-1. Add **Microsoft.AzureActiveDirectory** as a resource provider for the Azure subscription your're using ([learn more](../azure-resource-manager/management/resource-providers-and-types.md?WT.mc_id=Portal-Microsoft_Azure_Support#register-resource-provider-1)):

-When using a phone for multi-factor authentication (MFA), the mobile phone is used to verify the user identity. To [add](/graph/api/authentication-post-phonemethods) a new phone number programatically, [update](/graph/api/b2cauthenticationmethodspolicy-update), [get](/graph/api/b2cauthenticationmethodspolicy-get), or [delete](/graph/api/phoneauthenticationmethod-delete) the phone number, use MS Graph API [phone authentication method](/graph/api/resources/phoneauthenticationmethod).

-# AADCloudSyncTools PowerShell Module for Azure AD Connect cloud sync

-The AADCloudSyncTools module provides a set of useful tools that you can use to help manage your Azure AD Connect Cloud Sync deployments.

-The following prerequisites are required:

-To install and use AADCloudSyncTools module use the following steps:

-1. Open Windows PowerShell with administrative privileges

-2. Type or copy and paste the following: `Import-module -Name "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"`

-3. Hit enter.

-4. To verify the module was imported, enter or copy and paste the following: `Get-module AADCloudSyncTools`

-5. You should now see information about the module.

-6. Next, to install the AADCloudSyncTools module pre-requisites run: `Install-AADCloudSyncToolsPrerequisites`

-7. On the first run, the PoweShellGet module will be installed if not present. To load the new PowershellGet module close the PowerShell Window and open a new PowerShell session with administrative privileges.

-8. Import the module again using step 2.

-9. Run `Install-AADCloudSyncToolsPrerequisites` to install the MSAL and AzureAD modules

-11. All prerequisites should be successfully installed

- 

-12. Every time you want to use AADCloudSyncTools module in new PowerShell session, enter or copy and paste the following:

-```

-Import-module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"

-```

-## AADCloudSyncTools Cmdlets

-Uses the MSAL.PS module to request a token for the Azure AD administrator to access Microsoft Graph

-Exports and packages all the troubleshooting data in a compressed file, as follows:

- 1. Sets verbose tracing and starts collecting data from the provisioning agent (same as `Start-AADCloudSyncToolsVerboseLogs`)

- <br>You can find these trace logs in the folder `C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace` </br>

- 2. Stops data collection after 3 minutes and disables verbose tracing (same as `Stop-AADCloudSyncToolsVerboseLogs`)

- <br>You can specify a different duration with `-TracingDurationMins` or completely skip verbose tracing with `-SkipVerboseTrace` </br>

- 3. Collects Event Viewer Logs for the last 24 hours

- 4. Compresses all the agent logs, verbose logs and event viewer logs into a compressed zip file under the User's Documents folder

- <br>You can specify a different output folder with `-OutputPath <folder path>` </br>

-Shows Azure AD Tenant details and internal variables state

-Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job information.

-Can be also called using the specific Sync Job ID as a parameter.

-Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job's Schedule.

-Can be also called using the specific Sync Job ID as a parameter.

-Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job's Schema.

-Uses Graph to get the Synchronization Job's Schema for the provided Sync Job ID and outputs all filter group's scopes.

-Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job's Settings.

-Can be also called using the specific Sync Job ID as a parameter.

-Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job's Status.

-Can be also called using the specific Sync Job ID as a parameter.

-Uses Graph to get the Service Principal(s) for AD2AAD and/or SyncFabric.

-Without parameters, will only return AD2AAD Service Principal(s).

-Checks for the presence of PowerShellGet v2.2.4.1 or later and Azure AD and MSAL.PS modules and installs these if missing.

-Invokes a Web request for the URI, Method and Body specified as parameters

-Uses Azure AD PowerShell to delete the current account (if present) and resets the Sync Account authentication with a new synchronization account in Azure AD.

-Restarts a full synchronization.

-Continues synchronization from the previous watermark.

-Modifies the 'AADConnectProvisioningAgent.exe.config' to enable verbose tracing and restarts the AADConnectProvisioningAgent service

-You can use -SkipServiceRestart to prevent service restart but any config changes will not take effect. You can find these trace logs in the folder C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace.

-Modifies the 'AADConnectProvisioningAgent.exe.config' to disable verbose tracing and restarts the AADConnectProvisioningAgent service.

-You can use -SkipServiceRestart to prevent service restart but any config changes will not take effect.

-Pauses synchronization.

-Organizations can use this control to require Azure AD to pass device information to the selected cloud apps. The device information enables the cloud apps to know whether a connection is started from a compliant or domain-joined device and alter the session experience. This control only supports SharePoint Online and Exchange Online as selected cloud apps. When selected, the cloud app uses the device information to provide users, depending on the device state, with a limited (when the device isn't managed) or full experience (when the device is managed and compliant).

-For more information on the use and configuration of app enforced restrictions, see the following articles:

-Conditional Access App Control uses a reverse proxy architecture and is uniquely integrated with Azure AD Conditional Access. Azure AD Conditional Access allows you to enforce access controls on your organizationΓÇÖs apps based on certain conditions. The conditions define who (user or group of users) and what (which cloud apps) and where (which locations and networks) a Conditional Access policy is applied to. After youΓÇÖve determined the conditions, you can route users to [Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) where you can protect data with Conditional Access App Control by applying access and session controls.

-Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Access and session policies are used within the Defender for Cloud Apps portal to further refine filters and set actions to be taken on a user. With the access and session policies, you can:

-[Continuous access evaluation](concept-continuous-access-evaluation.md) is auto enabled as part of an organization's Conditional Access policies. For organizations who wish to disable or strictly enforce continuous access evaluation, this configuration is now an option within the session control within Conditional Access. Continuous access evaluation policies can be scoped to all users or specific users and groups. Admins can make the following selections while creating a new policy or while editing an existing Conditional Access policy.

- - Non-CAE capable clients will not be allowed to access CAE-capable services.

- - Access will be rejected when client's IP address seen by resource provider isn't in the Conditional Access's allowed range.

-> [!NOTE]

-> You should only enable strict enforcement after you ensure that all the client applications support CAE and you have included all your IP addresses seen by Azure AD and the resource providers, like Exchange online and Azure Resource Mananger, in your location policy under Conditional Access. Otherwise, users in your tenants could be blocked.

-If resilience defaults are disabled, access is denied once existing sessions expire.ΓÇï For more information, see the article [Conditional Access: Resilience defaults](resilience-defaults.md).

-### Conditional Access policy evaluation (preview)

-### User condition change flow (Preview)

-## Enable or disable CAE (Preview)

-CAE setting has been moved to under the Conditional Access blade. New CAE customers will be able to access and toggle CAE directly when creating Conditional Access policies. However, some existing customers will need to go through migration before they can begin to access CAE through Conditional Access.

-Customers who have configured CAE settings under Security before have to migrate these setting to a new Conditional Access policy. Use the steps that follow to migrate your CAE settings to a Conditional Access policy.

-1. Browse to **Azure Active Directory** > **Security** > **Continuous access evaluation (preview)**.

-1. Browse to **Conditional Access** and you will find a new policy named **CA policy created from CAE settings** with your settings configured. Administrators can choose to customize this policy or create their own to replace it.

-### Strict enforcement

-With the latest CAE setting under Conditional Access, strict enforcement is a new feature that allows for enhanced security based on two factors: IP address variation and client capability. This functionality can be enabled while customizing CAE options for a given policy. By turning on strict enforcement, CAE will revoke access upon detecting any instances of either [IP address variation](#ip-address-variation) or a lack of CAE [client capability](#client-capabilities).

-> [!NOTE]

-> You should only enable strict enforcement after you ensure that all the client applications support CAE and you have included all your IP addresses seen by Azure AD and the resource providers, like Exchange online and Azure Resource Mananger, in your location policy under Conditional Access. Otherwise, you could be blocked.

-If you enable a user right after disabling, there's some latency before the account is recognized as enabled in downstream Microsoft services.

-> Policy can be applied to single tenant service principals that have been registered in your tenant.

-> Third party SaaS and multi-tenanted apps are out of scope.

-> Managed identities are not covered by policy.

-[Continuous Access Evaluation](../conditional-access/concept-continuous-access-evaluation.md) (CAE) is an Azure AD feature that allows access tokens to be revoked based on [critical events](../conditional-access/concept-continuous-access-evaluation.md#critical-event-evaluation) and [policy evaluation](../conditional-access/concept-continuous-access-evaluation.md#conditional-access-policy-evaluation-preview) rather than relying on token expiry based on lifetime. For some resource APIs, because risk and policy are evaluated in real time, this can increase token lifetime up to 28 hours. These long-lived tokens will be proactively refreshed by the Microsoft Authentication Library (MSAL), increasing the resiliency of your applications.

-An error response looks like this:

-| [Create more than one global administrator](../roles/security-emergency-access.md) | Assign at least two cloud-only permanent global administrator accounts for use in an emergency. These accounts aren't be used daily and should have long and complex passwords. | Azure AD Free |

-[Common recommended identity and device access policies](/microsoft-365/enterprise/identity-access-policies)

-[Continuous Access Evaluation (CAE)](../conditional-access/concept-continuous-access-evaluation.md) is a recent development that can increase application security and resilience with long-lived tokens. CAE is an emerging industry standard being developed in the Shared Signals and Events Working Group of the OpenID Foundation. With CAE, an access token can be revoked based on [critical events](../conditional-access/concept-continuous-access-evaluation.md#critical-event-evaluation) and [policy evaluation](../conditional-access/concept-continuous-access-evaluation.md#conditional-access-policy-evaluation-preview), rather than relying on a short token lifetime. For some resource APIs, because risk and policy are evaluated in real time, CAE can substantially increase token lifetime up to 28 hours. As resource APIs and applications adopt CAE, Microsoft Identity will be able to issue access tokens that are revocable and are valid for extended periods of time. These long-lived tokens will be proactively refreshed by MSAL.

-We fixed a bug in version 2.0.88.0 where, under certain conditions, linked mailboxes of disabled users and mailboxes of certain resource objects, were getting deleted.

-## Deployment scenarios

-## BIG-IP deployment methods

-## Deployment modes

-Several methods exist for configuring a BIG-IP for this scenario,

-including two wizard-based options or an advanced configuration.

-This tutorial covers the advanced approach, which provides a more flexible way of implementing secure hybrid access by manually creating all BIG-IP configuration objects. You would also use this approach for scenarios not covered by the Guided configuration.

->All example strings or values referenced throughout this article

-should be replaced with those for your actual environment.

-Setting up a SAML federation trust between BIG-IP APM and Azure AD is one of the first step in implementing secure hybrid access. It establishes the integration required for BIG-IP to hand off pre-authentication and [conditional

-Your application is now published and accessible via Secure Hybrid Access, either directly via its URL or through Microsoft's application portals.

-Failure to access the secure hybrid access protected application could be down to any number of potential factors, including a

-## Big-IP deployment methods

-## Configuration methods

-* End-to-end SSO between Azure AD and BIG-IP published services

-* Manage identities and access from a single control plane - [The Azure portal](https://portal.azure.com/)

-## BIG-IP deployment methods

-## BIG-IP deployment methods

- name: hdd

-provisioner: kubernetes.io/azure-disk

- skuname: Standard_LRS

-> Azure Files support premium storage in AKS clusters that run Kubernetes 1.13 or higher, minimum premium file share is 100GB

-provisioner: kubernetes.io/azure-file

-provisioner: kubernetes.io/azure-file

-> AKS clusters created prior to May 2019 have certificates that expire after two years. Any cluster created after May 2019 or any cluster that has its certificates rotated have Cluster CA certificates that expire after 30 years. All other AKS certificates, which use the Cluster CA to for signing, will expire after two years and are automatically rotated during AKS version upgrade. To verify when your cluster was created, use `kubectl get nodes` to see the *Age* of your node pools.

-### Upgrade an AKS cluster with OIDC Issuer

-To upgrade a cluster to use OIDC Issuer.

-* Using template-driven deployment options, like [Azure Resource Manager templates](kubernetes-walkthrough-rm-template.md) and Terraform

-[conf-com-node]: ../confidential-computing/confidential-nodes-aks-overview.md

-provisioner: kubernetes.io/azure-disk

- cachingmode: None

-| * / [80], 443 | Inbound | TCP | INTERNET / VIRTUAL_NETWORK | **Client communication to API Management** | External only |

-| * / 3443 | Inbound | TCP | ApiManagement / VIRTUAL_NETWORK | **Management endpoint for Azure portal and PowerShell** | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / Storage | **Dependency on Azure Storage** | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal |

-| * / 1433 | Outbound | TCP | VIRTUAL_NETWORK / SQL | **Access to Azure SQL endpoints** | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureKeyVault | **Access to Azure Key Vault** | External & Internal |

-| * / 5671, 5672, 443 | Outbound | TCP | VIRTUAL_NETWORK / Event Hub | Dependency for [Log to Event Hub policy](api-management-howto-log-event-hubs.md) and monitoring agent (optional) | External & Internal |

-| * / 445 | Outbound | TCP | VIRTUAL_NETWORK / Storage | Dependency on Azure File Share for [GIT](api-management-configuration-repository-git.md) (optional) | External & Internal |

-| * / 443, 12000 | Outbound | TCP | VIRTUAL_NETWORK / AzureCloud | Health and Monitoring Extension (optional) | External & Internal |

-| * / 1886, 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureMonitor | Publish [Diagnostics Logs and Metrics](api-management-howto-use-azure-monitor.md), [Resource Health](../service-health/resource-health-overview.md), and [Application Insights](api-management-howto-app-insights.md) (optional) | External & Internal |

-| * / 25, 587, 25028 | Outbound | TCP | VIRTUAL_NETWORK / INTERNET | Connect to SMTP Relay for sending e-mail (optional) | External & Internal |

-| * / 6381 - 6383 | Inbound & Outbound | TCP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Access Redis Service for [Cache](api-management-caching-policies.md) policies between machines (optional) | External & Internal |

-| * / 4290 | Inbound & Outbound | UDP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Sync Counters for [Rate Limit](api-management-access-restriction-policies.md#LimitCallRateByKey) policies between machines (optional) | External & Internal |

-| * / 6390 | Inbound | TCP | AZURE_LOAD_BALANCER / VIRTUAL_NETWORK | **Azure Infrastructure Load Balancer** | External & Internal |

-| * / [80], 443 | Inbound | TCP | INTERNET / VIRTUAL_NETWORK | **Client communication to API Management** | External only |

-| * / 3443 | Inbound | TCP | ApiManagement / VIRTUAL_NETWORK | **Management endpoint for Azure portal and PowerShell** | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / Storage | **Dependency on Azure Storage** | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) dependency (optional) | External & Internal |

-| * / 1433 | Outbound | TCP | VIRTUAL_NETWORK / SQL | **Access to Azure SQL endpoints** | External & Internal |

-| * / 5671, 5672, 443 | Outbound | TCP | VIRTUAL_NETWORK / Event Hub | Dependency for [Log to Event Hub policy](api-management-howto-log-event-hubs.md) and monitoring agent (optional)| External & Internal |

-| * / 445 | Outbound | TCP | VIRTUAL_NETWORK / Storage | Dependency on Azure File Share for [GIT](api-management-configuration-repository-git.md) (optional) | External & Internal |

-| * / 443, 12000 | Outbound | TCP | VIRTUAL_NETWORK / AzureCloud | Health and Monitoring Extension & Dependency on Event Grid (if events notification activated) (optional) | External & Internal |

-| * / 1886, 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureMonitor | Publish [Diagnostics Logs and Metrics](api-management-howto-use-azure-monitor.md), [Resource Health](../service-health/resource-health-overview.md), and [Application Insights](api-management-howto-app-insights.md) (optional) | External & Internal |

-| * / 25, 587, 25028 | Outbound | TCP | VIRTUAL_NETWORK / INTERNET | Connect to SMTP Relay for sending e-mail (optional) | External & Internal |

-| * / 6381 - 6383 | Inbound & Outbound | TCP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Access Redis Service for [Cache](api-management-caching-policies.md) policies between machines (optional) | External & Internal |

-| * / 4290 | Inbound & Outbound | UDP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Sync Counters for [Rate Limit](api-management-access-restriction-policies.md#LimitCallRateByKey) policies between machines (optional) | External & Internal |

-| * / * | Inbound | TCP | AZURE_LOAD_BALANCER / VIRTUAL_NETWORK | **Azure Infrastructure Load Balancer** (required for Premium SKU, optional for other SKUs) | External & Internal |

-NSG rules allowing outbound connectivity to Storage, SQL, and Event Hubs service tags may use the regional versions of those tags corresponding to the region containing the API Management instance (for example, **Storage.WestUS** for an API Management instance in the West US region). In multi-region deployments, the NSG in each region should allow traffic to the service tags for that region and the primary region.

- You're not required to allow inbound requests from service tag `AZURE_LOAD_BALANCER` for the Developer SKU, since only one compute unit is deployed behind it. However, inbound connectivity from `AZURE_LOAD_BALANCER` becomes **critical** when scaling to a higher SKU, such as Premium, because failure of the health probe from load balancer then blocks all inbound access to the control plane and data plane.

- * Azure SQL

- * Azure Event Hub

-First, the script deploys a lightweight Azure Arc appliance, called Azure Arc resource bridge (preview), as a virtual machine running in your vCenter environment. Then, it installs a VMware cluster extension to provide a continuous connection between your vCenter Server and Azure Arc.

- - The preferred solution is to break up your data into related smaller values.

- - See the post [What is the ideal value size range for redis? Is 100 KB too large?](https://groups.google.com/forum/#!searchin/redis-db/size/redis-db/n7aa2A4DZDs/3OeEPHSQBAAJ) for details on why smaller values are recommended.

- - More bandwidth on your client or server VM may reduce data transfer times for larger responses.

- - Compare your current network usage on both machines to the limits of your current VM size. More bandwidth on only the server or only on the client may not be enough.

- - Use a round-robin approach to make requests over different connection objects.

-Some Redis operations, like the [KEYS](https://redis.io/commands/keys) command, are expensive and should be avoided. For some considerations around long running commands, see [long-running commands](cache-troubleshoot-server.md#long-running-commands)

-description: Learn how to resolve common client-side issues with Azure Cache for Redis such as Redis client memory pressure, traffic burst, high CPU, limited bandwidth, large requests or large response size.

-<!-- [Large request or response size](#large-request-or-response-size) -->

-Memory pressure on the client machine leads to all kinds of performance problems that can delay processing of responses from the cache. When memory pressure hits, the system may page data to disk. This _page faulting_ causes the system to slow down significantly.

-Bursts of traffic combined with poor `ThreadPool` settings can result in delays in processing data already sent by the Redis Server but not yet consumed on the client side.

-Monitor how your `ThreadPool` statistics change over time using [an example `ThreadPoolLogger`](https://github.com/JonCole/SampleCode/blob/master/ThreadPoolMonitor/ThreadPoolLogger.cs). You can use `TimeoutException` messages from StackExchange.Redis like below to further investigate:

-```output

- System.TimeoutException: Timeout performing EVAL, inst: 8, mgr: Inactive, queue: 0, qu: 0, qs: 0, qc: 0, wr: 0, wq: 0, in: 64221, ar: 0,

- IOCP: (Busy=6,Free=999,Min=2,Max=1000), WORKER: (Busy=7,Free=8184,Min=2,Max=8191)

-```

-In the preceding exception, there are several issues that are interesting:

-You can [configure your `ThreadPool` Settings](cache-management-faq.yml#important-details-about-threadpool-growth) to make sure that your thread pool scales up quickly under burst scenarios.

-High client CPU usage indicates the system can't keep up with the work it's been asked to do. Even though the cache sent the response quickly, the client may fail to process the response in a timely fashion.

-Monitor the client's system-wide CPU usage using metrics available in the Azure portal or through performance counters on the machine. Be careful not to monitor *process* CPU because a single process can have low CPU usage but the system-wide CPU can be high. Watch for spikes in CPU usage that correspond with timeouts. High CPU may also cause high `in: XXX` values in `TimeoutException` error messages as described in the [Traffic burst](#traffic-burst) section.

-> [!NOTE]

-> StackExchange.Redis 1.1.603 and later includes the `local-cpu` metric in `TimeoutException` error messages. Ensure you using the latest version of the [StackExchange.Redis NuGet package](https://www.nuget.org/packages/StackExchange.Redis/). There are bugs constantly being fixed in the code to make it more robust to timeouts so having the latest version is important.

->

-To mitigate a client's high CPU usage:

-Depending on the architecture of client machines, they may have limitations on how much network bandwidth they have available. If the client exceeds the available bandwidth by overloading network capacity, then data isn't processed on the client side as quickly as the server is sending it. This situation can lead to timeouts.

-Monitor how your Bandwidth usage change over time using [an example `BandwidthLogger`](https://github.com/JonCole/SampleCode/blob/master/BandWidthMonitor/BandwidthLogger.cs). This code may not run successfully in some environments with restricted permissions (like Azure web sites).

-To mitigate, reduce network bandwidth consumption or increase the client VM size to one with more network capacity.

-<!--

-## Large request or response Size

-A large request/response can cause timeouts. As an example, suppose your timeout value configured on your client is 1 second. Your application requests two keys (for example, 'A' and 'B') at the same time (using the same physical network connection). Most clients support request "pipelining", where both requests 'A' and 'B' are sent one after the other without waiting for their responses. The server sends the responses back in the same order. If response 'A' is large, it can eat up most of the timeout for later requests.

-In the following example, request 'A' and 'B' are sent quickly to the server. The server starts sending responses 'A' and 'B' quickly. Because of data transfer times, response 'B' must wait behind response 'A' times out even though the server responded quickly.

-```console

-|-- 1 Second Timeout (A)-|

-|-Request A-|

- |-- 1 Second Timeout (B) -|

- |-Request B-|

- |- Read Response A --|

- |- Read Response B-| (**TIMEOUT**)

-```

-This request/response is a difficult one to measure. You could instrument your client code to track large requests and responses.

-Resolutions for large response sizes are varied but include:

-1. Optimize your application for a large number of small values, rather than a few large values.

- - The preferred solution is to break up your data into related smaller values.

- - See the post [What is the ideal value size range for redis? Is 100 KB too large?](https://groups.google.com/forum/#!searchin/redis-db/size/redis-db/n7aa2A4DZDs/3OeEPHSQBAAJ) for details on why smaller values are recommended.

-1. Increase the size of your VM to get higher bandwidth capabilities

- - More bandwidth on your client or server VM may reduce data transfer times for larger responses.

- - Compare your current network usage on both machines to the limits of your current VM size. More bandwidth on only the server or only on the client may not be enough.

-1. Increase the number of connection objects your application uses.

- - Use a round-robin approach to make requests over different connection objects.

- -->

-

-Client connections reaching the maximum for the cache can cause failures in client requests for connections beyond the maximum, and can also cause high server CPU usage on the cache due to processing repeated reconnection attempts.

-High client connections may indicate a connection leak in client code. Connections may not be getting re-used or closed properly. Review client code for connection use.

-If the high connections are all legitimate and required client connections, upgrading your cache to a size with a higher connection limit may be required.

-Azure Cache for Redis doesn't randomly delete keys after they've been stored in memory. However, it does remove keys in response to expiration or eviction policies and to explicit key-deletion commands. Keys that have been written to the primary node in a Premium or Standard Azure Cache for Redis instance also might not be available on a replica right away. Data is replicated from the primary to the replica in an asynchronous and non-blocking manner.

-```

-You can also look at diagnostic metrics for your cache, to see if there's a correlation between when the key went missing and a spike in expired keys. See the Appendix of [Debugging Redis Keyspace Misses](https://gist.github.com/JonCole/4a249477142be839b904f7426ccccf82#appendix) for information about using keyspace notifications or **MONITOR** to debug these types of issues.

-```

-```

-Any Azure Cache for Redis instance in the Standard or Premium tier is configured with a primary node and at least one replica. Data is copied from the primary to a replica asynchronously by using a background process. The [redis.io](https://redis.io/topics/replication) website describes how Redis data replication works in general. For scenarios where clients write to Redis frequently, partial data loss can occur because this replication is not guaranteed to be instantaneous. For example, if the primary goes down *after* a client writes a key to it, but *before* the background process has a chance to send that key to the replica, the key is lost when the replica takes over as the new primary.

-Clients can call the [FLUSHDB](https://redis.io/commands/flushdb) command to remove all keys in a *single* database or [FLUSHALL](https://redis.io/commands/flushall) to remove all keys from *all* databases in a Redis cache. To find out whether keys have been flushed, use the [INFO](https://redis.io/commands/info) command. The `Commandstats` section shows whether either **FLUSH** command has been called:

-```

-Azure Cache for Redis uses the **db0** database by default. If you switch to another database (for example, **db1**) and try to read keys from it, Azure Cache for Redis won't find them there. Every database is a logically separate unit and holds a different dataset. Use the [SELECT](https://redis.io/commands/select) command to use other available databases and look for keys in each of them.

-Redis is an in-memory data store. Data is kept on the physical or virtual machines that host the Redis cache. An Azure Cache for Redis instance in the Basic tier runs on only a single virtual machine (VM). If that VM is down, all data that you've stored in the cache is lost.

-description: Learn how to resolve common server-side issues with Azure Cache for Redis, such as memory pressure, high CPU, long running commands, or bandwidth limitations.

-# Troubleshoot Azure Cache for Redis server-side issues

-This section discusses troubleshooting issues that occur because of a condition on an Azure Cache for Redis or the virtual machine(s) hosting it.

-## Memory pressure on Redis server

-Memory pressure on the server side leads to all kinds of performance problems that can delay processing of requests. When memory pressure hits, the system may page data to disk. This _page faulting_ causes the system to slow down significantly. There are several possible causes of this memory pressure:

-## High CPU usage or server load

-A high server load or CPU usage means the server can't process requests in a timely fashion. The server might be slow to respond and unable to keep up with request rates.

-[Monitor metrics](cache-how-to-monitor.md#view-metrics-with-azure-monitor-metrics-explorer) such as CPU or server load. Watch for spikes in CPU usage that correspond with timeouts.

-There are several changes you can make to mitigate high server load:

-Some Redis commands are more expensive to execute than others. The [Redis commands documentation](https://redis.io/commands) shows the time complexity of each command. Because Redis command processing is single-threaded, a command that takes time to run blocks all others that come after it. Review the commands that you're issuing to your Redis server to understand their performance impacts. For instance, the [KEYS](https://redis.io/commands/keys) command is often used without knowing that it's an O(N) operation. You can avoid KEYS by using [SCAN](https://redis.io/commands/scan) to reduce CPU spikes.

-Using the [SLOWLOG GET](https://redis.io/commands/slowlog-get) command, you can measure expensive commands being executed against the server.

-

-Different cache sizes have different network bandwidth capacities. If the server exceeds the available bandwidth, then data won't be sent to the client as quickly. Clients requests could time out because the server can't push data to the client fast enough.

-The "Cache Read" and "Cache Write" metrics can be used to see how much server-side bandwidth is being used. You can [view these metrics](cache-how-to-monitor.md#view-metrics-with-azure-monitor-metrics-explorer) in the portal.

-To mitigate situations where network bandwidth usage is close to maximum capacity:

-description: Learn how to resolve common timeout issues with Azure Cache for Redis, such as redis server patching and StackExchange.Redis timeout exceptions.

-# Troubleshoot Azure Cache for Redis timeouts

-This section discusses troubleshooting timeout issues that occur when connecting to Azure Cache for Redis.

-## Redis server patching

-Azure Cache for Redis regularly updates its server software as part of the managed service functionality that it provides. This [patching](cache-failover.md) activity takes place largely behind the scene. During the failovers when Redis server nodes are being patched, Redis clients connected to these nodes can experience temporary timeouts as connections are switched between these nodes. For more information on the side-effects patching can have on your application and how to improve its handling of patching events, see [How does a failover affect my client application](cache-failover.md#how-does-a-failover-affect-my-client-application).

-## StackExchange.Redis timeout exceptions

-StackExchange.Redis uses a configuration setting named `synctimeout` for synchronous operations with a default value of 5000 ms. If a synchronous call doesnΓÇÖt complete in this time, the StackExchange.Redis client throws a timeout error similar to the following example:

- System.TimeoutException: Timeout performing MGET 2728cc84-58ae-406b-8ec8-3f962419f641, inst: 1,mgr: Inactive, queue: 73, qu=6, qs=67, qc=0, wr=1/1, in=0/0 IOCP: (Busy=6, Free=999, Min=2,Max=1000), WORKER (Busy=7,Free=8184,Min=2,Max=8191)

-This error message contains metrics that can help point you to the cause and possible resolution of the issue. The following table contains details about the error message metrics.

-| Error message metric | Details |

-| | |

-| `inst` |In the last time slice: 0 commands have been issued |

-| `mgr` |The socket manager is doing `socket.select`, which means it's asking the OS to indicate a socket that has something to do. The reader isn't actively reading from the network because it doesn't think there's anything to do |

-| `queue` |There are 73 total in-progress operations |

-| `qu` |6 of the in-progress operations are in the unsent queue and haven't yet been written to the outbound network |

-| `qs`|67 of the in-progress operations have been sent to the server but a response isn't yet available. The response could be `Not yet sent by the server` or `sent by the server but not yet processed by the client.` |

-| `qc` |Zero of the in-progress operations have seen replies but haven't yet been marked as complete because they're waiting on the completion loop |

-| `wr` |There's an active writer (meaning the six unsent requests aren't being ignored) bytes/activewriters |

-| `in` |There are no active readers and zero bytes are available to be read on the NIC bytes/activereaders |

-In the preceding exception example, the `IOCP` and `WORKER` sections each include a `Busy` value that is greater than the `Min` value. The difference means that you should adjust your `ThreadPool` settings. You can [configure your ThreadPool settings](cache-management-faq.yml#important-details-about-threadpool-growth) to ensure that your thread pool scales up quickly under burst scenarios.

-You can use the following steps to eliminate possible root causes.

-1. As a best practice, make sure you're using the ForceReconnect pattern to detect and replace stalled connections as described in the article [Connection resilience](cache-best-practices-connection.md#using-forcereconnect-with-stackexchangeredis).

- For more information on using StackExchange.Redis, see [Connect to the cache using StackExchange.Redis](cache-dotnet-how-to-use-azure-redis-cache.md#connect-to-the-cache).

-1. Ensure that your server and the client application are in the same region in Azure. For example, you might be getting timeouts when your cache is in East US but the client is in West US and the request doesn't complete within the `synctimeout` interval or you might be getting timeouts when you're debugging from your local development machine.

- ItΓÇÖs highly recommended to have the cache and in the client in the same Azure region. If you have a scenario that includes cross region calls, you should set the `synctimeout` interval to a value higher than the default 5000-ms interval by including a `synctimeout` property in the connection string. The following example shows a snippet of a connection string for StackExchange.Redis provided by Azure Cache for Redis with a `synctimeout` of 8000 ms.

- ```output

- synctimeout=8000,cachename.redis.cache.windows.net,abortConnect=false,ssl=true,password=...

- ```

-1. Ensure you using the latest version of the [StackExchange.Redis NuGet package](https://www.nuget.org/packages/StackExchange.Redis/). There are bugs constantly being fixed in the code to make it more robust to timeouts so having the latest version is important.

-1. If your requests are bound by bandwidth limitations on the server or client, it takes longer for them to complete and can cause timeouts. To see if your timeout is because of network bandwidth on the server, see [Server-side bandwidth limitation](cache-troubleshoot-server.md#server-side-bandwidth-limitation). To see if your timeout is because of client network bandwidth, see [Client-side bandwidth limitation](cache-troubleshoot-client.md#client-side-bandwidth-limitation).

-1. Are you getting CPU bound on the server or on the client?

- - Check if you're getting bound by CPU on your client. High CPU could cause the request to not be processed within the `synctimeout` interval and cause a request to time out. Moving to a larger client size or distributing the load can help to control this problem.

- - Check if you're getting CPU bound on the server by monitoring the CPU [cache performance metric](cache-how-to-monitor.md#available-metrics-and-reporting-intervals). Requests coming in while Redis is CPU bound can cause those requests to time out. To address this condition, you can distribute the load across multiple shards in a premium cache, or upgrade to a larger size or pricing tier. For more information, see [Server-side bandwidth limitation](cache-troubleshoot-server.md#server-side-bandwidth-limitation).

-1. Are there commands taking long time to process on the server? Long-running commands that are taking long time to process on the redis-server can cause timeouts. For more information about long-running commands, see [Long-running commands](cache-troubleshoot-server.md#long-running-commands). You can connect to your Azure Cache for Redis instance using the redis-cli client or the [Redis Console](cache-configure.md#redis-console). Then, run the [SLOWLOG](https://redis.io/commands/slowlog) command to see if there are requests slower than expected. Redis Server and StackExchange.Redis are optimized for many small requests rather than fewer large requests. Splitting your data into smaller chunks may improve things here.

- For information on connecting to your cache's TLS/SSL endpoint using redis-cli and stunnel, see the blog post [Announcing ASP.NET Session State Provider for Redis Preview Release](https://devblogs.microsoft.com/aspnet/announcing-asp-net-session-state-provider-for-redis-preview-release/).

-1. High Redis server load can cause timeouts. You can monitor the server load by monitoring the `Redis Server Load` [cache performance metric](cache-how-to-monitor.md#available-metrics-and-reporting-intervals). A server load of 100 (maximum value) signifies that the redis server has been busy, with no idle time, processing requests. To see if certain requests are taking up all of the server capability, run the SlowLog command, as described in the previous paragraph. For more information, see High CPU usage / Server Load.

-1. Was there any other event on the client side that could have caused a network blip? Common events include: scaling the number of client instances up or down, deploying a new version of the client, or autoscale enabled. In our testing, we have found that autoscale or scaling up/down can cause outbound network connectivity to be lost for several seconds. StackExchange.Redis code is resilient to such events and reconnects. While reconnecting, any requests in the queue can time out.

-1. Was there a large request preceding several small requests to the cache that timed out? The parameter `qs` in the error message tells you how many requests were sent from the client to the server, but haven't processed a response. This value can keep growing because StackExchange.Redis uses a single TCP connection and can only read one response at a time. Even though the first operation timed out, it doesn't stop more data from being sent to or from the server. Other requests will be blocked until the large request is finished and can cause time outs. One solution is to minimize the chance of timeouts by ensuring that your cache is large enough for your workload and splitting large values into smaller chunks. Another possible solution is to use a pool of `ConnectionMultiplexer` objects in your client, and choose the least loaded `ConnectionMultiplexer` when sending a new request. Loading across multiple connection objects should prevent a single timeout from causing other requests to also time out.

-1. If you're using `RedisSessionStateProvider`, ensure you have set the retry timeout correctly. `retryTimeoutInMilliseconds` should be higher than `operationTimeoutInMilliseconds`, otherwise no retries occur. In the following example `retryTimeoutInMilliseconds` is set to 3000. For more information, see [ASP.NET Session State Provider for Azure Cache for Redis](cache-aspnet-session-state-provider.md) and [How to use the configuration parameters of Session State Provider and Output Cache Provider](https://github.com/Azure/aspnet-redis-providers/wiki/Configuration).

- ```xml

- <add

- name="AFRedisCacheSessionStateProvider"

- type="Microsoft.Web.Redis.RedisSessionStateProvider"

- host="enbwcache.redis.cache.windows.net"

- port="6380"

- accessKey="…"

- ssl="true"

- databaseId="0"

- applicationName="AFRedisCacheSessionState"

- connectionTimeoutInMilliseconds = "5000"

- operationTimeoutInMilliseconds = "1000"

- retryTimeoutInMilliseconds="3000" />

- ```

-1. Check memory usage on the Azure Cache for Redis server by [monitoring](cache-how-to-monitor.md#available-metrics-and-reporting-intervals) `Used Memory RSS` and `Used Memory`. If an eviction policy is in place, Redis starts evicting keys when `Used_Memory` reaches the cache size. Ideally, `Used Memory RSS` should be only slightly higher than `Used memory`. A large difference means there's memory fragmentation (internal or external). When `Used Memory RSS` is less than `Used Memory`, it means part of the cache memory has been swapped by the operating system. If this swapping occurs, you can expect some significant latencies. Because Redis doesn't have control over how its allocations are mapped to memory pages, high `Used Memory RSS` is often the result of a spike in memory usage. When Redis server frees memory, the allocator takes the memory but it may or may not give the memory back to the system. There may be a discrepancy between the `Used Memory` value and memory consumption as reported by the operating system. Memory may have been used and released by Redis but not given back to the system. To help mitigate memory issues, you can do the following steps:

- - Upgrade the cache to a larger size so that you aren't running against memory limitations on the system.

- - Set expiration times on the keys so that older values are evicted proactively.

- - Monitor the `used_memory_rss` cache metric. When this value approaches the size of their cache, you're likely to start seeing performance issues. Distribute the data across multiple shards if you're using a premium cache, or upgrade to a larger cache size.

- For more information, see [Memory pressure on Redis server](cache-troubleshoot-server.md#memory-pressure-on-redis-server).

-## Heartbeat

-By default, Application Insights Java 3.x sends a heartbeat metric once every 15 minutes.

-If you are using the heartbeat metric to trigger alerts, you can increase the frequency of this heartbeat:

-```json

-{

- "heartbeat": {

- "intervalSeconds": 60

- }

-}

-```

-> [!NOTE]

-> You cannot increase the interval to longer than 15 minutes,

-> because the heartbeat data is also used to track Application Insights usage.

-## HTTP Proxy

-If your application is behind a firewall and cannot connect directly to Application Insights

-(see [IP addresses used by Application Insights](./ip-addresses.md)),

-you can configure Application Insights Java 3.x to use an HTTP proxy:

-```json

-{

- "proxy": {

- "host": "myproxy",

- "port": 8080

- }

-}

-```

-Application Insights Java 3.x also respects the global `https.proxyHost` and `https.proxyPort` system properties

-if those are set (and `http.nonProxyHosts` if needed).

-[//]: # "NOTE OpenTelemetry support is in private preview until OpenTelemetry API reaches 1.0"

-[//]: # "## Support for OpenTelemetry API pre-1.0 releases"

-[//]: # "Support for pre-1.0 versions of OpenTelemetry API is opt-in, because the OpenTelemetry API is not stable yet"

-[//]: # "and so each version of the agent only supports a specific pre-1.0 versions of OpenTelemetry API"

-[//]: # "(this limitation will not apply once OpenTelemetry API 1.0 is released)."

-[//]: # "```json"

-[//]: # "{"

-[//]: # " \"preview\": {"

-[//]: # " \"openTelemetryApiSupport\": true"

-[//]: # " }"

-[//]: # "}"

-[//]: # "```"

-## Instrumentation keys overrides (preview)

-This feature is in preview, starting from 3.2.3.

-Instrumentation key overrides allow you to override the [default instrumentation key](#connection-string), for example:

-* Set one instrumentation key for one http path prefix `/myapp1`.

-* Set another instrumentation key for another http path prefix `/myapp2/`.

- "preview": {

- "instrumentationKeyOverrides": [

- {

- "httpPathPrefix": "/myapp1",

- "instrumentationKey": "12345678-0000-0000-0000-0FEEDDADBEEF"

- },

- {

- "httpPathPrefix": "/myapp2",

- "instrumentationKey": "87654321-0000-0000-0000-0FEEDDADBEEF"

- }

- ]

-| &lt;Help&nbsp;Link&gt; | A URL that links to troubleshooting documentation (this page). |

-> Several of the troubleshooting steps assume that your application has direct control of the Snippet &lt;script /&gt; tag and it's configuration that are returned as part of the hosting HTML page. If you don't then those identified steps will not apply for your scenario.

-> src: "https://js.monitor.azure.com/scripts/b/ai.2.min.js",<br />

-> cfg:{<br />

-> instrumentationKey: "INSTRUMENTATION_KEY"<br />

-> }});<br />

-> cfg:{<br />

-> instrumentationKey: "INSTRUMENTATION_KEY",<br />

-> loggingLevelConsole: 2<br />

-> }});<br />

-If it still fails to initialize, try enabling the ```enableDebug``` configuration setting. This will cause all internal errors to be thrown as an exception (which will cause telemetry to be lost). As this is a developer only setting it will probably get noisy with exceptions getting thrown as part of some internal checks, so you will need to review each exception to determine which issue is causing the SDK to fail. Use the non-minified version of the script (note the extension below it's ".js" and not ".min.js") otherwise the exceptions will be unreadable.

-> src: "https://js.monitor.azure.com/scripts/b/ai.2.min.js",<br />

-> cfg:{<br />

-> instrumentationKey: "INSTRUMENTATION_KEY",<br />

-> enableDebug: true<br />

-> }});<br />

-If there are any associated changes with the event, you'll see a list of changes that you can select. This opens up the **Change history (Preview)** page. On this page you see the changes to the resource. In the following example, you can see not only that the VM changed sizes, but what the previous VM size was before the change and what it was changed to. To learn more about change history, see [Get resource changes](../../governance/resource-graph/how-to/get-resource-changes.md).

-Send the Activity Log to Azure Event Hubs to send entries outside of Azure, for example to a third-party SIEM or other log analytics solutions. Activity log events from event hubs are consumed in JSON format with a `records` element containing the records in each payload. The schema depends on the category and is described in [Schema from storage account and event hubs](activity-log-schema.md).

-Send the Activity Log to an Azure Storage account for audit, static analysis, or backup if you want to retain your log data longer than the Activity Log retention period. There is no need to set up Azure storage unless you need to retain the entries for one of these reasons.

-When you send the Activity log to Azure, a storage container is created in the storage account as soon as an event occurs. The blobs in the container use the following naming convention:

-Each event is stored in the PT1H.json file with the following format that uses a common top level schema but is otherwise unique for each category as described in [Activity log schema](activity-log-schema.md).

-This section describes legacy methods for collecting the Activity log that were used prior to diagnostic settings. If you're using these methods, you should consider transitioning to diagnostic settings which provide better functionality and consistency with resource logs.

-Log profiles are the legacy method for sending the Activity log to Azure storage or event hubs. Use the following procedure to continue working with a log profile or to disable it in preparation for migrating to a diagnostic setting.

- | serviceBusRuleId |No |Service Bus Rule ID for the Service Bus namespace you would like to have event hubs created in. This is a string with the format: `{service bus resource ID}/authorizationrules/{key name}`. |

- | RetentionInDays |Yes |Number of days for which events should be retained in the storage account, between 1 and 365. A value of zero stores the logs indefinitely. |

-Following is a sample PowerShell script to create a log profile that writes the Activity Log to both a storage account and event hub.

- $resourceGroupName = "<resource group name your event hub belongs to>"

- $eventHubNamespace = "<event hub namespace>"

- # Build the storage account Id from the settings above

- az monitor log-profiles create --name "default" --location null --locations "global" "eastus" "westus" --categories "Delete" "Write" "Action" --enabled false --days 0 --service-bus-rule-id "/subscriptions/<YOUR SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP NAME>/providers/Microsoft.EventHub/namespaces/<EVENT HUB NAME SPACE>/authorizationrules/RootManageSharedAccessKey"

-The columns in the following table have been deprecated in the updated schema. They still exist in *AzureActivity* but they will have no data. The replacement for these columns are not new, but they contain the same data as the deprecated column. They are in a different format, so you may need to modify log queries that use them.

-> [!IMPORTANT]

-The Azure Log Analytics monitoring solution will be deprecated soon and replaced by a workbook using the updated schema in the Log Analytics workspace. You can still use the solution if you already have it enabled, but it can only be used if you're collecting the Activity log using legacy settings.

-Click the **Azure Activity Logs** tile to open the **Azure Activity Logs** view. The view includes the visualization parts in the following table. Each part lists up to 10 items matching that parts's criteria for the specified time range. You can run a log query that returns all matching records by clicking **See all** at the bottom of the part.

-You will soon no longer be able to add the Activity Logs Analytics solution to your subscription using the Azure portal. You can add it using the following procedure with a Resource Manager template.

-| AnotherOperationInProgress | Wait for concurrent operation to complete. | |

-| AuthorizationFailed | Your account or service principal doesn't have sufficient access to complete the deployment. Check the role your account belongs to, and its access for the deployment scope.<br><br>You might receive this error when a required resource provider isn't registered. | [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md)<br><br>[Resolve registration](error-register-resource-provider.md) |

-| BadRequest | You sent deployment values that don't match what is expected by Resource Manager. Check the inner status message for help with troubleshooting. | [Template reference](/azure/templates/) <br><br> [Supported locations](../templates/resource-location.md) |

-| Conflict | You're requesting an operation that isn't allowed in the resource's current state. For example, disk resizing is allowed only when creating a VM or when the VM is deallocated. | |

-| DnsRecordInUse | The DNS record name must be unique. Enter a different name. | |

-| ImageNotFound | Check VM image settings. | |

-| InUseSubnetCannotBeDeleted | This error can occur when you try to update a resource, if the request process deletes and creates the resource. Make sure to specify all unchanged values. | [Update resource](/azure/architecture/guide/azure-resource-manager/advanced-templates/update-resource) |

-| InvalidAuthenticationTokenTenant | Get access token for the appropriate tenant. You can only get the token from the tenant that your account belongs to. | |

-| InvalidContentLink | You've most likely attempted to link to a nested template that isn't available. Double check the URI you provided for the nested template. If the template exists in a storage account, make sure the URI is accessible. You might need to pass a SAS token. Currently, you can't link to a template that is in a storage account behind an [Azure Storage firewall](../../storage/common/storage-network-security.md). Consider moving your template to another repository, like GitHub. | [Linked templates](../templates/linked-templates.md) |

-| InvalidDeploymentLocation | When deploying at the subscription level, you've provided a different location for a previously used deployment name. | [Subscription level deployments](../templates/deploy-to-subscription.md) |

-| InvalidParameter | One of the values you provided for a resource doesn't match the expected value. This error can result from many different conditions. For example, a password may be insufficient, or a blob name may be incorrect. The error message should indicate which value needs to be corrected. | |

-| InvalidRequestContent | The deployment values either include values that aren't recognized, or required values are missing. Confirm the values for your resource type. | [Template reference](/azure/templates/) |

-| InvalidRequestFormat | Enable debug logging when running the deployment, and verify the contents of the request. | [Debug logging](enable-debug-logging.md) |

-| InvalidResourceLocation | Provide a unique name for the storage account. | [Resolve storage account name](error-storage-account-name.md) |

-| InvalidResourceNamespace | Check the resource namespace you specified in the **type** property. | [Template reference](/azure/templates/) |

-| InvalidResourceReference | The resource either doesn't yet exist or is incorrectly referenced. Check whether you need to add a dependency. Verify that your use of the **reference** function includes the required parameters for your scenario. | [Resolve dependencies](error-not-found.md) |

-| InvalidResourceType | Check the resource type you specified in the **type** property. | [Template reference](/azure/templates/) |

-| InvalidSubscriptionRegistrationState | Register your subscription with the resource provider. | [Resolve registration](error-register-resource-provider.md) |

-| InvalidTemplateDeployment <br> InvalidTemplate | Check your template syntax for errors. | [Resolve invalid template](error-invalid-template.md) |

-| LinkedAuthorizationFailed | Check if your account belongs to the same tenant as the resource group that you're deploying to. | |

-| LinkedInvalidPropertyId | The resource ID for a resource isn't resolved. Check that you provided all required values for the resource ID. For example, subscription ID, resource group name, resource type, parent resource name (if needed), and resource name. | |

-| LocationRequired | Provide a location for the resource. | [Set location](../templates/resource-location.md) |

-| MissingRegistrationForLocation | Check resource provider registration status and supported locations. | [Resolve registration](error-register-resource-provider.md) |

-| MissingSubscriptionRegistration | Register your subscription with the resource provider. | [Resolve registration](error-register-resource-provider.md) |

-| NoRegisteredProviderFound | Check resource provider registration status. | [Resolve registration](error-register-resource-provider.md) |

-| NotFound | You might be attempting to deploy a dependent resource in parallel with a parent resource. Check if you need to add a dependency. | [Resolve dependencies](error-not-found.md) |

-| OperationNotAllowed | The deployment is attempting an operation that exceeds the quota for the subscription, resource group, or region. If possible, revise your deployment to stay within the quotas. Otherwise, consider requesting a change to your quotas. | [Resolve quotas](error-resource-quota.md) |

-| ParentResourceNotFound | Make sure a parent resource exists before creating the child resources. | [Resolve parent resource](error-parent-resource.md) |

-| PrivateIPAddressInReservedRange | The specified IP address includes an address range required by Azure. Change IP address to avoid reserved range. | [IP addresses](../../virtual-network/ip-services/public-ip-addresses.md) |

-| PrivateIPAddressNotInSubnet | The specified IP address is outside of the subnet range. Change IP address to fall within subnet range. | [IP addresses](../../virtual-network/ip-services/public-ip-addresses.md) |

-| PropertyChangeNotAllowed | Some properties can't be changed on a deployed resource. When updating a resource, limit your changes to permitted properties. | [Update resource](/azure/architecture/guide/azure-resource-manager/advanced-templates/update-resource) |

-| ResourceGroupBeingDeleted | Wait for deletion to complete. | |

-| ResourceGroupNotFound | Check the name of the target resource group for the deployment. The target resource group must already exist in your subscription. Check your subscription context. | [Azure CLI](/cli/azure/account?#az_account_set) [PowerShell](/powershell/module/Az.Accounts/Set-AzContext) |

-| ResourceNotFound | Your deployment references a resource that can't be resolved. Verify that your use of the **reference** function includes the parameters required for your scenario. | [Resolve references](error-not-found.md) |

-| ResourceQuotaExceeded | The deployment is trying to create resources that exceed the quota for the subscription, resource group, or region. If possible, revise your infrastructure to stay within the quotas. Otherwise, consider requesting a change to your quotas. | [Resolve quotas](error-resource-quota.md) |

-| SkuNotAvailable | Select SKU (such as VM size) that is available for the location you've selected. | [Resolve SKU](error-sku-not-available.md) |

-| StorageAccountAlreadyExists <br> StorageAccountAlreadyTaken | Provide a unique name for the storage account. | [Resolve storage account name](error-storage-account-name.md) |

-| StorageAccountNotFound | Check the subscription, resource group, and name of the storage account that you're trying to use. | |

-| SubnetsNotInSameVnet | A virtual machine can only have one virtual network. When deploying several NICs, make sure they belong to the same virtual network. | [Multiple NICs](../../virtual-machines/windows/multiple-nics.md) |

-| SubscriptionNotFound | A specified subscription for deployment can't be accessed. It could be the subscription ID is wrong, the user deploying the template doesn't have adequate permissions to deploy to the subscription, or the subscription ID is in the wrong format. When using nested deployments to [deploy across scopes](../templates/deploy-to-resource-group.md), provide the GUID for the subscription. | |

-| TooManyTargetResourceGroups | Reduce number of resource groups for a single deployment. | [Cross scope deployment](../templates/deploy-to-resource-group.md) |

-To understand backup storage costs, go to **Cost Management + Billing** in the Azure portal, select **Cost Management**, and then select **Cost analysis**. Select the desired subscription as the **Scope**, and then filter for the time period and service that you're interested in.

-Add a filter for **Service name**, and then select **sql database** in the drop-down list. Use the **meter subcategory** filter to choose the billing counter for your service. For a single database or an elastic database pool, select **single/elastic pool PITR backup storage**. For a managed instance, select **mi PITR backup storage**. The **Storage** and **compute** subcategories might interest you as well, but they're not associated with backup storage costs.

- >[!NOTE]

- > Meters are only visible for counters that are currently in use. If a counter is not available, it is likely that the category is not currently being used. For example, managed instance counters will not be present for customers who do not have a managed instance deployed. Likewise, storage counters will not be visible for resources that are not consuming storage.

-> The error message "The elastic pool has reached its storage limit" indicates that the database objects have been allocated enough space to meet the elastic pool storage limit, but there may be unused space in the data space allocation. Consider increasing the elastic pool's storage limit, or as a short-term solution, freeing up data space using the [**Reclaim unused allocated space**](#reclaim-unused-allocated-space) section below. You should also be aware of the potential negative performance impact of shrinking database files, see [**Rebuild indexes**](#rebuild-indexes) section below.

-### Shrinking data files

-In Azure SQL Database, to shrink files you can use the `DBCC SHRINKDATABASE` or `DBCC SHRINKFILE` commands:

- - Each `DBCC SHRINKFILE` command can run in parallel with other `DBCC SHRINKFILE` commands to shrink the database faster, at the expense of higher resource usage and a higher chance of blocking user queries, if they are executing during shrink.

- - If the tail of the file does not contain data, it can reduce allocated file size much faster by specifying the TRUNCATEONLY argument. This does not require data movement within the file.

-In Azure SQL Database, a database may have one or more data files. Additional data files can only be created automatically. To determine file layout of your database, query the `sys.database_files` catalog view using the following sample script:

- CAST(max_size AS bigint) * 8 / 1024. AS max_size_mb

-GO

-Execute a shrink against one file only via the `DBCC SHRINKFILE` command, for example:

-You should also be aware of the potential negative performance impact of shrinking database files, see the [Rebuild indexes](#rebuild-indexes) section below.

-```tsql

-Alternatively, auto-shrink can be enabled for a database. However, auto shrink can be less effective in reclaiming file space than `DBCC SHRINKDATABASE` and `DBCC SHRINKFILE`.

-Auto-shrink can be helpful in the specific scenario where an elastic pool contains many databases that experience significant growth and reduction in data file space used. This is not a common scenario.

-To enable auto-shrink, execute the following command while connected to your database (not in the master database).

-### <a name="rebuild-indexes"></a> Index maintenance before or after shrink

-After a shrink operation is completed against data files, indexes may become fragmented and lose their performance optimization effectiveness for certain workloads, such as queries using large scans. If performance degradation occurs after the shrink operation is complete, consider index maintenance to rebuild indexes.

-If page density in the database is low, a shrink will take longer because it will have to move more pages in each data file. Microsoft recommends determining average page density before executing shrink commands. If page density is low, rebuild or reorganize indexes to increase page density before running shrink. For more information, including a sample script to determine page density, see [Optimize index maintenance to improve query performance and reduce resource consumption](/sql/relational-databases/indexes/reorganize-and-rebuild-indexes).

-For many people, SQLite provides their first experience of databases and SQL programming. It's inclusion in many operating systems and popular applications makes SQLite one the most widely deployed and used database engines in the world. And because it is likely the first database engine many people use, it can often end up as a central part of projects or applications. In such cases where the project or application outgrows the initial SQLite implementation, developers may need to migrate their data to a reliable, centralized data store.

-> Geo-restore is available only for SQL databases or managed instances configured with geo-redundant [backup storage](automated-backups-overview.md#backup-storage-redundancy).

-## Built-in Azure Policy definitions for Video Analyzer

-},

-|height|The height of the OCR rectangle|

-|top|The top location in px|

-|left| The left location in px|

-|width|The width of the OCR rectangle|

- "width": 400,

-* __Tensorflow__ for __Android__.

-* **TensorflowJS** for JavaScript frameworks like React, Angular, and Vue. This will run on both **Android** and **iOS** devices.

-* [Use your Tensorflow model with Python](export-model-python.md)

-* See the sample for [Tensorflow model in an Android application](https://github.com/Azure-Samples/cognitive-services-android-customvision-sample) for real-time image classification on Android.

-> We are retiring the standard/non-neural training tier of custom voice on February 29, 2024. During the retiring period (3/1/2021 - 2/29/2024), existing standard tier users can continue to use their non-neural models created, but all new users who sign up for speech resources from **3/1/2021** should move to the neural tier/custom neural voice. After 2/29/2024, all standard/non-neural custom voices will no longer be supported.

-> We are retiring the standard voices on August 31, 2024. During the retiring period (9/1/2021 - 8/31/2024), existing standard voice users can continue to use standard voices, but all new users who sign up for speech resources from **9/1/2021** should choose [neural voice names](language-support.md#prebuilt-neural-voices) in your speech synthesis request. After 8/31/2024, the standard voices will no longer be supported in your speech synthesis request.

-> We are retiring the standard/non-neural training tier of custom voice on February 29, 2024. During the retiring period (3/1/2021 - 2/29/2024), existing standard tier users can continue to use their non-neural models created, but all new users who sign up for speech resources from **3/1/2021** should move to the neural tier/custom neural voice. After 2/29/2024, all standard/non-neural custom voices will no longer be supported.

-> We are retiring the standard voices on August 31, 2024. During the retiring period (9/1/2021 - 8/31/2024), existing standard voice users can continue to use standard voices, but all new users who sign up for speech resources from **9/1/2021** should choose [neural voice names](language-support.md#prebuilt-neural-voices) in your speech synthesis request. After 8/31/2024, the standard voices will no longer be supported in your speech synthesis request.

-| Canada East | 4 | 16 | 4 | 16 | 50 | N/A | N |

-description: Learn about SQL operators such as equality, comparison, and logical operators supported by Azure Cosmos DB.

-# Operators in Azure Cosmos DB

-This article details the various operators supported by Azure Cosmos DB.

-## Equality and Comparison Operators

-The following table shows the result of equality comparisons in the SQL API between any two JSON types.

-| **Op** | **Undefined** | **Null** | **Boolean** | **Number** | **String** | **Object** | **Array** |

-|||||||||

-| **Undefined** | Undefined | Undefined | Undefined | Undefined | Undefined | Undefined | Undefined |

-| **Null** | Undefined | **Ok** | Undefined | Undefined | Undefined | Undefined | Undefined |

-| **Boolean** | Undefined | Undefined | **Ok** | Undefined | Undefined | Undefined | Undefined |

-| **Number** | Undefined | Undefined | Undefined | **Ok** | Undefined | Undefined | Undefined |

-| **String** | Undefined | Undefined | Undefined | Undefined | **Ok** | Undefined | Undefined |

-| **Object** | Undefined | Undefined | Undefined | Undefined | Undefined | **Ok** | Undefined |

-| **Array** | Undefined | Undefined | Undefined | Undefined | Undefined | Undefined | **Ok** |

-For comparison operators such as `>`, `>=`, `!=`, `<`, and `<=`, comparison across types or between two objects or arrays produces `Undefined`.

-If the result of the scalar expression is `Undefined`, the item isn't included in the result, because `Undefined` doesn't equal `true`.

-For example, the following query's comparison between a number and string value produces `Undefined`. Therefore, the filter does not include any results.

-```sql

-SELECT *

-FROM c

-WHERE 7 = 'a'

-```

-## Logical (AND, OR and NOT) operators

-Logical operators operate on Boolean values. The following tables show the logical truth tables for these operators:

-**OR operator**

-Returns `true` when either of the conditions is `true`.

-| | **True** | **False** | **Undefined** |

-| | | | |

-| **True** |True |True |True |

-| **False** |True |False |Undefined |

-| **Undefined** |True |Undefined |Undefined |

-**AND operator**

-Returns `true` when both expressions are `true`.

-| | **True** | **False** | **Undefined** |

-| | | | |

-| **True** |True |False |Undefined |

-| **False** |False |False |False |

-| **Undefined** |Undefined |False |Undefined |

-**NOT operator**

-Reverses the value of any Boolean expression.

-| | **NOT** |

-| | |

-| **True** |False |

-| **False** |True |

-| **Undefined** |Undefined |

-**Operator Precedence**

-The logical operators `OR`, `AND`, and `NOT` have the precedence level shown below:

-| **Operator** | **Priority** |

-| | |

-| **NOT** |1 |

-| **AND** |2 |

-| **OR** |3 |

-## * operator

-The special operator * projects the entire item as is. When used, it must be the only projected field. A query like `SELECT * FROM Families f` is valid, but `SELECT VALUE * FROM Families f` and `SELECT *, f.id FROM Families f` are not valid.

-## ? and ?? operators

-You can use the Ternary (?) and Coalesce (??) operators to build conditional expressions, as in programming languages like C# and JavaScript.

-You can use the ? operator to construct new JSON properties on the fly. For example, the following query classifies grade levels into `elementary` or `other`:

-```sql

- SELECT (c.grade < 5)? "elementary": "other" AS gradeLevel

- FROM Families.children[0] c

-```

-You can also nest calls to the ? operator, as in the following query:

-```sql

- SELECT (c.grade < 5)? "elementary": ((c.grade < 9)? "junior": "high") AS gradeLevel

- FROM Families.children[0] c

-```

-As with other query operators, the ? operator excludes items if the referenced properties are missing or the types being compared are different.

-Use the ?? operator to efficiently check for a property in an item when querying against semi-structured or mixed-type data. For example, the following query returns `lastName` if present, or `surname` if `lastName` isn't present.

-```sql

- SELECT f.lastName ?? f.surname AS familyName

- FROM Families f

-```

-## Next steps

- Represents an operator that is applied to a single value. See [Operators](sql-query-operators.md) section for details.

- Represents an operator that is applied to two values. See [Operators](sql-query-operators.md) section for details.

-You can learn about [supported operators](sql-query-operators.md) and their behavior for `null` and `undefined` values.

-Watch the video [How to set up Connectors for AWS in Cost Management](https://www.youtube.com/watch?v=Jg5KC1cx5cA) to learn more about how to set up AWS report integration. To watch other videos, visit the [Cost Management YouTube channel](https://www.youtube.com/c/AzureCostManagement).

->[!VIDEO https://www.youtube.com/embed/Jg5KC1cx5cA]

-3. In **Review Policy**, enter a name for the new policy. Check that you entered the correct information, and then select **Create Policy**.

-4. Go back to the previous tab and refresh your browser's webpage. On the search bar, search for your new policy.

-5. Select **Next: Review**.

-6. Enter a name for the new role. Check that you entered the correct information, and then select **Create Role**.

- Note the role ARN and the external ID used in the preceding steps when you created the role. You'll use them later when you set up the Cost Management connector.

-The policy JSON should resemble the following example. Replace _bucketname_ with the name of your S3 bucket.

-```JSON

-"organizations:ListAccounts",

- "ce:*",

- "cur:DescribeReportDefinitions"

-Azure Data Box protects the device unlock key (also known as the device password), which is used to lock a device, via an encryption key. By default, this encryption key is a Microsoft managed key. For additional control, you can use a customer-managed key.

- 9. Select **Save** to save the updated **Encryption type** settings.

- <!--Probably need new screen from recent order. Can you provide one? I can't create an order using CMK with the subscription I'm using.-->

-To change the identity used to manage access to the customer-managed key for this order, follow these steps:

-| SsemUserErrorEncryptionKeyDisabled| Could not fetch the passkey as the customer managed key is disabled.| Yes, by enabling the key version.|

-| SsemUserErrorEncryptionKeyExpired| Could not fetch the passkey as the customer managed key has expired.| Yes, by enabling the key version.|

-| SsemUserErrorKeyDetailsNotFound| Could not fetch the passkey as the customer managed key could not be found.| If you deleted the key vault, you can't recover the customer-managed key. If you migrated the key vault to a different tenant, see [Change a key vault tenant ID after a subscription move](../key-vault/general/move-subscription.md). If you deleted the key vault:<ol><li>Yes, if it is in the purge-protection duration, using the steps at [Recover a key vault](../key-vault/general/key-vault-recovery.md?tabs=azure-powershell#key-vault-powershell).</li><li>No, if it is beyond the purge-protection duration.</li></ol><br>Else if the key vault underwent a tenant migration, yes, it can be recovered using one of the below steps: <ol><li>Revert the key vault back to the old tenant.</li><li>Set `Identity = None` and then set the value back to `Identity = SystemAssigned`. This deletes and recreates the identity once the new identity has been created. Enable `Get`, `Wrap`, and `Unwrap` permissions to the new identity in the key vault's Access policy.</li></ol> |

-| SsemUserErrorKeyVaultBadRequestException | Applied a customer managed key but the key access has not been granted or has been revoked, or unable to access key vault due to firewall being enabled. | Add the identity selected to your key vault to enable access to the customer managed key. If key vault has firewall enabled, switch to a system assigned identity and then add a customer managed key. For more information, see how to [Enable the key](#enable-key). |

-| SsemUserErrorKeyVaultDetailsNotFound| Could not fetch the passkey as the associated key vault for the customer managed key could not be found. | If you deleted the key vault, you can't recover the customer-managed key. If you migrated the key vault to a different tenant, see [Change a key vault tenant ID after a subscription move](../key-vault/general/move-subscription.md). If you deleted the key vault:<ol><li>Yes, if it is in the purge-protection duration, using the steps at [Recover a key vault](../key-vault/general/key-vault-recovery.md?tabs=azure-powershell#key-vault-powershell).</li><li>No, if it is beyond the purge-protection duration.</li></ol><br>Else if the key vault underwent a tenant migration, yes, it can be recovered using one of the below steps: <ol><li>Revert the key vault back to the old tenant.</li><li>Set `Identity = None` and then set the value back to `Identity = SystemAssigned`. This deletes and recreates the identity once the new identity has been created. Enable `Get`, `Wrap`, and `Unwrap` permissions to the new identity in the key vault's Access policy.</li></ol> |

-| SsemUserErrorSystemAssignedIdentityAbsent | Could not fetch the passkey as the customer managed key could not be found.| Yes, check if: <ol><li>Key vault still has the MSI in the access policy.</li><li>Identity is of type System assigned.</li><li>Enable Get, Wrap and Unwrap permissions to the identity in the key vaultΓÇÖs Access policy.</li></ol>|

-| SsemUserErrorUserAssignedLimitReached | Adding new User Assigned Identity failed as you have reached the limit on the total number of user assigned identities that can be added. | Please retry the operation with fewer user identities or remove some user assigned identities from the resource before retrying. |

-| SsemUserErrorCrossTenantIdentityAccessForbidden | Managed identity access operation failed. <br> Note: This is for the scenario when subscription is moved to different tenant. Customer has to manually move the identity to new tenant. PFA mail for more details. | Please move the identity selected to the new tenant under which the subscription is present. For more information, see how to [Enable the key](#enable-key). |

-| SsemUserErrorKekUserIdentityNotFound | Applied a customer managed key but the user assigned identity that has access to the key was not found in the active directory. <br> Note: This is for the case when user identity is deleted from Azure.| Please try adding a different user assigned identity selected to your key vault to enable access to the customer managed key. For more information, see how to [Enable the key](#enable-key). |

-| SsemUserErrorUserAssignedIdentityAbsent | Could not fetch the passkey as the customer managed key could not be found. | Could not access the customer managed key. Either the User Assigned Identity (UAI) associated with the key is deleted or the UAI type has changed. |

-| SsemUserErrorCrossTenantIdentityAccessForbidden | Managed identity access operation failed. <br> Note: This is for the scenario when subscription is moved to different tenant. Customer has to manually move the identity to new tenant. PFA mail for more details. | Please try adding a different user assigned identity selected to your key vault to enable access to the customer managed key. For more information, see how to [Enable the key](#enable-key).|

-| SsemUserErrorKeyVaultBadRequestException | Applied a customer managed key but the key access has not been granted or has been revoked, or unable to access key vault due to firewall being enabled. | Add the identity selected to your key vault to enable access to the customer managed key. If key vault has firewall enabled, switch to a system assigned identity and then add a customer managed key. For more information, see how to [Enable the key](#enable-key). |

-| Generic error | Could not fetch the passkey.| This is a generic error. Contact Microsoft Support to troubleshoot the error and determine the next steps.|

-Azure Data Box is a hybrid solution that allows you to import your on-premises data into Azure in a quick, easy, and reliable way. You transfer your data to a Microsoft-supplied 80-TB (usable capacity) storage device, and then ship the device back. This data is then uploaded to Azure.

-This tutorial describes how you can order an Azure Data Box. In this tutorial, you learn about:

-We use Azure CLI through Windows PowerShell for the tutorial, but you are free to choose either option.

-* Install [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. Alternatively, you may [install using MSI](https://aka.ms/installazurecliwindows).

-Before you can use the Azure Data Box CLI commands, you need to install the extension. Azure CLI extensions give you access to experimental and pre-release commands that have not yet shipped as part of the core CLI. For more information about extensions, see [Use extensions with Azure CLI](/cli/azure/azure-cli-extensions-overview).

-You will need to have Windows PowerShell version 6.2.4 or higher installed. To find out what version of PowerShell you have installed, run: `$PSVersionTable`.

-You will see the following output:

-You will need to install the Azure PowerShell modules to use Azure PowerShell to order an Azure Data Box. To install the Azure PowerShell modules:

-1. Write down your settings for your Data Box order. These settings include your personal/business information, subscription name, device information, and shipping information. You will need to use these settings as parameters when running the CLI command to create the Data Box order. The following table shows the parameter settings used for `az databox job create`:

- |name| The name of the order you are creating. | "mydataboxorder"|

- |sku| The specific Data Box device you are ordering. Valid values are: "DataBox", "DataBoxDisk", and "DataBoxHeavy"| "DataBox" |

-2. Write down your settings for your Data Box order. These settings include your personal/business information, subscription name, device information, and shipping information. You will need to use these settings as parameters when running the PowerShell command to create the Data Box order. The following table shows the parameter settings used for [New-AzDataBoxJob](/powershell/module/az.databox/New-AzDataBoxJob).

- |Name [Required]| The name of the order you are creating. | "mydataboxorder"|

- |DataBoxType [Required]| The specific Data Box device you are ordering. Valid values are: "DataBox", "DataBoxDisk", and "DataBoxHeavy"| "DataBox" |

-After you have placed the order, you can track the status of the order from Azure portal. Go to your Data Box order and then go to **Overview** to view the status. The portal shows the order in **Ordered** state.

-To cancel an Azure Data Box order, run [`az databox job cancel`](/cli/azure/databox/job#az_databox_job_cancel). You are required to specify your reason for canceling the order.

-If you have canceled an Azure Data Box order, you can run [`az databox job delete`](/cli/azure/databox/job#az_databox_job_delete) to delete the order.

-To cancel an Azure Data Box order, run [Stop-AzDataBoxJob](/powershell/module/az.databox/stop-azdataboxjob). You are required to specify your reason for canceling the order.

- - For the 40 Gbps cable, device end of the cable needs to be QSFP+.

- - For the 10 Gbps cable, you need an SFP+ cable that plugs into a 10 G switch on one end, with a QSFP+ to SFP+ adapter (or the QSA adapter) for the end that plugs into the device.

-|**Possible loss of data detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised. This behavior was seen [x]] times today on the following machines: [Machine names]|-|Medium|

-|**Possible loss of data detected**<br>(VM_DataEgressArtifacts)|Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised.|Collection, Exfiltration|Medium|

-| **Account added to sudo group (Preview)**<br>(K8S.NODE_NewSudoerAccount) | Analysis of host data indicates that a user was added to the sudoers group, which enables its members to run commands with high privileges. | PrivilegeEscalation | Low |

-| **Behavior similar to ransomware detected (Preview)**<br>(K8S.NODE_LinuxRansomwareArtifacts) | Analysis of processes running within a container detected the execution of files that have resemblance to known ransomware that can prevents users from accessing their system or personal files and demand a ransom payment to regain access. | Execution | High |

-| **Burst of log deletions may indicate actions of an attacker (Preview)**<br>(K8S.NODE_SystemLogRemovalBurst) | Analysis of host/device data detected a large number of system log files being removed. Attackers often perform this for defense evasion. | DefenseEvasion | Low |

-| **Container with a miner image detected (Preview)**<br>(K8S.NODE_MinerInContainerImage) | Machine logs indicate execution of a Docker container that ran an image associated with digital currency mining. | Execution | High |

-| **Exploitation of Xorg vulnerability (Preview)**<br>(K8S.NODE_XorgExploit) | Analysis of processes running within a container detected the use of Xorg with suspicious arguments. Attackers may use this technique in privilege escalation attempts. | PrivilegeEscalation, Exploitation | Medium |

-| **Manipulation of scheduled tasks detected (Preview)**<br>(K8S.NODE_CronJobAccess) | Analysis of host/device data detected possible manipulation of scheduled tasks. Attackers will often add scheduled tasks to machines they have compromised to gain persistence. | Persistence | Informational |

-| **Possible attempt to disable auditd logging detected (Preview)**<br>(K8S.NODE_AuditDLoggingDisabled) | The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. | DefenseEvasion | Low |

-| **Possible manipulation of PostgreSQL database (Preview)**<br>(K8S.NODE_SuspectPostGreAdministration) | Analysis of processes running within a container detected the possible manipulation of authorization rules associated with a PostgreSQL database. It is possible to insert new lines into the pg_hba.conf file that will change how users access the database. | PrivilegeEscalation, Execution | Low |

-| **Potential crypto coin miner started (Preview)**<br>(K8S.NODE_CryptoCoinMinerExecution) | Analysis of processes running within a container detected a process being started in a way normally associated with digital currency mining. | Execution | Medium |

-| **Python encoded downloader detected (Preview)**<br>(K8S.NODE_RemoteEncodedPythonDownload) | Analysis of processes running within a container detected the execution of encoded Python that downloads and runs code from a remote location. This may be an indication of malicious activity. | Exploitation | Low |

-| **Shellcode detected (Preview)**<br>(K8S.NODE_ShellcodeOnCommandLine) | Analysis of processes running within a container detected shellcode being generated from a command line. This command line could be legitimate activity, or an indication of a compromise. | Execution, Exploitation | Medium |

-| **Suspicious kernel module detected (Preview)**<br>(K8S.NODE_SharedObjectLoadedAsKM) | Analysis of host/device data detected a shared object file being loaded as a kernel module. This could be legitimate activity, or an indication that one of your machines has been compromised. | Persistence, DefenseEvasion | Medium |

-| **Suspicious password access (Preview)**<br>(K8S.NODE_SuspectPasswordFileAccess) | Analysis of processes running within a container detected suspicious access to encrypted user passwords. | Persistence | Informational |

-| **Suspicious shell script detected (Preview)**<br>(K8S.NODE_ScriptGeneratedFromCommandLine) | Analysis of processes running within a container detected a shell script being generated from the command line. This process could be legitimate activity, or an indication of a compromise. | Persistence | Medium |

-| **Suspicious use of DNS over HTTPS (Preview)**<br>(K8S.NODE_SuspiciousDNSOverHttps) | Analysis of processes running within a container indicates the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites. | DefenseEvasion, Exfiltration | Medium |

-| **Unusual access to bash history file (Preview)**<br>(K8S.NODE_ReadingHistoryFile) | Analysis of processes running within a container indicates an abnormal access to commands history file by the specified user account. | CredentialAccess | Informational |

-| **Unusual access to Bash profile file (Preview)**<br>(K8S.NODE_BashProfileAccess) | Analysis of host data indicates that a Bash Profile file was accessed by the specified user account. | Persistence | Low |

-Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution. Its main features are:

- Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 24 hours.

-### [**Linux**)](#tab/linux)

- Onboarding might take up to 1 hour.

-> If you delete the MDE.Windows extension, it will not remove Microsoft Defender for Endpoint. to 'offboard', see [Offboard Windows servers.](/microsoft-365/security/defender-endpoint/configure-server-endpoints).

-If you would like to be added to the Microsoft Defender for IoT device builders email distribution list, to get updates on new features, and release notes, send an email to: [defender_micro_agent@microsoft.com](mailto:defender_micro_agent@microsoft.com)

-description: See how to write authentication code in a client application

-First, complete the setup steps in [Set up an instance and authentication](how-to-set-up-instance-portal.md). This setup will ensure that you have an Azure Digital Twins instance and that your user has access permissions. After that setup, you're ready to write client app code.

-1. Include the SDK package `Azure.DigitalTwins.Core` and the `Azure.Identity` package in your project. Depending on your tools of choice, you can include the packages using the Visual Studio package manager or the `dotnet` command line tool.

-description: See how to create an Azure AD app registration, as an authentication option for client apps, using the CLI.

-Next, read about authentication mechanisms, including one that uses app registrations and others that do not:

-description: See how to create an Azure AD app registration, as an authentication option for client apps, using the Azure portal.

-description: See how to enable private access for Azure Digital Twins solutions with Private Link.

-This article describes the different ways to [enable Private Link with a private endpoint for an Azure Digital Twins instance](concepts-security.md#private-network-access-with-azure-private-link-preview) (currently in preview). Configuring a private endpoint for your Azure Digital Twins instance enables you to secure your Azure Digital Twins instance and eliminate public exposure, as well as avoid data exfiltration from your [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md).

-If you want to set up Private Link as part of the instance's initial setup, you'll need to use the Azure portal. If you want to enable Private Link on an instance after it's been created, you can use either the Azure portal or the Azure CLI. Any of these creation methods will give the same configuration options and the same end result for your instance.

-> For more details about setting up Private Link resources, see Private Link documentation for the [Azure portal](../private-link/create-private-endpoint-portal.md), [Azure CLI](../private-link/create-private-endpoint-cli.md), [Azure Resource Manager](../private-link/create-private-endpoint-template.md), or [PowerShell](../private-link/create-private-endpoint-powershell.md).

- This will add a section called **Private endpoint connections** where you can configure the details of your private endpoint. Select the **+ Add** button to continue.

-1. This will return you to the **Networking** tab of the Azure Digital Twins instance setup. Verify that your new endpoint is visible under **Private endpoint connections**.

-You cannot add a Private Link endpoint during instance creation using the Azure CLI.

-1. In the **Basics** tab, enter or select the **Subscription** and **Resource group** of your project, and a **Name** and **Region** for your endpoint. The region needs to be the same as the region for the VNet you're using.

-1. In the **Resource** tab, enter or select this information:

-1. In theΓÇ»**Configuration** tab, enter or select this information:

-1. In the **Review + create** tab, review your selections and select theΓÇ»**Create** button.

-Here is an example that uses the command to create a private endpoint, with only the required parameters.

-### Get additional Private Link information

-You can get additional information about the Private Link status of your instance with the [az dt network private-link](/cli/azure/dt/network/private-link) commands. Operations include:

-This policy allows you to restrict API access to Private Link connections only. When the public network access flag is set to *disabled*, all REST API calls to the Azure Digital Twins instance data plane from the public cloud will return `403, Unauthorized`. Alternatively, when the policy is set to *disabled* and a request is made through a private endpoint, the API call will succeed.

-You can update the value of the network flag using the [Azure portal](https://portal.azure.com), [Azure CLI](/cli/azure/) or [ARMClient command tool](https://github.com/projectkudu/ARMClient).

-ΓÇ»

-armclient loginΓÇ»

-armclient PATCH /subscriptions/<your-Azure-subscription-ID>/resourceGroups/<your-resource-group>/providers/Microsoft.DigitalTwins/digitalTwinsInstances/<your-Azure-Digital-Twins-instance>?api-version=2020-12-01 "{ 'properties': { 'publicNetworkAccess': 'disabled' } }"ΓÇ»

-To **enable** public network access:ΓÇ»

-ΓÇ»

-armclient loginΓÇ»

-armclient PATCH /subscriptions/<your-Azure-subscription-ID>/resourceGroups/<your-resource-group>/providers/Microsoft.DigitalTwins/digitalTwinsInstances/<your-Azure-Digital-Twins-instance>?api-version=2020-12-01 "{ 'properties': { 'publicNetworkAccess': 'enabled' } }" 

-description: See how to stream Azure Digital Twins telemetry to clients using Azure SignalR

- - Event grid topic

-Next, subscribe the *broadcast* Azure function to the **event grid topic** you created during the [tutorial prerequisite](how-to-integrate-azure-signalr.md#prerequisites). This action will allow telemetry data to flow from the thermostat67 twin through the event grid topic and to the function. From here, the function can broadcast the data to all the clients.

-To broadcast the data, you'll create an **Event subscription** from your event grid topic to your *broadcast* Azure function as an endpoint.

-In the [Azure portal](https://portal.azure.com/), navigate to your event grid topic by searching for its name in the top search bar. Select *+ Event Subscription*.

- - Fill in your **Subscription**, **Resource group**, **Function app**, and **Function** (*broadcast*). Some of these fields may auto-populate after selecting the subscription.

-Using the Azure Cloud Shell or local Azure CLI, you can delete all Azure resources in a resource group with the [az group delete](/cli/azure/group#az_group_delete) command. Removing the resource group will also remove...

-* the Azure Digital Twins instance (from the end-to-end tutorial)

-* the IoT hub and the hub device registration (from the end-to-end tutorial)

-* the event grid topic and associated subscriptions

-* the Azure Functions app, including all three functions and associated resources like storage

-* the Azure SignalR instance

-description: See how to connect Logic Apps to Azure Digital Twins, using a custom connector

-In this article, you'll use the [Azure portal](https://portal.azure.com) to **create a custom connector** that can be used to connect Logic Apps to an Azure Digital Twins instance. You'll then **create a logic app** that uses this connection for an example scenario, in which events triggered by a timer will automatically update a twin in your Azure Digital Twins instance.

-First, download a custom Azure Digital Twins Swagger that has been modified to work with Logic Apps. Navigate to the sample at [Azure Digital Twins custom Swaggers (Logic Apps connector) sample](/samples/azure-samples/digital-twins-custom-swaggers/azure-digital-twins-custom-swaggers/) and select the **Browse code** button underneath the title to go to the GitHub repo for the sample. Get the sample on your machine by by selecting the selecting the **Code** button followed by **Download ZIP**.

-description: See how to use Azure Functions to create a function that can use the twin graph and Azure Digital Twins notifications to update an Azure Maps indoor map.

- * You'll be extending this twin with an additional endpoint and route. You'll also be adding another function to your function app from that tutorial.

-First, you'll create a route in Azure Digital Twins to forward all twin update events to an event grid topic. Then, you'll use a function to read those update messages and update a feature stateset in Azure Maps.

-1. Create an event grid topic, which will receive events from your Azure Digital Twins instance.

-2. Create an endpoint to link your event grid topic to Azure Digital Twins.

-description: See how to set up event routes from Azure Digital Twins to Azure Time Series Insights.

-Before creating the event hubs, you'll first create an event hub namespace that will receive events from your Azure Digital Twins instance. You can either use the Azure CLI instructions below, or use the Azure portal by following [Create an event hub using Azure portal](../event-hubs/event-hubs-create.md). To see what regions support event hubs, visit [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=event-hubs).

-You'll be using this event hubs namespace to hold the two event hubs that are needed for this article:

-The second event hub you'll create in this article is the **time series hub**. This is an event hub that will stream the Azure Digital Twins events to Time Series Insights.

-1. First, create a new function app project in Visual Studio. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#create-an-azure-functions-project).

-5. Publish the project with the *ProcessDTUpdatetoTSI.cs* function to a function app in Azure. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#publish-to-azure).

-In this section, you'll set up Time Series Insights instance to receive data from your time series hub. For more details about this process, see [Set up an Azure Time Series Insights Gen2 PAYG environment](../time-series-insights/tutorial-set-up-environment.md). Follow the steps below to create a time series insights environment.

-2. In the explorer, you will see the twins in the Azure Digital Twins instance shown on the left. Select the twin you've edited properties for, choose the property you've changed, and select **Add**.

-description: See how to manage a graph of digital twins by connecting them with relationships.

-The heart of Azure Digital Twins is the [twin graph](concepts-twins-graph.md) representing your whole environment. The twin graph is made of individual digital twins connected via **relationships**.

-This article focuses on managing relationships and the graph as a whole; to work with individual digital twins, see [Manage digital twins](how-to-manage-twin.md).

-The types of relationships that can be created from one (source) twin to another (target) twin are defined as part of the source twin's [DTDL model](concepts-models.md#relationships). You can create an instance of a relationship by using the `CreateOrReplaceRelationshipAsync()` SDK call with twins and relationship details that comply with the DTDL definition.

-This means that you can express several different types of relationships between two twins at once. For example, Twin A can have both a *stored* relationship and *manufactured* relationship with Twin B.

-## Create graph from a CSV file

-Consider the following data table, describing a set of digital twins and relationships.

-|  Model ID | Twin ID (must be unique) | Relationship name  | Target twin ID  | Twin init data |

-| dtmi:example:Room;1 | Room1 | | | {"Temperature": 80} |

-| dtmi:example:Room;1 | Room0 | | | {"Temperature": 70} |

-description: See how to set up and manage endpoints and event routes for Azure Digital Twins data

-In Azure Digital Twins, you can route [event notifications](concepts-event-notifications.md) to downstream services or connected compute resources. This is done by first setting up **endpoints** that can receive the events. You can then create [event routes](concepts-route-events.md) that specify which events generated by Azure Digital Twins are delivered to which endpoints.

-These are the supported types of endpoints that you can create for your instance:

-To link an endpoint to Azure Digital Twins, the event grid topic, event hub, or Service Bus topic that you're using for the endpoint needs to exist already.

-| Event Grid endpoint | [event grid topic](../event-grid/custom-event-quickstart-portal.md#create-a-custom-topic)<br/>*event schema must be Event Grid Schema or Cloud Event Schema v1.0 |

-Once you have created the endpoint resources, you can use them for an Azure Digital Twins endpoint.

-1. From the instance menu, select _Endpoints_. Then from the *Endpoints* page that follows, select *+ Create an endpoint*. This will open the *Create an endpoint* page, where you'll fill in the fields in the following steps.

- 1. For Event Hub and Service Bus endpoints only, you must select an **Authentication type**. You can use key-based authentication with a pre-created authorization rule, or identity-based authentication if you'll be using the endpoint with a [managed identity](concepts-security.md#managed-identity-for-accessing-other-resources) for your Azure Digital Twins instance.

- :::image type="content" source="media/how-to-manage-routes/create-endpoint-event-hub-authentication.png" alt-text="Screenshot of creating an endpoint of type Event Hub in the Azure portal." lightbox="media/how-to-manage-routes/create-endpoint-event-hub-authentication.png":::

-Now the event grid, event hub, or Service Bus topic is available as an endpoint inside of Azure Digital Twins, under the name you chose for the endpoint. You'll typically use that name as the target of an **event route**, which you'll create [later in this article](#create-an-event-route).

-After successfully running these commands, the event grid, event hub, or Service Bus topic will be available as an endpoint inside of Azure Digital Twins, under the name you supplied with the `--endpoint-name` argument. You'll typically use that name as the target of an **event route**, which you'll create [later in this article](#create-an-event-route).

-* the Azure resource ID of your Azure Digital Twins instance

-* an endpoint name

-* an endpoint type

-* the endpoint resource's namespace

-* the name of the event hub or Service Bus topic

-* the location of your Azure Digital Twins instance

-1. This will generate several SAS and connection string values at the bottom of the same page, underneath the setting selections. Scroll down to view the values, and use the *Copy to clipboard* icon to copy the **SAS token** value. Save it to use later.

-In order to create an endpoint with dead-lettering enabled, you must use the [CLI commands](/cli/azure/dt) or [control plane APIs](/rest/api/digital-twins/controlplane/endpoints/digitaltwinsendpoint_createorupdate) to create your endpoint, rather than the Azure portal.

-For instructions on how to do this with the Azure CLI, switch to the CLI tab for this section.

-Add this parameter to the end of the endpoint creation commands from the [Create the endpoint](#create-the-endpoint) section earlier to create an endpoint of your desired type that has dead-lettering enabled.

-Alternatively, you can create dead letter endpoints using the [Azure Digital Twins control plane APIs](concepts-apis-sdks.md#overview-control-plane-apis) instead of the CLI. To do this, view the [DigitalTwinsEndpoint documentation](/rest/api/digital-twins/controlplane/endpoints/digitaltwinsendpoint_createorupdate) to see how to structure the request and add the dead letter parameters.

-* the Azure resource ID of your Azure Digital Twins instance

-* an endpoint name

-* an endpoint type

-* the endpoint resource's namespace

-* the name of the event hub or Service Bus topic

-* **dead letter SAS URI** details: storage account name, container name

-* the location of your Azure Digital Twins instance

-Here is an example of a dead-letter message for a [twin create notification](concepts-event-notifications.md#digital-twin-lifecycle-notifications):

-**Prerequisite**: You need to create endpoints as described earlier in this article before you can move on to creating a route. You can proceed to creating an event route once your endpoints are finished setting up.

-If there is no route name, no messages are routed outside of Azure Digital Twins.

-If there is a route name and the filter is `true`, all messages are routed to the endpoint.

-If there is a route name and a different filter is added, messages will be filtered based on the filter.

-For the route to be enabled, you must also **Add an event route filter** of at least `true`. (Leaving the default value of `false` will create the route, but no events will be sent to it.) To do this, toggle the switch for the _Advanced editor_ to enable it, and write `true` in the *Filter* box.

-`CreateOrReplaceEventRouteAsync` is the SDK call that is used to add an event route. Here is an example of its usage:

-After enabling the minimal filter of `true`, endpoints will receive a variety of events from Azure Digital Twins:

-To add an event filter while you are creating an event route, use the "Add an event route filter" section of the *Create an event route* page.

-This will auto-populate the filter text box with the text of the filter you've selected:

- :::image type="content" source="media/how-to-manage-routes/create-event-route-filter-basic-2.png" alt-text="Screenshot of creating an event route with a basic filter in the Azure portal, highlighting the auto-populated filter text after selecting the events.":::

-Alternatively, you can use the advanced filter option to write your own custom filters.

-| Subject | A description of the event in the context of the event source above | `subject = '<subject>'` | Here are the possible subject values: <br>**For notifications**: The subject is `<twin-ID>` <br> or a URI format for subjects, which are uniquely identified by multiple parts or IDs:<br>`<twin-ID>/relationships/<relationship-ID>`<br> **For telemetry**: The subject is the component path (if the telemetry is emitted from a twin component), such as `comp1.comp2`. If the telemetry is not emitted from a component, then its subject field is empty. |

-| Spec version | The version of the event schema you are using | `specversion = '<version>'` | The version must be `1.0`. This indicates the CloudEvents schema version 1.0 |

-description: See how to move an Azure Digital Twins instance from one Azure region to another.

-If you need to move your Azure Digital Twins instance from one region to another, the current process is to recreate your resources in the new region. Once the resources have been recreated in the new region, the original resources are deleted. At the end of this process, you'll be working with a new Azure Digital Twins instance that's identical to the first, except for the updated location.

-This article provides guidance on how to do a complete move and copy over everything you'll need to make the new instance match the original.

-These views confirm that your models, twins, and graph were re-uploaded to the new instance in the target region.

-description: See how to set up an automated process to provision and retire IoT devices in Azure Digital Twins using Device Provisioning Service (DPS).

-# Auto-manage devices in Azure Digital Twins using Device Provisioning Service (DPS)

-* an **Azure Digital Twins instance**. Follow the instructions in [Set up an instance and authentication](how-to-set-up-instance-portal.md) to create an Azure digital twins instance. Gather the instance's **_host name_** in the Azure portal ([instructions](how-to-set-up-instance-portal.md#verify-success-and-collect-important-values)).

-* an **IoT hub**. For instructions, see the "Create an IoT Hub" section of [the IoT Hub quickstart](../iot-hub/quickstart-send-telemetry-cli.md).

-* an [Azure function](../azure-functions/functions-overview.md) that updates digital twin information based on IoT Hub data. Follow the instructions in [Ingest IoT hub data](how-to-ingest-iot-hub-data.md) to create this Azure function. Gather the function **_name_** to use it in this article.

-* [Auto-provision device using Device Provisioning Service](#auto-provision-device-using-device-provisioning-service)

-* [Auto-retire device using IoT Hub lifecycle events](#auto-retire-device-using-iot-hub-lifecycle-events)

-## Auto-provision device using Device Provisioning Service

-In this section, you'll be attaching Device Provisioning Service to Azure Digital Twins to auto-provision devices through the path below. This diagram is an excerpt from the full architecture shown [earlier](#solution-architecture).

-4. DPS registers the device with an IoT hub, and populates the device's desired twin state.

-The following sections walk through the steps to set up this auto-provision device flow.

-* **Subscription**: Your Azure subscription is auto-populated. Make sure it's the right subscription.

-## Auto-retire device using IoT Hub lifecycle events

-In this section, you'll be attaching IoT Hub lifecycle events to Azure Digital Twins to auto-retire devices through the path below. This diagram is an excerpt from the full architecture shown [earlier](#solution-architecture).

-The following sections walk through the steps to set up this auto-retire device flow.

-3. Select **+ Add** and choose **Event hubs** to add an event hubs type endpoint.

- * **Endpoint**: Choose the event hubs endpoint you created earlier from the dropdown.

-2. You'll see a device with the device registration ID you chose in the [first half of this article](#auto-provision-device-using-device-provisioning-service). You can also choose any other device to delete, as long as it has a twin in Azure Digital Twins so you can verify that the twin is automatically deleted after the device is deleted.

-Using the Azure Cloud Shell or local Azure CLI, you can delete all Azure resources in a resource group with the [az group delete](/cli/azure/group#az_group_delete) command. This command removes the resource group; the Azure Digital Twins instance; the IoT hub and the hub device registration; the event grid topic and associated subscriptions; the event hubs namespace and both Azure Functions apps, including associated resources like storage.

-description: See how to create a function in Azure for propagating events through the twin graph.

-This article shows how to **send events from twin to twin**, so that when one digital twin in the graph is updated, related twins in the graph that are affected by this information can update accordingly. This will help you create a fully-connected Azure Digital Twins graph, where data that arrives into Azure Digital Twins from external sources like IoT Hub is propagated through the entire graph.

-To set up this twin-to-twin event handling, you'll create an [Azure function](../azure-functions/functions-overview.md) that watches for twin life cycle events. The function recognizes which events should affect other twins in the graph, and uses the event data to update the affected twins accordingly.

-Optionally, you may want to set up [automatic telemetry ingestion through IoT Hub](how-to-ingest-iot-hub-data.md) for your twins as well. This is not required in order to send data from twin to twin, but it's an important piece of a complete solution where the twin graph is driven by live telemetry.

-1. First, create an Azure Functions project in Visual Studio on your machine. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#create-an-azure-functions-project).

-Next, subscribe your Azure function to the Event Grid endpoint you created earlier. This will ensure that data can flow from an updated twin through the Event Grid topic to the function, which can use the event information to update other twins as needed.

-To do this, you'll create an **Event Grid subscription** that sends data from the Event Grid topic that you created earlier to your Azure function.

-description: Understand how to use the features of Azure Digital Twins Explorer

-This will bring up the **Azure Digital Twins URL modal**, where you can enter the host name of another Azure Digital Twins instance after the *https://* to connect to that instance.

-You can use the **Query Explorer** panel to perform [queries](concepts-query-language.md) on your graph.

-Enter the query you want to run and select the **Run Query** button. This will load the query results in the **Twin Graph** panel.

-If the query result includes something that is not currently being shown in the **Twin Graph** panel, the element will be added onto the existing view.

-Once the query has been saved, it is available to select from the **Saved Queries** dropdown menu to easily run it again.

-To view the property values of a twin or a relationship, select the twin or relationship in the **Twin Graph** and use the **Toggle property inspector** button to expand the **Twin Properties** or **Relationship Properties** panel, respectively. This panel will display all the properties associated with the element, along with their values. It also includes default values for properties that have not yet been set.

-* **One or many models used by the twin are missing**. As a result, all the properties associated with that model will be flagged as "missing" in the Twin Properties panel. This can happen if the model has been deleted since the twin was created.

-* **Some properties on the twin are not part of the twin's model**. Only these properties will be flagged as "missing" in the Twin Properties panel. This can happen if the model for the twin has been replaced or changed since the properties were set, and the properties no longer exist in the most recent version of the model.

-To do this, right-click a twin in the graph, and choose **Get relationships**. This brings up a **Relationship Information** modal displaying the [JSON representation](concepts-twins-graph.md#relationship-json-format) of all incoming and outgoing relationships.

-If you choose a property that isn't present on every twin, any twins in the graph that do not have that property will display with an asterisk (*) followed by their `$dtId` value.

-To indicate which types of relationships to follow when expanding, use the **Expansion Direction** button. This allows you to select from just incoming, just outgoing, or both incoming and outgoing relationships.

-To hide a twin or relationship, right-click it in the **Twin Graph** window. This will bring up a menu with options to hide the element or other related elements.

-Once the two twins are simultaneously selected, right-click the target twin. This will bring up a menu with an option to **Add relationships** between them.

-This will bring up the **Create Relationship** dialog, which shows the source twin and target twin of the relationship, followed by a **Relationship** dropdown menu that contains the types of relationship that the source twin can have (defined in its DTDL model). Select an option for the relationship type, and **Save** the new relationship.

-To delete a twin or a relationship, right-click it in the **Twin Graph** window. This will bring up a menu with an option to delete the element.

-To see the full definition of a model, find that model in the **Models** pane and select the menu dots next to the model name. Then, select **View Model**. This will display a **Model Information** modal showing the raw DTDL definition of the model.

-First, use the following instructions to set the image file names before uploading. This enables Azure Digital Twins Explorer to automatically assign the images to the correct models after upload.

-However, you can manually refresh the panel at any time to reload the list of all models in your Azure Digital Twins instance. To do this, select the **Refresh models** icon.

-You can use the import feature to add twins, relationships, and models to your instance. This can be useful for creating many twins, relationships, and/or models at once.

-* The **custom Excel-based format** described in the remainder of this section. This allows you to upload twins and relationships.

-* The **JSON-based format** generated on [graph export](#export-graph-and-models). This can contain twins, relationships, and/or models.

-| *Optional*<br>The DTMI model ID for a twin that should be created.<br><br>You can leave this column blank for a row if you want that row to create only a relationship (no twins). | *Required*<br>The unique ID for a twin.<br><br>If a new twin is being created in this row, this will be the ID of the new twin.<br>If there is relationship information in the row, this ID will be used as the **target** of the relationship. | *Optional*<br>The ID of a twin that should be the **source** twin for a new relationship.<br><br>You can leave this column blank for a row if you want that row to create only a twin (no relationships). | *Optional*<br>The name for the new relationship to create. The relationship direction will be **from** the twin in column C **to** the twin in column B. | *Optional*<br>A JSON string containing property settings for the twin to be created. The properties must match those defined in the model from column A. |

-Here is an example .xlsx file creating a small graph of two floors and two rooms.

-You can view this file and additional .xlsx graph examples in the [Azure Digital Twins Explorer repository](https://github.com/Azure-Samples/digital-twins-explorer/tree/main/client/examples) on GitHub.

-To begin, use the [Query Explorer](#query-your-digital-twin-graph) panel to run a query that selects the twins and relationships that you want to download. This will populate them in the Twin Graph panel.

-Here is an example of a URL with the placeholder values filled in:

-You may want to share an environment and specify a query to execute upon landing, to highlight a subgraph or custom view for a teammate. To do this, start with the URL for the environment and add the query text to the URL as a querystring parameter:

-description: See how to implement tags on digital twins

-Tags are first added as properties within the [model](concepts-models.md) that describes a digital twin. That property is then set on the twin when it is created based on the model. After that, the tags can be used in [queries](concepts-query-language.md) to identify and filter your twins.

-Here is an excerpt from a twin model implementing a marker tag as a property:

-Here is a code example on how to set marker `tags` for a twin using the [.NET SDK](/dotnet/api/overview/azure/digitaltwins/client?view=azure-dotnet&preserve-view=true):

-Here is a query to get all twins that have been tagged as "red":

-You can also combine tags for more complex queries. Here is a query to get all twins that are round, and not red:

-Here is an excerpt from a twin model implementing a value tag as a property:

-Here is a query to get all entities that are small (value tag), and not red:

-description: This article shows processes for exporting and deleting personal data in Azure Digital Twins.

-Azure Digital Twins is a developer platform for creating secure digital representations of a business environment. Representations are driven by live state data from data sources selected by users.

-Many of the digital twins in Azure Digital Twins do not directly represent personal entitiesΓÇötypical objects represented might be an office meeting room, or a factory floor. However, users may consider some entities to be personally identifiable, and at their discretion may maintain their own asset or inventory tracking methods that tie digital twins to individuals. Azure Digital Twins manages and stores all data associated with digital twins as if it were personal data.

-Azure Digital Twins stores the [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) **object ID** of users with access to the environment. Azure Digital Twins in the Azure portal displays user email addresses, but these email addresses are not stored within Azure Digital Twins. They are dynamically looked up in Azure Active Directory, using the Azure Active Directory object ID.

-Azure Digital Twins administrators can use the Azure portal to delete data related to users. It is also possible to perform delete operations on individual digital twins using the Azure Digital Twins REST APIs. For more information about the APIs available, see [Azure Digital Twins REST APIs documentation](/rest/api/azure-digitaltwins/).

-## Links to additional documentation

-description: Tutorial to build an Azure Digital Twins scenario using the Azure CLI

-* the instance's **_host name_**

-* the **Azure subscription** that you used to create the instance.

-Models are similar to classes in object-oriented programming languages; they provide user-defined templates for [digital twins](concepts-twins-graph.md) to follow and instantiate later. They are written in a JSON-like language called **Digital Twins Definition Language (DTDL)**, and can define a twin's *properties*, *telemetry*, *relationships*, and *components*.

-After designing models, you need to upload them to your Azure Digital Twins instance. This configures your Azure Digital Twins service instance with your own custom domain vocabulary. Once you have uploaded the models, you can create twin instances that use them.

-1. To add models using Cloud Shell, you'll need to upload your model files to Cloud Shell's storage so the files will be available when you run the Cloud Shell command that uses them. To do this, select the "Upload/Download files" icon and choose "Upload".

-1. Verify the models were created with the [az dt model list](/cli/azure/dt/model#az_dt_model_list) command as shown below. This will print a list of all models that have been uploaded to the Azure Digital Twins instance with their full information.

-Re-run the `az dt model create` command to try re-uploading one of the same models you just uploaded, for a second time:

-As models cannot be overwritten, this will now return an error code of `ModelIdAlreadyExists`.

-To create a digital twin, you use the [az dt twin create](/cli/azure/dt/twin#az_dt_twin_create) command. You must reference the model that the twin is based on, and can optionally define initial values for any properties in the model. You do not have to pass any relationship information at this stage.

-1. Run this code in the Cloud Shell to create several twins, based on the Room model you updated earlier and another model, Floor. Recall that Room has three properties, so you can provide arguments with the initial values for these. (Initializing property values is optional in general, but they're needed for this tutorial.)

- Look for the room0, room1, floor0, and floor1 twins in the results. Here is an excerpt showing part of the result of this query.

-The types of relationships that you can create from one twin to another are defined within the [models](#model-a-physical-environment-with-dtdl) that you uploaded earlier. The [model definition for Floor](https://github.com/azure-Samples/digital-twins-samples/blob/master/AdtSampleApp/SampleClientApp/Models/Floor.json) specifies that floors can have a type of relationship called *contains*. This makes it possible to create a *contains*-type relationship from each Floor twin to the corresponding room that it contains.

-A main feature of Azure Digital Twins is the ability to [query](concepts-query-language.md) your twin graph easily and efficiently to answer questions about your environment. In the Azure CLI, this is done with the [az dt twin query](/cli/azure/dt/twin#az_dt_twin_query) command.

- This allows you to take stock of your environment at a glance, and make sure everything is represented as you want it to be within Azure Digital Twins. The result of this is an output containing each digital twin with its details. Here is an excerpt:

- You can restrict your query to twins of a certain type, to get more specific information about what's represented. The result of this shows room0 and room1, but does **not** show floor0 or floor1 (since they are floors, not rooms).

- You can query the graph based on properties to answer a variety of questions, including finding outliers in your environment that might need attention. Other comparison operators (*<*,*>*, *=*, or *!=*) are also supported. room1 shows up in the results here, because it has a temperature of 80.

-| **Amsterdam2** | [Interxion AMS8](https://www.interxion.com/Locations/amsterdam/schiphol/) | 1 | West Europe | 10G, 100G | BICS, British Telecom, CenturyLink Cloud Connect, Colt, DE-CIX, Equinix, euNetworks, GÉANT, Interxion, NOS, NTT Global DataCenters EMEA, Orange, Vodafone |

-To see sample device code that handles failovers in various programing languages, see [IoT high availability clients](https://github.com/iot-for-all/iot-central-high-availability-clients).

-The default *organization dashboard* is the page that loads when you first go to your application. As an administrator, you can create additional organization dashboards that are associated with a specific organization. An organization dashboard is only visible to users who have access to the organization the dashboard is associated with. Only users in a role that has [organization dashboard permissions](howto-manage-users-roles.md#customizing-the-app) can create, edit, and delete organization dashboards.

-All users can create their own *personal dashboards*. Users can switch between organization dashboards and personal dashboards.

-The following screenshot shows the dashboard in an application created from the **Custom Application** template. If you're in a role with the appropriate permissions, you can customize the default dashboard. To create a new dashboard, select **+ New dashboard** in the upper-left corner of the page:

-In the **Create dashboard** panel, give your dashboard a name and select either **Organization** or **Personal** as the dashboard type. If you're creating an organization dashboard, choose the [organization](howto-create-organizations.md) the dashboard is associated with. An organization dashboard and its tiles only show the devices that are visible to the organization and any of its sub-organizations.

-If you're an administrator, you can create a personal dashboard or an organization dashboard. Users see the organization dashboards associated with the organization they are assigned to. All users can create personal dashboards, that only they can see.

-Enter a title and select the type of dashboard you want to create. [Add tiles](#add-tiles) to customize your dashboard.

-The following screenshot shows the dashboard in an application created from the **Custom application** template. To customize the current dashboard, select **Edit**. To add a personal or organization dashboard, select **New dashboard**:

-After you select **Edit** or **New dashboard**, the dashboard is in *edit* mode. You can use the tools in the **Edit dashboard** panel to add tiles to the dashboard. You can customize and remove tiles on the dashboard itself. For example, to add a line chart tile to track telemetry values reported by one or more devices over time:

-

-1. To configure the tile, select its **gear** button. Enter a **Title** and select a **Device Group**. In the **Devices** list, select the devices to show on the tile.

- :::image type="content" source="media/howto-manage-dashboards/device-details.png" alt-text="Screenshot that shows adding a tile to a dashboard.":::

-1. After you finish adding and customizing tiles on the dashboard, select **Save**. Doing so takes you out of edit mode.

-* The **ruler** button on a tile lets you change the visualization. Visualizations include line chart, bar chart, pie chart, last known value (LKV), key performance indicator (KPI), heat map, and map.

-* The **gear** button lets you configure the visualization. For example, for a line chart you can choose to show the legend and axes and choose the time range to plot.

-| Markdown | Markdown tiles are clickable tiles that display a heading and description text formatted in Markdown. The URL can be a relative link to another page in the application or an absolute link to an external site.|

-| Image | Image tiles display a custom image and can be clickable. The URL can be a relative link to another page in the application or an absolute link to an external site.|

-| Label | Label tiles display custom text on a dashboard. You can choose the size of the text. Use a label tile to add relevant information to the dashboard, like descriptions, contact details, or Help.|

-| Count | Count tiles display the number of devices in a device group.|

-| Map (telemetry) | Map tiles display the location of one or more devices on a map. You can also display up to 100 points of a device's location history. For example, you can display a sampled route of where a device has been in the past week.|

-| Map (property) | Map tiles display the location of one or more devices on a map.|

-| KPI | KPI tiles display aggregate telemetry values for one or more devices over a time period. For example, you can use them to show the maximum temperature and pressure reached for one or more devices during the past hour.|

-| Line chart | Line chart tiles plot one or more aggregate telemetry values for one or more devices over a time period. For example, you can display a line chart to plot the average temperature and pressure of one or more devices during the past hour.|

-| Bar chart | Bar chart tiles plot one or more aggregate telemetry values for one or more devices over a time period. For example, you can display a bar chart to show the average temperature and pressure of one or more devices during the past hour.|

-| Pie chart | Pie chart tiles display one or more aggregate telemetry values for one or more devices over a time period.|

-| Heat map | Heat map tiles display information, represented in colors, about one or more devices.|

-| Last known value | Last known value tiles display the latest telemetry values for one or more devices. For example, you can use this tile to display the most recent temperature, pressure, and humidity values for one or more devices. |

-| Event history | Event history tiles display the events for a device over a time period. For example, you can use them to show all the valve open and valve close events for one or more devices during the past hour.|

-| Property | Property tiles display the current values for properties and cloud properties for one or more devices. For example, you can use this tile to display device properties like the manufacturer or firmware version. |

-| State chart | State chart tiles plot changes for one or more devices over a time period. For example, you can use this tile to display properties like the temperature changes for a device. |

-| Event chart | Event chart tiles display telemetry events for one or more devices over a time period. For example, you can use this tile to display properties like the temperature changes for a device. |

-| State history | State history tiles list and display status changes for state telemetry.|

-| External content | External content tiles allow you to load content from an external source. |

-By default, line charts show data over a range of time. The selected time range is split into 50 equally sized partitions. The device data is then aggregated per partition to give 50 data points over the selected time range. If you want to view raw data, you can change your selection to view the last 100 values. To change the time range or to select raw data visualization, use the **Display range** dropdown list in the **Configure chart** panel:

-For tiles that display aggregate values, select the **gear** button next to the telemetry type in the **Configure chart** panel to choose the aggregation. You can choose average, sum, maximum, minimum, or count.

-For numeric KPI, LKV, and property tiles, you can use conditional formatting to customize the color of the tile based on its value. To add conditional formatting, select **Configure** on the tile and then select the **Conditional formatting** button next to the value you want to customize:

-This feature is available on the KPI, LKV, and property tiles. It lets you adjust font size, choose decimal precision, abbreviate numeric values (for example, format 1,700 as 1.7K), or wrap string values on their tiles.

- 1. On the **Connect Virtual Hard Disk** page, select **Use an existing virtual hard disk**. Browse to the location for the **Kali-Linux-{version}-vmware-amd64.vmdk** file created in the previous step, and select **Next**.

-## Set up a nested VM with Metasploitable Image

- 1. Go to [https://github.com/Azure/azure-devtestlab/](https://github.com/Azure/azure-devtestlab/).

-The Azure cloud provides several types of pipeline, each with a different purpose. The following table lists the different pipelines and what they are used for:

-+ Data preparation including importing, validating and cleaning, munging and transformation, normalization, and staging

-+ Training configuration including parameterizing arguments, filepaths, and logging / reporting configurations

-+ Training and validating efficiently and repeatedly. Efficiency might come from specifying specific data subsets, different hardware compute resources, distributed processing, and progress monitoring

-+ Deployment, including versioning, scaling, provisioning, and access control

-Independent steps allow multiple data scientists to work on the same pipeline at the same time without over-taxing compute resources. Separate steps also make it easy to use different compute types/sizes for each step.

-After the pipeline is designed, there is often more fine-tuning around the training loop of the pipeline. When you rerun a pipeline, the run jumps to the steps that need to be rerun, such as an updated training script. Steps that do not need to be rerun are skipped.

-With pipelines, you may choose to use different hardware for different tasks. Azure coordinates the various [compute targets](concept-azure-machine-learning-architecture.md) you use, so your intermediate data seamlessly flows to downstream compute targets.

-You can [track the metrics for your pipeline experiments](./how-to-log-view-metrics.md) directly in Azure portal or your [workspace landing page (preview)](https://ml.azure.com). After a pipeline has been published, you can configure a REST endpoint, which allows you to rerun the pipeline from any platform or stack.

-In short, all of the complex tasks of the machine learning lifecycle can be helped with pipelines. Other Azure pipeline technologies have their own strengths. [Azure Data Factory pipelines](../data-factory/concepts-pipelines-activities.md) excels at working with data and [Azure Pipelines](https://azure.microsoft.com/services/devops/pipelines/) is the right tool for continuous integration and deployment. But if your focus is machine learning, Azure Machine Learning pipelines are likely to be the best choice for your workflow needs.

-Many programming ecosystems have tools that orchestrate resource, library, or compilation dependencies. Generally, these tools use file timestamps to calculate dependencies. When a file is changed, only it and its dependents are updated (downloaded, recompiled, or packaged). Azure Machine Learning pipelines extend this concept. Like traditional build tools, pipelines calculate dependencies between steps and only perform the necessary recalculations.

-The dependency analysis in Azure Machine Learning pipelines is more sophisticated than simple timestamps though. Every step may run in a different hardware and software environment. Data preparation might be a time-consuming process but not need to run on hardware with powerful GPUs, certain steps might require OS-specific software, you might want to use [distributed training](how-to-train-distributed-gpu.md), and so forth.

-Azure Machine Learning automatically orchestrates all of the dependencies between pipeline steps. This orchestration might include spinning up and down Docker images, attaching and detaching compute resources, and moving data between the steps in a consistent and automatic manner.

-## Building pipelines with the Python SDK

-In the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/install), a pipeline is a Python object defined in the `azureml.pipeline.core` module. A [Pipeline](/python/api/azureml-pipeline-core/azureml.pipeline.core.pipeline%28class%29) object contains an ordered sequence of one or more [PipelineStep](/python/api/azureml-pipeline-core/azureml.pipeline.core.builder.pipelinestep) objects. The `PipelineStep` class is abstract and the actual steps will be of subclasses such as [EstimatorStep](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.estimatorstep), [PythonScriptStep](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.pythonscriptstep), or [DataTransferStep](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.datatransferstep). The [ModuleStep](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.modulestep) class holds a reusable sequence of steps that can be shared among pipelines. A `Pipeline` runs as part of an `Experiment`.

-An Azure machine learning pipeline is associated with an Azure Machine Learning workspace and a pipeline step is associated with a compute target available within that workspace. For more information, see [Create and manage Azure Machine Learning workspaces in the Azure portal](./how-to-manage-workspace.md) or [What are compute targets in Azure Machine Learning?](./concept-compute-target.md).

-### A simple Python Pipeline

-This snippet shows the objects and calls needed to create and run a `Pipeline`:

-```python

-ws = Workspace.from_config()

-blob_store = Datastore(ws, "workspaceblobstore")

-compute_target = ws.compute_targets["STANDARD_NC6"]

-experiment = Experiment(ws, 'MyExperiment')

-input_data = Dataset.File.from_files(

- DataPath(datastore, '20newsgroups/20news.pkl'))

-prepped_data_path = OutputFileDatasetConfig(name="output_path")

-dataprep_step = PythonScriptStep(

- name="prep_data",

- script_name="dataprep.py",

- source_directory="prep_src",

- compute_target=compute_target,

- arguments=["--prepped_data_path", prepped_data_path],

- inputs=[input_dataset.as_named_input('raw_data').as_mount() ]

- )

-prepped_data = prepped_data_path.read_delimited_files()

-train_step = PythonScriptStep(

- name="train",

- script_name="train.py",

- compute_target=compute_target,

- arguments=["--prepped_data", prepped_data],

- source_directory="train_src"

-)

-steps = [ dataprep_step, train_step ]

-pipeline = Pipeline(workspace=ws, steps=steps)

-pipeline_run = experiment.submit(pipeline)

-pipeline_run.wait_for_completion()

-```

-The snippet starts with common Azure Machine Learning objects, a `Workspace`, a `Datastore`, a [ComputeTarget](/python/api/azureml-core/azureml.core.computetarget), and an `Experiment`. Then, the code creates the objects to hold `input_data` and `prepped_data_path`. The `input_data` is an instance of [FileDataset](/python/api/azureml-core/azureml.data.filedataset) and the `prepped_data_path` is an instance of [OutputFileDatasetConfig](/python/api/azureml-core/azureml.data.output_dataset_config.outputfiledatasetconfig). For `OutputFileDatasetConfig` the default behavior is to copy the output to the `workspaceblobstore` datastore under the path `/dataset/{run-id}/{output-name}`, where `run-id` is the Run's ID and `output-name` is an autogenerated value if not specified by the developer.

-The data preparation code (not shown), writes delimited files to `prepped_data_path`. These outputs from the data preparation step are passed as `prepped_data` to the training step.

-The array `steps` holds the two `PythonScriptStep`s, `dataprep_step` and `train_step`. Azure Machine Learning will analyze the data dependency of `prepped_data` and run `dataprep_step` before `train_step`.

-Then, the code instantiates the `Pipeline` object itself, passing in the workspace and steps array. The call to `experiment.submit(pipeline)` begins the Azure ML pipeline run. The call to `wait_for_completion()` blocks until the pipeline is finished.

-To learn more about connecting your pipeline to your data, see the articles [Data access in Azure Machine Learning](concept-data.md) and [Moving data into and between ML pipeline steps (Python)](how-to-move-data-in-out-of-pipelines.md).

-## Building pipelines with the designer

-Developers who prefer a visual design surface can use the Azure Machine Learning designer to create pipelines. You can access this tool from the **Designer** selection on the homepage of your workspace. The designer allows you to drag and drop steps onto the design surface.

-When you visually design pipelines, the inputs and outputs of a step are displayed visibly. You can drag and drop data connections, allowing you to quickly understand and modify the dataflow of your pipeline.

-

-## Key advantages

-The key advantages of using pipelines for your machine learning workflows are:

-|Key advantage|Description|

-|:-:|--|

-|**Unattended&nbsp;runs**|Schedule steps to run in parallel or in sequence in a reliable and unattended manner. Data preparation and modeling can last days or weeks, and pipelines allow you to focus on other tasks while the process is running. |

-|**Heterogenous compute**|Use multiple pipelines that are reliably coordinated across heterogeneous and scalable compute resources and storage locations. Make efficient use of available compute resources by running individual pipeline steps on different compute targets, such as HDInsight, GPU Data Science VMs, and Databricks.|

-|**Reusability**|Create pipeline templates for specific scenarios, such as retraining and batch-scoring. Trigger published pipelines from external systems via simple REST calls.|

-|**Tracking and versioning**|Instead of manually tracking data and result paths as you iterate, use the pipelines SDK to explicitly name and version your data sources, inputs, and outputs. You can also manage scripts and data separately for increased productivity.|

-| **Modularity** | Separating areas of concerns and isolating changes allows software to evolve at a faster rate with higher quality. |

-|**Collaboration**|Pipelines allow data scientists to collaborate across all areas of the machine learning design process, while being able to concurrently work on pipeline steps.|

-Azure Machine Learning pipelines are a powerful facility that begins delivering value in the early development stages. The value increases as the team and project grows. This article has explained how pipelines are specified with the Azure Machine Learning Python SDK and orchestrated on Azure. You've seen some simple source code and been introduced to a few of the `PipelineStep` classes that are available. You should have a sense of when to use Azure Machine Learning pipelines and how Azure runs them.

-+ Learn how to [create your first pipeline](./how-to-create-machine-learning-pipelines.md).

-+ Learn how to [run batch predictions on large data](tutorial-pipeline-batch-scoring-classification.md ).

-# [Azure CLI](#tab/azure-cli)

-The Azure CLI [extension 1.0 for machine learning](reference-azure-machine-learning-cli.md) provides the [az ml workspace create](/cli/azure/ml/workspace#az_ml_workspace_create) command. The following parameters for this command can be used to create a workspace with a private network, but it requires an existing virtual network:

-# [Azure CLI](#tab/azure-cli)

-# [Azure CLI](#tab/azure-cli)

-# [Azure CLI](#tab/azure-cli)

-For more information on building pipelines with the SDK, see [What are Azure Machine Learning pipelines](concept-ml-pipelines.md#building-pipelines-with-the-python-sdk).

-**Description**: An environment for deep learning with Tensorflow containing the AzureML Python SDK and additional python packages.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign-in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Analyze** > **Usage**.

-1. Select the **Metered usage anomalies** tab.

- [](./media/anomaly-detection/metered-usage-anomalies.png#lightbox)<br>

- ***Figure 1: Metered usage anomalies tab***

-1. For any usage anomalies detected against metered billing, as a publisher you will be asked to investigate and confirm if the anomaly is true or not. Select **Mark as anomaly** to confirm the diagnosis.

- [](./media/anomaly-detection/mark-as-anomaly.png#lightbox)<br>

- ***Figure 2: Mark as an anomaly dialog box***

-1. If you believe that the overage usage anomaly we detected is not genuine, you can provide that feedback by selecting **Not an anomaly** for the Partner Center flagged anomaly on the particular overage usage.

- [](./media/anomaly-detection/why-is-it-not-an-anomaly.png#lightbox)

- ***Figure 3: Why is it not an anomaly? dialog box***

-1. You can scroll down the page to see an inventory list of unacknowledged anomalies. The list provides an inventory of anomalies that you have not acknowledged. You can choose to mark any of the Partner Center flagged anomalies as genuine or false.

- [](./media/anomaly-detection/unacknowledged-anomalies.png#lightbox)<br>

- ***Figure 4: Partner Center unacknowledged anomalies list***

- By default, flagged anomalies that have an estimated financial impact greater than 100 USD are shown in Partner Center. However, you can select **All** from the **Estimated financial impact of anomaly** list to see all flagged anomalies.

- :::image type="content" source="./media/anomaly-detection/all-anomalies.png" alt-text="Screenshot of all metered usage anomalies for the selected offer.":::

-1. You would also see an anomaly action log that shows the actions you took on the overage usages. In the action log, you will be able to see which overage usage events were marked as genuine or false.

- [](./media/anomaly-detection/anomaly-action-log.png#lightbox)<br>

- ***Figure 5: Anomaly action log***

-1. Partner Center analytics will not support restatement of overage usage events in the export reports. Partner Center lets you enter the corrected overage usage for an anomaly and the details are passed on to Microsoft teams for investigation. Based on the investigation, Microsoft will issue credit refunds to the overcharged customer, as appropriate. When you select any of the flagged anomalies, you can select **Mark as anomaly** to mark the usage overage anomaly as genuine.

- [](./media/anomaly-detection/new-reported-usage.png#lightbox)<br>

- ***Figure: 6: Mark as anomaly dialog box***

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Overview**.

-1. On the Overview page, select **+ New offer** > **Azure Application**.

- 

-1. In the **New offer** dialog box, enter an **Offer ID**. This is a unique identifier for each offer in your account. This ID is visible in the URL of the commercial marketplace listing and Azure Resource Manager templates, if applicable. For example, if you enter test-offer-1 in this box, the offer web address will be `https://azuremarketplace.microsoft.com/marketplace/../test-offer-1`.

- * Each offer in your account must have a unique offer ID.

- * Use only lowercase letters and numbers. It can include hyphens and underscores, but no spaces, and is limited to 50 characters.

- * The Offer ID can't be changed after you select **Create**.

-1. Enter an **Offer alias**. This is the name used for the offer in Partner Center.

- * This name is only visible in Partner Center and itΓÇÖs different from the offer name and other values shown to customers.

- * The Offer alias can't be changed after you select **Create**.

-1. To generate the offer and continue, select **Create**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to the commercial marketplace in [Partner Center](https://partner.microsoft.com/dashboard/commercial-marketplace/overview).

-1. On the **Overview** page, select the offer you want to publish.

-1. In the upper-right corner of the portal, select **Review and publish**.

-1. Make sure that the **Status** column for each page says **Complete**. The three possible statuses are as follows:

- - **Not started** ΓÇô The page is incomplete.

- - **Incomplete** ΓÇô The page is missing required information or has errors that need to be fixed. You'll need to go back to the page and update it.

- - **Complete** ΓÇô The page is complete. All required data has been provided and there are no errors.

-1. If any of the pages have a status other than **Complete**, select the page name, correct the issue, save the page, and then select **Review and publish** again to return to this page.

-1. After all the pages are complete, in the **Notes for certification** box, provide testing instructions to the certification team to ensure that your app is tested correctly. Provide any supplementary notes helpful for understanding your app.

-1. To start the publishing process for your offer, select **Publish**. The **Offer overview** page appears and shows the offer's **Publish status**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Overview**.

-1. In the **Offers** section, select the offer you want to see.

-1. On the **Offer overview** page, in the **Marketplace programs** section the **Microsoft Azure consumption commitment** status will show either _Enrolled_ or _Not Enrolled_.

- :::image type="content" source="media/azure-benefit/enrolled.png" alt-text="Screenshot of the Offer overview page in Partner Center that shows the Microsoft Azure Consumption Commitment status.":::

- ***Figure 1: Offer that is enrolled in the MACC program***

-> [!NOTE]

-> MACC program status for offers published to Azure Marketplace is updated weekly on Mondays. This means that if you publish an offer that meets the eligibility requirements for the MACC program, the status in Partner Center will not show the Enrolled status until the following Monday.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-2. In the left-nav menu, select **Commercial Marketplace** > **Overview**.

-3. On the Overview page, select **+ New offer** > **Azure Container**.

- :::image type="content" source="media/azure-container/new-offer-azure-container.png" alt-text="The left pane menu options and the 'New offer' button.":::

-> [!IMPORTANT]

-> After an offer is published, any edits you make to it in Partner Center appear on Azure Marketplace only after you republish the offer. Be sure to always republish an offer after changing it.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-2. On the left pane, select **Commercial Marketplace** > **Overview**.

-3. On the **Overview** page, select **+ New offer** > **Azure Virtual Machine**.

- 

-> [!NOTE]

-> After an offer is published, any edits you make to it in Partner Center appear on Azure Marketplace only after you republish the offer. Be sure to always republish an offer after making changes to it.

-Enter an **Offer ID**. This is a unique identifier for each offer in your account.

-Enter an **Offer alias**. The offer alias is the name that's used for the offer in Partner Center.

-Select **Create** to generate the offer and continue. Partner Center opens the **Offer setup** page.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Overview**.

- > [!TIP]

- > If you donΓÇÖt see **Commercial Marketplace** in the left-navigation, [create a commercial marketplace account in Partner Center](create-account.md) and make sure your account is enrolled in the commercial marketplace program.

-1. On the **Overview** tab, select the offer you want to co-sell.

- > [!NOTE]

- > You can configure co-sell for a new offer thatΓÇÖs not yet published or with an offer thatΓÇÖs already published.

-1. In the menu on the left, select **Co-sell with Microsoft**.

- [](./media/co-sell/co-sell-with-microsoft-tab.png#lightbox)

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-If you do not have an offer already in the commercial marketplace to merge a solution in OCP GTM with you will first need to create AND PUBLISH an offer in the commercial marketplace (this will retain its co-sell status, incentives, and referral pipeline.)

-1. Create a draft offer in commercial marketplace

- 1. Select **+ New Offer**

- :::image type="content" source="media/co-sell-migrate/new-offer.png" alt-text="New Offer display":::

- 2. Complete the required information in each tab.

- ΓÇó The **Learn more** links and tooltips will guide you through the requirements and details.

- ΓÇó Optionally, complete the **Resell through CSPs** page (in the left-nav menu below) to resell through the Cloud Solution Provider (CSP) program.

- :::image type="content" source="media/co-sell-migrate/offer-setup-nav.png" alt-text="Displays the Offer Setup page with overview options highlighted.":::

- 3. Select **Save Draft**.

- - For detailed instructions on the information you need to provide before your offer can be published, read the appropriate [publishing guide](./publisher-guide-by-offer-type.md).

- - Review the eligibility requirements in the corresponding article for your offer type to finalize the selection and configuration of your offer.

- - Review the publishing patterns for each online store for examples on how your solution maps to an offer type and configuration.

- - [Offer listing best practices - Microsoft commercial marketplace | Microsoft Docs](./gtm-offer-listing-best-practices.md)

- > [!TIP]

- > We recommend that you *do not fill out* the data in the **Co-sell with Microsoft** tab. To save you time we will take care of populating this data for you with your existing collateral in OCP GTM during the merge process.

- After the merge is complete you can return to the Co-sell with Microsoft tab and make updates if needed. For more information, see [Configure co-sell for a commercial marketplace offer](./co-sell-configure.md).

-1. When complete, select **Review and publish**.

- :::image type="content" source="media/co-sell-migrate/co-sell-with-ms.png" alt-text="Co-Sell with Microsoft page is displayed with options highlighted":::

-1. After reviewing all submitted information, select **Publish** to submit your draft offer for certification review. [Learn more about the certification phase](./review-publish-offer.md).:::image type="content" source="media/co-sell-migrate/review-and-publish.png" alt-text="Displays the Review and Publish page.":::

-1. Track the status of your submission on the Overview tab.

- :::image type="content" source="media/co-sell-migrate/offer-overview-tab.png" alt-text="Dispalys overview tab":::

-1. We will notify you when our certification review is complete. If we provide actionable feedback, address it, then select **Publish** to initiate a recertification.

-1. Once your offer passes certification, preview the offer with the link provided and make any final adjustments you may want. When you're ready, select **Go live** (see button above) to publish your offer to relevant commercial marketplace storefront(s).

-1. **Continue to Scenario 2 below to complete the merge process.**

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Overview**.

-1. In the **Offer alias** column, select the offer you want. The co-sell status is shown in the Marketplace Programs section of the page.

- [](./media/co-sell/co-sell-status.png#lightbox)

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Overview**.

-1. On the Overview tab, select **+ New offer** > **Consulting service**.

- 

-1. In the **New offer** dialog box, enter an **Offer ID**. This ID is visible in the URL of the commercial marketplace listing. For example, if you enter test-offer-1 in this box, the offer web address will be `https://azuremarketplace.microsoft.com/marketplace/../test-offer-1`.

- * Each offer in your account must have a unique offer ID.

- * Use only lowercase letters and numbers. The offer ID can include hyphens and underscores, but no spaces, and is limited to 50 characters.

- * The offer ID can't be changed after you select **Create**.

-1. Enter an **Offer alias**. This is the name used for the offer in Partner Center. It isn't visible in the online stores and is different from the offer name shown to customers.

-1. To generate the offer and continue, select **Create**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Overview**.

-1. On the Overview tab, select **+ New offer** > **Managed Service**.

- :::image type="content" source="./media/new-offer-managed-service.png" alt-text="Illustrates the left-navigation menu.":::

-1. In the **New offer** dialog box, enter an **Offer ID**. This is a unique identifier for each offer in your account. This ID is visible in the URL of the commercial marketplace listing and Azure Resource Manager templates, if applicable. For example, if you enter test-offer-1 in this box, the offer web address will be `https://azuremarketplace.microsoft.com/marketplace/../test-offer-1`.

- - Each offer in your account must have a unique offer ID.

- - Use only lowercase letters and numbers. It can include hyphens and underscores, but no spaces, and is limited to 50 characters.

- - The Offer ID can't be changed after you select **Create**.

-1. Enter an **Offer alias**. This is the name used for the offer in Partner Center. It isn't visible in the online stores and is different from the offer name shown to customers.

-1. To generate the offer and continue, select **Create**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Overview**.

-1. On the **Overview** tab, select **+ New offer** > **Software as a Service**.

- :::image type="content" source="./media/new-offer-saas.png" alt-text="Illustrates the left-navigation menu and the New offer list.":::

-1. In the **New offer** dialog box, enter an **Offer ID**. This ID is visible in the URL of the commercial marketplace listing and Azure Resource Manager templates, if applicable. For example, if you enter **test-offer-1** in this box, the offer web address will be `https://azuremarketplace.microsoft.com/marketplace/../test-offer-1`.

- + Each offer in your account must have a unique offer ID.

- + Use only lowercase letters and numbers. It can include hyphens and underscores, but no spaces, and is limited to 50 characters.

- + The offer ID can't be changed after you select **Create**.

-1. Enter an **Offer alias**. This is the name used for the offer in Partner Center.

- + This name isn't visible in the commercial marketplace and itΓÇÖs different from the offer name and other values shown to customers.

- + The offer alias can't be changed after you select **Create**.

-1. To generate the offer and continue, select **Create**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-nav, select **Commercial Marketplace** > **Analyze** > **Customers**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-You can find a month range selection at the top-right corner of each page. Customize the output of the **Customers** page graphs by selecting a month range based on the past 6, or 12 months, or by selecting a custom month range with a maximum duration of 12 months. The default month range (computation period) is six months.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-nav, select **Commercial Marketplace** > **Analyze** > **Downloads**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-[](media/downloads-dashboard/download-reports.png#lightbox)

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-nav menu, select **Commercial Marketplace** > **Overview**.

-1. On the Overview page, select **+ New offer** > **Dynamics 365 Business central**.

- :::image type="content" source="media/dynamics-365/new-offer-dynamics-365-business-central.png" alt-text="The left pane menu options and the 'New offer' button.":::

-> [!IMPORTANT]

-> After an offer is published, any edits you make to it in Partner Center appear on Microsoft AppSource only after you republish the offer. Be sure to always republish an offer after changing it.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-2. In the left-nav menu, select **Commercial Marketplace** > **Overview**.

-3. On the Overview page, select **+ New offer** > **Dynamics 365 apps on Dataverse and Power Apps**.

- :::image type="content" source="media/dynamics-365/new-offer-dynamics-365-customer-engagement.png" alt-text="Shows the left pane menu options and the 'New offer' button with Customer Engagement select.":::

-> [!IMPORTANT]

-> After an offer is published, any edits you make to it in Partner Center appear on Microsoft AppSource only after you republish the offer. Be sure to always republish an offer after changing it.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. In the **Plan name** box, the name you provided earlier for this plan appears here. You can change it at any time. This name will appear in the commercial marketplace as the title of your offer's software plan.

-1. In the **Plan description** box, explain what makes this software plan unique and any differences from other plans within your offer. This description may contain up to 500 characters.

-1. Select **Save draft**, and then in the top-left, select **Plan overview**.

- :::image type="content" source="./media/third-party-license/bronze-plan.png" alt-text="Screenshot shows the Plan overview link on the Plan listing page of an offer in Partner Center.":::

-1. To create another plan for this offer, at the top of the **Plan overview** page, select **+ Create new plan**. Then repeat the steps in the [Create a plan](#create-a-plan) section. Otherwise, if you're done creating plans, go to the next section: Copy the Service IDs.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

- :::image type="content" source="./media/third-party-license/service-id.png" alt-text="Screenshot of the Plan overview page. The service ID for the plan is highlighted.":::

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-nav menu, select **Commercial Marketplace** > **Overview**.

-1. On the Overview page, select **+ New offer** > **Dynamics 365 Operations Apps**.

- :::image type="content" source="media/dynamics-365/new-offer-dynamics-365-operations.png" alt-text="The left pane menu options and the 'New offer' button.":::

-> [!IMPORTANT]

-> After an offer is published, any edits you make to it in Partner Center appear on Microsoft AppSource only after you republish the offer. Be sure to always republish an offer after changing it.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Record a video and upload the address to the hosting site of your choice. Follow these guidelines:

- - Viewable by the Microsoft certification team.

- - Less than 20 minutes long.

- - Includes up to three core functionality highlights of your solution in the Dynamics 365 environment.

- > [!NOTE]

- > It is acceptable to use an existing marketing video if it meets the guidelines.

-2. Take the following screenshots of the [LCS](https://lcs.dynamics.com/) environment that match the offer or solution you want to publish. They must be clear enough for the certification team to read the text. Save the screenshots as JPG files.

- 1. Go to **LCS** > **Business Process Modeler** > **Project library**. Take screenshots of all the Process steps. Include the **Diagrams** and **Reviewed** columns, as shown here:

- :::image type="content" source="media/dynamics-365-operations/project-library.png" alt-text="Shows the project library window.":::

- 2. Go to **LCS** > **Solution Management** > **Test Solution Package**. Take screenshots that include the package overview and contents shown in these examples:

- | Field | Image |

- | | |

- | Package overview | [](media/dynamics-365-operations/package-overview.png#lightbox) |

- | <ul><li>Solution approvers</li></ul> | [](media/dynamics-365-operations/solution-approvers.png#lightbox) |

- | Package contents<ul><li>Model</li><li>Software deployable package</li></ul> | [](media/dynamics-365-operations/package-contents-1.png#lightbox) |

- | <ul><li>GER configuration</li><li>Database backup</li></ul><br>Artifacts are not required in the **GER configuration** section. | [](media/dynamics-365-operations/package-contents-2.png#lightbox) |

- | <ul><li>Power BI report model</li><li>BPM artifact</li></ul><br>Artifacts are not required in the **Power BI** section. | [](media/dynamics-365-operations/package-contents-3.png#lightbox) |

- | <ul><li>Process data package</li><li>Solution license agreement and privacy policy</li></ul><br>The **GER configuration** and **Power BI report model** sections are optional to include for operations offers. | [](media/dynamics-365-operations/package-contents-4.png#lightbox) |

- To learn more about each section of the LCS portal, see the [LCS User Guide](/dynamics365/fin-ops-core/dev-itpro/lifecycle-services/lcs-user-guide).

-3. Upload to Partner Center.

- 1. Create a text document that includes the demo video address and screenshots, or save the screenshots as separate JPG files.

- 2. Add the text and images to a .zip file in [Partner Center](https://go.microsoft.com/fwlink/?linkid=2165290) on the offer's **Supplemental content** tab.

- [](media/dynamics-365-operations/supplemental-content.png#lightbox)

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Return to [Partner Center](https://go.microsoft.com/fwlink/?linkid=2166002).

-1. Select the **Overview** tab in the left-nav menu bar.

-1. Select the offer.

-1. Select **Review and publish**.

-1. Select **Go live** to make your offer publicly available.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-nav, select **Commercial Marketplace** > **Analyze** > **Marketplace insights**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-You can find a month range selection at the top-right corner of each page. Customize the output of the **Marketplace Insights** page graphs by selecting a month range based on the past 6, or 12 months, or by selecting a custom month range with a maximum duration of 12 months. The default month range (computation period) is six months.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-2. In the left-nav menu, select **Commercial Marketplace** > **Overview**.

-3. On the Overview page, select **+ New offer** > **IoT Edge module**.

- :::image type="content" source="media/iot-edge/new-offer-iot-edge.png" alt-text="The left pane menu options and the 'New offer' button.":::

-> [!IMPORTANT]

-> After an offer is published, any edits you make to it in Partner Center appear on Azure Marketplace only after you republish the offer. Be sure to always republish an offer after changing it.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-To check license usage of ISV apps in Partner Center, do the following:

-1. Sign in to [Partner Center](https://go.microsoft.com/fwlink/?linkid=2165507).

-1. In the left-navigation menu, select **Commercial Marketplace** > **Analyze** > **License**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-If you have not already done so, you (or your organization's administrator) should access the [account settings](https://go.microsoft.com/fwlink/?linkid=2165291) for your Partner Center account.

-1. Sign in to the [commercial marketplace dashboard](https://go.microsoft.com/fwlink/?linkid=2165290) in Partner Center with the account you want to access. If youΓÇÖre part of multiple accounts and have signed in with a different, you can [switch accounts](switch-accounts.md).

-1. In the top-right, select **Settings** (gear icon), and then select **Account settings**.

- :::image type="content" source="media/manage-accounts/settings-account.png" alt-text="Screenshot showing the Account Settings option in Partner Center.":::

-1. Under **Account settings**, select **Legal**, then the **Developer** tab to view details related to your commercial marketplace account.

- :::image type="content" source="media/manage-accounts/developer-tab.png" alt-text="Screenshot showing the Developer tab." lightbox="media/manage-accounts/developer-tab.png":::

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Go to the [commercial marketplace overview](https://partner.microsoft.com/dashboard/commercial-marketplace/overview) page in Partner Center.

-1. In the **Profile** section, next to **Payout Profile**, select **Update**.

- > [!NOTE]

- > In you don't see the **Payout and tax** section in the left menu, contact your global admin or account admin for permissions.

-1. For more information about setting up your payout profile, see [Set up your payout account and tax forms](/partner-center/set-up-your-payout-account).

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home) with your work account.

-1. In the menu on the upper-right of the page, select the **Support** icon. The **Help and support** pane appears on the right side of the page.

-1. For help with the commercial marketplace, select **Commercial Marketplace**.

- 

-1. In the **Problem summary** box, enter **commercial marketplace > metered billing**.

-1. In the **Problem type** box, select one of the following:

- - **Commercial Marketplace > Metered Billing > Wrong usage sent for Azure Applications offer**

- - **Commercial Marketplace > Metered Billing > Wrong usage sent for SaaS offer**

-1. Under **Next step**, select **Review solutions**.

-1. Review the recommended documents, if any or select **Provide issue details** to submit a support ticket.

-For more publisher support options, see [Support for the commercial marketplace program in Partner Center](../support.md).

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the [Commercial Marketplace dashboard](https://partner.microsoft.com/dashboard/commercial-marketplace/overview) in Partner Center, expand the **[Analyze](https://partner.microsoft.com/dashboard/commercial-marketplace/analytics/summary)** section and select **Revenue**.

- :::image type="content" source="./media/revenue-dashboard/revenue-dashboard-nav.png" alt-text="Illustrates the Revenue dashboard link in the left nav of the Partner Center Home page.":::

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-nav, select **Commercial Marketplace** > **Analyze** > **Summary**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-You can find a month range selection at the top-right corner of each page. Customize the output of the **Summary** page graphs by selecting a month range based on the past 3, 6, or 12 months, or by selecting a custom month range with a maximum duration of 12 months. The default month range (computation period) is six months.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in with your work account. If you have not yet done so, you will need to [create a Partner Center account](create-account.md).

-1. In the menu on the upper-right of the page, select the **Support** icon. The **Help and support** pane appears on the right side of the page.

-1. For help with the commercial marketplace, select **Commercial Marketplace**.

- 

-1. In the **Problem summary** box, enter a brief description of the issue.

-1. In the **Problem type** box, do one of the following:

- - **Option 1**: Enter keywords such as: Marketplace, Azure app, SaaS offer, account management, lead management, deployment issue, payout, or co-sell offer migration. Then select a problem type from the recommended list that appears.

- - **Option 2**: Select **Browse topics** from the **Category** list and then select **Commercial Marketplace**. Then select the appropriate **Topic** and **Subtopic**.

-1. After you have found the topic of your choice, select **Review Solutions**.

- 

-The following options are shown:

- 

-If you cannot find your answer in the self help, select **Provide issue details**. Complete all required fields to speed up the resolution process, then select **Submit**.

->[!Note]

->If you have not signed in to Partner Center, you may be required to sign in before you can create a ticket.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-To review your open and closed tickets, in the left-navigation menu, select **Commercial Marketplace** > **Support**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-You can check to see if you are part of multiple accounts by the presence of the *account picker* in the left navigation menu, as seen highlighted in the following screenshot.

-[  ](./media/manage-accounts/account-picker.png#lightbox)

-If you don't see the *account picker*, you are part of one account only. You can find the details of this account on the **Account settings** > **Organization profile** > **Legal** > **Developer** tab in Partner Center.

-When you select this picker, all the accounts that you are a part of appear as a list. You can then select any of them to switch to that account. After you switch, everything in Partner Center appears in the context of that account.

-> [!NOTE]

-> Partner Center uses [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) for multi-user account access and management. Your organization's Azure AD is automatically associated with your Partner Center account as part of the enrollment process.

-In the following example, the signed-in user is part of the three highlighted accounts. The user can switch between them by clicking on an account.

-[  ](./media/manage-accounts/account-picker-two.png#lightbox)

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/commercial-marketplace/overview).

-2. If you can't access the above link, you need to submit a request [here](https://appsource.microsoft.com/partners/list-an-app) to publish your application. Once we review the request, you will be granted access to start the publish process.

-3. Find an existing **Dynamics 365 apps on Dataverse and Power Apps** offer or create a new **Dynamics 365 apps on Dataverse and Power Apps** offer.

-4. Select the **Enable a test drive** check box and select a **Type of test drive** (see bullet below), then select **Save**.

- [](media/test-drive/enable-test-drive-check-box.png#lightbox)

- - **Type of test drive** ΓÇô Choose **Dynamics 365 apps on Dataverse and Power Apps**. This indicates that Microsoft will host and maintain the service that performs the test drive user provisioning and deprovisioning.

-5. Grant Microsoft AppSource permission to provision and deprovision test drive users in your tenant using [these instructions](./test-drive-azure-subscription-setup.md). In this step, you will generate the **Azure AD App ID** and **Azure AD App Key** values mentioned below.

-6. Complete these fields on the **Test drive technical configuration** page.

- [](media/test-drive/technical-config-details.png#lightbox)

- - **Max concurrent test drives** ΓÇô The number of concurrent users that can have an active test drive running at the same time. Each user will consume a Dynamics license while their test drive is active, so ensure you have at least this many Dynamics licenses available for test drive users. We recommended 3 to 5.

- - **Test drive duration** ΓÇô The number of hours the user's test drive will be active. After the time has expired, the user will be deprovisioned from your tenant. We recommended 2-24 hours depending on the complexity of your app. The user can always request another test drive if they run out of time and want to access the test drive again.

- - **Instance URL**

- - *Customer Engagement* ΓÇô The URL the test drive user will be sent to when they start the test drive. This is typically the URL of your Dynamics 365 instance on which your app and sample data is installed. Example value: `https://testdrive.crm.dynamics.com`.

- - *Canvas App (Power Apps)*

- 1. Open the **PowerApps portal** page and sign in.

- 2. Select **Apps** and then the ellipses at the app.

- 4. Select **Details**.

- 5. Copy the **Web link** from the **Details** tab:

- [  ](./media/test-drive/testdrive-canvas-app.png#lightbox)

- - **Instance web API URL**

- - *Customer Engagement* ΓÇô The Web API URL for your Dynamics 365 Instance. Retrieve this value by signing into your Microsoft Dynamics 365 instance, selecting **Setting** > **Customization** > **Developer Resources** > **Instance Web API**, and copying the address (URL). Example value:

- :::image type="content" source="./media/test-drive/sample-web-api-url.png" alt-text="An example of Instance Web API.":::

- - *Canvas App (Power Apps)* ΓÇô If you are not using CE/Dataverse as a backend to your Canvas App, use `https://localhost` as a placeholder.

- - **Role name**

- - *Customer Engagement* ΓÇô The name of the custom Dynamics 365 security role you created for test drive or you can use an existing role. A new role should have minimum required privileges added to the role to sign into a Customer Engagement instance. Refer to [Minimum privileges required to sign into Microsoft Dynamics 365](https://community.dynamics.com/crm/b/crminogic/archive/2016/11/24/minimum-privileges-required-to-login-microsoft-dynamics-365). This is the role that will be assigned to users during their test drive. Example value: `testdriverole`.

- - *Canvas App (Power Apps)* ΓÇô Use "NA" when not using CE/Dataverse as the backend data source.

-

- > [!IMPORTANT]

- > Ensure the security group check is not added. This allows the user to be synced to the Customer Engagement instance.

- - **Azure Active Directory tenant ID** ΓÇô The ID of the Azure tenant for your Dynamics 365 instance. To retrieve this value, sign in to Azure portal and navigate to **Azure Active Directory** > **Properties** and copy the directory ID. Example value: 172f988bf-86f1-41af-91ab-2d7cd01112341.

- - **Azure Active Directory tenant name** ΓÇô The name of the Azure Tenant for your Dynamics 365 Instance. Use the format `<tenantname>.onmicrosoft.com`. Example Value: `testdrive.onmicrosoft.com`.

- - **Azure Active Directory application ID** ΓÇô The ID of the Azure Active Directory (AD) app you created in Step 5. Example value: `53852862-a2ae-4e43-9461-faa49650a096`.

- - **Azure Active Directory application client secret** ΓÇô Secret for the Azure AD app created in Step 5. Example value: `IJUgaIOfq9b9LbUjeQmzNBW4VGn6grr1l/n3aMrnfdk=`.

-7. Provide the marketplace listing details. Select **Language** to see further required fields.

- [  ](./media/test-drive/marketplace-listing-details-workspaces.png#lightbox)

- - **Description** ΓÇô An overview of your test drive. This text will be shown to the user while the test drive is being provisioned. This field supports HTML if you want to provide formatted content (required).

- - **User manual** ΓÇô A PDF user manual that helps test drive users understand how to use your app (required).

- - **Test drive demo video** ΓÇô A video that showcases your app (optional).

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://go.microsoft.com/fwlink/?linkid=2165507).

-2. If you can't access the above link, you need to submit a request [here](https://appsource.microsoft.com/partners/list-an-app) to publish your application. Once we review the request, you will be granted access to start the publish process.

-3. Find an existing **Dynamics 365 Operations Apps** offer or create a new **Dynamics 365 Operations Apps** offer.

-4. Select the **Enable a test drive** check box and select a **Type of test drive** (see bullet below), then select **Save draft**.

- [](media/test-drive/enable-test-drive-check-box-operations.png#lightbox)

- - **Type of test drive** ΓÇô Choose **Dynamics 365 Operations Apps** option. This means Microsoft will host and maintain the service that performs the test drive user provisioning and deprovisioning.

-5. Grant Microsoft AppSource permission to provision and deprovision test drive users in your tenant using [these instructions](https://github.com/Microsoft/AppSource/blob/master/Microsoft%20Hosted%20Test%20Drive/Setup-your-Azure-subscription-for-Dynamics365-Microsoft-Hosted-Test-Drives.md). In this step, you will generate the **Azure AD App ID** and **Azure AD App Key** values mentioned below.

-6. Complete these fields on the **Test drive technical configuration** page.

- [](media/test-drive/technical-config-details.png#lightbox)

- - **Max concurrent test drives** ΓÇô The number of concurrent users that can have an active test drive running at the same time. Each user will consume a Dynamics license while their test drive is active, so ensure you have at least this many Dynamics licenses available for test drive users. We recommended 3 to 5.

- - **Test drive duration** ΓÇô The number of hours the user's test drive will be active. After the time has expired, the user will be deprovisioned from your tenant. We recommended 2-24 hours depending on the complexity of your app. The user can always request another test drive if they run out of time and want to access the test drive again.

- - **Instance URL** ΓÇô The URL the test drive user will be sent to when they start the test drive. This is typically the URL of your Dynamics 365 instance on which your app and sample data is installed. Example value: `https://testdrive.crm.dynamics.com`.

- - **Azure Active Directory tenant ID** ΓÇô The ID of the Azure tenant for your Dynamics 365 instance. To retrieve this value, sign in to Azure portal and navigate to **Azure Active Directory** > **Properties** and copy the directory ID. Example value: 172f988bf-86f1-41af-91ab-2d7cd01112341.

- - **Azure Active Directory tenant name** ΓÇô The name of the Azure Tenant for your Dynamics 365 Instance. Use the format `<tenantname>.onmicrosoft.com`. Example Value: `testdrive.onmicrosoft.com`.

- - **Azure Active Directory application ID** ΓÇô The ID of the Azure Active Directory (AD) app you created in Step 5. Example value: `53852862-a2ae-4e43-9461-faa49650a096`.

- - **Azure Active Directory application client secret** ΓÇô Secret for the Azure AD app created in Step 5. Example value: `IJUgaIOfq9b9LbUjeQmzNBW4VGn6grr1l/n3aMrnfdk=`.

- - **Trial Legal Entity** ΓÇô Provide a Legal Entity to assign a trial user. You can create a new one at [Create or modify a legal entity](/dynamicsax-2012/appuser-itpro/create-or-modify-a-legal-entity).

- - **Role name** ΓÇô The AOT name (Application Object Tree) of the custom Dynamics 365 security role you created for test drive. This is the role that will be assigned to users during their test drive.

- :::image type="content" source="./media/test-drive/security-config.png" alt-text="The security configuration page.":::

-7. Provide the marketplace listing details. Select **Language** to see further required fields.

- [](media/test-drive/marketplace-listing-details.png#lightbox)

- - **Description** ΓÇô An overview of your test drive. This text will be shown to the user while the test drive is being provisioned. This field supports HTML if you want to provide formatted content.

- - **User manual** ΓÇô A PDF user manual that helps test drive users understand how to use your app.

- - **Test drive demo video** ΓÇô A video that showcases your app (optional).

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to the commercial marketplace dashboard in [Partner Center](https://partner.microsoft.com/dashboard/commercial-marketplace/overview).

-1. On the **Overview** page, select the offer you want to publish.

-1. In the upper-right corner of the portal, select **Review and publish**.

-1. Make sure that the **Status** column for each page says **Complete**. The three possible statuses are as follows:

- - **Not started** ΓÇô The page is incomplete.

- - **Incomplete** ΓÇô The page is missing required information or has errors that need to be fixed. You'll need to go back to the page and update it.

- - **Complete** ΓÇô The page is complete. All required data has been provided and there are no errors.

-1. If any of the pages have a status other than **Complete**, select the page name, correct the issue, save the page, and then select **Review and publish** again to return to this page.

-1. After all the pages are complete, in the **Notes for certification** box, provide testing instructions to the certification team to ensure that your app is tested correctly. Provide any supplementary notes helpful for understanding your app.

-1. To start the publishing process for your offer, select **Publish**. The **Offer overview** page appears and shows the offer's **Publish status**.

-Your offer's publish status will change as it moves through the publication process. For detailed information on this process, see [Validation and publishing steps](review-publish-offer.md#validation-and-publishing-steps).

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/home).

-1. In the left-nav, select **Commercial Marketplace** > **Analyze** > **Usage**.

-#### [Workspaces view](#tab/workspaces-view)

-#### [Current view](#tab/current-view)

-You can find a month range selection at the top-right corner of each page. Customize the output of the **Usage** page graphs by selecting a month range based on the past 6 or 12 months, or by selecting a custom month range with a maximum duration of 12 months. The default month range (computation period) is six months.

-description: Provides an overview of the Azure Migrate appliance used in server discovery, assessment and migration.

-The appliance can be deployed using a couple of methods:

-**Data collection frequency** | Configuration metadata is collected and sent every 30 minutes. <br/><br/> Performance metadata is collected every 20 seconds and is aggregated to send a data point to Azure every 10 minutes. <br/><br/> Software inventory data is sent to Azure once every 12 hours. <br/><br/> Agentless dependency data is collected every 5 mins, aggregated on appliance and sent to Azure every 6 hours. <br/><br/> The SQL Server configuration data is updated once every 24 hours and the performance data is captured every 30 seconds. <br/><br/> The web apps configuration data is updated once every 24 hours. Performance data is not captured for web apps.| Configuration metadata is collected and sent every 30 mins. <br/><br/> Performance metadata is collected every 30 seconds and is aggregated to send a data point to Azure every 10 minutes.| Configuration metadata is collected and sent every 30 mins. <br/><br/> Performance metadata is collected every 5 minutes and is aggregated to send a data point to Azure every 10 minutes.

-* [Create regularly running tasks and workflows with Azure Logic Apps](../connectors/connectors-native-recurrence.md)

-# Rebuild an index in Azure Cognitive Search

-This article explains how to rebuild an Azure Cognitive Search index, the circumstances under which rebuilds are required, and recommendations for mitigating the impact of rebuilds on ongoing query requests.

-A *rebuild* refers to dropping and recreating the physical data structures associated with an index, including all field-based inverted indexes. In Azure Cognitive Search, you cannot drop and recreate individual fields. To rebuild an index, all field storage must be deleted, recreated based on an existing or revised index schema, and then repopulated with data pushed to the index or pulled from external sources.

-It's common to rebuild indexes during development when you are iterating over index design, but you might also need to rebuild a production-level index to accommodate structural changes, such as adding complex types or adding fields to suggesters.

-## "Rebuild" versus "refresh"

-Rebuild should not be confused with refreshing the contents of an index with new, modified, or deleted documents. Refreshing a search corpus is almost a given in every search app, with some scenarios requiring up-to-the-minute updates (for example, when a search corpus needs to reflect inventory changes in an online sales app).

-As long as you are not changing the structure of the index, you can refresh an index using the same techniques that you used to load the index initially:

-* For push-mode indexing, call [Add, Update or Delete Documents](/rest/api/searchservice/addupdate-or-delete-documents) to push the changes to an index.

-* For indexers, you can [schedule indexer execution](search-howto-schedule-indexers.md) and use change-tracking or timestamps to identify the delta. If updates must be reflected faster than what a scheduler can manage, you can use push-mode indexing instead.

-Drop and recreate an index if any of the following conditions are true.

-+ Set a **searchAnalyzer** on an existing field

-+ Add a new analyzer definition in an index

-Indexers can be invoked in three ways: on demand, on a schedule, or when the [indexer is created](/rest/api/searchservice/create-indexer), assuming it's not created in "disabled" mode.

-The new **IoT OT Threat Monitoring with Defender for IoT** solution available in the [Microsoft Sentinel content hub](sentinel-solutions-catalog.md#microsoft) provides further support for the Microsoft Sentinel integration with Microsoft Defender for IoT, bridging gaps between IT and OT security challenges, and empowering SOC teams with enhanced abilities to efficiently and effectively detect and respond to OT threats.

-Red Hat Enterprise Linux | 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6,[7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9](https://support.microsoft.com/help/4578241/), [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609/), [8.3](https://support.microsoft.com/help/4597409/), 8.4, 8.5

-ZRS | Supported | ZRS Managed disks are supported. If the source VM has one or more ZRS managed disks, Site Recovery ensures the target VM also has the same configuration of disks. If the source managed disks are of a different type, they cannot be converted to ZRS managed disks at target, and vice versa.

-Linux Red Hat Enterprise | 5.2 to 5.11</b><br/> 6.1 to 6.10</b> </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9 Beta version](https://support.microsoft.com/help/4578241/), [7.9](https://support.microsoft.com/help/4590304/) </br> [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), 8.4, 8.5 <br/> Few older kernels on servers running Red Hat Enterprise Linux 5.2-5.11 & 6.1-6.10 do not have [Linux Integration Services (LIS) components](https://www.microsoft.com/download/details.aspx?id=55106) pre-installed. If in-built LIS components are missing, ensure to install the [components](https://www.microsoft.com/download/details.aspx?id=55106) before enabling replication for the machines to boot in Azure.

-# Known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage (preview)

-SFTP support for Azure Blob Storage currently limits its cryptographic algorithm support in accordance to the Microsoft Security Development Lifecycle (SDL). We strongly recommend that customers utilize SDL approved algorithms to securely access their data. More details can be found [here](/security/sdl/cryptographic-recommendations)

-description: Learn how to enable SFTP support for your Azure Blob Storage account so that you can directly connect to your Azure Storage account by using an SFTP client.

-4. In the **Preview features** page, select the **SFTP support for Azure Blob Storage** feature, and then select **Register**.

-2. Locate the **SFTP support for Azure Blob Storage** feature and make sure that **Registered** appears in the **State** column.

-# SSH File Transfer Protocol (SFTP) support for Azure Blob Storage (preview)

-Now, with SFTP support for Azure Blob Storage, you can enable an SFTP endpoint for Blob Storage accounts with a single setting. Then you can set up local user identities for authentication to transfer data securely without the need to do any additional work.

-This article describes SFTP support for Azure Blob Storage. To learn how to enable SFTP for your storage account, see [Connect to Azure Blob Storage by using the SSH File Transfer Protocol (SFTP) (preview)](secure-file-transfer-protocol-support-how-to.md).

-| Standard general-purpose v1 | Blob, Queue, and Table storage, Azure Files | LRS/GRS/RA-GRS | Resource Manager, Classic | General-purpose v1 accounts may not have the latest features or the lowest per-gigabyte pricing. Consider using for these scenarios:<br /><ul><li>Your applications require the Azure [classic deployment model](../../azure-portal/supportability/classic-deployment-model-quota-increase-requests.md).</li><li>Your applications are transaction-intensive or use significant geo-replication bandwidth, but don't require large capacity. In this case, general-purpose v1 may be the most economical choice.</li><li>You use a version of the Azure Storage REST API that is earlier than 2014-02-14 or a client library with a version lower than 4.x, and you can't upgrade your application.</li></ul> |

-icacls <mounted-drive-letter>: /grant <user-email>:(f)

-Retrieve a list of tables in the storage account using [Get-AzStorageTable](/powershell/module/azure.storage/Get-AzureStorageTable).

-To perform operations on a table, you need a reference to the specific table. Get a reference using [Get-AzStorageTable](/powershell/module/azure.storage/Get-AzureStorageTable).

-The current attestation service is using Vitis 2020.2 from Xilinx, on Jan 10th 2022, weΓÇÖll be moving to Vitis 2021.1, the change should be transparent to most users. Once your designs are ΓÇ£attestedΓÇ¥ using Vitis 2021.1, you should be moving to XRT2021.1. Xilinx will publish new marketplace images based on XRT 2021.1.

-[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Coming soon<br>

-description: Learn how to create and configure a Linux VM to sign in using Azure Active Directory authentication.

-# Deprecated: Login to a Linux virtual machine in Azure with Azure Active Directory using device code flow authentication

-> [!CAUTION]

-> **The public preview feature described in this article was deprecated August 15, 2021.**

->

-> This feature is being replaced with the ability to use Azure AD based SSH using openSSH certificate-based authentication. This feature is now generally available! For more information see the article, [Login to a Linux virtual machine in Azure with Azure Active Directory using SSH certificate-based authentication](../../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md). To migrate from the old version to this version, see [Migration from previous preview](../../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md#migration-from-previous-preview)

-To improve the security of Linux virtual machines (VMs) in Azure, you can integrate with Azure Active Directory (AD) authentication. When you use Azure AD authentication for Linux VMs, you centrally control and enforce policies that allow or deny access to the VMs. This article shows you how to create and configure a Linux VM to use Azure AD authentication.

-There are many benefits of using Azure AD authentication to log in to Linux VMs in Azure, including:

- - You can use your corporate AD credentials to log in to Azure Linux VMs. There is no need to create local administrator accounts and manage credential lifetime.

- - By reducing your reliance on local administrator accounts, you do not need to worry about credential loss/theft, users configuring weak credentials etc.

- - The password complexity and password lifetime policies configured for your Azure AD directory help secure Linux VMs as well.

- - To further secure login to Azure virtual machines, you can configure multi-factor authentication.

- - The ability to log in to Linux VMs with Azure Active Directory also works for customers that use [Federation Services](../../active-directory/hybrid/how-to-connect-fed-whatis.md).

-## Supported Azure regions and Linux distributions

-The following Linux distributions are currently supported during the preview of this feature:

-| Distribution | Version |

-| | |

-| CentOS | CentOS 6, CentOS 7 |

-| Debian | Debian 9 |

-| openSUSE | openSUSE Leap 42.3 |

-| RedHat Enterprise Linux | RHEL 6, RHEL 7 |

-| SUSE Linux Enterprise Server | SLES 12 |

-| Ubuntu Server | Ubuntu 14.04 LTS, Ubuntu Server 16.04, and Ubuntu Server 18.04 |

-> [!IMPORTANT]

-> The preview is not supported in Azure Government or sovereign clouds.

->

-> It's not supported to use this extension on Azure Kubernetes Service (AKS) clusters. For more information, see [Support policies for AKS](../../aks/support-policies.md).

-If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version 2.0.31 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli).

-## Network requirements

-To enable Azure AD authentication for your Linux VMs in Azure, you need to ensure your VMs network configuration permits outbound access to the following endpoints over TCP port 443:

-* https:\//login.microsoftonline.com

-* https:\//login.windows.net

-* https:\//device.login.microsoftonline.com

-* https:\//pas.windows.net

-* https:\//management.azure.com

-* https:\//packages.microsoft.com

-> [!NOTE]

-> Currently, Azure network security groups can't be configured for VMs enabled with Azure AD authentication.

-## Create a Linux virtual machine

-Create a resource group with [az group create](/cli/azure/group#az_group_create), then create a VM with [az vm create](/cli/azure/vm#az_vm_create) using a supported distro and in a supported region. The following example deploys a VM named *myVM* that uses *Ubuntu 16.04 LTS* into a resource group named *myResourceGroup* in the *southcentralus* region. In the following examples, you can provide your own resource group and VM names as needed.

-```azurecli-interactive

-az group create --name myResourceGroup --location southcentralus

-az vm create \

- --resource-group myResourceGroup \

- --name myVM \

- --image UbuntuLTS \

- --admin-username azureuser \

- --generate-ssh-keys

-```

-It takes a few minutes to create the VM and supporting resources.

-## Install the Azure AD login VM extension

-> [!NOTE]

-> If deploying this extension to a previously created VM ensure the machine has at least 1GB of memory allocated else the extension will fail to install

-To log in to a Linux VM with Azure AD credentials, install the Azure Active Directory login VM extension. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. Use [az vm extension set](/cli/azure/vm/extension#az_vm_extension_set) to install the *AADLoginForLinux* extension on the VM named *myVM* in the *myResourceGroup* resource group:

-```azurecli-interactive

-az vm extension set \

- --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \

- --name AADLoginForLinux \

- --resource-group myResourceGroup \

- --vm-name myVM

-```

-The *provisioningState* of *Succeeded* is shown once the extension is successfully installed on the VM. The VM needs a running VM agent to install the extension. For more information, see [VM Agent Overview](../extensions/agent-windows.md).

-## Configure role assignments for the VM

-Azure role-based access control (Azure RBAC) policy determines who can log in to the VM. Two Azure roles are used to authorize VM login:

-> [!NOTE]

-> To allow a user to log in to the VM over SSH, you must assign either the *Virtual Machine Administrator Login* or *Virtual Machine User Login* role. The Virtual Machine Administrator Login and Virtual Machine User Login roles use dataActions and thus cannot be assigned at management group scope. Currently these roles can only be assigned at the subscription, resource group or resource scope. An Azure user with the *Owner* or *Contributor* roles assigned for a VM do not automatically have privileges to log in to the VM over SSH.

-The following example uses [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) to assign the *Virtual Machine Administrator Login* role to the VM for your current Azure user. The username of your active Azure account is obtained with [az account show](/cli/azure/account#az_account_show), and the *scope* is set to the VM created in a previous step with [az vm show](/cli/azure/vm#az_vm_show). The scope could also be assigned at a resource group or subscription level, and normal Azure RBAC inheritance permissions apply. For more information, see [Azure RBAC](../../role-based-access-control/overview.md)

-```azurecli-interactive

-username=$(az account show --query user.name --output tsv)

-vm=$(az vm show --resource-group myResourceGroup --name myVM --query id -o tsv)

-az role assignment create \

- --role "Virtual Machine Administrator Login" \

- --assignee $username \

- --scope $vm

-```

-> [!NOTE]

-> If your AAD domain and logon username domain do not match, you must specify the object ID of your user account with the *--assignee-object-id*, not just the username for *--assignee*. You can obtain the object ID for your user account with [az ad user list](/cli/azure/ad/user#az_ad_user_list).

-For more information on how to use Azure RBAC to manage access to your Azure subscription resources, see using the [Azure CLI](../../role-based-access-control/role-assignments-cli.md), [Azure portal](../../role-based-access-control/role-assignments-portal.md), or [Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md).

-## Using Conditional Access

-You can enforce Conditional Access policies such as multi-factor authentication or user sign-in risk check before authorizing access to Linux VMs in Azure that are enabled with Azure AD sign in. To apply Conditional Access policy, you must select "Microsoft Azure Linux Virtual Machine Sign-In" app from the cloud apps or actions assignment option and then use Sign-in risk as a condition and/or require multi-factor authentication as a grant access control.

-> [!WARNING]

-> Per-user Enabled/Enforced Azure AD Multi-Factor Authentication is not supported for VM sign-in.

-## Log in to the Linux virtual machine

-First, view the public IP address of your VM with [az vm show](/cli/azure/vm#az_vm_show):

-```azurecli-interactive

-az vm show --resource-group myResourceGroup --name myVM -d --query publicIps -o tsv

-```

-Log in to the Azure Linux virtual machine using your Azure AD credentials. The `-l` parameter lets you specify your own Azure AD account address. Replace the example account with your own. Account addresses should be entered in all lowercase. Replace the example IP address with the public IP address of your VM from the previous command.

-```console

-ssh -l azureuser@contoso.onmicrosoft.com 10.11.123.456

-```

-You are prompted to sign in to Azure AD with a one-time use code at [https://microsoft.com/devicelogin](https://microsoft.com/devicelogin). Copy and paste the one-time use code into the device login page.

-When prompted, enter your Azure AD login credentials at the login page.

-The following message is shown in the web browser when you have successfully authenticated: `You have signed in to the Microsoft Azure Linux Virtual Machine Sign-In application on your device.`

-Close the browser window, return to the SSH prompt, and press the **Enter** key.

-You are now signed in to the Azure Linux virtual machine with the role permissions as assigned, such as *VM User* or *VM Administrator*. If your user account is assigned the *Virtual Machine Administrator Login* role, you can use `sudo` to run commands that require root privileges.

-## Sudo and AAD login

-The first time that you run sudo, you will be asked to authenticate a second time. If you don't want to have to authenticate again to run sudo, you can edit your sudoers file `/etc/sudoers.d/aad_admins` and replace this line:

-```bash

-%aad_admins ALL=(ALL) ALL

-```

-With this line:

-```bash

-%aad_admins ALL=(ALL) NOPASSWD:ALL

-```

-## Troubleshoot sign-in issues

-Some common errors when you try to SSH with Azure AD credentials include no Azure roles assigned, and repeated prompts to sign in. Use the following sections to correct these issues.

-### Access denied: Azure role not assigned

-If you see the following error on your SSH prompt, verify that you have configured Azure RBAC policies for the VM that grants the user either the *Virtual Machine Administrator Login* or *Virtual Machine User Login* role:

-```output

-login as: azureuser@contoso.onmicrosoft.com

-Using keyboard-interactive authentication.

-To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FJX327AXD to authenticate. Press ENTER when ready.

-Using keyboard-interactive authentication.

-Access denied: to sign-in you be assigned a role with action 'Microsoft.Compute/virtualMachines/login/action', for example 'Virtual Machine User Login'

-Access denied

-```

-> [!NOTE]

-> If you are running into issues with Azure role assignments, see [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#azure-role-assignments-limit).

-### Continued SSH sign-in prompts

-If you successfully complete the authentication step in a web browser, you may be immediately prompted to sign in again with a fresh code. This error is typically caused by a mismatch between the sign-in name you specified at the SSH prompt and the account you signed in to Azure AD with. To correct this issue:

-### Other limitations

-Users that inherit access rights through nested groups or role assignments aren't currently supported. The user or group must be directly assigned the [required role assignments](#configure-role-assignments-for-the-vm). For example, the use of management groups or nested group role assignments won't grant the correct permissions to allow the user to sign in.

-## Preview feedback

-Share your feedback about this preview feature or report issues using it on the [Azure AD feedback forum](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789)

-## Next steps

-For more information on Azure Active Directory, see [What is Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md)

-[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Not Supported<br>

-Virtual WAN provides large-scale site-to-site connectivity and is built for throughput, scalability, and ease of use. When you connect a site to a Virtual WAN VPN gateway, it is different from a regular virtual network gateway that uses a gateway type 'VPN'. Similarly, when you connect an ExpressRoute circuit to a Virtual WAN hub, it uses a different resource for the ExpressRoute gateway than the regular virtual network gateway that uses gateway type 'ExpressRoute'.

-The Application Gateway WAF comes pre-configured with CRS 3.0 by default. But you can choose to use CRS 3.2, 3.1, or 2.2.9 instead.