-|policies.js|authorities|Your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`). Then, replace with the user flows, or custom policy you created in [step 1](#step-1-configure-your-user-flow) (for example, `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>`).|

-|policies.js|authorityDomain|Your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).|

-|apiConfig.js|webApi|The URL of the web API, `http://localhost:5000/tasks`.|

- webApi: "http://localhost:5000/tasks"

-description: List of services that support managed identities for Azure resources and Azure AD authentication

-# Services that support managed identities for Azure resources

-Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. Using a managed identity, you can authenticate to any service that supports Azure AD authentication without having credentials in your code. We are in the process of integrating managed identities for Azure resources and Azure AD authentication across Azure. Check back often for updates.

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-> [!NOTE]

-> Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).

-## Azure services that support managed identities for Azure resources

-The following Azure services support managed identities for Azure resources:

-### Azure API Management

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-| User assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-Refer to the following list to configure managed identity for Azure API Management (in regions where available):

-### Azure App Configuration

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not Available | ![Available][check] |

-| User assigned | ![Available][check] | ![Available][check] | Not Available | ![Available][check] |

-Refer to the following list to configure managed identity for Azure App Configuration (in regions where available):

-### Azure App Service

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-| User assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-Refer to the following list to configure managed identity for Azure App Service (in regions where available):

-### Azure Arc-enabled Kubernetes

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Preview | Not available | Not available | Not available |

-| User assigned | Not available | Not available | Not available | Not available |

-Azure Arc-enabled Kubernetes currently [supports system assigned identity](../../azure-arc/kubernetes/quickstart-connect-cluster.md). The managed service identity certificate is used by all Azure Arc-enabled Kubernetes agents for communication with Azure.

-### Azure Arc-enabled servers

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | Not available |

-| User assigned | Not available | Not available | Not available | Not available |

-All Azure Arc-enabled servers have a system assigned identity. You cannot disable or change the system assigned identity on an Azure Arc-enabled server. Refer to the following resources to learn more about how to consume managed identities on Azure Arc-enabled servers:

-### Azure Arc resource bridge

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | Not available | Not available | Not available |

-| User assigned | Not available | Not available | Not available | Not available |

-Azure Arc resource bridge currently [supports system assigned identity](../../azure-arc/resource-bridge/security-overview.md). The managed service identity is used by agents in the resource bridge for communication with Azure.

-### Azure Automanage

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Preview | Not available | Not available | Not available |

-| User assigned | Not available | Not available | Not available | Not available |

-Refer to the following document to reconfigure a managed identity if you have moved your subscription to a new tenant:

-* [Repair a broken Automanage Account](../../automanage/repair-automanage-account.md)

-### Azure Automation

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][Check]| ![Available][Check] | Not available | ![Available][Check] |

-| User assigned | ![Available][Check] | ![Available][Check] | Not available | ![Available][Check] |

-Refer to the following documents to use managed identity with [Azure Automation](../../automation/automation-intro.md):

-* [Automation account authentication overview - Managed identities](../../automation/automation-security-overview.md#managed-identities)

-* [Enable and use managed identity for Automation](../../automation/enable-managed-identity-for-automation.md)

-### Azure Blueprints

-|Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | Not available |

-| User assigned | ![Available][check] | ![Available][check] | Not available | Not available |

-Refer to the following list to use a managed identity with [Azure Blueprints](../../governance/blueprints/overview.md):

-### Azure Cognitive Search

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-| User assigned | Not available | Not available | Not available | Not available |

-### Azure Cognitive Services

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-| User assigned | Not available | Not available | Not available | Not available |

-### Azure Container Instances

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Linux: Preview<br>Windows: Not available | Not available | Not available | Not available |

-| User assigned | Linux: Preview<br>Windows: Not available | Not available | Not available | Not available |

-Refer to the following list to configure managed identity for Azure Container Instances (in regions where available):

-### Azure Container Registry Tasks

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | Preview | Not available | Preview |

-| User assigned | Preview | Preview | Not available | Preview |

-Refer to the following list to configure managed identity for Azure Container Registry Tasks (in regions where available):

-### Azure Data Explorer

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-| User assigned | Not available | Not available | Not available | Not available |

-### Azure Data Factory V2

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-| User assigned | Not available | Not available | Not available | Not available |

-Refer to the following list to configure managed identity for Azure Data Factory V2 (in regions where available):

-### Azure Digital Twins

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | Not available | Not available | Not available |

-| User assigned | Not available | Not available | Not available | Not available |

-Refer to the following list to configure managed identity for Azure Digital Twins (in regions where available):

-### Azure Event Grid

-Managed identity type |All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Preview | Preview | Not available | Preview |

-| User assigned | Preview | Preview | Not available | Preview |

-### Azure Firewall Policy

-Managed identity type |All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Not available | Not available | Not available | Not available |

-| User assigned | Preview | Not available | Not available | Not available |

-### Azure Functions

-Managed identity type |All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-| User assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-Refer to the following list to configure managed identity for Azure Functions (in regions where available):

-### Azure IoT Hub

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-| User assigned | ![Available][check] | Not available | Not available | Not available |

-Refer to the following list to configure managed identity for Azure IoT Hub (in regions where available):

-### Azure Import/Export

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | | | | |

-| System assigned | Available in the region where Azure Import Export service is available | Preview | Available | Available |

-| User assigned | Not available | Not available | Not available | Not available |

-### Azure Kubernetes Service (AKS)

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | Not available |

-| User assigned | Preview | ![Available][check] | Not available | Not available |

-For more information, see [Use managed identities in Azure Kubernetes Service](../../aks/use-managed-identity.md).

-### Azure Log Analytics cluster

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-| User assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-For more information, see [how identity works in Azure Monitor](../../azure-monitor/logs/customer-managed-keys.md)

-### Azure Logic Apps

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-| User assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |

-Refer to the following list to configure managed identity for Azure Logic Apps (in regions where available):

-### Azure Machine Learning

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Preview | Not Available | Not available | Not available |

-| User assigned | Preview | Not available | Not available | Not available |

-For more information, see [Use managed identities with Azure Machine Learning](../../machine-learning/how-to-use-managed-identities.md).

-### Azure Maps

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Preview | Preview | Not available | Not available |

-| User assigned | Preview | Preview | Not available | Not available |

-For more information, see [Authentication on Azure Maps](../../azure-maps/azure-maps-authentication.md).

-### Azure Media Services

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | Not Available | ![Available][check] |

-| User assigned | Not Available | Not Available | Not Available | Not Available |

-Refer to the following list to configure managed identity for Azure Media Services (in regions where available):

-### Azure Policy

-|Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-| User assigned | Not available | Not available | Not available | Not available |

-Refer to the following list to configure managed identity for Azure Policy (in regions where available):

-### Azure Service Fabric

-[Managed Identity for Service Fabric Applications](../../service-fabric/concepts-managed-identity.md) is available in all regions.

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | Not Available | Not Available | not Available |

-| User assigned | ![Available][check] | Not Available | Not Available |Not Available |

-Refer to the following list to configure managed identity for Azure Service Fabric applications in all regions:

-### Azure Spring Cloud

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | Not Available | Not Available | ![Available][check] |

-| User assigned | Not Available | Not Available | Not Available | Not Available |

-For more information, see [How to enable system-assigned managed identity for applications in Azure Spring Cloud](../../spring-cloud/how-to-enable-system-assigned-managed-identity.md).

-### Azure Stack Edge

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | | | | |

-| System assigned | Available in the region where Azure Stack Edge service is available | Not available | Not available | Not available |

-| User assigned | Not available | Not available | Not available | Not available |

-### Azure Virtual Machine Scale Sets

-|Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-| User assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-Refer to the following list to configure managed identity for Azure Virtual Machine Scale Sets (in regions where available):

-### Azure Virtual Machines

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-| User assigned | ![Available][check] | ![Available][check] | ![Available][check] | ![Available][check] |

-Refer to the following list to configure managed identity for Azure Virtual Machines (in regions where available):

-### Azure VM Image Builder

-| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Not Available | Not Available | Not Available | Not Available |

-| User assigned | [Available in supported regions](../../virtual-machines/image-builder-overview.md#regions) | Not Available | Not Available | Not Available |

-To learn how to configure managed identity for Azure VM Image Builder (in regions where available), see the [Image Builder overview](../../virtual-machines/image-builder-overview.md#permissions).

-### Azure SignalR Service

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Preview | Preview | Not available | Preview |

-| User assigned | Preview | Preview | Not available | Preview |

-Refer to the following list to configure managed identity for Azure SignalR Service (in regions where available):

-### Azure Resource Mover

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | Available in the regions where Azure Resource Mover service is available | Not available | Not available | Not available |

-| User assigned | Not available | Not available | Not available | Not available |

-Refer to the following document to use Azure Resource Mover:

-## Azure services that support Azure AD authentication

-The following services support Azure AD authentication, and have been tested with client services that use managed identities for Azure resources.

-### Azure Resource Manager

-Refer to the following list to configure access to Azure Resource

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://management.azure.com/`| ![Available][check] |

-| Azure Government | `https://management.usgovcloudapi.net/` | ![Available][check] |

-| Azure Germany | `https://management.microsoftazure.de/` | ![Available][check] |

-| Azure China 21Vianet | `https://management.chinacloudapi.cn` | ![Available][check] |

-### Azure Key Vault

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://vault.azure.net`| ![Available][check] |

-| Azure Government | `https://vault.usgovcloudapi.net` | ![Available][check] |

-| Azure Germany | `https://vault.microsoftazure.de` | ![Available][check] |

-| Azure China 21Vianet | `https://vault.azure.cn` | ![Available][check] |

-### Azure Data Lake

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://datalake.azure.net/` | ![Available][check] |

-| Azure Government | | Not Available |

-| Azure Germany | | Not Available |

-| Azure China 21Vianet | | Not Available |

-### Azure Cosmos DB

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://<account>.documents.azure.com/`<br/><br/>`https://cosmos.azure.com` | ![Available][check] |

-| Azure Government | `https://<account>.documents.azure.us/`<br/><br/>`https://cosmos.azure.us` | ![Available][check] |

-| Azure Germany | `https://<account>.documents.microsoftazure.de/`<br/><br/>`https://cosmos.microsoftazure.de` | ![Available][check] |

-| Azure China 21Vianet | `https://<account>.documents.azure.cn/`<br/><br/>`https://cosmos.azure.cn` | ![Available][check] |

-### Azure SQL

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://database.windows.net/` | ![Available][check] |

-| Azure Government | `https://database.usgovcloudapi.net/` | ![Available][check] |

-| Azure Germany | `https://database.cloudapi.de/` | ![Available][check] |

-| Azure China 21Vianet | `https://database.chinacloudapi.cn/` | ![Available][check] |

-### Azure Data Explorer

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://<account>.<region>.kusto.windows.net` | ![Available][check] |

-| Azure Government | `https://<account>.<region>.kusto.usgovcloudapi.net` | ![Available][check] |

-| Azure Germany | `https://<account>.<region>.kusto.cloudapi.de` | ![Available][check] |

-| Azure China 21Vianet | `https://<account>.<region>.kusto.chinacloudapi.cn` | ![Available][check] |

-### Azure Event Hubs

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://eventhubs.azure.net` | ![Available][check] |

-| Azure Government | `https://eventhubs.azure.net` | ![Available][check] |

-| Azure Germany | `https://eventhubs.azure.net` | ![Available][check] |

-| Azure China 21Vianet | `https://eventhubs.azure.net` | ![Available][check] |

-### Azure Service Bus

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://servicebus.azure.net` | ![Available][check] |

-| Azure Government | `https://servicebus.azure.net` | ![Available][check] |

-| Azure Germany | `https://servicebus.azure.net` | ![Available][check] |

-| Azure China 21Vianet | `https://servicebus.azure.net` | ![Available][check] |

-### Azure Storage blobs, queues, and tables

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://storage.azure.com/` <br /><br />`https://<account>.blob.core.windows.net` <br /><br />`https://<account>.queue.core.windows.net` <br /><br />`https://<account>.table.core.windows.net`| ![Available][check] |

-| Azure Government | `https://storage.azure.com/`<br /><br />`https://<account>.blob.core.usgovcloudapi.net` <br /><br />`https://<account>.queue.core.usgovcloudapi.net` <br /><br />`https://<account>.table.core.usgovcloudapi.net`| ![Available][check] |

-| Azure Germany | `https://storage.azure.com/`<br /><br />`https://<account>.blob.core.cloudapi.de` <br /><br />`https://<account>.queue.core.cloudapi.de` <br /><br />`https://<account>.table.core.cloudapi.de`| ![Available][check] |

-| Azure China 21Vianet | `https://storage.azure.com/`<br /><br />`https://<account>.blob.core.chinacloudapi.cn` <br /><br />`https://<account>.queue.core.chinacloudapi.cn` <br /><br />`https://<account>.table.core.chinacloudapi.cn`| ![Available][check] |

-### Azure Analysis Services

-| Cloud | Resource ID | Status |

-|--||:-:|

-| Azure Global | `https://*.asazure.windows.net` | ![Available][check] |

-| Azure Government | `https://*.asazure.usgovcloudapi.net` | ![Available][check] |

-| Azure Germany | `https://*.asazure.cloudapi.de` | ![Available][check] |

-| Azure China 21Vianet | `https://*.asazure.chinacloudapi.cn` | ![Available][check] |

-### Azure Communication Services

-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |

-| | :-: | :-: | :-: | :-: |

-| System assigned | ![Available][check] | Not available | Not available | Not available |

-| User assigned | ![Available][check] | Not available | Not available | Not available |

-> [!NOTE]

-> You can use Managed Identities to authenticate an [Azure Stream analytics job to Power BI](../../stream-analytics/powerbi-output-managed-identity.md).

-[check]: media/services-support-managed-identities/check.png "Available"

-# Tutorial: Azure Active Directory integration with MOVEit Transfer - Azure AD integration

-* MOVEit Transfer - Azure AD integration supports **SP** initiated SSO

-### Configure Azure AD SSO

- c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** value gets auto populated in **Basic SAML Configuration** section:

- 

- In the **Sign-on URL** text box, type the URL:

-### Configure MOVEit Transfer - Azure AD integration SSO

- 

- 

- 

- * Verify **entityID** matches **Identifier** in the **Basic SAML Configuration** section .

- * Verify **AssertionConsumerService** Location URL matches **REPLY URL** in the **Basic SAML Configuration** section.

- 

- 

- 

- 

- 

-### Test SSO

-Once you configure MOVEit Transfer - Azure AD integration you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with NAVEX One

-* NAVEX One supports **SP** initiated SSO

-## Adding NAVEX One from the gallery

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- a. In the **Sign-on URL** text box, type a URL using one of the following patterns:

- | Sign-on URL |

- |--|

- | `https://<CLIENT_KEY>.navexglobal.com` |

- | `https://<CLIENT_KEY>.navexglobal.eu` |

- |

- b. In the **Identifier** text box, type one of the following URLs:

- c. In the **Reply URL** text box, type one of the following URLs:

-Once you configure NAVEX One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-# Tutorial: Azure Active Directory integration with Showpad

-In this tutorial, you learn how to integrate Showpad with Azure Active Directory (Azure AD).

-Integrating Showpad with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Showpad.

-* You can enable your users to be automatically signed-in to Showpad (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)

-* Showpad single sign-on enabled subscription

-* Showpad supports **SP** initiated SSO

-* Showpad supports **Just In Time** user provisioning

-## Adding Showpad from the gallery

-**To add Showpad from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **Showpad**, select **Showpad** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Showpad based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Showpad needs to be established.

-To configure and test Azure AD single sign-on with Showpad, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Showpad Single Sign-On](#configure-showpad-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Showpad test user](#create-showpad-test-user)** - to have a counterpart of Britta Simon in Showpad that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Showpad, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Showpad** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- `https://<comapany-name>.showpad.biz/login`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Showpad Client support team](https://help.showpad.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Showpad Single Sign-On

- 

- 

- 

-### Create an Azure AD test user

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`

- For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-### Assign the Azure AD test user

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Showpad.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Showpad**.

- 

-2. In the applications list, select **Showpad**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Showpad tile in the Access Panel, you should be automatically signed in to the Showpad for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-az aks cluster create --name myAKSCluster2 --resource-group myResourceGroup --snapshot-id $SNAPSHOT_ID

-### Create a private AKS cluster with a BYO Private DNS SubZone (Preview)

-* Azure CLI >= 2.29.0 or Azure CLI with aks-preview extension 0.5.34 or later.

-### Register the `EnablePrivateClusterSubZone` preview feature

-To create an AKS private cluster with SubZone, you must enable the `EnablePrivateClusterSubZone` feature flag on your subscription.

-Register the `EnablePrivateClusterSubZone` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:

-```azurecli-interactive

-az feature register --namespace "Microsoft.ContainerService" --name "EnablePrivateClusterSubZone"

-```

-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:

-```azurecli-interactive

-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnablePrivateClusterSubZone')].{Name:name,State:properties.state}"

-```

-When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

-```azurecli-interactive

-az provider register --namespace Microsoft.ContainerService

-```

-### Install the aks-preview CLI extension

-```azurecli-interactive

-# Install the aks-preview extension

-az extension add --name aks-preview

-# Update the extension to make sure you have the latest version installed

-az extension update --name aks-preview

-```

-Here are some key features of App Service:

-> [Custom container (Windows or Linux)](tutorial-custom-container.md)

-authSettings=$(echo "$authSettingsΓÇ¥ | jq '.properties' | jq '.identityProviders.azureActiveDirectory.login += {"loginParameters":["scope=openid profile email offline_access api://<back-end-client-id>/user_impersonation"]}')

-1. If they don't match, change the probe configuration so that is has the correct string value to accept.

- "etag": "a1LIDdNEIV6wCnfv3xaip7fMXD3"

-1. In *Program.cs*, add a reference to the .NET Core Configuration API namespace:

- ```csharp

- using Microsoft.Extensions.Configuration;

- ```

-1. Update the `CreateWebHostBuilder` method to use App Configuration by calling the `AddAzureAppConfiguration` method.

- > [!IMPORTANT]

- > `CreateHostBuilder` replaces `CreateWebHostBuilder` in .NET Core 3.x. Select the correct syntax based on your environment.

- #### [.NET 5.x](#tab/core5x)

- public static IHostBuilder CreateHostBuilder(string[] args) =>

- Host.CreateDefaultBuilder(args)

- .ConfigureWebHostDefaults(webBuilder =>

- webBuilder.ConfigureAppConfiguration(config =>

- {

- var settings = config.Build();

- var connection = settings.GetConnectionString("AppConfig");

- config.AddAzureAppConfiguration(connection);

- }).UseStartup<Startup>());

- ```csharp

- public static IHostBuilder CreateHostBuilder(string[] args) =>

- Host.CreateDefaultBuilder(args)

- .ConfigureWebHostDefaults(webBuilder =>

- webBuilder.ConfigureAppConfiguration(config =>

- }).UseStartup<Startup>());

- ```

- #### [.NET Core 2.x](#tab/core2x)

- ```csharp

- public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>

- WebHost.CreateDefaultBuilder(args)

- .ConfigureAppConfiguration(config =>

- {

- var settings = config.Build();

- var connection = settings.GetConnectionString("AppConfig");

- config.AddAzureAppConfiguration(connection);

- })

- .UseStartup<Startup>();

- ```

-

- With the preceding change, the [configuration provider for App Configuration](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration) has been registered with the .NET Core Configuration API.

-1. If you're working on your local machine, use a browser to navigate to `http://localhost:5000`. This address is the default URL for the locally hosted web app. If you're working in the Azure Cloud Shell, select the **Web Preview** button followed by **Configure**.

-* Windows Server 2008 R2 SP1, Windows Server 2012 R2, 2016, 2019, and 2022 (including Server Core)

-* Oracle Linux 7

->To deploy to an existing app by using a custom container, in [Azure Functions Core Tools](functions-run-local.md), use the [`func deploy`](functions-run-local.md#publish) command.

-Functions also lets you define your Functions project to run in a Docker container. Use the [`--docker` option][func init] of `func init` to generate a Dockerfile for your specific language. This file is then used when creating a container to deploy.

-Core Tools can be used to deploy your project as a custom container image to a Kubernetes cluster. The command you use depends on the type of scaler used in the cluster.

-# [KEDA](#tab/keda)

-# [Default/KNative](#tab/default)

-```command

-func deploy --name <FUNCTION_APP> --platform kubernetes --registry <REGISTRY_USERNAME>

-```

-In the example above, replace `<FUNCTION_APP>` with the name of the function app in Azure and `<REGISTRY_USERNAME>` with your registry account name, such as you Docker username. The container is built locally and pushed to your Docker registry account with an image name based on `<FUNCTION_APP>`. You must have the Docker command line tools installed.

-To learn more, see the [`func deploy` command](functions-core-tools-reference.md#func-deploy).

-To learn how to publish a custom container to Azure without Kubernetes, see [Create a function on Linux using a custom container](functions-create-function-linux-custom-image.md).

-1. Use the Micrometer [global registry](https://micrometer.io/docs/concepts#_global_registry) to create a meter:

- static final Counter counter = Metrics.counter("test_counter");

-1. Use the counter to record metrics:

-1. Add the Container Monitoring solution to your Log Analytics workspace from [Azure marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.ContainersOMS?tab=Overview) or by using the process described in [Add monitoring solutions from the Solutions Gallery](../insights/solutions.md).

-To monitor a readable secondary, include the key-value `ApplicationIntent=ReadOnly` in the connection string. SQL Insights supports monitoring a single secondary. The collected data will be tagged to reflect primary or secondary.

-Get the details from the **Connection strings** menu item for the managed instance.

-To monitor a readable secondary, include the key-value `ApplicationIntent=ReadOnly` in the connection string. SQL Insights supports monitoring of a single secondary. Collected data will be tagged to reflect Primary or Secondary.

- "Server=MyServerIPAddress;Port=1433;User Id=$username;Password=$password;"

-If your monitoring virtual machine is in the same VNET, use the private IP address of the Server. Otherwise, use the public IP address. If you're using Azure SQL virtual machine, you can see which port to use here on the **Security** page for the resource.

-> Export destinations have limits and should be monitored to minimize throttling, failures, and latency. See [storage accounts scalability](../../storage/common/scalability-targets-standard-account.md#scale-targets-for-standard-storage-accounts) and [event hub namespace quota](../../event-hubs/event-hubs-quotas.md).

-Data export rule defines the destination and tables for which data is exported. You can create 10 rules in 'enable' state in your workspace, more rules are allowed in 'disable' state. Storage account destination must be unique across all export rules in workspace, but multiple rules can export to the same event hub namespace in separate event hubs.

-> The *billingType* property is not supported in PowerShell.

-The Azure Percept DK carrier board, Azure Percept Vision device, and Azure Percept Audio accessory are manufactured with built-in 80/20 1010 connectors, which allow for endless mounting configurations with 80/20 rails. This integration enables customers and solution builders to more easily extend their proof of concepts to production environments.

-| Microsoft.EventGrid/domains | [listKeys](/rest/api/eventgrid/version2021-12-01/domains/list-shared-access-keys) |

-| Microsoft.EventGrid/topics | [listKeys](/rest/api/eventgrid/version2021-12-01/topics/list-shared-access-keys) |

-A template spec is a resource type for storing an Azure Resource Manager template (ARM template) or a Bicep file in Azure for later deployment. Bicep files are transpiled into ARM JSON templates before they are stored. This resource type enables you to share ARM templates with other users in your organization. Just like any other Azure resource, you can use Azure role-based access control (Azure RBAC) to share the template spec.

-| Microsoft.EventGrid/domains | [listKeys](/rest/api/eventgrid/version2021-12-01/domains/list-shared-access-keys) |

-| Microsoft.EventGrid/topics | [listKeys](/rest/api/eventgrid/version2021-12-01/topics/list-shared-access-keys) |

-> [!NOTE]

-> Azure SQL Database Configurable Backup Storage Redundancy is currently available in public preview in Brazil South and generally available in Southeast Asia Azure region only. In the preview, if the source database is created with locally-redundant or zone-redundant backup storage redundancy, database copy to a server in a different Azure region is not supported.

-* Elastic query currently only supports read-only access to external tables. You can, however, use full T-SQL functionality on the database where the external table is defined. This can be useful to, e.g., persist temporary results using, for example, SELECT <column_list> INTO <local_table>, or to define stored procedures on the elastic query database that refer to external tables.

-> [!NOTE]

-> The link feature is released in limited public preview with support for currently only SQL Server 2019 Enterprise Edition CU13 (or above). [Sign-up now](https://aka.ms/mi-link-signup) to participate in the limited public preview.

-## Sign-up for link

-To use the link feature, you will need:

-Use the following link to sign-up for the limited preview of the link feature.

-> [!div class="nextstepaction"]

-> [Sign up for link feature preview](https://aka.ms/mi-link-signup)

-| Central US | Yes | |

-| East US | Yes | Yes |

-| East US 2 | Yes | Yes |

-| **Batch Management JavaScript** |[Azure SDK for JavaScript - Docs](/javascript/api/overview/azure/batch/management) |[npm](https://www.npmjs.com/package/@azure/arm-batch) |- |- |

-| AZ_BATCH_TASK_WORKING_DIR | The full path of the [task working directory](files-and-directories.md) on the node. The currently running task has read/write access to this directory. | All tasks. | C:\user\tasks\workitems\batchjob001\job-1\task001\wd |

-To perform asynchronous inference, provide the blob source path to the zip file containing the inference data, the start time, and end time.

-* Due to payload limitation, the size of inference data in the request body is limited, which support at most `2880` timestamps * `300` variables.

-First, you'll need a Microsoft account; if you do not one, you can sign up for free at the [**Microsoft account portal**](https://account.microsoft.com/account). Select **Create a Microsoft account** and follow the steps to create and verify your new account.

-description: Store structured data in the cloud using Azure Table storage or the Azure Cosmos DB Table API by using Python.

-# Get started with Azure Table storage and the Azure Cosmos DB Table API using Python

-This sample shows you how to use the [Azure Cosmos DB Table SDK for Python](https://pypi.python.org/pypi/azure-cosmosdb-table/) in common Azure Table storage scenarios. The name of the SDK indicates it is for use with Azure Cosmos DB, but it works with both Azure Cosmos DB and Azure Tables storage, each service just has a unique endpoint. These scenarios are explored using Python examples that illustrate how to:

-While working through the scenarios in this sample, you may want to refer to the [Azure Cosmos DB SDK for Python API reference](/python/api/overview/azure/cosmosdb).

-* [Azure Cosmos DB Table SDK for Python](https://pypi.python.org/pypi/azure-cosmosdb-table/). This SDK connects with both Azure Table storage and the Azure Cosmos DB Table API.

-## Install the Azure Cosmos DB Table SDK for Python

-After you've created a Storage account, your next step is to install the [Microsoft Azure Cosmos DB Table SDK for Python](https://pypi.python.org/pypi/azure-cosmosdb-table/). For details on installing the SDK, refer to the [README.rst](https://github.com/Azure/azure-cosmosdb-python/blob/master/azure-cosmosdb-table/README.rst) file in the Cosmos DB Table SDK for Python repository on GitHub.

-## Import the TableService and Entity classes

-To work with entities in the Azure Table service in Python, you use the [TableService][py_TableService] and [Entity][py_Entity] classes. Add this code near the top your Python file to import both:

-from azure.cosmosdb.table.tableservice import TableService

-from azure.cosmosdb.table.models import Entity

-To connect to Azure Storage Table service, create a [TableService][py_TableService] object, and pass in your Storage account name and account key. Replace `myaccount` and `mykey` with your account name and key.

-table_service = TableService(account_name='myaccount', account_key='mykey')

-## Connect to Azure Cosmos DB

-To connect to Azure Cosmos DB, copy your primary connection string from the Azure portal, and create a [TableService][py_TableService] object using your copied connection string:

-table_service = TableService(connection_string='DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=mykey;TableEndpoint=myendpoint;')

-Call [create_table][py_create_table] to create the table.

-To add an entity, you first create an object that represents your entity, then pass the object to the [TableService.insert_entity method][py_TableService]. The entity object can be a dictionary or an object of type [Entity][py_Entity], and defines your entity's property names and values. Every entity must include the required [PartitionKey and RowKey](#partitionkey-and-rowkey) properties, in addition to any other properties you define for the entity.

-This example creates a dictionary object representing an entity, then passes it to the [insert_entity][py_insert_entity] method to add it to the table:

-task = {'PartitionKey': 'tasksSeattle', 'RowKey': '001',

- 'description': 'Take out the trash', 'priority': 200}

-table_service.insert_entity('tasktable', task)

-This example creates an [Entity][py_Entity] object, then passes it to the [insert_entity][py_insert_entity] method to add it to the table:

-task = Entity()

-task.PartitionKey = 'tasksSeattle'

-task.RowKey = '002'

-task.description = 'Wash the car'

-task.priority = 100

-table_service.insert_entity('tasktable', task)

-To update all of an entity's property values, call the [update_entity][py_update_entity] method. This example shows how to replace an existing entity with an updated version:

-task = {'PartitionKey': 'tasksSeattle', 'RowKey': '001',

- 'description': 'Take out the garbage', 'priority': 250}

-table_service.update_entity('tasktable', task)

-If the entity that is being updated doesn't already exist, then the update operation will fail. If you want to store an entity whether it exists or not, use [insert_or_replace_entity][py_insert_or_replace_entity]. In the following example, the first call will replace the existing entity. The second call will insert a new entity, since no entity with the specified PartitionKey and RowKey exists in the table.

-task = {'PartitionKey': 'tasksSeattle', 'RowKey': '001',

- 'description': 'Take out the garbage again', 'priority': 250}

-table_service.insert_or_replace_entity('tasktable', task)

-task = {'PartitionKey': 'tasksSeattle', 'RowKey': '003',

- 'description': 'Buy detergent', 'priority': 300}

-table_service.insert_or_replace_entity('tasktable', task)

-> The [update_entity][py_update_entity] method replaces all properties and values of an existing entity, which you can also use to remove properties from an existing entity. You can use the [merge_entity][py_merge_entity] method to update an existing entity with new or modified property values without completely replacing the entity.

-To ensure the atomic processing of a request by the Table service, you can submit multiple operations together in a batch. First, use the [TableBatch][py_TableBatch] class to add multiple operations to a single batch. Next, call [TableService][py_TableService].[commit_batch][py_commit_batch] to submit the operations in an atomic operation. All entities to be modified in batch must be in the same partition.

-from azure.cosmosdb.table.tablebatch import TableBatch

-batch = TableBatch()

-task004 = {'PartitionKey': 'tasksSeattle', 'RowKey': '004',

- 'description': 'Go grocery shopping', 'priority': 400}

-task005 = {'PartitionKey': 'tasksSeattle', 'RowKey': '005',

- 'description': 'Clean the bathroom', 'priority': 100}

-batch.insert_entity(task004)

-batch.insert_entity(task005)

-table_service.commit_batch('tasktable', batch)

-```

-Batches can also be used with the context manager syntax:

-```python

-task006 = {'PartitionKey': 'tasksSeattle', 'RowKey': '006',

- 'description': 'Go grocery shopping', 'priority': 400}

-task007 = {'PartitionKey': 'tasksSeattle', 'RowKey': '007',

- 'description': 'Clean the bathroom', 'priority': 100}

-with table_service.batch('tasktable') as batch:

- batch.insert_entity(task006)

- batch.insert_entity(task007)

-To query for an entity in a table, pass its PartitionKey and RowKey to the [TableService][py_TableService].[get_entity][py_get_entity] method.

-task = table_service.get_entity('tasktable', 'tasksSeattle', '001')

-print(task.description)

-print(task.priority)

-You can query for a set of entities by supplying a filter string with the **filter** parameter. This example finds all tasks in Seattle by applying a filter on PartitionKey:

-tasks = table_service.query_entities(

- 'tasktable', filter="PartitionKey eq 'tasksSeattle'")

- print(task.description)

- print(task.priority)

-tasks = table_service.query_entities(

- 'tasktable', filter="PartitionKey eq 'tasksSeattle'", select='description')

- print(task.description)

-You can also query for entities within a table without using the partition and row keys. Use the `table_service.query_entities` method without the "filter" and "select" parameters as show in the following example:

-tasks = table_service.query_entities(

- 'tasktable')

-Delete an entity by passing its **PartitionKey** and **RowKey** to the [delete_entity][py_delete_entity] method.

-table_service.delete_entity('tasktable', 'tasksSeattle', '001')

-If you no longer need a table or any of the entities within it, call the [delete_table][py_delete_table] method to permanently delete the table from Azure Storage.

-* [Azure Cosmos DB SDK for Python API reference](/python/api/overview/azure/cosmosdb)

-[py_commit_batch]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_create_table]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_delete_entity]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_get_entity]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_insert_entity]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_insert_or_replace_entity]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_Entity]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.models.entity

-[py_merge_entity]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_update_entity]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_delete_table]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_TableService]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-[py_TableBatch]: /python/api/azure-cosmosdb-table/azure.cosmosdb.table.tableservice.tableservice

-## Related blog posts

- | [Learn about image factory](./devtest-lab-faq.yml#blog-post) |Watch a video that describes how to set up and use an image factory.|

-To make sure a licensed image is available to lab users, a lab owner with admin permissions must first accept the terms and conditions for that licensed image. Enabling programmatic deployment for the subscription associated with a licensed image automatically accepts the legal terms and privacy statements for that image. [Working with Marketplace Images on Azure Resource Manager](https://azure.microsoft.com/blog/working-with-marketplace-images-on-azure-resource-manager/) provides additional information about programmatic deployment of marketplace images.

->

->

-## Related blog posts

-### Question

-How can I set up an easily repeatable process to bring my custom organizational images into a DevTest Labs environment?

-### Answer

-See [this video on Image Factory pattern](./devtest-lab-faq.yml#blog-post). This scenario is an advanced scenario, and the scripts provided are sample scripts only. If any changes are required, you need to manage and maintain the scripts used in your environment.

-Using DevTest Labs to create a custom image pipeline in Azure Pipelines:

-See [Use environments in DevTest Labs](devtest-lab-test-env.md).

- | [Learn about image factory](./devtest-lab-faq.yml#blog-post) |Watch a video that describes how to set up and use an image factory.|

-| Feature | Lab Services | DevTest Labs |

-| -- | -- | - |

-| Azure infrastructure management. | Service automatically manages. | You manage.  |

-| Infrastructure resiliency. | Service automatically handles. | You handle.  |

-| Subscription management. | Service handles resource allocation in internal subscriptions. | You manage in your own Azure subscription. |

-| Autoscaling. | Service automatically handles. | No autoscaling. |

-| Azure Resource Manager deployments. | Not available. | Available. |

-## Next steps

-See the following articles:

-| `$conformance` | An enum containing the conformance status of this digital twin (*conformant*, *non-conformant*, *unknown*) |

-| `$metadata.$model` | [Optional] The ID of the model interface that characterizes this digital twin |

-| `$metadata.<property-name>.desiredValue` | [Only for writable properties] The desired value of the specified property |

-| `$metadata.<property-name>.desiredVersion` | [Only for writable properties] The version of the desired value |

-| `$metadata.<property-name>.ackVersion` | The version acknowledged by the device app implementing the digital twin |

-| `$metadata.<property-name>.ackCode` | [Only for writable properties] The `ack` code returned by the device app implementing the digital twin |

-| `$metadata.<property-name>.ackDescription` | [Only for writable properties] The `ack` description returned by the device app implementing the digital twin |

-| `<component-name>.<property-name>` | The value of the component's property in JSON (`string`, number type, or object) |

-Here's an example of a digital twin formatted as a JSON object:

- "$dtId": "Cafe",

- "$etag": "W/\"e59ce8f5-03c0-4356-aea9-249ecbdc07f9\"",

- "Temperature": 72,

- "Location": {

- "x": 101,

- "y": 33

- },

- "component": {

- "TableOccupancy": 1,

- "TableOccupancy": {

- "desiredValue": 1,

- "desiredVersion": 3,

- "ackVersion": 2,

- "ackCode": 200,

- "ackDescription": "OK"

- }

- }

- },

- "$metadata": {

- "$model": "dtmi:com:contoso:Room;1",

- "Temperature": {

- "desiredValue": 72,

- "desiredVersion": 5,

- "ackVersion": 4,

- "ackCode": 200,

- "ackDescription": "OK"

- "Location": {

- "desiredValue": {

- "x": 101,

- "y": 33,

- },

- "desiredVersion": 8,

- "ackVersion": 8,

- "ackCode": 200,

- "ackDescription": "OK"

- }

-}

- ## Supported regions

-Azure Firewall Premium is supported in the following regions:

-Apache Spark, has a Structured Streaming API that gives streaming capabilities not available in Apache Hive. Beginning with HDInsight 4.0, Apache Spark 2.3.1 and Apache Hive 3.1.0 have separate metastores. The separate metastores can make interoperability difficult. The Hive Warehouse Connector makes it easier to use Spark and Hive together. The HWC library loads data from LLAP daemons to Spark executors in parallel. This process makes it more efficient and adaptable than a standard JDBC connection from Spark to Hive.

-For Python, add the following configuration as well.

-If your DNS server updates IP addresses, the associated NFS storage targets will become temporarily unavailable. Read how to update your custom DNS system IP addresses in [View and manage storage targets](manage-storage-targets.md#update-ip-address-custom-dns-configurations-only).

- For example, if you choose 2GB/second throughput and do not choose the highest cache storage size, your cache supports a maximum of 10 storage targets.

-You can select from three storage target types: **NFS**, **Blob**, and **ADLS-NFS**. Choose the type that matches the kind of storage system you will use to store your files during this HPC Cache project.

- You will need to authorize the cache instance to access the storage account as described in [Add the access roles](#add-the-access-control-roles-to-your-account).

-You can do this ahead of time, or by clicking a link on the portal page where you add a Blob storage target. Keep in mind that it can take up to five minutes for the role settings to propagate through the Azure environment, so you should wait a few minutes after adding the roles before creating a storage target.

-

-1. Repeat this process to assign the role "Storage Blob Data Contributor".

-HPC Cache's built-in usage models let you choose how to balance fast response with the risk of getting stale data. If you want to optimize speed for reading files, you might not care whether the files in the cache are checked against the back-end files. On the other hand, if you want to make sure your files are always up to date with the remote storage, choose a model that checks frequently.

- Do not use this option if there is a risk that a file might be modified directly on the storage system without first writing it to the cache. If that happens, the cached version of the file will be out of sync with the back-end file.

- Client reads and client writes are both cached. Files in the cache are assumed to be newer than files on the back-end storage system. Cached files are only automatically checked against the files on back-end storage every eight hours. Modified files in the cache are written to the back-end storage system after they have been in the cache for 20 minutes with no additional changes.

-* Because NFS-enabled blob containers have an NFS-compatible hierarchical structure, you do not need to use the cache to ingest data, and the containers are readable by other NFS systems.

-To create an ADLS-NFS storage target, open the **Add storage target** page in the Azure portal. (Additional methods are in development.)

-* **Storage account** - Select the account that you want to use. If your NFS-enabled storage account does not appear in the list, check that it conforms to the prerequisites and that the cache can access it.

- You will need to authorize the cache instance to access the storage account as described in [Add the access roles](#add-the-access-control-roles-to-your-account).

-> Read [View and manage storage targets](manage-storage-targets.md) to learn how to delete or suspend storage targets, or make them write cached data to back-end storage.

-Storage targets in caches with some types of custom DNS settings also have a control for refreshing their IP addresses. (This kind of configuration is rare.) Learn how to refresh the DNS settings in [View and manage storage targets](manage-storage-targets.md#update-ip-address-custom-dns-configurations-only).

-Before using the Azure portal to create a new Azure HPC Cache, make sure your environment meets these requirements.

-* The subnet cannot host any other VMs, even for related services like client machines.

-The cache needs DNS to access resources outside of its virtual network. Depending on which resources you are using, you might need to set up a customized DNS server and configure forwarding between that server and Azure DNS servers:

-Additional tips for NTP access:

-<!-- heading is linked in create storage target GUI as aka.ms/hpc-cache-prereq#storage-infrastructure - make sure to fix that if you change the wording of this heading -->

-The size of your cache determines how many storage targets it can support - up to 10 storage targets for most caches, or up to 20 for the largest sizes. Read [Size your cache correctly to support your storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets) for details.

-The storage account must be accessible from your cache's private subnet. If your account uses a private endpoint or a public endpoint that is restricted to specific virtual networks, make sure to enable access from the cache's subnet. (An open public endpoint is not recommended.)

-You also must give the cache application access to your Azure storage account as mentioned in [Permissions](#permissions), above. Follow the procedure in [Add storage targets](hpc-cache-add-storage.md#add-the-access-control-roles-to-your-account) to give the cache the required access roles. If you are not the storage account owner, have the owner do this step.

- * Check export policies to make sure they do not include restrictions on root access from the cache's subnet.

- * Do not forget to complete the Advanced section, where you enable NFS access.

- If you are not the storage account owner, have the owner do this step.

-Some storage targets also have a **Refresh DNS** option on this menu, which updates the storage target IP address from a custom DNS server. This configuration is uncommon.

-The **Flush** option tells the cache to immediately copy any changed files stored in the cache to the back-end storage system. For example, if your client machines are updating a particular file repeatedly, it is held in the cache for quicker access and not written to the long-term storage system for a period ranging from several minutes to more than an hour.

-Deleting a storage target removes the storage system's association with this Azure HPC Cache, but it does not change the back-end storage system. For example, if you used an Azure Blob storage container, the container and its contents still exist after you delete it from the cache. You can add the container to a different Azure HPC Cache, re-add it to this cache, or delete it with the Azure portal.

-If there is a large amount of changed data stored in the cache, deleting a storage target can take several minutes to complete. Wait for the action to finish to be sure that the data is safely stored in your long-term storage system.

-### Update IP address (custom DNS configurations only)

-If your cache uses a non-default DNS configuration, it's possible for your NFS storage target's IP address to change because of back-end DNS changes. If your DNS server changes the back-end storage system's IP address, Azure HPC Cache can lose access to the storage system.

-Ideally, you should work with the manager of your cache's custom DNS system to plan for any updates, because these changes make storage unavailable.

-If you need to update a storage target's DNS-provided IP address, use the **Storage targets** page. Click the **...** symbol in the right column to open the context menu. Choose **Refresh DNS** to query the custom DNS server for a new IP address.

-* **State** indicates the operational state of the storage target. This value updates regularly and helps you understand whether or not the storage target is available for client requests, and also which of the management options are available.

-The **State** value affects which management options you can use. Here is a short explanation of the values and their effects.

-A cloud-based, companion microservice with a REST interface is described and available [here](https://github.com/Azure/Industrial-IoT/blob/master/docs/services/publisher.md). It can be used to configure OPC Publisher via an OpenAPI-compatible interface, for example through Swagger.

-IDictionary<string, string> models = client.GetModels("dtmi:com:example:TemperatureController;1");

-models.Keys.ToList().ForEach(k => Console.WriteLine(k));

-* West Europe

-> [!WARNING]

-> This feature is currently disabled due to an issue with the service.

-description: Get started learning how to retrieve load balancer metadata using the Azure Instance Metadata Service.

-# Retrieve load balancer metadata using the Azure Instance Metadata Service (IMDS)

-description: Get started learning about using the Azure Instance Metadata Service to retrieve load balancer information.

-# Retrieve load balancer information by using the Azure Instance Metadata Service

-When you place virtual machine or virtual machine set instances behind an Azure Standard Load Balancer, use the IMDS to retrieve metadata related to the load balancer and the instances.

-## Access the load balancer metadata using the IMDS

-For more information on how to access the load balancer metadata, see [Use the Azure Instance Metadata Service to access load balancer information](howto-load-balancer-imds.md).

-Azure Load Balancer supports availability zones scenarios. You can use Standard Load Balancer to increase availability throughout your scenario by aligning resources with, and distribution across zones. Review this document to understand these concepts and fundamental scenario design guidance

-It is recommended you use zone-redundant Load Balancer for your production workloads.

-> The generally available functionality for creating datastores requires credential-based authentication for accessing storage services, like a service principal or shared access signature (SAS) token. These credentials can be accessed by users who have *Reader* access to the workspace. <br><br>If this is a concern, [create a datastore that uses identity-based data access to storage services](how-to-identity-based-data-access.md).

-This task type is a required parameter and is passed in using the `task` parameter in the `AutoMLImageConfig`.

-The model algorithm is required and is passed in via `model_name` parameter. You can either specify a single `model_name` or choose between multiple. In addition to controlling the model algorithm, you can also tune hyperparameters used for model training. While many of the hyperparameters exposed are model-agnostic, there are instances where hyperparameters are task-specific or model-specific.

-The following table summarizes the supported models for each computer vision task.

-Object detection | **YOLOv5**: One stage object detection model <br> **Faster RCNN ResNet FPN**: Two stage object detection models <br> **RetinaNet ResNet FPN**: address class imbalance with Focal Loss <br> <br>*Note: Refer to [`model_size` hyperparameter](#model-specific-hyperparameters) for YOLOv5 model sizes.*| ***`yolov5`\**** <br> `fasterrcnn_resnet18_fpn` <br> `fasterrcnn_resnet34_fpn` <br> `fasterrcnn_resnet50_fpn` <br> `fasterrcnn_resnet101_fpn` <br> `fasterrcnn_resnet152_fpn` <br> `retinanet_resnet50_fpn`

-### Model agnostic hyperparameters

-The following table describes the hyperparameters that are model agnostic.

-| Parameter name | Description | Default|

-| | - | |

-| `number_of_epochs` | Number of training epochs. <br>Must be a positive integer. | 15 <br> (except `yolov5`: 30) |

-| `training_batch_size` | Training batch size.<br> Must be a positive integer. | Multi-class/multi-label: 78 <br>(except *vit-variants*: <br> `vits16r224`: 128 <br>`vitb16r224`: 48 <br>`vitl16r224`:10)<br><br>Object detection: 2 <br>(except `yolov5`: 16) <br><br> Instance segmentation: 2 <br> <br> *Note: The defaults are largest batch size that can be used on 12 GiB GPU memory*.|

-| `validation_batch_size` | Validation batch size.<br> Must be a positive integer. | Multi-class/multi-label: 78 <br>(except *vit-variants*: <br> `vits16r224`: 128 <br>`vitb16r224`: 48 <br>`vitl16r224`:10)<br><br>Object detection: 1 <br>(except `yolov5`: 16) <br><br> Instance segmentation: 1 <br> <br> *Note: The defaults are largest batch size that can be used on 12 GiB GPU memory*.|

-| `grad_accumulation_step` | Gradient accumulation means running a configured number of `grad_accumulation_step` without updating the model weights while accumulating the gradients of those steps, and then using the accumulated gradients to compute the weight updates. <br> Must be a positive integer. | 1 |

-| `early_stopping` | Enable early stopping logic during training. <br> Must be 0 or 1.| 1 |

-| `early_stopping_patience` | Minimum number of epochs or validation evaluations with<br>no primary metric improvement before the run is stopped.<br> Must be a positive integer. | 5 |

-| `early_stopping_delay` | Minimum number of epochs or validation evaluations to wait<br>before primary metric improvement is tracked for early stopping.<br> Must be a positive integer. | 5 |

-| `learning_rate` | Initial learning rate. <br>Must be a float in the range [0, 1]. | Multi-class: 0.01 <br>(except *vit-variants*: <br> `vits16r224`: 0.0125<br>`vitb16r224`: 0.0125<br>`vitl16r224`: 0.001) <br><br> Multi-label: 0.035 <br>(except *vit-variants*:<br>`vits16r224`: 0.025<br>`vitb16r224`: 0.025 <br>`vitl16r224`: 0.002) <br><br> Object detection: 0.005 <br>(except `yolov5`: 0.01) <br><br> Instance segmentation: 0.005 |

-| `lr_scheduler` | Type of learning rate scheduler. <br> Must be `warmup_cosine` or `step`. | `warmup_cosine` |

-| `step_lr_gamma` | Value of gamma when learning rate scheduler is `step`.<br> Must be a float in the range [0, 1]. | 0.5 |

-| `step_lr_step_size` | Value of step size when learning rate scheduler is `step`.<br> Must be a positive integer. | 5 |

-| `warmup_cosine_lr_cycles` | Value of cosine cycle when learning rate scheduler is `warmup_cosine`. <br> Must be a float in the range [0, 1]. | 0.45 |

-| `warmup_cosine_lr_warmup_epochs` | Value of warmup epochs when learning rate scheduler is `warmup_cosine`. <br> Must be a positive integer. | 2 |

-| `optimizer` | Type of optimizer. <br> Must be either `sgd`, `adam`, `adamw`. | `sgd` |

-| `momentum` | Value of momentum when optimizer is `sgd`. <br> Must be a float in the range [0, 1]. | 0.9 |

-| `weight_decay` | Value of weight decay when optimizer is `sgd`, `adam`, or `adamw`. <br> Must be a float in the range [0, 1]. | 1e-4 |

-|`nesterov`| Enable `nesterov` when optimizer is `sgd`. <br> Must be 0 or 1.| 1 |

-|`beta1` | Value of `beta1` when optimizer is `adam` or `adamw`. <br> Must be a float in the range [0, 1]. | 0.9 |

-|`beta2` | Value of `beta2` when optimizer is `adam` or `adamw`.<br> Must be a float in the range [0, 1]. | 0.999 |

-|`amsgrad` | Enable `amsgrad` when optimizer is `adam` or `adamw`.<br> Must be 0 or 1. | 0 |

-|`evaluation_frequency`| Frequency to evaluate validation dataset to get metric scores. <br> Must be a positive integer. | 1 |

-|`split_ratio`| If validation data is not defined, this specifies the split ratio for splitting train data into random train and validation subsets. <br> Must be a float in the range [0, 1].| 0.2 |

-|`checkpoint_frequency`| Frequency to store model checkpoints. <br> Must be a positive integer. | Checkpoint at epoch with best primary metric on validation.|

-|`layers_to_freeze`| How many layers to freeze for your model. For instance, passing 2 as value for `seresnext` means freezing layer0 and layer1 referring to the below supported model layer info. <br> Must be a positive integer. <br><br>`'resnet': [('conv1.', 'bn1.'), 'layer1.', 'layer2.', 'layer3.', 'layer4.'],`<br>`'mobilenetv2': ['features.0.', 'features.1.', 'features.2.', 'features.3.', 'features.4.', 'features.5.', 'features.6.', 'features.7.', 'features.8.', 'features.9.', 'features.10.', 'features.11.', 'features.12.', 'features.13.', 'features.14.', 'features.15.', 'features.16.', 'features.17.', 'features.18.'],`<br>`'seresnext': ['layer0.', 'layer1.', 'layer2.', 'layer3.', 'layer4.'],`<br>`'vit': ['patch_embed', 'blocks.0.', 'blocks.1.', 'blocks.2.', 'blocks.3.', 'blocks.4.', 'blocks.5.', 'blocks.6.','blocks.7.', 'blocks.8.', 'blocks.9.', 'blocks.10.', 'blocks.11.'],`<br>`'yolov5_backbone': ['model.0.', 'model.1.', 'model.2.', 'model.3.', 'model.4.','model.5.', 'model.6.', 'model.7.', 'model.8.', 'model.9.'],`<br>`'resnet_backbone': ['backbone.body.conv1.', 'backbone.body.layer1.', 'backbone.body.layer2.','backbone.body.layer3.', 'backbone.body.layer4.']` | no default  |

-### Task-specific hyperparameters

-The following table summarizes hyperparmeters for image classification (multi-class and multi-label) tasks.

-| Parameter name | Description | Default |

-| - |-|--|

-| `weighted_loss` | 0 for no weighted loss.<br>1 for weighted loss with sqrt.(class_weights) <br> 2 for weighted loss with class_weights. <br> Must be 0 or 1 or 2. | 0 |

-| `valid_resize_size` | Image size to which to resize before cropping for validation dataset. <br> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> Training run may get into CUDA OOM if the size is too big*. | 256  |

-| `valid_crop_size` | Image crop size that's input to your neural network for validation dataset. <br> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> *ViT-variants* should have the same `valid_crop_size` and `train_crop_size`. <li> Training run may get into CUDA OOM if the size is too big*. | 224 |

-| `train_crop_size` | Image crop size that's input to your neural network for train dataset. <br> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> *ViT-variants* should have the same `valid_crop_size` and `train_crop_size`. <li> Training run may get into CUDA OOM if the size is too big*. | 224 |

-The following hyperparameters are for object detection and instance segmentation tasks.

-> [!Warning]

-> These parameters are not supported with the `yolov5` algorithm.

-| Parameter name | Description | Default |

-| - |-|--|

-| `validation_metric_type` | Metric computation method to use for validation metrics. <br> Must be `none`, `coco`, `voc`, or `coco_voc`. | `voc` |

-| `min_size` | Minimum size of the image to be rescaled before feeding it to the backbone. <br> Must be a positive integer. <br> <br> *Note: training run may get into CUDA OOM if the size is too big*.| 600 |

-| `max_size` | Maximum size of the image to be rescaled before feeding it to the backbone. <br> Must be a positive integer.<br> <br> *Note: training run may get into CUDA OOM if the size is too big*. | 1333 |

-| `box_score_thresh` | During inference, only return proposals with a classification score greater than `box_score_thresh`. <br> Must be a float in the range [0, 1].| 0.3 |

-| `box_nms_thresh` | Non-maximum suppression (NMS) threshold for the prediction head. Used during inference. <br>Must be a float in the range [0, 1]. | 0.5 |

-| `box_detections_per_img` | Maximum number of detections per image, for all classes. <br> Must be a positive integer.| 100 |

-| `tile_grid_size` | The grid size to use for tiling each image. <br>*Note: tile_grid_size must not be None to enable [small object detection](how-to-use-automl-small-object-detect.md) logic*<br> A tuple of two integers passed as a string. Example: --tile_grid_size "(3, 2)" | No Default |

-| `tile_overlap_ratio` | Overlap ratio between adjacent tiles in each dimension. <br> Must be float in the range of [0, 1) | 0.25 |

-| `tile_predictions_nms_thresh` | The IOU threshold to use to perform NMS while merging predictions from tiles and image. Used in validation/ inference. <br> Must be float in the range of [0, 1] | 0.25 |

-### Model-specific hyperparameters

-This table summarizes hyperparameters specific to the `yolov5` algorithm.

-| Parameter name | Description | Default |

-| - |-|-|

-| `validation_metric_type` | Metric computation method to use for validation metrics. <br> Must be `none`, `coco`, `voc`, or `coco_voc`. | `voc` |

-| `img_size` | Image size for train and validation. <br> Must be a positive integer. <br> <br> *Note: training run may get into CUDA OOM if the size is too big*. | 640 |

-| `model_size` | Model size. <br> Must be `small`, `medium`, `large`, or `xlarge`. <br><br> *Note: training run may get into CUDA OOM if the model size is too big*. | `medium` |

-| `multi_scale` | Enable multi-scale image by varying image size by +/- 50% <br> Must be 0 or 1. <br> <br> *Note: training run may get into CUDA OOM if no sufficient GPU memory*. | 0 |

-| `box_score_thresh` | During inference, only return proposals with a score greater than `box_score_thresh`. The score is the multiplication of the objectness score and classification probability. <br> Must be a float in the range [0, 1]. | 0.1 |

-| `box_iou_thresh` | IoU threshold used during inference in non-maximum suppression post processing. <br> Must be a float in the range [0, 1]. | 0.5 |

-You can define the model algorithms and hyperparameters to sweep in the parameter space. See [Configure model algorithms and hyperparameters](#configure-model-algorithms-and-hyperparameters) for the list of supported model algorithms and hyperparameters for each task type. See [details on supported distributions for discrete and continuous hyperparameters](how-to-tune-hyperparameters.md#define-the-search-space).

-It should be noted that currently only random sampling supports conditional hyperparameter spaces

-The automl training runs generates output model files, evaluation metrics, logs and deployment artifacts like the scoring file and the environment file which can be viewed from the outputs and logs and metrics tab of the child runs.

-For a detailed description on these parameters, please refer to the above section on [task specific hyperparameters](#task-specific-hyperparameters).

-* When using a workspace with multiple private endpoints (preview), one of the private endpoints must be in the same VNet as the following dependency

-## Multiple private endpoints (preview)

-As a preview feature, Azure Machine Learning supports multiple private endpoints for a workspace. Multiple private endpoints are often used when you want to keep different environments separate. The following are some scenarios that are enabled by using multiple private endpoints:

-Adding multiple endpoints uses the same steps as described in the [Add a private endpoint to a workspace](#add-a-private-endpoint-to-a-workspace) section.

-[FileDatasets](how-to-create-register-datasets.md#filedataset) create references to single or multiple files or public URLs. Whereas,

-[TabularDatasets](how-to-create-register-datasets.md#tabulardataset) represent your data in a tabular format. You can create TabularDatasets from .csv, .tsv, .parquet, .jsonl files, and from SQL query results.

- 1. If your data is formatted into subsets, for example time windows, and you want to use those subsets for training, select type **Partition timestamp**. Doing so enables timeseries operations on your dataset. Learn more about how to [leverage partitions in your dataset for training](how-to-monitor-datasets.md?tabs=azure-studio#create-target-dataset).

-# Customer intent: As an experienced Python developer, I need to make my data in Azure Storage available to my compute to train my machine learning models.

-Typically, datastores use credential-based data access to confirm you have permission to access the storage service. They keep connection information, like your subscription ID and token authorization, in the [key vault](https://azure.microsoft.com/services/key-vault/) that's associated with the workspace. When you create a datastore that uses identity-based data access, your Azure account ([Azure Active Directory token](../active-directory/fundamentals/active-directory-whatis.md)) is used to confirm you have permission to access the storage service. In this scenario, no authentication credentials are saved. Only the storage account information is stored in the datastore.

-To create datastores that use credential-based authentication, like access keys or service principals, see [Connect to storage services on Azure](how-to-access-data.md).

-> [!IMPORTANT]

-Certain machine learning scenarios involve training models with private data. In such cases, data scientists need to run training workflows without being exposed to the confidential input data. In this scenario, a managed identity of the training compute is used for data access authentication. This approach allows storage admins to grant Storage Blob Data Reader access to the managed identity that the training compute uses to run the training job. The individual data scientists don't need to be granted access. For more information, see [Set up managed identity on a compute cluster](how-to-create-attach-compute-cluster.md#managed-identity).

-Identity-based data access supports connections to only the following storage

-* **Training compute access** - Access training compute targets like Azure Machine Learning Compute Instance and Azure Machine Learning Compute Clusters with public IP addresses (preview).

-### Object detection and Instance segmentation metrics

-The predictions with confidence score greater than score threshold are output as predictions and used in the metric calculation, the default value of which is model specific and can be referred from the [hyperparameter tuning](how-to-auto-train-image-models.md#model-specific-hyperparameters) page(`box_score_threshold` hyperparameter).

-> The image object detection model evaluation can use coco metrics if the `validation_metric_type` hyperparameter is set to be 'coco' as explained in the [hyperparameter tuning](how-to-auto-train-image-models.md#task-specific-hyperparameters) section.

-Configuring geo-redundant storage for backup is only allowed during server create. Once the server is provisioned, you cannot change the backup storage redundancy option. However you can still move your existing backups storage to geo-redundant storage using the following suggested ways :

-The backup retention period governs how far back in time can a point-in-time restore operation be performed, since it's based on backups available. The backup retention period can also be treated as a recovery window from a restore perspective. All backups required to perform a point-in-time restore within the backup retention period are retained in backup storage. For example - if the backup retention period is set to seven days, the recovery window is considered last seven days. In this scenario, all the backups required to restore the server in last seven days are retained. With a backup retention window of seven days, database snapshots and transaction log backups are stored for the last eight days (1 day prior to the window).

-The Backup and Restore blade in the Azure portal lists the automated full backups taken daily once. One can use this blade to view the completion timestamps for all available full backups within the serverΓÇÖs retention period and to perform restore operations using these full backups. The list of available backups includes all full automated backups within the retention period, a timestamp showing the successful completion, a timestamp indicating how long a backup will be retained, and a restore action.

-The estimated time of recovery depends on several factors including the database sizes, the transaction log backup size, the compute size of the SKU, and the time of the restore as well. The transaction log recovery is the most time consuming part of the restore process. If the restore time is chosen closer to the snapshot backup schedule, the restore operations are faster since transaction log application is minimal. To estimate the accurate recovery time for your server, we highly recommend testing it in your environment as it has too many environment specific variables.

-You can restore a server to it's [geo-paired region](../../availability-zones/cross-region-replication-azure.md) where the service is available if you have configured your server for geo-redundant backups. Geo-restore to other regions is not supported currently.

-By default, Azure Database for MySQL enables automated backups of your entire server (encompassing all databases created) with a default 7 day retention period. The only way to manually take a backup is by using community tools such as mysqldump as documented [here](../concepts-migrate-dump-restore.md#dump-and-restore-using-mysqldump-utility) or mydumper as documented [here](../concepts-migrate-mydumper-myloader.md#create-a-backup-using-mydumper). If you wish to backup Azure Database for MySQL to a Blob storage, refer to our tech community blog [Backup Azure Database for MySQL to a Blob Storage](https://techcommunity.microsoft.com/t5/azure-database-for-mysql/backup-azure-database-for-mysql-to-a-blob-storage/ba-p/803830).

-The best way to validate availability of successfully completed backups is to view the full automated backups taken within the retention period in the Backup and Restore blade. If a backup fails it will not be listed in the available backups list and our backup service will try every 20 mins to take a backup until a successful backup is taken. These backup failures are due to heavy transactional production loads on the server.

-| **Geo-redundant backup** | Flexible server backups can be configured as geo-redundant at create time. Enabling Geo-redundancy replicates the server backup data files in the primary region’s paired region to provide regional resiliency. Geo-redundant backup storage provides at least 99.99999999999999% (16 nines) durability of objects over a given year. Refer to [Concepts - Backup and Restore](./concepts-backup-restore.md) for more details.| Available in all [Azure paired regions](../../availability-zones/cross-region-replication-azure.md) |

-| Brazil South | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

-| West US 3 | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |

-| Ability to restore to a different region | Yes (Geo-redundant) | No | User Managed |

-| Ability to restore a deleted server | Yes | No | No |

-| DR across Azure regions | Using cross region read replicas, geo-redundant backup | Not supported | User Managed |

-# Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Red Hat OpenShift 4 cluster

-This guide demonstrates how to run your Java, Java EE, [Jakarta EE](https://jakarta.ee/), or [MicroProfile](https://microprofile.io/) application on the Open Liberty/WebSphere Liberty runtime and then deploy the containerized application to an Azure Red Hat OpenShift (ARO) 4 cluster using the Open Liberty Operator. This article will walk you through preparing a Liberty application, building the application Docker image and running the containerized application on an ARO 4 cluster. For more details on Open Liberty, see [the Open Liberty project page](https://openliberty.io/). For more details on IBM WebSphere Liberty see [the WebSphere Liberty product page](https://www.ibm.com/cloud/websphere-liberty).

- Though the "Get a Red Hat pull secret" step is labeled as optional, **it is required for this article**. The pull secret enables your Azure Red Hat OpenShift cluster to find the Open Liberty Operator.

- * Write down the cluster console URL which looks like `https://console-openshift-console.apps.<random>.<region>.aroapp.io/`.

-* The output of `oc whoami` after following the steps for signing in to the OpenShift CLI. This value is called **aad-user** for discussion.

-Besides image management, the **aad-user** will also be granted administrative permissions for managing resources in the demo project of the ARO 4 cluster. Sign in to the OpenShift CLI and grant the **aad-user** the necessary privileges by following these steps.

-After creating and connecting to the cluster, install the Open Liberty Operator. The main starting page for the Open Liberty Operator is on [GitHub](https://github.com/OpenLiberty/open-liberty-operator).

-7. Observe the Open Liberty Operator is successfully installed and ready for use. If you don't, diagnose and resolve the problem before continuing.

-We'll use a Java EE 8 application as our example in this guide. Open Liberty is a [Java EE 8 full profile](https://javaee.github.io/javaee-spec/javadocs/) compatible server, so it can easily run the application. Open Liberty is also [Jakarta EE 8 full profile compatible](https://jakarta.ee/specifications/platform/8/apidocs/).

-To run the application on Open Liberty, you need to create an Open Liberty server configuration file so that the [Liberty Maven plugin](https://github.com/OpenLiberty/ci.maven#liberty-maven-plugin) can package the application for deployment. The Liberty Maven plugin is not required to deploy the application to OpenShift. However, we'll use it in this example with Open LibertyΓÇÖs developer (dev) mode. Developer mode lets you easily run the application locally. Complete the following steps on your local computer.

-1. Copy `2-simple/pom.xml` to `1-start/pom.xml`. This step adds the `liberty-maven-plugin` to the POM.

-1. Sign in with the OpenShift CLI by using the following steps. For discussion, this process is known as `oc login`.

-1. In the middle of the page, select **Open Liberty Application**. The navigation of items in the user interface mirrors the actual containment hierarchy of technologies in use.

-3. Change directory to `2-simple` of your local clone, and run the following commands to deploy your Liberty application to the ARO 4 cluster. Command output is also shown inline.

-4. Check to see `1/1` under the `READY` column before you continue. If not, investigate and resolve the problem before continuing.

-| **Azure SQL Managed Instance** | Microsoft.Sql/managedInstances | Sql Managed Instance (managedInstance) |

-This package contains the entire C# API as well as all plugin binaries required to use Azure Remote Rendering with Unity.

-[The Mixed Reality Feature Tool](/windows/mixed-reality/develop/unity/welcome-to-mr-feature-tool) ([download](https://aka.ms/mrfeaturetool)) is a tool used to integrate Mixed Reality feature packages into Unity projects. The package is not part of the [ARR samples repository](https://github.com/Azure/azure-remote-rendering), and it is not available from Unity's internal package registry.

-To add the package to a project you need to:

-1. On the **Discover Features** page tick the box for the **Microsoft Azure Remote Rendering** package and select the version of the package you wish to add to your project

-To update your local package just select a newer version from the Mixed Reality Feature Tool and install it. Updating the package may occasionally lead to console errors. If this occurs, try closing and reopening the project.

- ```

- * Run the following command in PowerShell to download the package to the provided destination directory.

-1. [Install the downloaded package](https://docs.unity3d.com/Manual/upm-ui-tarball.html) with Unity's Package Manager.

-To update your local package just rerun the respective command you used and reimport the package. Updating the package may occasionally lead to console errors. If this occurs, try closing and reopening the project.

-To use the **:::no-loc text="Universal render pipeline":::**, its package has to be installed in Unity. This can either be done in Unity's **Package Manager** UI (package name **Universal RP**, version 7.3.1 or newer), or through the `Packages/manifest.json` file, as described in the [Unity project setup tutorial](../../tutorials/unity/view-remote-models/view-remote-models.md#include-the-azure-remote-rendering-package).

-* [Tutorial: View Remote Models](../../tutorials/unity/view-remote-models/view-remote-models.md)

-1. Click the **"..."** button in the top right.

-1. Select **Downloads and Updates**.

-1. Search the list for **HEVC Video Extensions from Device Manufacturer**. If this item is not listed under updates, the most recent version is already installed.

-1. Click the **Get Updates** button and wait for it to install.

-## Include the Azure Remote Rendering package

-[Follow the instructions](../../../how-tos/unity/install-remote-rendering-unity-package.md) on how to add the Azure Remote Rendering package to a Unity Project.

-1. Open the context menu by right clicking on the *Transform* component and select the **Reset** option:

- 

- 

- 

-1. Change the **Default Quality Level** of all platforms to *Low*. This setting will enable more efficient rendering of local content and doesn't affect the quality of remotely rendered content.

- 

-1. Change the **Scriptable Rendering Pipeline** setting to *HybridRenderingPipeline*.\

- \

- Sometimes the UI does not populate the list of available pipeline types from the packages. If this occurs, the *HybridRenderingPipeline* asset must be dragged onto the field manually:\

- 

- > If you're unable to drag and drop the *HybridRenderingPipeline* asset into the Render Pipeline Asset field (possibly because the field doesn't exist!), ensure your package configuration contains the `com.unity.render-pipelines.universal` package.

-1. Select the **Universal Windows Platform settings** tab, represented as a Windows icon.

-1. Change the **XR Settings** to support Windows Mixed Reality as shown below:

- 1. Enable **Virtual Reality Supported**

- 1. Press the '+' button and add **Windows Mixed Reality**

- 1. Set **Depth Format** to *16-Bit Depth*

- 1. Ensure **Depth Buffer Sharing** is enabled

- 1. Set **Stereo Rendering Mode** to *Single Pass Instanced*

- 

-1. In the same window, above **XR Settings**, expand **Publishing Settings**

-1. Scroll down to **Capabilities** and select:

- * **InternetClient**

- * **InternetClientServer**

- * **SpatialPerception**

- * **PrivateNetworkClientServer** (*optional*). Select this option if you want to connect the Unity remote debugger to your device.

-1. Under **Supported Device Families**, enable **Holographic** and **Desktop**

-1. Select **Universal Windows Platform**

-1. Configure your settings to match those found below

-1. Press the **Switch Platform** button.\

-

- 

-

- 

-

-

-

-1. Drag the component on to its own event, to reference itself.\

-\

-

-

-

-

-

- 

-

-In this article, learn the steps for extracting content and metadata from file shares in Azure Storage and sending the content to a search index in Azure Cognitive Search. The resulting index can be queried using full text search.

-+ Files should contain non-binary textual content for text-based indexing. This indexer also supports [AI enrichment](cognitive-search-concept-intro.md) if you have binary files.

-A primary difference between a file share indexer and other indexers is the data source assignment. The data source definition specifies "type": `"azurefile"`, a content path, and how to connect.

-A data source definition can also include additional properties for [soft deletion policies](#soft-delete-using-custom-metadata) and [field mappings](search-indexer-field-mappings.md) if field names and types are not the same.

-**Full access storage account connection string**:

-`{ "connectionString" : "DefaultEndpointsProtocol=https;AccountName=<your storage account>;AccountKey=<your account key>;" }`

-You can get the connection string from the Storage account page in Azure portal by selecting **Access keys** in the left navigation pane. Make sure to select a full connection string and not just a key.

-**Managed identity connection string**:

-`{ "connectionString" : "ResourceId=/subscriptions/<your subscription ID>/resourceGroups/<your resource group name>/providers/Microsoft.Storage/storageAccounts/<your storage account name>/;" }`

-This connection string requires [configuring your search service as a trusted service](search-howto-managed-identities-storage.md) under Azure Active Directory,and then granting **Reader and data access** rights to the search service in Azure Storage.

-**Storage account shared access signature** (SAS) connection string:

-`{ "connectionString" : "BlobEndpoint=https://<your account>.file.core.windows.net/;SharedAccessSignature=?sv=2016-05-31&sig=<the signature>&spr=https&se=<the validity end time>&sp=rl&sr=s;" }`

-The SAS should have the list and read permissions on file shares.

-**Container shared access signature**:

-`{ "connectionString" : "ContainerSharedAccessUri=https://<your storage account>.file.core.windows.net/<share name>?sv=2016-05-31&sr=s&sig=<the signature>&se=<the validity end time>&sp=rl;" }`

-The SAS should have the list and read permissions on the file share. For more information on storage shared access signatures, see [Using Shared Access Signatures](../storage/common/storage-sas-overview.md).

-> If you use SAS credentials, you will need to update the data source credentials periodically with renewed signatures to prevent their expiration. If SAS credentials expire, the indexer will fail with an error message similar to "Credentials provided in the connection string are invalid or have expired".

-1. [Create or update an index](/rest/api/searchservice/create-index) to define search fields that will store file content, metadata, and system properties:

- ```json

-1. Create a key field ("key": true) to uniquely identify each search document based on unique identifiers in the files. For this data source type, the indexer will automatically identify and encode a value for this field. No field mappings are necessary.

-1. Add a "content" field to store extracted text from each file.

-1. See [Create an indexer](search-howto-create-indexers.md) for more information about other properties.

-## Change and deletion detection

-After an initial search index is created, you might want subsequent indexer jobs to pick up only new and changed documents. Fortunately, content in Azure Storage is timestamped, which gives indexers sufficient information for determining what's new and changed automatically. For search content that originates from Azure File Storage, the indexer keeps track of the file's `LastModified` timestamp and reindexes only new and changed files.

-Although change detection is a given, deletion detection is not. If you want to detect deleted files, make sure to use a "soft delete" approach. If you delete the files outright in a file share, corresponding search documents will not be removed from the search index.

-## Soft delete using custom metadata

-This method uses a file's metadata to determine whether a search document should be removed from the index. This method requires two separate actions, deleting the search document from the index, followed by file deletion in Azure Storage.

-There are steps to follow in both File storage and Cognitive Search, but there are no other feature dependencies.

-1. Add a custom metadata key-value pair to the file in Azure storage to indicate to Azure Cognitive Search that it is logically deleted.

-1. Configure a soft deletion column detection policy on the data source. For example, the following policy considers a file to be deleted if it has a metadata property `IsDeleted` with the value `true`:

- ```http

- PUT https://[service name].search.windows.net/datasources/file-datasource?api-version=2020-06-30

- Content-Type: application/json

- api-key: [admin key]

- {

- "name" : "file-datasource",

- "type" : "azurefile",

- "credentials" : { "connectionString" : "<your storage connection string>" },

- "container" : { "name" : "my-share", "query" : null },

- "dataDeletionDetectionPolicy" : {

- "@odata.type" :"#Microsoft.Azure.Search.SoftDeleteColumnDeletionDetectionPolicy",

- "softDeleteColumnName" : "IsDeleted",

- "softDeleteMarkerValue" : "true"

- }

- }

- ```

-1. Once the indexer has processed the file and deleted the document from the search index, you can delete the file in Azure Storage.

-### Reindexing undeleted files (using custom metadata)

-After an indexer processes a deleted file and removes the corresponding search document from the index, it won't revisit that file if you restore it later if the file's `LastModified` timestamp is older than the last indexer run.

-If you would like to reindex that document, change the `"softDeleteMarkerValue" : "false"` for that file and rerun the indexer.

-## See also

-+ [Indexers in Azure Cognitive Search](search-indexer-overview.md)

-+ [What is Azure Files?](../storage/files/storage-files-introduction.md)

-description: Set up an Azure Data Lake Storage Gen2 indexer to automate indexing of content and metadata for full text search in Azure Cognitive Search.

-This article shows you how to configure an Azure Data Lake Storage (ADLS) Gen2 indexer to extract content and make it searchable in Azure Cognitive Search. This workflow creates a search index on Azure Cognitive Search and loads it with existing content extracted from ADLS Gen2.

-ADLS Gen2 is available through Azure Storage. When setting up an Azure Storage account, you have the option of enabling [hierarchical namespace](../storage/blobs/data-lake-storage-namespace.md) that organizes files into a hierarchy of directories and nested subdirectories. By enabling hierarchical namespace, you enable ADLS Gen2.

-Examples in this article use the portal and REST APIs. For examples in C#, see [Index Data Lake Gen2 using Azure AD](https://github.com/Azure-Samples/azure-search-dotnet-samples/blob/master/data-lake-gen2-acl-indexing/README.md) on GitHub.

-This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information specific to indexing from Blob Storage.

-+ Blob content cannot exceed the [indexer limits](search-limits-quotas-capacity.md#indexer-limits) for your search service tier.

-Azure Cognitive Search supports [Azure RBAC for indexer access](search-howto-managed-identities-storage.md) to your content in storage, but it does not support document-level permissions. In Azure Cognitive Search, all users have the same level of access to all searchable and retrievable content in the index. If document-level permissions are an application requirement, consider [security trimming](search-security-trimming-for-azure-search.md) as a workaround.

-The data source definition specifies the data source type, as well as other properties for authentication and connection to the content to be indexed.

-A Data Lake Storage Gen2 data source definition looks similar to the example below:

-```http

- POST https://[service name].search.windows.net/datasources?api-version=2020-06-30

- Content-Type: application/json

- api-key: [Search service admin key]

- "name" : "adlsgen2-datasource",

-```

-The `"credentials"` property can be a connection string, as shown in the above example, or one of the alternative approaches described in the next section. The `"container"` property provides the location of content within Azure Storage, and `"query"` is used to specify a subfolder in the container. For more information about data source definitions, see [Create Data Source (REST)](/rest/api/searchservice/create-data-source).

-<a name="Credentials"></a>

-### Supported credentials and connection strings

-You can provide the credentials for the container in one of these ways:

-**Managed identity connection string**:

-`{ "connectionString" : "ResourceId=/subscriptions/<your subscription ID>/resourceGroups/<your resource group name>/providers/Microsoft.Storage/storageAccounts/<your storage account name>/;" }`

-This connection string does not require an account key, but you must follow the instructions for [Setting up a connection to an Azure Storage account using a managed identity](search-howto-managed-identities-storage.md).

-**Full access storage account connection string**:

-`{ "connectionString" : "DefaultEndpointsProtocol=https;AccountName=<your storage account>;AccountKey=<your account key>;" }`

-You can get the connection string from the Azure portal by navigating to the storage account blade > Settings > Keys (for Classic storage accounts) or Settings > Access keys (for Azure Resource Manager storage accounts).

-**Storage account shared access signature** (SAS) connection string:

-`{ "connectionString" : "BlobEndpoint=https://<your account>.blob.core.windows.net/;SharedAccessSignature=?sv=2016-05-31&sig=<the signature>&spr=https&se=<the validity end time>&srt=co&ss=b&sp=rl;" }`

-The SAS should have the list and read permissions on containers and objects (blobs in this case).

-**Container shared access signature**:

-`{ "connectionString" : "ContainerSharedAccessUri=https://<your storage account>.blob.core.windows.net/<container name>?sv=2016-05-31&sr=c&sig=<the signature>&se=<the validity end time>&sp=rl;" }`

-The SAS should have the list and read permissions on the container. For more information on storage shared access signatures, see [Using Shared Access Signatures](../storage/common/storage-sas-overview.md).

-### Step 2 - Create an index

-The index specifies the fields in a document, attributes, and other constructs that shape the search experience. All indexers require that you specify a search index definition as the destination. The following example uses the [Create Index (REST API)](/rest/api/searchservice/create-index).

-```http

- Content-Type: application/json

- api-key: [admin key]

-

- "name" : "my-target-index",

- { "name": "id", "type": "Edm.String", "key": true, "searchable": false },

- { "name": "content", "type": "Edm.String", "searchable": true, "filterable": false, "sortable": false, "facetable": false }

- }

-```

-Index definitions require one field in the `"fields"` collection to act as the document key. Index definitions should also include fields for content and metadata.

-A **`content`** field is common to blob content. It contains the text extracted from blobs. Your definition of this field might look similar to the one above. You aren't required to use this name, but doing lets you take advantage of implicit field mappings. The blob indexer can send blob contents to a content Edm.String field in the index, with no field mappings required.

-You could also add fields for any blob metadata that you want in the index. The indexer can read custom metadata properties, [standard metadata](#indexing-blob-metadata) properties, and [content-specific metadata](search-blob-metadata-properties.md) properties. For more information about indexes, see [Create an index](search-what-is-an-index.md).

-### Step 3 - Configure and run the indexer

-Once the index and data source have been created, you're ready to [create the indexer](/rest/api/searchservice/create-indexer):

-```http

- POST https://[service name].search.windows.net/indexers?api-version=2020-06-30

- Content-Type: application/json

- api-key: [admin key]

- {

- "name" : "adlsgen2-indexer",

- "dataSourceName" : "adlsgen2-datasource",

- "targetIndexName" : "my-target-index",

- "schedule" : {

- "interval" : "PT2H"

-```

-This indexer runs immediately, and then [on a schedule](search-howto-schedule-indexers.md) every two hours (schedule interval is set to "PT2H"). To run an indexer every 30 minutes, set the interval to "PT30M". The shortest supported interval is 5 minutes. The schedule is optional - if omitted, an indexer runs only once when it's created. However, you can run an indexer on-demand at any time.

-<a name="DocumentKeys"></a>

-## Defining document keys and field mappings

-In a search index, the document key uniquely identifies each document. The field you choose must be of type `Edm.String`. For blob content, the best candidates for a document key are metadata properties on the blob.

-+ **`metadata_storage_name`** - this property is a candidate, but only if names are unique across all containers and folders you are indexing. Regardless of blob location, the end result is that the document key (name) must be unique in the search index after all content has been indexed.

- Another potential issue about the storage name is that it might contain characters that are invalid for document keys, such as dashes. You can handle invalid characters by using the `base64Encode` [field mapping function](search-indexer-field-mappings.md#base64EncodeFunction). If you do this, remember to also encode document keys when passing them in API calls such as [Lookup Document (REST)](/rest/api/searchservice/lookup-document). In .NET, you can use the [UrlTokenEncode method](/dotnet/api/system.web.httpserverutility.urltokenencode) to encode characters.

-+ **`metadata_storage_path`** - using the full path ensures uniqueness, but the path definitely contains `/` characters that are [invalid in a document key](/rest/api/searchservice/naming-rules). As above, you can use the `base64Encode` [function](search-indexer-field-mappings.md#base64EncodeFunction) to encode characters.

-+ A third option is to add a custom metadata property to the blobs. This option requires that your blob upload process adds that metadata property to all blobs. Since the key is a required property, any blobs that are missing a value will fail to be indexed.

-> [!IMPORTANT]

-> If there is no explicit mapping for the key field in the index, Azure Cognitive Search automatically uses `metadata_storage_path` as the key and base-64 encodes key values (the second option above).

->

-> If you use a custom metadata property as a key, avoid making changes to that property. Indexers will add duplicate documents for the same blob if the key property changes.

-### Example

-The following example demonstrates `metadata_storage_name` as the document key. Assume the index has a key field named `key` and another field named `fileSize` for storing the document size. [Field mappings](search-indexer-field-mappings.md) in the indexer definition establish field associations, and `metadata_storage_name` has the [`base64Encode` field mapping function](search-indexer-field-mappings.md#base64EncodeFunction) to handle unsupported characters.

-```http

- PUT https://[service name].search.windows.net/indexers/adlsgen2-indexer?api-version=2020-06-30

- Content-Type: application/json

- api-key: [admin key]

-

- "dataSourceName" : "adlsgen2-datasource",

- "targetIndexName" : "my-target-index",

- "schedule" : { "interval" : "PT2H" },

- "fieldMappings" : [

- { "sourceFieldName" : "metadata_storage_name", "targetFieldName" : "key", "mappingFunction" : { "name" : "base64Encode" } },

- { "sourceFieldName" : "metadata_storage_size", "targetFieldName" : "fileSize" }

- ]

-```

-### How to make an encoded field "searchable"

-There are times when you need to use an encoded version of a field like `metadata_storage_path` as the key, but also need that field to be searchable (without encoding) in the search index. To support both use cases, you can map `metadata_storage_path` to two fields; one for the key (encoded), and a second for a path field that we can assume is attributed as "searchable" in the index schema. The example below shows two field mappings for `metadata_storage_path`.

-```http

- PUT https://[service name].search.windows.net/indexers/adlsgen2-indexer?api-version=2020-06-30

- Content-Type: application/json

- api-key: [admin key]

-

- {

- "dataSourceName" : " adlsgen2-datasource",

- "targetIndexName" : "my-target-index",

- "schedule" : { "interval" : "PT2H" },

- "fieldMappings" : [

- { "sourceFieldName" : "metadata_storage_path", "targetFieldName" : "key", "mappingFunction" : { "name" : "base64Encode" } },

- { "sourceFieldName" : "metadata_storage_path", "targetFieldName" : "path" }

- ]

- }

-```

-<a name="PartsOfBlobToIndex"></a>

-## Index content and metadata

-Data Lake Storage Gen2 blobs contain content and metadata. You can control which parts of the blobs are indexed using the `dataToExtract` configuration parameter. It can take the following values:

-+ `contentAndMetadata` - specifies that all metadata and textual content extracted from the blob are indexed. This is the default value.

-+ `storageMetadata` - specifies that only the [standard blob properties and user-specified metadata](../storage/blobs/storage-blob-container-properties-metadata.md) are indexed.

-+ `allMetadata` - specifies that standard blob properties and any [metadata for found content types](search-blob-metadata-properties.md) are extracted from the blob content and indexed.

-For example, to index only the storage metadata, use:

-```http

-PUT https://[service name].search.windows.net/indexers/[indexer name]?api-version=2020-06-30

-Content-Type: application/json

-api-key: [admin key]

-{

- ... other parts of indexer definition

- "parameters" : { "configuration" : { "dataToExtract" : "storageMetadata" } }

-}

-```

-## Indexing blob content

-By default, blobs with structured content, such as JSON or CSV, are indexed as a single chunk of text. But if the JSON or CSV documents have an internal structure (delimiters), you can assign parsing modes to generate individual search documents for each line or element. For more information, see [Indexing JSON blobs](search-howto-index-json-blobs.md) and [Indexing CSV blobs](search-howto-index-csv-blobs.md).

-A compound or embedded document (such as a ZIP archive, a Word document with embedded Outlook email containing attachments, or a .MSG file with attachments) is also indexed as a single document. For example, all images extracted from the attachments of an .MSG file will be returned in the normalized_images field.

-The textual content of the document is extracted into a string field named `content`.

- > Azure Cognitive Search limits how much text it extracts depending on the pricing tier. The current [service limits](search-limits-quotas-capacity.md#indexer-limits) are 32,000 characters for Free tier, 64,000 for Basic, 4 million for Standard, 8 million for Standard S2, and 16 million for Standard S3. A warning is included in the indexer status response for truncated documents.

-Indexers can also index blob metadata. First, any user-specified metadata properties can be extracted verbatim. To receive the values, you must define field in the search index of type `Edm.String`, with same name as the metadata key of the blob. For example, if a blob has a metadata key of `Sensitivity` with value `High`, you should define a field named `Sensitivity` in your search index and it will be populated with the value `High`.

-Second, standard blob metadata properties can be extracted into the fields listed below. The blob indexer automatically creates internal field mappings for these blob metadata properties. You still have to add the fields you want to use the index definition, but you can omit creating field mappings in the indexer.

- + **metadata_storage_name** (`Edm.String`) - the file name of the blob. For example, if you have a blob /my-container/my-folder/subfolder/resume.pdf, the value of this field is `resume.pdf`.

- + **metadata_storage_path** (`Edm.String`) - the full URI of the blob, including the storage account. For example, `https://myaccount.blob.core.windows.net/my-container/my-folder/subfolder/resume.pdf`

- + **metadata_storage_content_type** (`Edm.String`) - content type as specified by the code you used to upload the blob. For example, `application/octet-stream`.

- + **metadata_storage_last_modified** (`Edm.DateTimeOffset`) - last modified timestamp for the blob. Azure Cognitive Search uses this timestamp to identify changed blobs, to avoid reindexing everything after the initial indexing.

- + **metadata_storage_size** (`Edm.Int64`) - blob size in bytes.

- + **metadata_storage_content_md5** (`Edm.String`) - MD5 hash of the blob content, if available.

- + **metadata_storage_sas_token** (`Edm.String`) - A temporary SAS token that can be used by [custom skills](cognitive-search-custom-skill-interface.md) to get access to the blob. This token should not be stored for later use as it might expire.

-<a name="WhichBlobsAreIndexed"></a>

-You can control which blobs are indexed, and which are skipped, by setting role assignments, the blob's file type, or by setting properties on the blob themselves, causing the indexer to skip over them.

-### Use access controls and role assignments

-Indexers that run under a system or user-assigned managed identity can have membership in either a Reader or Storage Blob Data Reader role that grants read permissions on specific files and folders.

-### Include specific file extensions

-Use `indexedFileNameExtensions` to provide a comma-separated list of file extensions to index (with a leading dot). For example, to index only the .PDF and .DOCX blobs, do this:

-```http

-PUT https://[service name].search.windows.net/indexers/[indexer name]?api-version=2020-06-30

-Content-Type: application/json

-api-key: [admin key]

-{

- ... other parts of indexer definition

- "parameters" : { "configuration" : { "indexedFileNameExtensions" : ".pdf,.docx" } }

-}

-```

-### Exclude specific file extensions

-Use `excludedFileNameExtensions` to provide a comma-separated list of file extensions to skip (again, with a leading dot). For example, to index all blobs except those with the .PNG and .JPEG extensions, do this:

-PUT https://[service name].search.windows.net/indexers/[indexer name]?api-version=2020-06-30

-Content-Type: application/json

-api-key: [admin key]

- ... other parts of indexer definition

- "parameters" : { "configuration" : { "excludedFileNameExtensions" : ".png,.jpeg" } }

-If both `indexedFileNameExtensions` and `excludedFileNameExtensions` parameters are present, the indexer first looks at `indexedFileNameExtensions`, then at `excludedFileNameExtensions`. If the same file extension is in both lists, it will be excluded from indexing.

-The indexer configuration parameters apply to all blobs in the container or folder. Sometimes, you want to control how *individual blobs* are indexed. You can do this by adding the following metadata properties and values to blobs in Blob storage. When the indexer encounters this property, it will skip the blob or its content in the indexing run.

-## Index large datasets

-Indexing blobs can be a time-consuming process. In cases where you have millions of blobs to index, you can speed up indexing by partitioning your data and using multiple indexers to [process the data in parallel](search-howto-large-index.md#parallel-indexing). Here's how you can set this up:

-1. Set up several data sources, one per container or folder. To point to a blob folder, use the `query` parameter:

- ```json

- {

- "name" : "blob-datasource",

- "type" : "azureblob",

- "credentials" : { "connectionString" : "<your storage connection string>" },

- "container" : { "name" : "my-container", "query" : "my-folder" }

- }

- ```

-1. Create a corresponding indexer for each data source. All of the indexers should point to the same target search index.

-One search unit in your service can run one indexer at any given time. Creating multiple indexers as described above is only useful if they actually run in parallel.

-To run multiple indexers in parallel, scale out your search service by creating an appropriate number of partitions and replicas. For example, if your search service has 6 search units (for example, 2 partitions x 3 replicas), then 6 indexers can run simultaneously, resulting in a six-fold increase in the indexing throughput. To learn more about scaling and capacity planning, see [Adjust the capacity of an Azure Cognitive Search service](search-capacity-planning.md).

-## Handling errors

-By default, the blob indexer stops as soon as it encounters a blob with an unsupported content type (for example, an image). You could use the `excludedFileNameExtensions` parameter to skip certain content types. However, you might want to indexing to proceed even if errors occur, and then debug individual documents later. For more information about indexer errors, see [Indexer troubleshooting guidance](search-indexer-troubleshooting.md) and [Indexer errors and warnings](cognitive-search-common-errors-warnings.md).

-### Respond to errors

-There are four indexer properties that control the indexer's response when errors occur. The following examples show how to set these properties in the indexer definition. If an indexer already exists, you can add these properties by editing the definition in the portal.

-#### `"maxFailedItems"` and `"maxFailedItemsPerBatch"`

-Continue indexing if errors happen at any point of processing, either while parsing blobs or while adding documents to an index. Set these properties to the number of acceptable failures. A value of `-1` allows processing no matter how many errors occur. Otherwise, the value is a positive integer.

-PUT https://[service name].search.windows.net/indexers/[indexer name]?api-version=2020-06-30

-Content-Type: application/json

-api-key: [admin key]

- ... other parts of indexer definition

- "parameters" : { "maxFailedItems" : 10, "maxFailedItemsPerBatch" : 10 }

-#### `"failOnUnsupportedContentType"` and `"failOnUnprocessableDocument"`

-For some blobs, Azure Cognitive Search is unable to determine the content type, or unable to process a document of an otherwise supported content type. To ignore these failure conditions, set configuration parameters to `false`:

-```http

-PUT https://[service name].search.windows.net/indexers/[indexer name]?api-version=2020-06-30

-Content-Type: application/json

-api-key: [admin key]

-{

- ... other parts of indexer definition

- "parameters" : { "configuration" : { "failOnUnsupportedContentType" : false, "failOnUnprocessableDocument" : false } }

-}

-```

-### Relax indexer constraints

-You can also set [blob configuration properties](/rest/api/searchservice/create-indexer#blob-configuration-parameters) that effectively determine whether an error condition exists. The following property can relax constraints, suppressing errors that would otherwise occur.

-+ `"indexStorageMetadataOnlyForOversizedDocuments"` to index storage metadata for blob content that is too large to process. Oversized blobs are treated as errors by default. For limits on blob size, see [service Limits](search-limits-quotas-capacity.md).

-## See also

-+ [Indexers in Azure Cognitive Search](search-indexer-overview.md)

-+ [Create an indexer](search-howto-create-indexers.md)

-+ [AI enrichment overview](cognitive-search-concept-intro.md)

-+ [Search over blobs overview](search-blob-storage-integration.md)

-description: After an initial search index build that imports from Azure Blob Storage, subsequent indexing can pick up just those blobs that are changed or deleted. This article explains the details.

-# Change and deletion detection in blob indexing (Azure Cognitive Search)

-After an initial search index is created, you might want subsequent indexer jobs to only pick up new and changed documents. For search content that originates from Azure Blob Storage or Azure Data Lake Storage Gen2, change detection occurs automatically when you use a schedule to trigger indexing. By default, the service reindexes only the changed blobs, as determined by the blob's `LastModified` timestamp. In contrast with other data sources supported by search indexers, blobs always have a timestamp, which eliminates the need to set up a change detection policy manually.

-Although change detection is a given, deletion detection is not. If you want to detect deleted documents, make sure to use a "soft delete" approach. If you delete the blobs outright, corresponding documents will not be removed from the search index.

-There are two ways to implement the soft delete approach:

-+ Native blob soft delete (preview), described next

-> [!NOTE]

-> Azure Data Lake Storage Gen2 allows directories to be renamed. When a directory is renamed the timestamps for the blobs in that directory do not get updated. As a result, the indexer will not reindex those blobs. If you need the blobs in a directory to be reindexed after a directory rename because they now have new URLs, you will need to update the `LastModified` timestamp for all the blobs in the directory so that the indexer knows to reindex them during a future run. The virtual directories in Azure Blob Storage cannot be changed so they do not have this issue.

-> Support for native blob soft delete is in preview. Preview functionality is provided without a service level agreement, and is not recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). The [REST API version 2020-06-30-Preview](./search-api-preview.md) provides this feature. There is currently no portal or .NET SDK support.

-### Prerequisites

-+ Blobs must be in an Azure Blob Storage container. The Cognitive Search native blob soft delete policy is not supported for blobs from Azure Data Lake Storage Gen2.

-## Soft delete using custom metadata

-This method uses a blob's metadata to determine whether a search document should be removed from the index. This method requires two separate actions, deleting the search document from the index, followed by blob deletion in Azure Storage.

-There are steps to follow in both Blob storage and Cognitive Search, but there are no other feature dependencies. This capability is supported in generally available APIs.

-1. Add a custom metadata key-value pair to the blob to indicate to Azure Cognitive Search that it is logically deleted.

-1. Configure a soft deletion column detection policy on the data source. For example, the following policy considers a blob to be deleted if it has a metadata property `IsDeleted` with the value `true`:

- ```http

- PUT https://[service name].search.windows.net/datasources/blob-datasource?api-version=2020-06-30

- Content-Type: application/json

- api-key: [admin key]

- "name" : "blob-datasource",

- "type" : "azureblob",

- "container" : { "name" : "my-container", "query" : null },

-1. Once the indexer has processed the blob and deleted the document from the index, you can delete the blob in Azure Blob Storage.

-### Reindexing undeleted blobs (using custom metadata)

-After an indexer processes a deleted blob and removes the corresponding search document from the index, it won't revisit that blob if you restore it later if the blob's `LastModified` timestamp is older than the last indexer run.

-If you would like to reindex that document, change the `"softDeleteMarkerValue" : "false"` for that blob and rerun the indexer.

-In Azure Cognitive Search, blob [indexers](search-indexer-overview.md) are frequently used for both [AI enrichment](cognitive-search-concept-intro.md) and text-based processing.

-This article focuses on how to configure a blob indexer for text-based indexing, where just the textual content and metadata are loaded into a search index for full text search scenarios. Inputs are your blobs, in a single container. Output is a search index with searchable content and metadata stored in individual fields.

-+ Blob containers storing non-binary textual content for text-based indexing. This indexer also supports [AI enrichment](cognitive-search-concept-intro.md) if you have binary files. Note that blob content cannot exceed the [indexer limits](search-limits-quotas-capacity.md#indexer-limits) for your search service tier.

-The Azure Cognitive Search blob indexer can extract text from the following document formats:

-A primary difference between a blob indexer and other indexers is the data source assignment. The data source definition specifies "type": `"azureblob"`, a content path, and how to connect

-A data source definition can also include additional properties for [soft deletion policies](search-howto-index-changed-deleted-blobs.md) and [field mappings](search-indexer-field-mappings.md) if field names and types are not the same.

-|This connection string does not require an account key, but you must follow the instructions for [Setting up a connection to an Azure Storage account using a managed identity](search-howto-managed-identities-storage.md).|

-| The SAS should have the list and read permissions on the container. For more information on Azure Storage shared access signatures, see [Using Shared Access Signatures](../storage/common/storage-sas-overview.md). |

- { "name": "metadata_storage_path", "type": "Edm.String", "key": true, "searchable": false },

-1. Designate one string field as the document key that uniquely identifies each document. For blob content, the best candidates for a document key are metadata properties on the blob:

- + **`metadata_storage_path`** (default). Using the full path ensures uniqueness, but the path contains `/` characters that are [invalid in a document key](/rest/api/searchservice/naming-rules). Use the [base64Encode function](search-indexer-field-mappings.md#base64EncodeFunction) to encode characters (see the example in the next section). If using the portal to define the indexer, the encoding step is built in.

- + **`metadata_storage_name`** is a candidate, but only if names are unique across all containers and folders you are indexing. When considering this option, watch for characters that are invalid for document keys, such as dashes. You can handle invalid characters by using the [base64Encode function](search-indexer-field-mappings.md#base64EncodeFunction) (see the example in the next section). If you do this, remember to also encode document keys when passing them in API calls such as [Lookup Document (REST)](/rest/api/searchservice/lookup-document). In .NET, you can use the [UrlTokenEncode method](/dotnet/api/system.web.httpserverutility.urltokenencode) to encode characters.

- > [!NOTE]

- > If there is no explicit mapping for the key field in the index, Azure Cognitive Search automatically uses "metadata_storage_path" as the key and base-64 encodes key values.

-1. Add a "content" field if you want to import the content, or text, extracted from blobs. You aren't required to name the field "content", but doing lets you take advantage of implicit field mappings. The blob indexer can send blob contents to a "content" field of type `Edm.String` in the index, with no field mappings required.

-Indexer configuration specifies the inputs, parameters, and properties that inform run time behaviors.

-Under "configuration", you can control which blobs are indexed, and which are skipped, by the blob's file type or by setting properties on the blob themselves, causing the indexer to skip over them.

- "excludedFileNameExtensions" : ".png,.jpeg"

-1. In the optional "configuration" section, provide any inclusion or exclusion criteria. If left unspecified, all blobs in the container are retrieved.

- If both `indexedFileNameExtensions` and `excludedFileNameExtensions` parameters are present, Azure Cognitive Search first looks at `indexedFileNameExtensions`, then at `excludedFileNameExtensions`. If the same file extension is present in both lists, it will be excluded from indexing.

-1. See [Create an indexer](search-howto-create-indexers.md) for more information about other properties.

-### Set field mappings

-Field mappings are a section in the indexer definition that maps source fields to destination fields in the search index.

-In blob indexing, you can often omit field mappings because the indexer has built-in support for mapping the "content" property and [blob metadata properties](#indexing-blob-metadata) to fields in an index, assuming the search field name matches the blob property name, and is of the expected data type.

-Reasons for [creating an explicit field mapping](search-indexer-field-mappings.md) might be to handle naming or data type differences, or to add functions such as base64encoding, as illustrated in the following examples.

-### Example: Base-encoding metadata_storage_name

-The following example demonstrates "metadata_storage_name" as the document key. Assume the index has a key field named "key" and another field named "fileSize" for storing the document size. [Field mappings](search-indexer-field-mappings.md) in the indexer definition establish field associations, and "metadata_storage_name" has the [base64Encode field mapping function](search-indexer-field-mappings.md#base64EncodeFunction) to handle unsupported characters.

-```http

-POST https://[service name].search.windows.net/indexers?api-version=2020-06-30

-{

- "name" : "my-blob-indexer",

- "dataSourceName" : "my-blob-datasource ",

- "targetIndexName" : "my-search-index",

- "schedule" : { "interval" : "PT2H" },

- "fieldMappings" : [

- { "sourceFieldName" : "metadata_storage_name", "targetFieldName" : "key", "mappingFunction" : { "name" : "base64Encode" } },

- { "sourceFieldName" : "metadata_storage_size", "targetFieldName" : "fileSize" }

- ]

-}

-```

-### Example: How to make an encoded field "searchable"

-There are times when you need to use an encoded version of a field like "metadata_storage_path" as the key, but also need that field to be searchable (without encoding) in the search index. To support both use cases, you can map "metadata_storage_path" to two fields; one for the key (encoded), and a second for a path field that we can assume is attributed as "searchable" in the index schema. The example below shows two field mappings for "metadata_storage_path".

-```http

-PUT /indexers/blob-indexer?api-version=2020-06-30

-{

- "dataSourceName" : " blob-datasource ",

- "targetIndexName" : "my-target-index",

- "schedule" : { "interval" : "PT2H" },

- "fieldMappings" : [

- { "sourceFieldName" : "metadata_storage_path", "targetFieldName" : "key", "mappingFunction" : { "name" : "base64Encode" } },

- { "sourceFieldName" : "metadata_storage_path", "targetFieldName" : "path" }

- ]

-}

-```

-<a name="PartsOfBlobToIndex"></a>

-### Set parameters

-Blob indexers include parameters that optimize indexing for specific use cases, such as content types (JSON, CSV, PDF), or to specify which parts of the blob to index.

-This section describes several of the more frequently used parameters. For the full list, see [Blob configuration parameters reference](/rest/api/searchservice/create-indexer#blob-configuration-parameters).

-1. [Create or update an indexer](/rest/api/searchservice/create-indexer) to set its parameters:

- ```json

- "parameters": {

- "batchSize": null,

- "maxFailedItems": 0,

- "maxFailedItemsPerBatch": 0,

- "configuration": {

- "dataToExtract": "contentAndMetadata",

- "parsingMode": "default",

- "imageAction": "none"

- }

- }

- ```

-1. Set "dataToExtract" to control which parts of the blobs are indexed:

- + "contentAndMetadata" specifies that all metadata and textual content extracted from the blob are indexed. This is the default value.

- + "storageMetadata" specifies that only the [standard blob properties and user-specified metadata](../storage/blobs/storage-blob-container-properties-metadata.md) are indexed.

- + "allMetadata" specifies that standard blob properties and any [metadata for found content types](search-blob-metadata-properties.md) are extracted from the blob content and indexed.

-1. Set "parsingMode" if blobs should be mapped to [multiple search documents](search-howto-index-one-to-many-blobs.md), or if they consist of [plain text](search-howto-index-plaintext-blobs.md), [JSON documents](search-howto-index-json-blobs.md), or [CSV files](search-howto-index-csv-blobs.md).

-1. Set "batchSize` if the default (10 documents) is either under utilizing or overwhelming available resources. Default batch sizes are data source specific. Blob indexing sets batch size at 10 documents in recognition of the larger average document size.

-1. See [Handling errors](#handling-errors) for guidance on setting "maxFailedItems" or "maxFailedItemsPerBatch".

-## Indexing blob metadata

-Blob metadata can be helpful in search solutions, providing information about blob origin and content types that could be useful for filtering and queries.

-First, any user-specified metadata properties can be extracted verbatim. To receive the values, you must define field in the search index of type `Edm.String`, with same name as the metadata key of the blob. For example, if a blob has a metadata key of `Sensitivity` with value `High`, you should define a field named `Sensitivity` in your search index and it will be populated with the value `High`.

-Second, standard blob metadata properties can be extracted into the fields listed below. The blob indexer automatically creates internal field mappings for these blob metadata properties. You still have to add the fields to the index definition, but you can omit creating field mappings in the indexer.

-## How blobs are indexed

-By default, most blobs are indexed as a single search document in the index, including blobs with structured content, such as JSON or CSV, which are indexed as a single chunk of text. However, for JSON or CSV documents that have an internal structure (delimiters), you can assign parsing modes to generate individual search documents for each line or element:

-+ [Indexing JSON blobs](search-howto-index-json-blobs.md)

-+ [Indexing CSV blobs](search-howto-index-csv-blobs.md).

-A compound or embedded document (such as a ZIP archive, a Word document with embedded Outlook email containing attachments, or a .MSG file with attachments) is also indexed as a single document. For example, all images extracted from the attachments of an .MSG file will be returned in the normalized_images field within the same search document.

-The indexer configuration parameters apply to all blobs in the container or folder. Sometimes, you want to control how *individual blobs* are indexed. You can do this by adding the following metadata properties and values to blobs in Blob storage. When the indexer encounters this property, it will skip the blob or its content in the indexing run.

-Indexing blobs can be a time-consuming process. In cases where you have millions of blobs to index, you can speed up indexing by partitioning your data and using multiple indexers to [process the data in parallel](search-howto-large-index.md#parallel-indexing). Here's how you can set this up:

-+ Partition your data into multiple blob containers or virtual folders

-+ Set up several data sources, one per container or folder. To point to a blob folder, use the `query` parameter:

- ```json

- {

- "name" : "blob-datasource",

- "type" : "azureblob",

- "credentials" : { "connectionString" : "<your storage connection string>" },

- "container" : { "name" : "my-container", "query" : "my-folder" }

- }

- ```

-+ Create a corresponding indexer for each data source. All of the indexers should point to the same target search index.

-+ One search unit in your service can run one indexer at any given time. Creating multiple indexers as described above is only useful if they actually run in parallel.

- To run multiple indexers in parallel, scale out your search service by creating an appropriate number of partitions and replicas. For example, if your search service has 6 search units (for example, 2 partitions x 3 replicas), then 6 indexers can run simultaneously, resulting in a six-fold increase in the indexing throughput. To learn more about scaling and capacity planning, see [Adjust the capacity of an Azure Cognitive Search service](search-capacity-planning.md).

-## Handling errors

-By default, the blob indexer stops as soon as it encounters a blob with an unsupported content type (for example, an image). You could use the "excludedFileNameExtensions" parameter to skip certain content types. However, you might want to indexing to proceed even if errors occur, and then debug individual documents later. For more information about indexer errors, see [Indexer troubleshooting guidance](search-indexer-troubleshooting.md) and [Indexer errors and warnings](cognitive-search-common-errors-warnings.md).

-### Respond to errors

-There are four indexer properties that control the indexer's response when errors occur. The following examples show how to set these properties in the indexer definition. If an indexer already exists, you can add these properties by editing the definition in the portal.

-#### `"maxFailedItems"` and `"maxFailedItemsPerBatch"`

-Continue indexing if errors happen at any point of processing, either while parsing blobs or while adding documents to an index. Set these properties to the number of acceptable failures. A value of `-1` allows processing no matter how many errors occur. Otherwise, the value is a positive integer.

- "maxFailedItemsPerBatch" : 10

- }

-}

-```

-#### `"failOnUnsupportedContentType"` and `"failOnUnprocessableDocument"`

-For some blobs, Azure Cognitive Search is unable to determine the content type, or unable to process a document of an otherwise supported content type. To ignore these failure conditions, set configuration parameters to `false`:

-```http

-PUT /indexers/[indexer name]?api-version=2020-06-30

-{

- "parameters" : {

- "failOnUnprocessableDocument" : false

- }

-### Relax indexer constraints

-You can also set [blob configuration parameters](/rest/api/searchservice/create-indexer#blob-configuration-parameters) that effectively determine whether an error condition exists. The following property can relax constraints, suppressing errors that would otherwise occur.

-+ "indexStorageMetadataOnlyForOversizedDocuments" to index storage metadata for blob content that is too large to process. Oversized blobs are treated as errors by default. For limits on blob size, see [service Limits](search-limits-quotas-capacity.md).

-## See also

-+ [Indexers in Azure Cognitive Search](search-indexer-overview.md)

-+ [Create an indexer](search-howto-create-indexers.md)

-+ [AI enrichment overview](cognitive-search-concept-intro.md)

-+ [Search over blobs overview](search-blob-storage-integration.md)

-Configure a table [indexer](search-indexer-overview.md) in Azure Cognitive Search to retrieve, serialize, and index entity content from a single table in Azure Table Storage.

-+ Tables with entities containing non-binary textual content for text-based indexing. This indexer also supports [AI enrichment](cognitive-search-concept-intro.md) if you have binary files.

-A primary difference between a table indexer and other indexers is the data source assignment. The data source definition specifies "type": `"azuretable"`, a content path, and how to connect.

-A data source definition can also include additional properties for [soft deletion policies](#soft-delete-using-custom-metadata) and [field mappings](search-indexer-field-mappings.md) if field names and types are not the same.

-**Full access storage account connection string**:

-`{ "connectionString" : "DefaultEndpointsProtocol=https;AccountName=<your storage account>;AccountKey=<your account key>;" }`

-You can get the connection string from the Storage account page in Azure portal by selecting **Access keys** in the left navigation pane. Make sure to select a full connection string and not just a key.

-+ **Managed identity connection string**: `ResourceId=/subscriptions/<your subscription ID>/resourceGroups/<your resource group name>/providers/Microsoft.Storage/storageAccounts/<your storage account name>/;`

-This connection string does not require an account key, but you must follow the instructions for [Setting up a connection to an Azure Storage account using a managed identity](search-howto-managed-identities-storage.md).

-+ **Storage account shared access signature connection string**: `TableEndpoint=https://<your account>.table.core.windows.net/;SharedAccessSignature=?sv=2016-05-31&sig=<the signature>&spr=https&se=<the validity end time>&srt=co&ss=t&sp=rl` The shared access signature should have the list and read permissions on containers (tables in this case) and objects (table rows).

-+ **Table shared access signature**: `ContainerSharedAccessUri=https://<your storage account>.table.core.windows.net/<table name>?tn=<table name>&sv=2016-05-31&sig=<the signature>&se=<the validity end time>&sp=r` The shared access signature should have query (read) permissions on the table.

-For more information on storage shared access signatures, see [Using shared access signatures](../storage/common/storage-sas-overview.md).

-> [!NOTE]

-> If you use shared access signature credentials, you will need to update the data source credentials periodically with renewed signatures to prevent their expiration or the indexer will fail with a "Credentials provided in the connection string are invalid or have expired" message.

- "name" : "my-search-index",

- "fields": [

- { "name": "ID", "type": "Edm.String", "key": true, "searchable": false },

- { "name": "SomeColumnInMyTable", "type": "Edm.String", "searchable": true }

- ]

-1. Create a key field, but do not define field mappings to alternative unique strings in the table.

- A table indexer will populate the key field with concatenated partition and row keys from the table. For example, if a rowΓÇÖs PartitionKey is `PK1` and RowKey is `RK1`, then the `Key` field's value is `PK1RK1`. If the partition key is null, just the row key is used.

-1. Create additional fields that correspond to entity fields. Using the same names and compatible [data types](/rest/api/searchservice/supported-data-types) minimizes the need for [field mappings](search-indexer-field-mappings.md).

- "schedule" : { "interval" : "PT2H" }

-## Change and deletion detection

-After an initial search index is created, you might want subsequent indexer jobs to pick up only new and changed documents. Fortunately, content in Azure Storage is timestamped, which gives indexers sufficient information for determining what's new and changed automatically. For search content that originates from Azure Table Storage, the indexer keeps track of the entity's `Timestamp` timestamp and reindexes only new and changed content.

-Although change detection is a given, deletion detection is not. If you want to detect deleted entities, make sure to use a "soft delete" approach. If you delete the files outright in a table, corresponding search documents will not be removed from the search index.

-## Soft delete using custom metadata

-To indicate that certain documents must be removed from the search index, you can use a soft delete strategy. Instead of deleting an entity, add a property to indicate that it's deleted, and set up a soft deletion detection policy on the data source. For example, the following policy considers that an entity is deleted if it has an `IsDeleted` property set to `"true"`:

-```http

-PUT https://[service name].search.windows.net/datasources?api-version=2020-06-30

-Content-Type: application/json

-api-key: [admin key]

-{

- "name" : "my-table-datasource",

- "type" : "azuretable",

- "credentials" : { "connectionString" : "<your storage connection string>" },

- "container" : { "name" : "table name", "query" : "<query>" },

- "dataDeletionDetectionPolicy" : { "@odata.type" : "#Microsoft.Azure.Search.SoftDeleteColumnDeletionDetectionPolicy", "softDeleteColumnName" : "IsDeleted", "softDeleteMarkerValue" : "true" }

-}

-```

-<a name="Performance"></a>

-## Performance considerations

-By default, Azure Cognitive Search uses the following internal query filter to keep track of which source entities have been updated since the last run: `Timestamp >= HighWaterMarkValue`.

-Because Azure tables donΓÇÖt have a secondary index on the `Timestamp` field, this type of query requires a full table scan and is therefore slow for large tables.

-Here are two possible approaches for improving table indexing performance. Both rely on using table partitions:

-+ If your data can naturally be partitioned into several partition ranges, create a data source and a corresponding indexer for each partition range. Each indexer now has to process only a specific partition range, resulting in better query performance. If the data that needs to be indexed has a small number of fixed partitions, even better: each indexer only does a partition scan. For example, to create a data source for processing a partition range with keys from `000` to `100`, use a query like this:

- ```json

- "container" : { "name" : "my-table", "query" : "PartitionKey ge '000' and PartitionKey lt '100' " }

- ```

-+ If your data is partitioned by time (for example, you create a new partition every day or week), consider the following approach:

- + Use a query of the form: `(PartitionKey ge <TimeStamp>) and (other filters)`.

- + Monitor indexer progress by using [Get Indexer Status API](/rest/api/searchservice/get-indexer-status), and periodically update the `<TimeStamp>` condition of the query based on the latest successful high-water-mark value.

- + With this approach, if you need to trigger a complete reindexing, you need to reset the datasource query in addition to resetting the indexer.

-## See also

-+ [Indexers in Azure Cognitive Search](search-indexer-overview.md)

-+ [Create an indexer](search-howto-create-indexers.md)

-When using Azure Cognitive Search indexers, the indexer will automatically map fields in a data source to fields in a target index, assuming field names and types are compatible. In some cases, input data doesn't quite match the schema of your target index. One solution is to use *field mappings* to specifically set the data path during the indexing process.

-Field mappings can be used to address the following scenarios:

-#### Example - document key lookup

-Only URL-safe characters can appear in an Azure Cognitive Search document key (so that you can address the document using the [Lookup API](/rest/api/searchservice/lookup-document)). If the source field for your key contains URL-unsafe characters, you can use the `base64Encode` function to convert it at indexing time. However, a document key (both before and after conversion) can't be longer than 1,024 characters.

-When you retrieve the encoded key at search time, use the `base64Decode` function to get the original key value, and use that to retrieve the source document.

-```JSON

-"fieldMappings" : [

- {

- "sourceFieldName" : "SourceKey",

- "targetFieldName" : "IndexKey",

- "mappingFunction" : {

- "name" : "base64Encode",

- "parameters" : { "useHttpServerUtilityUrlTokenEncode" : false }

- }]

- ```

- Some Azure storage clients automatically url encode blob metadata if it contains non-ASCII characters. However, if you want to make such metadata searchable (as plain text), you can use the `urlDecode` function to turn the encoded data back into regular strings when populating your search index.

- This function converts a string of any length to a fixed length string.

-For the Windows DNS Server and Windows Firewall connectors, select the **Install solution** button. For the legacy Security Events connector, choose the [**event set**](windows-security-event-id-reference.md) you wish to send and select **Update**.

-For more information, see [Insecure protocols workbook setup](./get-visibility.md#use-built-in-workbooks).

-See also: [**Windows Security Events via AMA**](#windows-security-events-via-ama) connector based on Azure Monitor Agent (AMA)

-[Configure the **Security events / Windows Security Events connector** for **anomalous RDP login detection**](#configure-the-security-events--windows-security-events-connector-for-anomalous-rdp-login-detection).

-| <b>…from ZRS</b> | Perform a manual migration | Perform a manual migration | N/A | Request a live migration<sup>3</sup> <br /><br /> OR <br /><br /> Use PowerShell or Azure CLI to change the replication setting as part of a failback operation only<sup>4</sup> |

-<sup>4</sup> After an account failover to the secondary region, it's possible to initiate a fail back from the new primary back to the new secondary with PowerShell or Azure CLI (version 2.30.0 or later). For more information, see [Use caution when failing back to the original primary](storage-disaster-recovery-guidance.md#use-caution-when-failing-back-to-the-original-primary). <br />

-You can implement machine learning models as a user-defined function (UDF) in your Azure Stream Analytics jobs to do real-time scoring and predictions on your streaming input data. [Azure Machine Learning](../machine-learning/overview-what-is-azure-machine-learning.md) allows you to use any popular open-source tool, such as Tensorflow, scikit-learn, or PyTorch, to prep, train, and deploy models.

-| **User defined functions** | [Yes](/sql/t-sql/statements/create-function-sql-data-warehouse?view=azure-sqldw-latest&preserve-view=true) | Yes, only inline table-valued functions. Scalar user-defined functions are not supported. |

-| **Workload management, resource classes, and concurrency control** | Yes, see [workload management, resource classes, and concurrency control](../sql-data-warehouse/resource-classes-for-workload-management.md?context=/azure/synapse-analytics/context/context). | No, serverless SQL pool automatically manages the resources. |

-| **Cost control** | Yes, using scale-up and scale-down actions. | Yes, using [the Azure portal or T-SQL procedure](./data-processed.md#cost-control). |

-| **SELECT statement** | Yes. `SELECT` statement is supported, but some Transact-SQL query clauses, such as [FOR XML/FOR JSON](/sql/t-sql/queries/select-for-clause-transact-sql?view=azure-sqldw-latest&preserve-view=true), [MATCH](/sql/t-sql/queries/match-sql-graph?view=azure-sqldw-latest&preserve-view=true), OFFSET/FETCH are not supported. | Yes, `SELECT` statement is supported, but some Transact-SQL query clauses like [FOR XML](/sql/t-sql/queries/select-for-clause-transact-sql?view=azure-sqldw-latest&preserve-view=true), [MATCH](/sql/t-sql/queries/match-sql-graph?view=azure-sqldw-latest&preserve-view=true), [PREDICT](/sql/t-sql/queries/predict-transact-sql?view=azure-sqldw-latest&preserve-view=true), GROUPNG SETS, and query hints are not supported. |

-| **CTAS statement** | Yes | No, [CREATE TABLE AS SELECT](/sql/t-sql/statements/create-table-as-select-azure-sql-data-warehouse?view=azure-sqldw-latest&preserve-view=true) statement is not supported in serverless SQL pool. |

-| **[Labels](develop-label.md)** | Yes | No, labels are not supported. |

-| **Cross-database queries** | No | Yes, 3-part-name references are supported including [USE](/sql/t-sql/language-elements/use-transact-sql?view=azure-sqldw-latest&preserve-view=true) statement. The queries can reference the serverless SQL databases or the Lake databases in the same workspace. Cross-workspace queries are not supported. |

-| **Row-level security** | [Yes](/sql/relational-databases/security/row-level-security?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json&view=azure-sqldw-latest&preserve-view=true) | No built-in support. Use custom views as a [workaround](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/how-to-implement-row-level-security-in-serverless-sql-pools/ba-p/2354759). |

-| **Data masking** | [Yes](../guidance/security-white-paper-access-control.md#dynamic-data-masking) | No, use wrapper SQL views that explicitly mask some columns as a workaround. |

-| **Azure Data Studio (ADS)** | Yes | Yes, you can [use Azure Data Studio](get-started-azure-data-studio.md) (version 1.18.0 or higher) to query serverless SQL pool. SQL scripts and SQL Notebooks are supported. |

-| **SQL Server Management Studio (SSMS)** | Yes | Yes, you can [use SQL Server Management Studio](get-started-ssms.md) (version 18.5 or higher) to query serverless SQL pool. SSMS shows only the objects that are available in the serverless SQL pools. |

-| **Azure Data Lake v2** | Yes | Yes, you can use external tables and the `OPENROWSET` function to read data from ADLS. |

-| **Azure Blob Storage** | Yes | Yes, you can use external tables and the `OPENROWSET` function to read data from Azure Blob Storage. |

- "requestPath": "</requestPath>"

-az vm create ΓÇôvmss "myVMSS" ΓÇô-platform_fault_domain 1

-Sign in to the [Azure portal](https://portal.azure.com) if you haven't already.

-1. In the **Virtual machines** page, select **Add**. The **Create a virtual machine** page opens.

-1. Under **Instance details**, type *myVM* for the **Virtual machine name**, choose *East US* for your **Region**, and choose *Ubuntu 18.04 LTS* for your **Image**. Leave the other defaults.

- 

-## Create SSH key pair

-Use [ssh-keygen](https://www.ssh.com/ssh/keygen/) to create an SSH key pair. If you already have an SSH key pair, you can skip this step.

-```azurepowershell-interactive

-ssh-keygen -t rsa -b 4096

-```

-You will be prompted to provide a filename for the key pair or you can hit **Enter** to use the default location of `/home/<username>/.ssh/id_rsa`. You will also be able to create a password for the keys, if you like.

-For more detailed information on how to create SSH key pairs, see [How to use SSH keys with Windows](ssh-from-windows.md).

-If you create your SSH key pair using the Cloud Shell, it will be stored in a [storage account that is automatically created by Cloud Shell](../../cloud-shell/persisting-shell-storage.md). Don't delete the storage account, or the files share in it, until after you have retrieved your keys or you will lose access to the VM.

-## Create virtual network resources

-Create a virtual network, subnet, and a public IP address. These resources are used to provide network connectivity to the VM and connect it to the internet:

-```azurepowershell-interactive

-# Create a subnet configuration

-$subnetConfig = New-AzVirtualNetworkSubnetConfig `

- -Name "mySubnet" `

- -AddressPrefix 192.168.1.0/24

-# Create a virtual network

-$vnet = New-AzVirtualNetwork `

- -ResourceGroupName "myResourceGroup" `

- -Location "EastUS" `

- -Name "myVNET" `

- -AddressPrefix 192.168.0.0/16 `

- -Subnet $subnetConfig

-# Create a public IP address and specify a DNS name

-$pip = New-AzPublicIpAddress `

- -ResourceGroupName "myResourceGroup" `

- -Location "EastUS" `

- -AllocationMethod Static `

- -IdleTimeoutInMinutes 4 `

- -Name "mypublicdns$(Get-Random)"

-```

-Create an Azure Network Security Group and traffic rule. The Network Security Group secures the VM with inbound and outbound rules. In the following example, an inbound rule is created for TCP port 22 that allows SSH connections. To allow incoming web traffic, an inbound rule for TCP port 80 is also created.

-# Create an inbound network security group rule for port 22

-$nsgRuleSSH = New-AzNetworkSecurityRuleConfig `

- -Name "myNetworkSecurityGroupRuleSSH" `

- -Protocol "Tcp" `

- -Direction "Inbound" `

- -Priority 1000 `

- -SourceAddressPrefix * `

- -SourcePortRange * `

- -DestinationAddressPrefix * `

- -DestinationPortRange 22 `

- -Access "Allow"

-# Create an inbound network security group rule for port 80

-$nsgRuleWeb = New-AzNetworkSecurityRuleConfig `

- -Name "myNetworkSecurityGroupRuleWWW" `

- -Protocol "Tcp" `

- -Direction "Inbound" `

- -Priority 1001 `

- -SourceAddressPrefix * `

- -SourcePortRange * `

- -DestinationAddressPrefix * `

- -DestinationPortRange 80 `

- -Access "Allow"

-# Create a network security group

-$nsg = New-AzNetworkSecurityGroup `

- -ResourceGroupName "myResourceGroup" `

- -Location "EastUS" `

- -Name "myNetworkSecurityGroup" `

- -SecurityRules $nsgRuleSSH,$nsgRuleWeb

-Create a virtual network interface card (NIC) with [New-AzNetworkInterface](/powershell/module/az.network/new-aznetworkinterface). The virtual NIC connects the VM to a subnet, Network Security Group, and public IP address.

-```azurepowershell-interactive

-# Create a virtual network card and associate with public IP address and NSG

-$nic = New-AzNetworkInterface `

- -Name "myNic" `

- -ResourceGroupName "myResourceGroup" `

- -Location "EastUS" `

- -SubnetId $vnet.Subnets[0].Id `

- -PublicIpAddressId $pip.Id `

- -NetworkSecurityGroupId $nsg.Id

-## Create a virtual machine

-To create a VM in PowerShell, you create a configuration that has settings like the image to use, size, and authentication options. Then the configuration is used to build the VM.

-Define the SSH credentials, OS information, and VM size. In this example, the SSH key is stored in `~/.ssh/id_rsa.pub`.

-```azurepowershell-interactive

-# Define a credential object

-$securePassword = ConvertTo-SecureString ' ' -AsPlainText -Force

-$cred = New-Object System.Management.Automation.PSCredential ("azureuser", $securePassword)

-# Create a virtual machine configuration

-$vmConfig = New-AzVMConfig `

- -VMName "myVM" `

- -VMSize "Standard_D1_v2" | `

-Set-AzVMOperatingSystem `

- -Linux `

- -ComputerName "myVM" `

- -Credential $cred `

- -DisablePasswordAuthentication | `

-Set-AzVMSourceImage `

- -PublisherName "Canonical" `

- -Offer "UbuntuServer" `

- -Skus "18.04-LTS" `

- -Version "latest" | `

-Add-AzVMNetworkInterface `

- -Id $nic.Id

-# Configure the SSH key

-$sshPublicKey = cat ~/.ssh/id_rsa.pub

-Add-AzVMSshPublicKey `

- -VM $vmconfig `

- -KeyData $sshPublicKey `

- -Path "/home/azureuser/.ssh/authorized_keys"

-```

-Now, combine the previous configuration definitions to create with [New-AzVM](/powershell/module/az.compute/new-azvm):

-New-AzVM `

- -ResourceGroupName "myResourceGroup" `

- -Location eastus -VM $vmConfig

-It will take a few minutes for your VM to be deployed. When the deployment is finished, move on to the next section.

-## Connect to the VM

-Using the same shell you used to create your SSH key pair, paste the the following command into the shell to create an SSH session. Replace *10.111.12.123* with the IP address of your VM.

-ssh azureuser@10.111.12.123

-When prompted, the login user name is *azureuser*. If a passphrase is used with your SSH keys, you need to enter that when prompted.

-1. In the **Virtual machines** page, select **Create** then **Virtual machine**.

-$validate.ValidationMessages

-The previous command displays any warnings and errors that block migration. If validation is successful, you can continue with the following steps to **Prepare** and **Commit** the migration: