+## Configure your custom policy

+Get the example of the force password reset policy on [GitHub](https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset). In each file, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is *contosob2c*, all instances of `yourtenant.onmicrosoft.com` become `contosob2c.onmicrosoft.com`.

+## Upload and test the policy

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the **Directories + subscriptions** icon in the portal toolbar.

+1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

+1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.

+1. Select **Identity Experience Framework**.

+1. In **Custom Policies**, select **Upload Policy**.

+1. Select the *TrustFrameworkExtensionsCustomForcePasswordReset.xml* file.

+1. Select **Upload**.

+1. Repeat steps 6 through 8 for the relying party file *TrustFrameworkExtensionsCustomForcePasswordReset.xml*.

+## Run the policy

+1. Open the policy that you uploaded *B2C_1A_TrustFrameworkExtensions_custom_ForcePasswordReset*.

+1. For **Application**, select the application that you registered earlier. To see the token, the **Reply URL** should show `https://jwt.ms`.

+1. Select **Run now**.

+1. Sign in with the user account for which you reset the password.

+1. You now must change the password for the user. Change the password and select **Continue**. The token is returned to `https://jwt.ms` and should be displayed to you.

+The **Name** attribute of the **Protocol** element needs to be set to `OAuth2`. Set the **OutputTokenFormat** element to `OAuth2Error`.

+ <Protocol Name="OAuth2" />

+Learn about [UserJourneys](userjourneys.md)

+Finally, add the multitenant app to the Azure AD app gallery. Follow the instructions in [Publish your app to the Azure AD app gallery](../active-directory/manage-apps/v2-howto-app-gallery-listing.md). To add your app to the app gallery, do the following:

+1. [Create and publish documentation](../active-directory/manage-apps/v2-howto-app-gallery-listing.md#create-and-publish-documentation).

+1. [Submit your app](../active-directory/manage-apps/v2-howto-app-gallery-listing.md#submit-your-application) with the following information:

+- Learn how to [Publish your app to the Azure AD app gallery](../active-directory/manage-apps/v2-howto-app-gallery-listing.md).

+To request an automatic Azure AD provisioning connector for an app that doesn't currently have one, see [Azure Active Directory Application Request](../manage-apps/v2-howto-app-gallery-listing.md).

+* [Enable Single Sign-on for your application](../manage-apps/v2-howto-app-gallery-listing.md)

+1. [Create a request](../manage-apps/v2-howto-app-gallery-listing.md) for a pre-integrated user provisioning connector. Our team will work with you and the application developer to onboard your application to our platform if it supports SCIM.

+If you're building an application that will be used by more than one tenant, you can make it available in the Azure AD application gallery. This will make it easy for organizations to discover the application and configure provisioning. Publishing your app in the Azure AD gallery and making provisioning available to others is easy. Check out the steps [here](../manage-apps/v2-howto-app-gallery-listing.md). Microsoft will work with you to integrate your application into our gallery, test your endpoint, and release onboarding [documentation](../saas-apps/tutorial-list.md) for customers to use.

+ If you want to request a new application for provisioning, you can [request that your application be integrated with our app gallery](../manage-apps/v2-howto-app-gallery-listing.md). For a user provisioning request, we require the application to have a SCIM-compliant endpoint. Request that the application vendor follow the SCIM standard so we can onboard the app to our platform quickly.

+* Poor signal quality.

+ * Have the user attempt to log in using a wi-fi connection by installing the Microsoft Authenticator app.

+ * Or, use SMS authentication instead of phone (voice) authentication.

+- Have the credentials required to complete the steps in the scenario:

+ - An Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest. Referred to as **$domainCred**.

+ - An Azure Active Directory user who is a member of the Global Administrators role. Referred to as **$cloudCred**.

+

+ $cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest.'

+ $domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'

+ Title: 'What is Azure AD Connect cloud sync? | Microsoft Docs'

+Azure AD Connect cloud sync is new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application. However, it can be used alongside Azure AD Connect sync and it provides the following benefits:

+- Support for large groups with up to 50,000 members. It's recommended to use only the OU scoping filter when synchronizing large groups.

+| Support for merging user attributes from multiple domains|ΓùÅ | |

+| Cross domain references|ΓùÅ |ΓùÅ |

+By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition isnΓÇÖt configured.

+The **Configure** toggle when set to **Yes** applies to checked items, when set to **No** it applies to all client apps, including modern and legacy authentication clients. This toggle doesnΓÇÖt appear in policies created before August 2020.

+ - When policy blocks the use of Exchange ActiveSync the affected user will receive a single quarantine email. This email with provide information on why theyΓÇÖre blocked and include remediation instructions if able.

+ - This option includes clients that use basic/legacy authentication protocols that donΓÇÖt support modern authentication.

+This setting works with all browsers. However, to satisfy a device policy, like a compliant device requirement, the following operating systems and browsers are supported. Operating Systems and browsers that have fallen out of mainstream support arenΓÇÖt shown on this list:

+| Operating Systems | Browsers |

+| Windows 10 + | Microsoft Edge, [Chrome](#chrome-support), [Firefox 91+](https://support.mozilla.org/kb/windows-sso) |

+| Windows Server 2022 | Microsoft Edge, [Chrome](#chrome-support) |

+| Windows Server 2019 | Microsoft Edge, [Chrome](#chrome-support) |

+| iOS | Microsoft Edge, Safari |

+| Android | Microsoft Edge, Chrome |

+These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode or if cookies are disabled.

+| MFA and location policy for apps. Device-based policies arenΓÇÖt supported.| Any My Apps app service | Android and iOS |

+If the access control assigned to the policy uses **Require approved client app**, the user is directed to install and use the Outlook mobile client. In the case that **Multi-factor authentication**, **Terms of use**, or **custom controls** are required, affected users are blocked, because basic authentication doesnΓÇÖt support these controls.

+ThereΓÇÖs a new optional condition in Conditional Access called filter for devices. When configuring filter for devices as a condition, organizations can choose to include or exclude devices based on a filter using a rule expression on device properties. The rule expression for filter for devices can be authored using rule builder or rule syntax. This experience is similar to the one used for dynamic membership rules for groups. For more information, see the article [Conditional Access: Filter for devices (preview)](concept-condition-filters-for-devices.md).

+Organizations can use this control to require Azure AD to pass device information to the selected cloud apps. The device information allows cloud apps to know if a connection is from a compliant or domain-joined device and update the session experience. This control only supports Office 365, SharePoint Online, and Exchange Online as selected cloud apps. When selected, the cloud app uses the device information to provide users with a limited or full experience. Limited when the device isn't managed or compliant and full when the device is managed and compliant.

+Token lifetimes for Office web apps are reduced to 1 hour when a Conditional Access policy is set.

+1. User moves out of an allowed IP range.

+| Tenants that explicitly enabled some users in their tenants with the old experience.| Yes | No | Old CAE settings will be greyed out. Clicking **Migrate** launches the new Conditional Access policy wizard, which includes **All users**, while excluding users and groups copied from CAE. It also sets the new **Customize continuous access evaluation** Session control to **Disabled**. |

+| Tenants that explicitly disabled the preview. | Yes | No | Old CAE settings will be greyed out. Clicking **Migrate** launches the new Conditional Access policy wizard, which includes **All users**, and sets the new **Customize continuous access evaluation** Session control to **Disabled**. |

+- After 1 hour when a Conditional Access IP policy is set

+To further reduce this time, a SharePoint Administrator can reduce the maximum lifetime of coauthoring sessions for documents stored in SharePoint Online and OneDrive for Business, by [configuring a network location policy in SharePoint Online](/sharepoint/control-access-based-on-network-location). Once this configuration is changed, the maximum lifetime of coauthoring sessions will be reduced to 15 minutes, and can be adjusted further using the SharePoint Online PowerShell command "[Set-SPOTenant ΓÇôIPAddressWACTokenLifetime](/powershell/module/sharepoint-online/set-spotenant)".

+[  ](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-sign-ins-log-apply-filter.png#lightbox)

+The potential IP address mismatch between Azure AD & resource provider table allows admins to investigate sessions where the IP address detected by Azure AD doesn't match with the IP address detected by the resource provider.

+If you use a certificate as a client secret, the certificate must be deployed safely. We recommend that you store the certificate in a secure spot supported by the platform, such as in the certificate store on Windows or by using Azure Key Vault.

+Here's an example of how to craft these claims:

+using System.Collections.Generic;

+private static IDictionary<string, object> GetClaims(string tenantId, string clientId)

+ //aud = https://login.microsoftonline.com/ + Tenant ID + /v2.0

+ string aud = $"https://login.microsoftonline.com/{tenantId}/v2.0";

+ string ConfidentialClientID = clientId; //client id 00000000-0000-0000-0000-000000000000

+ const uint JwtToAadLifetimeInSeconds = 60 * 10; // Ten minutes

+ DateTimeOffset validFrom = DateTimeOffset.UtcNow;

+ DateTimeOffset validUntil = validFrom.AddSeconds(JwtToAadLifetimeInSeconds);

+ return new Dictionary<string, object>()

+ {

+ { "aud", aud },

+ { "exp", validUntil.ToUnixTimeSeconds() },

+ { "iss", ConfidentialClientID },

+ { "jti", Guid.NewGuid().ToString() },

+ { "nbf", validFrom.ToUnixTimeSeconds() },

+ { "sub", ConfidentialClientID }

+ };

+Here's how to craft a signed client assertion:

+using System.Collections.Generic;

+using System.Security.Cryptography.X509Certificates;

+using System.Security.Cryptography;

+using System.Text;

+using System.Text.Json;

+...

+static string Base64UrlEncode(byte[] arg)

+static string GetSignedClientAssertion(X509Certificate2 certificate, string tenantId, string clientId)

+ // Get the RSA with the private key, used for signing.

+ var rsa = certificate.GetRSAPrivateKey();

+ //x5t represents the certificate thumbprint base64 url encoded

+ {

+ { "alg", "RS256"},

+ { "typ", "JWT" },

+ { "x5t", Base64UrlEncode(certificate.GetCertHash()) }

+ };

+ var claims = GetClaims(tenantId, clientId);

+ var headerBytes = JsonSerializer.SerializeToUtf8Bytes(header);

+ var claimsBytes = JsonSerializer.SerializeToUtf8Bytes(claims);

+ string token = Base64UrlEncode(headerBytes) + "." + Base64UrlEncode(claimsBytes);

+ string signature = Base64UrlEncode(rsa.SignData(Encoding.UTF8.GetBytes(token), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

+ string GetSignedClientAssertionAlt(X509Certificate2 certificate)

+ SigningCredentials = new X509SigningCredentials(certificate)

+ X509Certificate2 certificate = ReadCertificate(config.CertificateName);

+ string signedClientAssertion = GetSignedClientAssertion(certificate, tenantId, ConfidentialClientID)

+ // OR

+ //string signedClientAssertion = GetSignedClientAssertionAlt(certificate);

+- **Is this the same thing as the Azure AD Application Gallery?** No- publisher verification is a complementary but separate program to the [Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). Developers who fit the above criteria should complete the publisher verification process independently of participation in that program.

+```JavaScript

+// the Azure AD endpoint is the authority endpoint for token issuance

+AAD_ENDPOINT=Enter_the_Cloud_Instance_Id_Here // https://login.microsoftonline.com/

+// the graph endpoint is the application ID URI of Microsoft Graph

+GRAPH_ENDPOINT=Enter_the_Graph_Endpoint_Here // https://graph.microsoft.com/

+Azure Active Directory (Azure AD) supports the SAML 2.0 web browser single sign-out profile. For single sign-out to work correctly, the **LogoutURL** for the application must be explicitly registered with Azure AD during application registration. If the app is [added to the Azure App Gallery](../manage-apps/v2-howto-app-gallery-listing.md) then this value can be set by default. Otherwise, the value must be determined and set by the person adding the app to their Azure AD tenant. Azure AD uses the LogoutURL to redirect users after they're signed out.

+- Download devices.

+## Download devices

+Global readers, Cloud Device Administrators, Intune Administrators, and Global Administrators can use the **Download devices** option to export a CSV file that lists devices. You can apply filters to determine which devices to list. If you don't apply any filters, all devices will be listed. An export task might run for as long as an hour, depending on your selections. If the export task exceeds 1 hour, it fails, and no file is output.

+description: How to use Azure Active Directory Conditional Access policies to secure external access to resources.

+This article discusses applying Conditional Access policies to external users and assumes you donΓÇÖt have access to [Entitlement Management](../governance/entitlement-management-overview.md) functionality. Conditional Access policies can be and are used alongside Entitlement Management.

+YouΓÇÖll use that plan to create your Conditional Access policies for external access.

+> Create several internal and external user test accounts so that you can test the policies you create before applying them.

+* If you canΓÇÖt use connected organizations in Entitlement Management, create an Azure AD security group or Microsoft 365 group for each partner organization you work with. Assign all users from that partner to the group. You may then use those groups in Conditional Access policies.

+* Clearly name policies specific to external access with a naming convention. One naming convention is *ExternalAccess_actiontaken_AppGroup*. For example a policy for external access that blocks access to finance apps, called ExternalAccess_Block_FinanceApps.

+You can block external users from accessing specific sets of resources with Conditional Access policies. Once youΓÇÖve determined the set of resources to which you want to block access, create a policy.

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies, for example ExternalAccess_Block_FinanceApps.

+1. Under **Assignments**, select **Users and groups**.

+ 1. Under **Include**, select **All guests and external users**.

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's [emergency access or break-glass accounts](../roles/security-emergency-access.md).

+ 1. Select **Done**.

+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

+ 1. Under **Exclude**, select any applications that shouldnΓÇÖt be blocked.

+1. Under **Access controls** > **Grant**, select **Block access**, and choose **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After confirming your settings using [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+### Block external access to all except specific external users

+There may be times you want to block external users except a specific group. For example, you may want to block all external users except those working for the finance team from the finance applications. To do this [Create a security group](active-directory-groups-create-azure-portal.md) to contain the external users who should access the finance applications:

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies, for example ExternalAccess_Block_AllButFinance.

+1. Under **Assignments**, select **Users and groups**.

+ 1. Under **Include**, select **All guests and external users**.

+ 1. Under **Exclude**, select **Users and groups**,

+ 1. Choose your organization's [emergency access or break-glass accounts](../roles/security-emergency-access.md).

+ 1. Choose the security group of external users you want to exclude from being blocked from specific applications.

+ 1. Select **Done**.

+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

+ 1. Under **Exclude**, select the finance applications that shouldnΓÇÖt be blocked.

+1. Under **Access controls** > **Grant**, select **Block access**, and choose **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After confirming your settings using [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+Many common Conditional Access policies are documented. See the article [Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md) for other common policies you may want to adapt for external users.

+1. [Discover your current state](2-secure-access-current-state.md)

+1. [Create a governance plan](3-secure-access-plan.md)

+1. [Use groups for security](4-secure-access-groups.md)

+1. [Transition to Azure AD B2B](5-secure-access-b2b.md)

+1. [Secure access with Entitlement Management](6-secure-access-entitlement-managment.md)

+1. [Secure access with Conditional Access policies](7-secure-access-conditional-access.md) (YouΓÇÖre here)

+1. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)

+1. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)

+Finally, if you have an Azure AD app gallery and use applications that support SSO with Azure AD, we recommend [listing the application in the app gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+In addition you can [integrate applications not in the gallery](../manage-apps/view-applications-portal.md), including any application that already exists in your organization, or any third-party application from a vendor who is not already part of the Azure AD gallery. You can also [add your app to the gallery](../manage-apps/v2-howto-app-gallery-listing.md) if it is not there.

+| Added to eligible privileged role| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role managementΓÇï<br>-and-<br>Activity type = Add member to role completed (eligible)<br>-and-<br>Status = Success or failureΓÇï<br>-and-<br>Modified properties = Role.DisplayName| Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml) |

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+For listing your application in the Azure AD app gallery, read the details [here](../manage-apps/v2-howto-app-gallery-listing.md).

+- The minimum .Net Framework version required is 4.6.2, and newer versions of .Net are also supported.

+Risky activity can be detected for a user that is not linked to a specific malicious sign-in but to the user itself.

+| Leaked credentials | This risk detection type indicates that the user's valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they are checked against Azure AD users' current valid credentials to find valid matches. For more information about leaked credentials, see [Common questions](#common-questions). |

+A sign-in risk represents the probability that a given authentication request is not authorized by the identity owner.

+| Unfamiliar sign-in properties | Real-time | This risk detection type considers past sign-in history (IP, Latitude / Longitude and ASN) to look for anomalous sign-ins. The system stores information about previous locations used by a user, and considers these "familiar" locations. The risk detection is triggered when the sign-in occurs from a location that is not already in the list of familiar locations. Newly created users will be in "learning mode" for a while where unfamiliar sign-in properties risk detections will be turned off while our algorithms learn the user's behavior. The learning mode duration is dynamic and depends on how much time it takes the algorithm to gather enough information about the user's sign-in patterns. The minimum duration is five days. A user can go back into learning mode after a long period of inactivity. The system also ignores sign-ins from familiar devices, and locations that are geographically close to a familiar location. <br><br> We also run this detection for basic authentication (or legacy protocols). Because these protocols do not have modern properties such as client ID, there is limited telemetry to reduce false positives. We recommend our customers to move to modern authentication. <br><br> Unfamiliar sign-in properties can be detected on both interactive and non-interactive sign-ins. When this detection is detected on non-interactive sign-ins, it deserves increased scrutiny due to the risk of token replay attacks. |

+| Additional risk detected | Real-time or Offline | This detection indicates that one of the above premium detections was detected. Since the premium detections are visible only to Azure AD Premium P2 customers, they are titled "additional risk detected" for customers without Azure AD Premium P2 licenses. |

+Identity Protection categorizes risk into three tiers: low, medium, and high. When configuring [custom Identity protection policies](./concept-identity-protection-policies.md#custom-conditional-access-policy), you can also configure it to trigger upon **No risk** level. No Risk means there is no active indication that the user's identity has been compromised.

+While Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.

+Disabled user accounts can be re-enabled. If the credentials of a disabled account are compromised, and the account gets re-enabled, bad actors might use those credentials to gain access. That is why, Identity Protection generates risk detections for suspicious activities against disabled user accounts to alert customers about potential account compromise. If an account is no longer in use and wont be re-enabled, customers should consider deleting it to prevent compromise. No risk detections are generated for deleted accounts.

+#### Why are not I seeing any leaked credentials?

+Leaked credentials are processed anytime Microsoft finds a new, publicly available batch. Because of the sensitive nature, the leaked credentials are deleted shortly after processing. Only new leaked credentials found after you enable password hash synchronization (PHS) will be processed against your tenant. Verifying against previously found credential pairs is not done.

+#### I have not seen any leaked credential risk events for quite some time?

+If you have not seen any leaked credential risk events, it is because of the following reasons:

+- You do not have PHS enabled for your tenant.

+- Microsoft has not found any leaked credential pairs that match your users.

+- [Investigate risk](howto-identity-protection-investigate-risk.md)

+- [Remediate and unblock users](howto-identity-protection-remediate-unblock.md)

+Organizations must decide the level of risk they are willing to accept balancing user experience and security posture.

+- When a sign-in risk policy triggers:

+ - Azure AD MFA can be triggered, allowing to user to prove it is them by using one of their registered authentication methods, resetting the sign-in risk.

+Policies allow for excluding users such as your [emergency access or break-glass administrator accounts](../roles/security-emergency-access.md). Organizations may need to exclude other accounts from specific policies based on the way the accounts are used. Exclusions should be reviewed regularly to see if they are still applicable.

+ 1. Under **Configure user risk levels needed for policy to be enforced**, select **High**.

+1. Under **Conditions** > **Sign-in risk**, set **Configure** to **Yes**. Under **Select the sign-in risk level this policy will apply to**.

+Selecting individual entries may enable more entries at the top of the report such as the ability to confirm a sign-in as compromised or safe, confirm a user as compromised, or dismiss user risk.

+Selecting individual entries expands a details window below the detections. The details view allows administrators to investigate and take action on each detection.

+The risky sign-ins report contains filterable data for up to the past 30 days (one month).

+The risk detections report contains filterable data for up to the past 90 days (three months).

+## Investigation framework

+Organizations may use the following frameworks to begin their investigation into any suspicious activity. Investigations may require having a conversation with the user in question, review of the [sign-in logs](../reports-monitoring/concept-sign-ins.md), or review of the [audit logs](../reports-monitoring/concept-audit-logs.md) to name a few.

+1. Check the logs and validate whether the suspicious activity is normal for the given user.

+ 1. Look at the userΓÇÖs past activities including at least the following properties to see if they are normal for the given user.

+ 1. Application

+ 1. Device - Is the device registered or compliant?

+ 1. Location - Is the user traveling to a different location or accessing devices from multiple locations?

+ 1. IP address

+ 1. User agent string

+ 1. If you have access to other security tools like [Microsoft Sentinel](../../sentinel/overview.md), check for corresponding alerts that might indicate a larger issue.

+1. Reach out to the user to confirm if they recognize the sign-in. Methods such as email or Teams may be compromised.

+ 1. Confirm the information you have such as:

+ 1. Application

+ 1. Device

+ 1. Location

+ 1. IP address

+### Investigate Azure AD threat intelligence detections

+To investigate an Azure AD Threat Intelligence risk detection, follow these steps:

+If more information is shown for the detection:

+1. Sign-in was from a suspicious IP Address:

+ 1. Confirm if the IP address shows suspicious behavior in your environment.

+ 1. Does the IP generate a high number of failures for a user or set of users in your directory?

+ 1. Is the traffic of the IP coming from an unexpected protocol or application, for example Exchange legacy protocols?

+ 1. If the IP address corresponds to a cloud service provider, rule out that there are no legitimate enterprise applications running from the same IP.

+1. This account was attacked by a Password spray:

+ 1. Validate that no other users in your directory are targets of the same attack.

+ 1. Do other users have sign-ins with similar atypical patterns seen in the detected sign-in within the same time frame? Password spray attacks may display unusual patterns in:

+ 1. User agent string

+ 1. Application

+ 1. Protocol

+ 1. Ranges of IPs/ASNs

+ 1. Time and frequency of sign-ins

+- [Remediate and unblock users](howto-identity-protection-remediate-unblock.md)

+After completing your [investigation](howto-identity-protection-investigate-risk.md), you need to take action to remediate the risk or unblock users. Organizations can enable automated remediation using their [risk policies](howto-identity-protection-configure-risk-policies.md). Organizations should try to close all risk detections that they are presented in a time period your organization is comfortable with. Microsoft recommends closing events quickly, because time matters when working with risk.

+### Remediation framework

+1. If the account is confirmed compromised:

+ 1. Select the event or user in the **Risky sign-ins** or **Risky users** reports and choose "Confirm compromised".

+ 1. If a risk policy or a Conditional Access policy was not triggered at part of the risk detection, and the risk was not [self-remediated](#self-remediation-with-risk-policy), then:

+ 1. [Request a password reset](#manual-password-reset).

+ 1. Block the user if you suspect the attacker can reset the password or do multi-factor authentication for the user.

+ 1. Revoke refresh tokens.

+ 1. [Disable any devices](../devices/device-management-azure-portal.md) considered compromised.

+ 1. If using [continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md), revoke all access tokens.

+For more information about what happens when confirming compromise, see the section [How should I give risk feedback and what happens under the hood?](howto-identity-protection-risk-feedback.md#how-should-i-give-risk-feedback-and-what-happens-under-the-hood).

+If you allow users to self-remediate, with Azure AD Multi-Factor Authentication (MFA) and self-service password reset (SSPR) in your risk policies, they can unblock themselves when risk is detected. These detections are then considered closed. Users must have previously registered for Azure AD MFA and SSPR for use when risk is detected.

+Some detections may not raise risk to the level where a user self-remediation would be required but administrators should still evaluate these detections. Administrators may determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies.

+- **Require the user to reset password** - Requiring the users to reset passwords enables self-recovery without contacting help desk or an administrator. This method only applies to users that are registered for Azure AD MFA and SSPR. For users that have not been registered, this option is not available.

+When you click **Dismiss user risk**, all events are closed and the affected user is no longer at risk. However, because this method does not have an impact on the existing password, it does not bring the related identity back into a safe state.

+To unblock an account blocked because of user risk, administrators have the following options:

+## BIG-IP configuration methods

+After you successfully integrate an application with Azure AD and thoroughly tested it, you can request to have it added to the gallery. Publishing an application to the gallery from the portal isn't supported but there is a process that you can follow to have it done for you. For more information about publishing to the gallery, select [Request new gallery application](../manage-apps/v2-howto-app-gallery-listing.md).

+If you want to add your custom application to the Azure Application Gallery, see [Publish your app to the Azure AD app gallery](../manage-apps/v2-howto-app-gallery-listing.md).

+You can pre-integrate your application with Azure AD to support SSO and automated provisioning by following the process to [publish it in Azure Marketplace](../manage-apps/v2-howto-app-gallery-listing.md). Azure Marketplace is a trusted source of applications for IT admins. Applications listed there have been validated to be compatible with Azure AD. They support SSO, automate user provisioning, and can easily integrate into customer tenants with automated app registration.

+**If you are in contact with this applicationΓÇÖs vendor,** send them our way so Microsoft can work with them to natively integrate their application with Azure Active Directory. You can send the vendor to the [Listing your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md) to get them started.

+In addition to this, **if you are in contact with this applicationΓÇÖs vendor,** **send them our way** so we can work with them to natively integrate their application with Azure Active Directory. You can send the vendor to the [Listing your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md) to get them started.

+In addition to this, **if you are in contact with this applicationΓÇÖs vendor,** **send them our way** so we can work with them to natively integrate their application with Azure Active Directory. You can send the vendor to the [Listing your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md) to get them started.

+If you want to make your application available through the gallery, you can [submit a request to have it added](../manage-apps/v2-howto-app-gallery-listing.md).

+| [Password Administrator](permissions-reference.md#password-administrator) | Can reset passwords for non-administrators within the assigned administrative unit only. |

+ https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions

+ https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments

+ "directoryScopeId":"/<GUID OF APPLICATION REGISTRATION>"

+ Title: 'Tutorial: Azure AD SSO integration with eLearnPOSH'

+description: Learn how to configure single sign-on between Azure Active Directory and eLearnPOSH.

+# Tutorial: Azure AD SSO integration with eLearnPOSH

+In this tutorial, you'll learn how to integrate eLearnPOSH with Azure Active Directory (Azure AD). When you integrate eLearnPOSH with Azure AD, you can:

+* Control in Azure AD who has access to eLearnPOSH.

+* Enable your users to be automatically signed-in to eLearnPOSH with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* eLearnPOSH single sign-on (SSO) enabled subscription.

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* eLearnPOSH supports **IDP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add eLearnPOSH from the gallery

+To configure the integration of eLearnPOSH into Azure AD, you need to add eLearnPOSH from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **eLearnPOSH** in the search box.

+1. Select **eLearnPOSH** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for eLearnPOSH

+Configure and test Azure AD SSO with eLearnPOSH using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in eLearnPOSH.

+To configure and test Azure AD SSO with eLearnPOSH, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure eLearnPOSH SSO](#configure-elearnposh-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create eLearnPOSH test user](#create-elearnposh-test-user)** - to have a counterpart of B.Simon in eLearnPOSH that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **eLearnPOSH** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. eLearnPOSH application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, eLearnPOSH application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+

+ | Name | Source Attribute |

+ | | |

+ | department | user.department |

+ | designation | user.jobtitle |

+ | email | user.userprincipalname |

+ | empid | user.employeeid |

+ | firstname | user.givenname |

+ | lastname | user.surname |

+ | primary-email | user.primaryauthoritativeemail |

+ | username | user.userprincipalname |

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to eLearnPOSH.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **eLearnPOSH**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure eLearnPOSH SSO

+To configure single sign-on on **eLearnPOSH** side, you need to send the **App Federation Metadata Url** to [eLearnPOSH support team](mailto:contact@succeedtech.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create eLearnPOSH test user

+In this section, you create a user called Britta Simon in eLearnPOSH. Work with [eLearnPOSH support team](mailto:contact@succeedtech.com) to add the users in the eLearnPOSH platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the eLearnPOSH for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the eLearnPOSH tile in the My Apps, you should be automatically signed in to the eLearnPOSH for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure eLearnPOSH you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+Once you configure Excelity HCM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Hornbill'

+# Tutorial: Azure AD SSO integration with Hornbill

+ `https://sso.hornbill.com/<INSTANCE_NAME>/<SUBDOMAIN>`

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+Once you configure Hornbill you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Manifestly Checklists'

+description: Learn how to configure single sign-on between Azure Active Directory and Manifestly Checklists.

+# Tutorial: Azure AD SSO integration with Manifestly Checklists

+In this tutorial, you'll learn how to integrate Manifestly Checklists with Azure Active Directory (Azure AD). When you integrate Manifestly Checklists with Azure AD, you can:

+* Control in Azure AD who has access to Manifestly Checklists.

+* Enable your users to be automatically signed-in to Manifestly Checklists with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Manifestly Checklists single sign-on (SSO) enabled subscription.

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Manifestly Checklists supports **SP and IDP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Manifestly Checklists from the gallery

+To configure the integration of Manifestly Checklists into Azure AD, you need to add Manifestly Checklists from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Manifestly Checklists** in the search box.

+1. Select **Manifestly Checklists** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Manifestly Checklists

+Configure and test Azure AD SSO with Manifestly Checklists using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Manifestly Checklists.

+To configure and test Azure AD SSO with Manifestly Checklists, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Manifestly Checklists SSO](#configure-manifestly-checklists-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Manifestly Checklists test user](#create-manifestly-checklists-test-user)** - to have a counterpart of B.Simon in Manifestly Checklists that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Manifestly Checklists** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type the URL:

+ `https://app.manifest.ly/users/saml/metadata`

+ b. In the **Reply URL** text box, type the URL:

+ `https://app.manifest.ly/users/saml/auth`

+ c. In the **Sign-on URL** text box, type a URL using one of the following patterns:

+ | **Sign-on URL** |

+ | -|

+ | `https://app.manifest.ly/users/sign_in` |

+ | `https://app.manifest.ly/a/<CustomerName>` |

+ > [!NOTE]

+ > This value is not real. Update this value with the actual Sign-on URL. Contact [Manifestly Checklists Client support team](mailto:support@manifest.ly) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Manifestly Checklists application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Manifestly Checklists application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+

+ | Name | Source Attribute |

+ | | |

+ | email | user.mail |

+ | first_name | user.givenname |

+ | last_name | user.surname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Manifestly Checklists** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Manifestly Checklists.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Manifestly Checklists**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Manifestly Checklists SSO

+1. Log in to your Manifestly Checklists company site as an administrator.

+1. Go to **Settings** > **SSO** and click **Set up SAML Sign On** button.

+ 

+1. In the **Edit SAML Single Sign** page, perform the following steps:

+ 

+ 1. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **SAML Cert** textbox.

+ 1. In the **SAML Entity** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.

+ 1. In the **SAML URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.

+ 1. Click **Save**.

+### Create Manifestly Checklists test user

+1. In a different web browser window, sign into your Manifestly Checklists company site as an administrator.

+1. Go to **Teams** > **Users** and click **Add User**.

+ 

+1. Enter the **Name** and **Email** in the textbox and click **Send Invite**.

+ 

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Manifestly Checklists Sign on URL where you can initiate the login flow.

+* Go to Manifestly Checklists Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Manifestly Checklists for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Manifestly Checklists tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Manifestly Checklists for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Manifestly Checklists you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+Once you configure Maxient Conduct Manager Software you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ a. In the **Identifier** text box, enter `PingConnect`. (If this identifier is already used by another application, contact the [Pendo support team](mailto:support@pendo.io).)

+

+ Title: 'Tutorial: Azure AD SSO integration with UltiPro Perception'

+description: Learn how to configure single sign-on between Azure Active Directory and UltiPro Perception.

+# Tutorial: Azure AD SSO integration with UltiPro Perception

+In this tutorial, you'll learn how to integrate UltiPro Perception with Azure Active Directory (Azure AD). When you integrate UltiPro Perception with Azure AD, you can:

+* Control in Azure AD who has access to UltiPro Perception.

+* Enable your users to be automatically signed-in to UltiPro Perception with their Azure AD accounts.

+* UltiPro Perception single sign-on (SSO) enabled subscription.

+* UltiPro Perception supports **IDP** initiated SSO.

+## Add UltiPro Perception from the gallery

+To configure the integration of UltiPro Perception into Azure AD, you need to add UltiPro Perception from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **UltiPro Perception** in the search box.

+1. Select **UltiPro Perception** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for UltiPro Perception

+Configure and test Azure AD SSO with UltiPro Perception using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in UltiPro Perception.

+To configure and test Azure AD SSO with UltiPro Perception, perform the following steps:

+1. **[Configure UltiPro Perception SSO](#configure-ultipro-perception-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create UltiPro Perception test user](#create-ultipro-perception-test-user)** - to have a counterpart of B.Simon in UltiPro Perception that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **UltiPro Perception** application integration page, find the **Manage** section and select **single sign-on**.

+ a. In the **Reply URL** text box, type a URL using the following pattern:

+ b. The **UltiPro Perception** application requires the **Azure AD Identifier** value as <entity_id>, which you will get from the **Set up UltiPro Perception** section, to be URI-encoded. To get the URI-encoded value, use the following link: **http://www.url-encode-decode.com/**.

+ c. After getting the URI-encoded value combine it with the **Reply URL** as mentioned below-

+ d. Paste the above value in the **Reply URL** textbox.

+6. On the **Set up UltiPro Perception** section, copy the appropriate URL(s) as per your requirement.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to UltiPro Perception.

+1. In the applications list, select **UltiPro Perception**.

+## Configure UltiPro Perception SSO

+1. In another browser window, sign on to your UltiPro Perception company site as an administrator.

+ 

+ 

+### Create UltiPro Perception test user

+In this section, you create a user called Britta Simon in UltiPro Perception. Work with [UltiPro Perception support team](https://www.ultimatesoftware.com/Contact/ContactUs) to add the users in the UltiPro Perception platform.

+* Click on Test this application in Azure portal and you should be automatically signed in to the UltiPro Perception for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the UltiPro Perception tile in the My Apps, you should be automatically signed in to the UltiPro Perception for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+Once you configure UltiPro Perception you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+Use the [application network portal](../manage-apps/v2-howto-app-gallery-listing.md) to request a [SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md) enabled application to be added to the gallery for automatic provisioning or a SAML / OIDC enabled application to be added to the gallery for SSO.

+Once you configure Twic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Zivver'

+description: Learn how to configure single sign-on between Azure Active Directory and Zivver.

+# Tutorial: Azure AD SSO integration with Zivver

+In this tutorial, you'll learn how to integrate Zivver with Azure Active Directory (Azure AD). When you integrate Zivver with Azure AD, you can:

+* Control in Azure AD who has access to Zivver.

+* Enable your users to be automatically signed-in to Zivver with their Azure AD accounts.

+To configure Azure AD integration with Zivver, you need the following items:

+* Zivver single sign-on enabled subscription.

+* Zivver supports **IDP** initiated SSO.

+## Add Zivver from the gallery

+To configure the integration of Zivver into Azure AD, you need to add Zivver from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **Zivver** in the search box.

+1. Select **Zivver** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Zivver

+Configure and test Azure AD SSO with Zivver using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Zivver.

+To configure and test Azure AD SSO with Zivver, perform the following steps:

+1. **[Configure Zivver SSO](#configure-zivver-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Zivver test user](#create-zivver-test-user)** - to have a counterpart of B.Simon in Zivver that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **Zivver** application integration page, find the **Manage** section and select **single sign-on**.

+5. Zivver application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. Zivver application expects **nameidentifier** to be mapped with **user.mail**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.

+6. In addition to above, Zivver application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:

+8. On the **Set up Zivver** section, copy the appropriate URL(s) as per your requirement.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Zivver.

+1. In the applications list, select **Zivver**.

+## Configure Zivver SSO

+1. In a different web browser window, sign in to your Zivver company [site](https://app.zivver.com/login) as an administrator.

+### Create Zivver test user

+In this section, you create a user called Britta Simon in Zivver. Work with [Zivver support team](https://support.zivver.com/) to add the users in the Zivver platform. Users must be created and activated before you use single sign-on.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Zivver for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Zivver tile in the My Apps, you should be automatically signed in to the Zivver for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+Once you configure Zivver you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+Microsoft provides guidance on additional actions you can take to secure your workloads through services like [Microsoft Defender for Containers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks). The following is a list of additional security threats related to AKS and Kubernetes that customers should be aware of:

+- *mcr.microsoft.com/oss/calico/node*

+- *mcr.microsoft.com/oss/kubernetes-csi/azuredisk-csi*

+> [!WARNING]

+> Nodepool upgrade will cause downtime for your AKS cluster as the nodes in the nodepools will be cordoned/drained and then reimaged.

+> - The process of assigning the certificate might take 15 minutes or more depending on the size of the deployment. The Developer SKU has downtime during the process. The Basic and higher SKUs don't have downtime during the process.

+> - You can also upload a CA certificate using the `New-AzApiManagementSystemCertificate` PowerShell command.

+* East Asia

+### Why are the Health check request not showing in my web server logs?

+The Health check request are sent to your site internally, so the request will not show in [the web server logs](troubleshoot-diagnostic-logs.md#enable-web-server-logging). This also means the request will have an origin of `127.0.0.1` since it the request being sent internally. You can add log statements in your Health check code to keep logs of when your Health check path is pinged.

+1. In the console, run `curl -s <protocol>://<fqdn-address>` with a URL that matches the application rule you configured, To continue example in the previous screenshot, you can use **curl -s https://api.my-ip.io/ip**. The following screenshot shows a successful response from the API, showing the public IP address of your App Service app.

+> [!NOTE]

+> If you require Application Gateway to sync the last version of the certificate with the key vault, provide the versionless `secretId` value (no hash). To do this, in the preceding example, replace the following line:

+>

+> ```

+> $secretId = $secret.Id # https://<keyvaultname>.vault.azure.net/secrets/<hash>

+> ```

+>

+> With this line:

+>

+> ```

+> $secretId = $secret.Id.Replace($secret.Version, "") # https://<keyvaultname>.vault.azure.net/secrets/

+> ```

+There are two locations where certificates may exist: certificates stored in Azure Key Vault, or certificates uploaded to an application gateway.

+## Certificates on Azure Key Vault

+When Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for TLS termination. The instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate if it exists. If an updated certificate is found, the TLS/SSL certificate that's currently associated with the HTTPS listener is automatically rotated.

+> [!TIP]

+> Any change to Application Gateway will force a check against Key Vault to see if any new versions of certificates are available. This includes, but is not limited to, changes to Frontend IP Configurations, Listeners, Rules, Backend Pools, Resource Tags, and more. If an updated certificate is found, the new certificate will immediately be presented.

+Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway will automatically rotate the certificate if a newer version is available in your key vault. An example of a secret URI without a version is `https://myvault.vault.azure.net/secrets/mysecret/`.

+## Certificates on an application gateway

+Application Gateway supports certificate upload without the need to configure Azure Key Vault. To renew the uploaded certificates, use the following steps for the Azure portal, Azure PowerShell, or Azure CLI.

+### Azure portal

+### Azure PowerShell

+### Azure CLI

+To learn how to configure TLS Offloading with Azure Application Gateway, see [Configure TLS Offload](./create-ssl-portal.md).

+1. Use the following command to generate the Certificate Signing Request (CSR).

+1. Use the following command to generate the Root Certificate.

+ ```

+ openssl x509 -req -sha256 -days 365 -in contoso.csr -signkey contoso.key -out contoso.crt

+ ```

+ The previous commands create the root certificate. You'll use this to sign your server certificate.

+[Reference documentation](https://azuresdkdocs.blob.core.windows.net/$web/jav)

+ implementation(group = "com.azure", name = "azure-ai-formrecognizer", version = "4.0.0-beta.3")

+* **Azure Virtual Desktop** - orchestrate scaling of VMs or start/stop VMs based on utilization.

+> [Create an Automation account](./quickstarts/create-account-portal.md)

+description: You can create an Azure Arc-enabled PostgreSQL Hyperscale server group from the Azure portal.

+You can create an Azure Arc-enabled PostgreSQL Hyperscale server group from the Azure portal. To do so, follow the steps in this article.

+## Get started

+You might want read the following important topics before you proceed. (If you're already familiar with these topics, you can skip.)

+If you prefer to try things out without provisioning a full environment yourself, get started quickly with [Azure Arc jumpstart](https://azurearcjumpstart.io/azure_arc_jumpstart/azure_arc_data/). You can do this on Azure Kubernetes Service (AKS), AWS Elastic Kubernetes Service (EKS), Google Cloud Kubernetes Engine (GKE), or in an Azure virtual machine (VM).

+## Deploy an Azure Arc data controller

+Before you deploy an Azure Arc-enabled PostgreSQL Hyperscale server group that you operate from the Azure portal, you must first deploy an Azure Arc data controller. You must configure the data controller to use the *directly connected* mode.

+To deploy an Azure Arc data controller, complete the instructions in these articles:

+1. [Deploy data controller - directly connected mode (prerequisites)](create-data-controller-direct-prerequisites.md)

+1. [Deploy Azure Arc data controller in directly connected mode from Azure portal](create-data-controller-direct-azure-portal.md)

+## Temporary step for OpenShift users only

+If you're using Red Hat OpenShift, you must implement this step before moving to the next one. To deploy an Azure Arc-enabled PostgreSQL Hyperscale server group onto Red Hat OpenShift in a project other than the default, run the following command against your cluster. This command updates the security constraints and grants the necessary privileges to the service accounts that will run your Hyperscale server group. The security context constraint (SCC) called `arc-data-scc` is the one you added when you deployed the Azure Arc data controller.

+`server-group-name` is the name of the server group you will create during the next step.

+You have now deployed an Azure Arc data controller that uses the directly connected mode, as described earlier in the article. You can't operate an Azure Arc-enabled PostgreSQL Hyperscale server group from the Azure portal if you deployed it to an Azure Arc data controller configured to use the *indirectly connected* mode.

+Next, you choose one the options in the following sections.

+### Deploy from Azure Marketplace

+1. Go to [the Azure portal](https://portal.azure.com).

+2. In Azure Marketplace, search for **azure arc postgres**, and select **Azure Arc-enabled PostgreSQL Hyperscale server groups**.

+3. Select **+ Create** in the upper-left corner of the page.

+4. Fill in the form, like you deploy any other Azure resource.

+### Deploy from Azure Database for PostgreSQL deployment option page

+1. Go to the following URL: `https://ms.portal.azure.com/#create/Microsoft.PostgreSQLServer`.

+1. Select **Azure Arc-enabled PostgreSQL Hyperscale (Preview)** in the lower right of the page.

+1. Fill in the form, like you deploy any other Azure resource.

+### Deploy from the Azure Arc center

+1. Go to the following URL: `https://ms.portal.azure.com/#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/overview`.

+1. From the **Deploy Azure services** tile, select **Deploy**. Then, from the **PostgreSQL Hyperscale (Preview)** tile, select **Deploy**. Alternatively, from the left pane, in the **Services** section, select **PostgreSQL Hyperscale (Preview)**. Then select **+ Create** in the upper left of the pane.

+### Important considerations

+Be aware of the following considerations when you're deploying:

+- **The number of worker nodes you want to deploy to scale out and potentially reach better performances.** For more information, see [Concepts for distributing data with Azure Arc-enabled PostgreSQL Hyperscale server group](concepts-distributed-postgres-hyperscale.md).

+ The following table indicates the range of supported values, and what form of deployment you get with them. For example, if you want to deploy a server group with two worker nodes, indicate *2*. This will create three pods, one for the coordinator node or instance, and two for the worker nodes or instances (one for each of the workers).

+ |You need |Shape of the server group you will deploy |Number of worker nodes to indicate |Note |

+ |||||

+ |A scaled-out form of Azure Arc-enabled PostgreSQL Hyperscale to satisfy the scalability needs of your applications. |Three or more instances of Azure Arc-enabled PostgreSQL Hyperscale. One is the coordinator, and *n* are workers, with *n >=2*. |*n*, with *n>=2*. |The Citus extension that provides the Hyperscale capability is loaded. |

+ |A basic form of Azure Arc-enabled PostgreSQL Hyperscale. You want to do functional validation of your application, at minimum cost. You don't need performance and scalability validation. |One instance of Azure Arc-enabled PostgreSQL Hyperscale. The instance serves as both coordinator and worker. |*0*, and add Citus to the list of extensions to load. |The Citus extension that provides the Hyperscale capability is loaded. |

+ |A simple instance of Azure Arc-enabled PostgreSQL Hyperscale that is ready to scale out when you need it. |One instance of Azure Arc-enabled PostgreSQL Hyperscale. It isn't yet aware of the semantic for coordinator and worker. To scale it out after deployment, edit the configuration, increase the number of worker nodes, and distribute the data. |*0*. |The Citus extension that provides the Hyperscale capability is present on your deployment, but isn't yet loaded. |

+ | | | | |

+ Although you can indicate *1* worker, it's not a good idea to do so. This deployment doesn't provide you with much value. With it, you get two instances of Azure Arc-enabled PostgreSQL Hyperscale: one coordinator and one worker. You don't scale out the data because you deploy a single worker. As such, you don't see an increased level of performance and scalability.

+- **The storage classes you want your server group to use.** It's important to set the storage class right at the time you deploy a server group. You can't change this setting after you deploy. If you don't indicate storage classes, you get the storage classes of the data controller by default.

+ - To set the storage class for the data, indicate the parameter `--storage-class-data` or `-scd`, followed by the name of the storage class.

+ - To set the storage class for the logs, indicate the parameter `--storage-class-logs` or `-scl`, followed by the name of the storage class.

+ - To set the storage class for the backups, you either indicate a storage class or a volume claim mount. A *volume claim mount* is a pair of an existing persistent volume claim (in the same namespace) and a volume type (and optional metadata depending on the volume type), separated by colon. The persistent volume is mounted in each pod for the Azure Arc-enabled PostgreSQL Hyperscale server group.

+ - If you want to do only full database restores, set the parameter `--storage-class-backups` or `-scb`, followed by the name of the storage class.

+ - If you want to do both full database restores and point-in-time restores, set the parameter `--volume-claim-mounts`, followed by the name of a volume claim and a volume type.

+- [Get connection endpoints and connection strings](get-connection-endpoints-and-connection-strings-postgres-hyperscale.md)

+- [Expanding persistent volume claims](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims)

+Azure provides configuration management capability using GitOps in Azure Kubernetes Service (AKS) and Azure Arc-enabled Kubernetes clusters. You can easily enable and use GitOps in these clusters.

+GitOps is enabled in an Azure Arc-enabled Kubernetes or AKS cluster as a `Microsoft.KubernetesConfiguration/extensions/microsoft.flux` [cluster extension](./conceptual-extensions.md) resource. The `microsoft.flux` extension must be installed in the cluster before one or more `fluxConfigurations` can be created. The extension will be installed automatically when you create the first `Microsoft.KubernetesConfiguration/fluxConfigurations` in a cluster, or you can install it manually using the portal, the Azure CLI (*az k8s-extension create --extensionType=microsoft.flux*), ARM template, or REST API.

+You create Flux configuration resources (`Microsoft.KubernetesConfiguration/fluxConfigurations`) to enable GitOps management of the cluster from your Git repos or Bucket sources. When you create a `fluxConfigurations` resource, the values you supply for the parameters, such as the target Git repo, are used to create and configure the Kubernetes objects that enable the GitOps process in that cluster. To ensure data security, the `fluxConfigurations` resource data is stored encrypted at rest in an Azure Cosmos DB database by the Cluster Configuration service.

+* Creates `GitRepository` or `Bucket` custom resource and `Kustomization` custom resources from the information in the `FluxConfig` custom resource.

+Each `fluxConfigurations` resource in Azure will be associated in a Kubernetes cluster with one Flux `GitRepository` or `Bucket` custom resource and one or more `Kustomization` custom resources. When you create a `fluxConfigurations` resource, you'll specify, among other information, the URL to the source (Git repository or Bucket) and the sync target in the source for each `Kustomization`. You can configure dependencies between `Kustomization` custom resources to control deployment sequencing. Also, you can create multiple namespace-scoped `fluxConfigurations` resources on the same cluster for different applications and app teams.

+> * Sensitive customer inputs like private key and token/password are stored for less than 48 hours in the Kubernetes Configuration service. If you update any of these values in Azure, assure that your clusters connect with Azure within 48 hours.

+Advance to the next tutorial to learn how to enable GitOps on your AKS or Azure Arc-enabled Kubernetes clusters

+GitOps with Flux v2 can be enabled in Azure Kubernetes Service (AKS) managed clusters or Azure Arc-enabled Kubernetes connected clusters as a cluster extension. After the `microsoft.flux` cluster extension is installed, you can create one or more `fluxConfigurations` resources that sync your Git repository sources to the cluster and reconcile the cluster to the desired state. With GitOps, you can use your Git repository as the source of truth for cluster configuration and application deployment.

+False whl connectedk8s C:\Users\somename\.azure\cliextensions\connectedk8s False 1.2.0

+False whl k8s-configuration C:\Users\somename\.azure\cliextensions\k8s-configuration False 1.4.1

+False whl k8s-extension C:\Users\somename\.azure\cliextensions\k8s-extension False 1.0.4

+* The cluster type is Azure Arc (`-t connectedClusters`), but this example also works with AKS (`-t managedClusters`).

+For an AKS cluster, use the same command but with `-t managedClusters`replacing `-t connectedClusters`.

+ deployed-object : Commands to see deployed objects associated with Flux v2 Kubernetes

+ configurations.

+ kustomization : Commands to manage Kustomizations associated with Flux v2 Kubernetes

+ configurations.

+ create : Create a Flux v2 Kubernetes configuration.

+ delete : Delete a Flux v2 Kubernetes configuration.

+ list : List all Flux v2 Kubernetes configurations.

+ show : Show a Flux v2 Kubernetes configuration.

+ update : Update a Flux v2 Kubernetes configuration.

+ az k8s-configuration flux create : Create a Flux v2 Kubernetes configuration.

+ --cluster-type -t [Required] : Specify Arc connected clusters or AKS managed clusters.

+ --url -u [Required] : URL of the source to reconcile.

+ --bucket-insecure : Communicate with a bucket without TLS. Allowed values: false,

+ true.

+ --bucket-name : Name of the S3 bucket to sync.

+ --kind : Source kind to reconcile. Allowed values: bucket, git.

+ Default: git.

+ --local-auth-ref --local-ref : Local reference to a kubernetes secret in the configuration

+ namespace to use for communication to the source.

+Bucket Auth Arguments

+ --bucket-access-key : Access Key ID used to authenticate with the bucket.

+ --bucket-secret-key : Secret Key used to authenticate with the bucket.

+Git Auth Arguments

+ Create a Flux v2 Kubernetes configuration

+ --branch main --kustomization name=my-kustomization

+ Create a Kubernetes v2 Flux Configuration with Bucket Source Kind

+ az k8s-configuration flux create --resource-group my-resource-group \

+ --cluster-name mycluster --cluster-type connectedClusters \

+ --name myconfig --scope cluster --namespace my-namespace \

+ --kind bucket --url https://bucket-provider.minio.io \

+ --bucket-name my-bucket --kustomization name=my-kustomization \

+ --bucket-access-key my-access-key --bucket-secret-key my-secret-key

+### Source general arguments

+| `--kind` | String | Source kind to reconcile. Allowed values: `bucket`, `git`. Default: `git`. |

+| `--timeout` | [golang duration format](https://pkg.go.dev/time#Duration.String) | Maximum time to attempt to reconcile the source before timing out. Default: `10m`. |

+| `--sync-interval` `--interval` | [golang duration format](https://pkg.go.dev/time#Duration.String) | Time between reconciliations of the source on the cluster. Default: `10m`. |

+### Git repository source reference arguments

+### Bucket source arguments

+If you use a `bucket` source instead of a `git` source, here are the bucket-specific command arguments.

+| `--url` `-u` | URL String | The URL for the `bucket`. Formats supported: http://, https://, s3://. |

+| `--bucket-name` | String | Name of the `bucket` to sync. |

+| `--bucket-access-key` | String | Access Key ID used to authenticate with the `bucket`. |

+| `--bucket-secret-key` | String | Secret Key used to authenticate with the `bucket`. |

+| `--bucket-insecure` | Boolean | Communicate with a `bucket` without TLS. If not provided, assumed false; if provided, assumed true. |

+### Local secret for authentication with source

+You can use a local Kubernetes secret for authentication with the `git` or `bucket` source.

+| Parameter | Format | Notes |

+| - | - | - |

+| `--local-auth-ref` `--local-ref` | String | Local reference to a Kubernetes secret in the Flux configuration namespace to use for authentication with the source. |

+>If you need Flux to access the source through your proxy, you'll need to update the Azure Arc agents with the proxy settings. For more information, see [Connect using an outbound proxy server](./quickstart-connect-cluster.md?tabs=azure-cli#4a-connect-using-an-outbound-proxy-server).

+ create : Create a Kustomization associated with a Flux v2 Kubernetes configuration.

+ delete : Delete a Kustomization associated with a Flux v2 Kubernetes configuration.

+ list : List Kustomizations associated with a Flux v2 Kubernetes configuration.

+ show : Show a Kustomization associated with a Flux v2 Kubernetes configuration.

+ update : Update a Kustomization associated with a Flux v2 Kubernetes configuration.

+ > [!NOTE]

+ > Service principle need to be a member of **owner role** of Azure AD application to be able to create or modify the Secure Webhook action in the action group.

+ Title: Upgrade legacy rules management to the current Azure Monitor Log Alerts API

+description: Learn how to switch to the log alerts management to ScheduledQueryRules API

+# Upgrade legacy rules management to the current Log Alerts API from legacy Log Analytics Alert API

+> Once a user chooses to switch rules with legacy management to the current [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules) it is not possible to revert back to the older [legacy Log Analytics Alert API](./api-alerts.md).

+In the past, users used the [legacy Log Analytics Alert API](./api-alerts.md) to manage log alert rules. Currently workspaces use [ScheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules) for new rules. This article describes the benefits and the process of switching legacy log alert rules management from the legacy API to the current API.

+- Manage all log rules in one API.

+- Support for stateful and 1-minute log alert previews for legacy rules.

+- [PowerShell cmdlets](./alerts-manage-alerts-previous-version.md#manage-log-alerts-using-powershell) and [Azure CLI](./alerts-log.md#manage-log-alerts-using-cli) support for switched rules.

+- Alignment of severities with all other alert types and newer rules.

+- Ability to create [cross workspace log alert](../logs/cross-workspace-query.md) that span several external resources like Log Analytics workspaces or Application Insights resources for switched rules.

+- Users can specify dimensions to split the alerts for switched rules.

+- Log alerts have extended period of up to two days of data (previously limited to one day) for switched rules.

+- All switched rules must be created/edited with the current API. See [sample use via Azure Resource Template](alerts-log-create-templates.md) and [sample use via PowerShell](./alerts-manage-alerts-previous-version.md#manage-log-alerts-using-powershell).

+If the Log Analytics workspace was switched to [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules), the response is:

+This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) to configure [log alerts](./alerts-unified-log.md) in Azure Monitor. Resource Manager templates enable you to programmatically set up alerts in a consistent and reproducible way across your environments. Log alerts are created in the `Microsoft.Insights/scheduledQueryRules` resource provider. See API reference for [Scheduled Query Rules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules).

+[Scheduled Query Rules creation](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules/create-or-update) template for all resource types (sample data set as variables):

+[Scheduled Query Rules creation](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules/create-or-update) template based on [number of results log alert](./alerts-unified-log.md#count-of-the-results-table-rows) (sample data set as variables):

+[Scheduled Query Rules creation](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules/create-or-update) template based on [metric measurement](./alerts-unified-log.md#calculation-of-measure-based-on-a-numeric-column-such-as-cpu-counter-value) that queries [cross-resources](../logs/cross-workspace-query.md) (sample data set as variables):

+> When using cross-resource query in log alert, the usage of [authorizedResources](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules/create-or-update#source) is mandatory and user must have access to the list of resources stated

+> [Cross-resource queries](../logs/cross-workspace-query.md) are supported in the new [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules). If you still use the [legacy Log Analytics Alert API](./api-alerts.md) for creating log alerts, you can learn about switching [here](../alerts/alerts-log-api-switch.md).

+### Actions are muted or alert rule is defined to resolve automatically

+Log alerts provide an option to mute fired alert actions for a set amount of time using **Mute actions** and to only fire once per condition being met using **Automatically resolve alerts**.

+A common issue is that you think that the alert didn't fire, but it was actually the rule configuration.

+1. On the Alerts screen in Azure Monitor, select **Alert rules**.

+- CLI: [az monitor scheduled-query list](/cli/azure/monitor/scheduled-query#az-monitor-scheduled-query-list)

+- REST API - [List by subscription](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules/list-by-subscription)

+Log alerts run queries on Log Analytics data. First you should start [collecting log data](../essentials/resource-logs.md) and query the log data for issues. You can use the [alert query examples topic](../logs/queries.md) in Log Analytics to understand what you can discover or [get started on writing your own query](../logs/log-analytics-tutorial.md).

+Time range is set in the rule condition definition. It's called **Override query time range** in the advance settings section.

+Unlike log analytics, the time range in alerts is limited to a maximum of two days of data. Even if longer range **ago** command is used in the query, the time range will apply. For example, a query scans up to 2 days, even if the text contains **ago(7d)**.

+If you use **ago** command in the query, the range is automatically set to two days. You can also change time range manually in cases the query requires more data than the alert evaluation even if there is no **ago** command in the query.

+Count of results is the default measure and is used when you set a **Measure** with a selection of **Table rows**. Ideal for working with events such as Windows event logs, syslog, application exceptions. Triggers when log records happen or doesn't happen in the evaluated time window.

+Calculation of measure based on a numeric column is used when the **Measure** has a selection of any number column name.

+The calculation that is done on multiple records to aggregate them to one numeric value using the [**Aggregation granularity**](#aggregation-granularity) defined. For example:

+- **Sum** returns the sum of measure column.

+- **Average** returns the average of the measure column.

+Split alerts by number or string columns into separate alerts by grouping into unique combinations. It's configured in **Split by dimensions** section of the condition (limited to six splits). When creating resource-centric alerts at scale (subscription or resource group scope), you can split by Azure resource ID column. Splitting on Azure resource ID column will change the target of the alert to the specified resource.

+- **Resource ID Column:** _ResourceId

+- **Dimensions:**

+- **Aggregation granularity:** 15 minutes

+The interval in which the query is run. Can be set from a minute to a day.

+Stateless alerts fire each time the condition is met, even if fired previously. You can [mark the alert as closed](../alerts/alerts-managing-alert-states.md) once the alert instance is resolved. You can also mute actions to prevent them from triggering for a period after an alert rule fired using the **Mute Actions** option in the alert details section.

+Log alerts allow you to set a location for alert rules. You can select any of the supported locations, which align to [Log Analytics supported region list](https://azure.microsoft.com/global-infrastructure/services/?products=monitor).

+- Log Alerts on Log Analytics shown with exact resource name along with resource group and alert properties; when created using [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules).

+> As [announced](https://azure.microsoft.com/updates/switch-api-preference-log-alerts/), log analytics workspace(s) created after *June 1, 2019* manage alert rules using the current [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules). Customers are encouraged to [switch to the current API](./alerts-log-api-switch.md) in older workspaces to leverage Azure Monitor scheduledQueryRules [benefits](./alerts-log-api-switch.md#benefits). This article describes management of alert rules using the legacy API.

+$ helm upgrade --set omsagent.secret.wsid=<your_workspace_id>,omsagent.secret.key=<your_workspace_key>,omsagent.env.clusterName=<my_prod_cluster> incubator/azuremonitor-containers

+$ helm upgrade --set omsagent.domain=opinsights.azure.cn,omsagent.secret.wsid=<your_workspace_id>,omsagent.secret.key=<your_workspace_key>,omsagent.env.clusterName=<your_cluster_name> incubator/azuremonitor-containers

+$ helm upgrade --set omsagent.domain=opinsights.azure.us,omsagent.secret.wsid=<your_workspace_id>,omsagent.secret.key=<your_workspace_key>,omsagent.env.clusterName=<your_cluster_name> incubator/azuremonitor-containers

+- All tables will be supported in export, but currently limited to those specified in the [supported tables](#supported-tables) section below.

+- The legacy custom log wonΓÇÖt be supported in export. The next generation of custom log available in preview early 2022 can be exported.

+- Storage account must be unique across rules in workspace.

+Data export rule defines the destination and tables for which data is exported. You can create 10 rules in 'enable' state in your workspace, more rules are allowed in 'disable' state. Storage account must be unique across rules in workspace. Multiple rules can use the same event hub namespace when sending to separate event hubs.

+> - The legacy custom log wonΓÇÖt be supported in export. The next generation of custom log available in preview early 2022 can be exported.

+- Security fixes for docker services running as root in azureeyemodule (mcr.microsoft.com/azureedgedevices/azureeyemodule:2112-1), azureearspeechclientmodule, and webstreammodule.

+* Virtual machines in an existing virtual network can be moved to a new subscription only when the virtual network and all of its dependent resources are also moved.

+When deploying a resource, you may receive the following error:

+Resources that have an accessible endpoint, such as a fully qualified domain name, can't use reserved words or trademarks in the name. The name is checked when the resource is created, even if the endpoint isn't currently enabled.

+Azure SQL Database [elastic pools](./elastic-pool-overview.md) is a cost-effective solution for managing many databases with varying resource usage. All databases in an elastic pool share the same allocation of resources, such as CPU, memory, worker threads, storage space, `tempdb`, on the assumption that **only a subset of databases in the pool will use compute resources at any given time**. This assumption allows elastic pools to be cost-effective. Instead of paying for all resources each individual database could potentially need, customers pay for a much smaller set of resources, shared among all databases in the pool.

+Resource sharing requires the system to carefully control resource usage to minimize the "noisy neighbor" effect, where a database with high resource consumption affects other databases in the same elastic pool. Azure SQL Database achieves these goals by implementing [resource governance](resource-limits-logical-server.md#resource-governance). At the same time, the system must provide sufficient resources for features such as high availability and disaster recovery (HADR), backup and restore, monitoring, Query Store, Automatic tuning, etc. to function reliably.

+To send an alert when pool resource utilization (CPU, data IO, log IO, workers, etc.) exceeds a threshold, consider creating alerts via the [Azure portal](alerts-insights-configure-portal.md) or the [Add-AzMetricAlertRulev2](/powershell/module/az.monitor/add-azmetricalertrulev2) PowerShell cmdlet. When monitoring elastic pools, consider also creating alerts for individual databases in the pool if needed in your scenario. For a sample scenario of monitoring elastic pools, see [Monitor and manage performance of Azure SQL Database in a multi-tenant SaaS app](saas-dbpertenant-performance-monitoring.md).

+|`oom_per_second`|The rate of out-of-memory (OOM) errors in an elastic pool, which is an indicator of memory pressure. Available in the [sys.dm_resource_governor_resource_pools_history_ex](/sql/relational-databases/system-dynamic-management-views/sys-dm-resource-governor-resource-pools-history-ex-azure-sql-database) view. See [Examples](#examples) for a sample query to calculate this metric. For more information, see resource limits for [elastic pools using DTUs](resource-limits-dtu-elastic-pools.md) or [elastic pools using vCores](resource-limits-vcore-elastic-pools.md), and [Troubleshoot out of memory errors with Azure SQL Database](troubleshoot-memory-errors-issues.md).|0|

+|[sys.dm_resource_governor_resource_pools_history_ex](/sql/relational-databases/system-dynamic-management-views/sys-dm-resource-governor-resource-pools-history-ex-azure-sql-database)|Returns resource pool utilization statistics for recent history, based on the number of snapshots available. Each row represents a time interval. The duration of the interval is provided in the `duration_ms` column. The `delta_` columns return the change in each statistic during the interval.|

+|[sys.dm_resource_governor_workload_groups_history_ex](/sql/relational-databases/system-dynamic-management-views/sys-dm-resource-governor-workload-groups-history-ex-azure-sql-database)|Returns workload group utilization statistics for recent history, based on the number of snapshots available. Each row represents a time interval. The duration of the interval is provided in the `duration_ms` column. The `delta_` columns return the change in each statistic during the interval.|

+**Leave sufficient resource headroom**. If resource contention and performance degradation occur, mitigation may involve moving some databases out of the affected elastic pool, or scaling up the pool, as noted earlier. However, these actions require additional compute resources to complete. In particular, for Premium and Business Critical pools, these actions require transferring all data for the databases being moved, or for all databases in the elastic pool if the pool is scaled up. Data transfer is a long running and resource-intensive operation. If the pool is already under high resource pressure, the mitigating operation itself will degrade performance even further. In extreme cases, it may not be possible to solve resource contention via database move or pool scale-up because the required resources are not available. In this case, temporarily reducing query workload on the affected elastic pool may be the only solution.

+> [!NOTE]

+> For DTU elastic pools, the eDTU metric at the pool level is not a MAX or a SUM of individual database utilization. It is derived from the utilization of various pool level metrics. Pool level resource limits may be higher than individual database level limits, so it is possible that an individual database can reach a specific resource limit (CPU, data IO, log IO, etc.), even when the eDTU reporting for the pool indicates no limit been reached.

+Limit the number of databases per server to a lower number than the maximum supported. In many scenarios, using up to 1000-2000 databases per server is optimal. To reduce the likelihood of accidental server deletion, place a [delete lock](../../azure-resource-manager/management/lock-resources.md) on the server or its resource group.

+### View individual database capacity settings

+Use the `sys.dm_user_db_resource_governance` dynamic management view to view the actual configuration and capacity settings used by resource governance in the current database or elastic pool. For more information, see [sys.dm_user_db_resource_governance](/sql/relational-databases/system-dynamic-management-views/sys-dm-user-db-resource-governor-azure-sql-database).

+Run this query in any database in an elastic pool. All databases in the pool have the same resource governance settings.

+```sql

+SELECT * FROM sys.dm_user_db_resource_governance AS rg

+WHERE database_id = DB_ID();

+```

+### Monitoring overall elastic pool resource consumption

+Use the `sys.elastic_pool_resource_stats` system catalog view to monitor the resource consumption of the entire pool. For more information, see [sys.elastic_pool_resource_stats](/sql/relational-databases/system-catalog-views/sys-elastic-pool-resource-stats-azure-sql-database).

+This sample query to view the last 10 minutes should be run in the `master` database of the logical Azure SQL server containing the desired elastic pool.

+```sql

+SELECT * FROM sys.elastic_pool_resource_stats AS rs

+WHERE rs.start_time > DATEADD(mi, -10, SYSUTCDATETIME())

+AND rs.elastic_pool_name = '<elastic pool name>';

+```

+### Monitoring individual database resource consumption

+Use the `sys.dm_db_resource_stats` dynamic management view to monitor the resource consumption of individual databases. For more information, see [sys.dm_db_resource_stats](/sql/relational-databases/system-dynamic-management-views/sys-dm-db-resource-stats-azure-sql-database). One row exists for every 15 seconds, even if there is no activity. Historical data is maintained for approximately one hour.

+This sample query to view the last 10 minutes of data should be run in the desired database.

+```sql

+SELECT * FROM sys.dm_db_resource_stats AS rs

+WHERE rs.end_time > DATEADD(mi, -10, SYSUTCDATETIME());

+```

+For longer retention time with less frequency, consider the following query on `sys.resource_stats`, run in the `master` database of the Azure SQL logical server. For more information, see [sys.resource_stats (Azure SQL Database)](/sql/relational-databases/system-catalog-views/sys-resource-stats-azure-sql-database). One row exists every five minutes, and historical data is maintained for two weeks.

+```sql

+SELECT * FROM sys.resource_stats

+WHERE [database_name] = 'sample'

+ORDER BY [start_time] desc;

+```

+This query calculates the `oom_per_second` metric for each resource pool for recent history, based on the number of snapshots available. This sample query helps identify the recent average number of failed memory allocations in the pool. This query can be run in any database in an elastic pool.

+This query returns the current value of the `tempdb_log_used_percent` metric, showing the relative utilization of the `tempdb` transaction log relative to its maximum allowed size. This query can be run in any database in an elastic pool.

+Configure a failover group for an Azure SQL Database elastic pool and test failover using the Azure portal. In this tutorial, you'll learn how to:

+In this step, you create a resource group, server, single database, and server-level IP firewall rule for access to the server.

+In this step, you'll create an elastic pool and add your database to it.

+1. Select **Azure SQL** in the left-hand menu of the Azure portal. If **Azure SQL** isn't in the list, select **All services**, then type "Azure SQL" in the search box. (Optional) Select the star next to **Azure SQL** to favorite it and add it as an item in the left-hand navigation.

+Set these additional parameter values for use in creating the elastic pool.

+Use the [az sql elastic-pool create](/cli/azure/sql/elastic-pool#az-sql-elastic-pool-create) command to create an elastic pool.

+Use the [az sql db update](/cli/azure/sql/db#az_sql_db_update) command to add a database to an elastic pool.

+In this step, you'll create a [failover group](auto-failover-group-overview.md) between an existing server and a new server in another region. Then add the elastic pool to the failover group.

+1. Select **Azure SQL** in the left-hand menu of the [Azure portal](https://portal.azure.com). If **Azure SQL** isn't in the list, select **All services**, then type Azure SQL in the search box. (Optional) Select the star next to **Azure SQL** to favorite it and add it as an item in the left-hand navigation.

+ - **Location**: Choose a location from the drop-down, such as `East US`. This location can't be the same location as your primary server.

+ 

+In this step, you use the Azure CLI to create your secondary server, failover group, elastic pool, and add a database to the failover group.

+Set these additional parameter values for use in creating the failover group.

+Use the [az sql server create](/cli/azure/sql/server#az_sql_server_create) command to create a secondary server.

+Use the [az sql elastic-pool create](/cli/azure/sql/elastic-pool#az-sql-elastic-pool-create) command to create an elastic pool on the secondary server.

+Use the [az sql failover-group create](/cli/azure/sql/failover-group#az_sql_failover_group_create) command to create a failover group.

+### Add database to the failover group

+Use the [az sql failover-group update](/cli/azure/sql/failover-group#az_sql_failover_group_update) command to add a database to the failover group.

+In this step, you'll fail your failover group over to the secondary server, and then fail back using the Azure portal.

+1. Select **Azure SQL** in the left-hand menu of the [Azure portal](https://portal.azure.com). If **Azure SQL** isn't in the list, select **All services**, then type Azure SQL in the search box. (Optional) Select the star next to **Azure SQL** to favorite it and add it as an item in the left-hand navigation.

+Use the [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) command to confirm the roles of each server in the failover group.

+Use the [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) command to fail over to the secondary server. Use the [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) command to verify a successful failover.

+Use the [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) command to fail back to the primary server.

+In this step, you create a resource group, server, single database, and server-level IP firewall rule for access to the server.

+Use the [az sql server create](/cli/azure/sql/server#az_sql_server_create) command to create a secondary server with .

+Use the [az sql failover-group create](/cli/azure/sql/failover-group#az_sql_failover_group_create) command to create a failover group.

+Use the [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) command to confirm the roles of each server.

+Use the [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) to fail over to the secondary server. Use the [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) command to verify a successful failover.

+Use the [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) command to fail back to the primary server.

+| [Elastic query](elastic-query-overview.md) (in public preview) | Yes, with required RDBMS type. | No, use native cross-DB queries and Linked Server instead|

+| VNet Service endpoint | [Yes](vnet-service-endpoint-rule-overview.md) | Yes |

+The Azure CLI code blocks in this section create a resource group, server, single database, and server-level IP firewall rule for access to the server. Make sure to record the generated resource group and server names, so you can manage these resources later.

+The Azure CLI code blocks in this section use the [az sql up](/cli/azure/sql#az_sql_up) command to simplify the database creation process. With it, you can create a database and all of its associated resources with a single command. This includes the resource group, server name, server location, database name, and login information. The database is created with a default pricing tier of General Purpose, Provisioned, Gen5, 2 vCores.

+Use the [az sql up](/cli/azure/sql#az_sql_up) command to create and configure a [logical server](logical-servers.md) for Azure SQL Database for immediate use. Make sure to record the generated resource group and server names, so you can manage these resources later.

+- [EXTERNAL TABLE](/sql/t-sql/statements/create-external-table-transact-sql) (except Polybase, in preview)

+- For a quickstart that shows you how to create a new SQL Managed Instance, see [Create a SQL Managed Instance](instance-create-quickstart.md).

+| **Profile Driven Storage** | Profile driven storage view |

+| **Virtual machine** | Change Configuration<br />&#160;&#160;&#160;&#160;Acquire disk lease<br />&#160;&#160;&#160;&#160;Add existing disk<br />&#160;&#160;&#160;&#160;Add new disk<br />&#160;&#160;&#160;&#160;Add or remove device<br />&#160;&#160;&#160;&#160;Advanced configuration<br />&#160;&#160;&#160;&#160;Change CPU count<br />&#160;&#160;&#160;&#160;Change memory<br />&#160;&#160;&#160;&#160;Change settings<br />&#160;&#160;&#160;&#160;Change swapfile placement<br />&#160;&#160;&#160;&#160;Change resource<br />&#160;&#160;&#160;&#160;Configure host USB device<br />&#160;&#160;&#160;&#160;Configure raw device<br />&#160;&#160;&#160;&#160;Configure managedBy<br />&#160;&#160;&#160;&#160;Display connection settings<br />&#160;&#160;&#160;&#160;Extend virtual disk<br />&#160;&#160;&#160;&#160;Modify device settings<br />&#160;&#160;&#160;&#160;Query fault tolerance compatibility<br />&#160;&#160;&#160;&#160;Query unowned files<br />&#160;&#160;&#160;&#160;Reload from paths<br />&#160;&#160;&#160;&#160;Remove disk<br />&#160;&#160;&#160;&#160;Rename<br />&#160;&#160;&#160;&#160;Reset guest information<br />&#160;&#160;&#160;&#160;Set annotation<br />&#160;&#160;&#160;&#160;Toggle disk change tracking<br />&#160;&#160;&#160;&#160;Toggle fork parent<br />&#160;&#160;&#160;&#160;Upgrade virtual machine compatibility<br />Edit inventory<br />&#160;&#160;&#160;&#160;Create from existing<br />&#160;&#160;&#160;&#160;Create new<br />&#160;&#160;&#160;&#160;Move<br />&#160;&#160;&#160;&#160;Register<br />&#160;&#160;&#160;&#160;Remove<br />&#160;&#160;&#160;&#160;Unregister<br />Guest operations<br />&#160;&#160;&#160;&#160;Guest operation alias modification<br />&#160;&#160;&#160;&#160;Guest operation alias query<br />&#160;&#160;&#160;&#160;Guest operation modifications<br />&#160;&#160;&#160;&#160;Guest operation program execution<br />&#160;&#160;&#160;&#160;Guest operation queries<br />Interaction<br />&#160;&#160;&#160;&#160;Answer question<br />&#160;&#160;&#160;&#160;Back up operation on virtual machine<br />&#160;&#160;&#160;&#160;Configure CD media<br />&#160;&#160;&#160;&#160;Configure floppy media<br />&#160;&#160;&#160;&#160;Connect devices<br />&#160;&#160;&#160;&#160;Console interaction<br />&#160;&#160;&#160;&#160;Create screenshot<br />&#160;&#160;&#160;&#160;Defragment all disks<br />&#160;&#160;&#160;&#160;Drag and drop<br />&#160;&#160;&#160;&#160;Guest operating system management by VIX API<br />&#160;&#160;&#160;&#160;Inject USB HID scan codes<br />&#160;&#160;&#160;&#160;Install VMware tools<br />&#160;&#160;&#160;&#160;Pause or Unpause<br />&#160;&#160;&#160;&#160;Wipe or shrink operations<br />&#160;&#160;&#160;&#160;Power off<br />&#160;&#160;&#160;&#160;Power on<br />&#160;&#160;&#160;&#160;Record session on virtual machine<br />&#160;&#160;&#160;&#160;Replay session on virtual machine<br />&#160;&#160;&#160;&#160;Reset<br />&#160;&#160;&#160;&#160;Resume Fault Tolerance<br />&#160;&#160;&#160;&#160;Suspend<br />&#160;&#160;&#160;&#160;Suspend fault tolerance<br />&#160;&#160;&#160;&#160;Test failover<br />&#160;&#160;&#160;&#160;Test restart secondary VM<br />&#160;&#160;&#160;&#160;Turn off fault tolerance<br />&#160;&#160;&#160;&#160;Turn on fault tolerance<br />Provisioning<br />&#160;&#160;&#160;&#160;Allow disk access<br />&#160;&#160;&#160;&#160;Allow file access<br />&#160;&#160;&#160;&#160;Allow read-only disk access<br />&#160;&#160;&#160;&#160;Allow virtual machine download<br />&#160;&#160;&#160;&#160;Clone template<br />&#160;&#160;&#160;&#160;Clone virtual machine<br />&#160;&#160;&#160;&#160;Create template from virtual machine<br />&#160;&#160;&#160;&#160;Customize guest<br />&#160;&#160;&#160;&#160;Deploy template<br />&#160;&#160;&#160;&#160;Mark as template<br />&#160;&#160;&#160;&#160;Modify customization specification<br />&#160;&#160;&#160;&#160;Promote disks<br />&#160;&#160;&#160;&#160;Read customization specifications<br />Service configuration<br />&#160;&#160;&#160;&#160;Allow notifications<br />&#160;&#160;&#160;&#160;Allow polling of global event notifications<br />&#160;&#160;&#160;&#160;Manage service configuration<br />&#160;&#160;&#160;&#160;Modify service configuration<br />&#160;&#160;&#160;&#160;Query service configurations<br />&#160;&#160;&#160;&#160;Read service configuration<br />Snapshot management<br />&#160;&#160;&#160;&#160;Create snapshot<br />&#160;&#160;&#160;&#160;Remove snapshot<br />&#160;&#160;&#160;&#160;Rename snapshot<br />&#160;&#160;&#160;&#160;Revert snapshot<br />vSphere Replication<br />&#160;&#160;&#160;&#160;Configure replication<br />&#160;&#160;&#160;&#160;Manage replication<br />&#160;&#160;&#160;&#160;Monitor replication |

+- [Zerto](https://www.zerto.com/solutions/use-cases/disaster-recovery/)

+- [RiverMeadow](https://www.rivermeadow.com/disaster-recovery-azure-blob)

+Such clients can be used when clients want to talk to each other. Messages are sent from `client2` to the service and the service delivers the message directly to `client1` if the clients are authorized to do so.

+Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 1903 or greater

+* [Windows 10 IoT Enterprise Lifecycle](https://docs.microsoft.com/lifecycle/products/windows-10-iot-enterprise)

+</br>

+|Name|SecuredCore.Firmware.Attestation|

+|:|:|

+|Status|Required|

+|Description|The purpose of the test is to ensure the device can remotely attest to the Microsoft Azure Attestation service.|

+|Target Availability|2022|

+|Requirements dependency|Azure Attestation Service|

+|Validation Type|Manual/Tools|

+|Validation|Device to be validated through toolset to ensure that platform boot logs and measurements of boot activity can be collected and remotely attested to the Microsoft Azure Attestation service.|

+|Resources| [Microsoft Azure Attestation](../attestation/index.yml) |

+|Name|SecuredCore.Firmware.Attestation|

+|Description|The purpose of the test is to ensure the device can remotely attest to the Microsoft Azure Attestation service.|

+|Validation|Device to be validated through toolset to ensure that platform boot logs and measurements of boot activity can be collected and remotely attested to the Microsoft Azure Attestation service.|

+|Resources| [Microsoft Azure Attestation](../attestation/index.yml) |

+</br>

+|Name|SecuredCore.Hardware.SecureEnclave|

+|:|:|

+|Status|Optional|

+|Description|The purpose of the test to validate the existence of a secure enclave and that the enclave is accessible from a secure agent.|

+|Target Availability|2022|

+|Validation Type|Manual/Tools|

+|Validation|Device to be validated through toolset to ensure the Azure Security Agent can communicate with the secure enclave|

+|Resources|https://github.com/openenclave/openenclave/blob/master/samples/BuildSamplesLinux.md|

+|Name|SecuredCore.Protection.SignedUpdates|

+|Description|The purpose of the test is to validate that updates must be signed.|

+|Validation|Device to be validated through toolset to ensure that updates to the operating system, drivers, application software, libraries, packages and firmware will not be applied unless properly signed and validated.

+|Resources||

+* [NVIDIA graphics drivers](https://docs.nvidia.com/datacenter/tesla/tesla-installation-notes/https://docsupdatetracker.net/index.html) and [NVIDIA CUDA Toolkit](https://docs.nvidia.com/cuda/cuda-installation-guide-linux/https://docsupdatetracker.net/index.html). The minimum GPU driver version is 460 with CUDA 11.1.

+| STATIONARY_TARGET_REMOVER_CONFIG | JSON indicating the parameters for stationary target removal, which adds the capability to learn and ignore long-term stationary false positive targets such as mannequins or people in pictures. Configuration should be in the following format: `"{\"enable\": true, \"bbox_dist_threshold-in_pixels\": 5, \"buffer_length_in_seconds\": 3600, \"filter_ratio\": 0.2 }"`|

+ "width": 512,

+ "height": 288,

+ }

+ }

+ }

+ }

+| `personBoundingBoxGroundPoints` | list | A list of coordinates on the floor plane relative to the camera. Each coordinate corresponds to the bottom right of the bounding box in `uniformlySpacedPersonBoundingBoxes` with the same index. <br/> See the `centerGroundPointX/centerGroundPointY` fields under the [JSON format for cognitiveservices.vision.spatialanalysis-persondistance AI Insights](#json-format-for-cognitiveservicesvisionspatialanalysis-persondistance-ai-insights) section for more details on how coordinates on the floor plane are calculated. |

+### Tracker node parameter settings

+"remove_stationary_objects": true,

+"stationary_objects_dist_threshold_in_pixels": 5,

+"stationary_objects_buffer_length_in_seconds": 3600,

+"stationary_objects_filter_ratio": 0.2

+| `remove_stationary_objects` | bool | Indicates whether you want to remove stationary objects. `remove_stationary_objects` is set by default to True. |

+| `stationary_objects_dist_threshold_in_pixels` | int | The neighborhood distance threshold to decide whether two detection boxes can be treated as the same detection. `stationary_objects_dist_threshold_in_pixels` is set by default to 5. |

+| `stationary_objects_buffer_length_in_seconds` | int | The minimum length of time in seconds that the system has to look back to decide whether a target is a stationary target or not. `stationary_objects_buffer_length_in_seconds` is set by default to 3600. |

+| `stationary_objects_filter_ratio` | float | If a target is repeatedly detected at the same location (defined in `stationary_objects_dist_threshold_in_pixels`) for greater `stationary_objects_filter_ratio` (0.2 means 20%) of the `stationary_objects_buffer_length_in_seconds` time interval, it will be treated as a stationary target. `stationary_objects_filter_ratio` is set by default to 0.2. |

+ "aggregation_method": "average"

+ }

+ "centerGroundPointX": "2.6310102939605713",

+ "centerGroundPointY": "0.0",

+ "groundOrientationAngle": "1.3",

+ "footprintX": "0.7306610584259033",

+ "footprintY": "0.8814966493381893"

+ },

+ "attributes": [

+ {

+ "label": "face_mask",

+ "confidence": 0.99,

+ "task": ""

+ }

+ ]

+ "metadata": {

+ "centerGroundPointX": "2.6310102939605713",

+ "centerGroundPointY": "18.635927200317383",

+ "groundOrientationAngle": "1.3",

+ "footprintX": "0.7306610584259033",

+ "footprintY": "0.8814966493381893"

+ "attributes": [

+ {

+ "label": "face_mask",

+ "confidence": 0.99,

+ "task": ""

+ }

+ ]

+ "schemaVersion": "2.0"

+| `attributes` | array| Array of attributes. Each attribute consist of label, task, and confidence |

+| `label` | string| The attribute value (for example, `{label: face_mask}` indicates the detected person is wearing a face mask ) |

+| `confidence (attribute)` | float| The attribute confidence value with range of 0 to 1 (for example, `{confidence: 0.9, label: face_nomask}` indicates the detected person is *not* wearing a face mask ) |

+| `task` | string | The attribute classification task/class |

+ "centerGroundPointX": "2.6310102939605713",

+ "centerGroundPointY": "18.635927200317383",

+ "groundOrientationAngle": "1.3",

+ "trackingId": "90d55bfc64c54bfd98226697ad8445ca",

+ "speed": "1.2",

+ "footprintX": "0.7306610584259033",

+ "footprintY": "0.8814966493381893"

+ },

+ "attributes": [

+ {

+ "label": "face_mask",

+ "confidence": 0.99,

+ "task": ""

+ }

+ ]

+ "schemaVersion": "2.0"

+| `attributes` | array| Array of attributes. Each attribute consist of label, task, and confidence |

+| `label` | string| The attribute value (for example, `{label: face_mask}` indicates the detected person is wearing a face mask ) |

+| `confidence (attribute)` | float| The attribute confidence value with range of 0 to 1 (for example, `{confidence: 0.9, label: face_nomask}` indicates the detected person is *not* wearing a face mask ) |

+| `task` | string | The attribute classification task/class |

+ "metadata": {

+ "centerGroundPointX": "2.6310102939605713",

+ "centerGroundPointY": "18.635927200317383",

+ "groundOrientationAngle": "1.3",

+ "trackingId": "afcc2e2a32a6480288e24381f9c5d00e",

+ "speed": "1.2",

+ "footprintX": "0.7306610584259033",

+ "footprintY": "0.8814966493381893"

+ },

+ "attributes": [

+ {

+ "label": "face_mask",

+ "confidence": 0.99,

+ "task": ""

+ }

+ ]

+ }

+ "schemaVersion": "2.0"

+ "dwellTime": 7132.0,

+ "dwellFrames": 20

+ "metadata": {

+ "centerGroundPointX": "2.6310102939605713",

+ "centerGroundPointY": "18.635927200317383",

+ "groundOrientationAngle": "1.2",

+ "mappedImageOrientation": "0.3",

+ "speed": "1.2",

+ "trackingId": "afcc2e2a32a6480288e24381f9c5d00e",

+ "footprintX": "0.7306610584259033",

+ "footprintY": "0.8814966493381893"

+ }

+ "schemaVersion": "2.0"

+| `attributes` | array| Array of attributes. Each attribute consist of label, task, and confidence |

+| `label` | string| The attribute value (for example, `{label: face_mask}` indicates the detected person is wearing a face mask ) |

+| `confidence (attribute)` | float| The attribute confidence value with range of 0 to 1 (for example, `{confidence: 0.9, label: face_nomask}` indicates the detected person is *not* wearing a face mask ) |

+| `task` | string | The attribute classification task/class |

+ "metadata": {

+ "centerGroundPointX": "-1.4638760089874268",

+ "centerGroundPointY": "18.29732322692871",

+ "groundOrientationAngle": "1.3",

+ "footprintX": "0.7306610584259033",

+ "footprintY": "0.8814966493381893"

+ }

+ "metadata": {

+ "centerGroundPointX": "2.6310102939605713",

+ "centerGroundPointY": "18.635927200317383",

+ "groundOrientationAngle": "1.3",

+ "footprintX": "0.7306610584259033",

+ "footprintY": "0.8814966493381893"

+ }

+ "schemaVersion": "2.0"

+| `centerGroundPointX/centerGroundPointY` | 2 float values| `x`, `y` values with the coordinates of the person's inferred location on the ground in feet. `x` and `y` are coordinates on the floor plane, assuming the floor is level. The camera's location is the origin. |

+In this example, `centerGroundPoint` is `{centerGroundPointX: 4, centerGroundPointY: 5}`. This means there's a person four feet away from the camera and five feet to the right, looking at the room top-down.

+You can add all QnA Maker-supported [file types](https://docs.microsoft.com/azure/cognitive-services/qnamaker/concepts/data-sources-and-content#file-and-url-data-types) from a SharePoint site to your knowledge base. You may have to grant [permissions](#permissions) if the file resource is secured.

+> [Collaborate on your knowledge base](https://docs.microsoft.com/azure/cognitive-services/qnamaker/concepts/data-sources-and-content#file-and-url-data-types.yml)

+> [!div class="nextstepaction"]

+> [Speech to text v3.0 API reference](https://centralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription)

+Another staple of analytics is to identify interactions where a specific event or experience has occurred. This is typically done with one of two approaches; either an ad hoc search where the user simply types a phrase and the system responds, or a more structured query where an analyst can create a set of logical statements that identify a scenario in a call, and then each call can be indexed against that set of queries. A good search example is the ubiquitous compliance statement "this call shall be recorded for quality purposes... ". Many companies want to make sure that their agents are providing this disclaimer to customers before the call is actually recorded. Most analytics systems have the ability to trend the behaviors found by query/search algorithms, and this reporting of trends is ultimately one of the most important functions of an analytics system. Through [Cognitive services directory](https://azure.microsoft.com/services/cognitive-services/directory/search/) your end-to-end solution can be significantly enhanced with indexing and search capabilities.

+Another scenario is direct integration with Session Initiation Protocol (SIP). An Azure service connects to a SIP Server, thus getting an inbound stream and an outbound stream, which is used for the speech-to-text and text-to-speech phases. To connect to a SIP Server there are commercial software offerings, such as Ozeki SDK, or the [Microsoft Graph communications API](/graph/api/resources/communications-api-overview), that are designed to support this type of scenario for audio calls.

+Conversation Transcription is a [speech-to-text](speech-to-text.md) solution that provides real-time or asynchronous transcription of any conversation. Conversation Transcription combines speech recognition, speaker identification, and sentence attribution to determine who said what and when in a conversation.

+- **Timestamps** - Each speaker utterance has a timestamp, so that you can easily find when a phrase was said.

+- **Readable transcripts** - Transcripts have formatting and punctuation added automatically to ensure the text closely matches what was being said.

+- **User profiles** - User profiles are generated by collecting user voice samples and sending them to signature generation.

+- **Speaker identification** - Speakers are identified using user profiles and a _speaker identifier_ is assigned to each.

+- **Multi-speaker diarization** - Determine who said what by synthesizing the audio stream with each speaker identifier.

+- **Real-time transcription** ΓÇô Provide live transcripts of who is saying what and when while the conversation is happening.

+- **Asynchronous transcription** ΓÇô Provide transcripts with higher accuracy by using a multichannel audio stream.

+User voice samples for voice signatures are required for speaker identification. Speakers who do not have voice samples will be recognized as "Unidentified". Unidentified speakers can still be differentiated when the `DifferentiateGuestSpeakers` property is enabled (see example below). The transcription output will then show speakers as "Guest_0", "Guest_1", etc. instead of recognizing as pre-enrolled specific speaker names.

+```csharp

+config.SetProperty("DifferentiateGuestSpeakers", "true");

+```

+> [!div class="nextstepaction"]

+> [Get started with Custom Neural Voice](how-to-custom-voice.md)

+[Audio Content Creation](https://aka.ms/audiocontentcreation) is an easy-to-use and powerful tool that lets you build highly natural audio content for a variety of scenarios, like audiobooks, news broadcasts, video narrations, and chat bots. With Audio Content Creation, you can fine-tune Text-to-Speech voices and design-customized audio experiences in an efficient and low-cost way.

+1. After getting the Azure account and the Speech resource, you can log into [Audio Content Creation](https://aka.ms/audiocontentcreation) by selecting **Get started**.

+2. The home page lists all the products under Speech Studio. Select **Audio Content Creation** to start.

+3. The **Welcome to Speech Studio** page will appear to you to set up the speech service. Select the Azure subscription and the Speech resource you want to work on. Select **Use resource** to complete the settings. When you log into the Audio Content Creation tool for the Next time, we will link you directly to the audio work files under the current speech resource. You can check your Azure subscriptions details and status in [Azure portal](https://portal.azure.com/). If you do not have available speech resource and you are the owner or admin of an Azure subscription, you can also create a new Speech resource in Speech Studio by selecting **Create a new resource**. If you are a user role for a certain Azure subscription, you may not have the permission to create a new speech resource. Please contact your admin to get the speech resource access.

+4. Select the content you want to preview and select the **play** icon (a triangle) to preview the default synthesis output. Please note that if you make any changes on the text, you need to select the **Stop** icon and then select **play** icon again to re-generate the audio with changed scripts.

+1. Select **New** > **file** to create a new audio tuning file.

+1. Select **Upload** to import one or more text files. Both plain text and SSML are supported. If your script file is more than 20,000 characters, please split the file by paragraphs, by character or by regular expressions.

+1. Select **Export** to create an audio creation task. **Export to Audio Library** is recommended as it supports the long audio output and the full audio output experience. You can also download the audio to your local disk directly, but only the first 10 minutes are available.

+5. Select **Download**. Now you're ready to use your custom tuned audio in your apps or products.

+2. Select **Access control (IAM)**. Select **Add** > **Add role assignment (Preview)** to open the Add role assignment pane.

+1. The user will receive an email invitation. Accept the invitation by selecting **Accept invitation** > **Accept to join Azure** in the email. Then the user will be redirected to the Azure portal. The user does not need to take further action in the Azure portal. After a few moments, the user is assigned the role at the speech resource scope, and will have the access to this speech resource. If the user didn't receive the invitation email, you can search the user's account under "Role assignments" and go inside the user's profile. Find "Identity" -> "Invitation accepted", and select **(manage)** to resend the email invitation. You can also copy the invitation link to the users.

+1. The user now visits or refreshes the [Audio Content Creation](https://aka.ms/audiocontentcreation) product page, and sign in with the user's Microsoft account. Select **Audio Content Creation** block among all speech products. Choose the speech resource in the pop-up window or in the settings at the upper right of the page. If the user cannot find available speech resource, check if you are in the right directory. To check the right directory, select the account profile in the upper right corner, and select **Switch** besides the "Current directory". If there are more than one directory available, it means you have access to multiple directories. Switch to different directories and go to settings to see if the right speech resource is available.

+2. Select **Access control (IAM)** > **Role assignments** tab to view all the role assignments for this speech resource.

+3. Select the users you want to remove, select **Remove** > **Ok**.

+2. In the [Azure portal](https://portal.azure.com/), select the collapsed menu in the upper left. Select **Azure Active Directory**, and then Select **Users**.

+3. Search the user's Microsoft account, and go to the user's detail page. Select **Assigned roles**.

+4. Select **Add assignments** > **Directory Readers**. If the button "Add assignments" is grayed out, it means that you do not have the access. Only the global administrator of this directory can add assignment to users.

+In this article, you learn how to quantitatively measure and improve the accuracy of Microsoft speech-to-text models or your own custom models. Audio + human-labeled transcription data is required to test accuracy, and 30 minutes to 5 hours of representative audio should be provided.

+If you want to replicate WER measurements locally, you can use `sclite` from the [NIST Scoring Toolkit (SCTK)](https://github.com/usnistgov/SCTK).

+2. Navigate to **Speech-to-text** > **Custom Speech** > [Project Name] > **Testing**.

+3. Select **Add Test**.

+6. Select **Create**.

+Once the test is complete, indicated by the status change to *Succeeded*, you'll find a WER number for both models included in your test. Select on the test name to view the testing detail page. This detail page lists all the utterances in your dataset, indicating the recognition results of the two models alongside the transcription from the submitted dataset. To help inspect the side-by-side comparison, you can toggle various error types including insertion, deletion, and substitution. By listening to the audio and comparing recognition results in each column, which shows the human-labeled transcription and the results for two speech-to-text models, you can decide which model meets your needs and where additional training and improvements are required.

+| Call center | Low, 8 kHz, could be two people on one audio channel, could be compressed | Narrow, unique to domain and products | Conversational, loosely structured |

+You can use structured text data in markdown format similarly to plain text sentences, but you would use structured text data when your data follows a particular pattern in particular utterances that only differ by words or phrases from a list. For more information, see [Structured text data for training](how-to-custom-speech-test-and-train.md#structured-text-data-for-training-public-preview).

+* When the quality of transcripts varies, you can duplicate exceptionally good sentences (like excellent transcriptions that include key phrases) to increase their weight.

+* Include text and audio data to cover the kinds of verbal statements that your users will make when they're interacting with your model. For example, a model that raises and lowers the temperature needs training on statements that people might make to request such changes.

+* Include all speech variances that you want your model to recognize. Many factors can vary speech, including accents, dialects, language-mixing, age, gender, voice pitch, stress level, and time of day.

+* Include samples from different environments, for example, indoor, outdoor, and road noise, where your model will be used.

+* Record audio with hardware devices that the production system will use. If your model needs to identify speech recorded on devices of varying quality, the audio data that you provide to train your model must also represent these diverse scenarios.

+* Keep the dataset diverse and representative of your project needs. You can add more data to your model later.

+* Only include data that your model needs to transcribe. Including data that isn't within your custom model's recognition needs can harm recognition quality overall.

+> Start with small sets of sample data that match the language, acoustics, and hardware where your model will be used. Small datasets of representative data can expose problems before you invest in gathering larger datasets for training.

+> Base models and custom models can be used up to a certain date as described in [Model and endpoint lifecycle](./how-to-custom-speech-model-and-endpoint-lifecycle.md). Speech Studio shows this date in the **Expiration** column for each model and endpoint. After that date request to an endpoint or to batch transcription might fail or fall back to base model.

+- [Learn how to use your custom model](how-to-specify-source-language.md)

+In [Prepare training data](how-to-custom-voice-prepare-data.md), you learned about the different data types you can use to train a custom neural voice and the different format requirements. Once you've prepared your data and the voice talent verbal statement, you can start to upload them to the [Speech Studio](https://aka.ms/custom-voice-portal). In this article, you learn how to train a custom neural voice through the Speech Studio portal. See the [supported languages](language-support.md#custom-neural-voice) for custom neural voice.

+* [Create a custom voice project](how-to-custom-voice.md)

+> Custom neural voice is available with limited access. Make sure you understand the [responsible AI requirements](/legal/cognitive-services/speech-service/custom-neural-voice/limited-access-custom-neural-voice?context=%2fazure%2fcognitive-services%2fspeech-service%2fcontext%2fcontext), and then [apply for access](https://aka.ms/customneural).

+1. Select **Prepare training data** > **Add training set**.

+1. Enter **Name** and **Description**, and then select **Create** to add a new training set.

+1. Select **Upload data** > **Choose data type** > **Upload data** > **Specify the target training set**.

+1. Enter **Name** and **Description** for your data > review the settings and select **Submit**.

+All data you upload must meet the requirements for the data type that you choose. It's important to correctly format your data before it's uploaded, which ensures the data will be accurately processed by the Speech service. Go to [Prepare training data](how-to-custom-voice-prepare-data.md) and make sure your data has been rightly formatted.

+Once the data is uploaded, you can check the details in the training set detail view. On the **Overview** tab, you can further check the pronunciation scores and the noise level for each of your data. The pronunciation score ranges from 0-100. A score below 70 normally indicates a speech error or script mismatch. A heavy accent can reduce your pronunciation score and affect the generated digital voice.

+The issues are divided into three types. Referring to the following three tables to check the respective types of errors. Data with these errors will be excluded during training.

+The second type of errors listed in the next table will be automatically fixed, but double checking the fixed data is recommended.

+Unresolved errors listed in the next table will affect the quality of training. However, the data with these errors won't be excluded during training. For higher-quality training, manually fixing these errors is recommended.

+| Script | Non-normalized text|This script contains digit 0-9. Expand them to normalized words and match with the audio. For example, normalize "123" to "one hundred and twenty-three".|

+| Script | Non-normalized text|This script contains symbols {}. Normalize the symbols to match the audio. For example, '50%' to "fifty percent".|

+Training of custom neural voices isn't free. Check the [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) for details. However, if you have statistical parametric or concatenative voice models deployed before March 31, 2021 with S0 Speech resources, free neural training credits are offered to your Azure subscription, and you can train 5 different versions of neural voices for free.

+>- To train a neural voice, you must specify a voice talent profile with the audio consent file provided of the voice talent acknowledging to use his/her speech data to train a custom neural voice model. Custom neural voice is available with limited access. Make sure you understand the [responsible AI requirements](/legal/cognitive-services/speech-service/custom-neural-voice/limited-access-custom-neural-voice?context=%2fazure%2fcognitive-services%2fspeech-service%2fcontext%2fcontext) and [apply the access here](https://aka.ms/customneural).

+> Custom neural voice training is only available in the three regions: East US, Southeast Asia, and UK South. But you can easily copy a neural voice model from the three regions to other different regions. Check the regions supported for custom neural voice: [regions for custom neural voice](regions.md#text-to-speech).

+1. Select **Deploy model** > **Deploy model**.

+1. Enter a **Name** and **Description** for your custom endpoint.

+1. Select a voice model you would like to associate with this endpoint.

+1. Select **Deploy** to create your endpoint.

+After you've selected the **Deploy** button, you'll see an entry for your new endpoint. It may take a few minutes for the Speech service to deploy the new endpoint. When the status of the deployment is **Succeeded**, the endpoint is ready for use.

+The custom endpoint is functionally identical to the standard endpoint that's used for Text-to-Speech requests. For more information, see [Speech SDK](./get-started-text-to-speech.md) or [REST API](rest-text-to-speech.md).

+2. Sign in to [Speech Studio](https://speech.microsoft.com), then select **Custom Voice**.

+To create a custom voice project:

+1. Sign in [Speech Studio](https://speech.microsoft.com).

+1. Select **Text-to-Speech** > **Custom Voice** > **Create project**.

+1. Follow the instructions provided by the wizard to create your project.

+1. After you've created a project, you will see four tabs: **Set up voice talent**, **Prepare training data**, **Train model**, and **Deploy model**. See [Prepare data for custom neural voice](how-to-custom-voice-prepare-data.md) to set up voice talent and proceed to training data.

+Once you have prepared the training data, go to [Speech Studio](https://aka.ms/custom-voice) to create your custom neural voice. You need to select at least 300 utterances to create a custom neural voice. A series of data quality checks are automatically performed when you upload them. To build high-quality voice models, you should fix the errors and submit again.

+ Title: How to use pronunciation assessment

+Pronunciation assessment evaluates speech pronunciation and gives speakers feedback on the accuracy and fluency of spoken audio. With pronunciation assessment, language learners can practice, get instant feedback, and improve their pronunciation so that they can speak and present with confidence. Educators can use the capability to evaluate pronunciation of multiple speakers in real time.

+| `AccuracyScore` | Pronunciation accuracy of the speech. Accuracy indicates how closely the phonemes match a native speaker's pronunciation. Word and full text accuracy scores are aggregated from phoneme-level accuracy score. |

+A _viseme_ is the visual description of a phoneme in spoken language. It defines the position of the face and mouth when speaking a word. Each viseme depicts the key facial poses for a specific set of phonemes.

+Viseme can be used to control the movement of 2D and 3D avatar models, perfectly matching mouth movements to synthetic speech. For example, you can:

+ * Create an animated virtual voice assistant for intelligent kiosks, building multi-mode integrated services for your customers.

+ * Build immersive news broadcasts and improve audience experiences with natural face and mouth movements.

+ * Generate more interactive gaming avatars and cartoon characters that can speak with dynamic content.

+ * Make more effective language teaching videos that help language learners to understand the mouth behavior of each word and phoneme.

+ * People with hearing impairment can also pick up sounds visually and "lip-read" speech content that shows visemes on an animated face.

+> [!div class="nextstepaction"]

+> [SSML phonetic alphabets](speech-ssml-phonetic-sets.md)

+description: Learn how to use real-time Conversation Transcription with the REST API and SDK. Conversation Transcription allows you to transcribe meetings and other conversations with the ability to add, remove, and identify multiple participants by streaming audio to the Speech service.

+You can transcribe meetings and other conversations with the ability to add, remove, and identify multiple participants by streaming audio to the Speech service. You first create voice signatures for each participant using the REST API, and then use the voice signatures with the Speech SDK to transcribe conversations. See the Conversation Transcription [overview](conversation-transcription.md) for more information.

+The Long Audio API provides asynchronous synthesis of long-form text to speech. For example: audio books, news articles, and documents. There's no need to deploy a custom voice endpoint. Unlike the Text-to-speech API used by the Speech SDK, the Long Audio API can create synthesized audio longer than 10 minutes. This makes it ideal for publishers and audio content platforms to create long audio content like audio books in a batch.

+- **Webhook notifications**: All running processes of the service support webhook notifications. REST API v3.0 provides the calls to enable you to register your webhooks where notifications are sent.

+>The preceding formats are supported through the REST API for short audio and WebSocket in the Speech service. The [Speech SDK](speech-sdk.md) supports the WAV format with PCM codec as well as [other formats](how-to-use-codec-compressed-audio-input-streams.md).

+> For more For more information, see [pronunciation assessment](how-to-pronunciation-assessment.md).

+If you're using a custom neural voice, the body of a request can be sent as plain text (ASCII or UTF-8). Otherwise, the body of each `POST` request is sent as [SSML](speech-synthesis-markup.md). SSML allows you to choose the voice and language of the synthesized speech that the text-to-speech feature returns. For a complete list of supported voices, see [Language and voice support for the Speech service](language-support.md#text-to-speech).

+In the following tables, the parameters without "Adjustable" row are **not** adjustable for all price tiers.

+*Example.* Your application is using text-to-speech and your current workload is 5 Transactions per Second (TPS). The next second you increase the load to 20 TPS (that is four times more). The Service immediately starts scaling up to fulfill the new load, but likely it will not be able to do it within a second, so some of the requests will get Response Code 429.

+- Test different load increase patterns. See the [workload pattern example](#example-of-a-workload-pattern-best-practice)

+- Create additional Speech resources in the same or different Regions and distribute the workload among them using "Round Robin" technique. This is especially important for the text-to-speech Transactions per Second (TPS) parameter, which is set to 200 per Speech resource and cannot be adjusted.

+[Speech Studio](https://speech.microsoft.com) is a set of UI-based tools for building and integrating features from Azure Cognitive Services Speech in your applications. You create projects in Speech Studio using a no-code approach, and then reference those assets in your applications using the [Speech SDK](speech-sdk.md), [Speech CLI](spx-overview.md), or REST APIs.

+You need to have an Azure account and add a Speech resource before you can use [Speech Studio](https://speech.microsoft.com). If you don't have an account and resource, [try the Speech service for free](overview.md#try-the-speech-service-for-free).

+1. Select a Speech resource in your subscription. You can change the resources anytime in "Settings" in the top menu.

+* **Voice Gallery**: Build apps and services that speak naturally. Choose from more than 170 voices in over 70 languages and variants. Bring your scenarios to life with highly expressive and human-like neural voices.

+> [!div class="nextstepaction"]

+> [Explore Speech Studio](https://speech.microsoft.com)

+ Title: "Tutorial: Voice-enable your bot - Speech service"

+# Tutorial: Voice-enable your bot

+You can use Azure Cognitive Services Speech to voice-enable a chat bot.

+In this tutorial, you'll use the Microsoft Bot Framework to create a bot that responds to what you say. You'll deploy your bot to Azure and register it with the Bot Framework Direct Line Speech channel. Then, you'll configure a sample client app for Windows that lets you speak to your bot and hear it speak back to you.

+To complete the tutorial, you don't need extensive experience or familiarity with Azure, Bot Framework bots, or Direct Line Speech.

+The client app that you'll create in this tutorial uses a handful of Azure services. To reduce the round-trip time for responses from your bot, you'll want to make sure that these services are in the same Azure region.

+This section walks you through creating a resource group in the West US region. You'll use this resource group when you're creating individual resources for the Bot Framework, the Direct Line Speech channel, and the Speech service.

+Ensure that you use a [supported Azure region](regions.md#voice-assistants). The Direct Line Speech channel uses the text-to-speech service, which has neural and standard voices. Neural voices are used at [these Azure regions](regions.md#prebuilt-neural-voices), and standard voices (retiring) are used at [these Azure regions](how-to-migrate-to-prebuilt-neural-voice.md).

+Now that you've created resources, start with the echo bot sample, which echoes the text that you've entered as its response. The sample code is already configured to work with the Direct Line Speech channel, which you'll connect after you've deployed the bot to Azure.

+The [Bot Framework Emulator](https://github.com/microsoft/botframework-emulator) is a desktop app that lets bot developers test and debug their bots locally (or remotely through a tunnel). The emulator accepts typed text as the input (not voice). The bot will also respond with text.

+

+1. Select **Connect**.

+If you want to test your deployed bot with text input, use the following steps. Note that these steps are optional and aren't required for you to continue with the tutorial.

+|Error (ConnectionFailure) : Connection was closed by the remote host. Error code: 1011. Error details: Response status code does not indicate success: 500 (InternalServerError)| Your bot specified a neural voice in the [speak](https://github.com/microsoft/botframework-sdk/blob/master/specs/botframework-activity/botframework-activity.md#speak) field of its output activity, but the Azure region associated with your subscription key doesn't support neural voices. See [neural voices](./regions.md#prebuilt-neural-voices) and [standard voices](how-to-migrate-to-prebuilt-neural-voice.md).|

+If you're connected to a bot and no activity has happened in the last five minutes, the service automatically closes the web socket connection with the client and with the bot. This is by design. A message appears on the bottom bar: "Active connection timed out but ready to reconnect on demand."

+The Speech SDK supports custom keyword activation. Similar to "Hey Cortana" for a Microsoft assistant, you can write an app that will continuously listen for a keyword of your choice. Keep in mind that a keyword can be single word or a multiple-word phrase.

+ * You see a transcription of what you spoke.

+ * You hear the bot's response.

+Release note for `3.0.0-amd64`:

+**Features**

+* Support for using containers in [disconnected environments](disconnected-containers.md).

+| `latest` | | `sha256:7eff5d7610f20622b5c5cae6235602774108f2de7aeebe2148016b6d232f7c42`|

+| `3.0.0-amd64` | | `sha256:7eff5d7610f20622b5c5cae6235602774108f2de7aeebe2148016b6d232f7c42`|

+Release note for `2.18.0-amd64`:

+Regular monthly upgrade

+| `2.18.0-amd64` | |

+Release note for `3.0.0-amd64-<locale>`:

+**Features**

+* Support for using containers in [disconnected environments](disconnected-containers.md).

+| `3.0.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `3.0.0-amd64-en-us`.|

+| Locale for v3.0.0 | Notes | Digest |

+| `ar-ae` | Container image with the `ar-AE` locale. | `sha256:3ce4ab5141dd46d2fce732b3659cba8fc70ab83fa5b37bf43f4dfa2efca5aef7` |

+| `ar-bh` | Container image with the `ar-BH` locale. | `sha256:86ed164f98f1d1776faa9bda4a7846bc0ad9232dd0613ae506fd5698d4823787` |

+| `ar-eg` | Container image with the `ar-EG` locale. | `sha256:43fa641504d6e8b89e31f6eaa033ad680bb586b93fa3853747051a570fbf05ca` |

+| `ar-iq` | Container image with the `ar-IQ` locale. | `sha256:001c0d3ac2e3fec59993e001a8278696b847b14a1bd1ed5c843d18959b3d3d4e` |

+| `ar-jo` | Container image with the `ar-JO` locale. | `sha256:1707f21fa9cbe5bd2275023620718f1a98429e5f5fb7279211951500d30a6e65` |

+| `ar-kw` | Container image with the `ar-KW` locale. | `sha256:3ce4ab5141dd46d2fce732b3659cba8fc70ab83fa5b37bf43f4dfa2efca5aef7` |

+| `ar-lb` | Container image with the `ar-LB` locale. | `sha256:d237ecf21770b493c5aaf3bbab5ae9260aba121518996192d13924b4c5e999f4` |

+| `ar-om` | Container image with the `ar-OM` locale. | `sha256:d1e4e45ba5df3a9307433e8a631f02142c246e5a2fbf9c25edf97e290008c63a` |

+| `ar-qa` | Container image with the `ar-QA` locale. | `sha256:3ce4ab5141dd46d2fce732b3659cba8fc70ab83fa5b37bf43f4dfa2efca5aef7` |

+| `ar-sa` | Container image with the `ar-SA` locale. | `sha256:3ce4ab5141dd46d2fce732b3659cba8fc70ab83fa5b37bf43f4dfa2efca5aef7` |

+| `ar-sy` | Container image with the `ar-SY` locale. | `sha256:a51c67916deac54a73ea1bb5084b511c34cd649764bd5935aac9f527bf33baf0` |

+| `bg-bg` | Container image with the `bg-BG` locale. | `sha256:f0d70b8ab0e324ee42f0ca7fe57fa828c29ac1df11261676f7168b60139a0e3c` |

+| `ca-es` | Container image with the `ca-ES` locale. | `sha256:b876d37460b96cddb76fd74f0dfa64ad97399681eda27969e30f74d703a16b05` |

+| `cs-cz` | Container image with the `cs-CZ` locale. | `sha256:73bb40181bae4da3d3aaa1f77f5b831156ca496fbd065b4944b6e49f0807d9e9` |

+| `da-dk` | Container image with the `da-DK` locale. | `sha256:a0b65559390af1100941983d850bf549f1aefe3ce56574de1a8cab63d5c52694` |

+| `de-at` | Container image with the `de-AT` locale. | `sha256:78030695ef9ff10e5a465340e211f1ca76dce569b9e8bd8c7758d28d2139965e` |

+| `de-ch` | Container image with the `de-CH` locale. | `sha256:7705a78e3ea3d05bdf1a09876b9cd4c03a8734463f350e0eed81cc989710bcd5` |

+| `de-de` | Container image with the `de-DE` locale. | `sha256:d10066583f94bc3db96d2afd28fa42e880bd71e3f6195cc764bda79d039a58c7` |

+| `el-gr` | Container image with the `el-GR` locale. | `sha256:d8b7d28287e016baacb4df7e3bf2d5cd7f6124ec136446200ad70b9472ee8207` |

+| `en-au` | Container image with the `en-AU` locale. | `sha256:493742b671c10b6767b371b8bb687241cbf38f53929a2ecc18979d531be136b4` |

+| `en-ca` | Container image with the `en-CA` locale. | `sha256:61fa4cb2a671b504f06fa89f4d90ade6ccfbc378d93d1eada0cc47434b45601f` |

+| `en-gb` | Container image with the `en-GB` locale. | `sha256:3b0f47356aab046c176bf2a5a5187404e3e5a9a50387bd29d35ce2371d49beff` |

+| `en-hk` | Container image with the `en-HK` locale. | `sha256:bf98a2553b9555254968f6deeeee85e83462cb45a04adcd9c35be62c1cf51924` |

+| `en-ie` | Container image with the `en-IE` locale. | `sha256:952a611a3911faf893313b51529d392eeac82a4a8abe542c49ca7aa9c89e8a48` |

+| `en-in` | Container image with the `en-IN` locale. | `sha256:6ad1168ac4e278ed65d66a8a5de441327522b27619dfdf6ecae52a68ab04b214` |

+| `en-nz` | Container image with the `en-NZ` locale. | `sha256:03174464fab551c34df402102cac3b4f4b4efc0a4250a14c07f35318787ad9e2` |

+| `en-ph` | Container image with the `en-PH` locale. | `sha256:e38bbe4ae16dc792be3b6e9e2e488588fdd9d12eed08f330cd5dfc5d318b74e0` |

+| `en-sg` | Container image with the `en-SG` locale. | `sha256:58476a88fb548b0ad18d54a118024c628a555a67d75fa5fdf7e860cc43b25272` |

+| `en-us` | Container image with the `en-US` locale. | `sha256:e1ea7a52fd45ab959d10b597dc7f455f02100973f3edc8a67d25dd8cb373bac3` |

+| `en-za` | Container image with the `en-ZA` locale. | `sha256:e5eabe477da8f6fb11a8083c67723026f268ba1a35372d1dffde85cc9d09bae9` |

+| `es-ar` | Container image with the `es-AR` locale. | `sha256:b5c1279f30ee301d7e8d28cb084262da50a5c495feca36f04489a29ecd24f24f` |

+| `es-bo` | Container image with the `es-BO` locale. | `sha256:d2e70e3fe109c6dcf02d75830efae3ea13955a1e68f590eeaf2c42239cd4a00a` |

+| `es-cl` | Container image with the `es-CL` locale. | `sha256:70c5975df4b4ae2f301e73e35e21eaef306c50ee62a51526c1c29a0487ef8f0c` |

+| `es-co` | Container image with the `es-CO` locale. | `sha256:b81dd737747421ebb71b8f02cd16534a80809f2c792425d04f78388b4e9b10f1` |

+| `es-cr` | Container image with the `es-CR` locale. | `sha256:2b5a469f630a647626a99a78d5bfe9afec331a18ea895b42bd5aa68bebdca73e` |

+| `es-cu` | Container image with the `es-CU` locale. | `sha256:5c5c54cfa3da78579e872fec36c49902e402ddb14ffbe4ef4c273e6767219ccf` |

+| `es-do` | Container image with the `es-DO` locale. | `sha256:d417cedae4b7eb455700084e3e305552bbd6b2c20d0bba3d03d4a95052002dbc` |

+| `es-ec` | Container image with the `es-EC` locale. | `sha256:82258abbba72a1238dfa334da0046ffd760480d793f18cbea1441c3fdb596255` |

+| `es-es` | Container image with the `es-ES` locale. | `sha256:efad3474a24ba7662e3d10808e31e2641580e206aa381f5d43af79604b367fc0` |

+| `es-gt` | Container image with the `es-GT` locale. | `sha256:86dc0a12fdd237abc00e14e26714440e311e9945dd07ff662ca24881f23a5b2f` |

+| `es-hn` | Container image with the `es-HN` locale. | `sha256:52139db949594a13a1c6f98f49b30d880d9426ce2f239bfde6090e3532fd7351` |

+| `es-mx` | Container image with the `es-MX` locale. | `sha256:0ab8ea9a70f378f6684e4fc7d9d4db0596e8790badf0217b4c415f4857bce38f` |

+| `es-ni` | Container image with the `es-NI` locale. | `sha256:512853c5af3b374b82848d3c5117d69264473a08d460b85d072829e36e3bd92f` |

+| `es-pa` | Container image with the `es-PA` locale. | `sha256:c3a871d1f4b6c22e78e92f96ac3af435129ea2cfbe80cfef97d10d88e68ac763` |

+| `es-pe` | Container image with the `es-PE` locale. | `sha256:bd1ea7e260276d0ea29506270bc790c4eabb76b6d6026776b523628eb7806b08` |

+| `es-pr` | Container image with the `es-PR` locale. | `sha256:005e23623966802ed801373457ad57bf19aed5031f5fcd197cacb387082c7d95` |

+| `es-py` | Container image with the `es-PY` locale. | `sha256:fb0c71003d5dd73d93e10c04b7316d13129152ca293f16ac2b8b91361ecde1ca` |

+| `es-sv` | Container image with the `es-SV` locale. | `sha256:23d1e068a418845a1783e6f9beb365782dc95baea21304780ea4023444d63352` |

+| `es-us` | Container image with the `es-US` locale. | `sha256:268ef7cec34fd0e2449f15d924a263566dcfb147b66f1596c3b593cdc9080119` |

+| `es-uy` | Container image with the `es-UY` locale. | `sha256:229e68ab16658646556f76d61e1e675aa39751130b8e87f1aba1d723036230e2` |

+| `es-ve` | Container image with the `es-VE` locale. | `sha256:764337c9d5145986a1e292dfd6b69fa2a2cc335e0bd9e53c4d4f45b8dff05cc4` |

+| `et-ee` | Container image with the `et-EE` locale. | `sha256:4ba59e9b68686386055771d240d8b5ca8e5e12723c7017b15e2674f525c46395` |

+| `fi-fi` | Container image with the `fi-FI` locale. | `sha256:aa8040e8467194f654cb7c8444e027757053e0322e87940b2f4434e09686cec3` |

+| `fr-ca` | Container image with the `fr-CA` locale. | `sha256:b213da609a2f2c8631a71d3e74f6d155e237ddbf1367574a3e6f0fc2144c4b73` |

+| `fr-fr` | Container image with the `fr-FR` locale. | `sha256:6b5f98a5c8573dc03557b62ccda6ce9a1426b0ad6f2d432788294c1e41cd9deb` |

+| `ga-ie` | Container image with the `ga-IE` locale. | `sha256:b5f5955b4baf9d431fc46c1a8c1afe994e6811ff9ae575106954b1c40821a7d3` |

+| `gu-in` | Container image with the `gu-IN` locale. | `sha256:a1bc229571563ca5769664a2457e42cce82216dfee5820f871b6a870e29f6d26` |

+| `hi-in` | Container image with the `hi-IN` locale. | `sha256:f28b07751cbebcd020e0fba17811fc97ee1f49e53e5584e970d6db30f60e34e9` |

+| `hr-hr` | Container image with the `hr-HR` locale. | `sha256:c4bea85be0d7236b86b1a2315de764cb094ab1e567699b90a86e53716ed467f6` |

+| `hu-hu` | Container image with the `hu-HU` locale. | `sha256:189bc20605d93b17c739361364b94462d5007ff237ec8b28c0aa0f7aadc495ab` |

+| `it-it` | Container image with the `it-IT` locale. | `sha256:572887127159990a3d44f6f5c3e5616d3df5b9f7b4696487407dcda619570d72` |

+| `ja-jp` | Container image with the `ja-JP` locale. | `sha256:4b961e96614ce3845d5456db84163ae3a14acca6a8d7adf1ebded8a242f59be8` |

+| `ko-kr` | Container image with the `ko-KR` locale. | `sha256:1b2ca4c7ff3361241c6eb5090fd739f9d72c52a6ffcaf05b1d305ae9cac76661` |

+| `lt-lt` | Container image with the `lt-LT` locale. | `sha256:4733f6390a776707fc082fd025a73b5e73532c859c6add626640b1705decaa8b` |

+| `lv-lv` | Container image with the `lv-LV` locale. | `sha256:84ebb7ab14e9ccd04da97747bc2611bff3f5d7bb2494e16c7ca257f1dacf3742` |

+| `mr-in` | Container image with the `mr-IN` locale. | `sha256:ca3edf97d26ff985cfe10b1bdcec2f65825758884cf706caca6855c6b865f4fd` |

+| `mt-mt` | Container image with the `mt-MT` locale. | `sha256:f3f9e5ee72abed81d93dae46a13be28491f833e96e43312d685388deee39af67` |

+| `nb-no` | Container image with the `nb-NO` locale. | `sha256:e0f5df9b49ebcd341fa4de899d4840c7b9e0cb291d5d6b3c8269f5e40420933c` |

+| `nl-nl` | Container image with the `nl-NL` locale. | `sha256:895ce0059b0fafe145053e1521fb63188a6d856753467ab85bd24aa8926102c1` |

+| `pl-pl` | Container image with the `pl-PL` locale. | `sha256:f74afc0b64860b97db449a8c6892fb1cb484e0ab9a02b15ab4e984a0f3a7c62d` |

+| `pt-br` | Container image with the `pt-BR` locale. | `sha256:963c4cca989f14861d56aafa1a58ad14f489f7b5ba2ac6052a617d8950ee507c` |

+| `pt-pt` | Container image with the `pt-PT` locale. | `sha256:468d4511672566d7d3de35a1c6150fdaa70634664a2553ae871c11806b024cb8` |

+| `ro-ro` | Container image with the `ro-RO` locale. | `sha256:4de5d11d77c1e7015090da0a82b81b3328973a389d99afeb2c188e70464bc544` |

+| `ru-ru` | Container image with the `ru-RU` locale. | `sha256:8a643ce653efcbf7e8042d87d89e456cd44ab6f100970ed4a38a1d6b5491a6c0` |

+| `sk-sk` | Container image with the `sk-SK` locale. | `sha256:8b11c142024cee74d395a5bf0d8e6ed980304ac7a127302b08ad248fb66d82ea` |

+| `sl-si` | Container image with the `sl-SI` locale. | `sha256:bd140766406a58c679e4cf7f4c48448d2cd9f9cacd005c1f5bfd4bf4642b4193` |

+| `sv-se` | Container image with the `sv-SE` locale. | `sha256:a47258027fdaf47b776e1e6f58d71a130574f42a0bccf14ba0a1d215d4546add` |

+| `ta-in` | Container image with the `ta-IN` locale. | `sha256:376cb98f99e733c4f6015cb283923bb07f3c126341959b0ba1cb5472619a2836` |

+| `te-in` | Container image with the `te-IN` locale. | `sha256:d0ae77a2e5539dbdd809d895eea123320fb4aab24932af38b769d26968a4150c` |

+| `th-th` | Container image with the `th-TH` locale. | `sha256:522c14b9cbb6a218839942bf7c36b3fc207f26cf6ce4068bc883e8dd7890237b` |

+| `tr-tr` | Container image with the `tr-TR` locale. | `sha256:c5f1ef181cb8287c917b9db2ee68eaa24b4f05e59372a00081bec70797bd54d1` |

+| `zh-cn` | Container image with the `zh-CN` locale. | `sha256:110e1e79bbb10254f9bd735b1c9cb70b0bf5a88f73da7a68985d2c861a40f201` |

+| `zh-hk` | Container image with the `zh-HK` locale. | `sha256:c1e0830d3cb04c8151c2e9c8c6eb0fb97036a09829fc8539a06bb07ca68a8e5e` |

+| `zh-tw` | Container image with the `zh-TW` locale. | `sha256:dd1ef4db3784594ba8c7c211f6196714690fbd360a8f81f5b109e8a023585b3d` |

+Release note for `2.18.0-amd64-<locale>`:

+Regular monthly release

+| `2.18.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.18.0-amd64-en-us`.|

+| Locale for v2.18.0 | Notes | Digest |

+|--|:--|:--|

+| `ar-ae` | Container image with the `ar-AE` locale. | `sha256:5cbc37cc91e0608cf174be5f2a320ca7daf312ade59fd9a3983d5324e68edae2` |

+| `ar-bh` | Container image with the `ar-BH` locale. | `sha256:16e6f169cf2ea025fc7d21c805a4a452e12b8d7b9530c8e9fc54ae68ee4f08dd` |

+| `ar-eg` | Container image with the `ar-EG` locale. | `sha256:05dd5bc85de5567809259339aa213fc802b38924d025dc1786600e663bfd4996` |

+| `ar-iq` | Container image with the `ar-IQ` locale. | `sha256:94973685069d212c19d67d9c0c8eb3f0124e08ff82807e976b59578f1bd67e97` |

+| `ar-jo` | Container image with the `ar-JO` locale. | `sha256:0dd7f1985b8544136bb1049d1b40d7c5858551f81721181a2e34fd1f9cb68e5b` |

+| `ar-kw` | Container image with the `ar-KW` locale. | `sha256:5cbc37cc91e0608cf174be5f2a320ca7daf312ade59fd9a3983d5324e68edae2` |

+| `ar-lb` | Container image with the `ar-LB` locale. | `sha256:9879fce4158fb8af2457eb6503607f78b7aade76eb4146c1ee7c142e7f9a21d4` |

+| `ar-om` | Container image with the `ar-OM` locale. | `sha256:0b1cd0c810cabad4217833d44b91479cd416d375e7ea43f2d14645f7bf859aa6` |

+| `ar-qa` | Container image with the `ar-QA` locale. | `sha256:5cbc37cc91e0608cf174be5f2a320ca7daf312ade59fd9a3983d5324e68edae2` |

+| `ar-sa` | Container image with the `ar-SA` locale. | `sha256:5cbc37cc91e0608cf174be5f2a320ca7daf312ade59fd9a3983d5324e68edae2` |

+| `ar-sy` | Container image with the `ar-SY` locale. | `sha256:7b206ca47a9004866857ad8b9c9ea824bd128089a8bdb374e6da565b0ea30f05` |

+| `bg-bg` | Container image with the `bg-BG` locale. | `sha256:a560c4e58476dcd9e5044f81da766a350b3b3464faaa6c93741a094c4afb621c` |

+| `ca-es` | Container image with the `ca-ES` locale. | `sha256:405cb4f74d10d5ff50efe9161b5cf21204d51c74b83766ea31ec2b8a878de495` |

+| `cs-cz` | Container image with the `cs-CZ` locale. | `sha256:87bde59f8fc441165f638a8665c480d259a3107b0edae5f022cb1b8f7e02a837` |

+| `da-dk` | Container image with the `da-DK` locale. | `sha256:ee6773b88378e9a01a35804f965bec0531b01327630174b927320553f023b7e9` |

+| `de-at` | Container image with the `de-AT` locale. | `sha256:f66bee7e43c05c1e434e0218d57ad094d47ec7be39e90ede3eb48fc9398fb873` |

+| `de-ch` | Container image with the `de-CH` locale. | `sha256:adb77da42c2637c072850fb2b5b2b2e508dff79e1ccdc5111b8f635167e35cc1` |

+| `de-de` | Container image with the `de-DE` locale. | `sha256:7143c59231017104bab633a108b5605166355f78e9dde2e3a4ebe6ffe71faafb` |

+| `el-gr` | Container image with the `el-GR` locale. | `sha256:4ce2fdeeaf53edc6811c079365e2aab56be75ea9abe3d94a6a96ca8dc0368573` |

+| `en-au` | Container image with the `en-AU` locale. | `sha256:e02827b1dcef490f792b04e7cd39eb7d46df4dbe57d340549b11193753136e76` |

+| `en-ca` | Container image with the `en-CA` locale. | `sha256:f5411eccf7659b1cc2303e118ef1ef002a700dd1a7363688a224763a6d19b7fe` |

+| `en-gb` | Container image with the `en-GB` locale. | `sha256:a87007b86fb1ca31b9a0368d01d7bfc4337b4262afb3356a88c752a29480f364` |

+| `en-hk` | Container image with the `en-HK` locale. | `sha256:a6014d4cbfafd2d49453f3ff12ea82fe8abc1e14bae639a2e9361de85a095f34` |

+| `en-ie` | Container image with the `en-IE` locale. | `sha256:aa6202c44028d4a8c608f04d6b66f473566d945012372182053d94dfc78eaa93` |

+| `en-in` | Container image with the `en-IN` locale. | `sha256:7ec9eaef19a2545e0a1afd70cb9707cf48029031e9f6b50cb6833045cbe66b29` |

+| `en-nz` | Container image with the `en-NZ` locale. | `sha256:48a95d03dc1200bfb56b1e3416dd1f94a0ad0227c0cf6c3c1730d862f2e99c15` |

+| `en-ph` | Container image with the `en-PH` locale. | `sha256:ab220ea3063af44c0ee7f7b9805289302faea578a50f4da5790b587ea49d31bc` |

+| `en-sg` | Container image with the `en-SG` locale. | `sha256:0f9cadefbe4d8236ef8e9c57b7473327541c1e37f53a2796f332bb2e190391f4` |

+| `en-us` | Container image with the `en-US` locale. | `sha256:bb13765581c938cbdcdcdec16fbc86f098fcebeecd16f33a50d9e5728a9dedb7` |

+| `en-za` | Container image with the `en-ZA` locale. | `sha256:096f4652fa8150cd1e2fa9b504cd2cce5bbb55b467ca9ba9f33d6b5c904fc51f` |

+| `es-ar` | Container image with the `es-AR` locale. | `sha256:acccaa583aaedab78d6614ada897d948d1d36d994d2fcd7f6b7e6435fe0b224f` |

+| `es-bo` | Container image with the `es-BO` locale. | `sha256:8d6631fefc679fe27366521a124d65dfa21c3e6b2a983f7da953e87d8711fad0` |

+| `es-cl` | Container image with the `es-CL` locale. | `sha256:0cd131cc39c2fe1231b7442f43f81b5e7c5317b51f5c9d9306bfa38c6abee060` |

+| `es-co` | Container image with the `es-CO` locale. | `sha256:ef4dcdcbce5f0dadde35f52c4322084274312e7b4a1e7dd18d76f92471a0688a` |

+| `es-cr` | Container image with the `es-CR` locale. | `sha256:8ee41457cf10efda1f3b126ae8dc21a1d5d2e966c9e3327a2134c597cfc16d89` |

+| `es-cu` | Container image with the `es-CU` locale. | `sha256:d00af5e4c41c9a240b64029ea8035e5e0012f54eec970771e84cfc4b59ecc373` |

+| `es-do` | Container image with the `es-DO` locale. | `sha256:9905d776b637cc5de8014a36af94ecc67088c1725fc578f805b682e969e04b3f` |

+| `es-ec` | Container image with the `es-EC` locale. | `sha256:a4e8d08b0a696d879cc20fb55171e90b32590514e999f73f98146b6921443cc3` |

+| `es-es` | Container image with the `es-ES` locale. | `sha256:1ecb4b3c86ff34b26b25058fd6c00b738c3c65d98f15c7a42e187f372ebadb60` |

+| `es-gt` | Container image with the `es-GT` locale. | `sha256:fd575f64f124bcb909d0515666e0a2555c3f1fe31dc8383c7fc953b423eed2e7` |

+| `es-hn` | Container image with the `es-HN` locale. | `sha256:5f96eebe2cea5a67e054c211cb744205e0ef15c957e8d38d618c746ff2c9f82a` |

+| `es-mx` | Container image with the `es-MX` locale. | `sha256:f9c8beb68ac7a1090f974b192df158013da5817b84b7e4c478ca646afe777c70` |

+| `es-ni` | Container image with the `es-NI` locale. | `sha256:150b98205f6802d85c4bb49fd8d334a6dd757ca1bb6cec747f93a5450a94eb85` |

+| `es-pa` | Container image with the `es-PA` locale. | `sha256:b27591217dc5b6db01570e9afac00949cdd78b26fe3469ed538bda62d6fb9209` |

+| `es-pe` | Container image with the `es-PE` locale. | `sha256:77dc8b771f638c2086de2ab573a28953865b95145cf82016459361e5cc3c5a47` |

+| `es-pr` | Container image with the `es-PR` locale. | `sha256:9f429598b0fc09efc6e9ce575fde538d400ceb7fa92807319873daba4b19dcf1` |

+| `es-py` | Container image with the `es-PY` locale. | `sha256:5cdaefc98a799ddd3800176efd6ffb896f5356af9b53a215d0600e874d94d893` |

+| `es-sv` | Container image with the `es-SV` locale. | `sha256:888bee57b4962c05c7a2cf569a22bb7bdc8bf2cf502e7f235ef1a0dafacb352d` |

+| `es-us` | Container image with the `es-US` locale. | `sha256:b021255ff7916f2d4b669114f3e5aad06de0c0b87656a9cc37af1f5f452e910b` |

+| `es-uy` | Container image with the `es-UY` locale. | `sha256:f69c019aa438f3f701b84805842dad98eeaa9a6998b261ea63e56dd80c1cd42c` |

+| `es-ve` | Container image with the `es-VE` locale. | `sha256:6cbd6d11bf9a021277c2fd42ef53242f12b7df00b559e572bbbe6baf48a84bac` |

+| `et-ee` | Container image with the `et-EE` locale. | `sha256:7b3a11a1e6f03ea4b802d97034588fbd461ebfed7ad08dc100c92586feff2208` |

+| `fi-fi` | Container image with the `fi-FI` locale. | `sha256:eb765a640aa8ff89e9bc718b100635a7c6adc2342b2da8fc621e66b7ba8696d4` |

+| `fr-ca` | Container image with the `fr-CA` locale. | `sha256:90127487c698e5d1a45c1a5813cda6805ba52a41468130f6dd4c28fe87f98fab` |

+| `fr-fr` | Container image with the `fr-FR` locale. | `sha256:ffc7c3844873f7e639f2a137b991edc54b750b362756f6f8897fbfaaa32fe1df` |

+| `ga-ie` | Container image with the `ga-IE` locale. | `sha256:ab41b4ad9161c342fac69fbd517264ad23579512a2500190b62e97586e5ec963` |

+| `gu-in` | Container image with the `gu-IN` locale. | `sha256:ac4da9f6d62baa41a193c4765e76eb507f51d069f989ae2860bada1c3e5ff968` |

+| `hi-in` | Container image with the `hi-IN` locale. | `sha256:9131208103997e9829239e3a8585c23f5dc2affc4ffbe3840270247d30b42be6` |

+| `hr-hr` | Container image with the `hr-HR` locale. | `sha256:4ccb5056e7763b736362b7f7b663f71f2bd20b23fc4516a6c63dd105f2b99e9b` |

+| `hu-hu` | Container image with the `hu-HU` locale. | `sha256:05a8d6be2d280cf8aa43fa059f4571417d47866bf603b8c1714ce079c4e66e6d` |

+| `it-it` | Container image with the `it-IT` locale. | `sha256:9e35544bc1a488d4b3fefc05860279c7a189505562fe2e4b1267da67154efded` |

+| `ja-jp` | Container image with the `ja-JP` locale. | `sha256:a1a3a6a81916a98aa6df68704f8a2d8ad318e3cd54d78ed97a98ee3b6af1e599` |

+| `ko-kr` | Container image with the `ko-KR` locale. | `sha256:67af86517f8915f3ebe107f65e62175dd2a7bb995416c963dca1eb398ed1502a` |

+| `lt-lt` | Container image with the `lt-LT` locale. | `sha256:aa2248878811831ab58438f40c66be6332505f3194037275b37babfceaed1732` |

+| `lv-lv` | Container image with the `lv-LV` locale. | `sha256:1ac940c96d054cf75e93cda1b88942ad5a7f4d3a269bbaf42060b91786394356` |

+| `mr-in` | Container image with the `mr-IN` locale. | `sha256:ca917fa5139516a75a9747f479fbbfb80819899c9d447c893578aadebf2d1c84` |

+| `mt-mt` | Container image with the `mt-MT` locale. | `sha256:8f2e0aac8961d8c7d560b83ff02f9fdb50708c1e508f8c0c12662391940354df` |

+| `nb-no` | Container image with the `nb-NO` locale. | `sha256:7eae1acddc5341e653944dbe26fd44669e1868b70e5d49559529f2eeb8f33b02` |

+| `nl-nl` | Container image with the `nl-NL` locale. | `sha256:5c3767d6f563b6b201a55338de1149fac43706c026c4ba6a358675d44c44d743` |

+| `pl-pl` | Container image with the `pl-PL` locale. | `sha256:22ee4fd3a864576b58276b9a02821fba439f7ea5f5c462e62deca1778a8b91a6` |

+| `pt-br` | Container image with the `pt-BR` locale. | `sha256:660c69103e721206e14436882272e80396592a45801a186d2830993140d4c8e0` |

+| `pt-pt` | Container image with the `pt-PT` locale. | `sha256:3579963235d8b05173fac42725e3509475bc42e197a5f0f325828a37ef2cf613` |

+| `ro-ro` | Container image with the `ro-RO` locale. | `sha256:23c07debd00bf4a817898784fb77bdf3fd27071b196226a8df81de5bdf4bf9f8` |

+| `ru-ru` | Container image with the `ru-RU` locale. | `sha256:b310ce3849e3c066678e4c90843ccf24e5972759a58b32863ba94801a481811b` |

+| `sk-sk` | Container image with the `sk-SK` locale. | `sha256:a750a88a2c7677b2507730905819764ae56e560a96394abe3340888d4c986f3f` |

+| `sl-si` | Container image with the `sl-SI` locale. | `sha256:3b92dde403d279395de09c77e3f866fc5d6757fc1c9bbf52639be59aee57b3be` |

+| `sv-se` | Container image with the `sv-SE` locale. | `sha256:70291a568a3093db066fbeff4ae294dac1d3ee41789e293896793b9c76990eb9` |

+| `ta-in` | Container image with the `ta-IN` locale. | `sha256:e1a5d1a748137d549b858635c6c9f470e3049a14dc3f5b300dca46819765de9b` |

+| `te-in` | Container image with the `te-IN` locale. | `sha256:0e11a0d8be515c7149f4d1774c1621d6a3b27674a31beaa7a9f62e54f9497858` |

+| `th-th` | Container image with the `th-TH` locale. | `sha256:2164d04ab1f9821c4beccc2d34e97bc9cec7ad387b17e8257801cd25a28dc412` |

+| `tr-tr` | Container image with the `tr-TR` locale. | `sha256:011ce659926bb4d4a56c8b3616b16ac7b80228c43e23d4b9154c96c67aa5db1b` |

+| `zh-cn` | Container image with the `zh-CN` locale. | `sha256:c7357d975838ae827376cc10ef48c6db8ee65751ee4f15db9a31ab5e51a876f2` |

+| `zh-hk` | Container image with the `zh-HK` locale. | `sha256:ea1c310631044b22fb61b79da59089db5ecd2e2ea0c3ab75d63e1c1c1d204a48` |

+| `zh-tw` | Container image with the `zh-TW` locale. | `sha256:c3a2388d3cb7d22035b3a5e4562185541cbfe885ab6ed96f3b9e3a3aa65aa56c` |

+Your [dataset is split](../how-to/train-model.md#data-split) into two parts: a set for training, and a set for testing. The training set while building the model and the testing set is used as a blind set to evaluate model performance after training is completed.

+You can train multiple models on the same dataset within the same project. After you have trained your model successfully, you can [view its evaluation](how-to/view-model-evaluation.md). You can [deploy and test](quickstart.md#deploy-your-model) your model within [Language studio](https://aka.ms/languageStudio). You can add or remove tags from your data and train a **new** model and test it as well. View [service limits](service-limits.md)to learn about maximum number of trained models with the same project. When you train a new model, your dataset is [split](how-to/train-model.md#data-split) randomly into training and testing sets. Because of this, there is no guarantee that the model evaluation is performed on the same test set, so results are not comparable. It is recommended that you develop your own test set and use it to evaluate both models so you can measure improvement.

+* When you train a new model your dataset is [split](how-to/train-model.md#data-split) randomly into training and testing sets, so there is no guarantee that the reflected model evaluation is on the same test set, so results are not comparable.

+## Data split

+3. Select **Start a training job** from the top menu.

+4. To train a new model, select **Train a new model** and type in the model name in the text box below. You can **overwrite an existing model** by selecting this option and select the model you want from the dropdown below.

+5. Click on the **Train** button.

+6. You can check the status of the training job in the same page. Only successfully completed tasks will generate models.

+You can only have one training job running at a time. You cannot create or start other tasks in the same project.

+<!-- After training has completed successfully, keep in mind:

+ -->

+3. In this page you can only view the successfully trained models. You can select the model name for more details.

+4. You can find the **model-level** evaluation metrics under the **Overview** section and the **class-level** evaluation metrics under the **Class performance metrics** section. See [Evaluation metrics](../concepts/evaluation.md#model-level-and-class-level-evaluation-metrics) for more information.

+* Your [training dataset](how-to/train-model.md#data-split) should include at least 10 files and no more than 1,000,000 files.

+3. Select **Start a training job** from the top menu.

+4. To train a new model, select **Train a new model** and type in the model name in the text box below. You can **overwrite an existing model** by selecting this option and select the model you want from the dropdown below.

+5. Click on the **Train** button.

+6. You can check the status of the training job in the same page. Only successfully completed tasks will generate models.

+You can only have one training job running at a time. You cannot create or start other tasks in the same project.

+3. In this page you can only view the sucessfuly trained models. You can click on the model name for more details.

+In this article, we use the Language studio to demonstrate key concepts of custom Named Entity Recognition (NER). As an example weΓÇÖll build a custom NER model to extract relevant entities from loan agreements.

+Custom question answering, a feature of Azure Cognitive Service for Language was introduced in May 2021 with several new capabilities including enhanced relevance using a deep learning ranker, precise answers, and end-to-end region support. Each custom question answering project is equivalent to a knowledge base in QnA Maker. You can easily migrate knowledge bases from a QnA Maker resource to custom question answering projects within a [language resource](https://aka.ms/create-language-resource). You can also choose to migrate knowledge bases from multiple QnA Maker resources to a specific language resource.

+recommendations: false

+recommendations: false

+recommendations: false

+### Some Android devices failing to join calls and meetings.

+A number of specific Android devices fail to join calls and meetings. The devices that run into this issue, wont recover and will fail on every attemp. These are mostly Samsung phones with biggest contributors A326U, A125U and A215U models.

+- This is a known regression introduced on [Chromium](https://bugs.chromium.org/p/webrtc/issues/detail?id=13223).

+| Phone numbers| [REST](/rest/api/communication/phonenumbers) | Service| Acquire and manage phone numbers |

+| SMS | [REST](/rest/api/communication/sms) | Service| Send and receive SMS messages|

+| Calling | Proprietary transport | Client | Voice, video, screen-sharing, and other real-time communication |

+| Calling Server | [REST](/rest/api/communication/callautomation/server-calls) | Service| Make and manage calls, play audio, and configure recording |

+| Network Traversal | [REST](/api/communication/communication-network-traversal)| Service| Access TURN servers for low-level data transport |

+ Title: Built-in operations versus Azure connectors in Standard

+description: Learn the differences between built-in operations and Azure connectors for Standard logic apps.

+ms.suite: integration

+# As a developer, I want to understand the differences between built-in and Azure connectors in Azure Logic Apps (Standard).

+# Differences between built-in operations and Azure connectors in Azure Logic Apps (Standard)

+When you create a **Logic App (Standard)** stateful workflow, the workflow designer shows the available triggers and actions as categories named **Built-in** and **Azure**.

+In **Logic Apps (Standard)**, built-in connectors are known as *service provider connectors*. These connectors are actually custom extensions that are implemented based on Azure Functions. Built-in connectors run in the same cluster as the Azure Logic Apps engine. Anyone can create their own service provider connector.

+Azure connectors are the same as the [*managed connectors*](managed.md) in **Logic App (Consumption)** workflows. These connectors are managed by Microsoft and run in shared connector clusters in the Azure cloud. Separately from the managed connector clusters, the Azure Logic Apps engine runs in a different cluster. If your workflow has to invoke a managed connector operation, the Azure Logic Apps engine makes a call to the connector in the connector clusters. In turn, the connector might then call the backend target service, which can be Office 365, Salesforce, and so on.

+<a name="considerations-authentication"></a>

+## Considerations for authentication

+Authentication considerations for built-in and Azure connectors differ based on whether you develop the workflow in the Azure portal or locally in Visual Studio Code.

+| Environment | Connector type | Authentication |

+|-|-|-|

+| Azure portal | Built-in | Connection strings, credentials, or connection parameters are stored in your logic app's configuration or app settings. |

+| Azure portal | Azure | Connections are authenticated using either a managed identity or [Azure Active Directory (Azure AD) app registration with access policies enabled on the Azure API connections](../logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md#set-up-connection-authentication). |

+| Visual Studio Code | Built-in | Connection strings or credentials are stored in the logic app project's **local.settings.json** file. |

+| Visual Studio Code | Azure | During workflow design, API connections are created and stored in the Azure cloud backend. To run these connections in your local environment, a bearer token is issued for seven days and is stored in your logic app project's **local.settings.json** file. |

+||||

+<a name="considerations-backend-communication"></a>

+## Considerations for backend communication

+For an Azure connector to work, your backend service, such as Office 365 or SQL Server, has to allow traffic through the [outbound IP addresses for managed connectors](/connectors/common/outbound-ip-addresses) in the region where you created your logic app.

+For a built-in connector to work, your backend service has to allow traffic from the Azure Logic Apps engine instead. You can find the outbound IP addresses for the Azure Logic Apps enine by using the following steps:

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource.

+1. On the logic app resource menu, under **Settings**, select **Properties**.

+1. Under **Outgoing IP addresses** and **Additional Outgoing IP addresses**, copy all the IP addresses, and set your backend service to allow traffic through these IP addresses.

+<a name="considerations-vnet"></a>

+## Considerations for virtual network integration

+Built-in connectors run in the same cluster as the Azure Logic Apps host runtime and can use virtual network (VNet) integration capabilities to access resources over a private network. However, Azure connectors run in shared managed connector environment and can't benefit from these VNET integration capabilities.

+Instead, for Azure connectors to work when VNet integration is enabled on a Standard logic app, you have to allow traffic through the [outbound IP addresses for managed connectors](/connectors/common/outbound-ip-addresses) in the region where you created your logic app. For example, if the subnet that's used in the VNet integration has a network security group (NSG) policy or firewall, that subnet has to allow outbound traffic to the outbound IP addresses for managed connectors.

+## Next steps

+- [Logic Apps Anywhere: Networking possibilities with Logic Apps (single-tenant)](https://techcommunity.microsoft.com/t5/integrations-on-azure/logic-apps-anywhere-networking-possibilities-with-logic-app/ba-p/2105047)

+- [Azure Logic Apps Running Anywhere: Built-in connector extensibility](https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/azure-logic-apps-running-anywhere-built-in-connector/ba-p/1921272)

+description: Schedule and run recurring automated tasks and workflows with the Recurrence trigger in Azure Logic Apps.

+ > If you use the **Day** or **Week** frequency and specify a future date and time, make sure that you set up the recurrence in advance:

+ >

+ > * **Day**: Set up the daily recurrence at least 24 hours in advance.

+ >

+ > * **Week**: Set up the weekly recurrence at least 7 days in advance.

+ >

+ > Otherwise, the workflow might skip the first recurrence.

+ >

+ > If a recurrence doesn't specify a specific [start date and time](../logic-apps/concepts-schedule-automated-recurring-tasks-workflows.md#start-time), the first recurrence runs immediately

+ > when you save or deploy the logic app, despite your trigger's recurrence setup. To avoid this behavior, provide a start

+ > date and time for when you want the first recurrence to run.

+ >

+ > If a recurrence doesn't specify any other advanced scheduling options such as specific times to run future recurrences,

+ > those recurrences are based on the last run time. As a result, the start times for those recurrences might drift due to

+ > factors such as latency during storage calls. To make sure that your logic app doesn't miss a recurrence, especially when

+ > the frequency is in days or longer, try these options:

+ >

+ > * Use the [Sliding Window trigger](../connectors/connectors-native-sliding-window.md), rather than the Recurrence trigger.

+| `resources.memory` | The amount of RAM allocated to the container. | This value is up to `4Gi`. The only allowed units are [gibibytes](https://simple.wikipedia.org/wiki/Gibibyte) (`Gi`). Values must adhere to the following rules: the value must be greater than zero and less than `4Gi`, and can be any decimal number, with a maximum of two decimal places. For example, `1.25Gi` is valid, but `1.555Gi` is invalid. The default is `1Gi` per container. |

+| <input type="checkbox"/> | DefaultTraceListener | The DefaultTraceListener poses performance issues on production environments causing high CPU and I/O bottlenecks. Make sure you are using the latest SDK versions or [remove the DefaultTraceListener from your application](performance-tips-dotnet-sdk-v3-sql.md#logging-and-tracing) |

+## <a id="logging-and-tracing"></a> Logging and tracing

+Some environments have the [.NET DefaultTraceListener](/dotnet/api/system.diagnostics.defaulttracelistener) enabled. The DefaultTraceListener poses performance issues on production environments causing high CPU and I/O bottlenecks. Check and make sure that the DefaultTraceListener is disabled for your application by removing it from the [TraceListeners](/dotnet/framework/debug-trace-profile/how-to-create-and-initialize-trace-listeners) on production environments.

+Latest SDK versions (greater than 3.23.0) automatically remove it when they detect it, with older versions, you can remove it by:

+# [.NET 6 / .NET Core](#tab/trace-net-core)

+```csharp

+if (!Debugger.IsAttached)

+{

+ Type defaultTrace = Type.GetType("Microsoft.Azure.Cosmos.Core.Trace.DefaultTrace,Microsoft.Azure.Cosmos.Direct");

+ TraceSource traceSource = (TraceSource)defaultTrace.GetProperty("TraceSource").GetValue(null);

+ traceSource.Listeners.Remove("Default");

+ // Add your own trace listeners

+}

+```

+# [.NET Framework](#tab/trace-net-fx)

+Edit your `app.config` or `web.config` files:

+```xml

+<configuration>

+ <system.diagnostics>

+ <sources>

+ <source name="DocDBTrace" switchName="SourceSwitch" switchType="System.Diagnostics.SourceSwitch" >

+ <listeners>

+ <remove name="Default" />

+ <!--Add your own trace listeners-->

+ <add name="myListener" ... />

+ </listeners>

+ </source>

+ </sources>

+ </system.diagnostics>

+<configuration>

+```

+#### UnknownHostException

+UnknownHostException means that the Java framework cannot resolve the DNS entry for the Cosmos DB endpoint in the affected machine. You should verify that the machine can resolve the DNS entry or if you have any custom DNS resolution software (such as VPN or Proxy, or a custom solution), make sure it contains the right configuration for the DNS endpoint that the error is claiming cannot be resolved.

+ Title: Transfer Azure Enterprise enrollment accounts and subscriptions

+description: Describes how Azure Enterprise enrollment accounts and subscriptions are transferred.

+# Transfer Azure Enterprise enrollment accounts and subscriptions

+This section is for informational purposes only as the action can't be performed by an enterprise administrator. A support request is needed to transfer an enterprise account to a new enrollment.

+- The enrollment number and account to transfer for the source enrollment

+- Approval from an EA Administrator is required for the target and source enrollment.

+- You should consider an enrollment transfer if an account transfer doesn't meet your requirements.

+- Your account transfer moves all services and subscriptions related to the specific accounts.

+- Your transferred account appears inactive under the source enrollment and appears active under the target enrollment when the transfer is complete.

+- Your account shows the end date corresponding to the effective transfer date on the source enrollment. The same date is the start date on the target enrollment.

+- Your account usage incurred before the effective transfer date remains under the source enrollment.

+This section is for informational purposes only as the action can't be performed by an enterprise administrator. A support request is needed to transfer an enterprise enrollment to a new one, unless the enrollment qualifies for [Auto enrollment transfer](#auto-enrollment-transfer).

+- If department administrator (DA) or account owner (AO) view charges were enabled on the transferred enrollment, they must be enabled on the new enrollment.

+- If you're using API reports or Power BI, generate a new API key under your new enrollment.

+- If the enrollment you're transferring from has reservation purchases, the reservation purchasing fee will remain in the source enrollment. However, all reservation benefits will be transferred across for use in the new enrollment.

+- Cost view settings for department administrators or account owners don't carry over.

+- If the source and destination enrollments are on different cloud instances, the transfer will fail. Support personnel can transfer only within the same cloud instance.

+ - Whenever there's is a currency change during or after an enrollment transfer, reservations paid for monthly are canceled for the source enrollment at the time of next monthly payment for an individual reservation. This cancellation is intentional and affects only the monthly reservation purchases.

+You might see that an enrollment has the **Transferred** state, even if you haven't submitted a support ticket to request an enrollment transfer. The **Transferred** state results from the auto enrollment transfer process. In order for the auto enrollment transfer to occur during the renewal phrase, there are a few items that must be included in the new agreement:

+### Prepayment isn't transferrable

+Prepayment isn't transferrable between enrollments. Prepayment balances are tied contractually to the enrollment where it was ordered. Prepayment isn't transferred as part of the account or enrollment transfer process.

+When an Azure subscription is transferred to an account in the same Azure Active Directory tenant, then all users, groups, and service principals that had Azure role-based access control (RBAC) to manage resources keep their access. For more information, see [(Azure RBAC)](../../role-based-access-control/overview.md).

+To view users with Azure RBAC access to the subscription:

+1. Open **Subscriptions** in the Azure portal.

+3. Select **Role assignments**. The role assignments page lists all users who have Azure RBAC access to the subscription.

+If the subscription is transferred to an account in a different Azure AD tenant, then all users, groups, and service principals that had an [Azure RBAC role](../../role-based-access-control/overview.md) to manage resources _lose_ their access. Although Azure RBAC access isn't present, access to the subscription might be available through security mechanisms, including:

+If the recipient needs to restrict, access to their Azure resources, they should consider updating any secrets associated with the service. Most resources can be updated by using the following steps:

+2. select **All resources** on the Hub menu.

+4. select **Settings** to view and update existing secrets on the resource page.

+- If you need help with troubleshooting Azure EA portal issues, see [Troubleshoot Azure EA portal access](ea-portal-troubleshoot.md).

+When you enable error row handling ("continue on error") in the sink transformation, the service will take an additional step before writing the compatible rows to your destination table. This additional step will have a small performance penalty that can be in the range of 5% added for this step with an additional small performance hit also added if you set the option to also write the incompatible rows to a log file.

+This Azure Databricks Delta Lake connector supports the following authentication types. See the corresponding sections for details.

+- [Access token](#access-token)

+- [System-assigned managed identity authentication](#managed-identity)

+- [User-assigned managed identity authentication](#user-assigned-managed-identity-authentication)

+### Access token

+The following properties are supported for the Azure Databricks Delta Lake linked service:

+### <a name="managed-identity"></a> System-assigned managed identity authentication

+To learn more about system-assigned managed identities for Azure resources, see [system-assigned managed identity for Azure resources](data-factory-service-identity.md#system-assigned-managed-identity).

+To use system-assigned managed identity authentication, follow these steps to grant permissions:

+1. [Retrieve the managed identity information](data-factory-service-identity.md#retrieve-managed-identity) by copying the value of the **managed identity object ID** generated along with your data factory or Synapse workspace.

+2. Grant the managed identity the correct permissions in Azure Databricks. In general, you must grant at least the **Contributor** role to your system-assigned managed identity in **Access control (IAM)** of Azure Databricks.

+The following properties are supported for the Azure Databricks Delta Lake linked service:

+| Property | Description | Required |

+| :- | :-- | :- |

+| type | The type property must be set to **AzureDatabricksDeltaLake**. | Yes |

+| domain | Specify the Azure Databricks workspace URL, e.g. `https://adb-xxxxxxxxx.xx.azuredatabricks.net`. | Yes |

+| clusterId | Specify the cluster ID of an existing cluster. It should be an already created Interactive Cluster. <br>You can find the Cluster ID of an Interactive Cluster on Databricks workspace -> Clusters -> Interactive Cluster Name -> Configuration -> Tags. [Learn more](/azure/databricks/clusters/configure#cluster-tags). | Yes |

+| workspaceResourceId | Specify the workspace resource ID of your Azure Databricks.| Yes |

+| connectVia | The [integration runtime](concepts-integration-runtime.md) that is used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime (if your data store is located in a private network). If not specified, it uses the default Azure integration runtime. | No |

+**Example:**

+```json

+{

+ "name": "AzureDatabricksDeltaLakeLinkedService",

+ "properties": {

+ "type": "AzureDatabricksDeltaLake",

+ "typeProperties": {

+ "domain": "https://adb-xxxxxxxxx.xx.azuredatabricks.net",

+ "clusterId": "<cluster id>",

+ "workspaceResourceId": "<workspace resource id>"

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+### User-assigned managed identity authentication

+To learn more about user-assigned managed identities for Azure resources, see [user-assigned managed identities](data-factory-service-identity.md#user-assigned-managed-identity)

+To use user-assigned managed identity authentication, follow these steps:

+1. [Create one or multiple user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md) and grant permission in your Azure Databricks. In general, you must grant at least the **Contributor** role to your user-assigned managed identity in **Access control (IAM)** of Azure Databricks.

+

+2. Assign one or multiple user-assigned managed identities to your data factory or Synapse workspace, and [create credentials](credentials.md) for each user-assigned managed identity.

+The following properties are supported for the Azure Databricks Delta Lake linked service:

+| Property | Description | Required |

+| :- | :-- | :- |

+| type | The type property must be set to **AzureDatabricksDeltaLake**. | Yes |

+| domain | Specify the Azure Databricks workspace URL, e.g. `https://adb-xxxxxxxxx.xx.azuredatabricks.net`. | Yes |

+| clusterId | Specify the cluster ID of an existing cluster. It should be an already created Interactive Cluster. <br>You can find the Cluster ID of an Interactive Cluster on Databricks workspace -> Clusters -> Interactive Cluster Name -> Configuration -> Tags. [Learn more](/azure/databricks/clusters/configure#cluster-tags). | Yes |

+| credentials | Specify the user-assigned managed identity as the credential object. | Yes |

+| workspaceResourceId | Specify the workspace resource ID of your Azure Databricks. | Yes |

+| connectVia | The [integration runtime](concepts-integration-runtime.md) that is used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime (if your data store is located in a private network). If not specified, it uses the default Azure integration runtime. | No |

+**Example:**

+```json

+{

+ "name": "AzureDatabricksDeltaLakeLinkedService",

+ "properties": {

+ "type": "AzureDatabricksDeltaLake",

+ "typeProperties": {

+ "domain": "https://adb-xxxxxxxxx.xx.azuredatabricks.net",

+ "clusterId": "<cluster id>",

+ "credential": {

+ "referenceName": "credential1",

+ "type": "CredentialReference"

+ },

+ "workspaceResourceId": "<workspace resource id>"

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+# Copy data from or to SAP Cloud for Customer (C4C) using Azure Data Factory or Synapse Analytics

+For instance, `allowSchemaDrift: true,` in a source transformation tells the service to include all columns from the source dataset in the data flow even if they aren't included in the schema projection.

+When you build a data flow script to use with PowerShell or an API, you must collapse the formatted text into a single line. You can keep tabs and newlines as escape characters. But the text must be formatted to fit inside a JSON property. There's a button on the script editor UI at the bottom that will format the script as a single line for you.

+And a sink with no schema would be:

+This is a generic aggregate pattern that demonstrates how you can keep the remaining columns in your output metadata when you're building aggregates. In this case, we use the ```first()``` function to choose the first value in every column whose name isn't "movie". To use this, create an Aggregate transformation called DistinctRows and then paste this in your script over top of the existing DistinctRows aggregate script.

+This snippet will add a new Aggregate transformation to your data flow, which will take all incoming columns, generate a hash that is used for grouping to eliminate duplicates, then provide the first occurrence of each duplicate as output. You don't need to explicitly name the columns, they'll be automatically generated from your incoming data stream.

+split(contains(array(toString(columns())),isNull(#item)),

+When you need to load an existing database schema from an unknown or dynamic set of incoming columns, you must map the right-side columns in the Sink transformation. This is only needed when you're loading an existing table. Add this snippet before your Sink to create a Select that auto-maps your columns. Leave your Sink mapping to auto-map.

+Here's how to implement the common "Fill Down" problem with data sets when you want to replace NULL values with the value from the previous non-NULL value in the sequence. Note that this operation can have negative performance implications because you must create a synthetic window across your entire data set with a "dummy" category value. Additionally, you must sort by a value to create the proper data sequence to find the previous non-NULL value. This snippet below creates the synthetic category as "dummy" and sorts by a surrogate key. You can remove the surrogate key and use your own data-specific sort key. This code snippet assumes you've already added a Source transformation called ```source1```

+This sample snippet demonstrates how the Window transformation can be used to compare column values from the current row context with column values from rows before and after the current row. In this example, a Derived Column is used to generate a dummy value to enable a window partition across the entire data set. A Surrogate Key transformation is used to assign a unique key value for each row. When you apply this pattern to your data transformations, you can remove the surrogate key if you're a column that you wish to order by and you can remove the derived column if you have columns to use to partition your data by.

+| Row level error handling | Row level error handling is currently not supported. For example, to filter out non-numeric values from a column, one approach would be to transform the text column to a number. Every cell, which fails to transform will be in an error state and need to be filtered. This scenario isn't possible in scaled-out M. |

+* When you click OK, you'll see the data in the editor updated with the pivoted values

+* You'll also see a warning message that the transformation may be unsupported

+2. You'll see a warning message

+ get-vm

+ To: azure.qsjp@quantiumsolutions.com

+- Email：[azure.qsjp@quantiumsolutions.com](mailto:azure.qsjp@quantiumsolutions.com)

+<!--ACLs DEFINITION

+**Transfer methods.** Support for ACLs transfer during a data copy varies with the file transfer protocol or service that you use. There are also some differences when you use a Windows client vs. a Linux client for the data copy.

+- SMB transfers. When you [copy data over SMB](databox/data-box-deploy-copy-data.md), all the ACLs for directories and files that you copy to your Data Box over SMB are copied and transferred. Transfers include both discretionary ACLs (DACLs) and system ACLs (SACLs). If you're using a Linux client for an SMB transfer, only Windows NT ACLs are transferred.

+- NFS transfers. ACLs aren't transferred when you [copy data over Network File System (NFS)](databox/data-box-deploy-copy-data-via-nfs.md).

+- Data copy service - ACLs aren't transferred when you [copy data via the data copy service](data-box-deploy-copy-data-via-copy-service.md). The data copy service reads data directly from your shares and can't read ACLs.

+

+**Default ACLs.** Even if your data copy tool does not copy ACLs, in Windows, the default ACLs on directories and files are transferred to Azure Files. The default ACLs aren't transferred in Linux.

+The default ACLs have permissions for the built-in Administrator account, the SYSTEM account, and the SMB share user account that was used to mount and copy data in the Data Box.

+**Disabling ACLs transfer.** Transfer of ACLs is enabled by default. You might want to disable this setting in the local web UI on your Data Box. For more information, see [Use the local web UI to administer your Data Box and Data Box.-->

+Depending on the transfer method used and whether you're using a Windows or Linux client, some or all discretionary and default access control lists (ACLs) on files and folders may be transferred during the data copy to Azure Files.

+Transfer of ACLs is enabled by default. You might want to disable this setting in the local web UI on your Data Box. For more information, see [Use the local web UI to administer your Data Box and Data Box Heavy](./data-box-local-web-ui-admin.md).

+

+**ACLs transfer over SMB**

+During an [SMB file transfer](./data-box-deploy-copy-data.md), the following ACLs are transferred:

+- Discretionary ACLs (DACLs) and system ACLs (SACLs) for directories and files that you copy to your Data Box

+- If you use a Linux client, only Windows NT ACLs are transferred.<!--Kyle asked: What are Windows NT ACLs.-->

+ACLs aren't transferred when you [copy data over NFS](./data-box-deploy-copy-data-via-nfs.md) or [use the data copy service](data-box-deploy-copy-data-via-copy-service.md). The data copy service reads data directly from your shares and can't read ACLs.

+**Default ACLs transfer**

+Even if your data copy tool doesn't copy ACLs, the default ACLs on directories and files are transferred to Azure Files when you use a Windows client. The default ACLs aren't transferred when you use a Linux client.

+The following default ACLs are transferred:

+- Account permissions:

+ - Built-in Administrator account

+ - SYSTEM account

+ - SMB share user account used to mount and copy data in the Data Box

+- Security descriptors with these properties: DACL, Owner, Group, SACL

+To transfer the ACLs, timestamps, and attributes for your data, use the following procedures to copy data into the Data Box.

+### Linux data copy tools

+Transferring metadata in Linux is a two-step process. First, you copy the source data using a tool such as `rsync`, which does not copy metadata. After you copy the data, you can copy the metadata using a tool such as `smbcacls` or `cifsacl`.

+- Data Box usage capacity may be less than 80 TiB because of ReFS metadata space consumption.

+ > If there is a label "MG Inherited" alongside your default initiative, it means that the initiative has been assigned to a management group and inherited by the subscription you're viewing.

+1. From the **Default initiative** or **Your custom initiatives** sections, select the relevant initiative containing the policy you want to disable.

+1. From the **Default initiative**, **Industry & regulatory standards**, or **Your custom initiatives** sections, select the relevant initiative with the policy you want to enable.

+### Cloud Shell users: Upload manifest

+If you're using Cloud Shell for this tutorial, you'll need to upload the manifest file you created to the Cloud Shell, so that you can access it in Cloud Shell commands when configuring the app registration. If you're using a local installation of the Azure CLI, you can skip this step.

+In this section, you'll run a CLI command to create an app registration with the following settings:

+Run the following command to create the registration. If you're using Cloud Shell, the path to the manifest.json file is `@manifest.json`.

+az ad app create --display-name <app-registration-name> --available-to-other-tenants false --reply-urls http://localhost --native-app --required-resource-accesses "<path-to-manifest.json>"

+You can also verify the app registration was successfully created with the necessary API permissions by using the Azure portal. For portal instructions, see [Verify API permissions (portal)](how-to-create-app-registration-portal.md#verify-api-permissions).

+## Create Azure Digital Twins role assignment

+In this section, you'll create a role assignment for the app registration to set its permissions on the Azure Digital Twins instance. This role will determine what permissions the app registration holds on the instance, so you should select the role that matches the appropriate level of permission for your situation. One possible role is [Azure Digital Twins Data Owner](../role-based-access-control/built-in-roles.md#azure-digital-twins-data-owner). For a full list of roles and their descriptions, see [Azure built-in roles](../role-based-access-control/built-in-roles.md).

+Use the following command to assign the role (must be run by a user with [sufficient permissions](how-to-set-up-instance-cli.md#prerequisites-permission-requirements) in the Azure subscription). The command requires you to pass in the name of the app registration.

+```azurecli-interactive

+az dt role-assignment create --dt-name <your-Azure-Digital-Twins-instance> --assignee "<name-of-app-registration>" --role "<appropriate-role-name>"

+```

+The result of this command is outputted information about the role assignment that's been created for the app registration.

+### Verify role assignment

+To further verify the role assignment, you can look for it in the Azure portal. Follow the instructions in [Verify role assignment (portal)](how-to-create-app-registration-portal.md#verify-role-assignment).

+## Provide Azure Digital Twins permissions

+Next, configure the app registration you've created with permissions to access Azure Digital Twins. First, **create a role assignment** for the app registration within the Azure Digital Twins instance. Then, **provide API permissions** for the app to read and write to the Azure Digital Twins APIs.

+### Create role assignment

+In this section, you'll create a role assignment for the app registration on the Azure Digital Twins instance. This role will determine what permissions the app registration holds on the instance, so you should select the role that matches the appropriate level of permission for your situation. One possible role is [Azure Digital Twins Data Owner](../role-based-access-control/built-in-roles.md#azure-digital-twins-data-owner). For a full list of roles and their descriptions, see [Azure built-in roles](../role-based-access-control/built-in-roles.md).

+1. First, open the page for your Azure Digital Twins instance in the Azure portal.

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the Add role assignment page.

+1. Assign the appropriate role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+

+ | Setting | Value |

+ | | |

+ | Role | Select as appropriate |

+ | Assign access to | User, group, or service principal |

+ | Members | Search for the name or [client ID](#collect-client-id-and-tenant-id) of the app registration |

+

+ 

+#### Verify role assignment

+You can view the role assignment you've set up under *Access control (IAM) > Role assignments*.

+The app registration should show up in the list along with the role you assigned to it.

+### Provide API permissions

+In this section, you'll grant your app baseline read/write permissions to the Azure Digital Twins APIs.

+#### Verify API permissions

+If these values are missing, retry the steps in the [section for adding the API permission](#provide-api-permissions).

+In this section, you will **create a new instance of Azure Digital Twins** using the CLI command. You will need to provide:

+* A resource group where the instance will be deployed. If you do not already have an existing resource group in mind, you can create one now with this command:

+* A name for your instance. If your subscription has another Azure Digital Twins instance in the region that is

+If the instance was created successfully, the result in the CLI looks something like this, outputting information about the resource you have created:

+You now have an Azure Digital Twins instance ready to go. Next, you will give the appropriate Azure user permissions to manage it.

+To give a user permission to manage an Azure Digital Twins instance, you must assign them the **Azure Digital Twins Data Owner** role within the instance.

+The result of this command is outputted information about the role assignment that has been created for the user.

+ | Members | Search for the name or email address of the user to assign |

+Microsoft Azure Dev Tools for Teaching puts professional developer tools,

+software, and services from Microsoft in the hands of faculty and students

+with plans that come as a part of various Academic Volume Licensing Agreements.

+Students receive developer tools at no cost--everything needed to create apps, games,

+and websites--so they can chase their dreams, create the next big breakthrough in technology,

+or get a head start on their career.

+We designed Azure Dev Tools for Teaching to help professors teach and students learn more effectively.

+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

+ > [!NOTE]

+ > The creation of this redirect rule will incur a small charge.

+This architecture ensures that requests from your end users always reach the closest Front Door environment. If the preferred Front Door environment is unhealthy, all traffic automatically moves to the next closest environment.

+- **Required modules**: Links to the [PowerShell Desired State Configuration (DSC)](https://docs.microsoft.com/powershell/dsc/overview?view=dsc-1.1)

+Using [authorization code flow](../../active-directory/azuread-dev/v1-protocols-oauth-code.md) as an example, accessing a FHIR server goes through the four steps:

+1. The client sends a request to the `/authorize` endpoint of Azure AD. Azure AD will redirect the client to a sign in page where the user will authenticate using appropriate credentials (for example username and password or two-factor authentication). See details on [obtaining an authorization code](../../active-directory/azuread-dev/v1-protocols-oauth-code.md#request-an-authorization-code). Upon successful authentication, an *authorization code* is returned to the client. Azure AD will only allow this authorization code to be returned to a registered reply URL configured in the client application registration.

+It's important to note that the Azure API for FHIR isn't involved in validating user credentials and it doesn't issue the token. The authentication and token creation is done by Azure AD. The Azure API for FHIR simply validates that the token is signed correctly (it's authentic) and that it has appropriate claims.

+```json

+```

+```json

+```

+As mentioned, there are several ways to obtain a token from Azure AD. They're described in detail in the [Azure AD developer documentation](../../active-directory/develop/index.yml).

+When using a FHIR server, you can use either the `v1.0` or the `v2.0` endpoints. The choice may depend on the authentication libraries you're using in your client application.

+How Azure API for FHIR validates the access token will depend on implementation and configuration. In this article, we'll walk through the validation steps, which can be helpful when troubleshooting access issues.

+Azure AD will return a document like this one to the FHIR server.

+The important properties for the FHIR server are `jwks_uri`, which tells the server where to fetch the encryption keys needed to validate the token signature and `issuer`, which tells the server what will be in the issuer claim (`iss`) of tokens issued by this server. The FHIR server can use this to validate that it's receiving an authentic token.

+A FHIR server may also validate that an access token has the scopes (in token claim `scp`) to access the part of the FHIR API that a client is trying to access. Currently, the Azure API for FHIR and the FHIR server for Azure don't validate token scopes.

+To assist with creation of these search parameters and profiles, we have a [sample http file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/C4BB/C4BB.http) that includes all the steps outlined in this tutorial in a single file. Once you've uploaded all the necessary profiles and search parameters, you can run the capability statement test in Touchstone.

+After testing the capabilities statement, we'll test the [read capabilities](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/01-Read&activeOnly=false&contentEntry=TEST_SCRIPTS) in Azure API for FHIR against the C4BB IG. This test is testing conformance against the eight profiles you loaded in the first test. You'll need to have resources loaded that conform to the profiles. The best path would be to test against resources that you already have in your database, but we also have an [http file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/C4BB/C4BB_Sample_Resources.http) available with sample resources pulled from the examples in the IG that you can use to create the resources and test against.

+The [Patient-everything](https://www.hl7.org/fhir/patient-operation-everything.html) operation is used to provide a view of all resources related to a patient. This operation can be useful to give patients' access to their entire record or for a provider or other user to perform a bulk data download related to a patient. According to the FHIR specification, Patient-everything returns all the information related to one or more patients described in the resource or context on which this operation is invoked. In the Azure API for FHIR, Patient-everything is available to pull data related to a specific patient.

+> [!Note]

+> You must specify an ID for a specific patient. If you need all data for all patients, see [$export](../data-transformation/export-data.md).

+* Resources that are directly referenced by the patient resource, except [link](https://www.hl7.org/fhir/patient-definitions.html#Patient.link) references that aren't of [seealso](https://www.hl7.org/fhir/codesystem-link-type.html#content) or if the `seealso` link references a `RelatedPerson`.

+* [Device resources](https://www.hl7.org/fhir/device.html) that reference the patient resource.

+> [!Note]

+> If the patient has more than 100 devices linked to them, only 100 will be returned.

+> This implementation of Patient-everything does not support the _count parameter.

+The FHIR specification has a detailed overview of the different types of [patient links](https://www.hl7.org/fhir/valueset-link-type.html#expansion), but here's a high-level summary:

+### Patient-everything patient links details

+Right now, [replaces](https://www.hl7.org/fhir/codesystem-link-type.html#link-type-replaces) and [refer](https://www.hl7.org/fhir/codesystem-link-type.html#link-type-refer) links are ignored by the Patient-everything operation, and the linked patient isn't returned in the bundle.

+As described, [seealso](https://www.hl7.org/fhir/codesystem-link-type.html#link-type-seealso) links reference another patient that's considered equally valid to the original. After the Patient-everything operation is run, if the patient has `seealso` links to other patients, the operation runs Patient-everything on each `seealso` link. This means if a patient links to five other patients with a type `seealso` link, we'll run Patient-everything on each of those five patients.

+> This is set up to only follow `seealso` links one layer deep. It doesn't process a `seealso` link's `seealso` links.

+[](media/patient-everything/see-also-flow.png#lightbox)

+## Patient-everything response order

+The Patient-everything operation returns results in phases:

+1. Phase 1 returns the `Patient` resource itself in addition to any `generalPractitioner` and `managingOrganization` resources ir references.

+1. Phase 2 and 3 both return resources in the patient compartment. If the start or end query parameters are specified, Phase 2 returns resources from the compartment that can be filtered by their clinical date, and Phase 3 returns resources from the compartment that can't be filtered by their clinical date. If neither of these parameters are specified, Phase 2 is skipped and Phase 3 returns all patient-compartment resources.

+1. Phase 4 will return any devices that reference the patient.

+Each phase will return results in a bundle. If the results span multiple pages, the next link in the bundle will point to the next page of results for that phase. After all results from a phase are returned, the next link in the bundle will point to the call to initiate the next phase.

+If the original patient has any `seealso` links, phases 1 through 4 will be repeated for each of those patients.

+Here are some examples of using the Patient-everything operation. In addition to the examples, we have a [sample REST file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PatientEverythingLinks.http) that illustrates how the `seealso` and `replaced-by` behavior works.

+To use Patient-everything to query between 2010 and 2020, use the following call:

+Now that you know how to use the Patient-everything operation, you can learn about the search options.

+When a resource conforms to a profile, the profile is specified inside the `profile` element of the resource. Below you can see an example of the beginning of a 'Patient' resource which has http://hl7.org/fhir/us/carin-bb/StructureDefinition/C4BB-Patient profile.

+Profiles are also specified by various Implementation Guides (IGs). Some common IGs are listed below. You can go to the specific IG site to learn more about the IG and the profiles defined within it.

+> [!NOTE]

+> The Azure API for FHIR does not store any profiles from implementation guides by default. You will need to load them into the Azure API for FHIR.

+For example, if you'd like to store the `us-core-allergyintolerance` profile, you'd use the following rest command with the US Core allergy intolerance profile in the body. We have included a snippet of this profile for the example.

+For more examples, see the [US Core sample REST file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PayerDataExchange/USCore.http) on the open-source site that walks through storing US Core profiles. To get the most up to date profiles you should get the profiles directly from HL7 and the implementation guide that defines them.

+In the previous tutorial, you deployed the Azure API for FHIR and registered your client application. You're now ready to test your Azure API for FHIR.

+First we'll get the capability statement for your Azure API for FHIR.

+1. Open Postman.

+1. Retrieve the capability statement by doing `GET https://\<FHIR-SERVER-NAME>.azurehealthcareapis.com/metadata`. In the image below the FHIR server name is **fhirserver**.

+Next we'll attempt to retrieve a patient. To retrieve a patient, enter `GET https://\<FHIR-SERVER-NAME>.azurehealthcareapis.com/Patient`. YouΓÇÖll receive a 401 Unauthorized error. This error is because you haven't proven that you should have access to patient data.

+1. Select **Authorization** and set the Type to **OAuth2.0** in Postman.

+1. Select **Get New Access Token**.

+Now you have access, you can create a new patient. Here's a sample of a simple patient you can add into your FHIR server. Enter this `json` into the **Body** section of Postman.

+If you do the GET command to retrieve a patient again, you'll see James Tiberious Kirk listed in the output.

+> [!NOTE]

+> When sending requests to the Azure API for FHIR, you need to ensure that you've set the content-type header to `application/json`

+Now that you can successfully connect to your client application, youΓÇÖre ready to write your web application.

+| \_typeFilter | Yes | To request finer-grained filtering, you can use \_typeFilter along with the \_type parameter. The value of the _typeFilter parameter is a comma-separated list of FHIR queries that further restrict the results |

+> [!Note]

+> You must specify an ID for a specific patient. If you need all data for all patients, see [$export](../data-transformation/export-data.md).

+* [Patient resource](https://www.hl7.org/fhir/patient.html).

+* Resources that are directly referenced by the patient resource, except [link](https://www.hl7.org/fhir/patient-definitions.html#Patient.link) references that aren't of [seealso](https://www.hl7.org/fhir/codesystem-link-type.html#content) or if the `seealso` link references a `RelatedPerson`.

+* Resources in the [Patient Compartment](https://www.hl7.org/fhir/compartmentdefinition-patient.html).

+* [Device resources](https://www.hl7.org/fhir/device.html) that reference the patient resource.

+> [!Note]

+> If the patient has more than 100 devices linked to them, only 100 will be returned.

+> This implementation of Patient-everything does not support the _count parameter.

+The FHIR specification has a detailed overview of the different types of [patient links](https://www.hl7.org/fhir/valueset-link-type.html#expansion), but we've include a high-level summary:

+### Patient-everything patient links details

+Right now, [replaces](https://www.hl7.org/fhir/codesystem-link-type.html#link-type-replaces) and [refer](https://www.hl7.org/fhir/codesystem-link-type.html#link-type-refer) links are ignored by the Patient-everything operation, and the linked patient isn't returned in the bundle.

+As described, [seealso](https://www.hl7.org/fhir/codesystem-link-type.html#link-type-seealso) links reference another patient that's considered equally valid to the original. After the Patient-everything operation is run, if the patient has `seealso` links to other patients, the operation runs Patient-everything on each `seealso` link. This means if a patient links to five other patients with a type `seealso` link, we'll run Patient-everything on each of those five patients.

+[](media/patient-everything/see-also-flow.png#lightbox)

+## Patient-everything response order

+The Patient-everything operation returns results in phases:

+1. Phase 1 returns the `Patient` resource itself in addition to any `generalPractitioner` and `managingOrganization` resources ir references.

+1. Phase 2 and 3 both return resources in the patient compartment. If the `start` or `end` query parameters are specified, Phase 2 returns resources from the compartment that can be filtered by their clinical date, and Phase 3 returns resources from the compartment that can't be filtered by their clinical date. If neither of these parameters are specified, Phase 2 is skipped and Phase 3 returns all patient-compartment resources.

+1. Phase 4 will return any devices that reference the patient.

+Each phase will return results in a bundle. If the results span multiple pages, the next link in the bundle will point to the next page of results for that phase. After all results from a phase are returned, the next link in the bundle will point to the call to initiate the next phase.

+If the original patient has any `seealso` links, phases 1 through 4 will be repeated for each of those patients.

+Here are some examples of using the Patient-everything operation. In addition to these examples, we have a [sample REST file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PatientEverythingLinks.http) that illustrates how the `seealso` and `replaced-by` behavior works.

+Now that you know how to use the Patient-everything operation, you can learn about the search options.

+When a resource conforms to a profile, the profile is specified inside the `profile` element of the resource. Below you can see an example of the beginning of a 'Patient' resource which has http://hl7.org/fhir/us/carin-bb/StructureDefinition/C4BB-Patient profile.

+Profiles are also specified by various Implementation Guides (IGs). Some common IGs are listed below. You can go to the specific IG site to learn more about the IG and the profiles defined within it.

+> [!NOTE]

+> The FHIR service does not store any profiles from implementation guides by default. You will need to load them into the FHIR service.

+For example, if you'd like to store the `us-core-allergyintolerance` profile, you'd use the following rest command with the US Core allergy intolerance profile in the body. We have included a snippet of this profile for the example.

+For more examples, see the [US Core sample REST file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PayerDataExchange/USCore.http) on the open-source site that walks through storing US Core profiles. To get the most up to date profiles you should get the profiles directly from HL7 and the implementation guide that defines them.

+We have many open-source projects on GitHub that provide you the source code and instructions to deploy services for various uses. YouΓÇÖre always welcome to visit our GitHub repositories to learn and experiment with our features and products.

+* [microsoft/fhir-server](https://github.com/microsoft/fhir-server/): open-source FHIR Server, which is the basis for FHIR service

+## Analytic Pipelines

+FHIR Analytics Pipelines help you build components and pipelines for rectangularizing and moving FHIR data from Azure FHIR servers namely [Azure Healthcare APIs FHIR Server](https://docs.microsoft.com/azure/healthcare-apis/), [Azure API for FHIR](https://docs.microsoft.com/azure/healthcare-apis/azure-api-for-fhir/), and [FHIR Server for Azure](https://github.com/microsoft/fhir-server) to [Azure Data Lake](https://azure.microsoft.com/solutions/data-lake/) and thereby make it available for analytics with [Azure Synapse Analytics](https://azure.microsoft.com/services/synapse-analytics/), [Power BI](https://powerbi.microsoft.com/), and [Azure Machine Learning](https://azure.microsoft.com/services/machine-learning/).

+The descriptions and capabilities of these two solutions are summarized below:

+### FHIR to Synapse Sync Agent

+The FHIR to Synapse Sync Agent is an Azure function that extracts data from a FHIR Server using FHIR Resource APIs, and converts it to hierarchical Parquet files, and writes it to Azure Data Lake in near real time. This agent also contains a [script](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToDataLake/scripts/Set-SynapseEnvironment.ps1) to create external tables and views in Synapse Serverless SQL pool pointing to the Parquet files.

+This solution enables you to query against the entire FHIR data with tools such as Synapse Studio, SSMS, and Power BI. You can also access the Parquet files directly from a Synapse Spark pool. You should consider using this solution if you want to access all your FHIR data in near real time and want to defer custom transformation to downstream systems.

+### FHIR to CDM Pipeline Generator

+The FHIR to CDM Pipeline Generator is a tool to generate an ADF pipeline for moving a snapshot of data from a FHIR server using $export API to a [CDM folder](https://docs.microsoft.com/common-data-model/data-lake) in Azure Data Lake Storage Gen 2 in `.csv` format. The tool requires a user-created configuration file containing instructions to project and flatten FHIR Resources and fields into tables. You can also follow the [instructions](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToCdm/docs/cdm-to-synapse.md) for creating a downstream pipeline in Synapse workspace to move data from CDM folder to Synapse dedicated SQL pool.

+This solution enables you to transform the data into tabular format as it gets written to CDM folder. You should consider this solution if you want to transform FHIR data into a custom schema as it is extracted from the FHIR server.

+* [microsoft/healthkit-on-fhir](https://github.com/microsoft/healthkit-on-fhir): a Swift library that automates the export of Apple HealthKit Data to a FHIR Server.

+## Next steps

+In this article, you learned about some of the Healthcare APIs open-source GitHub projects that provide source code and instructions to let you experiment and deploy services for various uses. For more information about Healthcare APIs, see

+ Title: Display IoT connector metrics logging - Azure Healthcare APIs

+# How to display IoT connector metrics

+In this article, you'll learn how to display IoT connector metrics in the Azure portal.

+## Display metrics

+ :::image type="content" source="media\iot-metrics\iot-workspace-displayed-with-connectors-button.png" alt-text="Screenshot of select the IoT connectors button." lightbox="media\iot-metrics\iot-connectors-button.png":::

+2. Select the IoT connector that you would like to display the metrics for.

+ :::image type="content" source="media\iot-metrics\iot-connector-select.png" alt-text="Screenshot of select IoT connector you would like to display metrics for." lightbox="media\iot-metrics\iot-connector-select.png":::

+3. Select **Metrics** button within the IoT connector page.

+ :::image type="content" source="media\iot-metrics\iot-select-metrics.png" alt-text="Screenshot of Select the Metrics button." lightbox="media\iot-metrics\iot-metrics-button.png":::

+4. From the metrics page, you can create the metrics that you want to display for your IoT connector. For this example, we'll be choosing the following selections:

+ * **Scope** = IoT connector name (**Default**)

+ * **Metric Namespace** = Standard Metrics (**Default**)

+ * **Metric** = IoT connector metrics you want to display. For this example, we'll choose **Number of Incoming Messages**.

+ * **Aggregation** = How you would like to display the metrics. For this example, we'll choose **Count**.

+ :::image type="content" source="media\iot-metrics\iot-select-metrics-to-display.png" alt-text="Screenshpt of select metrics to display." lightbox="media\iot-metrics\iot-metrics-selection-close-up.png":::

+5. We can now see the IoT connector metrics for **Number of Incoming Messages** displayed on the Azure portal.

+ > [!TIP]

+ > You can add additional metrics by selecting the **Add metric** button and making your choices.

+ :::image type="content" source="media\iot-metrics\iot-metrics-add-button.png" alt-text="Screenshot of select Add metric button to add more metrics." lightbox="media\iot-metrics\iot-add-metric-button.png":::

+ > [!IMPORTANT]

+ > If you leave the metrics page, the metrics settings are lost and will have to be recreated. If you would like to save your IoT connector metrics for future viewing, you can pin them to an Azure dashboard as a tile.

+## Pinning metrics tile on Azure portal dashboard

+1. To pin the metrics tile to an Azure portal dashboard, select the **Pin to dashboard** button.

+ :::image type="content" source="media\iot-metrics\iot-metrics-select-add-pin-to-dashboard.png" alt-text="Screenshot of select the Pin to dashboard button." lightbox="media\iot-metrics\iot-pin-to-dashboard-button.png":::

+2. Select the dashboard you would like to display IoT connector metrics on. For this example, we'll use a private dashboard named `IoT connector Metrics`. Select **Pin** to add the metrics tile to the dashboard.

+ :::image type="content" source="media\iot-metrics\iot-select-pin-to-dashboard.png" alt-text="Screenshot of select dashboard and Pin button to complete the dashboard pinning process." lightbox="media\iot-metrics\iot-select-pin-to-dashboard.png":::

+3. You'll receive a confirmation that the metrics tile was successfully added to the dashboard.

+ :::image type="content" source="media\iot-metrics\iot-select-dashboard-pinned-successful.png" alt-text="Screenshot of metrics tile successfully pinned to dashboard." lightbox="media\iot-metrics\iot-select-dashboard-pinned-successful.png":::

+ :::image type="content" source="media\iot-metrics\iot-select-dashboard-with-metrics-tile.png" alt-text="Screenshot of select the Dashboard button." lightbox="media\iot-metrics\iot-dashboard-button.png":::

+5. Select the dashboard that you pinned the metrics tile to. For this example, the dashboard is **IoT connector Metrics**. The dashboard will display the IoT connector metrics tile that you created in the previous steps.

+ :::image type="content" source="media\iot-metrics\iot-dashboard-with-metrics-tile-displayed.png" alt-text="Screenshot of dashboard with pinned IoT connector metrics tile." lightbox="media\iot-metrics\iot-dashboard-with-metrics-tile-displayed.png":::

+ > [!TIP]

+ > See the [IoT connector troubleshooting guide](./iot-troubleshoot-guide.md) for assistance fixing common errors, conditions and issues.

+To learn how to export Iot connector metrics, see

+>[Configure diagnostic setting for IoT connector metrics exporting](./iot-metrics-diagnostics-export.md)

+<!-- Click the image below to watch a [video demonstration](https://azure.microsoft.com/resources/videos/set-up-hpc-cache/) of creating a cache and adding a storage target from the Azure portal.

+[](https://azure.microsoft.com/resources/videos/set-up-hpc-cache/) -->

+<!--

+[](https://azure.microsoft.com/resources/videos/set-up-hpc-cache/) -->

+<!-- The [Managing Azure HPC Cache video](https://azure.microsoft.com/resources/videos/managing-hpc-cache/) shows how to edit a storage target in the Azure portal. -->

+<!-- Click the image below to watch a [video](https://azure.microsoft.com/resources/videos/managing-hpc-cache/) that demonstrates cache management tasks.

+[](https://azure.microsoft.com/resources/videos/managing-hpc-cache/) -->

+<!-- ## Overview video

+Click the image above to watch a [short overview of Azure HPC Cache](https://azure.microsoft.com/resources/videos/hpc-cache-overview/). -->

+<!-- ## Video overviews

+Read the rest of this article for specific recommendations. -->

+| Number of alerts for an email action | One alert every minute per rule | This quota is fixed and can't be changed. |

+| Number of alerts for a webhook action | One alert every 10 seconds per action | This quota is fixed and can't be changed. |

+| Number of alerts for a Power Automate action | One alert every 10 seconds per action | This quota is fixed and can't be changed. |

+| Number of alerts for an Azure Logic App action | One alert every 10 seconds per action | This quota is fixed and can't be changed. |

+| Number of alerts for an Azure Monitor Group action | One alert every 10 seconds per action | This quota is fixed and can't be changed. |

+ * Be mindful of twin size limits when using custom modules

+### Be mindful of twin size limits when using custom modules

+The deployment manifest that contains custom modules is part of the EdgeAgent twin. Review the [limitation on module twin size](../iot-hub/iot-hub-devguide-module-twins.md#module-twin-size).

+If you deploy a large number of modules, you might exhaust this twin size limit. Consider some common mitigations to this hard limit:

+- Store any configuration in the custom module twin, which has its own limit.

+- Store some configuration that points to a non-space-limited location (that is, to a blob store).

+> [!WARNING]

+> If you use this method and specify the wrong DNS address, *edgeAgent* loses connection with IoT Hub and can't receive new deployments to fix the issue. To resolve this issue, you can reinstall the IoT Edge runtime. Before you install a new instance of IoT Edge, be sure to remove any *edgeAgent* containers from the previous installation.

+ Title: Scheduling recurring tasks and workflows

+description: An overview about scheduling recurring automated tasks, processes, and workflows with Azure Logic Apps.

+> [!NOTE]

+> The Azure Logic Apps job scheduler template creates a CreateTimerJob logic app that calls a TimerJob logic app. You can then call the CreateTimerJob logic app as an API by making an HTTP request and passing a schedule as input for the request. Each call to the CreateTimerJob logic app also calls the TimerJob logic app, which creates a new TimerJob instance that continuously runs based on the specified schedule or until meeting a specified limit. That way, you can run as many TimerJob instances as you want without worrying about workflow limits because instances aren't individual logic app workflow definitions or resources.

+You can start your logic app workflow by using the Recurrence trigger or Sliding Window trigger, which isn't associated with any specific service or system. These triggers start and run your workflow based on your specified recurrence where you select the interval and frequency, such as the number of seconds, minutes, hours, days, weeks, or months. You can also set the start date and time along with the time zone. Each time that a trigger fires, Azure Logic Apps creates and runs a new workflow instance for your logic app.

+ > [!IMPORTANT]

+ > If you use the **Day** or **Week** frequency and specify a future date and time, make sure that you set up the recurrence in advance:

+ >

+ > * **Day**: Set up the daily recurrence at least 24 hours in advance.

+ >

+ > * **Week**: Set up the weekly recurrence at least 7 days in advance.

+ >

+ > Otherwise, the workflow might skip the first recurrence.

+ >

+Here are some patterns that show how you can control recurrence with the start date and time, and how Azure Logic Apps runs these recurrences:

+| Start time in the past | **Recurrence** trigger: Calculates run times based on the specified start time and discards past run times. <p><p>Runs the first workload at the next future run time. <p><p>Runs future workloads based on the last run time. <p><p>**Sliding Window** trigger: Calculates run times based on the specified start time and honors past run times. <p><p>Runs future workloads based on the specified start time. <p><p>For more explanation, see the example following this table. | Runs the first workload *no sooner* than the start time, based on the schedule calculated from the start time. <p><p>Runs future workloads based on the specified schedule. <p><p>**Note:** If you specify a recurrence with a schedule, but don't specify hours or minutes for the schedule, Azure Logic Apps calculates future run times by using the hours or minutes, respectively, from the first run time. |

+| Start time now or in the future | Runs the first workload at the specified start time. <p><p>**Recurrence** trigger: Runs future workloads based on the last run time. <p><p>**Sliding Window** trigger: Runs future workloads based on the specified start time. | Runs the first workload *no sooner* than the start time, based on the schedule calculated from the start time. <p><p>Runs future workloads based on the specified schedule. If you use the **Day** or **Week** frequency and specify a future date and time, make sure that you set up the recurrence in advance: <p>- **Day**: Set up the daily recurrence at least 24 hours in advance. <p>- **Week**: Set up the weekly recurrence at least 7 days in advance. <p>Otherwise, the workflow might skip the first recurrence. <p>**Note:** If you specify a recurrence with a schedule, but don't specify hours or minutes for the schedule, Azure Logic Apps calculates future run times by using the hours or minutes, respectively, from the first run time. |

+For the Recurrence trigger, the Azure Logic Apps engine calculates run times based on the start time, discards past run times, uses the next future start time for the first run, and calculates future runs based on the last run time.

+Recurring built-in triggers honor the schedule that you set, including any time zone that you specify. If you don't select a time zone, daylight saving time (DST) might affect when triggers run, for example, shifting the start time one hour forward when DST starts and one hour backward when DST ends. When scheduling jobs, Azure Logic Apps puts the message for processing into the queue and specifies when that message becomes available, based on the UTC time when the last job ran and the UTC time when the next job is scheduled to run.

+If you want to run your logic app only at one time in the future, you can use the **Scheduler: Run once jobs** template. After you create a new logic app but before opening the workflow designer, under the **Templates** section, from the **Category** list, select **Schedule**, and then select this template:

+| Recurrence, <br>Sliding Window | Run every hour, on the hour (with start date and time) | 1 | Hour | *startDate*Thh:00:00Z | {unavailable} | {none} | {none} | This schedule doesn't start *any sooner* than the specified start date and time. Future recurrences run every hour at the "00" minute mark, which Azure Logic Apps calculates from the start time. <p>If the frequency is "Week" or "Month", this schedule respectively runs only one day per week or one day per month. |

+> [!IMPORTANT]

+> Scaling out an ISE can take 20-30 minutes on average.

+After you submit the pipeline and the run finishes successfully, you can [deploy the real-time endpoint](../tutorial-designer-automobile-price-deploy.md#deploy-the-real-time-endpoint).

+See the [set of components available](component-reference.md) to Azure Machine Learning.

+Use ```k8s-extension update``` CLI command to update the mutable properties of Azure Machine Learning extension. For more information, see the [`k8s-extension update` CLI command documentation](/cli/azure/k8s-extension?view=azure-cli-latest#az_k8s_extension_update&preserve-view=true).

+Use [`k8s-extension delete`](/cli/azure/k8s-extension?view=azure-cli-latest#az_k8s_extension_delete&preserve-view=true) CLI command to delete the Azure Machine Learning extension.

+ - "Microsoft.Network/virtualNetworks/subnets/join/action" on the subnet resource.

+ target = "https://pkgs.dev.azure.com/<MY-ORG>",

+ cd.set_pip_option("--extra-index-url https://pkgs.dev.azure.com/<MY-ORG>/_packaging/<MY-FEED>/pypi/simple")")

+ > [!IMPORTANT]

+ > When you create the storage account for your media services account, change the storage authentication type to *System authentication*. Otherwise, you will get authentication errors for this example.

+Get the values from your account to create a *.env* file. Save it without a name and just the extension. Use *sample.env* as a template for your *.env* file. Save the *.env* file to the *BasicEncoding* folder in your local clone.

+ . .venv/Scripts/activate

+1. Install the `python-dotenv` library. This will enable you to load the environment variables quickly and easily.

+ ```bash

+ pip install python-dotenv

+ ```

+1. Install the `azure-identity` library for Python. This module is needed for Azure Active Directory authentication. See the details at [Azure Identity client library for Python](/python/api/overview/azure/identity-readme#environment-variables).

+1. Install the Python SDK for [Azure Media Services](/python/api/overview/azure/media-services).

+1. Install the [Azure Storage SDK for Python](https://pypi.org/project/azure-storage-blob/).

+You can optionally install ALL of the requirements for a given sample by using the *requirements.txt* file in the samples folder.

+In this sample, a random number gets generated for naming things so you can identify them as a group that gets created together when you ran the script. The random number is optional, and can be removed when you're done testing the script.

+Once you successfully complete the quickstart, delete the resources created in the resource group.

+- [Azure Storage Blob Python SDK reference](/python/api/azure-storage-blob/)

+| Version | [Single Server](overview.md) <br/> Current minor version |[Flexible Server](./flexible-server/overview.md) <br/> Current minor version |

+

+ > [!NOTE]

+ > TLE stands for Two-Line Element.

+Backup redundancy ensures that your database meets its availability and durability targets even in the case of failures and Azure Database for PostgreSQL extends three options to users -

+description: Learn about the available PostgreSQL extensions in Azure Database for PostgreSQL - Flexible Server

+This feature brings the primary server down and initiates the failover workflow in which the standby promote operation is performed. Once the standby completes the recovery process till the last committed data, it is promoted to be the primary server. DNS records are updated and your application can connect to the promoted primary server. Your application can continue to write to the primary while a new standby server is established in the background and that does not impact the uptime.

+> You can't directly create your own deny assignments. For more information, see [Azure deny assignments](deny-assignments.md).

+> You can't directly create your own deny assignments. For more information, see [Azure deny assignments](deny-assignments.md).

+> You can't directly create your own deny assignments. For more information, see [Azure deny assignments](deny-assignments.md).

+Deny assignments are created and managed by Azure to protect resources. Azure Blueprints and Azure managed apps use deny assignments to protect system-managed resources. Azure Blueprints and Azure managed apps are the only way that deny assignments can be created. You can't directly create your own deny assignments. Azure Blueprints uses deny assignments to lock resources, but just for resources deployed as part of a blueprint. For more information, see [Understand resource locking in Azure Blueprints](../governance/blueprints/concepts/resource-locking.md).

+A debug session is a cached indexer and skillset execution, scoped to a single document, that you can use to edit and test your changes interactively. If you're unfamiliar with how a debug session works, see [Debug sessions in Azure Cognitive Search](cognitive-search-debug-session.md). To practice a debug workflow with a sample document, see [Tutorial: Debug sessions](cognitive-search-tutorial-debug-sessions.md).

+ A debug session works with all generally available [indexer data sources](search-data-sources-gallery.md) and most preview data sources. The MongoDB API (preview) of Cosmos DB is currently not supported.

+1. Provide a name for the session, for example *cog-search-debug-sessions*.

+1. Specify a general-purpose storage account that will be used to cache the skill executions. You'll be prompted to select and optionally create a blob container in Blob Storage or Azure Data Lake Storage Gen2. You can reuse the same container for all subsequent debug sessions you create.

+1. Choose a document. The session will default to the first document in the data source, but you can also choose which document to step through by providing its URL.

+1. Optionally, specify any indexer execution settings that should be used to create the session. The settings should mimic the settings used by the actual indexer. Any indexer options that you specify in a debug session have no effect on the indexer itself.

+1. Return to **Errors/Warnings** to see if the count is reduced. The list won't be refreshed until you open the tab.

+AI enrichment pipelines extract or infer information and structure from source documents, creating an enriched document in the process. An enriched document is first created during document cracking and populated with a root node (`/document`), plus nodes for any content that is lifted directly from the data source, such as metadata and the document key. Additional nodes are created by skills during skill execution, where each skill output adds a new node to the enrichment tree.

+1. In the details pane to the right, select **Executions**, select an OUTPUT, and then open the Expression Evaluator (**`</>`**) to view the expression and its result.

+ If you're importing raw content straight from the data source, bypassing enrichment, you should find those fields in **Field Mappings**.

+1. Select **Output Field Mappings** at the bottom of the graph. Here you'll find mappings from skill outputs to target fields in the search index. Unless you used the Import Data wizard, output field mappings are defined manually and could be incomplete or mistyped.

+Connect to Azure Storage through Azure Data Lake Storage Gen2 to extract content from a hierarchy of directories and nested subdirectories.

+### SharePoint

+by [Cognitive Search](search-what-is-azure-search.md)

+Connect to a SharePoint site and index documents from one or more document libraries, for accounts and search services in the same tenant. Text and normalized images will be extracted by default. Optionally, you can configure a skillset for more content transformation and enrichment, or configure change tracking to refresh a search index with new or changed content in SharePoint.

+[More details](search-howto-index-sharepoint-online.md)

+### Azure MySQL

+Connect to MySQL database on Azure to extract rows in a table, serialized into JSON documents, and imported into a search index as search documents. On subsequent runs, assuming High Water Mark change detection policy is configured, the indexer will take all changes, uploads, and delete and reflect those changes in your search index.

+[More details](search-howto-index-mysql.md)

+### Azure Files

+Connect to Azure Storage through Azure Files share to extract content serialized into JSON documents, and imported into a search index as search documents.

+[More details](search-file-storage-integration.md)

+Secure enterprise search connector for reliably indexing content from Microsoft Azure Active Directory (Azure AD) and intelligently searching it with Azure Cognitive Search. It indexes objects from Azure AD via the Microsoft Graph API. The connector can be used for ingesting principals into Cognitive Search in near real time to implement use cases like expert search, equipment search, and location search or to provide early-binding security trimming in conjunction with custom data sources. The connector supports federated authentication against Microsoft 365.

+Secure enterprise search connector for reliably indexing content from OpenText Documentum eRoom and intelligently searching it with Azure Cognitive Search. It robustly indexes repositories, folders and files together with their meta data and properties from Documentum eRoom in near real time. The connector fully supports OpenText Documentum eRoomΓÇÖs built-in user and group management.

+If you have partitioned data, you can create indexer-data-source combinations that pull from each data source and write to the same search index. Because each indexer is distinct, you can run them at the same time, populating a search index more quickly than if you ran them sequentially.

+There are some risks associated with parallel indexing. First, recall that indexing does not run in the background, increasing the likelihood that queries will be throttled or dropped. Second, Azure Cognitive Search does not lock the index for updates. Concurrent writes are managed, invoking a retry if a particular write does not succeed on first attempt, but you might notice an increase in indexing failures.

+The number of indexing jobs that can run simultaneously varies for text-based and skills-based indexing. For more information, see [Indexer execution](search-howto-run-reset-indexers.md#indexer-execution).

+1. For text-based indexing, [sign in to Azure portal](https://portal.azure.com) and check the number of search units used by your search service. Select **Settings** > **Scale** to view the number at the top of the page. The number of indexers that will run in parallel is approximately equal to the number of search units.

+1. Schedule the indexers. Review indexer status and execution history for confirmation.

+| Skills-based indexing | 2 hours | Indeterminate | Typically runs on an internally-managed, multi-tenant content processing cluster, depending on how complex the skillset is. A simple skill might execute on your search service if the service has capacity. Otherwise, skills-based indexer jobs execute off-service. Because the content processing cluster is multi-tenant, nodes are added to meet demand. If you experience a delay in on-demand or scheduled execution, it's probably because the system is either adding nodes or waiting for one to become available.|

+Indexers can be configured to run on a schedule when you set the "schedule" property in the indexer definition. By default, an indexer runs once, immediately after it is created. Afterwards, you can run it again on demand or on a schedule. Some situations where indexer scheduling is useful include:

+ Indexer jobs are subject to a maximum running time of 24 hours for regular data sources and 2 hours for indexers with skillsets. If indexing cannot complete within the maximum interval, you can configure a schedule that runs every 2 hours. Indexers can automatically pick up where they left off, based on an internal high water mark that marks where indexing last ended. Running an indexer on a recurring 2-hour schedule allows it to process a very large data set (many millions of documents) beyond the 24-interval allowed for a single job. For more information about indexing large data volumes, see [How to index large data sets in Azure Cognitive Search](search-howto-large-index.md).

+## Prerequisites

+## Schedule definition

+| "interval" | (required) The amount of time between the start of two consecutive indexer executions. The smallest interval allowed is 5 minutes, and the longest is 1440 minutes (24 hours). It must be formatted as an XSD "dayTimeDuration" value (a restricted subset of an [ISO 8601 duration](https://www.w3.org/TR/xmlschema11-2/#dayTimeDuration) value). </br></br>The pattern for this is: `P(nD)(T(nH)(nM))`. </br></br>Examples: `PT15M` for every 15 minutes, `PT2H` for every 2 hours.|

+| "startTime" | (optional) Start time is specified in coordinated universal time (UTC). If omitted, the current time is used. This time can be in the past, in which case the first execution is scheduled as if the indexer has been running continuously since the original start time.|

+## Scheduling behavior

+For text-based indexing, the scheduler can kick off as many indexer jobs as the search service supports, which is determined by the number of search units. For example, if the service has three replicas and four partitions, you can generally have twelve indexer jobs in active execution, whether initiated on demand or on a schedule.

+Skills-based indexers run in a different [execution environment](search-howto-run-reset-indexers.md#indexer-execution). For this reason, the number of service units has no bearing on the number of skills-based indexer jobs you can run. Multiple skills-based indexers can run in parallel, but doing so depends on node availability within the execution environment.

+Although multiple indexers can run simultaneously, a given indexer is single instance. You cannot run two copies of the same indexer concurrently. If an indexer happens to still be running when its next scheduled execution is set to start, the pending execution is postponed until the next scheduled occurrence, allowing the current job to finish.

+LetΓÇÖs consider an example to make this more concrete. Suppose we configure an indexer schedule with an interval of hourly and a start time of June 1, 2021 at 8:00:00 AM UTC. Here's what could happen when an indexer run takes longer than an hour:

+> [!NOTE]

+> If an indexer is set to a certain schedule but repeatedly fails on the same document each time, the indexer will begin running on a less frequent interval (up to the maximum interval of at least once every 24 hours) until it successfully makes progress again. If you believe you have fixed whatever the underlying issue, you can [run the indexer manually](search-howto-run-reset-indexers.md), and if indexing succeeds, the indexer will return to its regular schedule.

+- `ssh-keyscan` is not supported.

+- SSH commands, that are not SFTP, are not supported.

+description: Soft delete for blobs protects your data so that you can more easily recover your data when it's erroneously modified or deleted by an application or by another storage account user.

+- Blob versioning, to automatically maintain previous versions of a blob. When blob versioning is enabled, you can restore an earlier version of a blob to recover your data if it's erroneously modified or deleted. To learn how to enable blob versioning, see [Enable and manage blob versioning](versioning-enable.md).

+When you enable blob soft delete for a storage account, you specify a retention period for deleted objects of between 1 and 365 days. The retention period indicates how long the data remains available after it's deleted or overwritten. The clock starts on the retention period as soon as an object is deleted or overwritten.

+Attempting to delete a soft-deleted object doesn't affect its expiry time.

+If a blob has snapshots, the blob can't be deleted unless the snapshots are also deleted. When you delete a blob and its snapshots, both the blob and snapshots are marked as soft-deleted. No new snapshots are created.

+Soft-deleted objects are invisible unless they're explicitly displayed or listed. For more information about how to list soft-deleted objects, see [Manage and restore soft-deleted blobs](soft-delete-blob-manage.md).

+Blob soft delete doesn't protect against operations to write blob metadata or properties. No soft-deleted snapshot is created when a blob's metadata or properties are updated.

+Blob soft delete doesn't afford overwrite protection for blobs in the archive tier. If a blob in the archive tier is overwritten with a new blob in any tier, then the overwritten blob is permanently deleted.

+For premium storage accounts, soft-deleted snapshots don't count toward the per-blob limit of 100 snapshots.

+In accounts that have a hierarchical namespace, the **Undelete Blob** operation can also be used to restore a soft-deleted directory and all its contents. If you rename a directory that contains soft deleted blobs, those soft deleted blobs become disconnected from the directory. If you want to restore those blobs, you'll have to revert the name of the directory back to its original name or create a separate directory that uses the original directory name. Otherwise, you'll receive an error when you attempt to restore those soft deleted blobs.

+Calling **Undelete Blob** on a blob that isn't soft-deleted will restore any soft-deleted snapshots that are associated with the blob. If the blob has no snapshots and isn't soft-deleted, then calling **Undelete Blob** has no effect.

+Data in a soft-deleted blob or snapshot can't be read until the object has been restored.

+If blob versioning and blob soft delete are both enabled for a storage account, then overwriting a blob automatically creates a new version. The new version isn't soft-deleted and isn't removed when the soft-delete retention period expires. No soft-deleted snapshots are created. When you delete a blob, the current version of the blob becomes a previous version, and there's no longer a current version. No new version is created and no soft-deleted snapshots are created.

+Enabling soft delete and versioning together protects blob versions from deletion. When soft delete is enabled, deleting a version creates a soft-deleted version. You can use the **Undelete Blob** operation to restore soft-deleted versions during the soft delete retention period. The **Undelete Blob** operation always restores all soft-deleted versions of the blob. It isn't possible to restore only a single soft-deleted version.

+| [Delete Storage Account](/rest/api/storagerp/storageaccounts/delete) | No change. Containers and blobs in the deleted account aren't recoverable. | No change. Containers and blobs in the deleted account aren't recoverable. |

+| [Delete Container](/rest/api/storageservices/delete-container) | No change. Blobs in the deleted container aren't recoverable. | No change. Blobs in the deleted container aren't recoverable. |

+| [Put Blob](/rest/api/storageservices/put-blob)<br />[Put Block List](/rest/api/storageservices/put-block-list)<br />[Copy Blob](/rest/api/storageservices/copy-blob)<br />[Copy Blob from URL](/rest/api/storageservices/copy-blob) | If called on an active blob, then a snapshot of the blob's state prior to the operation is automatically generated. <br /><br /> If called on a soft-deleted blob, then a snapshot of the blob's prior state is generated only if it's being replaced by a blob of the same type. If the blob is of a different type, then all existing soft deleted data is permanently deleted. | A new version that captures the blob's state prior to the operation is automatically generated. |

+| [Put Block](/rest/api/storageservices/put-block) | If used to commit a block to an active blob, there's no change.<br /><br />If used to commit a block to a blob that is soft-deleted, a new blob is created and a snapshot is automatically generated to capture the state of the soft-deleted blob. | No change. |

+| [Put Page](/rest/api/storageservices/put-page)<br />[Put Page from URL](/rest/api/storageservices/put-page-from-url) | No change. Page blob data that is overwritten or cleared using this operation isn't saved and isn't recoverable. | No change. Page blob data that is overwritten or cleared using this operation isn't saved and isn't recoverable. |

+| [Set Blob Properties](/rest/api/storageservices/set-blob-properties) | No change. Overwritten blob properties aren't recoverable. | No change. Overwritten blob properties aren't recoverable. |

+| [Set Blob Metadata](/rest/api/storageservices/set-blob-metadata) | No change. Overwritten blob metadata isn't recoverable. | A new version that captures the blob's state prior to the operation is automatically generated. |

+|[Delete Blob](/rest/api/storageservices/delete-blob)|A soft deleted object is created. The soft deleted object is deleted after the retention period. Soft delete won't be supported for blobs with snapshots and snapshots.|

+| Standard general-purpose v2 |  | ³ |  |  |

+| Premium block blobs |  | ³ |  |  |

+All soft deleted data is billed at the same rate as active data. You won't be charged for data that is permanently deleted after the retention period elapses.

+You aren't billed for transactions related to the automatic generation of snapshots or versions when a blob is overwritten or deleted. You're billed for calls to the **Undelete Blob** operation at the transaction rate for write operations.

+Data that is overwritten by a call to [Put Page](/rest/api/storageservices/put-page) isn't recoverable. An Azure virtual machine writes to an unmanaged disk using calls to [Put Page](/rest/api/storageservices/put-page), so using soft delete to undo writes to an unmanaged disk from an Azure VM isn't a supported scenario.

+description: Soft delete for containers protects your data so that you can more easily recover your data when it's erroneously modified or deleted by an application or by another storage account user.

+- Blob versioning, to automatically maintain previous versions of a blob. When blob versioning is enabled, you can restore an earlier version of a blob to recover your data if it's erroneously modified or deleted. To learn how to enable blob versioning, see [Enable and manage blob versioning](versioning-enable.md).

+When you enable container soft delete, you can specify a retention period for deleted containers that is between 1 and 365 days. The default retention period is seven days. During the retention period, you can recover a deleted container by calling the **Restore Container** operation.

+When you restore a container, the container's blobs and any blob versions and snapshots are also restored. However, you can only use container soft delete to restore blobs if the container itself was deleted. To a restore a deleted blob when its parent container hasn't been deleted, you must use blob soft delete or blob versioning.

+After the retention period has expired, the container is permanently deleted from Azure Storage and can't be recovered. The clock starts on the retention period at the point that the container is deleted. You can change the retention period at any time, but keep in mind that an updated retention period applies only to newly deleted containers. Previously deleted containers will be permanently deleted based on the retention period that was in effect at the time that the container was deleted.

+Disabling container soft delete doesn't result in permanent deletion of containers that were previously soft-deleted. Any soft-deleted containers will be permanently deleted at the expiration of the retention period that was in effect at the time that the container was deleted.

+| Standard general-purpose v2 |  | |  |  |

+| Premium block blobs |  | |  |  |

+There's no additional charge to enable container soft delete. Data in soft deleted containers is billed at the same rate as active data.

+| [Soft delete for blobs](./soft-delete-blob-overview.md) |  |  ³ |  |  |

+| [Soft delete for containers](soft-delete-container-overview.md) |  |  |  |  |

+```azurepowershell

+To learn how to enable purge protection on an existing key vault with PowerShell, see [Azure Key Vault recovery overview](../../key-vault/general/key-vault-recovery.md?tabs=azure-powershell).

+```azurecli

+To learn how to enable purge protection on an existing key vault with Azure CLI, see [Azure Key Vault recovery overview](../../key-vault/general/key-vault-recovery.md?tabs=azure-cli).

+Azure Storage encryption supports RSA and RSA-HSM keys of sizes 2048, 3072 and 4096. For more information about supported key types, see [About keys](../../key-vault/keys/about-keys.md).

+```azurepowershell

+```azurecli

+## Choose a managed identity to authorize access to the key vault

+When you enable customer-managed keys for a storage account, you must specify a managed identity that will be used to authorize access to the key vault that contains the key. The managed identity must have permissions to access the key in the key vault.

+The managed identity that authorizes access to the key vault may be either a user-assigned or system-assigned managed identity, depending on your scenario:

+- When you configure customer-managed keys at the time that you create a storage account, you must specify a user-assigned managed identity.

+- When you configure customer-managed keys on an existing storage account, you can specify either a user-assigned managed identity or a system-assigned managed identity.

+To learn more about system-assigned versus user-assigned managed identities, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types).

+### Use a user-assigned managed identity to authorize access

+A user-assigned is a standalone Azure resource. To learn how to create and manage a user-assigned managed identity, see [Manage user-assigned managed identities](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).

+Both new and existing storage accounts can use a user-assigned identity to authorize access to the key vault. You must create the user-assigned identity before you configure customer-managed keys.

+#### [Azure portal](#tab/portal)

+When you configure customer-managed keys with the Azure portal, you can select an existing user-assigned identity through the portal user interface. For details, see one of the following sections:

+- [Configure customer-managed keys for a new account](#configure-customer-managed-keys-for-a-new-account)

+- [Configure customer-managed keys for an existing account](#configure-customer-managed-keys-for-an-existing-account)

+#### [PowerShell](#tab/powershell)

+To authorize access to the key vault with a user-assigned managed identity, you will need the resource ID and principal ID of the user-assigned managed identity. Call [Get-AzUserAssignedIdentity](/powershell/module/az.managedserviceidentity/get-azuserassignedidentity) to get the user-assigned managed identity, then save the resource ID and principal ID to variables. You will need these values in subsequent steps:

+```azurepowershell

+$userIdentityId = (Get-AzUserAssignedIdentity -Name <user-assigned-identity> -ResourceGroupName <resource-group>).Id

+$principalId = $userIdentity.PrincipalId

+```

+#### [Azure CLI](#tab/azure-cli)

+To authorize access to the key vault with a user-assigned managed identity, you will need the resource ID and principal ID of the user-assigned managed identity. Call [az identity show](/cli/azure/identity#az-identity-show) command to get the user-assigned managed identity, then save the resource ID and principal ID to variables. You will need these values in subsequent steps:

+```azurecli

+userIdentityId=$(az identity show --name sample-user-assigned-identity --resource-group storagesamples-rg --query id)

+principalId=$(az identity show --name sample-user-assigned-identity --resource-group storagesamples-rg --query principalId)

+```

+### Use a system-assigned managed identity to authorize access

+A system-assigned managed identity is associated with an instance of an Azure service, in this case an Azure Storage account. You must explicitly assign a system-assigned managed identity to a storage account before you can use the system-assigned managed identity to authorize access to the key vault that contains your customer-managed key.

+Only existing storage accounts can use a system-assigned identity to authorize access to the key vault. New storage accounts must use a user-assigned identity, if customer-managed keys are configured on account creation.

+#### [Azure portal](#tab/portal)

+When you configure customer-managed keys with the Azure portal with a system-assigned managed identity, the system-assigned managed identity is assigned to the storage account for you under the covers. For details, see [Configure customer-managed keys for an existing account](#configure-customer-managed-keys-for-an-existing-account).

+#### [PowerShell](#tab/powershell)

+To assign a system-assigned managed identity to your storage account, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount):

+```azurepowershell

+Next, get the principal ID for the system-assigned managed identity, and save it to a variable. You will need this value in the next step to create the key vault access policy:

+```azurepowershell

+$principalId = $storageAccount.Identity.PrincipalId

+#### [Azure CLI](#tab/azure-cli)

+To authenticate access to the key vault with a system-assigned managed identity, assign the system-assigned managed identity to the storage account by calling [az storage account update](/cli/azure/storage/account#az_storage_account_update):

+```azurecli

+az storage account update \

+ --name <storage-account> \

+ --resource-group <resource_group> \

+ --assign-identity

+```

+Next, get the principal ID for the system-assigned managed identity, and save it to a variable. You will need this value in the next step to create the key vault access policy:

+```azurecli

+principalId = $(az storage account show --name <storage-account> --resource-group <resource_group> --query identity.principalId)

+```

+## Configure the key vault access policy

+The next step is to configure the key vault access policy. The key vault access policy grants permissions to the managed identity that will be used to authorize access to the key vault. For more information about assigning the key vault access policy, see [Assign an Azure Key Vault access policy](../../key-vault/general/assign-access-policy.md).

+### [Azure portal](#tab/portal)

+When you configure customer-managed keys with the Azure portal, the key vault access policy is configured for you under the covers.

+### [PowerShell](#tab/powershell)

+To configure the key vault access policy with PowerShell, call [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy), providing the variable for the principal ID that you previously retrieved for the managed identity.

+```azurepowershell

+ -ObjectId $principalId `

+### [Azure CLI](#tab/azure-cli)

+To configure the key vault access policy with PowerShell, call [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy), providing the variable for the principal ID that you previously retrieved for the managed identity.

+```azurecli

+az keyvault set-policy \

+ --name <key-vault> \

+ --resource-group <resource_group>

+ --object-id $principalId \

+ --key-permissions get unwrapKey wrapKey

+## Configure customer-managed keys for a new account

+When you configure encryption with customer-managed keys for a new storage account, you can choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault. Alternately, you can explicitly specify a key version to be used for encryption until the key version is manually updated.

+You must use an existing user-assigned managed identity to authorize access to the key vault when you configure customer-managed keys while creating the storage account. The user-assigned managed identity must have appropriate permissions to access the key vault.

+### [Azure portal](#tab/portal)

+To configure customer-managed keys for a new storage account with automatic updating of the key version, follow these steps:

+1. In the Azure portal, navigate to the **Storage accounts** page, and select the **Create** button to create a new account.

+1. Follow the steps outlined in [Create a storage account](storage-account-create.md) to fill out the fields on the **Basics**, **Advanced**, **Networking**, and **Data Protection** tabs.

+1. On the **Encryption** tab, indicate for which services you want to enable support for customer-managed keys in the **Enable support for customer-managed keys** field.

+1. In the **Encryption type** field, select **Customer-managed keys (CMK)**.

+1. In the **Encryption key** field, choose **Select a key vault and key**, and specify the key vault and key.

+1. For the **User-assigned identity** field, select an existing user-assigned managed identity.

+ :::image type="content" source="media/customer-managed-keys-configure-key-vault/portal-new-account-configure-cmk.png" alt-text="Screenshot showing how to configure customer-managed keys for a new storage account in Azure portal":::

+1. Select **Review + create** to validate and create the new account.

+You can also configure customer-managed keys with manual updating of the key version when you create a new storage account. Follow the steps described in [Configure encryption for manual updating of key versions](#configure-encryption-for-manual-updating-of-key-versions).

+### [PowerShell](#tab/powershell)

+To configure customer-managed keys for a new storage account with automatic updating of the key version, call [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount), as shown in the following example. Use the variable you created previously for the resource ID for the user-assigned managed identity. You will also need the key vault URI and key name:

+```azurepowershell

+New-AzStorageAccount -ResourceGroupName <resource-group> `

+ -Name <storage-account> `

+ -Kind StorageV2 `

+ -SkuName Standard_LRS `

+ -Location $location `

+ -IdentityType SystemAssignedUserAssigned `

+ -UserIdentityId $userIdentityId `

+ -KeyVaultUri $keyVault.VaultUri `

+ -KeyName $key.Name `

+ -KeyVaultUserAssignedIdentityId $userIdentityId

+### [Azure CLI](#tab/azure-cli)

+To configure customer-managed keys for a new storage account with automatic updating of the key version, call [az storage account create](/cli/azure/storage/account#az-storage-account-create), as shown in the following example. Use the variable you created previously for the resource ID for the user-assigned managed identity. You will also need the key vault URI and key name:

+```azurecli

+az storage account create \

+ --name <storage-account> \

+ --resource-group <resource-group> \

+ --location <location> \

+ --sku Standard_LRS \

+ --kind StorageV2 \

+ --identity-type SystemAssigned,UserAssigned \

+ --user-identity-id <user-assigned-managed-identity> \

+ --encryption-key-vault <key-vault-uri> \

+ --encryption-key-name <key-name> \

+ --encryption-key-source Microsoft.Keyvault \

+ --key-vault-user-identity-id <user-assigned-managed-identity>

+## Configure customer-managed keys for an existing account

+When you configure encryption with customer-managed keys for an existing storage account, you can choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault. Alternately, you can explicitly specify a key version to be used for encryption until the key version is manually updated.

+You can use either a system-assigned or user-assigned managed identity to authorize access to the key vault when you configure customer-managed keys for an existing storage account.

+> [!NOTE]

+> To rotate a key, create a new version of the key in Azure Key Vault. Azure Storage does not handle the rotation of the key in Azure Key Vault, so you will need to rotate your key manually or create a function to rotate it on a schedule.

+### Configure encryption for automatic updating of key versions

+Azure Storage can automatically update the customer-managed key that is used for encryption to use the latest key version. When the customer-managed key is rotated in Azure Key Vault, Azure Storage will automatically begin using the latest version of the key for encryption.

+### [Azure portal](#tab/portal)

+To configure customer-managed keys for an existing account with automatic updating of the key version in the Azure portal, follow these steps:

+1. Navigate to your storage account.

+1. On the **Settings** blade for the storage account, click **Encryption**. By default, key management is set to **Microsoft Managed Keys**, as shown in the following image.

+ :::image type="content" source="media/customer-managed-keys-configure-key-vault/portal-configure-encryption-keys.png" alt-text="Screenshot showing encryption options in Azure portal" lightbox="media/customer-managed-keys-configure-key-vault/portal-configure-encryption-keys.png":::

+1. Select the **Customer Managed Keys** option.

+1. Choose the **Select from Key Vault** option.

+1. Select **Select a key vault and key**.

+1. Select the key vault containing the key you want to use. You can also create a new key vault.

+1. Select the key from the key vault. You can also create a new key.

+ :::image type="content" source="media/customer-managed-keys-configure-key-vault/portal-select-key-from-key-vault.png" alt-text="Screenshot showing how to select key vault and key in Azure portal.":::

+1. Select the type of identity to use to authenticate access to the key vault. The options include **System-assigned** (the default) or **User-assigned**. To learn more about each type of managed identity, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types).

+ 1. If you select **System-assigned**, the system-assigned managed identity for the storage account is created under the covers, if it does not already exist.

+ 1. If you select **User-assigned**, then you must select an existing user-assigned identity that has permissions to access the key vault. To learn how to create a user-assigned identity, see [Manage user-assigned managed identities](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).

+ :::image type="content" source="media/customer-managed-keys-configure-key-vault/select-user-assigned-managed-identity-portal.png" alt-text="Screenshot showing how to select a user-assigned managed identity for key vault authentication":::

+1. Save your changes.

+After you've specified the key, the Azure portal indicates that automatic updating of the key version is enabled and displays the key version currently in use for encryption. The portal also displays the type of managed identity used to authorize access to the key vault and the principal ID for the managed identity.

+### [PowerShell](#tab/powershell)

+To configure customer-managed keys for an existing account with automatic updating of the key version with PowerShell, install the [Az.Storage](https://www.powershellgallery.com/packages/Az.Storage) module, version 2.0.0 or later.

+Next, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) to update the storage account's encryption settings, omitting the key version. Include the **-KeyvaultEncryption** option to enable customer-managed keys for the storage account.

+```azurepowershell

+Set-AzStorageAccount -ResourceGroupName $storageAccount.ResourceGroupName `

+ -AccountName $storageAccount.StorageAccountName `

+ -KeyvaultEncryption `

+ -KeyName $key.Name `

+ -KeyVaultUri $keyVault.VaultUri

+### [Azure CLI](#tab/azure-cli)

+To configure customer-managed keys for an existing account with automatic updating of the key version with Azure CLI, install [Azure CLI version 2.4.0](/cli/azure/release-notes-azure-cli#april-21-2020) or later. For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli).

+Next, call [az storage account update](/cli/azure/storage/account#az_storage_account_update) to update the storage account's encryption settings, omitting the key version. Include the `--encryption-key-source` parameter and set it to `Microsoft.Keyvault` to enable customer-managed keys for the account.

+```azurecli

+If you prefer to manually update the key version, then explicitly specify the version at the time that you configure encryption with customer-managed keys. In this case, Azure Storage will not automatically update the key version when a new version is created in the key vault. To use a new key version, you must manually update the version used for Azure Storage encryption.

+ :::image type="content" source="media/customer-managed-keys-configure-key-vault/portal-copy-key-identifier.png" alt-text="Screenshot showing key vault key URI in Azure portal":::

+ :::image type="content" source="media/customer-managed-keys-configure-key-vault/portal-specify-key-uri.png" alt-text="Screenshot showing how to enter key URI in Azure portal":::

+```azurepowershell

+When you manually update the key version, you will need to update the storage account's encryption settings to use the new version. First, call [Get-AzKeyVaultKey](/powershell/module/az.keyvault/get-azkeyvaultkey) to get the latest version of the key. Then call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.

+```azurecli

+When you manually update the key version, you will need to update the storage account's encryption settings to use the new version. First, query for the key vault URI by calling [az keyvault show](/cli/azure/keyvault#az_keyvault_show), and for the key version by calling [az keyvault key list-versions](/cli/azure/keyvault/key#az_keyvault_key_list-versions). Then call [az storage account update](/cli/azure/storage/account#az_storage_account_update) to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.

+To change the key with PowerShell, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) as shown in [Configure customer-managed keys for an existing account](#configure-customer-managed-keys-for-an-existing-account) and provide the new key name and version. If the new key is in a different key vault, then you must also update the key vault URI.

+To change the key with Azure CLI, call [az storage account update](/cli/azure/storage/account#az_storage_account_update) as shown in [Configure customer-managed keys for an existing account](#configure-customer-managed-keys-for-an-existing-account) and provide the new key name and version. If the new key is in a different key vault, then you must also update the key vault URI.

+```azurepowershell

+```azurecli

+```azurepowershell

+```azurecli

+1. An Azure Key Vault admin grants permissions to encryption keys to a managed identity. The managed identity may be either a user-assigned managed identity that you create and manage, or a system-assigned managed identity that is associated with the storage account.

+The managed identity that is associated with the storage account must have these permissions at a minimum to access a customer-managed key in Azure Key Vault:

+When you enable or disable customer-managed keys, or when you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Storage account does not need to be re-encrypted.

+You can enable customer-managed keys on both new and existing storage accounts. When you enable customer-managed keys, you must specify a managed identity to be used to authorize access to the key vault that contains the key. The managed identity may be either a user-assigned or system-assigned managed identity:

+- When you configure customer-managed keys at the time that you create a storage account, you must use a user-assigned managed identity.

+- When you configure customer-managed keys on an existing storage account, you can use either a user-assigned managed identity or a system-assigned managed identity.

+To learn more about system-assigned versus user-assigned managed identities, see [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).

+On the **Encryption** tab, you can configure options that relate to how your data is encrypted when it is persisted to the cloud. Some of these options can be configured only when you create the storage account.

+| Enable support for customer-managed keys | Required | By default, customer managed keys can be used to encrypt only blobs and files. Set this option to **All service types (blobs, files, tables, and queues)** to enable support for customer-managed keys for all services. You are not required to use customer-managed keys if you choose this option. For more information, see [Customer-managed keys for Azure Storage encryption](customer-managed-keys-overview.md). |

+| Encryption key | Required if **Encryption type** field is set to **Customer-managed keys**. | If you choose **Select a key vault and key**, you are presented with the option to navigate to the key vault and key that you wish to use. If you choose **Enter key from URI**, then you are presented with a field to enter the key URI and the subscription. |

+| User-assigned identity | Required if **Encryption type** field is set to **Customer-managed keys**. | If you are configuring customer-managed keys at create time for the storage account, you must provide a user-assigned identity to use for authorizing access to the key vault. |

+An example: *RoboCopy /MIR* will mirror source to target - that means added, changed, and deleted files are considered. An important difference in using *AzCopy -sync* is that deleted files on the source are not removed on the target. That makes for an incomplete differential-copy feature set. AzCopy will continue to evolve. At this time, AzCopy is not a recommended tool for migration scenarios with Azure file shares as the target.

+You can create an [Anomaly Detector](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesAnomalyDetector) resource in the Azure portal:

+|Pricing model|Based on your own resource usage|Based on your own resource usage|Fixed per-user pricing ([Windows 365 Enterprise pricing](https://www.microsoft.com/windows-365/enterprise/compare-plans-pricing))|Fixed per-user pricing ([Windows 365 Business pricing](https://www.microsoft.com/windows-365/business/compare-plans-pricing))|

+ Title: Associate a virtual machine scale set to a Capacity Reservation group (preview)

+# Associate a virtual machine scale set to a Capacity Reservation group (preview)

+- **Uniform Orchestration Mode:** In this mode, virtual machine scale sets use a VM profile or a template to scale up to the desired capacity. While there is some ability to manage or customize individual VM instances, Uniform uses identical VM instances. These instances are exposed through the virtual machine scale sets VM APIs and are not compatible with the standard Azure IaaS VM API commands. Since the scale set performs all the actual VM operations, reservations are associated with the virtual machine scale set directly. Once the scale set is associated with the reservation, all the subsequent VM allocations will be done against the reservation.

+- **Flexible Orchestration Mode:** In this mode, you get more flexibility managing the individual virtual machine scale set VM instances as they can use the standard Azure IaaS VM APIs instead of using the scale set interface. This mode will not work with Capacity Reservation during public preview.

+To learn more about these modes, go to [Virtual Machine Scale Sets Orchestration Modes](../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md). The rest of this article will cover how to associate a Uniform virtual machine scale set to a Capacity Reservation group.

+## Associate a new virtual machine scale set to a Capacity Reservation group

+To associate a new Uniform virtual machine scale set to a Capacity Reservation group, construct the following PUT request to the *Microsoft.Compute* provider:

+Add the `capacityReservationGroup` property in the `virtualMachineProfile` property:

+Use `az vmss create` to create a new virtual machine scale set and add the `capacity-reservation-group` property to associate the scale set to an existing Capacity Reservation group. The following example creates a Uniform scale set for a Standard_Ds1_v2 VM in the East US location and associates the scale set to a Capacity Reservation group.

+Use `New-AzVmss` to create a new virtual machine scale set and add the `CapacityReservationGroupId` property to associate the scale set to an existing Capacity Reservation group. The following example creates a Uniform scale set for a Standard_Ds1_v2 VM in the East US location and associates the scale set to a Capacity Reservation group.

+ARM templates let you deploy groups of related resources. In a single template, you can create Capacity Reservation group and Capacity Reservations. You can deploy templates through the Azure portal, Azure CLI, or Azure PowerShell, or from continuous integration/continuous delivery (CI/CD) pipelines.

+If your environment meets the prerequisites and you are familiar with using ARM templates, use this [Create Virtual Machine Scale Sets with Capacity Reservation](https://github.com/Azure/on-demand-capacity-reservation/blob/main/VirtualMachineScaleSetWithReservation.json) template.

+## Associate an existing virtual machine scale set to Capacity Reservation group

+During public preview, you are first required to deallocate your scale set. Then you can associate the existing Uniform virtual machine scale set to the Capacity Reservation group at the time of reallocation. This ensures that all the scale set VMs consume Capacity Reservation at the time of reallocation.

+- **Automatic Upgrade** ΓÇô In this mode, the scale set VM instances are automatically associated with the Capacity Reservation group without any further action from you. When the scale set VMs are reallocated, they start consuming the reserved capacity.

+- **Rolling Upgrade** ΓÇô In this mode, scale set VM instances are associated with the Capacity Reservation group without any further action from you. However, they are updated in batches with an optional pause time between them. When the scale set VMs are reallocated, they start consuming the reserved capacity.

+- **Manual Upgrade** ΓÇô In this mode, nothing happens to the scale set VM instances when the virtual machine scale set is attached to a Capacity Reservation group. You will need to do individual updates to each scale set VM by [upgrading it with the latest Scale Set model](../virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set.md#how-to-bring-vms-up-to-date-with-the-latest-scale-set-model).

+1. Associate the scale set to the Capacity Reservation group.

+1. Associate the scale set to the Capacity Reservation group.

+Once the Uniform virtual machine scale set is associated with the Capacity Reservation group, all the subsequent VM allocations will happen against the Capacity Reservation. Azure automatically finds the matching Capacity Reservation in the group and consumes a reserved slot.

+The Capacity Reservation group *Instance View* will reflect the new scale set VMs under the `virtualMachinesAssociated` & `virtualMachinesAllocated` properties:

+View your virtual machine scale set and Capacity Reservation group association with Instance View using PowerShell.

+1. Go to your Capacity Reservation group

+1. Select **Resources** under **Setting**

+1. In the table, you will be able to see all the scale set VMs that are associated with the Capacity Reservation group

+> The location (Region and Availability Zones) of the virtual machine scale set and the Capacity Reservation group must match for the association to succeed. For a regional scale set, the region must match between the scale set and the Capacity Reservation group. For a zonal scale set, both the regions and the zones must match between the scale set and the Capacity Reservation group.

+When a scale set is spread across multiple zones, it always attempts to deploy evenly across the included Availability Zones. Because of that even deployment, a Capacity Reservation group should always have the same quantity of reserved VMs in each zone. As an illustration of why this is important, consider the following example.

+In this case, the scale set is incurring extra cost for 15 unused instances in Zone 1. The scale-out is also relying on 5 VMs in Zone 2 and 10 VMs in Zone 3 that are not protected by Capacity Reservation. If each zone had 25 capacity instances reserved, then all 75 VMs would be protected by Capacity Reservation and the deployment would not incur any extra cost for unused instances.

+Since the reservations can be overallocated, the scale set can continue to scale normally beyond the limits of the reservation. The only difference is that the VMs allocated above the quantity reserved are not covered by Capacity Reservation SLA. To learn more, go to [Overallocating Capacity Reservation](capacity-reservation-overallocate.md).

+This article walks through the steps of associating a new or existing virtual machine to a Capacity Reservation group. To learn more about Capacity Reservations, see the [overview article](capacity-reservation-overview.md).

+To associate a new VM to the Capacity Reservation group, the group must be explicitly referenced as a property of the virtual machine. This reference protects the matching reservation in the group from accidental consumption by less critical applications and workloads that are not intended to use it.

+In the request body, include the `capacityReservationGroup` property:

+1. In the **Capacity Reservations** dropdown, select the Capacity Reservation group that you want the VM to be associated with

+Use `az vm create` to create a new VM and add the `capacity-reservation-group` property to associate it to an existing Capacity Reservation group. The following example creates a Standard_D2s_v3 VM in the East US location and associate the VM to a Capacity Reservation group.

+Use `New-AzVM` to create a new VM and add the `CapacityReservationGroupId` property to associate it to an existing Capacity Reservation group. The following example creates a Standard_D2s_v3 VM in the East US location and associate the VM to a Capacity Reservation group.

+ARM templates let you deploy groups of related resources. In a single template, you can create Capacity Reservation group and capacity reservations. You can deploy templates through the Azure portal, Azure CLI, or Azure PowerShell, or from continuous integration/continuous delivery (CI/CD) pipelines.

+If your environment meets the prerequisites and you are familiar with using ARM templates, use this [Create VM with Capacity Reservation](https://github.com/Azure/on-demand-capacity-reservation/blob/main/VirtualMachineWithReservation.json) template.

+During public preview, you are first required to deallocate your scale set. Then you can associate the existing Uniform virtual machine scale set to the Capacity Reservation group at the time of reallocation. This ensures that all the scale set VMs consume Capacity Reservation at the time of reallocation.

+1. Select **Overview**

+1. In the **Capacity Reservation group** dropdown, select the group that you want the VM to be associated with

+1. Associate the VM to a Capacity Reservation group

+1. Associate the VM to a Capacity Reservation group

+Once the `capacityReservationGroup` property is set, an association now exists between the VM and the group. Azure automatically finds the matching Capacity Reservation in the group and consumes a reserved slot. The Capacity ReservationΓÇÖs *Instance View* will reflect the new VM in the `virtualMachinesAllocated` property:

+1. Go to your Capacity Reservation group

+1. Look at the table to see all the VMs that are associated with the Capacity Reservation group

+> [Remove a VMs association to a Capacity Reservation group](capacity-reservation-remove-vm.md)

+Capacity Reservation is always created as part of a Capacity Reservation group. The first step is to create a group if a suitable one doesnΓÇÖt exist already, then create reservations. Once successfully created, reservations are immediately available for use with virtual machines. The capacity is reserved for your use as long as the reservation is not deleted.

+A well-formed request for Capacity Reservation group should always succeed as it does not reserve any capacity. It just acts as a container for reservations. However, a request for Capacity Reservation could fail if you do not have the required quota for the VM series or if Azure doesnΓÇÖt have enough capacity to fulfill the request. Either request more quota or try a different VM size, location, or zone combination.

+A Capacity Reservation creation succeeds or fails in its entirety. For a request to reserve 10 instances, success is returned only if all 10 could be allocated. Otherwise, the Capacity Reservation creation will fail.

+> This preview version is provided without a service-level agreement, and we do not recommend it for production workloads. Certain features might not be supported or might have constrained capabilities.

+- The location parameter must match the location property for the parent Capacity Reservation group. A mismatch will result in an error.

+- Each Capacity Reservation group can have exactly one reservation for a given VM size. For example, only one Capacity Reservation can be created for the VM size `Standard_D2s_v3`. Attempt to create a second reservation for `Standard_D2s_v3` in the same Capacity Reservation group will result in an error. However, another reservation can be created in the same group for other VM sizes, such as `Standard_D4s_v3`, `Standard_D8s_v3`, and so on.

+- For a Capacity Reservation group that supports zones, each reservation type is defined by the combination of **VM size** and **zone**. For example, one Capacity Reservation for `Standard_D2s_v3` in `Zone 1`, another Capacity Reservation for `Standard_D2s_v3` in `Zone 2`, and a third Capacity Reservation for `Standard_D2s_v3` in `Zone 3` is supported.

+## Create a Capacity Reservation

+1. Create a Capacity Reservation group

+ To create a Capacity Reservation group, construct the following PUT request on *Microsoft.Compute* provider:

+ In the request body, include the following parameter:

+ The group in the following example will only support regional reservations, because zones were not specified at the time of creation. To create a zonal group, pass an extra parameter *zones* in the request body:

+ In the request body, include the following parameters:

+1. In the search bar, type **Capacity Reservation groups**

+1. Select **Capacity Reservation groups** from the options

+1. Under the *Basics* tab, create a Capacity Reservation group:

+1. Under the *Review + Create* tab, review your Capacity Reservation group information

+1. Before you can create a Capacity Reservation, create a resource group with `az group create`. The following example creates a resource group *myResourceGroup* in the East US location.

+1. Now create a Capacity Reservation group with `az capacity reservation group create`. The following example creates a group *myCapacityReservationGroup* in the East US location for all 3 availability zones.

+1. Once the Capacity Reservation group is created, create a new Capacity Reservation with `az capacity reservation create`. The following example creates *myCapacityReservation* for 5 quantities of Standard_D2s_v3 VM size in Zone 1 of East US location.

+1. Before you can create a Capacity Reservation, create a resource group with `New-AzResourceGroup`. The following example creates a resource group *myResourceGroup* in the East US location.

+1. Now create a Capacity Reservation group with `New-AzCapacityReservationGroup`. The following example creates a group *myCapacityReservationGroup* in the East US location for all 3 availability zones.

+1. Once the Capacity Reservation group is created, create a new Capacity Reservation with `New-AzCapacityReservation`. The following example creates *myCapacityReservation* for 5 quantities of Standard_D2s_v3 VM size in Zone 1 of East US location.

+ARM templates let you deploy groups of related resources. In a single template, you can create Capacity Reservation group and Capacity Reservations. You can deploy templates through the Azure portal, Azure CLI, or Azure PowerShell, or from continuous integration/continuous delivery (CI/CD) pipelines.

+If your environment meets the prerequisites and you are familiar with using ARM templates, use any of the following templates:

+<!-- The three dashes above show that your section of tabbed content is complete. Do not remove them :) -->

+To find the VM size and the quantity reserved, use the following command:

+1. In the search bar, type **Capacity Reservation groups**

+1. Select **Capacity Reservation groups** from the options

+1. From the list, select the Capacity Reservation group name you just created

+1. Select **Overview**

+<!-- The three dashes above show that your section of tabbed content is complete. Do not remove them :) -->

+> [Learn how to modify your Capacity Reservation](capacity-reservation-modify.md)

+After creating a Capacity Reservation group and Capacity Reservation, you may want to modify your reservations. This article explains how to do the following actions using API, Azure portal, and PowerShell.

+> * Resize VMs associated with a Capacity Reservation group

+> * Delete the Capacity Reservation group and Capacity Reservation

+Update the number of virtual machine instances reserved in a Capacity Reservation.

+1. Go to your Capacity Reservation group

+## Resize VMs associated with a Capacity Reservation group

+You must do one of the following options if the VM being resized is currently attached to a Capacity Reservation group and that group doesnΓÇÖt have a reservation for the target size:

+- Create a new reservation for that size

+- Remove the virtual machine from the reservation group before resizing.

+1. Consider the following scenarios:

+ 1. If the target VM size is not part of the group, [create a new Capacity Reservation](capacity-reservation-create.md) for the target VM

+1. Go to your Capacity Reservation group

+ 1. If the target VM size is not part of the group, [create a new Capacity Reservation](capacity-reservation-create.md) for the target VM

+1. Get the names of all Capacity Reservations within the Capacity Reservation group with `az capacity reservation group show`

+1. From the response, find the names of all the Capacity Reservations

+1. Consider the following scenarios:

+ 1. If the target VM size is not part of the group, [create a new Capacity Reservation](capacity-reservation-create.md) for the target VM

+1. From the response, find the names of all the Capacity Reservations

+1. Consider the following scenarios:

+ 1. If the target VM size is not part of the group, [create a new Capacity Reservation](capacity-reservation-create.md) for the target VM

+## Delete a Capacity Reservation group and Capacity Reservation

+Azure allows a group to be deleted when all the member Capacity Reservations have been deleted and no VMs are associated to the group.

+To delete a Capacity Reservation, first find out all of the virtual machines that are associated to it. The list of virtual machines is available under `virtualMachinesAssociated` property.

+First, find all virtual machines associated with the Capacity Reservation group and dissociate them.

+From the above response, find the names of all virtual machines under the `virtualMachinesAssociated` property and remove them from the Capacity Reservation group using the steps in [Remove a VM association to a Capacity Reservation](capacity-reservation-remove-vm.md).

+Once all the virtual machines are removed from the Capacity Reservation group, delete the member Capacity Reservation(s):

+Lastly, delete the parent Capacity Reservation group.

+1. Go to your Capacity Reservation group

+1. Delete the Capacity Reservation group

+ 1. Go to the Capacity Reservation group

+Find out all the virtual machines associated with Capacity Reservation group and dissociate them.

+1. Run the following command:

+1. From the above response, find out the names of all the virtual machines under the `VirtualMachinesAssociated` property and remove them from the Capacity Reservation group using the steps detailed in [Remove a virtual machine association from a Capacity Reservation group](capacity-reservation-remove-vm.md).

+1. Delete the Capacity Reservation group:

+Find out all the virtual machines associated with Capacity Reservation group and dissociate them.

+1. Run the following command:

+1. From the above response, find out the names of all the virtual machines under the `VirtualMachinesAssociated` property and remove them from the Capacity Reservation group using the steps detailed in [Remove a virtual machine association from a Capacity Reservation group](capacity-reservation-remove-vm.md).

+1. Delete the Capacity Reservation group:

+A well-formed request for reducing the quantity reserved should always succeed no matter the number of VMs associated with the reservation. However, increasing the quantity reserved may require more quota and for Azure to fulfill the additional capacity request. In a rare scenario in which Azure canΓÇÖt fulfill the request to increase the quantity reserved for existing reservations, it is possible that the reservation goes into a *Failed* state and becomes unavailable until the quantity reserved is restored to the original amount.

+1. Search for the name of the Capacity Reservation

+Azure permits association of extra VMs beyond the reserved count of a Capacity Reservation to facilitate burst and other scale-out scenarios, without the overhead of managing around the limits of reserved capacity. The only difference is that the count of VMs beyond the quantity reserved does not receive the capacity availability SLA benefit. As long as Azure has available capacity that meets the virtual machine requirements, the extra allocations will succeed.

+The Instance View of a Capacity Reservation group provides a snapshot of usage for each member Capacity Reservation. You can use the Instance View to see how overallocation works.

+This article assumes you have created a Capacity Reservation group (`myCapacityReservationGroup`), a member Capacity Reservation (`myCapacityReservation`), and a virtual machine (*myVM1*) that is associated to the group. Go to [Create a Capacity Reservation](capacity-reservation-create.md) and [Associate a VM to a Capacity Reservation](capacity-reservation-associate-vm.md) for more details.

+## Instance View for Capacity Reservation group

+The Instance View for a Capacity Reservation group will look like this:

+Let's say we create another virtual machine named *myVM2* and associate it with the above Capacity Reservation group.

+The Instance View for the Capacity Reservation group will now look like this:

+> Azure will not stop allocations just because a Capacity Reservation is fully consumed. Auto-scale rules, temporary scale-out, and related requirements will work beyond the quantity of reserved capacity as long as Azure has available capacity.

+| Reservation consumed | Length of `virtualMachinesAllocated` == `capacity` | Additional VMs will not receive the capacity SLA unless some existing VMs are deallocated. Optionally try to increase the capacity so extra planned VMs will receive an SLA. |

+| Reservation overallocated | Length of `virtualMachinesAllocated` > `capacity` | Additional VMs will not receive the capacity SLA. Also, the quantity of VMs (Length of `virtualMachinesAllocated` ΓÇô `capacity`) will not receive a capacity SLA if deallocated. Optionally increase the capacity to add capacity SLA to more of the existing VMs. |

+On-demand Capacity Reservation enables you to reserve Compute capacity in an Azure region or an Availability Zone for any duration of time. Unlike [Reserved Instances](https://azure.microsoft.com/pricing/reserved-vm-instances/), you do not have to sign up for a 1-year or a 3-year term commitment. Create and delete reservations at any time and have full control over how you want to manage your reservations.

+Once the Capacity Reservation is created, the capacity is available immediately and is exclusively reserved for your use until the reservation is deleted.

+> This preview version is provided without a service-level agreement, and we do not recommend it for production workloads. Certain features might not be supported or might have constrained capabilities.

+To create a Capacity Reservation, these parameters are passed to Azure as a capacity request. If the subscription lacks the required quota or Azure does not have capacity available that meets the specification, the reservation will fail to deploy. To avoid deployment failure, request more quota or try a different VM size, location, or zone combination.

+Once Azure accepts a reservation request, it is available to be consumed by VMs of matching configurations. To consume Capacity Reservation, the VM will have to specify the reservation as one of its properties. Otherwise, the Capacity Reservation will remain unused. One benefit of this design is that you can target only critical workloads to reservations and other non-critical workloads can run without reserved capacity.

+- Spot VMs and Azure Dedicated Host Nodes are not supported with Capacity Reservation.

+- Some deployment constraints are not supported:

+- For the supported VM series during public preview, up to 3 Fault Domains (FDs) will be supported. A deployment with more than 3 FDs will fail to deploy against Capacity Reservation.

+- Availability Sets are not supported with Capacity Reservation.

+- Reservations are only available to paid Azure customers. Sponsored accounts such as Free Trial and Azure for Students are not eligible to use this feature.

+Capacity Reservations are priced at the same rate as the underlying VM size. For example, if you create a reservation for ten quantities of D2s_v3 VM, as soon as the reservation is created, you will start getting billed for ten D2s_v3 VMs, even if the reservation is not being used.

+If you then deploy a D2s_v3 VM and specify reservation as its property, the Capacity Reservation gets used. Once in use, you will only pay for the VM and nothing extra for the Capacity Reservation. LetΓÇÖs say you deploy five D2s_v3 VMs against the previously mentioned Capacity Reservation. You will see a bill for five D2s_v3 VMs and five unused Capacity Reservation, both charged at the same rate as a D2s_v3 VM.

+Both used and unused Capacity Reservation are eligible for Reserved Instances term commitment discounts. In the previous example, if you have Reserved Instances for two D2s_v3 VMs in the same Azure region, the billing for two resources (either VM or unused Capacity Reservation) will be zeroed out and you will only pay for the rest of the eight resources. Those eight resources are the five unused capacity reservations and three D2s_v3 VMs. In this case, the term commitment discounts could be applied on either the VM or the unused Capacity Reservation, both of which are charged at the same PAYG rate.

+Capacity Reservation can be created for a specific VM size in an Azure region or an Availability Zone. All reservations are created and managed as part of a Capacity Reservation group, which allows creation of a group to manage different VM sizes in a single multi-tier application. Each reservation is for one VM size and a group can have only one reservation per VM size.

+To consume Capacity Reservation, specify Capacity Reservation group as one of the VM properties. If the group doesnΓÇÖt have a matching reservation, Azure will return an error message.

+The quantity reserved for reservation can be adjusted after initial deployment by changing the capacity property. Other changes to Capacity Reservation, such as VM size or location, are not permitted. The recommended approach is to delete the existing reservation and create a new one with the new requirements.

+- `capacity` = Total quantity of instances reserved by the customer.

+- `virtualMachinesAllocated` = List of VMs allocated against the Capacity Reservation and count towards consuming the capacity. These VMs are either *Running*, *Stopped* (*Allocated*), or in a transitional state such as *Starting* or *Stopping*. This list doesnΓÇÖt include the VMs that are in deallocated state, referred to as *Stopped* (*deallocated*).

+- `virtualMachinesAssociated` = List of VMs associated with the Capacity Reservation. This list has all the VMs that have been configured to use the reservation, including the ones that are in deallocated state.

+The previous example will start with `capacity` as 2 and length of `virutalMachinesAllocated` and `virtualMachinesAssociated` as 0.

+Now suppose the application scales down to the minimum of two VMs. Since VM 0 needs an update, it is chosen for deallocation. The reservation automatically shifts to this state:

+The `capacity` and the length of `virtualMachinesAllocated` are both 2. However, the length for `virtualMachinesAssociated` is still 3 as VM 0, though deallocated, is still associated with the Capacity Reservation.

+The status of the Capacity Reservation will now show `capacity` as 2 and length of `virtualMachinesAssociated` and `virtualMachinesAllocated` as 0. From this state, the Capacity Reservation can be deleted. Once deleted, you will not pay for the reservation anymore.

+When a Capacity Reservation is empty, VM usage will be reported for the corresponding VM size and the location. [VM Reserved Instances](https://azure.microsoft.com/pricing/reserved-vm-instances/) can cover some or all of the Capacity Reservation usage even when VMs are not deployed.

+For example, lets say a Capacity Reservation with quantity reserved 2 has been created. The subscription has access to one matching Reserved VM Instance of the same size. The result is two usage streams for the Capacity Reservation, one of which is covered by the Reserved Instance:

+In the previous image, a Reserved VM Instance discount is applied to one of the unused instances and the cost for that instance will be zeroed out. For the other instance, PAYG rate will be charged for the VM size reserved.

+In the previous image, the VM Reserved Instance discount is applied to VM 0, which will only be charged for other components such as disk and networking. The other unused instance is being charged at PAYG rate for the VM size reserved.

+- **WhatΓÇÖs the price of on-demand Capacity Reservation?**

+ The price of your on-demand Capacity Reservation is same as the price of underlying VM size associated with the reservation. When using Capacity Reservation, you will be charged for the VM size you selected at pay-as-you-go rates, whether the VM has been provisioned or not. Visit the [Windows](https://azure.microsoft.com/pricing/details/virtual-machines/windows/) and [Linux](https://azure.microsoft.com/pricing/details/virtual-machines/linux/) VM pricing pages for more details.

+- **Will I get charged twice, for the cost of on-demand Capacity Reservation and for the actual VM when I finally provision it?**

+ No, you will only get charged once for on-demand Capacity Reservation.

+- **Can I apply Reserved Virtual Machine Instance (RI) to on-demand Capacity Reservation to lower my costs?**

+ Yes, you can apply existing or future RIs to on-demand capacity reservations and receive RI discounts. Available RIs are applied automatically to Capacity Reservation the same way they are applied to VMs.

+- **What is the difference between Reserved Virtual Machine Instance (RI) and on-demand Capacity Reservation?**

+ Both RIs and on-demand capacity reservations are applicable to Azure VMs. However, RIs provide discounted reservation rates for your VMs compared to pay-as-you-go rates as a result of a 1-year or 3-year term commitment. Conversely, on-demand capacity reservations do not require a commitment. You can create or cancel a Capacity Reservation at any time. However, no discounts are applied, and you will incur charges at pay-as-you-go rates after your Capacity Reservation has been successfully provisioned. Unlike RIs, which prioritize capacity but do not guarantee it, when you purchase an on-demand Capacity Reservation, Azure sets aside compute capacity for your VM and provides an SLA guarantee.

+This article walks you through removing a virtual machine scale set association from a Capacity Reservation group. To learn more about capacity reservations, see the [overview article](capacity-reservation-overview.md).

+- Option 1: Deallocate the Virtual machine scale set, change the Capacity Reservation group property at the scale set level, and then update the underlying VMs

+- Option 2: Update the reserved quantity to zero and then change the Capacity Reservation group property

+The first option is to deallocate the virtual machine scale set, change the Capacity Reservation group property at the scale set level, and then update the underlying VMs.

+1. Update the virtual machine scale set to remove association with the Capacity Reservation group

+1. Deallocate the virtual machine scale set. The following command will deallocate all virtual machines within the scale set:

+1. Update the scale set to remove association with the Capacity Reservation group. Setting the `capacity-reservation-group` property to None removes the association of scale set to the Capacity Reservation group:

+1. Deallocate the virtual machine scale set. The following command will deallocate all virtual machines within the scale set:

+1. Update the scale set to remove association with the Capacity Reservation group. Setting the `CapacityReservationGroupId` property to null removes the association of scale set to the Capacity Reservation group:

+The second option involves updating the reserved quantity to zero and then changing the Capacity Reservation group property.

+This option works well when the scale set cannot be deallocated and when a reservation is no longer needed. For example, you may create a Capacity Reservation to temporarily assure capacity during a large-scale deployment. Once completed, the reservation is no longer needed.

+ In the request body, include the following parameters:

+ Note that `capacity` property is set to 0.

+1. Update the virtual machine scale set to remove the association with the Capacity Reservation group

+2. Update the scale set to remove association with Capacity Reservation group by setting the `capacity-reservation-group` property to None:

+2. Update the scale set to remove association with Capacity Reservation group by setting the `CapacityReservationGroupId` property to null:

+- **Automatic Upgrade** ΓÇô In this mode, the scale set VM instances are automatically dissociated from the Capacity Reservation group without any further action from you.

+- **Rolling Upgrade** ΓÇô In this mode, the scale set VM instances are dissociated from the Capacity Reservation group without any further action from you. However, they are updated in batches with an optional pause time between them.

+- **Manual Upgrade** ΓÇô In this mode, nothing happens to the scale set VM instances when the virtual machine scale set is updated. You will need to individually remove each scale set VM by [upgrading it with the latest Scale Set model](../virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set.md#how-to-bring-vms-up-to-date-with-the-latest-scale-set-model).

+# Remove a VM association from a Capacity Reservation group (preview)

+This article walks you through the steps of removing a VM association to a Capacity Reservation group. To learn more about capacity reservations, see the [overview article](capacity-reservation-overview.md).

+- Option 1: Deallocate the virtual machine, change the Capacity Reservation group property, and optionally restart the virtual machine

+- Option 2: Update the reserved quantity to zero and then change the Capacity Reservation group property

+The first option is to deallocate the VM, change the Capacity Reservation group property, and optionally restart the VM.

+1. Update the VM to remove association with the Capacity Reservation group

+1. Go to your VM and select **Overview**

+ 1. You will know your VM is deallocated when the status changes to *Stopped (deallocated)*

+ 1. At this point in the process, the VM is still associated with the Capacity Reservation group, which is reflected in the `virtualMachinesAssociated` property of the Capacity Reservation

+1. Set the **Capacity Reservation group** value to *None*

+ - The VM is no longer associated with the Capacity Reservation group

+1. Deallocate the virtual machine

+1. Update the VM to remove association with the Capacity Reservation group by setting the `capacity-reservation-group` property to None:

+1. Deallocate the virtual machine

+1. Update the VM to remove association with the Capacity Reservation group by setting the `CapacityReservationGroupId` property to null:

+The second option involves updating the reserved quantity to zero and then changing the Capacity Reservation group property.

+This option works well when the virtual machine canΓÇÖt be deallocated and when a reservation is no longer needed. For example, you may create a Capacity Reservation to temporarily assure capacity during a large-scale deployment. Once completed, the reservation is no longer needed.

+ In the request body, include the following parameters:

+ Note that `capacity` property is set to 0.

+1. Update the VM to remove the association with the Capacity Reservation group

+1. Go to your Capacity Reservation group and select **Overview**

+1. Go to your VM and select **Configuration**

+1. Set the **Capacity Reservation group** value to *None*

+ - Note that the VM is no longer associated with the Capacity Reservation group

+1. Update the VM to remove association with the Capacity Reservation group by setting the `capacity-reservation-group` property to None:

+1. Update the VM to remove association with the Capacity Reservation group by setting the `CapacityReservationGroupId` property to null:

+> [Learn how to associate a scale set to a Capacity Reservation group](capacity-reservation-associate-virtual-machine-scale-set.md)

+## Benefits

+**Regions**:

+- Azure Dedicated Host

+Trusted launch also introduces vTPM for Azure VMs. This is a virtualized version of a hardware [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview), compliant with the TPM2.0 spec. It serves as a dedicated secure vault for keys and measurements. Trusted launch provides your VM with its own dedicated TPM instance, running in a secure environment outside the reach of any VM. The vTPM enables [attestation](/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation) by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).

+Trusted launch is integrated with Azure Defender for Cloud to ensure your VMs are properly configured. Azure Defender for Cloud will continually assess compatible VMs and issue relevant recommendations.

+- **Recommendation to enable Secure Boot** - This Recommendation only applies for VMs that support trusted launch. Azure Defender for Cloud will identify VMs that can enable Secure Boot, but have it disabled. It will issue a low severity recommendation to enable it.

+- **Recommendation to enable vTPM** - If your VM has vTPM enabled, Azure Defender for Cloud can use it to perform Guest Attestation and identify advanced threat patterns. If Azure Defender for Cloud identifies VMs that support trusted launch and have vTPM disabled, it will issue a low severity recommendation to enable it.

+- **Recommendation to install guest attestation extension** - If your VM has secure boot and vTPM enabled but it doesn't have the guest attestation extension installed, Azure Defender for Cloud will issue a low severity recommendation to install the guest attestation extension on it. This extension allows Azure Defender for Cloud to proactively attest and monitor the boot integrity of your VMs. Boot integrity is attested via remote attestation.

+- Firmware rootkits: these kits overwrite the firmware of the virtual machineΓÇÖs BIOS, so the rootkit can start before the OS.

+Azure Defender for Cloud periodically performs attestation. If the attestation fails, a medium severity alert will be triggered. Trusted launch attestation can fail for the following reasons:

+Hyper-V Shielded VM is currently available on Hyper-V only. [Hyper-V Shielded VM](/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms) is typically deployed in conjunction with Guarded Fabric. A Guarded Fabric consists of a Host Guardian Service (HGS), one or more guarded hosts, and a set of Shielded VMs. Hyper-V Shielded VMs are intended for use in fabrics where the data and state of the virtual machine must be protected from both fabric administrators and untrusted software that might be running on the Hyper-V hosts. Trusted launch on the other hand can be deployed as a standalone virtual machine or virtual machine scale sets on Azure without additional deployment and management of HGS. All of the trusted launch features can be enabled with a simple change in deployment code or a checkbox on the Azure portal.

+VM Guest State (VMGS) is specific to Trusted Launch VM. It is a blob that is managed by Azure and contains the unified extensible firmware interface (UEFI) secure boot signature databases and other security information. The lifecycle of the VMGS blob is tied to that of the OS Disk.

+> Under certain circumstances, 2 VMs in the same AvailabilitySet could share the same FaultDomain. This can be confirmed by going into your availability set and checking the Fault Domain column. This can be causeed by the following sequence of events while deploying the VMs:

+> 1. The 1st VM is Deployed

+> 1. The 1st VM is Stopped/Deallocated

+> 1. The 2nd VM is Deployed.

+> Under these circumstances, the OS Disk of the 2nd VM might be created on the same Fault Domain as the 1st VM, and so the 2nd VM will also land on the same FaultDomain. To avoid this issue, it's recommended to not stop/deallocate the VMs between deployments.

+- Are third-party HA frameworks, besides Windows and Pacemaker supported? Check bottom part of [SAP support note #1928533](https://launchpad.support.sap.com/#/notes/1928533)

+- Why are the Azure [Da(s)v4](../../dav4-dasv4-series.md)/[Ea(s)](../../eav4-easv4-series.md) VM families not certified for SAP HANA? The Azure Das/Eas VM families are based on AMD processor-driven hardware. SAP HANA does not support AMD processors, not even in virtualized scenarios

+- January 24, 2022: Change in [HA for SAP NW on SLES with NFS on Azure Files](./high-availability-guide-suse-nfs-azure-files.md), [HA for SAP NW on Azure VMs on SLES with ANF](./high-availability-guide-suse-netapp-files.md), [HA for SAP NW on Azure VMs on SLES for SAP applications](./high-availability-guide-suse.md), [HA for NFS on Azure VMs on SLES](./high-availability-guide-suse-nfs.md), [HA for SAP NNW on Azure VMs on SLES multi-SID guide](./high-availability-guide-suse-multi-sid.md), [HA for SAP NW on RHEL with NFS on Azure Files](./high-availability-guide-rhel-nfs-azure-files.md), [HA for SAP NW on Azure VMs on RHEL for SAP applications](./high-availability-guide-rhel.md) and [HA for SAP NW on Azure VMs on RHEL with ANF](./high-availability-guide-rhel-netapp-files.md) and [HA for SAP NW on Azure VMs on RHEL multi-SID guide](./high-availability-guide-rhel-multi-sid.md) to remove cidr_netmask from Pacemaker configuration to allow the resource agent to determine the value automatically

+- December 08, 2021: Change in [SQL Server Azure Virtual Machines DBMS deployment for SAP NetWeaver](./dbms_guide_sqlserver.md) to clarify Azure Load Balancer settings

+- December 08, 2021: Release of scenario [HA of SAP HANA Scale-up with Azure NetApp Files on SLES](./sap-hana-high-availability-netapp-files-suse.md)

+- December 02, 2021: Introduction of new STONITH fencing method in [Setting up Pacemaker on SUSE Linux Enterprise Server in Azure](high-availability-guide-suse-pacemaker.md) using Azure shared disk SBD device

+- December 01, 2021: Change in [SAP ASCS/SCS instance with WSFC and file share](./sap-high-availability-guide-wsfc-file-share.md), [HA for SAP NetWeaver on Azure VMs on Windows with Azure NetApp Files(SMB)](./high-availability-guide-windows-netapp-files-smb.md) and [HA for SAP NetWeaver on Azure VMs on Windows with Azure Files(SMB)](./high-availability-guide-windows-azure-files-smb.md) to update the SAP kernel version, required to support clustering SAP on Windows with file share

+- November 16, 2021: Release of high availability guides for SAP ASCS/ERS with NFS on Azure files [HA for SAP NW on SLES with NFS on Azure Files](./high-availability-guide-suse-nfs-azure-files.md) and [HA for SAP NW on RHEL with NFS on Azure Files](./high-availability-guide-rhel-nfs-azure-files.md)

+- June 22, 2020: Add installation steps for new VM Extension for SAP to the [Deployment Guide](deployment-guide.md)

+- March 16, 2020: Clarification of column certification scenario in SAP HANA IaaS certified platform in [What SAP software is supported for Azure deployments](./sap-supported-product-on-azure.md)

+- March 11, 2020: Change in [SAP workload on Azure virtual machine supported scenarios](./sap-planning-supported-configurations.md) to clarify multiple databases per DBMS instance support

+ ip=10.3.1.52 \

+ ip=10.3.1.54 \

+ ip=10.3.1.53 \

+ ip=10.3.1.55 \

+ ip=192.168.14.9 \

+ ip=192.168.14.10 \

+ ip=10.90.90.10 \

+ ip=10.90.90.9 \

+ ip=<b>10.0.0.7</b> \

+ ip=<b>10.0.0.8</b> \

+| SAP Business Suite Software | Windows, SUSE Linux Enterprise, Red Hat Enterprise Linux, Oracle Linux |SQL Server, Oracle (Windows and Oracle Linux only), DB2, SAP ASE | [1928533 - SAP Applications on Azure: Supported Products and Azure VM types](https://launchpad.support.sap.com/#/notes/1928533) |

+| SAP Business All-in-One | Windows, SUSE Linux Enterprise, Red Hat Enterprise Linux, Oracle Linux |SQL Server, Oracle (Windows and Oracle Linux only), DB2, SAP ASE | [1928533 - SAP Applications on Azure: Supported Products and Azure VM types](https://launchpad.support.sap.com/#/notes/1928533)|

+| SAP BusinessObjects BI | Windows |N/A | [1928533 - SAP Applications on Azure: Supported Products and Azure VM types](https://launchpad.support.sap.com/#/notes/1928533) |

+| SAP NetWeaver | Windows, SUSE Linux Enterprise, Red Hat Enterprise Linux, Oracle Linux |SQL Server, Oracle (Windows and Oracle Linux only), DB2, SAP ASE | [1928533 - SAP Applications on Azure: Supported Products and Azure VM types](https://launchpad.support.sap.com/#/notes/1928533) |

+ :::image type="content" source="./media/virtual-wan-expressroute-portal/createwan.png" alt-text="Screenshot shows Create WAN page." border="false":::

+ :::image type="content" source="./media/virtual-wan-expressroute-portal/edithub.png" alt-text="Screenshot shows editing an existing hub." border="false":::

+ :::image type="content" source="./media/virtual-wan-expressroute-portal/cktconnect.png" alt-text="Screenshot shows connect circuits." border="false":::

+ :::image type="content" source="./media/virtual-wan-expressroute-portal/redeem.png" alt-text="Screenshot shows the ExpressRoute for a virtual hub with Redeem authorization key selected."border="false":::

+ :::image type="content" source="./media/virtual-wan-expressroute-portal/redeemkey2.png" alt-text="Screenshot shows redeem authorization key values." border="false":::

+ :::image type="content" source="./media/virtual-wan-expressroute-portal/defaultroute1.png" alt-text="Screenshot shows Edit ExpressRoute Gateway page." border="false":::

+1. Select **Enable** to propagate the default route.

+ :::image type="content" source="./media/virtual-wan-expressroute-portal/defaultroute2.png" alt-text="Screenshot shows enable propagate default route." border="false":::