.

+1. On the **Inputs** page, select **Add stream input** > **IoT Hub**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/add-input-menu.png" lightbox="./media/stream-analytics-quick-create-portal/add-input-menu.png" alt-text="Screenshot showing the **Inputs** page with **Add stream input** > **IoT Hub** menu selected.**.":::

+3. On the **IoT Hub** page, follow these steps:

+ 1. For **Input alias**, enter **IoTHubInput**.

+ 1. For **Subscription**, select the subscription that has the IoT hub you created earlier. This quickstart assumes that you've created the IoT hub in the same subscription.

+ 1. For **IoT Hub**, select your IoT hub.

+ 1. Select **Save** to save the input settings for the Stream Analytics job.

+

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/configure-asa-input.png" alt-text="Screenshot showing the New input page to enter input IoT hub information.":::

+1. Now, select **Outputs** under **Job topology** on the left menu.

+1. On the **Outputs** page, select **Add** > **Blob storage/ADLS Gen2**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/add-output-menu.png" alt-text="Screenshot showing the **Outputs** page with **Add** -> **Blob storage** option selected on the menu.":::

+1. On the **New output** page for **Blob storage/ADLS Gen2**, follow these steps:

+ 1. For **Output alias**, enter **BlobOutput**.

+ 1. For **Subscription**, select the subscription that has the Azure storage account you created earlier. This quickstart assumes that you've created the Storage account in the same subscription.

+ 1. For **Storage account**, select your Storage account.

+ 1. For **Container**, select your blob container if it isn't already selected.

+ 1. For **Authentication mode**, select **Connection string**.

+ 1. Select **Save** at the bottom of the page to save the output settings.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/configure-asa-output.png" alt-text="Screenshot showing the **New output** page to enter input Azure storage account information.":::

+1. Now, select **Query** under **Job topology** on the left menu.

+1. Enter the following query into the query window. In this example, the query reads the data from IoT Hub and copies it to a new file in the blob.

+1. Select **Save query** on the toolbar.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/add-asa-query.png" lightbox="./media/stream-analytics-quick-create-portal/add-asa-query.png" alt-text="Screenshot showing the **Query** page with the sample query.":::

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/ras-pi-connection-string.png" lightbox="./media/stream-analytics-quick-create-portal/ras-pi-connection-string.png" alt-text="Screenshot showing the **Raspberry Pi Azure IoT Online Simulator** page with the sample query.":::

+1. Return to the job overview page in the Azure portal, and select **Start**.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/start-job-menu.png" alt-text="Screenshot showing the **Overview** page with **Start** button selected.":::

+1. On the **Start job** page, confirm that **Now** is selected for **Job output start time**, and then select **Start** at the bottom of the page.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/start-job-page.png" alt-text="Screenshot showing the **Start job** page.":::

+1. After few minutes, in the portal, find the storage account & the container that you've configured as output for the job. You can now see the output file in the container. The job takes a few minutes to start for the first time, after it's started, it will continue to run as the data arrives.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/output-file-blob-container.png" lightbox="./media/stream-analytics-quick-create-portal/output-file-blob-container.png" alt-text="Screenshot showing the **Container** page with the sample output file.":::

+1. Select the file, and then on the **Blob** page, select **Edit** to view contents in the file.

+ :::image type="content" source="./media/stream-analytics-quick-create-portal/check-asa-results.png" lightbox="./media/stream-analytics-quick-create-portal/check-asa-results.png" alt-text="Screenshot showing the sample output file.":::

+When no longer needed, delete the resource group, the Stream Analytics job, and all related resources. Deleting the job avoids billing the streaming units consumed by the job. If you're planning to use the job in future, you can stop it and restart it later when you need. If you aren't going to continue to use this job, delete all resources created by this quickstart by using the following steps:

+

+The Spark `default` database is available in the serverless SQL pool context as a lake database called `default`.

+ Title: Grant permissions to managed identity in Synapse workspace

+description: An article that explains how to configure permissions for managed identity in Azure Synapse workspace.

+> [!NOTE]

+> This workspace managed identity will be referred to as managed identity through the rest of this document.

+An ADLS Gen2 storage account is required to create an Azure Synapse workspace. To successfully launch Spark pools in Azure Synapse workspace, the Azure Synapse managed identity needs the *Storage Blob Data Contributor* role on this storage account. Pipeline orchestration in Azure Synapse also benefits from this role.

+In Azure portal, open the ADLS Gen2 storage account and select **Overview** from the left navigation. You'll only need to assign The *Storage Blob Data Contributor* role at the container or filesystem level. Select **Containers**.

+

+ > [!NOTE]

+ :::image type="content" source="../../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of the add role assignment page in the Azure portal.":::

+You should see your managed identity listed under the **Storage Blob Data Contributor** section with the *Storage Blob Data Contributor* role assigned to it.

+#### Alternative to Storage Blob Data Contributor role

+Instead of granting yourself a Storage Blob Data Contributor role, you can also grant more granular permissions on a subset of files.

+All users who need access to some data in this container also must have EXECUTE permission on all parent folders up to the root (the container).

+Learn more about how to [set ACLs in Azure Data Lake Storage Gen2](../../storage/blobs/data-lake-storage-explorer-acl.md).

+> [!NOTE]

+> Execute permission on the container level must be set within Data Lake Storage Gen2.

+> Permissions on the folder can be set within Azure Synapse.

+If you want to query data2.csv in this example, the following permissions are needed:

+ - Execute permission on container

+ - Execute permission on folder1

+ - Read permission on data2.csv

+1. Sign in to Azure Synapse with an admin user that has full permissions on the data you want to access.

+1. In the data pane, right-click the file and select **Manage access**.

+ :::image type="content" source="../sql/media/resources-self-help-sql-on-demand/manage-access.png" alt-text="Screenshot that shows the manage access option.":::

+1. Select at least **Read** permission. Enter the user's UPN or object ID, for example, user@contoso.com. Select **Add**.

+1. Grant read permission for this user.

+ :::image type="content" source="../sql/media/resources-self-help-sql-on-demand/grant-permission.png" alt-text="Screenshot that shows granting read permissions.":::

+> [!NOTE]

+> For guest users, this step needs to be done directly with Azure Data Lake because it can't be done directly through Azure Synapse.

+- [Best practices for dedicated SQL pools](../sql/best-practices-dedicated-sql-pool.md)

+- [Troubleshoot serverless SQL pool in Azure Synapse Analytics](../sql/resources-self-help-sql-on-demand.md)

+- [Azure Synapse Analytics frequently asked questions](../overview-faq.yml)

+ Title: "Tutorial load data from Azure Data Lake Storage"

+* A Data Lake Storage account. See [Get started with Azure Data Lake Storage](../../data-lake-store/data-lake-store-get-started-portal.md?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json). For this storage account, you will need to configure or specify one of the following credentials to load: A storage account key, shared access signature (SAS) key, an Azure Directory Application user, or an Azure AD user that has the appropriate Azure role to the storage account.

+* Currently, ingesting data using the COPY command into an Azure Storage account that is using the new [Azure Storage DNS partition feature](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466) results in an error. Provision a storage account in a subscription that does not use DNS partitioning for this tutorial.

+Connect to your dedicated SQL pool and create the target table you will load to. In this example, we are creating a product dimension table.

+COPY INTO [dbo].[DimProduct]

+--The column list allows you map, omit, or reorder input file columns to target table columns.

+ ProductKey default -1 1,

+ ProductLabel default 'myStringDefaultWhenNull' 2,

+ ProductName default 'myStringDefaultWhenNull' 3

+WITH

+- [COPY quickstart for a single table](./quickstart-bulk-load-copy-tsql.md)

+| Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456) | This error occurs when an Azure AD user tries to connect to the `master` database, but does not have a user in `master`. To correct this issue, either specify the dedicated SQL pool (formerly SQL DW) you wish to connect to at connection time or add the user to the `master` database. For more information, see [Security overview](sql-data-warehouse-overview-manage-security.md). |

+| The server principal "MyUserName" is not able to access the database `master` under the current security context. Cannot open user default database. Login failed. Login failed for user 'MyUserName'. (Microsoft SQL Server, Error: 916) | This error occurs when an Azure AD user tries to connect to the `master` database, but does not have a user in `master`. To correct this issue, either specify the dedicated SQL pool (formerly SQL DW) you wish to connect to at connection time or add the user to the `master` database. For more information, see [Security overview](sql-data-warehouse-overview-manage-security.md). |

+| Blocked by Firewall | Dedicated SQL pools (formerly SQL DW) are protected by firewalls to ensure only known IP addresses have access to a database. The firewalls are secure by default, which means that you must explicitly enable and IP address or range of addresses before you can connect. To configure your firewall for access, follow the steps in [Configure server firewall access for your client IP](create-data-warehouse-portal.md) in the [Provisioning instructions](create-data-warehouse-portal.md). |

+|Msg 105208, Level 16, State 1, Line 1 COPY statement failed with the following error when validating value of option 'FROM': '105200;COPY statement failed because the value for option 'FROM' is invalid.'|Currently, ingesting data using the COPY command into an Azure Storage account that is using the new DNS partitioning feature results in an error. DNS partition feature enables customers to create up to 5000 storage accounts per subscription. To resolve, provision a storage account in a subscription that does not use the new [Azure Storage DNS partition feature](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466) (currently in Public Preview).|

+| `tempdb` space issues | [Monitor TempDB](sql-data-warehouse-manage-monitor.md#monitor-tempdb) space usage. Common causes for running out of `tempdb` space are:<br>- Not enough resources allocated to the query causing data to spill to `tempdb`. See [Workload management](resource-classes-for-workload-management.md) <br>- Statistics are missing or out of date causing excessive data movement. See [Maintaining table statistics](sql-data-warehouse-tables-statistics.md) for details on how to create statistics<br>- `tempdb` space is allocated per service level. [Scaling your dedicated SQL pool (formerly SQL DW)](sql-data-warehouse-manage-compute-overview.md#scaling-compute) to a higher DWU setting allocates more `tempdb` space.|

+| Poor query performance as a result of poor index quality | Some times queries can slow down because of [Poor columnstore index quality](sql-data-warehouse-tables-index.md#causes-of-poor-columnstore-index-quality). For more information, see [Rebuild indexes to improve segment quality](sql-data-warehouse-tables-index.md#rebuild-indexes-to-improve-segment-quality). |

+| Help with managing tables | See the [Table overview](sql-data-warehouse-tables-overview.md) article for help with managing your tables. For more information, see [Table data types](sql-data-warehouse-tables-data-types.md), [Distributing a table](sql-data-warehouse-tables-distribute.md), [Indexing a table](sql-data-warehouse-tables-index.md), [Partitioning a table](sql-data-warehouse-tables-partition.md), [Maintaining table statistics](sql-data-warehouse-tables-statistics.md) and [Temporary tables](sql-data-warehouse-tables-temporary.md). |

+description: Recommendations and best practices for working with serverless SQL pool.

+> [!TIP]

+Make sure your Azure Cosmos DB analytical storage is placed in the same region as an Azure Synapse workspace. Cross-region queries might cause huge latencies. Use the region property in the connection string to explicitly specify the region where the analytical store is placed (see [Query Azure Cosmos DB by using serverless SQL pool](query-cosmos-db-analytical-store.md#overview)): `account=<database account name>;database=<database name>;region=<region name>'`

+The data types you use in your query affect performance and concurrency. You can get better performance if you follow these guidelines:

+```sql

+ SELECT

+ FROM

+ OPENROWSET(

+ BULK ''https://sqlondemandstorage.blob.core.windows.net/parquet/taxi/*/*/*'',

+ FORMAT=''PARQUET''

+ ) AS nyc';

+```sql

+FROM

+ OPENROWSET(

+ BULK 'https://azureopendatastorage.blob.core.windows.net/nyctlc/yellow/puYear=2018/puMonth=*/*.snappy.parquet',

+ FORMAT='PARQUET'

+ )

+ WITH (

+ vendorID varchar(4), -- we used length of 4 instead of the inferred 8000

+ tpepPickupDateTime datetime2,

+ passengerCount int

+ ) AS nyc;

+> [!TIP]

+## Query Azure data

+Serverless SQL pools enable you to query data in Azure Storage or Azure Cosmos DB by using [external tables and the OPENROWSET function](develop-storage-files-overview.md). Make sure that you have proper [permission set up](develop-storage-files-overview.md#permissions) on your storage.

+### Query CSV data

+Learn how to [query a single CSV file](query-single-csv-file.md) or [folders and multiple CSV files](query-folders-multiple-csv-files.md). You can also [query partitioned files](query-specific-files.md)

+### Query Parquet data

+Learn how to [query Parquet files](query-parquet-files.md) with [nested types](query-parquet-nested-types.md). You can also [query partitioned files](query-specific-files.md).

+### Query Delta Lake

+Learn how to [query Delta Lake files](query-delta-lake-format.md) with [nested types](query-parquet-nested-types.md).

+### Query Azure Cosmos DB data

+Learn how to [query Azure Cosmos DB analytical store](query-cosmos-db-analytical-store.md). You can use an [online generator](https://htmlpreview.github.io/?https://github.com/Azure-Samples/Synapse/blob/main/SQL/tools/cosmosdb/generate-openrowset.html) to generate the WITH clause based on a sample Azure Cosmos DB document. You can [create views](create-use-views.md#cosmosdb-view) on top of Azure Cosmos DB containers.

+### Query JSON data

+Learn how to [query JSON files](query-json-files.md). You can also [query partitioned files](query-specific-files.md).

+### Create views, tables, and other database objects

+Learn how to create and use [views](create-use-views.md) and [external tables](create-use-external-tables.md) or set up [row-level security](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/how-to-implement-row-level-security-in-serverless-sql-pools/ba-p/2354759).

+If you have [partitioned files](query-specific-files.md), make sure you use [partitioned views](create-use-views.md#partitioned-views).

+### Copy and transform data (CETAS)

+Learn how to [store query results to storage](create-external-table-as-select.md) by using the CETAS command.

+- Review the [troubleshooting serverless SQL pools](resources-self-help-sql-on-demand.md) article for solutions to common problems.

+- If you're working with a dedicated SQL pool rather than serverless SQL pool, see [Best practices for dedicated SQL pools](best-practices-dedicated-sql-pool.md) for specific guidance.

+- [Azure Synapse Analytics frequently asked questions](../overview-faq.yml)

+- [Grant permissions to workspace managed identity](../security/how-to-grant-workspace-managed-identity-permissions.md)

+# Troubleshoot serverless SQL pool in Azure Synapse Analytics

+Instead of [granting yourself a Storage Blob Data Contributor role](../security/how-to-grant-workspace-managed-identity-permissions.md), you can also grant more granular permissions on a subset of files.

+> [!NOTE]

+ :::image type="content" source="./media/resources-self-help-sql-on-demand/manage-access.png" alt-text="Screenshot that shows the manage access option.":::

+ :::image type="content" source="./media/resources-self-help-sql-on-demand/grant-permission.png" alt-text="Screenshot that shows granting read permissions.":::

+> [!NOTE]

+If you are using the Azure Synapse Link for Dataverse to read the linked DataVerse tables, you need to use Azure AD account to access the linked data using the serverless SQL pool. For more information, see [Azure Synapse Link for Dataverse with Azure Data Lake](/powerapps/maker/data-platform/azure-synapse-link-data-lake).

+If you try to use a SQL login to read an external table that is referencing the DataVerse table, you will get the following error: `External table '???' is not accessible because content of directory cannot be listed.`

+from openrowset(BULK 'https://.....core.windows.net/.../_delta_log/*.json',FORMAT='csv', FIELDQUOTE = '0x0b', FIELDTERMINATOR ='0x0b',ROWTERMINATOR = '0x0b')

+If this query fails, the caller doesn't have permission to read the underlying storage files.

+- To optimize your query, see [Performance best practices for serverless SQL pool](./best-practices-serverless-sql-pool.md).

+Unclosed quotation mark after the character string

+The error "Could not allocate tempdb space while transferring data from one distribution to another" is returned when the query execution engine can't process data and transfer it between the nodes that are executing the query. It's a special case of the generic [query fails because it cannot be executed due to current resource constraints](#query-fails-because-it-cant-be-executed-due-to-current-resource-constraints) error. This error is returned when the resources allocated to the `tempdb` database are insufficient to run the query.

+Id,first name,

+ )

+ [ID] SMALLINT,

+ [Text] VARCHAR (1) COLLATE Latin1_General_BIN2

+```sql

+```sql

+ )

+ [ID] SMALLINT,

+ [Text] VARCHAR (7) COLLATE Latin1_General_BIN2

+`{"READ_OPTIONS":["ALLOW_INCONSISTENT_READS"]}`.

+Id, first name,

+```sql

+ )

+ [ID] SMALLINT,

+ [Firstname] VARCHAR (25) COLLATE Latin1_General_BIN2

+ )

+ [ID] VARCHAR(100),

+ [Firstname] VARCHAR (25) COLLATE Latin1_General_BIN2

+Id, first name,

+> [!TIP]

+Id,first name,

+ )

+ [ID] VARCHAR(100),

+ [Firstname] VARCHAR (25) COLLATE Latin1_General_BIN2

+| ID | Firstname |

+| - |- |

+| 1,Adam | NULL |

+| 2,Bob | NULL |

+| 3,Charles | NULL |

+| 4,David | NULL |

+| 5,Eva | NULL |

+ )

+ [ID] VARCHAR(100),

+ [Firstname] VARCHAR (25) COLLATE Latin1_General_BIN2

+```

+| ID | Firstname |

+| - |- |

+| 1 | Adam |

+| 2 | Bob |

+| 3 | Charles |

+| 4 | David |

+| 5 | Eva |

+ PassengerCount INT,

+ SumTripDistance INT,

+SumTripDistance INT,

+ PassengerCount INT,

+ SumTripDistance FLOAT,

+- This issue can also occur with the Delta format. The query might succeed on retry because there's a new version of the table and the deleted file isn't queried again.

+This error can occur when reading data from Azure Synapse Link for Dataverse, when Synapse Link is syncing data to the lake and the data is being queried at the same time. The product group has a goal to improve this behavior.

+### Partitione column returns NULL values

+### <a id="#inserting-value-to-batch-for-column-type-datetime2-failed"></a>Insert value to batch for column type DATETIME2 failed

+Inspect the minimum value in the file by using Spark, and check that some dates are less than 0001-01-03. If you stored the files by using Spark 2.4, the datetime values before are written by using the Julian calendar that isn't aligned with the proleptic Gregorian calendar used in serverless SQL pools.

+deltaTable = DeltaTable.forPath(spark,

+- You can't create objects in `master` and `lakehouse` or Spark databases.

+> [!NOTE]

+If your query fails with the error message "Failed to execute query. Error: CREATE EXTERNAL TABLE/DATA SOURCE/DATABASE SCOPED CREDENTIAL/FILE FORMAT is not supported in master database," it means that the `master` database in serverless SQL pool doesn't support the creation of:

+ 1. Execute a CREATE statement in the context of <DATABASE_NAME>, which failed earlier for the `master` database.

+ CREATE EXTERNAL FILE FORMAT [SynapseParquetFormat]

+If you're trying to create SQL objects, users, or change permissions in a database, you might get errors like "Operation is not allowed for a replicated database." This error might be returned when you try to modify a Lake database that's [shared with Spark pool](../metadat). The Lake databases that are replicated from the Apache Spark pool are managed by Synapse and you cannot create objects like in SQL Databases by using T-SQL.

+### <a id="resolving-azure-cosmos-db-path-has-failed-with-error"></a>Resolve: Azure Cosmos DB path has failed with error

+### <a id="#resolving-delta-logs-failed"></a>Resolve Delta logs failed

+The following error indicates that serverless SQL pool cannot resolve Delta logs: `Resolving Delta logs on path '%ls' failed with error: Cannot parse json object from log folder.`

+The most common cause is that `last_checkpoint_file` in `_delta_log` folder is larger than 200 bytes due to the `checkpointSchema` field added in Spark 3.3.

+Following a longer period of inactivity, serverless SQL pool will be deactivated. The activation happens automatically on the first next activity, such as the first connection attempt. The activation process might take a bit longer than a single connection attempt interval, so the error message is displayed. Retrying the connection attempt should be enough.

+If you want to create a role assignment for a service principal identifier (SPI) or Azure AD app by using another SPI, or you've already created one and it fails to sign in, you'll probably receive the following error: `Login error: Login failed for user '<token-identified principal>'.`

+For service principals, sign-in should be created with an application ID as a security ID (SID) not with an object ID. There's a known limitation for service principals, which prevents Azure Synapse from fetching the application ID from Microsoft Graph when it creates a role assignment for another SPI or app.

+The solution is to use the cmdlet `New-AzSynapseRoleAssignment` with `-ObjectId "parameter"`. In that parameter field, provide the application ID instead of the object ID by using the workspace admin Azure service principal credentials.

+## Next steps

+- [Best practices for serverless SQL pool in Azure Synapse Analytics](best-practices-serverless-sql-pool.md)

+- [Azure Synapse Analytics frequently asked questions](../overview-faq.yml)

+- [Store query results to storage using serverless SQL pool in Azure Synapse Analytics](create-external-table-as-select.md)

+| **SAP S/4HANA 2021, Fully-Activated Appliance** December 20 2021 | [Create Appliance](https://cal.sap.com/registration?sguid=b8a9077c-f0f7-47bd-977c-70aa6a6a2aa7&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+|This appliance contains SAP S/4HANA 2021 (SP00) with pre-activated SAP Best Practices for SAP S/4HANA core functions, and further scenarios for Service, Master Data Governance (MDG), Transportation Mgmt. (TM), Portfolio Mgmt. (PPM), Human Capital Management (HCM), Analytics, Migration Cockpit, and more. User access happens via SAP Fiori, SAP GUI, SAP HANA Studio, Windows remote desktop, or the backend operating system for full administrative access. | [Details]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/b8a9077c-f0f7-47bd-977c-70aa6a6a2aa7) |

+This is important step to optimize the integration with the cluster and improve the detection when a cluster failover is needed. It is highly recommended to configure the SAPHanaSR Python hook.

+1. **[A]** Install the SAP HANA resource agents on **all nodes**. Make sure to enable a repository that contains the package. You don't need to enable additional repositories, if using RHEL 8.x HA-enabled image.

+ ```bash

+ # Enable repository that contains SAP HANA resource agents

+ sudo subscription-manager repos --enable="rhel-sap-hana-for-rhel-7-server-rpms"

+

+ sudo yum install -y resource-agents-sap-hana

+ ```

+2. **[A]** Install the HANA "system replication hook". The hook needs to be installed on both HANA DB nodes.

+ > The Python hook can only be implemented for HANA 2.0.

+3. **[A]** The cluster requires sudoers configuration on each cluster node for <sid\>adm. In this example that is achieved by creating a new file. Execute the commands as `root`.

+4. **[A]** Start SAP HANA on both nodes. Execute as <sid\>adm.

+5. **[1]** Verify the hook installation. Execute as <sid\>adm on the active HANA system replication site.

+## Create SAP HANA cluster resources

+Create the HANA topology. Run the following commands on one of the Pacemaker cluster nodes:

+This article provides guidance on how to troubleshoot and resolve common outbound connectivity issues with your NAT gateway resource, as well as best practices on how to design applications to use outbound connections efficiently.

+Common SNAT exhaustion issues with NAT gateway typically have to do with the configurations on the NAT gateway, such as:

+Each public IP address provides 64,512 SNAT ports for connecting outbound with NAT gateway. From those available SNAT ports, NAT gateway can support up to 50,000 concurrent connections to the same destination endpoint. If outbound connections are dropping because SNAT ports are being exhausted, then NAT gateway may not be scaled out enough to handle the workload. Additional Public IP addresses on NAT gateway may be required in order to provide more SNAT ports for outbound connectivity.

+The table below describes two common outbound connectivity failure scenarios due to scalability issues as well as how to validate and mitigate these issues:

+| You're experiencing contention for SNAT ports and SNAT port exhaustion during periods of high usage. | You run the following [metrics](nat-metrics.md) in Azure Monitor: **Total SNAT Connection**: "Sum" aggregation shows high connection volume. "Failed" connection state shows transient or persistent failures over time. **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume. | Add more public IP addresses or public IP prefixes as need (assign up to 16 IP addresses in total to your NAT gateway). This addition will provide more SNAT port inventory and allow you to scale your scenario further. |

+| You've already assigned 16 IP addresses to your NAT gateway and still are experiencing SNAT port exhaustion. | Attempt to add more IP addresses fails. Total number of IP addresses from public IP address or public IP prefix resources exceeds a total of 16. | Distribute your application environment across multiple subnets and provide a NAT gateway resource for each subnet. |

+>It is important to understand why SNAT exhaustion occurs. Make sure you are using the right patterns for scalable and reliable scenarios. Adding more SNAT ports to a scenario without understanding the cause of the demand should be a last resort. If you do not understand why your scenario is applying pressure on SNAT port inventory, adding more SNAT portsby adding more IP addresses will only delay the same exhaustion failure as your application scales. You may be masking other inefficiencies and anti-patterns. See [best practices for efficient use of outbound connections](#best-practices-for-efficient-use-of-outbound-connections) for additional guidance.

+The NAT gateway TCP idle timeout timer is set to 4 minutes by default but is configurable up to 120 minutes. If the timer is setting is set to a higher value than the default, NAT gateway will hold on to flows longer, and can create [extra pressure on SNAT port inventory](/azure/virtual-network/nat-gateway/nat-gateway-resource#timers). The table below describes a scenario where a long TCP idle timeout timer is causing SNAT exhaustion and provides possible mitigation steps to take:

+| You want to ensure that TCP connections stay active for long periods of time without going idle and timing out. You increase the TCP idle timeout timer setting. After a period of time, you start to notice that connection failures occur more often. You suspect that you may be exhausting your inventory of SNAT ports since connections are holding on to them longer. | You check the following [NAT gateway metrics](nat-metrics.md) in Azure Monitor to determine if SNAT port exhaustion is happening: **Total SNAT Connection**: "Sum" aggregation shows high connection volume. "Failed" connection state shows transient or persistent failures over time. **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume. | You have a few possible mitigation steps that you can take to resolve SNAT port exhaustion: </br></br> **Reduce the TCP idle timeout** to a lower value to free up SNAT port inventory earlier. The TCP idle timeout timer can't be set lower than 4 minutes. </br></br> Consider **[asynchronous polling patterns](/azure/architecture/patterns/async-request-reply)** to free up connection resources for other operations. </br></br> **Use TCP keepalives or application layer keepalives** to avoid intermediate systems timing out. For examples, see [.NET examples](/dotnet/api/system.net.servicepoint.settcpkeepalive). </br></br> For connections to Azure PaaS services, use **[Private Link](../../private-link/private-link-overview.md)**. Private Link eliminates the need to use public IPs of your NAT gateway, which frees up more SNAT ports for outbound connections to the internet. |

+As described in the [TCP timers](#tcp-idle-timeout-timers-set-higher-than-the-default-value) section above, TCP keepalives should be used to refresh idle flows and reset the idle timeout. TCP keepalives only need to be enabled from one side of a connection in order to keep a connection alive from both sides. When a TCP keepalive is sent from one side of a connection, the other side automatically sends an ACK packet. The idle timeout timer is then reset on both sides of the connection. To learn more, see [Timer considerations](/azure/virtual-network/nat-gateway/nat-gateway-resource#timer-considerations).

+| You notice that UDP traffic is dropping connections that need to be maintained for long periods of time. | You check the following [NAT gateway metrics](nat-metrics.md) in Azure Monitor, **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume. | A few possible mitigation steps that can be taken: - **Enable UDP keepalives**. Keep in mind that when a UDP keepalive is enabled, it's only active for one direction in a connection, so the connection can still time out from going idle on the other side of a connection. To prevent a UDP connection from idle time-out, UDP keepalives should be enabled for both directions in a connection flow. - **Application layer keepalives** can also be used to refresh idle flows and reset the idle timeout. Check the server side for what options exist for application specific keepalives. |

+Use NAT gateway [metrics](nat-metrics.md) in Azure monitor to diagnose connection issues:

+* Check for [SNAT exhaustion](#snat-exhaustion-due-to-nat-gateway-configuration).