The 21 Production Cliffs of Wiring Microsoft Copilot Studio to AWS — A Senior Engineer's Field Notes

Shipping Production AI: I Wired Microsoft Copilot Studio to AWS via MCP — 104 Tools, $12/mo, Zero Hallucinations

104 tools. $12/month. Zero hallucinations (because zero write permissions).
Here's the architecture, the code, and the 21 cliffs I fell off so you don't have to.

Kerolos · Senior Infrastructure & Security Engineer
Ex-Cisco · Ex-Microsoft · Currently @ a major US bank · Building AI-powered automation

It's 2 AM on a Saturday.

PagerDuty is shrieking. A production EC2 instance can't reach its database. Our incident channel has 30 people in it, and the on-call junior engineer — let's call her Sarah, six months out of bootcamp — is staring at the AWS Console with 47 browser tabs open.

She doesn't know which security group, which subnet, which NACL, or which route table to look at first.

She types in our incident channel:

"Anyone awake? web-server-prod-3 can't reach the database 😭"

Three of us wake up. We spend the next 90 minutes pulling threads. Eventually we find it: a security group rule got removed by an unrelated Terraform change four hours earlier.

I went back to bed at 4 AM thinking the same thing every senior engineer thinks at 4 AM:

"There has to be a better way."

By Sunday night, there was.

What I built

An AI agent. 104 read-only AWS tools. Two front doors. Junior engineers can use it from inside Microsoft Teams. Senior engineers can use it from Claude Desktop on their laptops. Both talk to the exact same brain.

Now when Sarah types in Teams:

SARAH:
Why can't web-server-prod-3 reach the database?

AGENT (4 seconds later):
Security group sg-0abc123 attached to web-server-prod-3 has no outbound rule allowing port 5432 to subnet 10.0.2.0/24.

Flow Logs show 47 REJECT events in the last hour. The rule was removed 4 hours ago by user maria.dev via Terraform pipeline #847.

Suggested fix:
aws ec2 authorize-security-group-egress \
--group-id sg-0abc123 \
--protocol tcp --port 5432 --cidr 10.0.2.0/24

90 minutes of war room → 4 seconds in Teams.

📸 Live Production Screenshot

This isn't a mockup. This is Microsoft Copilot Studio talking to my MCP server right now.

[Screenshot: Microsoft Copilot Studio agent AWSNETOPSMCPSHRN with 104 AWS tools loaded]

↑ The agent AWSNETOPSMCPSHRN in Copilot Studio with all 104 AWS tools discovered live: whoami, describe_security_group, find_instance, query_flow_logs, simulate_principal_policy, and 99 more. Each one with a description that the AI reads to decide when to call it.

How it works (the senior-engineer version)

Here's the architecture. One Python codebase. Two AI front doors. Same brain.

   ┌──────────────────────┐         ┌──────────────────────┐
   │  💼 Microsoft Teams  │         │  🖥️ Claude Desktop   │
   │  (junior engineers)  │         │  (senior engineers)  │
   └──────────┬───────────┘         └──────────┬───────────┘
              │                                │
              ▼                                ▼
   ┌──────────────────────┐         ┌──────────────────────┐
   │  🤖 Copilot Studio   │         │  📡 stdio (local)    │
   │  + Generative AI     │         └──────────┬───────────┘
   └──────────┬───────────┘                    │
              │ HTTPS + MCP                    │
              ▼                                │
   ┌──────────────────────────────────┐        │
   │  ☁️ Azure Container Apps         │        │
   │  /mcp + /health endpoints        │◄───────┘
   │  Python · FastMCP · Uvicorn      │
   └──────────┬───────────────────────┘
              │ boto3 + Read-Only IAM
              ▼
   ┌──────────────────────────────────┐
   │  🟧 AWS APIs (READ-ONLY)         │
   │  EC2 · VPC · IAM · CloudTrail    │
   │  Security Hub · GuardDuty · ...  │
   └──────────────────────────────────┘

The key insight: Anthropic's Model Context Protocol (MCP) is essentially USB-C for AI. Write the tool server once, and any compatible AI client — Claude Desktop, Microsoft Copilot Studio, GitHub Copilot, Cursor, ChatGPT — can use it.

For Microsoft Copilot Studio specifically, I needed the tools accessible over HTTPS. So I wrapped the local stdio MCP server in a Starlette + Uvicorn ASGI app and deployed it to Azure Container Apps. Total cost: ~$12/month.

🔍 Inside Microsoft Copilot Studio

Each tool ships with a description the AI reads to decide when to call it.

[Screenshot: Microsoft Copilot Studio Tools tab showing the AWS NETOPS LIVE MCP server with its Server, Connection, and Available to fields, plus the discovered tool list with each tool's description]

↑ The Copilot Studio Tools tab. Server, Connection, and Available-to fields all green. The right column is the killer feature — every tool's docstring becomes a prompt-aware description. The AI reads these descriptions to decide which tool to call. Write a clear docstring → get a smart agent.

The 21 cliffs I fell off (and how I climbed back up)

Here's the part where most engineering blog posts say "and it just worked!" 🤥

It absolutely did not just work. I hit 21 distinct issues. Each one cost me 15-180 minutes. The codebase is now battle-hardened against every single one of them — and the GitHub repo includes a PreFlight-Check.ps1 script that catches all 21 before you spend 10 minutes deploying.

A few highlights:

🎯 The 3-hour boss fight: "Invalid Host header"

MCP 1.27+ added DNS rebinding protection that only allows localhost in the Host header. Azure's load balancer sends the public FQDN. Result: every request rejected. The fix is 3 lines of Python — but you only know which 3 lines after spending 3 hours instrumenting the running container with the Azure Portal Console (which most engineers don't even know exists).

⚠️ The silent killer: PowerShell paste duplication

Right-click paste in PowerShell sometimes pastes your AWS access key twice. Your 20-char key becomes 40 characters. AWS rejects it with InvalidClientTokenId. You delete and recreate the key three times before realizing the problem isn't the key. This single bug cost the engineering community untold hours.

🐳 The buildpack hijack

If you put your Dockerfile in a subfolder (organized!), Azure Cloud Build silently ignores it and falls back to its Python buildpack — which generates a broken gunicorn application:app command that doesn't match anything in your code. The fix is: keep the Dockerfile at the repo root. No errors. No warnings. You just spend 45 minutes wondering why your perfectly fine container won't start.

I documented every single fix — root cause + solution + how to detect it — in THE-21-FIXES-EXPLAINED.md in the repo. It's the post-mortem document I wish someone had handed me on Friday night.

📚 Lessons Learned — All 21 Fixes

Here's the full list. Bookmark this section if you're building anything similar — every single one of these cost me real time and is now solved in code.

🐍 Category 1 — Python Wrapper Fixes (7 fixes)

All in aws_netops_mcp_http.py. Without these, the container starts but Copilot Studio can't talk to it.

# | Fix | Why it matters
1 | enable_dns_rebinding_protection = False | The boss fight. MCP 1.27+ blocks Azure FQDN by default → "Invalid Host header"
2 | allowed_hosts = ["*"] | Lets the Azure load balancer FQDN through (the wildcard accepts any Host header)
3 | allowed_origins = ["*"] | CORS for browser-based MCP clients
4 | stateless_http = True | Required for multi-replica routing behind a load balancer
5 | Uvicorn forwarded_allow_ips="*" + proxy_headers=True | Trust Azure's X-Forwarded-Host header instead of rejecting it
6 | flush=True on print statements | Container logs visible immediately, not buffered until first request
7 | Add /health endpoint | Container Apps probes use GET; /mcp is POST-only → unhealthy

🐳 Category 2 — Build & Packaging Fixes (2 fixes)

# | Fix | Why it matters
8 | Dockerfile at package ROOT, never in subfolder | Subfolder Dockerfiles get hijacked by Python buildpack → broken gunicorn application:app
9 | All COPY-target files at root | COPY paths are relative to build context; subfolder files = empty layers

🚀 Category 3 — PowerShell & Azure CLI Fixes (6 fixes)

# | Fix | Why it matters
10 | Verify AWS key length (20/40 chars) BEFORE deploying | The silent killer. PowerShell paste duplicates → 40-char keys → InvalidClientTokenId
11 | Don't pass --output none to containerapp up | Subcommand doesn't support it → cryptic error
12 | Apply env vars in separate update --set-env-vars step | PowerShell $env: expansion unreliable inside --env-vars on create
13 | Auto-detect & destroy zombie containers | Failed deploys leave 2 containers racing for port 8000 → infinite crash loop
14 | Use Invoke-WebRequest, never curl | PowerShell aliasing → silently strips -Method, -ContentType
15 | Test /mcp with proper JSON-RPC initialize body | Plain GET looks broken even when MCP works perfectly
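
Fix 15 as an added Python sketch (not the repo's PowerShell test): build the JSON-RPC initialize POST and pull serverInfo out of either a JSON or an SSE reply. The client name, server name and sample replies are constructed; probe() needs a live endpoint.

```python
# Added illustration: build the MCP initialize request and interpret the reply.
import json
import urllib.request

INITIALIZE = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
        "protocolVersion": "2025-03-26",
        "capabilities": {},
        "clientInfo": {"name": "mcp-probe", "version": "0.1"},  # hypothetical client
    },
}

# Constructed sample replies (server name and version are placeholders).
SAMPLE_JSON = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"protocolVersion": "2025-03-26", "capabilities": {"tools": {}},
               "serverInfo": {"name": "aws-netops", "version": "0.0.0"}},
})
SAMPLE_SSE = "event: message\ndata: " + SAMPLE_JSON + "\n\n"


def build_request(url):
    """A plain GET is not a valid test: initialize is a JSON-RPC POST."""
    return urllib.request.Request(
        url,
        data=json.dumps(INITIALIZE).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            # A streamable HTTP server may answer with JSON or an SSE stream.
            "Accept": "application/json, text/event-stream",
        },
    )


def server_info(content_type, body):
    """Extract result.serverInfo from a JSON or SSE reply; raise otherwise."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "text/event-stream":
        candidates = [line[5:].strip() for line in body.splitlines()
                      if line.startswith("data:")]
    else:
        candidates = [body]
    for raw in candidates:
        try:
            message = json.loads(raw)
        except ValueError:
            continue
        if not isinstance(message, dict) or message.get("id") != INITIALIZE["id"]:
            continue
        if "error" in message:
            raise RuntimeError(f"JSON-RPC error: {message['error']}")
        return message["result"]["serverInfo"]
    raise RuntimeError(f"no initialize result in reply: {body[:80]!r}")


def probe(url, timeout=10):
    """POST initialize to a live endpoint; an HTTP error status raises HTTPError."""
    with urllib.request.urlopen(build_request(url), timeout=timeout) as resp:
        return server_info(resp.headers.get("Content-Type", ""),
                           resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(server_info("application/json", SAMPLE_JSON))
    print(server_info("text/event-stream", SAMPLE_SSE))
```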

🔍 Category 4 — Debugging Methodology (3 fixes)

# | Fix | Why it matters
16 | Use Azure Portal Console for live /bin/sh | Live shell into running container — no SSH, no rebuild. Killer feature.
17 | python -c for live introspection | Discovered FIX #1 by inspecting MCP settings live — saved hours of guessing
18 | python:slim has no ps/top — use Python instead | Slim images strip util tools; Python's built-ins fill the gap

🎯 Category 5 — Copilot Studio Configuration (3 fixes)

# | Fix | Why it matters
19 | Set Orchestration to Generative, not Classic | Most-missed setting. Without this, MCP tools load but never get called
20 | Delete & re-add MCP entry, don't refresh | Copilot Studio caches the failed connection state — refresh button lies
21 | 70-tool UI cap is cosmetic — all 104 still callable | Don't waste time "fixing" the display limit; the AI sees all tools fine

🏆 The Single Most Important Fix

FIX #1 — DNS Rebinding Protection

This was the boss fight. Everything else is prevention or polish.
This one fix is what makes MCP fundamentally work behind any cloud load balancer.

# FIX #1: turn off the MCP transport's DNS rebinding (Host header) check
core.mcp.settings.transport_security.enable_dns_rebinding_protection = False
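
What the check behind FIX #1 does and what each configuration accepts, as an added sketch (not the MCP SDK's implementation and not code from the repo): the localhost-only default, the wildcard settings from fixes 1 and 2, and an allow-list pinned to the app's hostname. HostPolicy, check_host and the hostname are hypothetical names introduced for the illustration, and the pinned variant is an assumed alternative, not something the repo ships.

```python
# Added illustration: a Host-header allow-list check of the kind that
# DNS rebinding protection performs. Not the MCP SDK's code.
from dataclasses import dataclass, field

# Constructed placeholder for the Container App's public FQDN.
APP_FQDN = "aws-netops-mcp.placeholder.azurecontainerapps.io"


@dataclass
class HostPolicy:
    protection_enabled: bool = True
    # Localhost-only default, matching the behaviour the article describes.
    allowed_hosts: list = field(
        default_factory=lambda: ["localhost", "localhost:*", "127.0.0.1", "127.0.0.1:*"]
    )


def host_allowed(host, patterns):
    """Exact match, '*' for anything, or 'name:*' for any port on name."""
    host = host.strip().lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.endswith(":*"):
            name, sep, port = host.rpartition(":")
            if sep and name == pattern[:-2] and port.isdigit():
                return True
    return False


def check_host(policy, host):
    """Return (accepted, reason) for one request's Host header."""
    if not policy.protection_enabled:
        return True, "protection disabled: Host header not checked"
    if not host or not host_allowed(host, policy.allowed_hosts):
        return False, "Invalid Host header"
    return True, "host on allow-list"


DEFAULT = HostPolicy()
AS_DEPLOYED = HostPolicy(protection_enabled=False, allowed_hosts=["*"])  # fixes 1-2
PINNED = HostPolicy(allowed_hosts=[APP_FQDN, APP_FQDN + ":*"])  # assumed alternative


def compare(hosts):
    """Map each Host value to its verdict under the three policies."""
    policies = {"default": DEFAULT, "as_deployed": AS_DEPLOYED, "pinned": PINNED}
    return {
        host: {name: check_host(policy, host)[0] for name, policy in policies.items()}
        for host in hosts
    }


if __name__ == "__main__":
    sample_hosts = ["localhost:8000", APP_FQDN, "unrelated.example"]  # constructed
    for host, verdicts in compare(sample_hosts).items():
        print(f"{host:52} {verdicts}")
```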

📊 Before vs After Applying All 21 Fixes

Metric | ❌ Before | ✅ After
Deployment time | ~3 hours of debugging | ~10 minutes
First-try success rate | ~10% | 100%
MCP /mcp endpoint | "Invalid Host header" | Returns serverInfo
Copilot Studio status | "Connector request failed" | "Discovered 104 tools"
Tools accessible by AI | 0 of 104 | All 104 ✓

All 21 fixes are now baked into the deployment script. A fresh user can extract the package, set their AWS keys, and have a working MCP integration with Copilot Studio in 10 minutes on the first try. No "Invalid Host header." No paste duplication. No buildpack hijacks. Just a working AI agent talking to AWS.

"But what about security?"

When I first showed this to my CISO, his first question was: "What if the AI hallucinates and deletes prod?"

My answer: It physically cannot.

Layer | Guarantee
IAM Policy | AWS-managed ReadOnlyAccess + custom 28-statement policy ending in explicit Deny *:Create*, *:Delete*, *:Modify*
Credentials | Stored as Azure Container Apps secrets, encrypted at rest, never logged
Network | HTTPS-only ingress with Azure-managed TLS, auto-rotated certs
Audit | Every AWS API call lands in CloudTrail attributed to the IAM user
Defense in depth | Permission boundary recommended in production to prevent privilege escalation

The agent can investigate. It cannot modify. That guarantee is enforced by IAM at the AWS API level — not a soft "the prompt told it not to" guarantee.

This is what 8 years of security engineering teaches you: the only defense you can trust is the one the attacker can't politely talk their way around.
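
A simplified model of how IAM reaches that verdict, added here as an example (not the repo's policy and not AWS's evaluation engine): explicit Deny wins, then Allow, otherwise implicit deny. It shows that write actions whose names do not start with Create, Delete or Modify are blocked only because nothing allows them; the Allow list and the sample actions are constructed stand-ins.

```python
# Added illustration: simplified IAM decision order for a single identity
# policy set (explicit Deny, then Allow, otherwise implicit deny).
from fnmatch import fnmatchcase

# Deny patterns exactly as the article lists them.
EXPLICIT_DENY = ["*:Create*", "*:Delete*", "*:Modify*"]

# Constructed stand-in for the read-only Allow statements; the real
# ReadOnlyAccess policy and the 28-statement custom policy are far longer.
READ_ALLOW = [
    "ec2:Describe*", "ec2:Get*", "iam:Get*", "iam:List*",
    "iam:SimulatePrincipalPolicy", "logs:StartQuery", "logs:GetQueryResults",
    "sts:GetCallerIdentity",
]

# Constructed sample of API actions to evaluate.
SAMPLE_ACTIONS = [
    "ec2:DescribeSecurityGroups",
    "sts:GetCallerIdentity",
    "ec2:DeleteSecurityGroup",
    "ec2:ModifyInstanceAttribute",
    "iam:CreateAccessKey",
    "ec2:AuthorizeSecurityGroupEgress",  # action behind the "suggested fix" command
    "ec2:TerminateInstances",
    "iam:PutUserPolicy",
    "iam:AttachUserPolicy",
]


def matches(action, patterns):
    """IAM action names are case-insensitive; '*' matches any run of characters."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def evaluate(action, allow=READ_ALLOW, deny=EXPLICIT_DENY):
    if matches(action, deny):
        return "explicit deny"
    if matches(action, allow):
        return "allow"
    return "implicit deny"


def audit(actions, allow=READ_ALLOW, deny=EXPLICIT_DENY):
    return {a: evaluate(a, allow, deny) for a in actions}


def newly_allowed(actions, extra_allow):
    """Actions that flip from implicit deny to allow if extra_allow is attached."""
    before = audit(actions)
    after = audit(actions, allow=READ_ALLOW + list(extra_allow))
    return sorted(a for a in actions
                  if before[a] == "implicit deny" and after[a] == "allow")


if __name__ == "__main__":
    for action, verdict in audit(SAMPLE_ACTIONS).items():
        print(f"{action:36} {verdict}")
    print("flipped by an added ec2:* Allow:", newly_allowed(SAMPLE_ACTIONS, ["ec2:*"]))
```

Actions in the implicit-deny group stay blocked only while no attached policy allows them, which is the gap the permission boundary in the table is meant to close.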

🎁 The Whole Thing Is Free

Download the complete codebase

Production-tested. MIT licensed. 21 cliffs documented.
Battle-hardened deployment scripts. Works first try.

⭐ Star on GitHub
github.com/PowerofAutomation2026/aws-netops-mcp
🐍 Python · ☁️ Azure Container Apps · 🤖 Anthropic MCP · 💼 Copilot Studio · 🟧 AWS Read-Only

🛠️ Want to Deploy It Yourself? Step-by-Step Guide for Beginners

If you've never done anything like this before, don't worry. I'll walk you through every single step — from creating accounts to seeing the AI agent answer your first question. Total time: ~45 minutes for a complete beginner, ~15 minutes if you've done some cloud work before.

📋 What you'll need before starting

Account / Tool | Cost | Why you need it
AWS account | Free tier OK | Where the AI investigates (read-only)
Azure subscription | ~$12/month | Hosts the MCP server for Copilot Studio
Microsoft 365 (Copilot Studio license) | Trial / $200/mo | Builds the Teams agent
Windows laptop (Mac/Linux work too) | Free | For Claude Desktop and PowerShell scripts

PART 1 of 5 · ~10 minutes

🟧 Set Up AWS (Read-Only IAM User)

First, we'll create an AWS user with read-only access. This is the user the AI will impersonate when investigating your AWS environment. It cannot modify anything — by design.

Step 1.1 — Sign in to AWS Console

Go to https://console.aws.amazon.com and sign in. If you don't have an account, click "Create a new AWS account" (free tier is plenty).

Step 1.2 — Create the IAM user

  1. Type "IAM" in the top search bar → click the IAM service
  2. Left menu: Users → Create user
  3. User name: netops-mcp
  4. UNCHECK "Provide user access to AWS Management Console" (we only need API access)
  5. Click Next

Step 1.3 — Attach the ReadOnly policy

  1. Choose "Attach policies directly"
  2. In the search box, type: ReadOnlyAccess
  3. Check the box next to the AWS-managed ReadOnlyAccess policy
  4. Click Next → Create user

Step 1.4 — Create the access key

  1. Click on your new netops-mcp user
  2. Go to Security credentials tab → scroll to Access keys
  3. Click Create access key
  4. Use case: Command Line Interface (CLI) → check the confirmation box → Next
  5. Description tag: aws-netops-mcp → Create access key

⚠️ CRITICAL: Click Download .csv file immediately. The secret access key will never be shown again. If you lose it, you have to create a new key.

Step 1.5 — Open the CSV in Notepad (this saves you hours)

Open the downloaded CSV in Notepad (NOT Excel — Excel mangles the values). You'll see two lines:

Access key ID,Secret access key
AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Verify in Notepad:

  • Access Key ID is exactly 20 characters, starts with AKIA
  • Secret Access Key is exactly 40 characters

Keep Notepad open. You'll copy values from here in later steps. Why Notepad? Because copying from Excel or browser windows can introduce invisible duplicate characters that cause the famous InvalidClientTokenId error. (This is FIX #10 in the lessons learned.)

PART 2 of 5 · ~10 minutes

🖥️ Connect to Claude Desktop (The Easy Win)

This gives you the AI agent on your laptop. You'll have it working in 10 minutes. The Copilot Studio integration (for your team in Teams) comes later.

Step 2.1 — Install Python 3.10 or newer

  • Windows: Download from python.org — during install, check "Add Python to PATH"
  • Mac: Run brew install python@3.12
  • Linux: Already installed — verify with python3 --version

Open a fresh terminal and verify:

python --version
pip --version

Step 2.2 — Download the AWS NetOps MCP repo

git clone https://github.com/PowerofAutomation2026/aws-netops-mcp.git
cd aws-netops-mcp
pip install -r requirements.txt

Don't have Git? Download the ZIP from the GitHub page and unzip it.

Step 2.3 — Install AWS CLI

  • Windows: winget install Amazon.AWSCLI
  • Mac: brew install awscli
  • Linux: Follow the official guide

Verify: aws --version

Step 2.4 — Configure your AWS profile

Open Notepad with your CSV from Step 1.5, then in your terminal:

aws configure --profile netops

It will ask 4 questions. For each, follow this exact ritual:

  1. In Notepad, double-click the value to select (don't drag-select)
  2. Press Ctrl+C
  3. Click in the terminal
  4. Press Ctrl+V (or right-click once) — never twice!
  5. Press Enter

Prompt | Enter
AWS Access Key ID | Your 20-char AKIA... value
AWS Secret Access Key | Your 40-char secret
Default region name | us-east-1 (or your region)
Default output format | json

Test it works:

aws sts get-caller-identity --profile netops

You should see your account ID and the netops-mcp ARN. If you get an error, fix it now before continuing.

Step 2.5 — Install Claude Desktop

Download from https://claude.ai/download and sign in with your Anthropic account.

Step 2.6 — Add the MCP server to Claude Desktop's config

Find the config file:

Windows | %APPDATA%\Claude\claude_desktop_config.json
Mac | ~/Library/Application Support/Claude/claude_desktop_config.json
Linux | ~/.config/Claude/claude_desktop_config.json

If the file doesn't exist, create it. Open it in Notepad and paste:

{
  "mcpServers": {
    "aws-netops": {
      "command": "python",
      "args": ["C:\\path\\to\\aws-netops-mcp\\aws_netops_mcp.py"],
      "env": {
        "AWS_PROFILE": "netops",
        "AWS_DEFAULT_REGION": "us-east-1"
      }
    }
  }
}

Replace the path with where you cloned the repo. Use double backslashes on Windows.

Step 2.7 — Restart Claude Desktop and test

Fully quit Claude Desktop (right-click system tray icon → Quit), then reopen. Click the 🔌 plug icon in the chat input. You should see "aws-netops" with 104 tools.

Test it: type into Claude Desktop:

"Who am I in AWS?"

You should get back your AWS account ID and the netops-mcp ARN. If yes, you've got a working AI agent on your laptop.

PART 3 of 5 · ~5 minutes

☁️ Set Up Azure (For Microsoft Teams Access)

If you only need the agent on your laptop, you can stop after Part 2. Continue if you want the agent in Microsoft Teams for your whole team.

Step 3.1 — Sign up for Azure (if you haven't)

Go to azure.microsoft.com/free. The free tier gives you $200 credit for 30 days.

Step 3.2 — Install Azure CLI

  • Windows: winget install Microsoft.AzureCLI
  • Mac: brew install azure-cli
  • Linux: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Verify: az --version (should print 2.84+)

Step 3.3 — Sign in to Azure

az login

A browser opens. Sign in. Pick your subscription if prompted.

PART 4 of 5 · ~10 minutes

🚀 Deploy to Azure Container Apps

Step 4.1 — Set AWS credentials in PowerShell (the Notepad ritual again)

Open the same CSV in Notepad. Then in PowerShell:

# Type the line, then paste your 20-char key between the quotes:
$env:AWS_ACCESS_KEY_ID = "PASTE-AKIA-KEY-HERE"

# Type the line, then paste your 40-char secret between the quotes:
$env:AWS_SECRET_ACCESS_KEY = "PASTE-SECRET-HERE"

# Region — type the value, no need to paste:
$env:AWS_DEFAULT_REGION = "us-east-1"

For each paste: double-click in Notepad → Ctrl+C → click in PowerShell between the quotes → Ctrl+V once → Enter.

Step 4.2 — MANDATORY: Verify the credentials before deploying

🛑 STOP — DON'T SKIP THIS. The deploy script takes 10 minutes. If your keys are wrong, you waste those 10 minutes. Verifying now takes 5 seconds.

$env:AWS_ACCESS_KEY_ID.Length      # MUST be 20
$env:AWS_SECRET_ACCESS_KEY.Length  # MUST be 40
$env:AWS_ACCESS_KEY_ID.Substring(0,4)  # MUST be AKIA
$env:AWS_DEFAULT_REGION            # us-east-1 or your region

If any check fails: the most common reason is paste duplication (Length is 40 instead of 20). Re-paste from Notepad with single Ctrl+V.

Step 4.3 — Run the pre-flight check

cd C:\path\to\aws-netops-mcp
.\copilot-studio\PreFlight-Check.ps1

This validates all 21 fixes are in place. Should complete in ~30 seconds. You want to see ✓ ALL CRITICAL CHECKS PASSED.

Step 4.4 — Run the deploy script

.\copilot-studio\Deploy-AwsNetOpsMcp.ps1

The script does 9 stages automatically:

  1. Verifies prerequisites (Azure CLI, sign-in, AWS keys)
  2. Installs Container Apps CLI extension
  3. Registers Azure resource providers
  4. Creates resource group rg-aws-netops-mcp
  5. Creates Container Apps environment (~2 min)
  6. Detects and cleans zombie containers
  7. Builds and deploys Docker image (~5 min)
  8. Injects AWS credentials as env vars
  9. Tests /health and /mcp endpoints

Total time: ~8-10 minutes. The script prints your MCP endpoint URL at the end. Copy it.

PART 5 of 5 · ~10 minutes

💼 Connect Microsoft Copilot Studio

Step 5.1 — Open Copilot Studio

Go to copilotstudio.microsoft.com and sign in with your work account.

Step 5.2 — Create a new agent

  1. Click Create at the top → New agent
  2. Name: AWS NetOps Assistant
  3. Description: Read-only AWS troubleshooting agent for the network team
  4. For instructions, paste:

You are an AWS network troubleshooting assistant for engineers.

When asked about an AWS resource:
1. ALWAYS call get_path_trace_methodology first if the question is about reachability
2. Use whoami to confirm AWS account context
3. Prefer specific tools over generic ones
4. Cite the exact resource IDs (sg-..., vpc-..., i-...) in your answer
5. If you find a problem, suggest the AWS CLI command to fix it
6. Never claim to have made changes — you are read-only

Step 5.3 — CRITICAL: Switch orchestration to Generative

⚠️ Most-missed step. If you skip this, the agent will load your tools but never actually call them.

  1. Open Settings (top right)
  2. Go to Generative AI
  3. Set Orchestration to Generative (NOT Classic)

Step 5.4 — Add the MCP tool

  1. Click the Tools tab
  2. Click + Add a tool → New tool → Model Context Protocol
  3. Fill in:

Server name | aws-netops
Server URL | The URL printed by the deploy script (ends with /mcp)
Authentication | None (add API key for production)

  4. Click Create
  5. Wait ~5 seconds — you should see "Discovered 104 tools"

Step 5.5 — Test it

In the right-side test panel, type:

"Who am I in AWS?"

✅ The agent should reply with your AWS account ID and the netops-mcp ARN — same answer Claude Desktop gives you.

Step 5.6 — Publish to Microsoft Teams

  1. Click Publish (top right)
  2. Go to the Channels tab
  3. Click the Microsoft Teams tile → Add channel
  4. Copilot Studio gives you a deep-link to install in Teams. Send it to your team.

🎉 You did it!

You now have an AI agent that can investigate your AWS environment from both Claude Desktop on your laptop and Microsoft Teams for your whole team.

Total time: ~45 minutes. Total cost: ~$12/month.
Tribal knowledge: democratized.

🚨 If something breaks

Problem | Likely cause | Fix #
InvalidClientTokenId | PowerShell paste duplicated the key | FIX #10
Claude Desktop doesn't show tools | Wrong path in config, or didn't restart | Re-check Step 2.6
Build fails with ModuleNotFoundError | Cloud Build used buildpack instead of Dockerfile | FIX #8
"Invalid Host header" in Copilot Studio | DNS rebinding fix missing in wrapper | FIX #1-3
Copilot Studio finds tools but never calls them | Orchestration is Classic, not Generative | FIX #19
"Connector request failed" | Don't refresh — delete and re-add the MCP entry | FIX #20

All 21 fixes are documented in detail in the repo at THE-21-FIXES-EXPLAINED.md.

Why I'm sharing all of this

Honest answer? Three reasons.

1. The next on-call engineer shouldn't have to wake up at 2 AM for problems an AI can solve in 4 seconds. Tribal knowledge dies with people. Code lives.

2. The MCP ecosystem is 12 months old. The patterns are still being figured out. If this saves one team a weekend of debugging, the post earned its keep.

3. I'm a senior engineer who likes shipping things — and I'm always open to talking with teams building at the intersection of AI, security, and cloud infrastructure. If that's you, my contact info is below.

For Hiring Managers & Recruiters

What this project demonstrates about my engineering

🧠 Technical depth

  • AI integration: MCP protocol, FastMCP, streamable HTTP transport
  • Cloud architecture: Azure Container Apps, ACR, managed ingress
  • AWS depth: 21 service categories, 104 boto3 endpoints, custom IAM
  • Networking: VPC, NACLs, Reachability Analyzer, Flow Logs
  • Security: Defense-in-depth, least privilege, explicit deny policies

🛠️ Engineering rigor

  • Idempotent deployments with pre-flight validation
  • 9-stage automated pipeline with rollback at every stage
  • 21 root-cause analyses for every cliff hit during development
  • Production documentation for senior AND junior engineers
  • Real-world impact metrics (~20 hrs/week saved across team)

My background:
Cisco · Microsoft · Major US Bank
Senior Infrastructure & Security Engineer specializing in AI-powered automation
💼 Connect on LinkedIn 📝 More posts

What's next

The MCP pattern extends to almost anything:

  • Azure NetOps MCP — same idea, but Resource Graph + Defender for Cloud
  • GCP NetOps MCP — for the multi-cloud teams
  • Datadog/Splunk MCP — let the agent query observability data
  • ServiceNow/Jira MCP — close the loop from incident detection to ticket resolution

Write the tools once. Use them in every AI client. That's the real promise of MCP — and we're still in the first inning.


If this project ever saves you 3 hours of 2 AM debugging,
please ⭐ the repo so the next on-call engineer can find it.

Made with ☕, 🐍, and a 2 AM PagerDuty alert.

Tags: #AI #MCP #ModelContextProtocol #Anthropic #Claude #CopilotStudio
#Azure #AzureContainerApps #AWS #SecurityEngineering #DevOps
#Cisco #Microsoft #InfrastructureAsCode #SRE #IncidentResponse #OnCall
