-This guide provides key concepts and instructions for containerization of Linux apps in App Service. If are new to Azure App Service, follow the [custom container quickstart](quickstart-custom-container.md) and [tutorial](tutorial-custom-container.md) first. There's also a [multi-container app quickstart](quickstart-multi-container.md) and [tutorial](tutorial-multi-container-app.md). For sidecar containers (preview), see [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md).

-> [Tutorial: Multi-container WordPress app](tutorial-multi-container-app.md)

-description: Take the first steps toward working with Azure App Service. This is a longer description that meets the length requirement.

-| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add SSL certificate](./configure-ssl-certificate.md)|

-| **Connect to a database** | - [.NET with Azure SQL Database](./app-service-web-tutorial-dotnet-sqldatabase.md)<br>- [.NET Core with Azure SQL DB](./tutorial-dotnetcore-sqldb-app.md)|

-| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add SSL certificate](./configure-ssl-certificate.md)|

-| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add SSL certificate](./configure-ssl-certificate.md)|

-| **Custom containers** |- [Multi-container](./quickstart-multi-container.md)<br>- [Sidecar containers](tutorial-custom-container-sidecar.md)|

-description: Get started with multi-container apps on Azure App Service by deploying your first multi-container app.

-keywords: azure app service, web app, linux, docker, compose, multicontainer, multi-container, web app for containers, multiple containers, container, wordpress, azure db for mysql, production database with containers

-# Create a multi-container (preview) app using a Docker Compose configuration

-> [!NOTE]

-> Sidecar containers (preview) will succeed multi-container apps in App Service. To get started, see [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md).

-[Web App for Containers](overview.md#app-service-on-linux) provides a flexible way to use Docker images. This quickstart shows how to deploy a multi-container app (preview) to Web App for Containers in the [Cloud Shell](../cloud-shell/overview.md) using a Docker Compose configuration.

-![Sample multi-container app on Web App for Containers][1]

-This article requires version 2.0.32 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

-## Download the sample

-For this quickstart, you use the compose file from [Docker](https://docs.docker.com/samples/wordpress/). The configuration file can be found at [Azure Samples](https://github.com/Azure-Samples/multicontainerwordpress).

-[!code-yml[Main](../../azure-app-service-multi-container/docker-compose-wordpress.yml)]

-In the Cloud Shell, create a quickstart directory and then change to it.

-```bash

-mkdir quickstart

-cd $HOME/quickstart

-```

-Next, run the following command to clone the sample app repository to your quickstart directory. Then change to the `multicontainerwordpress` directory.

-```bash

-git clone https://github.com/Azure-Samples/multicontainerwordpress

-cd multicontainerwordpress

-```

-## Create a resource group

-In the Cloud Shell, create a resource group with the [`az group create`](/cli/azure/group#az-group-create) command. The following example creates a resource group named *myResourceGroup* in the *South Central US* location. To see all supported locations for App Service on Linux in **Standard** tier, run the [`az appservice list-locations --sku S1 --linux-workers-enabled`](/cli/azure/appservice#az-appservice-list-locations) command.

-```azurecli-interactive

-az group create --name myResourceGroup --location "South Central US"

-```

-You generally create your resource group and the resources in a region near you.

-When the command finishes, a JSON output shows you the resource group properties.

-## Create an Azure App Service plan

-In the Cloud Shell, create an App Service plan in the resource group with the [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) command.

-The following example creates an App Service plan named `myAppServicePlan` in the **Standard** pricing tier (`--sku S1`) and in a Linux container (`--is-linux`).

-```azurecli-interactive

-az appservice plan create --name myAppServicePlan --resource-group myResourceGroup --sku S1 --is-linux

-```

-When the App Service plan has been created, the Azure CLI shows information similar to the following example:

-<pre>

-{

- "adminSiteName": null,

- "appServicePlanName": "myAppServicePlan",

- "geoRegion": "South Central US",

- "hostingEnvironmentProfile": null,

- "id": "/subscriptions/0000-0000/resourceGroups/myResourceGroup/providers/Microsoft.Web/serverfarms/myAppServicePlan",

- "kind": "linux",

- "location": "South Central US",

- "maximumNumberOfWorkers": 1,

- "name": "myAppServicePlan",

- &lt; JSON data removed for brevity. &gt;

- "targetWorkerSizeId": 0,

- "type": "Microsoft.Web/serverfarms",

- "workerTierName": null

-}

-</pre>

-## Create a Docker Compose app

-> [!NOTE]

-> Docker Compose on Azure App Services currently has a limit of 4,000 characters when converted to Base64 at this time.

-In your Cloud Shell terminal, create a multi-container [web app](overview.md#app-service-on-linux) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp#az-webapp-create) command. Don't forget to replace _\<app_name>_ with a unique app name (valid characters are `a-z`, `0-9`, and `-`).

-```azurecli

-az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app_name> --multicontainer-config-type compose --multicontainer-config-file compose-wordpress.yml

-```

-When the web app has been created, the Azure CLI shows output similar to the following example:

-<pre>

-{

- "additionalProperties": {},

- "availabilityState": "Normal",

- "clientAffinityEnabled": true,

- "clientCertEnabled": false,

- "cloningInfo": null,

- "containerSize": 0,

- "dailyMemoryTimeQuota": 0,

- "defaultHostName": "&lt;app_name&gt;.azurewebsites.net",

- "enabled": true,

- &lt; JSON data removed for brevity. &gt;

-}

-</pre>

-### Browse to the app

-Browse to the deployed app at (`http://<app_name>.azurewebsites.net`). The app may take a few minutes to load. If you receive an error, allow a few more minutes then refresh the browser.

-![Sample multi-container app on Web App for Containers][1]

-**Congratulations**, you've created a multi-container app in Web App for Containers.

-## Next steps

-> [!div class="nextstepaction"]

-> [Tutorial: Multi-container WordPress app](tutorial-multi-container-app.md)

-> [!div class="nextstepaction"]

-> [Configure a custom container](configure-custom-container.md)

-> [!div class="nextstepaction"]

-> [Secure with custom domain and certificate](tutorial-secure-domain-certificate.md)

-<!--Image references-->

-[1]: media/tutorial-multi-container-app/azure-multi-container-wordpress-install.png

-description: Learn how to use build a multi-container app on Azure App Service that contains a WordPress app and a MySQL container, and configure the WordPress app.

-keywords: azure app service, web app, linux, docker, compose, multicontainer, multi-container, web app for containers, multiple containers, container, wordpress, azure db for mysql, production database with containers

-# Tutorial: Create a multi-container (preview) app in Web App for Containers

-> [!NOTE]

-> Sidecar containers (preview) will succeed multi-container apps in App Service. To get started, see [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md).

-[Web App for Containers](overview.md#app-service-on-linux) provides a flexible way to use Docker images. In this tutorial, you'll learn how to create a multi-container app using WordPress and MySQL. You'll complete this tutorial in Cloud Shell, but you can also run these commands locally with the [Azure CLI](/cli/azure/install-azure-cli) command-line tool (2.0.32 or later).

-In this tutorial, you learn how to:

-> [!div class="checklist"]

-> * Convert a Docker Compose configuration to work with Web App for Containers

-> * Deploy a multi-container app to Azure

-> * Add application settings

-> * Use persistent storage for your containers

-> * Connect to Azure Database for MySQL

-> * Troubleshoot errors

-## Prerequisites

-To complete this tutorial, you need experience with [Docker Compose](https://docs.docker.com/compose/).

-## Download the sample

-For this tutorial, you use the compose file from [Docker](https://docs.docker.com/samples/wordpress/), but you'll modify it to include Azure Database for MySQL, persistent storage, and Redis. The configuration file can be found at [Azure Samples](https://github.com/Azure-Samples/multicontainerwordpress). In the sample below, note that `depends_on` is an **unsupported option** and is ignored. For supported configuration options, see [Docker Compose options](configure-custom-container.md#docker-compose-options).

-[!code-yml[Main](../../azure-app-service-multi-container/docker-compose-wordpress.yml)]

-In Cloud Shell, create a tutorial directory and then change to it.

-```bash

-mkdir tutorial

-cd tutorial

-```

-Next, run the following command to clone the sample app repository to your tutorial directory. Then change to the `multicontainerwordpress` directory.

-```bash

-git clone https://github.com/Azure-Samples/multicontainerwordpress

-cd multicontainerwordpress

-```

-## Create a resource group

-In Cloud Shell, create a resource group with the [`az group create`](/cli/azure/group#az-group-create) command. The following example creates a resource group named *myResourceGroup* in the *South Central US* location. To see all supported locations for App Service on Linux in **Standard** tier, run the [`az appservice list-locations --sku S1 --linux-workers-enabled`](/cli/azure/appservice#az-appservice-list-locations) command.

-```azurecli-interactive

-az group create --name myResourceGroup --location "South Central US"

-```

-You generally create your resource group and the resources in a region near you.

-When the command finishes, a JSON output shows you the resource group properties.

-## Create an Azure App Service plan

-In Cloud Shell, create an App Service plan in the resource group with the [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) command.

-<!-- [!INCLUDE [app-service-plan](app-service-plan-linux.md)] -->

-The following example creates an App Service plan named `myAppServicePlan` in the **Standard** pricing tier (`--sku S1`) and in a Linux container (`--is-linux`).

-```azurecli-interactive

-az appservice plan create --name myAppServicePlan --resource-group myResourceGroup --sku S1 --is-linux

-```

-When the App Service plan has been created, Cloud Shell shows information similar to the following example:

-<pre>

-{

- "adminSiteName": null,

- "appServicePlanName": "myAppServicePlan",

- "geoRegion": "South Central US",

- "hostingEnvironmentProfile": null,

- "id": "/subscriptions/0000-0000/resourceGroups/myResourceGroup/providers/Microsoft.Web/serverfarms/myAppServicePlan",

- "kind": "linux",

- "location": "South Central US",

- "maximumNumberOfWorkers": 1,

- "name": "myAppServicePlan",

- &lt; JSON data removed for brevity. &gt;

- "targetWorkerSizeId": 0,

- "type": "Microsoft.Web/serverfarms",

- "workerTierName": null

-}

-</pre>

-### Docker Compose with WordPress and MySQL containers

-## Create a Docker Compose app

-In your Cloud Shell, create a multi-container [web app](overview.md) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp#az-webapp-create) command. Don't forget to replace _\<app-name>_ with a unique app name.

-```azurecli-interactive

-az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app-name> --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml

-```

-When the web app has been created, Cloud Shell shows output similar to the following example:

-<pre>

-{

- "additionalProperties": {},

- "availabilityState": "Normal",

- "clientAffinityEnabled": true,

- "clientCertEnabled": false,

- "cloningInfo": null,

- "containerSize": 0,

- "dailyMemoryTimeQuota": 0,

- "defaultHostName": "&lt;app-name&gt;.azurewebsites.net",

- "enabled": true,

- &lt; JSON data removed for brevity. &gt;

-}

-</pre>

-### Browse to the app

-Browse to the deployed app at (`http://<app-name>.azurewebsites.net`). The app may take a few minutes to load. If you receive an error, allow a few more minutes then refresh the browser. If you're having trouble and would like to troubleshoot, review [container logs](#find-docker-container-logs).

-![Sample multi-container app on Web App for Containers][1]

-**Congratulations**, you've created a multi-container app in Web App for Containers. Next you'll configure your app to use Azure Database for MySQL. Don't install WordPress at this time.

-## Connect to production database

-It's not recommended to use database containers in a production environment. The local containers aren't scalable. Instead, you'll use Azure Database for MySQL which can be scaled.

-### Create an Azure Database for MySQL server

-Create an Azure Database for MySQL server with the [`az mysql server create`](/cli/azure/mysql/server#az-mysql-server-create) command.

-In the following command, substitute your MySQL server name where you see the _&lt;mysql-server-name>_ placeholder (valid characters are `a-z`, `0-9`, and `-`). This name is part of the MySQL server's hostname (`<mysql-server-name>.database.windows.net`), it needs to be globally unique.

-```azurecli-interactive

-az mysql server create --resource-group myResourceGroup --name <mysql-server-name> --location "South Central US" --admin-user adminuser --admin-password My5up3rStr0ngPaSw0rd! --sku-name B_Gen5_1 --version 5.7

-```

-Creating the server may take a few minutes to complete. When the MySQL server is created, Cloud Shell shows information similar to the following example:

-<pre>

-{

- "administratorLogin": "adminuser",

- "administratorLoginPassword": null,

- "fullyQualifiedDomainName": "&lt;mysql-server-name&gt;.database.windows.net",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers/&lt;mysql-server-name&gt;",

- "location": "southcentralus",

- "name": "&lt;mysql-server-name&gt;",

- "resourceGroup": "myResourceGroup",

- ...

-}

-</pre>

-### Configure server firewall

-Create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule#az-mysql-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.

-```azurecli-interactive

-az mysql server firewall-rule create --name allAzureIPs --server <mysql-server-name> --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0

-```

-> [!TIP]

-> You can be even more restrictive in your firewall rule by [using only the outbound IP addresses your app uses](overview-inbound-outbound-ips.md#find-outbound-ips).

->

-### Create the WordPress database

-```azurecli-interactive

-az mysql db create --resource-group myResourceGroup --server-name <mysql-server-name> --name wordpress

-```

-When the database has been created, Cloud Shell shows information similar to the following example:

-<pre>

-{

- "additionalProperties": {},

- "charset": "latin1",

- "collation": "latin1_swedish_ci",

- "id": "/subscriptions/12db1644-4b12-4cab-ba54-8ba2f2822c1f/resourceGroups/myResourceGroup/providers/Microsoft.DBforMySQL/servers/&lt;mysql-server-name&gt;/databases/wordpress",

- "name": "wordpress",

- "resourceGroup": "myResourceGroup",

- "type": "Microsoft.DBforMySQL/servers/databases"

-}

-</pre>

-### Configure database variables in WordPress

-To connect the WordPress app to this new MySQL server, you'll configure a few WordPress-specific environment variables, including the SSL CA path defined by `MYSQL_SSL_CA`. The [Baltimore CyberTrust Root](https://www.digicert.com/digicert-root-certificates.htm) from [DigiCert](https://www.digicert.com/) is provided in the [custom image](#use-a-custom-image-for-mysql-tlsssl-and-other-configurations) below.

-To make these changes, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated.

-```azurecli-interactive

-az webapp config appsettings set --resource-group myResourceGroup --name <app-name> --settings WORDPRESS_DB_HOST="<mysql-server-name>.mysql.database.azure.com" WORDPRESS_DB_USER="adminuser" WORDPRESS_DB_PASSWORD="My5up3rStr0ngPaSw0rd!" WORDPRESS_DB_NAME="wordpress" MYSQL_SSL_CA="BaltimoreCyberTrustroot.crt.pem"

-```

-When the app setting has been created, Cloud Shell shows information similar to the following example:

-<pre>

-[

- {

- "name": "WORDPRESS_DB_HOST",

- "slotSetting": false,

- "value": "&lt;mysql-server-name&gt;.mysql.database.azure.com"

- },

- {

- "name": "WORDPRESS_DB_USER",

- "slotSetting": false,

- "value": "adminuser"

- },

- {

- "name": "WORDPRESS_DB_NAME",

- "slotSetting": false,

- "value": "wordpress"

- },

- {

- "name": "WORDPRESS_DB_PASSWORD",

- "slotSetting": false,

- "value": "My5up3rStr0ngPaSw0rd!"

- },

- {

- "name": "MYSQL_SSL_CA",

- "slotSetting": false,

- "value": "BaltimoreCyberTrustroot.crt.pem"

- }

-]

-</pre>

-For more information on environment variables, see [Configure environment variables](configure-custom-container.md#configure-environment-variables).

-### Use a custom image for MySQL TLS/SSL and other configurations

-By default, TLS/SSL is used by Azure Database for MySQL. WordPress requires additional configuration to use TLS/SSL with MySQL. The WordPress 'official image' doesn't provide the additional configuration, but a [custom image](https://github.com/Azure-Samples/multicontainerwordpress) has been prepared for your convenience. In practice, you would add desired changes to your own image.

-The custom image is based on the 'official image' of [WordPress from Docker Hub](https://hub.docker.com/_/wordpress/). The following changes have been made in this custom image for Azure Database for MySQL:

-* [Adds Baltimore Cyber Trust Root Certificate file for SSL to MySQL.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L61)

-* [Uses App Setting for MySQL SSL Certificate Authority certificate in WordPress wp-config.php.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L163)

-* [Adds WordPress define for MYSQL_CLIENT_FLAGS needed for MySQL SSL.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L164)

-The following changes have been made for Redis (to be used in a later section):

-* [Adds PHP extension for Redis v4.0.2.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/Dockerfile#L35)

-* [Adds unzip needed for file extraction.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L71)

-* [Adds Redis Object Cache 1.3.8 WordPress plugin.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L74)

-* [Uses App Setting for Redis host name in WordPress wp-config.php.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L162)

-To use the custom image, you'll update your docker-compose-wordpress.yml file. In Cloud Shell, open a text editor and change the `image: wordpress` to use `image: mcr.microsoft.com/azuredocs/multicontainerwordpress`. You no longer need the database container. Remove the `db`, `environment`, `depends_on`, and `volumes` section from the configuration file. Your file should look like the following code:

-```yaml

-version: '3.3'

- wordpress:

- image: mcr.microsoft.com/azuredocs/multicontainerwordpress

- ports:

- - "8000:80"

- restart: always

-```

-### Update app with new configuration

-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az-webapp-config-container-set) command. Don't forget to replace _\<app-name>_ with the name of the web app you created earlier.

-```azurecli-interactive

-az webapp config container set --resource-group myResourceGroup --name <app-name> --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml

-```

-When the app has been reconfigured, Cloud Shell shows information similar to the following example:

-<pre>

-[

- {

- "name": "DOCKER_CUSTOM_IMAGE_NAME",

- "value": "COMPOSE|dmVyc2lvbjogJzMuMycKCnNlcnZpY2VzOgogICB3b3JkcHJlc3M6CiAgICAgaW1hZ2U6IG1zYW5nYXB1L3dvcmRwcmVzcwogICAgIHBvcnRzOgogICAgICAgLSAiODAwMDo4MCIKICAgICByZXN0YXJ0OiBhbHdheXM="

- }

-]

-</pre>

-### Browse to the app

-Browse to the deployed app at (`http://<app-name>.azurewebsites.net`). The app is now using Azure Database for MySQL.

-![Sample multicontainer app on Web App for Containers][1]

-## Add persistent storage

-Your multi-container is now running in Web App for Containers. However, if you install WordPress now and restart your app later, you'll find that your WordPress installation is gone. This happens because your Docker Compose configuration currently points to a storage location inside your container. The files installed into your container don't persist beyond app restart. In this section, you'll [add persistent storage](configure-custom-container.md#use-persistent-shared-storage) to your WordPress container.

-### Configure environment variables

-To use persistent storage, you'll enable this setting within App Service. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated.

-```azurecli-interactive

-az webapp config appsettings set --resource-group myResourceGroup --name <app-name> --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=TRUE

-```

-When the app setting has been created, Cloud Shell shows information similar to the following example:

-<pre>

-[

- &lt; JSON data removed for brevity. &gt;

- {

- "name": "WORDPRESS_DB_NAME",

- "slotSetting": false,

- "value": "wordpress"

- },

- {

- "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",

- "slotSetting": false,

- "value": "TRUE"

- }

-]

-</pre>

-### Modify configuration file

-In the Cloud Shell, open the file `docker-compose-wordpress.yml` in a text editor.

-The `volumes` option maps the file system to a directory within the container. `${WEBAPP_STORAGE_HOME}` is an environment variable in App Service that is mapped to persistent storage for your app. You'll use this environment variable in the volumes option so that the WordPress files are installed into persistent storage instead of the container. Make the following modifications to the file:

-In the `wordpress` section, add a `volumes` option so it looks like the following code:

-```yaml

-version: '3.3'

- wordpress:

- image: mcr.microsoft.com/azuredocs/multicontainerwordpress

- volumes:

- - ${WEBAPP_STORAGE_HOME}/site/wwwroot:/var/www/html

- ports:

- - "8000:80"

- restart: always

-```

-### Update app with new configuration

-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az-webapp-config-container-set) command. Don't forget to replace _\<app-name>_ with a unique app name.

-```azurecli-interactive

-az webapp config container set --resource-group myResourceGroup --name <app-name> --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml

-```

-After your command runs, it shows output similar to the following example:

-<pre>

-[

- {

- "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",

- "slotSetting": false,

- "value": "TRUE"

- },

- {

- "name": "DOCKER_CUSTOM_IMAGE_NAME",

- "value": "COMPOSE|dmVyc2lvbjogJzMuMycKCnNlcnZpY2VzOgogICBteXNxbDoKICAgICBpbWFnZTogbXlzcWw6NS43CiAgICAgdm9sdW1lczoKICAgICAgIC0gZGJfZGF0YTovdmFyL2xpYi9teXNxbAogICAgIHJlc3RhcnQ6IGFsd2F5cwogICAgIGVudmlyb25tZW50OgogICAgICAgTVlTUUxfUk9PVF9QQVNTV09SRDogZXhhbXBsZXBhc3MKCiAgIHdvcmRwcmVzczoKICAgICBkZXBlbmRzX29uOgogICAgICAgLSBteXNxbAogICAgIGltYWdlOiB3b3JkcHJlc3M6bGF0ZXN0CiAgICAgcG9ydHM6CiAgICAgICAtICI4MDAwOjgwIgogICAgIHJlc3RhcnQ6IGFsd2F5cwogICAgIGVudmlyb25tZW50OgogICAgICAgV09SRFBSRVNTX0RCX1BBU1NXT1JEOiBleGFtcGxlcGFzcwp2b2x1bWVzOgogICAgZGJfZGF0YTo="

- }

-]

-</pre>

-### Browse to the app

-Browse to the deployed app at (`http://<app-name>.azurewebsites.net`).

-The WordPress container is now using Azure Database for MySQL and persistent storage.

-## Add Redis container

- The WordPress 'official image' does not include the dependencies for Redis. These dependencies and additional configuration needed to use Redis with WordPress have been prepared for you in this [custom image](https://github.com/Azure-Samples/multicontainerwordpress). In practice, you would add desired changes to your own image.

-The custom image is based on the 'official image' of [WordPress from Docker Hub](https://hub.docker.com/_/wordpress/). The following changes have been made in this custom image for Redis:

-* [Adds PHP extension for Redis v4.0.2.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/Dockerfile#L35)

-* [Adds unzip needed for file extraction.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L71)

-* [Adds Redis Object Cache 1.3.8 WordPress plugin.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L74)

-* [Uses App Setting for Redis host name in WordPress wp-config.php.](https://github.com/Azure-Samples/multicontainerwordpress/blob/5669a89e0ee8599285f0e2e6f7e935c16e539b92/docker-entrypoint.sh#L162)

-Add the redis container to the bottom of the configuration file so it looks like the following example:

-```yaml

-version: '3.3'

- wordpress:

- image: mcr.microsoft.com/azuredocs/multicontainerwordpress

- ports:

- - "8000:80"

- restart: always

- redis:

- image: mcr.microsoft.com/oss/bitnami/redis:6.0.8

- environment:

- - ALLOW_EMPTY_PASSWORD=yes

- restart: always

-```

-### Configure environment variables

-To use Redis, you'll enable this setting, `WP_REDIS_HOST`, within App Service. This is a *required setting* for WordPress to communicate with the Redis host. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated.

-```azurecli-interactive

-az webapp config appsettings set --resource-group myResourceGroup --name <app-name> --settings WP_REDIS_HOST="redis"

-```

-When the app setting has been created, Cloud Shell shows information similar to the following example:

-<pre>

-[

- &lt; JSON data removed for brevity. &gt;

- {

- "name": "WORDPRESS_DB_USER",

- "slotSetting": false,

- "value": "adminuser"

- },

- {

- "name": "WP_REDIS_HOST",

- "slotSetting": false,

- "value": "redis"

- }

-]

-</pre>

-### Update app with new configuration

-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az-webapp-config-container-set) command. Don't forget to replace _\<app-name>_ with a unique app name.

-```azurecli-interactive

-az webapp config container set --resource-group myResourceGroup --name <app-name> --multicontainer-config-type compose --multicontainer-config-file compose-wordpress.yml

-```

-After your command runs, it shows output similar to the following example:

-<pre>

-[

- {

- "name": "DOCKER_CUSTOM_IMAGE_NAME",

- "value": "COMPOSE|dmVyc2lvbjogJzMuMycKCnNlcnZpY2VzOgogICBteXNxbDoKICAgICBpbWFnZTogbXlzcWw6NS43CiAgICAgdm9sdW1lczoKICAgICAgIC0gZGJfZGF0YTovdmFyL2xpYi9teXNxbAogICAgIHJlc3RhcnQ6IGFsd2F5cwogICAgIGVudmlyb25tZW50OgogICAgICAgTVlTUUxfUk9PVF9QQVNTV09SRDogZXhhbXBsZXBhc3MKCiAgIHdvcmRwcmVzczoKICAgICBkZXBlbmRzX29uOgogICAgICAgLSBteXNxbAogICAgIGltYWdlOiB3b3JkcHJlc3M6bGF0ZXN0CiAgICAgcG9ydHM6CiAgICAgICAtICI4MDAwOjgwIgogICAgIHJlc3RhcnQ6IGFsd2F5cwogICAgIGVudmlyb25tZW50OgogICAgICAgV09SRFBSRVNTX0RCX1BBU1NXT1JEOiBleGFtcGxlcGFzcwp2b2x1bWVzOgogICAgZGJfZGF0YTo="

- }

-]

-</pre>

-### Browse to the app

-Browse to the deployed app at (`http://<app-name>.azurewebsites.net`).

-Complete the steps and install WordPress.

-### Connect WordPress to Redis

-Sign in to WordPress admin. In the left navigation, select **Plugins**, and then select **Installed Plugins**.

-![Select WordPress Plugins][2]

-Show all plugins here

-In the plugins page, find **Redis Object Cache** and click **Activate**.

-![Activate Redis][3]

-Click on **Settings**.

-![Click on Settings][4]

-Click the **Enable Object Cache** button.

-![Click the 'Enable Object Cache' button][5]

-WordPress connects to the Redis server. The connection **status** appears on the same page.

-![WordPress connects to the Redis server. The connection **status** appears on the same page.][6]

-**Congratulations**, you've connected WordPress to Redis. The production-ready app is now using **Azure Database for MySQL, persistent storage, and Redis**. You can now scale out your App Service Plan to multiple instances.

-## Find Docker Container logs

-If you run into issues using multiple containers, you can access the container logs by browsing to: `https://<app-name>.scm.azurewebsites.net/api/logs/docker`.

-You'll see output similar to the following example:

-<pre>

-[

- {

- "machineName":"RD00XYZYZE567A",

- "lastUpdated":"2018-05-10T04:11:45Z",

- "size":25125,

- "href":"https://&lt;app-name&gt;.scm.azurewebsites.net/api/vfs/LogFiles/2018_05_10_RD00XYZYZE567A_docker.log",

- "path":"/home/LogFiles/2018_05_10_RD00XYZYZE567A_docker.log"

- }

-]

-</pre>

-You see a log for each container and an additional log for the parent process. Copy the respective `href` value into the browser to view the log.

-## Next steps

-In this tutorial, you learned how to:

-> [!div class="checklist"]

-> * Convert a Docker Compose configuration to work with Web App for Containers

-> * Deploy a multi-container app to Azure

-> * Add application settings

-> * Use persistent storage for your containers

-> * Connect to Azure Database for MySQL

-> * Troubleshoot errors

-Advance to the next tutorial to learn how to secure your app with a custom domain and certificate.

-> [!div class="nextstepaction"]

-> [Secure with custom domain and certificate](tutorial-secure-domain-certificate.md)

-Or, check out other resources:

-<!--Image references-->

-[1]: ./media/tutorial-multi-container-app/azure-multi-container-wordpress-install.png

-[2]: ./media/tutorial-multi-container-app/wordpress-plugins.png

-[3]: ./media/tutorial-multi-container-app/activate-redis.png

-[4]: ./media/tutorial-multi-container-app/redis-settings.png

-[5]: ./media/tutorial-multi-container-app/enable-object-cache.png

-[6]: ./media/tutorial-multi-container-app/redis-connected.png

-2. Copy the public IP address, and then paste it into the address bar of your browser. Such as, http:\//52.188.72.175:8080.

- ingressClassName: azure-application-gateway

- serviceName: test-agic-app-service

- servicePort: 80

-To learn how to identify Azure Arc-enabled servers enabled machine that doesn't have the Log Analytics agent installed, continue to the tutorial:

-|Log Analytics Agent |log_analytics_agent |

-To connect hybrid machines to Azure, you install the [Azure Connected Machine agent](agent-overview.md) on each machine. This agent doesn't replace the Azure [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) / [Azure Monitor Agent](../../azure-monitor/agents/azure-monitor-agent-overview.md). The Log Analytics agent or Azure Monitor Agent for Windows and Linux is required in order to:

- * Collect other log data, such as performance data and events, from the operating system or workloads running on the machine with the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). This data is stored in a [Log Analytics workspace](../../azure-monitor/logs/log-analytics-workspace-overview.md).

-1. Remove any VM extensions deployed to the Azure VM, such as the Log Analytics agent. While Azure Arc-enabled servers support many of the same extensions as Azure VMs, the Azure Connected Machine agent can't manage VM extensions already deployed to the VM.

-description: Learn to send SignalR Service messages from Azure Functions.

-1. Navigate to *src/main/java/org/example/functions/HttpTriggerFunction.java* to see the code generated. Beside line 24, you should see a green **Run** button. Select it and then select **Run 'Functions-azur...'**. You should see your function app running locally with a few logs.

-The following features of Azure OpenAI are available in Azure Government:

-|Feature|Azure OpenAI|

-|--|--|

-|Models available|US Gov Arizona:<br>&nbsp;&nbsp;&nbsp;GPT-4o (2024-05-13)&nbsp;&nbsp;&nbsp;GPT-4 (1106-Preview)<br>&nbsp;&nbsp;&nbsp;GPT-3.5-Turbo (0125)&nbsp;&nbsp;&nbsp;GPT-3.5-Turbo (1106)<br>&nbsp;&nbsp;&nbsp;text-embedding-ada-002 (version 2)<br><br>US Gov Virginia:<br>&nbsp;&nbsp;&nbsp;GPT-4o (2024-05-13)&nbsp;&nbsp;&nbsp;GPT-4 (1106-Preview)<br>&nbsp;&nbsp;&nbsp;GPT-3.5-Turbo (0125)<br>&nbsp;&nbsp;&nbsp;text-embedding-ada-002 (version 2)<br><br>Learn more about the different capabilities of each model in [Azure OpenAI Service models](/azure/ai-services/openai/concepts/models)|

-|Virtual network support & private link support| Yes. |

-| Connect your data | Available in US Gov Virginia and Arizona. Virtual network and private links are supported. Deployment to a web app or a copilot in Copilot Studio is not supported. |

-|Managed Identity|Yes, via Microsoft Entra ID|

-|UI experience|**Azure portal** for account & resource management<br>**Azure OpenAI Studio** for model exploration|

-|Abuse Monitoring|Not all features of Abuse Monitoring are enabled for AOAI in Azure Government. You will be responsible for implementing reasonable technical and operational measures to detect and mitigate any use of the service in violation of the Product Terms. [Automated Content Classification and Filtering](/azure/ai-services/openai/concepts/content-filter) remains enabled by default for Azure Government.|

-|Data Storage|In AOAI, customer data is only stored at rest as part of our Finetuning solution. Since Finetuning is not enabled within Azure Gov, there is no customer data stored at rest in Azure Gov associated with AOAI. However, Customer Managed Keys (CMK) can still be enabled in Azure Gov to support use of the same policies in Azure Gov as in Public cloud. Note also that if Finetuning is enabled in Azure Gov in the future, any existing CMK deployment would be applied to that data at that time.|

-**Next steps**

-* To request quota increases for the pay-as-you-go consumption model, apply at [https://aka.ms/AOAIGovQuota](https://aka.ms/AOAIGovQuota)

-* If modified content filters are required, apply at [https://aka.ms/AOAIGovModifyContentFilter](https://aka.ms/AOAIGovModifyContentFilter)

-* [Azure Monitor Agent supported operating systems and environments](./azure-monitor-agent-requirements.md)

-1. Navigate to the **Azure Monitor** page in the Azure portal, and select **Workbooks**.

-This video provides an overview of reliability and resilience options available for Log Analytics workspaces:

-> [!VIDEO https://www.youtube.com/embed/CYspm1Yevx8?cc_load_policy=1&cc_lang_pref=auto]

-|AppInsightsPortalExtension|[Workbooks](../visualize/workbooks-data-sources.md#logs) or [Application insights](../app/app-insights-overview.md).|

-## Logs

-With workbooks, you can query logs from the following sources:

-* Azure Monitor Logs (Application Insights resources and Log Analytics workspaces)

-To make a query control that uses this data source, use the **Query type** dropdown and select **Azure Resource Graph**. Then select the subscriptions to target. Use **Query control** to add the Resource Graph KQL subset that selects an interesting resource subset.

-To make a query control that uses this data source, use the **Data source** dropdown and select **Azure Resource Manager**. Provide the appropriate parameters, such as **Http method**, **url path**, **headers**, **url parameters**, and **body**. Azure Resource Manager data source is intended to be used as a data source to power data *visualizations*; as such, it does not support `PUT` or `PATCH` operations. The data source supports the following HTTP methods, with these expecations and limitations:

-* `GETARRAY` - for ARM APIs that may return multiple "pages" of results using the ARM standard `nextLink` or `@odata.nextLink` style response (See [Async operations, throttling, and paging](/rest/api/azure/#async-operations-throttling-and-paging), this method will make followup calls to the API for each `nextLink`, and merge those results into an array of results.

-> The Azure Resource Manager data source only supports results that return a 200 `OK` response, indicating the result is synchronous. APIs returning asynchronous results with 202 `ACCEPTED` asynchronous result and a header with a result URL are not supported.

-The JSON provider allows you to create a query result from static JSON content. It's most commonly used in parameters to create dropdown parameters of static values. Simple JSON arrays or objects will automatically be converted into grid rows and columns. For more specific behaviors, you can use the **Results** tab and JSONPath settings to configure columns.

-With workbooks, you can query different data sources. Workbooks also provide simple controls that you can use to merge or join data to provide rich insights. The *merge* control is the way to achieve it. A single merge data source can do many merges in one step. For example, a *single* merge data source can merge results from a step using Azure Resource Graph with Azure Metrics, and then merge that result with another step using the Azure Resource Manager data source in one query item.

-> A single merge step can merge many data sources at once. There's rarely a case where a merge data source will reference another merge data source.

-### Combine alerting data with Log Analytics VM performance data

-To avoid automatically making calls to untrusted hosts when you use templates, you need to mark the used hosts as trusted. You can either select **Add as trusted** or add it as a trusted host in workbook settings. These settings will be saved in [browsers that support IndexDb with web workers](https://caniuse.com/#feat=indexeddb).

-Azure Monitor has functionality that proactively monitors the availability and performance of Windows or Linux guest operating systems. Azure Monitor models key components and their relationships, criteria for how to measure the health of those components, and which components alert you when an unhealthy condition is detected. With workbooks, you can use this information to create rich interactive reports.

-The Azure role-based access control (RBAC) provider allows you to check permissions on resources. It's most commonly used in parameters to check if the correct RBACs are set up. A use case would be to create a parameter to check deployment permission and then notify the user if they don't have deployment permission.

-Simple JSON arrays or objects will automatically be converted into grid rows and columns or text with a `hasPermission` column with either true or false. The permission is checked on each resource and then either `or` or `and` to get the result. The [operations or actions](../../role-based-access-control/resource-provider-operations.md) can be a string or an array.

- 1. **Get data from**: `JSON`

-You can reference dropdown parameters.

-1. Run the query to see the results. Optionally, render it as a chart.

-## Parameter value, label, selection, and group

-The query used in the preceding dynamic dropdown parameter returns a list of values that are rendered faithfully in the dropdown list. But what if you wanted a different display name or one of the names to be selected? Dropdown parameters use value, label, selection, and group columns for this functionality.

-The following sample shows how to get a list of Application Insights dependencies whose display names are styled with an emoji, has the first one selected, and is grouped by operation names:

-```kusto

-dependencies

-| summarize by operation_Name, name

-| where name !contains ('.')

-| order by name asc

-| serialize Rank = row_number()

-| project value = name, label = strcat('🌐 ', name), selected = iff(Rank == 1, true, false), group = operation_Name

-```

-<!-- convertborder later -->

-| `{DependencyName:value}` | The selected value | GET fabrikamaccount |

-You can specify the format of the result set via the **Delimiter** and **Quote with** settings. The default returns the values as a collection in the form of **a**, **b**, **c**. You can also limit the number of selections.

-The KQL referencing the parameter needs to change to work with the format of the result. The most common way to enable it is via the `in` operator.

-Dropdown parameters also allow you to specify special values that will also appear in the dropdown:

-### Special casing All

-When you select the **All** option, an extra field appears, which allows you to specify that a special value will be used for the parameter if the **All** option is selected. This special value is useful for cases where "All" could be a large number of items and could generate a very large query.

-If all items are selected, the value of `Selection` is `[]`, producing an empty array for the `selection` variable in the query. If no values are selected, the value of `Selection` will be an empty string, also resulting in an empty array. If any values are selected, they are formatted inside the dynamic part of the query, causing the array to have those values. You can then test for `array_length` of 0 to have the filter not apply or use the `in` operator to filter on the values in the array.

- "thumbprint": "ABC"

-The Azure Web PubSub service helps you to easily build real-time web messaging applications. In this tutorial, you'll learn how to subscribe to the service using WebSocket API and publish messages using the Web PubSub service SDK.

-> * Create a Web PubSub subscriber client to receive messages using standard WebSocket protocol

-> * Create a Web PubSub publisher client to publish messages using Web PubSub service SDK

-If creating the project on a local machine, you'll need to install the dependencies for the language you're using:

-Use the Azure CLI [az webpubsub create](/cli/azure/webpubsub#az-webpubsub-create) command to create a Web PubSub in the resource group you've created. The following command creates a _Free_ Web PubSub resource under resource group `myResourceGroup` in `EastUS`:

-The output of this command shows properties of the newly created resource. Take note of the two properties listed below:

-1. Replace the code in the `Program.cs` with the following code that will connect to the service:

-1. Run the following command replacing `<Web-PubSub-connection-string>` with the connection string you copied earlier. If you are using Windows command shell, you can use `set` instead of `export`.

-Create a publisher using the Azure Web PubSub SDK to publish a message to the connected client. For this project, you'll need to open another command shell.

-1. Check the command shell of the subscriber to see that it received the message:

-1. Use Azure Web PubSub SDK to publish a message to the service. Create a `publish.js` file with the below code:

-1. To send a message, run the following command replacing `<Web-PubSub-connection-string>` with the connection string you copied earlier. If you are using Windows command shell, you can use `set` instead of `export`.

-1. Use the Azure Web PubSub SDK to publish a message to the service. Create a `publish.py` file with the below code:

-1. Go to the `pubsub` directory. Use Maven to create a publisher console app `webpubsub-quickstart-publisher` and go to the *webpubsub-quickstart-publisher* directory:

-1. To send a message, go to the *webpubsub-quickstart-publisher* directory and run the project using the following command. Replace the `<Web-PubSub-connection-string>` with the connection string you copied earlier.

-If you aren't planning to continue using Azure Cloud Shell, you can avoid accumulating costs by deleting the resource group that contains the associated the storage account. The resource group is named `cloud-shell-storage-<your-region>`. Run the following command, replacing `<CloudShellResourceGroup>` with the Cloud Shell group name.

-| WA-GUEST-OS-7.41_202405-01 | June 1, 2024 | Post 7.44 |

-| WA-GUEST-OS-6.71_202405-01 | June 1, 2024 | Post 6.74 |

-| WA-GUEST-OS-5.95_202405-01 | June 1, 2024 | Post 5.98 |

-| WA-GUEST-OS-4.131_202405-01 | June 1, 2024 | Post 4.134 |

-| WA-GUEST-OS-3.139_202405-01 | June 1, 2024 | Post 3.142 |

-| WA-GUEST-OS-2.151_202405-01 | June 1, 2024 | Post 2.154 |

- "frequency": <<Minute, Hour, Day, Week, Year>>,

- During an active attack, customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack and post-attack analysis. For more information, see [Azure DDoS Rapid Response](ddos-rapid-response.md).

-This article lists the known issues for [Azure Firewall](overview.md). It is updated as issues are resolved.

-|Threat intelligence alerts may get masked|Network rules with destination 80/443 for outbound filtering masks threat intelligence alerts when configured to alert only mode.|Create outbound filtering for 80/443 using application rules. Or, change the threat intelligence mode to **Alert and Deny**.|

-|Azure Firewall DNAT doesn't work for private IP destinations|Azure Firewall DNAT support is limited to Internet egress/ingress. DNAT doesn't currently work for private IP destinations. For example, spoke to spoke.|A fix is being investigated.<br><br>Private DNAT is currently in private preview. Watch the [Azure Firewall preview features](firewall-preview.md) article for the public preview announcement.|

-|With secured virtual hubs, availability zones can only be configured during deployment.| You can't configure Availability Zones after a firewall with secured virtual hubs has been deployed.|This is by design.|

-|Outbound SMTP traffic on TCP port 25 is blocked|Outbound email messages that are sent directly to external domains (like `outlook.com` and `gmail.com`) on TCP port 25 can be blocked by the Azure platform. This is the default platform behavior in Azure, Azure Firewall doesn't introduce any more specific restriction. |Use authenticated SMTP relay services, which typically connect through TCP port 587, but also supports other ports. For more information, see [Troubleshoot outbound SMTP connectivity problems in Azure](../virtual-network/troubleshoot-outbound-smtp-connectivity.md).<br><br>Another option is to deploy Azure Firewall in a standard Enterprise Agreement (EA) subscription. Azure Firewall in an EA subscription can communicate with public IP addresses using outbound TCP port 25. Currently, it may also work in other subscription types, but it's not guaranteed to work. For private IP addresses like virtual networks, VPNs, and Azure ExpressRoute, Azure Firewall supports an outbound connection on TCP port 25.

-|SNAT port exhaustion|Azure Firewall currently supports 2496 ports per Public IP address per backend Virtual Machine Scale Set instance. By default, there are two Virtual Machine Scale Set instances. So, there are 4992 ports per flow (destination IP, destination port and protocol (TCP or UDP). The firewall scales up to a maximum of 20 instances. |This is a platform limitation. You can work around the limits by configuring Azure Firewall deployments with a minimum of five public IP addresses for deployments susceptible to SNAT exhaustion. This increases the SNAT ports available by five times. Allocate from an IP address prefix to simplify downstream permissions. For a more permanent solution, you can deploy a NAT gateway to overcome the SNAT port limits. This approach is supported for virtual network deployments. <br /><br /> For more information, see [Scale SNAT ports with Azure Virtual Network NAT](integrate-with-nat-gateway.md).|

-|Outbound Passive FTP may not work for Firewalls with multiple public IP addresses, depending on your FTP server configuration.|Passive FTP establishes different connections for control and data channels. When a Firewall with multiple public IP addresses sends data outbound, it randomly selects one of its public IP addresses for the source IP address. FTP may fail when data and control channels use different source IP addresses, depending on your FTP server configuration.|An explicit SNAT configuration is planned. In the meantime, you can configure your FTP server to accept data and control channels from different source IP addresses (see [an example for IIS](/iis/configuration/system.applicationhost/sites/sitedefaults/ftpserver/security/datachannelsecurity)). Alternatively, consider using a single IP address in this situation.|

-|Inbound Passive FTP may not work depending on your FTP server configuration |Passive FTP establishes different connections for control and data channels. Inbound connections on Azure Firewall are SNATed to one of the firewall private IP addresses to ensure symmetric routing. FTP may fail when data and control channels use different source IP addresses, depending on your FTP server configuration.|Preserving the original source IP address is being investigated. In the meantime, you can configure your FTP server to accept data and control channels from different source IP addresses.|

-|Configuration updates may take five minutes on average|An Azure Firewall configuration update can take three to five minutes on average, and parallel updates aren't supported.|A fix is being investigated.|

-|Azure Firewall uses SNI TLS headers to filter HTTPS and MSSQL traffic|If browser or server software doesn't support the Server Name Indicator (SNI) extension, you can't connect through Azure Firewall.|If browser or server software doesn't support SNI, then you may be able to control the connection using a network rule instead of an application rule. See [Server Name Indication](https://wikipedia.org/wiki/Server_Name_Indication) for software that supports SNI.|

-| Error encountered when creating more than 2000 rule collections. | The maximal number of NAT/Application or Network rule collections is 2000 (Resource Manager limit). | This is a current limitation. |

-|Physical zone 2 in Japan East is unavailable for firewall deployments.|You canΓÇÖt deploy a new firewall with physical zone 2. Additionally, if you stop an existing firewall which is deployed in physical zone 2, it cannot be restarted. For more information, see [Physical and logical availability zones](../reliability/availability-zones-overview.md#physical-and-logical-availability-zones).|For new firewalls, deploy with the remaining availability zones or use a different region. To configure an existing firewall, see [How can I configure availability zones after deployment?](firewall-faq.yml#how-can-i-configure-availability-zones-after-deployment).

-|QUIC/HTTP3|QUIC is the new major version of HTTP. It's a UDP-based protocol over 80 (PLAN) and 443 (SSL). FQDN/URL/TLS inspection won't be supported.|Configure passing UDP 80/443 as network rules.|

-|Certificate Propagation|After a CA certificate is applied on the firewall, it may take between 5-10 minutes for the certificate to take effect.|A fix is being investigated.|

-description: Learn about Azure Firewall preview features that are currently publicly available.

-### Auto-learn SNAT routes (preview)

-You can configure Azure Firewall to auto-learn both registered and private ranges every 30 minutes. For information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md#auto-learn-snat-routes-preview).

-Inbound Internet connectivity can be enabled by configuring Destination Network Address Translation (DNAT) as described in [Filter inbound traffic with Azure Firewall DNAT using the Azure portal](../firewall/tutorial-firewall-dnat.md). NAT rules are applied in priority before network rules. If a match is found, the traffic is translated according to the DNAT rule and allowed by the firewall. So the traffic isn't subject to any further processing by other network rules. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards.

-# Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal

-You can configure Azure Firewall policy Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the *rule collection action* is set to **DNAT**. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).

-1. For **Destination**, type the firewall public IP address.

-# Filter inbound Internet traffic with Azure Firewall DNAT using the Azure portal

-You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to **Dnat**. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private/public IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).

-1. For **Destination Addresses**, type the firewall's public IP address.

- and the creator is given an "Owner" role assignment. Management group service allows this ability

- so that role assignments aren't needed at the root level. No users have access to the Root

- Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to

- start using management groups, we allow the creation of the initial management groups at the root

- level.

- and the creator is given an "Owner" role assignment. Management group service allows this ability

- so that role assignments aren't needed at the root level. No users have access to the Root

- Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to

- start using management groups, we allow the creation of the initial management groups at the root

- level.

- and the creator is given an "Owner" role assignment. Management group service allows this ability

- so that role assignments aren't needed at the root level. No users have access to the Root

- Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to

- start using management groups, we allow the creation of the initial management groups at the root

- level.

- and the creator is given an "Owner" role assignment. Management group service allows this ability

- so that role assignments aren't needed at the root level. No users have access to the Root

- Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to

- start using management groups, we allow the creation of the initial management groups at the root

- level.

- and the creator is given an "Owner" role assignment. Management group service allows this ability

- so that role assignments aren't needed at the root level. No users have access to the Root

- Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to

- start using management groups, we allow the creation of the initial management groups at the root

- level.

- and the creator is given an "Owner" role assignment. Management group service allows this ability

- so that role assignments aren't needed at the root level. No users have access to the Root

- Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to

- start using management groups, we allow the creation of the initial management groups at the root

- level.

- and the creator is given an "Owner" role assignment. Management group service allows this ability

- so that role assignments aren't needed at the root level. No users have access to the Root

- Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to

- start using management groups, we allow the creation of the initial management groups at the root

- level.

- and the creator is given an "Owner" role assignment. Management group service allows this ability

- so that role assignments aren't needed at the root level. No users have access to the Root

- Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to

- start using management groups, we allow the creation of the initial management groups at the root

- level.

-at the directory level. Initially, the [Microsoft Entra Global Administrator needs to elevate

-themselves](../../role-based-access-control/elevate-access-global-admin.md) to the User Access

-### Enable Azure monitor agent using Portal

-#### Approach 1:

-#### Approach 2:

-If you build multiple dashboards to monitor your HDInsight clusters, you need to adjust the query behind the table once you enable the new Azure Monitor integration. The table name or the field name might change in the new integration, but all the information you have in old integration is included.

-> New Azure Monitor experience is available in all the regions as a preview feature.

->

-You must include at least one application configuration and at most two in the `applications` array. Each application configuration has values that validate access token claims and an array that defines the permissions for the application to access FHIR resources.

-To get started, fork the IoT Central CI/CD GitHub repository and then clone your fork to your local machine:

- "type": "connectionString",

- "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourexportaccount;AccountKey=*****;EndpointSuffix=core.windows.net",

-1. If your application uses data exports, add secrets for the destinations to the production key vault. The config file doesn't contain any actual secrets for your destination, the secrets are stored in your key vault.

- "displayName": "Blob Storage Destination",

- "type": "blobstorage@v1",

- "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=********;EndpointSuffix=core.windows.net",

- "containerName": "central-data"

-* `connectionString`: The connection string for accessing the destination resource.

-* `containerName`: For a blob storage destination, the name of the container where data should be written.

- "type": "connectionString",

- "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;EndpointSuffix=core.windows.net",

- "type": "connectionString",

- "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;EndpointSuffix=core.windows.net",

- "type": "connectionString",

- "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=********;EndpointSuffix=core.windows.net",

- "containerName": "central-data"

-You can use this call to perform an incremental update to an export. The sample request body looks like the following example that updates the `connectionString` of a destination:

- "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=********;EndpointSuffix=core.windows.net"

- "type": "connectionString",

- "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;EndpointSuffix=core.windows.net",

- "containerName": "central-data"

- "id": "8dbcdb53-c6a7-498a-a976-a824b694c150",

- "displayName": "Blob Storage Destination",

- "type": "blobstorage@v1",

- "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=********;EndpointSuffix=core.windows.net",

- "containerName": "central-data",

- "status": "waiting"

- - Install the latest [Az PowerShell module](/powershell/azure/install-azure-powershell)

-Install the module from [PowerShell gallery](https://www.powershellgallery.com/packages/AzureBasicLoadBalancerUpgrade)

-PS C:\> Install-Module -Name AzureBasicLoadBalancerUpgrade -Scope CurrentUser -Repository PSGallery -Force

-1. Use `Connect-AzAccount` to connect to Azure, specifying the Basic Load Balancer's subscription ID if you have more than one subscription.

- PS C:\> Connect-AzAccount -Subscription <SubscriptionId>

-4. Run the Upgrade command.

-PS C:\> Start-AzBasicLoadBalancerUpgrade -ResourceGroupName <loadBalancerRGName> -BasicLoadBalancerName <basicLBName> -validateScenarioOnly

-PS C:\> Start-AzBasicLoadBalancerUpgrade -ResourceGroupName <loadBalancerRGName> -BasicLoadBalancerName <basicLBName>

-PS C:\> Start-AzBasicLoadBalancerUpgrade -ResourceGroupName <loadBalancerRGName> -BasicLoadBalancerName <basicLBName> -StandardLoadBalancerName <newStandardLBName> -FollowLog

-PS C:\> Start-AzBasicLoadBalancerUpgrade -ResourceGroupName <loadBalancerRGName> -BasicLoadBalancerName <basicLBName> -StandardLoadBalancerName <newStandardLBName> -RecoveryBackupPath C:\BasicLBRecovery

-PS C:\> Start-AzBasicLoadBalancerUpgrade -validateCompletedMigration -StandardLoadBalancerName <newStandardLBName> -basicLoadBalancerStatePath C:\RecoveryBackups\State_mybasiclb_rg-basiclbrg_20220912T1740032148.json

-PS C:\> $multiLBConfig = @(

-PS C:\> Start-AzBasicLoadBalancerUpgrade -MultiLBConfig $multiLBConfig

-PS C:\> Start-AzBasicLoadBalancerUpgrade -FailedMigrationRetryFilePathLB C:\RecoveryBackups\State_mybasiclb_rg-basiclbrg_20220912T1740032148.json -FailedMigrationRetryFilePathVMSS C:\RecoveryBackups\VMSS_myVMSS_rg-basiclbrg_20220912T1740032148.json

-PS C:\> Start-AzBasicLoadBalancerUpgrade -FailedMigrationRetryFilePathLB C:\RecoveryBackups\State_mybasiclb_rg-basiclbrg_20220912T1740032148.json

-| `APP_KIND` | `workflowApp` | Sets the app type for the Azure resource. |

->| Azure API Management (Microsoft.ApiManagement/service) | gateway | privatelink.azure-api.net | azure-api.net |

- | [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md?tabs=azure-portal) | A workspace within the subscription that is being **monitored** and is used as the **scope for rule execution**. Select from the dropdown or create a new workspace. If you create a new workspace, use it for all alerts in your subscription. |

- | [Managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp) | Select from the dropdown, or **Create New**. Managed Identity should have **read permissions** to the Subscription (to read Usage data from ARG) and Log Analytics workspace that is chosen(to read the log alerts). |

- | [Estimated cost](https://azure.microsoft.com/pricing/details/monitor/) |Estimated cost is automatically calculated cost associated with running this **new alert rule** against your quota. See [Azure Monitor cost and usage](../azure-monitor/cost-usage.md) for more information. |

-| West US 3 | Switzerland North | | | |

-| Qatar | Qatar Central |

-| Mexico | Mexico Central |

-| Poland | Poland Central |

-| Austria | Austria East (Coming soon) |

-description: Learn how to ingest Microsoft's threat intelligence into your Sentinel workspace to generate high fidelity alerts and incidents.

-#customer intent: As a SOC admin, I want to utilize the best threat intelligence from Microsoft, so I can generate high fidelity alerts and incidents.

-Bring public, open source and high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace with the MDTI data connectors. With a simple one-click setup, use the TI from the standard and premium MDTI data connectors to monitor, alert and hunt.

-> The Microsoft Defender Threat Intelligence data connector and the Premium Microsoft Defender Threat Intelligence data connector are currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-For more information about the benefits of the standard and premium MDTI data connectors, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-indicators-to-microsoft-sentinel-with-the-microsoft-defender-threat-intelligence-data-connector).

-## Install the Threat Intelligence solution in Microsoft Sentinel

-To import threat indicators into Microsoft Sentinel from standard and premium MDTI, follow these steps:

-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Content management**, select **Content hub**. <br>For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Content management** > **Content hub**.

-## Enable the Microsoft Defender Threat Intelligence data connector

-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Data connectors**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Configuration** > **Data connectors**.

-1. Find and select the Microsoft Defender Threat Intelligence data connector > **Open connector page** button.

- :::image type="content" source="mediti-data-connector/premium-microsoft-defender-threat-intelligence-data-connector-config.png":::

-1. Enable the feed by selecting the **Connect** button

- :::image type="content" source="mediti-data-connector/microsoft-defender-threat-intelligence-data-connector-connect.png":::

-1. When MDTI indicators start populating the Microsoft Sentinel workspace, the connector status displays **Connected**.

-At this point, the ingested indicators are now available for use in the *TI map...* analytics rules. For more information, see [Use threat indicators in analytics rules](use-threat-indicators-in-analytics-rules.md).

-Find the new indicators in the **Threat intelligence** blade or directly in **Logs** by querying the **ThreatIntelligenceIndicator** table. For more information, see [Work with threat indicators](work-with-threat-indicators.md).

-In this document, you learned how to connect Microsoft Sentinel to Microsoft's threat intelligence feed with the MDTI data connector. To learn more about Microsoft Defender for Threat Intelligence see the following articles.

-#customer intent: As a SOC admin, I want to use a Threat Intelligence Platform solution to ingest threat intelligence, so I can generate alerts incidents.

->[!NOTE]

-> This data connector is on a path for deprecation. More details will be published on the precise timeline. Use the new threat intelligence upload indicators API data connector for new solutions going forward.

-> For more information, see [Connect your threat intelligence platform to Microsoft Sentinel with the upload indicators API](connect-threat-intelligence-upload-api.md).

-Many organizations use threat intelligence platform (TIP) solutions to aggregate threat indicator feeds from various sources. From the aggregated feed, the data is curated to apply to security solutions such as network devices, EDR/XDR solutions, or SIEMs such as Microsoft Sentinel. The **Threat Intelligence Platforms data connector** allows you to use these solutions to import threat indicators into Microsoft Sentinel.

-Because the TIP data connector works with the [Microsoft Graph Security tiIndicators API](/graph/api/resources/tiindicator) to accomplish this, you can use the connector to send indicators to Microsoft Sentinel (and to other Microsoft security solutions like Microsoft Defender XDR) from any other custom threat intelligence platform that can communicate with that API.

-Learn more about [Threat Intelligence](understand-threat-intelligence.md) in Microsoft Sentinel, and specifically about the [threat intelligence platform products](threat-intelligence-integration.md#integrated-threat-intelligence-platform-products) that can be integrated with Microsoft Sentinel.

-## Prerequisites

-Follow these steps to import threat indicators to Microsoft Sentinel from your integrated TIP or custom threat intelligence solution:

-1. Obtain an Application ID and Client Secret from your Microsoft Entra ID

-2. Input this information into your TIP solution or custom application

-3. Enable the Threat Intelligence Platforms data connector in Microsoft Sentinel

-## Sign up for an Application ID and Client secret from your Microsoft Entra ID

-Whether you are working with a TIP or with a custom solution, the tiIndicators API requires some basic information to allow you to connect your feed to it and send it threat indicators. The three pieces of information you need are:

-You can get this information from your Microsoft Entra ID through a process called **App Registration** which includes the following three steps:

-1. From the Azure portal, navigate to the **Microsoft Entra ID** service.

-1. Select **App Registrations** from the menu and select **New registration**.

-1. Choose a name for your application registration, select the **Single tenant** radio button, and select **Register**.

- :::image type="content" source="media/connect-threat-intelligence-tip/threat-intel-register-application.png" alt-text="Register an application":::

-1. From the resulting screen, copy the **Application (client) ID** and **Directory (tenant) ID** values. These are the first two pieces of information youΓÇÖll need later to configure your TIP or custom solution to send threat indicators to Microsoft Sentinel. The third, the **Client secret**, comes later.

-1. Go back to the main page of the **Microsoft Entra ID** service.

-1. Select **App Registrations** from the menu and select your newly registered app.

-1. Select **API Permissions** from the menu and select the **Add a permission** button.

-1. On the **Select an API** page, select the **Microsoft Graph** API and then choose from a list of Microsoft Graph permissions.

-1. At the prompt "What type of permissions does your application require?" select **Application permissions**. This is the type of permissions used by applications authenticating with App ID and App Secrets (API Keys).

-1. Select **ThreatIndicators.ReadWrite.OwnedBy** and select **Add permissions** to add this permission to your appΓÇÖs list of permissions.

- :::image type="content" source="media/connect-threat-intelligence-tip/threat-intel-api-permissions-1.png" alt-text="Specify permissions":::

- :::image type="content" source="media/connect-threat-intelligence-tip/threat-intel-api-permissions-2.png" alt-text="Grant consent":::

-1. Once consent has been granted to your app, you should see a green check mark under **Status**.

-Now that your app has been registered and permissions have been granted, you can get the last thing on your list - a client secret for your app.

-1. Go back to the main page of the **Microsoft Entra ID** service.

-1. Select **App Registrations** from the menu and select your newly registered app.

-1. Select **Certificates & secrets** from the menu and select the **New client secret** button to receive a secret (API key) for your app.

- :::image type="content" source="media/connect-threat-intelligence-tip/threat-intel-client-secret.png" alt-text="Get client secret":::

-1. Select the **Add** button and **copy the client secret**.

- > You must copy the **client secret** before leaving this screen. You cannot retrieve this secret again if you navigate away from this page. You will need this value when you configure your TIP or custom solution.

-You now have all three pieces of information you need to configure your TIP or custom solution to send threat indicators to Microsoft Sentinel.

-1. Enter these values in the configuration of your integrated TIP or custom solution where required.

-1. For the target product, specify **Azure Sentinel**. (Specifying "Microsoft Sentinel" will result in an error.)

-Once this configuration is complete, threat indicators will be sent from your TIP or custom solution, through the **Microsoft Graph tiIndicators API**, targeted at Microsoft Sentinel.

-## Enable the Threat Intelligence Platforms data connector in Microsoft Sentinel

-The last step in the integration process is to enable the **Threat Intelligence Platforms data connector** in Microsoft Sentinel. Enabling the connector is what allows Microsoft Sentinel to receive the threat indicators sent from your TIP or custom solution. These indicators will be available to all Microsoft Sentinel workspaces for your organization. Follow these steps to enable the Threat Intelligence Platforms data connector for each workspace:

-For more information about how to manage the solution components, see [Discover and deploy out-of-the-box content](sentinel-solutions-deploy.md).

-1. To configure the TIP data connector, select **Configuration** > **Data connectors**.

-1. Find and select the **Threat Intelligence Platforms** data connector > **Open connector page** button.

- :::image type="content" source="media/connect-threat-intelligence-tip/tip-data-connector-config.png" alt-text="Screenshot displaying the data connectors page with the TIP data connector listed." lightbox="media/connect-threat-intelligence-tip/tip-data-connector-config.png":::

-1. As you've already completed the app registration and configured your TIP or custom solution to send threat indicators, the only step left is to select the **Connect** button.

-Within a few minutes, threat indicators should begin flowing into this Microsoft Sentinel workspace. You can find the new indicators in the **Threat intelligence** blade, accessible from the Microsoft Sentinel navigation menu.

-In this document, you learned how to connect your threat intelligence platform to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles.

-description: Learn how to connect your threat intelligence platform (TIP) or custom feed using the upload indicators API to Microsoft Sentinel.

-#customer intent: As a SOC admin, I want to connect my Threat Intelligence Platform with the upload indicators API to ingest threat intelligence, so I can utilize the benefits of this updated API.

-# Connect your threat intelligence platform to Microsoft Sentinel with the upload indicators API

-Many organizations use threat intelligence platform (TIP) solutions to aggregate threat indicator feeds from various sources. From the aggregated feed, the data is curated to apply to security solutions such as network devices, EDR/XDR solutions, or SIEMs such as Microsoft Sentinel. The **Threat Intelligence Upload Indicators API** allows you to use these solutions to import threat indicators into Microsoft Sentinel. The upload indicators API ingests threat intelligence indicators into Microsoft Sentinel without the need of the data connector. The data connector only mirrors the instructions for connecting to the API endpoint detailed in this article and the supplemental API reference document [Microsoft Sentinel upload indicators API](upload-indicators-api.md).

-For more information about threat intelligence, see [Threat Intelligence](understand-threat-intelligence.md).

-> The Microsoft Sentinel **Threat Intelligence Upload Indicators API** is in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-**See also**: [Connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds](connect-threat-intelligence-taxii.md)

-## Prerequisites

-1. Register a Microsoft Entra application and record its application ID.

-1. Assign your Microsoft Entra application the Microsoft Sentinel contributor role or equivalent.

-The [default user role permissions](../active-directory/fundamentals/users-default-permissions.md#restrict-member-users-default-permissions) allow users to create application registrations. If this setting has been switched to **No**, you'll need permission to manage applications in Microsoft Entra ID. Any of the following Microsoft Entra roles include the required permissions:

-Once you've registered your application, record its Application (client) ID from the application's **Overview** tab.

-## Generate and record client secret

-Now that your application has been registered, generate and record a client secret.

-The upload indicators API ingests threat indicators at the workspace level and allows a least privilege role of Microsoft Sentinel contributor.

-1. From the Azure portal, go to Log Analytics workspaces.

-1. In the **Role** tab, select the **Microsoft Sentinel Contributor** role > **Next**.

-1. **Select members**. By default, Microsoft Entra applications aren't displayed in the available options. To find your application, search for it by name.

- :::image type="content" source="media/connect-threat-intelligence-upload-api/assign-role.png" alt-text="Screenshot showing the Microsoft Sentinel contributor role assigned to the application at the workspace level.":::

-1. **Select** > **Review + assign**.

-## Install the Threat Intelligence upload indicators API data connector in Microsoft Sentinel (optional)

-Install the **Threat Intelligence Upload Indicators API** data connector to see the API connection instructions from your Microsoft Sentinel workspace.

-For more information about how to manage the solution components, see [Discover and deploy out-of-the-box content](sentinel-solutions-deploy.md).

-1. The data connector is now visible in **Configuration** > **Data Connectors**. Open the data connector page to find more information on configuring your application with this API.

- :::image type="content" source="media/connect-threat-intelligence-upload-api/upload-api-data-connector.png" alt-text="Screenshot displaying the data connectors page with the upload API data connector listed." lightbox="media/connect-threat-intelligence-upload-api/upload-api-data-connector.png":::

-## Configure your TIP solution or custom application

-The following configuration information required by the upload indicators API:

-1. Submit the indicators to the Microsoft Sentinel upload API. To learn more about the upload indicators API, see the reference document [Microsoft Sentinel upload indicators API](upload-indicators-api.md).

-1. Within a few minutes, threat indicators should begin flowing into your Microsoft Sentinel workspace. Find the new indicators in the **Threat intelligence** blade, accessible from the Microsoft Sentinel navigation menu.

-1. The data connector status reflects the **Connected** status and the **Data received** graph is updated once indicators are submitted successfully.

- :::image type="content" source="media/connect-threat-intelligence-upload-api/upload-api-data-connector-connected.png" alt-text="Screenshot showing upload indicators API data connector in the connected state." lightbox="media/connect-threat-intelligence-upload-api/upload-api-data-connector-connected.png":::

-In this document, you learned how to connect your threat intelligence platform to Microsoft Sentinel. To learn more about using threat indicators in Microsoft Sentinel, see the following articles.

-Microsoft Sentinel gives you a few different ways to [use threat intelligence feeds](work-with-threat-indicators.md) to enhance your security analysts' ability to detect and prioritize known threats.

-> If you have multiple workspaces in the same tenant, such as for [Managed Security Service Providers (MSSPs)](mssp-protect-intellectual-property.md), it may be more cost effective to connect threat indicators only to the centralized workspace.

->

-To connect to TAXII threat intelligence feeds, follow the instructions to [connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds](connect-threat-intelligence-taxii.md), together with the data supplied by each vendor. You may need to contact the vendor directly to obtain the necessary data to use with the connector.

-### Accenture Cyber Threat Intelligence

-### Cyware Threat Intelligence eXchange (CTIX)

-One component of Cyware's threat intelligence platform, CTIX, is actioning intel with a TAXII feed for your SIEM. In the case of Microsoft Sentinel, follow the instructions here:

-To connect to Threat Intelligence Platform (TIP) feeds, see [connect Threat Intelligence platforms to Microsoft Sentinel](connect-threat-intelligence-tip.md). See the following solutions to learn what additional information is needed.

-### MISP Open Source Threat Intelligence Platform

-### Recorded Future Security Intelligence Platform

-### ThreatQuotient Threat Intelligence Platform

-Besides being used to import threat indicators, threat intelligence feeds can also serve as a source to enrich the information in your incidents and provide more context to your investigations. The following feeds serve this purpose, and provide Logic App playbooks to use in your [automated incident response](automate-responses-with-playbooks.md). Find these enrichment sources in the **Content hub**.

-### RiskIQ Passive Total

-### Virus Total

-## Next steps

-In this document, you learned how to connect your threat intelligence provider to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles.

-Microsoft Sentinel is a cloud native Security Information and Event Management (SIEM) solution with the ability to quickly pull threat intelligence from numerous sources.

-Cyber threat intelligence (CTI) is information describing existing or potential threats to systems and users. This intelligence takes many forms, from written reports detailing a particular threat actor's motivations, infrastructure, and techniques, to specific observations of IP addresses, domains, file hashes, and other artifacts associated with known cyber threats. CTI is used by organizations to provide essential context to unusual activity, so security personnel can quickly take action to protect their people, information, and assets. CTI can be sourced from many places, such as open-source data feeds, threat intelligence-sharing communities, commercial intelligence feeds, and local intelligence gathered in the course of security investigations within an organization.

-For SIEM solutions like Microsoft Sentinel, the most common forms of CTI are threat indicators, also known as Indicators of Compromise (IoC) or Indicators of Attack (IoA). Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called *tactical threat intelligence* because it's applied to security products and automation in large scale to detect potential threats to an organization and protect against them. Use threat indicators in Microsoft Sentinel, to detect malicious activity observed in your environment and provide context to security investigators to inform response decisions.

-Integrate threat intelligence (TI) into Microsoft Sentinel through the following activities:

-Microsoft enriches all imported threat intelligence indicators with [GeoLocation and WhoIs data](#view-your-geolocation-and-whois-data-enrichments-public-preview), which is displayed together with other indicator details.

-Threat Intelligence also provides useful context within other Microsoft Sentinel experiences such as **Hunting** and **Notebooks**. For more information, see [Jupyter Notebooks in Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/using-threat-intelligence-in-your-jupyter-notebooks/ba-p/860239) and [Tutorial: Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel](notebook-get-started.md).

-Just like all the other event data in Microsoft Sentinel, threat indicators are imported using data connectors. Here are the data connectors in Microsoft Sentinel provided specifically for threat indicators.

-

-Use any of these data connectors in any combination together, depending on where your organization sources threat indicators. All three of these are available in **Content hub** as part of the **Threat Intelligence** solution. For more information about this solution, see the Azure Marketplace entry [Threat Intelligence](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-threatintelligence-taxii?tab=Overview).

-Also, see this catalog of [threat intelligence integrations](threat-intelligence-integration.md) available with Microsoft Sentinel.

-### Add threat indicators to Microsoft Sentinel with the Microsoft Defender Threat Intelligence data connector

-Bring public, open source and high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace with the MDTI data connectors. With a simple one-click setup, use the TI from the standard and premium MDTI data connectors to monitor, alert and hunt.

-The freely available MDTI threat analytics rule gives you a taste of what the premium MDTI data connector provides. However with matching analytics, only indicators that match the rule are actually ingested into your environment. The premium MDTI data connector brings the premium TI and allows analytics for more data sources with greater flexibility and understanding of that threat intelligence. Here's a table showing what to expect when you license and enable the premium MDTI data connector.

-| Public indicators of compromise (IOCs) | |

-For more information see the following articles:

-Many organizations use threat intelligence platform (TIP) solutions to aggregate threat indicator feeds from various sources. From the aggregated feed, the data is curated to apply to security solutions such as network devices, EDR/XDR solutions, or SIEMs such as Microsoft Sentinel. The **Threat Intelligence Upload Indicators API** data connector allows you to use these solutions to import threat indicators into Microsoft Sentinel.

-This data connector utilizes a new API and offers the following improvements:

-For more information, see [Connect your threat intelligence platform using upload indicators API](connect-threat-intelligence-upload-api.md)

-### Add threat indicators to Microsoft Sentinel with the Threat Intelligence Platforms data connector

-Much like the existing upload indicators API data connector, the **Threat Intelligence Platform data connector** uses an API allowing your TIP or custom solution to send indicators into Microsoft Sentinel. However, this data connector is now on a path for deprecation. We recommend new solutions to take advantage of the optimizations the upload indicators API has to offer.

-The TIP data connector works with the [Microsoft Graph Security tiIndicators API](/graph/api/resources/tiindicator). It can also be used by any custom threat intelligence platform that communicates with the tiIndicators API to send indicators to Microsoft Sentinel (and to other Microsoft security solutions like Microsoft Defender XDR).

-The most widely adopted industry standard for the transmission of threat intelligence is a [combination of the STIX data format and the TAXII protocol](https://oasis-open.github.io/cti-documentation/). If your organization obtains threat indicators from solutions that support the current STIX/TAXII version (2.0 or 2.1), use the **Threat Intelligence - TAXII** data connector to bring your threat indicators into Microsoft Sentinel. The Threat Intelligence - TAXII data connector enables a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers.

-**To import STIX-formatted threat indicators to Microsoft Sentinel from a TAXII server**:

-1. Obtain the TAXII server API Root and Collection ID

-1. Enable the Threat Intelligence - TAXII data connector in Microsoft Sentinel

-View and manage your indicators in the **Threat Intelligence** page. Sort, filter, and search your imported threat indicators without even writing a Log Analytics query.

-Perform two of the most common threat intelligence tasks: indicator tagging and creating new indicators related to security investigations. Create or edit the threat indicators directly within the Threat Intelligence page when you only need to quickly manage a few.

-Tagging threat indicators is an easy way to group them together to make them easier to find. Typically, you might apply tags to an indicator related to a particular incident, or representing threats from a particular known actor or well-known attack campaign. Once you search for the indicators you want to work with, tag them individually, or multi-select indicators and tag them all at once with one or more tags. Since tagging is free-form, a recommended practice is to create standard naming conventions for threat indicator tags.

-Validate your indicators and view your successfully imported threat indicators from the Microsoft Sentinel enabled log analytics workspace. The **ThreatIntelligenceIndicator** table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features such as **Analytics** and **Workbooks**.

-Here is an example view of a basic query for threat indicators.

-TI indicators are ingested into the **ThreatIntelligenceIndicator** table of your log analytics workspace as read-only. Anytime an indicator is updated, a new entry in the **ThreatIntelligenceIndicator** table is created. Only the most current indicator is displayed in the **Threat Intelligence** page however. Microsoft Sentinel de-duplicates indicators based on the **IndicatorId** and **SourceSystem** properties and chooses the indicator with the newest **TimeGenerated[UTC]**.

-The **IndicatorId** property is generated using the STIX indicator ID. When indicators are imported or created from non-STIX sources, the **IndicatorId** is generated by the *Source* and *Pattern* of the indicator.

-For more details on viewing and managing your threat indicators, see [Work with threat indicators in Microsoft Sentinel](work-with-threat-indicators.md#view-your-threat-indicators-in-microsoft-sentinel).

-### View your GeoLocation and WhoIs data enrichments (Public preview)

-Microsoft enriches IP and domain indicators with extra GeoLocation and WhoIs data, providing more context for investigations where the selected indicator of compromise (IOC) is found.

-View GeoLocation and WhoIs data on the **Threat Intelligence** pane for those types of threat indicators imported into Microsoft Sentinel.

-For example, use GeoLocation data to find details like *Organization* or *Country* for an IP indicator, and WhoIs data to find data like *Registrar* and *Record creation* data from a domain indicator.

-The most important use case for threat indicators in SIEM solutions like Microsoft Sentinel is to power analytics rules for threat detection. These indicator-based rules compare raw events from your data sources against your threat indicators to detect security threats in your organization. In Microsoft Sentinel **Analytics**, you create analytics rules that run on a schedule and generate security alerts. The rules are driven by queries, along with configurations that determine how often the rule should run, what kind of query results should generate security alerts and incidents, and optionally trigger an automated response.

-While you can always create new analytics rules from scratch, Microsoft Sentinel provides a set of built-in rule templates, created by Microsoft security engineers, to leverage your threat indicators. These built-in rule templates are based on the type of threat indicators (domain, email, file hash, IP address, or URL) and data source events you want to match. Each template lists the required sources needed for the rule to function. This makes it easy to determine if the necessary events are already imported in Microsoft Sentinel.

-By default, when these built-in rules are triggered, an alert will be created. In Microsoft Sentinel, the alerts generated from analytics rules also generate security incidents which can be found in **Incidents** under **Threat Management** on the Microsoft Sentinel menu. Incidents are what your security operations teams will triage and investigate to determine the appropriate response actions. Find detailed information in this [Tutorial: Investigate incidents with Microsoft Sentinel](./investigate-cases.md).

-For more details on using threat indicators in your analytics rules, see [Use threat intelligence to detect threats](use-threat-indicators-in-analytics-rules.md).

-Microsoft provides access to its threat intelligence through the **Microsoft Defender Threat Intelligence Analytics** rule. For more information on how to take advantage of this rule which generates high fidelity alerts and incidents, see [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md)

-Workbooks provide powerful interactive dashboards that give you insights into all aspects of Microsoft Sentinel, and threat intelligence is no exception. Use the built-in **Threat Intelligence workbook** to visualize key information about your threat intelligence, and easily customize the workbook according to your business needs. Create new dashboards combining many different data sources so to visualize your data in unique ways. Since Microsoft Sentinel workbooks are based on Azure Monitor workbooks, there is already extensive documentation available, and many more templates. A great place to start is this article on how to [Create interactive reports with Azure Monitor workbooks](../azure-monitor/visualize/workbooks-overview.md).

-There is also a rich community of [Azure Monitor workbooks on GitHub](https://github.com/microsoft/Application-Insights-Workbooks) to download additional templates and contribute your own templates.

-For more details on using and customizing the Threat Intelligence workbook, see [Work with threat indicators in Microsoft Sentinel](work-with-threat-indicators.md#workbooks-provide-insights-about-your-threat-intelligence).

-## Next steps

-In this document, you learned about the threat intelligence capabilities of Microsoft Sentinel, including the Threat Intelligence blade. For practical guidance on using Microsoft Sentinel's threat intelligence capabilities, see the following articles:

-#Customer intent: As a SOC analyst, I want to connect the threat intelligence available to analytics rules so I can generate alerts and incidents.

-Power your analytics rules with your threat indicators to automatically generate alerts based on the threat intelligence you've integrated.

-Below is an example of how to enable and configure a rule to generate security alerts using the threat indicators you've imported into Microsoft Sentinel. For this example, use the rule template called **TI map IP entity to AzureActivity**. This rule will match any IP address-type threat indicator with all your Azure Activity events. When a match is found, an **alert** will be generated along with a corresponding **incident** for investigation by your security operations team. This particular analytics rule requires the **Azure Activity** data connector (to import your Azure subscription-level events), and one or both of the **Threat Intelligence** data connectors (to import threat indicators). This rule will also trigger from imported indicators or manually created ones.

-1. From the [Azure portal](https://portal.azure.com/), navigate to the **Microsoft Sentinel** service.

-1. Choose the **workspace** to which you imported threat indicators using the **Threat Intelligence** data connectors and Azure activity data using the **Azure Activity** data connector.

-1. Select **Analytics** from the **Configuration** section of the Microsoft Sentinel menu.

-1. Select the **Rule templates** tab to see the list of available analytics rule templates.

-1. Find the rule titled **TI map IP entity to AzureActivity** and ensure you have connected all the required data sources as shown below.

- :::image type="content" source="media/work-with-threat-indicators/threat-intel-required-data-sources.png" alt-text="Screenshot of required data sources for the TI map IP entity to AzureActivity analytics rule.":::

-1. Select the **TI map IP entity to AzureActivity** rule and then select **Create rule** to open a rule configuration wizard. Configure the settings in the wizard and then select **Next: Set rule logic >**.

- :::image type="content" source="media/work-with-threat-indicators/threat-intel-create-analytics-rule.png" alt-text="Screenshot of the create analytics rule configuration wizard.":::

-1. The rule logic portion of the wizard has been pre-populated with the following items:

- - The query that will be used in the rule.

- - Entity mappings, which tell Microsoft Sentinel how to recognize entities like Accounts, IP addresses, and URLs, so that **incidents** and **investigations** understand how to work with the data in any security alerts generated by this rule.

- - Match any IP address threat indicators from the **ThreatIntelligenceIndicator** table with any IP address found in the last one hour of events from the **AzureActivity** table.

- - Generate a security alert if the query results are greater than zero, meaning if any matches are found.

-

- - The rule is enabled.

- You can leave the default settings or change them to meet your requirements, and you can define incident-generation settings on the **Incident settings** tab. For more information, see [Create custom analytics rules to detect threats](detect-threats-custom.md). When you are finished, select the **Automated response** tab.

-1. Configure any automation you'd like to trigger when a security alert is generated from this analytics rule. Automation in Microsoft Sentinel is done using combinations of **automation rules** and **playbooks** powered by Azure Logic Apps. To learn more, see this [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](./tutorial-respond-threats-playbook.md). When finished, select the **Next: Review >** button to continue.

-1. When you see the message that the rule validation has passed, select the **Create** button and you are finished.

-Find your enabled rules in the **Active rules** tab of the **Analytics** section of Microsoft Sentinel. Edit, enable, disable, duplicate, or delete the active rule from there. The new rule runs immediately upon activation, and then runs on its defined schedule.

-According to the default settings, each time the rule runs on its schedule, any results found will generate a security alert. Security alerts in Microsoft Sentinel can be viewed in the **Logs** section of Microsoft Sentinel, in the **SecurityAlert** table under the **Microsoft Sentinel** group.

-In Microsoft Sentinel, the alerts generated from analytics rules also generate security incidents, which can be found in **Incidents** under **Threat Management** on the Microsoft Sentinel menu. Incidents are what your security operations teams will triage and investigate to determine the appropriate response actions. You can find detailed information in this [Tutorial: Investigate incidents with Microsoft Sentinel](./investigate-cases.md).

-> Since analytic rules constrain lookups beyond 14 days, Microsoft Sentinel refreshes indicators every 12 days to make sure they are available for matching purposes through the analytic rules.

-For more information, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-indicators-to-microsoft-sentinel-with-the-microsoft-defender-threat-intelligence-data-connector).

-3. On the **Advanced** tab, under **Blob storage**, set the **Access tier** to either *Hot* or *Cool*. The default setting is *Hot*.

-3. Locate the **Blob access tier (default)** setting, and select either *Hot* or *Cool*. The default setting is *Hot*, if you have not previously set this property.

-If a blob's access tier is inferred from the default account access tier setting, then the Azure portal displays the access tier as **Hot (inferred)** or **Cool (inferred)**.

-A blob that doesn't have an explicitly assigned tier infers its tier from the default account access tier setting. If a blob's access tier is inferred from the default account access tier setting, then the Azure portal displays the access tier as **Hot (inferred)** or **Cool (inferred)**.

-> The cold tier and the archive tier are not supported as the default access tier for a storage account.

-### Limitations and known issues

-### Required versions of REST, SDKs, and tools

-Local users must use either a password or a Secure Shell (SSH) private key credential for authentication. You can have a maximum of 2,000 local users for a storage account.

-## Version 18.2.0.0

- - We're reducing the time it takes for the new server endpoint to be ready to use. When a new server endpoint is provisioned, it could take hours and sometime days for the server to be ready to use. With our latest improvements, we've substantially shortened this duration for a more efficient setup process.

- - The improvement applies to the following scenarios, when the server endpoint location is empty (no files or directories):

- - Creating the first server endpoint of new sync topology after data is copied to the Azure File Share.

- - Adding a new empty server endpoint to an existing sync topology.

- - How to get started: Sign up for the public preview [here](https://forms.office.com/r/gCLr1PDZKL).

- - Sync upload performance has improved, and performance numbers will be posted when they are available. This improvement will mainly benefit file share migrations (initial upload) and high churn events on the server in which a large number of files need to be uploaded, for example ACL changes.

-### Evaluation Tool

- - Sync upload performance has improved (performance numbers to be posted in the near future). This improvement will mainly benefit file share migrations (initial upload) and high churn events on the server in which a large number of files need to be uploaded.

- - Azure File Sync now supports an expanded list of characters. This expansion allows for users to create and sync SMB file shares with file and directory names on par with NTFS file system, for valid Unicode characters. For more information on unsupported characters, refer to the documentation [here](/troubleshoot/azure/azure-storage/file-sync-troubleshoot-sync-errors?toc=%2Fazure%2Fstorage%2Ffile-sync%2Ftoc.json&tabs=portal1%2Cazure-portal#handling-unsupported-characters).

- - You can now configure an alert if a server is in low disk space mode. To learn more, see [Monitor Azure File Sync](file-sync-monitoring.md).

-### Evaluation Tool

- - Azure File Sync is now a zone-redundant service, which means an outage in a zone has limited impact while improving the service resiliency to minimize customer impact. To fully use this improvement, configure your storage accounts to use zone-redundant storage (ZRS) or Geo-zone redundant storage (GZRS) replication. To learn more about different redundancy options for your storage accounts, see [Azure Files redundancy](../files/files-redundancy.md).

- - Azure File Sync uses the [Windows USN journal](/windows/win32/fileio/change-journals) feature on Windows Server to immediately detect files that were changed and upload them to the Azure file share. If files changed are missed due to journal wrap or other issues, the files won't sync to the Azure file share until the changes are detected. Azure File Sync has a server change enumeration job that runs every 24 hours on the server endpoint path to detect changes that were missed by the USN journal. If you don't want to wait until the next server change enumeration job runs, you can now use the `Invoke-StorageSyncServerChangeDetection` PowerShell cmdlet to immediately run server change enumeration on a server endpoint path.

- To immediately run server change enumeration on a server endpoint path, run the following PowerShell commands:

- ```powershell

- Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

- Invoke-StorageSyncServerChangeDetection -ServerEndpointPath <path>

- ```

- > [!NOTE]

- > By default, the server change enumeration scan will only check the modified timestamp. To perform a deeper check, use the -DeepScan parameter.

-### Server endpoint

-### Cloud tiering

-description: Learn how to configure single sign-on for an Azure Virtual Desktop environment using Microsoft Entra ID authentication.

-# Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID authentication

-This article walks you through the process of configuring single sign-on (SSO) for Azure Virtual Desktop using Microsoft Entra ID authentication. When you enable single sign-on, users authenticate to Windows using a Microsoft Entra ID token. This token enables the use of passwordless authentication and third-party identity providers that federate with Microsoft Entra ID when connecting to a session host, making the sign-in experience seamless.

-Single sign-on using Microsoft Entra ID authentication also provides a seamless experience for Microsoft Entra ID-based resources inside the session. For more information on using passwordless authentication within a session, see [In-session passwordless authentication](authentication.md#in-session-passwordless-authentication).

-### Disconnection when the session is locked

-When single sign-on is enabled and the remote session is locked, either by the user or by policy, the session is instead disconnected and a dialog is shown to let users know they were disconnected. Users can choose the **Reconnect** option from the dialog when they are ready to connect again. This is done for security reasons and to ensure full support of passwordless authentication. Disconnecting the session provides the following benefits:

-If you prefer to show the remote lock screen instead of disconnecting the session, your session hosts must use the following operating systems:

-You can configure the session lock behavior of your session hosts by using Intune, Group Policy, or the registry.

-# [Intune](#tab/intune)

-To configure the session lock experience using Intune, follow these steps. This process creates an Intune [settings catalog](/mem/intune/configuration/settings-catalog) policy.

-1. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com/).

-1. Select **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy**.

-1. Enter the following properties:

- - **Platform**: Select **Windows 10 and later**.

- - **Profile type**: Select **Settings catalog**.

-1. Select **Create**.

-1. In **Basics**, enter the following properties:

- - **Name**: Enter a descriptive name for the profile. Name your profile so you can easily identify it later.

- - **Description**: Enter a description for the profile. This setting is optional, but recommended.

-1. Select **Next**.

-1. In **Configuration settings**, select **Add settings**. Then:

- 1. In the settings picker, expand **Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security**.

- 1. Select the **Disconnect remote session on lock for Microsoft identity platform authentication** setting.

- 1. Close the settings picker.

-1. Configure the setting to "Disabled" to show the remote lock screen when the session locks.

-1. Select **Next**.

-1. (Optional) Add the **Scope tags**. For more information about scope tags in Intune, see [Use RBAC roles and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).

-1. Select **Next**.

-1. For the **Assignments** tab, select the devices, or groups to receive the profile, then select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).

-1. On the **Review + create** tab, review the configuration information, then select **Create**.

-1. Once the policy configuration is created, the setting will take effect after the session hosts sync with Intune and users initiate a new session.

-# [Group Policy](#tab/group-policy)

-To configure the session lock experience using Group Policy, follow these steps.

-1. Open **Local Group Policy Editor** from the Start menu or by running `gpedit.msc`.

-1. Browse to the following policy section:

- - `Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security`

-1. Select the **Disconnect remote session on lock for Microsoft identity platform authentication** policy.

-1. Set the policy to **Disabled** to show the remote lock screen when the session locks.

-1. Select **OK** to save your changes.

-1. Once the policy is configured, it will take effect after the user initiates a new session.

-> [!TIP]

-> To configure the Group Policy centrally on Active Directory Domain Controllers using Windows Server 2019 or Windows Server 2016, copy the `terminalserver.admx` and `terminalserver.adml` administrative template files from a session host to the [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) on the domain controller.

-# [Registry](#tab/registry)

-To configure the session lock experience using the registry on a session host, follow these steps.

-1. Open **Registry Editor** from the Start menu or by running `regedit.exe`.

-1. Set the following registry key and its value.

- - **Key**: `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services`

- - **Type**: `REG_DWORD`

- - **Value name**: `fdisconnectonlockmicrosoftidentity`

- - **Value data**: Enter a value from the following table:

- | Value Data | Description |

- |--|--|

- | `0` | Show the remote lock screen. |

- | `1` | Disconnect the session. |

-In environments with an Active Directory Domain Services (AD DS) and hybrid user accounts, the default *Password Replication Policy* on read-only domain controllers denies password replication for members of *Domain Admins* and *Administrators* security groups. This policy prevents these administrator accounts from signing in to Microsoft Entra hybrid joined hosts and might keep prompting them to enter their credentials. It also prevents administrator accounts from accessing on-premises resources that use Kerberos authentication from Microsoft Entra joined hosts. We don't recommend connecting to a remote session using an account that is a domain administrator.

- - [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator)

- If your Microsoft Entra hybrid joined session hosts are in a different Active Directory domain than your user accounts, there must be a two-way trust between the two domains. Without the two-way trust, connections will fall back to older authentication protocols.

-| Microsoft Remote Desktop | a4a365df-50f1-4397-bc59-1a1564b8bb9c |

-| Windows Cloud Login | 270efc09-cd0d-444b-a71f-39af4910ec45 |

-By default when single sign-on is enabled, users will see a dialog to allow the Remote Desktop connection when connecting to a new session host. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If users see this dialogue to allow the Remote Desktop connection, they can select **Yes** to connect.

-Applications in the Microsoft Store are updated frequently and often install automatically. The directory path for an application installed from the Microsoft Store includes the version number, which changes each time an application is updated. If an update happens automatically, the path changes and the application is no longer available to users. You can publish applications using the Windows `shell:appsFolder` location in the format `shell:AppsFolder\<PackageFamilyName>!<AppId>`, which doesn't use the `.exe` file or the directory path with the version number. This method ensures that the application location is always correct.

-New Teams is installed as an `MSIX` package, which is a format used for applications from the Microsoft Store. The directory path for an application installed from the Microsoft Store includes the version number, which changes each time an application is updated. To publish new Teams as a RemoteApp, follow the steps in [Publish Microsoft Store applications](publish-applications-stream-remoteapp.md#publish-microsoft-store-applications).

- "Instance0":"104.45.18.186",

- "Instance1":"104.45.13.195"

- "IPAddress":"66.193.205.122"

- "Instance0":"104.45.18.187",

- "Instance1":"104.45.13.195"

- "IPAddress":"182.71.123.228"

- "Instance0":"104.45.18.187",

- "Instance1":"104.45.13.195"

-Make sure that the data in the certificate doesn't contain invalid characters, such as line breaks (carriage returns). The entire value should be one long line. The following text is a sample of the certificate:

-```text

-MIIC5zCCAc+gAwIBAgIQFSwsLuUrCIdHwI3hzJbdBjANBgkqhkiG9w0BAQsFADAW

-MRQwEgYDVQQDDAtQMlNSb290Q2VydDAeFw0xNzA2MTUwMjU4NDZaFw0xODA2MTUw

-MzE4NDZaMBYxFDASBgNVBAMMC1AyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEF

-AAOCAQ8AMIIBCgKCAQEAz8QUCWCxxxTrxF5yc5uUpL/bzwC5zZ804ltB1NpPa/PI

-sa5uwLw/YFb8XG/JCWxUJpUzS/kHUKFluqkY80U+fAmRmTEMq5wcaMhp3wRfeq+1

-G9OPBNTyqpnHe+i54QAnj1DjsHXXNL4AL1N8/TSzYTm7dkiq+EAIyRRMrZlYwije

-407ChxIp0stB84MtMShhyoSm2hgl+3zfwuaGXoJQwWiXh715kMHVTSj9zFechYd7

-5OLltoRRDyyxsf0qweTFKIgFj13Hn/bq/UJG3AcyQNvlCv1HwQnXO+hckVBB29wE

-sF8QSYk2MMGimPDYYt4ZM5tmYLxxxvGmrGhc+HWXzMeQIDAQABozEwLzAOBgNVHQ8B

-Af8EBAMCAgQwHQYDVR0OBBYEFBE9zZWhQftVLBQNATC/LHLvMb0OMA0GCSqGSIb3

-DQEBCwUAA4IBAQB7k0ySFUQu72sfj3BdNxrXSyOT4L2rADLhxxxiK0U6gHUF6eWz

-/0h6y4mNkg3NgLT3j/WclqzHXZruhWAXSF+VbAGkwcKA99xGWOcUJ+vKVYL/kDja

-gaZrxHlhTYVVmwn4F7DWhteFqhzZ89/W9Mv6p180AimF96qDU8Ez8t860HQaFkU6

-2Nw9ZMsGkvLePZZi78yVBDCWMogBMhrRVXG/xQkBajgvL5syLwFBo2kWGdC+wyWY

-U/Z+EK9UuHnn3Hkq/vXEzRVsYuaxchta0X2UNRzRq+o706l+iyLTpe6fnvW6ilOi

-e8Jcej7mzunzyjz4chN0/WVF94MtxbUkLkqP

-```