+When using the funnel-based approach, the funnel tenant will be located in one specific region and serve users globally. Since the funnel tenants operation utilizes a global component of the Azure AD B2C service, it will maintain a consistant level of performance regardless of where users login from.

+As shown in the diagram above, the Azure AD B2C tenant in the funnel-based approach will only utilize the Policy Engine to perform the redirection to regional Azure AD B2C tenants. The Azure AD B2C Policy Engine component is globally distributed. Therefore, the funnel isn't constrained from a performance perspective, regardless of where the Azure AD B2C funnel tenant is provisioned. A performance loss is encountered due to the extra redirect between funnel and regional tenants in the funnel-based approach.

+In the regional-based approach, since each user is directed to their most local Azure AD B2C, performance is consistant for all users logging in.

+The regional tenants will perform directory calls into the Directory Store, which is the only regionalized component in both the funnel-based and regional-based architectures.

+|  provides users the option to sign in using finger print, face ID or [Windows Hello](https://support.microsoft.com/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0) for enhanced security.

+|  enables migrating a legacy application using header-based authentication to Azure AD B2C with no application code change. |

+ Title: Migrate applications to Azure AD B2C with Grit's app proxy

+description: Learn how Grit's app proxy can migrate your applications to Azure AD B2C with no code change

+# Migrate applications using header-based authentication to Azure Active Directory B2C with Grit's app proxy

+In this sample tutorial, learn how to migrate a legacy application using header-based authentication to Azure Active Directory B2C (Azure AD B2C) with [Grit's app proxy](https://www.gritiam.com/appProxy.html).

+Benefits of using Grit's app proxy are as follows:

+- No application code change and easy deployment resulting in faster ROI

+- Enables users to use modern authentication experiences such as Multi-Factor authentication, biometrics, and password-less resulting in enhanced security.

+- Significant savings on the license cost of the legacy authentication solution

+## Prerequisites

+To get started, you'll need:

+- License to GritΓÇÖs app proxy. Contact [Grit support](mailto:info@gritsoftwaresystems.com) for license details. For this tutorial, you don't need a license.

+- An Azure subscription. If you don't have one, get a [free account](https://azure.microsoft.com/free/).

+- An [Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.

+## Scenario description

+Grit integration includes the following components:

+- **Azure AD B2C**: The authorization server to verify user credentials - Authenticated users access on-premises applications using a local account stored in the Azure AD B2C directory.

+- **Grit app proxy**: The service that passes identity to applications through HTTP headers.

+- **Web application**: The legacy application to which user requests access.

+The following architecture diagram shows the implementation.

+ 

+1. The user requests access to an on-premises application.

+2. Grit app proxy receives the request through [Azure Web Application Firewall (WAF)](https://azure.microsoft.com/products/web-application-firewall/) and sends it to the application.

+3. Grit app proxy checks user authentication state. With no session token, or an invalid token, the user goes to Azure AD B2C for authentication.

+4. Azure AD B2C sends the user request to the endpoint specified during Grit app proxy registration in the Azure AD B2C tenant.

+4. Grit app proxy evaluates access policies and calculates attribute values in HTTP headers forwarded to the application. Grit app proxy sets the header values and sends the request to the application.

+5. The user is authenticated with access granted/denied to the application.

+## Onboard with Grit app proxy

+Contact [Grit support](mailto:info@gritsoftwaresystems.com) for details to get onboarded.

+### Configure Grit's app proxy solution with Azure AD B2C

+For this tutorial, Grit already has a backend application and an Azure AD B2C policy. This tutorial will be about configuring the proxy to access the backend application.

+You can use the UX to configure each page of the backend application for security. You can configure the type of auth required by each page and the header values needed.

+If the users need to be denied permission to certain pages based on group membership or some other criteria, it's handled by the auth user journey.

+1. Navigate to https://proxyeditor.z13.web.core.windows.net/.

+2. Once the dropdown appears, select the dropdown, and select **Create New**.

+3. Enter a name for the page that contains only letters and numbers.

+4. Enter **B2C_1A_SIGNUP_SIGNIN** into the B2C Policy box.

+5. Select **GET** at the HTTP method.

+6. Enter 'https://anj-grit-legacy-backend.azurewebsites.net/Home/Page' into the endpoint field and that would be the endpoint to your legacy application.

+ >[!NOTE]

+ >This demo is publicly available, values you enter will be visible to public. Don't configure a secure application with this demo.

+ 

+7. Select **ADD HEADER**.

+8. Enter **x-iss** in the destination header field to configure the valid HTTP header that must be sent to the application.

+9. Enter **given_name** into the Value field that is the name of a claim in the B2C policy. The value of the claim will be passed into the header.

+10. Select **Token** as the source.

+11. Select **SAVE SETTINGS**.

+12. Select the link in the popup. It will take you to a sign-in page. Select the sign-up link and enter the required information. Once you complete the sign-up process, you'll be redirected to the legacy application. The application displays the name you provided in the **Given name** field during sign-up.

+## Test the flow

+1. Navigate to the on-premises application URL.

+2. The Grit app proxy redirects to the page you configured in your user flow.

+From the list, select the IdP.

+3. At the prompt, enter your credentials. If necessary, include an Azure AD Multi-Factor authentication (MFA) token.

+4. You're redirected to Azure AD B2C, which forwards the application request to the Grit's app proxy redirect URI.

+5. The Grit's app proxy evaluates policies, calculates headers, and sends the user to the upstream application.

+6. The requested application appears.

+## Additional resources

+- [Grit app proxy documentation](https://www.gritiam.com/appProxy.html)

+- [Configure the Grit IAM B2B2C solution with Azure AD B2C](partner-grit-iam.md)

+- [Edit Azure AD B2C Identity Experience Framework (IEF) XML with Grit Visual IEF Editor](partner-grit-editor.md)

+- [Configure Grit biometric authentication with Azure AD B2C](partner-grit-authentication.md)

+ Title: Configure Grit's biometric authentication with Azure Active Directory B2C

+description: Learn how Grit's biometric authentication with Azure AD B2C secures your account

+# Configure Grit's biometric authentication with Azure Active Directory B2C

+In this sample tutorial, learn how to integrate [Grit's](https://www.gritiam.com) Biometric authentication with Azure Active Directory B2C (Azure AD B2C). Biometric authentication provides users the option to sign in using finger print, face ID or [Windows Hello](https://support.microsoft.com/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0). It works both on desktop and mobile applications, provided the device is capable of doing biometric authentication.

+Biometric authentication has the following benefits:

+1. For users who sign in infrequently or forget passwords often resulting in frequent password resets, biometric authentication reduces friction.

+2. Compared to Multi-factor authentication (MFA), biometric authentication is cheaper and more secure.

+3. Improved security prevents phishing attack for high valued customers.

+4. Adds an additional layer of authentication before the user performs a high value operation like credit card transaction.

+## Prerequisites

+To get started, you'll need:

+- License to [Grit's Visual IEF builder](https://www.gritiefedit.com/). Contact [Grit support](mailto:info@gritsoftwaresystems.com) for licensing details. For this tutorial you don't need a license.

+- An Azure subscription. If you don't have one, get a [free account](https://azure.microsoft.com/free/).

+- An [Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.

+## Scenario description

+In this tutorial, we'll cover the following scenario:

+The end user creates an account with username and password (and MFA if needed). If their device supports biometric, they're enrolled in biometrics, and their account is linked to the biometric authentication of the device. Any future logins in that device, unless the user chooses not to, will happen through biometrics.

+The user can link multiple devices to the same account. User will have to sign in through their email/password (and MFA if needed), they'll then be presented with an option to link a new device.

+For example, user has an account with Contoso. User accesses the account from the computer at work that supports Windows Hello. User also accesses the account from the home computer that doesn't support Windows Hello and an Android phone.

+1. After logging in with the work computer, user will be presented with an option to enroll in Windows Hello. If user chooses to do so, any future logins will happen through Windows Hello.

+1. After logging in with the home computer, user won't be prompted to enroll in biometrics as the device doesn't support biometrics.

+1. After logging in with the Android phone, user will be asked to enroll in biometrics. Any future logins will happen through biometrics.

+Using Grit's visual flow chart multiple other scenarios can be implemented. Contact [Grit support](mailto:info@gritsoftwaresystems.com) to discuss your scenarios.

+## Onboard with Grit's biometric authentication

+Contact [Grit support](mailto:info@gritsoftwaresystems.com) for details to get onboarded.

+### Configure Grit's biometric authentication with Azure AD B2C

+1. Navigate to <https://www.gritiefedit.com> and enter your email if you're asked for it.

+1. Press cancel in the quick start wizard.

+1. In the pop-up, select **Customize User Journey**. Under Bio Metric, select the checkbox for **Enable Biometric**.

+1. Scroll down and select **Generate template**, a flow chart appears.

+1. From the left menu, select **Run Flowcharts** > **Deploy flow charts**.

+1. If your device supports Windows Hello or biometric authenticator,

+ select **Test Authentication Journey Builder** link, otherwise send

+ the link to a device that supports biometric authentication.

+1. A web page will open on a new tab. Under **Sign in with your social account**, select **createNewAccount**.

+1. Go through the steps to create an account. When asked for **Setup Biometric Device sign in**, select **yes**.

+1. Steps to perform the biometric depends on the device you are in.

+1. A page appears that displays the token. Open the provided link.

+1. This time the sign-in will happen through biometrics.

+Repeat the same steps for another device. No need to sign up again, use the credentials created to sign in.

+## Additional resources

+- [Grit documentation](https://app.archbee.com/public/PREVIEW-ddjwV0RI2eVfcBOylxFGI/PREVIEW-bjH2arQd1Kn4le6z_zH84)

+- [Configure the Grit IAM B2B2C solution with Azure AD B2C](partner-grit-iam.md)

+- [Edit Azure AD B2C Identity Experience Framework (IEF) XML with Grit Visual IEF Editor](partner-grit-editor.md)

+- [Migrate legacy apps to Azure AD B2C with Grit's app proxy](partner-grit-app-proxy.md)

+>[!NOTE]

+> For users in on-premises Active Directory, you must sync the users to Azure AD. You can sync users and attributes using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) or [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md). Both of these solutions automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as SAMAccountName) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect) or [use Azure AD Connect cloud sync](#create-an-extension-attribute-using-cloud-sync). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service.

+## Create an extension attribute using cloud sync

+Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping. Use the steps below to auto-discover these attributes and set up a corresponding mapping to Azure AD.

+1. Sign-in to the Azure portal with a hybrid administrator account

+2. Select Azure AD Connect

+3. Select **Manage Azure AD cloud sync**

+4. Select the configuration you wish to add the extension attribute and mapping

+5. Under **Manage attributes** select **click to edit mappings**

+6. Click **Add attribute mapping**. The attributes will automatically be discovered.

+7. The new attributes will be available in the drop-down under **source attribute**.

+8. Fill in the type of mapping you want and click **Apply**.

+ [](media/user-provisioning-sync-attributes-for-mapping/schema-1.png#lightbox)

+For more information, see [Cloud Sync Custom Attribute Mapping](../cloud-sync/custom-attribute-mapping.md)

+**Steps to set up passwordless phone signin(PSI) with CBA**

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Follow the steps at [Enable passwordless phone sign-in authentication](../authentication/howto-authentication-passwordless-phone.md#enable-passwordless-phone-sign-in-authentication-methods)

+ >[!IMPORTANT]

+ >In the above configuration under step 4, please choose **Passwordless** option. Change the mode for each groups added for PSI for **Authentication mode**, choose **Passwordless** for passwordless sign-in to work with CBA.

+## Username policies

+| Characters allowed |A ΓÇô Z<br>a - z<br>0 ΓÇô 9<br>' \. - \_ ! \# ^ \~ |

+| Characters not allowed |Any "\@\" character that's not separating the username from the domain.<br>Can't contain a period character "." immediately preceding the "\@\" symbol |

+| Length constraints |The total length must not exceed 113 characters<br>There can be up to 64 characters before the "\@\" symbol<br>There can be up to 48 characters after the "\@\" symbol |

+## Azure AD password policies

+| Characters allowed |A ΓÇô Z<br>a - z<br>0 ΓÇô 9<br>@ # $ % ^ & * - _ ! + = [ ] { } &#124; \ : ' , . ? / \` ~ " ( ) ; < ><br>Blank space |

+| Characters not allowed | Unicode characters |

+| Password restrictions |A minimum of 8 characters and a maximum of 256 characters.<br>Requires three out of four of the following:<br>- Lowercase characters<br>- Uppercase characters<br>- Numbers (0-9)<br>- Symbols (see the previous password restrictions) |

+| Password expiry duration (Maximum password age) |Default value: **90** days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with [Get-MsolPasswordPolicy](/powershell/module/msonline/get-msolpasswordpolicy).<br>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure Active Directory Module for Windows PowerShell.|

+| Password expiry (Let passwords never expire) |Default value: **false** (indicates that passwords have an expiration date).<br>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet. |

+- It's within the first 30 days of a trial subscription

+ -Or-

+- A custom domain isn't configured (the tenant is using the default **.onmicrosoft.com*, which isn't recommended for production use) and Azure AD Connect isn't synchronizing identities.

+## Password expiration policies

+> [!NOTE]

+> For information on AWS service quotas, and to request an AWS service quota increase, visit [the AWS documentation](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

+ Title: 'Azure AD Connect cloud sync directory extensions and custom attribute mapping'

+description: This topic provides information on custom attribute mapping in cloud sync.

+# Cloud Sync directory extensions and custom attribute mapping

+## Directory extensions

+You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises.

+For additional information on directory extensions see [Using directory extension attributes in claims](../develop/active-directory-schema-extensions.md)

+ You can see the available attributes by using [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). You can also use this feature to create dynamic groups in Azure AD.

+>[!NOTE]

+> In order to discover new Active Directory extension attributes, the provisioning agent needs to be restarted. You should restart the agent after the directory extensions have been created. For Azure AD extension attributes, the agent doesn't need to be restarted.

+

+## Syncing directory extensions for Azure Active Directory Connect cloud sync

+You can use [directory extensions](/graph/api/resources/extensionproperty?view=graph-rest-1.0&preserve-view=true) to extend the synchronization schema directory definition in Azure Active Directory (Azure AD) with your own attributes.

+>[!Important]

+> Directory extension for Azure Active Directory Connect cloud sync is only supported for applications with the identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥ and the [Tenant Schema Extension App](../hybrid/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard) created by Azure AD Connect

+### Create application and service principal for directory extension

+You need to create an [application](/graph/api/resources/application?view=graph-rest-1.0&preserve-view=true) with the identifier URI "api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp" if it doesn't exist and create a service principal for the application if it doesn't exist.

+ 1. Check if application with the identifier URI "api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp" exists.

+ - Using Microsoft Graph

+ ```

+ GET /applications?$filter=identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')

+ ```

+ For more information, see [Get application](/graph/api/application-get?view=graph-rest-1.0&tabs=http&preserve-view=true)

+ - Using PowerShell

+

+ ```

+ Get-AzureADApplication -Filter "identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')"

+ ```

+ For more information, see [Get-AzureADApplication](/powershell/module/azuread/get-azureadapplication?view=azureadps-2.0&preserve-view=true)

+ 2. If the application doesn't exist, create the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp.ΓÇ¥

+ - Using Microsoft Graph

+ ```

+ POST https://graph.microsoft.com/v1.0/applications

+ Content-type: application/json

+ {

+ "displayName": "CloudSyncCustomExtensionsApp",

+ "identifierUris": ["api://<tenant id>/CloudSyncCustomExtensionsApp"]

+ }

+ ```

+ For more information, see [create application](/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http&preserve-view=true)

+ - Using PowerShell

+ ```

+ New-AzureADApplication -DisplayName "CloudSyncCustomExtensionsApp" -IdentifierUris "api://<tenant id>/CloudSyncCustomExtensionsApp"

+ ```

+ For more information, see [New-AzureADApplication](/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0&preserve-view=true)

+

+ 3. Check if the service principal exists for the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥.

+ - Using Microsoft Graph

+ ```

+ GET /servicePrincipals?$filter=(appId eq '{appId}')

+ ```

+ For more information, see [get service principal](/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http&preserve-view=true)

+ - Using PowerShell

+ ```

+ Get-AzureADServicePrincipal -ObjectId '<application objectid>'

+ ```

+ For more information, see [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal?view=azureadps-2.0&preserve-view=true&preserve-view=true)

+

+ 4. If a service principal doesn't exist, create a new service principal for the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥

+ - Using Microsoft Graph

+ ```

+ POST https://graph.microsoft.com/v1.0/servicePrincipals

+ Content-type: application/json

+ {

+ "appId":

+ "<application appId>"

+ }

+ ```

+ For more information, see [create servicePrincipal](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http&preserve-view=true)

+ - Using PowerShell

+

+ ```

+ New-AzureADServicePrincipal -AppId '<appId>'

+ ```

+ For more information, see [New-AzureADServicePrincipal](/powershell/module/azuread/new-azureadserviceprincipal?view=azureadps-2.0&preserve-view=true)

+

+ 5. You can create directory extensions in Azure AD in several different ways.

+|Method|Description|URL|

+|--|--|--|

+|MS Graph|Create extensions using GRAPH|[Create extensionProperty](/graph/api/application-post-extensionproperty?view=graph-rest-1.0&tabs=http&preserve-view=true)|

+|PowerShell|Create extensions using PowerShell|[New-AzureADApplicationExtensionProperty](/powershell/module/azuread/new-azureadapplicationextensionproperty?view=azureadps-2.0&preserve-view=true)|

+Using Cloud Sync and Azure AD Connect|Create extensions using Azure AD Connect|[Create an extension attribute using Azure AD Connect](../app-provisioning/user-provisioning-sync-attributes-for-mapping.md#create-an-extension-attribute-using-azure-ad-connect)|

+|Customizing attributes to sync|Information on customizing which attributes to synch|[Customize which attributes to synchronize with Azure AD](../hybrid/how-to-connect-sync-feature-directory-extensions.md#customize-which-attributes-to-synchronize-with-azure-ad)

+## Use attribute mapping to map Directory Extensions

+If you have extended Active Directory to include custom attributes, you can add these attributes and map them to users.

+To discover and map attributes, click **Add attribute mapping**. The attributes will automatically be discovered and will be available in the drop-down under **source attribute**. Fill in the type of mapping you want and click **Apply**.

+ [](media/custom-attribute-mapping/schema-1.png#lightbox)

+For information on new attributes that are added and updated in Azure AD see the [user resource type](/graph/api/resources/user?view=graph-rest-1.0#properties&preserve-view=true) and consider subscribing to [change notifications](/graph/webhooks).

+For more information on extension attributes, see [Syncing extension attributes for Azure Active Directory Application Provisioning](../app-provisioning/user-provisioning-sync-attributes-for-mapping.md)

+## Additional resources

+- [Understand the Azure AD schema and custom expressions](concept-attributes.md)

+- [Azure AD Connect sync: Directory extensions](../hybrid/how-to-connect-sync-feature-directory-extensions.md)

+- [Attribute mapping in Azure AD Connect cloud sync](how-to-attribute-mapping.md)

+ Title: 'Azure AD cloud sync insights workbook'

+description: This article describes the Azure Monitor workbook for cloud sync.

+# Azure AD cloud sync insights workbook

+The Cloud sync workbook provides a flexible canvas for data analysis. The workbook allows you to create rich visual reports within the Azure portal. To learn more, see Azure Monitor Workbooks overview.

+This workbook is intended for Hybrid Identity Admins who use cloud sync to sync users from AD to Azure AD. It allows admins to gain insights into sync status and details.

+The workbook can be accessed by select **Insights** on the left hand side of the cloud sync page.

+ :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-1.png" alt-text="Screenshot of the cloud sync workbook." lightbox="media/how-to-cloud-sync-workbook/workbook-1.png":::

+>[!NOTE]

+>The Insights node is available at both the all configurations level and the individual configuration level. To view information on individual configurations select the Job Id for the configuration.

+This workbook:

+- Provides a synchronization summary of users and groups synchronized from AD to Azure AD

+- Provides a detailed view of information captured by the cloud sync provisioning logs.

+- Allows you to customize the data to tailor it to your specific needs

+|Field|Description|

+|--|--|

+|Date|The range that you want to view data on.|

+|Status|View the provisioning status such as Success or Skipped.|

+|Action|View the provisioning actions taken such as Create or Delete.|

+|Job Id|Allows you to target specific Job Ids. This can be used to see individual configuration data if you have multiple configurations.|

+|SyncType|Filter by type of synchronization such as object or password.|

+## Enabling provisioning logs

+You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md) and [Provisioning Logs for troubleshooting cloud sync](how-to-troubleshoot.md).

+## Sync summary

+The sync summary section provides a summary of your organizations synchronization activities. These activities include:

+ - Sync actions per day by action

+ - Sync actions per day by status

+ - Unique sync count by status

+ - Recent sync errors

+ :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-2.png" alt-text="Screenshot of the cloud sync summary." lightbox="media/how-to-cloud-sync-workbook/workbook-2.png":::

+## Sync details

+The sync details tab allows you to drill into the synchronization data and get more information. This information includes:

+ - Objects sync by status

+ - Sync log details

+

+ :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-3.png" alt-text="Screenshot of the cloud sync details." lightbox="media/how-to-cloud-sync-workbook/workbook-3.png":::

+You can further drill in to the sync log details for additional information.

+ :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-4.png" alt-text="Screenshot of the log details." lightbox="media/how-to-cloud-sync-workbook/workbook-4.png":::

+## Job Id

+A Job Id will be created for each configuration when it runs and is populated with data. You can look at individual configuration based on Job Id.

+## Custom queries

+You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](../../azure-monitor/logs/get-started-queries.md). Also, be sure to check out [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md).

+## Custom alerts

+Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.

+To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-log.md).

+## Next steps

+- [What is provisioning?](what-is-provisioning.md)

+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)

+- [Known limitations](how-to-prerequisites.md#known-limitations)

+- [Error codes](reference-error-codes.md)

+## Directory extensions and custom attribute mapping.

+Azure AD Connect cloud sync allows you to extend the directory with extensions and provides for custom attribute mapping. For more information see [Directory extensions and custom attribute mapping](custom-attribute-mapping.md).

+- Ensure that values in **Initial password** comply with the currently active [password policy](../authentication/concept-sspr-policy.md#username-policies).

+In this tutorial, you work for WoodGrove Bank as an IT administrator. YouΓÇÖve been asked to create an access package to onboard partners from an outside organization that your business group is working with. They'll need access to a Teams group called **External collaboration**.

+1. In the Azure portal, in the left navigation, select **Azure Active Directory**.

+2. In the left menu, select **Identity Governance**.

+3. In the left menu, select **Access packages**. If you see Access denied, ensure that an Azure AD Premium P2 license is present in your directory.

+4. Select **New access package**.

+1. Select **Next** to open the **Resource roles** tab.

+2. Select on **Groups and Teams** and search for your group **External collaboration**.

+1. Select **Next** to open the **Requests** tab.

+2. In the **Users who can request access** section, select **For users not in your directory** and then select **All users (All connected organizations + any new external users)**.

+3. Because any user who isn't yet in your directory can view and submit a request for this access package, **Yes** is mandatory for the **Require approval** setting.

+1. Select **Next** to open the **Requestor information** tab

+1. Select **Next** to open the **Lifecycle** tab

+1. Select **Next** to open the **Review + Create** tab.

+3. When you're happy with your selections, select on **Create**. After a few moments, you should see a notification that the access package was successfully created.

+1. In the **Azure portal**, in the left navigation, select **Azure Active Directory**.

+2. In the left menu, select **Identity Governance**.

+3. In the left menu, select **Access Packages**.

+5. Select **Resource Roles**.

+1. Look for an email or a message from the project or business manager you're working with. The email should include a link to the access package you'll need access to. The link starts with `myaccess`, includes a directory hint, and ends with an access package ID. (For US Government, the domain may be `https://myaccess.microsoft.us` instead.)

+ 1. Select the row to see Access package details, and then select Request access.

+ 1. Or select **Request access** directly.

+1. When finished, select **Submit** to submit your request.

+1. Select **Request history** to see a list of your requests and the status.

+1. Select **Request history** from the navigation menu to the left.

+1. Find the access package for which you're resubmitting a request.

+1. Select the check mark to select the access package.

+1. Select the blue **View** link to the right of the selected access package.

+1. Select the **Resubmit** button at the bottom of the pane.

+1. In the My Access portal, on the left, select **Request history** to see a list of your requests and the status.

+1. Select the **View** link for the request you want to cancel.

+1. If the request is still in the **pending approval** state, you can select **Cancel request** to cancel the request.

+1. Select **Request history** to confirm the request was canceled.

+* If you get an access denied message when configuring entitlement management, and you're a Global administrator, ensure that your directory has an [Azure AD Premium P2 (or EMS E5) license](entitlement-management-overview.md#license-requirements). If you've recently renewed an expired Azure AD Premium P2 subscription, then it may take 8 hours for this license renewal to be visible.

+* If your tenant's Azure AD Premium P2 license has expired, then you won't be able to process new access requests or perform access reviews.

+* If you get an access denied message when creating or viewing access packages, and you're a member of a Catalog creator group, you must [create a catalog](entitlement-management-catalog-create.md) prior to creating your first access package.

+* Roles for applications are defined by the application itself and are managed in Azure AD. If an application doesn't have any resource roles, entitlement management assigns users to a **Default Access** role.

+ The Azure portal may also show service principals for services that can't be selected as applications. In particular, **Exchange Online** and **SharePoint Online** are services, not applications that have resource roles in the directory, so they can't be included in an access package. Instead, use group-based licensing to establish an appropriate license for a user who needs access to those services.

+* Applications that only support Personal Microsoft Account users for authentication, and don't support organizational accounts in your directory, don't have application roles and can't be added to access package catalogs.

+* For a group to be a resource in an access package, it must be able to be modifiable in Azure AD. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either.

+* SharePoint Online document libraries and individual documents can't be added as resources. Instead, create an [Azure AD security group](../fundamentals/active-directory-groups-create-azure-portal.md), include that group and a site role in the access package, and in SharePoint Online use that group to control access to the document library or document.

+* When you remove a member of a team, they're removed from the Microsoft 365 Group as well. Removal from the team's chat functionality might be delayed. For more information, see [Group membership](/microsoftteams/office-365-groups#group-membership).

+* When an external user wants to request access to an access package, make sure they're using the **My Access portal link** for the access package. For more information, see [Share link to request an access package](entitlement-management-access-package-settings.md). If an external user just visits **myaccess.microsoft.com** and doesn't use the full My Access portal link, then they'll see the access packages available to them in their own organization and not in your organization.

+* If a new external user that has not previously signed in your directory receives an access package including a SharePoint Online site, their access package will show as not fully delivered until their account is provisioned in SharePoint Online. For more information about sharing settings, see [Review your SharePoint Online external sharing settings](entitlement-management-external-users.md#review-your-sharepoint-online-external-sharing-settings).

+* When a user wants to request access to an access package, be sure that they're using the **My Access portal link** for the access package. For more information, see [Share link to request an access package](entitlement-management-access-package-settings.md).

+* If you open the My Access portal with your browser set to in-private or incognito mode, this might conflict with the sign-in behavior. We recommend that you don't use in-private or incognito mode for your browser when you visit the My Access portal.

+* When a user who isn't yet in your directory signs in to the My Access portal to request an access package, be sure they authenticate using their organizational account. The organizational account can be either an account in the resource directory, or in a directory that is included in one of the policies of the access package. If the user's account isn't an organizational account, or the directory where they authenticate isn't included in the policy, then the user won't see the access package. For more information, see [Request access to an access package](entitlement-management-request-access.md).

+* If a user is blocked from signing in to the resource directory, they won't be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, select **Azure Active Directory**, select **Users**, select the user, and then select **Profile**. Edit the **Settings** section and change **Block sign in** to **No**. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/active-directory-users-profile-azure-portal.md). You can also check if the user was blocked due to an [Identity Protection policy](../identity-protection/howto-identity-protection-remediate-unblock.md).

+* In the My Access portal, if a user is both a requestor and an approver, they won't see their request for an access package on the **Approvals** page. This behavior is intentional - a user can't approve their own request. Ensure that the access package they're requesting has additional approvers configured on the policy. For more information, see [Change request and approval settings for an access package](entitlement-management-access-package-request-policy.md).

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. Select **Requests**.

+1. Select the count to see all of the request's delivery errors.

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. Select **Requests**.

+1. Select the request you want to reprocess.

+1. In the request details pane, select **Reprocess request**.

+You can only cancel a pending request that hasn't yet been delivered or whose delivery has failed.The **cancel** button would be grayed out otherwise.

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. Select **Requests**.

+1. Select the request you want to cancel.

+1. In the request details pane, select **Cancel request**.

+* For example, consider an access package with two policies for internal employees in which both policies apply to the requestor. The first policy is for specific users that include the requestor. The second policy is for all users in a directory that the requestor is a member of. In this scenario, the first policy is automatically selected for the requestor because it's more strict. The requestor isn't given the option to select the second policy.

+* [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)

+Learn more about [integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

+- [Custom installation of Azure AD Connect](how-to-connect-install-custom.md)

+zone_pivot_groups: enterprise-apps-minus-aad-powershell

+1. On the **Properties** pane, you may want to configure the following properties for your application:

+ - Logo

+ - User sign in options

+ - App visibility to users

+ - Set available URL options

+ - Choose whether app assignment is required

+

+Use the following Microsoft Graph PowerShell script to configure basic application properties.

+You'll need to consent to the `Application.ReadWrite.All` permission.

+```powershell

+Import-Module Microsoft.Graph.Applications

+$params = @{

+ Tags = @(

+ "HR"

+ "Payroll"

+ "HideApp"

+ )

+ Info = @{

+ LogoUrl = "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png"

+ MarketingUrl = "https://www.contoso.com/app/marketing"

+ PrivacyStatementUrl = "https://www.contoso.com/app/privacy"

+ SupportUrl = "https://www.contoso.com/app/support"

+ TermsOfServiceUrl = "https://www.contoso.com/app/termsofservice"

+ }

+ Web = @{

+ HomePageUrl = "https://www.contoso.com/"

+ LogoutUrl = "https://www.contoso.com/frontchannel_logout"

+ RedirectUris = @(

+ "https://localhost"

+ )

+ }

+ ServiceManagementReference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"

+}

+Update-MgApplication -ApplicationId $applicationId -BodyParameter $params

+```

+To configure the basic properties of an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.

+You'll need to consent to the `Application.ReadWrite.All` permission.

+Run the following Microsoft Graph query to configure basic application properties.

+```http

+PATCH https://graph.microsoft.com/v1.0/applications/0d0021e2-eaab-4b9f-a5ad-38c55337d63e/

+Content-type: application/json

+{

+ "tags": [

+ "HR",

+ "Payroll",

+ "HideApp"

+ ],

+ "info": {

+ "logoUrl": "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png",

+ "marketingUrl": "https://www.contoso.com/app/marketing",

+ "privacyStatementUrl": "https://www.contoso.com/app/privacy",

+ "supportUrl": "https://www.contoso.com/app/support",

+ "termsOfServiceUrl": "https://www.contoso.com/app/termsofservice"

+ },

+ "web": {

+ "homePageUrl": "https://www.contoso.com/",

+ "logoutUrl": "https://www.contoso.com/frontchannel_logout",

+ "redirectUris": [

+ "https://localhost"

+ ]

+ },

+ "serviceManagementReference": "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"

+}

+```

+You can also configure other advanced properties of both app registrations and enterprise applications (service principals) through Microsoft Graph. These include properties such as permissions, and role assignments. For more information, see [Create and manage an Azure AD application using Microsoft Graph](/graph/tutorial-applications-basics#configure-other-basic-properties-for-your-app).

+zone_pivot_groups: enterprise-apps-minus-aad-powershell

+#Customer intent: As an Azure AD administrator, I want to assign owners to enterprise applications.

+An [owner of an enterprise application](overview-assign-app-owners.md) in Azure Active Directory (Azure AD) can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the enterprise applications they own. In this article, you learn how to assign an owner of an application.

+Use the following Microsoft Graph PowerShell cmdlet to add an owner to an enterprise application.

+You'll need to consent to the `Application.ReadWrite.All` permission.

+In the following example, the user's object ID is 8afc02cb-4d62-4dba-b536-9f6d73e9be26 and the applicationId is 46e6adf4-a9cf-4b60-9390-0ba6fb00bf6b.

+```powershell

+Import-Module Microsoft.Graph.Applications

+$params = @{

+ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"

+}

+New-MgServicePrincipalOwnerByRef -ServicePrincipalId '46e6adf4-a9cf-4b60-9390-0ba6fb00bf6b' -BodyParameter $params

+```

+To assign an owner to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.

+You'll need to consent to the `Application.ReadWrite.All` permission.

+Run the following Microsoft Graph query to assign an owner to an application. You need the object ID of the user you want to assign the application to. In the following example, the user's object ID is 8afc02cb-4d62-4dba-b536-9f6d73e9be26 and the appId is 46e6adf4-a9cf-4b60-9390-0ba6fb00bf6b.

+```http

+POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='46e6adf4-a9cf-4b60-9390-0ba6fb00bf6b')/owners/$ref

+Content-Type: application/json

+{

+ "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"

+}

+```

+1. Under **Security**, select **Consent and permissions**.

+1. Under **Manage**, select **Admin consent settings**.

+ 

+

+ - **Selected users will receive request expiration reminders** - Enable or disable reminder email notifications to the reviewers when a request is about to expire.

+ > [!NOTE]

+ > You can add or remove reviewers for this workflow by modifying the **Select admin consent requests reviewers** list. A current limitation of this feature is that a reviewer can retain the ability to review requests that were made while they were designated as a reviewer.

+zone_pivot_groups: enterprise-apps-minus-portal-aad

+App consent policies where the ID begins with "microsoft-" are built-in policies. Some of these built-in policies are used in existing built-in directory roles. For example, the `microsoft-application-admin` app consent policy describes the conditions under which the Application Administrator and Cloud Application Administrator roles are allowed to grant tenant-wide admin consent. Built-in policies can be used in custom directory roles and to configure user consent settings, but can't be edited or deleted.

+1. A user or service with one of the following roles:

+

+

+ Repeat this step to add more "include" condition sets.

+ Repeat this step to add more "exclude" condition sets.

+To manage app consent policies, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.

+## List existing app consent policies

+It's a good idea to start by getting familiar with the existing app consent policies in your organization:

+1. List all app consent policies:

+```http

+GET /policies/permissionGrantPolicies?$select=id,displayName,description

+```

+1. View the "include" condition sets of a policy:

+```http

+GET /policies/permissionGrantPolicies/{ microsoft-application-admin }/includes

+```

+1. View the "exclude" condition sets:

+```http

+GET /policies/permissionGrantPolicies/{ microsoft-application-admin }/excludes

+```

+## Create a custom app consent policy

+Follow these steps to create a custom app consent policy:

+1. Create a new empty app consent policy.

+```http

+POST https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies

+Content-Type: application/json

+{

+ "id": "my-custom-policy",

+ "displayName": "My first custom consent policy",

+ "description": "This is a sample custom app consent policy"

+}

+```

+1. Add "include" condition sets.

+ Include delegated permissions classified "low", for apps from verified publishers

+```http

+POST https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies/{ my-custom-policy }/includes

+Content-Type: application/json

+{

+ "permissionType": "delegated",

+ ΓÇ£PermissionClassification: "low",

+ "clientApplicationsFromVerifiedPublisherOnly": true

+}

+```

+ Repeat this step to add more "include" condition sets.

+1. Optionally, add "exclude" condition sets.

+ Exclude delegated permissions for the Azure Management API (appId 46e6adf4-a9cf-4b60-9390-0ba6fb00bf6b)

+```http

+POST https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies/my-custom-policy /excludes

+Content-Type: application/json

+{

+ "permissionType": "delegated",

+ "resourceApplication": "46e6adf4-a9cf-4b60-9390-0ba6fb00bf6b "

+}

+```

+ Repeat this step to add more "exclude" condition sets.

+Once the app consent policy has been created, you can [allow user consent](configure-user-consent.md?tabs=azure-powershell#allow-user-consent-subject-to-an-app-consent-policy) subject to this policy.

+## Delete a custom app consent policy

+1. The following shows how you can delete a custom app consent policy. **This action canΓÇÖt be undone.**

+```http

+DELETE https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies/ my-custom-policy

+```

+> [!WARNING]

+> Deleted app consent policies cannot be restored. If you accidentally delete a custom app consent policy, you will need to re-create the policy.

+| PermissionClassification | The [permission classification](configure-permission-classifications.md) for the permission being granted, or "all" to match with any permission classification (including permissions that aren't classified). Default is "all". |

+| PermissionType | The permission type of the permission being granted. Use "application" for application permissions (for example, app roles) or "delegated" for delegated permissions. <br><br>**Note**: The value "delegatedUserConsentable" indicates delegated permissions that haven't been configured by the API publisher to require admin consent. This value may be used in built-in permission grant policies, but can't be used in custom permission grant policies. Required. |

+| ResourceApplication | The **AppId** of the resource application (for example, the API) for which a permission is being granted, or "any" to match with any resource application or API. Default is "any". |

+| ClientApplicationsFromVerifiedPublisherOnly | Set this switch to only match on client applications with a [verified publishers](../develop/publisher-verification-overview.md). Disable this switch (`-ClientApplicationsFromVerifiedPublisherOnly:$false`) to match on any client app, even if it doesn't have a verified publisher. Default is `$false`. |

+> [!WARNING]

+> Deleted app consent policies cannot be restored. If you accidentally delete a custom app consent policy, you will need to re-create the policy.

+## Features

+* Mounts secrets, keys, and certificates to a pod by using a CSI volume

+* Supports CSI inline volumes

+* Supports mounting multiple secrets store objects as a single volume

+* Supports pod portability with the `SecretProviderClass` CRD

+* Supports Windows containers

+* Syncs with Kubernetes secrets

+* Supports autorotation of mounted contents and synced Kubernetes secrets

+## Limitations

+A container using subPath volume mount won't receive secret updates when it's rotated. For more information, see [Secrets Store CSI Driver known limitations](https://secrets-store-csi-driver.sigs.k8s.io/known-limitations.html#secrets-not-rotated-when-using-subpath-volume-mount).

+## Prerequisites

+* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* Check that your version of the Azure CLI is 2.30.0 or later. If it's an earlier version, [install the latest version](/cli/azure/install-azure-cli).

+* If you're restricting Ingress to the cluster, make sure ports **9808** and **8095** are open.

+* The minimum recommended Kubernetes version is based on the [rolling Kubernetes version support window][kubernetes-version-support]. Make sure you're running version N-2 or later.

+1. Create an Azure resource group.

+ ```azurecli-interactive

+ az group create -n myResourceGroup -l eastus2

+ ```

+2. Create an AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability using the [`az aks create`][az-aks-create] command with the `azure-keyvault-secrets-provider` add-on.

+ ```azurecli-interactive

+ az aks create -n myAKSCluster -g myResourceGroup --enable-addons azure-keyvault-secrets-provider --enable-managed-identity

+ ```

+3. A user-assigned managed identity, named `azureKeyvaultSecretsProvider`, is created by the add-on to access Azure resources. The following example uses this identity to connect to the Azure key vault where the secrets will be stored, but you can also use other [identity access methods][identity-access-methods]. Take note of the identity's `clientId` in the output.

+ ```json

+ ...,

+ "addonProfiles": {

+ "azureKeyvaultSecretsProvider": {

+ ...,

+ "identity": {

+ "clientId": "<client-id>",

+ ...

+ }

+ }

+ ```

+* Upgrade an existing AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability using the [`az aks enable-addons`][az-aks-enable-addons] command with the `azure-keyvault-secrets-provider` add-on. The add-on creates a user-assigned managed identity you can use to authenticate to your Azure key vault.

+ ```azurecli-interactive

+ az aks enable-addons --addons azure-keyvault-secrets-provider --name myAKSCluster --resource-group myResourceGroup

+ ```

+1. Verify the installation is finished using the `kubectl get pods` command to list all pods that have the `secrets-store-csi-driver` and `secrets-store-provider-azure` labels in the kube-system namespace, and ensure that your output looks similar to the following output:

+ ```bash

+ kubectl get pods -n kube-system -l 'app in (secrets-store-csi-driver,secrets-store-provider-azure)'

+ NAME READY STATUS RESTARTS AGE

+ aks-secrets-store-csi-driver-4vpkj 3/3 Running 2 4m25s

+ aks-secrets-store-csi-driver-ctjq6 3/3 Running 2 4m21s

+ aks-secrets-store-csi-driver-tlvlq 3/3 Running 2 4m24s

+ aks-secrets-store-provider-azure-5p4nb 1/1 Running 0 4m21s

+ aks-secrets-store-provider-azure-6pqmv 1/1 Running 0 4m24s

+ aks-secrets-store-provider-azure-f5qlm 1/1 Running 0 4m25s

+ ```

+2. Verify that each node in your cluster's node pool has a Secrets Store CSI Driver pod and a Secrets Store Provider Azure pod running.

+In addition to an AKS cluster, you'll need an Azure key vault resource that stores the secret content.

+1. Create an Azure key vault using the [`az keyvault create`][az-keyvault-create] command. The name of the key vault must be globally unique.

+ ```azurecli

+ az keyvault create -n <keyvault-name> -g myResourceGroup -l eastus2

+ ```

+2. Your Azure key vault can store keys, secrets, and certificates. In this example, use the [`az keyvault secret set`][az-keyvault-secret-set] command to set a plain-text secret called `ExampleSecret`.

+ ```azurecli

+ az keyvault secret set --vault-name <keyvault-name> -n ExampleSecret --value MyAKSExampleSecret

+ ```

+3. Take note of the following properties for use in the next section:

+ * The name of the secret object in the key vault

+ * The object type (secret, key, or certificate)

+ * The name of your Azure key vault resource

+ * The Azure tenant ID that the subscription belongs to

+* An [Azure Active Directory pod identity][aad-pod-identity] (preview)

+* An [Azure Active Directory workload identity][aad-workload-identity] (preview)

+* A user-assigned or system-assigned managed identity

+> [!IMPORTANT]

+> The rest of the examples on this page require that you've followed the instructions in [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods], chosen one of the identity methods, and configured a SecretProviderClass. Come back to this page after completing those steps.

+* Use the following commands to validate your secrets and print a test secret.

+ ```bash

+ ## show secrets held in secrets-store

+ kubectl exec busybox-secrets-store-inline -- ls /mnt/secrets-store/

+ ## print a test secret 'ExampleSecret' held in secrets-store

+ kubectl exec busybox-secrets-store-inline -- cat /mnt/secrets-store/ExampleSecret

+ ```

+* Disable the Azure Key Vault Provider for Secrets Store CSI Driver capability in an existing cluster using the [`az aks disable-addons`][az-aks-disable-addons] command with the `azure-keyvault-secrets-provider` add-on.

+ ```azurecli-interactive

+ az aks disable-addons --addons azure-keyvault-secrets-provider -g myResourceGroup -n myAKSCluster

+ ```

+## More configuration options

+> **Mount the Kubernetes Secret as a volume**: Use the autorotation and Sync K8s secrets features of Secrets Store CSI Driver. The application will need to watch for changes from the mounted Kubernetes Secret volume. When the Kubernetes Secret is updated by the CSI Driver, the corresponding volume contents are automatically updated.

+#### Enable autorotation on a new AKS cluster

+* Enable autorotation of secrets using the `enable-secret-rotation` parameter when you create your cluster.

+ ```azurecli-interactive

+ az aks create -n myAKSCluster2 -g myResourceGroup --enable-addons azure-keyvault-secrets-provider --enable-secret-rotation

+ ```

+#### Enable autorotation on an existing AKS cluster

+* Update an existing cluster to enable autorotation of secrets using the [`az aks addon update`][az-aks-addon-update] command and the `enable-secret-rotation` parameter.

+ ```azurecli-interactive

+ az aks addon update -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider --enable-secret-rotation

+ ```

+#### Specify a custom rotation interval

+* Specify a custom rotation interval using the `rotation-poll-interval` parameter.

+ ```azurecli-interactive

+ az aks addon update -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider --enable-secret-rotation --rotation-poll-interval 5m

+ ```

+#### Disable autorotation

+* To disable autorotation, first disable the addon. Then, re-enable the addon without the `enable-secret-rotation` parameter.

+ ```azurecli-interactive

+ # disable the addon

+ az aks addon disable -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider

+ # re-enable the addon without the `enable-secret-rotation` parameter

+ az aks addon enable -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider

+ ```

+### Sync mounted content with a Kubernetes secret

+You might want to create a Kubernetes secret to mirror your mounted secrets content. Your secrets will sync after you start a pod to mount them. When you delete the pods that consume the secrets, your Kubernetes secret will also be deleted.

+To sync mounted content with a Kubernetes secret, use the `secretObjects` field when creating a `SecretProviderClass` to define the desired state of the Kubernetes secret, as shown in the following example.

+> Make sure the `objectName` in the `secretObjects` field matches the file name of the mounted content. If you use `objectAlias` instead, it should match the object alias.

+After creating the Kubernetes secret, you can reference it by setting an environment variable in your pod, as shown in the following example code.

+> The example YAML demonstrates access to a secret through env variables and through volume/volumeMount. This is for illustrative purposes; a typical application would use one method or the other. However, be aware that in order for a secret to be available through env variables, it first must be mounted by at least one pod.

+## Access metrics

+Metrics are served via Prometheus from port 8898, but this port isn't exposed outside the pod by default.

+* Access the metrics over localhost using `kubectl port-forward`.

+ ```bash

+ kubectl port-forward -n kube-system ds/aks-secrets-store-provider-azure 8898:8898 & curl localhost:8898/metrics

+ ```

+#### Metrics provided by the Azure Key Vault Provider for Secrets Store CSI Driver

+Metrics are served from port 8095, but this port isn't exposed outside the pod by default.

+* Access the metrics over localhost using `kubectl port-forward`.

+ ```bash

+ kubectl port-forward -n kube-system ds/aks-secrets-store-csi-driver 8095:8095 &

+ curl localhost:8095/metrics

+ ```

+#### Metrics provided by the Secrets Store CSI Driver

+For generic troubleshooting steps, see [Azure Key Vault Provider for Secrets Store CSI Driver troubleshooting](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/troubleshooting/).

+In this article, you learned how to use the Azure Key Vault Provider for Secrets Store CSI Driver with an AKS cluster. To learn more about the Azure Key Vault Provider for Secrets Store CSI Driver, see:

+* [Using the Azure Key Vault Provider](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/usage/)

+* [Upgrading the Azure Key Vault Provider](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/upgrading/)

+* [Using Secrets Store CSI with AKS and Azure Key Vault](https://github.com/Azure-Samples/secrets-store-csi-with-aks-akv)

+[az-keyvault-create]: /cli/azure/keyvault#az-keyvault-create.md

+[az-keyvault-secret-set]: /cli/azure/keyvault#az-keyvault-secret-set.md

+[az-aks-addon-update]: /cli/azure/aks#addon-update.md

+2. With the pod deployed, run the following command and verify the *hello-apparmor* pod shows a *Running* status:

+ hello-apparmor 0/1 Running 0 50s

+ - "fqdn-subdomain" can be utilized with "CUSTOM_PRIVATE_DNS_ZONE_RESOURCE_ID" only to provide subdomain capabilities to `privatelink.<region>.azmk8s.io`.

+ - If your AKS cluster is configured with an Active Directory service principal, AKS does not support using a system-assigned managed identity with custom private DNS zone.

+[network-contributor-role]: ../role-based-access-control/built-in-roles.md#network-contributor

+> [!NOTE]

+> If AKS has custom private DNS zone, AKS does not support to use system-assigned managed identity.

+| header-name | The name of the HTTP header holding the token. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | `Authorization` |

+The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the default `Authorization` header using the `Bearer` scheme. In this example, the Azure AD tenant ID and client application ID are provided using named values.

+| **Training file size * Template** | 50 MB ⁴ | 50 MB (default value) |

+| Adjustable | No | No |

+| **Total Training dataset size * Template** | 150 MB ⁴ | 150 MB (default value) |

+ * The identity used needs to at least have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`) and 'Read' permission on the resource group the Azure Arc Cluster is targeting.

+ - Azure Red Hat OpenShift

+For issues encountered with Arc resource bridge, collect logs for further investigation using the Azure CLI [`az arcappliance logs`](/cli/azure/arcappliance/logs) command. This command needs to be run from the same management machine that was used to run commands to deploy the Arc resource bridge. If there is a problem collecting logs, most likely the management machine is unable to reach the Appliance VM, and the network administrator needs to allow communication between the management machine to the Appliance VM.

+The `az arcappliance logs` command requires SSH to the Azure Arc resource bridge VM. The SSH key is saved to the management machine. To use a different machine to run the logs command, make sure the following files are copied to the machine in the same location:

+If you are experiencing connectivity, check to make sure your network allows all of the firewall and proxy URLs that are required to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs. For more information, see [Azure Arc resource bridge (preview) network requirements](network-requirements.md).

+Be sure that the proxy server on your management machine trusts both the SSL certificate for your SSL proxy and the SSL certificate of the Microsoft download servers.

+While trying to deploy Arc Resource Bridge, a "KVA timeout error" may appear. The "KVA timeout error" is a generic error that can be the result of a variety of network misconfigurations that involve the management machine, Appliance VM, or Control Plane IP not having communication with each other, to the internet, or required URLs. This communication failure is often due to issues with DNS resolution, proxy settings, network configuration, or internet access.

+For clarity, "management machine" refers to the machine where deployment CLI commands are being run. "Appliance VM" is the VM that hosts Arc resource bridge. "Control Plane IP" is the IP of the control plane for the Kubernetes management cluster in the Appliance VM.

+- Management machine is unable to communicate with Control Plane IP and Appliance VM IP.

+- Appliance VM is unable to communicate with the management machine, vCenter endpoint (for VMware), or MOC cloud agent endpoint (for Azure Stack HCI).ΓÇ»

+- Proxy server configuration on the management machine or Arc resource bridge configuration files is incorrect. This can impact both the management machine and the Appliance VM. When the `az arcappliance prepare` command is run, the management machine won't be able to connect and download OS images if the host proxy isn't correctly configured. Internet access on the Appliance VM might be broken by incorrect or missing proxy configuration, which impacts the VM’s ability to pull container images. 

+1. When there is a problem with deployment, the first step is to collect logs by Appliance VM IP (not by kubeconfig, as the kubeconfig may be empty if deploy command did not complete). Problems collecting logs are most likely due to the management machine being unable to reach the Appliance VM.

+1. The management machine must be able to communicate with the Appliance VM IP and Control Plane IP. Ping the Control Plane IP and Appliance VM IP from the management machine and verify there is a response from both IPs.

+ If a request times out, the management machine is not able to communicate with the IP(s). This could be caused by a closed port, network misconfiguration or a firewall block. Work with your network administrator to allow communication between the management machine to the Control Plane IP and Appliance VM IP.

+1. Appliance VM IP and Control Plane IP must be able to communicate with the management machine and vCenter endpoint (for VMware) or MOC cloud agent endpoint (for HCI). Work with your network administrator to ensure the network is configured to permit this. This may require adding a firewall rule to open port 443 from the Appliance VM IP and Control Plane IP to vCenter or port 65000 and 55000 for Azure Stack HCI MOC cloud agent. Review [network requirements for Azure Stack HCI](/azure-stack/hci/manage/azure-arc-vm-management-prerequisites#network-port-requirements) and [VMware](../vmware-vsphere/quick-start-connect-vcenter-to-arc-using-script.md) for Arc resource bridge.

+1. In a non-proxy environment, the management machine must have external and internal DNS resolution. The management machine must be able to reach a DNS server that can resolve internal names such as vCenter endpoint for vSphere or cloud agent endpoint for Azure Stack HCI. The DNS server also needs to be able to [resolve external addresses](#restricted-outbound-connectivity), such as Azure URLs and OS image download URLs. Work with your system administrator to ensure that the management machine has internal and external DNS resolution. In a proxy environment, the DNS resolution on the proxy server should resolve internal endpoints and [required external addresses](#restricted-outbound-connectivity).

+ To test DNS resolution to an internal address from the management machine in a non-proxy scenario, open command prompt and run `nslookup <vCenter endpoint or HCI MOC cloud agent IP>`. You should receive an answer if the management machine has internal DNS resolution in a non-proxy scenario. 

+To resolve this issue, perform the following steps to configure your management machine with the Azure CLI 64-bit version:

+|France Central| 100 | 60 |

+|North Europe| 100 | 100 |

+|South Central US| 100 | 100 |

+|UK South| 100 | 100 |

+|West US| 100 | 100 |

+This section outlines variations and considerations when using Security services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=payment-hsm,azure-sentinel,azure-dedicated-hsm,information-protection,application-gateway,vpn-gateway,security-center,key-vault,active-directory-ds,ddos-protection,active-directory&regions=usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+### [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)

+For feature variations and limitations, see [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov).

+[Render service V2](/rest/api/maps/render-v2) introduces a new version of the [Get Map Tile V2 API](/rest/api/maps/render-v2/get-map-tile) that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 (where applicable) tile sizes and numerous map types such as road, weather, contour, or map tiles created using Azure Maps Creator. For a complete list, see [TilesetID](/rest/api/maps/render-v2/get-map-tile#tilesetid) in the REST API documentation. It's recommended that you use Render service V2 instead of Render service V1. You're required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service V2, either as basemaps or layers, in any third-party map control. For more information, see [How to use the Get Map Attribution API](how-to-show-attribution.md).

+Weather services offer APIs that developers can use to retrieve weather information for a particular location. The information contains details such as observation date and time, brief description of the weather conditions, weather icon, precipitation indicator flags, temperature, and wind speed information. Other details such as RealFeelΓäó Temperature and UV index are also returned.

+| [Search][search readme] | [@azure-rest/maps-search][search package] | [search samples][search sample] |

+[search package]: https://www.npmjs.com/package/@azure-rest/maps-search

+[search readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-search-rest/README.md

+[search sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-search-rest/samples/v1-beta

+[js search readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-search-rest/README.md

+[js search package]: https://www.npmjs.com/package/@azure-rest/maps-search

+[js search sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-search-rest/samples/v1-beta/javascript

+| Oct 2022 | **Windows** <ul><li>Increased reliability of data uploads</li><li>Data quality improvements</li></ul> **Linux** <ul><li>Support for `http_proxy` and `https_proxy` environment variables for [network proxy configurations](./azure-monitor-agent-data-collection-endpoint.md#proxy-configuration) for the agent</li><li>[Text logs](./data-collection-text-log.md) <ul><li>Network proxy support enabled</li><li>Fixed missing `_ResourceId`</li><li>Increased maximum line size support to 1MB</li></ul></li><li>Support ingestion of syslog events whose timestamp is in the future</li><li>Performance improvements</li><li>Fixed `diskio` metrics instance name dimension to use the disk mount path(s) instead of the device name(s)</li><li>Fixed world writable file issue to lockdown write access to certain agent logs and configuration files stored locally on the machine</li></ul> | 1.10.0.0 | 1.24.2 |

+For more information about multi-resource alert rules and the resource types supported for this capability, see [Monitoring at scale using metric alerts in Azure Monitor](alerts-types.md#monitor-multiple-resources).

+|AvailableStorage |No |(deprecated) Available Storage |Bytes |Total |"Available Storage"will be removed from Azure Monitor at the end of September 2023. Cosmos DB collection storage size is now unlimited. The only restriction is that the storage size for each logical partition key is 20GB. You can enable PartitionKeyStatistics in Diagnostic Log to know the storage consumption for top partition keys. For more info about Cosmos DB storage quota, refer to [Azure Cosmos DB service limits]( ../../cosmos-db/concepts-limits.md). After deprecation, the remaining alert rules still defined on the deprecated metric will be automatically disabled post the deprecation date. |CollectionName, DatabaseName, Region |

+| Retrieve | Access log query results from a:<ul><li>Command line via the [Azure CLI](/cli/azure/monitor/log-analytics) or [Azure PowerShell cmdlets](/powershell/module/az.operationalinsights).</li><li>Custom app via the [REST API](/rest/api/loganalytics/) or client library for [.NET](/dotnet/api/overview/azure/Monitor.Query-readme), [Go](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/monitor/azquery), [Java](/java/api/overview/azure/monitor-query-readme), [JavaScript](/javascript/api/overview/azure/monitor-query-readme), or [Python](/python/api/overview/azure/monitor-query-readme).</li></ul> |

+- Learn about the [monitoring data available](../data-sources.md) for various resources in Azure.

+Log Analytics Dedicated clusters in Azure Monitor enable advanced capabilities, and higher query utilization, provided to linked Log Analytics workspaces. Clusters require a minimum ingestion commitment of 500 GB per day. You can link and unlink workspaces from a dedicated cluster without any data loss or service interruption.

+## Permissions

+- To save a query, you need the **Log Analytics Contributor** role.

+- To view a saved query, you need the **Log Analytics Reader** role.

+When you save a query, it's stored in a query pack, which has benefits over the previous method of storing the query in a workspace, including:

+> The search job feature is currently not supported for the following cases:

+> - Workspaces with [customer-managed keys](customer-managed-keys.md).

+> - Workspaces in the China East 2 region.

+> [!NOTE]

+> We recommend that you run your application on the Basic service tier, or higher, when using Snapshot Debugger. For most applications, the Free and Shared service tiers don't have enough memory or disk space to save snapshots. The Consumption tier is not currently available for Snapshot Debugger.

+* DNS PTR records must exist for each AD DS domain controller assigned to the **AD Site Name** specified in the Azure NetApp Files Active Directory connection.

+* PTR records must exist for all domain controllers in the site for ADDS LDAP over TLS to function properly.

+ >[!NOTE]

+ >DNS PTR records for the AD DS machine account(s) must be created in the AD DS **Organizational Unit** specified in the Azure NetApp Files AD connection for LDAP Signing to work.

+* Ensure that the PTR records for the AD DS domain controllers used by Azure NetApp Files have been created on the DNS servers.

+* If dynamic DNS updates are not used, you need to manually create an A record and a PTR record for the AD DS machine account(s) created in the AD DS **Organizational Unit** (specified in the Azure NetApp Files AD connection) to support Azure NetApp FIles LDAP Signing, LDAP over TLS, SMB, dual-protocol, or Kerberos NFSv4.1 volumes.

+- You have a connection to the Azure VMware Solution private cloud through your on-premises environment or your native Azure Virtual Network.

+At this point, you should have already deployed an Azure VMware Solution private cloud. You need to have a connection from your on-premises environment or your native Azure Virtual Network to the Azure VMware Solution private cloud.

+ - `k8sNodeIPPoolStart`, `k8sNodeIPPoolEnd`, `gatewayIPAddress` ,`applianceControlPlaneIpAddress` are optional. You may choose to skip all the optional fields or provide values for all. If you choose not to provide the optional fields, then you must use /28 address space for `networkCIDRForApplianceVM`

+When **cloud admin** credentials are updated, use the following steps to update the credentials in the appliance store.

+1. Log in to the jumpbox VM from where onboarding was performed. Change the directory to **onboarding directory**.

+1. Delete the resource bridge Azure Resource Manager resource.

+1. Log in to your Azure VMware Solution private cloud.

+**Region support for Azure VMware Solution**

+Arc for Azure VMware Solution is supported in all regions where Arc for VMware vSphere on-premises is supported. For more details, see [Azure Arc-enabled VMware vSphere](https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview).

+DHCP support isn't available to customers at this time, we only support static IP.

+[Azure Policy](../governance/policy/overview.md) is a free service in Azure to create, assign, and manage policies that enforce rules and effects to ensure your resources stay compliant with your corporate standards and service level agreements. Use these policies to audit Web PubSub resources for compliance.

+This article describes the built-in policies for Azure Web PubSub Service.

+The following table contains an index of Azure Policy built-in policy definitions for Azure Web PubSub. For Azure Policy built-ins for other services, see [Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md).

+The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).

+When assigning a policy definition:

+* You can assign policy definitions using the [Azure portal](../governance/policy/assign-policy-portal.md), [Azure CLI](../governance/policy/assign-policy-azurecli.md), a [Resource Manager template](../governance/policy/assign-policy-template.md), or the Azure Policy SDKs.

+* Policy assignments can be scoped to a resource group, a subscription, or an [Azure management group](../governance/management-groups/overview.md).

+* You can enable or disable [policy enforcement](../governance/policy/concepts/assignment-structure.md#enforcement-mode) at any time.

+* Web PubSub policy assignments apply to existing and new Web PubSub resources within the scope.

+1. Open the Azure portal and search for **Policy**.

+1. Select **Policy**.

+1. Use the filters to display by **Scope**, **Type** or **Compliance state**. Use search list by name or

+ ID.

+1. Select a policy to review aggregate compliance details and events.

+1. Select a specific Web PubSub for resource compliance.

+You can use the Azure CLI to get compliance data. Use the [az policy assignment list](/cli/azure/policy/assignment#az-policy-assignment-list) command to get the policy IDs of the Azure Web PubSub Service policies that are applied:

+Example output:

+Run the [az policy state list](/cli/azure/policy/state#az-policy-state-list) command to return the JSON-formatted compliance state for all resources under a specific resource group:

+Run the [az policy state list](/cli/azure/policy/state#az-policy-state-list) command to return the JSON-formatted compliance state of a specific Web PubSub resource:

+ Title: Built-in policy definitions for Azure Web PubSub

+description: Lists Azure Policy built-in policy definitions for Azure Web PubSub. These built-in policy definitions provide common approaches to managing your Azure resources.

+# Azure Policy built-in definitions for Azure Web PubSub

+This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy

+definitions for Azure Web PubSub. For Azure Policy built-ins for other services, see

+[Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md).

+The name of each built-in policy definition links to the policy definition in the Azure portal. Use

+the link in the **Version** column to view the source on the

+[Azure Policy GitHub repo](https://github.com/Azure/azure-policy).

+## Policy definitions

+## Next steps

+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).

+- Review the [Azure Policy definition structure](../governance/policy/concepts/definition-structure.md).

+- Review [Understanding policy effects](../governance/policy/concepts/effects.md).

+- [Oracle (Generally Available)](../virtual-machines/workloads/oracle/oracle-database-backup-azure-backup.md) - [Link to support matrix](backup-support-matrix-iaas.md#support-matrix-for-managed-pre-and-post-scripts-for-linux-databases)

+ Title: Support matrix for Azure VM backups

+description: Get a summary of support settings and limitations for backing up Azure VMs by using the Azure Backup service.

+# Support matrix for Azure VM backups

+You can use the [Azure Backup service](backup-overview.md) to back up on-premises machines and workloads, along with Azure virtual machines (VMs). This article summarizes support settings and limitations when you back up Azure VMs by using Azure Backup.

+Other support matrices include:

+- [Support matrix](backup-support-matrix-mabs-dpm.md) for Azure Backup servers and System Center Data Protection Manager (DPM) backup

+Here's how you can back up and restore Azure VMs by using the Azure Backup service.

+Direct backup of Azure VMs | Back up the entire VM. | No additional agent is needed on the Azure VM. Azure Backup installs and uses an extension to the [Azure VM agent](../virtual-machines/extensions/agent-windows.md) that's running on the VM. | Restore as follows:<br/><br/> - **Create a basic VM**. This is useful if the VM has no special configuration, such as multiple IP addresses.<br/><br/> - **Restore the VM disk**. Restore the disk. Then attach it to an existing VM, or create a new VM from the disk by using PowerShell.<br/><br/> - **Replace the VM disk**. If a VM exists and it uses managed disks (unencrypted), you can restore a disk and use it to replace an existing disk on the VM.<br/><br/> - **Restore specific files or folders**. You can restore files or folders from a VM instead of restoring the entire VM.

+Direct backup of Azure VMs (Windows only) | Back up specific files, folders, or volumes. | Install the [Azure Recovery Services agent](backup-azure-file-folder-backup-faq.yml).<br/><br/> You can run the MARS agent alongside the backup extension for the Azure VM agent to back up the VM at the file or folder level. | Restore specific files or folders.

+Backup of Azure VMs to the backup server | Back up files, folders, or volumes; system state or bare metal files; and app data to System Center DPM or to Microsoft Azure Backup Server (MABS).<br/><br/> DPM or MABS then backs up to the backup vault. | Install the DPM or MABS protection agent on the VM. The MARS agent is installed on DPM or MABS.| Restore files, folders, or volumes; system state or bare metal files; and app data.

+Learn more about [using a backup server](backup-architecture.md#architecture-back-up-to-dpmmabs) and about [support requirements](backup-support-matrix-mabs-dpm.md).

+Back up a VM that's shut down or offline | Supported.<br/><br/> Snapshot is crash consistent only, not app consistent.

+Back up managed disks after enabling a resource group lock | Not supported.<br/><br/> Azure Backup can't delete the older restore points. Backups will start to fail when the limit of restore points is reached.

+Modify backup policy for a VM | Supported.<br/><br/> The VM will be backed up according to the schedule and retention settings in the new policy. If retention settings are extended, existing recovery points are marked and kept. If they're reduced, existing recovery points will be pruned in the next cleanup job and eventually deleted.

+Cancel a backup job| Supported during the snapshot process.<br/><br/> Not supported when the snapshot is being transferred to the vault.

+Back up daily via the Azure VM extension | Four backups per day: one scheduled backup as set up in the backup policy, and three on-demand backups. <br><br> To allow user retries in case of failed attempts, the hard limit for on-demand backups is set to nine attempts.

+Back up daily via the MARS agent | Three scheduled backups per day.

+Back up daily via DPM or MABS | Two scheduled backups per day.

+Back up monthly or yearly| Not supported when you're backing up with the Azure VM extension. Only daily and weekly are supported.<br/><br/> You can set up the policy to retain daily or weekly backups for a monthly or yearly retention period.

+Automatically adjust the clock | Not supported.<br/><br/> Azure Backup doesn't automatically adjust for daylight saving time when you're backing up a VM.<br/><br/> Modify the policy manually as needed.

+[Disable security features for hybrid backup](./backup-azure-security-feature.md) |Not supported.

+Back up a VM whose machine time is changed | Not supported.<br/><br/> If you change the machine time to a future date/time after enabling backup for that VM, even if the time change is reverted, successful backup isn't guaranteed.

+Do multiple backups per day | Supported through **Enhanced policy** (in preview). <br><br> For hourly backup, the minimum recovery point objective (RPO) is 4 hours and the maximum is 24 hours. You can set the backup schedule to 4, 6, 8, 12, and 24 hours, respectively. [Learn how to back up an Azure VM by using Enhanced policy](backup-azure-vms-enhanced-policy.md).

+Back up a VM with a deprecated plan when the publisher has removed it from Azure Marketplace | Not supported. <br><br> Backup is possible. However, restore will fail. <br><br> If you've already configured backup for a VM with a deprecated virtual machine offer and encounter a restore error, see [Troubleshoot backup errors with Azure VMs](backup-azure-vms-troubleshoot.md#usererrormarketplacevmnotsupportedvm-creation-failed-due-to-market-place-purchase-request-being-not-present).

+The following table summarizes the supported operating systems when you're backing up Azure VMs running Windows.

+Back up with the Azure VM agent extension | - Windows 11 client (64 bit only) <br/><br/> - Windows 10 client (64 bit only) <br/><br/>- Windows Server 2022 (Datacenter, Datacenter Core, and Standard) <br/><br/>- Windows Server 2019 (Datacenter, Datacenter Core, and Standard) <br/><br/> - Windows Server 2016 (Datacenter, Datacenter Core, and Standard) <br/><br/> - Windows Server 2012 R2 (Datacenter and Standard) <br/><br/> - Windows Server 2012 (Datacenter and Standard) <br/><br/> - Windows Server 2008 R2 (RTM and SP1 Standard) <br/><br/> - Windows Server 2008 (64 bit only)

+Back up with the MARS agent | [Supported](backup-support-matrix-mars-agent.md#supported-operating-systems) operating systems

+Back up with DPM or MABS | Supported operating systems for backup with [MABS](backup-mabs-protection-matrix.md) and [DPM](/system-center/dpm/dpm-protection-matrix)

+Back up Linux Azure VMs with the Linux Azure VM agent | Supported for file-consistent backup.<br/><br/> Also supported for app-consistent backup that uses [custom scripts](backup-azure-linux-app-consistent.md).<br/><br/> During restore, you can create a new VM, restore a disk and use it to create a VM, or restore a disk and use it to replace a disk on an existing VM. You can also restore individual files and folders.

+Back up Linux Azure VMs with the MARS agent | Not supported.<br/><br/> The MARS agent can be installed only on Windows machines.

+Back up Linux Azure VMs with DPM or MABS | Not supported.

+Back up Linux Azure VMs with Docker mount points | Currently, Azure Backup doesn't support exclusion of Docker mount points because these are mounted at different paths every time.

+For Linux VM backups, Azure Backup supports the list of [Linux distributions endorsed by Azure](../virtual-machines/linux/endorsed-distros.md). Note the following:

+- Azure Backup doesn't support CoreOS Linux.

+- Azure Backup doesn't support a proxy-configured Linux VM if it doesn't have Python version 2.7 or later installed.

+- Azure Backup doesn't support backing up Network File System (NFS) files that are mounted from storage, or from any other NFS server, to Linux or Windows machines. It backs up only disks that are locally attached to the VM.

+## Support matrix for managed pre and post scripts for Linux databases

+Azure Backup provides the following support for customers to author their own pre and post scripts.

+|Oracle in Azure VMs | [Oracle Linux](../virtual-machines/linux/endorsed-distros.md) | Oracle 12.x or later |

+Maximum recovery points per protected instance (machine or workload) | 9999.

+Maximum backup frequency to a vault (Azure VM extension) | Once a day.

+Maximum backup frequency to a vault (MARS agent) | Three backups per day.

+Maximum backup frequency to DPM or MABS | Every 15 minutes for SQL Server.<br/><br/> Once an hour for other workloads.

+Recovery points on DPM or MABS disk | 64 for file servers, and 448 for app servers.<br/><br/> Tape recovery points are unlimited for on-premises DPM.

+**Create a new VM** | This option quickly creates and gets a basic VM up and running from a restore point.<br/><br/> You can specify a name for the VM, select the resource group and virtual network in which it will be placed, and specify a storage account for the restored VM. The new VM must be created in the same region as the source VM.

+**Restore disk** | This option restores a VM disk, which can you can then use to create a new VM.<br/><br/> Azure Backup provides a template to help you customize and create a VM. <br/><br> The restore job generates a template that you can download and use to specify custom VM settings and create a VM.<br/><br/> The disks are copied to the resource group that you specify.<br/><br/> Alternatively, you can attach the disk to an existing VM, or create a new VM by using PowerShell.<br/><br/> This option is useful if you want to customize the VM, add configuration settings that weren't there at the time of backup, or add settings that must be configured via the template or PowerShell.

+**Replace existing** | You can restore a disk and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it has been deleted, you can't use this option.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk, and it stores the snapshot in the staging location that you specify. Existing disks connected to the VM are replaced with the selected restore point.<br/><br/> The snapshot is copied to the vault and retained in accordance with the retention policy. <br/><br/> After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. <br/><br/>This option is supported for unencrypted managed VMs and for VMs [created from custom images](https://azure.microsoft.com/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/). It's not supported for unmanaged disks and VMs, classic VMs, and [generalized VMs](../virtual-machines/windows/capture-image-resource.md).<br/><br/> If the restore point has more or fewer disks than the current VM, the number of disks in the restore point will only reflect the VM configuration.<br><br> This option is also supported for VMs with linked resources, like [user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) and [Azure Key Vault](../key-vault/general/overview.md).

+**Cross Region (secondary region)** | You can use cross-region restore to restore Azure VMs in the secondary region, which is an [Azure paired region](../availability-zones/cross-region-replication-azure.md).<br><br> You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.<br><br> This feature is available for the following options:<br> - [Create a VM](./backup-azure-arm-restore-vms.md#create-a-vm) <br> - [Restore disks](./backup-azure-arm-restore-vms.md#restore-disks) <br><br> We don't currently support the [Replace existing disks](./backup-azure-arm-restore-vms.md#replace-existing-disks) option.<br><br> Backup admins and app admins have permissions to perform the restore operation on a secondary region.

+**Cross Subscription (preview)** | You can use cross-subscription restore to restore Azure managed VMs in different subscriptions.<br><br> You can restore Azure VMs or disks to any subscription from restore points. This is one of the Azure role-based access control (RBAC) capabilities. <br><br> This feature is available for the following options:<br> - [Create a VM](./backup-azure-arm-restore-vms.md#create-a-vm) <br> - [Restore disks](./backup-azure-arm-restore-vms.md#restore-disks) <br><br> Cross-subscription restore is unsupported for [snapshots](backup-azure-vms-introduction.md#snapshot-creation) and [secondary region](backup-azure-arm-restore-vms.md#restore-in-secondary-region) restores. It's also unsupported for [unmanaged VMs](backup-azure-arm-restore-vms.md#restoring-unmanaged-vms-and-disks-as-managed), [encrypted Azure VMs](backup-azure-vms-introduction.md#encryption-of-azure-vm-backups), and [trusted launch VMs](backup-support-matrix-iaas.md#tvm-backup).

+**Cross Zonal Restore** | You can use cross-zonal restore to restore Azure zone-pinned VMs in available zones.<br><br> You can restore Azure VMs or disks to different zones (one of the Azure RBAC capabilities) from restore points. <br><br> This feature is available for the following options:<br> - [Create a VM](./backup-azure-arm-restore-vms.md#create-a-vm) <br> - [Restore disks](./backup-azure-arm-restore-vms.md#restore-disks) <br><br> Cross-zonal restore is unsupported for [snapshots](backup-azure-vms-introduction.md#snapshot-creation) of restore points. It's also unsupported for [encrypted Azure VMs](backup-azure-vms-introduction.md#encryption-of-azure-vm-backups) and [trusted launch VMs](backup-support-matrix-iaas.md#tvm-backup).

+Restore files across operating systems | You can restore files on any machine that has the same OS as the backed-up VM, or a compatible OS. See the [compatible OS table](backup-azure-restore-files-from-vm.md#step-3-os-requirements-to-successfully-run-the-script).

+Restore files from encrypted VMs | Not supported.

+Restore files from network-restricted storage accounts | Not supported.

+Restore files on VMs by using Windows Storage Spaces | Not supported on the same VM.<br/><br/> Instead, restore the files on a compatible VM.

+Restore files on a Linux VM by using LVM or RAID arrays | Not supported on the same VM.<br/><br/> Restore on a compatible VM.

+Restore files with special network settings | Not supported on the same VM. <br/><br/> Restore on a compatible VM.

+Restore files from a shared disk, temporary drive, deduplicated disk, ultra disk, or disk with a write accelerator enabled | Not supported. <br/><br/>See [Azure VM storage support](#vm-storage-support).

+<a name="backup-azure-cross-subscription-restore">Restore across a subscription</a> | [Cross-subscription restore (preview)](backup-azure-arm-restore-vms.md#restore-options) is now supported in Azure VMs.

+[Restore across a region](backup-azure-arm-restore-vms.md#cross-region-restore) | Supported.

+<a name="backup-azure-cross-zonal-restore">Restore across a zone</a> | [Cross-zonal restore](backup-azure-arm-restore-vms.md#restore-options) is now supported in Azure VMs.

+Restore to an existing VM | Use the replace disk option.

+Restore a disk with a storage account enabled for Azure Storage service-side encryption (SSE) | Not supported.<br/><br/> Restore to an account that doesn't have SSE enabled.

+Restore a VM directly to an availability set | For managed disks, you can restore the disk and use the availability set option in the template.<br/><br/> Not supported for unmanaged disks. For unmanaged disks, restore the disk, and then create a VM in the availability set.

+Restore backup of unmanaged VMs after upgrading to a managed VM| Supported.<br/><br/> You can restore disks and then create a managed VM.

+Restore a VM to a restore point before the VM was migrated to managed disks | Supported.<br/><br/> You restore to unmanaged disks (default), convert the restored disks to managed disks, and create a VM with the managed disks.

+Restore a VM that has been deleted | Supported.<br/><br/> You can restore the VM from a recovery point.

+Restore a VM in a different virtual network |Supported.<br/><br/> The virtual network must be in the same subscription and region.

+Back up VMs of a certain size |You can back up any Azure VM that has at least two CPU cores and 1 GB of RAM.<br/><br/> [Learn more](../virtual-machines/sizes.md).

+Back up VMs in [availability sets](../virtual-machines/availability.md#availability-sets) | Supported.<br/><br/> You can't restore a VM in an availability set by using the option to quickly create a VM. Instead, when you restore the VM, restore the disk and use it to deploy a VM, or restore a disk and use it to replace an existing disk.

+Back up VMs that are deployed with [Azure Hybrid Benefit](../virtual-machines/windows/hybrid-use-benefit-licensing.md) | Supported.

+Back up VMs that are deployed from [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?filters=virtual-machine-images) (published by Microsoft or a third party) |Supported.<br/><br/> The VMs must be running a supported operating system.<br/><br/> When you're recovering files on the VM, you can restore only to a compatible OS (not an earlier or later OS). We don't restore Azure Marketplace VMs backed as VMs, because these need purchase information. They're restored only as disks.

+Back up VMs that are deployed from a custom image (third-party) |Supported.<br/><br/> The VMs must be running a supported operating system.<br/><br/> When you're recovering files on VMs, you can restore only to a compatible OS (not an earlier or later OS).

+Back up VMs that are migrated to Azure| Supported.<br/><br/> To back up a VM, make sure that the VM agent is installed on the migrated machine.

+Back up multiple VMs and provide consistency | Azure Backup doesn't provide data and application consistency across multiple VMs.

+Back up a VM with [diagnostic settings](../azure-monitor/essentials/platform-logs-overview.md) | Not supported. <br/><br/> If the restore of the Azure VM with diagnostic settings is triggered via the [Create new](backup-azure-arm-restore-vms.md#create-a-vm) option, the restore fails.

+Restore zone-pinned VMs | Supported (where [availability zones](https://azure.microsoft.com/global-infrastructure/availability-zones/) are available).<br/><br/>Azure Backup now supports [restoring Azure VMs to a any availability zones](backup-azure-arm-restore-vms.md#restore-options) other than the zone that's pinned in VMs. This support enables you to restore VMs when the primary zone is unavailable.

+Back up Gen2 VMs | Supported. <br><br/> Azure Backup supports backup and restore of [Gen2 VMs](https://azure.microsoft.com/updates/generation-2-virtual-machines-in-azure-public-preview/). When these VMs are restored from a recovery point, they're restored as [Gen2 VMs](https://azure.microsoft.com/updates/generation-2-virtual-machines-in-azure-public-preview/).

+Back up Azure VMs with locks | Supported for managed VMs. <br><br> Not supported for unmanaged VMs.

+[Restore spot VMs](../virtual-machines/spot-vms.md) | Not supported. <br><br/> Azure Backup restores spot VMs as regular Azure VMs.

+[Restore VMs in an Azure dedicated host](../virtual-machines/dedicated-hosts.md) | Supported.<br></br>When you're restoring an Azure VM through the [Create new](backup-azure-arm-restore-vms.md#create-a-vm) option, the VM can't be restored in the dedicated host, even when the restore is successful. To achieve this, we recommend that you [restore as disks](backup-azure-arm-restore-vms.md#restore-disks). While you're restoring as disks by using the template, create a VM in a dedicated host, and then attach the disks.<br></br>This is not applicable in a secondary region while you're performing [cross-region restore](backup-azure-arm-restore-vms.md#cross-region-restore).

+Configure standalone Azure VMs in Windows Storage Spaces | Supported.

+[Restore virtual machine scale sets](../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md#scale-sets-with-flexible-orchestration) | Supported for the flexible orchestration model to back up and restore a single Azure VM.

+Restore with managed identities | Supported for managed Azure VMs. <br><br> Not supported for classic and unmanaged Azure VMs. <br><br> Cross-region restore isn't supported with managed identities. <br><br> Currently, this is available in all Azure public and national cloud regions. <br><br> [Learn more](backup-azure-arm-restore-vms.md#restore-vms-with-managed-identities).

+<a name="tvm-backup">Back up trusted launch VMs</a> | Backup is supported. <br><br> Backup of trusted launch VMs is supported through [Enhanced policy](backup-azure-vms-enhanced-policy.md). You can enable backup through a [Recovery Services vault](./backup-azure-arm-vms-prepare.md), the [pane for managing a VM](./backup-during-vm-creation.md#start-a-backup-after-creating-the-vm), and the [pane for creating a VM](backup-during-vm-creation.md#create-a-vm-with-backup-configured). <br><br> **Feature details** <br><br> - Backup is supported in all regions where trusted launch VMs are available. <br><br> - Configuration of backups, alerts, and monitoring for trusted launch VMs is currently not supported through the backup center. <br><br> - Migration of an existing [Gen2 VM](../virtual-machines/generation-2.md) (protected with Azure Backup) to a trusted launch VM is currently not supported. [Learn how to create a trusted launch VM](../virtual-machines/trusted-launch-portal.md?tabs=portal#deploy-a-trusted-launch-vm). <br><br> - Item-level restore is not supported.

+[Back up confidential VMs](../confidential-computing/confidential-vm-overview.md) | The backup support is in limited preview. <br><br> Backup is supported only for confidential VMs that have no confidential disk encryption and for confidential VMs that have confidential OS disk encryption through a platform-managed key (PMK). <br><br> Backup is currently not supported for confidential VMs that have confidential OS disk encryption through a customer-managed key (CMK). <br><br> **Feature details** <br><br> - Backup is supported in [all regions where confidential VMs are available](../confidential-computing/confidential-vm-overview.md#regions). <br><br> - Backup is supported only if you're using [Enhanced policy](backup-azure-vms-enhanced-policy.md). You can configure backup through the [pane for creating a VM](backup-azure-arm-vms-prepare.md), the [pane for managing a VM](backup-during-vm-creation.md#start-a-backup-after-creating-the-vm), and the [Recovery Services vault](backup-azure-arm-vms-prepare.md). <br><br> - [Cross-region restore](backup-azure-arm-restore-vms.md#cross-region-restore) and file recovery (item-level restore) for confidential VMs are currently not supported.

+Azure VM data disks | Support for backup of Azure VMs is up to 32 disks.<br><br> Support for backup of Azure VMs with unmanaged disks or classic VMs is up to 16 disks only.

+Storage type | Standard HDD, Standard SSD, Premium SSD. <br><br> Backup and restore of [zone-redundant storage disks](../virtual-machines/disks-redundancy.md#zone-redundant-storage-for-managed-disks) is supported.

+Encrypted disks | Supported.<br/><br/> Azure VMs enabled with Azure Disk Encryption can be backed up (with or without the Azure Active Directory app).<br/><br/> Encrypted VMs can't be recovered at the file or folder level. You must recover the entire VM.<br/><br/> You can enable encryption on VMs that Azure Backup is already protecting. <br><br> You can back up and restore disks encrypted via platform-managed keys or customer-managed keys. You can also assign a disk-encryption set while restoring in the same region. That is, providing a disk-encryption set while performing cross-region restore is currently not supported. However, you can assign the disk-encryption set to the restored disk after the restore is complete.

+Disks with a write accelerator enabled | Azure VMs with disk backup for a write accelerator became available in all Azure public regions on May 18, 2022. If disk backup for a write accelerator is not required as part of VM backup, you can choose to remove it by using the [selective disk feature](selective-disk-backup-restore.md). <br><br>**Important** <br> Virtual machines with write accelerator disks need internet connectivity for a successful backup, even though those disks are excluded from the backup.

+Disks enabled for access with a private endpoint | Not supported.

+Backup and restore of deduplicated VMs or disks | Azure Backup doesn't support deduplication. For more information, see [this article](./backup-support-matrix.md#disk-deduplication-support). <br/> <br/> Azure Backup doesn't deduplicate across VMs in the Recovery Services vault. <br/> <br/> If there are VMs in a deduplication state during restore, the files can't be restored because the vault doesn't understand the format. However, you can successfully perform the full VM restore.

+Adding a disk to a protected VM | Supported.

+Resizing a disk on a protected VM | Supported.

+Shared storage| Backing up VMs by using Cluster Shared Volumes (CSV) or Scale-Out File Server isn't supported. CSV writers are likely to fail during backup. On restore, disks that contain CSV volumes might not come up.

+Ultra SSD disks | Not supported. For more information, see [these limitations](selective-disk-backup-restore.md#limitations).

+[Temporary disks](../virtual-machines/managed-disks-overview.md#temporary-disk) | Azure Backup doesn't back up temporary disks.

+[Resilient File System (ReFS)](/windows-server/storage/refs/refs-overview) restore | Supported. Volume Shadow Copy Service (VSS) supports app-consistent backups on ReFS.

+Dynamic disk with spanned or striped volumes | Supported, unless you enable the selective disk feature on an Azure VM.

+Number of network interfaces (NICs) | Supported up to the maximum number for a specific Azure VM size.<br/><br/> NICs are created when the VM is created during the restore process.<br/><br/> The number of NICs on the restored VM mirrors the number of NICs on the VM when you enabled protection. Removing NICs after you enable protection doesn't affect the count.

+External or internal load balancer |Supported. <br/><br/> [Learn more](backup-azure-arm-restore-vms.md#restore-vms-with-special-configurations) about restoring VMs with special network settings.

+VMs with public IP addresses| Supported.<br/><br/> Associate an existing public IP address with the NIC, or create an address and associate it with the NIC after the restore is done.

+Network security group (NSG) on a NIC or subnet |Supported.

+Dynamic IP address |Supported.<br/><br/> If the NIC on the source VM uses dynamic IP addressing, the NIC on the restored VM will also use it by default.

+Virtual network service endpoints| Supported.<br/><br/> Storage account settings for a firewall and a virtual network should allow access from all networks.

+## Support for VM security and encryption

+Azure Backup supports encryption for in-transit and at-rest data.

+For network traffic to Azure:

+- Backup traffic from servers to the Recovery Services vault is encrypted via Advanced Encryption Standard 256.

+- Backup data is stored in the Recovery Services vault in encrypted form.

+For data security:

+- When you're backing up Azure VMs, you need to set up encryption *within* the virtual machine.

+- Azure Backup supports Azure Disk Encryption, which uses BitLocker on virtual machines running Windows and uses *dm-crypt* on Linux virtual machines.

+- On the back end, Azure Backup uses [Azure Storage service-side encryption](../storage/common/storage-service-encryption.md) to help protect data at rest.

+On-premises Windows machines without DPM or MABS | ![Yes][green] | ![Yes][green]

+On-premises or Azure VMs with DPM | ![Yes][green] | ![Yes][green]

+On-premises or Azure VMs with MABS | ![Yes][green] | ![Yes][green]

+Azure Backup supports the compression of backup traffic. Note the following:

+- If you're using DPM or MABS, you can save bandwidth by compressing the data before it's backed up.

+**Machine** | **Compress to DPM/MABS (TCP)** | **Compress to vault (HTTPS)**

+On-premises Windows machines without DPM or MABS | Not applicable | ![Yes][green]

+Azure VMs | Not applicable | Not applicable

+On-premises or Azure VMs with DPM | ![Yes][green] | ![Yes][green]

+On-premises or Azure VMs with MABS | ![Yes][green] | ![Yes][green]

+Many of the failure errors or the outage scenarios are transient in nature, and you can remediate by setting up the right Azure role-based access control (Azure RBAC) permissions or re-trigger the backup/restore job. As the solution to such failures is simple, that you donΓÇÖt need to invest time waiting for an engineer to manually trigger the job or to assign the relevant permission. Therefore, the smarter way to handle this scenario is to automate the retry of the failed jobs. This will highly minimize the time taken to recover from failures.

+| **Batch Management .NET** |[Azure SDK for .NET - Docs](/dotnet/api/overview/azure/batch/management/management-batch(deprecated)) |[NuGet](https://www.nuget.org/packages/Microsoft.Azure.Management.Batch/) | [Tutorial](batch-management-dotnet.md) |[GitHub](https://github.com/Azure-Samples/azure-batch-samples/tree/master/CSharp) |

+ --name $accountName \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --resource-group $resourceGroupName \

+After the Batch account is created with system-assigned managed identity and the access to Key Vault is granted, update the Batch account with the `{Key Identifier}` URL under `keyVaultProperties` parameter. Also set `--encryption-key-source` as `Microsoft.KeyVault`.

+ --name $accountName \

+ --resource-group $resourceGroupName \

+ --encryption-key-source Microsoft.KeyVault \

+ --encryption-key-identifier {YourKeyIdentifier}

+ --name $accountName \

+ --resource-group $resourceGroupName \

+ --encryption-key-identifier {YourKeyIdentifierWithNewVersion}

+ --name $accountName \

+ --resource-group $resourceGroupName \

+ --encryption-key-identifier {YourNewKeyIdentifier}

+To update the priority of a job, call the [Update the properties of a job](/rest/api/batchservice/job/update) operation (Batch REST), or modify the [CloudJob.Priority](/dotnet/api/microsoft.azure.batch.cloudjob.priority) (Batch .NET). Priority values range from -1000 (lowest priority) to +1000 (highest priority).

+For speech recognition, the initial latency is higher with language identification. You should only include this optional feature as needed.

+> [!IMPORTANT]

+> Language Identification (preview) APIs have been simplified in the Speech SDK version 1.25. The

+`SpeechServiceConnection_SingleLanguageIdPriority` and `SpeechServiceConnection_ContinuousLanguageIdPriority` properties have

+been removed and replaced by a single property `SpeechServiceConnection_LanguageIdMode`. Prioritizing between low latency and high accuracy is no longer necessary following recent model improvements. Now, you only need to select whether to run at-start or continuous Language Identification when doing continuous speech recognition or translation.

+Code snippets are included with the concepts described next. Complete samples for each use case are provided later.

+You provide candidate languages with the `AutoDetectSourceLanguageConfig` object, at least one of which is expected to be in the audio. You can include up to four languages for [at-start LID](#at-start-and-continuous-language-identification) or up to 10 languages for [continuous LID](#at-start-and-continuous-language-identification). The Speech service returns one of the candidate languages provided even if those languages weren't in the audio. For example, if `fr-FR` (French) and `en-US` (English) are provided as candidates, but German is spoken, either `fr-FR` or `en-US` would be returned.

+You must provide the full locale with dash (`-`) separator, but language identification only uses one locale per base language. Don't include multiple locales (for example, "en-US" and "en-GB") for the same language.

+- At-start LID identifies the language once within the first few seconds of audio. Use at-start LID if the language in the audio won't change. With at-start LID, a single language is detected and returned in less than 5 seconds.

+- Continuous LID can identify multiple languages for the duration of the audio. Use continuous LID if the language in the audio could change. Continuous LID doesn't support changing languages within the same sentence. For example, if you're primarily speaking Spanish and insert some English words, it will not detect the language change per word.

+You implement at-start LID or continuous LID by calling methods for [recognize once or continuous](#recognize-once-or-continuous). Continuous LID is only supported with continuous recognition.

+Language identification is completed with recognition objects and operations. You'll make a request to the Speech service for recognition of audio.

+You'll either call the "recognize once" method, or the start and stop continuous recognition methods. You choose from:

+- Recognize once with At-start LID. Continuous LID isn't supported for recognize once.

+- Continuous recognition with at-start LID

+The `SpeechServiceConnection_LanguageIdMode` property is only required for continuous LID. Without it, the Speech service defaults to at-start lid. The supported values are "AtStart" for at-start LID or "Continuous" for continuous LID.

+// Recognize once with At-start LID. Continuous LID isn't supported for recognize once.

+speechConfig.SetProperty(PropertyId.SpeechServiceConnection_LanguageIdMode, "Continuous");

+// Recognize once with At-start LID. Continuous LID isn't supported for recognize once.

+speechConfig->SetProperty(PropertyId::SpeechServiceConnection_LanguageIdMode, "Continuous");

+// Recognize once with At-start LID. Continuous LID isn't supported for recognize once.

+speechConfig.setProperty(PropertyId.SpeechServiceConnection_LanguageIdMode, "Continuous");

+# Recognize once with At-start LID. Continuous LID isn't supported for recognize once.

+speech_config.set_property(property_id=speechsdk.PropertyId.SpeechServiceConnection_LanguageIdMode, value='Continuous')

+>

+See more examples of speech-to-text recognition with language identification on [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/csharp/sharedcontent/console/speech_recognition_with_language_id_samples.cs).

+// Set the LanguageIdMode (Optional; Either Continuous or AtStart are accepted; Default AtStart)

+config.SetProperty(PropertyId.SpeechServiceConnection_LanguageIdMode, "Continuous");

+Language detection with a custom endpoint isn't supported by the Speech SDK for JavaScript. For example, if you include "fr-FR" as shown here, the custom endpoint will be ignored.

+ // Set the LanguageIdMode (Optional; Either Continuous or AtStart are accepted; Default AtStart)

+ config.SetProperty(PropertyId.SpeechServiceConnection_LanguageIdMode, "Continuous");

+ // Set the LanguageIdMode (Optional; Either Continuous or AtStart are accepted; Default AtStart)

+ speechConfig->SetProperty(PropertyId::SpeechServiceConnection_LanguageIdMode, "Continuous");

+# Set the LanguageIdMode (Optional; Either Continuous or AtStart are accepted; Default AtStart)

+translation_config.set_property(property_id=speechsdk.PropertyId.SpeechServiceConnection_LanguageIdMode, value='Continuous')

+* [Try the speech to text quickstart](get-started-speech-to-text.md)

+* [Improve recognition accuracy with custom speech](custom-speech-overview.md)

+* [Use batch transcription](batch-transcription.md)

+* Speech SDK 1.25.0 was released in January 2023.

+Learn about [managing deployments, models, and finetuning with the REST API](/rest/api/cognitiveservices/azureopenaistable/deployments/create).

+- [Call with Chat Composite](https://azure.github.io/communication-ui-library/?path=/docs/composites-call-with-chat-basicexample--basic-example)

+| iOS | ❌ | ✔️ | ❌ | ❌ | ✔️ |

+description: Learn how to build a chat experience with a bot by using the Azure Communication Services Chat SDK and Azure Bot Service.

+# Quickstart: Add a bot to your chat app

+Learn how to build conversational AI experiences in a chat application by using the Azure Communication Services Chat messaging channel that's available in Azure Bot Service. In this quickstart, you create a bot by using the BotFramework SDK. Then, you integrate the bot into a chat application you create by using the Communication Services Chat SDK.

+In this quickstart, you learn how to:

+- [Create and deploy a bot in Azure](#create-and-deploy-a-bot-in-azure)

+- [Get a Communication Services resource](#get-a-communication-services-resource)

+- [Enable the Communication Services Chat channel for the bot](#enable-the-communication-services-chat-channel)

+- [Create a chat app and add the bot as a participant](#create-a-chat-app-and-add-the-bot-as-a-participant)

+- [Explore more features for your bot](#more-things-you-can-do-with-a-bot)

+- An Azure account and an active subscription. Create an [account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- [Visual Studio 2019 or later](https://visualstudio.microsoft.com/vs/).

+- The latest version of .NET Core. In this quickstart, we use [.NET Core 3.1](https://dotnet.microsoft.com/download/dotnet-core/3.1). Be sure to install the version that corresponds with your instance of Visual Studio, 32-bit or 64-bit.

+## Create and deploy a bot in Azure

+To use Azure Communication Services chat as a channel in Azure Bot Service, first deploy a bot. To deploy a bot, you complete these steps:

+- Create an Azure Bot Service resource

+- Get the bot's app ID and password

+- Create a web app to hold the bot logic

+- Create a messaging endpoint for the bot

+### Create an Azure Bot Service resource

+First, [use the Azure portal to create an Azure Bot Service resource](/azure/bot-service/abs-quickstart?tabs=userassigned).

+This quickstart uses a multi-tenant bot. To use a single-tenant bot or a managed identity bot, see [Support for single-tenant and managed identity bots](#support-for-single-tenant-and-managed-identity-bots).

+### Get the bot's app ID and app password

+Next, [get the Microsoft app ID and password](/azure/bot-service/abs-quickstart?tabs=userassigned#to-get-your-app-or-tenant-id) that are assigned to your bot when it's deployed. You use these values for later configurations.

+### Create a web app to hold the bot logic

+To create a web app for your bot, you can revise [Bot Builder samples](https://github.com/Microsoft/BotBuilder-Samples) for your scenario or use the [Bot Builder SDK](/composer/introduction) to create a web app. One of the simplest samples is [Echo Bot](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/02.echo-bot).

+Azure Bot Service typically expects the Bot Application Web App Controller to expose an endpoint in the form `/api/messages`. The endpoint handles all messages that are sent to the bot.

+To create the bot app, either use the Azure CLI to [create an Azure App Service resource](/azure/bot-service/provision-app-service?tabs=singletenant%2Cexistingplan) or create the app in the Azure portal.

+To create a bot web app by using the Azure portal:

+1. In the portal, select **Create a resource**. In the search box, enter **web app**. Select the **Web App** tile.

+

+ :::image type="content" source="./media/web-app.png" alt-text="Screenshot that shows creating a web app resource in the Azure portal.":::

+1. In **Create Web App**, select or enter details for the app, including the region where you want to deploy the app.

+

+ :::image type="content" source="./media/web-app-create-options.png" alt-text="Screenshot that shows details to set to create a web app deployment.":::

+1. Select **Review + Create** to validate the deployment and review the deployment details. Then, select **Create**.

+1. When the web app resource is created, copy the hostname URL that's shown in the resource details. The URL will be part of the endpoint you create for the web app.

+

+ :::image type="content" source="./media/web-app-endpoint.png" alt-text="Screenshot that shows how to copy the web app endpoint URL.":::

+### Create a messaging endpoint for the bot

+Next, in the bot resource, create a web app messaging endpoint:

+1. In the Azure portal, go to your Azure Bot resource. In the resource menu, select **Configuration**.

+1. In **Configuration**, for **Messaging endpoint**, paste the hostname URL of the web app you copied in the preceding section. Append the URL with `/api/messages`.

+1. Select **Save**.

+### Deploy the web app

+The final step to create a bot is to deploy the web app. For this quickstart, use the Echo Bot sample. The Echo Bot functionality is limited to echoing the user input. Here's how you deploy it to your web app in Azure:

+1. Use Git to clone this GitHub repository:

+ ```console

+ git clone https://github.com/Microsoft/BotBuilder-Samples.git

+ cd BotBuilder-Samples

+ ```

+1. In Visual Studio, open the [Echo Bot project](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/02.echo-bot).

+1. In the Visual Studio project, open the *Appsettings.json* file. Paste the [Microsoft app ID and app password](#get-the-bots-app-id-and-app-password) you copied earlier:

+ ```json

+ "MicrosoftAppId": "<App-registration-ID>",

+ ```

+ Next, use Visual Studio for C# bots to deploy the bot.

+ You also can use a Command Prompt window to [deploy an Azure bot](/azure/bot-service/provision-and-publish-a-bot?tabs=userassigned%2Ccsharp).

+1. In Visual Studio, in Solution Explorer, right-click the **EchoBot** project and select **Publish**:

+ :::image type="content" source="./media/publish-app.png" alt-text="Screenshot that shows publishing your web app from Visual Studio.":::

+1. Select **New** to create a new publishing profile. For **Target**, select **Azure**:

+ :::image type="content" source="./media/select-azure-as-target.png" alt-text="Screenshot that shows how to select Azure as target in a new publishing profile.":::

+

+ For the specific target, select **Azure App Service**:

+

+ :::image type="content" source="./media/select-app-service.png" alt-text="Screenshot that shows how to select Azure App Service as the specific target.":::

+1. In the deployment configuration, select the web app in the results that appear after you sign in to your Azure account. To complete the profile, select **Finish**, and then select **Publish** to start the deployment.

+

+ :::image type="content" source="./media/smaller-deployment-config.png" alt-text="Screenshot that shows setting the deployment configuration with the web app name." lightbox="./media/deployment-config.png":::

+## Get a Communication Services resource

+Now that your bot is created and deployed, create a Communication Services resource to use to set up a Communication Services channel:

+1. Complete the steps to [create a Communication Services resource](../../quickstarts/create-communication-resource.md).

+1. Create a Communication Services user and issue a [user access token](../../quickstarts/access-tokens.md). Be sure to set the scope to **chat**. *Copy the token string and the user ID string*.

+## Enable the Communication Services Chat channel

+When you have a Communication Services resource, you can set up a Communication Services channel in the bot resource. In this process, a user ID is generated for the bot.

+1. In the Azure portal, go to your Azure Bot resource. In the resource menu, select **Channels**. In the list of available channels, select **Azure Communications Services - Chat**.

+ :::image type="content" source="./media/smaller-demoapp-launch-acs-chat.png" alt-text="Screenshot that shows opening the Communication Services Chat channel." lightbox="./media/demoapp-launch-acs-chat.png":::

+1. Select **Connect** to see a list of Communication Services resources that are available in your subscription.

+ :::image type="content" source="./media/smaller-bot-connect-acs-chat-channel.png" alt-text="Screenshot that shows how to connect a Communication Service resource to the bot." lightbox="./media/bot-connect-acs-chat-channel.png":::

+1. In the **New Connection** pane, select the Communication Services chat resource, and then select **Apply**.

+ :::image type="content" source="./media/smaller-bot-choose-resource.png" alt-text="Screenshot that shows how to save the selected Communication Service resource to create a new Communication Services user ID." lightbox="./media/bot-choose-resource.png":::

+1. When the resource details are verified, a bot ID is shown in the **Bot ACS Id** column. You can use the bot ID to represent the bot in a chat thread by using the Communication Services Chat AddParticipant API. After you add the bot to a chat as participant, the bot starts to receive chat-related activities, and it can respond in the chat thread.

+ :::image type="content" source="./media/smaller-acs-chat-channel-saved.png" alt-text="Screenshot that shows the new Communication Services user ID assigned to the bot." lightbox="./media/acs-chat-channel-saved.png":::

+## Create a chat app and add the bot as a participant

+Now that you have the bot's Communication Services ID, you can create a chat thread with the bot as a participant.

+1. Run the following command to create a C# application:

+ ```console

+ dotnet new console -o ChatQuickstart

+ ```

+1. Change your directory to the new app folder and use the `dotnet build` command to compile your application:

+ ```console

+ cd ChatQuickstart

+ dotnet build

+ ```

+Install the Communication Services Chat SDK for .NET:

+```powershell

+To create a chat client, use your Communication Services endpoint and the user access token you generated earlier. Use the `CommunicationIdentityClient` class from the Identity SDK to create a user and issue a token to pass to your chat client.

+Copy the following code and paste it in the *Program.cs* source file:

+ // Your unique Communication Services endpoint

+Use the `createChatThread` method on `chatClient` to create a chat thread. Replace the ID with the bot's Communication Services ID.

+The `GetChatThreadClient` method returns a thread client for a thread that already exists:

+To use `SendMessage` to send a message to a thread:

+You can get chat messages by polling the `GetMessages` method on the chat thread client at set intervals:

+Check the list of messages for the bot's echo reply to "Hello World".

+You can use JavaScript or the Azure mobile SDKs to subscribe to incoming message notifications:

+```javascript

+// Open notifications channel

+// Subscribe to new notifications

+ // Your code here

+When you're finished using the chat thread, delete the thread:

+To deploy the chat application:

+1. In Visual Studio, open the chat project.

+1. Right-click the **ChatQuickstart** project and select **Publish**:

+ :::image type="content" source="./media/deploy-chat-application.png" alt-text="Screenshot that shows deploying the chat application to Azure from Visual Studio.":::

+A bot can receive more than a plain-text message from a user in a Communications Services Chat channel. Some of the activities a bot can receive from a user include:

+- Message delete

+- Various attachments, including adaptive cards

+The next sections show some samples to illustrate these features.

+The current Echo Bot logic accepts input from the user and echoes it back. If you want to add more logic, such as responding to a participant-added Communication Services event, copy the following code and paste it in the [EchoBot.cs](https://github.com/microsoft/BotBuilder-Samples/blob/main/samples/csharp_dotnetcore/02.echo-bot/Bots/EchoBot.cs) source file:

+You can send an adaptive card to the chat thread to increase engagement and efficiency. An adaptive card also helps you communicate with users in various ways. You can send an adaptive card from a bot by adding the card as a bot activity attachment.

+Here's an example of how to send an adaptive card:

+Get sample payloads for adaptive cards at [Samples and templates](https://adaptivecards.io/samples).

+For a chat user, the Communication Services Chat channel adds a field to the message metadata that indicates the message has an attachment. In the metadata, the `microsoft.azure.communication.chat.bot.contenttype` property is set to `azurebotservice.adaptivecard`.

+Here's an example of a chat message that has an adaptive card attached:

+ "content": "{\"attachments\":[{\"contentType\":\"application/vnd.microsoft.card.adaptive\",\"content\":{/* the adaptive card */}}]}",

+ "senderDisplayName": "BotDisplayName",

+ "metadata": {

+ "microsoft.azure.communication.chat.bot.contenttype": "azurebotservice.adaptivecard"

+ },

+#### Send a message from user to bot

+You can send a basic text message from a user to the bot the same way you send a text message to another user.

+However, when you send a message that has an attachment from a user to a bot, add this flag to the Communication Services Chat metadata:

+`"microsoft.azure.communication.chat.bot.contenttype": "azurebotservice.adaptivecard"`

+To send an event activity from a user to a bot, add this flag to the Communication Services Chat metadata:

+`"microsoft.azure.communication.chat.bot.contenttype": "azurebotservice.event"`

+The following sections show sample formats for chat messages from a user to a bot.

+#### Simple text message

+ "},

+```

+#### Message with an attachment

+ "content": "{

+ "senderDisplayName": "Acs-Dev-Bot",

+ "metadata": {

+ "microsoft.azure.communication.chat.bot.contenttype": "azurebotservice.adaptivecard",

+ "text": "random text",

+ "key1": "value1",

+ "key2": "{\r\n \"subkey1\": \"subValue1\"\r\n}"

+ },

+#### Message with an event activity

+An event payload includes all JSON fields in the message content except `Name`. The `Name` field contains the name of the event.

+In the following example, the event name `endOfConversation` with the payload `"{field1":"value1", "field2": { "nestedField":"nestedValue" }}` is sent to the bot:

+The metadata field `microsoft.azure.communication.chat.bot.contenttype` is required only in a message that's sent from a user to a bot.

+The following sections describe supported bot activity fields for bot-to-user flows and user-to-bot flows.

+### Bot-to-user flow

+The following bot activity fields are supported for bot-to-user flows.

+- Message

+- Typing

+- `From.Name` (Converted to Communication Services `SenderDisplayName`.)

+- `ChannelData` (Converted to Communication Services `Chat Metadata`. If any `ChannelData` mapping values are objects, they're serialized in JSON format and sent as a string.)

+### User-to-bot flow

+These bot activity fields are supported for user-to-bot flows.

+- Message

+ - `Id` (Communication Services Chat message ID)

+- Conversation update

+ - `MembersAdded`

+ - `MembersRemoved`

+ - `TopicName`

+- Message update

+ - `Id` (Updated Communication Services Chat message ID)

+ - `Text`

+ - `Attachments`

+- Message delete

+ - `Id` (Deleted Communication Services Chat message ID)

+- Event

+ - `Name`

+ - `Value`

+- Typing

+- `Recipient.Id` and `Recipient.Name` (Communication Services Chat user ID and display name)

+- `From.Id` and `From.Name` (Communication Services Chat user ID and display name)

+- `Conversation.Id` (Communication Services Chat thread ID)

+- `ChannelId` (Communication Services Chat if empty)

+- `ChannelData` (Communication Services Chat message metadata)

+## Support for single-tenant and managed identity bots

+Communication Services Chat channel supports single-tenant bots, managed identity bots, and multi-tenant bots. To set up a single-tenant or managed identity bot, review [Bot identity information](/azure/bot-service/bot-builder-authentication?tabs=userassigned%2Caadv2%2Ccsharp#bot-identity-information).

+For a managed identity bot, you might have to [update the bot service identity](/azure/bot-service/bot-builder-authentication?tabs=userassigned%2Caadv2%2Ccsharp#to-update-your-app-service).

+Sometimes, a bot doesn't understand a question, or it can't answer a question. A customer might ask in the chat to be connected to a human agent. In these scenarios, the chat thread must be handed off from the bot to a human agent. You can design your application to [transition a conversation from a bot to a human](/azure/bot-service/bot-service-design-pattern-handoff-human).

+## Handling bot-to-bot communication

+In some use cases, two bots need to be added to the same chat thread to provide different services. In this scenario, you might need to ensure that a bot doesn't send automated replies to another bot's messages. If not handled properly, the bots' automated interaction between themselves might result in an infinite loop of messages.

+You can verify the Communication Services user identity of a message sender in the activity's `From.Id` property. Check to see whether it belongs to another bot. Then, take the required action to prevent a bot-to-bot communication flow. If this type of scenario results in high call volumes, the Communication Services Chat channel throttles the requests and a bot can't send and receive messages.

+Learn more about [throttle limits](/azure/communication-services/concepts/service-limits#chat).

+## Troubleshoot

+The following sections describe ways to troubleshoot common scenarios.

+### Chat channel can't be added

+In the [Microsoft Bot Framework developer portal](https://dev.botframework.com/bots), go to **Configuration** > **Bot Messaging** to verify that the endpoint has been set correctly.

+Verify that the bot's Microsoft app ID and password are saved correctly in the bot configuration file you upload to the web app.

+### Bot can't be added as a participant

+Verify that the bot's Communication Services ID is used correctly when a request is sent to add a bot to a chat thread.

+Try the [chat bot demo app](https://github.com/Azure/communication-preview/tree/master/samples/AzureBotService-Sample-App) for a 1:1 chat between a chat user and a bot via the BotFramework WebChat UI component.

+3. Set your adminUserId string in `Server/appsettings.json`

+ Title: Resource availability & quota limits for ACI

+description: Availability and quota limits of compute and memory resources for the Azure Container Instances service in different Azure regions.

+# Resource availability & quota limits for ACI

+This article details the availability and quota limits of Azure Container Instances compute, memory, and storage resources in Azure regions and by target operating system. For a general list of available regions for Azure Container Instances, see [available regions](https://azure.microsoft.com/regions/services/).

+Values presented are the maximum resources available per deployment of a [container group](container-instances-container-groups.md). Values are current at time of publication.

+> [!NOTE]

+> Container groups created within these resource limits are subject to availability within the deployment region. When a region is under heavy load, you may experience a failure when deploying instances. To mitigate such a deployment failure, try deploying instances with lower resource settings, or try your deployment at a later time or in a different region with available resources.

+## Default Quota Limits

+All Azure services include certain default limits and quotas for resources and features. This section details the default quotas and limits for Azure Container Instances.

+Use the [List Usage](/rest/api/container-instances/location/listusage) API to review current quota usage in a region for a subscription.

+Certain default limits and quotas can be increased. To request an increase of one or more resources that support such an increase, please submit an [Azure support request][azure-support] (select "Quota" for **Issue type**).

+> [!IMPORTANT]

+> Not all limit increase requests are guaranteed to be approved.

+> Deployments with GPU resources are not supported in an Azure virtual network deployment and are only available on Linux container groups.

+> Using GPU resources (preview) is not fully supported yet and any support is provided on a best-effort basis.

+### Unchangeable (Hard) Limits

+The following limits are default limits that canΓÇÖt be increased through a quota request. Any quota increase requests for these limits will not be approved.

+| Resource | Actual Limit |

+| | : |

+| Number of containers per container group | 60 |

+| Number of volumes per container group | 20 |

+| Ports per IP | 5 |

+| Container instance log size - running instance | 4 MB |

+| Container instance log size - stopped instance | 16 KB or 1,000 lines |

+### Changeable Limits (Eligible for Quota Increases)

+| Resource | Actual Limit |

+| | : |

+| Standard sku container groups per region per subscription | 100 |

+| Standard sku cores (CPUs) per region per subscription | 100 |

+| Standard sku cores (CPUs) for K80 GPU per region per subscription | 0 |

+| Standard sku cores (CPUs) for V100 GPU per region per subscription | 0 |

+| Container group creates per hour |300¹ |

+| Container group creates per 5 minutes | 100¹ |

+| Container group deletes per hour | 300¹ |

+| Container group deletes per 5 minutes | 100¹ |

+## Standard Core Resources

+### Linux Container Groups

+By default, the following resources are available general purpose (standard core SKU) containers in general deployments and [Azure virtual network](container-instances-vnet.md) deployments) for Linux & Windows containers.

+| Max CPU | Max Memory (GB) | VNET Max CPU | VNET Max Memory (GB) | Storage (GB) |

+| :: | :: | :-: | :--: | :-: |

+| 4 | 16 | 4 | 16 | 50 |

+For a general list of available regions for Azure Container Instances, see [available regions](https://azure.microsoft.com/regions/services/).

+### Windows Containers

+The following regions and maximum resources are available to container groups with [supported and preview](./container-instances-faq.yml) Windows Server containers.

+#### Windows Server 2019 LTSC

+> [!NOTE]

+> 1B and 2B hosts have been deprecated for Windows Server 2019 LSTC. See [Host and container version compatibility](/virtualization/windowscontainers/deploy-containers/update-containers#host-and-container-version-compatibility) for more information on 1B, 2B, and 3B hosts.

+The following resources are available in all Azure Regions supported by Azure Container Instances. For a general list of available regions for Azure Container Instances, see [available regions](https://azure.microsoft.com/regions/services/).

+| 3B Max CPU | 3B Max Memory (GB) | Storage (GB) | Availability Zone support |

+| :-: | :--: | :-: |

+| 4 | 16 | 20 | Y |

+## GPU Resources (Preview)

+> [!IMPORTANT]

+> Not all limit increase requests are guaranteed to be approved.

+> Deployments with GPU resources are not supported in an Azure virtual network deployment and are only available on Linux container groups.

+> Using GPU resources (preview) is not fully supported yet and any support is provided on a best-effort basis.

+The following maximum resources are available to a container group deployed with [GPU resources](container-instances-gpu.md) (preview).

+| GPU SKUs | GPU count | Max CPU | Max Memory (GB) | Storage (GB) |

+| | | | | |

+| K80 | 1 | 6 | 56 | 50 |

+| K80 | 2 | 12 | 112 | 50 |

+| K80 | 4 | 24 | 224 | 50 |

+| P100, V100 | 1 | 6 | 112 | 50 |

+| P100, V100 | 2 | 12 | 224 | 50 |

+| P100, V100 | 4 | 24 | 448 | 50 |

+## Next steps

+Certain default limits and quotas can be increased. To request an increase of one or more resources that support such an increase, please submit an [Azure support request][azure-support] (select "Quota" for **Issue type**).

+Let the team know if you'd like to see additional regions or increased resource availability at [aka.ms/aci/feedback](https://aka.ms/aci/feedback).

+For information on troubleshooting container instance deployment, see [Troubleshoot deployment issues with Azure Container Instances](container-instances-troubleshooting.md)

+<!-- LINKS - External -->

+[az-region-support]: ../availability-zones/az-overview.md#regions

+[azure-support]: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest

+

+

+> Container group deployment to a virtual network is generally available for Linux and Windows containers, in most regions where Azure Container Instances is available. For details, see [Regions and resource availability](container-instances-region-availability.md).

+> Container group deployment to a virtual network is generally available for Linux and Windows containers, in most regions where Azure Container Instances is available. For details, see [Regions and resource availability][container-regions].

+Azure Cosmos DB only supports a time-to-live (TTL) at the collection level (_ts) in version 3.2. Upgrade to versions 3.6+ to take advantage of other forms of [TTL](time-to-live.md).

+This article applies to a Microsoft Online Service Program (pay-as-you-go) account or a Visual Studio account. If you have a Microsoft Customer Agreement (Azure plan) account, see [Understand Microsoft Customer Agreement administrative roles in Azure](understand-mca-roles.md). If you have an Azure Enterprise Agreement, see [Manage Azure Enterprise Agreement roles](understand-ea-roles.md).

+If you don't see **Account Admin**, you might have a Microsoft Customer Agreement or Enterprise Agreement account. Instead, [check your access to a Microsoft Customer Agreement](understand-mca-roles.md#check-access-to-a-microsoft-customer-agreement) or see [Manage Azure Enterprise Agreement roles](understand-ea-roles.md).

+ - Java Runtime (JRE) version 8 from a JRE provider such as [Eclipse Temurin](https://adoptium.net/temurin/releases/?version=8). Ensure that the JAVA_HOME environment variable is set to the JDK folder (and not just the JRE folder).

+| [SAP CDC](connector-sap-change-data-capture.md) | | Γ£ô/- | | Can connect to all SAP releases supporting SAP Operational Data Provisioning (ODP). This includes most SAP ECC and SAP BW releases, as well as SAP S/4HANA, SAP BW/4HANA and SAP Landscape Transformation Replication Server (SLT). Regarding prerequisites for the SAP source syste, follow [SAP system requirements](sap-change-data-capture-prerequisites-configuration.md#sap-system-requirements). For details on the connector, follow [Overview and architecture of the SAP CDC capabilities](sap-change-data-capture-introduction-architecture.md) |

+- Make sure that DataSources are released for extraction via ODP. This requirement applies to DataSources that customers create as well as DataSources created by SAP in older releases of SAP ECC. For more information, see the following SAP support note [2232584 - To release SAP extractors for ODP API](https://launchpad.support.sap.com/#/notes/2232584).

+The GitHub integration with Data Factory supports both public GitHub (that is, [https://github.com](https://github.com)), GitHub Enterprise Cloud and GitHub Enterprise Server. You can use both public and private GitHub repositories with Data Factory as long you have read and write permission to the repository in GitHub. To connect with a public repository, select the **Use Link Repository option**, as they will not be visible in the dropdown menu of **Repository name**. ADFΓÇÖs GitHub enterprise server integration only works with [officially supported versions of GitHub enterprise server.](https://docs.github.com/en/enterprise-server@3.1/admin/all-releases)

+- To [send alerts in real-time](continuous-export.md) to Log Analytics or Event Hubs to create automated processes to analyze and respond to security alerts.

+ Title: Defender for DevOps FAQ

+description: If you're having issues with Defender for DevOps perhaps, you can solve it with these frequently asked questions.

+# Defender for DevOps frequently asked questions (FAQ)

+If you're having issues with Defender for DevOps these frequently asked questions may assist you,

+## FAQ

+- [I donΓÇÖt see Recommendations for findings](#i-dont-see-recommendations-for-findings)

+- [Why can't I find my repository](#why-cant-i-find-my-repository)

+- [Secret scan didn't run on my code](#secret-scan-didnt-run-on-my-code)

+- [I donΓÇÖt see generated SARIF file in the path I chose to drop it](#i-dont-see-generated-sarif-file-in-the-path-i-chose-to-drop-it)

+- [I donΓÇÖt see the results for my ADO projects in Microsoft Defender for Cloud](#i-dont-see-the-results-for-my-ado-projects-in-microsoft-defender-for-cloud)

+- [What information does Defender for DevOps store about me and my enterprise, and where is the data stored?](#what-information-does-defender-for-devops-store-about-me-and-my-enterprise-and-where-is-the-data-stored)

+### I donΓÇÖt see Recommendations for findings

+Ensure that you've onboarded the project with the connector and that your repository (that build is for), is onboarded to Microsoft Defender for Cloud. You can learn how to [onboard your DevOps repository](/azure/defender-for-cloud/quickstart-onboard-devops?branch=main) to Defender for Cloud.

+You must have more than a [stakeholder license](https://azure.microsoft.com/pricing/details/devops/azure-devops-services/) to the repos to onboard them. You can confirm if you've onboarded the repositories by seeing them in the inventory list in Microsoft Defender for Cloud.

+### Why can't I find my repository

+Only TfsGit is supported on Azure DevOps service.

+Ensure that you've [onboarded your repositories](/azure/defender-for-cloud/quickstart-onboard-devops?branch=main) to Microsoft Defender for Cloud. If you still can't see your repository, ensure that you're signed in with the correct Azure DevOps organization user account. If the user for the connector is wrong, you need to delete the connector that was created, sign in with the correct user account and re-create the connector.

+### Secret scan didn't run on my code

+To ensure your code is scanned for secrets, make sure you've [onboarded your repositories](/azure/defender-for-cloud/quickstart-onboard-devops?branch=main) to Defender for Cloud.

+In addition to onboarding resources, you must have the [Microsoft Security DevOps (MSDO) Azure DevOps extension](/azure/defender-for-cloud/azure-devops-extension?branch=main) configured for your pipelines. The extension runs secret scan along with other scanners.

+If no secrets are identified through scans, the total exposed secret for the resource shows `Healthy` in Microsoft Defender for Cloud. If secret scan isn't enabled (meaning MSDO isn't configured for your pipeline), the resource shows as `N/A` in Defender for Cloud.

+### I donΓÇÖt see generated SARIF file in the path I chose to drop it

+If you donΓÇÖt see SARIF file in the expected path, you may have chosen a different drop path than the `CodeAnalysisLogs/msdo.sarif` one. Currently you should drop your SARIF files to `CodeAnalysisLogs/msdo.sarif`.

+### I donΓÇÖt see the results for my ADO projects in Microsoft Defender for Cloud

+Currently, OSS vulnerabilities, IaC scanning vulnerabilities, and Total code scanning vulnerabilities are only available for GitHub repositories.

+Azure DevOps repositories only have the total exposed secrets available and will show `N/A` for all other fields. You can learn more about how to [Review your findings](defender-for-devops-introduction.md).

+### What information does Defender for DevOps store about me and my enterprise, and where is the data stored?

+Data Defender for DevOps connects to your source code management system, for example, Azure DevOps, GitHub, to provide a central console for your DevOps resources and security posture. Defender for DevOps processes and stores the following information:

+- Metadata on your connected source code management systems and associated repositories. This data includes user, organizational, and authentication information.

+- Scan results for recommendations and assessments results and details.

+Data is stored within the region your connector is created in. You should consider which region to create your connector in, for any data residency requirements as you design and create your DevOps connector.

+Defender for DevOps currently doesn't process or store your code, build, and audit logs.

+## Next steps

+- [Overview of Defender for DevOps](defender-for-devops-introduction.md)

+No. When you enable [Microsoft Defender for Servers](defender-for-servers-introduction.md) on an Azure subscription or a connected AWS account, all of the connected machines will be protected by Defender for Servers. This includes servers that don't have the Log Analytics agent or Azure Monitor agent installed.

+ For a complete list of metadata and server objects that you need to move, refer to the detailed information available in [Manage Metadata When Making a Database Available on Another Server](/sql/relational-databases/databases/manage-metadata-when-making-a-database-available-on-another-server).

+ Title: Azure Firewall easy upgrade/downgrade (preview)

+description: Learn about Azure Firewall easy upgrade/downgrade (preview)

+# Azure Firewall easy upgrade/downgrade (preview)

+> [!IMPORTANT]

+> This feature is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+You can now easily upgrade your existing Firewall Standard SKU to Premium SKU and downgrade from Premium to Standard SKU. The process is fully automated and has no service impact (zero service downtime).

+## Policies

+In the upgrade process, you can select the policy to be attached to the upgraded Premium SKU. You can select an existing Premium Policy or an existing Standard Policy. You can use your existing Standard policy and let the system automatically duplicate, upgrade to Premium Policy, and then attach it to the newly created Premium Firewall.

+## Availability

+This new capability is available through the Azure portal as shown here. It's also available via PowerShell and Terraform by changing the sku_tier attribute.

+> [!NOTE]

+> This new upgrade/downgrade capability will also support the Basic SKU for GA.

+## Next steps

+- To learn more about Azure Firewall, see [What is Azure Firewall?](overview.md).

+ Title: Azure Firewall network rule name logging (preview)

+description: Learn about Azure Firewall network rule name logging (preview)

+# Azure Firewall network rule name logging (preview)

+For more information, see [Azure Firewall network rule name logging (preview)](firewall-network-rule-logging.md).

+Policy Analytics provides insights, centralized visibility, and control to Azure Firewall. IT teams today are challenged to keep Firewall rules up to date, manage existing rules, and remove unused rules. Any accidental rule updates can lead to a significant downtime for IT teams.

+For more information, see [Azure Firewall Policy Analytics (preview)](policy-analytics.md).

+### Easy upgrade/downgrade (preview)

+For more information, see [Azure Firewall easy upgrade/downgrade (preview)](easy-upgrade.md).

+ Title: Azure Firewall Policy Analytics (preview)

+description: Learn about Azure Firewall Policy Analytics (preview)

+# Azure Firewall Policy Analytics (preview)

+> [!IMPORTANT]

+> This feature is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Policy Analytics provides insights, centralized visibility, and control to Azure Firewall. IT teams today are challenged to keep Firewall rules up to date, manage existing rules, and remove unused rules. Any accidental rule updates can lead to a significant downtime for IT teams.

+For large, geographically dispersed organizations, manually managing Firewall rules and policies is a complex and sometimes error-prone process. The new Policy Analytics feature is the answer to this common challenge faced by IT teams.

+You can now refine and update Firewall rules and policies with confidence in just a few steps in the Azure portal. You have granular control to define your own custom rules for an enhanced security and compliance posture. You can automate rule and policy management to reduce the risks associated with a manual process.<br><br>

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE57NCC]

+## Pricing

+Enabling Policy Analytics on a Firewall Policy associated with a single firewall is billed per policy as described on the [Azure Firewall Manager pricing](https://azure.microsoft.com/pricing/details/firewall-manager/) page. Enabling Policy Analytics on a Firewall Policy associated with more than one firewall is offered at no added cost.

+## Key Policy Analytics features

+- **Policy insight panel**: Aggregates insights and highlights relevant policy information.

+- **Rule analytics**: Analyzes existing DNAT, Network, and Application rules to identify rules with low utilization or rules with low usage in a specific time window.

+- **Traffic flow analysis**: Maps traffic flow to rules by identifying top traffic flows and enabling an integrated experience.

+- **Single Rule analysis**: Analyzes a single rule to learn what traffic hits that rule to refine the access it provides and improve the overall security posture.

+## Prerequisites

+- An Azure Firewall Standard or Premium

+- An Azure Firewall Standard or Premium policy attached to the Firewall

+- The [Azure Firewall network rule name logging (preview)](firewall-network-rule-logging.md) must be enabled to view network rules analysis.

+- The [Azure Structured Firewall Logs (preview)](firewall-structured-logs.md) must be enabled on Firewall Standard or Premium.

+## Enable Policy Analytics

+Policy analytics starts monitoring the flows in the DNAT, Network, and Application rule analysis only after you enable the feature. It can't analyze rules hit before the feature is enabled.

+### Firewall with no diagnostics settings configured

+1. Once all prerequisites are met, select **Policy analytics (preview)** in the table of contents.

+2. Next, select **Configure Workspaces**.

+3. In the pane that opens, select the **Enable Policy Analytics** checkbox.

+4. Next, choose a log analytics workspace. The log analytics workspace should be the same as the Firewall attached to the policy.

+5. Select **Save** after you choose the log analytics workspace.

+6. Go to the Firewall attached to the policy and enter the **Diagnostic settings** page. You'll see the **FirewallPolicySetting** added there as part of the policy analytics feature.

+7. Select **Edit Setting**, and ensure the **Resource specific** toggle is checked, and the highlighted tables are checked. In the previous example, all logs are written to the log analytics workspace.

+### Firewall with Diagnostics settings already configured

+1. Ensure that the Firewall attached to the policy is logging to **Resource Specific** tables, and that the following three tables are also selected:

+ - AZFWApplicationRuleAggregation

+ - AZFWNetworkRuleAggregation

+ - AZFWNatRuleAggregation

+2. Next, select **Policy Analytics (preview)** in the table of contents. Once inside the feature, select **Configure Workspaces**.

+3. Now, select **Enable Policy Analytics**.

+4. Next, choose a log analytics workspace. The log analytics workspace should be the same as the Firewall attached to the policy.

+5. Select **Save** after you choose the log analytics workspace.

+ During the save process, you might see the following error message: **Failed to update Diagnostic Settings**

+ You can disregard this error message if the policy was successfully updated.

+> [!TIP]

+> Policy Analytics has a dependency on both Log Analytics and Azure Firewall resource specific logging. Verify the Firewall is configured appropriately or follow the previous instructions. Be aware that logs take 60 minutes to appear after enabling them for the first time. This is because logs are aggregated in the backend every hour. You can check logs are configured appropriately by running a log analytics query on the resource specific tables such as **AZFWNetworkRuleAggregation**, **AZFWApplicationRuleAggregation**, and **AZFWNatRuleAggregation**.

+## Next steps

+- To learn more about Azure Firewall logs and metrics, see [Azure Firewall logs and metrics](logs-and-metrics.md).

+## **November 2022**

+**Fixed the Error generated when resource is updated using if-match header and PATCH**

+Bug is now fixed and Resource will be updated if matches the Etag header. For details , see [#2877](https://github.com/microsoft/fhir-server/issues/2877)|

+ > If you're going to allow access from multiple services to the device message event hub, it's required that each service has its own event hub consumer group.

+> To learn more about how the MedTech service transforms and persists device message data into the Fast Healthcare Interoperability Resources (FHIR&#174;) service as FHIR Observations, see [Understand the MedTech service device message data transformation](understand-service.md).

+ > If you're going to allow access from multiple services to the device message event hub, it's required that each service has its own event hub consumer group.

+This article provides answers to frequently asked questions (FAQs) about the MedTech service.

+## Where is the MedTech service available?

+## Can I use the MedTech service with a different FHIR service other than the Azure Health Data Services FHIR service?

+No. The MedTech service currently only supports the Azure Health Data Services Fast Healthcare Interoperability Resources (FHIR&#174;) service for the persistence of transformed device message data. The open-source version of the MedTech service supports the use of different FHIR services.

+## What versions of FHIR does the MedTech service support?

+The MedTech service currently only supports the persistence of [HL7 FHIR&#174; R4](https://www.hl7.org/implement/standards/product_brief.cfm?product_id=491).

+## How long does it take for device message data to show up on the FHIR service?

+The MedTech service buffers the FHIR Observations resources created during the transformation stage and provides near real-time processing. However, it can potentially take up to five minutes for FHIR Observation resources to be persisted in the FHIR service. To learn how the MedTech service transforms device message data into FHIR Observations resources, see [Understand the MedTech service device message data transformation](understand-service.md).

+## Why do I have to provide device and FHIR destination mappings to the MedTech service?

+The MedTech service requires the device and FHIR destination mappings to perform normalization and transformation processes on the device message data. To learn how the MedTech service transforms device message data into FHIR Observations resources, see [Understand the MedTech service device message data transformation](understand-service.md).

+## Does the MedTech service perform backups of device messages?

+## What are the subscription quota limits for the MedTech service?

+## Can I use the MedTech service with device messages from Apple&#174;, Google&#174;, or Fitbit&#174; devices?

+To learn about the MedTech service, see

+> [!div class="nextstepaction"]

+> [What is the MedTech service?](overview.md)

+For more information on the MedTech service device message data transformation, see [Understand the MedTech service device message data transformation](understand-service.md).

+|Latency|Average Group Stage Latency|The average latency of the group stage. The [group stage](understand-service.md#group) performs buffering, aggregating, and grouping on normalized messages.|

+|Latency|Average Normalize Stage Latency|The average latency of the normalized stage. The [normalized stage](understand-service.md#normalize) performs normalization on raw incoming messages.|

+|Traffic|Number of Fhir resources saved|The total number of Fast Healthcare Interoperability Resources (FHIR&#174;) resources [updated or persisted](understand-service.md#persist) by the MedTech service.|

+|Traffic|Number of Incoming Messages|The number of received raw [incoming messages](understand-service.md#ingest) (for example, the device events) from the configured source event hub.|

+|Traffic|Number of Measurements|The number of normalized value readings received by the FHIR [transformation stage](understand-service.md#transform) of the MedTech service.|

+2. Copy the below table query string into your Log Analytics workspace query area and select **Run**. Using the *AHDSMedTechDiagnosticLogs* table will provide you with all logs contained in the entire table for the selected **Time range** setting (the default value is **Last 24 hours**). The MedTech service provides five pre-defined queries that will be addressed in the article section titled [Accessing the MedTech service pre-defined Azure Log Analytics queries](#accessing-the-medtech-service-pre-defined-azure-log-analytics-queries).

+Many functions are available when using **JMESPath** as the expression language. Besides the functions available as part of the JMESPath specification, many more custom functions may also be used. This article describes the MedTech service-specific custom functions for use with the MedTech service [device mapping](how-to-configure-device-mappings.md) during the device message [normalization](understand-service.md#normalize) process.

+|Latency|**Average Group Stage Latency**|The average latency of the group stage. The [group stage](understand-service.md#group) performs buffering, aggregating, and grouping on normalized messages.|

+|Latency|**Average Normalize Stage Latency**|The average latency of the normalized stage. The [normalized stage](understand-service.md#normalize) performs normalization on raw incoming messages.|

+|Traffic|Number of Fhir resources saved|The total number of Fast Healthcare Interoperability Resources (FHIR&#174;) resources [updated or persisted](understand-service.md#persist) by the MedTech service.|

+|Traffic|**Number of Incoming Messages**|The number of received raw [incoming messages](understand-service.md#ingest) (for example, the device events) from the configured source event hub.|

+|Traffic|**Number of Measurements**|The number of normalized value readings received by the FHIR [transformation stage](understand-service.md#transform) of the MedTech service.|

+(FHIR&#174;) is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+To learn about how the MedTech service processes device messages, see

+> [Understand the MedTech service device message data transformation](understand-service.md)

+> For information about the MedTech service device message data transformation, see [Understand the MedTech service device message data transformation](understand-service.md).

+ Title: Understand the MedTech service device message data transformation - Azure Health Data Services

+description: This article will provide you with an understanding of the MedTech service device messaging data transformation to FHIR Observation resources. The MedTech service ingests, normalizes, groups, transforms, and persists device message data into the FHIR service.

+# Understand the MedTech service device message data transformation

+This article provides an overview of the device message data processing stages within the [MedTech service](overview.md). The MedTech service transforms device message data into Fast Healthcare Interoperability Resources (FHIR&#174;) [Observation](https://www.hl7.org/fhir/observation.html) resources for persistence on the [FHIR service](../fhir/overview.md).

+The MedTech service device message data processing follows these steps and in this order:

+> [!div class="checklist"]

+> - Ingest

+> - Normalize - Device mappings applied.

+> - Group

+> - Transform - FHIR destination mappings applied.

+> - Persist

+## Ingest

+Ingest is the first stage where device messages are received from an [Azure Event Hubs](../../event-hubs/index.yml) event hub (`device message event hub`) and immediately pulled into the MedTech service. The Event Hubs service supports high scale and throughput with the ability to receive and process millions of device messages per second. It also enables the MedTech service to consume messages asynchronously, removing the need for devices to wait while device messages are processed.

+The device message event hub uses the MedTech service's [system-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types) and [Azure resource-based access control (Azure RBAC)](/azure/role-based-access-control/overview) for secure access to the device message event hub.

+> [!NOTE]

+> JSON is the only supported format at this time for device message data.

+> [!IMPORTANT]

+> If you're going to allow access from multiple services to the device message event hub, it's required that each service has its own event hub consumer group.

+>

+> Consumer groups enable multiple consuming applications to have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. For more information, see [Consumer groups](../../event-hubs/event-hubs-features.md#consumer-groups).

+>

+> Examples:

+>

+> - Two MedTech services accessing the same device message event hub.

+>

+> - A MedTech service and a storage writer application accessing the same device message event hub.

+## Normalize

+Normalize is the next stage where device message data is processed using user-selected/user-created conforming and valid [device mappings](how-to-configure-device-mappings.md). This mapping process results in transforming device message data into a normalized schema.

+The normalization process not only simplifies data processing at later stages, but also provides the capability to project one device message into multiple normalized messages. For instance, a device could send multiple vital signs for body temperature, pulse rate, blood pressure, and respiration rate in a single device message. This device message would create four separate FHIR Observation resources. Each resource would represent a different vital sign, with the device message projected into four different normalized messages.

+## Group

+Group is the next *optional* stage where the normalized messages available from the MedTech service normalization stage are grouped using three different parameters:

+> [!div class="checklist"]

+> - Device identity

+> - Measurement type

+> - Time period

+`Device identity` and `measurement type` grouping is optional and enabled by the use of the [SampledData](https://www.hl7.org/fhir/datatypes.html#SampledData) measurement type. The SampledData measurement type provides a concise way to represent a time-based series of measurements from a device message into FHIR Observation resources. When you use the SampledData measurement type, measurements can be grouped into a single FHIR Observation resource that represents a 1-hour period or a 24-hour period.

+## Transform

+Transform is the next stage where normalized messages are processed using user-selected/user-created conforming and valid [FHIR destination mappings](how-to-configure-fhir-mappings.md). Normalized messages get transformed into FHIR Observation resources if a matching FHIR destination mapping has been authored.

+At this point, the [Device](https://www.hl7.org/fhir/device.html) resource, along with its associated [Patient](https://www.hl7.org/fhir/patient.html) resource, is also retrieved from the FHIR service using the device identifier present in the device message. These resources are added as a reference to the FHIR Observation resource being created.

+> [!NOTE]

+> All identity look ups are cached once resolved to decrease load on the FHIR service. If you plan on reusing devices with multiple patients, it is advised you create a virtual device resource that is specific to the patient and send the virtual device identifier in the device message payload. The virtual device can be linked to the actual device resource as a parent.

+If no Device resource for a given device identifier exists in the FHIR service, the outcome depends upon the value of [Resolution Type](deploy-new-config.md#configure-the-destination-tab) set at the time of the MedTech service deployment. When set to `Lookup`, the specific message is ignored, and the pipeline will continue to process other incoming device messages. If set to `Create`, the MedTech service will create minimal Device and Patient resources on the FHIR service.

+> [!NOTE]

+> The `Resolution Type` can also be adjusted post deployment of the MedTech service in the event that a different type is later desired.

+The MedTech service buffers the FHIR Observations resources created during the transformation stage and provides near real-time processing. However, it can potentially take up to five minutes for FHIR Observation resources to be persisted in the FHIR service.

+## Persist

+Persist is the final stage where the FHIR Observation resources from the transform stage are persisted in the [FHIR service](../fhir/overview.md). If the FHIR Observation resource is new, it will be created in the FHIR service. If the FHIR Observation resource already existed, it will get updated in the FHIR service.

+The FHIR service uses the MedTech service's [system-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types) and [Azure resource-based access control (Azure RBAC)](/azure/role-based-access-control/overview) for secure access to the FHIR service.

+## Next steps

+In this article, you learned about the MedTech service device message processing and persistence in the FHIR service.

+To learn how to configure the MedTech service device and FHIR destination mappings, see

+> [!div class="nextstepaction"]

+> [How to configure device mappings](how-to-configure-device-mappings.md)

+> [!div class="nextstepaction"]

+> [How to configure FHIR destination mappings](how-to-configure-fhir-mappings.md)

+FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+|Issue | Date discovered | Workaround | Date resolved |

+|The SQL provider will cause the `RawResource` column in the database to save incorrectly. This occurs in a small number of cases when a transient exception occurs that causes the provider to use its retry logic.ΓÇ»|April 2022 |-|May 2022 Resolved [#2571](https://github.com/microsoft/fhir-server/pull/2571) |

+| Queries not providing consistent result counts after appended with `_sort` operator. For more information, see [#2680](https://github.com/microsoft/fhir-server/pull/2680). | July 2022 | No workaround|Not resolved |

+>[Note]

+## December 2022

+### Azure Health Data Services

+**Azure Health Data services General Available (GA) in new regions**

+General availability (GA) of Azure Health Data services in France Central, North Central US and Qatar Central Regions.

+

+### DICOM service

+ **DICOM Events available in public preview**

+Azure Health Data Services [Events](events/events-overview.md) now include a public preview of [two new event types](events/events-message-structure.md#dicom-events-message-structure) for the DICOM service. These new event types enable applications that use Event Grid to use event-driven workflows when DICOM images are created or deleted.

+## November 2022

+### FHIR service

+**Fixed the Error generated when resource is updated using if-match header and PATCH**

+Bug is now fixed and Resource will be updated if matches the Etag header. For details , see [#2877](https://github.com/microsoft/fhir-server/issues/2877)

+### Toolkit and Samples Open Source

+**Azure Health Data Services Toolkit is released**

+The [Azure Health Data Services Toolkit](https://github.com/microsoft/azure-health-data-services-toolkit), which was previously in a pre-release state, is now in **Public Preview** . The toolkit is open-source project and allows customers to more easily customize and extend the functionality of their Azure Health Data Services implementations. The NuGet packages of the toolkit are available for download from the NuGet gallery, and you can find links to them from the repo documentation.

+## October 2022

+### MedTech service

+ **Added Deploy to Azure button**

+ Customers can now deploy the MedTech service fully, including Event Hubs, AHDS workspace, FHIR service, MedTech service, and managed identity roles, all by clicking the "Deploy to Azure" button. [Deploy the MedTech service using an Azure Resource Manager template](./iot/deploy-new-arm.md)

+**Added the Dropped Event Metrics**

+Customers can now determine if their mappings are working as intended, as they can now see dropped events as a metric to ensure that data is flowing through accurately.

+FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+ Title: Tutorial - Azure IoT smart-meter monitoring

+description: This tutorial shows you how to deploy and use an application template for monitoring smart meters in Azure IoT Central.

+# Tutorial: Deploy and walk through an application template for monitoring smart meters

+Smart meters enable not only automated billing, but also advanced metering use cases like real-time readings and bidirectional communication.

+An application template enables utilities and partners to monitor the status and data of smart meters, along with defining alarms and notifications. The template provides sample commands, such as disconnecting a meter and updating software. You can set up the meter data to egress to other business applications, and to develop custom solutions.

+The application's key functionalities include:

+- Sample device model for meters

+- Meter readings such as energy, power, and voltage

+In this tutorial, you learn how to:

+- Create an application for monitoring smart meters.

+- Walk through the application.

+- Clean up resources.

+## Application architecture

+The architecture of the application consists of the following components. Some solutions might not require every component listed here.

+A smart meter is one of the most important devices among all the energy assets. It records and communicates energy consumption data to utilities for monitoring and other use cases, such as billing and demand response.

+Typically, a meter uses a gateway or bridge to connect to an Azure IoT Central application. To learn more about bridges, see [Use the Azure IoT Central device bridge to connect other IoT clouds to Azure IoT Central](../core/howto-build-iotc-device-bridge.md).

+### Azure IoT Central platform

+When you build an Internet of Things (IoT) solution, Azure IoT Central simplifies the build process and helps reduce the burden and costs of IoT management, operations, and development. With Azure IoT Central, you can easily connect, monitor, and manage your IoT assets at scale.

+After you connect your smart meters to Azure IoT Central, the application template uses built-in features such as device models, commands, and dashboards. The application template also uses the Azure IoT Central storage for warm path scenarios such as near real-time meter data monitoring, analytics, rules, and visualization.

+### Extensibility options to build with Azure IoT Central

+The Azure IoT Central platform provides two extensibility options: Continuous Data Export and APIs. Customers and partners can choose between these options to customize their solutions for their specific needs.

+For example, a partner might configure Continuous Data Export with Azure Data Lake Storage. That partner can then use Data Lake Storage for long-term data retention and other scenarios for cold path storage, such batch processing, auditing, and reporting.

+To complete this tutorial, you need an active Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Create an application for monitoring smart meters

+1. Go to the [Azure IoT Central build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account.

+1. Select **Build** from the left menu, and then select the **Energy** tab.

+ :::image type="content" source="media/tutorial-iot-central-smart-meter/smart-meter-build.png" alt-text="Screenshot that shows the Azure IoT Central build site with energy app templates.":::

+1. Under **Smart meter monitoring**, select **Create app**.

+To learn more, see [Create an Azure IoT Central application](../core/howto-create-iot-central-application.md).

+The following sections walk you through the key features of the application.

+After you deploy the application template, it comes with a sample smart meter, a device model, and a dashboard.

+Adatum is a fictitious energy company that monitors and manages smart meters. The dashboard for monitoring smart meters shows properties, data, and sample commands for meters. The dashboard enables operators and support teams to proactively perform the following activities before they become support incidents:

+* Monitor minimum and maximum voltage readings for network health.

+* Perform command and control operations, such as reconnecting a meter and updating a firmware version. In the template, the command buttons show the possible functionalities and don't send real commands.

+The application comes with a sample smart-meter device. You can see available devices by selecting **Devices** on the left menu.

+Select the link for sample device **SM0123456789** to see the device details. You can update the writable properties of the device on the **Update Properties** page, and then visualize the updated values on the dashboard.

+### Device template

+Select **Device templates** on the left menu to see the model of the smart meter. The model has a predefined interface for data, properties, commands, and views.

+> [Tutorial: Deploy and walk through a solar panel application template](tutorial-solar-panel-app.md)

+When importing a .pem file, check if the format is the following:

+--BEGIN CERTIFICATE--<br>

+MIID2TCCAsGg...<br>

+--END CERTIFICATE--<br>

+--BEGIN PRIVATE KEY--<br>

+MIIEvQIBADAN...<br>

+--END PRIVATE KEY--<br>

+az role assignment create --role "Storage Blob Data Contributor" --assignee t-trtr@microsoft.com --scope "/subscriptions/aaaaaaaa-bbbb-bbbb-cccc-dddddddddddd/resourceGroups/contosoResourceGroup5/providers/Microsoft.Storage/storageAccounts/contosoblobstorage5

+ getSecret(secretName).then(secretValue => {

+ console.log(`The value of secret '${secretName}' in '${keyVaultName}' is: '${secretValue}'`);

+[Azure Key Vault REST API](/rest/api/keyvault/)

+For more information about how objects in Key Vault are versioned, see [Key Vault objects, identifiers, and versioning](../general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning).

+> Granting a security principal management plane access to an managed HSM does not grant them any access to data plane to access keys or data plane role assignments Managed HSM local RBAC). This isolation is by design to prevent inadvertent expansion of privileges affecting access to keys stored in Managed HSM. The one exception is members of the Azure Active Directory Global Administrator role are implicitly part of the Managed HSM Administrator role for recovery purposes such as when there are no longer any valid Managed HSM administrator accounts. Please follow [Azure Active Directory best practices for securing the Global Adminstrator role](../../active-directory/roles/best-practices.md#5-limit-the-number-of-global-administrators-to-less-than-5).

+- For more information about usage logging for Managed HSM logging, see [Managed HSM logging](logging.md)

+An **endpoint**, in this context, is an HTTPS path that provides an interface for clients to send requests (input data) and receive the inferencing (scoring) output of a trained model. An endpoint provides:

+Azure Machine Learning allows you to implement both [online endpoints](#what-are-online-endpoints) and [batch endpoints](#what-are-batch-endpoints).

+In this article, learn how to apply Machine Learning Operations (MLOps) practices in Azure Machine Learning for the purpose of managing the lifecycle of your models. Applying MLOps practices can improve the quality and consistency of your machine learning solutions.

+1. Zipping the files in your project folder and upload to the cloud.

+

+ > [!TIP]

+ > [!INCLUDE [amlinclude-info](../../includes/machine-learning-amlignore-gitignore.md)]

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](concept-train-machine-learning-model.md#understand-what-happens-when-you-submit-a-training-job) or don't include it in the source directory.

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](concept-train-machine-learning-model.md#understand-what-happens-when-you-submit-a-training-job) or don't include it in the source directory.

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](concept-train-machine-learning-model.md#understand-what-happens-when-you-submit-a-training-job) or don't include it in the source directory.

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](concept-train-machine-learning-model.md#understand-what-happens-when-you-submit-a-training-job) or don't include it in the source directory.

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use an [.ignore file](concept-train-machine-learning-model.md#understand-what-happens-when-you-submit-a-training-job) or don't include it in the source directory. Instead, access your data by using a [datastore](/python/api/azureml-core/azureml.data).

+| `success_threshold` | integer | The minimum consecutive successes for the probe to be considered successful after having failed. Minimum value is `1` for readiness probe. The value for liveness probe is fixed as `1`. | `1` |

+In this article, learn how to apply Machine Learning Operations (MLOps) practices in Azure Machine Learning for the purpose of managing the lifecycle of your models. Applying MLOps practices can improve the quality and consistency of your machine learning solutions.

+ Title: Where to save & write experiment files

+description: Learn where to save your input and output files to prevent storage limitation errors and experiment latency.

+# Where to save and write files for Azure Machine Learning experiments

+In this article, you learn where to save input files, and where to write output files from your experiments to prevent storage limit errors and experiment latency.

+When launching training jobs on a [compute target](../concept-compute-target.md), they are isolated from outside environments. The purpose of this design is to ensure reproducibility and portability of the experiment. If you run the same script twice, on the same or another compute target, you receive the same results. With this design, you can treat compute targets as stateless computation resources, each having no affinity to the jobs that are running after they are finished.

+## Where to save input files

+Before you can initiate an experiment on a compute target or your local machine, you must ensure that the necessary files are available to that compute target, such as dependency files and data files your code needs to run.

+Azure Machine Learning jobs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](how-to-save-write-experiment-files.md#storage-limits-of-experiment-snapshots) or don't include it in the source directory. Instead, access your data using a [datastore](/python/api/azureml-core/azureml.data).

+The storage limit for experiment snapshots is 300 MB and/or 2000 files.

+For this reason, we recommend:

+* **Storing your files in an Azure Machine Learning [dataset](/python/api/azureml-core/azureml.data).** This prevents experiment latency issues, and has the advantages of accessing data from a remote compute target, which means authentication and mounting are managed by Azure Machine Learning. Learn more about how to specify a dataset as your input data source in your training script with [Train with datasets](how-to-train-with-datasets.md).

+* **If you only need a couple data files and dependency scripts and can't use a datastore,** place the files in the same folder directory as your training script. Specify this folder as your `source_directory` directly in your training script, or in the code that calls your training script.

+<a name="limits"></a>

+### Storage limits of experiment snapshots

+For experiments, Azure Machine Learning automatically makes an experiment snapshot of your code based on the directory you suggest when you configure the job. This has a total limit of 300 MB and/or 2000 files. If you exceed this limit, you'll see the following error:

+```Python

+While attempting to take snapshot of .

+Your total snapshot size exceeds the limit of 300.0 MB

+```

+To resolve this error, store your experiment files on a datastore. If you can't use a datastore, the below table offers possible alternate solutions.

+Experiment&nbsp;description|Storage limit solution

+|

+Less than 2000 files & can't use a datastore| Override snapshot size limit with <br> `azureml._restclient.snapshots_client.SNAPSHOT_MAX_SIZE_BYTES = 'insert_desired_size'`<br> This may take several minutes depending on the number and size of files.

+Must use specific script directory| [!INCLUDE [amlinclude-info](../../../includes/machine-learning-amlignore-gitignore.md)]

+Pipeline|Use a different subdirectory for each step

+Jupyter notebooks| Create a `.amlignore` file or move your notebook into a new, empty, subdirectory and run your code again.

+## Where to write files

+Due to the isolation of training experiments, the changes to files that happen during jobs are not necessarily persisted outside of your environment. If your script modifies the files local to compute, the changes are not persisted for your next experiment job, and they're not propagated back to the client machine automatically. Therefore, the changes made during the first experiment job don't and shouldn't affect those in the second.

+When writing changes, we recommend writing files to storage via an Azure Machine Learning dataset with an [OutputFileDatasetConfig object](/python/api/azureml-core/azureml.data.output_dataset_config.outputfiledatasetconfig). See [how to create an OutputFileDatasetConfig](how-to-train-with-datasets.md#where-to-write-training-output).

+Otherwise, write files to the `./outputs` and/or `./logs` folder.

+>[!Important]

+> Two folders, *outputs* and *logs*, receive special treatment by Azure Machine Learning. During training, when you write files to`./outputs` and`./logs` folders, the files will automatically upload to your job history, so that you have access to them once your job is finished.

+* **For output such as status messages or scoring results,** write files to the `./outputs` folder, so they are persisted as artifacts in job history. Be mindful of the number and size of files written to this folder, as latency may occur when the contents are uploaded to job history. If latency is a concern, writing files to a datastore is recommended.

+* **To save written file as logs in job history,** write files to `./logs` folder. The logs are uploaded in real time, so this method is suitable for streaming live updates from a remote job.

+## Next steps

+* Learn more about [accessing data from storage](how-to-access-data.md).

+* Learn more about [Create compute targets for model training and deployment](../how-to-create-attach-compute-studio.md)

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](how-to-save-write-experiment-files.md#storage-limits-of-experiment-snapshots) or don't include it in the source directory . Instead, access your data using an Azure ML [dataset](how-to-train-with-datasets.md).

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](how-to-save-write-experiment-files.md#storage-limits-of-experiment-snapshots) or don't include it in the source directory . Instead, access your data using an Azure ML [dataset](how-to-train-with-datasets.md).

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](how-to-save-write-experiment-files.md#storage-limits-of-experiment-snapshots) or don't include it in the source directory . Instead, access your data using an Azure ML [dataset](how-to-train-with-datasets.md).

+# Update vCPU sizes for an Azure virtual machine offer

+Complete these steps when you are notified that new vCPU sizes are now supported.

+> These steps apply regardless of the selected price input option (free, flat ate, per vCPU, per vCPU size, per market and vCPU size) and must be completed within the period specified in the notification from Microsoft. Otherwise, weΓÇÖll publish the new vCPU sizes at the price that we calculate for you.

+1. Sign-in to [Partner Center](https://go.microsoft.com/fwlink/?linkid=2166002).

+ - If either the _Per_ *vCPU* _size_ or _Per market and_ vCPU _size_ price entry options are used, under **Pricing**, verify the price and make any necessary adjustments for the new vCPU sizes that have been added.

+ - If your price entry option is set to _Free_, _Flat rate_, or _Per_ *vCPU*, go to step 7.

+

+1. Select **Save draft** and then **Review and publish**. After the offer is republished, the new vCPU sizes will be available to your customers at the prices that you have set.

+

+> [!NOTE]

+> Private plans can only be deployed by the customers configured in the private audience. It is recommended to create a Private Offer instead of using private plans. However, if you decide to make a private plan instead, keep in mind that the Plan ID, URN and Offer Name is publicly visible via Azure CLI. When creating your private plans, be sure to name them appropriately with this in mind.

+ Title: 'Tutorial: Monitor network communication with virtual machine scale set - Azure portal'

+description: In this tutorial, you'll learn how to monitor network communication between two virtual machine scale sets with Azure Network Watcher connection monitor using the Azure portal.

+# Customer intent: I need to monitor communication between a virtual machine scale set and another VM. If the communication fails, I need to know why, so that I can resolve the problem.

+# Tutorial: Monitor network communication with a virtual machine scale set using the Azure portal

+Successful communication between a virtual machine scale set and another endpoint, such as virtual machine (VM), can be critical for your organization. Sometimes, the introduction of configuration changes can break communication.

+In this tutorial, you learn how to:

+> * Monitor communication between a scale set and a VM by using Connection monitor.

+> * Generate alerts on Connection monitor metrics.

+> This tutorial uses Connection monitor (classic). To experience enhanced connectivity monitoring, try the updated version of [Connection monitor](connection-monitor-overview.md).

+> As of July 1, 2021, you can't add new connection monitors in Connection monitor (classic) but you can continue to use earlier versions that were created prior to that date. To minimize service disruption to your current workloads, [migrate from Connection monitor (classic) to the latest Connection monitor](migrate-to-connection-monitor-from-connection-monitor-classic.md) in Azure Network Watcher before February 29, 2024.

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Prerequisites

+* An Azure subscription

+First, create a public standard load balancer using the Azure portal. The name and public IP address you create are automatically configured as the load balancer's front end.

+1. In the search box, enter **load balancer** and then, under **Marketplace** in the search results, select **Load balancer**.

+1. Type **Scale set** in the search box. In the results, under **Marketplace**, select **Virtual machine scale sets**.

+1. On the **Virtual machine scale sets** pane, select **Create**. The **Create a virtual machine scale set** page opens.

+To create a monitor in Connection monitor by using the Azure portal:

+ You'll see a list of the connection monitors that were created in Connection monitor. To see the connection monitors that were created in the classic Connection monitor, select the **Connection monitor** tab.

+ :::image type="content" source="./media/connection-monitor-2-preview/cm-resource-view.png" alt-text="Screenshot that lists the connection monitors that were created in Connection monitor.":::

+1. On the **Connection monitor** dashboard, at the upper left, select **Create**.

+ :::image type="content" source="./media/connection-monitor-2-preview/create-cm-basics.png" alt-text="Screenshot that shows the 'Basics' pane in Connection monitor.":::

+1. Add sources, destinations, and test configurations in your test groups. To learn about setting up test groups, see [Create test groups in Connection monitor](#create-test-groups-in-a-connection-monitor).

+ :::image type="content" source="./media/connection-monitor-2-preview/create-tg.png" alt-text="Screenshot that shows the 'Test groups' pane in Connection monitor.":::

+1. At the bottom of the pane, select **Next: Create Alerts**. To learn about creating alerts, see [Create alerts in Connection monitor](#create-alerts-in-connection-monitor).

+ :::image type="content" source="./media/connection-monitor-2-preview/review-create-cm.png" alt-text="Screenshot that shows the 'Review + create' pane in Connection monitor.":::

+ > The **Review + create** pane shows the cost per month during the Connection monitor stage. Currently, the **Current Cost/Month** column shows no charge. When Connection monitor becomes generally available, this column will show a monthly charge.

+ > Even during the Connection monitor stage, Log Analytics ingestion charges apply.

+ > Connection monitor now supports the auto-enabling of monitoring extensions for Azure and non-Azure endpoints, thus eliminating the need for manual installation of monitoring solutions during the creation of Connection monitor.

+ * To choose Azure agents, select the **Azure endpoints** tab. Here you see only VMs or virtual machine scale sets that are bound to the region that you specified when you created the connection monitor. By default, VMs and virtual machine scale sets are grouped into the subscription that they belong to. These groups are collapsed.

+ :::image type="content" source="./media/connection-monitor-2-preview/add-sources-1.png" alt-text="Screenshot that shows the 'Add Sources' pane and the Azure endpoints, including the 'virtual machine scale set' pane, in Connection monitor.":::

+ :::image type="content" source="./media/connection-monitor-2-preview/add-non-azure-sources.png" alt-text="Screenshot that shows the 'Add Sources' pane and the 'Non-Azure endpoints' pane in Connection monitor.":::

+ :::image type="content" source="./media/connection-monitor-2-preview/add-endpoints.png" alt-text="Screenshot that shows where to add public endpoints as destinations in Connection monitor.":::

+1. **Test configurations**: You can add one or more test configurations to a test group. Create a new test configuration by using the **New configuration** pane. Or add a test configuration from another test group in the same Connection monitor from the **Choose existing** pane.

+ :::image type="content" source="./media/connection-monitor-2-preview/add-test-config.png" alt-text="Screenshot that shows where to set up a test configuration in Connection monitor.":::

+1. **Test Groups**: You can add one or more Test Groups to a Connection monitor. These test groups can consist of multiple Azure or non-Azure endpoints.

+ For selected Azure VMs or Azure virtual machine scale sets and non-Azure endpoints without monitoring extensions, the extension for Azure VMs and the Network Performance Monitor solution for non-Azure endpoints will be auto-enabled after the creation of Connection monitor begins.

+ If the selected virtual machine scale set is set for manual upgrade, you'll have to upgrade the scale set after the Network Watcher extension installation. Doing so lets you continue setting up the Connection monitor with virtual machine scale sets as endpoints. If the virtual machine scale set is set to auto-upgrade, you don't need to worry about upgrading after the installation of the Network Watcher extension.

+ In the previously mentioned scenario, you can consent to an auto-upgrade of virtual Machine Scale sets with auto-enabling of the Network Watcher extension during the creation of Connection monitor for virtual Machine Scale sets with manual upgrading. This approach eliminates the need to manually upgrade the virtual machine scale set after you install the Network Watcher extension.

+ :::image type="content" source="./media/connection-monitor-2-preview/consent-vmss-auto-upgrade.png" alt-text="Screenshot that shows where to set up a test group and consent for an auto-upgrade of the virtual machine scale set in Connection monitor.":::

+## Create alerts in Connection monitor

+Currently, Connection monitor provides default coverage for the scale set instances that are selected as endpoints. This means that only a default percentage of all the added scale set instances would be randomly selected to monitor connectivity from the scale set to the endpoint.

+As a best practice, to avoid loss of data due to downscaling of instances, we recommend that you select *all* instances in a scale set while you're creating a test group, instead of selecting a particular few for monitoring your endpoints.

+Azure PostgreSQL uses [Azure Storage encryption](../../storage/common/storage-service-encryption.md) to encrypt data at-rest by default using Microsoft-managed keys. For Azure PostgreSQL users, it's similar to Transparent Data Encryption (TDE) in other databases such as SQL Server. Many organizations require full control of access to the data using a customer-managed key. Data encryption with customer-managed keys for Azure Database for PostgreSQL Flexible server enables you to bring your key (BYOK) for data protection at rest. It also allows organizations to implement separation of duties in the management of keys and data. With customer-managed encryption, you're responsible for, and in full control of, a key's lifecycle, key usage permissions, and auditing of operations on keys.

+Data encryption with customer-managed keys for Azure Database for PostgreSQL Flexible server is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the service's data encryption key (DEK). The KEK is an asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault](https://azure.microsoft.com/services/key-vault/)) instance. The Key Encryption Key (KEK) and Data Encryption Key (DEK) are described in more detail later in this article.

+Data encryption with customer-managed keys for Azure Database for PostgreSQL - Flexible Server provides the following benefits:

+- [Data Curator role](catalog-permissions.md#roles) on the collection where the data asset is housed and/or the root collection, depending on what you need. See the guide on [managing Microsoft Purview role assignments](catalog-permissions.md#assign-permissions-to-your-users).

+ - Create and modify asset types, modify assets - Data Curator on the collection where the data asset is housed. An asset will need to be moved to your collection after creation for you to be able to modify it.

+ - Create and modify assets - Data curator on the root collection.

+

+>[!NOTE]

+> As this feature is in preview, these permissions are not the final permission structure for metamodel. Updates will continue to be made to this structure.

+>[!NOTE]

+> Since this feature is in preview, available abilities are regularly updated.

+- New assets are created in the root collection, but can be edited afterwards to be moved to a new collection.

+For more information about the metamodel, see the metamodel [concept page](concept-metamodel.md).

+Microsoft Purview automates data discovery by providing data scanning and classification for assets across your data estate. Metadata and descriptions of discovered data assets are integrated into a holistic map of your data estate. Microsoft Purview Data Map provides the foundation for data discovery and data governance. Microsoft Purview Data Map is a cloud native PaaS service that captures metadata about enterprise data present in analytics and operation systems on-premises and cloud. Microsoft Purview Data Map is automatically kept up to date with built-in automated scanning and classification system. Business users can configure and use the data map through an intuitive UI and developers can programmatically interact with the Data Map using open-source Apache Atlas 2.2 APIs.

+Microsoft Purview Data Map powers the Microsoft Purview Data Catalog, the Microsoft Purview Data Estate Insights and the Microsoft Purview Data Policy as unified experiences within the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).

+For more information, see our [introduction to Data Map](concept-elastic-data-map.md).

+Atop the Data Map, there are purpose-built apps that create environments for data discovery, access management, and insights about your data landscape.

+| [Microsoft.Azure.Management.Search 4.0.0](/dotnet/api/overview/azure/search/management/management-cognitivesearch) | Active | Targets the Management REST api-version=2020-08-01. |

+Azure SDK for .NET includes an [**Azure.Search.Documents**](/dotnet/api/overview/azure/search) client library from the Azure SDK team that is functionally equivalent to the previous client library, [Microsoft.Azure.Search](/dotnet/api/microsoft.azure.search). Version 11 is more consistent in terms of Azure programmability. Some examples include [`AzureKeyCredential`](/dotnet/api/azure.azurekeycredential) key authentication, and [System.Text.Json.Serialization](/dotnet/api/system.text.json.serialization) for JSON serialization.

+The client library doesn't provide [service management operations](/rest/api/searchmanagement/), such as creating and scaling search services and managing API keys. If you need to manage your search resources from a .NET application, use the [Microsoft.Azure.Management.Search](/dotnet/api/microsoft.azure.management.search) library in the Azure SDK for .NET.

+The solution is built on the same antimalware platform as Microsoft Security Essentials (MSE), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Microsoft Intune, and Microsoft Defender for Cloud. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. Protection may be deployed based on the needs of application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.

+* **Antimalware Engine updates** - automatically updates the Microsoft Antimalware engine.

+* **Antimalware Platform updates** - automatically updates the Microsoft Antimalware platform.

+* **Exclusions** - allows application and service administrators to configure exclusions for files, processes, and drives.

+> Microsoft Antimalware can also be deployed using Microsoft Defender for Cloud. Read [Install Endpoint Protection in Microsoft Defender for Cloud](../../defender-for-cloud/integration-defender-for-endpoint.md) for more information.

+> Microsoft Defender Antivirus is the built-in Antimalware enabled in Windows Server 2016 and above.

+> The Azure VM Antimalware extension can still be added to a Windows Server 2016 and above Azure VM with Microsoft Defender Antivirus. In this scenario, the extension applies any optional [configuration policies](antimalware.md#default-and-custom-antimalware-configuration) to be used by Microsoft Defender Antivirus The extension does not deploy any other antimalware services.

+> See the [Samples](antimalware.md#samples) section of this article for more details.

+* Virtual Machines - In the Azure portal, under **Security Extensions**

+* Virtual Machines - Using the Visual Studio virtual machines configuration in Server Explorer

+* Virtual Machines and Cloud Services - Using the Antimalware [classic deployment model](/previous-versions/azure/ee460799(v=azure.100))

+* Virtual Machines and Cloud Services - Using Antimalware PowerShell cmdlets

+The Azure portal or PowerShell cmdlets push the Antimalware extension package file to the Azure system at a pre-determined fixed location. The Azure Guest Agent (or the Fabric Agent) launches the Antimalware Extension, applying the Antimalware configuration settings supplied as input. This step enables the Antimalware service with either default or custom configuration settings. If no custom configuration is provided, then the antimalware service is enabled with the default configuration settings. See the [Samples](antimalware.md#samples) section of this article for more details..

+> You can however use PowerShell/APIs and Azure Resource Manager templates to deploy Virtual Machine Scale Sets with the Microsoft Anti-Malware extension. For installing an extension on an already running Virtual Machine, you can use the sample Python script [vmssextn.py](https://github.com/gbowerman/vmsstools#vmssextn). This script gets the existing extension config on the Scale Set and adds an extension to the list of existing extensions on the VM Scale Sets.

+>The Visual Studio Virtual Machines configuration for Antimalware supports only JSON format configuration. See the [Samples](antimalware.md#samples) section of this article for more details.

+>The Azure Virtual Machines configuration for Antimalware supports only JSON format configuration. See the [Samples](antimalware.md#samples) section of this article for more details.

+See the [Samples](antimalware.md#samples) section of this article for more details.

+## Samples

+1. Set up your PowerShell environment using this [documentation](https://github.com/Azure/azure-powershell) on GitHub.

+2. Use the [New-AzConnectedMachineExtension](../../azure-arc/servers/manage-vm-extensions-powershell.md) cmdlet to enable and configure Microsoft Antimalware for your Arc-enabled servers.

+- Azure Logic Apps

+- Microsoft Azure Attestation

+- OpenAI

+ Title: Migrate applications to use passwordless authentication with Azure Service Bus

+description: Learn to migrate existing Service Bus applications away from connection strings to use Azure AD and Azure RBAC for enhanced security.

+ - devx-track-csharp

+ - passwordless-dotnet

+ms.devlang: csharp

+# Migrate an application to use passwordless connections with Azure Service Bus

+Application requests to Azure Service Bus must be authenticated using either account access keys or passwordless connections. However, you should prioritize passwordless connections in your applications when possible. This tutorial explores how to migrate from traditional authentication methods to more secure, passwordless connections.

+## Security risks associated with access keys

+The following code example demonstrates how to connect to Azure Service Bus using a connection string that includes an access key. When you create a Service Bus, Azure generates these keys and connection strings automatically. Many developers gravitate towards this solution because it feels familiar to options they've worked with in the past. If your application currently uses connection strings, consider migrating to passwordless connections using the steps described in this document.

+```csharp

+var serviceBusClient = new ServiceBusClient(

+ "<NAMESPACE-CONNECTION-STRING>",

+ clientOptions);

+```

+Connection strings should be used with caution. Developers must be diligent to never expose the keys in an unsecure location. Anyone who gains access to the key is able to authenticate. For example, if an account key is accidentally checked into source control, sent through an unsecure email, pasted into the wrong chat, or viewed by someone who shouldn't have permission, there's risk of a malicious user accessing the application. Instead, consider updating your application to use passwordless connections.

+## Migrate to passwordless connections

+## Steps to migrate an app to use passwordless authentication

+The following steps explain how to migrate an existing application to use passwordless connections instead of a key-based solution. You'll first configure a local development environment, and then apply those concepts to an Azure app hosting environment. These same migration steps should apply whether you're using access keys directly, or through connection strings.

+### Configure roles and users for local development authentication

+### Sign-in and migrate the app code to use passwordless connections

+For local development, make sure you're authenticated with the same Azure AD account you assigned the role to for the Service Bus namespace. You can authenticate via the Azure CLI, Visual Studio, Azure PowerShell, or other tools such as IntelliJ.

+Next you'll need to update your code to use passwordless connections.

+1. To use `DefaultAzureCredential` in a .NET application, add the **Azure.Identity** NuGet package to your application.

+ ```dotnetcli

+ dotnet add package Azure.Identity

+ ```

+1. At the top of your `Program.cs` file, add the following `using` statement:

+ ```csharp

+ using Azure.Identity;

+ ```

+1. Identify the locations in your code that currently create a `ServiceBusClient` to connect to Azure Service Bus. This task is often handled in `Program.cs`, potentially as part of your service registration with the .NET dependency injection container. Update your code to match the following example:

+ ```csharp

+ var clientOptions = new ServiceBusClientOptions

+ {

+ TransportType = ServiceBusTransportType.AmqpWebSockets

+ };

+ //TODO: Replace the "<SERVICE-BUS-NAMESPACE-NAME>" placeholder.

+ client = new ServiceBusClient(

+ "<SERVICE-BUS-NAMESPACE-NAME>.servicebus.windows.net",

+ new DefaultAzureCredential(),

+ clientOptions);

+ ```

+1. Make sure to update the Service Bus namespace in the URI of your `ServiceBusClient`. You can find the namespace on the overview page of the Azure portal.

+#### Run the app locally

+After making these code changes, run your application locally. The new configuration should pick up your local credentials, such as the Azure CLI, Visual Studio, or IntelliJ. The roles you assigned to your local dev user in Azure will allow your app to connect to the Azure service locally.

+### Configure the Azure hosting environment

+Once your application is configured to use passwordless connections and runs locally, the same code can authenticate to Azure services after it's deployed to Azure. For example, an application deployed to an Azure App Service instance that has a managed identity enabled can connect to Azure Service Bus.

+#### Create the managed identity using the Azure portal

+Alternatively, you can also enable managed identity on an Azure hosting environment using the Azure CLI.

+### [Service Connector](#tab/service-connector-identity)

+You can use Service Connector to create a connection between an Azure compute hosting environment and a target service using the Azure CLI. The CLI automatically handles creating a managed identity and assigns the proper role, as explained in the [portal instructions](#create-the-managed-identity-using-the-azure-portal).

+If you're using an Azure App Service, use the `az webapp connection` command:

+```azurecli

+az webapp connection create servicebus \

+ --resource-group <resource-group-name> \

+ --name <webapp-name> \

+ --target-resource-group <target-resource-group-name> \

+ --namespace <target-service-bus-namespace> \

+ --system-identity

+```

+If you're using Azure Spring Apps, use the `az spring connection` command:

+```azurecli

+az spring connection create servicebus \

+ --resource-group <resource-group-name> \

+ --service <service-instance-name> \

+ --app <app-name> \

+ --deployment <deployment-name> \

+ --target-resource-group <target-resource-group> \

+ --namespace <target-service-bus-namespace> \

+ --system-identity

+```

+If you're using Azure Container Apps, use the `az containerapp connection` command:

+```azurecli

+az containerapp connection create servicebus \

+ --resource-group <resource-group-name> \

+ --name <webapp-name> \

+ --target-resource-group <target-resource-group-name> \

+ --namespace <target-service-bus-namespace> \

+ --system-identity

+```

+### [Azure App Service](#tab/app-service-identity)

+You can assign a managed identity to an Azure App Service instance with the [az webapp identity assign](/cli/azure/webapp/identity) command.

+```azurecli

+az webapp identity assign \

+ --resource-group <resource-group-name> \

+ --name <webapp-name>

+```

+### [Azure Spring Apps](#tab/spring-apps-identity)

+You can assign a managed identity to an Azure Spring Apps instance with the [az spring app identity assign](/cli/azure/spring/app/identity) command.

+```azurecli

+az spring app identity assign \

+ --resource-group <resource-group-name> \

+ --name <app-name> \

+ --service <service-name>

+```

+### [Azure Container Apps](#tab/container-apps-identity)

+You can assign a managed identity to an Azure Container Apps instance with the [az container app identity assign](/cli/azure/containerapp/identity) command.

+```azurecli

+az containerapp identity assign \

+ --resource-group <resource-group-name> \

+ --name <app-name>

+```

+### [Azure Virtual Machines](#tab/virtual-machines-identity)

+You can assign a managed identity to a virtual machine with the [az vm identity assign](/cli/azure/vm/identity) command.

+```azurecli

+az vm identity assign \

+ --resource-group <resource-group-name> \

+ --name <virtual-machine-name>

+```

+### [Azure Kubernetes Service](#tab/aks-identity)

+You can assign a managed identity to an Azure Kubernetes Service (AKS) instance with the [az aks update](/cli/azure/aks) command.

+```azurecli

+az aks update \

+ --resource-group <resource-group-name> \

+ --name <virtual-machine-name>

+ --enable-managed-identity

+```

+#### Assign roles to the managed identity

+Next, you need to grant permissions to the managed identity you created to access your Service Bus. You can do this by assigning a role to the managed identity, just like you did with your local development user.

+### [Service Connector](#tab/assign-role-service-connector)

+If you connected your services using the Service Connector you don't need to complete this step. The necessary configurations were handled for you:

+* If you selected a managed identity while creating the connection, a system-assigned managed identity was created for your app and assigned the **Azure Service Bus Data Owner** role on the Service Bus.

+* If you selected connection string, the connection string was added as an app environment variable.

+### [Azure portal](#tab/assign-role-azure-portal)

+1. Navigate to your Service Bus overview page and select **Access Control (IAM)** from the left navigation.

+1. Choose **Add role assignment**.

+ :::image type="content" source="../../includes/passwordless/media/migration-add-role-small.png" alt-text="Screenshot showing how to add a role to a managed identity." lightbox="../../includes/passwordless/media/migration-add-role.png":::

+1. In the **Role** search box, search for *Azure Service Bus Data Owner*, which is a common role used to manage data operations for blobs. You can assign whatever role is appropriate for your use case. Select the *Azure Service Bus Data Owner* from the list and choose **Next**.

+1. On the **Add role assignment** screen, for the **Assign access to** option, select **Managed identity**. Then choose **+Select members**.

+1. In the flyout, search for the managed identity you created by entering the name of your app service. Select the system assigned identity, and then choose **Select** to close the flyout menu.

+ :::image type="content" source="../../includes/passwordless/media/migration-select-identity-small.png" alt-text="Screenshot showing how to select the assigned managed identity." lightbox="../../includes/passwordless/media/migration-select-identity.png":::

+1. Select **Next** a couple times until you're able to select **Review + assign** to finish the role assignment.

+### [Azure CLI](#tab/assign-role-azure-cli)

+To assign a role at the resource level using the Azure CLI, you first must retrieve the resource ID using the `az servicebus show` command. You can filter the output properties using the --query parameter.

+```azurecli

+az servicebus show \

+ --resource-group '<your-resource-group-name>' \

+ --name '<your-service-bus-namespace>' \

+ --query id

+```

+Copy the output ID from the preceding command. You can then assign roles using the `az role` command of the Azure CLI.

+```azurecli

+az role assignment create \

+ --assignee "<your-username>" \

+ --role "Azure Service Bus Data Owner" \

+ --scope "<your-resource-id>"

+```

+#### Test the app

+After making these code changes, browse to your hosted application in the browser. Your app should be able to connect to the Service Bus successfully. Keep in mind that it may take several minutes for the role assignments to propagate through your Azure environment. Your application is now configured to run both locally and in a production environment without the developers having to manage secrets in the application itself.

+## Next steps

+In this tutorial, you learned how to migrate an application to passwordless connections.

+* [Difference in Service Fabric Events Channel](service-fabric-diagnostics-overview.md#platform-cluster-monitoring)

+ Title: Resource impact from Azure outages

+description: This article details where to find information from Azure Service Health about how Azure outages might affect your resources.

+# Resource impact from Azure outages

+[Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health/) helps customers view any health events that affect their subscriptions and tenants. In the Azure portal, the **Service Issues** pane in **Service Health** shows any ongoing problems in Azure services that are affecting your resources. You can understand when each problem began, and what services and regions are affected.

+Previously, the **Potential Impact** tab on the **Service Issues** pane appeared in the incident details section. It showed any resources under a subscription that an outage might affect, along with a signal from [Azure Resource Health](../service-health/resource-health-overview.md) to help you evaluate impact.

+In support of the experience of viewing affected resources, Service Health has enabled a new feature to:

+- Replace the **Potential Impact** tab with an **Impacted Resources** tab on the **Service Issues** pane.

+- Display resources that are confirmed to be affected by an outage.

+- Display resources that are not confirmed to be affected by an outage but could be affected because they fall under a service or region that's confirmed to be affected.

+- Provide the status of both confirmed and potential affected resources to show their availability.

+This article details what Service Health communicates and where you can view information about your affected resources.

+>This feature will be rolled out in phases. Initially, only selected subscription-level customers will get the experience. The rollout will gradually expand to 100 percent of subscription customers. It will go live for tenant-level customers in the future.

+## View affected resources

+In the Azure portal, the **Impacted Resources** tab under **Service Health** > **Service Issues** displays resources that are or might be affected by an outage. The following example of the **Impacted Resources** tab shows an incident with confirmed and potentially affected resources.

+Service Health provides the following information:

+|**Resource Name**|Name of the resource. This name is a clickable link that goes to the Resource Health page for the resource. If no Resource Health signal is available for the resource, this name is text only.|

+|**Resource Health**|Health status of the resource: <br><br>**Available**: Your resource is healthy, but a service event might have affected it at a previous point in time. <br><br>**Degraded** or **Unavailable**: A customer-initiated action or a platform-initiated action might have caused this status. It means your resource was affected but might now be healthy, pending a status update. <br><br>:::image type="content" source="./media/impacted-resource-outage/rh-cropped.PNG" alt-text="Screenshot of health statuses for a resource.":::|

+|**Impact Type**|Indication of whether the resource is or might be affected: <br><br>**Confirmed**: The resource is confirmed to be affected by an outage. Check the **Summary** section for any action items that you can take to remediate the problem. <br><br>**Potential**: The resource is not confirmed to be affected, but it could potentially be affected because it's under a service or region that an outage is affecting. Check the **Resource Health** column to make sure that everything is working as planned.|

+|**Resource Type**|Type of affected resource (for example, virtual machine).|

+|**Resource Group**|Resource group that contains the affected resource.|

+|**Location**|Location that contains the affected resource.|

+|**Subscription ID**|Unique ID for the subscription that contains the affected resource.|

+|**Subscription Name**|Subscription name for the subscription that contains the affected resource.|

+|**Tenant ID**|Unique ID for the tenant that contains the affected resource.|

+>Not all resources show a Resource Health status. The status appears only on resources for which a Resource Health signal is available. The status of resources for which a Resource Health signal is not available appears as **N/A**, and the corresponding **Resource Name** value is text instead of a clickable link.

+## Filter results

+You can adjust the results by using these filters:

+- **Impact type**: Select **Confirmed** or **Potential**.

+- **Subscription ID**: Show all subscription IDs that the user can access.

+- **Status**: Focus on Resource Health status by selecting **Available**, **Unavailable**, **Degraded**, **Unknown**, or **N/A**.

+To export the list of affected resources to an Excel file, select the **Export to CSV** option.

+## Access affected resources programmatically via an API

+You can get information about outage-affected resources programmatically by using the Events API. For details on how to access this data, see the [API documentation](/rest/api/resourcehealth/2022-05-01/impacted-resources/list-by-subscription-id-and-event-id?tabs=HTTP).

+## Next steps

+- [Introduction to the Azure Service Health dashboard](service-health-overview.md)

+- [Introduction to Azure Resource Health](resource-health-overview.md)

+- [Frequently asked questions about Azure Resource Health](resource-health-faq.yml)

+If no binaries are available for your distribution, you can [Option 2: Build the binaries from source code](#option-2-build-the-binaries-from-source-code).

+ --name myFile.txt \

+ --file myFile.txt \

+ --name myFile.txt \

+ --file <~/destination/path/for/file> \

+azcopy copy 'C:\myDirectory\myFile.txt' 'https://mystorageaccount.blob.core.windows.net/mycontainer/myFile.txt'

+# Migrate an application to use passwordless connections with Azure Storage

+Alternatively, you can also enable managed identity on an Azure hosting environment using the Azure CLI.

+| **Azure Resource Manager** | `https://management.azure.com` | `https://management.usgovcloudapi.net` | Any user call (like PowerShell) goes to/through this URL, including the initial server registration call. |

+| **Azure Active Directory** | `https://login.windows.net`<br>`https://login.microsoftonline.com` | `https://login.microsoftonline.us` | Azure Resource Manager calls must be made by an authenticated user. To succeed, this URL is used for user authentication. |

+| **Azure Active Directory** | `https://graph.microsoft.com/` | `https://graph.microsoft.com/` | As part of deploying Azure File Sync, a service principal in the subscription's Azure Active Directory will be created. This URL is used for that. This principal is used for delegating a minimal set of rights to the Azure File Sync service. The user performing the initial setup of Azure File Sync must be an authenticated user with subscription owner privileges. |

+| **Azure Active Directory** | `https://secure.aadcdn.microsoftonline-p.com` | Use the public endpoint URL. | This URL is accessed by the Active Directory authentication library that the Azure File Sync server registration UI uses to log in the administrator. |

+| **Microsoft PKI** | `https://www.microsoft.com/pki/mscorp/cps`<br>`http://crl.microsoft.com/pki/mscorp/crl/`<br>`http://mscrl.microsoft.com/pki/mscorp/crl/`<br>`http://ocsp.msocsp.com`<br>`http://ocsp.digicert.com/`<br>`http://crl3.digicert.com/` | `https://www.microsoft.com/pki/mscorp/cps`<br>`http://crl.microsoft.com/pki/mscorp/crl/`<br>`http://mscrl.microsoft.com/pki/mscorp/crl/`<br>`http://ocsp.msocsp.com`<br>`http://ocsp.digicert.com/`<br>`http://crl3.digicert.com/` | Once the Azure File Sync agent is installed, the PKI URL is used to download intermediate certificates required to communicate with the Azure File Sync service and Azure file share. The OCSP URL is used to check the status of a certificate. |

+## Platform features

+| | Dedicated | Serverless |

+| | | |

+| Scaling | [Yes](../sql-data-warehouse/sql-data-warehouse-manage-compute-overview.md) | Serverless SQL pool automatically scales depending on the workload. |

+| Pause/resume | [Yes](../sql-data-warehouse/sql-data-warehouse-manage-compute-overview.md) | Serverless SQL pool automatically deactivated when it is not used and activated when needed. User action is not required. |

+| Database backups | [Yes](../sql-data-warehouse/backup-and-restore.md) | No. Data is stored in external systems (ADLS, Cosmos DB), so make sure that you are doing backups of data at source. Make sure that you use store SQL metadata (table, view, procedure definitions, and user permissions) in the source control. Table definitions in the Lake database are stored in Spark metadata, so make sure that you are also keeping Spark table definitions in the source control. |

+| Database restore | [Yes](../sql-data-warehouse/backup-and-restore.md) | No. Data is stored in external systems (ADLS, Cosmos DB), so you need to recover source systems to bring your data. Make sure that your SQL metadata (table, view, procedure definitions, and user permissions) is in the source control so you can re-create the SQL objects. Table definitions in the Lake database are stored in Spark metadata, so make sure that you are also keeping Spark table definitions in the source control. |

+### Preview user interface (preview)

+A new user interface is available in preview for you to try. To enable the new user interface:

+1. Sign in to the Remote Desktop Web client.

+1. Toggle **Try the new client (Preview)** to **On**. To revert to the original user interface, toggle this to **Off**.

+### Grid view and list view (preview)

+You can change the view of remote resources assigned to you between grid view (default) and list view. To change between grid view and list view:

+1. Sign in to the Remote Desktop Web client and make sure you have toggled **Try the new client (Preview)** to **On**.

+1. In the top-right hand corner, select **Grid View** icon or the **List View** icon. The change will take effect immediately.

+### Light mode and dark mode (preview)

+You can change between light mode (default) and dark mode. To change between light mode and dark mode:

+1. Sign in to the Remote Desktop Web client and make sure you have toggled **Try the new client (Preview)** to **On**, then select **Settings** on the taskbar.

+1. Toggle **Dark Mode** to **On** to use dark mode, or **Off** to use light mode. The change will take effect immediately.

+## Reset user settings (preview)

+If you want to reset your user settings back to the default, you can do this in the web client for the current browser. To reset user settings:

+1. Sign in to the Remote Desktop Web client and make sure you have toggled **Try the new client (Preview)** to **On**, then select **Settings** on the taskbar.

+1. Select **Reset user settings**. You'll need to confirm that you want reset the web client settings to default.

+## Preview features

+If you want to help us test new features, you should enable the preview. A new user interface is available in preview; to learn how to try the new user interface, see [Preview user interface](client-features-web.md#preview-user-interface-preview), and for more information about what's new, see [What's new in the Remote Desktop Web client for Azure Virtual Desktop](../whats-new-client-web.md?toc=%2Fazure%2Fvirtual-desktop%2Fusers%2Ftoc.json).

+ Title: What's new in the Remote Desktop Web client for Azure Virtual Desktop

+description: Learn about recent changes to the Remote Desktop Web client for Azure Virtual Desktop

+# What's new in the Remote Desktop Web client for Azure Virtual Desktop

+We regularly update the Remote Desktop Web client for Azure Virtual Desktop, adding new features and fixing issues. Here's where you'll find the latest updates.

+You can find more detailed information about the Windows Desktop client at [Connect to Azure Virtual Desktop with the Remote Desktop Web client](users/connect-web.md) and [Use features of the Remote Desktop Web client when connecting to Azure Virtual Desktop](users/client-features-web.md).

+> [!NOTE]

+> What's new information used to be combined for the Remote Desktop Web client for Azure Virtual Desktop and Remote Desktop Services. You can find information for versions earlier than 2.0.0.3 at [What's new in the web client](/windows-server/remote/remote-desktop-services/clients/web-client-whatsnew).

+## Updates for version 2.0.0.3 (preview)

+*Date published: January 26th 2023*

+A new user interface is available in preview, which has the following new functionality:

+- An updated design.

+- [Switch between grid view and list view](users/client-features-web.md#grid-view-and-list-view-preview).

+- [Switch between light mode and dark mode](users/client-features-web.md#light-mode-and-dark-mode-preview).

+- [Reset user settings](users/client-features-web.md#reset-user-settings-preview).

+For more information and how to try the new user interface, see [Preview user interface](users/client-features-web.md#preview-user-interface-preview).

+## Next steps

+- [Connect to Azure Virtual Desktop with the Remote Desktop Web client](users/connect-web.md)

+- [Use features of the Remote Desktop Web client when connecting to Azure Virtual Desktop](users/client-features-web.md)

+- Various bug fixes for multimedia redirection (MMR) video playback redirection.

+ Title: What's new for Azure Compute Gallery

+description: Learn about what's new for Azure Compute Gallery in Azure.

+# What's new for Azure Compute Gallery

+This article is a list of updates to Compute Gallery features in Azure.

+## January 2023 updates:

+- [Launched public preview of Direct shared gallery on 07/25](/azure/virtual-machines/share-gallery-direct?tabs=portaldirect)

+- [Best Practices document now available](/azure/virtual-machines/azure-compute-gallery#best-practices)

+- [Replica count for 'Image Versions' increased from 50 to 100](/azure/virtual-machines/azure-compute-gallery#limits)

+### Supported features:

+- ['ARM64' image support](/cli/azure/sig/image-definition?view=azure-cli-latest#az-sig-image-definition-create&preserve-view=true)

+- ['TrustedLaunch' support](/cli/azure/sig/image-definition?view=azure-cli-latest#az-sig-image-definition-create&preserve-view=true)

+- ['ConfidentialVM' support](/cli/azure/sig/image-definition?view=azure-cli-latest#az-sig-image-definition-create&preserve-view=true)

+- ['IsAcceleratedNetworkSupported' support](/cli/azure/sig/image-definition?view=azure-cli-latest#az-sig-image-definition-create&preserve-view=true)

+- [Replication Mode: Full and Shallow](/cli/azure/sig/image-version?view=azure-cli-latest#commands&preserve-view=true)

+ - Shallow replication support image size up to 32 TB

+ - Shallow replication is only for test images

+## Next steps

+For updates and announcements about Azure, see the [Microsoft Azure Blog](https://azure.microsoft.com/blog/).

+You have two options for getting the status of snapshots. You can either get a [list of all incremental snapshots associated with a specific disk](#clilist-incremental-snapshots), and their respective status, or you can get the [status of an individual snapshot](#cliindividual-snapshot).

+#### CLI - List incremental snapshots

+The following script returns a list of all snapshots associated with a particular disk. The value of the `CompletionPercent` property of any snapshot must be 100 before it can be used. Replace `yourResourceGroupNameHere`, `yourSubscriptionId`, and `yourDiskNameHere` with your values then run the script:

+#### CLI - Individual snapshot

+You can also check the status of an individual snapshot by checking the `CompletionPercent` property. Replace `$sourceSnapshotName` with the name of your snapshot then run the following command. The value of the property must be 100 before you can use the snapshot for restoring disk or generate a SAS URI for downloading the underlying data.

+You have two options for getting the status of snapshots. You can either get a [list of all incremental snapshots associated with a particular disk](#powershelllist-incremental-snapshots) and their respective status, or you can get the [status of an individual snapshot](#powershellindividual-snapshots).

+#### PowerShell - List incremental snapshots

+The following script returns a list of all incremental snapshots associated with a particular disk that haven't completed their background copy. Replace `yourResourceGroupNameHere` and `yourDiskNameHere`, then run the script.

+#### PowerShell - individual snapshots

+You can check the `CompletionPercent` property of an individual snapshot to get its status. Replace `yourResourceGroupNameHere` and `yourSnapshotName` then run the script. The value of the property must be 100 before you can use the snapshot for restoring disk or generate a SAS URI for downloading the underlying data.

+az disk update --name mySharedDisk --max-shares 5 --resource-group myResourceGroup

+The modern threat landscape for cloud environments is dynamic, increasing the pressure on business IT cloud subscribers to maintain effective protection in order to meet compliance and security requirements. Microsoft Antimalware for Azure is free, real-time protection capability. Microsoft Antimalware helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. The solution is built on the same antimalware platform as Microsoft Security Essentials (MSE), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8.0 and higher.

+The Microsoft Antimalware for Azure solution includes the Microsoft Antimalware Client, and Service, Antimalware classic deployment model, Antimalware PowerShell cmdlets, and Azure Diagnostics Extension. The Microsoft Antimalware solution is supported on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families.

+It isn't supported on the Windows Server 2008 operating system, and also isn't supported in Linux.

+Windows Defender is the built-in Antimalware enabled in Windows Server 2016. The Windows Defender Interface is also enabled by default on some Windows Server 2016 SKUs. The Azure VM Antimalware extension can still be added to a Windows Server 2016 and above Azure VM with Windows Defender. In this scenario the extension applies any optional [configuration policies](../../security/fundamentals/antimalware.md#default-and-custom-antimalware-configuration) to be used by Windows Defender. The extension does not deploy any other antimalware service. See the [Samples](../../security/fundamentals/antimalware.md#samples) section of the Microsoft Antimalware article for more details.

+The Microsoft Antimalware for Windows requires that the target virtual machine is connected to the internet to receive regular engine and signature updates.

+The JSON configuration for a virtual machine extension can be nested inside the virtual machine resource, or placed at the root or top level of a Resource Manager JSON template.

+For more information, see [Set name and type for child resources](../../azure-resource-manager/templates/child-resource-name-type.md).

+ - false = Error out, as false isn't a supported value

+| -2147023293 | A fatal error occurred during installation. In most cases, it will. Epp.msi, can't register\start\stop AM service or mini filter driver | MSI logs from EPP.msi are required here for future investigation |

+| -2147023277 | Installation package couldn't be opened | Verify that the package exists, and is accessible, or contact the application vendor to verify that this is a valid Windows Installer package |

+| -2147205073 | The websso issuer isn't supported | |

+| -2147024893 | The system can't find the path specified | |

+| -2146885619 | Not a cryptographic message or the cryptographic message isn't formatted correctly | |

+| -1073741819 | The instruction at 0x%p referenced memory at 0x%p. The memory couldn't be %s | |

+If you need more help at any point in this article, you can contact the Azure experts on the [Azure and Stack Overflow forums](https://azure.microsoft.com/support/forums/). Alternatively, you can file an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select Get support. For information about using Azure Support, read the [Microsoft Azure support FAQ](https://azure.microsoft.com/support/faq/).

+Scheduled events are delivered to and can be acknowledged by:

+> For example, if you have 100 VMs in a availability set and there's an update to one of them, the scheduled event will go to all 100, whereas if there are 100 single VMs in a zone, then event will only go to the VM which is getting impacted.

+If the VM isn't created within a Virtual Network, the default cases for cloud services and classic VMs, extra logic is required to discover the IP address to use.

+| 2019-01-01 | General Availability | All | <li> Added support for Virtual Machine Scale Sets EventType 'Terminate' |

+Scheduled Events is disabled for your service if it doesn't make a request for 24 hours.

+If you restart a VM, an event with the type `Reboot` is scheduled. If you redeploy a VM, an event with the type `Redeploy` is scheduled. Typically events with a user event source can be immediately approved to avoid a delay on user-initiated actions. We advise having a primary and secondary VM communicating and approving user generated scheduled events in case the primary VM becomes unresponsive. This arrangement will prevent delays in recovering your application back to a good state.

+| EventType | Impact this event causes. <br><br> Values: <br><ul><li> `Freeze`: The Virtual Machine is scheduled to pause for a few seconds. CPU and network connectivity may be suspended, but there's no impact on memory or open files.<li>`Reboot`: The Virtual Machine is scheduled for reboot (non-persistent memory is lost). This event is made available on a best effort basis <li>`Redeploy`: The Virtual Machine is scheduled to move to another node (ephemeral disks are lost). <li>`Preempt`: The Spot Virtual Machine is being deleted (ephemeral disks are lost). <li> `Terminate`: The virtual machine is scheduled to be deleted. |

+| DurationInSeconds | The expected duration of the interruption caused by the event. <br><br> Example: <br><ul><li> `9`: The interruption caused by the event will last for 9 seconds. <li> `0`: The event won't interrupt the VM or impact its availability (for example, update to the network) <li>`-1`: The default value used if the impact duration is either unknown or not applicable. |

+> In some cases, Azure is able to predict host failure due to degraded hardware and will attempt to mitigate disruption to your service by scheduling a migration. Affected virtual machines will receive a scheduled event with a `NotBefore` that is typically a few days in the future. The actual time varies depending on the predicted failure risk assessment. Azure tries to give 7 days' advance notice when possible, but the actual time varies and might be smaller if the prediction is that there's a high chance of the hardware failing imminently. To minimize risk to your service in case the hardware fails before the system-initiated migration, we recommend that you self-redeploy your virtual machine as soon as possible.

+The service will always return a 200 success code for a valid event ID, even if it was already approved by a different VM. A 400 error code indicates that the request header or payload was malformed.

+The following response is an example of a series of events that were seen by two VMs that were live migrated to another node.

+The `DocumentIncarnation` is changing every time there's new information in `Events`. An approval of the event would allow the freeze to proceed for both WestNO_0 and WestNO_1. The `DurationInSeconds` of -1 indicates that the platform doesn't know how long the operation will take.

+ # Events that may be impactful (for example, Reboot or redeploy) may need custom

+When you enable replication for a VM, the Site Recovery Mobility service extension installs on the VM, and registers it with [Azure Site Recovery](../../site-recovery/site-recovery-overview.md). During replication, VM disk writes are sent to a cache storage account in the source VM region. Data is sent from there to the target region, and recovery points are generated from the data. When you fail a VM over to another region during disaster recovery, a recovery point is used to create a VM in the target region.

+ Events Hub tag | Allows access to Site Recovery monitoring.

+ Azure Site Recovery tag | Allows access to the Site Recovery service in any region.

+7. In **Availability options**, specify whether the VM will deploy as standalone, in an availability zone, or in an availability set.

+ - The indicated Azure Automation account manages the update process.

+After completing a disaster recovery drill, we suggest you continue to try out a full failover. If you don't want to do a full failover, you can disable replication. Disabling replication will:

+- Remove the VM from the Site Recovery list of replicated machines.

+- Stop Site Recovery billing for the VM.

+- Automatically clean up source replication settings.

+Azure Backup offers Azure Disk Backup (preview) as a native, cloud-based backup solution that protects your data in managed disks. It's a simple, secure, and cost-effective solution that enables you to configure protection for managed disks in a few steps. Azure Disk Backup offers a turnkey solution that provides snapshot lifecycle management for managed disks by automating periodic creation of snapshots and retaining it for configured duration using backup policy. For details on Azure Disk Backup, see [Overview of Azure Disk Backup](../backup/disk-backup-overview.md).

+> To publish images to a direct shared gallery during the preview, you need to register at [https://aka.ms/directsharedgallery-preview](https://aka.ms/directsharedgallery-preview). Please submit the form and share your use case, We will evaluate the request and follow up in 10 business days after submitting the form. No additional access required to consume images, Creating VMs from a direct shared gallery is open to all Azure users in the target subscription or tenant the gallery is shared with. In most scenarios RBAC/Cross-tenant sharing using service principal is sufficient, request access to this feature only if you wish to share images widely with all users in the subscription/tenant.

+1. From the **Certificate Information** dropdown, select the name of the child certificate (the client certificate). For example, **P2SChildCert**. You can also (optionally) select a [Secondary Profile](#secondary-profile).

+#### Secondary Profile

+A VPN gateway is a type of virtual network gateway. A virtual network gateway is composed of two or more Azure-managed VMs that are automatically configured and deployed to a specific subnet you create called the *GatewaySubnet*. The gateway VMs contain routing tables and run specific gateway services.