+Azure Active Directory B2C (Azure AD B2C) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This billing model applies to both Azure AD B2C tenants and [Azure AD guest user collaboration (B2B)](../active-directory/external-identities/external-identities-pricing.md). MAU billing helps you reduce costs by offering a free tier and flexible, predictable pricing. In this article, learn about MAU billing, linking Azure AD B2C tenants to a subscription, and changing the pricing tier.

+- Active, interactive sign-in by the user. For example, [sign-up or sign-in](add-sign-up-and-sign-in-policy.md), [self-service password reset](add-password-reset-policy.md), or any type of [user flow](user-flow-overview.md) or [custom policy](custom-policy-overview.md).

+- Passive, non-interactive sign-in such as [single sign-on (SSO)](session-behavior.md), or any type of token acquisition. For example, authorization code flow, token refresh, or [resource owner password credentials flow](add-ropc-policy.md).

+MAU billing went into effect for Azure AD B2C tenants on **November 1, 2019**. Any Azure AD B2C tenants that you created and linked to a subscription on or after that date have been billed on a per-MAU basis.

+- If you have an Azure AD B2C tenant that hasn't been linked to a subscription, link it now.

+- If you have an existing Azure AD B2C tenant that was linked to a subscription before November 1, 2019, upgrade to the monthly active users (MAU) billing model. You can also choose to stay on the per-authentication billing model.

+Usage charges for Azure Active Directory B2C (Azure AD B2C) are billed to an Azure subscription. You need to explicitly link an Azure AD B2C tenant to an Azure subscription by creating an Azure AD B2C *resource* within the target Azure subscription. Several Azure AD B2C resources can be created in a single Azure subscription, along with other Azure resources like virtual machines, and storage accounts. You can see all of the resources within a subscription by going to the Azure Active Directory (Azure AD) tenant that the subscription is associated with.

+A tenant must be linked to the appropriate Azure pricing tier based on the features you want to use with your Azure AD B2C tenant. Premium features require Azure AD B2C Premium P1 or P2, as described in the [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).

+In some cases, you'll need to upgrade your pricing tier as you use new features. For example, if you want to use [Identity Protection](conditional-access-identity-protection-overview.md), risk-based Conditional Access policies, and any future Premium P2 capabilities with Azure AD B2C.

+To change your pricing tier, follow these steps:

+

+ 

+ 

+ 

+ 

+ 

+ 

+For the latest information about usage billing and pricing, see [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).

+Asserts that one date is later than a second date. Determines whether the `rightOperand` is greater than the `leftOperand`. If yes, throws an exception.

+| InputParameter | AssertIfEqualTo | boolean | Specifies whether this assertion should throw an error if the left operand is equal to the right operand. Possible values: `true` (default), or `false`. |

+### AssertDateTimeIsGreaterThan example

+- Input claims:

+ - **leftOperand**: 2022-01-01T15:00:00

+ - **rightOperand**: 2022-01-22T15:00:00

+- Input parameters:

+ - **AssertIfEqualTo**: false

+ - **AssertIfRightOperandIsNotPresent**: true

+ - **TreatAsEqualIfWithinMillseconds**: 300000 (30 seconds)

+- Result: Error thrown

+### Call the claims transformation

+The following `Example-AssertDates` validation technical profile calls the `AssertApprovedDateTimeLaterThanCurrentDateTime` claims transformation.

+<TechnicalProfile Id="Example-AssertDates">

+ <DisplayName>Unit test</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="ComparisonResult" DefaultValue="false" />

+ </OutputClaims>

+ <OutputClaimsTransformation ReferenceId="AssertDates" />

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+The self-asserted technical profile calls the validation `Example-AssertDates` technical profile.

+<TechnicalProfile Id="SelfAsserted-AssertDateTimeIsGreaterThan">

+ <DisplayName>User ID signup</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>

+ <Item Key="DateTimeGreaterThan">Custom error message if the provided right operand is greater than the right operand.</Item>

+ ...

+ <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertDateTimeIsGreaterThan" />

+Converts a `Date` claim type to a `DateTime` claim type. The claims transformation converts the time format and adds 12:00:00 AM to the date.

+| InputClaim | inputClaim | date | The claim type to be converted. |

+| OutputClaim | outputClaim | dateTime | The claim type that is produced after this claims transformation has been invoked. |

+### ConvertDateToDateTimeClaim example

+ - **inputClaim**: 2022-01-03

+ - **outputClaim**: 2022-01-03T00:00:00.0000000Z

+Converts a `DateTime` claim type to a `Date` claim type. The claims transformation removes the time format from the date.

+| InputClaim | inputClaim | dateTime | The claim type to be converted. |

+| OutputClaim | outputClaim | date | The claim type that is produced after this claims transformation has been invoked. |

+### ConvertDateTimeToDateClaim example

+ - **inputClaim**: 2022-01-03T11:34:22.0000000Z

+ - **outputClaim**: 2022-01-03

+Compares two dates and determines whether the first date is later, earlier, or equal to another. The result is a new Boolean claim with a value of `true` or `false`.

+| InputClaim | firstDateTime | dateTime | The first date to compare whether it's later, earlier, or equal to the second date. Null value throws an exception. |

+| InputClaim | secondDateTime | dateTime | The second date to compare. Null value is treated as the current datetTime. |

+| InputParameter | timeSpanInSeconds | int | Timespan to add to the first date. Possible values: range from negative -2,147,483,648 through positive 2,147,483,647. |

+| OutputClaim | result | boolean | The claim that is produced after this claims transformation has been invoked. |

+Use this claims transformation to determine if first date plus the timespan parameter is later, earlier, or equal to another. For example, you may store the last time a user accepted your terms of services (TOS). After three months, you can ask the user to access the TOS again.

+To run the claim transformation, you first need to get the current date and also the last time user accepts the TOS.

+### DateTimeComparison example

+The following example shows that the first date (2022-01-01T00:00:00) plus 90 days is later than the second date (2022-03-16T00:00:00).

+ <InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="firstDateTime" />

+ - **firstDateTime**: 2022-01-01T00:00:00.100000Z

+ - **secondDateTime**: 2022-03-16T00:00:00.100000Z

+

+## GetCurrentDateTime

+Get the current UTC date and time and add the value to a claim type.

+| Item | TransformationClaimType | Data Type | Notes |

+| - | -- | | -- |

+| OutputClaim | currentDateTime | dateTime | The claim type that is produced after this claims transformation has been invoked. |

+### GetCurrentDateTime example

+The following example shows how to get the current data and time:

+```xml

+<ClaimsTransformation Id="GetSystemDateTime" TransformationMethod="GetCurrentDateTime">

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="systemDateTime" TransformationClaimType="currentDateTime" />

+ </OutputClaims>

+</ClaimsTransformation>

+```

+* Output claims:

+ * **currentDateTime**: 2022-01-14T11:40:35.0000000Z

+## Next steps

+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo

+This article provides examples for using general claims transformations of the Identity Experience Framework schema in Azure Active Directory B2C (Azure AD B2C). For more information, see [claims transformations](claimstransformations.md).

+| InputClaim | inputClaim | string, int | The claim type, which is to be copied. |

+| OutputClaim | outputClaim | string, int | The claim that is produced after this claims transformation has been invoked. |

+### CopyClaim example

+| OutputClaim | outputClaim | boolean | The claim that is produced after this claims transformation has been invoked. |

+### DoesClaimExist example

+| OutputClaim | hash | string | The claim that is produced after this claims transformation has been invoked. The claim configured in the `plaintext` inputClaim. |

+### Hash example

+## Next steps

+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo

+To enable multifactor authentication, get the custom policy starter pack from GitHub as follows:

+- [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository from `https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack`, and then update the XML files in the **SocialAndLocalAccountsWithMFA** starter pack with your Azure AD B2C tenant name. The **SocialAndLocalAccountsWithMFA** enables social and local sign in options, and multifactor authentication options, except for the Authenticator app - TOTP option.

+ 1. In the application (for example, *Contoso webapp*), select **Still having trouble?**. This displays **Account Name** and **Secret**.

+In Azure AD B2C, you can delete a user's TOTP authenticator app enrollment. Then the user would be required to re-enroll their account to use TOTP authentication again. To delete a user's TOTP enrollment, you can use either the [Azure portal](https://portal.azure.com) or the [Microsoft Graph API](/graph/api/softwareoathauthenticationmethod-delete).

+|setting.forgotPasswordLinkOverride ⁴| No | A password reset claims exchange to be executed. For more information, see [Self-service password reset](add-password-reset-policy.md). |

+| [Customer Identity Management with Azure AD B2C](/Shows/On-NET/Customer-Identity-Management-with-Azure-AD-B2C) | Video (20 minutes) | In this overview of the service, Parakh Jain ([@jainparakh](https://twitter.com/jainparakh)) from the Azure AD B2C team provides us an overview of how the service works, and also show how we can quickly connect B2C to an ASP.NET Core application. |

+ Title: "Quickstart: Call Microsoft Graph from a console application | Azure"

+description: In this quickstart, you learn how a console application can get an access token and call an API protected by Microsoft identity platform, using the app's own identity

+zone_pivot_groups: console-app-quickstart

+#Customer intent: As an app developer, I want to learn how my console app can get an access token and call an API that's protected by the Microsoft identity platform by using the client credentials flow.

+# Quickstart: Acquire a token and call the Microsoft Graph API by using a console app's identity

+ Title: "Quickstart: Sign in users and call Microsoft Graph in a desktop app | Azure"

+description: In this quickstart, learn how a desktop application can get an access token and call an API protected by the Microsoft identity platform.

+zone_pivot_groups: desktop-app-quickstart

+#Customer intent: As an application developer, I want to learn how my desktop application can get an access token and call an API that's protected by the Microsoft identity platform.

+# Quickstart: Acquire a token and call Microsoft Graph API from a desktop application

+ Title: "Quickstart: Add sign in with Microsoft to a mobile app | Azure"

+description: In this quickstart, learn how a mobile app can sign in users, get an access token from the Microsoft identity platform, and call the Microsoft Graph API.

+zone_pivot_groups: mobile-app-quickstart

+#Customer intent: As an application developer, I want to learn how to sign in users and call Microsoft Graph from my mobile application.

+# Quickstart: Sign in users and call the Microsoft Graph API from a mobile application

+Get started with the Microsoft identity platform by registering an application in the Azure portal.

+To configure application settings based on the platform or device you're targeting, follow these steps:

+Client secrets are considered less secure than certificate credentials. Application developers sometimes use client secrets during local app development because of their ease of use. However, you should use certificate credentials for any of your applications that are running in production.

+### Step 1: Configure your application in the Azure portal

+For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker.

+> [!div class="nextstepaction"]

+> [Make these changes for me]()

+> [!div class="alert alert-info"]

+>  Your application is configured with these attributes

+### Step 2: Download the project

+Run the project using Android Studio.

+> [!div class="nextstepaction"]

+### Step 3: Your app is configured and ready to run

+We have configured your project with values of your app's properties and it's ready to run.

+The sample app starts on the **Single Account Mode** screen. A default scope, **user.read**, is provided by default, which is used when reading your own profile data during the Microsoft Graph API call. The URL for the Microsoft Graph API call is provided by default. You can change both of these if you wish.

+

+Use the app menu to change between single and multiple account modes.

+In single account mode, sign in using a work or home account:

+1. Select **Get graph data interactively** to prompt the user for their credentials. You'll see the output from the call to the Microsoft Graph API in the bottom of the screen.

+2. Once signed in, select **Get graph data silently** to make a call to the Microsoft Graph API without prompting the user for credentials again. You'll see the output from the call to the Microsoft Graph API in the bottom of the screen.

+In multiple account mode, you can repeat the same steps. Additionally, you can remove the signed-in account, which also removes the cached tokens for that account.

+> [!div class="sxs-lookup"]

+## Prerequisites

+- Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- [Azure Active Directory tenant](quickstart-create-new-tenant.md)

+- [.NET Core SDK 3.1+](https://dotnet.microsoft.com/)

+- [Visual Studio 2019](https://visualstudio.microsoft.com/vs/) or [Visual Studio Code](https://code.visualstudio.com/)

+## Step 1: Register the application

+First, register the web API in your Azure AD tenant and add a scope by following these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations** > **New registration**.

+1. For **Name**, enter a name for your application. For example, enter **AspNetCoreWebApi-Quickstart**. Users of your app will see this name, and you can change it later.

+1. Select **Register**.

+1. Under **Manage**, select **Expose an API** > **Add a scope**. For **Application ID URI**, accept the default by selecting **Save and continue**, and then enter the following details:

+ - **Scope name**: `access_as_user`

+ - **Who can consent?**: **Admins and users**

+ - **Admin consent display name**: `Access AspNetCoreWebApi-Quickstart`

+ - **Admin consent description**: `Allows the app to access AspNetCoreWebApi-Quickstart as the signed-in user.`

+ - **User consent display name**: `Access AspNetCoreWebApi-Quickstart`

+ - **User consent description**: `Allow the application to access AspNetCoreWebApi-Quickstart on your behalf.`

+ - **State**: **Enabled**

+1. Select **Add scope** to complete the scope addition.

+[Download the ASP.NET Core solution](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/archive/aspnetcore3-1.zip) from GitHub.

+## Step 3: Configure the ASP.NET Core project

+In this step, configure the sample code to work with the app registration that you created earlier.

+1. Extract the .zip archive into a folder near the root of your drive. For example, extract into *C:\Azure-Samples*.

+ We recommend extracting the archive into a directory near the root of your drive to avoid errors caused by path length limitations on Windows.

+1. Open the solution in the *webapi* folder in your code editor.

+1. Open the *appsettings.json* file and modify the following code:

+ ```json

+ "ClientId": "Enter_the_Application_Id_here",

+ "TenantId": "Enter_the_Tenant_Info_Here"

+ ```

+ - Replace `Enter_the_Application_Id_here` with the application (client) ID of the application that you registered in the Azure portal. You can find the application (client) ID on the app's **Overview** page.

+ - Replace `Enter_the_Tenant_Info_Here` with one of the following:

+ - If your application supports **Accounts in this organizational directory only**, replace this value with the directory (tenant) ID (a GUID) or tenant name (for example, `contoso.onmicrosoft.com`). You can find the directory (tenant) ID on the app's **Overview** page.

+ - If your application supports **Accounts in any organizational directory**, replace this value with `organizations`.

+ - If your application supports **All Microsoft account users**, leave this value as `common`.

+For this quickstart, don't change any other values in the *appsettings.json* file.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+#### Step 1: Configure your application

+For the code sample for this quickstart to work, add a **Redirect URI** compatible with the Auth broker.

+> [!div class="nextstepaction"]

+> [Make this change for me]()

+> [!div class="alert alert-info"]

+>  Your application is configured with these attributes

+#### Step 2: Download the sample project

+> [!div class="nextstepaction"]

+> [Download the code sample for iOS]()

+> [!div class="nextstepaction"]

+> [Download the code sample for macOS]()

+#### Step 4: Your app is configured and ready to run

+We have configured your project with values of your app's properties and it's ready to run.

+> [!NOTE]

+> `Enter_the_Supported_Account_Info_Here`

+1. If you're building an app for [Azure AD national clouds](/graph/deployments#app-registration-and-token-service-root-endpoints), replace the line starting with 'let kGraphEndpoint' and 'let kAuthority' with correct endpoints. For global access, use default values:

+ ```swift

+ let kGraphEndpoint = "https://graph.microsoft.com/"

+ let kAuthority = "https://login.microsoftonline.com/common"

+ ```

+1. Other endpoints are documented [here](/graph/deployments#app-registration-and-token-service-root-endpoints). For example, to run the quickstart with Azure AD Germany, use following:

+ ```swift

+ let kGraphEndpoint = "https://graph.microsoft.de/"

+ let kAuthority = "https://login.microsoftonline.de/common"

+ ```

+3. Open the project settings. In the **Identity** section, enter the **Bundle Identifier** that you entered into the portal.

+4. Right-click **Info.plist** and select **Open As** > **Source Code**.

+5. Under the dict root node, replace `Enter_the_bundle_Id_Here` with the ***Bundle Id*** that you used in the portal. Notice the `msauth.` prefix in the string.

+ ```xml

+ <key>CFBundleURLTypes</key>

+ <array>

+ <dict>

+ <key>CFBundleURLSchemes</key>

+ <array>

+ <string>msauth.Enter_the_Bundle_Id_Here</string>

+ </array>

+ </dict>

+ </array>

+ ```

+6. Build and run the app!

+> [!div class="sxs-lookup"]

+### Download and configure the quickstart app

+#### Step 1: Configure the application in Azure portal

+For the code sample for this quickstart to work, you need to create a client secret, and add Graph API's **User.Read.All** application permission.

+> [!div class="nextstepaction"]

+> [Make these changes for me]()

+> [!div class="alert alert-info"]

+>  Your application is configured with these attributes.

+#### Step 2: Download the Java project

+> [!div class="sxs-lookup nextstepaction"]

+> [!div class="sxs-lookup"]

+#### Step 3: Admin consent

+If you are a global administrator, go to **API Permissions** page select **Grant admin consent for Enter_the_Tenant_Name_Here**.

+> [!div id="apipermissionspage"]

+> [Go to the API Permissions page]()

+#### Step 4: Run the application

+> | `CLIENT_SECRET` | Is the client secret created for the application in Azure portal. |

+> | `SCOPE` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations** in the Azure portal.|

+> [!div class="sxs-lookup"]

+### Download and configure your quickstart app

+#### Step 1: Configure your application in the Azure portal

+For the code sample in this quickstart to work, create a client secret and add the Graph API's **User.Read.All** application permission.

+> [!div class="nextstepaction"]

+> [Make these changes for me]()

+> [!div class="alert alert-info"]

+>  Your application is configured with these attributes.

+#### Step 2: Download your Visual Studio project

+> [!div class="sxs-lookup"]

+> [!div class="sxs-lookup" id="autoupdate" class="nextstepaction"]

+> [!div class="sxs-lookup"]

+#### Step 3: Admin consent

+If you're a global administrator, go to the **API Permissions** page and select **Grant admin consent for Enter_the_Tenant_Name_Here**.

+> [!div id="apipermissionspage"]

+> [Go to the API Permissions page]()

+#### Step 4: Run the application

+> [!div class="sxs-lookup"]

+### How the sample works

+

+### Download and configure the sample app

+#### Step 1: Configure the application in Azure portal

+For the code sample for this quickstart to work, you need to create a client secret, and add Graph API's **User.Read.All** application permission.

+> [!div class="nextstepaction"]

+> [Make these changes for me]()

+> [!div class="alert alert-info"]

+>  Your application is configured with these attributes.

+#### Step 2: Download the Node.js sample project

+> [!div class="sxs-lookup nextstepaction"]

+> [!div class="sxs-lookup"]

+#### Step 3: Admin consent

+If you are a global administrator, go to **API Permissions** page select **Grant admin consent for Enter_the_Tenant_Name_Here**

+#### Step 4: Run the application

+#### Step 1: Configure the application in Azure portal

+For the code sample for this quickstart to work, you need to add a reply URL as **msal://redirect**.

+> [!div class="nextstepaction"]

+> [Make this change for me]()

+> [!div class="alert alert-info"]

+>  Your application is configured with these attributes.

+#### Step 2: Download the Electron sample project

+> [!div class="nextstepaction"]

+> [!div class="sxs-lookup"]

+#### Step 4: Run the application

+> [!div class="sxs-lookup"]

+### Download and configure the quickstart app

+#### Step 1: Configure your application in Azure portal

+For the code sample in this quickstart to work, create a client secret and add Graph API's **User.Read.All** application permission.

+> [!div class="nextstepaction"]

+> [Make these changes for me]()

+> [!div class="alert alert-info"]

+>  Your application is configured with these attributes.

+#### Step 2: Download the Python project

+> [!div class="sxs-lookup nextstepaction"]

+> [!div class="sxs-lookup"]

+#### Step 3: Admin consent

+If you are a global administrator, go to **API Permissions** page select **Grant admin consent for Enter_the_Tenant_Name_Here**.

+> [!div id="apipermissionspage"]

+> [Go to the API Permissions page]()

+#### Step 4: Run the application

+> | `config["secret"]` | Is the client secret created for the application in Azure portal. |

+> | `config["scope"]` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations** in the Azure portal.|

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* [Visual Studio 2019](https://visualstudio.microsoft.com/vs/)

+#### Step 1: Configure the application

+For the code sample in this quickstart to work, add a **Redirect URI** of `https://login.microsoftonline.com/common/oauth2/nativeclient`.

+> [!div class="nextstepaction"]

+> [Make this change for me]()

+> [!div class="alert alert-info"]

+>  Your application is configured with these attributes.

+#### Step 2: Download the Visual Studio project

+Run the project using Visual Studio 2019.

+> [!div class="nextstepaction"]

+#### Step 3: Your app is configured and ready to run

+We have configured your project with values of your app's properties and it's ready to run.

+For single tenant applications, adding or updating the AppId URI validates that the domain in the HTTPS scheme URI is listed in the verified domain list in the customer tenant or that the value uses the default scheme (`api://{appId}`) provided by Azure AD. This could prevent applications from adding an AppId URI if the domain isn't in the verified domain list or the value does not use the default scheme.

+On 1 June 2018, the official Azure Active Directory (Azure AD) Authority for Azure Government changed from `https://login-us.microsoftonline.com` to `https://login.microsoftonline.us`. This change also applied to Microsoft 365 GCC High and DoD, which Azure Government Azure AD also services. If you own an application within a US Government tenant, you must update your application to sign users in on the `.us` endpoint.

+### .default and combined consent

+The middle tier application adds the client to the known client applications list in its manifest. If a consent prompt is triggered by the client, the consent flow will be both for itself and the middle tier application. On the Microsoft identity platform, this is done using the [`.default` scope](v2-permissions-and-consent.md#the-default-scope). When triggering a consent screen using known client applications and `.default`, the consent screen will show permissions for **both** the client to the middle tier API, and also request whatever permissions are required by the middle-tier API. The user provides consent for both applications, and then the OBO flow works.

+The resource service (API) identified in the request should be the API for which the client application is requesting an access token as a result of the user's sign-in. For example, `scope=openid https://middle-tier-api.example.com/.default` (to request an access token for the middle tier API), or `scope=openid offline_access .default` (when a resource is not identified, it defaults to Microsoft Graph).

+Regardless of which API is identified in the authorization request, the consent prompt will be a combined consent prompt including all required permissions configured for the client app, as well as all required permissions configured for each middle tier API listed in the client's required permissions list, and which have identified the client as a known client application.

+At this time, the `offline_access` ("Maintain access to data you have given it access to") permission and `User.Read` ("Sign you in and read your profile") permission are automatically included in the initial consent to an application. These permissions are generally required for proper app functionality. The `offline_access` permission gives the app access to refresh tokens that are critical for native apps and web apps. The `User.Read` permission gives access to the `sub` claim. It allows the client or app to correctly identify the user over time and access rudimentary user information.

+In the app registration portal, applications can list the permissions they require, including both delegated permissions and application permissions. This setup allows the use of the `.default` scope and the Azure portal's **Grant admin consent** option.

+>Application permissions can be requested only through the use of [`.default`](#the-default-scope). So if your app needs application permissions, make sure they're listed in the app registration portal.

+|`scope` | Required | Defines the set of permissions being requested by the application. Scopes can be either static (using [`.default`](#the-default-scope)) or dynamic. This set can include the OpenID Connect scopes (`openid`, `profile`, `email`). If you need application permissions, you must use `.default` to request the statically configured list of permissions. |

+At this point, Azure AD requires a tenant administrator to sign in to complete the request. The administrator is asked to approve all the permissions that you requested in the `scope` parameter. If you used a static (`.default`) value, it will function like the v1.0 admin consent endpoint and request consent for all scopes found in the required permissions for the app.

+ "scope": "https://outlook.office.com/Mail.Read https://outlook.office.com/mail.send",

+## The .default scope

+The `.default` scope is used to refer generically to a resource service (API) in a request, without identifying specific permissions. If consent is necessary, using `.default` signals that consent should be prompted for all required permissions listed in the application registration (for all APIs in the list).

+The scope parameter value is constructed by using the identifier URI for the resource and `.default`, separated by a forward slash (`/`). For example, if the resource's identifier URI is `https://contoso.com`, the scope to request is `https://contoso.com/.default`. For cases where you must include a second slash to correctly request the token, see the [section about trailing slashes](#trailing-slash-and-default).

+Using `scope={resource-identifier}/.default` is functionally the same as `resource={resource-identifier}` on the v1.0 endpoint (where `{resource-identifier}` is the identifier URI for the API, for example `https://graph.microsoft.com` for Microsoft Graph).

+The `.default` scope can be used in any OAuth 2.0 flow and to initiate [admin consent](v2-admin-consent.md). It's use is required in the [On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md) and [client credentials flow](v2-oauth2-client-creds-grant-flow.md).

+Clients can't combine static (`.default`) consent and dynamic consent in a single request. So `scope=https://graph.microsoft.com/.default Mail.Read` results in an error because it combines scope types.

+### .default when the user has already given consent

+The `.default` scope is functionally identical to the behavior of the `resource`-centric v1.0 endpoint. It carries the consent behavior of the v1.0 endpoint as well. That is, `.default` triggers a consent prompt only if consent has not been granted for any delegated permission between the client and the resource, on behalf of the signed-in user.

+If consent does exists, the returned token contains all scopes granted for that resource for the signed-in user. However, if no permission has been granted for the requested resource (or if the `prompt=consent` parameter has been provided), a consent prompt is shown for all required permissions configured on the client application registration, for all APIs in the list.

+For example, if the scope `https://graph.microsoft.com/.default` is requested, your application is requesting an access token for the Microsoft Graph API. If at least one delegated permission has been granted for Microsoft Graph on behalf of the signed-in user, the sign-in will continue and all Microsoft Graph delegated permissions which have been granted for that user will be included in the access token. If no permissions have been granted for the requested resource (Microsoft Graph, in this example), then a consent prompt will be presented for all required permissions configured on the application, for all APIs in the list.

+In this example, the user or a tenant administrator has granted the `Mail.Read` and `User.Read` Microsoft Graph permissions to the client.

+If the client requests `scope=https://graph.microsoft.com/.default`, no consent prompt is shown, regardless of the contents of the client application's registered permissions for Microsoft Graph. The returned token contains the scopes `Mail.Read` and `User.Read`.

+In this example, the user hasn't granted consent between the client and Microsoft Graph, nor has an administrator. The client has registered for the permissions `User.Read` and `Contacts.Read`. It has also registered for the Azure Key Vault scope `https://vault.azure.net/user_impersonation`.

+When the client requests a token for `scope=https://graph.microsoft.com/.default`, the user sees a consent page for the Microsoft Graph `User.Read` and `Contacts.Read` scopes, and for the Azure Key Vault `user_impersonation` scope. The returned token contains only the `User.Read` and `Contacts.Read` scopes, and it can be used only against Microsoft Graph.

+In this example, the user has already consented to `Mail.Read` for the client. The client has registered for the `Contacts.Read` scope.

+The client first performs a sign-in with `scope=https://graph.microsoft.com/.default`. Based on the `scopes` parameter of the response, the application's code detects that only `Mail.Read` has been granted. The client then initiates a second sign-in using `scope=https://graph.microsoft.com/.default`, and this time forces consent using `prompt=consent`. If the user is allowed to consent for all the permissions that the application registered, they will be shown the consent prompt. (If not, they will be shown an error message or the [admin consent request](../manage-apps/configure-admin-consent-workflow.md) form.) Both `Contacts.Read` and `Mail.Read` will be in the consent prompt. If consent is granted and the sign-in continues, the token returned is for Microsoft Graph, and contains `Mail.Read` and `Contacts.Read`.

+### Using the .default scope with the client

+In some cases, a client can request its own `.default` scope. The following example demonstrates this scenario.

+```http

+GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

+ ?response_type=token //Code or a hybrid flow is also possible here

+ &client_id=9ada6f8a-6d83-41bc-b169-a306c21527a5

+ &scope=9ada6f8a-6d83-41bc-b169-a306c21527a5/.default

+ &redirect_uri=https%3A%2F%2Flocalhost

+ &state=1234

+This code example produces a consent page for all registered permissions if the preceding descriptions of consent and `.default` apply to the scenario. Then the code returns an `id_token`, rather than an access token.

+### Client credentials grant flow and .default

+Another use of `.default` is to request app roles (also known as application permissions) in a non-interactive application like a daemon app that uses the [client credentials](v2-oauth2-client-creds-grant-flow.md) grant flow to call a web API.

+To define app roles (application permissions) for a web API, see [Add app roles in your application](howto-add-app-roles-in-azure-ad-apps.md).

+Client credentials requests in your client service *must* include `scope={resource}/.default`. Here, `{resource}` is the web API that your app intends to call, and wishes to obtain an access token for. Issuing a client credentials request by using individual application permissions (roles) is *not* supported. All the app roles (application permissions) that have been granted for that web API are included in the returned access token.

+To grant access to the app roles you define, including granting admin consent for the application, see [Configure a client application to access a web API](quickstart-configure-app-access-web-apis.md).

+### Trailing slash and .default

+Some resource URIs have a trailing forward slash, for example, `https://contoso.com/` as opposed to `https://contoso.com`. The trailing slash can cause problems with token validation. Problems occur primarily when a token is requested for Azure Resource Manager (`https://management.azure.com/`). In this case, a trailing slash on the resource URI means the slash must be present when the token is requested. So when you request a token for `https://management.azure.com/` and use `.default`, you must request `https://management.azure.com//.default` (notice the double slash!). In general, if you verify that the token is being issued, and if the token is being rejected by the API that should accept it, consider adding a second forward slash and trying again.

+ Title: Exchange a SAML token issued by Active Directory Federation Services (AD FS) for a Microsoft Graph access token

+description: Learn how to fetch data from Microsoft Graph without prompting an AD FS-federated user for credentials by using the SAML bearer assertion flow.

+# Exchange a SAML token issued by AD FS for a Microsoft Graph access token

+To enable single sign-on (SSO) in applications that use SAML tokens issued by Active Directory Federation Services (AD FS) and also require access to Microsoft Graph, follow the steps in this article.

+You'll enable the SAML bearer assertion flow to exchange a SAMLv1 token issued by the federated AD FS instance for an OAuth 2.0 access token for Microsoft Graph. When the user's browser is redirected to Azure Active Directory (Azure AD) to authenticate them, the browser picks up the session from the SAML sign-in instead of asking the user to enter their credentials.

+> [!IMPORTANT]

+> This scenario works **only** when AD FS is the federated identity provider that issued the original SAMLv1 token. You **cannot** exchange a SAMLv2 token issued by Azure AD for a Microsoft Graph access token.

+## Prerequisites

+- AD FS federated as an identity provider for single sign-on; see [Setting up AD FS and Enabling Single Sign-On to Office 365](/archive/blogs/canitpro/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365) for an example.

+- [Postman](https://www.getpostman.com/) for testing requests.

+## Scenario overview

+The OAuth 2.0 SAML bearer assertion flow allows you to request an OAuth access token using a SAML assertion when a client needs to use an existing trust relationship. The signature applied to the SAML assertion provides authentication of the authorized app. A SAML assertion is an XML security token issued by an identity provider and consumed by a service provider. The service provider relies on its content to identify the assertion's subject for security-related purposes.

+The SAML assertion is posted to the OAuth token endpoint. The endpoint processes the assertion and issues an access token based on prior approval of the app. The client isn't required to have or store a refresh token, nor is the client secret required to be passed to the token endpoint.

+

+## Register the application with Azure AD

+Start by registering the application in the [portal](https://ms.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade):

+1. Sign in to the [app registration page of the portal](https://ms.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) (Please note that we are using the v2.0 endpoints for Graph API and hence need to register the application in Azure portal. Otherwise we could have used the registrations in Azure AD).

+1. When the **Register an application** page appears, enter your application's registration information:

+1. In the left pane, select **API permissions** and then **Add a permission**. Select **Microsoft Graph**, then **delegated permissions**, and then select **Tasks.read** since we intend to use the Outlook Graph API.

+## Get the SAML assertion from AD FS

+Create a POST request to the AD FS endpoint using SOAP envelope to fetch the SAML assertion:

+AD FS request body:

+

+Once the request is posted successfully, you should receive a SAML assertion from AD FS. Only the **SAML:Assertion** tag data is required, convert it to base64 encoding to use in further requests.

+## Get the OAuth 2.0 token using the SAML assertion

+Fetch an OAuth 2.0 token using the AD FS assertion response.

+## Get the data with the OAuth 2.0 token

+After receiving the access token, call the Graph APIs (Outlook tasks in this example).

+ Title: "Quickstart: Protect a web API with the Microsoft identity platform | Azure"

+description: In this quickstart, you download and modify a code sample that demonstrates how to protect a web API by using the Microsoft identity platform for authorization.

+zone_pivot_groups: web-api-quickstart

+#Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform so that my web app can sign in users of personal accounts, work accounts, and school accounts.

+# Quickstart: Protect a web API with the Microsoft identity platform

+1. In the navigation pane, select **Service** > **Claim Descriptions**.

+1. Under **Actions**, select **Add Claim Description**.

+1. In the **Add a Claim Description** window, specify the following values:

+1. Click **Ok**.

+### Add the relying party trust

+1. In the navigation pane, select **Relying Party Trusts**.

+1. Under **Actions**, select **Add Relying Party Trust**.

+1. In the **Add Relying Party Trust** wizard, select **Claims aware**, and then select **Start**.

+1. In the **Select Data Source** section, select the check box for **Import data about the relying party published online or on a local network**. Enter this federation metadata URL: `https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml`. Select **Next**.

+1. Leave the other settings in their default options. Continue to select **Next**, and finally select **Close** to close the wizard.

+### Create claims rules

+1. Right-click the relying party trust you created, and then select **Edit Claim Issuance Policy**.

+1. In the **Edit Claim Rules** wizard, select **Add Rule**.

+1. In **Claim rule template**, select **Send LDAP Attributes as Claims**.

+1. In **Configure Claim Rule**, specify the following values:

+1. Select **Finish**.

+1. Select **Add Rule**.

+1. In **Claim rule template**, select **Transform an Incoming Claim**, and then select **Next**.

+1. In **Configure Claim Rule**, specify the following values:

+1. Select **Finish**.

+1. The **Edit Claim Rules** pane shows the new rules. Select **Apply**.

+1. Select **OK**. The AD FS server is now configured for federation using the SAML 2.0 protocol.

+## Configure AD FS for WS-Fed federation

+As an Azure or Microsoft 365 subscriber, you can purchase the Azure Active Directory Premium editions online. For detailed steps, see How to Purchase Azure Active Directory Premium - New Customers.

+## Identifying users who already have incompatible access to another access package

+If you are configuring incompatible access settings on an access package that already has users assigned to it, then any of those users who also have an assignment to the incompatible access package or groups will not be able to re-request access.

+**Prerequisite role**: Global administrator, Identity Governance administrator, User administrator, Catalog owner or Access package manager

+Follow these steps to view the list of users who have assignments to two access packages.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Click **Azure Active Directory**, and then click **Identity Governance**.

+1. In the left menu, click **Access packages** and then open the access package where you will be configuring incompatible assignments.

+1. In the left menu, click **Assignments**.

+1. In the **Status** field, ensure that **Delivered** status is selected.

+1. Click the **Download** button and save the resulting CSV file as the first file with a list of assignments.

+1. In the navigation bar, click **Identity Governance**.

+1. In the left menu, click **Access packages** and then open the access package which you plan to indicate as incompatible.

+1. In the left menu, click **Assignments**.

+1. In the **Status** field, ensure that the **Delivered** status is selected.

+1. Click the **Download** button and save the resulting CSV file as the second file with a list of assignments.

+1. Use a spreadsheet program such as Excel to open the two files.

+1. Users who are listed in both files will have already-existing incompatible assignments.

+### Identifying users who already have incompatible access programmatically

+You can also query the users who have assignments to an access package with the `Get-MgEntitlementManagementAccessPackageAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.6.0 or later.

+For example, if you have two access packages, one with ID `29be137f-b006-426c-b46a-0df3d4e25ccd` and the other with ID `cce10272-68d8-4482-8ba3-a5965c86cfe5`, then you could retrieve the users who have assignments to the first access package, and then compare them to the users who have assignments to the second access package. You can also report the users who have assignments delivered to both, using a PowerShell script similar to the following:

+```powershell

+$c = Connect-MgGraph -Scopes "EntitlementManagement.Read.All"

+Select-MgProfile -Name "beta"

+$ap_w_id = "29be137f-b006-426c-b46a-0df3d4e25ccd"

+$ap_e_id = "cce10272-68d8-4482-8ba3-a5965c86cfe5"

+$apa_w_filter = "accessPackage/id eq '" + $ap_w_id + "' and assignmentState eq 'Delivered'"

+$apa_e_filter = "accessPackage/id eq '" + $ap_e_id + "' and assignmentState eq 'Delivered'"

+$apa_w = Get-MgEntitlementManagementAccessPackageAssignment -Filter $apa_w_filter -ExpandProperty target -All

+$apa_e = Get-MgEntitlementManagementAccessPackageAssignment -Filter $apa_e_filter -ExpandProperty target -All

+$htt = @{}; foreach ($e in $apa_e) { if ($null -ne $e.Target -and $null -ne $e.Target.Id) {$htt[$e.Target.Id] = $e} }

+foreach ($w in $apa_w) { if ($null -ne $w.Target -and $null -ne $w.Target.Id -and $htt.ContainsKey($w.Target.Id)) { write-output $w.Target.Email } }

+```

+## Configuring multiple access packages for override scenarios

+If an access package has been configured as incompatible, then a user who has an assignment to that incompatible access package cannot request the access package, nor can an administrator make a new assignment that would be incompatible.

+For example, if the **Production environment** access package has marked the **Development environment** package as incompatible, and a user has an assignment to the **Development environment** access package, then the access package manager for **Production environment** cannot create an assignment for that user to the **Production environment**. In order to proceed with that assignment, the user's existing assignment to the **Development environment** access package must first be removed.

+If there is an exceptional situation where separation of duties rules might need to be overridden, then configuring an additional access package to capture the users who have overlapping access rights will make it clear to the approvers, reviewers, and auditors the exceptional nature of those assignments.

+For example, if there was a scenario that some users would need to have access to both production and deployment environments at the same time, you could create a new access package **Production and development environments**. That access package could have as its resource roles some of the resource roles of the **Production environment** access package and some of the resource roles of the **Development environment** access package.

+If the motivation of the incompatible access is one resource's roles are particularly problematic, then that resource could be omitted from the combined access package, and require explicit administrator assignment of a user to the role. If that is a third party application or your own application, then you can ensure oversight by monitoring those role assignments using the *Application role assignment activity* workbook described in the next section.

+Depending on your governance processes, that combined access package could have as its policy either:

+ - a **direct assignments policy**, so that only an access package manager would be interacting with the access package, or

+ - a **users can request access policy**, so that a user can request, with potentially an additional approval stage

+This policy could have as its lifecycle settings a much shorter expiration number of days than a policy on other access packages, or require more frequent access reviews, with regular oversight so that users do not retain access longer than necessary.

+

+Users now find their BIG-IP published services consolidated in the [MyApps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) or [O365 launchpads](https://airhead.io/airbase/launchpads/R3kW-RkDFEedipcU1AFlnA) along with self-service capabilities to a broader set of services, no matter the type of device or location. Users can even continue accessing published services directly via the BIG-IPs proprietary Webtop portal, if preferred. When logging off, SHA ensures a usersΓÇÖ session is terminated at both ends, the BIG-IP and Azure AD, ensuring services remain fully protected from unauthorized access.

+| Datawiza Access Broker | [https://docs.microsoft.com/azure/active-directory/manage-apps/datawiza-with-azure-ad](./datawiza-with-azure-ad.md) |

+| Silverfort Authentication Platform | [https://docs.microsoft.com/azure/active-directory/manage-apps/silverfort-azure-ad-integration](./silverfort-azure-ad-integration.md) |

+### I can't add another user to my password-based SSO app

+A user cannot have more than 48 credentials configured across all password SSO apps where the user is directly assigned.

+If you want to add more apps with password-based SSO to a user, consider assigning the app to a group the user is a direct member of, and configuring the credential for the group. Note that the credentials configured for the group will be available for all members of the group.

+### I can't add another group to my password-based SSO app

+Each password-based SSO app has a limit of 48 groups which are assigned and have had credentials configured for them. If you want to add additional groups, you can either:

+- Remove groups who are no longer using the app

+## How do users get assigned an application in Azure AD?

+There are several ways a user can be assigned an application. Assignment can be performed by an administrator, a business delegate, or sometimes, the user themselves. Below describes the ways users can get assigned to applications:

+* An administrator assigns a license to a user directly, for a Microsoft service such as [Microsoft 365](https://products.office.com/)

+* An administrator assigns a license to a group that the user is a member of, for a Microsoft service such as [Microsoft 365](https://products.office.com/)

+* A user [consents to an application](consent-and-permissions-overview.md#user-consent) on behalf of themselves.

+> [!VIDEO https://docs.microsoft.com/Shows/On-NET/Using-Azure-Managed-identities/player?format=ny]

+In Azure Active Directory (Azure AD), you can add users or groups to an administrative unit to restrict the scope of role permissions. For additional details on what scoped administrators can do, see [Administrative units in Azure Active Directory](administrative-units.md).

+- [Administrative units in Azure Active Directory](administrative-units.md)

+Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their [default user permissions](../fundamentals/users-default-permissions.md) to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out. But you can browse other users in the Azure portal, PowerShell, and other Microsoft services.

+| Administrative unit-scoped management of group properties and membership | Supported | Supported | Not supported |

+> [!NOTE]

+> Adding a group to an administrative unit does not grant scoped group administrators the ability to manage properties for individual members of that group. For example, a scoped group administrator can manage group membership, but they can't manage authentication methods of users who are members of the group added to an administrative unit. To manage authentication methods of users who are members of the group that is added to an administrative unit, the individual group members must be directly added as users of the administrative unit, and the group administrator must also be assigned a role that can manage user authentication methods.

+## Constraints

+Here are some of the constraints for administrative units.

+- Administrative units can't be nested.

+- Administrative unit-scoped user account administrators can't create or delete users.

+- A scoped role assignment doesn't apply to members of groups added to an administrative unit, unless the group members are directly added to the administrative unit. For more information, see [Add members to an administrative unit](admin-units-members-add.md).

+- Administrative units are currently not available in [Azure AD Identity Governance](../governance/identity-governance-overview.md).

+- [Administrative unit limits](../enterprise-users/directory-service-limits-restrictions.md?context=%2fazure%2factive-directory%2froles%2fcontext%2fugr-context)

+Accessing a private AKS cluster requires that you connect to that cluster either from the cluster virtual network, from a peered network, or via a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a *jumpbox* within the cluster virtual network, or creating a private endpoint inside of another virtual network. Alternatively, you can use `command invoke` to access private clusters without having to configure a VPN or Express Route. Using `command invoke` allows you to remotely invoke commands like `kubectl` and `helm` on your private cluster through the Azure API without directly connecting to the cluster. Permissions for using `command invoke` are controlled through the `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` roles.

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+This article also requires that you're running Azure PowerShell version 5.9.0 or later. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install Azure PowerShell][azure-powershell-install].

+In addition, this article assumes you have an existing AKS cluster with an integrated ACR. For more details on creating an AKS cluster with an integrated ACR, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-integrated-acr-ps].

+## Basic configuration

+To create a simple NGINX ingress controller without customizing the defaults, you will use helm.

+### [Azure CLI](#tab/azure-cli)

+```console

+NAMESPACE=ingress-basic

+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

+helm repo update

+helm install ingress-nginx ingress-nginx/ingress-nginx --create-namespace --namespace $NAMESPACE

+```

+### [Azure PowerShell](#tab/azure-powershell)

+```powershell-interactive

+$Namespace = 'ingress-basic'

+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

+helm repo update

+helm install ingress-nginx ingress-nginx/ingress-nginx --create-namespace --namespace $Namespace

+```

+Note that the above configuration uses the 'out of the box' configuration for simplicity. If needed, you could add parameters for customizing the deployment, eg, `--set controller.replicaCount=3`. The next section will show a highly customized example of the ingress controller.

+## Customized configuration

+As an alternative to the basic configuration presented in the above section, the next set of steps will show how to deploy a customized ingress controller.

+### Import the images used by the Helm chart into your ACR

+### [Azure CLI](#tab/azure-cli)

+To control image versions, you will want to import them into your own Azure Container registry. The [NGINX ingress controller Helm chart][ingress-nginx-helm-chart] relies on three container images. Use `az acr import` to import those images into your ACR.

+### [Azure PowerShell](#tab/azure-powershell)

+To control image versions, you will want to import them into your own Azure Container registry. The [NGINX ingress controller Helm chart][ingress-nginx-helm-chart] relies on three container images. Use `Import-AzContainerRegistryImage` to import those images into your ACR.

+```azurepowershell-interactive

+$RegistryName = "<REGISTRY_NAME>"

+$ResourceGroup = (Get-AzContainerRegistry | Where-Object {$_.name -eq $RegistryName} ).ResourceGroupName

+$SourceRegistry = "k8s.gcr.io"

+$ControllerImage = "ingress-nginx/controller"

+$ControllerTag = "v1.0.4"

+$PatchImage = "ingress-nginx/kube-webhook-certgen"

+$PatchTag = "v1.1.1"

+$DefaultBackendImage = "defaultbackend-amd64"

+$DefaultBackendTag = "1.5"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${ControllerImage}:${ControllerTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${PatchImage}:${PatchTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${DefaultBackendImage}:${DefaultBackendTag}"

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+# Add the ingress-nginx repository

+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

+# Set variable for ACR location to use for pulling images

+$AcrUrl = (Get-AzContainerRegistry -ResourceGroupName $ResourceGroup -Name $RegistryName).LoginServer

+# Use Helm to deploy an NGINX ingress controller

+helm install nginx-ingress ingress-nginx/ingress-nginx `

+ --namespace ingress-basic --create-namespace `

+ --set controller.replicaCount=2 `

+ --set controller.nodeSelector."kubernetes\.io/os"=linux `

+ --set controller.image.registry=$AcrUrL `

+ --set controller.image.image=$ControllerImage `

+ --set controller.image.tag=$ControllerTag `

+ --set controller.image.digest="" `

+ --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux `

+ --set controller.admissionWebhooks.patch.image.registry=$AcrUrl `

+ --set controller.admissionWebhooks.patch.image.image=$PatchImage `

+ --set controller.admissionWebhooks.patch.image.tag=$PatchTag `

+ --set controller.admissionWebhooks.patch.image.digest="" `

+ --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux `

+ --set defaultBackend.image.registry=$AcrUrl `

+ --set defaultBackend.image.image=$DefaultBackendImage `

+ --set defaultBackend.image.tag=$DefaultBackendTag `

+ --set defaultBackend.image.digest=""

+```

+## Check the load balancer service

+[aks-integrated-acr-ps]: cluster-container-registry-integration.md?tabs=azure-powershell#create-a-new-aks-cluster-with-acr-integration

+[acr-helm]: ../container-registry/container-registry-helm-repos.md

+[azure-powershell-install]: /powershell/azure/install-az-ps

+This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

+### [Azure CLI](#tab/azure-cli)

+In addition, this article assumes you have an existing AKS cluster with an integrated ACR. For more details on creating an AKS cluster with an integrated ACR, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-integrated-acr].

+### [Azure PowerShell](#tab/azure-powershell)

+In addition, this article assumes you have an existing AKS cluster with an integrated ACR. For more details on creating an AKS cluster with an integrated ACR, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-integrated-acr-ps].

+This article also requires that you're running Azure PowerShell version 5.9.0 or later. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install Azure PowerShell][azure-powershell-install].

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+Use `Import-AzContainerRegistryImage` to import those images into your ACR.

+```azurepowershell-interactive

+$RegistryName = "<REGISTRY_NAME>"

+$ResourceGroup = (Get-AzContainerRegistry | Where-Object {$_.name -eq $RegistryName} ).ResourceGroupName

+$SourceRegistry = "k8s.gcr.io"

+$ControllerImage = "ingress-nginx/controller"

+$ControllerTag = "v1.0.4"

+$PatchImage = "ingress-nginx/kube-webhook-certgen"

+$PatchTag = "v1.1.1"

+$DefaultBackendImage = "defaultbackend-amd64"

+$DefaultBackendTag = "1.5"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${ControllerImage}:${ControllerTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${PatchImage}:${PatchTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${DefaultBackendImage}:${DefaultBackendTag}"

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+# Add the ingress-nginx repository

+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

+# Set variable for ACR location to use for pulling images

+$AcrUrl = (Get-AzContainerRegistry -ResourceGroupName $ResourceGroup -Name $RegistryName).LoginServer

+# Use Helm to deploy an NGINX ingress controller

+helm install nginx-ingress ingress-nginx/ingress-nginx `

+ --namespace ingress-basic --create-namespace `

+ --set controller.replicaCount=2 `

+ --set controller.nodeSelector."kubernetes\.io/os"=linux `

+ --set controller.image.registry=$AcrUrl `

+ --set controller.image.image=$ControllerImage `

+ --set controller.image.tag=$ControllerTag `

+ --set controller.image.digest="" `

+ --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux `

+ --set controller.admissionWebhooks.patch.image.registry=$AcrUrl `

+ --set controller.admissionWebhooks.patch.image.image=$PatchImage `

+ --set controller.admissionWebhooks.patch.image.tag=$PatchTag `

+ --set controller.admissionWebhooks.patch.image.digest="" `

+ --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux `

+ --set defaultBackend.image.registry=$AcrUrl `

+ --set defaultBackend.image.image=$DefaultBackendImage `

+ --set defaultBackend.image.tag=$DefaultBackendTag `

+ --set defaultBackend.image.digest=""

+```

+[aks-quickstart-cli]: kubernetes-walkthrough.md

+[aks-quickstart-powershell]: kubernetes-walkthrough-powershell.md

+[aks-quickstart-portal]: kubernetes-walkthrough-portal.md

+[aks-integrated-acr-ps]: cluster-container-registry-integration.md?tabs=azure-powershell#create-a-new-aks-cluster-with-acr-integration

+[azure-powershell-install]: /powershell/azure/install-az-ps

+### [Azure CLI](#tab/azure-cli)

+This article also requires that you are running the Azure CLI version 2.0.64 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+### [Azure PowerShell](#tab/azure-powershell)

+In addition, this article assumes you have an existing AKS cluster with an integrated ACR. For more details on creating an AKS cluster with an integrated ACR, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-integrated-acr-ps].

+This article also requires that you're running PowerShell 7.2 or newer and Azure PowerShell version 5.9.0 or later. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install Azure PowerShell][azure-powershell-install].

+This article uses the [NGINX ingress controller Helm chart][ingress-nginx-helm-chart], which relies on three container images.

+### [Azure CLI](#tab/azure-cli)

+Use `az acr import` to import those images into your ACR.

+### [Azure PowerShell](#tab/azure-powershell)

+Use `Import-AzContainerRegistryImage` to import those images into your ACR.

+```azurepowershell-interactive

+$RegistryName = "<REGISTRY_NAME>"

+$ResourceGroup = (Get-AzContainerRegistry | Where-Object {$_.name -eq $RegistryName} ).ResourceGroupName

+$SourceRegistry = "k8s.gcr.io"

+$ControllerImage = "ingress-nginx/controller"

+$ControllerTag = "v1.0.4"

+$PatchImage = "ingress-nginx/kube-webhook-certgen"

+$PatchTag = "v1.1.1"

+$DefaultBackendImage = "defaultbackend-amd64"

+$DefaultBackendTag = "1.5"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${ControllerImage}:${ControllerTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${PatchImage}:${PatchTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $SourceRegistry -SourceImage "${DefaultBackendImage}:${DefaultBackendTag}"

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+# Create a namespace for your ingress resources

+kubectl create namespace ingress-basic

+# Add the ingress-nginx repository

+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

+# Set variable for ACR location to use for pulling images

+$AcrUrl = (Get-AzContainerRegistry -ResourceGroupName $ResourceGroup -Name $RegistryName).LoginServer

+# Use Helm to deploy an NGINX ingress controller

+helm install nginx-ingress ingress-nginx/ingress-nginx `

+ --namespace ingress-basic `

+ --set controller.replicaCount=2 `

+ --set controller.nodeSelector."kubernetes\.io/os"=linux `

+ --set controller.image.registry=$AcrUrl `

+ --set controller.image.image=$ControllerImage `

+ --set controller.image.tag=$ControllerTag `

+ --set controller.image.digest="" `

+ --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux `

+ --set controller.admissionWebhooks.patch.image.registry=$AcrUrl `

+ --set controller.admissionWebhooks.patch.image.image=$PatchImage `

+ --set controller.admissionWebhooks.patch.image.tag=$PatchTag `

+ --set controller.admissionWebhooks.patch.image.digest="" `

+ --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux `

+ --set defaultBackend.image.registry=$AcrUrl `

+ --set defaultBackend.image.image=$DefaultBackendImage `

+ --set defaultBackend.image.tag=$DefaultBackendTag `

+ --set defaultBackend.image.digest=""

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+For this article, let's generate a self-signed certificate with `New-SelfSignedCertificate`. For production use, you should request a trusted, signed certificate through a provider or your own certificate authority (CA). In the next step, you generate a Kubernetes *Secret* using the TLS certificate and private key you generated.

+The following example generates a 2048-bit RSA X509 certificate valid for 365 days named *aks-ingress-tls.crt*. The private key file is named *aks-ingress-tls.key*. A Kubernetes TLS secret requires both of these files.

+This article works with the *demo.azure.com* subject common name and doesn't need to be changed. For production use, specify your own organizational values for the `-subj` parameter:

+```powershell-interactive

+$Certificate = New-SelfSignedCertificate -KeyAlgorithm RSA -KeyLength 2048 -Subject "CN=demo.azure.com,O=aks-ingress-tls" -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My\

+$certificatePem =[System.Security.Cryptography.PemEncoding]::Write("CERTIFICATE", $Certificate.RawData)

+$certificatePem -join '' | Out-File -FilePath aks-ingress-tls.crt

+$privKeyBytes = $Certificate.PrivateKey.ExportPkcs8PrivateKey()

+$privKeyPem = [System.Security.Cryptography.PemEncoding]::Write("PRIVATE KEY", $privKeyBytes)

+$privKeyPem -join '' | Out-File -FilePath aks-ingress-tls.key

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```powershell-interactive

+kubectl create secret tls aks-ingress-tls `

+ --namespace ingress-basic `

+ --key aks-ingress-tls.key `

+ --cert aks-ingress-tls.crt

+```

+[aks-integrated-acr-ps]: cluster-container-registry-integration.md?tabs=azure-powershell#create-a-new-aks-cluster-with-acr-integration

+[azure-powershell-install]: /powershell/azure/install-az-ps

+This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

+### [Azure CLI](#tab/azure-cli)

+This article also requires that you are running the Azure CLI version 2.0.64 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+### [Azure PowerShell](#tab/azure-powershell)

+In addition, this article assumes you have an existing AKS cluster with an integrated ACR. For more details on creating an AKS cluster with an integrated ACR, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-integrated-acr-ps].

+This article also requires that you're running Azure PowerShell version 5.9.0 or later. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install Azure PowerShell][azure-powershell-install].

+This article uses the [NGINX ingress controller Helm chart][ingress-nginx-helm-chart], which relies on three container images.

+### [Azure CLI](#tab/azure-cli)

+Use `az acr import` to import those images into your ACR.

+### [Azure PowerShell](#tab/azure-powershell)

+Use `Import-AzContainerRegistryImage` to import those images into your ACR.

+```azurepowershell-interactive

+$RegistryName = "<REGISTRY_NAME>"

+$ResourceGroup = (Get-AzContainerRegistry | Where-Object {$_.name -eq $RegistryName} ).ResourceGroupName

+$ControllerRegistry = "k8s.gcr.io"

+$ControllerImage = "ingress-nginx/controller"

+$ControllerTag = "v1.0.4"

+$PatchRegistry = "docker.io"

+$PatchImage = "jettech/kube-webhook-certgen"

+$PatchTag = "v1.5.1"

+$DefaultBackendRegistry = "k8s.gcr.io"

+$DefaultBackendImage = "defaultbackend-amd64"

+$DefaultBackendTag = "1.5"

+$CertManagerRegistry = "quay.io"

+$CertManagerTag = "v1.3.1"

+$CertManagerImageController = "jetstack/cert-manager-controller"

+$CertManagerImageWebhook = "jetstack/cert-manager-webhook"

+$CertManagerImageCaInjector = "jetstack/cert-manager-cainjector"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $ControllerRegistry -SourceImage "${ControllerImage}:${ControllerTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $PatchRegistry -SourceImage "${PatchImage}:${PatchTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $DefaultBackendRegistry -SourceImage "${DefaultBackendImage}:${DefaultBackendTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $CertManagerRegistry -SourceImage "${CertManagerImageController}:${CertManagerTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $CertManagerRegistry -SourceImage "${CertManagerImageWebhook}:${CertManagerTag}"

+Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $CertManagerRegistry -SourceImage "${CertManagerImageCaInjector}:${CertManagerTag}"

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+If you need to create a static public IP address, first get the resource group name of the AKS cluster with the [Get-AzAksCluster][get-az-aks-cluster] command:

+```azurepowershell-interactive

+(Get-AzAksCluster -ResourceGroupName $ResourceGroup -Name myAKSCluster).NodeResourceGroup

+```

+Next, create a public IP address with the *static* allocation method using the [New-AzPublicIpAddress][new-az-public-ip-address] command. The following example creates a public IP address named *myAKSPublicIP* in the AKS cluster resource group obtained in the previous step:

+```azurepowershell-interactive

+(New-AzPublicIpAddress -ResourceGroupName MC_myResourceGroup_myAKSCluster_eastus -Name myAKSPublicIP -Sku Standard -AllocationMethod Static -Location eastus).IpAddress

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```powershell-interactive

+# Add the ingress-nginx repository

+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

+# Set variable for ACR location to use for pulling images

+$AcrUrl = (Get-AzContainerRegistry -ResourceGroupName $ResourceGroup -Name $RegistryName).LoginServer

+$StaticIp = "<STATIC_IP>"

+$DnsLabel = "<DNS_LABEL>"

+helm install nginx-ingress ingress-nginx/ingress-nginx `

+ --namespace ingress-basic --create-namespace `

+ --set controller.replicaCount=2 `

+ --set controller.nodeSelector."kubernetes\.io/os"=linux `

+ --set controller.image.registry=$AcrUrl `

+ --set controller.image.image=$ControllerImage `

+ --set controller.image.tag=$ControllerTag `

+ --set controller.image.digest="" `

+ --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux `

+ --set controller.admissionWebhooks.patch.image.registry=$AcrUrl `

+ --set controller.admissionWebhooks.patch.image.image=$PatchImage `

+ --set controller.admissionWebhooks.patch.image.tag=$PatchTag `

+ --set controller.admissionWebhooks.patch.image.digest="" `

+ --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux `

+ --set defaultBackend.image.registry=$AcrUrl, `

+ --set defaultBackend.image.image=$DefaultBackendImage `

+ --set defaultBackend.image.tag=$DefaultBackendTag `

+ --set defaultBackend.image.digest="" `

+ --set controller.service.loadBalancerIP=$StaticIp `

+ --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DnsLabel

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+(Get-AzPublicIpAddress -ResourceGroupName MC_myResourceGroup_myAKSCluster_eastus -Name myAKSPublicIP).DnsSettings.Fqdn

+```

+### [Azure CLI](#tab/azure-cli)

+ --set cainjector.image.tag=$CERT_MANAGER_TAG

+### [Azure PowerShell](#tab/azure-powershell)

+```powershell-interactive

+# Label the cert-manager namespace to disable resource validation

+kubectl label namespace ingress-basic cert-manager.io/disable-validation=true

+# Add the Jetstack Helm repository

+helm repo add jetstack https://charts.jetstack.io

+# Update your local Helm chart repository cache

+helm repo update

+# Install the cert-manager Helm chart

+helm install cert-manager jetstack/cert-manager `

+ --namespace ingress-basic `

+ --version $CertManagerTag `

+ --set installCRDs=true `

+ --set nodeSelector."kubernetes\.io/os"=linux `

+ --set image.repository=$AcrUrl/$CertManagerImageController `

+ --set image.tag=$CertManagerTag `

+ --set webhook.image.repository=$AcrUrl/$CertManagerImageWebhook `

+ --set webhook.image.tag=$CertManagerTag `

+ --set cainjector.image.repository=$AcrUrl/$CertManagerImageCaInjector `

+ --set cainjector.image.tag=$CertManagerTag

+```

+Create a *aks-helloworld-one.yaml* file and copy in the following example YAML:

+ name: aks-helloworld-one

+ app: aks-helloworld-one

+ app: aks-helloworld-one

+ - name: aks-helloworld-one

+ name: aks-helloworld-one

+ app: aks-helloworld-one

+Create a *aks-helloworld-two.yaml* file and copy in the following example YAML:

+ name: aks-helloworld-two

+ app: aks-helloworld-two

+ app: aks-helloworld-two

+ - name: aks-helloworld-two

+ name: aks-helloworld-two

+ app: aks-helloworld-two

+kubectl apply -f aks-helloworld-one.yaml --namespace ingress-basic

+kubectl apply -f aks-helloworld-two.yaml --namespace ingress-basic

+ name: aks-helloworld-one

+ name: aks-helloworld-two

+ name: aks-helloworld-one

+kubectl delete -f aks-helloworld-one.yaml --namespace ingress-basic

+kubectl delete -f aks-helloworld-two.yaml --namespace ingress-basic

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Remove-AzPublicIpAddress -ResourceGroupName MC_myResourceGroup_myAKSCluster_eastus -Name myAKSPublicIP

+```

+[get-az-aks-cluster]: /powershell/module/az.aks/get-azakscluster

+[new-az-public-ip-address]: /powershell/module/az.network/new-azpublicipaddress

+[aks-quickstart-powershell]: kubernetes-walkthrough-powershell.md

+[aks-integrated-acr-ps]: cluster-container-registry-integration.md?tabs=azure-powershell#create-a-new-aks-cluster-with-acr-integration

+[azure-powershell-install]: /powershell/azure/install-az-ps

+This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

+Use `Import-AzContainerRegistryImage` to import those images into your ACR.

+$AcrUrl = (Get-AzContainerRegistry -ResourceGroupName $ResourceGroup -Name $RegistryName).LoginServer

+ --set controller.image.digest="" `

+ --set controller.admissionWebhooks.patch.image.digest="" `

+ --set defaultBackend.image.tag=$DefaultBackendTag `

+ --set defaultBackend.image.digest=""

+ -TTL 3600 `

+* Use a [private endpoint][private-endpoint-service] connection.

+Creating a VM in the same VNET as the AKS cluster is the easiest option. Express Route and VPNs add costs and require additional networking complexity. Virtual network peering requires you to plan your network CIDR ranges to ensure there are no overlapping ranges.

+## Using a private endpoint connection

+A private endpoint can be set up so that an Azure Virtual Network doesn't need to be peered to communicate to the private cluster. To use a private endpoint, create a new private endpoint in your virtual network then create a link between your virtual network and a new private DNS zone.

+> [!IMPORTANT]

+> If the virtual network is configured with custom DNS servers, private DNS will need to be set up appropriately for the environment. See the [virtual networks name resolution documentation][virtual-networks-name-resolution] for more details.

+1. On the Azure portal menu or from the Home page, select **Create a resource**.

+2. Search for **Private Endpoint** and select **Create > Private Endpoint**.

+3. Select **Create**.

+4. On the **Basics** tab, set up the following options:

+ * **Project details**:

+ * Select an Azure **Subscription**.

+ * Select the Azure **Resource group** where your virtual network is located.

+ * **Instance details**:

+ * Enter a **Name** for the private endpoint, such as *myPrivateEndpoint*.

+ * Select a **Region** for the private endpoint.

+

+ > [!IMPORTANT]

+ > Check that the region selected is the same as the virtual network where you want to connect from, otherwise you won't see your virtual network in the **Configuration** tab.

+5. Select **Next: Resource** when complete.

+6. On the **Resource** tab, set up the following options:

+ * **Connection method**: *Connect to an Azure resource in my directory*

+ * **Subscription**: Select your Azure Subscription where the private cluster is located

+ * **Resource type**: *Microsoft.ContainerService/managedClusters*

+ * **Resource**: *myPrivateAKSCluster*

+ * **Target sub-resource**: *management*

+7. Select **Next: Configuration** when complete.

+8. On the **Configuration** tab, set up the following options:

+ * **Networking**:

+ * **Virtual network**: *myVirtualNetwork*

+ * **Subnet**: *mySubnet*

+9. Select **Next: Tags** when complete.

+10. (Optional) On the **Tags** tab, set up key-values as needed.

+11. Select **Next: Review + create**, and then select **Create** when validation completes.

+Record the private IP address of the private endpoint. This private IP address is used in a later step.

+After the private endpoint has been created, create a new private DNS zone with the same name as the private DNS zone that was created by the private cluster.

+1. Go to the node resource group in the Azure portal.

+2. Select the private DNS zone and record:

+ * the name of the private DNS zone, which follows the pattern `*.privatelink.<region>.azmk8s.io`

+ * the name of the A record (excluding the private DNS name)

+ * the time-to-live (TTL)

+3. On the Azure portal menu or from the Home page, select **Create a resource**.

+4. Search for **Private DNS zone** and select **Create > Private DNS Zone**.

+5. On the **Basics** tab, set up the following options:

+ * **Project details**:

+ * Select an Azure **Subscription**

+ * Select the Azure **Resource group** where the private endpoint was created

+ * **Instance details**:

+ * Enter the **Name** of the DNS zone retrieved from previous steps

+ * **Region** defaults to the Azure Resource group location

+6. Select **Review + create** when complete and select **Create** when validation completes.

+After the private DNS zone is created, create an A record. This record associates the private endpoint to the private cluster.

+1. Go to the private DNS zone created in previous steps.

+2. On the **Overview** page, select **+ Record set**.

+3. On the **Add record set** tab, set up the following options:

+ * **Name**: Input the name retrieved from the A record in the private cluster's DNS zone

+ * **Type**: *A - Alias record to IPv4 address*

+ * **TTL**: Input the number to match the record from the A record private cluster's DNS zone

+ * **TTL Unit**: Change the dropdown value to match the A record from the private cluster's DNS zone

+ * **IP address**: Input the IP address of the private endpoint that was created previously

+> [!IMPORTANT]

+> When creating the A record, use only the name, and not the fully qualified domain name (FQDN).

+Once the A record is created, link the private DNS zone to the virtual network that will access the private cluster.

+1. Go to the private DNS zone created in previous steps.

+2. In the left pane, select **Virtual network links**.

+3. Create a new link to add the virtual network to the private DNS zone. It takes a few minutes for the DNS zone link to become available.

+> [!WARNING]

+> If the private cluster is stopped and restarted, the private cluster's original private link service is removed and re-created, which breaks the connection between your private endpoint and the private cluster. To resolve this issue, delete and re-create any user created private endpoints linked to the private cluster. DNS records will also need to be updated if the re-created private endpoints have new IP addresses.

+* IP authorized ranges can't be applied to the private API server endpoint, they only apply to the public API server

+* No support for Azure DevOps Microsoft-hosted Agents with private clusters. Consider using [Self-hosted Agents](/azure/devops/pipelines/agents/agents?tabs=browser).

+* If you need to enable Azure Container Registry to work with a private AKS cluster, [set up a private link for the container registry in the cluster virtual network][container-registry-private-link] or set up peering between the Container Registry virtual network and the private cluster's virtual network.

+[private-endpoint-service]: ../private-link/private-endpoint-overview.md

+[container-registry-private-link]: ../container-registry/container-registry-private-link.md

+[virtual-networks-name-resolution]: ../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server

+**Video:** Check out Automating deployment to learn more about how you can use Azure Automation to speed server creation.

+This example shows how to configure API Management response caching duration that matches the response caching of the backend service as specified by the backed service's `Cache-Control` directive. For a demonstration of configuring and using this policy, see Cloud Cover Episode 177: More API Management Features with Vlad Vinogradsky and fast-forward to 25:25.

+tags: azure-resource-manager

+| [At scale discovery and assessment for ASP.NET app migration with Azure Migrate](/Shows/Inside-Azure-for-IT/At-scale-discovery-and-assessment-for-ASPNET-app-migration-with-Azure-Migrate) |

+You can migrate ASP.NET web apps from single IIS server discovered through Azure Migrate's at-scale discovery experience using [PowerShell scripts](https://github.com/Azure/App-Service-Migration-Assistant/wiki/PowerShell-Scripts) [(download)](https://appmigration.microsoft.com/api/download/psscriptpreview/AppServiceMigrationScripts.zip). Watch the video for [updates on migrating to Azure App Service](/Shows/The-Launch-Space/Updates-on-Migrating-to-Azure-App-Service).

+Download this [preview tool](https://azure.microsoft.com/services/app-service/migration-assistant/) to migrate a Java web app on Apache Tomcat to App Service on Windows. For more information, see the [video](/Shows/The-Launch-Space/Updates-on-Migrating-to-Azure-App-Service) and [how-to](https://github.com/Azure/App-Service-Migration-Assistant/wiki/TOMCAT-Java-Information).

+ Title: How to migrate App Service Environment v2 to App Service Environment v3

+description: Learn how to migrate your App Service Environment v2 to App Service Environment v3

+# How to migrate App Service Environment v2 to App Service Environment v3

+> [!IMPORTANT]

+> This article describes a feature that is currently in preview. You should use this feature for dev environments first before migrating any production environments to ensure there are no unexpected issues. Please provide any feedback related to this article or the feature using the buttons at the bottom of the page.

+>

+An App Service Environment (ASE) v2 can be migrated to an [App Service Environment v3](overview.md). To learn more about the migration process and to see if your App Service Environment supports migration at this time, see the [Migration to App Service Environment v3 Overview](migrate.md).

+## Prerequisites

+Ensure you understand how migrating to an App Service Environment v3 will affect your applications. Review the [migration process](migrate.md#overview-of-the-migration-process) to understand the process timeline and where and when you'll need to get involved. Also review the [FAQs](migrate.md#frequently-asked-questions), which may answer some questions you currently have.

+For the initial preview of the migration feature, you should follow the below steps in order and as written since you'll be making Azure REST API calls. The recommended way for making these calls is by using the [Azure CLI](/cli/azure/). For information about other methods, see [Getting Started with Azure REST](/rest/api/azure/).

+For this guide, [install the Azure CLI](/cli/azure/install-azure-cli) or use the [Azure Cloud Shell](https://shell.azure.com/).

+## 1. Get your App Service Environment ID

+Run these commands to get your App Service Environment ID and store it as an environment variable. Replace the placeholders for name and resource group with your values for the App Service Environment you want to migrate.

+```azurecli

+ASE_NAME=<Your-App-Service-Environment-name>

+ASE_RG=<Your-Resource-Group>

+ASE_ID=$(az appservice ase show --name $ASE_NAME --resource-group $ASE_RG --query id --output tsv)

+```

+## 2. Delegate your App Service Environment subnet

+App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Previous versions didn't require this delegation. You'll need to confirm your subnet is delegated properly and update the delegation if needed before migrating. You can update the delegation either by running the following command or by navigating to the subnet in the [Azure portal](https://portal.azure.com).

+```azurecli

+az network vnet subnet update -g $ASE_RG -n <subnet-name> --vnet-name <vnet-name> --delegations Microsoft.Web/hostingEnvironments

+```

+

+## 3. Validate migration is supported

+The following command will check whether your App Service Environment is supported for migration. If you receive an error or if your App Service Environment is in an unhealthy or suspended state, you can't migrate at this time. For an estimate of when you can migrate, see the [timeline](migrate.md#preview-limitations). If your environment [won't be supported for migration](migrate.md#migration-feature-limitations) or you want to migrate to ASEv3 without using the migration feature, see [migration alternatives](migration-alternatives.md).

+```azurecli

+az rest --method post --uri "${ASE_ID}/migrate?api-version=2021-02-01&phase=validation"

+```

+If there are no errors, your migration is supported and you can continue to the next step.

+## 4. Generate IP addresses for your new App Service Environment v3

+Run the following command to create the new IPs. This step will take about 5 minutes to complete. Don't scale or make changes to your existing App Service Environment during this time.

+```azurecli

+az rest --method post --uri "${ASE_ID}/migrate?api-version=2021-02-01&phase=premigration" --verbose

+```

+Run the following command to check the status of this step.

+```azurecli

+az rest --method get --uri "${ASE_ID}?api-version=2018-11-01" --query properties.status

+```

+If it's in progress, you'll get a status of "Migrating". Once you get a status of "Ready", run the following command to get your new IPs. If you don't see the new IPs immediately, wait a few minutes and try again.

+```azurecli

+az rest --method get --uri "${ASE_ID}/configurations/networking?api-version=2018-11-01"

+```

+## 5. Update dependent resources with new IPs

+Don't move on to full migration immediately after completing the previous step. Using the new IPs, update any resources and networking components to ensure your new environment functions as intended once migration is complete. It's your responsibility to make any necessary updates.

+## 6. Full migration

+Only start this step once you've completed all pre-migration actions listed above and understand the [implications of full migration](migrate.md#full-migration) including what will happen during this time. There will be about one hour of downtime. Don't scale or make changes to your existing App Service Environment during this step.

+```azurecli

+az rest --method post --uri "${ASE_ID}/migrate?api-version=2021-02-01&phase=fullmigration" --verbose

+```

+Run the following command to check the status of your migration. The status will show as "Migrating" while in progress.

+```azurecli

+az rest --method get --uri "${ASE_ID}?api-version=2018-11-01" --query properties.status

+```

+Once you get a status of "Ready", migration is done and you have an App Service Environment v3.

+Get the details of your new environment by running the following command or by navigating to the [Azure portal](https://portal.azure.com).

+```azurecli

+az appservice ase show --name $ASE_NAME --resource group $ASE_RG

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Using an App Service Environment v3](using.md)

+> [!div class="nextstepaction"]

+> [App Service Environment v3 Networking](networking.md)

+ Title: Migration to App Service Environment v3

+description: Overview of the migration process to App Service Environment v3

+# Migration to App Service Environment v3

+> [!IMPORTANT]

+> This article describes a feature that is currently in preview. You should use this feature for dev environments first before migrating any production environments to ensure there are no unexpected issues. Please provide any feedback related to this article or the feature using the buttons at the bottom of the page.

+>

+App Service can now migrate your App Service Environment (ASE) v2 to an [App Service Environment v3](overview.md). App Service Environment v3 provides [advantages and feature differences](overview.md#feature-differences) over earlier versions. Make sure to review the [supported features](overview.md#feature-differences) of App Service Environment v3 before migrating to reduce the risk of an unexpected application issue.

+## Supported scenarios

+At this time, App Service Environment migrations to v3 support both [Internal Load Balancer (ILB)](create-ilb-ase.md) and [external (internet facing with public IP)](create-external-ase.md) App Service Environment v2 in the following regions:

+- West Central US

+- Canada Central

+- Canada East

+- UK South

+- Germany West Central

+- East Asia

+- Australia East

+- Australia Southeast

+You can find the version of your App Service Environment by navigating to your App Service Environment in the [Azure portal](https://portal.azure.com) and selecting **Configuration** under **Settings** on the left-hand side. You can also use [Azure Resource Explorer](https://resources.azure.com/) and review the value of the `kind` property for your App Service Environment.

+### Preview limitations

+For this version of the preview, your new App Service Environment will be placed in the existing subnet that was used for your old environment. Internet facing App Service Environment cannot be migrated to ILB App Service Environment v3 and vice versa.

+Note that App Service Environment v3 doesn't currently support the following features that you may be using with your current App Service Environment. If you require any of these features, don't migrate until they're supported.

+- Sending SMTP traffic. You can still have email triggered alerts but your app can't send outbound traffic on port 25.

+- Deploying your apps with FTP

+- Using remote debug with your apps

+- Monitoring your traffic with Network Watcher or NSG Flow

+- Configuring an IP-based TLS/SSL binding with your apps

+The following scenarios aren't supported in this version of the preview.

+- App Service Environment v2 -> Zone Redundant App Service Environment v3

+- App Service Environment v1

+- App Service Environment v1 -> Zone Redundant App Service Environment v3

+- |ILB App Service Environment v2 with a custom domain suffix

+- ILB App Service Environment v1 with a custom domain suffix

+- Internet facing App Service Environment v2 with IP SSL addresses

+- Internet facing App Service Environment v1 with IP SSL addresses

+- [Zone pinned](zone-redundancy.md) App Service Environment v2

+- App Service Environment in a region not listed above

+The App Service platform will review your App Service Environment to confirm migration support. If your scenario doesn't pass all validation checks, you won't be able to migrate at this time.

+## Overview of the migration process

+Migration consists of a series of steps that must be followed in order. Key points are given below for a subset of the steps. It's important to understand what will happen during these steps and how your environment and apps will be impacted. After reviewing the following information and when you're ready to migrate, follow the [step-by-step guide](how-to-migrate.md).

+> [!NOTE]

+> For this version of the preview, migration must be carried out using Azure REST API calls.

+>

+### Delegate your App Service Environment subnet

+App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. If the App Service Environment's subnet isn't delegated or it's delegated to a different resource, migration will fail.

+### Generate IP addresses for your new App Service Environment v3

+The platform will create the [new inbound IP (if you're migrating an internet facing App Service Environment) and the new outbound IP](networking.md#addresses). While these IPs are getting created, activity with your existing App Service Environment won't be interrupted, however, you won't be able to scale or make changes to your existing environment. This process will take about 5 minutes to complete.

+When completed, you'll be given the new IPs that will be used by your future App Service Environment v3. These new IPs have no effect on your existing environment. The IPs used by your existing environment will continue to be used up until your existing environment is shut down during the full migration step.

+### Update dependent resources with new IPs

+Once the new IPs are created, you'll have the new default outbound to the internet public addresses so you can adjust any external firewalls, DNS routing, network security groups, and so on, in preparation for the migration. For public internet facing App Service Environment, you'll also have the new inbound IP address that you can use to set up new endpoints with services like [Traffic Manager](../../traffic-manager/traffic-manager-overview.md) or [Azure Front Door](../../frontdoor/front-door-overview.md). **It's your responsibility to update any and all resources that will be impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.**

+### Full migration

+After updating all dependent resources with your new IPs, you should continue with full migration as soon as possible. It's recommended that you move on within one week.

+During full migration, the following events will occur:

+- The existing App Service Environment is shut down and replaced by the new App Service Environment v3

+- All App Service plans in the App Service Environment are converted from Isolated to Isolated v2

+- All of the apps that are on your App Service Environment are temporarily down. You should expect about one hour of downtime.

+ - If you can't support downtime, see [migration-alternatives](migration-alternatives.md#guidance-for-manual-migration)

+- The public addresses that are used by the App Service Environment will change to the IPs identified previously

+As in the IP generation step, you won't be able to scale or modify your App Service Environment or deploy apps to it during this process. When migration is complete, the apps that were on the old App Service Environment will be running on the new App Service Environment v3.

+> [!NOTE]

+> Due to the conversion of App Service plans from Isolated to Isolated v2, your apps may be over-provisioned after the migration since the Isolated v2 tier has more memory and CPU per corresponding instance size. You'll have the opportunity to [scale your environment](../manage-scale-up.md) as needed once migration is complete. For more information, review the [SKU details](https://azure.microsoft.com/pricing/details/app-service/windows/).

+>

+## Pricing

+There's no cost to migrate your App Service Environment. You'll stop being charged for your previous App Service Environment as soon as it shuts down during the full migration process, and you'll begin getting charged for your new App Service Environment v3 as soon as it's deployed. For more information about App Service Environment v3 pricing, see the [pricing details](overview.md#pricing).

+## Migration feature limitations

+The migration feature doesn't plan on supporting App Service Environment v1 within a classic VNet. See [migration alternatives](migration-alternatives.md) if your App Service Environment falls into this category. Also, you won't be able to migrate if your App Service Environment is in an unhealthy or suspended state.

+## Frequently asked questions

+- **What if migrating my App Service Environment is not currently supported?**

+ You won't be able migrate using the migration feature at this time. If you have an unsupported environment and want to migrate immediately, see [migration alternatives](migration-alternatives.md).

+- **Will I experience downtime during the migration?**

+ Yes, you should expect about one hour of downtime during the full migration step so plan accordingly. If downtime isn't an option for you, see [migration alternatives](migration-alternatives.md).

+- **Will I need to do anything to my apps after the migration to get them running on the new App Service Environment?**

+ No, all of your apps running on the old environment will be automatically migrated to the new environment and run like before. No user input is needed.

+- **What if my App Service Environment has a custom domain suffix?**

+ You won't be able migrate using the migration feature at this time. If you have an unsupported environment and want to migrate immediately, see [migration alternatives](migration-alternatives.md).

+- **What if my App Service Environment is zone pinned?**

+ Zone pinned App Service Environment is currently not a supported scenario for migration. When supported, zone pinned App Service Environments will be migrated to zone redundant App Service Environment v3.

+- **What properties of my App Service Environment will change?**

+ You'll now be on App Service Environment v3 so be sure to review the [features and feature differences](overview.md#feature-differences) compared to previous versions. For ILB App Service Environment, you'll keep the same ILB IP address. For internet facing App Service Environment, the public IP address and the outbound IP address will change. Note for internet facing App Service Environment, previously there was a single IP for both inbound and outbound. For App Service Environment v3, they're separate. For more information, see [App Service Environment v3 networking](networking.md#addresses).

+- **What happens if migration fails or there is an unexpected issue during the migration?**

+ If there's an unexpected issue, support teams will be on hand. It's recommended to migrate dev environments before touching any production environments.

+- **What happens to my old App Service Environment?**

+ If you decide to migrate an App Service Environment, the old environment gets shut down and deleted and all of your apps are migrated to a new environment. Your old environment will no longer be accessible.

+## Next steps

+> [!div class="nextstepaction"]

+> [Migrate App Service Environment v2 to App Service Environment v3](how-to-migrate.md)

+> [!div class="nextstepaction"]

+> [Migration Alternatives](migration-alternatives.md)

+> [!div class="nextstepaction"]

+> [App Service Environment v3 Networking](networking.md)

+> [!div class="nextstepaction"]

+> [Using an App Service Environment v3](using.md)

+ Title: Alternative methods for migrating to App Service Environment v3

+description: Migrate to App Service Environment v3 Without Using the Migration Feature

+# Migrate to App Service Environment v3 without using the migration feature

+> [!NOTE]

+> The App Service Environment v3 [migration feature](migrate.md) is now available in preview for a set of supported environment configurations. Consider that feature which provides an automated migration path to [App Service Environment v3](overview.md).

+>

+If you're currently using App Service Environment (ASE) v1 or v2, you have the opportunity to migrate your workloads to [App Service Environment v3](overview.md). App Service Environment v3 has [advantages and feature differences](overview.md#feature-differences) that provide enhanced support for your workloads and can reduce overall costs. Consider using the [migration feature](migrate.md) if your environment falls into one of the [supported scenarios](migrate.md#supported-scenarios). If your environment isn't currently supported by the migration feature, you can wait for support if your scenario is listed in the [upcoming supported scenarios](migrate.md#preview-limitations). Otherwise, you can choose to use one of the alternative migration options given below.

+If your App Service Environment [won't be supported for migration](migrate.md#migration-feature-limitations) with the migration feature, you must use one of the alternative methods to migrate to App Service Environment v3.

+## Prerequisites

+Scenario: An existing app running on an App Service Environment v1 or App Service Environment v2 and you need that app to run on an App Service Environment v3.

+For any migration method that doesn't use the [migration feature](migrate.md), you'll need to [create the App Service Environment v3](creation.md) and a new subnet using the method of your choice. There are [feature differences](overview.md#feature-differences) between App Service Environment v1/v2 and App Service Environment v3 as well as [networking changes](networking.md) that will involve new (and for internet-facing environments, additional) IP addresses. You'll need to update any infrastructure that relies on these IPs.

+Note that multiple App Service Environments can't exist in a single subnet. If you need to use your existing subnet for your new App Service Environment v3, you'll need to delete the existing App Service Environment before you create a new one. For this scenario, the recommended migration method is to [back up your apps and then restore them](#back-up-and-restore) on the new environment after it gets created and configured. There will be application downtime during this process because of the time it takes to delete the old environment (15 minutes), create the new App Service Environment v3 (30 minutes), configure any infrastructure and connected resources to work with the new environment (your responsibility), and deploy your apps onto the new environment (application deployment, type, and quantity dependent).

+### Checklist before migrating apps

+- [Create an App Service Environment v3](creation.md)

+- After creating the new environment, update any networking dependencies with the IP addresses associated with the new environment

+- Plan for downtime (if applicable)

+- Decide on a process for recreating your apps in your new environment

+## Isolated v2 App Service plans

+App Service Environment v3 uses Isolated v2 App Service plans that are priced and sized differently than those from Isolated plans. Review the [SKU details](https://azure.microsoft.com/pricing/details/app-service/windows/) to understand how you're new environment will need to be sized and scaled to ensure appropriate capacity. There's no difference in how you create App Service plans for App Service Environment v3 compared to previous versions.

+## Back up and restore

+The [back up](../manage-backup.md) and [restore](../web-sites-restore.md) feature allows you to keep your app configuration, file content, and database connected to your app when migrating to your new environment. Make sure you review the [requirements and restrictions](../manage-backup.md#requirements-and-restrictions) of this feature.

+The step-by-step instructions in the current documentation for [back up](../manage-backup.md) and [restore](../web-sites-restore.md) should be sufficient to allow you to use this feature. When restoring, the **Storage** option lets you select any backup ZIP file from any existing Azure Storage account container in your subscription. A sample of a restore configuration is given below.

+

+|Benefits |Limitations |

+|||

+|Quick - should only take 5-10 minutes per app |Support is limited to [certain database types](../manage-backup.md#what-gets-backed-up) |

+|Multiple apps can be restored at the same time (restoration needs to be configured for each app individually) |Old and new environments as well as supporting resources (for example apps, databases, storage accounts and containers) must all be in the same subscription |

+|In-app MySQL databases are automatically backed up without any configuration |Backups can be up to 10 GB of app and database content, up to 4 GB of which can be the database backup. If the backup size exceeds this limit, you get an error. |

+|Can restore the app to a snapshot of a previous state |Using a [firewall enabled storage account](../../storage/common/storage-network-security.md) as the destination for your backups isn't supported |

+|Can integrate with [Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md) and [Azure Application Gateway](../../application-gateway/overview.md) to distribute traffic across old and new environments |Using a [private endpoint enabled storage account](../../storage/common/storage-private-endpoints.md) for backup and restore isn't supported |

+|Can create empty web apps to restore to in your new environment before you start restoring to speed up the process | |

+## Clone your app to an App Service Environment v3

+[Cloning your apps](../app-service-web-app-cloning.md) is another feature that can be used to get your **Windows** apps onto your App Service Environment v3. There are limitations with cloning apps. These limitations are the same as those for the App Service Backup feature, see [Back up an app in Azure App Service](../manage-backup.md#requirements-and-restrictions).

+> [!NOTE]

+> Cloning apps is supported on Windows App Service only.

+>

+This solution is recommended for users that are using Windows App Service and can't migrate using the [migration feature](migrate.md). You'll need to set up your new App Service Environment v3 before cloning any apps. Cloning an app can take up to 30 minutes to complete. Cloning can be done using PowerShell as described in the [documentation](../app-service-web-app-cloning.md#cloning-an-existing-app-to-an-app-service-environment) or using the Azure portal as described below.

+To clone an app using the [Azure portal](https://www.portal.azure.com), navigate to your existing App Service and select **Clone App** under **Development Tools**. Fill in the required fields using the details for your new App Service Environment v3.

+1. Select an existing or create a new **Resource Group**

+1. Give your app a **Name**. This name can be the same as the old app, but note the site's default URL using the new environment will be different. You'll need to update any custom DNS or connected resources to point to the new URL.

+1. Use your App Service Environment v3 name for **Region**

+1. Choose whether or not to clone your deployment source

+1. You can use an existing Windows **App Service plan** from your new environment if you created one already, or create a new one. The available Windows App Service plans in your new App Service Environment v3, if any, will be listed in the dropdown.

+1. Modify **SKU and size** as needed using one of the Isolated v2 options if creating a new App Service plan. Note App Service Environment v3 uses Isolated v2 plans, which have more memory and CPU per corresponding instance size compared to the Isolated plan. For more information, see [App Service Environment v3 pricing](overview.md#pricing).

+

+|Benefits |Limitations |

+|||

+|Can be automated using PowerShell |Only supported on Windows App Service |

+|Multiple apps can be cloned at the same time (cloning needs to be configured for each app individually or using a script) |Support is limited to [certain database types](../manage-backup.md#what-gets-backed-up) |

+|Can integrate with [Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md) and [Azure Application Gateway](../../application-gateway/overview.md) to distribute traffic across old and new environments |Old and new environments as well as supporting resources (for example apps, databases, storage accounts and containers) must all be in the same subscription |

+## Manually create your apps on an App Service Environment v3

+If the above features don't support your apps or you're looking to take a more manual route, you have the option of deploying your apps following the same process you used for your existing App Service Environment. At this time, all deployment methods except FTP are supported on App Service Environment v3. You don't need to make updates when you deploy your apps to your new environment unless you want to make changes or take advantage of App Service Environment v3's dedicated features.

+You can export [Azure Resource Manager (ARM) templates](../../azure-resource-manager/templates/overview.md) of your existing apps, App Service plans, and any other supported resources and deploy them in your new environment. To export a template for just your app, head over to your App Service and go to **Export template** under **Automation**.

+

+You can also export templates for multiple resources directly from your resource group by going to your resource group, selecting the resources you want a template for, and then selecting **Export template**.

+

+The following initial changes to your Azure Resource Manager templates are required to get your apps onto your App Service Environment v3:

+- Update SKU parameters for App Service plan to an Isolated v2 plan as shown below if creating a new plan

+ ```json

+ "type": "Microsoft.Web/serverfarms",

+ "apiVersion": "2021-02-01",

+ "name": "[parameters('serverfarm_name')]",

+ "location": "East US",

+ "sku": {

+ "name": "I1v2",

+ "tier": "IsolatedV2",

+ "size": "I1v2",

+ "family": "Iv2",

+ "capacity": 1

+ },

+ ```

+- Update App Service plan (serverfarm) parameter the app is to be deployed into to the plan associated with the App Service Environment v3

+- Update hosting environment profile (hostingEnvironmentProfile) parameter to the new App Service Environment v3 resource ID

+- An Azure Resource Manager template export includes all properties exposed by the resource providers for the given resources. Remove all non-required properties such as those which point to the domain of the old app. For example, you `sites` resource could be simplified to the below:

+ ```json

+ "type": "Microsoft.Web/sites",

+ "apiVersion": "2021-02-01",

+ "name": "[parameters('site_name')]",

+ "location": "East US",

+ "dependsOn": [

+ "[resourceId('Microsoft.Web/serverfarms', parameters('serverfarm_name'))]"

+ ],

+ "properties": {

+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('serverfarm_name'))]",

+ "siteConfig": {

+ "linuxFxVersion": "NODE|14-lts"

+ },

+ "hostingEnvironmentProfile": {

+ "id": "[parameters('hostingEnvironments_externalid')]"

+ }

+ }

+ ```

+Other changes may be required depending on how your app is configured.

+Azure Resource Manager templates can be [deployed](../deploy-complex-application-predictably.md) using multiple methods including using the Azure portal, Azure CLI, or PowerShell.

+## Guidance for manual migration

+The [migration feature](migrate.md) automates the migration to App Service Environment v3 and at the same time transfers all of your apps to the new environment. There's about one hour of downtime during this migration. If you're in a position where you can't have any downtime, the recommendation is to use one of the manual options to recreate your apps in an App Service Environment v3.

+You can distribute traffic between your old and new environment using an [Application Gateway](../networking/app-gateway-with-service-endpoints.md). If you're using an Internal Load Balancer (ILB) App Service Environment, see the [considerations](../networking/app-gateway-with-service-endpoints.md#considerations-for-ilb-ase) and [create an Azure Application Gateway](integrate-with-application-gateway.md) with an extra backend pool to distribute traffic between your environments. For internet facing App Service Environments, see these [considerations](../networking/app-gateway-with-service-endpoints.md#considerations-for-external-ase). You can also use services like [Azure Front Door](../../frontdoor/quickstart-create-front-door.md), [Azure Content Delivery Network (CDN)](../../cdn/cdn-add-to-web-app.md), and [Azure Traffic Manager](../../cdn/cdn-traffic-manager.md) to distribute traffic between environments. Using these services allows for testing of your new environment in a controlled manner and allows you to move to your new environment at your own pace.

+Once your migration and any testing with your new environment is complete, delete your old App Service Environment, the apps that are on it, and any supporting resources that you no longer need. You'll continue to be charged for any resources that haven't been deleted.

+## Next steps

+> [!div class="nextstepaction"]

+> [App Service Environment v3 Networking](networking.md)

+> [!div class="nextstepaction"]

+> [Using an App Service Environment v3](using.md)

+> [!div class="nextstepaction"]

+> [Integrate your ILB App Service Environment with the Azure Application Gateway](integrate-with-application-gateway.md)

+When you purchase a domain from the Azure portal, the App Service application is automatically configured to use that custom domain. You donΓÇÖt have to take any additional steps. For more information, watch Azure App Service Self Help: Add a Custom Domain Name on Channel9.

+Also, see Keeping Azure Web Sites up plus Endpoint Monitoring - with Stefan Schackow for a video on endpoint monitoring.

+> For both the v1 and v2 SKUs, rules are processed in the order they are listed in the portal. The best practice when you create path rules is to have the least specific path (the ones with wildcards) at the end. If wildcards are on the top, then they take priority even if there's a more specific match in subsequent path rules.

+> If a basic listener is listed first and matches an incoming request, it gets processed by that listener. However, it's highly recommended to configure multi-site listeners first prior to configuring a basic listener. This ensures that traffic gets routed to the right back end.

+PathPattern is a list of path patterns to match. Each path must start with / and may use \* as a wildcard character. The string fed to the path matcher doesn't include any text after the first `?` or `#`, and those chars aren't allowed here. Otherwise, any characters allowed in a URL are allowed in PathPattern.

+#### Examples

+Path-based rule processing when wildcard (*) is used:

+**Example 1:**

+`/master-dev* to contoso.com`

+`/master-dev/api-core/ to fabrikam.com`

+`/master-dev/* to microsoft.com`

+Because the wildcard path `/master-dev*` is present above more granular paths, all client requests containing `/master-dev` are routed to contoso.com, including the specific `/master-dev/api-core/`. To ensure that the client requests are routed to the appropriate paths, it's critical to have the granular paths above wildcard paths.

+**Example 2:**

+`/ (default) to contoso.com`

+`/master-dev/api-core/ to fabrikam.com`

+`/master-dev/api to bing.com`

+`/master-dev/* to microsoft.com`

+All client requests with the path pattern `/master-dev/*` are processed in the order as listed. If there's no match within the path rules, the request is routed to the default target.

+For more information, see [Resource Manager template using URL-based routing](https://azure.microsoft.com/resources/templates/application-gateway-url-path-based-routing).

+> [!VIDEO https://docs.microsoft.com/Shows/Docs-Azure/Azure-Form-Recognizer/player]

+> [!VIDEO https://docs.microsoft.com/Shows/Docs-Azure/Azure-Form-Recognizer/player]

+> [!VIDEO https://docs.microsoft.com/Shows/Inside-Azure-for-IT/Azure-Arcenabled-data-services-in-disconnected-mode/player?format=ny]

+> [!VIDEO https://docs.microsoft.com/Shows/Inside-Azure-for-IT/Azure-Arcenabled-data-services-in-connected-mode/player?format=ny]

+> [!VIDEO https://docs.microsoft.com/Shows//Inside-Azure-for-IT/Choose-the-right-data-solution-for-your-hybrid-environment/player?format=ny]

+> [!VIDEO https://docs.microsoft.com/Shows/Data-Exposed/What-is-Azure-Arc-Enabled-PostgreSQL-Hyperscale--Data-Exposed/player?format=ny]

+* **Microsoft.HybridConnectivity**

+Register-AzResourceProvider -ProviderNamespace Microsoft.HybridConnectivity

+az provider register --namespace 'Microsoft.HybridConnectivity'

+- Neither cache can have more than one replica.

+[!NOTE]

+> Geo-replication can be enabled for this cache if you scale it to 'Premium' pricing tier and disable data persistence. This feature is not available at this time when using extra replicas.

+- [How does persistence work with geo-replication?](#how-does-persistence-work-with-geo-replication)

+### How does persistence work with geo-replication?

+If you enable data persistence, geo-replication cannot be enabled for your premium cache.

+- [Azure Cache for Redis Premium service tiers](cache-overview.md#service-tiers)

+ - [Test connectivity using _redis-cli_](#test-connectivity-using-redis-cli)

+ - [Test connectivity using PSPING](#test-connectivity-using-psping)

+If your application can't connect to your Azure Cache for Redis, it's possible some configuration on the cache isn't set up correctly. The following sections offer suggestions on how to make sure your cache is configured correctly.

+### Test connectivity using _redis-cli_

+Test connectivity using _redis-cli_. For more information on CLI, [Use the Redis command-line tool with Azure Cache for Redis](cache-how-to-redis-cli-tool.md).

+### Test connectivity using PSPING

+If _redis-cli_ is unable to connect, you can test connectivity using `PSPING` in PowerShell.

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Durable-Functions-in-Azure-Functions/player]

+> [!VIDEO https://docs.microsoft.com/Events/dotnetConf/2018/S204/player]

+## Function timeouts

+Activity, orchestrator, and entity functions are subject to the same [function timeouts](../functions-scale.md#timeout) as all Azure Functions. As a general rule, Durable Functions treats function timeouts the same way as unhandled exceptions thrown by the application code. For example, if an activity times out, the function execution is recorded as a failure, and the orchestrator is notified and handles the timeout just like any other exception: retries take place if specified by the call, or an exception handler may be executed.

+> [!NOTE]

+> The concurrency throttles only apply locally, to limit what is currently being processed on one individual machine. Thus, these throttles do not limit the total throughput of the system. Quite to the contrary, they can actually support proper scale out, as they prevent individual machines from taking on too much work at once. If this leads to unprocessed work accumulating in the queues, the autoscaler adds more machines. The total throughput of the system thus scales out as needed.

+> [!NOTE]

+> The `durableTask/maxConcurrentOrchestratorFunctions` limit applies only to the act of processing new events or operations. Orchestrations or entities that are idle waiting for events or operations do not count towards the limit.

+## Entity operation batching

+To improve performance and cost, entity operations are executed in batches. Each batch is billed as a single function execution.

+By default, the maximum batch size is 50 (for consumption plans) and 5000 (for all other plans). The maximum batch size can also be configured in the [host.json](durable-functions-bindings.md#host-json) file. If the maximum batch size is 1, batching is effectively disabled.

+> [!NOTE]

+> If individual entity operations take a long time to execute, it may be beneficial to limit the maximum batch size to reduce the risk of [function timeouts](#function-timeouts), in particular on consumption plans.

+For a demo on how to build data-centric solutions on Azure Government using HDInsight, see Cognitive Services, HDInsight, and Power BI on Azure Government.

+For usage guidance, feature variations, and limitations, see [Power BI for US government customers](/power-bi/admin/service-govus-overview). For a demo on how to build data-centric solutions on Azure Government using Power BI, see Cognitive Services, HDInsight, and Power BI on Azure Government.

+For more information on Azure Government Compliance, refer to the [compliance documentation](./documentation-government-plan-compliance.md).

+Other cloud providers treat Criminal Justice Information Systems (CJIS) compliance as a check box, rather than a commitment. At Microsoft, we're committed to providing solutions that meet the applicable CJIS controls, today and in the future. In addition, we extend our commitment to justice and public safety through our <a href="https://news.microsoft.com/presskits/dcu/#sm.0000eqdq0pxj4ex3u272bevclb0uc#KwSv0iLdMkJerFly.97">Digital Crimes Unit</a>, Cyber Defense Operations Center, and <a href="https://enterprise.microsoft.com/en-us/industries/government/public-safety/">Worldwide Justice and Public Safety organization</a>.

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Enable-government-missions-in-the-cloud-with-Azure-Government/player]

+> [!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Azure-Maps/player?format=ny]

+[Internet of Things Show - Heat Maps and Image Overlays in Azure Maps](/shows/internet-of-things-show/heat-maps-and-image-overlays-in-azure-maps/player?format=ny)

+>[!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Clustering-point-data-in-Azure-Maps/player?format=ny]

+[Internet of Things Show - Clustering point data in Azure Maps](/shows/Internet-of-Things-Show/Clustering-point-data-in-Azure-Maps/player?format=ny)

+>[!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Clustering-point-data-in-Azure-Maps/player?format=ny]

+>[!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Data-Driven-Styling-with-Azure-Maps/player?format=ny]

+>[Internet of Things Show - Data-Driven Styling with Azure Maps](/shows/Internet-of-Things-Show/Data-Driven-Styling-with-Azure-Maps/player?format=ny)

+>[!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Data-Driven-Styling-with-Azure-Maps/player?format=ny]

+>[!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Azure-Maps-Weather-services-for-developers/player?format=ny]

+> [!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Easily-integrate-spatial-data-into-the-Azure-Maps/player?format=ny]

+> [!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Heat-Maps-and-Image-Overlays-in-Azure-Maps/player?format=ny]

+>[!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Heat-Maps-and-Image-Overlays-in-Azure-Maps/player?format=ny]

+## HTTP headers

+Starting from 3.2.5-BETA, you can capture request and response headers on your server (request) telemetry:

+```json

+{

+ "preview": {

+ "captureHttpServerHeaders": {

+ "requestHeaders": [

+ "My-Header-A"

+ ],

+ "responseHeaders": [

+ "My-Header-B"

+ ]

+ }

+ }

+}

+```

+The header names are case-insensitive.

+The examples above will be captured under property names `http.request.header.my_header_a` and

+`http.response.header.my_header_b`.

+Similarly, you can capture request and response headers on your client (dependency) telemetry:

+```json

+{

+ "preview": {

+ "captureHttpClientHeaders": {

+ "requestHeaders": [

+ "My-Header-C"

+ ],

+ "responseHeaders": [

+ "My-Header-D"

+ ]

+ }

+ }

+}

+```

+Again, the header names are case-insensitive, and the examples above will be captured under property names

+`http.request.header.my_header_c` and `http.response.header.my_header_d`.

+## Http server 4xx response codes

+By default, http server requests that result in 4xx response codes are captured as errors.

+Starting from version 3.2.5-BETA, you can change this behavior to capture them as success if you prefer:

+```json

+{

+ "preview": {

+ "captureHttpServer4xxAsError": false

+ }

+}

+```

+Starting from 3.2.5-BETA, authenticated proxies are supported. You can add `"user"` and `"password"` under `"proxy"` in

+the json above (or if you are using the system properties above, you can add `https.proxyUser` and `https.proxyPassword`

+system properties).

+> [!VIDEO https://docs.microsoft.com/Shows/Data-Exposed/How-to-Set-up-Azure-Monitor-for-SQL-Insights/player?format=ny]

+1. LDAP volumes require an Active Directory configuration for LDAP server settings. Follow instructions in [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections) and [Create an Active Directory connection](create-active-directory-connections.md#create-an-active-directory-connection) to configure Active Directory connections on the Azure portal.

+2. Ensure that the Active Directory LDAP server is up and running on the Active Directory.

+3. LDAP NFS users need to have certain POSIX attributes on the LDAP server. Set the attributes for LDAP users and LDAP groups as follows:

+4. If you want to configure an LDAP-integrated NFSv4.1 Linux client, see [Configure an NFS client for Azure NetApp Files](configure-nfs-clients.md).

+5. If your LDAP-enabled volumes use NFSv4.1, follow instructions in [Configure NFSv4.1 domain](azure-netapp-files-configure-nfsv41-domain.md#configure-nfsv41-domain) to configure the `/etc/idmapd.conf` file.

+6. Follow steps in [Create an NFS volume for Azure NetApp Files](azure-netapp-files-create-volumes.md) to create an NFS volume. During the volume creation process, under the **Protocol** tab, enable the **LDAP** option.

+7. Optional - You can enable local NFS client users not present on the Windows LDAP server to access an NFS volume that has LDAP with extended groups enabled. To do so, enable the **Allow local NFS users with LDAP** option as follows:

+8. <a name="ldap-search-scope"></a>Optional - If you have large topologies, and you use the Unix security style with a dual-protocol volume or LDAP with extended groups, you can use the **LDAP Search Scope** option to avoid "access denied" errors on Linux clients for Azure NetApp Files.

+ The **LDAP Search Scope** option is configured through the **[Active Directory Connections](create-active-directory-connections.md#create-an-active-directory-connection)** page.

+ To resolve the users and group from an LDAP server for large topologies, set the values of the **User DN**, **Group DN**, and **Group Membership Filter** options on the Active Directory Connections page as follows:

+ * Specify nested **User DN** and **Group DN** in the format of `OU=subdirectory,OU=directory,DC=domain,DC=com`.

+ * Specify **Group Membership Filter** in the format of `(gidNumber=*)`.

+ 

+ * **LDAP over TLS**

+ See [Configure ADDS LDAP over TLS](configure-ldap-over-tls.md) for information about this option.

+ * **LDAP Search Scope**, **User DN**, **Group DN**, and **Group Membership Filter**

+ See [Configure ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md#ldap-search-scope) for information about these options.

+* [Configure ADDS LDAP over TLS](configure-ldap-over-tls.md)

+* [ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md)

+ | Protocol | Security style | Name-mapping direction | Permissions applied |

+ | NFSv3 | `Unix` | None | UNIX (mode bits or NFSv4.x ACLs) <br><br> NFSv4.x ACLs can be applied using an NFSv4.x administrative client and honored by NFSv3 clients. |

+* The LDAP with extended groups feature supports the dual protocol of both [NFSv3 and SMB] and [NFSv4.1 and SMB] with the Unix security style. See [Configure ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md) for more information.

+* If you have large topologies, and you use the Unix security style with a dual-protocol volume or LDAP with extended groups, you should use the **LDAP Search Scope** option on the Active Directory Connections page to avoid "access denied" errors on Linux clients for Azure NetApp Files. See [Configure ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md#ldap-search-scope) for more information.

+ The VNet you specify must have a subnet delegated to Azure NetApp Files. Azure NetApp Files can be accessed only from the same VNet or from a VNet that is in the same region as the volume through VNet peering. You can also access the volume from your on-premises network through Express Route.

+ If you have not delegated a subnet, you can click **Create new** on the Create a Volume page. Then in the Create Subnet page, specify the subnet information, and select **Microsoft.NetApp/volumes** to delegate the subnet for Azure NetApp Files. In each VNet, only one subnet can be delegated to Azure NetApp Files.

+ This feature enables encryption for only in-flight SMB3 data. It does not encrypt NFSv3 in-flight data. SMB clients not using SMB3 encryption will not be able to access this volume. Data at rest is encrypted regardless of this setting. See [SMB encryption](azure-netapp-files-smb-performance.md#smb-encryption) for more information.

+## January 2022

+* [LDAP search scope](configure-ldap-extended-groups.md#ldap-search-scope)

+ You might be using the Unix security style with a dual-protocol volume or LDAP with extended groups features in combination with large LDAP topologies. In this case, you might encounter "access denied" errors on Linux clients when interacting with such Azure NetApp Files volumes. You can now use the **LDAP Search Scope** option to specify the LDAP search scope to avoid "access denied" errors.

+* [Active Directory Domain Services (ADDS) LDAP user-mapping with NFS extended groups](configure-ldap-extended-groups.md) now generally available (GA)

+ The ADDS LDAP user-mapping with NFS extended groups feature is now generally available. You no longer need to register the feature before using it.

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+1. In the Azure portal, select **Cloud Shell** from the global controls at the top of the page.

+ :::image type="content" source="media/quick-create-template/cloud-shell.png" alt-text="Screenshot showing the Cloud Shell option in the Azure portal.":::

+ :::image type="content" source="media/quick-create-template/powershell.png" alt-text="Screenshot showing the PowerShell option in Cloud Shell.":::

+1. Next, copy the following command and enter it at the command prompt to create a VM in your new resource group.

+ -Name "myVM1" `

+ After the VM has been created, move on to the next section.

+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/azure-portal-dashboard/). The template for this article is too long to show here. To view the template, see [azuredeploy.json](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.portal/azure-portal-dashboard/azuredeploy.json). The template defines one Azure resource, a dashboard that displays data about the VM you created.

+This example uses the Azure portal to deploy the template. You can also use other methods to deploy ARM templates, such as [Azure PowerShell](../azure-resource-manager/templates/deploy-powershell.md), [Azure CLI](../azure-resource-manager/templates/deploy-cli.md), or [REST API](../azure-resource-manager/templates/deploy-rest.md).

+ :::image type="content" source="media/quick-create-template/create-dashboard-using-template-portal.png" alt-text="Screenshot of the dashboard template deployment screen in the Azure portal.":::

+ - **Subscription**: select the Azure subscription.

+ - **Resource group**: select **SimpleWinVmResourceGroup**.

+ - **Location**: If not automatically selected, choose **East US**.

+ - **Virtual Machine Name**: enter **myVM1**.

+ - **Virtual Machine Resource Group**: enter **SimpleWinVmResourceGroup**.

+1. Select **Create**. You'll see a notification confirming when the dashboard has been deployed successfully.

+> [!CAUTION]

+> Deleting a resource group will delete all of the resources contained within it. If the resource group contains additional resources aside from your virtual machine and dashboard, those resources will also be deleted.

+A dashboard in the Azure portal is a focused and organized view of your cloud resources. This article shows you how to use Azure CLI to create a dashboard. In this example, the dashboard shows the performance of a virtual machine (VM), as well as some static information and links.

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+Select a subscription by using the [az account set](/cli/azure/account#az-account-set) command:

+- Create an [Azure resource group](../azure-resource-manager/management/overview.md#resource-groups) by using the [az group create](/cli/azure/group#az-group-create) command (or use an existing resource group):

+Create a virtual machine by using the [az vm create](/cli/azure/vm#az-vm-create) command:

+az vm create --resource-group myResourceGroup --name myVM1 --image win2016datacenter \

+> This is a new username and password (not the account you use to sign in to Azure). The password must be complex. For more information, see [username requirements](../virtual-machines/windows/faq.yml#what-are-the-username-requirements-when-creating-a-vm-)

+Since Azure dashboards are resources, they can be represented as JSON. For more information, see [The structure of Azure dashboards](./azure-portal-dashboards-structure.md).

+Download the file [portal-dashboard-template-testvm.json](https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/azure-portal/portal-dashboard-template-testvm.json).

+Then, customize the downloaded template file by changing the following to your values:

+- `<subscriptionID>`: Your subscription

+- `<rgName>`: Resource group, for example `myResourceGroup`

+- `<vmName>`: Virtual machine name, for example `myVM1`

+- `<dashboardTitle>`: Dashboard title, for example `Simple VM Dashboard`

+- `<location>`: Your Azure region, for example `centralus`

+1. Run the [az portal dashboard create](/cli/azure/portal/dashboard#az-portal-dashboard-create) command to deploy the template:

+1. Check that the dashboard was created successfully by running the [az portal dashboard show](/cli/azure/portal/dashboard#az-portal-dashboard-show) command:

+To see all the dashboards for the current subscription, use [az portal dashboard list](/cli/azure/portal/dashboard#az-portal-dashboard-list):

+You can also see all the dashboards for a specific resource group:

+To update a dashboard, use the [az portal dashboard update](/cli/azure/portal/dashboard#az-portal-dashboard-update) command:

+## Review deployed resources

+To remove the virtual machine and associated dashboard that you created, delete the resource group that contains them.

+> Deleting the resource group will delete all of the resources contained within it. If the resource group contains additional resources aside from your virtual machine and dashboard, those resources will also be deleted.

+For more information about Azure CLI commands for dashboards, see:

+> [!div class="nextstepaction"]

+> [Azure CLI: az portal dashboard](/cli/azure/portal/dashboard).

+A dashboard in the Azure portal is a focused and organized view of your cloud resources. This article focuses on the process of using the Az.Portal PowerShell module to create a dashboard. The dashboard shows the performance of a virtual machine (VM), as well as some static information

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- If you choose to use PowerShell locally, this article requires that you install the Az PowerShell module and connect to your Azure account using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet. For more information about installing the Az PowerShell module, see [Install Azure PowerShell](/powershell/azure/install-az-ps).

+$vmName = 'myVM1'

+For more information about the dashboard template structure, see [Microsoft portal dashboards template reference](/azure/templates/microsoft.portal/dashboards).

+> Deleting the resource group will delete all of the resources contained within it. If the resource group contains additional resources aside from your virtual machine and dashboard, those resources will also be deleted.

+> [Microsoft Azure PowerShell: Portal Dashboard cmdlets](/powershell/module/Az.Portal/#portal)

+## Azure Purview limits

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Enablement/How-and-why-to-learn-about-ARM-templates/player]

+> [!VIDEO https://docs.microsoft.com/shows/Data-Exposed/What-is-Azure-SQL-Edge/player]

+> [!VIDEO /shows/Data-Exposed/Azure-SQL-Edge-Demo-Renewable-Energy/player]

+If you're new to Azure SQL, check out the *What is Azure SQL* video from our in-depth [Azure SQL video series](/shows/Azure-SQL-for-Beginners/?WT.mc_id=azuresql4beg_azuresql-ch9-niner):

+> [!VIDEO https://docs.microsoft.com/shows/Azure-SQL-for-Beginners/What-is-Azure-SQL-3-of-61/player]

+- Data Exposed episode [What's New in Azure SQL Auditing](/Shows/Data-Exposed/Whats-New-in-Azure-SQL-Auditing) on Channel 9.

+> [!VIDEO https://docs.microsoft.com/Shows/Data-Exposed/Its-just-SQL-Restoring-a-database-to-Azure-SQL-DB-from-backup/player?WT.mc_id=dataexposed-c9-niner]

+- Storage behind a firewall is currently not supported.

+- Data Exposed episode about [Granular Permissions for Azure SQL Dynamic Data Masking](/Shows/Data-Exposed/Granular-Permissions-for-Azure-SQL-Dynamic-Data-Masking) on Channel 9.

+Use this script to create an elastic pool with the [az sql elastic-pool create](/cli/azure/sql/elastic-pool#az-sql-elastic-pool-create) command.

+| [az sql elastic-pool create](/cli/azure/sql/elastic-pool#az-sql-elastic-pool-create) | Creates an elastic pool. |

+Use this script to create an elastic pool on the secondary server with the [az sql elastic-pool create](/cli/azure/sql/elastic-pool#az-sql-elastic-pool-create) command.

+| [az sql elastic-pool create](/cli/azure/sql/elastic-pool#az-sql-elastic-pool-create) | Creates an elastic pool.|

+> [!VIDEO https://docs.microsoft.com/shows/Data-Exposed/Data-Exposed--SQL-Database-Connectivity-Explained/player?WT.mc_id=dataexposed-c9-niner]

+> [!VIDEO https://docs.microsoft.com/shows/Data-Exposed/Data-Exposed--Demo--Vnet-Firewall-Rules-for-SQL-Database/player?WT.mc_id=dataexposed-c9-niner]

+* [Geo-restore](recovery-using-backups.md#geo-restore), to recover the catalog and tenant databases from automatically maintained geo-redundant backups.

+| [az sql failover-group set-primary](/cli/azure/sql/failover-group#az-sql-failover-group-set-primary) | Set the primary of the failover group by failing over all databases from the current primary server |

+If you're new to Azure SQL Database, check out the *Azure SQL Database Overview* video from our in-depth [Azure SQL video series](/shows/Azure-SQL-for-Beginners/?WT.mc_id=azuresql4beg_azuresql-ch9-niner):

+> [!VIDEO https://docs.microsoft.com/shows/Azure-SQL-for-Beginners/Azure-SQL-Database-Overview-7-of-61/player]

+* [Azure SQL Database: Improving Performance Tuning with Automatic Tuning](/Shows/Data-Exposed/Azure-SQL-Database-Improving-Performance-Tuning-with-Automatic-Tuning)

+If you're new to Azure SQL Managed Instance, check out the *Azure SQL Managed Instance* video from our in-depth [Azure SQL video series](/shows/Azure-SQL-for-Beginners/?WT.mc_id=azuresql4beg_azuresql-ch9-niner):

+> [!VIDEO https://docs.microsoft.com/shows/Azure-SQL-for-Beginners/Azure-SQL-Managed-Instance-Overview-6-of-61/player]

+If you're new to Azure SQL, check out the *SQL Server on Azure VM Overview* video from our in-depth [Azure SQL video series](/shows/Azure-SQL-for-Beginners?WT.mc_id=azuresql4beg_azuresql-ch9-niner):

+> [!VIDEO https://docs.microsoft.com/shows/Azure-SQL-for-Beginners/SQL-Server-on-Azure-VM-Overview-4-of-61/player]

+If you're new to SQL Server on Azure VMs, check out the *SQL Server on Azure VM Overview* video from our in-depth [Azure SQL video series](/shows/Azure-SQL-for-Beginners?WT.mc_id=azuresql4beg_azuresql-ch9-niner):

+> [!VIDEO https://docs.microsoft.com/shows/Azure-SQL-for-Beginners/SQL-Server-on-Azure-VM-Overview-4-of-61/player]

+Following are the direct methods exposed by the Video Analyzer edge module. The schema for the direct methods can be found [here](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/videoanalyzer/data-plane/VideoAnalyzer.Edge/preview/1.1.0/AzureVideoAnalyzerSdkDefinitions.json).

+You can also set or update the `retentionPeriod` property of a video resource, using Azure portal, or via the [REST API](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/videoanalyzer/resource-manager/Microsoft.Media/preview/2021-11-01-preview/Videos.json). Below is an example of setting a 3-day retention policy.

+You can query the ARM API [`Videos`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/videoanalyzer/resource-manager/Microsoft.Medi) shows you how.

+When using Video Analyzer edge module to record to a video resource, you will specify a [`segmentLength` property](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/videoanalyzer/data-plane/VideoAnalyzer.Edge/preview/1.1.0/AzureVideoAnalyzer.json) in your pipeline topology which tells the module to aggregate a minimum duration of video (in seconds) before it is written to the cloud. For example, if `segmentLength` is set to 300, then the module will accumulate 5 minutes worth of video before uploading one 5 minutes ΓÇ£chunkΓÇ¥, then go into accumulation mode for the next 5 minutes, and upload again. Increasing the `segmentLength` has the benefit of lowering your Azure Storage transaction costs, as the number of reads and writes will be no more frequent than once every `segmentLength` seconds. If you are using Video Analyzer service, the pipeline topology has the same [`segmentLength` property](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/videoanalyzer/resource-manager/Microsoft.Media/preview/2021-11-01-preview/PipelineTopologies.json).

+CSPs that want to purchase reserved instances for their customers must use the **Admin On Behalf Of** (AOBO) procedure from the [Partner Center documentation](/partner-center/azure-plan-manage). For more information, view the Admin on behalf of (AOBO) video.

+> [!VIDEO /shows/IT-Ops-Talk/Configure-backups-at-scale-using-Azure-Policy/player]

+ > [!VIDEO /shows/IT-Ops-Talk/Automatically-retry-failed-backup-jobs-using-Azure-Resource-Graph-and-Azure-Automation-Runbooks/player]

+#### Allow connectivity for servers behind internal load balancers

+When using an internal load balancer, you need to allow the outbound connectivity from virtual machines behind the internal load balancer to perform backups. To do so, you can use a combination of internal and external standard load balancers to create an outbound connectivity. [Learn more](/azure/load-balancer/egress-only) about the configuration to create an _egress only_ setup for VMs in the backend pool of the internal load balancer.

+- Changing the casing of an SQL database isn't supported after configuring protection.

+ * Azure Backup installs the AzureBackupWindowsWorkload extension on the VM. No agent is installed on an SQL database.

+Azure Backup shows all scheduled and on-demand operations under **Backup jobs** in **Backup center** in the Azure portal, except the scheduled log backups since they can be very frequent. The jobs you see in this portal includes database discovery and registration, configure backup, and backup and restore operations.

+Before you unregister the server, [disable soft delete](/azure/backup/backup-azure-security-feature-cloud#disabling-soft-delete-using-azure-portal), and then delete all backup items.

+>[!NOTE]

+>Deleting backup items with soft delete enabled will lead to 14 days retention, and you will need to wait before the items are completely removed. However, if you've deleted the backup items with soft delete enabled, you can undelete them, disable soft-delete, and then delete them again for immediate removal. [Learn more](/azure/backup/backup-azure-security-feature-cloud#permanently-deleting-soft-deleted-backup-items)

+Unregister a SQL Server instance after you disable protection but before you delete the vault.

+ :::image type="content" source="./media/multi-user-authorization/test-vault-properties.png" alt-text="Screenshot showing the Recovery services vault-properties.":::

+ :::image type="content" source="./media/multi-user-authorization/test-vault-properties-security-settings-inline.png" alt-text="Screenshot showing the Test Vault properties security settings." lightbox="./media/multi-user-authorization/test-vault-properties-security-settings-expanded.png":::

+The following screenshot shows an example of disabling soft delete for an MUA-enabled vault.

+ 1. After **authentication**, click **Save**. With the right access, the request should be successfully completed.

+

+ :::image type="content" source="./media/multi-user-authorization/disable-mua.png" alt-text="Screenshot showing to disable multi-user authentication.":::

+MARSAgentInstaller.exe /q # Please note the commandline install options available here: https://docs.microsoft.com/azure/backup/backup-client-automation#installation-options

+# See: https://docs.microsoft.com/rest/api/backup/securitypins/get

+# See: https://docs.microsoft.com/powershell/module/azurerm.keyvault/Add-AzureKeyVaultKey?view=azurermps-6.13.0

+* The **Basic SKU** provides base functionality, enabling Azure Bastion to manage RDP/SSH connectivity to virtual machines (VMs) without exposing public IP addresses on the target application VMs.

+* The **Standard SKU** enables premium features that allow Azure Bastion to manage remote connectivity at a larger scale.

+Azure Bastion requires a dedicated subnet: **AzureBastionSubnet**. You must create this subnet in the same virtual network that you want to deploy Azure Bastion to. The subnet must have the following configuration:

+| Azure CLI | --public-ip create |[command](/cli/azure/network/public-ip) |

+## <a name="instance"></a>Instances and host scaling

+An instance is an optimized Azure VM that is created when you configure Azure Bastion. It's fully managed by Azure and runs all of the processes needed for Azure Bastion. An instance is also referred to as a scale unit. You connect to client VMs via an Azure Bastion instance. When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of instances. This is called **host scaling**.

+Each instance can support 10 concurrent RDP connections and 50 concurrent SSH connections. The number of connections per instances depends on what actions you are taking when connected to the client VM. For example, if you are doing something data intensive, it creates a larger load for the instance to process. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required.

+Instances are created in the AzureBastionSubnet. To allow for host scaling, the AzureBastionSubnet should be /26 or larger. Using a smaller subnet limits the number of instances you can create. For more information about the AzureBastionSubnet, see the [subnets](#subnet) section in this article.

+You can configure this setting using the following methods:

+| Method | Value | Links |

+| | | |

+| Azure portal |Instance count | [Azure portal steps](configure-host-scaling.md)|

+| Azure PowerShell | ScaleUnit | [PowerShell steps](configure-host-scaling-powershell.md) |

+## <a name="ports"></a>Custom ports

+You can specify the port that you want to use to connect to your VMs. By default, the inbound ports used to connect are 3389 for RDP and 22 for SSH. If you configure a custom port value, you need to specify that value when you connect to the VM.

+Custom port values are supported for the Standard SKU only. If your Bastion deployment uses the Basic SKU, you can easily [upgrade a Basic SKU to a Standard SKU](#upgradesku).

+`npm install @azure/batch`

+import { BatchServiceClient, BatchSharedKeyCredentials } from "@azure/batch";

+// Replace values below with Batch Account details

+const batchAccountName = '<batch-account-name>';

+const batchAccountKey = '<batch-account-key>';

+const batchEndpoint = '<batch-account-url>';

+const credentials = new BatchSharedKeyCredentials(batchAccountName, batchAccountKey);

+const batchClient = new BatchServiceClient(credentials, batchEndpoint);

+const imgRef = {

+ publisher: "Canonical",

+ offer: "UbuntuServer",

+ sku: "18.04-LTS",

+ version: "latest"

+}

+const vmConfig = {

+ imageReference: imgRef,

+ nodeAgentSKUId: "batch.node.ubuntu 18.04"

+};

+// Number of VMs to create in a pool

+const numVms = 4;

+// Setting the VM size

+const vmSize = "STANDARD_D1_V2";

+const now = new Date();

+const poolId = `processcsv_${now.getFullYear()}${now.getMonth()}${now.getDay()}${now.getHours()}${now.getSeconds()}`;

+const poolConfig = {

+ id: poolId,

+ displayName: "Processing csv files",

+ vmSize: vmSize,

+ virtualMachineConfiguration: vmConfig,

+ targetDedicatedNodes: numVms,

+ enableAutoScale: false

+};

+// Creating the Pool

+var pool = batchClient.pool.add(poolConfig, function (error, result){

+var cloudPool = batchClient.pool.get(poolId,function(error,result,request,response){

+{

+ id: 'processcsv_2022002321',

+ displayName: 'Processing csv files',

+ url: 'https://<batch-account-name>.westus.batch.azure.com/pools/processcsv_2022002321',

+ eTag: '0x8D9D4088BC56FA1',

+ lastModified: 2022-01-10T07:12:21.943Z,

+ creationTime: 2022-01-10T07:12:21.943Z,

+ stateTransitionTime: 2022-01-10T07:12:21.943Z,

+ allocationState: 'steady',

+ allocationStateTransitionTime: 2022-01-10T07:13:35.103Z,

+ vmSize: 'standard_d1_v2',

+ virtualMachineConfiguration: {

+ imageReference: {

+ publisher: 'Canonical',

+ offer: 'UbuntuServer',

+ sku: '18.04-LTS',

+ version: 'latest'

+ },

+ nodeAgentSKUId: 'batch.node.ubuntu 18.04'

+ },

+ resizeTimeout: 'PT15M',

+ currentDedicatedNodes: 4,

+ currentLowPriorityNodes: 0,

+ targetDedicatedNodes: 4,

+ targetLowPriorityNodes: 0,

+ taskSchedulingPolicy: { nodeFillType: 'Spread' }}

+> You can use the [taskSlotsPerNode](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/batch/arm-batch/src/models/index.ts#L1190-L1191) property to specify maximum number of tasks that can run concurrently on a single node.

+The [shell script](https://github.com/Azure-Samples/azure-batch-samples/blob/master/JavaScript/Node.js/startup_prereq.sh) in this example installs Python-pip and the Azure Storage Blob SDK for Python.

+> A preparation task for a job runs only on the VM nodes where the specific task needs to run. If you want prerequisites to be installed on all nodes irrespective of the tasks that run on it, you can use the [startTask](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/batch/batch/src/models/index.ts#L1432) property while adding a pool. You can use the following preparation task definition for reference.

+A preparation task is specified during the submission of Azure Batch job. Following are some configurable preparation task parameters:

+ - httpUrl: The URL of the file to download

+var jobPrepTaskConfig = {id:"installprereq",commandLine:"sudo sh startup_prereq.sh > startup.log",resourceFiles: [{ 'httpUrl': 'Blob sh url', 'filePath': 'startup_prereq.sh' }],waitForSuccess:true,runElevated:true, userIdentity: {autoUser: {elevationLevel: "admin", scope: "pool"}}}

+ // Setting Batch Pool ID

+const poolInfo = { poolId: poolId };

+// Batch job configuration object

+const jobId = "processcsvjob";

+const jobConfig = {

+ id: jobId,

+ displayName: "process csv files",

+ jobPreparationTask: jobPrepTaskConfig,

+ poolInfo: poolInfo

+};

+ const job = batchClient.job.add(jobConfig, function (error, result) {

+ if (error !== null) {

+ console.log("An error occurred while creating the job...");

+ console.log(error.response);

+ }

+ });

+If we look at the [Python script](https://github.com/Azure-Samples/azure-batch-samples/blob/master/JavaScript/Node.js/processcsv.py), it accepts two parameters:

+Assuming we have four containers "con1", "con2", "con3","con4" following code shows submitting four tasks to the Azure batch job "process csv" we created earlier.

+const containerList = ["con1", "con2", "con3", "con4"]; //Replace with list of blob containers within storage account

+containerList.forEach(function (val, index) {

+ console.log("Submitting task for container : " + val);

+ const containerName = val;

+ const taskID = containerName + "_process";

+ // Task configuration object

+ const taskConfig = {

+ id: taskID,

+ displayName: 'process csv in ' + containerName,

+ commandLine: 'python processcsv.py --container ' + containerName,

+ resourceFiles: [{ 'httpUrl': 'Blob script url', 'filePath': 'processcsv.py' }]

+ };

+ const task = batchClient.task.add(jobId, taskConfig, function (error, result) {

+ if (error !== null) {

+ console.log("Error occured while creating task for container " + containerName + ". Details : " + error.response);

+ }

+ else {

+ console.log("Task for container : " + containerName + " submitted successfully");

+ }

+});

+The portal has detailed views on the tasks and job statuses. You can also use the list and get functions in the Azure JavaScript SDK. Details are provided in the documentation [link](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/batch/batch/src/operations/job.ts#L114-L149).

+For a video introduction to Azure Storage best practices and patterns, see Microsoft Azure Storage ΓÇô What's New, Best Practices and Patterns.

+* May 7, 2021 [New to Anomaly Detector: Multivariate Capabilities](/shows/AI-Show/New-to-Anomaly-Detector-Multivariate-Capabilities) - AI Show on the new multivariate anomaly detection APIs with Tony Xing and Seth Juarez

+* April 20, 2021 AI Show Live | Episode 11| New to Anomaly Detector: Multivariate Capabilities - AI Show live recording with Tony Xing and Seth Juarez

+* May 18, 2020 [Inside Anomaly Detector](/shows/AI-Show/Inside-Anomaly-Detector) - AI Show with Qun Ying and Seth Juarez

+* September 3, 2019 [Anomaly detection on streaming data using Azure Databricks](/shows/AI-Show/Anomaly-detection-on-streaming-data-using-Azure-Databricks) - AI Show with Qun Ying

+* August 27, 2019 [Anomaly Detector v1.0 Best Practices](/shows/AI-Show/Anomaly-Detector-v10-Best-Practices) - AI Show on univariate anomaly detection best practices with Qun Ying

+* August 20, 2019 [Bring Anomaly Detector on-premises with containers support](/shows/AI-Show/Bring-Anomaly-Detector-on-premise-with-containers-support) - AI Show with Qun Ying and Seth Juarez

+* August 13, 2019 [Introducing Azure Anomaly Detector](/shows/AI-Show/Introducing-Azure-Anomaly-Detector?WT.mc_id=ai-c9-niner) - AI Show with Qun Ying and Seth Juarez

+ Title: "Tutorial: Moderate Facebook content - Content Moderator"

+description: In this tutorial, you will learn how to use machine-learning-based Content Moderator to help moderate Facebook posts and comments.

+#Customer intent: As the moderator of a Facebook page, I want to use Azure's machine learning technology to automate and streamline the process of post moderation.

+# Tutorial: Moderate Facebook posts and commands with Azure Content Moderator

+In this tutorial, you will learn how to use Azure Content Moderator to help moderate the posts and comments on a Facebook page. Facebook will send the content posted by visitors to the Content Moderator service. Then your Content Moderator workflows will either publish the content or create reviews within the Review tool, depending on the content scores and thresholds.

+> [!IMPORTANT]

+> In 2018, Facebook implemented a more strict vetting policy for Facebook Apps. You will not be able to complete the steps of this tutorial if your app has not been reviewed and approved by the Facebook review team.

+This tutorial shows you how to:

+> [!div class="checklist"]

+> * Create a Content Moderator team.

+> * Create Azure Functions that listen for HTTP events from Content Moderator and Facebook.

+> * Link a Facebook page to Content Moderator using a Facebook application.

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.

+This diagram illustrates each component of this scenario:

+

+## Prerequisites

+- A Content Moderator subscription key. Follow the instructions in [Create a Cognitive Services account](../cognitive-services-apis-create-account.md) to subscribe to the Content Moderator service and get your key.

+- A [Facebook account](https://www.facebook.com/).

+## Create a review team

+Refer to the [Try Content Moderator on the web](quick-start.md) quickstart for instructions on how to sign up for the [Content Moderator Review tool](https://contentmoderator.cognitive.microsoft.com/) and create a review team. Take note of the **Team ID** value on the **Credentials** page.

+## Configure image moderation workflow

+Refer to the [Define, test, and use workflows](review-tool-user-guide/workflows.md) guide to create a custom image workflow. Content Moderator will use this workflow to automatically check images on Facebook and send some to the Review tool. Take note of the workflow **name**.

+## Configure text moderation workflow

+Again, refer to the [Define, test, and use workflows](review-tool-user-guide/workflows.md) guide; this time, create a custom text workflow. Content Moderator will use this workflow to automatically check text content. Take note of the workflow **name**.

+

+Test your workflow using the **Execute Workflow** button.

+

+## Create Azure Functions

+Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps:

+1. Create an Azure Function App as shown on the [Azure Functions](../../azure-functions/functions-create-function-app-portal.md) page.

+1. Go to the newly created Function App.

+1. Within the App, go to the **Platform features** tab and select **Configuration**. In the **Application settings** section of the next page, select **New application setting** to add the following key/value pairs:

+

+ | App Setting name | value |

+ | -- |-|

+ | `cm:TeamId` | Your Content Moderator TeamId |

+ | `cm:SubscriptionKey` | Your Content Moderator subscription key - See [Credentials](./review-tool-user-guide/configure.md#credentials) |

+ | `cm:Region` | Your Content Moderator region name, without the spaces. You can find this name in the **Location** field of the **Overview** tab of your Azure resource.|

+ | `cm:ImageWorkflow` | Name of the workflow to run on Images |

+ | `cm:TextWorkflow` | Name of the workflow to run on Text |

+ | `cm:CallbackEndpoint` | Url for the CMListener Function App that you will create later in this guide |

+ | `fb:VerificationToken` | A secret token that you create, used to subscribe to the Facebook feed events |

+ | `fb:PageAccessToken` | The Facebook graph api access token does not expire and allows the function Hide/Delete posts on your behalf. You will get this token at a later step. |

+ Click the **Save** button at the top of the page.

+1. Go back to the **Platform features** tab. Use the **+** button on the left pane to bring up the **New function** pane. The function you are about to create will receive events from Facebook.

+ 

+ 1. Click on the tile that says **Http trigger**.

+ 1. Enter the name **FBListener**. The **Authorization Level** field should be set to **Function**.

+ 1. Click **Create**.

+ 1. Replace the contents of the **run.csx** with the contents from **FbListener/run.csx**

+ [!code-csharp[FBListener: csx file](~/samples-fbPageModeration/FbListener/run.csx?range=1-154)]

+1. Create a new **Http trigger** function named **CMListener**. This function receives events from Content Moderator. Replace the contents of the **run.csx** with the contents from **CMListener/run.csx**

+ [!code-csharp[FBListener: csx file](~/samples-fbPageModeration/CmListener/run.csx?range=1-110)]

+## Configure the Facebook page and App

+1. Create a Facebook App.

+ 

+ 1. Navigate to the [Facebook developer site](https://developers.facebook.com/)

+ 1. Go to **My Apps**.

+ 1. Add a New App.

+ 1. Provide a name

+ 1. Select **Webhooks -> Set Up**

+ 1. Select **Page** in the dropdown menu and select **Subscribe to this object**

+ 1. Provide the **FBListener Url** as the Callback URL and the **Verify Token** you configured under the **Function App Settings**

+ 1. Once subscribed, scroll down to feed and select **subscribe**.

+ 1. Select the **Test** button of the **feed** row to send a test message to your FBListener Azure Function, then hit the **Send to My Server** button. You should see the request being received on your FBListener.

+1. Create a Facebook Page.

+ > [!IMPORTANT]

+ > In 2018, Facebook implemented a more strict vetting of Facebook apps. You will not be able to execute sections 2, 3 and 4 if your app has not been reviewed and approved by the Facebook review team.

+ 1. Navigate to [Facebook](https://www.facebook.com/pages) and create a **new Facebook Page**.

+ 1. Allow the Facebook App to access this page by following these steps:

+ 1. Navigate to the [Graph API Explorer](https://developers.facebook.com/tools/explorer/).

+ 1. Select **Application**.

+ 1. Select **Page Access Token**, Send a **Get** request.

+ 1. Select the **Page ID** in the response.

+ 1. Now append the **/subscribed_apps** to the URL and Send a **Get** (empty response) request.

+ 1. Submit a **Post** request. You get the response as **success: true**.

+3. Create a non-expiring Graph API access token.

+ 1. Navigate to the [Graph API Explorer](https://developers.facebook.com/tools/explorer/).

+ 2. Select the **Application** option.

+ 3. Select the **Get User Access Token** option.

+ 4. Under the **Select Permissions**, select **manage_pages** and **publish_pages** options.

+ 5. We will use the **access token** (Short Lived Token) in the next step.

+4. We use Postman for the next few steps.

+ 1. Open **Postman** (or get it [here](https://www.getpostman.com/)).

+ 2. Import these two files:

+ 1. [Postman Collection](https://github.com/MicrosoftContentModerator/samples-fbPageModeration/blob/master/Facebook%20Permanant%20Page%20Access%20Token.postman_collection.json)

+ 2. [Postman Environment](https://github.com/MicrosoftContentModerator/samples-fbPageModeration/blob/master/FB%20Page%20Access%20Token%20Environment.postman_environment.json)

+ 3. Update these environment variables:

+

+ | Key | Value |

+ | -- |-|

+ | appId | Insert your Facebook App Identifier here |

+ | appSecret | Insert your Facebook App's secret here |

+ | short_lived_token | Insert the short lived user access token you generated in the previous step |

+ 4. Now run the 3 APIs listed in the collection:

+ 1. Select **Generate Long-Lived Access Token** and click **Send**.

+ 2. Select **Get User ID** and click **Send**.

+ 3. Select **Get Permanent Page Access Token** and click **Send**.

+ 5. Copy the **access_token** value from the response and assign it to the App setting, **fb:PageAccessToken**.

+The solution sends all images and text posted on your Facebook page to Content Moderator. Then the workflows that you configured earlier are invoked. The content that does not pass your criteria defined in the workflows gets passed to reviews within the review tool. The rest of the content gets published automatically.

+## Next steps

+In this tutorial, you set up a program to analyze product images, tag them by product type, and allow a review team to make informed decisions about content moderation. Next, learn more about the details of image moderation.

+> [!div class="nextstepaction"]

+> [Image moderation](./image-moderation-api.md)

+* [AI show](/Shows/AI-Show/New-Features-in-Language-Understanding) (video) - see the new features in LUIS

+> [!VIDEO https://docs.microsoft.com/Shows/AI-Show/Introducing-QnA-managed-Now-in-Public-Preview/player]

+description: Learn how to stream compressed audio to the Speech service with the Speech SDK.

+# Stream codec-compressed audio

+The Speech SDK and Speech CLI use GStreamer to support different kinds of input audio formats. GStreamer decompresses the audio before it's sent over the wire to the Speech service as raw PCM.

+## Installing GStreamer

+Choose a platform for installation instructions.

+Android | Java | [1.18.3](https://gstreamer.freedesktop.org/data/pkg/android/1.18.3/)

+### [Android](#tab/android)

+See [GStreamer configuration by programming language](#gstreamer-configuration) for the details about building libgstreamer_android.so.

+For more information, see [Android installation instructions](https://gstreamer.freedesktop.org/documentation/installing/for-android-development.html?gi-language=c).

+### [Linux](#tab/linux)

+### [Windows](#tab/windows)

+***

+## GStreamer configuration

+> [!NOTE]

+> GStreamer configuration requirements vary by programming language. For details, choose your programming language at the top of this page. The contents of this section will be updated.

+## Example

+ Title: Speech phonetic alphabets - Speech service

+description: Speech service phonetic alphabet and International Phonetic Alphabet (IPA) examples.

+# SSML phonetic alphabets

+Phonetic alphabets are used with the [Speech Synthesis Markup Language (SSML)](speech-synthesis-markup.md) to improve pronunciation of Text-to-speech voices. See [Use phonemes to improve pronunciation](speech-synthesis-markup.md#use-phonemes-to-improve-pronunciation) to learn when and how to use each alphabet.

+## Speech service phonetic alphabet

+For some locales, the Speech service defines its own phonetic alphabets that typically map to the [International Phonetic Alphabet (IPA)](https://en.wikipedia.org/wiki/International_Phonetic_Alphabet). The 7 locales that support `sapi` are: `en-US`, `fr-FR`, `de-DE`, `es-ES`, `ja-JP`, `zh-CN`, and `zh-TW`.

+You set `sapi` or `ipa` as the `alphabet` in [SSML](speech-synthesis-markup.md#use-phonemes-to-improve-pronunciation).

+### [en-US](#tab/en-US)

+#### English suprasegmentals

+|Example 1 (Onset for consonant, word initial for vowel)|Example 2 (Intervocalic for consonant, word medial nucleus for vowel)|Example 3 (Coda for consonant, word final for vowel)|Comments|

+#### English vowels

+#### English R-colored vowels

+#### English Semivowels

+#### English aspirated oral stops

+#### English Nasal stops

+#### English fricatives

+#### English affricates

+#### English approximants

+### [fr-FR](#tab/fr-FR)

+#### French suprasegmentals

+#### French vowels

+#### French consonants

+### [de-DE](#tab/de-DE)

+#### German suprasegmentals

+#### German vowels

+#### German diphthong

+#### German semivowels

+#### German consonants

+#### German oral consonants

+> We need to add a [gs\] phone between two distinct vowels, except the two vowels are a genuine diphthong. This oral consonant is a glottal stop, for more information, see [glottal stop](http://en.wikipedia.org/wiki/Glottal_stop).

+### [es-ES](#tab/es-ES)

+#### Spanish vowels

+#### Spanish consonants

+### [zh-CN](#tab/zh-CN)

+The Speech service phone set for `zh-CN` is based on the native phone [Pinyin](https://en.wikipedia.org/wiki/Pinyin).

+#### Tone

+### [zh-TW](#tab/zh-TW)

+The Speech service phone set for `zh-TW` is based on the native phone [Bopomofo](https://en.wikipedia.org/wiki/Bopomofo).

+#### Tone

+### [ja-JP](#tab/ja-JP)

+The Speech service phone set for `ja-JP` is based on the native phone [Kana](https://en.wikipedia.org/wiki/Kana) set.

+#### Stress

+## International Phonetic Alphabet

+For the locales below, the Speech service uses the [International Phonetic Alphabet (IPA)](https://en.wikipedia.org/wiki/International_Phonetic_Alphabet).

+You set `ipa` as the `alphabet` in [SSML](speech-synthesis-markup.md#use-phonemes-to-improve-pronunciation).

+These locales all use the same IPA stress and syllables described here.

+|`ipa` | Symbol |

+|-|-|

+| `ˈ` | Primary stress |

+| `ˌ` | Secondary stress |

+| `.` | Syllable boundary |

+Select a tab for the IPA phonemes specific to each locale.

+### [ca-ES](#tab/ca-ES)

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-|-||-|

+| `a` | **a**men | am**a**ro | est**à** |

+| `ɔ` | **o**dre | ofert**o**ri | microt**ò** |

+| `ə` | **e**stan | s**e**ré | aigu**a** |

+| `b` | **b**aba | do**b**la | |

+| `β` | **v**ià | ba**b**a | |

+| `t͡ʃ` | **tx**adià | ma**tx**ucs | fa**ig** |

+| `d̪` | **d**edicada | con**d**uïa | navida**d** |

+| `├░` | **Th**e_Sun | de**d**icada | trinida**d** |

+| `e` | **é**rem | f**e**ta | ser**é** |

+| `ɛ` | **e**cosistema | incorr**e**cta | hav**er** |

+| `f` | **f**acilitades | a**f**ectarà | àgra**f** |

+| `g` | **g**racia | con**g**ratula | |

+| `ɣ` | | ai**g**ua | |

+| `i` | **i**tinerants | it**i**nerants | zomb**i** |

+| `j` | **hi**ena | espla**i**a | cofo**i** |

+| `d͡ʒ` | **dj**akarta | composta**tg**e | geor**ge** |

+| `k` | **c**urós | dode**c**à | doble**c** |

+| `l` | **l**aberint | mio**l**ar | preva**l** |

+| `ʎ` | **ll**igada | mi**ll**orarà | perbu**ll** |

+| `m` | **m**acadàmies | fe**m**ar | subli**m** |

+| `n` | **n**ecessaris | sa**n**itaris | alterame**nt** |

+| `ŋ` | | algo**n**quí | albe**nc** |

+| `╔▓` | **ny**asa | reme**n**jar | alema**ny** |

+| `o` | **o**mbra | ret**o**ndre | omissi**├│** |

+| `p` | **p**egues | este**p**a | ca**p** |

+| `ɾ` | | ca**r**o | càrte**r** |

+| `r` | **r**abada | ca**rr**o | lof├▓fo**r** |

+| `s` | **c**eri | cur**s**ar | cu**s** |

+| `ʃ` | **x**acar | micro**x**ip | midra**ix** |

+| `t̪` | **t**abacaires | es**t**ratifica | debatu**t** |

+| `θ` | **c**eará | ve**c**inos | Álvare**z** |

+| `u` | **u**niversitaris | candidat**u**res | cron**o** |

+| `w` | **w**estfalià | ina**u**gurar | inscri**u** |

+| `x` | **j**uanita | mu**j**eres | heinri**ch** |

+| `z` | **z**elar | bra**s**ils | alian**ze** |

+### [en-GB](#tab/en-GB)

+#### Vowels

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-||--|-|

+| `ɑː` | | f**a**st | br**a** |

+| `æ` | | f**a**t | |

+| `ʌ` | | b**u**g | |

+| `ɛə` | | | h**air** |

+| `aʊ` | **ou**t | m**ou**th | h**ow** |

+| `ə` | **a** | | driv**er** |

+| `aɪ` | | f**i**ve | |

+| `ɛ` | **e**gg | dr**e**ss | |

+| `ɜː` | **er**nest | sh**ir**t | f**ur** |

+| `eɪ` | **ai**lment | l**a**ke | p**ay** |

+| `ɪ` | | add**i**ng | |

+| `ɪə` | | b**ear**d | h**ear** |

+| `iː` | **ea**t | s**ee**d | s**ee** |

+| `ɒ` | | p**o**d | |

+| `ɔː` | | d**aw**n | |

+| `əʊ` | | c**o**de | pill**ow** |

+| `ɔɪ` | | p**oi**nt | b**oy** |

+| `ʊ` | | l**oo**k | |

+| `ʊə` | | | t**our** |

+| `uː` | | f**oo**d | t**wo** |

+#### Consonants

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-||--|-|

+| `b ` | **b**ike | ri**bb**on | ri**b** |

+| `tʃ ` | **ch**allenge | na**t**ure | ri**ch** |

+| `d ` | **d**ate | ca**dd**y | sli**d** |

+| `├░` | **th**is | fa**th**er | brea**the** |

+| `f ` | **f**ace | lau**gh**ing | enou**gh** |

+| `g ` | **g**old | bra**gg**ing | be**g** |

+| `h ` | **h**urry | a**h**ead | |

+| `j` | **y**es | | |

+| `dʒ` | **g**in | ba**dg**er | bri**dge** |

+| `k ` | **c**at | lu**ck**y | tru**ck** |

+| `l ` | **l**eft | ga**ll**on | fi**ll** |

+| `m ` | **m**ile | li**m**it | ha**m** |

+| `n ` | **n**ose | pho**n**etic | ti**n** |

+| `ŋ ` | | si**ng**er | lo**ng** |

+| `p ` | **p**rice | su**p**er | ti**p** |

+| `╔╣` | **r**ate | ve**r**y | |

+| `s ` | **s**ay | si**ss**y | pa**ss** |

+| `ʃ ` | **sh**op | ca**sh**ier | lea**sh** |

+| `t ` | **t**op | ki**tt**en | be**t** |

+| `╬╕` | **th**eatre | ma**the**matics | brea**th** |

+| `v` | **v**ery | li**v**er | ha**ve** |

+| `w ` | **w**ill | | |

+| `z ` | **z**ero | bli**zz**ard | ro**se** |

+### [es-MX](#tab/es-MX)

+#### Vowels

+| `ipa` | Example 1 | Example 2 | Example 3|

+|-||-|-|

+| `ɑ` | **a**zúcar | tom**a**te | rop**a** |

+| `e` | **e**so | rem**e**ro | am**é** |

+| `i` | h**i**lo | liqu**i**do | ol**í** |

+| `o` | h**o**gar | ol**o**te | cas**o** |

+| `u` | **u**no | ning**u**no | tab**├║** |

+#### Consonants

+| `ipa` | Example 1 | Example 2 | Example 3|

+|-||-|-|

+| `b` | **b**ote | | |

+| `╬▓` | ├│r**b**ita | envol**v**ente | |

+| `t͡ʃ` | **ch**ico | ha**ch**a | |

+| `d` | **d**átil | | |

+| `├░` | or**d**en | o**d**a | |

+| `f` | **f**oco | o**f**icina | |

+| `g` | **g**ajo | | |

+| `ɣ` | a**g**ua | ho**gu**era | |

+| `j` | **i**odo | cal**i**ente | re**y** |

+| `j͡j` | | o**ll**a | |

+| `k` | **c**asa | á**c**aro | |

+| `l` | **l**oco | a**l**a | |

+| `ʎ` | **ll**ave | en**y**ugo | |

+| `m` | **m**ata | a**m**ar | |

+| `n` | **n**ada | a**n**o | |

+| `╔▓` | **├▒**o├▒o | a**├▒**o | |

+| `p` | **p**apa | pa**p**a | |

+| `╔╛` | | a**r**o | |

+| `r` | **r**ojo | pe**rr**o | |

+| `s` | **s**illa | a**s**a | |

+| `t` | **t**omate | | sof**t** |

+| `w` | h**u**evo | | |

+| `x` | **j**arra | ho**j**a | |

+### [it-IT](#tab/it-IT)

+#### Vowels

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-||--|--|

+| `a` | **a**mo | s**a**no | scort**a** |

+| `ai` | **ai**cs | abb**ai**no | m**ai** |

+| `aʊ` | **au**dio | r**au**co | b**au** |

+| `e` | **e**roico | v**e**nti / numb**e**r | sapor**e** |

+| `ɛ` | **e**lle | avv**e**nto | lacch**è** |

+| `ej` | **ei**ra | em**ai**l | l**ei** |

+| `ɛu` | **eu**ro | n**eu**ro | |

+| `ei` | | as**ei**tà | scultor**ei** |

+| `eu` | **eu**ropeo | f**eu**dale | |

+| `i` | **i**taliano | v**i**no | sol**i** |

+| `u` | **u**nico | l**u**na | zeb**├╣** |

+| `o` | **o**besità | stra**o**rdinari | amic**o** |

+| `ɔ` | **o**tto | b**o**tte / str**o**kes | per**ò** |

+| `oj` | | oppi**oi**di | |

+| `oi` | **oi**b├▓ | intellettual**oi**de | Gameb**oy** |

+| `ou` | | sh**ow** | talksh**ow** |

+#### Consonants

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-||--|--|

+| `b` | **b**ene | e**b**anista | Euroclu**b** |

+| `bː` | | go**bb**a | |

+| `ʧ` | **c**enare | a**c**ido | fren**ch** |

+| `tʃː` | | bra**cc**io | |

+| `kː` | | pa**cc**o | Innsbru**ck** |

+| `d` | **d**ente | a**d**orare | interlan**d** |

+| `dː` | | ca**dd**e | |

+| `ʣ` | **z**ero | or**z**o | |

+| `ʣː` | | me**zz**o | |

+| `f` | **f**ame | a**f**a | ale**f** |

+| `fː` | | be**ff**a | blu**ff** |

+| `ʤ` | **g**ente | a**g**ire | bei**ge** |

+| `ʤː` | | o**gg**i | |

+| `g` | **g**ara | al**gh**e | smo**g** |

+| `gː` | | fu**gg**a | Zue**gg** |

+| `ʎ` | **gl**i | ammira**gl**i | |

+| `ʎː` | | fo**gl**ia | |

+| `ɲː` | | ba**gn**o | |

+| `╔▓` | **gn**occo | padri**gn**o | Montai**gne** |

+| `j` | **i**eri | p**i**ede | freewif**i** |

+| `k` | **c**aro | an**ch**e | ti**c** ta**c** |

+| `l` | **l**ana | a**l**ato | co**l** |

+| `lː` | | co**ll**a | fu**ll** |

+| `m` | **m**ano | a**m**are | Ada**m** |

+| `mː` | | gra**mm**o | |

+| `n` | **n**aso | la**n**a | no**n** |

+| `nː` | | pa**nn**a | |

+| `p` | **p**ane | e**p**ico | sto**p** |

+| `pː` | | co**pp**a | |

+| `╔╛` | **r**ana | moto**r**e | pe**r** |

+| `r.r` | | ca**rr**o | Sta**rr** |

+| `s` | **s**ano | ca**s**cata | lapi**s** |

+| `sː` | | ca**ss**a | cordle**ss** |

+| `ʃ` | **sc**emo | Gram**sc**i | sla**sh** |

+| `ʃː` | | a**sc**ia | fich**es** |

+| `t` | **t**ana | e**t**erno | al**t** |

+| `tː` | | zi**tt**o | |

+| `ʦ` | **ts**unami | turbolen**z**a | subtes**ts** |

+| `ʦː` | | bo**zz**a | |

+| `v` | **v**ento | a**v**aro | Asimo**v** |

+| `vː` | | be**vv**i | |

+| `w` | **u**ovo | d**u**omo | Marlo**we** |

+### [pt-BR](#tab/pt-BR)

+#### VOWELS

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-|--||--|

+| `i` | **i**lha | f**i**car | com**i** |

+| `ĩ` | **in**tacto | p**in**tar | aberd**een** |

+| `ɑ` | **á**gua | d**a**da | m**á** |

+| `ɔ` | **o**ra | p**o**rta | cip**ó** |

+| `u` | **u**fanista | m**u**la | per**u** |

+| `ũ` | **un**s | p**un**gente | k**uhn** |

+| `o` | **o**rtopedista | f**o**fo | av**├┤** |

+| `e` | **e**lefante | el**e**fante | voc**ê** |

+| `ɐ̃` | **an**ta | c**an**ta | amanh**ã** |

+| `ɐ` | **a**qui | am**a**ciar | dad**a** |

+| `ɛ` | **e**la | s**e**rra | at**é** |

+| `ẽ` | **en**dorfina | p**en**der | |

+| `õ` | **on**tologia | c**on**to | |

+#### Consonants

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-|--||--|

+| `w̃` | | | atualizaçã**o** |

+| `w` | **w**ashington | ág**u**a | uso**u** |

+| `p` | **p**ato | ca**p**ital | |

+| `b` | **b**ola | ca**b**eça | |

+| `t` | **t**ato | ra**t**o | |

+| `d` | **d**ado | ama**d**o | |

+| `g` | **g**ato | mara**g**ato | |

+| `m` | **m**ato | co**m**er | |

+| `n` | **n**o | a**n**o | |

+| `ŋ` | **nh**oque | ni**nh**o | |

+| `f` | **f**aca | a**f**ago | |

+| `v` | **v**aca | ca**v**ar | |

+| `╔╣` | | pa**r**a | ama**r** |

+| `s` | **s**atisfeito | amas**s**ado | casado**s** |

+| `z` | **z**ebra | a**z**ar | |

+| `ʃ` | **ch**eirar | ma**ch**ado | |

+| `ʒ` | **jaca** | in**j**usta | |

+| `x` | **r**ota | ca**rr**eta | |

+| `tʃ` | **t**irar | a**t**irar | |

+| `dʒ` | **d**ia | a**d**iar | |

+| `l` | **l**ata | a**l**eto | |

+| `ʎ` | **lh**ama | ma**lh**ado | |

+| `j̃` | | inabalavelme**n**te | hífe**n** |

+| `j` | | ca**i**xa | sa**i** |

+| `k` | **c**asa | ensa**c**ado | |

+### [pt-PT](#tab/pt-PT)

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-|-|--||

+| `a` | **á**bdito | consul**a**r | medir**á** |

+| `ɐ` | **a**bacaxi | dom**a**ção | long**a** |

+| `ɐ͡j` | **ei**dético | dir**ei**ta | detect**ei** |

+| `ɐ̃` | **an**verso | viaj**an**te | af**ã** |

+| `ɐ͡j̃`| **an**gels | viag**en**s | tamb**ém** |

+| `ɐ͡w̃`| **hão** | significaç**ão**zinha | gab**ão** |

+| `ɐ͡w` | | s**au**dar | hell**o** |

+| `a͡j` | **ai**rosa | cultur**ai**s | v**ai** |

+| `ɔ` | **ho**ra | dep**ó**sito | l**ó** |

+| `ɔ͡j` | **ói**s | her**ói**co | d**ói** |

+| `a͡w` | **ou**tlook | inc**au**to | p**au** |

+| `ə` | **e**xtremo | sapr**e**mar | noit**e** |

+| `b` | **b**acalhau | ta**b**aco | clu**b** |

+| `d` | **d**ado | da**d**o | ban**d** |

+| `ɾ` | **r**ename | ve**r**ás | chuta**r** |

+| `e` | **e**clipse | hav**e**r | buff**et** |

+| `ɛ` | **e**co | hib**é**rnios | pat**é** |

+| `ɛ͡w` | | pirin**éu**s | escarc**éu** |

+| `ẽ` | **em**baçado | dirim**en**te | ám**en** |

+| `e͡w` | **eu** | d**eu**s | beb**eu** |

+| `f` | **f**im | e**f**icácia | gol**f** |

+| `g` | **g**adinho | ape**g**o | blo**g** |

+| `i` | **i**greja | aplaud**i**do | escrev**i** |

+| `ĩ` | **im**paciente | esp**in**çar | manequ**im** |

+| `i͡w` | | n**iu**e | garant**iu** |

+| `j` | **i**ode | desassoc**i**ado | substitu**i** |

+| `k` | **k**iwi | trafi**c**ado | sna**ck** |

+| `l` | **l**aborar | pe**l**ada | fu**ll** |

+| `ɫ` | | po**l**vo | brasi**l** |

+| `ʎ` | **lh**anamente | anti**lh**as | |

+| `m` | **m**aça | ama**nh**ã | mode**m** |

+| `n` | **n**utritivo | campa**n**a | sca**n** |

+| `╔▓` | **nh**ambu-grande | toalhi**nh**a | pe**nh** |

+| `o` | **o**fir | consumad**o**r | stacatt**o** |

+| `o͡j` | **oi**rar | n**oi**te | f**oi** |

+| `õ` | **om**brão | barr**on**da | d**om** |

+| `o͡j̃`| | ocupaç**õe**s | exp**õe** |

+| `p` | **p**ai | crá**p**ula | lapto**p** |

+| `ʀ` | **r**ecordar | gue**rr**a | chauffeu**r** |

+| `s` | **s**eco | gro**ss**eira | bo**ss** |

+| `ʃ` | **ch**uva | du**ch**ar | médio**s** |

+| `t` | **t**abaco | pelo**t**a | inpu**t** |

+| `u` | **u**bi | fac**u**ltativo | fad**o** |

+| `u͡j` | **ui**var | arr**ui**vado | f**ui** |

+| `ũ` | **um**bilical | f**un**cionar | fór**um** |

+| `u͡j̃`| | m**ui**to | |

+| `v` | **v**aca | combatí**v**el | pavlo**v** |

+| `w` | **w**affle | restit**u**ir | katofi**o** |

+| `z` | **z**âmbia | pra**z**er | ja**zz** |

+### [ru-RU](#tab/ru-RU)

+#### VOWELS

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-||-|-|

+| `a` | **а**дрес | р**а**дость | бед**а** |

+| `ʌ` | **о**блаков | з**а**стенчивость | внучк**а** |

+| `ə` | | ябл**о**чн**о**го | |

+| `ɛ` | **э**пос | б**е**лка | каф**е** |

+| `i` | **и**ней | л**и**ст | соловь**и** |

+| `ɪ` | **и**гра | м**е**дведь | мгновень**е** |

+| `ɨ` | **э**нергия | л**ы**с**ы**й | вес**ы** |

+| `ɔ` | **о**крик | м**о**т | весл**о** |

+| `u` | **у**жин | к**у**ст | пойд**у** |

+#### CONSONANT

+| `ipa` | Example 1 | Example 2 | Example 3 |

+|-||-|-|

+| `p` | **п**рофессор | по**п**лавок | укро**п** |

+| `pʲ` | **П**етербург | осле**п**ительно | сте**пь** |

+| `b` | **б**ольшой | со**б**ака | |

+| `bʲ` | **б**елый | у**б**едить | |

+| `t` | **т**айна | с**т**аренький | тви**д** |

+| `tʲ` | **т**епло | учи**т**ель | сине**ть** |

+| `d` | **д**оверчиво | не**д**алеко | |

+| `dʲ` | **д**ядя | е**д**иница | |

+| `k` | **к**рыло | ку**к**уруза | кустарни**к** |

+| `kʲ` | **к**ипяток | неяр**к**ий | |

+| `g` | **г**роза | немно**г**о | |

+| `gʲ` | **г**ерань | помо**г**ите | |

+| `x` | **х**ороший | по**х**од | ду**х** |

+| `xʲ` | **х**илый | хи**х**иканье | |

+| `f` | **ф**антазия | шка**ф**ах | кро**в** |

+| `fʲ` | **ф**естиваль | ко**ф**е | вер**фь** |

+| `v` | **в**нучка | сине**в**а | |

+| `vʲ` | **в**ертеть | с**в**ет | |

+| `s` | **с**казочник | ле**с**ной | карапу**з** |

+| `sʲ` | **с**еять | по**с**ередине | зажгли**сь** |

+| `z` | **з**аяц | зве**з**да | |

+| `zʲ` | **з**емляника | со**з**ерцал | |

+| `ʂ` | **ш**уметь | п**ш**ено | мы**шь** |

+| `ʐ` | **ж**илище | кру**ж**евной | |

+| `t͡s` | **ц**елитель | Вене**ц**ия | незнакоме**ц** |

+| `t͡ɕ` | **ч**асы | о**ч**арование | мя**ч** |

+| `ɕː` | **щ**елчок | о**щ**у**щ**ать | ле**щ** |

+| `m` | **м**олодежь | нес**м**отря | то**м** |

+| `mʲ` | **м**еч | ды**м**ить | се**мь** |

+| `n` | **н**ачало | око**н**це | со**н** |

+| `nʲ` | **н**ебо | ли**н**ялый | тюле**нь** |

+| `l` | **л**ужа | до**л**гожитель | ме**л** |

+| `lʲ` | **л**ицо | неда**л**еко | со**ль** |

+| `r` | **р**адость | со**р**ока | дво**р** |

+| `rʲ` | **р**ябина | набе**р**ежная | две**рь** |

+| `j` | **е**сть | ма**я**к | игрушечны**й** |

+***

+| `alphabet` | Specifies the phonetic alphabet to use when synthesizing the pronunciation of the string in the `ph` attribute. The string specifying the alphabet must be specified in lowercase letters. The following are the possible alphabets that you can specify.<ul><li>`ipa` &ndash; [International Phonetic Alphabet](speech-ssml-phonetic-sets.md#speech-service-phonetic-alphabet)</li><li>`sapi` &ndash; [Speech service phonetic alphabet](speech-ssml-phonetic-sets.md#speech-service-phonetic-alphabet)</li><li>`ups` &ndash; [Universal Phone Set](https://documentation.help/Microsoft-Speech-Platform-SDK-11/17509a49-cae7-41f5-b61d-07beaae872ea.htm)</li></ul><br>The alphabet applies only to the `phoneme` in the element.| Optional |

+The `lexicon` element contains at least one `lexeme` element. Each `lexeme` element contains at least one `grapheme` element and one or more `grapheme`, `alias`, and `phoneme` elements. The `grapheme` element contains text describing the [orthography](https://www.w3.org/TR/pronunciation-lexicon/#term-Orthography). The `alias` elements are used to indicate the pronunciation of an acronym or an abbreviated term. The `phoneme` element provides text describing how the `lexeme` is pronounced. When `alias` and `phoneme` element are provided with the same `grapheme` element, `alias` has higher priority.

+For more information, see [`BookmarkReached`](/dotnet/api/microsoft.cognitiveservices.speech.speechsynthesizer.bookmarkreached).

+For more information, see [`BookmarkReached`](/cpp/cognitive-services/speech/speechsynthesizer#bookmarkreached).

+For more information, see [`BookmarkReached`](/java/api/com.microsoft.cognitiveservices.speech.speechsynthesizer.bookmarkReached#com_microsoft_cognitiveservices_speech_SpeechSynthesizer_BookmarkReached).

+For more information, see [`bookmark_reached`](/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.speechsynthesizer#bookmark-reached).

+For more information, see [`bookmarkReached`](/javascript/api/microsoft-cognitiveservices-speech-sdk/speechsynthesizer#bookmarkReached).

+For more information, see [`addBookmarkReachedEventHandler`](/objectivec/cognitive-services/speech/spxspeechsynthesizer#addbookmarkreachedeventhandler).

+For more information, see [`addBookmarkReachedEventHandler`](/objectivec/cognitive-services/speech/spxspeechsynthesizer).

+### Review test set

+3. Select **Review test set**.

+ "sourceUri": "https://docs.microsoft.com/azure/cognitive-services/qnamaker/overview/overview",

+> [!VIDEO https://docs.microsoft.com/Shows/AI-Show/Introducing-Text-Analytics-for-Health/player]

+Alternatively you can also do a node pool selection deployment for your container deployments as shown below

+```yaml

+apiVersion: batch/v1

+kind: Job

+metadata:

+ name: sgx-test

+spec:

+ template:

+ metadata:

+ labels:

+ app: sgx-test

+ spec:

+ affinity:

+ nodeAffinity:

+ requiredDuringSchedulingIgnoredDuringExecution:

+ nodeSelectorTerms:

+ - matchExpressions:

+ - key: agentpool

+ operator: In

+ values:

+ - acc # this is the name of your confidential computing nodel pool

+ - acc_second # this is the name of your confidential computing nodel pool

+ containers:

+ - name: sgx-test

+ image: oeciteam/oe-helloworld:1.0

+ resources:

+ limits:

+ kubernetes.azure.com/sgx_epc_mem_in_MiB: 10

+ requests:

+ kubernetes.azure.com/sgx_epc_mem_in_MiB: 10

+ restartPolicy: "Never"

+ backoffLimit: 0

+ ```

+## PSW with SGX quote helper

+- **in-proc**: hosts the trusted software components inside the enclave application process. This method is useful when you are performing local attestation (between 2 enclave apps in a single VM node)

+- **out-of-proc**: hosts the trusted software components outside of the enclave application. This is a preferred method when performing remote attestation.

+The out-of-proc attestation model works for confidential workloads. The quote requestor and quote generation are executed separately, but on the same physical machine. The quote generation happens in a centralized manner and serves requests for QUOTES from all entities. Properly define the interface and make the interface discoverable for any entity to request quotes.

+> [!NOTE]

+> If you are using a Intel SGX wrapper software(OSS/ISV) to run you unmodified containers the attestation interaction with hardware is typically handled for your higher level apps. Please refer to the attestation implementation per provider.

+[Azure confidential computing](overview.md) allows you to protect your sensitive data while it's in use. The underlying confidential computing infrastructure protects this data from other applications, administrators, and cloud providers with a hardware backed trusted execution container environments. Adding confidential computing nodes allow you to target container application to run in an isolated, hardware protected, integrity protected in an attestable environment.

+Azure Kubernetes Service (AKS) supports adding [DCsv2 confidential computing nodes](confidential-computing-enclaves.md) powered by Intel SGX. These nodes allow you to run sensitive workloads within a hardware-based trusted execution environment (TEE). TEEs allow user-level code from containers to allocate private regions of memory to execute the code with CPU directly. These private memory regions that execute directly with CPU are called enclaves. Enclaves help protect the data confidentiality, data integrity and code integrity from other processes running on the same nodes, as well as Azure operator. The Intel SGX execution model also removes the intermediate layers of Guest OS, Host OS and Hypervisor thus reducing the attack surface area. The *hardware based per container isolated execution* model in a node allows applications to directly execute with the CPU, while keeping the special block of memory encrypted per container. Confidential computing nodes with confidential containers are a great addition to your zero-trust security planning and defense-in-depth container strategy.

+The add-on feature enables extra capability on AKS when running confidential computing Intel SGX capable node pools on the cluster. "Confcon" add-on on AKS enables the features below.

+The device plugin implements the Kubernetes device plugin interface for Encrypted Page Cache (EPC) memory and exposes the device drivers from the nodes. Effectively, this plugin makes EPC memory as another resource type in Kubernetes. Users can specify limits on this resource just as other resources. Apart from the scheduling function, the device plugin helps assign Intel SGX device driver permissions to confidential container deployments. With this plugin developer can avoid mounting the Intel SGX driver volumes in the deployment files. This add-on on AKS clusters run as a daemonset per VM node that is of Intel SGX capable. A sample implementation of the EPC memory-based deployment (`kubernetes.azure.com/sgx_epc_mem_in_MiB`) sample is [here](https://github.com/Azure-Samples/confidential-computing/blob/main/containersamples/helloworld/helm/templates/helloworld.yaml)

+#### Intel SGX Quote Helper with Platform Software Components <a id="sgx-plugin"></a>

+As part of the plugin another daemonset is deployed per VM node that are of Intel SGX capable on the AKS cluster. This daemonset helps your confidential container apps when a remote out-of-proc attestation request is invoked.

+Enclave applications that do remote attestation need to generate a quote. The quote provides cryptographic proof of the identity and the state of the application, along with the enclave's host environment. Quote generation relies on certain trusted software components from Intel, which are part of the SGX Platform Software Components (PSW/DCAP). This PSW is packaged as a daemon set that runs per node. You can use the PSW when requesting attestation quote from enclave apps. Using the AKS provided service helps better maintain the compatibility between the PSW and other SW components in the host with Intel SGX drivers that are part of the AKS VM nodes. Read more on how your apps can use this daemonset without having to package the attestation primitives as part of your container deployments [More here](confidential-nodes-aks-addon.md#psw-with-sgx-quote-helper)

+[Intel SGX Confidential VMs - DCsv2 SKU List](../virtual-machines/dcv2-series.md)

+[Intel SGX Confidential VMs - DCsv3 SKU List](../virtual-machines/dcv3-series.md)

+> To learn about best practices for managing workloads that have partition keys requiring higher limits for storage or throughput, see [Create a synthetic partition key](synthetic-partition-keys.md). If your workload has already reached the logical partition limit of 20GB in production, it is recommended to re-architect your application with a different partition key as a long-term solution. To help give time for this, you can request a temporary increase in the logical partition key limit for your existing application. [File an Azure support ticket](create-support-request-quota-increase.md) and select quota type **Temporary increase in container's logical partition key size**. Note this is intended as a temporary mitigation and not recommendeded as a long-term solution, as SLA guarantees are not honored when the limit is increased. To remove the configuration, file a support ticket and select quota type **Restore containerΓÇÖs logical partition key size to default (20 GB)**. This can be done after you have either deleted data to fit the 20 GB logical partition limit or have re-architected your application with a different partition key.

+Azure Cosmos DB uses hash-based partitioning scheme to achieve horizontal scaling of data. All Azure Cosmos containers created before May 3, 2019 use a hash function that computes hash based on the first 101 bytes of the partition key. If there are multiple partition keys that have the same first 101 bytes, then those logical partitions are considered as the same logical partition by the service. This can lead to issues like partition size quota being incorrect, unique indexes being incorrectly applied across the partition keys, and uneven distribution of storage. Large partition keys are introduced to solve this issue. Azure Cosmos DB now supports large partition keys with values up to 2 KB.

+Large partition keys are supported by enabling an enhanced version of the hash function, which can generate a unique hash from large partition keys up to 2 KB.

+As a best practice, unless you need support for an [older Cosmos SDK or application that does not support this feature](#supported-sdk-versions), it is always recommended to configure your container with support for large partition keys.

+To create a large partition key, when you create a new container using the Azure portal, check the **My partition key is larger than 101-bytes** option. Unselect the checkbox if you donΓÇÖt need large partition keys or if you have applications running on SDKs version older than 1.18.

+## Create a large partition key (.NET SDK)

+> [!NOTE]

+> By default, all containers created using the .NET SDK V2 do not support large partition keys. By default, all containers created using the .NET SDK V3 support large partition keys.

+|.NET | 1.18 |

+> [!VIDEO https://docs.microsoft.com/Shows/Docs-Azure/Quickstart-Use-Nodejs-to-connect-and-query-data-from-Azure-Cosmos-DB-SQL-API-account/player]

+> [!NOTE]

+> You can use Azure Resource Manager templates to create new autoscale databases/containers and change the autoscale max RU/s setting on an existing database/container that is already configured with autoscale. By design, migrating between manual and autoscale throughput is not supported with Azure Resource Manager templates. To do this programmatically, you can use [Azure CLI](how-to-provision-autoscale-throughput.md#azure-cli) or [PowerShell](how-to-provision-autoscale-throughput.md#azure-powershell).

+This template will create a SQL Cosmos account, a natively maintained Role Definition, and a natively maintained Role Assignment for an Azure AD identity. This template is also available for one-click deploy from Azure Quickstart Templates Gallery.

+Where the v2 SDK had Direct-only diagnostics available through the `RequestDiagnosticsString` property, the v3 SDK uses `Diagnostics` available in all responses and exceptions, which are richer and not restricted to Direct mode. They include not only the time spent on the SDK for the operation, but also the regions the operation contacted:

+ Title: Get started with Cost Management + Billing reporting - Azure

+description: This article helps you to get started with Cost Management + Billing to understand, report on, and analyze your invoiced Microsoft Cloud and AWS costs.

+# Get started with Cost Management + Billing reporting

+Cost Management + Billing includes several tools to help you understand, report on, and analyze your invoiced Microsoft Cloud and AWS costs. The following sections describe the major reporting components.

+## Cost analysis

+Cost analysis should be your first stop in the Azure portal when it comes to understanding what you're spending and where you're spending. Cost analysis helps you:

+- Visualize and analyze your organizational costs

+- Share cost views with others using custom alerts

+- View aggregated costs by organization to understand where costs occur over time and identify spending trends

+- View accumulated costs over time to estimate monthly, quarterly, or even yearly cost trends against a budget

+- Create budgets to provide adherence to financial constraints

+- Use budgets to view daily or monthly costs and help isolate spending irregularities

+Cost analysis is available from every resource group, subscription, management group, and billing account in the Azure portal. If you manage one of these scopes, you can start there and select **Cost analysis** from the menu. If you manage multiple scopes, you may want to start directly within Cost Management:

+Sign in to the Azure portal > select **Home** in the menu > scroll down under **Tools** and select **Cost Management** > select a scope at the top of the page > in the left menu, select **Cost analysis**.

+For more information about cost analysis, see [Explore and analyze costs with cost analysis](quick-acm-cost-analysis.md).

+## Power BI

+While cost analysis offers a rich, interactive experience for analyzing and surfacing insights about your costs, there are times when you need to build more extensive dashboards and complex reports or combine costs with internal data. The Cost Management template app for Power BI is a great way to get up and running with Power BI quickly. For more information about the template app, see [Analyze Azure costs with the Power BI App](analyze-cost-data-azure-cost-management-power-bi-template-app.md).

+Need to go beyond the basics with Power BI? The Cost Management connector for Power BI lets you choose the data you need to help you seamlessly integrate costs with your own datasets or easily build out more complete dashboards and reports to meet your organization's needs. For more information about the connector, see [Connect to Azure Cost Management data in Power BI Desktop](/power-bi/connect-data/desktop-connect-azure-cost-management).

+## Usage details and exports

+If you're looking for raw data to automate business processes or integrate with other systems, start by exporting data to a storage account. Scheduled exports allow you to automatically publish your raw cost data to a storage account on a daily, weekly, or monthly basis. With special handling for large datasets, scheduled exports are the most scalable option for building first-class cost data integration. For more information, see [Create and manage exported data](tutorial-export-acm-data.md).

+If you need more fine-grained control over your data requests, the Usage Details API offers a bit more flexibility to pull raw data the way you need it. For more information, see the [Usage Details REST API](/rest/api/consumption/usage-details/list).

+## Invoices and credits

+Cost analysis is a great tool for reviewing estimated, unbilled charges or for tracking historical cost trends, but it may not show your total billed amount because credits, taxes, and other refunds and charges not available in Cost Management. To estimate your projected bill at the end of the month, start in cost analysis to understand your forecasted costs, then review any available credit or prepaid commitment balance from **Credits** or **Payment methods** for your billing account or billing profile within the Azure portal. To review your final billed charges after the invoice is available, see **Invoices** for your billing account or billing profile.

+Here's an example that shows credits on the Credits tab on the Credits + Commitments page.

+For more information about your invoice, see [View and download your Microsoft Azure invoice](../understand/download-azure-invoice.md)

+For more information about credits, see [Track Microsoft Customer Agreement Azure credit balance](../manage/mca-check-azure-credits-balance.md).

+## Next steps

+- [Explore and analyze costs with cost analysis](quick-acm-cost-analysis.md).

+- [Analyze Azure costs with the Power BI App](analyze-cost-data-azure-cost-management-power-bi-template-app.md).

+- [Connect to Azure Cost Management data in Power BI Desktop](/power-bi/connect-data/desktop-connect-azure-cost-management).

+- [Create and manage exported data](tutorial-export-acm-data.md).

+Additionally, your new partner doesn't automatically get Admin on Behalf Of (AOBO) access to your subscriptions. AOBO is necessary for your partner to manage the Azure subscriptions on your behalf. For more information about Azure privileges, see [Obtain permissions to manage a customer's service or subscription](/partner-center/customers-revoke-admin-privileges).

+The partners should work with the customer to get access to subscriptions. The partners need to get either Admin on Behalf Of - AOBO or [Azure Lighthouse](../../lighthouse/concepts/cloud-solution-provider.md) access open support tickets.

+For general use cases, it is recommended to include global parameters in the ARM template. This integrates natively with the solution outlined in [the CI/CD doc](continuous-integration-delivery.md). In case of automatic publishing and Azure Purview connection, **PowerShell script** method is required. You can find more about PowerShell script method later. Global parameters will be added as an ARM template parameter by default as they often change from environment to environment. You can enable the inclusion of global parameters in the ARM template from the **Manage** hub.

+> The **Include in ARM template** configuration is only available in "Git mode". Currently it is disabled in "live mode" or "Data Factory" mode. In case of automatic publishing or Azure Purview connection, do not use Include global parameters method; use PowerShell script method.

+### Git Repository or Azure Purview Connection Disconnected

+1. In the ADF authoring UI, go to **Manage** -> **Azure Purview**, and select **Connect to an Azure Purview account**.

+ :::image type="content" source="./media/data-factory-purview/register-purview-account.png" alt-text="Screenshot for registering an Azure Purview account.":::

+3. Once connected, you can see the name of the Azure Purview account in the tab **Azure Purview account**.

+If your Azure Purview account is protected by firewall, create the managed private endpoints for Azure Purview. Learn more about how to let Data Factory [access a secured Azure Purview account](how-to-access-secured-purview-account.md). You can either do it during the initial connection or edit an existing connection later.

+The Azure Purview connection information is stored in the data factory resource like the following. To establish the connection programmatically, you can update the data factory and add the `purviewConfiguration` settings. When you want to push lineage from SSIS activities, also add `catalogUri` tag additionally.

+Data factory's managed identity is used to authenticate lineage push operations from data factory to Azure Purview.

+Grant the data factory's managed identity **Data Curator** role on your Azure Purview **root collection**. Learn more about [Access control in Azure Purview](../purview/catalog-permissions.md) and [Add roles and restrict access through collections](../purview/how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).

+When connecting data factory to Azure Purview on authoring UI, ADF tries to add such role assignment automatically. If you have **Collection admins** role on the Azure Purview root collection and have access to Azure Purview account from your network, this operation is done successfully.

+## Monitor Azure Purview connection

+Once you connect the data factory to an Azure Purview account, you see the following page with details on the enabled integration capabilities.

+- **Connected**: The data factory is successfully connected to the Azure Purview account. Note this indicates data factory is associated with an Azure Purview account and has permission to push lineage to it. If your Azure Purview account is protected by firewall, you also need to make sure the integration runtime used to execute the activities and conduct lineage push can reach the Azure Purview account. Learn more from [Access a secured Azure Purview account from Azure Data Factory](how-to-access-secured-purview-account.md).

+- **Disconnected**: The data factory cannot push lineage to Azure Purview because Azure Purview Data Curator role is not granted to data factory's managed identity. To fix this issue, go to your Azure Purview account to check the role assignments, and manually grant the role as needed. Learn more from [Set up authentication](#set-up-authentication) section.

+ - Cannot reach the Azure Purview account from your current network because the account is protected by firewall. You can launch the ADF UI from a private network that has connectivity to your Azure Purview account instead.

+ - You don't have permission to check role assignments on the Azure Purview account. You can contact the Azure Purview account admin to check the role assignments for you. Learn about the needed Azure Purview role from [Set up authentication](#set-up-authentication) section.

+Once you connect the data factory to an Azure Purview account, when you execute pipelines, Data Factory push lineage information to the Azure Purview account. For detailed supported capabilities, see [Supported Azure Data Factory activities](../purview/how-to-link-azure-data-factory.md#supported-azure-data-factory-activities). For an end to end walkthrough, refer to [Tutorial: Push Data Factory lineage data to Azure Purview](tutorial-push-lineage-to-purview.md).

+## Discover and explore data using Azure Purview

+Once you connect the data factory to an Azure Purview account, you can use the search bar at the top center of Data Factory authoring UI to search for data and perform actions. Learn more from [Discover and explore data in ADF using Azure Purview](how-to-discover-explore-purview-data.md).

+[Discover and explore data in ADF using Azure Purview](how-to-discover-explore-purview-data.md)

+[Access a secured Azure Purview account](how-to-access-secured-purview-account.md)

+ Title: Copy and transform data in Dynamics 365 (Microsoft Dataverse) or Dynamics CRM

+description: Learn how to copy and transform data in Dynamics 365 (Microsoft Dataverse) or Dynamics CRM using Azure Data Factory or Azure Synapse Analytics.

+# Copy and transform data in Dynamics 365 (Microsoft Dataverse) or Dynamics CRM using Azure Data Factory or Azure Synapse Analytics

+This article outlines how to use a copy activity in Azure Data Factory or Synapse pipelines to copy data from and to Dynamics 365 (Microsoft Dataverse) or Dynamics CRM, and use a data flow to transform data in Dynamics 365 (Microsoft Dataverse) or Dynamics CRM. To learn more, read the [Azure Data Factory](introduction.md) and the [Azure Synapse Analytics](..\synapse-analytics\overview-what-is.md) introduction articles.

+- [Mapping data flow](concepts-data-flow-overview.md)

+## Mapping data flow properties

+When transforming data in mapping data flow, you can read and write to tables from Dynamics. For more information, see the [source transformation](data-flow-source.md) and [sink transformation](data-flow-sink.md) in mapping data flows. You can choose to use a Dynamics dataset or an [inline dataset](data-flow-source.md#inline-datasets) as source and sink type.

+### Source transformation

+The below table lists the properties supported by Dynamics. You can edit these properties in the **Source options** tab.

+| Name | Description | Required | Allowed values | Data flow script property |

+| - | -- | -- | -- | - |

+| Table | If you select Table as input, data flow fetches all the data from the table specified in the dataset. | No | - | tableName |

+| Query |FetchXML is a proprietary query language that is used in Dynamics online and on-premises. See the following example. To learn more, see [Build queries with FetchXML](/previous-versions/dynamicscrm-2016/developers-guide/gg328332(v=crm.8)). | No | String | query |

+| Entity | The logical name of the entity to retrieve. | Yes when use inline mode | - | entity|

+> [!Note]

+> If you select **Query** as input type, the column type from tables can not be retrieved. It will be treated as string by default.

+#### Dynamics source script example

+When you use Dynamics as source type, the associated data flow script is:

+```

+source(

+ output(

+ new_name as string,

+ new_dataflowtestid as string

+ ),

+ store: 'dynamics',

+ format: 'dynamicsformat',

+ baseUrl: $baseUrl,

+ cloudType:'AzurePublic',

+ servicePrincipalId:$servicePrincipalId,

+ servicePrincipalCredential:$servicePrincipalCredential,

+ entity:'new_datalowtest'

+query:' <fetch mapping='logical' count='3 paging-cookie=''><entity name='new_dataflow_crud_test'><attribute name='new_name'/><attribute name='new_releasedate'/></entity></fetch> '

+ ) ~> movies

+```

+### Sink transformation

+The below table lists the properties supported by Dynamics sink. You can edit these properties in the **Sink options** tab.

+| Name | Description | Required | Allowed values | Data flow script property |

+| - | -- | -- | -- | - |

+| Entity | The logical name of the entity to retrieve. | Yes when use inline mode | - | entity|

+| Request interval | The interval time between API requests in millisecond. | No | - | requestInterval|

+| Update method | Specify what operations are allowed on your database destination. The default is to only allow inserts.<br>To update, upsert, or delete rows, an [Alter row transformation](data-flow-alter-row.md) is required to tag rows for those actions. | Yes | `true` or `false` | insertable <br/>updateable<br/>upsertable<br>deletable|

+| Alternate key name | The alternate key name defined on your entity to do an update, upsert or delete. | No | - | alternateKeyName |

+#### Dynamics sink script example

+When you use Dynamics as sink type, the associated data flow script is:

+```

+moviesAltered sink(

+ input(new_name as string,

+ new_id as string,

+ new_releasedate as string

+ ),

+ store: 'dynamics',

+ format: 'dynamicsformat',

+ baseUrl: $baseUrl,

+ cloudType:'AzurePublic',

+ servicePrincipalId:$servicePrincipalId,

+ servicePrincipalCredential:$servicePrincipalCredential,

+ updateable: true,

+ upsertable: true,

+ insertable: true,

+ deletable:true,

+ alternateKey:'new_testalternatekey',

+ entity:'new_dataflow_crud_test',

+requestInterval:1000

+ ) ~> movieDB

+```

+- **Message**: `Fail to read data form Azure Blob Storage for Azure Blob connector needs MD5 algorithm which can't co-work with FIPS mode. Please change diawp.exe.config in self-hosted integration runtime install directory to disable FIPS policy following https://docs.microsoft.com/dotnet/framework/configure-apps/file-schema/runtime/enforcefipspolicy-element.`

+> [!VIDEO https://docs.microsoft.com/shows/azure-friday/Run-Azure-Functions-from-Azure-Data-Factory-pipelines/player]

+ If you want to enable remote access from intranet with TLS/SSL certificate (Advanced) to secure communication between integration runtime nodes, you can follow steps in [Enable remote access from intranet with TLS/SSL certificate](tutorial-enable-remote-access-intranet-tls-ssl-certificate.md).

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Hybrid-data-movement-across-multiple-Azure-Data-Factories/player]

+| [Dataverse](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |

+| [Dynamics 365](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |

+| [Dynamics CRM](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |

+| [Dataverse](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |

+| [Dynamics 365](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |

+| [Dynamics CRM](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |

+You can use [Azure private endpoints](../private-link/private-endpoint-overview.md) for your Azure Purview accounts to allow secure access from a virtual network (VNet) to the catalog over a Private Link. Azure Purview provides different types of private points for various access need: *account* private endpoint, *portal* private endpoint, and *ingestion* private endpoints. Learn more from [Azure Purview private endpoints conceptual overview](../purview/catalog-private-link.md#conceptual-overview).

+If your Azure Purview account is protected by firewall and denies public access, make sure you follow below checklist to set up the private endpoints so Data Factory can successfully connect to Azure Purview.

+| Scenario | Required Azure Purview private endpoints |

+| [Run pipeline and report lineage to Azure Purview](tutorial-push-lineage-to-purview.md) | For Data Factory pipeline to push lineage to Azure Purview, Azure Purview ***account*** and ***ingestion*** private endpoints are required. <br>- When using **Azure Integration Runtime**, follow the steps in [Managed private endpoints for Azure Purview](#managed-private-endpoints-for-azure-purview) section to create managed private endpoints in the Data Factory managed virtual network.<br>- When using **Self-hosted Integration Runtime**, follow the steps in [this section](../purview/catalog-private-link-end-to-end.md#option-2enable-account-portal-and-ingestion-private-endpoint-on-existing-azure-purview-accounts) to create the *account* and *ingestion* private endpoints in your integration runtime's virtual network. |

+| [Discover and explore data using Azure Purview on ADF UI](how-to-discover-explore-purview-data.md) | To use the search bar at the top center of Data Factory authoring UI to search for Azure Purview data and perform actions, you need to create Azure Purview ***account*** and ***portal*** private endpoints in the virtual network that you launch the Data Factory Studio. Follow the steps in [Enable *account* and *portal* private endpoint](../purview/catalog-private-link-account-portal.md#option-2enable-account-and-portal-private-endpoint-on-existing-azure-purview-accounts). |

+## Managed private endpoints for Azure Purview

+[Managed private endpoints](managed-virtual-network-private-endpoint.md#managed-private-endpoints) are private endpoints created in the Azure Data Factory Managed Virtual Network establishing a private link to Azure resources. When you run pipeline and report lineage to a firewall protected Azure Purview account, create an Azure Integration Runtime with "Virtual network configuration" option enabled, then create the Azure Purview ***account*** and ***ingestion*** managed private endpoints as follows.

+To create managed private endpoints for Azure Purview on Data Factory authoring UI:

+1. Go to **Manage** -> **Azure Purview**, and click **Edit** to edit your existing connected Azure Purview account or click **Connect to an Azure Purview account** to connect to a new Azure Purview account.

+3. Click **+ Create all** button to batch create the needed Azure Purview private endpoints, including the ***account*** private endpoint and the ***ingestion*** private endpoints for the Azure Purview managed resources - Blob storage, Queue storage, and Event Hubs namespace. You need to have at least **Reader** role on your Azure Purview account for Data Factory to retrieve the Azure Purview managed resources' information.

+ :::image type="content" source="./media/how-to-access-secured-purview-account/purview-create-all-managed-private-endpoints.png" alt-text="Create managed private endpoint for your connected Azure Purview account.":::

+ :::image type="content" source="./media/how-to-access-secured-purview-account/name-purview-private-endpoints.png" alt-text="Name the managed private endpoints for your connected Azure Purview account.":::

+5. Click **Create** to create the private endpoints. After creation, 4 private endpoint requests will be generated that must [get approved by an owner of Azure Purview](#approve-private-endpoint-connections).

+Such batch managed private endpoint creation is provided on the Azure Purview UI only. If you want to create the managed private endpoints programmatically, you need to create those PEs individually. You can find Azure Purview managed resources' information from Azure portal -> your Azure Purview account -> Managed resources.

+After you create the managed private endpoints for Azure Purview, you see "Pending" state first. The Azure Purview owner need to approve the private endpoint connections for each resource.

+If you have permission to approve the Azure Purview private endpoint connection, from Data Factory UI:

+If you don't have permission to approve the Azure Purview private endpoint connection, ask the Azure Purview account owner to do as follows.

+- For *account* private endpoint, go to Azure portal -> your Azure Purview account -> Networking -> Private endpoint connection to approve.

+- For *ingestion* private endpoints, go to Azure portal -> your Azure Purview account -> Managed resources, click into the Storage account and Event Hubs namespace respectively, and approve the private endpoint connection in Networking -> Private endpoint connection page.

+You can monitor the created managed private endpoints for Azure Purview at two places:

+- Go to **Manage** -> **Azure Purview** -> **Edit** to open your existing connected Azure Purview account. To see all the relevant private endpoints, you need to have at least **Reader** role on your Azure Purview account for Data Factory to retrieve the Azure Purview managed resources' information. Otherwise, you only see *account* private endpoint with warning.

+- Go to **Manage** -> **Managed private endpoints** where you see all the managed private endpoints created under the data factory. If you have at least **Reader** role on your Azure Purview account, you see Azure Purview relevant private endpoints being grouped together. Otherwise, they show up separately in the list.

+- [Discover and explore data in ADF using Azure Purview](how-to-discover-explore-purview-data.md)

+| Oracle connectors | You need to install the Oracle Connection Manager, Source, and Destination, as well as the Oracle Call Interface (OCI) driver, on the Azure-SSIS IR Enterprise Edition. If necessary, you can also configure the Oracle Transport Network Substrate (TNS), on the Azure-SSIS IR. For more info, see [Custom setup for the Azure-SSIS integration runtime](how-to-configure-azure-ssis-ir-custom-setup.md). |

+- [How to develop paid or licensed custom components for the Azure-SSIS integration runtime](how-to-develop-azure-ssis-ir-licensed-components.md)

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Event-based-data-integration-with-Azure-Data-Factory/player]

+ Title: Discover and explore data in ADF using Azure Purview

+description: Learn how to discover, explore data in Azure Data Factory using Azure Purview

+# Discover and explore data in ADF using Azure Purview

+- Use the search box at the top to find Azure Purview assets based on keywords

+- [Azure Purview account](../purview/create-catalog-portal.md)

+The use Azure Purview in Data Factory requires you to have access to that Azure Purview account. Data Factory passes-through your Azure Purview permission. As an example, if you have a curator permission role, you will be able to edit metadata scanned by Azure Purview.

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Iterative-development-and-debugging-with-Azure-Data-Factory/player]

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Monitor-Data-Factory-pipelines-using-Operations-Management-Suite-OMS/player]

+> [!VIDEO https://docs.microsoft.com/shows/azure-friday/Monitor-your-Azure-Data-Factory-pipelines-proactively-with-alerts/player]

+> [!VIDEO https://docs.microsoft.com/shows/azure-friday/Parameterize-connections-to-your-data-stores-in-Azure-Data-Factory/player]

+>[!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Visually-build-pipelines-for-Azure-Data-Factory-v2/Player]

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Execute-Jars-and-Python-scripts-on-Azure-Databricks-using-Data-Factory/player]

+For an eleven-minute introduction and demonstration of this feature, watch the [video](/Shows/Azure-Friday/Execute-Jars-and-Python-scripts-on-Azure-Databricks-using-Data-Factory/player).

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Execute-Jars-and-Python-scripts-on-Azure-Databricks-using-Data-Factory/player]

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/How-to-execute-Azure-Machine-Learning-service-pipelines-in-Azure-Data-Factory/player]

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/ingest-prepare-and-transform-using-azure-databricks-and-data-factory/player]

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Create-dependent-pipelines-in-your-Azure-Data-Factory/player]

+* **Azure Purview account**. The Azure Purview account captures all lineage data generated by data factory. If you don't have an Azure Purview account, see [Create an Azure Purview](../purview/create-catalog-portal.md).

+### Step 1: Connect Data Factory to your Azure Purview account

+You can establish the connection between Data Factory and Azure Purview account by following the steps in [Connect Data Factory to Azure Purview](connect-data-factory-to-azure-purview.md).

+### Step 4: View lineage information in your Azure Purview account

+On Azure Purview UI, you can browse assets and choose type "Azure Data Factory". You can also search the Data Catalog using keywords.

+ :::image type="content" source="./media/data-factory-purview/copy-lineage.png" alt-text="Screenshot of the Copy activity lineage in Azure Purview." lightbox="./media/data-factory-purview/copy-lineage.png":::

+ :::image type="content" source="./media/data-factory-purview/dataflow-lineage.png" alt-text="Screenshot of the Data Flow lineage in Azure Purview." lightbox="./media/data-factory-purview/dataflow-lineage.png":::

+ :::image type="content" source="./media/data-factory-purview/ssis-lineage.png" alt-text="Screenshot of the Execute SSIS lineage in Azure Purview." lightbox="./media/data-factory-purview/ssis-lineage.png":::

+

+* Ignite talk on optimize Hive on HDInsight

+[Azure Purview](../purview/overview.md), Microsoft's data governance service, provides rich insights into the *sensitivity of your data*. With automated data discovery, sensitive data classification, and end-to-end data lineage, Azure Purview helps organizations manage and govern data in hybrid and multi-cloud environments.

+This page explains the integration of Azure Purview's data sensitivity classification labels within Defender for Cloud.

+To provide the vital information about discovered sensitive data, and help ensure you have that information when you need it, Defender for Cloud displays information from Azure Purview in multiple locations.

+> If a resource is scanned by multiple Azure Purview accounts, the information shown in Defender for Cloud relates to the most recent scan.

+The [asset inventory page](asset-inventory.md) has a collection of powerful filters to group your resources with outstanding alerts and recommendations according to the criteria relevant for any scenario. These filters include **Data sensitivity classifications** and **Data sensitivity labels**. Use these filters to evaluate the security posture of resources on which Azure Purview has discovered sensitive data.

+When reviewing the health of a specific resource, you'll see the Azure Purview information on this page and can use it determine what data has been discovered on this resource alongside the Azure Purview account used to scan the resource.

+- [Azure Purview's supported data sources and file types](../purview/sources-and-scans.md) and [supported data stores](../purview/purview-connector-overview.md)

+- **Information protection** - A graph on this tile shows the resource types that have been scanned by [Azure Purview](../purview/overview.md), found to contain sensitive data, and have outstanding recommendations and alerts. Follow the **scan** link to access the Azure Purview accounts and configure new scans, or select any other part of the tile to open the [asset inventory](asset-inventory.md) and view your resources according to your Azure Purview data sensitivity classifications. [Learn more](information-protection.md).

+In the How to Leverage the Defender for Cloud & Microsoft Operations Management Suite for an Incident Response video, you can see some demonstrations that show how Defender for Cloud can be used in each one of those stages.

+> [!VIDEO https://docs.microsoft.com/Events/Build/2018/BRK3308/player]

+# resource ID of the topic. replace <SUBSCRIPTION ID>, <RESOURCE GROUP NAME>, and <TOPIC NAME>

+# topicResourceID="/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP NAME>/providers/Microsoft.EventGrid/topics/<TOPIC NAME>"

+az network private-endpoint create \

+# Quickstart: Create an Azure Event Hubs schema registry using Azure portal

+**Azure Schema Registry** is a feature of Event Hubs, which provides a central repository for schemas for event-driven and messaging-centric applications. It provides the flexibility for your producer and consumer applications to **exchange data without having to manage and share the schema**. It also provides a simple governance framework for reusable schemas and defines relationship between schemas through a grouping construct (schema groups). For more information, see [Azure Schema Registry in Event Hubs](schema-registry-overview.md).

+This article shows you how to create a schema group with schemas in a schema registry hosted by Azure Event Hubs.

+## Clean up resources

+> [!NOTE]

+> Don't clean up resources if you want to continue to the next quick start linked from **Next steps**.

+1. Navigate to the **Event Hubs Namespace** page.

+1. Select **Schema Registry** on the left menu.

+1. Select the **schema group** you created in this quickstart.

+1. On the **Schema Group** page, select **Delete** on the toolbar.

+1. On the **Delete Schema Group** page, type the name of the schema group, and select **Delete**.

+> [!div class="nextstepaction"]

+> [Validate schema when sending and receiving events - AMQP and .NET](schema-registry-dotnet-send-receive-quickstart.md).

+# Dynamically add partitions to an event hub (Apache Kafka topic)

+ Title: Validate schema when sending or receiving events

+# Quickstart: Validate schema when sending and receiving events - AMQP and .NET

+**Azure Schema Registry** is a feature of Event Hubs, which provides a central repository for schemas for event-driven and messaging-centric applications. It provides the flexibility for your producer and consumer applications to **exchange data without having to manage and share the schema**. It also provides a simple governance framework for reusable schemas and defines relationship between schemas through a grouping construct (schema groups). For more information, see [Azure Schema Registry in Event Hubs](schema-registry-overview.md).

+> [!div class="nextstepaction"]

+> Checkout [Azure Schema Registry client library for .NET](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/schemaregistry/Azure.Data.SchemaRegistry)

+* You can view a video before beginning to better understand the steps.

+Before using ExpressRoute Direct, you must first enroll your subscription. To enroll, please do the following via Azure PowerShell:

+* ExpressRoute on Office 365 advanced training videos

+[Azure Fridays - An overview of Azure Blueprints](/Shows/Azure-Friday/An-overview-of-Azure-Blueprints)

+[Govern your Azure environment through Azure Policy](/events/Build/2018/THR2030)

+- Microsoft.Purview/Accounts (Azure Purview accounts)

+Result fetch timed out

+ at akka.actor.dsl.Inbox$InboxActor$$anonfun$receive$1.applyOrElse(Inbox.scala:117)

+ at scala.PartialFunction$AndThen.applyOrElse(PartialFunction.scala:189)

+ at akka.actor.Actor$class.aroundReceive(Actor.scala:467)

+ at akka.actor.dsl.Inbox$InboxActor.aroundReceive(Inbox.scala:62)

+ at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516)

+ at akka.actor.ActorCell.invoke(ActorCell.scala:487)

+ at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:238)

+ at akka.dispatch.Mailbox.run(Mailbox.scala:220)

+ at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:397)

+ at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)

+ at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)

+ at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)

+ at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

+ The value of `HIVE_VIEW_INSTANCE_NAME` is available by clicking YOUR_USERNAME > Manage Ambari > Views > Names column. Do not use the URL name.

+## December 2021

+### **Features and enhancements**

+|Enhancements &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |Related information |

+| :- | : |

+|Added Publisher to `CapabiilityStatement.name` |You can now find the publisher in the capability statement at `CapabilityStatement.name`. [#2319](https://github.com/microsoft/fhir-server/pull/2319) |

+|Log `FhirOperation` linked to anonymous calls to Request metrics |We werenΓÇÖt logging operations that didnΓÇÖt require authentication. We extended the ability to get `FhirOperation` type in `RequestMetrics` for anonymous calls. [#2295](https://github.com/microsoft/fhir-server/pull/2295) |

+### **Bug fixes**

+|Bug fixes |Related information |

+| :-- | : |

+|Fixed 500 error when `SearchParameter` Code is null |Fixed an issue with `SearchParameter` if it had a null value for Code, the result would be a 500. Now it will result in an `InvalidResourceException` like the other values do. [#2343](https://github.com/microsoft/fhir-server/pull/2343) |

+|Returned `BadRequestException` with valid message when input JSON body is invalid |For invalid JSON body requests, the FHIR server was returning a 500 error. Now we will return a `BadRequestException` with a valid message instead of 500. [#2239](https://github.com/microsoft/fhir-server/pull/2239) |

+|`_sort` can cause `ChainedSearch` to return incorrect results |Previously, the sort options from the chained search's `SearchOption` object was not cleared, causing the sorting options to be passed through to the chained sub-search, which are not valid. This could result in no results when there should be results. This bug is now fixed [#2347](https://github.com/microsoft/fhir-server/pull/2347). It addressed GitHub bug [#2344](https://github.com/microsoft/fhir-server/issues/2344). |

+|Added software name and version to capability statement |In the capability statement, the software name now distinguishes if you're using Azure API for FHIR or Azure Healthcare APIs. The software version will now specify which open-source [release package](https://github.com/microsoft/fhir-server/releases) is live in the managed service [#2294](https://github.com/microsoft/fhir-server/pull/2294). Addresses: [#1778](https://github.com/microsoft/fhir-server/issues/1778) and [#2241](https://github.com/microsoft/fhir-server/issues/2241) |

+|Resolved issue when posting a bundle with incorrect Media Type returned a 500 error. |Previously when posting a search with a key that contains certain characters, a 500 error was returned. This fixes this issue [#2264](https://github.com/microsoft/fhir-server/pull/2264), and it addresses [#2148](https://github.com/microsoft/fhir-server/issues/2148). |

+## December 2021

+### Azure Healthcare APIs

+### **Features and enhancements**

+|Enhancements &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |Related information |

+| :- | : |

+|Quota details for support requests |We've updated the quota details for customer support requests with the latest information. |

+|Local RBAC |We've updated the local RBAC documentation to clarify the use of the secondary tenant and the steps to disable it. |

+|Deploy and configure Healthcare APIs using scripts |We've started the process of providing PowerShell, CLI scripts, and ARM templates to configure app registration and role assignments. Note that scripts for deploying Healthcare APIs will be available after GA. |

+### FHIR service

+### **Features and enhancements**

+|Enhancements | Related information |

+| : | -: |

+|Added Publisher to `CapabiilityStatement.name` |You can now find the publisher in the capability statement at `CapabilityStatement.name`. [#2319](https://github.com/microsoft/fhir-server/pull/2319) |

+|Log `FhirOperation` linked to anonymous calls to Request metrics |We werenΓÇÖt logging operations that didnΓÇÖt require authentication. We extended the ability to get `FhirOperation` type in `RequestMetrics` for anonymous calls. [#2295](https://github.com/microsoft/fhir-server/pull/2295) |

+### **Bug fixes**

+|Bug fixes |Related information |

+| :-- | : |

+|Fixed 500 error when `SearchParameter` Code is null |Fixed an issue with `SearchParameter` if it had a null value for Code, the result would be a 500. Now it will result in an `InvalidResourceException` like the other values do. [#2343](https://github.com/microsoft/fhir-server/pull/2343) |

+|Returned `BadRequestException` with valid message when input JSON body is invalid |For invalid JSON body requests, the FHIR server was returning a 500 error. Now we will return a `BadRequestException` with a valid message instead of 500. [#2239](https://github.com/microsoft/fhir-server/pull/2239) |

+|Handled SQL Timeout issue |If SQL Server timed out, the PUT `/resource{id}` returned a 500 error. Now we handle the 500 error and return a timeout exception with an operation outcome. [#2290](https://github.com/microsoft/fhir-server/pull/2290) |

+|Added software name and version to capability statement. |In the capability statement, the software name now distinguishes if you're using Azure API for FHIR or Azure Healthcare APIs. The software version will now specify which open-source [release package](https://github.com/microsoft/fhir-server/releases) is live in the managed service [#2294](https://github.com/microsoft/fhir-server/pull/2294). Addresses: [#1778](https://github.com/microsoft/fhir-server/issues/1778) and [#2241](https://github.com/microsoft/fhir-server/issues/2241) |

+|Implemented fix to resolve QIDO paging-ordering issues | [#989](https://github.com/microsoft/dicom-server/pull/989) |

+ <img alt='Azure support' src='/media/logos/logo_azure.svg'>

+ <img alt='Stack Overflow' src='/media/logos/logo_stackoverflow.svg'>

+ <img alt='Stay informed' src='/media/common/i_blog.svg'>

+News and information about Azure IoT is shared at the [Azure blog](https://azure.microsoft.com/blog/topics/internet-of-things/) and on the [Internet of Things Show on Channel 9](/Shows/Internet-of-Things-Show).

+2. The device app is notified of the change immediately if the device is connected. If it's not connected, the device app follows the [device reconnection flow](#device-reconnection-flow) when it connects. The device app then reports the updated configuration (or an error condition using the `status` property). Here is the portion of the reported properties:

+> [!IMPORTANT]

+> IoT Plug and Play defines a schema that uses several additional properties to synchronize changes to desired and reported properties. If your solution uses IoT Plug and Play, you must follow the Plug and Play conventions when updating twin properties. For more information and an example, see [Writable properties in IoT Plug and Play](../iot-develop/concepts-convention.md#writable-properties).

+2. The module app is notified of the change immediately if the module is connected. If it's not connected, the module app follows the [module reconnection flow](#module-reconnection-flow) when it connects. The module app then reports the updated configuration (or an error condition using the `status` property). Here is the portion of the reported properties:

+> [!IMPORTANT]

+> IoT Plug and Play defines a schema that uses several additional properties to synchronize changes to desired and reported properties. If your solution uses IoT Plug and Play, you must follow the Plug and Play conventions when updating twin properties. For more information and an example, see [Writable properties in IoT Plug and Play](../iot-develop/concepts-convention.md#writable-properties).

+## Module reconnection flow

+IoT Hub does not preserve desired properties update notifications for disconnected modules. It follows that a module that is connecting must retrieve the full desired properties document, in addition to subscribing for update notifications. Given the possibility of races between update notifications and full retrieval, the following flow must be ensured:

+1. Module app connects to an IoT hub.

+2. Module app subscribes for desired properties update notifications.

+3. Module app retrieves the full document for desired properties.

+The module app can ignore all notifications with `$version` less or equal than the version of the full retrieved document. This approach is possible because IoT Hub guarantees that versions always increment.

+>[!VIDEO https://docs.microsoft.com/Shows/Internet-of-Things-Show/Azure-IoT-C-SDK-insights/Player]

+If you're a [CSP (Cloud Solution Provider)](/partner-center/csp-overview) partner, you can already access the Azure subscriptions created for your customers through the CSP program by using the Administer On Behalf Of (AOBO) functionality. This access allows you to directly support, configure, and manage your customers' subscriptions.

+ Title: Troubleshoot load test errors

+description: Learn how you can troubleshoot errors during your load test by downloading and analyzing the Apache JMeter logs in the Azure portal.

+# Troubleshoot load test errors by downloading Apache JMeter logs in Azure Load Testing Preview

+In this article, you'll learn how to download the Apache JMeter logs for Azure Load Testing Preview in the Azure portal. You can use the logging information to troubleshoot problems while the Apache JMeter script runs.

+The Apache JMeter log can help you identify problems in your JMX file, or run-time issues that occur while the test is running. For example, the application endpoint might be unavailable, or the JMX file might contain invalid credentials.

+When you run a load test, the Azure Load Testing test engines execute your Apache JMeter test script. While your load test is running, Apache JMeter stores detailed logging information in the worker node logs. You can download the JMeter worker node log for your load test run from the Azure portal to help you diagnose load test errors.

+- An Azure load testing resource that has a completed test run. If you need to create an Azure load testing resource, see [Create and run a load test](./quickstart-create-and-run-load-test.md).

+ :::image type="content" source="media/how-to-find-download-logs/logs.png" alt-text="Screenshot that shows how to download the load test logs from the test run details page.":::

+ The browser should now start downloading the JMeter worker node log file *worker.log*.

+1. You can use a text editor to open the log file.

+ The *worker.log* file can help you diagnose the root cause of a failing load test. In the previous screenshot, you can see that the test failed because a file is missing.

+- Learn how to [Monitor server-side application metrics](./how-to-update-rerun-test.md).

+- Learn how to [Get detailed insights for Azure App Service based applications](./how-to-appservice-insights.md).

+- Learn how to [Compare multiple load test runs](./how-to-compare-multiple-test-runs.md).

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Go-serverless-Enterprise-integration-with-Azure-Logic-Apps/player]

+> [!VIDEO https://docs.microsoft.com/Shows/Azure-Friday/Connect-and-extend-your-mainframe-to-the-cloud-with-Logic-Apps/player]

+ Title: 'ML Studio (classic): Deploy workspaces with Azure Resource Manager - Azure'

+description: How to deploy a workspace for Machine Learning Studio (classic) using Azure Resource Manager template

+# Deploy Machine Learning Studio (classic) Workspace Using Azure Resource Manager

+**APPLIES TO:** 

+Using an Azure Resource Manager deployment template saves you time by giving you a scalable way to deploy interconnected components with a validation and retry mechanism. To set up Machine Learning Studio (classic) Workspaces, for example, you need to first configure an Azure storage account and then deploy your workspace. Imagine doing this manually for hundreds of workspaces. An easier alternative is to use an Azure Resource Manager template to deploy an Studio (classic) Workspace and all its dependencies. This article takes you through this process step-by-step. For a great overview of Azure Resource Manager, see [Azure Resource Manager overview](../../azure-resource-manager/management/overview.md).

+## Step-by-step: create a Machine Learning Workspace

+We will create an Azure resource group, then deploy a new Azure storage account and a new Machine Learning Studio (classic) Workspace using a Resource Manager template. Once the deployment is complete, we will print out important information about the workspaces that were created (the primary key, the workspaceID, and the URL to the workspace).

+### Create an Azure Resource Manager template

+A Machine Learning Workspace requires an Azure storage account to store the dataset linked to it.

+The following template uses the name of the resource group to generate the storage account name and the workspace name. It also uses the storage account name as a property when creating the workspace.

+```json

+{

+ "contentVersion": "1.0.0.0",

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "variables": {

+ "namePrefix": "[resourceGroup().name]",

+ "location": "[resourceGroup().location]",

+ "mlVersion": "2016-04-01",

+ "stgVersion": "2015-06-15",

+ "storageAccountName": "[concat(variables('namePrefix'),'stg')]",

+ "mlWorkspaceName": "[concat(variables('namePrefix'),'mlwk')]",

+ "mlResourceId": "[resourceId('Microsoft.MachineLearning/workspaces', variables('mlWorkspaceName'))]",

+ "stgResourceId": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

+ "storageAccountType": "Standard_LRS"

+ },

+ "resources": [

+ {

+ "apiVersion": "[variables('stgVersion')]",

+ "name": "[variables('storageAccountName')]",

+ "type": "Microsoft.Storage/storageAccounts",

+ "location": "[variables('location')]",

+ "properties": {

+ "accountType": "[variables('storageAccountType')]"

+ }

+ },

+ {

+ "apiVersion": "[variables('mlVersion')]",

+ "type": "Microsoft.MachineLearning/workspaces",

+ "name": "[variables('mlWorkspaceName')]",

+ "location": "[variables('location')]",

+ "dependsOn": ["[variables('stgResourceId')]"],

+ "properties": {

+ "UserStorageAccountId": "[variables('stgResourceId')]"

+ }

+ }

+ ],

+ "outputs": {

+ "mlWorkspaceObject": {"type": "object", "value": "[reference(variables('mlResourceId'), variables('mlVersion'))]"},

+ "mlWorkspaceToken": {"type": "string", "value": "[listWorkspaceKeys(variables('mlResourceId'), variables('mlVersion')).primaryToken]"},

+ "mlWorkspaceWorkspaceID": {"type": "string", "value": "[reference(variables('mlResourceId'), variables('mlVersion')).WorkspaceId]"},

+ "mlWorkspaceWorkspaceLink": {"type": "string", "value": "[concat('https://studio.azureml.net/Home/ViewWorkspace/', reference(variables('mlResourceId'), variables('mlVersion')).WorkspaceId)]"}

+ }

+}

+```

+Save this template as mlworkspace.json file under c:\temp\.

+### Deploy the resource group, based on the template

+* Open PowerShell

+* Install modules for Azure Resource Manager and Azure Service Management

+```powershell

+# Install the Azure Resource Manager modules from the PowerShell Gallery (press "A")

+Install-Module Az -Scope CurrentUser

+# Install the Azure Service Management modules from the PowerShell Gallery (press "A")

+Install-Module Azure -Scope CurrentUser

+```

+ These steps download and install the modules necessary to complete the remaining steps. This only needs to be done once in the environment where you are executing the PowerShell commands.

+* Authenticate to Azure

+```powershell

+# Authenticate (enter your credentials in the pop-up window)

+Connect-AzAccount

+```

+This step needs to be repeated for each session. Once authenticated, your subscription information should be displayed.

+

+Now that we have access to Azure, we can create the resource group.

+* Create a resource group

+```powershell

+$rg = New-AzResourceGroup -Name "uniquenamerequired523" -Location "South Central US"

+$rg

+```

+Verify that the resource group is correctly provisioned. **ProvisioningState** should be "Succeeded."

+The resource group name is used by the template to generate the storage account name. The storage account name must be between 3 and 24 characters in length and use numbers and lower-case letters only.

+<!--

+ 

+-->

+* Using the resource group deployment, deploy a new Machine Learning Workspace.

+```powershell

+# Create a Resource Group, TemplateFile is the location of the JSON template.

+$rgd = New-AzResourceGroupDeployment -Name "demo" -TemplateFile "C:\temp\mlworkspace.json" -ResourceGroupName $rg.ResourceGroupName

+```

+Once the deployment is completed, it is straightforward to access properties of the workspace you deployed. For example, you can access the Primary Key Token.

+```powershell

+# Access Machine Learning Studio (classic) Workspace Token after its deployment.

+$rgd.Outputs.mlWorkspaceToken.Value

+```

+Another way to retrieve tokens of existing workspace is to use the Invoke-AzResourceAction command. For example, you can list the primary and secondary tokens of all workspaces.

+```powershell

+# List the primary and secondary tokens of all workspaces

+Get-AzResource |? { $_.ResourceType -Like "*MachineLearning/workspaces*"} |ForEach-Object { Invoke-AzResourceAction -ResourceId $_.ResourceId -Action listworkspacekeys -Force}

+```

+After the workspace is provisioned, you can also automate many Machine Learning Studio (classic) tasks using the [PowerShell Module for Machine Learning Studio (classic)](https://aka.ms/amlps).

+## Next steps

+* Learn more about [authoring Azure Resource Manager Templates](../../azure-resource-manager/templates/syntax.md).

+* Have a look at the [Azure Quickstart Templates Repository](https://github.com/Azure/azure-quickstart-templates).

+* See the [Resource Manager template reference help](/azure/templates/microsoft.machinelearning/allversions)

+<!--Link references-->

+## Container azureml-fe-aci launch fails

+When deploying a service to an Azure Container Instance compute target, Azure Machine Learning attempts to create a front-end container that has the name `azureml-fe-aci` for the inference request. If `azureml-fe-aci` crashes, you can see logs by running `az container logs --name MyContainerGroup --resource-group MyResourceGroup --subscription MySubscription --container-name azureml-fe-aci`. You can follow the error message in the logs to make the fix.

+The most common failure for `azureml-fe-aci` is that the provided SSL certificate or key is invalid.

+* [How to run and debug experiments locally](./how-to-debug-visual-studio-code.md)

+The video [Building Solution Templates, and Managed Applications for Azure Marketplace](/Events/Build/2018/BRK3603) gives a comprehensive introduction to the Azure application offer type:

+## Will v2 streaming locators continue to work after February 2024?

+Streaming locators created with v2 API will continue to work after our v2 API is turned off. Once the Streaming Locator data is created in the Media Services backend database, there is no dependency on the v2 REST API for streaming. We will not remove v2 specific records from the database when v2 is turned off in February 2024.

+

+There are some properties of assets and locators created with v2 that cannot be accessed or updated using the new v3 API. For example, v2 exposes an **Asset Files** API that does not have an equivalent feature in the v3 API. Often this is not a problem for most of our customers, since it is not a widely used feature and you can still stream old locators and delete them when they are no longer needed.

+After migration, you should avoid making any calls to the v2 API to modify streaming locators or assets.

+This article contains a list of all the samples available for Media Services organized by method and SDK. Samples include .NET, Node.js (TypeScript), Python, Java, and also examples using REST with Postman.

+## [Node.JS (Typescript)](#tab/node/)

+|Sample|Description|

+|||

+|[Create an account from code](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Account/CreateAccount/create-account.ts)|The sample shows how to create a Media Services account and set the primary storage account, in addition to advanced configuration settings including Key Delivery IP allowlist, Managed Identity, storage auth, and bring your own encryption key.|

+|[Create an account with user assigned managed identity code](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Account/CreateAccount/create-account_with_managed_identity.ts)|The sample shows how to create a Media Services account and set the primary storage account, in addition to advanced configuration settings including Key Delivery IP allowlist, user or system assigned Managed Identity, storage auth, and bring your own encryption key.|

+|[Hello World - list assets](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/HelloWorld-ListAssets/list-assets.ts)|Basic example of how to connect and list assets |

+|[Live streaming with Standard Passthrough](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Live/Standard_Passthrough_Live_Event/index.ts)| Standard passthrough live streaming example. **WARNING**, make sure to check that all resources are cleaned up and no longer billing in portal when using live|

+|[Live streaming with Standard Passthrough with Event Hubs](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Live/Standard_Passthrough_Live_Event_with_EventHub/index.ts)| Demonstrates how to use Event Hubs to subscribe to events on the live streaming channel. Events include encoder connections, disconnections, heartbeat, latency, discontinuity, and drift issues. **WARNING**, make sure to check that all resources are cleaned up and no longer billing in portal when using live|

+|[Live streaming with Basic Passthrough](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Live/Basic_Passthrough_Live_Event/index.ts)| Shows how to set up the basic passthrough live event if you only need to broadcast a low-cost UGC channel. **WARNING**, make sure to check that all resources are cleaned up and no longer billing in portal when using live|

+|[Live streaming with 720P Standard encoding](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Live/720P_Encoding_Live_Event/index.ts)| Use live encoding in the cloud with the 720P HD adaptive bitrate encoding preset. **WARNING**, make sure to check that all resources are cleaned up and no longer billing in portal when using live|

+|[Live streaming with 1080P encoding](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Live/720P_Encoding_Live_Event/index.ts)| Use live encoding in the cloud with the 1080P HD adaptive bitrate encoding preset. **WARNING**, make sure to check that all resources are cleaned up and no longer billing in portal when using live|

+|[Upload and stream HLS and DASH](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/StreamFilesSample/index.ts)| Basic example for uploading a local file or encoding from a source URL. Sample shows how to use storage SDK to download content, and shows how to stream to a player |

+|[Upload and stream HLS and DASH with PlayReady and Widevine DRM](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/StreamFilesWithDRMSample/index.ts)| Demonstrates how to encode and stream using Widevine and PlayReady DRM |

+|[Upload and use AI to index videos and audio](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoAnalytics/index.ts)| Example of using the Video and Audio Analyzer presets to generate metadata and insights from a video or audio file |

+|[Create Transform, use Job preset overrides (v2-to-v3 API migration)](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/CreateTransform_Job_PresetOverride/index.ts)| If you need a workflow where you desire to submit custom preset jobs to a single queue, you can use this base sample that shows how to create a (mostly) empty Transform, and then you can use the preset override property on the Job to submit custom presets to the same transform. This allows you to treat the v3 AMS API a lot more like the legacy v2 API Job queue if you desire.|

+|[Basic Encoding with H264](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_H264/index.ts)| Shows how to use the standard encoder to encode a source file into H264 format with AAC audio and PNG thumbnails |

+|[Basic Encoding with H264 with Event Hubs/Event Grid](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_H264%20_with_EventHub/index.ts)| Shows how to use the standard encoder and receive and process Event Grid events from Media Services through an Event Hubs. First set up an Event Grid subscription that pushes events into an Event Hubs using the Azure portal or CLI to use this sample. |

+|[Sprite Thumbnail (VTT) in JPG format](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_Sprite_Thumbnail/index.ts)| Shows how to generate a VTT Sprite Thumbnail in JPG format and how to set the columns and number of images. This also shows a speed encoding mode in H264 for a 720P layer. |

+|[Content Aware encoding with H264](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_H264_ContentAware/index.ts)| Example of using the standard encoder with Content Aware encoding to automatically generate the best quality adaptive bitrate streaming set based on an analysis of the source files contents|

+|[Content Aware encoding Constrained with H264](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_H264_ContentAware_Constrained/index.ts)| Demonstrates how to control the output settings of the Content Aware encoding preset to make the outputs more deterministic to your encoding needs and costs. This will still auto generate the best quality adaptive bitrate streaming set based on an analysis of the source files contents, but constrain the output to your desired ranges.|

+|[Overlay Image](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_H264_OverlayImage/index.ts)| Shows how to upload an image file and overlay on top of video with output to MP4 container|

+|[Rotate Video](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_H264_Rotate90degrees/index.ts)| Shows how to use the rotation filter to rotate a video by 90 degrees. |

+|[Output to Transport Stream format](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_H264_To_TransportStream/index.ts)| Shows how to use the standard encoder to encode a source file and output to MPEG Transport Stream format using H264 format with AAC audio and PNG thumbnail|

+|[Basic Encoding with HEVC](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_HEVC/index.ts)| Shows how to use the standard encoder to encode a source file into HEVC format with AAC audio and PNG thumbnails |

+|[Content Aware encoding with HEVC](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_HEVC_ContentAware/index.ts)| Example of using the standard encoder with Content Aware encoding to automatically generate the best quality HEVC (H.265) adaptive bitrate streaming set based on an analysis of the source files contents|

+|[Content Aware encoding Constrained with HEVC](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_HEVC_ContentAware_Constrained/index.ts)| Demonstrates how to control the output settings of the Content Aware encoding preset to make the outputs more deterministic to your encoding needs and costs. This will still auto generate the best quality adaptive bitrate streaming set based on an analysis of the source files contents, but constrain the output to your desired ranges.|

+|[Bulk encoding from a remote Azure storage account using SAS URLs](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoEncoding/Encoding_Bulk_Remote_Storage_Account_SAS/index.ts)| This samples shows how you can point to a remote Azure Storage account using a SAS URL and submit batches of encoding jobs to your account, monitor progress, and continue. You can modify the file extension types to scan for (e.g - .mp4, .mov) and control the batch size submitted. You can also modify the Transform used in the batch operation. This sample demonstrates the use of SAS URL's as ingest sources to a Job input. Make sure to configure the REMOTESTORAGEACCOUNTSAS environment variable in the .env file for this sample to work.|

+| [Video Analytics](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/VideoAnalytics/index.ts)|This sample illustrates how to create a video and audio analyzer transform, upload a video file to an input asset, submit a job with the transform and download the results for verification.|

+| [Audio Analytics basic with per-job language override](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AudioAnalytics/index.ts)|This sample illustrates how to create a audio analyzer transform using the basic mode. It also shows how you can override the preset language on a per-job basis to avoid creating a transform for every language. It also shows how to upload a media file to an input asset, submit a job with the transform and download the results for verification.|

+The [REST Postman](https://github.com/Azure-Samples/media-services-v3-rest-postman) samples include a Postman environment and collection for you to import into the Postman client. The Postman collection samples are recommended for getting familiar with the API structure and how it works with Azure Resource Management (ARM), and the structure of calls from the client SDKs.

+>[!VIDEO https://docs.microsoft.com/Events/Connect/2017/T147/player]

+[Open in Channel 9](/Events/Connect/2017/T147)

+>[!VIDEO https://docs.microsoft.com/Events/Connect/2017/T148/player]

+[Open in Channel 9](/Events/Connect/2017/T148)

+|[Colt](https://cloud.telekom.de/de/infrastruktur/microsoft-azure/azure-networking)|[Network optimization on Azure: 2-hr Assessment](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/colttechnologyservices.azure_networking)|||||

+|[Deutsche Telekom](https://cloud.telekom.de/de/infrastruktur/microsoft-azure/azure-networking)|[Network connectivity to Azure: 2-Hr assessment](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/telekomdeutschlandgmbh1617272539503.azure_netzwerkoptimierung_2_stunden?search=telekom&page=1); [Cloud Transformation with Azure: 1-Day Workshop](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/telekomdeutschlandgmbh1617272539503.azure_cloudtransformation_1_tag?search=telekom&page=1)|[Managed ExpressRoute](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/telekomdeutschlandgmbh1617272539503.azure_intraselect_cloud_connect_implementation?search=telekom&page=1)|||[Azure Networking and Security: 1-Day Workshop](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/telekomdeutschlandgmbh1617272539503.azure_netzwerke_und_sicherheit_1_tag?search=telekom&page=1); [Intraselect SecureConnect: 1-Week Implementation](https://appsource.microsoft.com/de-de/marketplace/consulting-services/telekomdeutschlandgmbh1617272539503.azure_intraselect_secure_connect_implementation?tab=Overview)|

+[Amdocs](https://www.amdocs.com/); [Cirrus Core Networks](https://cirruscorenetworks.com/); [Cognizant](https://www.cognizant.com/cognizant-digital-systems-technology/cloud-enablement-services); [InterCloud](https://intercloud.com/partners/microsoft-azure/); [KINX](https://www.kinx.net/service/cloud/?lang=en); [Netfosys](https://www.netfosys.com/services/azure-networking-services/); [OmniClouds](https://omniclouds.com/); [Sejong Telecom](https://www.sejongtelecom.net/en/pages/service/cloud_ms); [SES](https://www.ses.com/networks/cloud/ses-and-azure-expressroute);

+[How to use the Azure Command-Line Interface for Mac and Linux]:cli-install-nodejs.md

+> [!VIDEO https://docs.microsoft.com/Shows/Docs-Mixed-Reality/Azure-Object-Anchors-Detection-and-Alignment-Best-Practices/player]

+# You need to pip install azureml-opendatasets in Databricks cluster. https://docs.microsoft.com/azure/data-explorer/connect-from-databricks#install-the-python-library-on-your-azure-databricks-cluster

+## High availability states

+recovery. Hyperscale (Citus) runs periodic health checks on every node, and

+after four failed checks it determines that a node is down. Hyperscale (Citus)

+then promotes a standby to primary node status (failover), and provisions a new

+standby-to-be. Streaming replication begins, bringing the new node up to date.

+When all data has been replicated, the node has reached full recovery.

+Hyperscale (Citus) displays its failover progress state on the Overview page

+for server groups in the Azure portal.

+* **Healthy**: HA is enabled and the node is fully replicated to its standby.

+* **Failover in progress**: A failure was detected on the primary node and

+ a failover to standby was initiated. This state will transition into

+ **Creating standby** once failover to the standby node is completed, and the

+ standby becomes the new primary.

+* **Creating standby**: The previous standby was promoted to primary, and a

+ new standby is being created for it. When the new secondary is ready, this

+ state will transition into **Replication in progress**.

+* **Replication in progress**: The new standby node is provisioned and data

+ synchronization is in progress. Once all data is replicated to the new

+ standby, synchronous replication will be enabled between the primary and

+ standby nodes, and the nodes' state will transition back to **Healthy**.

+* **No**: HA is not enabled on this node.

+## Next steps

+ Title: Server group - Hyperscale (Citus) - Azure Database for PostgreSQL

+description: What is a server group in Azure Database for PostgreSQL - Hyperscale (Citus)

+# Hyperscale (Citus) server group

+## Nodes

+The Azure Database for PostgreSQL - Hyperscale (Citus) deployment option allows

+PostgreSQL servers (called nodes) to coordinate with one another in a "server

+group." The server group's nodes collectively hold more data and use more CPU

+cores than would be possible on a single server. The architecture also allows

+the database to scale by adding more nodes to the server group.

+To learn more about the types of Hyperscale (Citus) nodes, see [nodes and

+tables](concepts-nodes.md).

+### Node status

+Hyperscale (Citus) displays the status of nodes in a server group on the

+Overview page in the Azure portal. Each node can have one of these status

+values:

+* **Provisioning**: Initial node provisioning, either as a part of its server

+ group provisioning, or when a worker node is added.

+* **Available**: Node is in a healthy state.

+* **Need attention**: An issue is detected on the node. The node is attempting

+ to self-heal. If self-healing fails, an issue gets put in the queue for our

+ engineers to investigate.

+* **Dropping**: Server group deletion started.

+* **Disabled**: The server group's Azure subscription turned into Disabled

+ states. For more information about subscription states, see [this

+ page](../../cost-management-billing/manage/subscription-states.md).

+## Tiers

+The basic tier in Azure Database for PostgreSQL - Hyperscale (Citus) is a

+simple way to create a small server group that you can scale later. While

+server groups in the standard tier have a coordinator node and at least two

+worker nodes, the basic tier runs everything in a single database node.

+Other than using fewer nodes, the basic tier has all the features of the

+standard tier. Like the standard tier, it supports high availability, read

+replicas, and columnar table storage, among other features.

+### Choosing basic vs standard tier

+The basic tier can be an economical and convenient deployment option for

+initial development, testing, and continuous integration. It uses a single

+database node and presents the same SQL API as the standard tier. You can test

+applications with the basic tier and later [graduate to the standard

+tier](howto-scale-grow.md#add-worker-nodes) with confidence that the

+interface remains the same.

+The basic tier is also appropriate for smaller workloads in production. There

+is room to scale vertically *within* the basic tier by increasing the number of

+server vCores.

+When greater scale is required right away, use the standard tier. Its smallest

+allowed server group has one coordinator node and two workers. You can choose

+to use more nodes based on your use-case, as described in our [initial

+sizing](howto-scale-initial.md) how-to.

+## Next steps

+* Learn to [provision the basic tier](quickstart-create-basic-tier.md)

+* When you're ready, see [how to graduate](howto-scale-grow.md#add-worker-nodes) from the basic tier to the standard tier

+* The [columnar storage](concepts-columnar.md) option is available in both the basic and standard tier

+>[!VIDEO https://docs.microsoft.com/Events/Connect/2017/T147/player]

+[Open in Channel 9](/Events/Connect/2017/T147)

+>[!VIDEO https://docs.microsoft.com/Events/Connect/2017/T148/player]

+[Open in Channel 9](/Events/Connect/2017/T148)

+>[!VIDEO https://docs.microsoft.com/Events/Connect/2017/T149/player]

+[Open in Channel 9](/Events/Connect/2017/T149)

+When you scan [SAP ECC](register-scan-sapecc-source.md) or [SAP S/4HANA](register-scan-saps4hana-source.md) sources in Azure Purview, you need to create the dependent ABAP function module in your SAP server. Azure Purview invokes this function module to extract the metadata from your SAP system during scan.

+Download the SAP ABAP function module source code from Azure Purview Studio. After you register a source for [SAP ECC](register-scan-sapecc-source.md) or [SAP S/4HANA](register-scan-saps4hana-source.md), you can find a download link on top as follows.

+ a. From the main menu, upload the text file you downloaded from Azure Purview Studio as described in [Prerequisites](#prerequisites). To do so, select **Utilities**, **More Utilities**, then **Upload/Download**, then **Upload**.

+Classifications can be system or custom types. System classifications are present in Azure Purview by default. Custom classifications can be created based on a regular expression pattern. Classifications can be applied to assets either automatically or manually.

+description: This how-to guide describes how to view and use Azure Purview Insights asset reporting on your data.

+This how-to guide describes how to access, view, and filter Azure Purview Asset insight reports for your data.

+> * View insights from your Azure Purview account.

+Before getting started with Azure Purview insights, make sure that you've completed the following steps:

+## Use Azure Purview Asset Insights

+1. On the **Overview** page, in the **Get Started** section, select the **Open Azure Purview Studio** tile.

+ :::image type="content" source="./media/asset-insights/portal-access.png" alt-text="Launch Azure Purview from the Azure portal":::

+1. On the Azure Purview **Home** page, select **Insights** on the left menu.

+1. In the **Insights** area, select **Assets** to display the Azure Purview **Asset insights** report.

+# View, edit and delete assets in Azure Purview catalog

+- *Or* Use the Azure Purview Atlas APIs to ingest assets into the catalog.

+You can discover your assets in Azure Purview by either:

+Even on edited assets, after a scan Azure Purview will reflect the truth of the source system. For example: if you edit a column and it's deleted from the source, it will be deleted from your asset in Azure Purview.

+Any asset you delete using the delete button is permanently deleted in Azure Purview. However, if you run a **full scan** on the source from which the asset was ingested into the catalog, then the asset is reingested and you can discover it using the Azure Purview catalog.

+If you have a scheduled scan (weekly or monthly) on the source, the **deleted asset will not get re-ingested** into the catalog unless the asset is modified by an end user since the previous run of the scan. For example, if a SQL table was deleted from Azure Purview, but after the table was deleted a user added a new column to the table in SQL, at the next scan the asset will be rescanned and ingested into the catalog.

+If you delete an asset, only that asset is deleted. Azure Purview does not currently support cascaded deletes. For example, if you delete a storage account asset in your catalog - the containers, folders and files within them are not deleted.

+ Title: Configure Azure AD Conditional Access for Azure Purview

+description: This article describes steps how to configure Azure AD Conditional Access for Azure Purview

+# Customer intent: As an identity and security admin, I want to set up Azure Active Directory Conditional Access for Azure Purview, for secure access.

+# Conditional Access with Azure Purview

+[Azure Purview](/overview.md) supports Microsoft Conditional Access.

+The following steps show how to configure Azure Purview to enforce a Conditional Access policy.

+## Prerequisites

+- When multi-factor authentication is enabled, to login to Azure Purview Studio, you must perform multi-factor authentication.

+## Configure conditional access

+1. Sign in to the Azure portal, select **Azure Active Directory**, and then select **Conditional Access**. For more information, see [Azure Active Directory Conditional Access technical reference](../active-directory/conditional-access/concept-conditional-access-conditions.md).

+ :::image type="content" source="media/catalog-conditional-access/conditional-access-blade.png" alt-text="Screenshot that shows Conditional Access blade"lightbox="media/catalog-conditional-access/conditional-access-blade.png":::

+

+2. In the **Conditional Access-Policies** blade, click **New policy**, provide a name, and then click **Configure rules**.

+3. Under **Assignments**, select **Users and groups**, check **Select users and groups**, and then select the user or group for Conditional Access. Click **Select**, and then click **Done** to accept your selection.

+ :::image type="content" source="media/catalog-conditional-access/select-users-and-groups.png" alt-text="Screenshot that shows User and Group selection"lightbox="media/catalog-conditional-access/select-users-and-groups.png":::

+4. Select **Cloud apps**, click **Select apps**. You see all apps available for Conditional Access. Select **Azure Purview**, at the bottom click **Select**, and then click **Done**.

+

+ :::image type="content" source="media/catalog-conditional-access/select-azure-purview.png" alt-text="Screenshot that shows Applications selection"lightbox="media/catalog-conditional-access/select-azure-purview.png":::

+5. Select **Access controls**, select **Grant**, and then check the policy you want to apply. For this example, we select **Require multi-factor authentication**.

+ :::image type="content" source="media/catalog-conditional-access/grant-access.png" alt-text="Screenshot that shows Grant access tab"lightbox="media/catalog-conditional-access/grant-access.png":::

+6. Set **Enable policy** to **On** and click **Create**.

+## Next steps

+- [Use Azure Purview Studio](/use-purview-studio.md)

+ Metadata collected in Azure Purview from enterprise data systems are stitched across to show an end to end data lineage. Data systems that collect lineage into Azure Purview are broadly categorized into following three types.

+Data integration and ETL tools can push lineage in to Azure Purview at execution time. Tools such as Data Factory, Data Share, Synapse, Azure Databricks, and so on, belong to this category of data systems. The data processing systems reference datasets as source from different databases and storage solutions to create target datasets. The list of data processing systems currently integrated with Azure Purview for lineage are listed in below table.

+Databases & storage solutions such as SQL Server, Teradata, and SAP have query engines to transform data using scripting language. Data lineage from stored procedures is collected in to Azure Purview and stitched with lineage from other systems.

+Lineage in Azure Purview includes datasets and processes. Datasets are also referred to as nodes while processes can be also called edges:

+* **Dataset (Node)**: A dataset (structured or unstructured) provided as an input to a process. For example, a SQL Table, Azure blob, and files (such as .csv and .xml), are all considered datasets. In the lineage section of Azure Purview, datasets are represented by rectangular boxes.

+* **Process (Edge)**: An activity or transformation performed on a dataset is called a process. For example, ADF Copy activity, Data Share snapshot and so on. In the lineage section of Azure Purview, processes are represented by round-edged boxes.

+To access lineage information for an asset in Azure Purview, follow the steps:

+1. Select your Azure Purview account from the list, and then select **Open Azure Purview Studio** from the **Overview** page.

+Data process can take one or more input datasets to produce one or more outputs. In Azure Purview, column level lineage is available for process nodes.

+# Customer intent: As a Azure Purview admin, I want to set up Managed Virtual Network and managed private endpoints for my Azure Purview account.

+> - Australia East

+- Australia East

+A Managed Virtual Network in Azure Purview is a virtual network which is deployed and managed by Azure inside the same region as Azure Purview account to allow scanning Azure data sources inside a managed network, without having to deploy and manage any self-hosted integration runtime virtual machines by the customer in Azure.

+Creating a Managed VNet Runtime within Managed Virtual Network ensures that data integration process is isolated and secure.

+A Managed VNet is created for your Azure Purview account when you create a Managed VNet Runtime for the first time in your Azure Purview account. You can't view or manage the Managed VNets.

+Managed private endpoints are private endpoints created in the Azure Purview Managed Virtual Network establishing a private link to Azure Purview and Azure resources. Azure Purview manages these private endpoints on your behalf.

+> If an Azure PaaS data store (Blob, Azure Data Lake Storage Gen2, Azure Synapse Analytics) has a private endpoint already created against it, and even if it allows access from all networks, Azure Purview would only be able to access it using a managed private endpoint. If a private endpoint does not already exist, you must create one in such scenarios.

+3. From Azure RBAC roles, you must be contributor on the Azure Purview account and data source to approve private links.

+1. Go to the [Azure portal](https://portal.azure.com), and navigate to the **Azure Purview accounts** page and select your _Purview account_.

+ :::image type="content" source="media/catalog-managed-vnet/purview-managed-azure-portal.png" alt-text="Screenshot that shows the Azure Purview account":::

+2. **Open Azure Purview Studio** and navigate to the **Data Map --> Integration runtimes**.

+ :::image type="content" source="media/catalog-managed-vnet/purview-managed-vnet.png" alt-text="Screenshot that shows Azure Purview Data Map menus":::

+5. Deploying the Managed VNet Runtime for the first time triggers multiple workflows in Azure Purview Studio for creating managed private endpoints for Azure Purview and its Managed Storage Account. Click on each workflow to approve the private endpoint for the corresponding Azure resource.

+6. In Azure portal, from your Azure Purview account resource blade, approve the managed private endpoint. From Managed storage account blade approve the managed private endpoints for blob and queue

+ :::image type="content" source="media/catalog-managed-vnet/purview-managed-pe-purview.png" alt-text="Screenshot that shows how to approve a managed private endpoint for Azure Purview":::

+ :::image type="content" source="media/catalog-managed-vnet/purview-managed-pe-purview-approved.png" alt-text="Screenshot that shows how to approve a managed private endpoint for Azure Purview - approved":::

+ :::image type="content" source="media/catalog-managed-vnet/purview-managed-pe-list.png" alt-text="Screenshot that shows managed private endpoints in Azure Purview":::

+ :::image type="content" source="media/catalog-managed-vnet/purview-managed-pe-list-approved.png" alt-text="Screenshot that shows managed private endpoints in Azure Purview - approved ":::

+You can use any of the following options to scan data sources using Azure Purview Managed VNet Runtime:

+To scan a data source using a Managed VNet Runtime and Azure Purview managed identity perform these steps:

+1. Select the **Data Map** tab on the left pane in the Azure Purview Studio.

+You can also use other supported options to scan data sources using Azure Purview Managed Runtime. This requires setting up a private connection to Azure Key Vault where the secret is stored.

+ :::image type="content" source="media/catalog-managed-vnet/purview-managed-pe-key-vault-create.png" alt-text="Screenshot that shows how to create a managed private endpoint for Azure Key Vault in Azure Purview Studio":::

+10. Select the **Data Map** tab on the left pane in the Azure Purview Studio.

+A collection is a tool Azure Purview uses to group assets, sources, and other artifacts into a hierarchy for discoverability and to manage access control. All access to Azure Purview's resources are managed from collections in the Azure Purview account itself.

+|I need to set up scans via the Azure Purview Studio|Data Curator on the collection **or** Data Curator **And** Data Source Administrator where the source is registered|

+All access control is managed in Azure Purview's collections. Azure Purview's collections can be found in the [Azure Purview Studio](https://web.purview.azure.com/resource/). Open your Azure Purview account in the [Azure portal](https://portal.azure.com) and select the Azure Purview Studio tile on the Overview page. From there, navigate to the data map on the left menu, and then select the 'Collections' tab.

+When an Azure Purview account is created, it starts with a root collection that has the same name as the Azure Purview account itself. The creator of the Azure Purview account is automatically added as a Collection Admin, Data Source Admin, Data Curator, and Data Reader on this root collection, and can edit and manage this collection.

+Sources, assets, and objects can be added directly to this root collection, but so can other collections. Adding collections will give you more control over who has access to data across your Azure Purview account.

+You can assign Azure Purview roles to users, security groups and service principals from your Azure Active Directory which is associated with your purview account's subscription.

+> If you created your Azure Purview account using a service principal, to be able to access the Azure Purview Studio and assign permissions to users, you will need to grant a user collection admin permissions on the root collection.

+> az purview account add-root-collection-admin --account-name [Azure Purview Account Name] --resource-group [Resource Group Name] --object-id [User Object Id]

+Collections can be customized for structure of the sources in your Azure Purview account, and can act like organized storage bins for these resources. When you're thinking about the collections you might need, consider how your users will access or discover information. Are your sources broken up by departments? Are there specialized groups within those departments that will only need to discover some assets? Are there some sources that should be discoverable by all your users?

+The [data reader role](#roles) can access information within the catalog, but not manage or edit it. So for our example above, adding the Data Reader permission to a group on the root collection and allowing inheritance will give all users in that group reader permissions on Azure Purview sources and assets. This makes these resources discoverable, but not editable, by everyone in that group. [Restricting inheritance](how-to-create-and-manage-collections.md#restrict-inheritance) on the Revenue group will control access to those assets. Users who need access to revenue information can be added separately to the Revenue collection.

+Role assignment is managed through the collections. Only a user with the [collection admin role](#roles) can grant permissions to other users on that collection. When new permissions need to be added, a collection admin will access the [Azure Purview Studio](https://web.purview.azure.com/resource/), navigate to data map, then the collections tab, and select the collection where a user needs to be added. From the Role Assignments tab they will be able to add and manage users who need permissions.

+Now that you have a base understanding of collections, and access control, follow the guides below to create and manage those collections, or get started with registering sources into your Azure Purview Resource.

+- [Azure Purview supported data sources](purview-connector-overview.md)

+ Title: Connect privately and securely to your Azure Purview account

+description: This article describes how you can set up a private endpoint to connect to your Azure Purview account from restricted network.

+# Connect privately and securely to your Azure Purview account

+In this guide, you will learn how to deploy private endpoints for your Azure Purview account to allow you to connect to your Azure Purview account only from VNets and private networks. To achieve this goal, you need to deploy _account_ and _portal_ private endpoints for your Azure Purview account.

+3. Deploy a [new Azure Purview account](#option-1deploy-a-new-azure-purview-account-with-account-and-portal-private-endpoints) with account and portal private endpoints, or deploy account and portal private endpoints for an [existing Azure Purview account](#option-2enable-account-and-portal-private-endpoint-on-existing-azure-purview-accounts).

+1. Go to the [Azure portal](https://portal.azure.com), and then go to the **Azure Purview accounts** page. Select **+ Create** to create a new Azure Purview account.

+4. On the **Create a private endpoint** page, for **Azure Purview sub-resource**, choose your location, provide a name for _account_ private endpoint and select **account**. Under **networking**, select your virtual network and subnet, and optionally, select **Integrate with private DNS zone** to create a new Azure Private DNS zone.

+6. In **Create Azure Purview account** wizard, select **+Add** again to add _portal_ private endpoint.

+7. On the **Create a private endpoint** page, for **Azure Purview sub-resource**,choose your location, provide a name for _portal_ private endpoint and select **portal**. Under **networking**, select your virtual network and subnet, and optionally, select **Integrate with private DNS zone** to create a new Azure Private DNS zone.

+description: This article describes how you can set up a private endpoint to connect to your Azure Purview account and scan data sources from restricted network for an end to end isolation

+3. Deploy a [new Azure Purview account](#option-1deploy-a-new-azure-purview-account-with-account-portal-and-ingestion-private-endpoints) with account, portal and ingestion private endpoints, or deploy private endpoints for an [existing Azure Purview account](#option-2enable-account-portal-and-ingestion-private-endpoint-on-existing-azure-purview-accounts).

+1. Go to the [Azure portal](https://portal.azure.com), and then go to the **Azure Purview accounts** page. Select **+ Create** to create a new Azure Purview account.

+4. On the **Create a private endpoint** page, for **Azure Purview sub-resource**, choose your location, provide a name for _account_ private endpoint and select **account**. Under **networking**, select your virtual network and subnet, and optionally, select **Integrate with private DNS zone** to create a new Azure Private DNS zone.

+7. On the **Create a private endpoint** page, for **Azure Purview sub-resource**,choose your location, provide a name for _portal_ private endpoint and select **portal**. Under **networking**, select your virtual network and subnet, and optionally, select **Integrate with private DNS zone** to create a new Azure Private DNS zone.

+"Not authorized to access this Azure Purview account. This Azure Purview account is behind a private endpoint. Please access the account from a client in the same virtual network (VNet) that has been configured for the Azure Purview account's private endpoint."

+"This Azure Purview account is behind a private endpoint. Please access the account from a client in the same virtual network (VNet) that has been configured for the Azure Purview account's private endpoint."

+description: This article describes an overview of how you can use a private end point for your Azure Purview account

+# Customer intent: As an Azure Purview admin, I want to set up private endpoints for my Azure Purview account, for secure access.

+ :::image type="content" source="media/catalog-private-link/purview-name-resolution-private-link.png" alt-text="Screenshot that shows Azure Purview name resolution from inside CorpNet.":::

+- By default, during the deployment of _account_ private endpoint for your Azure Purview account, we also create a [private DNS zone](../dns/private-dns-overview.md) that corresponds to the `privatelink` subdomain for Azure Purview as `privatelink.purview.azure.com` including DNS A resource records for the private endpoints.

+- During the deployment of _portal_ private endpoint for your Azure Purview account, we also create a new private DNS zone that corresponds to the `privatelink` subdomain for Azure Purview as `privatelink.purviewstudio.azure.com` including DNS A resource records for _Web_.

+|Ingestion |Azure Purview managed Storage Account - Blob |`privatelink.blob.core.windows.net` |scaneastusabcd1234 |

+|Ingestion |Azure Purview managed Storage Account - Queue |`privatelink.queue.core.windows.net` |scaneastusabcd1234 |

+|Ingestion |Azure Purview managed Storage Account - Event Hub |`privatelink.servicebus.windows.net` |atlas-12345678-1234-1234-abcd-123456789abc |

+| `Contoso-Purview.privatelink.purview.azure.com` | CNAME | \<Azure Purview public endpoint\> |

+| \<Azure Purview public endpoint\> | A | \<Azure Purview public IP address\> |

+| `Web.purview.azure.com` | CNAME | \<Azure Purview Studio public endpoint\> |

+| `Contoso-Purview.privatelink.purview.azure.com` | A | \<Azure Purview account private endpoint IP address\> |

+| `Web.purview.azure.com` | CNAME | \<Azure Purview portal private endpoint IP address\> |

+The following list shows the required Azure DNS zones and A records for Azure Purview private endpoints:

+|Ingestion |Azure Purview managed Storage Account - Blob |`privatelink.blob.core.windows.net` |scaneastusabcd1234 |

+|Ingestion |Azure Purview managed Storage Account - Queue |`privatelink.queue.core.windows.net` |scaneastusabcd1234 |

+|Ingestion |Azure Purview managed Storage Account - Event Hub |`privatelink.servicebus.windows.net` |atlas-12345678-1234-1234-abcd-123456789abc |

+| `Contoso-Purview.privatelink.purview.azure.com` | CNAME | \<Azure Purview public endpoint\> |

+| \<Azure Purview public endpoint\> | A | \<Azure Purview public IP address\> |

+| `Web.purview.azure.com` | CNAME | \<Azure Purview Studio public endpoint\> |

+| `Contoso-Purview.privatelink.purview.azure.com` | A | \<Azure Purview account private endpoint IP address\> |

+| `Web.purview.azure.com` | CNAME | \<Azure Purview portal private endpoint IP address\> |

+ |Ingestion |Azure Purview managed Storage Account - Blob |`privatelink.blob.core.windows.net` |scaneastusabcd1234 |

+ |Ingestion |Azure Purview managed Storage Account - Queue |`privatelink.queue.core.windows.net` |scaneastusabcd1234 |

+ |Ingestion |Azure Purview managed Storage Account - Event Hub |`privatelink.servicebus.windows.net` |atlas-12345678-1234-1234-abcd-123456789abc |

+ Title: Troubleshooting private endpoint configuration for Azure Purview accounts

+description: This article describes how to troubleshoot problems with your Azure Purview account related to private endpoints configurations

+# Customer intent: As an Azure Purview admin, I want to set up private endpoints for my Azure Purview account, for secure access.

+# Troubleshooting private endpoint configuration for Azure Purview accounts

+1. Once you deploy private endpoints for your Azure Purview account, review your Azure environment to make sure private endpoint resources are deployed successfully. Depending on your scenario, one or more of the following Azure private endpoints must be deployed in your Azure subscription:

+4. Test network connectivity and name resolution from management machine to Azure Purview endpoint and purview web url. If account and portal private endpoints are deployed, the endpoints must be resolved through private IP addresses.

+6. From self-hosted integration runtime VM, test network connectivity and name resolution to Azure Purview endpoint.

+8. From the network where data source is located, test network connectivity and name resolution to Azure Purview endpoint and managed resources endpoints.

+11. If ingestion private endpoint is used, make sure self-hosted integration runtime is registered successfully inside Azure Purview account and shows as running both inside the self-hosted integration runtime VM and in the [Azure Purview Studio](https://web.purview.azure.com/resource/) .

+Not authorized to access this Azure Purview account. This Azure Purview account is behind a private endpoint. Please access the account from a client in the same virtual network (VNet) that has been configured for the Azure Purview account's private endpoint.

+ Title: Use private endpoints for secure access to Azure Purview

+description: This article describes a high level overview of how you can use a private end point for your Azure Purview account

+# Customer intent: As an Azure Purview admin, I want to set up private endpoints for my Azure Purview account, for secure access.

+You can use [Azure private endpoints](../private-link/private-endpoint-overview.md) for your Azure Purview accounts to allow users on a virtual network (VNet) to securely access the catalog over a Private Link. A private endpoint uses an IP address from the VNet address space for your Azure Purview account. Network traffic between the clients on the VNet and the Azure Purview account traverses over the VNet and a private link on the Microsoft backbone network.

+|**Scenario 2** - [Connect privately and securely to your Azure Purview account](./catalog-private-link-account-portal.md) | You need to enable access to your Azure Purview account, including access to _Azure Purview Studio_ and Atlas API through private endpoints. (Deploy _account_ and _portal_ private endpoints). |

+|**Scenario 3** - [Scan data source securely using Managed Virtual Network](./catalog-managed-vnet.md) | You need to scan Azure data sources securely, without having to manage a virtual network or a self-hosted integration runtime VM. (Deploy managed private endpoint for Azure Purview, managed storage account and Azure data sources). |

+For troubleshooting private endpoint configuration for Azure Purview accounts, see [Troubleshooting private endpoint configuration for Azure Purview accounts](./catalog-private-link-troubleshoot.md).

+- [Deploy private networking for the Azure Purview Studio](./catalog-private-link-account-portal.md)

+ Title: Classification reporting on your data in Azure Purview using Azure Purview Insights

+description: This how-to guide describes how to view and use Azure Purview classification reporting on your data.

+# Customer intent: As a security officer, I need to understand how to use Azure Purview Insights to learn about sensitive data identified and classified and labeled during scanning.

+This how-to guide describes how to access, view, and filter Azure Purview Classification insight reports for your data.

+> - Launch your Azure Purview account from Azure

+Before getting started with Azure Purview insights, make sure that you've completed the following steps:

+- Signed in to Azure Purview with account with a [Data Reader or Data Curator role](catalog-permissions.md#roles).

+## Use Azure Purview classification insights

+Azure Purview uses the same sensitive information types as Microsoft 365, allowing you to stretch your existing security policies and protection across your entire data estate.

+1. Go to the **Azure Purview** [instance screen in the Azure portal](https://aka.ms/purviewportal) and select your Azure Purview account.

+1. On the **Overview** page, in the **Get Started** section, select the **Azure Purview Studio** tile.

+1. In Azure Purview, select the **Insights** :::image type="icon" source="media/insights/ico-insights.png" border="false"::: menu item on the left to access your **Insights** area.

+1. In the **Insights** :::image type="icon" source="media/insights/ico-insights.png" border="false"::: area, select **Classification** to display the Azure Purview **Classification insights** report.

+Use [Azure Purview collections hierarchy](./concept-best-practices-collections.md) to lay out your organization's data management structure inside a single Azure Purview account. In this scenario, one Azure Purview account is deployed in an Azure subscription. Data sources from one or more Azure subscriptions can be registered and scanned inside the Azure Purview. You can also register and scan data sources from your on-premises or multi-cloud environments.

+Some organizations often have many business units (BUs) that operate separately, and, in some cases, they don't even share billing with each other. In those cases, the organization will end up creating an Azure Purview instance for each BU. This model is not ideal, however, may be necessary, especially because Business Units are often not willing to share Azure billing.

+- [Create an Azure Purview account](./create-catalog-portal.md)

+- Each collection has a name attribute and a friendly name attribute. If you use [Azure Purview Studio](https://web.purview.azure.com/resource/) to deploy a collection, the system automatically assigns a random six-letter name to the collection to avoid duplication. To reduce complexity, avoid using duplicated friendly names across your collections, especially in the same level.

+You can deploy an Azure Purview account inside your Azure subscription in any [supported Azure regions](https://azure.microsoft.com/global-infrastructure/services/?products=purview&regions=all).

+- If you already have Microsoft 365 sensitivity labels in use in your environment, it is recommended that you continue to use your existing labels rather than making duplicate or more labels for Azure Purview. This approach allows you to maximize the investment you have already made in the Microsoft 365 compliance space and ensures consistent labeling across your data estate.

+These attributes cannot be edited or deleted. However, these attributes are not sufficient to completely define a term in an organization. To solve this problem, Azure Purview provides a feature where you can define custom attributes for your glossary.

+Azure Purview has more than 200 system classifiers today and you can define your own classifiers in catalog. As part of the scanning process, we automatically detect these classifications and apply them to data assets and schemas. However, you can override them at any point of time. The human overrides are never replaced by automated scans.

+Sensitivity labels are a type of annotation that allows you to classify and protect your organization's data, without hindering productivity and collaboration. Sensitivity labels are used to identify the categories of classification types within your organizational data, and group the policies that you wish to apply to each category. Azure Purview makes use of the same sensitive information types as Microsoft 365, which allows you to stretch your existing security policies and protection across your entire content and data estate. The same labels can be shared across Microsoft Office products and data assets in Azure Purview.

+* [Use the Azure Purview Studio](use-purview-studio.md)

+This article provides an overview of data lineage in Azure Purview Data Catalog. It also details how data systems can integrate with the catalog to capture lineage of data. Azure Purview can capture lineage for data in different parts of your organization's data estate, and at different levels of preparation including:

+Azure Purview Data Catalog will connect with other data processing, storage, and analytics systems to extract lineage information. The information is combined to represent a generic, scenario-specific lineage experience in the Catalog.

+The following section covers the details about the granularity of which the lineage information is gathered by Azure Purview. This granularity can vary based on the data systems supported in Azure Purview.

+Lineage is a critical feature of the Azure Purview Data Catalog to support quality, trust, and audit scenarios. The goal of a data catalog is to build a robust framework where all the data systems within your environment can naturally connect and report lineage. Once the metadata is available, the data catalog can bring together the metadata provided by data systems to power data governance use cases.

+* [Use the Azure Purview Studio](use-purview-studio.md)

+Azure Purview Data Map provides the foundation for data discovery and data governance. It captures metadata about enterprise data present in analytics, software-as-a-service (SaaS), and operation systems in hybrid, on-premises, and multi-cloud environments. Azure Purview Data Map automatically stays up to date with its built-in scanning and classification system. With the UI, developers can further programmatically interact with the Data Map using open-source Apache Atlas APIs.

+Operations are the throughput measure of the Azure Purview Data Map. They include the Create, Read, Write, Update, and Delete operations on metadata stored in the Data Map. Some examples of operations are listed below:

+The technical metadata includes schema, data type, columns, and so on, that are discovered from Azure Purview [scanning](concept-scans-and-ingestion.md). The business metadata includes automated (for example, promoted from Power BI datasets, or descriptions from SQL tables) and manual tagging of descriptions, glossary terms, and so on. Examples of semantic metadata include the collection mapping to data sources, or classifications. The operational metadata includes Data factory copy and data flow activity run status, and runs time.

+Claudia is an Azure admin at Contoso who wants to provision a new Azure Purview account from Azure portal. While provisioning, she doesnΓÇÖt know the required size of Azure Purview Data Map to support the future state of the platform. However, she knows that the Azure Purview Data Map is billed by Capacity Units, which are affected by storage and operations throughput. She wants to provision the smallest Data Map to keep the cost low and grow the Data Map size elastically based on consumption.

+Claudia can create an Azure Purview account with the default Data Map size of 1 capacity unit that can automatically scale up and down. The autoscaling feature also allows for capacity to be tuned based on intermittent or planned data bursts during specific periods. Claudia follows the next steps in provisioning experience to set up network configuration and completes the provisioning.

+In the Azure monitor metrics page, Claudia can see the consumption of the Data Map storage and operations throughput. She can further set up an alert when the storage or operations throughput reaches a certain limit to monitor the consumption and billing of the new Azure Purview account.

+Customers are billed for one capacity unit (25 ops/sec and 10 GB) and extra billing is based on the consumption of each extra capacity unit rolled up to the hour. The Data Map operations scale in the increments of 25 operations/sec and metadata storage scales in the increments of 10 GB size. Azure Purview Data Map can automatically scale up and down within the elasticity window ([check current limits](how-to-manage-quotas.md)). However, to get the next level of elasticity window, a support ticket needs to be created.

+- Azure Purview Data MapΓÇÖs operation throughput for the given hour is less than or equal to 25 Ops/Sec and storage size is 1 GB. Customers are billed for one capacity unit.

+- Azure Purview Data MapΓÇÖs operation throughput for the given hour is less than or equal to 25 Ops/Sec and storage size is 15 GB. Customers are billed for two capacity units.

+- Azure Purview Data MapΓÇÖs operation throughput for the given hour is 50 Ops/Sec and storage size is 15 GB. Customers are billed for two capacity units.

+- Azure Purview Data MapΓÇÖs operation throughput for the given hour is 50 Ops/Sec and storage size is 25 GB. Customers are billed for three capacity units.

+- Azure Purview Data MapΓÇÖs operation throughput for the given hour is 250 Ops/Sec and storage size is 15 GB. Customers are billed for ten capacity units.

+>Azure Purview Data Map can automatically scale up and down within the elasticity window ([check current limits](how-to-manage-quotas.md)). To get the next level of the elasticity window, a support ticket needs to be created.

+Select **Service and subscription limits (quota)** and complete the on screen instructions by choosing the Azure Purview account that you'd like to request larger capacity for.

+1. Go to the [Azure portal](https://portal.azure.com), and navigate to the **Azure Purview accounts** page and select your _Purview account_

+With elastic Data Map, Azure Purview provides low-cost barrier for customers to start their data governance journey.

+Azure Purview DataMap can grow elastically with pay as you go model starting from as small as 1 Capacity unit.

+- [Azure Purview Pricing](https://azure.microsoft.com/pricing/details/azure-purview/)

+Insights are one of the key pillars of Azure Purview. The feature provides customers, a single pane of glass view into their catalog and further aims to provide specific insights to the data source administrators, business users, data stewards, data officer and, security administrators. Currently, Azure Purview has the following Insights reports that will be available to customers during Insight's public preview.

+The report enables Data Source Administrators to understand overall health of the scans - how many succeeded, how many failed, how many canceled. This report gives a status update on scans that have been executed in the Azure Purview account within a time period of last seven days or last 30 days.

+Azure Purview intentionally doesn't try to classify most document file types like Word, Excel, or PDF as Resource Sets. The exception is CSV format since that is a common partitioned file format.

+This article provides an overview of the Scanning and Ingestion features in Azure Purview. These features connect your Azure Purview account to your sources to populate the data map and data catalog so you can begin exploring and managing your data through Azure Purview.

+After data sources are [registered](manage-data-sources.md) in your Azure Purview account, the next step is to scan the data sources. The scanning process establishes a connection to the data source and captures technical metadata like names, file size, columns, and so on. It also extracts schema for structured data sources, applies classifications on schemas, and [applies sensitivity labels if your Azure Purview account is connected to a Microsoft 365 Security and Compliance Center (SCC)](create-sensitivity-label.md). The scanning process can be triggered to run immediately or can be scheduled to run on a periodic basis to keep your Azure Purview account up to date.

+Azure Purview is secure by default. No passwords or secrets are stored directly in Azure Purview, so youΓÇÖll need to choose an authentication method for your sources. There are four possible ways to authenticate your Azure Purview account, but not all methods are supported for each data source.

+Whenever possible, a Managed Identity is the preferred authentication method because it eliminates the need for storing and managing credentials for individual data sources. This can greatly reduce the time you and your team spend setting up and troubleshooting authentication for scans. When you enable a managed identity for your Azure Purview account, an identity is created in Azure Active Directory and is tied to the lifecycle of your account.

+Azure Purview gives you a choice of scanning weekly or monthly at a specific time you choose. Weekly scans may be appropriate for data sources with structures that are actively under development or frequently change. Monthly scanning is more appropriate for data sources that change infrequently. A good best practice is to work with the administrator of the source you want to scan to identify a time when compute demands on the source are low.

+The technical metadata or classifications identified by the scanning process are then sent to Ingestion. The ingestion process is responsible for populating the data map and is managed by Azure Purview. Ingestion analyses the input from scan, [applies resource set patterns](concept-resource-sets.md#how-azure-purview-detects-resource-sets), populates available [lineage](concept-data-lineage.md) information, and then loads the data map automatically. Assets/schemas can be discovered or curated only after ingestion is complete. So, if your scan is completed but you haven't seen your assets in the data map or catalog, you'll need to wait for the ingestion process to finish.

+This article provides an overview of the search experience in Azure Purview. Search is a core platform capability of Azure Purview, that powers the data discovery and data use governance experiences in an organization.

+The Azure Purview search experience is powered by a managed search index. After a data source is registered with Azure Purview, its metadata is indexed by the search service to allow easy discovery. The index provides search relevance capabilities and completes search requests by querying millions of metadata assets. Search helps you to discover, understand, and use the data to get the most value out of it.

+The search experience in Azure Purview is a three stage process:

+Many times, you may be working on multiple projects at the same time. To make it easier to resume previous projects, Azure Purview search provides the ability to see recent search keywords and suggestions. Also, you can manage the recent search history by selecting **View all** from the search box drop-down.

+* [Use the Azure Purview Studio](use-purview-studio.md)

+> Azure Purview custom classifications are applied only to structured data sources like SQL and CosmosDB, and to structured file types like CSV, JSON, and Parquet. Custom classification isn't applied to unstructured data file types like DOC, PDF, and XLSX.

+1. From your Azure [Azure Purview Studio](https://web.purview.azure.com/resource/), select **Data Map**.

+- A good way to understand what url the scanning agent will compare with your regular expression is to browse through the Azure Purview data catalog, find the asset you want to ignore in the future, and see its fully qualified name (FQN) in the **Overview** tab.

+ Title: 'Quickstart: Create an Azure Purview account in the Azure portal'

+This quickstart describes the steps to create an Azure Purview account in the Azure portal and get started on the process of classifying, securing, and discovering your data in Azure Purview!

+Azure Purview is a data governance service that helps you manage and govern your data landscape. By connecting to data across your on-premises, multi-cloud, and software-as-a-service (SaaS) sources, Azure Purview creates an up-to-date map of your information. It identifies and classifies sensitive data, and provides end to end linage. Data consumers are able to discover data across your organization, and data administrators are able to audit, secure, and ensure right use of your data.

+For more information about Azure Purview, [see our overview page](overview.md). For more information about deploying Azure Purview across your organization, [see our deployment best practices](deployment-best-practices.md).

+1. Go to the **Azure Purview accounts** page in the [Azure portal](https://portal.azure.com).

+1. On the new Create Azure Purview account page, under the **Basics** tab, select the Azure subscription where you want to create your Azure Purview account.

+1. Select an existing **resource group** or create a new one to hold your Azure Purview account.

+1. Enter a **Azure Purview account name**. Spaces and symbols aren't allowed.

+ The name of the Azure Purview account must be globally unique. If you see the following error, change the name of Azure Purview account and try creating again.

+ :::image type="content" source="media/create-catalog-portal/name-error.png" alt-text="Screenshot showing the Create Azure Purview account screen with an account name that is already in use, and the error message highlighted.":::

+ The list shows only locations that support Azure Purview. The location you choose will be the region where your Azure Purview account and meta data will be stored. Sources can be housed in other regions.

+1. Select **Review & Create**, and then select **Create**. It takes a few minutes to complete the creation. The newly created Azure Purview account instance will appear in the list on your **Azure Purview accounts** page.

+ :::image type="content" source="media/create-catalog-portal/create-resource.png" alt-text="Screenshot showing the Create Azure Purview account screen with the Review + Create button highlighted":::

+## Open Azure Purview Studio

+After your Azure Purview account is created, you'll use the Azure Purview Studio to access and manage it. There are two ways to open Azure Purview Studio:

+* Open your Azure Purview account in the [Azure portal](https://portal.azure.com). Select the "Open Azure Purview Studio" tile on the overview page.

+ :::image type="content" source="media/create-catalog-portal/open-purview-studio.png" alt-text="Screenshot showing the Azure Purview account overview page, with the Azure Purview Studio tile highlighted.":::

+* Alternatively, you can browse to [https://web.purview.azure.com](https://web.purview.azure.com), select your Azure Purview account, and sign in to your workspace.

+In this quickstart, you learned how to create an Azure Purview account and how to access it through the Azure Purview Studio.

+Follow these next articles to learn how to navigate the Azure Purview Studio, create a collection, and grant access to Azure Purview:

+* [Using the Azure Purview Studio](use-purview-studio.md)

+ Title: 'Quickstart: Create an Azure Purview account with PowerShell/Azure CLI'

+In this Quickstart, you'll create an Azure Purview account using Azure PowerShell/Azure CLI. [PowerShell reference for Azure Purview](/powershell/module/az.purview/) is available, but this article will take you through all the steps needed to create an account with PowerShell.

+Azure Purview is a data governance service that helps you manage and govern your data landscape. By connecting to data across your on-premises, multi-cloud, and software-as-a-service (SaaS) sources, Azure Purview creates an up-to-date map of your information. It identifies and classifies sensitive data, and provides end to end linage. Data consumers are able to discover data across your organization, and data administrators are able to audit, secure, and ensure right use of your data.

+For more information about Azure Purview, [see our overview page](overview.md). For more information about deploying Azure Purview across your organization, [see our deployment best practices](deployment-best-practices.md).

+1. Create a resource group for your Azure Purview account. You can skip this step if you already have one:

+1. Create or Deploy the Azure Purview account

+ Use the [New-AzPurviewAccount](/powershell/module/az.purview/new-azpurviewaccount) cmdlet to create the Azure Purview account:

+ 1. Create an Azure Purview template file such as `purviewtemplate.json`. You can update `name`, `location`, and `capacity` (`4` or `16`):

+ 1. Deploy Azure Purview template

+ az purview account add-root-collection-admin --account-name [Azure Purview Account Name] --resource-group [Resource Group Name] --object-id [User Object Id]

+ This command will grant the user account [collection admin](catalog-permissions.md#roles) permissions on the root collection in your Azure Purview account. This allows the user to access the Azure Purview Studio and add permission for other users. For more information about permissions in Azure Purview, see our [permissions guide](catalog-permissions.md). For more information about collections, see our [manage collections article](how-to-create-and-manage-collections.md).

+Follow these next articles to learn how to navigate the Azure Purview Studio, create a collection, and grant access to Azure Purview.

+* [How to use the Azure Purview Studio](use-purview-studio.md)

+ Title: 'Quickstart: Create Azure Purview Account using .NET SDK'

+# Quickstart: Create an Azure Purview account using .NET SDK

+Azure Purview is a data governance service that helps you manage and govern your data landscape. By connecting to data across your on-premises, multi-cloud, and software-as-a-service (SaaS) sources, Azure Purview creates an up-to-date map of your information. It identifies and classifies sensitive data, and provides end to end linage. Data consumers are able to discover data across your organization, and data administrators are able to audit, secure, and ensure right use of your data.

+For more information about Azure Purview, [see our overview page](overview.md). For more information about deploying Azure Purview across your organization, [see our deployment best practices](deployment-best-practices.md).

+## Create an Azure Purview client

+2. Add the following code to the **Main** method that sets the variables. Replace the placeholders with your own values. For a list of Azure regions in which Azure Purview is currently available, search on **Azure Purview** and select the regions that interest you on the following page: [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).

+3. Add the following code to the **Main** method that creates an instance of **PurviewManagementClient** class. You use this object to create an Azure Purview Account.

+## Create an Azure Purview account

+Add the following code to the **Main** method that creates a **Azure Purview Account**.

+Console.WriteLine("Creating Azure Purview Account " + purviewAccountName + "...");

+The console prints the progress of creating Azure Purview Account.

+Creating Azure Purview Account testpurview...

+Go to the **Azure Purview accounts** page in the [Azure portal](https://portal.azure.com) and verify the account created using the above code.

+## Delete Azure Purview account

+To programmatically delete an Azure Purview Account, add the following lines of code to the program:

+Console.WriteLine("Deleting the Azure Purview Account");

+## Check if Azure Purview account name is available

+Console.WriteLine("Check Azure Purview account name");

+The code in this tutorial creates a purview account, deletes a purview account and checks for name availability of purview account. You can now download the .NET SDK and learn about other resource provider actions you can perform for an Azure Purview account.

+Follow these next articles to learn how to navigate the Azure Purview Studio, create a collection, and grant access to Azure Purview.

+* [How to use the Azure Purview Studio](use-purview-studio.md)

+description: This article describes how to create an Azure Policy exception for Azure Purview while leaving existing Policies in place to maintain security.

+# Create an Azure Policy exception for Azure Purview

+Many subscriptions have [Azure Policies](../governance/policy/overview.md) in place that restrict the creation of some resources. This is to maintain subscription security and cleanliness. However, Azure Purview accounts deploy two other Azure resources when they are created: an Azure Storage account, and an Event Hub namespace. When you [create Azure Purview Account](create-catalog-portal.md), these resources will be deployed. They will be managed by Azure, so you don't need to maintain them, but you will need to deploy them.

+## Create a policy exception for Azure Purview

+ > The tag could be anything beside `resourceBypass` and it's up to you to define value when creating Azure Purview in latter steps as long as the policy can detect the tag.

+> :::image type="content" source="media/create-catalog-portal/add-purview-tag.png" alt-text="Add tag to Azure Purview account.":::

+ Title: 'Quickstart: Create an Azure Purview account using Python'

+# Quickstart: Create an Azure Purview account using Python

+In this quickstart, you will create an Azure Purview account programatically using Python. [Python reference for Azure Purview](/python/api/azure-mgmt-purview/) is available, but this article will take you through all the steps needed to create an account with Python.

+Azure Purview is a data governance service that helps you manage and govern your data landscape. By connecting to data across your on-premises, multi-cloud, and software-as-a-service (SaaS) sources, Azure Purview creates an up-to-date map of your information. It identifies and classifies sensitive data, and provides end to end linage. Data consumers are able to discover data across your organization, and data administrators are able to audit, secure, and ensure right use of your data.

+For more information about Azure Purview, [see our overview page](overview.md). For more information about deploying Azure Purview across your organization, [see our deployment best practices](deployment-best-practices.md).

+3. To install the Python package for Azure Purview, run the following command:

+ The [Python SDK for Azure Purview](https://github.com/Azure/azure-sdk-for-python) supports Python 2.7, 3.3, 3.4, 3.5, 3.6 and 3.7.

+ # Location name, where Azure Purview account must be created.

+ print("location:", pa.location, " Azure Purview Account Name: ", pa.name, " Id: " , pa.id ," tags: " , pa.tags)

+ print("Error in creating Azure Purview account")

+ print("location:", pa.location, " Azure Purview Account Name: ", purview_name, " Id: " , pa.id ," tags: " , pa.tags)

+ print("Error in creating Azure Purview account")

+Build and start the application. The console prints the progress of Azure Purview account creation. Wait until it is completed.

+location: southcentralus Azure Purview Account Name: purviewpython7 Id: /subscriptions/8c2c7b23-848d-40fe-b817-690d79ad9dfd/resourceGroups/Demo_Catalog/providers/Microsoft.Purview/accounts/purviewpython7 tags: None

+Go to the **Azure Purview accounts** page in the Azure portal and verify the account created using the above code.

+## Delete Azure Purview account

+The code in this tutorial creates a purview account and deletes a purview account. You can now download the python SDK and learn about other resource provider actions you can perform for an Azure Purview account.

+Follow these next articles to learn how to navigate the Azure Purview Studio, create a collection, and grant access to Azure Purview.

+* [How to use the Azure Purview Studio](use-purview-studio.md)

+description: Start utilizing sensitivity labels and classifications to enhance your Azure Purview assets

+* **Label travels with the data:** The sensitivity labels created in Microsoft 365 can also be extended to Azure Purview, SharePoint, Teams, Power BI, and SQL. When you apply a label on an office document and then scan it in Azure Purview, the label will flow to Azure Purview. While the label is applied to the actual file in M365, it is only added as metadata in the Azure Purview catalog. While there are differences in how a label is applied to an asset across various services/applications, labels travel with the data and is recognized by all the services you extend it to.

+* **Overview of your data estate:** Azure Purview provides insights into your data through pre-canned reports. When you scan data in Azure Purview, we hydrate the reports with information on what assets you have, scan history, classifications found in your data, labels applied, glossary terms, etc.

+In addition to Azure Purview labeling for schematized data assets, Microsoft also supports labeling for SQL database columns using the SQL data classification in [SQL Server Management Studio (SSMS)](/sql/ssms/sql-server-management-studio-ssms). While Azure Purview uses the global [sensitivity labels](/microsoft-365/compliance/sensitivity-labels), SSMS only uses labels defined locally.

+Labeling in Azure Purview and labeling in SSMS are separate processes that do not currently interact with each other. Therefore, **labels applied in SSMS are not shown in Azure Purview, and vice versa**. We recommend Azure Purview for labeling SQL databases, as it uses global MIP labels that can be applied across multiple platforms.

+# Disaster recovery for Azure Purview

+This article explains how to configure a disaster recovery environment for Azure Purview. Azure data center outages are rare, but can last anywhere from a few minutes to hours. Data Center outages can cause disruption to environments that are being relied on for data governance. By following the steps detailed in this article, you can continue to govern your data in the event of a data center outage for the primary region of your Azure Purview account.

+Today, Azure Purview does not support automated BCDR. Until that support is added, you are responsible to take care of backup and restore activities. You can manually create a secondary Azure Purview account as a warm standby instance in another region.

+1. Once the primary Azure Purview account is created in a certain region, you must provision one or more secondary Azure Purview accounts in separate regions from Azure portal.

+2. All activities performed on the primary Azure Purview account must be carried out on the secondary Azure Purview accounts as well. This includes:

+- You will be charged for primary and secondary Azure Purview accounts.

+- The primary and secondary Azure Purview accounts cannot be configured to the same Azure Data Factory, Azure Data Share and Synapse Analytics accounts, if applicable. As a result, the lineage from Azure Data Factory and Azure Data Share cannot be seen in the secondary Azure Purview accounts. Also, the Synapse Analytics workspace associated with the primary Azure Purview account cannot be associated with secondary Azure Purview accounts. This is a limitation today and will be addressed when automated BCDR is supported.

+- The integration runtimes are specific to an Azure Purview account. Hence, if scans must run in primary and secondary Azure Purview accounts in-parallel, multiple self-hosted integration runtimes must be maintained. This limitation will also be addressed when automated BCDR is supported.

+- Parallel execution of scans from both primary and secondary Azure Purview accounts on the same source can affect the performance of the source. This can result in scan durations to vary across the Azure Purview accounts.

+ Title: Glossary report on your data using Azure Purview Insights

+description: This how-to guide describes how to view and use Azure Purview Insights glossary reporting on your data.

+This how-to guide describes how to access, view, and filter Azure Purview Glossary insight reports for your data.

+> - Go to Insights from your Azure Purview account

+Before getting started with Azure Purview insights, make sure that you've completed the following steps:

+## Use Azure Purview Glossary Insights

+1. Go to the **Azure Purview** [instance screen in the Azure portal](https://aka.ms/purviewportal) and select your Azure Purview account.

+1. On the **Overview** page, in the **Get Started** section, select **Open Azure Purview Studio** account tile.

+ :::image type="content" source="./media/glossary-insights/portal-access.png" alt-text="Launch Azure Purview from the Azure portal":::

+1. On the Azure Purview **Home** page, select **Insights** on the left menu.

+1. In the **Insights** area, select **Glossary** to display the Azure Purview **Glossary insights** report.

+1. The report starts with **High-level KPIs** that shows ***Total terms*** in your Azure Purview account, ***Approved terms without assets*** and ***Expired terms with assets***. Each of these values will help you identify the health of your Glossary.

+- Create a new or use an existing Azure Purview account. You can [follow our quick-start guide to create one](create-catalog-portal.md).

+>If you don't see the button, and you're not sure if consent has been granted to extend labeling to assets in Azure Purview, see [this FAQ](sensitivity-labels-frequently-asked-questions.yml#how-can-i-determine-if-consent-has-been-granted-to-extend-labeling-to-azure-purview) item on how to determine the status.

+After you've extended labeling to assets in Azure Purview, all published sensitivity labels are available for use in Azure Purview.

+Scan your data in Azure Purview to automatically apply the labels you've created, based on the autolabeling rules you've defined. Allow up to 24 hours for sensitivity label changes to reflect in Azure Purview.

+Once a collection is selected, you will get a list of assets in that collection with the facets and filters available in search. As a collection can have thousands of assets, browse uses the Azure Purview search relevance engine to boost the most important assets to the top.

+- [How to search the Azure Purview data catalog](how-to-search-catalog.md)

+Collections in Azure Purview can be used to organize assets and sources by your business's flow, but they are also the tool used to manage access across Azure Purview. This guide will take you through the creation and management of these collections, as well as cover steps about how to register sources and add assets into your collections.

+* An active [Azure Purview resource](create-catalog-portal.md).

+In order to create and manage collections in Azure Purview, you will need to be a **Collection Admin** within Azure Purview. We can check these permissions in the [Azure Purview Studio](https://web.purview.azure.com/resource/). You can find the studio by going to your Azure Purview resource in the [Azure portal](https://portal.azure.com), and selecting the Open Azure Purview Studio tile on the overview page.

+ :::image type="content" source="./media/how-to-create-and-manage-collections/find-collections.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the Collections tab selected." border="true":::

+1. Select your root collection. This is the top collection in your collection list and will have the same name as your Azure Purview resource. In our example below, it is called Contoso Azure Purview. Alternatively, if collections already exist you can select any collection where you want to create a subcollection.

+ :::image type="content" source="./media/how-to-create-and-manage-collections/select-root-collection.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the root collection highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/role-assignments.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the role assignments tab highlighted." border="true":::

+1. To create a collection, you will need to be in the collection admin list under role assignments. If you created the Azure Purview resource, you should be listed as a collection admin under the root collection already. If not, you will need to contact the collection admin to grant you permission.

+ :::image type="content" source="./media/how-to-create-and-manage-collections/collection-admins.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the collection admin section highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/find-collections.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the Collections tab selected and open." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/select-add-a-collection.png" alt-text="Screenshot of Azure Purview studio window, showing the new collection window, with the add a collection buttons highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/create-collection.png" alt-text="Screenshot of Azure Purview studio window, showing the new collection window, with a display name and collection admins selected, and the create button highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/created-collection.png" alt-text="Screenshot of Azure Purview studio window, showing the newly created collection window." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/edit-collection.png" alt-text="Screenshot of Azure Purview studio window, open to collection window, with the 'edit' button highlighted both in the selected collection window, and under the ellipsis button next to the name of the collection." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/edit-description.png" alt-text="Screenshot of Azure Purview studio window with the edit collection window open, a description added to the collection, and the save button highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/subcollection-menu.png" alt-text="Screenshot of Azure Purview studio collection window, with the button next to the collection name highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/filter-collections.png" alt-text="Screenshot of Azure Purview studio collection window, with the filter above the collections highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/refresh-collections.png" alt-text="Screenshot of Azure Purview studio collection window, with the button next to the Resource name selected, and the refresh button highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/refresh-single-collection.png" alt-text="Screenshot of Azure Purview studio collection window, with the refresh button under the collection window highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/delete-collections.png" alt-text="Screenshot of Azure Purview studio window to delete a collection" border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/delete-collection-confirmation.png" alt-text="Screenshot of Azure Purview studio window showing confirmation message to delete a collection" border="true":::

+3. Verify deletion of the collection from your Azure Purview Data Map.

+Since permissions are managed through collections in Azure Purview, it is important to understand the roles and what permissions they will give your users. A user granted permissions on a collection will have access to sources and assets associated with that collection, as well as inherit permissions to subcollections. Inheritance [can be restricted](#restrict-inheritance), but is allowed by default.

+* **Collection admins** - can edit the collection, its details, and add subcollections. They can also add data curators, data readers, and other Azure Purview roles to a collection scope. Collection admins that are automatically inherited from a parent collection can't be removed.

+ :::image type="content" source="./media/how-to-create-and-manage-collections/select-role-assignments.png" alt-text="Screenshot of Azure Purview studio collection window, with the role assignments tab highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/edit-role-assignments.png" alt-text="Screenshot of Azure Purview studio collection window, with the edit role assignments dropdown list selected." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/search-user-permissions.png" alt-text="Screenshot of Azure Purview studio collection collection admin window with the search bar highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/remove-role-assignment.png" alt-text="Screenshot of Azure Purview studio collection window, with the role assignments tab selected, and the x button beside one of the names highlighted." border="true":::

+Collection permissions are inherited automatically from the parent collection. For example, any permissions on the root collection (the collection at the top of the list that has the same name as your Azure Purview resource), will be inherited by all collections below it. You can restrict inheritance from a parent collection at any time, using the restrict inherited permissions option.

+ :::image type="content" source="./media/how-to-create-and-manage-collections/restrict-access-inheritance.png" alt-text="Screenshot of Azure Purview studio collection window, with the role assignments tab selected, and the restrict inherited permissions slide button highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/remove-restriction.png" alt-text="Screenshot of Azure Purview studio collection window, with the role assignments tab selected, and the unrestrict inherited permissions slide button highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/register-by-collection.png" alt-text="Screenshot of the data map Azure Purview studio window with the register button highlighted both at the top of the page and under a collection."border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/see-registered-source.png" alt-text="Screenshot of the data map Azure Purview studio window with the newly added source card highlighted."border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/new-scan.png" alt-text="Screenshot of a source Azure Purview studio window with the new scan button highlighted."border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/source-under-collection.png" alt-text="Screenshot of the data map Azure Purview studio window with the newly added source card highlighted in the map."border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/collection-path.png" alt-text="Screenshot of Azure Purview studio asset window, with the collection path highlighted." border="true":::

+ 1. If you don't have read permission on a collection, the assets under that collection will not be listed in search results. If you get the direct URL of one asset and open it, you will see the no access page. In this case please contact your Azure Purview admin to grant you the access. You can select the **Refresh** button to check the permission again.

+ :::image type="content" source="./media/how-to-create-and-manage-collections/no-access.png" alt-text="Screenshot of Azure Purview studio asset window where the user has no permissions, and has no access to information or options." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/hierarchy-permissions.png" alt-text="Screenshot of Azure Purview studio hierarchy window where the user has only read permissions, and has no access to options." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/move-asset.png" alt-text="Screenshot of Azure Purview studio asset window with the collection path highlighted and the ellipsis button next to collection path selected." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/move-select-collection.png" alt-text="Screenshot of Azure Purview studio pop-up window with the select a collection dropdown menu highlighted." border="true":::

+1. In Azure Purview, the search bar is located at the top of the Azure Purview studio UX.

+ :::image type="content" source="./media/how-to-create-and-manage-collections/browse-by-collection.png" alt-text="Screenshot of the catalog Azure Purview studio window with the browse assets button highlighted." border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/by-collection-view.png" alt-text="Screenshot of the asset Azure Purview studio window with the by collection tab selected."border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/search-results-by-collection.png" alt-text="Screenshot of the catalog Azure Purview studio window with the by collection tab selected."border="true":::

+ :::image type="content" source="./media/how-to-create-and-manage-collections/view-asset-details.png" alt-text="Screenshot of the catalog Azure Purview studio window with the by collection tab selected and asset check boxes highlighted."border="true":::

+If your Azure Purview account is protected by firewall, learn how to let Azure Synapse [access a secured Azure Purview account](../synapse-analytics/catalog-and-governance/how-to-access-secured-purview-account.md) through Azure Purview private endpoints.

+## Bring Azure Synapse lineage into Azure Purview

+### Step 1: Connect Azure Synapse workspace to your Azure Purview account

+You can connect an Azure Synapse workspace to Azure Purview, and the connection enables Azure Synapse to push lineage information to Azure Purview. Follow the steps in [Connect Synapse workspace to Azure Purview](../synapse-analytics/catalog-and-governance/quickstart-connect-azure-purview.md). Multiple Azure Synapse workspaces can connect to a single Azure Purview account for holistic lineage tracking.

+### Step 4: View lineage information in your Azure Purview account

+In your Azure Purview account, you can browse assets and choose type "Azure Synapse Analytics". You can also search the Data Catalog using keywords.

+This article elaborates on the data lineage aspects of Cassandra source in Azure Purview. The prerequisite to see data lineage in Azure Purview for Cassandra is to [scan your Cassandra server.](../purview/register-scan-cassandra-source.md)

+This article elaborates on the data lineage aspects of Erwin source in Azure Purview. The prerequisite to see data lineage in Azure Purview for Erwin is to [scan your Erwin.](../purview/register-scan-erwin-source.md)

+This article elaborates on the data lineage aspects of BigQuery source in Azure Purview. The prerequisite to see data lineage in Azure Purview for BigQuery is to [scan your BigQuery project.](../purview/register-scan-google-bigquery-source.md)

+This article elaborates on the data lineage aspects of Looker source in Azure Purview. The prerequisite to see data lineage in Azure Purview for Looker is to [scan your Looker.](../purview/register-scan-looker-source.md)

+This article elaborates on the data lineage aspects of Oracle source in Azure Purview. The prerequisite to see data lineage in Azure Purview for Oracle is to [scan your Oracle.](../purview/register-scan-oracle-source.md)

+This article elaborates on the data lineage aspects of Power BI source in Azure Purview. The prerequisite to see data lineage in Azure Purview for Power BI is to [scan your Power BI.](../purview/register-scan-power-bi-tenant.md)

+1. After the Power BI source is scanned, data consumers can perform root cause analysis of a report or dashboard from Azure Purview. For any data discrepancy in a report, users can easily identify the upstream datasets and contact their owners if necessary.

+Once the [scan of your Power BI](../purview/register-scan-power-bi-tenant.md) is complete, following Power BI artifacts will be inventoried in Azure Purview

+This article elaborates on the data lineage aspects of SAP ECC source in Azure Purview. The prerequisite to see data lineage in Azure Purview for SAP ECC is to [scan your SAP ECC.](../purview/register-scan-sapecc-source.md)

+This article elaborates on the data lineage aspects of SAP S/4HANA source in Azure Purview. The prerequisite to see data lineage in Azure Purview for SAP S/4HANA is to [scan your SAP S/4HANA.](../purview/register-scan-saps4hana-source.md)

+Apache Atlas Spark Connector is a hook to track Spark SQL/DataFrame data movements and push metadata changes to Azure Purview Atlas endpoint.

+Since Azure Purview supports Atlas API and Atlas native hook, the connector can report lineage to Azure Purview after configured with Spark. The connector could be configured per job or configured as the cluster default setting.

+ 1. Get Kafka Endpoint and credential in Azure portal of the Azure Purview Account

+ 1. Provide your account with *ΓÇ£Azure Purview Data CuratorΓÇ¥* permission

+ atlas.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$ConnectionString" password="<connection string got from your Azure Purview account>";

+### Step 2. Prepare your Azure Purview account

+ 1. Navigate to your Azure Purview account and select Access control (IAM)

+ 1. Add Users and grant your service principal *Azure Purview Data source administrator* role

+4. Post Spark Atlas model definition to Azure Purview Account:

+ 1. Get Atlas Endpoint of the Azure Purview account from properties section of Azure portal.

+ 1. Post Spark type definition into the Azure Purview account:

+### Step 5. Run and Check lineage in Azure Purview account

+Kick off The Spark job and check the lineage info in your Azure Purview account.

+## How to bring SSIS lineage into Azure Purview

+This article elaborates on the data lineage aspects of Teradata source in Azure Purview. The prerequisite to see data lineage in Azure Purview for Teradata is to [scan your Teradata.](../purview/register-scan-teradata-source.md)

+Multiple Azure Data Factories can connect to a single Azure Purview to push lineage information. The current limit allows you to connect up 10 Data Factory accounts at a time from the Azure Purview management center. To show the list of Data Factory accounts connected to your Azure Purview account, do the following:

+ - **Connected**: The data factory is connected to the Azure Purview account.

+Follow the steps below to connect an existing data factory to your Azure Purview account. You can also [connect Data Factory to Azure Purview account from ADF](../data-factory/connect-data-factory-to-azure-purview.md).

+ Some Data Factory instances might be disabled if the data factory is already connected to the current Azure Purview account, or the data factory doesn't have a managed identity.

+ A warning message will be displayed if any of the selected Data Factories are already connected to other Azure Purview account. By selecting OK, the Data Factory connection with the other Azure Purview account will be disconnected. No additional confirmations are required.

+Data factory's managed identity is used to authenticate lineage push operations from data factory to Azure Purview. When connecting data factory to Azure Purview on UI, it adds the role assignment automatically.

+Grant the data factory's managed identity **Data Curator** role on Azure Purview **root collection**. Learn more about [Access control in Azure Purview](../purview/catalog-permissions.md) and [Add roles and restrict access through collections](../purview/how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).

+The integration between Data Factory and Azure Purview supports only a subset of the data systems that Data Factory supports, as described in the following sections.

+If your Azure Purview account is protected by firewall, learn how to let Data Factory [access a secured Azure Purview account](../data-factory/how-to-access-secured-purview-account.md) through Azure Purview private endpoints.

+## Bring Data Factory lineage into Azure Purview

+## Azure Data Share and Azure Purview connected experience

+1. Create an Azure Purview account. All the Data Share lineage information will be collected by an Azure Purview account. You can use an existing one or create a new Azure Purview account.

+1. Connect your Azure Data Share to your Azure Purview account.

+ 1. In the Azure Purview portal, you can go to **Management Center** and connect your Azure Data Share under the **External connections** section.

+ 1. Select **+ New** on the top bar, find your Azure Data Share in the pop-up side bar and add the Data Share account. Run a snapshot job after connecting your Data Share to Azure Purview account, so that the Data Share assets and lineage information is visible in Azure Purview.

+ - Once the share snapshot is complete, you can view associated Data Share assets and lineage in Azure Purview.

+1. Discover Data Share accounts and share information in your Azure Purview account.

+ - In the home page of Azure Purview account, select **Browse by asset type** and select the **Azure Data Share** tile. You can search for an account name, share name, share snapshot, or partner organization. Otherwise apply filters on the Search result page for account name, share type (sent vs received shares).

+ >For Data Share assets to show in Azure Purview, a snapshot job must be run after you connect your Data Share to Azure Purview.

+ - From the Azure Purview search result page, choose the Data share snapshot (received/sent) and select the **Lineage** tab, to see a lineage graph with upstream and downstream dependencies.

+|Azure Purview accounts per region, per tenant (all subscriptions combined)|3|Contact Support|

+Azure Purview allows you to create a glossary of terms that are important for enriching your data. Each new term added to your Azure Purview Data Catalog Glossary is based on a term template that determines the fields for the term. This article describes how to create a term template and custom attributes that can be associated to glossary terms.

+Azure Purview admins can use Azure Monitor to track the operational state of Azure Purview account. Metrics are collected to provide data points for you to track potential problems, troubleshoot, and improve the reliability of the Azure Purview account. The metrics are sent to Azure monitor for events occurring in Azure Purview.

+The metrics can be accessed from the Azure portal for an Azure Purview account. Access to the metrics are controlled by the role assignment of Azure Purview account. Users need to be part of the "Monitoring Reader" role in Azure Purview to see the metrics. Check out [Monitoring Reader Role permissions](../azure-monitor/roles-permissions-security.md#built-in-monitoring-roles) to learn more about the roles access levels.

+The person who created the Azure Purview account automatically gets permissions to view metrics. If anyone else wants to see metrics, add them to the **Monitoring Reader** role, by following these steps:

+To add a user to the **Monitoring Reader** role, the owner of Azure Purview account or the Subscription owner can follow these steps:

+Users in the **Monitoring Reader** role can see the aggregated metrics and diagnostic logs sent to Azure Monitor. The metrics are listed in the Azure portal for the corresponding Azure Purview account. In the Azure portal, select the Metrics section to see the list of all available metrics.

+ :::image type="content" source="./media/how-to-monitor-with-azure-monitor/purview-metrics.png" alt-text="Screenshot showing available Azure Purview metrics section." lightbox="./media/how-to-monitor-with-azure-monitor/purview-metrics.png":::

+Azure Purview users can also access the metrics page directly from the management center of the Azure Purview account. Select Azure Monitor in the main page of Azure Purview management center to launch Azure portal.

+ :::image type="content" source="./media/how-to-monitor-with-azure-monitor/launch-metrics-from-management.png" alt-text="Screenshot to launch Azure Purview metrics from management center." lightbox="./media/how-to-monitor-with-azure-monitor/launch-metrics-from-management.png":::

+Raw telemetry events are emitted to Azure Monitor. Events can be logged to a customer storage account of choice for further analysis. Exporting of logs is done via the Diagnostic settings for the Azure Purview account on the Azure portal.

+The search bar can be quickly accessed from the top bar of the Azure Purview Studio UX. In the data catalog home page, the search bar is in the center of the screen.

+Enter in keywords that help identify your asset such as its name, data type, classifications, and glossary terms. As you enter in search keywords, Azure Purview dynamically suggests assets and searches that may fit your needs. To complete your search, click on "View search results" or press "Enter".

+Once you enter in your search, Azure Purview returns a list of data assets a user is a data reader for to that matched to the keywords entered in.

+The Azure Purview relevance engine sorts through all the matches and ranks them based on what it believes their usefulness is to a user. For example, a table that matches on multiple keywords that a data steward has assigned glossary terms and given a description is likely going to be more interesting to a data consumer than a folder which has been unannotated. A large set of factors determine an assetΓÇÖs relevance score and the Azure Purview search team is constantly tuning the relevance engine to ensure the top search results have value to you.

+- [Azure Purview system-assigned managed identity](#use-azure-purview-system-assigned-managed-identity-to-set-up-scans)

+## Use Azure Purview system-assigned managed identity to set up scans

+If you are using the Azure Purview system-assigned managed identity (SAMI) to set up scans, you will not have to explicitly create a credential and link your key vault to Azure Purview to store them. For detailed instructions on adding the Azure Purview SAMI to have access to scan your data sources, refer to the data source-specific authentication sections below:

+Before assigning access to the Azure Purview system-assigned managed identity (SAMI), first identify your Azure Key Vault permission model from Key Vault resource **Access Policies** in the menu. Follow steps below based on relevant the permission model.

+ :::image type="content" source="media/manage-credentials/add-msi-to-akv-2.png" alt-text="Add Azure Purview managed identity to AKV":::

+5. For **Select principal**, choose the Azure Purview system managed identity. You can search for the Azure Purview SAMI using either the Azure Purview instance name **or** the managed identity application ID. We do not currently support compound identities (managed identity name + application ID).

+4. Set the **Role** to **Key Vault Secrets User** and enter your Azure Purview account name under **Select** input box. Then, select Save to give this role assignment to your Azure Purview account.

+1. From the [Azure portal](https://portal.azure.com), select your Azure Purview account and open the [Azure Purview Studio](https://web.purview.azure.com/resource/). Navigate to the **Management Center** in the studio and then navigate to **credentials**.

+These credential types are supported in Azure Purview:

+For more information, see [Add a secret to Key Vault](../key-vault/secrets/quick-create-portal.md#add-a-secret-to-key-vault) and [Create a new AWS role for Azure Purview](register-scan-amazon-s3.md#create-a-new-aws-role-for-azure-purview).

+The following steps will show you how to create a UAMI for Azure Purview to use.

+1. Once the managed identity is successfully deployed, navigate to the [Azure Purview Studio](https://web.purview.azure.com/), by selecting the **Open Azure Purview Studio** button.

+1. In the [Azure Purview Studio](https://web.purview.azure.com/), navigate to the Management Center in the studio and then navigate to the Credentials section.

+ > If the portal was open during creation of your user assigned managed identity, you'll need to refresh the Azure Purview web portal to load the settings finished in the Azure portal.

+1. Open [Azure Purview Studio](https://web.purview.azure.com/resource/), navigate to the **Data Map**, **Sources**, and select **Register**.

+> The Azure Purview Integration Runtime cannot be shared with an Azure Synapse Analytics or Azure Data Factory Integration Runtime on the same machine. It needs to be installed on a separated machine.

+1. On the home page of the [Azure Purview Studio](https://web.purview.azure.com/resource/), select **Data Map** from the left navigation pane.

+* Any Azure Key Vault used to store credentials for the Azure Purview resource.

+* The managed Storage account and Event Hub resources created by Azure Purview.

+The managed Storage and Event Hub resources can be found in your subscription under a resource group containing the name of your Azure Purview resource. Azure Purview uses these resources to ingest the results of the scan, among many other things, so the self-hosted integration runtime will need to be able to connect directly with these resources.

+> For domains listed with '\<managed Azure Purview storage account>', you will add the name of the managed storage account associated with your Azure Purview resource. You can find this resource in the Portal. Search your Resource Groups for a group named: managed-rg-\<your Azure Purview Resource name>. For example: managed-rg-contosoPurview. You will use the name of the storage account in this resource group.

+> For domains listed with '\<managed Event Hub resource>', you will add the name of the managed Event Hub associated with your Azure Purview resource. You can find this in the same Resource Group as the managed storage account.

+| `*.servicebus.windows.net` | 443 | Global infrastructure Azure Purview uses to run its scans. Wildcard required as there is no dedicated resource. |

+| `<managed Event Hub resource>.servicebus.windows.net` | 443 | Azure Purview uses this to connect with the associated service bus. It will be covered by allowing the above domain, but if you are using Private Endpoints, you will need to test access to this single domain.|

+| `*.frontend.clouddatahub.net` | 443 | Global infrastructure Azure Purview uses to run its scans. Wildcard required as there is no dedicated resource. |

+| `<managed Azure Purview storage account>.core.windows.net` | 443 | Used by the self-hosted integration runtime to connect to the managed Azure storage account.|

+| `<managed Azure Purview storage account>.queue.core.windows.net` | 443 | Queues used by purview to run the scan process. |

+If you will be scanning Parquet files using the Self-Hosted Integration runtime with Azure Purview, you will need to install either the Java Runtime Environment or OpenJDK on your self-hosted IR machine.

+- [Use private endpoints with Azure Purview](catalog-private-link.md)

+description: This article provides a walkthrough to create a .NET Core application that sends/receives events to/from Azure Purview's Apache Atlas Kafka topics by using the latest Azure.Messaging.EventHubs package.

+> A managed event hub is created as part of Azure Purview account creation, see [Azure Purview account creation](create-catalog-portal.md). You can publish messages to the event hub kafka topic ATLAS_HOOK and Azure Purview will consume and process it. Azure Purview will notify entity changes to event hub kafka topic ATLAS_ENTITIES and user can consume and process it.This quickstart uses the new **Azure.Messaging.EventHubs** library.

+## Publish messages to Azure Purview

+This section shows you how to create a .NET Core console application to send events to an Azure Purview via event hub kafka topic **ATLAS_HOOK**.

+ You can get event hub namespace associated with purview account by looking at Atlas kafka endpoint primary/secondary connection strings in properties tab of Azure Purview account.

+ The event hub name should be **ATLAS_HOOK** for sending messages to Azure Purview.

+3. Replace the `Main` method with the following `async Main` method and add an `async ProduceMessage` to push messages into Azure Purview. See the code comments for details.

+## Consume messages from Azure Purview

+This section shows how to write a .NET Core console application that receives messages from an event hub using an event processor. You need to use ATLAS_ENTITIES event hub to receive messages from Azure Purview.The event processor simplifies receiving events from event hubs by managing persistent checkpoints and parallel receptions from those event hubs.

+ You can get event hub namespace associated with purview account by looking at Atlas kafka endpoint primary/secondary connection strings in properties tab of Azure Purview account.

+ The event hub name should be **ATLAS_ENTITIES** for sending messages to Azure Purview.

+### Sample Message received from Azure Purview

+> Atlas currently supports the following operation types: **ENTITY_CREATE_V2**, **ENTITY_PARTIAL_UPDATE_V2**, **ENTITY_FULL_UPDATE_V2**, **ENTITY_DELETE_V2**. Pushing messages to Azure Purview is currently enabled by default. If the scenario involves reading from Azure Purview contact us as it needs to be allow-listed. (provide subscription id and name of Azure Purview account).

+Azure Purview Data Map provides the foundation for data discovery and effective data governance. Azure Purview Data Map is a cloud native PaaS service that captures metadata about enterprise data present in analytics and operation systems on-premises and cloud. Azure Purview Data Map is automatically kept up to date with built-in automated scanning and classification system. Business users can configure and use the Azure Purview Data Map through an intuitive UI and developers can programmatically interact with the Data Map using open-source Apache Atlas 2.0 APIs.

+Azure Purview Data Map powers the Azure Purview Data Catalog and Azure Purview data insights as unified experiences within the [Azure Purview Studio](https://web.purview.azure.com/resource/).

+With the Azure Purview Data Catalog, business and technical users alike can quickly & easily find relevant data using a search experience with filters based on various lenses like glossary terms, classifications, sensitivity labels and more. For subject matter experts, data stewards and officers, the Azure Purview Data Catalog provides data curation features like business glossary management and ability to automate tagging of data assets with glossary terms. Data consumers and producers can also visually trace the lineage of data assets starting from the operational systems on-premises, through movement, transformation & enrichment with various data storage & processing systems in the cloud to consumption in an analytics system like Power BI.

+With the Azure Purview data insights, data officers and security officers can get a birdΓÇÖs eye view and at a glance understand what data is actively scanned, where sensitive data is and how it moves.

+ Title: Azure Purview Connector Overview

+description: This article outlines the different data stores and functionalities supported in Azure Purview

+Azure Purview supports the following data stores. Select each data store to learn the supported capabilities and the corresponding configurations in details.

+## Azure Purview data sources

+> Currently, Azure Purview can't scan an asset that has `/`, `\`, or `#` in its name. To scope your scan and avoid scanning assets that have those characters in the asset name, use the example in [Register and scan an Azure SQL Database](register-scan-azure-sql-database.md#creating-the-scan).

+The following is a list of all the Azure data source (data center) regions where the Azure Purview scanner runs. If your Azure data source is in a region outside of this list, the scanner will run in the region of your Azure Purview instance.

+### Azure Purview scanner regions

+# Quickstart: Create a collection and assign permissions in Azure Purview

+Collections are Azure Purview's tool to manage ownership and access control across assets, sources, and information. They also organize your sources and assets into categories that are customized to match your management experience with your data. This guide will take you through setting up your first collection and collection admin to prepare your Azure Purview environment for your organization.

+* An active [Azure Purview resource](create-catalog-portal.md).

+In order to create and manage collections in Azure Purview, you will need to be a **Collection Admin** within Azure Purview. We can check these permissions in the [Azure Purview Studio](use-purview-studio.md). You can find the studio by going to your Azure Purview resource in the [Azure portal](https://portal.azure.com), and selecting the **Open Azure Purview Studio** tile on the overview page.

+ :::image type="content" source="./media/quickstart-create-collection/find-collections.png" alt-text="Screenshot of Azure Purview studio opened to the Data Map, with the Collections tab selected." border="true":::

+1. Select your root collection. This is the top collection in your collection list and will have the same name as your Azure Purview resource. In our example below, it's called Contoso Azure Purview.

+ :::image type="content" source="./media/quickstart-create-collection/select-root-collection.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the root collection highlighted." border="true":::

+ :::image type="content" source="./media/quickstart-create-collection/role-assignments.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the role assignments tab highlighted." border="true":::

+1. To create a collection, you will need to be in the collection admin list under role assignments. If you created the Azure Purview resource, you should be listed as a collection admin under the root collection already. If not, you'll need to contact the collection admin to grant you permission.

+ :::image type="content" source="./media/quickstart-create-collection/collection-admins.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the collection admin section highlighted." border="true":::

+To create your collection, we'll start in the [Azure Purview Studio](use-purview-studio.md). You can find the studio by going to your Azure Purview resource in the Azure portal and selecting the **Open Azure Purview Studio** tile on the overview page.

+ :::image type="content" source="./media/quickstart-create-collection/find-collections-2.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the Collections tab selected." border="true":::

+ :::image type="content" source="./media/quickstart-create-collection/select-add-collection.png" alt-text="Screenshot of Azure Purview studio window, opened to the Data Map, with the Collections tab selected and Add a Collection highlighted." border="true":::

+ :::image type="content" source="./media/quickstart-create-collection/create-collection.png" alt-text="Screenshot of Azure Purview studio window, showing the new collection window, with a display name and collection admins selected, and the create button highlighted." border="true":::

+ :::image type="content" source="./media/quickstart-create-collection/created-collection.png" alt-text="Screenshot of Azure Purview studio window, showing the newly created collection window." border="true":::

+Now that you have a collection, you can assign permissions to this collection to manage your users access to Azure Purview.

+ :::image type="content" source="./media/quickstart-create-collection/select-role-assignments.png" alt-text="Screenshot of Azure Purview studio collection window, with the role assignments tab highlighted." border="true":::

+ :::image type="content" source="./media/quickstart-create-collection/edit-role-assignments.png" alt-text="Screenshot of Azure Purview studio collection window, with the edit role assignments dropdown list selected." border="true":::

+ Title: Azure Purview product glossary

+Information that is associated with data assets in Azure Azure Purview, for example, glossary terms and classifications. After they are applied, annotations can be used within Search to aid in the discovery of the data assets. 

+Any single object that is stored within an Azure Azure Purview data catalog.

+## Azure Purview instance

+A single Azure Azure Purview resource. 

+Permissions assigned to a user within an Azure Purview instance. Roles, such as Azure Purview Data Curator or Azure Purview Data Reader, determine what can be done within the product.

+* An active [Azure Purview resource](create-catalog-portal.md).

+* You will need to be a Data Source Administrator and Data Reader to register a source and manage it in the Azure Purview Studio. See our [Azure Purview Permissions page](catalog-permissions.md) for details.

+1. Go to the [Azure portal](https://portal.azure.com), and navigate to the **Azure Purview accounts** page and select your _Purview account_

+ :::image type="content" source="media/register-scan-adls-gen1/register-adls-gen1-purview-acct.png" alt-text="Screenshot that shows the Azure Purview account used to register the data source":::

+1. **Open Azure Purview Studio** and navigate to the **Data Map --> Sources**

+ :::image type="content" source="media/register-scan-adls-gen1/register-adls-gen1-open-purview-studio.png" alt-text="Screenshot that shows the link to open Azure Purview Studio":::

+It is important to give your Azure Purview account the permission to scan the ADLS Gen1 data source. You can add the system managed identity, or user-assigned managed identity at the Subscription, Resource Group, or Resource level, depending on what you want it to have scan permissions on.

+1. Choose **Select** and add the _Azure Purview Name_ (which is the system managed identity) or the _[user-assigned managed identity](manage-credentials.md#create-a-user-assigned-managed-identity)_(preview), that has already been registered in Azure Purview, in the **Select user or group** menu.

+ :::image type="content" source="media/register-scan-adls-gen1/register-adls-gen1-assign-permissions.png" alt-text="Screenshot that shows the details to assign permissions for the Azure Purview account":::

+1. Open your **Azure Purview account** and select the **Open Azure Purview Studio**

+ :::image type="content" source="media/register-scan-adls-gen1/register-adls-gen1-purview-acct.png" alt-text="Screenshot that shows the Open Azure Purview Studio":::

+ > * The asset will no longer be updated with schema changes if your source table has changed and you re-scan the source table after editing the description in the schema tab of Azure Purview.

+Now that you have registered your source, follow the below guides to learn more about Azure Purview and your data.

+* An active [Azure Purview resource](create-catalog-portal.md).

+* You will need to be a Data Source Administrator and Data Reader to register a source and manage it in the Azure Purview Studio. See our [Azure Purview Permissions page](catalog-permissions.md) for details.

+1. Go to the [Azure portal](https://portal.azure.com), and navigate to the **Azure Purview accounts** page and select your _Purview account_

+ :::image type="content" source="media/register-scan-adls-gen2/register-adls-gen2-purview-acct.png" alt-text="Screenshot that shows the Azure Purview account used to register the data source":::

+1. **Open Azure Purview Studio** and navigate to the **Data Map --> Sources**

+ :::image type="content" source="media/register-scan-adls-gen2/register-adls-gen2-open-purview-studio.png" alt-text="Screenshot that shows the link to open Azure Purview Studio":::

+It is important to give your Azure Purview account or user-assigned managed identity (UAMI) the permission to scan the ADLS Gen2 data source. You can add your Azure Purview account's system-assigned managed identity (which has the same name as your Azure Purview account) or UAMI at the Subscription, Resource Group, or Resource level, depending on what level scan permissions are needed.

+1. Set the **Role** to **Storage Blob Data Reader** and enter your _Azure Purview account name_ or _[user-assigned managed identity](manage-credentials.md#create-a-user-assigned-managed-identity)_ under the **Select** input box. Then, select **Save** to give this role assignment to your Azure Purview account.

+ :::image type="content" source="media/register-scan-adls-gen2/register-adls-gen2-assign-permissions.png" alt-text="Screenshot that shows the details to assign permissions for the Azure Purview account":::

+1. If your key vault is not connected to Azure Purview yet, you will need to [create a new key vault connection](manage-credentials.md#create-azure-key-vaults-connections-in-your-azure-purview-account)

+1. Set the **Role** to **Storage Blob Data Reader** and enter your _service principal_ under **Select** input box. Then, select **Save** to give this role assignment to your Azure Purview account.

+1. Open your **Azure Purview account** and select the **Open Azure Purview Studio**

+Now that you have registered your source, follow the below guides to learn more about Azure Purview and your data.

+For this service, use Azure Purview to provide a Microsoft account with secure access to AWS, where the Multi-Cloud Scanning Connectors for Azure Purview will run. The Multi-Cloud Scanning Connectors for Azure Purview use this access to your Amazon RDS databases to read your data, and then reports the scanning results, including only the metadata and classification, back to Azure. Use the Azure Purview classification and labeling reports to analyze and review your data scan results.

+> Azure Purview support for Amazon RDS is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.