-1. Search for each of the following application IDs. If no existing application is found, follow the *Resolution* steps to create the service principal or re-register the namespace.

-If application ID *2565bd9d-da50-47d4-8b85-4c97f669dc36* is missing from your Azure AD directory, use Azure AD PowerShell to complete the following steps. For more information, see [Azure AD PowerShell](/powershell/azure/active-directory/install-adv2).

-Azure AD Application Proxy offers the following security benefits:

-An API that look up and resolve DIDs using the ```did:web``` or the ```did:ion``` methods and return the DID Document Object (DDO). The DDO includes DPKI metadata associated with the DID such as public keys and service endpoints.

-Alice requests Woodgrove Inc for a proof of employment verifiable credential. Woodgrove Inc attests Alice's identity and issues a signed verfiable credential that Alice can accept and store in her digital wallet application. Alice can now present this verifiable credential as a proof of employement on the Proseware site. After a succesfull presentation of the credential, Prosware offers discount to Alice and the transaction is logged in Alice's wallet application so that she can track where and to whom she has presented her proof of employment verifiable credential.

-**issuer** ΓÇô The issuer is an organization that creates an issuance solution requesting information from a user. The information is used to verify the userΓÇÖs identity. For example, Woodgrove, Inc. has an issuance solution that enables them to create and distribute verifiable credentials (VCs) to all their employees. The employee uses the Authenticator app to sign in with their username and password, which passes an ID token to the issuing service. Once Woodgrove, Inc. validates the ID token submitted, the issuance solution creates a VC that includes claims about the employee and is signed with Woodgrove, Inc. DID. The employee now has a verifiable credential that is signed by their employer, which includes the employees DID as the subject DID.

-**user** ΓÇô The user is the person or entity that is requesting a VC. For example, Alice is a new employee of Woodgrove, Inc. and was previously issued her proof of employment verifiable credential. When Alice needs to provide proof of employment in order to get a discount at Proseware, she can grant access to the credential in her Authenticator app by signing a verifiable presentation that proves Alice is the owner of the DID. Proseware is able to validate the credential was issued by Woodgrove, Inc.and Alice is the owner of the credential.

-**verifier** ΓÇô The verifier is a company or entity who needs to verify claims from one or more issuers they trust. For example, Proseware trusts Woodgrove, Inc. does an adequate job of verifying their employeesΓÇÖ identity and issuing authentic and valid VCs. When Alice tries to order the equipment she needs for her job, Proseware will use open standards such as SIOP and Presentation Exchange to request credentials from the User proving they are an employee of Woodgrove, Inc. For example, Proseware might provide Alice a link to a website with a QR code she scans with her phone camera. This initiates the request for a specific VC, which Authenticator will analyze and give Alice the ability to approve the request to prove her employment to Proseware. Proseware can use the verifiable credentials service API or SDK, to verify the authenticity of the verifiable presentation. Based on the information provided by Alice they give Alice the discount. If other companies and organizations know that Woodgrove, Inc. issues VCs to their employees, they can also create a verifier solution and use the Woodgrove, Inc. verifiable credential to provide special offers reserved for Woodgrove, Inc. employees.

- "manifest": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert1",

-1. Copy or download the DID document being displayed in the box

-1. Upload the file to your webserver. The DID document JSON file needs to be uploaded to location /.well-known/did.json on your webserver.

-The DID document in the did.json file needs to be republished if you changed the Linked Domain or if you rotate your signing keys.

-The portal verifies that the `did.json` is reachable and correct when you click the [**Refresh registration status** button](#how-do-i-register-my-website-id). You should also consider verifying that you can request that URL in a browser to avoid errors like not using https, bad SSL certificate or URL not being public. If the did.json file can be requested anonymously in a browser, without warnings or errors, the portal will not be able to complete the **Refresh registration status** step either.

-

- "manifest": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert",

-| `error`| error | When the `code` property value is `Issuance_error`, this property contains information about the error.|

-| `fetch_contract_error*`| Unable to fetch the verifiable credential contract. This error usually happens when the API can't fetch the manifest you specify in the request payload [RequestIssuance object](#issuance-request-payload).|

-| `issuance_service_error*` | The Verifiable Credentials service isn't able to validate requirements, or something went wrong in Verifiable Credentials.|

-GET /authorize?client_id=<client-id>&redirect_uri=portableidentity%3A%2F%2Fverify&response_mode=query&response_type=code&scope=openid&state=12345&nonce=12345 HTTP/1.1

- * **External identities** ΓÇô self-service: When external identities sign up to the target system through self-service (for example, a B2C application) the attributes in the VC can be used to populate the initial attributes of the user account. The VC attributes can also be used to find out if a profile already exists.

- * To create a new user in Azure AD, the RP website can use a service principal that is granted the MS Graph scope of User.ReadWrite.All to create users, and the scope UserAuthenticationMethod.ReadWrite.All to reset authentication method

- * To invite users to Azure AD using B2B collaboration, the RP website can use a service principal that is granted the MS Graph scope of User.Invite.All to create invitations.

-* Grant the RP website the ability to use a service principal granted the MS Graph scope UserAuthenticationMethod.ReadWrite.All to reset authentication methods. DonΓÇÖt grant the User.ReadWrite.All, which enables the ability to create and delete users.

-* Determine if an expired VC has meaning in your application; if so check the value of the ΓÇ£expΓÇ¥ claim (the expiration time) of the VC as part of the authorization checks. One example where expiration is not relevant is requiring a government-issued document such as a driverΓÇÖs license to validate if the subject is older than 18. The date of birth claim is valid, even if the VC is expired.

- * Consider using the ΓÇ£subΓÇ¥ claim as an immutable identifier of the user. This is an opaque unique attribute that will be constant for a given subject/RP pair.

-The `Configuration.Validation` provides information about the presented credentials should be validated. It contains the following properties:

-| `validateLinkedDomain` | Boolean | Determines if the linked domain should be validated. Default is `false`. Setting this flag to `false` means you as a Relying Party application accept credentials from unverified linked domain. Setting this flag to `true` means the linked domain will be validated and only verified domains will be accepted. |

-|`attestations`| [idTokenAttestation](#idtokenattestation-type) and/or [idTokenHintAttestation](#idtokenhintattestation-type) and/or [verifiablePresentationAttestation](#verifiablepresentationattestation-type) and/or [selfIssuedAttestation](#selfissuedattestation-type) |

-|`validityInterval` | number | represents the lifespan of the credential |

-|`vc`| vcType array | types for this contract |

-When you sign in the user from within Authenticator, you can use the returned ID token from the OIDC compatible provider as input.

-| `redirectUri` | string | redirect uri to use when obtaining the ID token MUST BE vcclient://openid/ |

-| `trustedIssuers` | optional string (array) | a list of DIDs allowed to issue the verifiable credential for this contract. This property is only used for specific scenarios where the `idtoken` hint can come from another issuer |

-This flow uses the IDTokenHint, which is provided as payload through the Request REST API. The mapping is the same as for the ID Token attestation.

-| `trustedIssuers` | optional string (array) | a list of DIDs allowed to issue the verifiable credential for this contract. This property is only used for specific scenarios where the idtoken hint can come from another issuer |

-When you want the user to present another VC as input for a new issued VC. The wallet will allow the user to select the VC during issuance.

- "CredentialManifest": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"

-Microsoft Entra Verified ID is a decentralized identity solution that helps you safeguard your organization. The service allows you to issue and verify credentials. Issuers can use the Verified ID service to issue their own customized verifiable credentials. Verifiers can use the service's free REST API to easily request and accept verifiable credentials in their apps and services.

-1. Select **+ Add Access Policy** and select the service principal **Verifiable Credentials Service Request** with AppId **3db474b9-6a0c-4840-96ac-1fceb342124**.

- Verified ID needs to get access tokens to issue and verify. To get access tokens, register a web application and grant API permission for the API Verified ID Request Service that you set up in the previous step.

-1. Search for the service principal that you created earlier, **Verifiable Credentials Service Request**, and select it.

- - https://contoso.com/.well-known/did.json

- - https://contoso.com/.well-known/did-configuration.json.

-In [Issue Microsoft Entra Verified ID credentials from an application](verifiable-credentials-configure-issuer.md), you learn how to issue and verify credentials by using the same Azure Active Directory (Azure AD) tenant. In this tutorial, you go over the steps needed to present and verify your first verifiable credential: a verified credential expert card.

- "CredentialManifest": " https://verifiedid.did.msidentity.com/v1.0/987654321-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"

-1. Go to the ION Explorer and paste the DID in the search box

-### I can not use ngrok, what do I do?

-The tutorials for deploying and running the [samples](verifiable-credentials-configure-issuer.md#prerequisites) describes the use of the `ngrok` tool as an application proxy. This tool is sometimes blocked by IT admins from being used in corporate networks. An alternative is to deploy the sample to [Azure AppServices](../../app-service/overview.md) and run it in the cloud. The following links helps you deploy the respective sample to Azure AppServices. The Free pricing tier will be sufficient for hosting the sample. For each tutorial, you need to start by first creating the Azure AppService instance, then skip creating the app since you already have an app and then continue the tutorial with deploying it.

-Regardless of which language of the sample you are using, they will pickup the Azure AppService hostname (https://something.azurewebsites.net/) and use it as the public endpoint. You don't need to configure something extra to make it work. If you make changes to the code or configuration, you need to redeploy the sample to Azure AppServices. Troubleshooting/debugging will not be as easy as running the sample on your local machine, where traces to the console window shows you errors, but you can achieve almost the same by using the [Log Stream](../../app-service/troubleshoot-diagnostic-logs.md#stream-logs).

- - Introducing Managed Credentials, Managed Credentials are verifiable credentials that no longer use of Azure Storage to store the [display & rules JSON definitions](rules-and-display-definitions-model.md). Their display and rule definitions are different from earlier versions.

- "client_id": "",

- "redirect_uri": ""

-| telemetry.logs.local | `none` | Enables local logging. Value can be `none`, `auto`, `localsyslog`, `rfc5424`, `journal`, `json` |

-description: Data residency and information about Azure Arc-enabled servers.

-# Azure Arc-enabled servers: Data residency

-This article explains the concept of data residency and how it applies to Azure Arc-enabled servers.

-Azure Arc-enabled servers is **[available](https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc)** in the **United States, Europe, United Kingdom, Australia, and Asia Pacific**.

-## Data residency

-Azure Arc-enabled servers store [Azure VM extension](manage-vm-extensions.md) configuration settings (that is, property values) the extension requires specifying before attempting to enable on the connected machine. For example, when you enable the Log Analytics VM extension, it asks for the Log Analytics **workspace ID** and **primary key**.

-Metadata information about the connected machine is also collected by the Azure Connected Machine agent and sent to Azure. A full list of metadata collected is available in the [instance metadata documentation](agent-overview.md#instance-metadata).

-Azure Arc-enabled servers allow you to specify the region where your data is stored. Microsoft may replicate to other regions for data resiliency, but Microsoft does not replicate or move data outside the geography. This data is stored in the region where the Azure Arc machine resource is configured. For example, if the machine is registered with Arc in the East US region, this data is stored in the US region.

-> [!NOTE]

-> For South East Asia, your data is not replicated outside of this region.

-For more information about our regional resiliency and compliance support, see [Azure geography](https://azure.microsoft.com/global-infrastructure/geographies/).

-## Next steps

-Learn more about designing for [Azure resiliency](/azure/architecture/reliability/architect).

-| Azure VM | Log Analytics agent VM extension for Windows/Linux | Agent is automatically upgraded [after the VM model changes](../../virtual-machines/extensions/features-linux.md#how-agents-and-extensions-are-updated), unless you configured your Azure Resource Manager template to opt out by setting the property _autoUpgradeMinorVersion_ to **false**. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. Major version upgrade is always manual. See [VirtualMachineExtensionInner.AutoUpgradeMinorVersion Property](https://docs.azure.cn/dotnet/api/microsoft.azure.management.compute.fluent.models.virtualmachineextensioninner.autoupgrademinorversion?view=azure-dotnet). |

- -TypeHandlerVersion latestVersion

- -EnableAutomaticUpgrade $true

->The billable data volume calculation is substantially smaller than the size of the entire incoming JSON-packaged event. On average across all event types, the billed size is about 25% less than the incoming data size. This can be up to 50% for small events. It is essential to understand this calculation of billed data size when estimating costs and comparing to other pricing models.

-### Threat intelligence limits

-### Watchlist limits

- **Consumption**

- **Standard**

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp env create `

- --name $CONTAINERAPPS_ENVIRONMENT `

- --resource-group $RESOURCE_GROUP `

- --location $LOCATION

-Choose a name for `STORAGE_ACCOUNT`. Storage account names must be *unique within Azure* and be from 3 to 24 characters in length containing numbers and lowercase letters only.

-STORAGE_ACCOUNT="<storage account name>"

-# [PowerShell](#tab/powershell)

-```powershell

-$STORAGE_ACCOUNT="<storage account name>"

- --name $STORAGE_ACCOUNT \

-# [PowerShell](#tab/powershell)

-```powershell

-$STORAGE_ACCOUNT = New-AzStorageAccount `

- -Name $STORAGE_ACCOUNT_NAME `

- -ResourceGroupName $RESOURCE_GROUP `

- -Location $LOCATION `

- -SkuName Standard_RAGRS `

- -Kind StorageV2

-QUEUE_CONNECTION_STRING=`az storage account show-connection-string -g $RESOURCE_GROUP --name $STORAGE_ACCOUNT --query connectionString --out json | tr -d '"'`

-# [PowerShell](#tab/powershell)

-```azurecli

- $QUEUE_CONNECTION_STRING=(az storage account show-connection-string -g $RESOURCE_GROUP --name $STORAGE_ACCOUNT_NAME --query connectionString --out json) -replace '"',''

- --name "myqueue" \

- --account-name $STORAGE_ACCOUNT \

-# [PowerShell](#tab/powershell)

-```powershell

-$queue = New-AzStorageQueue ΓÇôName "myqueue" `

- -Context $STORAGE_ACCOUNT.Context

-# [PowerShell](#tab/powershell)

-```azurecli

-$queueMessage = [Microsoft.Azure.Storage.Queue.CloudQueueMessage]::new("Hello Queue Reader App")

-$queue.CloudQueue.AddMessageAsync($QueueMessage)

-# [PowerShell](#tab/powershell)

-```powershell

-$params = @{

- environment_name = $CONTAINERAPPS_ENVIRONMENT

- location = $LOCATION

- queueconnection=$QUEUE_CONNECTION_STRING

-New-AzResourceGroupDeployment `

- -ResourceGroupName $RESOURCE_GROUP `

- -TemplateParameterObject $params `

- -TemplateFile ./queue.json `

- -SkipTemplateParameterPrompt

-The container app runs as a background process. As messages arrive from the Azure Storage Queue, the application creates log entries in Log analytics. You must wait a few minutes for the analytics to arrive for the first time before you are able to query the logged data.

- --analytics-query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'queuereader' and Log_s contains 'Message ID'" \

-# [PowerShell](#tab/powershell)

-```powershell

-$LOG_ANALYTICS_WORKSPACE_CLIENT_ID=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv)

-$queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $LOG_ANALYTICS_WORKSPACE_CLIENT_ID -Query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'queuereader' and Log_s contains 'Message ID'"

-Once you are done, run the following command to delete the resource group that contains your Container Apps resources.

-# [PowerShell](#tab/powershell)

-```powershell

-Remove-AzResourceGroup -Name $RESOURCE_GROUP -Force

-This command deletes the entire resource group including the Container Apps instance, storage account, Log Analytics workspace, and any other resources in the resource group.

-When defining a Dapr component via YAML, you'll pass your component manifest into the Azure CLI. When configuring multiple components, you'll need to create a separate YAML file and run the Azure CLI command for each component.

-For example, deploy a `pubsub.yaml` component using the following command:

-This resource defines a Dapr component called `dapr-pubsub` via Bicep. The Dapr component is defined as a child resource of your Container Apps environment. To define multiple components, you can add a `daprComponent` resource for each Dapr component.

-The `dapr-pubsub` component is scoped to the Dapr-enabled container apps with app IDs `publisher-app` and `subscriber-app`:

-A Dapr component is defined as a child resource of your Container Apps environment. To define multiple components, you can add a `daprComponent` resource for each Dapr component.

-This resource defines a Dapr component called `dapr-pubsub` via ARM. The `dapr-pubsub` component will be scoped to the Dapr-enabled container apps with app IDs `publisher-app` and `subscriber-app`:

-Now that you've learned about Dapr and some of the challenges it solves, try [Deploying a Dapr application to Azure Container Apps using the Azure CLI][dapr-quickstart] or [Azure Resource Manager][dapr-arm-quickstart].

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp env create `

- --name $CONTAINERAPPS_ENVIRONMENT `

- --resource-group $RESOURCE_GROUP `

- --location $LOCATION

-For details on how to provide values for any of these parameters to the `create` command, run `az containerapp create --help`.

-If you are using Azure Container Registry (ACR), you can login to your registry and forego the need to use the `--registry-username` and `--registry-password` parameters in the `az containerapp create` command and eliminate the need to set the REGISTRY_USERNAME and REGISTRY_PASSWORD variables.

-```azurecli

-az acr login --name <REGISTRY_NAME>

-```

-# [PowerShell](#tab/powershell)

-```powershell

-az acr login --name <REGISTRY_NAME>

-```

-# [Bash](#tab/bash)

-If you have logged in to ACR, you can omit the `--registry-username` and `--registry-password` parameters in the `az containerapp create` command.

-# [PowerShell](#tab/powershell)

-```powershell

-$CONTAINER_IMAGE_NAME=<CONTAINER_IMAGE_NAME>

-$REGISTRY_SERVER=<REGISTRY_SERVER>

-$REGISTRY_USERNAME=<REGISTRY_USERNAME>

-$REGISTRY_PASSWORD=<REGISTRY_PASSWORD>

-If you have logged in to ACR, you can omit the `--registry-username` and `--registry-password` parameters in the `az containerapp create` command.

-```powershell

-az containerapp create `

- --name my-container-app `

- --resource-group $RESOURCE_GROUP `

- --image $CONTAINER_IMAGE_NAME `

- --environment $CONTAINERAPPS_ENVIRONMENT `

- --registry-server $REGISTRY_SERVER `

- --registry-username $REGISTRY_USERNAME `

- --registry-password $REGISTRY_PASSWORD

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp create `

- --image <REGISTRY_CONTAINER_NAME> `

- --name my-container-app `

- --resource-group $RESOURCE_GROUP `

- --environment $CONTAINERAPPS_ENVIRONMENT

-If you have enabled ingress on your container app, you can add `--query properties.configuration.ingress.fqdn` to the `create` command to return the public URL for the application.

-To verify a successful deployment, you can query the Log Analytics workspace. You might have to wait 5ΓÇô10 minutes after deployment for the analytics to arrive for the first time before you are able to query the logs.

-After about 5-10 minutes has passed, use the following steps to view logged messages.

-# [PowerShell](#tab/powershell)

-```powershell

-$LOG_ANALYTICS_WORKSPACE_CLIENT_ID=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv)

-az monitor log-analytics query `

- --workspace $LOG_ANALYTICS_WORKSPACE_CLIENT_ID `

- --analytics-query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'my-container-app' | project ContainerAppName_s, Log_s, TimeGenerated" `

- --out table

-az group delete \

- --name $RESOURCE_GROUP

-# [PowerShell](#tab/powershell)

-```powershell

-az group delete `

- --name $RESOURCE_GROUP

-To create the environment, run the following command:

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp env create `

- --name $CONTAINERAPPS_ENVIRONMENT `

- --resource-group $RESOURCE_GROUP `

- --location $LOCATION

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp create `

- --name my-container-app `

- --resource-group $RESOURCE_GROUP `

- --environment $CONTAINERAPPS_ENVIRONMENT `

- --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest `

- --target-port 80 `

- --ingress 'external' `

- --query properties.configuration.ingress.fqdn

-```

-> Make sure the value for the `--image` parameter is in lower case.

-By setting `--ingress` to `external`, you make the container app available to public requests.

-The `create` command returned the fully qualified domain name for the container app. Copy this location to a web browser and see the following message:

-az group delete \

- --name $RESOURCE_GROUP

-# [PowerShell](#tab/powershell)

-```powershell

-Remove-AzResourceGroup -Name $RESOURCE_GROUP -Force

-Individual container apps are deployed to an Azure Container Apps environment. To create the environment, run the following command:

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp env create `

- --name $CONTAINERAPPS_ENVIRONMENT `

- --resource-group $RESOURCE_GROUP `

- --location "$LOCATION"

-Choose a name for `STORAGE_ACCOUNT`. Storage account names must be *unique within Azure*, from 3 to 24 characters in length and must contain numbers and lowercase letters only.

-STORAGE_ACCOUNT="<storage account name>"

-# [PowerShell](#tab/powershell)

-```powershell

-$STORAGE_ACCOUNT="<storage account name>"

-Set the `STORAGE_ACCOUNT_CONTAINER` name.

-# [PowerShell](#tab/powershell)

-```powershell

-$STORAGE_ACCOUNT_CONTAINER="mycontainer"

- --name $STORAGE_ACCOUNT \

-# [PowerShell](#tab/powershell)

-```azurecli

-az storage account create `

- --name $STORAGE_ACCOUNT `

- --resource-group $RESOURCE_GROUP `

- --location "$LOCATION" `

- --sku Standard_RAGRS `

- --kind StorageV2

-STORAGE_ACCOUNT_KEY=`az storage account keys list --resource-group $RESOURCE_GROUP --account-name $STORAGE_ACCOUNT --query '[0].value' --out tsv`

-# [PowerShell](#tab/powershell)

-```azurecli

-$STORAGE_ACCOUNT_KEY=(az storage account keys list --resource-group $RESOURCE_GROUP --account-name $STORAGE_ACCOUNT --query '[0].value' --out tsv)

- value: mycontainer

- echo $STORAGE_ACCOUNT

-If you've changed the `STORAGE_ACCOUNT_CONTAINER` variable from its original value, `mycontainer`, replace the value of `containerName` with your own value.

-If you need to add multiple components, create a separate YAML file for each component and run the `az containerapp env dapr-component set` command multiple times to add each component. For more information about configuring Dapr components, see [Configure Dapr components](dapr-overview.md#configure-dapr-components).

-# [Bash](#tab/bash)

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp env dapr-component set `

- --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP `

- --dapr-component-name statestore `

- --yaml statestore.yaml

-Your state store is configured using the Dapr component described in *statestore.yaml*. The component is scoped to a container app named `nodeapp` and isn't available to other container apps.

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp create `

- --name nodeapp `

- --resource-group $RESOURCE_GROUP `

- --environment $CONTAINERAPPS_ENVIRONMENT `

- --image dapriosamples/hello-k8s-node:latest `

- --target-port 3000 `

- --ingress 'internal' `

- --min-replicas 1 `

- --max-replicas 1 `

- --enable-dapr `

- --dapr-app-id nodeapp `

- --dapr-app-port 3000 `

- --env-vars 'APP_PORT=3000'

-This command deploys:

-* the service (Node) app server on `--target-port 3000` (the app port)

-* its accompanying Dapr sidecar configured with `--dapr-app-id nodeapp` and `--dapr-app-port 3000'` for service discovery and invocation

-# [PowerShell](#tab/powershell)

-```azurecli

-az containerapp create `

- --name pythonapp `

- --resource-group $RESOURCE_GROUP `

- --environment $CONTAINERAPPS_ENVIRONMENT `

- --image dapriosamples/hello-k8s-python:latest `

- --min-replicas 1 `

- --max-replicas 1 `

- --enable-dapr `

- --dapr-app-id pythonapp

-This command deploys `pythonapp` that also runs with a Dapr sidecar that is used to look up and securely call the Dapr sidecar for `nodeapp`. As this app is headless there's no `--target-port` to start a server, nor is there a need to enable ingress.

-1. Select on the file.

-# [PowerShell](#tab/powershell)

-```azurecli

-$LOG_ANALYTICS_WORKSPACE_CLIENT_ID=`

-(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv)

-az monitor log-analytics query `

- --workspace $LOG_ANALYTICS_WORKSPACE_CLIENT_ID `

- --analytics-query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'nodeapp' and (Log_s contains 'persisted' or Log_s contains 'order') | project ContainerAppName_s, Log_s, TimeGenerated | sort by TimeGenerated | take 5" `

- --out table

-```console

-az group delete \

- --resource-group $RESOURCE_GROUP

-# [PowerShell](#tab/powershell)

-```azurecli

-az group delete `

- --resource-group $RESOURCE_GROUP

-This command deletes the resource group that includes all of the resources created in this tutorial.

-# [PowerShell](#tab/powershell)

-```powershell

-$VNET_NAME="my-custom-vnet"

- --name infrastructure \

-# [PowerShell](#tab/powershell)

-```powershell

-az network vnet create `

- --resource-group $RESOURCE_GROUP `

- --name $VNET_NAME `

- --location $LOCATION `

- --address-prefix 10.0.0.0/16

-```powershell

-az network vnet subnet create `

- --resource-group $RESOURCE_GROUP `

- --vnet-name $VNET_NAME `

- --name infrastructure-subnet `

- --address-prefixes 10.0.0.0/23

-# [PowerShell](#tab/powershell)

-```powershell

-$INFRASTRUCTURE_SUBNET=(az network vnet subnet show --resource-group $RESOURCE_GROUP --vnet-name $VNET_NAME --name infrastructure-subnet --query "id" -o tsv)

-# [PowerShell](#tab/powershell)

-```powershell

-az containerapp env create `

- --name $CONTAINERAPPS_ENVIRONMENT `

- --resource-group $RESOURCE_GROUP `

- --location "$LOCATION" `

- --infrastructure-subnet-resource-id $INFRASTRUCTURE_SUBNET `

- --internal-only

-```

-# [PowerShell](#tab/powershell)

-```powershell

-$ENVIRONMENT_DEFAULT_DOMAIN=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.defaultDomain -o tsv)

-```

-```powershell

-$ENVIRONMENT_STATIC_IP=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.staticIp -o tsv)

-```powershell

-$VNET_ID=(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query id -o tsv)

-# [PowerShell](#tab/powershell)

-```powershell

-az network private-dns zone create `

- --resource-group $RESOURCE_GROUP `

- --name $ENVIRONMENT_DEFAULT_DOMAIN

-```powershell

-az network private-dns link vnet create `

- --resource-group $RESOURCE_GROUP `

- --name $VNET_NAME `

- --virtual-network $VNET_ID `

- --zone-name $ENVIRONMENT_DEFAULT_DOMAIN -e true

-```powershell

-az network private-dns record-set a add-record `

- --resource-group $RESOURCE_GROUP `

- --record-set-name "*" `

- --ipv4-address $ENVIRONMENT_STATIC_IP `

- --zone-name $ENVIRONMENT_DEFAULT_DOMAIN

-There are three optional networking parameters you can choose to define when calling `containerapp env create`. Use these options when you have a peered VNET with separate address ranges. Explicitly configuring these ranges ensures the addresses used by the Container Apps environment doesn't conflict with other ranges in the network infrastructure.

-You must either provide values for all three of these properties, or none of them. If they arenΓÇÖt provided, the CLI generates the values for you.

-az group delete \

- --name $RESOURCE_GROUP

-# [PowerShell](#tab/powershell)

-```azurecli

-az group delete `

- --name $RESOURCE_GROUP

-# [PowerShell](#tab/powershell)

-```powershell

-$VNET_NAME="my-custom-vnet"

-# [PowerShell](#tab/powershell)

-```powershell

-az network vnet create `

- --resource-group $RESOURCE_GROUP `

- --name $VNET_NAME `

- --location $LOCATION `

- --address-prefix 10.0.0.0/16

-```powershell

-az network vnet subnet create `

- --resource-group $RESOURCE_GROUP `

- --vnet-name $VNET_NAME `

- --name infrastructure-subnet `

- --address-prefixes 10.0.0.0/23

-# [PowerShell](#tab/powershell)

-```powershell

-$INFRASTRUCTURE_SUBNET=(az network vnet subnet show --resource-group $RESOURCE_GROUP --vnet-name $VNET_NAME --name infrastructure-subnet --query "id" -o tsv)

-# [PowerShell](#tab/powershell)

-```powershell

-az containerapp env create `

- --name $CONTAINERAPPS_ENVIRONMENT `

- --resource-group $RESOURCE_GROUP `

- --location "$LOCATION" `

- --infrastructure-subnet-resource-id $INFRASTRUCTURE_SUBNET

-```

-With your environment created using a custom virtual network, you can now deploy container apps using the `az containerapp create` command.

-# [PowerShell](#tab/powershell)

-```powershell

-$ENVIRONMENT_DEFAULT_DOMAIN=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query defaultDomain -o tsv)

-```

-```powershell

-$ENVIRONMENT_STATIC_IP=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query staticIp -o tsv)

-```powershell

-$VNET_ID=(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query id -o tsv)

-# [PowerShell](#tab/powershell)

-```powershell

-az network private-dns zone create `

- --resource-group $RESOURCE_GROUP `

- --name $ENVIRONMENT_DEFAULT_DOMAIN

-```powershell

-az network private-dns link vnet create `

- --resource-group $RESOURCE_GROUP `

- --name $VNET_NAME `

- --virtual-network $VNET_ID `

- --zone-name $ENVIRONMENT_DEFAULT_DOMAIN -e true

-```powershell

-az network private-dns record-set a add-record `

- --resource-group $RESOURCE_GROUP `

- --record-set-name "*" `

- --ipv4-address $ENVIRONMENT_STATIC_IP `

- --zone-name $ENVIRONMENT_DEFAULT_DOMAIN

-There are three optional networking parameters you can choose to define when calling `containerapp env create`. Use these options when you have a peered VNET with separate address ranges. Explicitly configuring these ranges ensures the addresses used by the Container Apps environment doesn't conflict with other ranges in the network infrastructure.

-You must either provide values for all three of these properties, or none of them. If they arenΓÇÖt provided, the CLI generates the values for you.

-az group delete \

- --name $RESOURCE_GROUP

-# [PowerShell](#tab/powershell)

-```azurecli

-az group delete `

- --name $RESOURCE_GROUP

-The relevant API documentation is available in [the Adaptive application Controls section of Defender for Cloud's API docs](/rest/api/defenderforcloud/adaptiveapplicationcontrols).

-You can also manage your email notifications through the supplied REST API. For full details see the [SecurityContacts API documentation](/rest/api/defenderforcloud/securitycontacts).

-For another example of using the securityCenter property, see [this section of the REST API documentation](/rest/api/defenderforcloud/assessmentsmetadata/createinsubscription#examples).

-Yes. The results are under [Sub-Assessments REST API](/rest/api/defenderforcloud/subassessments/list/). Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.

-

-Yes. The results are under [Sub-Assessments REST API](/rest/api/defenderforcloud/subassessments/list/). Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.

-Learn more at [JIT network access policies](/rest/api/defenderforcloud/jitnetworkaccesspolicies).

-Learn more at [JIT network access policies](/rest/api/defenderforcloud/jitnetworkaccesspolicies).

-You can now access your score via the [secure score API](/rest/api/defenderforcloud/securescores/). The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example:

-You can now access your score via the [secure score API](/rest/api/defenderforcloud/securescores/) (currently in preview). The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example, you can use the **Secure Scores** API to get the score for a specific subscription. In addition, you can use the **Secure Score Controls** API to list the security controls and the current score of your subscriptions.

-## March 2022

-Updates in March include:

-### Global availability of Secure Score for AWS and GCP environments

-The cloud security posture management capabilities provided by Microsoft Defender for Cloud, has now added support for your AWS and GCP environments within your Secure Score.

-Enterprises can now view their overall security posture, across various environments, such as Azure, AWS and GCP.

-The Secure Score page has been replaced with the Security posture dashboard. The Security posture dashboard allows you to view an overall combined score for all of your environments, or a breakdown of your security posture based on any combination of environments that you choose.

-The Recommendations page has also been redesigned to provide new capabilities such as: cloud environment selection, advanced filters based on content (resource group, AWS account, GCP project and more), improved user interface on low resolution, support for open query in resource graph, and more. You can learn more about your overall [security posture](secure-score-security-controls.md) and [security recommendations](review-security-recommendations.md).

-### Deprecated the recommendations to install the network traffic data collection agent

-Changes in our roadmap and priorities have removed the need for the network traffic data collection agent. The following two recommendations and their related policies were deprecated.

-|Recommendation |Description |Severity |

-||||

-| Network traffic data collection agent should be installed on Linux virtual machines|Defender for Cloud uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |Medium |

-| Network traffic data collection agent should be installed on Windows virtual machines |Defender for Cloud uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats. |Medium |

-### Defender for Containers can now scan for vulnerabilities in Windows images (preview)

-Defender for Container's image scan now supports Windows images that are hosted in Azure Container Registry. This feature is free while in preview, and will incur a cost when it becomes generally available.

-Learn more in [Use Microsoft Defender for Container to scan your images for vulnerabilities](defender-for-containers-usage.md).

-### New alert for Microsoft Defender for Storage (preview)

-To expand the threat protections provided by Microsoft Defender for Storage, we've added a new preview alert.

-Threat actors use applications and tools to discover and access storage accounts. Microsoft Defender for Storage detects these applications and tools so that you can block them and remediate your posture.

-This preview alert is called `Access from a suspicious application`. The alert is relevant to Azure Blob Storage, and ADLS Gen2 only.

-| Alert (alert type) | Description | MITRE tactic | Severity |

-|--|--|--|--|

-| **PREVIEW - Access from a suspicious application**<br>(Storage.Blob_SuspiciousApp) | Indicates that a suspicious application has successfully accessed a container of a storage account with authentication.<br>This might indicate that an attacker has obtained the credentials necessary to access the account, and is exploiting it. This could also be an indication of a penetration test carried out in your organization.<br>Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2 | Initial Access | Medium |

-### Configure email notifications settings from an alert

-A new section has been added to the alert User Interface (UI) which allows you to view and edit who will receive email notifications for alerts that are triggered on the current subscription.

-Learn how to [Configure email notifications for security alerts](configure-email-notifications.md).

-### Deprecated preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses

-The following preview alert has been deprecated:

-|Alert name| Description|

-|-||

-|**PREVIEW - Activity from a risky IP address**<br>(ARM.MCAS_ActivityFromAnonymousIPAddresses)|Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.<br>These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.<br>Requires an active Microsoft Defender for Cloud Apps license.|

-A new alert has been created that provides this information and adds to it. In addition, the newer alerts (ARM_OperationFromSuspiciousIP, ARM_OperationFromSuspiciousProxyIP) don't require a license for Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).

-See more alerts for [Resource Manager](alerts-reference.md#alerts-resourcemanager).

-### Moved the recommendation Vulnerabilities in container security configurations should be remediated from the secure score to best practices

-The recommendation `Vulnerabilities in container security configurations should be remediated` has been moved from the secure score section to best practices section.

-The current user experience only provides the score when all compliance checks have passed. Most customers have difficulties with meeting all the required checks. We're working on an improved experience for this recommendation, and once released the recommendation will be moved back to the secure score.

-### Deprecated the recommendation to use service principals to protect your subscriptions

-As organizations move away from using management certificates to manage their subscriptions, and [our recent announcement that we're retiring the Cloud Services (classic) deployment model](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/), we deprecated the following Defender for Cloud recommendation and its related policy:

-|Recommendation |Description |Severity |

-||||

-| Service principals should be used to protect your subscriptions instead of Management Certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they're associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. <br />(Related policy: [Service principals should be used to protect your subscriptions instead of management certificates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f6646a0bd-e110-40ca-bb97-84fcee63c414)) |Medium |

-Learn more:

-### Legacy implementation of ISO 27001 replaced with new ISO 27001:2013 initiative

-The legacy implementation of ISO 27001 has been removed from Defender for Cloud's regulatory compliance dashboard. If you're tracking your ISO 27001 compliance with Defender for Cloud, onboard the new ISO 27001:2013 standard for all relevant management groups or subscriptions.

-### Deprecated Microsoft Defender for IoT device recommendations

-Microsoft Defender for IoT device recommendations is no longer visible in Microsoft Defender for Cloud. These recommendations are still available on Microsoft Defender for IoT's Recommendations page.

-The following recommendations are deprecated:

-| Assessment key | Recommendations |

-|--|--|

-| 1a36f14a-8bd8-45f5-abe5-eef88d76ab5b: IoT Devices | Open Ports On Device |

-| ba975338-f956-41e7-a9f2-7614832d382d: IoT Devices | Permissive firewall rule in the input chain was found |

-| beb62be3-5e78-49bd-ac5f-099250ef3c7c: IoT Devices | Permissive firewall policy in one of the chains was found |

-| d5a8d84a-9ad0-42e2-80e0-d38e3d46028a: IoT Devices | Permissive firewall rule in the output chain was found |

-| 5f65e47f-7a00-4bf3-acae-90ee441ee876: IoT Devices | Operating system baseline validation failure |

-|a9a59ebb-5d6f-42f5-92a1-036fd0fd1879: IoT Devices | Agent sending underutilized messages |

-| 2acc27c6-5fdb-405e-9080-cb66b850c8f5: IoT Devices | TLS cipher suite upgrade needed |

-|d74d2738-2485-4103-9919-69c7e63776ec: IoT Devices | Auditd process stopped sending events |

-### Deprecated Microsoft Defender for IoT device alerts

-All of Microsoft's Defender for IoT device alerts are no longer visible in Microsoft Defender for Cloud. These alerts are still available on Microsoft Defender for IoT's Alert page, and in Microsoft Sentinel.

-### Posture management and threat protection for AWS and GCP released for general availability (GA)

-Learn how to protect and connect your [AWS environment](quickstart-onboard-aws.md) and [GCP organization](quickstart-onboard-gcp.md) with Microsoft Defender for Cloud.

-### Registry scan for Windows images in ACR added support for national clouds

-Registry scan for Windows images is now supported in Azure Government and Azure China 21Vianet. This addition is currently in preview.

-Learn more about our [feature's availability](supported-machines-endpoint-solutions-clouds-containers.md).

-You can access your score via the secure score API. The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example, you can use the [Secure Scores API](/rest/api/defenderforcloud/securescores) to get the score for a specific subscription. In addition, you can use the [Secure Score Controls API](/rest/api/defenderforcloud/securescorecontrols) to list the security controls and the current score of your subscriptions.

-1. From the top of the page, select **Manage compliance policies**. The Policy Management page appears.

-1. To add the standards relevant to your organization, expand the **Industry & regulatory standards** section and select **Add more standards**.

-> Microsoft Graph API's (MGA) ability to send events to Event Grid (a generally available service) is in private preview. In the following steps, you will follow instructions from [Node.js](https://github.com/microsoftgraph/nodejs-webhooks-sample), [Java](https://github.com/microsoftgraph/java-spring-webhooks-sample), and[.NET Core](https://github.com/microsoftgraph/aspnetcore-webhooks-sample) Webhook samples to enable flow of events from Microsoft Graph API. At some point in the sample, you will have an application registered with Azure AD. Email your application ID to <a href="mailto:ask.graph.and.grid@service.microsoft.com?subject=Please allow my application ID">mailto:ask.graph.and.grid@service.microsoft.com?subject=Please allow my Azure AD application with ID to send events through Graph API</a> so that the Microsoft Graph API team can add your application ID to allow list to use this new capability.

-* Before you can configure configure security headers, you must first create a Front Door. For more information, see [Quickstart: Create a Front Door](create-front-door-portal.md).

-* [Azure Az PowerShell module](/powershell/azure/install-Az-ps).

-## Lab Services require non-admin user for labs

-|**Audit**|Labs show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when non-admin accounts is not used while creating the lab.|

-| Purpose | Source service tag or IP addresses | Source ports | Destination service tag or IP addresses | Destination ports | Notes |

-|||--|--|-|-|

-| Intersubnet communication within virtual network | Address space for the virtual network with ISE subnets | * | Address space for the virtual network with ISE subnets | * | Required for traffic to flow *between* the subnets in your virtual network. <p><p>**Important**: For traffic to flow between the *components* in each subnet, make sure that you open all the ports within each subnet. |

-| Both: <p>Communication to your logic app <p><p>Runs history for logic app| Internal ISE: <br>**VirtualNetwork** <p><p>External ISE: **Internet** or see **Notes** | * | **VirtualNetwork** | 443 | Rather than use the **Internet** service tag, you can specify the source IP address for these items: <p><p>- The computer or service that calls any request triggers or webhooks in your logic app <p>- The computer or service from where you want to access logic app runs history <p><p>**Important**: Closing or blocking this port prevents calls to logic apps that have request triggers or webhooks. You're also prevented from accessing inputs and outputs for each step in runs history. However, you're not prevented from accessing logic app runs history.|

-| Azure Logic Apps designer - dynamic properties | **LogicAppsManagement** | * | **VirtualNetwork** | 454 | Requests come from the Azure Logic Apps access endpoint's [inbound IP addresses](logic-apps-limits-and-config.md#inbound) for that region. <p><p>**Important**: If you're working with Azure Government cloud, the **LogicAppsManagement** service tag won't work. Instead, you have to provide the Azure Logic Apps [inbound IP addresses](logic-apps-limits-and-config.md#azure-government-inbound) for Azure Government. |

-| Network health check | **LogicApps** | * | **VirtualNetwork** | 454 | Requests come from the Azure Logic Apps access endpoint's [inbound IP addresses](logic-apps-limits-and-config.md#inbound) and [outbound IP addresses](logic-apps-limits-and-config.md#outbound) for that region. <p><p>**Important**: If you're working with Azure Government cloud, the **LogicApps** service tag won't work. Instead, you have to provide both the Azure Logic Apps [inbound IP addresses](logic-apps-limits-and-config.md#azure-government-inbound) and [outbound IP addresses](logic-apps-limits-and-config.md#azure-government-outbound) for Azure Government. |

-| Connector deployment | **AzureConnectors** | * | **VirtualNetwork** | 454 | Required to deploy and update connectors. Closing or blocking this port causes ISE deployments to fail and prevents connector updates and fixes. <p><p>**Important**: If you're working with Azure Government cloud, the **AzureConnectors** service tag won't work. Instead, you have to provide the [managed connector outbound IP addresses](logic-apps-limits-and-config.md#azure-government-outbound) for Azure Government. |

-| App Service Management dependency | **AppServiceManagement** | * | **VirtualNetwork** | 454, 455 ||

-| Communication from Azure Traffic Manager | **AzureTrafficManager** | * | **VirtualNetwork** | Internal ISE: 454 <p><p>External ISE: 443 ||

-| Both: <p>Connector policy deployment <p>API Management - management endpoint | **APIManagement** | * | **VirtualNetwork** | 3443 | For connector policy deployment, port access is required to deploy and update connectors. Closing or blocking this port causes ISE deployments to fail and prevents connector updates and fixes. |

-| Access Azure Cache for Redis Instances between Role Instances | **VirtualNetwork** | * | **VirtualNetwork** | 6379 - 6383, plus see **Notes**| For ISE to work with Azure Cache for Redis, you must open these [outbound and inbound ports described by the Azure Cache for Redis FAQ](../azure-cache-for-redis/cache-how-to-premium-vnet.md#outbound-port-requirements). |

-|||||||

-| Purpose | Source service tag or IP addresses | Source ports | Destination service tag or IP addresses | Destination ports | Notes |

-|||--|--|-|-|

-| Intersubnet communication within virtual network | Address space for the virtual network with ISE subnets | * | Address space for the virtual network with ISE subnets | * | Required for traffic to flow *between* the subnets in your virtual network. <p><p>**Important**: For traffic to flow between the *components* in each subnet, make sure that you open all the ports within each subnet. |

-| Communication from your logic app | **VirtualNetwork** | * | Internet | 443, 80 | This rule is required for Secure Socket Layer (SSL) certificate verification. This check is for various internal and external sites, which is the reason that the Internet is required as the destination. |

-| Communication from your logic app | **VirtualNetwork** | * | Varies based on destination | Varies based on destination | Destination ports vary based on the endpoints for the external services with which your logic app needs to communicate. <p><p>For example, the destination port is port 25 for an SMTP service, port 22 for an SFTP service, and so on. |

-| Azure Active Directory | **VirtualNetwork** | * | **AzureActiveDirectory** | 80, 443 ||

-| Azure Storage dependency | **VirtualNetwork** | * | **Storage** | 80, 443, 445 ||

-| Connection management | **VirtualNetwork** | * | **AppService** | 443 ||

-| Publish diagnostic logs & metrics | **VirtualNetwork** | * | **AzureMonitor** | 443 ||

-| Azure SQL dependency | **VirtualNetwork** | * | **SQL** | 1433 ||

-| Azure Resource Health | **VirtualNetwork** | * | **AzureMonitor** | 1886 | Required for publishing health status to Resource Health. |

-| Dependency from Log to Event Hub policy and monitoring agent | **VirtualNetwork** | * | **EventHub** | 5672 ||

-| Access Azure Cache for Redis Instances between Role Instances | **VirtualNetwork** | * | **VirtualNetwork** | 6379 - 6383, plus see **Notes**| For ISE to work with Azure Cache for Redis, you must open these [outbound and inbound ports described by the Azure Cache for Redis FAQ](../azure-cache-for-redis/cache-how-to-premium-vnet.md#outbound-port-requirements). |

-| DNS name resolution | **VirtualNetwork** | * | IP addresses for any custom Domain Name System (DNS) servers on your virtual network | 53 | Required only when you use custom DNS servers on your virtual network |

-|||||||

-| Azure resource groups | **When resource is deleted** |

-| Azure virtual machines | Additionally: <p>- **Power off Virtual Machine** <br>- **Start Virtual Machine** |

-| Azure Storage accounts | Additionally: <p>- **Delete old blobs** |

-| Azure Cosmos DB | Additionally, <p>- **Send query result via email** |

-|||

-This article shows how to create an example automated integration workflow that runs in the *single-tenant* Azure Logic Apps environment by using Visual Studio Code with the **Azure Logic Apps (Standard)** extension. The logic app that you create with this extension is based on the **Logic App (Standard)** resource type, which provides the following capabilities:

-* You can locally run and test logic app workflows in the Visual Studio Code development environment.

-* You can deploy the **Logic App (Standard)** resource type directly to the single-tenant Azure Logic Apps environment or anywhere that Azure Functions can run, including containers, due to the Azure Logic Apps containerized runtime.

-For more information about the single-tenant Azure Logic Apps offering, review [Single-tenant versus multi-tenant and integration service environment](single-tenant-overview-compare.md).

- Or, in the Visual Studio Code status bar, select your Azure account.

-Before you run and test your logic app workflow by starting a debugging session, you can set [breakpoints](https://code.visualstudio.com/docs/editor/debugging#_breakpoints) inside the **workflow.json** file for each workflow. No other setup is required.

- "FUNCTIONS_WORKER_RUNTIME": "dotnet",

- "FUNCTIONS_WORKER_RUNTIME": "dotnet",

- "FUNCTIONS_WORKER_RUNTIME": "dotnet",

-This article describes the steps to follow for deploying such logic apps to protected private storage accounts. For more information, review [Use private endpoints for Azure Storage](../storage/common/storage-private-endpoints.md).

-1. After deployment finishes, enable VNet integration between your logic app and the private endpoints on the virtual network that connects to your storage account.

- `C:\psping {storage-account-host-name}.file.core.windows.net:443`

- 1. Check that the VNet integration is set up correctly with the appropriate VNET and subnet in your logic app.

-1. For your agent job, find and add the **Azure Resource Group Deployment** task.

- 

-description: Add XSLT maps to transform XML in workflows with Azure Logic Apps and the Enterprise Integration Pack.

-# Add XSLT maps to transform XML in workflows with Azure Logic Apps

-To convert XML between formats, your logic app workflow can use maps with the **Transform XML** action. A map is an XML document that uses Extensible Stylesheet Language Transformation (XSLT) language to describe how to convert data from XML to another format. The map consists of a source XML schema as input and a target XML schema as output. You can define a basic transformation, such as copying a name and address from one document to another. Or, you can create more complex transformations using the out-of-the-box map operations. You can manipulate or control data by using different built-in functions, such as string manipulations, conditional assignments, arithmetic expressions, date time formatters, and even looping constructs.

-> [!NOTE]

-> Azure Logic Apps allocates finite memory for processing XML transformations. If you create logic apps based on the

-> [**Logic App (Consumption)** resource type](logic-apps-overview.md#resource-type-and-host-environment-differences),

-> and your map or payload transformations have high memory consumption, such transformations might fail, resulting in

-> out of memory errors. To avoid this scenario, consider these options:

->

-> * Edit your maps or payloads to reduce memory consumption.

->

-> * Create your logic apps using the [**Logic App (Standard)** resource type](logic-apps-overview.md#resource-type-and-host-environment-differences) instead.

->

-> These workflows run in single-tenant Azure Logic Apps, which offers dedicated and flexible options for compute and memory resources.

-> However, the Standard logic app resource type currently doesn't support referencing external assemblies from maps. Also, only Extensible

-> Stylesheet Language Transformation (XSLT) 1.0 is currently supported.

-If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overview.md)? For more information about B2B enterprise integration, review [B2B enterprise integration workflows with Azure Logic Apps and Enterprise Integration Pack](logic-apps-enterprise-integration-overview.md).

-* To create maps, you can use the following tools:

- > [!IMPORTANT]

- > [!NOTE]

-* An [integration account resource](logic-apps-enterprise-integration-create-integration-account.md) where you define and store artifacts, such as trading partners, agreements, certificates, and so on, for use in your enterprise integration and B2B workflows. This resource has to meet the following requirements:

- * Is associated with the same Azure subscription as your logic app resource.

- * Exists in the same location or Azure region as your logic app resource where you plan to use the **Transform XML** action.

- * If you use the [**Logic App (Consumption)** resource type](logic-apps-overview.md#resource-type-and-host-environment-differences), you have to [link your integration account to your logic app resource](logic-apps-enterprise-integration-create-integration-account.md#link-account) before you can use your artifacts in your workflow.

- To create and add maps for use in **Logic App (Consumption)** workflows, you don't need a logic app resource yet. However, when you're ready to use those maps in your workflows, your logic app resource requires a linked integration account that stores those maps.

- * If you use the [**Logic App (Standard)** resource type](logic-apps-overview.md#resource-type-and-host-environment-differences), you need an existing logic app resource because you don't store maps in your integration account. Instead, you can directly add maps to your logic app resource using either the Azure portal or Visual Studio Code. Only XSLT 1.0 is currently supported. You can then use these maps across multiple workflows within the *same logic app resource*.

- You still need an integration account to store other artifacts, such as partners, agreements, and certificates, along with using the [AS2](logic-apps-enterprise-integration-as2.md), [X12](logic-apps-enterprise-integration-x12.md), and [EDIFACT](logic-apps-enterprise-integration-edifact.md) operations. However, you don't need to link your logic app resource to your integration account, so the linking capability doesn't exist. Your integration account still has to meet other requirements, such as using the same Azure subscription and existing in the same location as your logic app resource.

- > [!NOTE]

- > Currently, only the **Logic App (Consumption)** resource type supports [RosettaNet](logic-apps-enterprise-integration-rosettanet.md) operations.

- > The **Logic App (Standard)** resource type doesn't include [RosettaNet](logic-apps-enterprise-integration-rosettanet.md) operations.

-* While **Logic App (Consumption)** supports referencing external assemblies from maps, **Logic App (Standard)** currently doesn't support this capability. Referencing an assembly enables direct calls from XSLT maps to custom .NET code.

- * You need a 64-bit assembly. The transform service runs a 64-bit process, so 32-bit assemblies aren't supported. If you have the source code for a 32-bit assembly, recompile the code into a 64-bit assembly. If you don't have the source code, but you obtained the binary from a third-party provider, get the 64-bit version from that provider. For example, some vendors provide assemblies in packages that have both 32-bit and 64-bit versions. If you have the option, use the 64-bit version instead.

- * You have to upload *both the assembly and the map* in a specific order to your integration account. Make sure you [*upload your assembly first*](#add-assembly), and then upload the map that references the assembly.

- * If your assembly is [2 MB or smaller](#smaller-map), you can add your assembly and map to your integration account *directly* from the Azure portal. However, if your assembly or map is bigger than 2 MB but not bigger than the [size limit for assemblies or maps](logic-apps-limits-and-config.md#artifact-capacity-limits), you can use an Azure blob container where you can upload your assembly and that container's location. That way, you can provide that location later when you add the assembly to your integration account. For this task, you need these items:

- | Item | Description |

- ||-|

- | [Azure storage account](../storage/common/storage-account-overview.md) | In this account, create an Azure blob container for your assembly. Learn [how to create a storage account](../storage/common/storage-account-create.md). |

- | Blob container | In this container, you can upload your assembly. You also need this container's content URI location when you add the assembly to your integration account. Learn how to [create a blob container](../storage/blobs/storage-quickstart-blobs-portal.md). |

- | [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) | This tool helps you more easily manage storage accounts and blob containers. To use Storage Explorer, either [download and install Azure Storage Explorer](https://www.storageexplorer.com/). Then, connect Storage Explorer to your storage account by following the steps in [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md). To learn more, see [Quickstart: Create a blob in object storage with Azure Storage Explorer](../storage/blobs/quickstart-storage-explorer.md). <p>Or, in the Azure portal, select your storage account. From your storage account menu, select **Storage Explorer**. |

- |||

- * To add larger maps for the **Logic App (Consumption)** resource type, you can also use the [Azure Logic Apps REST API - Maps](/rest/api/logic/maps/createorupdate). However, for the **Logic App (Standard)** resource type, the Azure Logic Apps REST API is currently unavailable.

-## Limits

-* With **Logic App (Standard)**, no limits exist for map file sizes.

-* With **Logic App (Consumption)**, limits exist for integration accounts and artifacts such as maps. For more information, review [Limits and configuration information for Azure Logic Apps](logic-apps-limits-and-config.md#integration-account-limits).

-## Add referenced assemblies (Consumption resource only)

-<a name="create-maps"></a>

-## Create maps

-To create an Extensible Stylesheet Language Transformation (XSLT) document that you can use as a map, you can use Visual Studio 2015 or 2019 to create an integration project by using the [Enterprise Integration SDK](https://aka.ms/vsmapsandschemas). In this project, you can build an integration map file, which lets you visually map items between two XML schema files. After you build this project, you get an XSLT document. For limits on map quantities in integration accounts, review [Limits and configuration for Azure Logic Apps](logic-apps-limits-and-config.md#artifact-number-limits).

-Your map must have the following attributes and a `CDATA` section that contains the call to the assembly code:

-* `name` is the custom assembly name.

-* `namespace` is the namespace in your assembly that includes the custom code.

-The following example shows a map that references an assembly named `XslUtilitiesLib` and calls the `circumference` method from the assembly.

-```xml

-<?xml version="1.0" encoding="UTF-8"?>

-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:my-scripts">

-<msxsl:script language="C#" implements-prefix="user">

- <msxsl:assembly name="XsltHelperLib"/>

- <msxsl:using namespace="XsltHelpers"/>

- <![CDATA[public double circumference(int radius){ XsltHelper helper = new XsltHelper(); return helper.circumference(radius); }]]>

-</msxsl:script>

-<xsl:template match="data">

-<circles>

- <xsl:for-each select="circle">

- <circle>

- <xsl:copy-of select="node()"/>

- <circumference>

- <xsl:value-of select="user:circumference(radius)"/>

- </circumference>

- </circle>

- </xsl:for-each>

-</circles>

-</xsl:template>

-</xsl:stylesheet>

-```

-## Tools and capabilities for maps

-* When you create a map using Visual Studio and the [Enterprise Integration SDK](https://aka.ms/vsmapsandschemas), you work with a graphical representation of the map, which shows all the relationships and links you create.

-* You can make a direct data copy between the XML schemas that you use to create the map. The [Enterprise Integration SDK](https://aka.ms/vsmapsandschemas) for Visual Studio includes a mapper that makes this task as simple as drawing a line that connects the elements in the source XML schema with their counterparts in the target XML schema.

-* Operations or functions for multiple maps are available, including string functions, date time functions, and so on.

-* To add a sample XML message, you can use the map testing capability. With just one gesture, you can test the map you created, and review the generated output.

-<a name="add-map"></a>

-## Add maps

-### [Consumption](#tab/consumption)

-1. On the **Maps** pane, select **Add**.

-1. Continue to add either a map [up to 2 MB](#smaller-map) or [more than 2 MB](#larger-map).

-#### Add maps up to 2 MB

-#### Add maps more than 2 MB

-Currently, to add larger maps, use the [Azure Logic Apps REST API - Maps](/rest/api/logic/maps/createorupdate).

-### [Standard](#tab/standard)

-Workflow actions such as **Flat File** and **XML Validation** require a schema to perform their tasks. For example, the **XML Validation** action requires an XML schema to check that documents use valid XML and have the expected data in the predefined format. This schema is a business document that's represented in XML using the [XML Schema Definition (XSD)](https://www.w3.org/TR/xmlschema11-1/) and uses the .xsd file name extension. The **Flat File** actions use a schema to encode and decode XML content.

- > [!IMPORTANT]

- > [!NOTE]

- * If your schema is bigger than 2 MB but not bigger than the [size limit for schemas](logic-apps-limits-and-config.md#artifact-capacity-limits), you'll need an Azure storage account where you can upload your schema. Then, to add that schema to your integration account, you can then link to your storage account from your integration account. For this task, the following table describes the items you need:

- To add larger schemas, you can also use the [Azure Logic Apps REST API - Schemas](/rest/api/logic/schemas/create-or-update). However, for Standard workflows, the Azure Logic Apps REST API is currently unavailable.

-To add larger schemas for Consumption workflows to use, you can upload your schema to an Azure blob container in your Azure storage account. Your steps for adding schemas differ based whether your blob container has public read access. So first, check whether or not your blob container has public read access by following these steps: [Set public access level for blob container](../vs-azure-tools-storage-explorer-blobs.md#set-the-public-access-level-for-a-blob-container)

-These steps apply only if you want to add a schema directly to your Standard logic app resource. Otherwise, [add the schema to your integration account](#add-schema-integration-account).

-# As a developer, I want to connect to my single-tenant logic app workflows with virtual networks using private endpoints and virtual network integration.

-# Secure traffic between single-tenant Standard logic apps and Azure virtual networks using private endpoints

-In addition to the [virtual network setup in the top-level prerequisites](#prerequisites), you need to have a new or existing single-tenant based logic app workflow that starts with a built-in trigger that can receive requests.

-For more information, review the following documentation:

-#### Copy the endpoint URL

-### Considerations for inbound traffic through private endpoints

- For GitHub integration to work, remove the `WEBSITE_RUN_FROM_PACKAGE` setting from your logic app or set the value to `0`.

-<a name="set-up-outbound"></a>

-## Set up outbound traffic using virtual network integration

-To secure outbound traffic from your logic app, you can integrate your logic app with a virtual network. First, create and test an example workflow. You can then set up virtual network integration.

-> [!IMPORTANT]

-> You can't change the subnet size after assignment, so use a subnet that's large enough to accommodate

-> the scale that your app might reach. To avoid any issues with subnet capacity, use a `/26` subnet with 64 addresses.

-> If you create the subnet for virtual network integration with the Azure portal, you must use `/27` as the minimum subnet size.

-1. On the **Networking** pane, on the **Outbound traffic** card, select **VNet integration**.

-> [!IMPORTANT]

-> For the Azure Logic Apps runtime to work, you need to have an uninterrupted connection to the backend storage.

-> If the backend storage is exposed to the virtual network through a private endpoint, make sure that the following port is open:

->

-> | Source port | Direction | Protocol | Source / Destination | Purpose |

-> |-|--|-|-||

-> | 443 | Outbound | TCP | Private endpoint / Storage account | Storage account |

-> | 445 | Outbound | TCP | Private endpoint / Subnet integrated with Standard logic app | Server Message Block (SMB) File Share |

-> ||||||

->

->

-> For Azure-hosted managed connectors to work, you need to have an uninterrupted connection to the managed API service.

-> With virtual network integration, make sure that no firewall or network security policy blocks these connections.

-### Considerations for outbound traffic through virtual network integration

-If your virtual network uses a network security group (NSG), user-defined route table (UDR), or a firewall, make sure that the virtual network allows outbound connections to [all managed connector IP addresses](/connectors/common/outbound-ip-addresses#azure-logic-apps) in the corresponding region. Otherwise, Azure-managed connectors won't work.

-Setting up virtual network integration affects only outbound traffic. To secure inbound traffic, which continues to use the App Service shared endpoint, review [Set up inbound traffic through private endpoints](#set-up-inbound).

-For more information, review the following documentation:

-description: Learn how to assign multiple IP addresses to a virtual machine using the Azure portal | Resource Manager.

-This article explains how to create a virtual machine (VM) through the Azure Resource Manager deployment model using the Azure portal. Multiple IP addresses cannot be assigned to resources created through the classic deployment model. To learn more about Azure deployment models, read the [Understand deployment models](../../azure-resource-manager/management/deployment-models.md) article.

-## <a name = "create"></a>Create a VM with multiple IP addresses

-If you want to create a VM with multiple IP addresses, or a static private IP address, you must create it using PowerShell or the Azure CLI. To learn how, click the PowerShell or CLI options at the top of this article. You can create a VM with a single dynamic private IP address and (optionally) a single public IP address. Use the portal by following the steps in the [Create a Windows VM](../../virtual-machines/windows/quick-create-portal.md) or [Create a Linux VM](../../virtual-machines/linux/quick-create-portal.md) articles. After you create the VM, you can change the IP address type from dynamic to static and add additional IP addresses using the portal by following steps in the [Add IP addresses to a VM](#add) section of this article.

-## <a name="add"></a>Add IP addresses to a VM

-You can add private and public IP addresses to an Azure network interface by completing the steps that follow. The examples in the following sections assume that you already have a VM with the three IP configurations described in the [scenario](#scenario), but it's not required.

-### <a name="coreadd"></a>Core steps

-1. Browse to the Azure portal at https://portal.azure.com and sign into it, if necessary.

-2. In the portal, click **More services** > type *virtual machines* in the filter box, and then click **Virtual machines**.

-3. In the **Virtual machines** pane, click the VM you want to add IP addresses to. Navigate to **Networking** Tab. Click **Network interface** on the page. As shown in the picture below:

- 

-4. In the **Network interface** pane, click the **IP configurations**.

-5. In the pane that appears for the NIC you selected, click **IP configurations**. Click **Add**, complete the steps in one of sections that follow, based on the type of IP address you want to add, and then click **OK**.

-### Add a private IP address

-Complete the following steps to add a new private IP address:

-1. Complete the steps in the [Core steps](#coreadd) section of this article and ensure you are on the **IP configurations** section of the VM Network Interface. Review the subnet shown as default (such as 10.0.0.0/24).

-2. Click **Add**. In the **Add IP configuration** pane that appears, create an IP configuration named *IPConfig-4* with a new *Static* private IP address by picking a new number for the final octet, then click **OK**. (For the 10.0.0.0/24 subnet, an example IP would be *10.0.0.7*.)

- > [!NOTE]

- > When adding a static IP address, you must specify an unused, valid address on the subnet the NIC is connected to. If the address you select is not available, the portal displays an X for the IP address and you must select a different one.

-3. Once you click OK, the pane closes and you see the new IP configuration listed. Click **OK** to close the **Add IP configuration** pane.

-4. You can click **Add** to add additional IP configurations, or close all open blades to finish adding IP addresses.

-5. Add the private IP addresses to the VM operating system by completing the steps in the [Add IP addresses to a VM operating system](#os-config) section of this article.

-### Add a public IP address

-A public IP address is added by associating a public IP address resource to either a new IP configuration or an existing IP configuration.

-> Public IP addresses have a nominal fee. To learn more about IP address pricing, read the [IP address pricing](https://azure.microsoft.com/pricing/details/ip-addresses) page. There is a limit to the number of public IP addresses that can be used in a subscription. To learn more about the limits, read the [Azure limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#networking-limits) article.

->

-### <a name="create-public-ip"></a>Create a public IP address resource

-A public IP address is one setting for a public IP address resource. If you have a public IP address resource that is not currently associated to an IP configuration that you want to associate to an IP configuration, skip the following steps and complete the steps in one of the sections that follow, as you require. If you don't have an available public IP address resource, complete the following steps to create one:

-1. Browse to the Azure portal at https://portal.azure.com and sign into it, if necessary.

-3. In the portal, click **Create a resource** > **Networking** > **Public IP address**.

-4. In the **Create public IP address** pane that appears, enter a **Name**, select an **IP address assignment** type, a **Subscription**, a **Resource group**, and a **Location**, then click **Create**, as shown in the following picture:

- 

-5. Complete the steps in one of the sections that follow to associate the public IP address resource to an IP configuration.

-#### Associate the public IP address resource to a new IP configuration

-1. Complete the steps in the [Core steps](#coreadd) section of this article.

-2. Click **Add**. In the **Add IP configuration** pane that appears, create an IP configuration named *IPConfig-4*. Enable the **Public IP address** and select an existing, available public IP address resource from the **Choose public IP address** pane that appears.

- Once you've selected the public IP address resource, click **OK** and the pane closes. If you don't have an existing public IP address, you can create one by completing the steps in the [Create a public IP address resource](#create-public-ip) section of this article.

-3. Review the new IP configuration. Even though a private IP address wasn't explicitly assigned, one was automatically assigned to the IP configuration, because all IP configurations must have a private IP address.

-4. You can click **Add** to add additional IP configurations, or close all open blades to finish adding IP addresses.

-5. Add the private IP address to the VM operating system by completing the steps for your operating system in the [Add IP addresses to a VM operating system](#os-config) section of this article. Do not add the public IP address to the operating system.

-#### Associate the public IP address resource to an existing IP configuration

-1. Complete the steps in the [Core steps](#coreadd) section of this article.

-2. Click the IP configuration you want to add the public IP address resource to.

-3. In the IPConfig pane that appears, click **IP address**.

-4. In the **Choose public IP address** pane that appears, select a public IP address.

-5. Click **Save** and the panes close. If you don't have an existing public IP address, you can create one by completing the steps in the [Create a public IP address resource](#create-public-ip) section of this article.

-3. Review the new IP configuration.

-4. You can click **Add** to add additional IP configurations, or close all open blades to finish adding IP addresses. Do not add the public IP address to the operating system.

-> After you change the IP address configuration, you must restart the VM for the changes to take effect in the VM.