+1. Record the acceptance of the terms of use and the date of acceptance by using the Graph API and extended attributes. You can do so by using both built-in user flows and custom policies. We recommend that you create and use the **extension_termsOfUseConsentDateTime** and **extension_termsOfUseConsentVersion** attributes.

+2. Create a required check box labeled "Accept Terms of Use," and record the result during sign-up. You can do so by using both built-in user flows and custom policies.

+3. Azure AD B2C stores the terms of use agreement and the user's acceptance. You can use the Graph API to query for the status of any user by reading the extension attribute that's used to record the response (for example, read **termsOfUseTestUpdateDateTime**). You can do so by using both built-in user flows and custom policies.

+Azure Active Directory (Azure AD) stores customer data in a geographical location based on the address an organization provides when subscribing to a Microsoft online service such as Microsoft 365 or Azure. For information on where your customer data is stored, see [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) in the Microsoft Trust Center.

+* [What is Identity Protection?](../identity-protection/overview-identity-protection.md)

+2. **NPS Server** connects to Active Directory Domain Services (AD DS) to perform the primary authentication for the RADIUS requests and, upon success, passes the request to any installed extensions.

+ >

+ > As a workaround, you can run the [CrpUsernameStuffing script](https://github.com/OneMoreNate/CrpUsernameStuffing) to forward RADIUS attributes that are configured in the Network Access Policy and allow MFA when the user's authentication method requires the use of a One-Time Passcode (OTP), such as SMS, a Microsoft Authenticator passcode, or a hardware FOB.

+- **Provisioning agent**: The Azure AD Connect cloud provisioning agent is the same agent as Workday inbound and built on the same server-side technology as app proxy and Pass Through Authentication. It requires an outbound connection only and agents are auto-updated.

+The above scenario, can be configured using *All users* accessing the *Microsoft Azure Management* cloud app with **Filter for devices** condition in include mode using the following rule **device.trustType -ne "ServerAD" -or device.isCompliant -ne True** and for *Access controls*, **Block**.

+- This example would create a policy that blocks access to Microsoft Azure Management cloud app from unmanaged or non-compliant devices.

+> Not all client app and resource provider combinations are supported. See table below. The first column of this table refers to web applications launched via web browser (i.e. PowerPoint launched in web browser) while the remaining four columns refer to native applications running on each platform described. Additionally, references to "Office" encompass Word, Excel, and PowerPoint.

+- Require employees or guests to accept your terms of use policy before registering security information in Azure AD Multi-Factor Authentication (MFA).

+- Require employees to accept your terms of use policy before registering security information in Azure AD self-service password reset (SSPR).

+- Help meeting privacy regulations.

+Once you've completed your terms of use policy document, use the following procedure to add it.

+1. To require end users to view the terms of use policy before accepting them, set **Require users to expand the terms of use** to **On**.

+1. To require end users to accept your terms of use policy on every device they're accessing from, set **Require users to consent on every device** to **On**. Users may be required to install other applications if this option is enabled. For more information, see [Per-device terms of use](#per-device-terms-of-use).

+1. If you want to expire terms of use policy consents on a schedule, set **Expire consents** to **On**. When set to On, two more schedule settings are displayed.

+ For example, if you set the expire starting on date to **Jan 1** and frequency to **Monthly**, this is how expirations might occur for two users:

+1. Use the **Duration before re-acceptance required (days)** setting to specify the number of days before the user must reaccept the terms of use policy. This allows users to follow their own schedule. For example, if you set the duration to **30** days, this is how expirations might occur for two users:

+ It is possible to use the **Expire consents** and **Duration before re-acceptance required (days)** settings together, but typically you use one or the other.

+ | **Access to cloud apps for all users** | A Conditional Access policy will be created for all users and all cloud apps. This policy impacts the Azure portal. Once this is created, you'll be required to sign out and sign in. |

+If you want to view more activity, Azure AD terms of use policies include audit logs. Each user consent triggers an event in the audit logs that is stored for **30 days**. You can view these logs in the portal or download as a .csv file.

+ If you click a log, a pane appears with more activity details.

+Users are only required to accept the terms of use policy once, and they won't see the terms of use policy again on later sign-ins.

+Users can review and see the terms of use policies that they've accepted by using the following procedure.

+ - **Name** ΓÇô this is the internal name of the ToU that isn't shared with end users

+1. Once you're done, click **Save** to save your changes.

+6. There's also a toggle option here **Require reaccept** if you want to require your users to accept this new version the next time they sign in. If you require your users to reaccept, next time they try to access the resource defined in your conditional access policy they'll be prompted to accept this new version. If you donΓÇÖt require your users to reaccept, their previous consent will stay current and only new users who haven't consented before or whose consent expires will see the new version. Until the session expires, **Require reaccept** not require users to accept the new TOU. If you want to ensure reaccept, delete and recreate or create a new TOU for this case.

+7. Once you've uploaded your new pdf and decided on reaccept, click Add at the bottom of the pane.

+8. You'll now see the most recent version under the Document column.

+2. To see who has currently accepted the ToU, click on the number under the **Accepted** column for the ToU you want.

+1. In the Add terms of use language pane, upload your localized PDF, and select the language.

+The **Require users to consent on every device** setting enables you to require end users to accept your terms of use policy on every device they're accessing from. The end user will be required to register their device in Azure AD. When the device is registered, the device ID is used to enforce the terms of use policy on each device.

+Supported platforms and software.

+- The Intune Enrollment app isn't supported. Ensure that it's excluded from any Conditional Access policy requiring Terms of Use policy.

+- Azure AD B2B users aren't supported.

+If the user's device isn't joined, they'll receive a message that they need to join their device. Their experience will be dependent on the platform and software.

+If a user is using Windows 10 and Microsoft Edge, they receive a message similar to the following to [join their device](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973#to-join-an-already-configured-windows-10-device).

+If they're using Chrome, they'll be prompted to install the [Windows 10 Accounts extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji).

+If a user is using an iOS device, they'll be prompted to install the [Microsoft Authenticator app](https://apps.apple.com/us/app/microsoft-authenticator/id983156458).

+If a user is using an Android device, they'll be prompted to install the [Microsoft Authenticator app](https://play.google.com/store/apps/details?id=com.azure.authenticator).

+If a user is using browser that isn't supported, they'll be asked to use a different browser.

+- When the admin explicitly deletes the ToU. When this change happens, all the acceptance records associated with that specific ToU are also deleted.

+Conditional Access policies take effect immediately. When this happens, the administrator will start to see ΓÇ£sad cloudsΓÇ¥ or "Azure AD token issues". The administrator must sign out and sign in to satisfy the new policy.

+Terms of use policies will only be displayed when the user has a guest account in Azure AD. SharePoint Online currently has an [ad hoc external sharing recipient experience](/sharepoint/what-s-new-in-sharing-in-targeted-release) to share a document or a folder that doesn't require the user to have a guest account. In this case, a terms of use policy isn't displayed.

+You can configure a Conditional Access policy for the Azure Information Protection app and require a terms of use policy when a user accesses a protected document. This configuration will trigger a terms of use policy before a user accessing a protected document for the first time.

+You can configure a Conditional Access policy for the Microsoft Intune Enrollment app and require a terms of use policy before enrollment of a device in Intune. For more information, see the Read [Choosing the right Terms solution for your organization blog post](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409).

+A: Yes, end users are able to select hyperlinks to other pages but links to sections within the document are not supported. Also, hyperlinks in terms of use policy PDFs do not work when accessed from the Azure AD MyApps/MyAccount portal.

+A: Yes. Currently there are 108 different languages an administrator can configure for a single terms of use policy. An administrator can upload multiple PDF documents and tag those documents with a corresponding language (up to 108). When end users sign in, we look at their browser language preference and display the matching document. If there's no match, we display the default document, which is the first document that is uploaded.

+A: The user is blocked from getting access to the application. The user would have to sign in again and accept the terms to get access.

+A: If you've configured both Azure AD terms of use and [Intune terms and conditions](/intune/terms-and-conditions-create), the user will be required to accept both. For more information, see the [Choosing the right Terms solution for your organization blog post](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409).

+A: Terms of use utilize the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of URLs for enrollment, you will need to add these endpoints to your allowlist, along with the Azure AD endpoints for sign-in.

+- [Quickstart: Require terms of use to be accepted before accessing cloud apps](require-tou.md)

+### Exception types

+[MsalClientException](/dotnet/api/microsoft.identity.client.msalexception) is thrown when the library itself detects an error state, such as a bad configuration.

+[MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception) is thrown when the Identity Provider (AAD) returns an error. It is a translation of the server error.

+[MsalUIRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception) is type of [MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception) and indicates that user interaction is required, for example because MFA is required or because the user has changed their password and a token cannot be acquired silently.

+### Processing exceptions

+If [MsalUIRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception) is thrown, it is an indication that an interactive flow needs to happen for the user to resolve the issue. In public client apps such as desktop and mobile app, this is resolved by calling `AcquireTokenInteractive` which displays a browser. In confidential client apps, web apps should redirect the user to the authorization page, and web APIs should return an HTTP status code and header indicative of the authentication failure (401 Unauthorized and a WWW-Authenticate header).

+| [MsalUiRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception) | AADSTS50079: The user is required to use [multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md).| There is no mitigation. If MFA is configured for your tenant and Azure Active Directory (AAD) decides to enforce it, fall back to an interactive flow such as `AcquireTokenInteractive`.|

+Instead, you can use the [Authorize(Roles = "role")] attributes on the controller or an action (or a razor page).

+[Authorize(Roles = "role")]

+Non-persistent versions use a collection of desktops that users can access on an as needed basis. These non-persistent desktops are reverted to their original state, in Windows current¹ this change happens when a virtual machine goes through a shutdown/restart/OS reset process and in Windows down-level² this change happens when a user signs out.

+It's important to ensure organizations manage stale devices that are created because frequent device registration without having a proper strategy for device lifecycle management.

+⁵ **Non-Persistence support for Windows current** requires other consideration as documented below in guidance section. This scenario requires Windows 10 1803, Windows Server 2019, or Windows Server (Semi-annual channel) starting version 1803

+⁶ **Non-Persistence support for Windows down-level** requires other consideration as documented below in guidance section.

+When deploying non-persistent VDI, Microsoft recommends organizations implement the guidance below. Failure to do so will result in your directory having lots of stale Hybrid Azure AD joined devices that were registered from your non-persistent VDI platform resulting in increased pressure on your tenant quota and risk of service interruption because of running out of tenant quota.

+- If you're relying on the System Preparation Tool (sysprep.exe) and if you're using a pre-Windows 10 1809 image for installation, make sure that image isn't from a device that is already registered with Azure AD as hybrid Azure AD joined.

+- If you're relying on a Virtual Machine (VM) snapshot to create more VMs, make sure that snapshot isn't from a VM that is already registered with Azure AD as Hybrid Azure AD join.

+- Active Directory Federation Services (AD FS) supports instant join for non-persistent VDI and Hybrid Azure AD Join.

+- Create and use a prefix for the display name (for example, NPVDI-) of the computer that indicates the desktop as non-persistent VDI-based.

+ - Implement **autoworkplacejoin /leave** command as part of logoff script. This command should be triggered in the context of the user, and should be executed before the user has logged off completely and network connectivity exists.

+- For Windows current in a Federated environment (for example, AD FS):

+ - Once you have a strategy to identify your non-persistent Hybrid Azure AD joined devices (such as using computer display name prefix), you should be more aggressive on the cleanup of these devices to ensure your directory doesn't get consumed with lots of stale devices.

+> Ensure you're running Windows 10, version 1803 or higher.

+- If you're relying on the System Preparation Tool (sysprep.exe) and if you're using a pre-Windows 10 1809 image for installation, make sure that image isn't from a device that is already registered with Azure AD as hybrid Azure AD joined.

+- If you're relying on a Virtual Machine (VM) snapshot to create more VMs, make sure that snapshot isn't from a VM that is already registered with Azure AD as Hybrid Azure AD join.

+We recommend you to implement process for [managing stale devices](manage-stale-devices.md). This process will ensure your directory doesn't get consumed with lots of stale devices if you periodically reset your VMs.

+For information about where Azure AD and other Microsoft services' data is located, see the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center.

+> Microsoft products, services, and third-party applications that integrate with Azure AD have access to Customer Data. Evaluate each product, service, and application you use to determine how Customer Data is processed by that specific product, service, and application, and whether they meet your company's data storage requirements. For more information about Microsoft services' data residency, see the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center.

+## Azure role-based access control (Azure RBAC)

+Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region you created the resource. For more information, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md#where-is-azure-rbac-data-stored).

+Identity data is stored by Azure AD in a geographical location based on the address provided by your organization when it subscribed for a Microsoft Online service such as Microsoft 365 and Azure. For information on where your identity data is stored, you can use the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center.

+## Azure role-based access control (Azure RBAC)

+Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region you created the resource. For more information, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md#where-is-azure-rbac-data-stored).

+For more information about Microsoft services' data residency, see the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center.

+| Anomalous Token | Offline | This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens. ***NOTE:** Anomalous token is tuned to incur more noise than other detections at the same risk level. This tradeoff is chosen to increase the likelihood of detecting replayed tokens that may otherwise go unnoticed. Because this is a high noise detection, there is a higher than normal chance that some of the sessions flagged by this detection are false positives. We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. If the location, application, IP address, User Agent, or other characteristics are unexpected for the user, the tenant admin should consider this as an indicator of potential token replay*. |

+* [What is single sign-on?](what-is-single-sign-on.md)

+ Title: How managed identities for Azure resources work with Azure virtual machines

+> [!NOTE]

+> The tokens which your application receives are cached by the underlying infrastructure, which means that any changes to the managed identity's roles can take significant time to take effect. For more information, see [Limitation of using managed identities for authorization](managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).

+> [!NOTE]

+> The tokens which your application receives are cached by the underlying infrastructure, which means that any changes to the managed identity's roles can take significant time to take effect. For more information, see [Limitation of using managed identities for authorization](managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).

+description: Step-by-step instructions and examples for using managed identities for Azure resources on virtual machines to acquire an OAuth access token.

+Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

+| `api-version` | A query string parameter, indicating the API version for the IMDS endpoint. Use API version `2018-02-01` or greater. |

+| 5xx Transient error from service. | The managed identities for Azure resources subsystem or Azure Active Directory returned a transient error. | It is safe to retry after waiting for at least 1 second. If you retry too quickly or too often, IMDS and/or Azure AD may return a rate limit error (429).|

+| 500 Internal server error | unknown | Failed to retrieve token from the Active directory. For details see logs in *\<file path\>* | Verify that managed identities for Azure resources is enabled on the VM. See [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md) if you need assistance with VM configuration.<br><br>Also verify that your HTTP GET request URI is formatted correctly, particularly the resource URI specified in the query string. See the "Sample request" in the preceding REST section for an example, or [Azure services that support Azure AD authentication](./services-support-managed-identities.md) for a list of services and their respective resource IDs.

+Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication without having credentials in your code.

+Managed identities provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

+ - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.

+By setting this property, the VM updates with the correct managed identities for Azure resources URI, and then you should be able to start the VM.

+- Assigning user-assigned managed identities to resources: You need write permissions over the resource. For example, for virtual machines you need `Microsoft.Compute/virtualMachines/write`. You will also need `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` action over the user-assigned identity. This action is included in the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) built-in role.

+4. In the policy rule section, paste:

+- If system assigned managed identity is enabled and no identity is specified in the request, Azure Instance Metadata Service (IMDS) defaults to the system assigned managed identity.

+No. If you move a subscription to another directory, you have to manually re-create them and grant Azure role assignments again.

+### Are tokens cached after they are issued for a managed identity?

+Managed identity tokens are cached by the underlying Azure infrastructure for performance and resiliency purposes: the back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's permissions to take effect, for example. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. For more information, see [Limitation of using managed identities for authorization](managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).

+## Limitation of using managed identities for authorization

+Using Azure AD **groups** for granting access to services is a great way to simplify the authorization process. The idea is simple ΓÇô grant permissions to a group and add identities to the group so that they inherit the same permissions. This is a well-established pattern from various on-premises systems and works well when the identities represent users. Another option to control authorization in Azure AD is by using [App Roles](../develop/howto-add-app-roles-in-azure-ad-apps.md), which allows you to declare **roles** that are specific to an app (rather than groups, which are a global concept in the directory). You can then [assign app roles to managed identities](how-to-assign-app-role-managed-identity-powershell.md) (as well as users or groups).

+In both cases, for non-human identities such as Azure AD Applications and Managed identities, the exact mechanism of how this authorization information is presented to the application is not ideally suited today. Today's implementation with Azure AD and Azure Role Based Access Control (Azure RBAC) uses access tokens issued by Azure AD for authentication of each identity. If the identity is added to a group or role, this is expressed as claims in the access token issued by Azure AD. Azure RBAC uses these claims to further evaluate the authorization rules for allowing or denying access.

+Given that the identity's groups and roles are claims in the access token, any authorization changes do not take effect until the token is refreshed. For a human user that's typically not a problem, because a user can acquire a new access token by logging out and in again (or waiting for the token lifetime to expire, which is 1 hour by default). Managed identity tokens on the other hand are cached by the underlying Azure infrastructure for performance and resiliency purposes: the back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's group or role membership to take effect. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. If you change a managed identityΓÇÖs group or role membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access.

+If this delay is not acceptable for your requirements, consider alternatives to using groups or roles in the token. To ensure that changes to permissions for managed identities take effect quickly, we recommend that you group Azure resources using a [user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azcli) with permissions applied directly to the identity, instead of adding to or removing managed identities from an Azure AD group that has permissions. A user-assigned managed identity can be used like a group because it can be assigned to one or more Azure resources to use it. The assignment operation can be controlled using the [Managed identity contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) and [Managed identity operator role](../../role-based-access-control/built-in-roles.md#managed-identity-operator).

+ - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.

+Managed identities are identities that your code can use to request access tokens to authenticate to resource APIs that support Azure AD authentication. In this tutorial, your code will access the Azure Resource Manager API.

+4. In the terminal window, use CURL to make a request to the Azure Instance Metadata Service (IMDS) identity endpoint to get an access token for Azure Resource Manager.  

+To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To enable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM during its creation, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+description: Step-by-step instructions for configuring managed identities for Azure resources on an Azure VM using the Azure portal.

+To enable system-assigned managed identity on a VM during its creation, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To remove system-assigned managed identity from a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+# Configure managed identities for Azure resources on a virtual machine scale set (virtual machine scale set) using the Azure portal

+Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

+ - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.

+To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+ > Creating user-assigned managed identities only supports alphanumeric, underscore and hyphen (0-9 or a-z or A-Z, \_ or -) characters. Additionally, name should be limited from 3 to 128 character length for the assignment to VM/VMSS to work properly. For more information, see [FAQs and known issues](known-issues.md)

+ - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.

+To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+- [Create, list, or delete a user-assigned managed identities using REST API calls](how-to-manage-ua-identity-rest.md)

+description: Step-by-step instructions for configuring a system and user-assigned managed identities on an Azure virtual machine scale set using CURL to make REST API calls.

+Managed identities for Azure resources provide Azure services with an automatically managed system identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

+- [Create, list, or delete a user-assigned managed identity using REST API calls](how-to-manage-ua-identity-rest.md)

+description: Step-by-step instructions for configuring and using managed identities for Azure resources on an Azure VM, using an Azure SDK.

+Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory (AD). You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

+Azure supports multiple programming platforms through a series of [Azure SDKs](https://azure.microsoft.com/downloads). Several of them have been updated to support managed identities for Azure resources, and provide corresponding samples to demonstrate usage. This list is updated as other support is added:

+As with the Azure portal and scripting, [Azure Resource Manager](../../azure-resource-manager/management/overview.md) templates allow you to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based, including:

+To enable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To remove system-assigned managed identity from a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Azure AD directory role assignments are required.

+To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.

+ The following example shows you how to remove all user-assigned managed identities from a VM with no system-assigned managed identities:

+4. When you're done, the following sections should added to the resource section of your template and should resemble the example shown below:

+> [!IMPORTANT]

+> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

+Next, add a secret to the Key Vault, so you can retrieve it later using code running in your VM. In this tutorial, we are using PowerShell but the same concepts apply to any code executing in this virtual machine.

+3. In the terminal window, use CURL to make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Key Vault.  

+4. **Deployment model** and **Account kind** should be set to "Resource Manager" and "General purpose", respectively.

+Create a sample blob file to upload to your blob storage container. On a Linux VM, you can do this with the following command.

+4. **Deployment model** and **Account kind** should be set to "Resource Manager" and "General purpose", respectively.

+Create a sample blob file to upload to your blob storage container. On a Linux VM, you can do this with the following command.

+- Use [Azure Cloud Shell](~/articles/cloud-shell/overview.md) either from the Azure portal, or via the **Try It** button, located in the top-right corner of each code block.

+4. Under **New container**, enter a name for the container and under **Public access level** keep the default value.

+3. In the terminal window, use CURL to make a request to the local Managed Identity endpoint to get an access token for Azure Storage.

+In addition to the NuGet packages above, you also need to enable **Include prerelease** and then add **Azure.ResourceManager.CosmosDB**.

+Next, add a secret to the Key Vault, so you can retrieve it later using code running in your VM. In this tutorial, we are using PowerShell but the same concepts apply to any code executing in this virtual machine.

+SQL DB requires unique Azure AD display names. With this, the Azure AD accounts such as users, groups and Service Principals (applications), and VM names enabled for managed identity must be uniquely defined in AAD regarding their display names. SQL DB checks the Azure AD display name during T-SQL creation of such users and if it is not unique, the command fails requesting to provide a unique Azure AD display name for a given account.

+Alternatively, a quick way to test the end-to-end setup without having to write and deploy an app on the VM is using PowerShell.

+ Next, create, and send a query to the server. Remember to replace the value for TABLE.

+You can also download the blob you uploaded, using the `Get-AzStorageBlobContent` PowerShell cmdlet:

+ - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.

+This section shows how to grant your user-assigned identity access to a Resource Group in Azure Resource Manager. Managed identities for Azure resources provide identities that your code can use to request access tokens to authenticate to resource APIs that support Azure AD authentication. In this tutorial, your code will access the Azure Resource Manager API.

+Use the access token retrieved in the previous step to access Azure Resource Manager, and read the properties of the Resource Group you granted your user-assigned identity access. Replace `<SUBSCRIPTION ID>` with the subscription ID of your environment.

+Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $userObj.ObjectId} }

+Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }

+ if($member.OdataType -eq "#microsoft.graph.group")

+ Get-AzureADGroup -ObjectId $member.Id

+- Confluence: 7.0.1 to 7.15.0

+- JIRA Core and Software 6.4 to 8.21 or JIRA Service Desk 3.0 to 4.21.0 should installed and configured on Windows 64-bit version

+* JIRA Core and Software: 6.4 to 8.21

+* JIRA Service Desk 3.0 to 4.21.0

+> | `Microsoft.Compute/virtualMachineScaleSets/delete` | Required to delete a virtual machine scale set to a load balancer backend address pools and scale down nodes in a virtual machine scale set. |

+# Tutorial: Create and publish a product

+In Azure API Management, a [*product*](api-management-terminology.md#term-definitions) contains one or more APIs, a usage quota, and the terms of use. After a product is published, developers can subscribe to the product and begin to use the product's APIs.

+1. In the left navigation pane, select **Products** > **+ Add**.

+ :::image type="content" source="media/api-management-howto-add-products/add-product-portal.png" alt-text="Add product in Azure portal":::

+1. In the **Add product** window, enter values described in the following table to create your product.

+ :::image type="content" source="media/api-management-howto-add-products/add-product.png" alt-text="Add product window":::

+ | Published | Select **Published** if you want to publish the product. Before the APIs in a product can be called, the product must be published. By default, new products are unpublished, and are visible only to the **Administrators** group. |

+ | Subscription count limit | Optionally, limit the count of multiple simultaneous subscriptions. |

+ | Legal terms | You can include the terms of use for the product, which subscribers must accept to use the product. |

+1. Select **Create** to create your new product.

+ | `--subscriptions-limit` | Optionally, limit the count of multiple simultaneous subscriptions.|

+ | `--legal-terms` | You can include the terms of use for the product, which subscribers must accept to use the product. |

+Products are associations of one or more APIs. You can include many APIs and offer them to developers through the developer portal. During the product creation, you can add one or more existing APIs. You can also add APIs to the product later, either from the Products **Settings** page or while creating an API.

+Developers must first subscribe to a product to get access to the API. When they subscribe, they get a subscription key that is good for any API in that product. If you created the API Management instance, you're an administrator already, so you're subscribed to every product by default.

+1. Select a product, and then select **APIs**.

+1. Select **+ Add API**.

+1. Select one or more APIs, and then **Select**.

+1. From the Azure portal menu, select **Create a resource**. You can also select **Create a resource** on the Azure **Home** page.

+ :::image type="content" source="media/get-started-create-service-instance/create-resource.png" alt-text="Select Create a resource.":::

+1. On the **Create a resource** page, select **Integration** > **API Management**.

+ :::image type="content" source="media/get-started-create-service-instance/create-resource-page.png" alt-text="Screenshot of New Azure API Management instance.":::

+1. In the **Create API Management** page, enter settings.

+ :::image type="content" source="media/get-started-create-service-instance/create-api-management-instance-1.png" alt-text="Create API Management instance.":::

+ | **Region** | Select a geographic region near you from the available API Management service locations. |

+ | **Resource name** | A unique name for your API Management service. The name can't be changed later. The service name refers to both the service and the corresponding Azure resource. <br/> The service name is used to generate a default domain name: *\<name\>.azure-api.net.* If you would like to configure a custom domain name later, see [Configure a custom domain](configure-custom-domain.md). |

+ | **Organization name** | The name of your organization. This name is used in many places, including the title of the developer portal and sender of notification emails. |

+1. Select **Review + create**.

+ > It can take 30 to 40 minutes to create and activate an API Management service in this tier. To quickly find a newly created service, select **Pin to dashboard**.

+ :::image type="content" source="media/get-started-create-service-instance/get-started-create-service-instance-created-1.png" alt-text="API Management instance.":::

+When no longer needed, you can remove the resource group and all the related resources by following these steps:

+ :::image type="content" source="media/get-started-create-service-instance/resource-groups.png" alt-text="Resource group navigation.":::

+ :::image type="content" source="media/get-started-create-service-instance/resource-group-page.png" alt-text="Select your resource group.":::

+1. On the resource group page, select **Delete resource group**.

+ :::image type="content" source="media/get-started-create-service-instance/delete-resource-group.png" alt-text="Delete resource group.":::

+description: In this tutorial, you use API Management to set a policy on an API. The policy returns a mocked response even if the backend isn't available to send real responses.

+Backend APIs are imported into an API Management (APIM) API or created and managed manually. The steps in this tutorial, show you how to:

+This method lets developers continue with the implementation and testing of the API Management instance even if the backend isn't available to send real responses.

+The ability to mock up responses is useful in many scenarios:

+> * Create a test API

+## Create a test API

+The steps in this section show how to create an HTTP API with no backend.

+1. Sign in to the Azure portal, and then navigate to your API Management instance.

+1. Select **APIs** > **+ Add API** > **HTTP** tile.

+ :::image type="content" source="media/mock-api-responses/http-api.png" alt-text="Define a HTTP API":::

+1. In the **Create an HTTP API** window, select **Full**.

+1. Ensure that **Managed** is selected for **Gateways**.

+ :::image type="content" source="media/mock-api-responses/create-http-api.png" alt-text="Create an HTTP API":::

+An API exposes one or more operations. In this section, you'll add an operation to the HTTP API you created. Calling the operation after completing the steps in this section triggers an error. After you complete the steps in the [Enable response mocking](#enable-response-mocking) section, you'll get no errors.

+ :::image type="content" source="media/mock-api-responses/frontend-window.png" alt-text="Frontend window":::

+ :::image type="content" source="media/mock-api-responses/add-response.png" alt-text="Add response to the API operation":::

+ :::image type="content" source="media/mock-api-responses/add-representation.png" alt-text="Add representation to the API operation":::

+Although not required for this example, you can configure more settings for an API operation on other tabs, including:

+|**Query** | Add query parameters. Besides providing a name and description, you can also provide values that are assigned to a query parameter. You can mark one of the values as default (optional). |

+1. Select the test operation that you added.

+ :::image type="content" source="media/mock-api-responses/add-policy.png" alt-text="Add processing policy" border="false":::

+ :::image type="content" source="media/mock-api-responses/set-mocking-response.png" alt-text="Set mocking response":::

+ > A yellow bar with the text **Mocking is enabled** displays. This indicates that the responses returned from API Management are mocked by the [mocking policy](api-management-advanced-policies.md#mock-response) and aren't produced by the backend.

+1. Ensure that the **Test call** API is selected, and then select **Send** to make a test call.

+ :::image type="content" source="media/mock-api-responses/test-mock-api.png" alt-text="Test the mocked API":::

+ :::image type="content" source="media/mock-api-responses/http-response.png" alt-text="Mock HTTP response":::

+Microsoft and Adoptium builds of OpenJDK are provided and supported on App Service for Java 8, 11, and 17. These binaries are provided as a no-cost, multi-platform, production-ready distribution of the OpenJDK for Azure. They contain all the components for building and runnning Java SE applications. For local development or testing, you can install the Microsoft build of OpenJDK from the [downloads page](https://docs.microsoft.com/java/openjdk/download). The table below describes the new Java versions included in the January 2022 App Service platform release:

+| Java Version | Linux | Windows |

+|--||-|

+| Java 8 | 1.8.0_312 (Zulu) * | 1.8.0_312 (Adoptium) |

+| Java 11 | 11.0.13 (MSFT) | 11.0.13 (MSFT) |

+| Java 17 | 17.0.1 (MSFT) | 17.0.1 (MSFT) |

+\* In following releases, Java 8 on Linux will be distributed from Adoptium builds of the OpenJDK.

+If you are [pinned](#choosing-a-java-runtime-version) to an older minor version of Java your site may be using the [Zulu for Azure](https://www.azul.com/downloads/azure-only/zulu/) binaries provided through [Azul Systems](https://www.azul.com/). You can continue to use these binaries for your site, but any security patches or improvements will only be available in new versions of the OpenJDK, so we recommend that you periodically update your Web Apps to a later version of Java.

+Patches and fixes for major security vulnerabilities will be released as soon as they become available in Microsoft builds of the OpenJDK. A "major" vulnerability is defined by a base score of 9.0 or higher on the [NIST Common Vulnerability Scoring System, version 2](https://nvd.nist.gov/vuln-metrics/cvss).

+Community support for Java 7 will terminate on July 29th, 2022 and [Java 7 will be retired from App Service](https://azure.microsoft.com/updates/transition-to-java-11-or-8-by-29-july-2022/) at that time. If you have a web app runnning on Java 7, please upgrade to Java 8 or 11 before July 29th.

+- [Reasons to move to Java 11](https://docs.microsoft.com/java/openjdk/reasons-to-move-to-java-11?toc=/azure/developer/java/fundamentals/toc.json&bc=/azure/developer/breadcrumb/toc.json)

+- [Java 7 migration guide](https://docs.microsoft.com/java/openjdk/transition-from-java-7-to-java-8?toc=/azure/developer/java/fundamentals/toc.json&bc=/azure/developer/breadcrumb/toc.json)

+Product support for the [Microsoft Build of OpenJDK](https://docs.microsoft.com/java/openjdk/download) is available through Microsoft when developing for Azure or [Azure Stack](https://azure.microsoft.com/overview/azure-stack/) with a [qualified Azure support plan](https://azure.microsoft.com/support/plans/).

+ // MSGraphUser is a DTO class being used to hold User information from the graph service client call

+|Path pattern |Is supported? |

+After you have updated the role using the script below, it is also advised that you rotate the subscription keys on your resource. This is in case your keys have been compromised by the exploit above, and somebody is actually using your resource with subscription key authentication without your consent. Rotating the keys will render the previous keys invalid and deny any further access. For customers using Azure AD authentication, which should be everyone per current Immersive Reader SDK implementation, rotating the keys will have no impact on the Immersive Reader service, since Azure AD access tokens are used for authentication, not the subscription key. Rotating the subscription keys is just another precaution.

+You can rotate the subscription keys on the [Azure portal](https://portal.azure.com). Navigate to your resource and then to the `Keys and Endpoint` blade. At the top, there are buttons to `Regenerate Key1` and `Regenerate Key2`.

+### Use Azure PowerShell environment to update your Immersive Reader resource Role assignment

+ ```Update-ImmersiveReaderRoleAssignment```<br>

+ ``` -SubscriptionName 'MyOrganizationSubscriptionName'```<br>

+ ``` -ResourceGroupName 'MyResourceGroupName'```<br>

+ ``` -ResourceName 'MyOrganizationImmersiveReader'```<br>

+ ``` -AADAppIdentifierUri 'https://MyOrganizationImmersiveReaderAADApp'```<br>

+* Explore the [Immersive Reader SDK](https://github.com/microsoft/immersive-reader-sdk) and the [Immersive Reader SDK Reference](./reference.md)

+> [!NOTE]

+> The exception to the task hub sharing rule is if you are configuring your app for regional disaster recovery. See the [disaster recovery and geo-distribution](durable-functions-disaster-recovery-geo-distribution.md) article for more information.

+| WEBSITE_NODE_DEFAULT_VERSION | Only needed if using the `node` language stack, specifies the [version](/azure/azure-functions/functions-reference-node#node-version) to use | `~14` |

+ "value": "~14"

+ "value": "~14"

+ "value": "~14"

+ "value": "~14"

+ "value": "~14"

+| Python | `python\|3.7` |

+| JavaScript | `node\|14` |

+| .NET | `dotnet\|3.1` |

+ "value": "~14"

+ "linuxFxVersion": "node|14"

+ "value": "~14"

+Microsoft and [Adoptium](https://adoptium.net/) builds of OpenJDK are provided and supported on Functions for Java 8 and 11. These binaries are provided as a no-cost, multi-platform, production-ready distribution of the OpenJDK for Azure. They contain all the components for building and runnning Java SE applications. The table below describes the new Java versions that Function apps will begin using with the January 2022 Functions platform release:

+| Java Version | Linux | Windows |

+|--||-|

+| Java 8 | 1.8.0_302 (Adoptium) | 1.8.0_302 (Adoptium) |

+| Java 11 | 11.0.12 (MSFT) | 11.0.12 (MSFT) |

+For local development or testing, you can download the [Microsoft build of OpenJDK](https://docs.microsoft.com/java/openjdk/download) or [Adoptium Temurin](https://adoptium.net/?variant=openjdk8&jvmVariant=hotspot) binaries for free. [Azure support](https://azure.microsoft.com/support/) for issues with the JDKs and function apps is available with a [qualified support plan](https://azure.microsoft.com/support/plans/).

+If you would like to continue using the Zulu for Azure binaries on your Function app, please [configure your app accordingly](https://github.com/Azure/azure-functions-java-worker/wiki/Customize-JVM-to-use-Zulu). You can continue to use the Azul binaries for your site, but any security patches or improvements will only be available in new versions of the OpenJDK, so we recommend that you eventually remove this configuration so that your Function apps use the latest available version of Java.

+ > You can host your functions on a Consumption, Premium, or App Service plan. If you are testing behind a V-Net or testing non public endpoints then you will need to use the premium plan in place of the consumption. Select your plan on the **Hosting** tab. Please ensure the latest .NET version is selected when creating the Function App.

+## Release notes

+### 2.8.42

+- Updated ApplicationInsights .NET/.NET Core SDK to 2.18.1-redfield.

+### 2.8.41

+- Added ASP.NET Core Auto-Instrumentation feature.

+JMX metrics collection can be configured by adding a ```"jmxMetrics"``` section to the applicationinsights.json file. You can specify the name of the metric the way you want it to appear in Azure portal in application insights resource. Object name and attribute are required for each of the metrics you want collected.

+You nailed it - you must know the object names and the attributes, those properties are different for various libraries, frameworks, and application servers, and are often not well documented. Luckily, it's easy to find exactly what JMX metrics are supported for your particular environment.

+To view the available metrics, set the self-diagnostics level to `DEBUG` in your `applicationinsights.json` configuration file, for example:

+```json

+{

+ "selfDiagnostics": {

+ "level": "DEBUG"

+ }

+}

+```

+The available JMX metrics, with the object names and attribute names will appear in the application insights log file.

+The output in the log file will look similar to the example below. In some cases the list can be quite extensive.

+> [!div class="mx-imgBorder"]

+> 

+## Configuration example

+Knowing what metrics are available, you can configure the agent to collect those. The first one is an example of a nested metric - `LastGcInfo` that has several properties, and we want to capture the `GcThreadCount`.

+## Types of collected metrics and available configuration options?

+> [!div class="mx-imgBorder"]

+> 

+When deploying a diagnostic setting, you receive an error message, similar to *Metric category 'xxxx' is not supported*. You may receive this error even though your previous deployment succeeded.

+The problem occurs when using a Resource Manager template, REST API, Azure CLI, or Azure PowerShell. Diagnostic settings created via the Azure portal are not affected as only the supported category names are presented.

+ Title: Create & deploy template specs in Bicep

+description: Describes how to create template specs in Bicep and share them with other users in your organization.

+# Azure Resource Manager template specs in Bicep

+A template spec is a resource type for storing an Azure Resource Manager template (ARM template) or a Bicep file in Azure for later deployment. Bicep files are transpiled into ARM JSON templates before they are stored. This resource type enables you to share ARM templates with other users in your organization. Just like any other Azure resource, you can use Azure role-based access control (Azure RBAC) to share the template spec.

+[**Microsoft.Resources/templateSpecs**](/azure/templates/microsoft.resources/templatespecs) is the resource type for template specs. It consists of a main template and any number of linked templates. Azure securely stores template specs in resource groups. Both the main template and the linked templates must be in JSON. Template Specs support [versioning](#versioning).

+To deploy the template spec, you use standard Azure tools like PowerShell, Azure CLI, Azure portal, REST, and other supported SDKs and clients. You use the same commands as you would for the template or the Bicep file.

+> [!NOTE]

+> To use template specs in Bicep with Azure PowerShell, you must install [version 6.3.0 or later](/powershell/azure/install-az-ps). To use it with Azure CLI, use [version 2.27.0 or later](/cli/azure/install-azure-cli).

+When designing your deployment, always consider the lifecycle of the resources and group the resources that share similar lifecycle into a single template spec. For instance, your deployments include multiple instances of Cosmos DB with each instance containing its own databases and containers. Given the databases and the containers donΓÇÖt change much, you want to create one template spec to include a Cosmo DB instance and its underlying databases and containers. You can then use conditional statements in your Bicep along with copy loops to create multiple instances of these resources.

+The choice between template specs and [private module registries](./private-module-registry.md) is mostly a matter of preference. If you're deploying templates or Bicep files without other project artifacts, template specs are an easier option. If you're deploying project artifacts with the templates or Bicep files, you can integrate the private registry with your development work and then more easily deploy all of it from the registry.

+### Microsoft Learn

+To learn more about template specs, and for hands-on guidance, see [Publish libraries of reusable infrastructure code by using template specs](/learn/modules/arm-template-specs) on **Microsoft Learn**.

+## Why use template specs?

+Template specs provide the following benefits:

+* You use standard ARM templates or Bicep files for your template spec.

+* You manage access through Azure RBAC, rather than SAS tokens.

+* Users can deploy the template spec without having write access to the Bicep file.

+* You can integrate the template spec into existing deployment process, such as PowerShell script or DevOps pipeline.

+Template specs enable you to create canonical templates and share them with teams in your organization. The template specs are secure because they're available to Azure Resource Manager for deployment, but not accessible to users without the correct permission. Users only need read access to the template spec to deploy its template, so you can share the template without allowing others to modify it.

+If you currently have your templates in a GitHub repo or storage account, you run into several challenges when trying to share and use the templates. To deploy the template, you need to either make the template publicly accessible or manage access with SAS tokens. To get around this limitation, users might create local copies, which eventually diverge from your original template. Template specs simplify sharing templates.

+The templates you include in a template spec should be verified by administrators in your organization to follow the organization's requirements and guidance.

+## Create template spec

+The following example shows a simple Bicep file for creating a storage account in Azure.

+```bicep

+@allowed([

+ 'Standard_LRS'

+ 'Standard_GRS'

+ 'Standard_ZRS'

+ 'Premium_LRS'

+])

+param storageAccountType string = 'Standard_LRS'

+resource stg 'Microsoft.Storage/storageAccounts@2021-04-01' = {

+ name: 'store${uniqueString(resourceGroup().id)}'

+ location: resourceGroup().location

+ sku: {

+ name: storageAccountType

+ }

+ kind:'StorageV2'

+}

+```

+Create a template spec by using:

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+New-AzTemplateSpec -Name storageSpec -Version 1.0a -ResourceGroupName templateSpecsRg -Location westus2 -TemplateFile ./mainTemplate.bicep

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+az ts create \

+ --name storageSpec \

+ --version "1.0a" \

+ --resource-group templateSpecRG \

+ --location "westus2" \

+ --template-file "./mainTemplate.bicep"

+```

+You can also create template specs by using Bicep files. However the content of `mainTemplate` must be in JSON. The following template creates a template spec to deploy a storage account:

+```bicep

+param templateSpecName string = 'CreateStorageAccount'

+param templateSpecVersionName string = '0.1'

+param location string = resourceGroup().location

+resource createTemplateSpec 'Microsoft.Resources/templateSpecs@2021-05-01' = {

+ name: templateSpecName

+ location: location

+ properties: {

+ description: 'A basic templateSpec - creates a storage account.'

+ displayName: 'Storage account (Standard_LRS)'

+ }

+}

+resource createTemplateSpecVersion 'Microsoft.Resources/templateSpecs/versions@2021-05-01' = {

+ parent: createTemplateSpec

+ name: templateSpecVersionName

+ location: location

+ properties: {

+ mainTemplate: {

+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'

+ 'contentVersion': '1.0.0.0'

+ 'parameters': {

+ 'storageAccountType': {

+ 'type': 'string'

+ 'defaultValue': 'Standard_LRS'

+ 'allowedValues': [

+ 'Standard_LRS'

+ 'Standard_GRS'

+ 'Standard_ZRS'

+ 'Premium_LRS'

+ ]

+ }

+ }

+ 'resources': [

+ {

+ 'type': 'Microsoft.Storage/storageAccounts'

+ 'apiVersion': '2019-06-01'

+ 'name': 'store$uniquestring(resourceGroup().id)'

+ 'location': resourceGroup().location

+ 'kind': 'StorageV2'

+ 'sku': {

+ 'name': '[parameters(\'storageAccountType\')]'

+ }

+ }

+ ]

+ }

+ }

+}

+```

+The JSON template embedded in the Bicep file needs to make these changes:

+* Remove the commas at the end of the lines.

+* Replace double quotes to single quotes.

+* Escape the single quotes within the expressions. For example, **'name': '[parameters(&#92;'storageAccountType&#92;')]'**.

+* To access the parameters and variables defined in the Bicep file, you can directly use the parameter names and the variable names. To access the parameters and variables defined in `mainTemplate`, you still need to use the ARM JSON template syntax. For example, **'name': '[parameters(&#92;'storageAccountType&#92;')]'**.

+* Use the Bicep syntax to call Bicep functions. For example, **'location': resourceGroup().location**.

+You can view all template specs in your subscription by using:

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+Get-AzTemplateSpec

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+az ts list

+```

+You can view details of a template spec, including its versions with:

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+Get-AzTemplateSpec -ResourceGroupName templateSpecsRG -Name storageSpec

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+az ts show \

+ --name storageSpec \

+ --resource-group templateSpecRG \

+ --version "1.0a"

+```

+## Deploy template spec

+After you've created the template spec, users with **read** access to the template spec can deploy it. For information about granting access, see [Tutorial: Grant a group access to Azure resources using Azure PowerShell](../../role-based-access-control/tutorial-role-assignments-group-powershell.md).

+Template specs can be deployed through the portal, PowerShell, Azure CLI, or as a Bicep module in a larger template deployment. Users in an organization can deploy a template spec to any scope in Azure (resource group, subscription, management group, or tenant).

+Instead of passing in a path or URI for a Bicep file, you deploy a template spec by providing its resource ID. The resource ID has the following format:

+**/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Resources/templateSpecs/{template-spec-name}/versions/{template-spec-version}**

+Notice that the resource ID includes a version name for the template spec.

+For example, you deploy a template spec with the following command.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+$id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/templateSpecsRG/providers/Microsoft.Resources/templateSpecs/storageSpec/versions/1.0a"

+New-AzResourceGroupDeployment `

+ -TemplateSpecId $id `

+ -ResourceGroupName demoRG

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/templateSpecsRG/providers/Microsoft.Resources/templateSpecs/storageSpec/versions/1.0a"

+az deployment group create \

+ --resource-group demoRG \

+ --template-spec $id

+```

+In practice, you'll typically run `Get-AzTemplateSpec` or `az ts show` to get the ID of the template spec you want to deploy.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+$id = (Get-AzTemplateSpec -Name storageSpec -ResourceGroupName templateSpecsRg -Version 1.0a).Versions.Id

+New-AzResourceGroupDeployment `

+ -ResourceGroupName demoRG `

+ -TemplateSpecId $id

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+id = $(az ts show --name storageSpec --resource-group templateSpecRG --version "1.0a" --query "id")

+az deployment group create \

+ --resource-group demoRG \

+ --template-spec $id

+```

+You can also open a URL in the following format to deploy a template spec:

+```url

+https://portal.azure.com/#create/Microsoft.Template/templateSpecVersionId/%2fsubscriptions%2f{subscription-id}%2fresourceGroups%2f{resource-group-name}%2fproviders%2fMicrosoft.Resources%2ftemplateSpecs%2f{template-spec-name}%2fversions%2f{template-spec-version}

+```

+## Parameters

+Passing in parameters to template spec is exactly like passing parameters to a Bicep file. Add the parameter values either inline or in a parameter file.

+To pass a parameter inline, use:

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+New-AzResourceGroupDeployment `

+ -TemplateSpecId $id `

+ -ResourceGroupName demoRG `

+ -StorageAccountType Standard_GRS

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+az deployment group create \

+ --resource-group demoRG \

+ --template-spec $id \

+ --parameters storageAccountType='Standard_GRS'

+```

+To create a local parameter file, use:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "StorageAccountType": {

+ "value": "Standard_GRS"

+ }

+ }

+}

+```

+And, pass that parameter file with:

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+New-AzResourceGroupDeployment `

+ -TemplateSpecId $id `

+ -ResourceGroupName demoRG `

+ -TemplateParameterFile ./mainTemplate.parameters.json

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+az deployment group create \

+ --resource-group demoRG \

+ --template-spec $id \

+ --parameters "./mainTemplate.parameters.json"

+```

+## Versioning

+When you create a template spec, you provide a version name for it. As you iterate on the template code, you can either update an existing version (for hotfixes) or publish a new version. The version is a text string. You can choose to follow any versioning system, including semantic versioning. Users of the template spec can provide the version name they want to use when deploying it.

+## Use tags

+[Tags](../management/tag-resources.md) help you logically organize your resources. You can add tags to template specs by using Azure PowerShell and Azure CLI:

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+New-AzTemplateSpec `

+ -Name storageSpec `

+ -Version 1.0a `

+ -ResourceGroupName templateSpecsRg `

+ -Location westus2 `

+ -TemplateFile ./mainTemplate.bicep `

+ -Tag @{Dept="Finance";Environment="Production"}

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+az ts create \

+ --name storageSpec \

+ --version "1.0a" \

+ --resource-group templateSpecRG \

+ --location "westus2" \

+ --template-file "./mainTemplate.bicep" \

+ --tags Dept=Finance Environment=Production

+```

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+Set-AzTemplateSpec `

+ -Name storageSpec `

+ -Version 1.0a `

+ -ResourceGroupName templateSpecsRg `

+ -Location westus2 `

+ -TemplateFile ./mainTemplate.bicep `

+ -Tag @{Dept="Finance";Environment="Production"}

+```

+# [CLI](#tab/azure-cli)

+```azurecli

+az ts update \

+ --name storageSpec \

+ --version "1.0a" \

+ --resource-group templateSpecRG \

+ --location "westus2" \

+ --template-file "./mainTemplate.bicep" \

+ --tags Dept=Finance Environment=Production

+```

+When creating or modifying a template spec with the version parameter specified, but without the tag/tags parameter:

+* If the template spec exists and has tags, but the version doesn't exist, the new version inherits the same tags as the existing template spec.

+When creating or modifying a template spec with both the tag/tags parameter and the version parameter specified:

+* If both the template spec and the version don't exist, the tags are added to both the new template spec and the new version.

+* If the template spec exists, but the version doesn't exist, the tags are only added to the new version.

+* If both the template spec and the version exist, the tags only apply to the version.

+When modifying a template with the tag/tags parameter specified but without the version parameter specified, the tags is only added to the template spec.

+## Link to template specs

+After creating a template spec, you can link to that template spec in a Bicep module. For more information, see [File in template spec](./modules.md#path-to-module).

+## Next steps

+To learn more about template specs, and for hands-on guidance, see [Publish libraries of reusable infrastructure code by using template specs](/learn/modules/arm-template-specs) on **Microsoft Learn**.

+| Australia Central | Yes | |

+| Australia East | Yes | Yes |

+| Central US | Yes | |

+| Germany West Central | | Yes |

+| Japan East | Yes | |

+| Korea Central | Yes | |

+| North Europe | Yes | |

+| UK South | Yes | |

+|**Verify permissions for your Azure account** | Your Azure account needs Contributor or Owner permissions on the Azure subscription, permissions to register Azure Active Directory (Azure AD) apps, and User Access Administrator permissions on the Azure subscription to create a Key Vault, to create a VM, and to write to an Azure managed disk. |

+ Title: Complete migration using a distributed availability group

+description: Use a distributed availability group to complete the migration of your SQL Server databases to SQL Server on Azure VMs.

+# Complete migration using a distributed AG

+Use a [distributed availability group (AG)](/sql/database-engine/availability-groups/windows/distributed-availability-groups) to migrate your databases from SQL Server to SQL Server on Azure Virtual Machines (VMs).

+This article assumes you've already configured your distributed ag for either your [standalone databases](sql-server-distributed-availability-group-migrate-standalone-instance.md) or your [availability group databases](sql-server-distributed-availability-group-migrate-ag.md) and now you're ready to finalize the migration to SQL Server on Azure VMs.

+## Monitor migration

+Use Transact-SQL (T-SQL) to monitor the progress of your migration.

+Run the following script on the global primary and the forwarder and validate that the state for `synchronization_state_desc` for the primary availability group (**OnPremAG**) and the secondary availability group (**AzureAG**) is `SYNCHRONIZED`. Confirm that the the `synchronization_state_desc` for the distributed AG (**DAG**) is synchronizing and the `last_hardened_lsn` is the same per database on both the global primary and the forwarder.

+If not, rerun the query on both sides every 5 seconds or so until it is the case.

+Use the following script to monitor the migration:

+```sql

+SELECT ag.name

+ , drs.database_id

+ , db_name(drs.database_id) as database_name

+ , drs.group_id

+ , drs.replica_id

+ , drs.synchronization_state_desc

+ , drs.last_hardened_lsn

+FROM sys.dm_hadr_database_replica_states drs

+INNER JOIN sys.availability_groups ag on drs.group_id = ag.group_id;

+```

+## Complete migration

+Once you've validated the states of the availability group and the distributed ag, you're ready to complete the migration. This consists of failing over the distributed ag to the forwarder (the target SQL Server in Azure), and then cutting over the application to the new primary on the Azure side.

+To failover your distributed availability group, review [failover to secondary availability group](/sql/database-engine/availability-groups/windows/configure-distributed-availability-groups#failover).

+After the failover, update the connection string of your application to connect to the new primary replica in Azure. At this point, you can choose to maintain the distributed availability group, or use `DROP AVAILABILITY GROUP [DAG]` on the both the source and target SQL Server instances to drop it.

+If your domain controller is on the source side, validate that your target SQL Server VMs in Azure have joined the domain before abandoning the source SQL Server instances. Do not delete the domain controller on the source side until you [create a domain](../../virtual-machines/windows/availability-group-manually-configure-prerequisites-tutorial-multi-subnet.md#create-domain-controllers) on the source side in Azure and add your SQL Server VMs to this new domain.

+## Next steps

+For a tutorial showing you how to migrate a database to SQL Server on Azure Virtual Machines using the T-SQL RESTORE command, seeΓÇ»[Migrate a SQL Server database to SQL Server on a virtual machine](../../virtual-machines/windows/migrate-to-vm-from-sql-server.md).

+For information about SQL Server on Azure Virtual Machines, see the [Overview](../../virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md).

+For information about connecting apps to SQL Server on Azure Virtual Machines, seeΓÇ»[Connect applications](../../virtual-machines/windows/ways-to-connect-to-sql.md).

+ Title: Use distributed AG to migrate availability group

+description: Learn to use a distributed availability group (AG) to migrate a database (or multiple databases) from a source SQL Server Always On availability group to a target SQL Server on Azure VM.

+# Use distributed AG to migrate availability group

+Use a [distributed availability group (AG)](/sql/database-engine/availability-groups/windows/distributed-availability-groups) to migrate databases in an Always On availability group while maintaining high availability and disaster recovery (HADR) support post migration on your SQL Server on Azure Virtual Machines (VMs).

+Once you've validated your source SQL Server instances meet the [prerequisites](sql-server-distributed-availability-group-migrate-prerequisites.md), follow the steps in this article to create a distributed availability between your existing availability group, and your target availability group on your SQL Server on Azure VMs.

+This article is intended for databases participating in an availability group, and requires a Windows Server Failover Cluster (WSFC) and an availability group listener. It's also possible to [migrate databases from a standalone SQL Server instance](sql-server-distributed-availability-group-migrate-standalone-instance.md).

+## Initial setup

+The first step is to create your SQL Server VMs in Azure. You can do so by using the [Azure portal](../../virtual-machines/windows/sql-vm-create-portal-quickstart.md), [Azure PowerShell](../../virtual-machines/windows/sql-vm-create-powershell-quickstart.md), or an [ARM template](../../virtual-machines/windows/create-sql-vm-resource-manager-template.md).

+Be sure to configure your SQL Server VMs according to the [prerequisites](sql-server-distributed-availability-group-migrate-prerequisites.md). Choose between a single subnet deployment, which relies on an Azure Load Balancer or distributed network name to route traffic to your availability group listener, or a multi-subnet deployment which does not have such a requirement. The multi-subnet deployment is recommended. To learn more, see [connectivity](../../virtual-machines/windows/availability-group-overview.md#connectivity).

+For simplicity, join your target SQL Server VMs to the same domain as your source SQL Server instances. Otherwise, join your target SQL Server VM to a domain that's federated with the domain of your source SQL Server instances.

+To use automatic seeding to create your distributed availability group (DAG), the instance name for the global primary (source) of the DAG must match the instance name of the forwarder (target) of the DAG. If there is an instance name mismatch between the global primary and forwarder, then you must use manual seeding to create the DAG, and manually add any additional database files in the future.

+This article uses the following example parameters:

+- Database name: **Adventureworks**

+- Source machine names : **OnPremNode1** (global primary in DAG), **OnPremNode2**

+- Source SQL Server instance names: **MSSQLSERVER**, **MSSQLSERVER**

+- Source availability group name : **OnPremAg**

+- Source availability group listener name: **OnPremAG_LST**

+- Target SQL Server VM names: **SQLVM1** (forwarder in DAG), **SQLVM2**

+- Target SQL Server on Azure VM instance names: **MSSQLSERVER**, **MSSQLSERVER**

+- Target availability group name: **AzureAG**

+- Source availability group listener name: **AzureAG_LST**

+- Endpoint name: **Hadr_endpoint**

+- Distributed availability group name: **DAG**

+- Domain name: **Contoso**

+## Create endpoints

+Use Transact-SQL (T-SQL) to create endpoints on both your two source instances (**OnPremNode1**, **OnPremNode2**) and target SQL Server instances (**SQLVM1**, **SQLVM2**).

+If you already have an availability group configured on the source instances, only run this script on the two target instances.

+To create your endpoints, run this T-SQL script on both source and target servers:

+```sql

+CREATE ENDPOINT [Hadr_endpoint]

+ STATE=STARTED

+ AS TCP (LISTENER_PORT = 5022, LISTENER_IP = ALL)

+FOR DATA_MIRRORING (

+ ROLE = ALL,

+ AUTHENTICATION = WINDOWS NEGOTIATE,

+ ENCRYPTION = REQUIRED ALGORITHM AES

+)

+GO

+```

+Domain accounts automatically have access to endpoints, but service accounts may not automatically be part of the sysadmin group and may not have connect permission. To manually grant the SQL Server service account connect permission to the endpoint, run the following T-SQL script on both servers:

+```sql

+GRANT CONNECT ON ENDPOINT::[Hadr_endpoint] TO [<your account>]

+```

+## Create source AG

+Since a distributed availability group is a special availability group that spans across two individual availability groups, you first need to create an availability group on the two source SQL Server instances.

+If you already have an availability group on your source instances, skip this section.

+Use Transact-SQL (T-SQL) to create an availability group (**OnPremAG**) between your two source instances (**OnPremNode1**, **OnPremNode2**) for the example **Adventureworks** database.

+To create the availability group on the source instances, run this script on the source primary replica (**OnPremNode1**):

+```sql

+CREATE AVAILABILITY GROUP [OnPremAG]

+WITH ( AUTOMATED_BACKUP_PREFERENCE = PRIMARY,

+ DB_FAILOVER = OFF,

+ DTC_SUPPORT = NONE,

+FOR DATABASE [Adventureworks]

+REPLICA ON

+ N'OnPremNode1' WITH (ENDPOINT_URL = N'TCP://OnPremNode1.contoso.com:5022',

+ FAILOVER_MODE = AUTOMATIC,

+ AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,

+ SEEDING_MODE = AUTOMATIC,

+ SECONDARY_ROLE(ALLOW_CONNECTIONS = NO)),

+ N'OnPremNode2' WITH (ENDPOINT_URL = N'TCP://OnPremNode2.contoso.com:5022',

+ FAILOVER_MODE = AUTOMATIC,

+ AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,

+ SEEDING_MODE = AUTOMATIC,

+ SECONDARY_ROLE(ALLOW_CONNECTIONS = NO));

+```

+Next, to join the secondary replica (**OnPremNode2**) to the availability group (**OnPremAg**).

+To join the availability group, run this script on the source secondary replica:

+```sql

+ALTER AVAILABILITY GROUP [OnPremAG] JOIN;

+GO

+ALTER AVAILABILITY GROUP [OnPremAG] GRANT CREATE ANY DATABASE;

+GO

+```

+Finally, create the listener for your global forwarder availability group (**OnPremAG**).

+To create the listener, run this script on the source primary replica:

+```sql

+USE [master]

+GO

+ALTER AVAILABILITY GROUP [OnPremAG]

+ADD LISTENER N'OnPremAG_LST' (

+WITH IP ((<available static ip>, <mask>)

+, PORT=60173);

+GO

+```

+## Create target AG

+You also need to create an availability group on the target SQL Server VMs as well.

+If you already have an availability group configured between your SQL Server instances in Azure, skip this section.

+Use Transact-SQL (T-SQL) to create an availability group (**AzureAG**) on the target SQL Server instances (**SQLVM1** and **SQLVM2**).

+To create the availability group on the target, run this script on the target primary replica:

+```sql

+CREATE AVAILABILITY GROUP [AzureAG]

+FOR

+ REPLICA ON N'SQLVM1' WITH (ENDPOINT_URL = N'TCP://SQLVM1.contoso.com:5022',

+ FAILOVER_MODE = MANUAL,

+ AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,

+ BACKUP_PRIORITY = 50,

+ SECONDARY_ROLE(ALLOW_CONNECTIONS = NO),

+ SEEDING_MODE = AUTOMATIC),

+N'SQLVM2' WITH (ENDPOINT_URL = N'TCP://SQLVM2.contoso.com:5022',

+ FAILOVER_MODE = MANUAL,

+ AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,

+ BACKUP_PRIORITY = 50,

+ SECONDARY_ROLE(ALLOW_CONNECTIONS = NO),

+ SEEDING_MODE = AUTOMATIC);

+GO

+```

+Next, join the target secondary replica (**SQLVM2**) to the availability group (**AzureAG**).

+Run this script on the target secondary replica:

+```sql

+ALTER AVAILABILITY GROUP [AzureAG] JOIN;

+GO

+ALTER AVAILABILITY GROUP [AzureAG] GRANT CREATE ANY DATABASE;

+GO

+```

+Finally, create a listener (**AzureAG_LST**) for your target availability group (**AzureAG**). If you deployed your SQL Server VMs to multiple subnets, create your listener using Transact-SQL. If you deployed your SQL Server VMs to a single subnet, configure either an [Azure Load Balancer](../../virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure.md), or a [distributed network name](../../virtual-machines/windows/availability-group-distributed-network-name-dnn-listener-configure.md) for your listener.

+To create your listener, run this script on the primary replica of the availability group in Azure.

+```sql

+ALTER AVAILABILITY GROUP [AzureAG]

+ADD LISTENER N'AzureAG_LST' (

+WITH IP

+( (N'<primary replica's secondary ip >', N'<primary mask>'), (N'<secondary replica's secondary ip>', N'<secondary mask>') )

+, PORT=<port number you set>);

+GO

+```

+## Create distributed AG

+After you have your source (**OnPremAG**) and target (**AzureAG**) availability groups configured, create your distributed availability group to span both individual availability groups.

+Use Transact-SQL on the source SQL Server global primary (**OnPremNode1**) and AG (**OnPremAG**) to create the distributed availability group (**DAG**).

+To create the distributed AG on the source, run this script on the source global primary:

+```sql

+CREATE AVAILABILITY GROUP [DAG]

+ WITH (DISTRIBUTED)

+ AVAILABILITY GROUP ON

+ 'OnPremAG' WITH

+ (

+ LISTENER_URL = 'tcp://OnPremAG_LST.contoso.com:5022',

+ AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,

+ FAILOVER_MODE = MANUAL,

+ SEEDING_MODE = AUTOMATIC

+ ),

+ 'AzureAG' WITH

+ (

+ LISTENER_URL = 'tcp://AzureAG_LST.contoso.com:5022',

+ AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,

+ FAILOVER_MODE = MANUAL,

+ SEEDING_MODE = AUTOMATIC

+ );

+GO

+```

+>[!NOTE]

+> The seeding mode is set to `AUTOMATIC` as the version of SQL Server on the target and source is the same. If your SQL Server target is a higher version, or if your global primary and forwarder have different instance names, then create the distributed ag, and join the secondary AG to the distributed ag with **SEEDING_MODE** set to `MANUAL`. Then manually restore your databases from the source to the target SQL Server instance. Review [upgrading versions during migration](/sql/database-engine/availability-groups/windows/distributed-availability-groups#cautions-when-using-distributed-availability-groups-to-migrate-to-higher-sql-server-versions) to learn more.

+After your distributed AG is created, join the target AG (**AzureAG**) on the target forwarder instance (**SQLVM1**) to the distributed AG (**DAG**).

+To join the target AG to the distributed AG, run this script on the target forwarder:

+```sql

+ALTER AVAILABILITY GROUP [DAG]

+ JOIN

+ AVAILABILITY GROUP ON

+ 'OnPremAG' WITH

+ (

+ LISTENER_URL = 'tcp://OnPremAG_LST.contoso.com:5022',

+ AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,

+ FAILOVER_MODE = MANUAL,

+ SEEDING_MODE = AUTOMATIC

+ ),

+ 'AzureAG' WITH

+ (

+ LISTENER_URL = 'tcp://AzureAG_LST.contoso.com:5022',

+ AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,

+ FAILOVER_MODE = MANUAL,

+ SEEDING_MODE = AUTOMATIC

+ );

+GO

+```

+If you need to cancel, pause, or delay synchronization between the source and target availability groups (such as, for example, performance issues), run this script on the source global primary instance (**OnPremNode1**):

+```sql

+ALTER AVAILABILITY GROUP [DAG]

+ MODIFY

+ AVAILABILITY GROUP ON

+ 'AzureAG' WITH

+ ( SEEDING_MODE = MANUAL );

+```

+To learn more, review [cancel automatic seeding to forwarder](/sql/database-engine/availability-groups/windows/configure-distributed-availability-groups#cancel-automatic-seeding-to-forwarder).

+## Next steps

+After your distributed availability group is created, you are ready to [complete the migration](sql-server-distributed-availability-group-complete-migration.md).

+ Title: "Prerequisites: Migrate to SQL Server VM using distributed AG"

+description: Review the prerequisites to migrate your SQL Server to SQL Server on Azure VMs using a distributed availability group.

+# Prerequisites: Migrate to SQL Server VM using distributed AG

+Use a [distributed availability group (AG)](/sql/database-engine/availability-groups/windows/distributed-availability-groups) to migrate either a [standalone instance](sql-server-distributed-availability-group-migrate-standalone-instance.md) of SQL Server or an [Always On availability group](sql-server-distributed-availability-group-migrate-ag.md) to SQL Server on Azure Virtual Machines (VMs).

+This article describes the prerequisites to prepare your source and target environments to migrate your SQL Server instance or availability group to SQL Server VMs using a distributed ag.

+Migrating a database (or multiple databases) from a standalone instance using a distributed availability group is a simple solution that does not require a Windows Server Failover Cluster, or an availability group listener on either the source or the target. Migrating an availability group requires a cluster, and a listener on both source and target.

+## Source SQL Server

+To migrate your instance or availability group, your source SQL Server should meet the following prerequisites:

+- For a standalone instance migration, the minimum supported version is SQL Server 2017. For an availability group migration, SQL Server 2016 or later is supported.

+- Your SQL Server edition should be enterprise.

+- You must enable the [Always On feature](/sql/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server).

+- The databases you intend to migrate have been backed up in full mode.

+- If you already have an availability group, it must be in a healthy state. If you create an availability group as part of this process, it must be in a healthy state before you start the migration.

+- Ports used by the SQL Server instance (1433 by default) and the database mirroring endpoint (5022 by default) must be open in the firewall. To migrate databases in an availability group, make sure the port used by the listener is also open in the firewall.

+## Target SQL Server VM

+Before your target SQL Server VMs are ready for migration, make sure they meet the following prerequisites:

+- The Azure account performing the migration is assigned as the owner or contributor to the resource group that contains target the SQL Server VMs.

+- To use automatic seeding to create your distributed availability group (DAG), the instance name for the global primary (source) of the DAG must match the instance name of the forwarder (target) of the DAG. If there is an instance name mismatch between the global primary and forwarder, then you must use manual seeding to create the DAG, and manually add any additional database files in the future.

+- For simplicity, the target SQL Server instance should match the version of the source SQL Server instance. If you choose to upgrade during the migration process by using a higher version of SQL Server on the target, then you will need to manually seed your database rather than relying on autoseeding as is provided in this series of articles. Review [Migrate to higher SQL Server versions](/sql/database-engine/availability-groups/windows/distributed-availability-groups#cautions-when-using-distributed-availability-groups-to-migrate-to-higher-sql-server-versions) for more details.

+- The SQL Server edition should be enterprise.

+- You must enable the [Always On feature](/sql/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server).

+- Ports used by the SQL Server instance (1433 by default) and the database mirroring endpoint (5022 by default) must be open in the firewall. To migrate databases in an availability group, make sure the port used by the listener is also open in the firewall.

+## Connectivity

+The source and target SQL Server instance must have an established network connection.

+If the source SQL Server instance is located on an on-premises network, configure a [Site-to-site VPN connection](/microsoft-365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network) or an [Azure ExpressRoute connection](../../../expressroute/expressroute-introduction.md) between the on-premises network and the virtual network where your target SQL Server VM resides.

+If your source SQL Server instance is located on an Azure virtual network that is different than the target SQL Server VM, then configure [virtual network peering](../../../virtual-network/virtual-network-peering-overview.md).

+## Authentication

+To simplify authentication between your source and target SQL Server instance, join both servers to the same domain, preferably with the domain being on the source side and apply domain-based authentication. Since this is the recommended approach, the steps in this tutorial series assume both source and target SQL Server instance are part of the same domain.

+If the source and target servers are part of different domains, configure [federation](../../../active-directory/hybrid/whatis-fed.md) between the two domains, or configure a [domain-independent availability group](../../virtual-machines/windows/availability-group-clusterless-workgroup-configure.md).

+## Next steps

+Once you have configured both source and target environment to meet the prerequisites, you're ready to migrate either your [standalone instance](sql-server-distributed-availability-group-migrate-standalone-instance.md) of SQL Server or an [Always On availability group](sql-server-distributed-availability-group-migrate-ag.md) to your target SQL Server VM(s).

+ Title: Use distributed AG to migrate databases from a standalone instance

+description: Learn to use a distributed availability group (AG) to migrate a database (or multiple databases) from a standalone instance of SQL Server to a target SQL Server on Azure VM.

+# Use distributed AG to migrate databases from a standalone instance

+Use a [distributed availability group (AG)](/sql/database-engine/availability-groups/windows/distributed-availability-groups) to migrate a database (or multiple databases) from a standalone instance of SQL Server to SQL Server on Azure Virtual Machines (VMs).

+Once you've validated your source SQL Server instance meets the [prerequisites](sql-server-distributed-availability-group-migrate-prerequisites.md), follow the steps in this article to create an availability group on your standalone SQL Server instance and migrate your database (or group of databases) to your SQL Server VM in Azure.

+This article is intended for databases on a standalone instance of SQL Server. This solution does not require a Windows Server Failover Cluster (WSFC) or an availability group listener. It's also possible to [migrate databases in an availability group](sql-server-distributed-availability-group-migrate-ag.md).

+## Initial setup

+The first step is to create your SQL Server VM in Azure. You can do so by using the [Azure portal](../../virtual-machines/windows/sql-vm-create-portal-quickstart.md), [Azure PowerShell](../../virtual-machines/windows/sql-vm-create-powershell-quickstart.md), or an [ARM template](../../virtual-machines/windows/create-sql-vm-resource-manager-template.md).

+Be sure to configure your SQL Server VM according to the [prerequisites](sql-server-distributed-availability-group-migrate-prerequisites.md).

+For simplicity, join your target SQL Server VM to the same domain as your source SQL Server. Otherwise, join your target SQL Server VM to a domain that's federated with the domain of your source SQL Server.

+To use automatic seeding to create your distributed availability group (DAG), the instance name for the global primary (source) of the DAG must match the instance name of the forwarder (target) of the DAG. If there is an instance name mismatch between the global primary and forwarder, then you must use manual seeding to create the DAG, and manually add any additional database files in the future.

+This article uses the following example parameters:

+- Database name: **Adventureworks**

+- Source machine name (global primary in DAG): **OnPremNode**

+- Source SQL Server instance name: **MSSQLSERVER**

+- Source availability group name: **OnPremAg**

+- Target SQL Server VM name (forwarder in DAG): **SQLVM**

+- Target SQL Server on Azure VM instance name: **MSSQLSERVER**

+- Target availability group name: **AzureAG**

+- Endpoint name: **Hadr_endpoint**

+- Distributed availability group name: **DAG**

+- Domain name: **Contoso**

+## Create endpoints

+Use Transact-SQL (T-SQL) to create endpoints on both your source (**OnPremNode**) and target (**SQLVM**) SQL Server instances.

+To create your endpoints, run this T-SQL script on both source and target servers:

+```sql

+CREATE ENDPOINT [Hadr_endpoint]

+ STATE=STARTED

+ AS TCP (LISTENER_PORT = 5022, LISTENER_IP = ALL)

+FOR DATA_MIRRORING (

+ ROLE = ALL,

+ AUTHENTICATION = WINDOWS NEGOTIATE,

+ ENCRYPTION = REQUIRED ALGORITHM AES

+)

+GO

+```

+Domain accounts automatically have access to endpoints, but service accounts may not automatically be part of the sysadmin group and may not have connect permission. To manually grant the SQL Server service account connect permission to the endpoint, run the following T-SQL script on both servers:

+```sql

+GRANT CONNECT ON ENDPOINT::[Hadr_endpoint] TO [<your account>]

+```

+## Create source AG

+Since a distributed availability group is a special availability group that spans across two individual availability groups, you first need to create an availability group on the source SQL Server instance. If you already have an availability group that you would like to maintain in Azure, then [migrate your availability group](sql-server-distributed-availability-group-migrate-ag.md) instead.

+Use Transact-SQL (T-SQL) to create an availability group (**OnPremAg**) on the source (**OnPremNode**) instance for the example **Adventureworks** database.

+To create the availability group, run this script on the source:

+```sql

+CREATE AVAILABILITY GROUP [OnPremAG]

+ WITH (AUTOMATED_BACKUP_PREFERENCE = PRIMARY,

+ DB_FAILOVER = OFF,

+ DTC_SUPPORT = NONE,

+ CLUSTER_TYPE=NONE,

+ FOR DATABASE [Adventureworks]

+REPLICA ON N'OnPremNode'

+WITH (ENDPOINT_URL = N'TCP://OnPremNode.contoso.com:5022', FAILOVER_MODE = MANUAL,

+AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,

+SEEDING_MODE = AUTOMATIC, SECONDARY_ROLE(ALLOW_CONNECTIONS = NO));

+GO

+```

+## Create target AG

+You also need to create an availability group on the target SQL Server VM as well.

+Use Transact-SQL (T-SQL) to create an availability group (**AzureAG**) on the target (**SQLVM**) instance.

+To create the availability group, run this script on the target:

+```sql

+CREATE AVAILABILITY GROUP [AzureAG]

+ WITH (AUTOMATED_BACKUP_PREFERENCE = PRIMARY,

+ DB_FAILOVER = OFF,

+ DTC_SUPPORT = NONE,

+ CLUSTER_TYPE=NONE,

+ REQUIRED_SYNCHRONIZED_SECONDARIES_TO_COMMIT = 0)

+FOR REPLICA ON N'SQLVM'

+WITH (ENDPOINT_URL = N'TCP://SQLVM.contoso.com:5022', FAILOVER_MODE = MANUAL,

+AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,

+SEEDING_MODE = AUTOMATIC,SECONDARY_ROLE(ALLOW_CONNECTIONS = NO));

+GO

+```

+## Create distributed AG

+After you have your source (**OnPremAG**) and target (**AzureAG**) availability groups configured, create your distributed availability group to span both individual availability groups.

+Use Transact-SQL on the source SQL Server instance (**OnPremNode**) and AG (**OnPremAG**) to create the distributed availability group (**DAG**).

+To create the distributed AG, run this script on the source:

+```sql

+CREATE AVAILABILITY GROUP [DAG]

+ WITH (DISTRIBUTED)

+ AVAILABILITY GROUP ON

+ 'OnPremAG' WITH

+ (

+ LISTENER_URL = 'tcp://OnPremNode.contoso.com:5022',

+ AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,

+ FAILOVER_MODE = MANUAL,

+ SEEDING_MODE = AUTOMATIC

+ ),

+ 'AzureAG' WITH

+ (

+ LISTENER_URL = 'tcp://SQLVM.contoso.com:5022',

+ AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,

+ FAILOVER_MODE = MANUAL,

+ SEEDING_MODE = AUTOMATIC

+ );

+GO

+```

+>[!NOTE]

+> The seeding mode is set to `AUTOMATIC` as the version of SQL Server on the target and source is the same. If your SQL Server target is a higher version, or if your global primary and forwarder have different instance names, then create the distributed ag, and join the secondary AG to the distributed ag with **SEEDING_MODE** set to `MANUAL`. Then manually restore your databases from the source to the target SQL Server instance. Review [upgrading versions during migration](/sql/database-engine/availability-groups/windows/distributed-availability-groups#cautions-when-using-distributed-availability-groups-to-migrate-to-higher-sql-server-versions) to learn more.

+After your distributed AG is created, join the target AG (**AzureAG**) on the target instance (**SQLVM**) to the distributed AG (**DAG**).

+To join the target AG to the distributed AG, run this script on the target:

+```sql

+ALTER AVAILABILITY GROUP [DAG]

+JOIN

+AVAILABILITY GROUP ON

+ 'OnPremAG' WITH

+ (LISTENER_URL = 'tcp://OnPremNode.contoso.com:5022',

+ AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,

+ FAILOVER_MODE = MANUAL,

+ SEEDING_MODE = AUTOMATIC

+ ),

+ 'AzureAG' WITH

+ (LISTENER_URL = 'tcp://SQLVM.contoso.com:5022',

+ AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,

+ FAILOVER_MODE = MANUAL,

+ SEEDING_MODE = AUTOMATIC

+ );

+GO

+```

+If you need to cancel, pause, or delay synchronization between the source and target availability groups (such as, for example, performance issues), run this script on the source global primary instance (**OnPremNode**):

+```sql

+ALTER AVAILABILITY GROUP [DAG]

+ MODIFY

+ AVAILABILITY GROUP ON

+ 'AzureAG' WITH

+ ( SEEDING_MODE = MANUAL );

+```

+To learn more, review [cancel automatic seeding to forwarder](/sql/database-engine/availability-groups/windows/configure-distributed-availability-groups#cancel-automatic-seeding-to-forwarder).

+## Next steps

+After your distributed availability group is created, you are ready to [complete the migration](sql-server-distributed-availability-group-complete-migration.md).

+**Verify permissions for your Azure account** | Your Azure account needs Contributor or Owner permissions on the Azure subscription, permissions to register Azure Active Directory (Azure AD) apps, and User Access Administrator permissions on the Azure subscription to create a Key Vault, to create a VM, and to write to an Azure managed disk.

+| **[Distributed availability group](sql-server-distributed-availability-group-migrate-prerequisites.md)** | SQL Server 2016| SQL Server 2016 | [Azure VM storage limit](../../../index.yml) | A [distributed availability group](/sql/database-engine/availability-groups/windows/distributed-availability-groups) is a special type of availability group that spans two separate availability groups. The availability groups that participate in a distributed availability group do not need to be in the same location and include cross-domain support. <br /><br /> This method minimizes downtime, use when you have an availability group configured on-premises. <br /><br /> **Automation & scripting**: [T-SQL](/sql/t-sql/statements/alter-availability-group-transact-sql) |

+## January 2022

+| **Migrate with distributed AG** | It's now possible to migrate your database(s) from a [standalone instance](../../migration-guides/virtual-machines/sql-server-distributed-availability-group-migrate-standalone-instance.md) of SQL Server or an [entire availability group](../../migration-guides/virtual-machines/sql-server-distributed-availability-group-migrate-ag.md) over to SQL Server on Azure VMs using a distributed availability group! See the [prerequisites](../../migration-guides/virtual-machines/sql-server-distributed-availability-group-migrate-prerequisites.md) to get started. |

+## 2021

+| **Deployment configuration improvements** | It's now possible to configure the following options when deploying your SQL Server VM from an Azure Marketplace image: System database location, number of tempdb data files, collation, max degree of parallelism, min and max server memory settings, and optimize for ad hoc workloads. Review [Deploy SQL Server VM](create-sql-vm-portal.md) to learn more. |

+| **Automated backup improvements** | The possible maximum automated backup retention period has changed from 30 days to 90, and you're now able to choose a specific container within the storage account. Review [automated backup](automated-backup.md) to learn more. |

+| **Tempdb configuration** | You can now modify tempdb settings directly from the [SQL virtual machines](manage-sql-vm-portal.md) blade in the Azure portal, such as increasing the size, and adding data files. |

+| **Eliminate need for HADR Azure Load Balancer or DNN** | Deploy your SQL Server VMs to multiple subnets to eliminate the dependency on the Azure Load Balancer or distributed network name (DNN) to route traffic to your high availability / disaster recovery (HADR) solution! See the [multi-subnet availability group](availability-group-manually-configure-prerequisites-tutorial-multi-subnet.md) tutorial, or [prepare SQL Server VM for FCI](failover-cluster-instance-prepare-vm.md#subnets) article to learn more. |

+| **SQL Assessment** | It's now possible to assess the health of your SQL Server VM in the Azure portal using [SQL Assessment](sql-assessment-for-sql-vm.md) to surface recommendations that improve performance, and identify missing best practices configurations. This feature is currently in preview. |

+| **Migrate high availability to VM** | Azure Migrate brings support to lift and shift your entire high availability solution to SQL Server on Azure VMs! Bring your [availability group](../../migration-guides/virtual-machines/sql-server-availability-group-to-sql-on-azure-vm.md) or your [failover cluster instance](../../migration-guides/virtual-machines/sql-server-failover-cluster-instance-to-sql-on-azure-vm.md) to SQL Server VMs using Azure Migrate today!

+Update-AzSqlVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -SqlManagementType Full

+## Create the Video Analyzer account

+## Run the module as a local user

+### Create and use a local user account

+### Grant permissions to device storage

+| | Contributor | Resource group in which VM will be deployed | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Resources/subscriptions/resourceGroups/write Microsoft.DomainRegistration/domains/write, Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action |

+ }

+ },

+ }

+ ]

+ }

+# Create tasks to prepare and complete jobs on Batch compute nodes

+An Azure Batch job often requires some form of setup before its tasks are executed. It also may require post-job maintenance when its tasks are completed. For example, you might need to download common task input data to your compute nodes, or upload task output data to Azure Storage after the job completes. You can use **job preparation** and **job release** tasks to perform these operations.

+ Title: Create an Azure Batch pool without public IP addresses (preview)

+description: Learn how to create an Azure Batch pool without public IP addresses.

+# Create an Azure Batch pool without public IP addresses (preview)

+> [!IMPORTANT]

+> Support for pools without public IP addresses in Azure Batch is currently in public preview for the following regions: France Central, East Asia, West Central US, South Central US, West US 2, East US, North Europe, East US 2, Central US, West Europe, North Central US, West US, Australia East, Japan East, Japan West.

+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+> On June 11, 2020, Microsoft announced that it will not sell facial recognition technology to police departments in the United States until strong regulation, grounded in human rights, has been enacted. As such, customers may not use facial recognition features or functionality included in Azure Services, such as Face or Video Indexer, if a customer is, or is allowing use of such services by or for, a police department in the United States. When you create a new Face resource, you must acknowledge and agree in the Azure Portal that you will not use the service by or for a police department in the United States and that you have reviewed the Responsible AI documentation and will use this service in accordance with it.

+ Title: Export knowledge bases - QnA Maker

+description: Exporting a knowledge base requires exporting from one knowledge base, then importing into another.

+# Move a knowledge base using export-import

+You may want to create a copy of your knowledge base for several reasons:

+* Copy a knowledge base from QnA Maker GA to Custom question answering

+* To implement a backup and restore process

+* Integrate with your CI/CD pipeline

+* When you wish to move your data to different regions

+## Prerequisites

+> * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.

+> * A [QnA Maker resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource.

+> * Set up a new [QnA Maker service](../How-To/set-up-qnamaker-service-azure.md)

+## Export a knowledge base

+1. Sign in to [QnA Maker portal](https://qnamaker.ai).

+1. Select the knowledge base you want to move.

+1. On the **Settings** page, you have the options to export **QnAs**, **Synonyms**, or **Knowledge Base Replica**. You can choose to download the data in .tsv/.xlsx.

+ 1. **QnAs**: When exporting QnAs, all QnA pairs (with questions, answers, metadata, follow-up prompts, and the data source names) are downloaded. The QnA IDs that are exported with the questions and answers may be used to update a specific QnA pair using the [update API](/rest/api/cognitiveservices/qnamaker/knowledgebase/update). The QnA ID for a specific QnA pair remains unchanged across multiple export operations.

+ 2. **Synonyms**: You can export Synonyms that have been added to the knowledge base.

+ 4. **Knowledge Base Replica**: If you want to download the entire knowledge base with synonyms and other settings, you can choose this option.

+## Import a knowledge base

+1. Click **Create a knowledge base** from the top menu of the qnamaker.ai portal and then create an _empty_ knowledge base by not adding any URLs or files. Set the name of your choice for the new knowledge base and then ClickΓÇ»**Create your KB**.

+1. In this new knowledge base, open the **Settings** tab and and under _Import knowledge base_ select one of the following options: **QnAs**, **Synonyms**, or **Knowledge Base Replica**.

+ 1. **QnAs**: This option imports all QnA pairs. **The QnA pairs created in the new knowledge base shall have the same QnA ID as present in the exported file**. You can refer [SampleQnAs.xlsx](https://aka.ms/qnamaker-sampleqnas), [SampleQnAs.tsv](https://aka.ms/qnamaker-sampleqnastsv) to import QnAs.

+ 2. **Synonyms**: This option can be used to import synonyms to the knowledge base. You can refer [SampleSynonyms.xlsx](https://aka.ms/qnamaker-samplesynonyms), [SampleSynonyms.tsv](https://aka.ms/qnamaker-samplesynonymstsv) to import synonyms.

+ 3. **Knowledge Base Replica**: This option can be used to import KB replica with QnAs, Synonyms and Settings. You can refer [KBReplicaSampleExcel](https://aka.ms/qnamaker-samplereplica), [KBReplicaSampleTSV](https://aka.ms/qnamaker-samplereplicatsv) for more details. If you also want to add unstructured content to the replica, refer [CustomQnAKBReplicaSample](https://aka.ms/qnamaker-samplev2replica).

+ Either QnAs or Unstructured content is required when importing replica. Unstructured documents are only valid for Custom question answering.

+ Synonyms file is not mandatory when importing replica.

+ Settings file is mandatory when importing replica.

+ |Settings|Update permitted when importing to QnA Maker KB?|Update permitted when importing to Custom question answering KB?|

+ |:--|--|--|

+ |DefaultAnswerForKB|No|Yes|

+ |EnableActiveLearning (True/False)|Yes|No|

+ |EnableMultiTurnExtraction (True/False)|Yes|Yes|

+ |DefaultAnswerforMultiturn|Yes|Yes|

+ |Language|No|No|

+1. **Test** the new knowledge base using the Test panel. Learn how to [test your knowledge base](../How-To/test-knowledge-base.md).

+1. **Publish** the knowledge base and create a chat bot. Learn how to [publish your knowledge base](../Quickstarts/create-publish-knowledge-base.md#publish-the-knowledge-base).

+ > [!div class="mx-imgBorder"]

+ > 

+## Programmatically export a knowledge base from QnA Maker

+The export/import process is programmatically available using the following REST APIs:

+**Export**

+* [Download knowledge base API](/rest/api/cognitiveservices/qnamaker4.0/knowledgebase/download)

+**Import**

+* [Replace API (reload with same knowledge base ID)](/rest/api/cognitiveservices/qnamaker4.0/knowledgebase/replace)

+* [Create API (load with new knowledge base ID)](/rest/api/cognitiveservices/qnamaker4.0/knowledgebase/create)

+## Chat logs

+There is no way to export chat logs, since the new knowledge base uses Application Insights for storing chat logs.

+## Next steps

+> [!div class="nextstepaction"]

+> [Edit a knowledge base](../How-To/edit-knowledge-base.md)

+| [Computer Vision][cv-containers] | **Read OCR** ([image](https://hub.docker.com/_/microsoft-azure-cognitive-services-vision-read)) | The Read OCR container allows you to extract printed and handwritten text from images and documents with support for JPEG, PNG, BMP, PDF, and TIFF file formats. For more information, see the [Read API documentation](./computer-vision/overview-ocr.md). | Generally Available. |

+* Deployment name

+* You will also need the deployment name.

+* [Search your app with with the Cognitive Search SDK](../../../../search/search-howto-dotnet-sdk.md#run-queries)

+| [Network Traversal Sample]( https://github.com/Azure-Samples/communication-services-network-traversal-hero) | Sample app demonstrating network traversal functionality | Node.js

+| [countAll](data-flow-expression-functions.md#countAll) | Gets the aggregate count of values including NULLs. |

+| [countAllDistinct](data-flow-expression-functions.md#countAllDistinct) | Gets the aggregate count of distinct values of a set of columns including NULLs. |

+<a name="countAll" ></a>

+### <code>countAll</code>

+<code><b>countAll([<i>&lt;value1&gt;</i> : any]) => long</b></code><br/><br/>

+Gets the aggregate count of values including nulls.

+* ``countAll(custId)``

+* ``countAll()``

+___

+<a name="countAllDistinct" ></a>

+### <code>countAllDistinct</code>

+<code><b>countAllDistinct(<i>&lt;value1&gt;</i> : any, [<i>&lt;value2&gt;</i> : any], ...) => long</b></code><br/><br/>

+Gets the aggregate count of distinct values of a set of columns including nulls.

+* ``countAllDistinct(custId, custName)``

+___

+[Learn how to use Expression Builder](concepts-data-flow-expression-builder.md).

+# Quickstart: Use the Copy Data tool in the Azure Data Factory Studio to copy data

+# Quickstart: Create a data factory by using the Azure portal and Azure Data Factory Studio

+| **Communication with suspicious domain identified by threat intelligence**<br>(AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access, Persistence, Execution, Command And Control, Exploitation | Medium |

+|**Communication with suspicious domain identified by threat intelligence**<br>(AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access, Persistence, Execution, Command And Control, Exploitation | Medium |

+| **Communication with suspicious domain identified by threat intelligence**<br>(AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access, Persistence, Execution, Command And Control, Exploitation | Medium |

+| **Communication with suspicious domain identified by threat intelligence**<br>(AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access | Medium |

+For **auto provisioning**, the specific role required depends on the extension you're deploying. For full details, check the tab for the specific extension in the [availability table on the auto provisioning quick start page](enable-data-collection.md#availability).

+- [Communication with suspicious domain alert expanded to included known Log4Shell-related domains](#communication-with-suspicious-domain-alert-expanded-to-included-known-log4shell-related-domains)

+- ['Copy alert JSON' button added to security alert details pane](#copy-alert-json-button-added-to-security-alert-details-pane)

+- [Renamed two recommendations](#renamed-two-recommendations)

+### Communication with suspicious domain alert expanded to included known Log4Shell-related domains

+The following alert was previously only available to organizations who'd enabled the [Microsoft Defender for DNS](defender-for-dns-introduction.md) plan.

+With this update, the alert will also show for subscriptions with the [Microsoft Defender for servers](defender-for-servers-introduction.md) or [Defender for App Service](defender-for-app-service-introduction.md) plan enabled.

+In addition, [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684) has expanded the list of known malicious domains to include domains associated with exploiting the widely publicised vulnerabilities associated with Log4j.

+| Alert (alert type) | Description | MITRE tactics | Severity |

+|-|-|:--:|-|

+| **Communication with suspicious domain identified by threat intelligence**<br>(AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access / Persistence / Execution / Command And Control / Exploitation | Medium |

+### 'Copy alert JSON' button added to security alert details pane

+To help our users quickly share an alert's details with others (for example, SOC analysts, resource owners, and developers) we've added the capability to easily extract all the details of a specific alert with one button from the security alert's details pane.

+The new **Copy alert JSON** button puts the alertΓÇÖs details, in JSON format, into the user's clipboard.

+### Renamed two recommendations

+For consistency with other recommendation names, we've renamed the following two recommendations:

+- Recommendation to resolve vulnerabilities discovered in running container images

+ - Previous name: Vulnerabilities in running container images should be remediated (powered by Qualys)

+ - New name: Running container images should have vulnerability findings resolved

+- Recommendation to enable diagnostic logs for Azure App Service

+ - Previous name: Diagnostic logs should be enabled in App Service

+ - New name: Diagnostic logs in App Service should be enabled

+ Title: Use ARM templates to create multi-VM environments and PaaS resources

+description: Learn how to use Azure Resource Manager (ARM) templates to create multi-VM, platform-as-a-service (PaaS) environments and resources in Azure DevTest Labs.

+# Use ARM templates to create DevTest Labs environments

+Azure multi-tier web apps or SharePoint farms use multiple virtual machines (VMs) with platform-as-a-service (PaaS) resources installed. You can provision these PaaS resources and infrastructure-as-a-service (IaaS) VMs in Azure DevTest Labs by using [Azure Resource Manager (ARM)](../azure-resource-manager/templates/syntax.md) environment templates.

+Multi-VM ARM environment templates use the [Microsoft.Compute/virtualmachines](/azure/templates/microsoft.compute/virtualmachines) resource type. Lab users can use the templates to easily and consistently deploy multiple VMs with preinstalled resources as a single environment. The VMs created with this resource type appear under their environments in the lab's **My environments** list.

+

+You can configure DevTest Labs to load ARM environment templates directly from public or private Git source control repositories. Lab users can then create environments by selecting the templates in the Azure portal, just as they select individual [VM base images](devtest-lab-comparing-vm-base-image-types.md) to create VMs.

+VMs in the same environment share the same lifecycle, and lab users can manage the VMs together. You can track the cost of lab environments and PaaS resources, just as you track costs for individual lab VMs.

+To learn more about the benefits of using ARM templates to deploy, update, or delete multiple lab resources and VMs as a single environment, see [Benefits of using Resource Manager templates](../azure-resource-manager/management/overview.md#the-benefits-of-using-resource-manager).

+Consider these limitations when using ARM environment templates in DevTest Labs:

+- VM auto-shutdown doesn't apply to PaaS resources.

+- Not all lab policies are evaluated when deploying ARM templates. Policies that aren't evaluated include number of VMs per lab user, number of premium VMs per user, and number of premium desks per user. For example, your lab policy might limit users to only five VMs apiece. However, a user can deploy an ARM environment template that creates dozens of VMs.

+<a name="create-your-own-template-repositories"></a>

+<a name="configure-your-own-template-repositories"></a>

+## Use public and private template repositories

+Azure DevTest Labs has a [public ARM template repository](https://github.com/Azure/azure-devtestlab/tree/master/Environments) that includes pre-authored environment templates for Azure Web Apps, an Azure Service Fabric cluster, and development SharePoint farms. The templates have minimal input parameters, for a smooth getting started experience with PaaS resources.

+You can use the public environment templates as-is, or customize them to suit your needs. To suggest revisions or additions to the public templates, submit pull requests against the open-source [GitHub public template repository](https://github.com/Azure/azure-devtestlab/tree/master/Environments)

+You can also [store environment templates in your own Git repositories](devtest-lab-use-resource-manager-template.md#store-arm-templates-in-git-repositories), and [connect those repositories to your lab](devtest-lab-use-resource-manager-template.md#add-template-repositories-to-labs) to make your templates available to all lab users.

+## Enable and configure public environments

+DevTest Labs users don't have to connect to the public template repository externally to use the environment templates. You can enable and configure lab access to the public repository so lab users can access the templates directly from the Azure portal.

+### Enable public environments when you create a lab

+To enable public environment repository access for a lab, make sure **On** is selected in the **Public environments** field when you create the lab. The setting is **On** by default.

+

+### Enable or disable public environments for existing labs

+Existing labs, and labs you create with some ARM templates, might not have public environments enabled. To enable or disable the public environment repository for existing labs:

+1. From the lab's **Overview** page in the Azure portal, select **Configuration and policies** in the left navigation.

+1. On the **Configuration and policies** page, select **Public environments** under **Virtual machine bases** in the left navigation.

+1. Under **Enable Public Environments for this lab**, select **Yes** to enable or **No** to disable public environments.

+### Select available public environment templates

+If you enable public environments, all the environment templates in the repository are available by default. Deselect specific environments to make them unavailable to lab users.

+

+<a name="create-environments-from-templates-in-the-azure-portal"></a>

+## Create environments from templates

+Once you enable the public environment repository or [add a private template repository](devtest-lab-use-resource-manager-template.md#add-template-repositories-to-labs) to your lab, lab users can use the repository templates to create environments.

+To create an environment from a template:

+1. On the lab's **Overview** page, select **Add** from the top toolbar.

+1. On the **Choose a base** page, select the ARM environment template to use. The available environment templates appear first in the list of bases.

+ 

+1. On the **Add** screen, enter an **Environment name**. The ARM template defines the rest of the input fields. As necessary, enter values for input fields that the template *azuredeploy.parameters.json* file defines as blank or default.

+ - For `secure string` parameters, you can use secrets from Azure Key Vault. To learn how to store secrets in a key vault and use them when creating lab resources, see [Store secrets in Azure Key Vault](devtest-lab-store-secrets-in-key-vault.md).

+ - In ARM template files, the `GEN-UNIQUE`, `GEN-UNIQUE-[N]`, `GEN-SSH-PUB-KEY`, and `GEN-PASSWORD` parameter values generate blank input fields for users to input values.

+ 

+1. Select **Add** to create the environment.

+ The environment starts provisioning immediately. You can see the provisioning status under **My environments** on the lab **Overview** page. Provisioning an environment can take a long time.

+1. Once the environment is created, expand the environment under **My environments** to see the list of VMs that the template provisioned.

+ 

+ The deployment creates a new resource group to provision all the environment resources that the ARM template defined. Select the environment name under **My environments** to view the resource group and all the resources the template created.

+ 

+1. Select an environment VM to see available actions for the VM, such as managing configuration, schedules, and policies.

+ 

+## Configure environment user rights

+By default, lab users have **Reader** role in environments, so they can't change environment resources. For example, users can't stop or start resources. To give lab users **Contributor** role so they can edit environment resources:

+1. On the lab's **Overview** page, select **Configuration and policies** from the left navigation.

+1. On the **Configuration and policies** page, select **Lab settings** in the left navigation.

+1. In the **Lab settings** pane, under **Environment access** > **Resource group user rights**, select **Contributor**, and then select **Save**.

+ 

+<a name="automate-deployment-of-environments"></a>

+## Automate environment creation

+If you need to create multiple environments for development or testing scenarios, you can automate environment deployment with Azure PowerShell or Azure CLI.

+You can use the Azure CLI command [az deployment group create](/cli/azure/deployment/group#az_deployment_group_create) to create environments. For more information, see [Deploy resources with Resource Manager templates and Azure CLI](../azure-resource-manager/templates/deploy-cli.md).

+Lab owners and administrators can use Azure PowerShell to create VMs and environments from ARM templates.

+To automate ARM environment template deployment with Azure PowerShell:

+1. Have an ARM environment template [checked in to a Git repository](devtest-lab-use-resource-manager-template.md#configure-your-own-template-repositories), and the repository [added to the lab](devtest-lab-use-resource-manager-template.md#add-template-repositories-to-labs).

+1. Save the following PowerShell script to your computer as *deployenv.ps1*. This script calls the ARM template to create the environment in the lab.

+ # ID of the Azure subscription for the lab

+ # Name of the lab in which to create the environment

+ # Name of the template repository connected to the lab

+ # Name of the environment to create in the lab

+ # the string in $Params will be "-param_TestVMName MyVMName".

+ # Sign in to Azure, or comment out this statement to completely automate environment creation.

+ # Get the user ID to use later in the script.

+ # Get the lab location.

+ # Get information about the repository connected to the lab.

+ # Get information about the ARM template base for the environment.

+ # Build the template parameters by using parameter names and values.

+ # Extract the custom parameters from $Params and format them as name/value pairs.

+ # Create an object to hold the necessary template properties.

+ # Deploy the environment in the lab by using the New-AzResource command.

+1. Run the script, using your own values to replace the example values for:

+ - `SubscriptionId`

+ - `LabName`

+ - `ResourceGroupName`

+ - `RepositoryName`

+ - `TemplateName` (template folder in the Git repository)

+ - `EnvironmentName`

+ ./deployenv.ps1 -SubscriptionId "000000000-0000-0000-0000-0000000000000" -LabName "mydevtestlab" -ResourceGroupName "mydevtestlabRG000000" -RepositoryName "myRepository" -TemplateName "ARM template folder name" -EnvironmentName "myNewEnvironment"

+- [Public ARM environment template repository](https://github.com/Azure/azure-devtestlab/tree/master/Environments)

+- [Azure quickstart template gallery](https://github.com/Azure/azure-quickstart-templates)

+ Title: Create and deploy labs with Azure Resource Manager (ARM) templates

+description: Learn how Azure DevTest Labs uses Azure Resource Manager (ARM) templates to create and configure lab virtual machines (VMs) and environments.

+# Azure Resource Manager (ARM) templates in Azure DevTest Labs

+Azure DevTest Labs can use Azure Resource Manager (ARM) templates for many tasks, from creating and provisioning labs and virtual machines (VMs) to adding users.

+In DevTest Labs, you can:

+- [Use an ARM quickstart template](#arm-quickstart-templates) to deploy a lab with a virtual machine (VM).

+- Create your own ARM templates to use for various tasks. Follow the steps at [Create and deploy ARM templates](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md), and modify the example templates for your needs.

+- Access the public [DevTest Labs GitHub repository](https://github.com/Azure/azure-devtestlab) for preconfigured [ARM templates](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/QuickStartTemplates) and [scripts](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/Scripts) that you can use as-is or customize.

+- [Connect public and private template repositories to DevTest Labs](devtest-lab-use-resource-manager-template.md#add-template-repositories-to-labs), so lab users can use the templates to create and manage their own resources and environments.

+- [Use an ARM template from any available Azure VM base image](devtest-lab-use-resource-manager-template.md) to create more VMs or custom images.

+- [Use ARM environment templates](devtest-lab-create-environment-from-arm.md) to create multi-VM infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) DevTest Labs environments.

+- [Use ARM templates with Azure PowerShell or Azure CLI automation](#arm-template-automation) to create, deploy, and manage labs, environments, and VMs.

+## Single-VM and environment templates

+DevTest Labs often uses ARM templates to create VMs. There are two methods for creating VMs in DevTest Labs. Each method is used for different scenarios and requires different permissions. The ARM template's `resource` property declares the method to use.

+### Microsoft.Compute/virtualmachines environment templates

+ARM templates that use the [Microsoft.Compute/virtualmachines](/azure/templates/microsoft.compute/virtualmachines) resource type provision multiple lab VMs and PaaS resources in a single environment, such as a SharePoint farm. Lab users can use these templates to create multiple-VM environments. VMs created with this resource type appear under the environments in the lab's **My environments** list.

+For more information and instructions for configuring and using environment templates, see [Use ARM templates to create DevTest Labs environments](devtest-lab-create-environment-from-arm.md).

+### Microsoft.DevTestLab/labs/virtualmachines single-VM templates

+ARM templates that use the [Microsoft.DevTestLab/labs/virtualmachines](/azure/templates/microsoft.devtestlab/2018-09-15/labs/virtualmachines) resource type provision individual VM configurations. Each VM created with this resource type appears as a separate item in the lab's **My virtual machines** list. To create and deploy VMs with these templates, you can [use a quickstart template](#arm-quickstart-templates) from the Azure portal. You can also [automate VM deployment](#arm-template-automation) with Azure PowerShell or Azure CLI.

+## ARM quickstart templates

+To use an ARM template to quickly create a DevTest Labs lab with a Windows Server VM, follow the instructions at [Quickstart: Use an ARM template to create a lab in DevTest Labs](create-lab-windows-vm-template.md).

+Or to access DevTest Labs quickstart template from the Azure portal:

+1. In the Azure portal, search for and select **Deploy a custom template**.

+1. On the **Custom deployment** screen, make sure **Quickstart template** is selected, and select the dropdown arrow next to **Quickstart template (disclaimer)**.

+1. Type *devtest* in the filter box, and then select the **dtl-create-lab-windows-vm-claimed** template or other quickstart template from the popup list.

+1. Select **Select template**. You can also select **Edit template** to modify the template.

+## ARM template automation

+Lab administrators can deploy ARM templates with Azure CLI or Azure PowerShell to automate VM creation and management.

+In Azure CLI, use the commands [az lab vm create](/cli/azure/lab/vm#az_lab_vm_create) and [az deployment group create](/cli/azure/deployment/group#az_deployment_group_create) to automate VM creation with ARM templates. For more information and instructions, see [Deploy resources with Resource Manager templates and Azure CLI](../azure-resource-manager/templates/deploy-cli.md).

+In Azure PowerShell, use [New-AzResource](/powershell/module/az.resources/new-azresource) and [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment) to provision VMs with ARM templates.

+Lab administrators can deploy ARM templates to create claimable lab VMs or image factory golden images. Provisioning VMs with PowerShell requires administrator permissions. Lab users can then use the custom images to create VM instances. For more information and instructions, see [Create a DevTest Labs VM with Azure PowerShell](devtest-lab-vm-powershell.md).

+You can automate several other common DevTest Labs tasks by using ARM templates with PowerShell:

+- [Create a custom image from a VHD file using PowerShell](devtest-lab-create-custom-image-from-vhd-using-powershell.md)

+- [Upload a VHD file to a lab's storage account using PowerShell](devtest-lab-upload-vhd-using-powershell.md)

+- [Add an external user to a lab using PowerShell](devtest-lab-add-devtest-user.md#add-an-external-user-to-a-lab-using-powershell)

+- [Create a lab custom role using PowerShell](devtest-lab-grant-user-permissions-to-specific-lab-policies.md#creating-a-lab-custom-role-using-powershell)

+Lab administrators can also automate ARM environment template deployment, to fully manage development and test environments. For information and instructions, see [Automate environment creation](devtest-lab-create-environment-from-arm.md#automate-environment-creation).

+## Next steps

+- [Best practices for creating Azure Resource Manager templates](../azure-resource-manager/templates/best-practices.md) has guidelines and suggestions for creating reliable, easy-to-use ARM templates.

+- [Deploy resources with Resource Manager templates and Azure PowerShell](../azure-resource-manager/templates/deploy-powershell.md) has general information about using Azure PowerShell with ARM templates.

+- The public [DevTest Labs GitHub repository](https://github.com/Azure/azure-devtestlab) has preconfigured [quickstart ARM templates](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/QuickStartTemplates), [PowerShell scripts](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/Scripts), [artifacts](https://github.com/Azure/azure-devtestlab/tree/master/Artifacts), and [environments](https://github.com/Azure/azure-devtestlab/tree/master/Environments) that you can use as-is or customize for your needs.

+- You can explore more ARM templates in the [Azure Quickstart template gallery](https://github.com/Azure/azure-quickstart-templates).

+ Title: Create VMs by using ARM templates

+description: Learn how to view, edit, save, and store ARM virtual machine (VM) templates, and connect template repositories to Azure DevTest Labs.

+# Use ARM templates to create DevTest Labs virtual machines

+You can use Azure Resource Manager (ARM) templates to create preconfigured Azure virtual machines (VMs) in Azure DevTest Labs.

+Single-VM ARM templates use the [Microsoft.DevTestLab/labs/virtualmachines](/azure/templates/microsoft.devtestlab/2018-09-15/labs/virtualmachines) resource type. Each VM created with this resource type appears as a separate item in the lab's **My virtual machines** list.

+You can create your own single-VM ARM templates, access the public [DevTest Labs GitHub repository](https://github.com/Azure/azure-devtestlab) for preconfigured templates, or modify existing ARM templates to meet your needs. Lab users can use your ARM templates to create and deploy Azure VMs.

+This article describes how to:

+- View, edit, and save ARM templates for Azure VMs.

+- Store ARM templates in source control repositories.

+- Connect ARM template repositories to Azure DevTest Labs so lab users can access the templates.

+## View, edit, and save ARM templates for VMs

+You can customize and use an ARM template from any Azure VM base to deploy more of the same VM type in DevTest Labs.

+1. On your lab's **Overview** page, select **Add** on the top toolbar.

+1. On the **Choose a base** page, select the type of VM you want.

+1. On the **Create lab resource** page, configure settings and add desired artifacts to your template VM.

+1. On the **Advanced Settings** tab, select **View ARM template**.

+1. Copy and [save the ARM template](#store-arm-templates-in-git-repositories) to use for creating more VMs.

+ 

+1. If you want to create an instance of the VM now, on the **Basic Settings** tab, select **Create**.

+### Set VM expiration date

+For scenarios such as training, demos, and trials, you might want to delete VMs automatically after a certain date so they don't keep incurring costs. When you create a lab VM from the Azure portal, you can set an expiration date by specifying the **Expiration date** property on the **Advanced settings** tab. For an ARM template that defines the `expirationDate` property, see [Creates a new virtual machine in a Lab with a specified expiration date](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/QuickStartTemplates/101-dtl-create-vm-username-pwd-customimage-with-expiration).

+<a name="configure-your-own-template-repositories"></a>

+<a name="create-your-own-template-repositories"></a>

+## Store ARM templates in Git repositories

+As a best practice for infrastructure as code and configuration as code, store your ARM templates in source control. DevTest Labs can load your ARM templates directly from your GitHub or Azure Repos source control repository. You can then use the templates throughout your release cycle, from development through test to production environments.

+Use the following file structure to store an ARM template in a source control repository:

+- Name the main template file *azuredeploy.json*.

+- To reuse the ARM template, you need to update the `parameters` section of *azuredeploy.json*. You can create a *parameter.json* file that customizes just the parameters, without having to edit the main template file. Name this parameter file *azuredeploy.parameters.json*.

+ 

+ In the parameters file, you can use the parameters `_artifactsLocation` and `_artifactsLocationSasToken` to construct a `parametersLink` URI value for automatically managing nested templates. For more information about nested templates, see [Deploy nested Azure Resource Manager templates for testing environments](deploy-nested-template-environments.md).

+- You can define metadata that specifies the template display name and description in a file named *metadata.json*.

+ ```json

+ {

+ "itemDisplayName": "<template name>",

+ "description": "<template description>"

+ }

+ ```

+The following screenshot shows a typical ARM template folder structure in a repository.

+

+## Add template repositories to labs

+Add your template repositories to your lab so all lab users can access the templates.

+1. On the lab's **Overview** page, select **Configuration and policies** from the left navigation.

+1. On the **Configuration and policies** page, select **Repositories** under **External resources** in the left navigation.

+ On the **Repositories** screen, the **Public Artifact Repo** and **Public Environment Repo** are automatically present for all labs, and connect to the [DevTest Labs public GitHub repository](https://github.com/Azure/azure-devtestlab). If these repos aren't enabled for your lab, you can enable them by selecting the checkboxes next to **Public Artifact Repo** and **Public Environment Repo**, and then selecting **Enable** on the top menu bar. For more information, see [Enable and configure public environments](devtest-lab-create-environment-from-arm.md#enable-and-configure-public-environments).

+1. To add your private ARM template repository to the lab, select **Add** in the top menu bar.

+ 

+1. In the **Repositories** pane, enter the following information:

+ - **Name**: Enter a repository name to use in the lab.

+ - **Git clone URL**: Enter the Git HTTPS clone URL from GitHub or Azure Repos.

+ - **Branch** (optional): Enter the branch that has your ARM template definitions.

+ - **Personal access token**: Enter the personal access token to securely access your repository.

+ - To get a token from Azure Repos, select **User settings** > **Personal access tokens**.

+ - To get your token from GitHub, under your profile, select **Settings** > **Developer settings** > **Personal access tokens**.

+ - **Folder paths**: Enter the folder for your ARM template definitions, relative to the Git clone URI.

+1. Select **Save**.

+ 

+The repository now appears in the **Repositories** list for the lab. Users can now use the repository templates to [create multi-VM DevTest Labs environments](devtest-lab-create-environment-from-arm.md). Lab administrators can use the templates to [automate lab deployment and management tasks](devtest-lab-use-arm-and-powershell-for-lab-resources.md#arm-template-automation).

+- [Best practices for creating Azure Resource Manager templates](../azure-resource-manager/templates/best-practices.md)

+- [Add a Git repository to store custom artifacts and Resource Manager templates](devtest-lab-add-artifact-repo.md)

+- [Use ARM templates to create DevTest Labs environments](devtest-lab-create-environment-from-arm.md)

+- [ARM quickstart templates for DevTest Labs automation](https://github.com/Azure/azure-quickstart-templates)

+> [Enable HTTPS for a custom domain](how-to-configure-https-custom-domain.md)

+An enrollment group is a group of devices that share a specific attestation mechanism. Enrollment groups support X.509 certificate or symmetric key attestation. Devices in an X.509 enrollment group present X.509 certificates that have been signed by the same root or intermediate Certificate Authority (CA). The common name (CN) of each device's end-entity (leaf) certificate becomes the registration ID for that device. Devices in a symmetric key enrollment group present SAS tokens derived from the group symmetric key. The name of the enrollment group as well as the registration IDs presented by devices must be case-insensitive strings (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). For devices in an enrollment group, the registration ID is also used as the device ID that is registered to IoT Hub.

+An individual enrollment is an entry for a single device that may register. Individual enrollments may use either X.509 leaf certificates or SAS tokens (from a physical or virtual TPM) as the attestation mechanisms. The registration ID in an individual enrollment is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). For X.509 individual enrollments, the certificate common name (CN) becomes the registration ID, so the common name must adhere to the registration ID string format. Individual enrollments may have the desired IoT hub device ID specified in the enrollment entry. If it's not specified, the registration ID becomes the device ID that's registered to IoT Hub.

+The registration ID is used to uniquely identify a device registration with the Device Provisioning Service. The registration ID must be unique in the provisioning service [ID scope](#id-scope). Each device must have a registration ID. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`).

+* In the case of X.509-based attestation, the registration ID is set to the common name (CN) of the device certificate. For this reason, the common name must adhere to the registration ID string format.

+First, a unique registration ID is defined for each device authenticating through an enrollment group. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The registration ID should be something unique that identifies the device. For example, a legacy device may not support many security features. The legacy device may only have a MAC address or serial number available to uniquely identify that device. In that case, a registration ID can be composed of the MAC address and serial number similar to the following:

+### Installation of the derived device key

+Leaf certificates used with [Individual enrollment](./concepts-service.md#individual-enrollment) or [Enrollment group](./concepts-service.md#enrollment-group) entries must have the certificate common name (CN) set to the registration ID. The registration ID identifies the device registration with DPS and must be unique to the DPS instance (ID scope) where the device registers. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`).

+For enrollment groups, the certificate common name (CN) also sets the device ID that is registered with IoT Hub. The device ID will be shown in the **Registration Records** for the authenticated device in the enrollment group. For individual enrollments, the device ID can be set in the enrollment entry. If it's not set in the enrollment entry, then the certificate common name (CN) is used.

+ - **Group name**: Enter **mylegacydevices**. The enrollment group name is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`).

+Create unique registration IDs for each device. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`).

+ | **Group name** | The name of the group of devices. The enrollment group name is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`).|

+ **Group name**: Enter *contoso-us-devices*. The enrollment group name is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`).

+1. Generate your unique key using **openssl**. You'll use the following Bash shell script (replace `{primary-key}` with the enrollment group's **Primary Key** that you copied earlier and replace `{contoso-simdevice}`with your own unique registration ID for each device. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`).

+ * **Registration ID**: Enter a registration ID to identify the enrollment. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). For example, *symm-key-device-007*.

+ * **IoT Hub Device ID:** Enter a device identifier. The device ID must comply with the [Device ID string requirements](../iot-hub/iot-hub-devguide-identity-registry.md#device-identity-properties).

+ | `--i` or `--Id` | True | The registration ID when using individual enrollment, or the desired device ID when using group enrollment. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The device ID must comply with the [Device ID string requirements](../iot-hub/iot-hub-devguide-identity-registry.md#device-identity-properties). |

+ The certificate generated by this command has a subject common name (CN) of _iothubx509device1_. For X.509-based enrollments, the [Registration ID](./concepts-service.md#registration-id) is set to the common name. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The common name must adhere to this format.

+2. Create a _leaf_ X.509 certificate by running the script using your own _certificate-name_. For X.509-based enrollments, the leaf certificate's common name becomes the [Registration ID](./concepts-service.md#registration-id). The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The _certificate-name_ parameter must adhere to this format.

+The certificate file has its subject common name (CN) set to `Python-device-01`. For an X.509-based enrollments, the [Registration ID](./concepts-service.md#registration-id) is set to the common name. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The common name must adhere to this format.

+3. Enter **N** for _Do you want to input common name_. This creates a certificate with a subject common name (CN) of _microsoftriotcore_.

+ For an X.509-based enrollments, the [Registration ID](./concepts-service.md#registration-id) is set to the common name. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The common name must adhere to this format.

+ | **Group name** | Enter **contoso-custom-allocated-devices**. The enrollment group name is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). |

+ | **Group name** | For this tutorial, enter **custom-hsm-x509-devices**. The enrollment group name is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). |

+ - The *Registration ID* that is used to uniquely identify a device in the namespace/scope. This may or may not be the same as the device ID. The registration ID is mandatory for every device. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). For TPM-based devices, the registration ID may be derived from the TPM itself, for example, an SHA-256 hash of the TPM Endorsement Key.

+ - The *Registration ID* that is used to uniquely identify a device in the namespace/scope. This may or may not be the same as the device ID. The registration ID is mandatory for every device. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). For X.509 based devices, the registration ID is derived from the certificate's common name (CN), so the common name must adhere to the registration ID string format. For further information on these requirements see [DPS terminology](./concepts-service.md).

+* [Apache Kafka](https://kafka.apache.org/). For more information, see the [Apache Kafka developer guide for Event Hubs](../event-hubs/apache-kafka-developer-guide.md).

+1. Click on the parameters tab at the top of the screen in order to specify the maximum validity period in months that you want. If you need to input the parameters, you can uncheck 'Only show parameters that need input or review' option. Select **audit** or **deny** for the effect of the policy following the guidance in the sections above. Then select the review + create button.

+|[HashiCorp Vault](https://www.hashicorp.com/products/vault)| HashiCorp Vault is an identity-based security solution that leverages trusted sources of identity to keep secrets and application data secure, including API keys, passwords, or certificates. HashiCorp Vaults must be unsealed with an unsealing key to provide access to data. Hardware-backed keys stored in Managed HSM can be used to automatically unseal a HashiCorp Vault and reduce the operational overhead associated with storing and serving this unsealing key. <br>[Documentation](https://www.vaultproject.io/docs/configuration/seal/azurekeyvault)|

+You can sync a lab user list to an existing Azure Active Directory (Azure AD) group so that you don't have to manually add or delete users.

+ - Azure AD groups created through Teams don't show up in this list. You can add the Azure Lab Services app inside Teams to create and manage labs directly from within it. See more information about [managing a labΓÇÖs user list from within Teams](how-to-manage-user-lists-within-teams.md).

+> [Connect to a VM in the classroom lab](tutorial-connect-virtual-machine-classroom-lab.md)

+Azure Load Testing uses Apache JMeter version 5.4.1 for running load tests. You can use Apache JMeter plugins that are available on https://jmeter-plugins.org in your test script.

+For an example of training a model using Scikit-learn, see [Tutorial: Train an image classification model with Azure Machine Learning](tutorial-train-deploy-notebook.md).

+For an example of registering a model, see [Train an image classification model with Azure Machine Learning](tutorial-train-deploy-notebook.md).

+For an example of deploying a model as a web service, see [Tutorial: Train and deploy a model](tutorial-train-deploy-notebook.md).

+* [Tutorial: Train and deploy a model](tutorial-train-deploy-notebook.md)

+* Directly from the [integrated notebooks experience](tutorial-train-deploy-notebook.md#azure)

+- [Tutorial: Train and deploy a model](tutorial-train-deploy-notebook.md)

+* [Tutorial: Train and deploy a model](tutorial-train-deploy-notebook.md) uses a managed compute target to train a model.

+- [Train and deploy a model](tutorial-train-deploy-notebook.md) on Azure Machine Learning with the MNIST dataset.

+- [Train and deploy a model](tutorial-train-deploy-notebook.md) on Azure Machine Learning with the MNIST dataset.

+* A trained machine learning model registered in your workspace. If you do not have a model, use the [Image classification tutorial: train model](tutorial-train-deploy-notebook.md) to train and register one.

+* A trained machine learning model registered in your workspace. If you do not have a model, use the [Image classification tutorial: train model](tutorial-train-deploy-notebook.md) to train and register one.

+- A model and an environment. If you don't have a trained model, you can use the model and dependency files provided in [this tutorial](tutorial-train-deploy-notebook.md).

+The following example demonstrates how to load a registered scikit-learn model and score it by using NumPy data. This example is based on the model and dependencies of [this tutorial](tutorial-train-deploy-notebook.md).

+* A trained machine learning model. To learn more, see the [Train image classification model](tutorial-train-deploy-notebook.md) tutorial.

+- You need a trained machine-learning model to be deployed to AKS. If you don't have a model, see the [Train image classification model](tutorial-train-deploy-notebook.md) tutorial.

+This guide assumes that you have an image classification model registered in Azure Machine Learning. If not, register the model using a [pretrained model](https://github.com/Azure/MachineLearningNotebooks/raw/master/tutorials/image-classification-mnist-dat).

+* Learn to [train image classification models in Azure](./tutorial-train-deploy-notebook.md)

+* See an example of how to register the best model and deploy it in the tutorial, [Train an image classification model with Azure Machine Learning](tutorial-train-deploy-notebook.md).

+For an example, see [Tutorial: Create your first ML experiment](tutorial-train-deploy-notebook.md#azure).

+Once you have a workspace, learn how to [Train and deploy a model](tutorial-train-deploy-notebook.md).

+* [Tutorial: Train and deploy a model](tutorial-train-deploy-notebook.md) uses a managed compute target to train a model.

+* [Tutorial: Train & deploy models](tutorial-train-deploy-notebook.md)

+* [Tutorial: Train & deploy models](tutorial-train-deploy-notebook.md)

+1. Perform an action that requires ACR. For example, the [tutorial on training a model](tutorial-train-deploy-notebook.md).

+ - Learn how to clone sample notebooks in [Tutorial: Train and deploy a model](tutorial-train-deploy-notebook.md).

+Start training your models and tracking the run histories using the new CLI and SDK. You can learn how with the [Tutorial: train models with Azure Machine Learning](tutorial-train-deploy-notebook.md).

+ + [Use a Jupyter notebook to train image classification models](tutorial-train-deploy-notebook.md)

+ + [Use a Jupyter notebook to train image classification models](tutorial-train-deploy-notebook.md)

+- [Train and deploy an image classification model with MNIST](tutorial-train-deploy-notebook.md)

+[Tutorial: Train and deploy a model](tutorial-train-deploy-notebook.md) with Azure Machine Learning.

+* For a walkthrough of how to train with Azure Machine Learning outside of Visual Studio Code, see [Tutorial: Train and deploy a model with Azure Machine Learning](tutorial-train-deploy-notebook.md).

+description: Troubleshoot private plans in the commercial marketplace

+# Troubleshooting Private Plans in the commercial marketplace

+This topic discusses various issues and solutions when troubleshooting private plans.

+| *Solution/offer one-pager (Required)* | Drive awareness among potential customers with a professionally designed one-pager that showcases the value proposition of your solution.<br><br>You can use one of the relevant templates to provide a customer-ready description of your offering:<br><ul><li> [Microsoft Azure one-pager template](https://aka.ms/Customer-One-Pager_MicrosoftAzure)</li><li>[Microsoft Dynamics 365 one-pager template](https://aka.ms/Customer-One-Pager_MicrosoftDynamics365)</li> <li>[Microsoft 365 one-pager template](https://aka.ms/Customer-One-Pager_MicrosoftOffice365) </li><li>[Windows 10 one-pager template](https://aka.ms/Customer-One-Pager_Windows)</li></ul> <br> Microsoft sales teams may share this information with customers to help determine if your offering may be a good fit, and to ensure that it is customer ready. <br><br>A one-pager <i>should not</i> be longer than 10 pages. |

+| *Solution/offer pitch deck (Required)* | You can use the [Customer presentation template](https://aka.ms/GTMServices_CustomerPresentation) to create your pitch deck. This deck should reference the [Reference architecture diagram](reference-architecture-diagram.md). The purpose of this slide deck is to pitch your offer and its value proposition. After ensuring that your offer is customer ready, Microsoft sales teams may share this presentation with customers to articulate the value that your company and Microsoft bring when deploying a joint solution. The presentation should cover what your offer does, how it can help customers, what industries the offer is relevant for, and how it compares with competing solutions. |

+| *Customer case study* (Optional)| Use the [Case study template](https://aka.ms/GTM_Case_Study_Template) to create your customer case study. This information shows a potential customer how you and Microsoft have successfully deployed your offer in prior cases. |

+- For information about commercial marketplace rewards and technical benefits, see [Your commercial marketplace benefits](gtm-your-marketplace-benefits.md).

+1. In the left menu, under **Organization profile**, select **Legal**. Then select the **Developer** tab to view details related to your commercial marketplace account.

+1. Go to **Account settings**.

+1. In the left menu expand **Payout and tax** and select **Payout and tax profiles**.

+1. Then in the left menu expand **Organization profile** and select **Billing profile**.

+- [Add and manage users](add-manage-users.md)

+## Additional resources

+Do you have questions about getting started as a Microsoft commercial marketplace publisher? Here's a list of support options for the commercial marketplace. In addition to the following resources, you can also get many of your questions answered in the [Marketplace channel of C+AI Community Forum](https://www.microsoftpartnercommunity.com/t5/Marketplace/bd-p/2222).

+### Onboarding

+Open a ticket with Microsoft [marketplace publisher support](https://go.microsoft.com/fwlink/?linkid=2165533) for issues with onboarding and getting started.

+### Partner Center

+| Support channel | Description | Availability |

+|: |: |: |

+| For assistance, visit the Create an incident page located at [Marketplace Support](https://go.microsoft.com/fwlink/?linkid=2165533)</li> </ul> | Support for Partner Center. | Support is provided 24x5. |

+|

+### Technical

+| Support channel | Description |

+|: |: |

+| MSDN forums: Marketplace located at [Microsoft Q&A question page](/answers/products/azure) | Microsoft Developer Network forum. |

+| Stack Overflow: Azure located at [stackoverflow.com/questions/tagged/azure](https://stackoverflow.com/questions/tagged/azure) | Stack Overflow environment to get solutions and ask questions about everything related to Azure Marketplace.<ul> <li>Stack Overflow: Azure Marketplace located at [stackoverflow.com/questions/tagged/azure-marketplace](https://stackoverflow.com/questions/tagged/azure-marketplace)</li> <li>Stack Overflow: Azure Resource Manager located at [stackoverflow.com/questions/tagged/azure-resource-manager](https://stackoverflow.com/questions/tagged/azure-resource-manager)</li> <li>Stack Overflow: Virtual Machines on Azure located at [stackoverflow.com/questions/tagged/azure-virtual-machine](https://stackoverflow.com/questions/tagged/azure-virtual-machine)</li> <li>Stack Overflow: Containers on Azure located at [stackoverflow.com/search?q=azure+container](https://stackoverflow.com/search?q=azure+container)</li> </ul> |

+### Marketing resources

+| Support channel | Description | Availability |

+|: |: |: |

+| Email: [cebrand@microsoft.com](mailto:cebrand@microsoft.com) | Answers to questions about usage for Azure logos and branding. | |

+|

+For questions about Marketplace Rewards, contact [Partner Center support](https://partner.microsoft.com/support/v2/?stage=1).

+Learn about important updates in the commercial marketplace program of Partner Center. This page is updated monthly, so be sure to check back!

+| Added a [Revenue Dashboard](revenue-dashboard.md) to Partner Center, including a revenue report, [sample queries](analytics-sample-queries.md#revenue-report-queries), and [FAQs](/analytics-faq#revenue) page. | 2021-12-08 |

+| Offers | Container and container apps offers can now use the Microsoft [Standard Contract](standard-contract.md). | 2021-11-02 |

+| Offers | Private plans for [SaaS offers](plan-saas-offer.md) are now available on AppSource. | 2021-10-06 |

+| Offers | In [Set up an Azure Marketplace subscription for hosted test drives](test-drive-azure-subscription-setup.md), for **Set up for Dynamics 365 apps on Dataverse and Power Apps**, we added a new method to remove users from your Azure tenant. | 2021-10-01 |

+| Policy | The SaaS customer [refund window](/marketplace/refund-policies) is now [72 hours](/marketplace-faq-publisher-guide) for all offers. | 2021-09-01 |

+| Payouts | We've updated the external tax form page, including instructions on how to reconcile 1099-k forms; see questions about tax forms at [Understand IRS tax forms issued by Microsoft](/partner-center/understand-irs-tax-forms). | 2022-01-06 |

+| Taxation | Updated [tax details page](/partner-center/tax-details-marketplace) country list to include the following: <br><br> - Argentina <br> - Bulgaria <br> - Hong Kong SAR <br> - Korea (South) <br>- Pakistan <br> - Palestinian Authority <br> - Panama <br> - Paraguay <br> - Peru <br> - Philippines <br> - Saint Kitts and Nevis <br> - Senegal <br> - Sri Lanka <br> - Tajikistan <br> - Tanzania <br> - Thailand <br> - Trinidad and Tobago <br> - Tunisia <br> - Turkmenistan <br> - Uganda <br> - Uzbekistan <br> - Zimbabwe | 2021-07-01 |

+| Offers | Added a new article, [Troubleshooting Private Plans in the commercial marketplace](azure-private-plan-troubleshooting.md). | 2021-12-13 |

+| Offers | We have updated the names of [Dynamics 365](/marketplace-dynamics-365#licensing-options) offer types: <br><br> - Dynamics 365 for Customer Engagement &amp; PowerApps is now **Dynamics 365 apps on Dataverse and Power Apps** <br> - Dynamics 365 for operations is now **Dynamics 365 Operations Apps** <br> - Dynamics 365 business central is now **Dynamics 365 Business Central** | 2021-12-03 |

+ * West Central US

+ * West US

+ For details, see the how-to guide to [manage credentials](./manage-credentials.md).

+

+ - Refer to [Network architecture best practices](./concept-best-practices-network.md#integration-runtime-options).

+Azure Purview supports labeling of both structured and unstructured data stored across various data sources. Labeling of data within Purview allows users to easily find data that matches pre-defined auto-labeling rules that have been configured in the Microsoft 365 Security and Compliance Center (SCC). Azure Purview extends the use of Microsoft 365 sensitivity labels to assets stored in infrastructure cloud locations and structured data sources.

+## Protect Personal Identifiable Information(PII) with Custom Sensitivity Label for Azure Purview, using Microsoft Information Protection

+Storing and processing of Personal Identifiable Information is subject to special protection. With referring to Regulations labeling of Personal Identifiable Information data is crucial to identify and label sensitive information. The detection and labeling tasks of Personal Identifiable Information can be used on different stages of your workflows and because Personal Identifiable Information is ubiquitous and fluid in your organization it is important to define identification rules for building policies that suit your individual situation

+- If you already have Microsoft 365 sensitivity labels in use in your environment, it is recommended that you continue to use your existing labels rather than making duplicate or more labels for Purview. This approach allows you to maximize the investment you have already made in the Microsoft 365 compliance space and ensures consistent labeling across your data estate.

+> [!WARNING]

+> If you have not already configured autolabeling for files and emails on your sensitivity labels, keep in mind this can have user impact within your Office and Microsoft 365 environment. You may however test autolabeling on database columns without user impact.

+- The default setting for detection criteria is **All of these** which means that the asset must contain all of the specified sensitive info types for the label to be applied. While the default setting may be valid in some instances, many customers prefer to change the setting to **Any of these** meaning that if at least one of them is found the label is applied.

+- [Define your sensitivity labels via Microsoft information Protection is recommended to identify your Personal Identifiable Information at central place](/microsoft-365/compliance/information-protection).

+- [Use Policy templates as a starting point to build your rulesets](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr).

+- [Combine Data Classifications to an individual Ruleset](./supported-classifications.md).

+- [Force Labeling by using auto label functionality](./how-to-automatically-label-your-content.md).

+- Build groups of Sensitivity Labels and store them as dedicated Sensitivity Label Policy ΓÇô for example store all required Sensitivity Labels for Regulatory Rules by using the same Sensitivity Label Policy to publish.

+- Capture all test cases for your labels and test your Label policies with all applications you want to secure.

+- Promote Sensitivity Label Policies to Azure Purview.

+- Run test scans from Purview on different Data Sources (for Example Hybrid-Cloud, On-Premise) to identify Sensitivity Labels.

+- Gather and consider insights (for example by using Purview insights) and use alerting mechanism to mitigate potential breaches of Regulations.

+By using Sensitivity Labels with Azure Purview you are able to extend your Microsoft Information Protection beyond the border of Microsoft Data Estate to your On-prem, Hybrid-Could, Multi-Cloud and SaaS Scenarios.

+- Create a new Azure Purview account. You can [follow our quick-start guide to create one](create-catalog-portal.md).

+### Register Azure Purview as a resource provider in other subscriptions

+Execute this step only if the Storage and Azure Purview accounts are in different subscriptions. Register Azure Purview as a resource provider in the subscription for the Azure Storage account by following this guide: [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md)

+#### Azure Purview account permissions

+- User needs Azure Purview *Data source admins* role at the root collection level to:

+- User needs Azure Purview *Policy authors* role at root collection level to create or edit policies.

+Check the section on managing Azure Purview role assignments in this [guide](how-to-create-and-manage-collections.md).

+> - In addition to Azure Purview *Policy authors* role, user requires *Directory Reader* permission in Azure Active Directory to create data owner policy. Learn more about permissions for [Azure AD Directory Reader](../active-directory/roles/permissions-reference.md#directory-readers)

+> - Azure Purview *Policy author* role is not sufficient to create policies. It also requires Azure Purview *Data source admin* role as well.

+### Register and scan data sources in Azure Purview

+Register and scan each data source with Azure Purview to later define access policies. You can follow these guides:

+> Make sure you write down the **Name** you use when registering a source in Azure Purview. You will need it when you publish a policy. The recommended practice is to make the registered name exactly the same as the endpoint name (i.e. the Storage account name).

+If you would like to use a data source to create access policies in Azure Purview, enable it for access policy through the **Data use governance** toggle, as shown in the picture.

+> - While user needs to have both Azure Storage *Owner* and Azure Purview *Data source admin* to enable a source for *Data use governance*, any of those roles can independently disable it.

+> - Moving data sources to a different resource group or subscription is not yet supported. If want to do that, de-register the data source in Azure Purview before moving it and then register it again after that happens.

+- Should you have multiple Azure Purview accounts, be aware that **all** data sources belonging to a subscription must be registered for *Data use governance* in a single Azure Purview account. That Azure Purview account can be in any subscription in the tenant. The *Data use governance* toggle will become greyed out when there are invalid configurations. Some examples of valid and invalid configurations follow in the diagram below:

+ - **Case 1** shows a valid configuration where a Storage account is registered in an Azure Purview account in the same subscription.

+ - **Case 2** shows a valid configuration where a Storage account is registered in an Azure Purview account in a different subscription.

+ - **Case 3** shows an invalid configuration arising because Storage accounts S3SA1 and S3SA2 both belong to Subscription 3, but are registered to different Azure Purview accounts. In that case, the *Data use governance* toggle will only work in the Azure Purview account that wins and registers a data source in that subscription first. The toggle will then be greyed out for the other data source.

+"

+This section describes the steps for creating, updating, and publishing Azure Purview access policies.

+1. Log in to Azure Purview portal.

+> - Do not create policy statements based on Azure Purview resource sets. Even if displayed in Azure Purview policy authoring UI, they are not yet enforced. Learn more about [resource sets](concept-resource-sets.md).

+Steps to create a new policy in Azure Purview are as follows.

+1. Log in to Azure Purview portal.

+1. Navigate to Azure Purview policy app using the left side panel.

+1. The Policy portal will present the list of existing policies in Azure Purview. Select the policy that needs to be updated.

+1. Log in to Azure Purview portal.

+1. Navigate to the Azure Purview Policy app using the left side panel.

+1. The Policy portal will present the list of existing policies in Azure Purview. Locate the policy that needs to be published. Select the **Publish** button on the right top corner of the page.

+The limit for Azure Purview policies that can be enforced by Storage accounts is 100MB per subscription, which roughly equates to 5000 policies.

+| **Azure Purview policy action** | **Data source specific actions** |

+|[Data Map Capacity unit (CU)](concept-elastic-data-map.md) |1 CU (25 Operations/second throughput and 10 GB metadata storage) | 100 CU (Contact Support for higher CU)|

+|Data Map Storage |10 GB for each Capacity Unit | 1000 GB for for 100 CU (Contact Support for more storage) |

+## Where is Azure RBAC data stored?

+Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region you created the resource.

+When a role assignment or any other Azure RBAC data is deleted, the data is globally deleted. Principals that had access to a resource via Azure RBAC data will lose their access.

+## Why is Azure RBAC data global?

+Azure RBAC data is global to ensure that customers can timely access resources regardless from where they are accessing. Azure RBAC is enforced by Azure Resource Manager, which has a global endpoint and requests are routed to the nearest region for speed and resilience. Therefore, Azure RBAC must be enforced in all regions and the data is replicated to all regions. For more information, see [Resiliency of Azure Resource Manager](../azure-resource-manager/management/overview.md#resiliency-of-azure-resource-manager).

+Consider the following example. Arina creates a virtual machine in East Asia. Bob, who is a member of Arina's team, works in the United States. Bob needs to access the virtual machine that was created in East Asia. To grant Bob timely access to the virtual machine, Azure needs to globally replicate the role assignment that grants Bob access to the virtual machine from anywhere Bob is.

+

+## Monitor with Azure Monitoring Metrics

+Cognitive Search is a monitored resource in Azure Monitor, which means that you can use [Metrics Explorer](/azure/azure-monitor/essentials/data-platform-metrics#metrics-explorer) to see basic metrics about the number of indexer-processed documents and skill invocations. These metrics can be used to monitor indexer progress and [set up alerts](/azure/azure-monitor/alerts/alerts-metric-overview).

+Metric views can be filtered or split up by a set of predefined dimensions.

+| Metric Name | Description | Dimensions | Sample use cases |

+|||||

+| Document processed count | Shows the number of indexer processed documents. | Data source name, failed, index name, indexer name, skillset name | <br> - Can be referenced as a rough measure of throughput (number of documents processed by indexer over time) <br> - Set up to alert on failed documents |

+| Skill execution invocation count | Shows the number of skill invocations. | Data source name, failed, index name, indexer name, skill name, skill type, skillset name | <br> - Reference to ensure skills are invoked as expected by comparing relative invocation numbers between skills and number of skill invocation to the number of documents. <br> - Set up to alert on failed skill invocations |

+The screenshot below shows the number of documents processed by indexers within a service over an hour, split up by indexer name.

+ 

+You can also configure the graph to see the number of skill invocation over the same hour interval.

+ 

+Semantic search is a collection of features that improve the quality of search results. When enabled on your search service, it extends the query execution pipeline in two ways. First, it adds secondary ranking over an initial result set, promoting the most semantically relevant results to the top of the list. Second, it extracts and returns captions and answers in the response, which you can render on a search page to improve the user's search experience.

+ Title: Connect Azure Virtual Desktop to Microsoft Sentinel | Microsoft Docs

+description: Learn to connect your Azure Virtual Desktop data to Microsoft Sentinel.

+# Connect Azure Virtual Desktop data to Microsoft Sentinel

+This article describes how you can monitor your Azure Virtual Desktop environments using Microsoft Sentinel.

+For example, monitoring your Azure Virtual Desktop environments can enable you to provide more remote work using virtualized desktops, while maintaining your organization's security posture.

+## Azure Virtual Desktop data in Microsoft Sentinel

+Azure Virtual Desktop data in Microsoft Sentinel includes the following types:

+|Data |Description |

+|||

+|**Windows event logs** | Windows event logs from the Azure Virtual Desktop environment are streamed into a Microsoft Sentinel-enabled Log Analytics workspace in the same manner as Windows event logs from other Windows machines, outside of the Azure Virtual Desktop environment. <br><br>Install the Log Analytics agent onto your Windows machine and configure the Windows event logs to be sent to the Log Analytics workspace.<br><br>For more information, see:<br>- [Install Log Analytics agent on Windows computers](../azure-monitor/agents/agent-windows.md)<br>- [Collect Windows event log data sources with Log Analytics agent](../azure-monitor/agents/data-sources-windows-events.md)<br>- [Connect Windows security events](connect-windows-security-events.md) |

+|**Microsoft Defender for Endpoint alerts** | To configure Defender for Endpoint for Azure Virtual Desktop, use the same procedure as you would for any other Windows endpoint. <br><br>For more information, see: <br>- [Set up Microsoft Defender for Endpoint deployment](/windows/security/threat-protection/microsoft-defender-atp/production-deployment)<br>- [Connect data from Microsoft 365 Defender to Microsoft Sentinel](connect-microsoft-365-defender.md) |

+|**Azure Virtual Desktop diagnostics** | Azure Virtual Desktop diagnostics is a feature of the Azure Virtual Desktop PaaS service, which logs information whenever someone assigned Azure Virtual Desktop role uses the service. <br><br>Each log contains information about which Azure Virtual Desktop role was involved in the activity, any error messages that appear during the session, tenant information, and user information. <br><br>The diagnostics feature creates activity logs for both user and administrative actions. <br><br>For more information, see [Use Log Analytics for the diagnostics feature in Azure Virtual Desktop](../virtual-desktop/virtual-desktop-fall-2019/diagnostics-log-analytics-2019.md). |

+| | |

+## Connect Azure Virtual Desktop data

+To start ingesting Azure Virtual Desktop data into Microsoft Sentinel, use the instructions from the Azure Virtual Desktop documentation.

+For more information, see [Push Azure Virtual Desktop data to your Log Analytics workspace](../virtual-desktop/diagnostics-log-analytics.md).

+## Find your data

+After a successful connection is established, run queries in Microsoft Sentinel against your Log Analytics data.

+For example, see sample queries from the [Azure Virtual Desktop documentation](../virtual-desktop/diagnostics-log-analytics.md).

+Microsoft Sentinel also provides built-in queries in the **General** > **Logs** > **Azure Virtual Desktop** area:

+[ ](media/connect-windows-virtual-desktop/windows-virtual-desktop-queries.png#lightbox)

+## Next steps

+For more information, see the [Azure Monitor for Azure Virtual Desktop glossary](../virtual-desktop/azure-monitor-glossary.md).

+To take advantage of the data collected with your custom connector, [develop Advanced SIM Information Model (SIEM) parsers](normalization-develop-parsers.md) to work with your connector. Using [ASIM](normalization.md) enables Microsoft Sentinel's built-in content to use your custom data and makes it easier for analysts to query the data.

+If your connector method allows for it, you can implement part of the parsing as part of the connector to improve query time parsing performance:

+You will still need to implement ASIM parsers, but implementing part of the parsing directly with the connector simplifies the parsing and improves performance.

+> [!IMPORTANT]

+>

+> We recommend that your query uses an [Advanced SIEM Information model (ASIM) parser](normalization-about-parsers.md) and not a built-in table. This ensures that the query will support any current or future relevant data source rather than a single data source.

+>

+ > [!IMPORTANT]

+ >

+ > We recommend that your query uses an [Advanced SIEM Information model (ASIM) parser](normalization-about-parsers.md) and not a native table. This will ensure that the query supports any current or future relevant data source rather than a single data source.

+ >

+A typical query starts with a table or parser name followed by a series of operators separated by a pipe character ("\|").

+> [!IMPORTANT]

+>

+> We recommend that your query uses an [Advanced SIEM Information model (ASIM) parser](normalization-about-parsers.md) and not a built-in table. This ensures that the query will support any current or future relevant data source rather than a single data source.

+>

+ > [!IMPORTANT]

+ >

+ > We recommend that your query uses an [Advanced SIEM Information model (ASIM) parser](normalization-about-parsers.md) and not a built-in table. This ensures that the query will support any current or future relevant data source rather than a single data source.

+ >

+

+|**Cybersecurity Maturity Model Certification (CMMC)** | Provides a mechanism for viewing log queries aligned to CMMC controls across the Microsoft portfolio, including Microsoft security offerings, Office 365, Teams, Intune, Azure Virtual Desktop, and so on. <br><br>For more information, see [Cybersecurity Maturity Model Certification (CMMC) Workbook in Public Preview](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-cybersecurity-maturity-model-certification-cmmc/ba-p/2111184).|

+We know that compliance isnΓÇÖt just an annual requirement, and organizations must monitor configurations over time like a muscle. Azure Sentinel's Zero Trust workbook uses the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Azure Virtual Desktop, and many more.

+The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries aligned to CMMC controls across the Microsoft portfolio, including Microsoft security offerings, Office 365, Teams, Intune, Azure Virtual Desktop and many more.

+Microsoft Sentinel also allows you to edit indicators, whether they've been created directly in Microsoft Sentinel, or come from partner sources, like TIP and TAXII servers. For indicators created in Microsoft Sentinel, all fields are editable. For indicators coming from partner sources, only specific fields are editable, including tags, *Expiration date*, *Confidence*, and *Revoked*.

+## Login, logout, and user details

+| User details | `/.auth/me` |

+> [Set user roles programmatically](./assign-roles-microsoft-graph.md)

+ Title: Enterprise-grade edge (preview) in Azure Static Web Apps

+description: Learn about Azure Static Web Apps enterprise-grade edge (Preview)

+# Enterprise-grade edge (Preview)

+Use Azure Static Web Apps enterprise-grade edge (Preview) to enable faster page loads, enhance security, and optimize reliability for your global applications. Enterprise edge combines the capabilities of Azure Static Web Apps, Azure Front Door, and Azure Content Delivery Network (CDN) into a single secure cloud CDN platform.

+Key features of Azure Static Web Apps enterprise-grade edge include:

+* Global presence in 118+ [edge locations](/azure/frontdoor/edge-locations-by-region) across 100 metro cities.

+* Caching assets at the [edge](/azure/frontdoor/front-door-caching).

+* Proactive protection against [Distributed Denial of Service (DDoS) attacks](/azure/frontdoor/front-door-ddos).

+* Native support of end-to-end IPv6 connectivity and [HTTP/2 protocol](/azure/frontdoor/front-door-http2.md).

+* Optimized file compression.

+> [!NOTE]

+> Static Web Apps enterprise-grade edge is currently in preview.

+## Caching

+When enterprise-grade edge is enabled for your static web app, you benefit from caching at various levels.

+* **CDN**: Caching content on edge locations as physically close to users a possible to reduce latency.

+* **DNS**: Caching DNS records for faster lookups.

+* **Browser**: Files are stored in the browser and returned for identical requests.

+For further control, you can also create [custom cache control headers](configuration.md) for your static web app.

+## Configuration types

+You can enable enterprise-grade edge powered by Azure Front Door via a managed experience through the Azure portal, or you [can set it up manually](front-door-manual.md).

+A managed experience provides:

+* Zero configuration changes

+* No downtime

+* Automatically managed SSL certifications and custom domains

+A manual setup gives you full control over the CDN configuration including the chance to:

+* Limit traffic origin by origin

+* Add a web application firewall

+* Use more advanced features of Azure Front Door

+## Enable enterprise-grade edge

+### Prerequisites

+* [Custom domain](./custom-domain.md) configured for your static web app with a time to live (TTL) set to less than 48 hrs.

+* An application deployed with [Azure Static Web Apps](./get-started-portal.md) that uses the Standard hosting plan.

+# [Azure portal](#tab/azure-portal)

+1. Navigate to your static web app in the Azure portal.

+1. Select **Enterprise-grade edge** in the left menu.

+1. Check the box labeled **Enable enterprise-grade edge**.

+1. Select **Save**.

+1. Select **OK** to confirm the save.

+ Enabling this feature incurs extra costs.

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az extension add -n enterprise-edge

+az staticwebapp enterprise-edge enable -n my-static-webapp -g my-resource-group

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Application configuration](configuration.md)

+| `claims` | An array of claims returned by your [custom authentication provider](authentication-custom.md). |

+ "userRoles": ["anonymous", "authenticated"],

+ "claims": [{

+ "typ": "name",

+ "val": "Azure Static Web Apps"

+ }]

+|[Azure Data Explorer](azure-database-explorer-output.md)|Yes|Managed Identity|

+| **[Transactions](develop-transactions.md)** | Yes | Yes, applicable only on the meta-data objects. |

+| **Cross-database queries** | No | Yes, 3-part-name references are supported including [USE](/sql/t-sql/language-elements/use-transact-sql?view=azure-sqldw-latest&preserve-view=true) statement. |

+| **Built-in/system aggregates** | Transact-SQL built-in aggregates except, except [CHECKSUM_AGG](/sql/t-sql/functions/checksum-agg-transact-sql?view=azure-sqldw-latest&preserve-view=true) and [GROUPING_ID](/sql/t-sql/functions/grouping-id-transact-sql?view=azure-sqldw-latest&preserve-view=true) | All Transact-SQL built-in [aggregates](/sql/t-sql/functions/aggregate-functions-transact-sql?view=sql-server-ver15) are supported. |

+| **SQL username/password authentication**| Yes | Yes, users can access serverless SQL pool using their usernames and passwords. |

+| **Storage Azure Active Directory (Azure AD) passthrough authentication** | Yes | [Yes](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types), applicable to Azure AD logins. The identity of the Azure AD user is passed to the storage if a credential is not specified. Azure AD passthrough authentication is not available for the SQL users. |

+| **Storage [Managed Identity](../../data-factory/data-factory-service-identity.md?context=/azure/synapse-analytics/context/context&tabs=synapse-analytics) authentication** | Yes, using [Managed Service Identity Credential](../../azure-sql/database/vnet-service-endpoint-rule-overview.md?bc=%2fazure%2fsynapse-analytics%2fbreadcrumb%2ftoc.json&preserve-view=true&toc=%2fazure%2fsynapse-analytics%2ftoc.json&view=azure-sqldw-latest&preserve-view=true) | Yes, using [Managed Identity](develop-storage-files-storage-access-control.md?tabs=managed-identity#database-scoped-credential) credential. |

+| **Storage Application identity authentication** | [Yes](/sql/t-sql/statements/create-external-data-source-transact-sql?view=azure-sqldw-latest&preserve-view=true) | Yes, you can create a [credential](develop-storage-files-storage-access-control.md?tabs=service-principal#database-scoped-credential) with a [service principal application ID](develop-storage-files-storage-access-control.md?tabs=service-principal#supported-storage-authorization-types) that will be used to authenticate on the storage. |

+| **Server-level roles** | No | Yes, sysadmin, public, and other server-roles are supported. |

+| **Auditing** | [Yes](../../azure-sql/database/auditing-overview.md) | [Yes](../../azure-sql/database/auditing-overview.md) |

+| **Internal storage** | Yes | No, data is placed in Azure Data Lake or Cosmos DB analytical storage. |

+* Accelerate Spark workloads with NVIDIA GPU acceleration [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--16536080) [article](./spark/apache-spark-rapids-gpu.md)

+* Mount remote storage to a Synapse Spark pool [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--1823990543) [article](./spark/synapse-file-mount-api.md)

+* Natively read & write data in ADLS with Pandas [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-663522290) [article](./spark/tutorial-use-pandas-spark-pool.md)

+* Dynamic allocation of executors for Spark [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--1143932173) [article](./spark/apache-spark-autoscale.md)

+### Machine Learning

+* The Synapse Machine Learning library [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--463873803) [article](https://microsoft.github.io/SynapseML/docs/about/)

+* Getting started with state-of-the-art pre-built intelligent models [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-2023639030) [article](./machine-learning/tutorial-form-recognizer-use-mmlspark.md)

+* Building responsible AI systems with the Synapse ML library [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-914346508) [article](https://microsoft.github.io/SynapseML/docs/features/responsible_ai/Model%20Interpretation%20on%20Spark/)

+* PREDICT is now GA for Synapse Dedicated SQL pools [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1594404878) [article](./machine-learning/tutorial-sql-pool-model-scoring-wizard.md)

+* Simple & scalable scoring with PREDICT and MLFlow for Apache Spark for Synapse [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--213049585) [article](./machine-learning/tutorial-score-model-predict-spark-pool.md)

+* Retail AI solutions [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--2020504048) [article](./machine-learning/quickstart-industry-ai-solutions.md)

+### Security

+* User-Assigned managed identities now supported in Synapse Pipelines in preview [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--1340445678) [article](../data-factory/credentials.md?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext&tabs=data-factory)

+* Browse ADLS Gen2 folders in an Azure Synapse Analytics workspace in preview [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1147067155) [article](how-to-access-container-with-access-control-lists.md)

+### Data Integration

+* Pipeline Fail activity [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1827125525) [article](../data-factory/control-flow-fail-activity.md)

+* Mapping Data Flow gets new native connectors [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-717833003) [article](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/mapping-data-flow-gets-new-native-connectors/ba-p/2866754)

+* Synapse Link for Dataverse [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1397891373) [article](/powerapps/maker/data-platform/azure-synapse-link-synapse)

+* Custom partitions for Synapse link for Azure Cosmos DB in preview [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--409563090) [article](../cosmos-db/custom-partitioning-analytical-store.md)

+- We don't recommend assigning both the RemoteApp and desktop app groups in a single host pool to the same user. Doing so will cause a single user to have two user sessions in a single host pool. Users aren't supposed to have two active user sessions at the same time, as this can cause the following things to happen:

+ - The session hosts become overloaded

+ - Users get stuck when trying to login

+ - Connections won't work

+ - The screen turns black

+ - The application crashes

+ - Other negative effects on end-user experience and session performance

+An [Azure Compute Gallery](./shared-image-galleries.md) (formerly known as Shared Image Gallery) simplifies sharing resources, like images and application packages, across your organization.

+In API version 2021-10-01 and beyond, Azure VM Image Builder supports adding Azure user-assigned identities to the build VM to enable scenarios where you will need to authenticate with services like Azure Key Vault in your subscription.

+For more information on permissions, please see the following links: [PowerShell](./linux/image-builder-permissions-powershell.md), [AZ CLI](./linux/image-builder-permissions-cli.md) and [Image Builder template reference: Identity](https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-json#identity).

+VM Applications are a resource type in Azure Compute Gallery (formerly known as Shared Image Gallery) that simplifies management, sharing, and global distribution of applications for your virtual machines.

+- Learn how to [create and deploy VM application packages](vm-applications-how-to.md).

+az vm run-command show --name "myRunCommand" --vm-name "myVM" --resource-group "myRG" --expand

+- January 12, 2022: Change in [HA for SAP NetWeaver on Azure VMs on Windows with Azure NetApp Files(SMB)](./high-availability-guide-windows-netapp-files-smb.md) to remove obsolete information for the SAP kernel that supports the scenario.

+ * SAP Kernel 7.22 or later

+NAT can be created in a specific Availability Zone and has redundancy built in within the specified zone. NAT is non-zonal by default. When creating [availability zones](../../availability-zones/az-overview.md) scenarios, NAT can be isolated in a specific zone. This is known as a zonal deployment.

+* NAT is the recommended method for outbound connectivity. A NAT gateway does not have the same limitations of SNAT port exhaustion as does [default outbound access](/azure/virtual-network/ip-services/default-outbound-access) and [outbound rules of a load balancer](/azure/load-balancer/outbound-rules).

+ * To migrate outbound access to NAT gateway from default outbound access or from outbound rules of a load balancer, see [Migrate outbound access to Azure Virtual Network NAT](/azure/virtual-network/nat-gateway/tutorial-migrate-outbound-nat)

+* NAT cannot span multiple virtual networks.

+ Title: 'Tutorial: Migrate outbound access to NAT gateway'

+description: Learn how to migrate outbound access in your virtual network to a Virtual Network NAT gateway.

+# Tutorial: Migrate outbound access to Azure Virtual Network NAT

+In this article, you'll learn how to migrate your outbound connectivity from [default outbound access](../ip-services/default-outbound-access.md) to a NAT gateway. You'll learn how to change your outbound connectivity from load balancer outbound rules to a NAT gateway. You'll reuse the IP address from the outbound rule configuration for the NAT gateway.

+Azure Virtual Network NAT is the recommended method for outbound connectivity. A NAT gateway is a fully managed and highly resilient Network Address Translation (NAT) service. A NAT gateway doesn't have the same limitations of SNAT port exhaustion as default outbound access. A NAT gateway replaces the need for outbound rules in a load balancer for outbound connectivity.

+For more information about Azure Virtual Network NAT, see [What is Azure Virtual Network NAT](nat-overview.md)

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Migrate default outbound access to a NAT gateway.

+> * Migrate load balancer outbound connectivity and IP address to a NAT gateway.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* A standard public load balancer in your subscription. The load balancer must have a separate frontend IP address and outbound rules configured. For more information on creating an Azure Load Balancer, see [Quickstart: Create a public load balancer to load balance VMs using the Azure portal](../../load-balancer/quickstart-load-balancer-standard-public-portal.md)

+ * The load balancer name used in the examples is **myLoadBalancer**.

+> [!NOTE]

+> Virtual Network NAT provides outbound connectivity for standard internal load balancers. To configure create a NAT gateway resource and associate it to your subnet. For more information on integrating a NAT gateway with your internal load balancers, see [Tutorial: Integrate NAT gateway with an internal load balancer - Azure portal - Virtual Network NAT](tutorial-nat-gateway-load-balancer-internal-portal.md).

+## Migrate default outbound access

+In this section, youΓÇÖll learn how to change your outbound connectivity method from default outbound access to a NAT gateway.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways**.

+3. In **NAT gateways**, select **+ Create**.

+4. In **Create network address translation (NAT) gateway**, enter or select the following information.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **myResourceGroup**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select the region of your virtual network. In this example, it's **West Europe**. |

+ | Availability zone | Leave the default of **None**. |

+ | Idle timeout (minutes) | Enter **10**. |

+5. Select the **Outbound IP** tab, or select **Next: Outbound IP** at the bottom of the page.

+6. In **Public IP addresses** in the **Outbound IP** tab, select **Create a new public IP address**.

+7. In **Add a public IP address**, enter **myNATgatewayIP** in **Name**. Select **OK**.

+8. Select the **Subnet** tab, or select **Next: Subnet** at the bottom of the page.

+9. In the pull-down box for **Virtual network**, select your virtual network.

+10. In **Subnet name**, select the checkbox next to your subnet.

+11. Select the **Review + create** tab, or select **Review + create** at the bottom of the page.

+12. Select **Create**.

+## Migrate load balancer outbound connectivity

+In this section, youΓÇÖll learn how to change your outbound connectivity method from outbound rules to a NAT gateway. You'll keep the same frontend IP address used for the outbound rules. You'll remove the outbound ruleΓÇÖs frontend IP configuration then create a NAT gateway with the same frontend IP address. A public load balancer is used throughout this section.

+### Remove outbound rule frontend IP configuration

+You remove the outbound rule and the associated frontend IP configuration from your load balancer. The load balancer name used in this example is **myLoadBalancer**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+3. Select **myLoadBalancer** or your load balancer.

+4. In **myLoadBalancer**, select **Frontend IP configuration** in **Settings**.

+5. Note the **IP address** in **Frontend IP configuration** that you wish to migrate to a **NAT gateway**. You'll need this information in the next section. In this example, it's **myFrontendIP-outbound**.

+6. Select **Delete** next to the IP configuration you wish to remove. In this example, it's **myFrontendIP-outbound**.

+ :::image type="content" source="./media/tutorial-migrate-outbound-nat/frontend-ip.png" alt-text="Screenshot of frontend IP address removal for NAT gateway.":::

+7. Select **Delete**.

+8. In **Delete myFrontendIP-outbound**, select the check box next to **I have read and understood that this frontend IP configuration as well as the associated resources listed above will be deleted**.

+9. Select **Delete**. This procedure will delete the frontend IP configuration and the outbound rule associated with the frontend.

+ :::image type="content" source="./media/tutorial-migrate-outbound-nat/delete-frontend-ip.png" alt-text="Screenshot of confirmation of frontend IP address removal for NAT gateway.":::

+### Create NAT gateway

+In this section, youΓÇÖll create a NAT gateway with the IP address previously used for outbound rule and assign it to your pre-created subnet within your virtual network. The subnet name for this example is **myBackendSubnet**.

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways**.

+2. In **NAT gateways**, select **+ Create**.

+3. In **Create network address translation (NAT) gateway**, enter or select the following information.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **myResourceGroup**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select the region of your virtual network. In this example, it's **West Europe**. |

+ | Availability zone | Leave the default of **None**. |

+ | Idle timeout (minutes) | Enter **10**. |

+4. Select the **Outbound IP** tab, or select **Next: Outbound IP** at the bottom of the page.

+5. In **Public IP addresses** in the **Outbound IP** tab, select the IP address you noted from the previous section. In this example, it's **myPublicIP-outbound**.

+6. Select the **Subnet** tab, or select **Next: Subnet** at the bottom of the page.

+7. In the pull-down box for **Virtual network**, select your virtual network.

+8. In **Subnet name**, select the checkbox for your subnet. In this example, it's **myBackendSubnet**.

+9. Select the **Review + create** tab, or select **Review + create** at the bottom of the page.

+10. Select **Create**.

+## Clean up resources

+If you're not going to continue to use this application, delete

+the NAT gateway with the following steps:

+1. From the left-hand menu, select **Resource groups**.

+2. Select the **myResourceGroup** resource group.

+3. Select **Delete resource group**.

+4. Enter **myResourceGroup** and select **Delete**.

+## Next steps

+In this article, you learned how to:

+* Migrate default outbound access to a NAT gateway.

+* Migrate load balancer outbound connectivity and IP address to a NAT gateway.

+For more information about NAT gateway and the connectivity benefits it provides, see [Design virtual networks with NAT gateway](nat-gateway-resource.md).

+Advance to the next article to learn how to integrate a NAT gateway with a public load balancer:

+> [!div class="nextstepaction"]

+> [Integrate a NAT gateway with a public load balancer using the Azure portal](tutorial-nat-gateway-load-balancer-public-portal.md)

+description: Learn how to create an any-to-any configuration using an Azure Resource Manager template (ARM template).

+* Public key certificate data is required for this configuration. See [Generate and export certificates](certificates-point-to-site.md#cer) for steps to generate and export the required certificates. Sample certificate data is provided in the article only to satisfy the template requirements in order to create a P2S gateway.

+1. On the template page, enter the values. For the **Hub_Public Certificate Data for P2S** fields, you need to input the public key certificate data from the root certificate that you want to use (as mentioned in the prerequisites). If you haven't generated a root certificate and you are using these steps as only an exercise to run the template and observe the results, you can use the following example certificate data for both hubs. If you choose to use this example data and later want P2S clients to connect, you must replace this information with the certificate data from your own environment.

+ > This certificate data is supplied for example purposes only. Replace this example data with the public key [certificate data](certificates-point-to-site.md#cer) from your own certificate if you want P2S clients to connect.

+The template does not configure all of the settings necessary for a hybrid network. Complete the following configurations and settings, depending on your requirements:

+Azure AD authentication allows users to connect to Azure using their Azure Active Directory credentials. Native Azure AD authentication is only supported for OpenVPN protocol and Windows 10 and 11 and also requires the use of the [Azure VPN Client](https://go.microsoft.com/fwlink/?linkid=2117554).

+| where Category == 'FrontdoorWebApplicationFirewallLog'