-Alternatively, you can configure the expected the SAML request signature algorithm in AD FS.

-| `ResolveJsonPathsInJsonTokens` | No | Indicates whether the technical profile resolves JSON paths. Possible values: `true`, or `false` (default). Use this metadata to read data from a nested JSON element. In an [OutputClaim](technicalprofiles.md#output-claims), set the `PartnerClaimType` to the JSON path element you want to output. For example: `firstName.localized`, or `data.0.to.0.email`.|

-| ResolveJsonPathsInJsonTokens | No | Indicates whether the technical profile resolves JSON paths. Possible values: `true`, or `false` (default). Use this metadata to read data from a nested JSON element. In an [OutputClaim](technicalprofiles.md#output-claims), set the `PartnerClaimType` to the JSON path element you want to output. For example: `firstName.localized`, or `data.0.to.0.email`.|

-> Not all client app and resource provider combinations are supported. See table below. The first column of this table refers to web applications launched via web browser (i.e. PowerPoint launched in web browser) while the remaining four columns refer to native applications running on each platform described. Additionally, references to "Office" encompass Word, Excel, and PowerPoint.

-Token lifetimes for Office web apps are reduced to 1 hour when a Conditional Access policy is set.

-| **SharePoint Online** | Not Supported | Supported | Supported | Supported | Supported |

-| **Teams Service** | Supported | Supported | Supported | Supported | Supported |

-| **SharePoint Online** | Supported | Supported | Supported | Supported | Supported |

-| **Exchange Online** | Supported | Supported | Supported | Supported | Supported |

-When multiple users are collaborating on a document at the same time, their access to the document may not be immediately revoked by CAE based on user revocation or policy change events. In this case, the user loses access completely after:

-* Requiring a device is not jailbroken or rooted

-This policy compliance information is forwarded to Azure AD where Conditional Access can make decisions to grant or block access to resources. More information about device compliance policies can be found in the article, [Set rules on devices to allow access to resources in your organization using Intune](/intune/protect/device-compliance-get-started)

-On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.

-description:

-Learn how to [secure access of workload identities](../conditional-access/workload-identity.md) with adaptive policies.

-Azure AD join allows you to join devices directly to Azure AD without the need to join to on-premises Active Directory while keeping your users productive and secure. Azure AD join is enterprise-ready for both at-scale and scoped deployments.

-

-This article assumes that you are familiar with the [Introduction to device management in Azure Active Directory](./overview.md).

-While Hybrid Azure AD join may be preferred for certain scenarios, Azure AD join enables you to transition towards a cloud-first model with Windows. If you are planning to modernize your devices management and reduce device-related IT costs, Azure AD join provides a great foundation towards achieving those objectives.

-You should consider Azure AD join if your goals align with the following criteria:

-Azure AD join works with both, managed and federated environments.

-These scenarios don't require you to configure a federation server for authentication.

-If your identity provider does not support these protocols, Azure AD join does not work natively.

->[!NOTE]

-On-premises UPNs that are different from Azure AD UPNs are not supported on Azure AD joined devices. If your users use an on-premises UPN, you should plan to switch to using their primary UPN in Azure AD.

-UPN changes are only supported starting Windows 10 2004 update. Users on devices with this update will not have any issues after changing their UPNs. For devices prior to Windows 10 2004 update, users would have SSO and Conditional Access issues on their devices. They need to sign in to Windows through the "Other user" tile using their new UPN to resolve this issue.

-If you are using Group Policies, evaluate your GPO and MDM policy parity by using [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) in Microsoft Endpoint Manager.

-Review supported and unsupported policies to determine whether you can use an MDM solution instead of Group policies. For unsupported policies, consider the following:

-If your MDM solution is not available through the Azure AD app gallery, you can add it following the process

-Through co-management, you can use SCCM to manage certain aspects of your devices while policies are delivered through your MDM platform. Microsoft Intune enables co-management with SCCM. For more information on co-management for Windows 10 devices, see [What is co-management?](/configmgr/core/clients/manage/co-management-overview). If you use an MDM product other than Intune, please check with your MDM provider on applicable co-management scenarios.

-We recommend migrating applications from on-premises to cloud for a better user experience and access control. However, Azure AD joined devices can seamlessly provide access to both, on-premises and cloud applications. For more information, see [How SSO to on-premises resources works on Azure AD joined devices](azuread-join-sso.md).

-If an application is added to Azure AD app gallery, users get SSO through Azure AD joined devices. No additional configuration is required. Users get SSO on both, Microsoft Edge and Chrome browsers. For Chrome, you need to deploy the [Windows 10 Accounts extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji).

-We recommend deploying [Universal Print](/universal-print/fundamentals/universal-print-whatis) to have a cloud based print management solution without any on-premises dependencies.

-Remote desktop connection to an Azure AD joined devices requires the host machine to be either Azure AD joined or Hybrid Azure AD joined. Remote desktop from an unjoined or non-Windows device is not supported. For more information, see [Connect to remote Azure AD joined pc](/windows/client-management/connect-to-remote-aadj-pc)

-Currently, Azure AD joined devices do not support RADIUS authentication for connecting to Wi-Fi access points, since RADIUS relies on presence of an on-premises computer object. As an alternative, you can use certificates pushed via Intune or user credentials to authenticate to Wi-Fi.

-**Note**: Azure AD joined devices cannot be deployed using System Preparation Tool (Sysprep) or similar imaging tools

-You can provision Azure AD join using the following approaches:

-Choose your deployment approach or approaches by reviewing the table above and reviewing the following considerations for adopting either approach:

- - Bulk enrollment works better for admin driven deployment to set up devices before handing over to users.

-Set this option to **All** or **Selected** based on the scope of your deployment and who you want to allow to setup an Azure AD joined device.

-Select **ΓÇ£Yes** if you require users to perform MFA while joining devices to Azure AD.

-Each URL has a predefined default value. If these fields are empty, please contact your MDM provider for more information.

-MAM does not apply to Azure AD join.

-> [!div class="nextstepaction"]

-> [Join a new Windows 10 device with Azure AD during a first run](azuread-joined-devices-frx.md)

-> [Join your work device to your organization's network](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973)

-<!--Image references-->

-[1]: ./media/azureadjoin-plan/12.png

-| **Device management** | Group Policy |

-| | Configuration Manager standalone or co-management with Microsoft Intune |

-| | Self-service Password Reset and Windows Hello PIN reset on lock screen |

-| | Enterprise State Roaming across devices |

-| | Co-management with Microsoft Intune and Microsoft Endpoint Configuration Manager |

-| | Self-service Password Reset and Windows Hello PIN reset on lock screen |

-| | Enterprise State Roaming across devices |

-While Azure AD join is primarily intended for organizations that do not have an on-premises Windows Server Active Directory infrastructure, you can certainly use it in scenarios where:

-You can configure Azure AD joined devices for all Windows 10 devices except for Windows 10 Home.

-description: Learn how Azure AD registered devices provide your users with support for the Bring Your Own Device (BYOD) or mobile device scenarios.

-The goal of Azure AD registered devices is to provide your users with support for the bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organizationΓÇÖs resources using a personal device.

-description: Learn how to do a controlled validation of hybrid Azure AD join before enabling it across the entire organization all at once

-# Controlled validation of hybrid Azure AD join

-When all of the pre-requisites are in place, Windows devices will automatically register as devices in your Azure AD tenant. The state of these device identities in Azure AD is referred as hybrid Azure AD join. More information about the concepts covered in this article can be found in the articles [Introduction to device management in Azure Active Directory](overview.md) and [Plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md).

-Organizations may want to do a controlled validation of hybrid Azure AD join before enabling it across their entire organization all at once. This article will explain how to accomplish a controlled validation of hybrid Azure AD join.

-## Controlled validation of hybrid Azure AD join on Windows current devices

-For devices running the Windows desktop operating system, the supported version is the Windows 10 Anniversary Update (version 1607) or later. As a best practice, upgrade to the latest version of Windows 10.

-To do a controlled validation of hybrid Azure AD join on Windows current devices, you need to:

-1. Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists

-1. Configure client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO)

-1. If you are using AD FS, you must also configure the client-side registry setting for SCP on your AD FS server using a GPO

-1. Browse to **CN=Configuration,DC=contoso,DC=com** > **CN=Services** > **CN=Device Registration Configuration**

-1. Right click on the leaf object **CN=62a0ff2e-97b9-4513-943f-0d221bd30080** and select **Properties**

- 1. Select **keywords** from the **Attribute Editor** window and click **Edit**

- 1. Select the values of **azureADId** and **azureADName** (one at a time) and click **Remove**

-1. Close **ADSI Edit**

-1. Edit the GPO and locate the following path: **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**

-1. Right-click on the Registry and select **New** > **Registry Item**

- 1. On the **General** tab, configure the following

- 1. Action: **Update**

- 1. Hive: **HKEY_LOCAL_MACHINE**

- 1. Key Path: **SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD**

- 1. Value name: **TenantId**

- 1. Value type: **REG_SZ**

- 1. Value data: The GUID or **Tenant ID** of your Azure AD instance (This value can be found in the **Azure portal** > **Azure Active Directory** > **Properties** > **Tenant ID**)

- 1. Click **OK**

-1. Right-click on the Registry and select **New** > **Registry Item**

- 1. On the **General** tab, configure the following

- 1. Action: **Update**

- 1. Hive: **HKEY_LOCAL_MACHINE**

- 1. Key Path: **SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD**

- 1. Value name: **TenantName**

- 1. Value type: **REG_SZ**

- 1. Value data: Your verified **domain name** if you are using federated environment such as AD FS. Your verified **domain name** or your onmicrosoft.com domain name for example, `contoso.onmicrosoft.com` if you are using managed environment

- 1. Click **OK**

-1. Close the editor for the newly created GPO

-1. Link the newly created GPO to the desired OU containing domain-joined computers that belong to your controlled rollout population

-If you are using AD FS, you first need to configure client-side SCP using the instructions mentioned above by linking the GPO to your AD FS servers. The SCP object defines the source of authority for device objects. It can be on-premises or Azure AD. When client-side SCP is configured for AD FS, the source for device objects is established as Azure AD.

-## Controlled validation of hybrid Azure AD join on Windows down-level devices

-After you verify that everything works as expected, you can automatically register the rest of your Windows current and down-level devices with Azure AD by [configuring SCP using Azure AD Connect](hybrid-azuread-join-managed-domains.md#configure-hybrid-azure-ad-join).

-[Plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md)

-description: Learn how to configure hybrid Azure Active Directory join for federated domains.

-#Customer intent: As an IT admin, I want to set up hybrid Azure Active Directory (Azure AD) joined devices for federated domains so I can automatically create and manage device identities in Azure AD for my Active Directory domain-joined computers

-# Tutorial: Configure hybrid Azure Active Directory join for federated domains

-Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You can accomplish this goal by bringing device identities and managing them in Azure Active Directory (Azure AD) by using one of the following methods:

-Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your cloud and on-premises resources with [Conditional Access](../conditional-access/howto-conditional-access-policy-compliant-device.md) at the same time.

-A federated environment should have an identity provider that supports the following requirements. If you have a federated environment using Active Directory Federation Services (AD FS), then the below requirements are already supported.

- When you're using AD FS, you need to enable the following WS-Trust endpoints:

- `/adfs/services/trust/2005/windowstransport`

- `/adfs/services/trust/13/windowstransport`

- `/adfs/services/trust/2005/usernamemixed`

- `/adfs/services/trust/13/usernamemixed`

- `/adfs/services/trust/2005/certificatemixed`

- `/adfs/services/trust/13/certificatemixed`

-> [!WARNING]

-> Both **adfs/services/trust/2005/windowstransport** and **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**.

-In this tutorial, you learn how to configure hybrid Azure AD join for Active Directory domain-joined computers devices in a federated environment by using AD FS.

-You learn how to:

-> [!div class="checklist"]

-> * Configure hybrid Azure AD join

-> * Enable Windows downlevel devices

-> * Verify the registration

-> * Troubleshoot

-## Prerequisites

-This tutorial assumes that you're familiar with these articles:

-To configure the scenario in this tutorial, you need:

-Beginning with version 1.1.819.0, Azure AD Connect includes a wizard that you can use to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The related wizard:

-The configuration steps in this article are based on using the Azure AD Connect wizard. If you have an earlier version of Azure AD Connect installed, you must upgrade it to 1.1.819 or later to use the wizard. If installing the latest version of Azure AD Connect isn't an option for you, see [how to manually configure hybrid Azure AD join](hybrid-azuread-join-manual.md).

-Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization's network:

-> [!WARNING]

-> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.

-Beginning with Windows 10 1803, if the instantaneous hybrid Azure AD join for a federated environment by using AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that's subsequently used to complete the device registration for hybrid Azure AD join. Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), you must also configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Configure filtering by using Azure AD Connect](../hybrid/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering).

-> [!NOTE]

-> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to AAD, see [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10).

-If your organization requires access to the internet via an outbound proxy, Microsoft recommends [implementing Web Proxy Auto-Discovery (WPAD)](/previous-versions/tn-archive/cc995261(v%3dtechnet.10)) to enable Windows 10 computers for device registration with Azure AD. If you encounter issues configuring and managing WPAD, see [Troubleshoot automatic detection](/previous-versions/tn-archive/cc302643(v=technet.10)).

-If you don't use WPAD and want to configure proxy settings on your computer, you can do so beginning with Windows 10 1709. For more information, see [Configure WinHTTP settings by using a group policy object (GPO)](/archive/blogs/netgeeks/winhttp-proxy-settings-deployed-by-gpo).

-> [!NOTE]

-> If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the configured proxy will fail to connect to the internet.

-If your organization requires access to the internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, you must configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.

-To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/) script.

-## Configure hybrid Azure AD join

-To configure a hybrid Azure AD join by using Azure AD Connect, you need:

-**To configure a hybrid Azure AD join by using Azure AD Connect**:

-1. Start Azure AD Connect, and then select **Configure**.

- 

-1. On the **Additional tasks** page, select **Configure device options**, and then select **Next**.

- 

-1. On the **Overview** page, select **Next**.

- 

-1. On the **Connect to Azure AD** page, enter the credentials of a global administrator for your Azure AD tenant, and then select **Next**.

- 

-1. On the **Device options** page, select **Configure Hybrid Azure AD join**, and then select **Next**.

- 

-1. On the **SCP** page, complete the following steps, and then select **Next**:

- 

- 1. Select the forest.

- 1. Select the authentication service. You must select **AD FS server** unless your organization has exclusively Windows 10 clients and you have configured computer/device sync, or your organization uses seamless SSO.

- 1. Select **Add** to enter the enterprise administrator credentials.

-1. On the **Device operating systems** page, select the operating systems that the devices in your Active Directory environment use, and then select **Next**.

- 

-1. On the **Federation configuration** page, enter the credentials of your AD FS administrator, and then select **Next**.

- 

-1. On the **Ready to configure** page, select **Configure**.

- 

-1. On the **Configuration complete** page, select **Exit**.

- 

-## Enable Windows downlevel devices

-If some of your domain-joined devices are Windows downlevel devices, you must:

-> [!NOTE]

-> Windows 7 support ended on January 14, 2020. For more information, [Support for Windows 7 has ended](https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020).

-### Configure the local intranet settings for device registration

-To successfully complete hybrid Azure AD join of your Windows downlevel devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the local intranet zone in Internet Explorer:

-You also must enable **Allow updates to status bar via script** in the userΓÇÖs local intranet zone.

-### Install Microsoft Workplace Join for Windows downlevel computers

-To register Windows downlevel devices, organizations must install [Microsoft Workplace Join for non-Windows 10 computers](https://www.microsoft.com/download/details.aspx?id=53554). Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download Center.

-You can deploy the package by using a software distribution system likeΓÇ»[Microsoft Endpoint Configuration Manager](/configmgr/). The package supports the standard silent installation options with the `quiet` parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

-The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. The task silently joins the device with Azure AD by using the user credentials after it authenticates with Azure AD.

-## Verify the registration

-Here are 3 ways to locate and verify the device state:

-### Locally on the device

-1. Open Windows PowerShell.

-2. Enter `dsregcmd /status`.

-3. Verify that both **AzureAdJoined** and **DomainJoined** are set to **YES**.

-4. You can use the **DeviceId** and compare the status on the service using either the Azure portal or PowerShell.

-For downlevel devices see the article [Troubleshooting hybrid Azure Active Directory joined down-level devices](troubleshoot-hybrid-join-windows-legacy.md#step-1-retrieve-the-registration-status)

-### Using the Azure portal

-1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices).

-2. Information on how to locate a device can be found in [How to manage device identities using the Azure portal](./device-management-azure-portal.md).

-3. If the **Registered** column says **Pending**, then Hybrid Azure AD Join has not completed. In federated environments, this can happen only if it failed to register and AAD connect is configured to sync the devices.

-4. If the **Registered** column contains a **date/time**, then Hybrid Azure AD Join has completed.

-### Using PowerShell

-Verify the device registration state in your Azure tenant by using **[Get-MsolDevice](/powershell/module/msonline/get-msoldevice)**. This cmdlet is in the [Azure Active Directory PowerShell module](/powershell/azure/active-directory/install-msonlinev1).

-When you use the **Get-MSolDevice** cmdlet to check the service details:

-1. Open Windows PowerShell as an administrator.

-2. Enter `Connect-MsolService` to connect to your Azure tenant.

-#### Count all Hybrid Azure AD joined devices (excluding **Pending** state)

-```azurepowershell

-(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

-```

-#### Count all Hybrid Azure AD joined devices with **Pending** state

-```azurepowershell

-(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

-```

-#### List all Hybrid Azure AD joined devices

-```azurepowershell

-Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

-```

-#### List all Hybrid Azure AD joined devices with **Pending** state

-```azurepowershell

-Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

-```

-#### List details of a single device:

-1. Enter `get-msoldevice -deviceId <deviceId>` (This is the **DeviceId** obtained locally on the device).

-2. Verify that **Enabled** is set to **True**.

-## Troubleshoot your implementation

-If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:

-## Next steps

-Learn how to [manage device identities by using the Azure portal](device-management-azure-portal.md).

-<!--Image references-->

-[1]: ./media/active-directory-conditional-access-automatic-device-registration-setup/12.png

-description: Learn how to configure hybrid Azure Active Directory join for managed domains.

-#Customer intent: As an IT admin, I want to set up hybrid Azure Active Directory (Azure AD) joined devices for managed domains so I can automatically create and manage device identities in Azure AD for my Active Directory domain-joined computers

-# Tutorial: Configure hybrid Azure Active Directory join for managed domains

-In this tutorial, you learn how to configure hybrid Azure Active Directory (Azure AD) join for Active Directory domain-joined devices. This method supports a managed environment that includes both on-premises Active Directory and Azure AD.

-Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You can accomplish this goal by managing device identities in Azure AD. Use one of the following methods:

-This article focuses on hybrid Azure AD join.

-Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your cloud and on-premises resources with [Conditional Access](../conditional-access/howto-conditional-access-policy-compliant-device.md) at the same time.

-You can deploy a managed environment by using [password hash sync (PHS)](../hybrid/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/how-to-connect-sso.md). These scenarios don't require you to configure a federation server for authentication.

-In this tutorial, you learn how to:

-> [!div class="checklist"]

-> * Configure hybrid Azure AD join

-> * Enable Windows down-level devices

-> * Verify joined devices

-> * Troubleshoot

-## Prerequisites

-Familiarize yourself with these articles:

-> [!NOTE]

-> Azure AD doesn't support smartcards or certificates in managed domains.

-Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Organizational unitΓÇôbased filtering](../hybrid/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering).

-> [!NOTE]

-> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to AAD, see [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10).

-Beginning with version 1.1.819.0, Azure AD Connect includes a wizard to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The wizard configures the service connection points (SCPs) for device registration.

-The configuration steps in this article are based on using the wizard in Azure AD Connect.

-Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization's network:

-> [!WARNING]

-> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.

-If your organization requires access to the internet via an outbound proxy, you can use [implementing Web Proxy Auto-Discovery (WPAD)](/previous-versions/tn-archive/cc995261(v=technet.10)) to enable Windows 10 computers for device registration with Azure AD. To address issues configuring and managing WPAD, see [Troubleshooting Automatic Detection](/previous-versions/tn-archive/cc302643(v=technet.10)). In Windows 10 devices prior to 1709 update, WPAD is the only available option to configure a proxy to work with Hybrid Azure AD join.

-If you don't use WPAD, you can configure WinHTTP proxy settings on your computer beginning with Windows 10 1709. For more information, see [WinHTTP Proxy Settings deployed by GPO](/archive/blogs/netgeeks/winhttp-proxy-settings-deployed-by-gpo).

-> [!NOTE]

-> If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the configured proxy will fail to connect to the internet.

-If your organization requires access to the internet via an authenticated outbound proxy, make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.

-Verify the device can access the above Microsoft resources under the system account by using the [Test Device Registration Connectivity](/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/) script.

-## Configure hybrid Azure AD join

-To configure a hybrid Azure AD join by using Azure AD Connect:

-1. Start Azure AD Connect, and then select **Configure**.

-1. In **Additional tasks**, select **Configure device options**, and then select **Next**.

- 

-1. In **Overview**, select **Next**.

-1. In **Connect to Azure AD**, enter the credentials of a global administrator for your Azure AD tenant.

-1. In **Device options**, select **Configure Hybrid Azure AD join**, and then select **Next**.

- 

-1. In **Device operating systems**, select the operating systems that devices in your Active Directory environment use, and then select **Next**.

- 

-1. In **SCP configuration**, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select **Next**.

- 1. Select the **Forest**.

- 1. Select an **Authentication Service**.

- 1. Select **Add** to enter the enterprise administrator credentials.

- 

-1. In **Ready to configure**, select **Configure**.

-1. In **Configuration complete**, select **Exit**.

-## Enable Windows down-level devices

-If some of your domain-joined devices are Windows down-level devices, you must:

-Windows down-level devices are devices with older operating systems. The following are Windows down-level devices:

-> [!NOTE]

-> Windows 7 support ended on January 14, 2020. For more information, see [Windows 7 support ended](https://support.microsoft.com/help/4057281/windows-7-support-ended-on-january-14-2020).

-### Configure the local intranet settings for device registration

-To complete hybrid Azure AD join of your Windows down-level devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the local intranet zone in Internet Explorer:

-You also must enable **Allow updates to status bar via script** in the user's local intranet zone.

-### Configure seamless SSO

-To complete hybrid Azure AD join of your Windows down-level devices in a managed domain that uses [password hash sync](../hybrid/whatis-phs.md) or [pass-through authentication](../hybrid/how-to-connect-pta.md) as your Azure AD cloud authentication method, you must also [configure seamless SSO](../hybrid/how-to-connect-sso-quick-start.md#step-2-enable-the-feature).

-### Install Microsoft Workplace Join for Windows down-level computers

-To register Windows down-level devices, organizations must install [Microsoft Workplace Join for non-Windows 10 computers](https://www.microsoft.com/download/details.aspx?id=53554). Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download Center.

-You can deploy the package by using a software distribution system likeΓÇ»[Microsoft Endpoint Configuration Manager](/configmgr/). The package supports the standard silent installation options with the `quiet` parameter. The current version of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

-The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. The task silently joins the device with Azure AD by using the user credentials after it authenticates with Azure AD.

-## Verify the registration

-Here are 3 ways to locate and verify the device state:

-### Locally on the device

-1. Open Windows PowerShell.

-2. Enter `dsregcmd /status`.

-3. Verify that both **AzureAdJoined** and **DomainJoined** are set to **YES**.

-4. You can use the **DeviceId** and compare the status on the service using either the Azure portal or PowerShell.

-### Using the Azure portal

-1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices).

-2. Information on how to locate a device can be found in [How to manage device identities using the Azure portal](./device-management-azure-portal.md).

-3. If the **Registered** column says **Pending**, then Hybrid Azure AD Join has not completed.

-4. If the **Registered** column contains a **date/time**, then Hybrid Azure AD Join has completed.

-### Using PowerShell

-Verify the device registration state in your Azure tenant by using **[Get-MsolDevice](/powershell/module/msonline/get-msoldevice)**. This cmdlet is in the [Azure Active Directory PowerShell module](/powershell/azure/active-directory/install-msonlinev1).

-When you use the **Get-MSolDevice** cmdlet to check the service details:

-1. Open Windows PowerShell as an administrator.

-2. Enter `Connect-MsolService` to connect to your Azure tenant.

-#### Count all Hybrid Azure AD joined devices (excluding **Pending** state)

-```azurepowershell

-(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

-```

-#### Count all Hybrid Azure AD joined devices with **Pending** state

-```azurepowershell

-(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

-```

-#### List all Hybrid Azure AD joined devices

-```azurepowershell

-Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

-```

-#### List all Hybrid Azure AD joined devices with **Pending** state

-```azurepowershell

-Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

-```

-#### List details of a single device:

-1. Enter `get-msoldevice -deviceId <deviceId>` (This is the **DeviceId** obtained locally on the device).

-2. Verify that **Enabled** is set to **True**.

-## Troubleshoot your implementation

-If you experience issues completing hybrid Azure AD join for domain-joined Windows devices, see:

-## Next steps

-Advance to the next article to learn how to manage device identities by using the Azure portal.

-> [!div class="nextstepaction"]

-> [Manage device identities](device-management-azure-portal.md)

-description: Learn how to manually configure hybrid Azure Active Directory joined devices.

-#Customer intent: As an IT admin, I want to set up hybrid Azure AD joined devices so that I can automatically bring AD domain-joined devices under control.

-# Tutorial: Configure hybrid Azure Active Directory joined devices manually

-With device management in Azure Active Directory (Azure AD), you can ensure that users are accessing your resources from devices that meet your standards for security and compliance. For more information, see [Introduction to device management in Azure Active Directory](overview.md).

-> [!TIP]

-> If using Azure AD Connect is an option for you, see the related tutorials for [managed](hybrid-azuread-join-managed-domains.md) or [federated](hybrid-azuread-join-federated-domains.md) domains. By using Azure AD Connect, you can significantly simplify the configuration of hybrid Azure AD join.

-If you have an on-premises Active Directory environment and you want to join your domain-joined devices to Azure AD, you can accomplish this by configuring hybrid Azure AD joined devices. In this tutorial, you learn how to:

-> [!div class="checklist"]

-> * Manually configure hybrid Azure AD join

-> * Configure a service connection point

-> * Set up issuance of claims

-> * Enable Windows down-level devices

-> * Verify joined devices

-> * Troubleshoot your implementation

-This tutorial assumes that you're familiar with:

-* [Introduction to device management in Azure Active Directory](./overview.md)

-* [Plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md)

-* [Control the hybrid Azure AD join of your devices](hybrid-azuread-join-control.md)

-Before you start enabling hybrid Azure AD joined devices in your organization, make sure that:

-* You're running an up-to-date version of Azure AD Connect.

-* Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), these OUs need to be configured for synchronization in Azure AD Connect as well.

-Azure AD Connect:

-* Keeps the association between the computer account in your on-premises Active Directory instance and the device object in Azure AD.

-* Enables other device-related features, like Windows Hello for Business.

-Make sure that the following URLs are accessible from computers inside your organization's network for registration of computers to Azure AD:

-If your organization plans to use Seamless SSO, the following URL must be added to the user's local intranet zone.

-Also, the following setting should be enabled in the user's intranet zone: "Allow status bar updates via script."

-If your organization uses managed (non-federated) setup with on-premises Active Directory and does not use Active Directory Federation Services (AD FS) to federate with Azure AD, then hybrid Azure AD join on Windows 10 relies on the computer objects in Active Directory to be synced to Azure AD. Make sure that any OUs that contain the computer objects that need to be hybrid Azure AD joined are enabled for sync in the Azure AD Connect sync configuration.

-For Windows 10 devices on version 1703 or earlier, if your organization requires access to the internet via an outbound proxy, you must implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to register to Azure AD.

-Beginning with Windows 10 1803, even if a hybrid Azure AD join attempt by a device in a federated domain through AD FS fails, and if Azure AD Connect is configured to sync the computer/device objects to Azure AD, the device will try to complete the hybrid Azure AD join by using the synced computer/device.

-> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to Azure AD, see [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10).

-To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/) script.

-## Verify configuration steps

-You can configure hybrid Azure AD joined devices for various types of Windows device platforms. This topic includes the required steps for all typical configuration scenarios.

-Use the following table to get an overview of the steps that are required for your scenario:

-| Steps | Windows current and password hash sync | Windows current and federation | Windows down-level |

-| : | :: | :: | :: |

-| Configure service connection point | ![Check][1] | ![Check][1] | ![Check][1] |

-| Set up issuance of claims | | ![Check][1] | ![Check][1] |

-| Enable non-Windows 10 devices | | | ![Check][1] |

-| Verify joined devices | ![Check][1] | ![Check][1] | ![Check][1] |

-## Configure a service connection point

-Your devices use a service connection point (SCP) object during the registration to discover Azure AD tenant information. In your on-premises Active Directory instance, the SCP object for the hybrid Azure AD joined devices must exist in the configuration naming context partition of the computer's forest. There is only one configuration naming context per forest. In a multi-forest Active Directory configuration, the service connection point must exist in all forests that contain domain-joined computers.

-In your forest, the SCP object for the auto-registration of domain-joined devices is located at:

-If the service connection point does not exist, you can create it by running the `Initialize-ADSyncDomainJoinedComputerSync` cmdlet on your Azure AD Connect server. Enterprise admin credentials are required to run this cmdlet.

-The cmdlet:

-The following script shows an example for using the cmdlet. In this script, `$aadAdminCred = Get-Credential` requires you to type a user name. You need to provide the user name in the user principal name (UPN) format (`user@example.com`).

-* If the AD DS tools are not installed, `Initialize-ADSyncDomainJoinedComputerSync` will fail. You can install the AD DS tools through Server Manager under **Features** > **Remote Server Administration Tools** > **Role Administration Tools**.

-For domain controllers running Windows Server 2008 or earlier versions, use the following script to create the service connection point. In a multi-forest configuration, use the following script to create the service connection point in each forest where computers exist.

- ```PowerShell

- $verifiedDomain = "contoso.com" # Replace this with any of your verified domain names in Azure AD

- $tenantID = "72f988bf-86f1-41af-91ab-2d7cd011db47" # Replace this with you tenant ID

- $configNC = "CN=Configuration,DC=corp,DC=contoso,DC=com" # Replace this with your Active Directory configuration naming context

- $de = New-Object System.DirectoryServices.DirectoryEntry

- $de.Path = "LDAP://CN=Services," + $configNC

- $deDRC = $de.Children.Add("CN=Device Registration Configuration", "container")

- $deDRC.CommitChanges()

- $deSCP = $deDRC.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint")

- $deSCP.Properties["keywords"].Add("azureADName:" + $verifiedDomain)

- $deSCP.Properties["keywords"].Add("azureADId:" + $tenantID)

- $deSCP.CommitChanges()

- ```

-In the preceding script, `$verifiedDomain = "contoso.com"` is a placeholder. Replace it with one of your verified domain names in Azure AD. You have to own the domain before you can use it.

-For more information about verified domain names, see [Add a custom domain name to Azure Active Directory](../fundamentals/add-custom-domain.md).

-To get a list of your verified company domains, you can use the [Get-AzureADDomain](/powershell/module/Azuread/Get-AzureADDomain) cmdlet.

-

-## Set up issuance of claims

->If you donΓÇÖt have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX).

-If you have more than one verified domain name, you need to provide the following claim for computers:

-### Issue account type claim

-### Issue objectGUID of the computer account on-premises

-### Issue objectSID of the computer account on-premises

-### Issue issuerID for the computer when multiple verified domain names are in Azure AD

-The `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or partner) issuing the token. In AD FS, you can add issuance transform rules that look like the following ones in that specific order, after the preceding ones. Note that one rule to explicitly issue the rule for users is necessary. In the following rules, a first rule that identifies user versus computer authentication is added.

-### Issue ImmutableID for the computer when one for users exists (for example, using mS-DS-ConsistencyGuid as the source for ImmutableID)

-### Helper script to create the AD FS issuance transform rules

-* This script appends the rules to the existing rules. Do not run the script twice, because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.

-If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**.

-## Enable Windows down-level devices

-If some of your domain-joined devices are Windows down-level devices, you need to:

-* Set a policy in Azure AD to enable users to register devices.

-* Configure your on-premises federation service to issue claims to support integrated Windows authentication (IWA) for device registration.

-* Add the Azure AD device authentication endpoint to the local intranet zones to avoid certificate prompts when authenticating the device.

-* Control Windows down-level devices.

-### Set a policy in Azure AD to enable users to register devices

-To register Windows down-level devices, make sure that the setting to allow users to register devices in Azure AD is enabled. In the Azure portal, you can find this setting under **Azure Active Directory** > **Users and groups** > **Device settings**.

-The following policy must be set to **All**: **Users may register their devices with Azure AD**.

-

-### Configure the on-premises federation service

-### Add the Azure AD device authentication endpoint to the local intranet zones

-To avoid certificate prompts when users of registered devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URL to the local intranet zone in Internet Explorer:

-`https://device.login.microsoftonline.com`

-### Control Windows down-level devices

-To register Windows down-level devices, you need to download and install a Windows Installer package (.msi) from the Download Center. For more information, see the section [Controlled validation of hybrid Azure AD join on Windows down-level devices](hybrid-azuread-join-control.md#controlled-validation-of-hybrid-azure-ad-join-on-windows-down-level-devices).

-## Verify joined devices

-Here are 3 ways to locate and verify the device state:

-### Locally on the device

-1. Open Windows PowerShell.

-2. Enter `dsregcmd /status`.

-3. Verify that both **AzureAdJoined** and **DomainJoined** are set to **YES**.

-4. You can use the **DeviceId** and compare the status on the service using either the Azure portal or PowerShell.

-### Using the Azure portal

-1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices).

-2. Information on how to locate a device can be found in [Manage device identities using the Azure portal](./device-management-azure-portal.md).

-3. If the **Registered** column says **Pending**, then Hybrid Azure AD Join has not completed. In federated environments, this can happen only if it failed to register and AAD connect is configured to sync the devices.

-4. If the **Registered** column contains a **date/time**, then Hybrid Azure AD Join has completed.

-### Using PowerShell

-Verify the device registration state in your Azure tenant by using **[Get-MsolDevice](/powershell/module/msonline/get-msoldevice)**. This cmdlet is in the [Azure Active Directory PowerShell module](/powershell/azure/active-directory/install-msonlinev1).

-When you use the **Get-MSolDevice** cmdlet to check the service details:

-1. Open Windows PowerShell as an administrator.

-2. Enter `Connect-MsolService` to connect to your Azure tenant.

-#### Count all Hybrid Azure AD joined devices (excluding **Pending** state)

-```azurepowershell

-(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

-```

-#### Count all Hybrid Azure AD joined devices with **Pending** state

-```azurepowershell

-(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

-```

-#### List all Hybrid Azure AD joined devices

-```azurepowershell

-Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

-```

-#### List all Hybrid Azure AD joined devices with **Pending** state

-```azurepowershell

-Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

-```

-#### List details of a single device:

-1. Enter `get-msoldevice -deviceId <deviceId>` (This is the **DeviceId** obtained locally on the device).

-2. Verify that **Enabled** is set to **True**.

-* [Introduction to device management in Azure Active Directory](overview.md)

-<!--Image references-->

-[1]: ./media/hybrid-azuread-join-manual/12.png

-description: Learn how to configure hybrid Azure Active Directory joined devices.

-# How To: Plan your hybrid Azure Active Directory join implementation

-In a similar way to a user, a device is another core identity you want to protect and use it to protect your resources at any time and from any location. You can accomplish this goal by bringing and managing device identities in Azure AD using one of the following methods:

-By bringing your devices to Azure AD, you maximize your users' productivity through single sign-on (SSO) across your cloud and on-premises resources. At the same time, you can secure access to your cloud and on-premises resources with [Conditional Access](../conditional-access/overview.md).

-If you have an on-premises Active Directory (AD) environment and you want to join your AD domain-joined computers to Azure AD, you can accomplish this by doing hybrid Azure AD join. This article provides you with the related steps to implement a hybrid Azure AD join in your environment.

->

-This article assumes that you are familiar with the [Introduction to device identity management in Azure Active Directory](./overview.md).

-> - Review controlled validation of hybrid Azure AD join

-Hybrid Azure AD join supports a broad range of Windows devices. Because the configuration for devices running older versions of Windows requires additional or different steps, the supported devices are grouped into two categories:

-For devices running the Windows desktop operating system, supported version are listed in this article [Windows 10 release information](/windows/release-information/). As a best practice, Microsoft recommends you upgrade to the latest version of Windows 10.

-If your Windows 10 domain joined devices are [Azure AD registered](concept-azure-ad-register.md) to your tenant, it could lead to a dual state of Hybrid Azure AD joined and Azure AD registered device. We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or above to automatically address this scenario. In pre-1803 releases, you will need to remove the Azure AD registered state manually before enabling Hybrid Azure AD join. In 1803 and above releases, the following changes have been made to avoid this dual state:

-To register devices as hybrid Azure AD join to respective tenants, organizations need to ensure that the SCP configuration is done on the devices and not in AD. More details on how to accomplish this can be found in the article [controlled validation of hybrid Azure AD join](hybrid-azuread-join-control.md). It is also important for organizations to understand that certain Azure AD capabilities will not work in a single forest, multiple Azure AD tenants configurations.

-### Additional considerations

-## Review controlled validation of hybrid Azure AD join

-When all of the pre-requisites are in place, Windows devices will automatically register as devices in your Azure AD tenant. The state of these device identities in Azure AD is referred as hybrid Azure AD join. More information about the concepts covered in this article can be found in the article [Introduction to device identity management in Azure Active Directory](overview.md).

-Organizations may want to do a controlled validation of hybrid Azure AD join before enabling it across their entire organization all at once. Review the article [controlled validation of hybrid Azure AD join](hybrid-azuread-join-control.md) to understand how to accomplish it.

-> [Cloud authentication using Staged rollout](../hybrid/how-to-connect-staged-rollout.md) is only supported starting Windows 10 1903 update

-> [!NOTE]

-> Azure AD does not support smartcards or certificates in managed domains.

-Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. If installing the required version of Azure AD Connect is not an option for you, see [how to manually configure device registration](hybrid-azuread-join-manual.md).

-Based on the scenario that matches your identity infrastructure, see:

-## Review on-premises AD users UPN support for Hybrid Azure AD join

-Sometimes, your on-premises AD users UPNs could be different from your Azure AD UPNs. In such cases, Windows 10 Hybrid Azure AD join provides limited support for on-premises AD UPNs based on the [authentication method](../hybrid/choose-ad-authn.md), domain type and Windows 10 version. There are two types of on-premises AD UPNs that can exist in your environment:

-The table below provides details on support for these on-premises AD UPNs in Windows 10 Hybrid Azure AD join

-| Routable | Managed | From 1803 release | Generally available, Azure AD SSPR on Windows lock screen is not supported. The on-premises UPN must be synced to the `onPremisesUserPrincipalName` attribute in Azure AD |

-> [!div class="nextstepaction"]

-> [Configure hybrid Azure Active Directory join for federated environment](hybrid-azuread-join-federated-domains.md)

-> [Configure hybrid Azure Active Directory join for managed environment](hybrid-azuread-join-managed-domains.md)

-<!--Image references-->

-[1]: ./media/hybrid-azuread-join-plan/12.png

-The landscape of devices from which your users sign in is expanding. Organizations may provide desktops, laptops, phones, tablets, and other devices. Your users may bring their own array of devices, and access information from varied locations. In this environment, your job as an administrator is to keep your organizational resources secure across all devices.

-Azure Active Directory (Azure AD) enables your organization to meet these goals with device identity management. You can now get your devices in Azure AD and control them from a central location in the [Azure portal](https://portal.azure.com/). This gives you a unified experience, enhanced security, and reduces the time needed to configure a new device.

-There are multiple methods to integrate your devices into Azure AD:

-* You can [register devices](concept-azure-ad-register.md) with Azure AD

-* [Join devices](concept-azure-ad-join.md) to Azure AD (cloud-only) or

-* [Create a hybrid Azure AD join](concept-azure-ad-join-hybrid.md) in between devices in your on-premises Active Directory and Azure AD.

-* Increase productivity ΓÇô With Azure AD, your users can do [seamless sign-on (SSO)](./azuread-join-sso.md) to your on-premises and cloud resources, which enables them to be productive wherever they are.

-* Increase security ΓÇô Azure AD devices enable you to apply [Conditional Access policies](../conditional-access/require-managed-devices.md) to resources based on the identity of the device or user. Conditional Access policies can offer extra protection using [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md). Joining a device to Azure AD is a prerequisite for increasing your security with a [Passwordless Authentication](../authentication/concept-authentication-passwordless.md) strategy.

-* Improve user experience ΓÇô With device identities in Azure AD, you can provide your users with easy access to your organizationΓÇÖs cloud-based resources from both personal and corporate devices. Administrators can enable [Enterprise State Roaming](enterprise-state-roaming-overview.md) for a unified experience across all Windows devices.

-* Simplify deployment and management ΓÇô Device identity management simplifies the process of bringing devices to Azure AD with [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot), [bulk provisioning](/mem/intune/enrollment/windows-bulk-enroll), and [self-service: Out of Box Experience (OOBE)](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973). You can manage these devices with Mobile Device Management (MDM) tools like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), and their identities in [Azure portal](https://portal.azure.com/).

-### Training resources

-Video: [Conditional access with device controls](https://youtu.be/NcONUf-jeS4)

-FAQs: [Azure AD device management FAQ](faq.yml) and [Settings and data roaming FAQ](enterprise-state-roaming-faqs.yml)

-When technology projects fail, they typically do so due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you are engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood.

-Hybrid Azure AD join deployment is straightforward, and it's 100% an administratorΓÇÖs task without end user action necessary. You may want to do a [controlled validation of hybrid Azure AD join](hybrid-azuread-join-control.md) before enabling it across the entire organization all at once.

-> Personal or bring-your-own device (BYOD) scenarios are not pictured in this diagram. They always result in Azure AD registration.

-| Consideration | Azure AD registered| Azure AD join| Hybrid Azure AD join |

-| - | - | - | - |

-| **Client operating systems**| | | |

-| Windows 10 devices| | |  |

-| Windows down-level devices (Windows 8.1 or Windows 7)| | |  |

-|**Sign in options**| | | |

-| End-user local credentials| | | |

-| Password| | |  |

-| Device PIN| | | |

-| Windows Hello| | | |

-| Windows Hello for Business| | |  |

-| FIDO 2.0 security keys| | |  |

-| Microsoft Authenticator App (passwordless)| | |  |

-|**Key capabilities**| | | |

-| SSO to cloud resources| | |  |

-| SSO to on-premises resources| | |  |

-| Conditional Access <br> (Require devices be marked as compliant) <br> (Must be managed by MDM)|  | | |

-Conditional Access <br>(Require hybrid Azure AD joined devices)| | | 

-| Self-service password reset from the Windows login screen| | |  |

-| Windows Hello PIN reset| | |  |

-| Enterprise state roaming across devices| | |  |

-Registered devices are often managed with [Microsoft Intune](/mem/intune/enrollment/device-enrollment). Devices are enrolled in Intune in a number of ways, depending on the operating system.

-Registered devices are often managed with [Microsoft Intune](/mem/intune/enrollment/device-enrollment). Devices are enrolled in Intune in a number of ways, depending on the operating system.

-However, [Azure AD joined devices can SSO to on-premises resources](azuread-join-sso.md) when they are on the organization's network, can authenticate to on-premises servers like file, print, and other applications.

-If this is the best option for your organization, see the following resources:

-* Familiarize yourself with the [Azure AD Join implementation plan](azureadjoin-plan.md).

-### Provisioning Azure AD Join to your devices

-To provision Azure AD Join, you have the following approaches:

-You may determine that Azure AD Join is the best solution for a device, and that device may already be in a different states. Here are the upgrade considerations.

-| Current device state| Desired device state| How-to |

-| - | - | - |

-| On-premises domain joined| Azure AD Join| Unjoin the device from on-premises domain before joining to Azure AD |

-| Hybrid Azure AD Join| Azure AD Join| Unjoin the device from on-premises domain and from Azure AD before joining to Azure AD |

-| Azure AD registered| Azure AD Join| Unregister the device before joining to Azure AD |

-If you have an on-premises Active Directory environment and you want to join your Active directory domain-joined computers to Azure AD, you can accomplish this with hybrid Azure AD join. It supports a [broad range of Windows devices](hybrid-azuread-join-plan.md), including both Windows current and Windows down-level devices.

-Most organizations already have domain joined devices and manage them via Group Policy or System Center Configuration Manager (SCCM). In that case, we recommend configuring hybrid Azure AD Join to start getting benefits while leveraging existing investment.

-* This overview of [Hybrid Azure AD joined devices](concept-azure-ad-join-hybrid.md).

-* Familiarize yourself with the [Hybrid Azure AD join implementation](hybrid-azuread-join-plan.md) plan.

-[Review your identity infrastructure](hybrid-azuread-join-plan.md). Azure AD Connect provides you with a wizard to configure hybrid Azure AD Join for:

-* [Federated domains](hybrid-azuread-join-federated-domains.md)

-* [Managed domains](hybrid-azuread-join-managed-domains.md)

-If installing the required version of Azure AD Connect isn't an option for you, see [how to manually configure Hybrid Azure AD join](hybrid-azuread-join-manual.md).

-> The on-premises domain-joined Windows 10 device attempts to auto-join to Azure AD to become Hybrid Azure AD joined by default. This will only succeed if you haves set up the right environment.

-You may determine that Hybrid Azure AD Join is the best solution for a device, and that device may already be in a different state. Here are the upgrade considerations.

-| Current device state| Desired device state| How-to |

-| - | - | - |

-| On-premises domain join| Hybrid Azure AD Join| Use Azure AD connect or AD FS to join to Azure |

-| On-premises workgroup joined or new| Hybrid Azure AD Join| Supported with [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot). Otherwise device needs to be on-premises domain joined before Hybrid Azure AD Join |

-| Azure AD joined| Hybrid Azure AD Join| Unjoin from Azure AD, which puts it in the on-premises workgroup or new state. |

-| Azure AD registerd| Hybrid Azure AD Join| Depends on Windows version. [See these considerations](hybrid-azuread-join-plan.md). |

-Once you have registered or joined your devices to Azure AD, use the [Azure portal](https://portal.azure.com/) as a central place to manage your device identities. The Azure Active Directory devices page enables you to:

-* [Configure your device settings](device-management-azure-portal.md#configure-device-settings)

-* You need to be a local administrator to manage Windows devices. [Azure AD updates this membership for Azure AD joined devices](assign-local-admin.md), automatically adding those with the device manager role as administrators to all joined devices.

-Administrators can secure and further control these registered and joined devices using additional device management tools. These tools provide a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, software installations, and software updates.

-| Device management tools| Azure AD registered| Azure AD join| Hybrid Azure AD join|

-| - | - | - | - |

-| [Mobile Device Management (MDM) ](/windows/client-management/mdm/azure-active-directory-integration-with-mdm) <br>Example: Microsoft Intune| | | |

-| [Co management with Microsoft Intune and Microsoft Endpoint Configuration Manager](/mem/configmgr/comanage/overview) <br>(Windows 10 and later)| | | |

-| [Group policy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11))<br>(Windows only)| | | |

- We recommend that you consider [Microsoft Intune Mobile Application management (MAM)](/mem/intune/apps/app-management) with or without device management for registered iOS or Android devices.

- Administrators can also [deploy virtual desktop infrastructure (VDI) platforms](howto-device-identity-virtual-desktop-infrastructure.md) hosting Windows operating systems in their organizations to streamline management and reduce costs through consolidation and centralization of resources.

-### Troubleshoot device identities

-* [Troubleshooting devices using the dsregcmd command](troubleshoot-device-dsregcmd.md)

-* [Troubleshooting Enterprise State Roaming settings in Azure Active Directory](enterprise-state-roaming-troubleshooting.md)

-If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:

-* [Troubleshoot hybrid Azure AD join for Windows current devices](troubleshoot-hybrid-join-windows-current.md)

-* [Troubleshoot hybrid Azure AD join for Windows down level devices](troubleshoot-hybrid-join-windows-legacy.md)

-* [Plan your Azure AD Join implementation](azureadjoin-plan.md)

-* [Plan your hybrid Azure AD Join implementation](hybrid-azuread-join-plan.md)

-This article provides troubleshooting guidance to help you resolve potential issues with devices that are running Windows 10 or Windows Server 2016.

-description: This document details post configuration tasks needed to complete the Hybrid Azure AD join

-# Post configuration tasks for Hybrid Azure AD join

-After you have run Azure AD Connect to configure your organization for Hybrid Azure AD join, there are a few additional steps that you must complete to finalize that setup. Carry out only the steps that apply for your devices.

-## 1. Configure controlled rollout (Optional)

-All domain-joined devices running Windows 10 and Windows Server 2016 automatically register with Azure AD once all configuration steps are complete. If you prefer a controlled rollout rather than this auto-registration, you can use group policy to selectively enable or disable automatic rollout. This group policy should be set before starting the other configuration steps:

-* Create a group policy object in your Active Directory.

-* Name it (ex- Hybrid Azure AD join).

-* Edit and go to: Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.

->[!NOTE]

->For 2012R2 the policy settings are at **Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join > Automatically workplace join client computers**

-* Enable this setting: Register domain-joined computers as devices.

-* Apply and click OK.

-* Link the GPO to the location of your choice (organizational unit, security group, or to the domain for all devices).

-## 2. Configure network with device registration endpoints

-Make sure that the following URLs are accessible from computers inside your organizational network for registration to Azure AD:

-* `https://enterpriseregistration.windows.net`

-* `https://login.microsoftonline.com`

-* `https://device.login.microsoftonline.com`

-## 3. Implement WPAD for Windows 10 devices

-If your organization accesses the Internet via an outbound proxy, implement Web Proxy Auto-Discovery (WPAD)to enable Windows 10 computers to register to Azure AD.

-## 4. Configure the SCP in any forests that were not configured by Azure AD Connect

-The service connection point (SCP) contains your Azure AD tenant information that will be used by your devices for auto-registration. Run the PowerShell script, ConfigureSCP.ps1, that you downloaded from Azure AD Connect.

-## 5. Configure any federation service that was not configured by Azure AD Connect

-If your organization uses a federation service to sign in to Azure AD, the claim rules in your Azure AD relying party trust must allow device authentication. If you are using federation with AD FS, go to [AD FS Help](https://aka.ms/aadrptclaimrules) to generate the claim rules. If you are using a non-Microsoft federation solution, contact that provider for guidance.

->[!NOTE]

->If you have Windows down-level devices, the service must support issuing the authenticationmethod and wiaormultiauthn claims when receiving requests to the Azure AD trust. In AD FS, you should add an issuance transform rule that passes-through the authentication method.

-## 6. Enable Azure AD Seamless SSO for Windows down-level devices

-If your organization uses Password Hash Synchronization or Pass-through Authentication to sign in to Azure AD, enable [Azure AD Seamless SSO](/azure/active-directory/connect/active-directory-aadconnect-sso) with that sign-in method to authenticate Windows down-level devices.

-## 7. Set Azure AD policy for Windows down-level devices

-To register Windows down-level devices, you need to make sure that the Azure AD policy allows users to register devices.

-* Log-in to your account in the Azure portal.

-* Go to: Azure Active Directory > Devices > Device settings

-* Set "Users may register their devices with Azure AD" to ALL.

-* Click Save

-## 8. Add Azure AD endpoint to Windows down-level devices

-Add the Azure AD device authentication endpoint to the local Intranet zones on your Windows down-level devices to avoid certificate prompts when authenticating the devices:

-`https://device.login.microsoftonline.com`

-If you are using [Seamless SSO](how-to-connect-sso.md), also enable ΓÇ£Allow status bar updates via scriptΓÇ¥ on that zone and add the following endpoint:

-`https://autologon.microsoftazuread-sso.com`

-## 9. Install Microsoft Workplace Join on Windows down-level devices

-This installer creates a scheduled task on the device system that runs in the userΓÇÖs context. The task is triggered when the user signs in to Windows. The task silently joins the device with Azure AD with the user credentials after authenticating using integrated Windows authentication. The download center is at https://www.microsoft.com/download/details.aspx?id=53554.

-## 10. Configure group policy to allow device registration

-For information about how to allow hybrid Azure AD join for individual devices, see [Controlled validation of hybrid Azure AD join](../devices/hybrid-azuread-join-control.md).

-## Next steps

-[Configure device writeback](how-to-connect-device-writeback.md)

-description: This article describes group writeback in Azure AD Connect.

- * Application.Read.All

- * Application.ReadWrite.All

- * Application.ReadWrite.OwnedBy

- * Directory.Read.All

- * Group.Read.All

- * IdentityRiskyUser.Read.All

- * Policy.Read.All

- * Policy.ReadWrite.ApplicationConfiguration

- * Policy.ReadWrite.ConditionalAccess

- * User.Read.All

- 8. Grant admin consent for your organization

- Once provisioned, the certificate can be used for every application published through Easy Button. You can also choose to upload a separate certificate for individual applications.

- 

- You can now access the Easy Button functionality that provides quick configuration steps to set up the APM as a SAML Service Provider (SP) and Azure AD as an Identity Provider (IdP) for your application.

-1. Enter **Configuration Name**. A unique name that enables an admin to easily distinguish between Easy Button configurations for published applications

-3. Enter the **Tenant Id**, **Client ID**, and **Client Secret** from your registered application

- Next, under security settings, enter information for Azure AD to encrypt issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides additional assurance that the content tokens canΓÇÖt be intercepted, and personal or corporate data be compromised.

-The **Available Policies** list, by default, displays a list of policies that target selected apps.

-The **Selected Policies** list, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list. They are included by default but can be excluded if necessary.

-Selected policies should either have an **Include** or **Exclude option** checked. If both options are checked, the selected policy is not enforced. Exclude all policies while testing. You can go back and enable them later.

-For this scenario, you will configure a critical line of business (LOB) application for **Kerberos authentication**, also known as **Integrated Windows Authentication (IWA)**.

-Ideally, Azure AD should manage the application, but being legacy, it does not support any form of modern authentication protocols. Modernization would take considerable effort, introducing inevitable costs, and risk of potential downtime.

-Instead, a BIG-IP Virtual Edition (VE) deployed between the public internet and the internal Azure VNet application is connected and will be used to gate inbound access to the application, along with Azure AD for its extensive choice of authentication and authorization capabilities.

-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO. It significantly improves the overall security posture of the application, and allows the business to continue operating at pace, without interruption.

-**BIG-IP:** Reverse proxy functionality enables publishing backend applications. The APM then overlays published applications with SAML Service Provider (SP) and SSO functionality.

- Once provisioned, the certificate can be used for every application published through Easy Button. You can also choose to upload a separate certificate for individual applications.

- You can now access the Easy Button functionality that provides quick configuration steps to set up the APM as a SAML Service Provider (SP) and Azure AD as an Identity Provider (IdP) for your application.

-1. Enter **Configuration Name.** A unique name that enables an admin to easily distinguish between Easy Button configurations for published applications

-3. Enter the **Tenant Id, Client ID,** and **Client Secret** from your registered application

-In the **Additional User Attributes tab**, you can enable session augmentation required by various distributed systems such as Oracle, SAP, and other JAVA based implementations requiring attributes stored in other directories. Attributes fetched from an LDAP source can then be injected as additional SSO headers to further control access based on roles, Partner IDs, etc.![Graphical user interface, text, application, email

-The **Available Policies** list, by default, displays a list of policies that target selected apps.

-The **Selected Policies** list, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list. They are included by default but can be excluded if necessary.

- Selected policies should either have an **Include** or **Exclude** option checked. If both options are checked, the selected policy is not enforced. **Exclude** all policies while testing. You can go back and enable them later.

-The **Application Pool tab** details the services behind a BIG-IP that are represented as a pool, containing one or more application servers.

-From a browser, **connect** to the applicationΓÇÖs external URL or select the **applicationΓÇÖs icon** in the [Microsoft MyApps portal](https://myapps.microsoft.com/). After authenticating against Azure AD, youΓÇÖll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.

- * Application.Read.All

- * Application.ReadWrite.All

- * IdentityRiskyUser.Read.All

- * Policy.Read.All

- * Policy.ReadWrite.ApplicationConfiguration

- * Policy.ReadWrite.ConditionalAccess

- * User.Read.All

-1. Enter **Configuration Name**. A unique name that enables an admin to easily distinguish between Easy Button configurations for published applications

-3. Enter the **Tenant Id**, **Client ID**, and **Client Secret** from your registered application

-4. Confirm the BIG-IP can successfully connect to your tenant, and then select **Next**

- Next, under security settings, enter information for Azure AD to encrypt issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides additional assurance that the content tokens can't be intercepted, and personal or corporate data be compromised.

-The **Available Policies** list, by default, displays a list of policies that target selected apps.

-The **Selected Policies** list, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list. They are included by default but can be excluded if necessary.

-Selected policies should either have an **Include** or **Exclude** option checked. If both options are checked, the selected policy is not enforced. **Exclude** all policies while testing. You can go back and enable them later.

-* **Header Operation:** Insert

-* **Header Name:** upn

-* **Header Value:** %{session.saml.last.identity}

-* **Header Operation:** Insert

-* **Header Name:** employeeid

-* **Header Value:** %{session.saml.last.attr.name.employeeid}

-

-* **Header Operation:** Insert

-* **Header Name:** eventroles

-* **Header Value:** %{session.ldap.last.attr.eventroles}

-| [Helpdesk Administrator](permissions-reference.md#helpdesk-administrator) | Can reset passwords for non-administrators and Helpdesk Administrators in the assigned administrative unit only. |

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Burp Suite Enterprise Edition

-* Burp Suite Enterprise Edition supports **IDP** initiated SSO

-* Burp Suite Enterprise Edition supports **Just In Time** user provisioning

-## Adding Burp Suite Enterprise Edition from the gallery

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:

-Once you configure Burp Suite Enterprise Edition you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with New Relic

-In New Relic's authentication domain UI, you can configure [other settings](https://docs.newrelic.com/docs/accounts/accounts-billing/new-relic-one-user-management/authentication-domains-saml-sso-scim-more/#session-mgmt), like session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with SailPoint IdentityNow

-## Adding SailPoint IdentityNow from the gallery

-Once you configure SailPoint IdentityNow you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with SurveyMonkey Enterprise

-Once you configure SurveyMonkey Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Tulip

-## Adding Tulip from the gallery

- > If the **Identifier** and **Reply URL** values are not getting auto polulated, then fill in the values manually according to your requirement.

-* Click on Test this application in Azure portal and you should be automatically signed in to the Tulip for which you set up the SSO

-Once you configure Tulip you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-description: Learn how update or reset the service principal or AAD Application credentials for an Azure Kubernetes Service (AKS) cluster

-You may also have [integrated your AKS cluster with Azure Active Directory][aad-integration], and use it as an authentication provider for your cluster. In that case you will have 2 more identities created for your cluster, the AAD Server App and the AAD Client App, you may also reset those credentials.

-az ad sp create-for-rbac

-## Update AKS Cluster with new AAD Application credentials

-You may create new AAD Server and Client applications by following the [AAD integration steps][create-aad-app]. Or reset your existing AAD Applications following the [same method as for service principal reset](#reset-the-existing-service-principal-credential). After that you just need to update your cluster AAD Application credentials using the same [az aks update-credentials][az-aks-update-credentials] command but using the *--reset-aad* variables.

-In this article, the service principal for the AKS cluster itself and the AAD Integration Applications were updated. For more information on how to manage identity for workloads within a cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity].

-If you use Azure Key Vault to manage a custom domain TLS certificate, make sure the certificate is inserted into Key Vault [as a _certificate_](/rest/api/keyvault/createcertificate/createcertificate), not a _secret_.

-The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service. It's a TLS/SSL server certificate that's fully managed by App Service and renewed continuously and automatically in six-month increments, 45 days before expiration. You create the certificate and bind it to a custom domain, and let App Service do the rest.

-App Service can now migrate your App Service Environment v2 to an [App Service Environment v3](overview.md). App Service Environment v3 provides [advantages and feature differences](overview.md#feature-differences) over earlier versions. Make sure to review the [supported features](overview.md#feature-differences) of App Service Environment v3 before migrating to reduce the risk of an unexpected application issue.

-> An older version of this protocol, using the "2017-09-01" API version, used the `secret` header instead of `X-IDENTITY-HEADER` and only accepted the `clientid` property for user-assigned. It also returned the `expires_on` in a timestamp format. MSI_ENDPOINT can be used as an alias for IDENTITY_ENDPOINT, and MSI_SECRET can be used as an alias for IDENTITY_HEADER. This version of the protocol is currently required for Linux Consumption hosting plans.

-> | api-version | Query | The version of the token API to be used. Please use "2019-08-01" or later (unless using Linux Consumption, which currently only offers "2017-09-01" - see note above). |

-# Get started with a client library SDKs or REST API

-# Get started with the Sample Labeling tool

-# Quickstart: C# client library SDK v3.0 | Preview

-# Quickstart: Java client library SDK v3.0 | Preview

-# Quickstart: Form Recognizer JavaScript client library SDKs v3.0 | Preview

-# Quickstart: Python client library SDK v3.0 | Preview

-# Quickstart: REST API | Preview

-1. A sidebar pops up to allow you to select any available user-assigned identity to your subscription. Choose an identity and select **Add**. For more information on user assigned managed identities, see [manage user-assigned identity](/azure/active-directory/managed-identities-azure-resources/manage-user-assigned-managed-identities.md).

-There are few exceptions to the retirement policy outlined above. Here is a list of languages that are approaching or have reached their end-of-life dates but continue to be supported on the platform until further notice. When these languages versions reach their end-of-life dates, they are no longer updated or patched. Because of this, we discourage you from developing and running your function apps on these language versions.

-|.NET 5|February 2022|TBA|

-To re-deploy this feature, see [Deploy Start/Stop v2](deploy.md) (preview).

- context.Configuration["APPLICATIONINSIGHTS_CONNECTION_STRING"]);

-In the preceding code, `ApplicationInsightsLoggerProvider` is configured with your `"APPLICATIONINSIGHTS_CONNECTION_STRING"` connection string. Filters are applied, setting the log level to <xref:Microsoft.Extensions.Logging.LogLevel.Trace?displayProperty=nameWithType>.

-> [!IMPORTANT]

-> We recommend [connection strings](./sdk-connection-string.md?tabs=net) over instrumentation keys. New Azure regions *require* the use of connection strings instead of instrumentation keys.

->

-> A connection string identifies the resource that you want to associate with your telemetry data. It also allows you to modify the endpoints that your resource will use as a destination for your telemetry. You'll need to copy the connection string and add it to your application's code or to an environment variable.

- {

- var itemProperties = item as ISupportProperties;

- if (itemProperties != null && !itemProperties.Properties.ContainsKey("AppVersion"))

- {

- itemProperties.Properties["AppVersion"] = "v2.1";

- }

- }

- .Add(new MyTelemetryInitializer());

- using Microsoft.ApplicationInsights.Extensibility;

- using CustomInitializer.Telemetry;

- public void ConfigureServices(IServiceCollection services)

-All new TelemetryClients automatically add the property value you specify. Individual telemetry events can override the default values.

-It is recommended customers get the most recent version of the [AzAcSnap Installer](https://aka.ms/azacsnapdownload) from Microsoft.

-The self-installation file has an associated [AzAcSnap Installer signature file](https://aka.ms/azacsnapdownloadsignature) which is signed with Microsoft's public key to allow for GPG verification of the downloaded installer.

-The installer, which is downloadable per above, has an associated PGP signature file with an `.asc`

-filename extension. This file can be used to ensure the installer downloaded is a verified

-Microsoft provided file. The Microsoft PGP Public Key used for signing Linux packages is available here

-(<https://packages.microsoft.com/keys/microsoft.asc>) and has been used to sign the signature file.

-3. Check the fingerprint with `fpr`

-For more details about using GPG, see [The GNU Privacy Handbook](https://www.gnupg.org/gph/en/manual/book1.html).

-| Database Versions |1.0 SPS12|2.0 SPS0|2.0 SPS1|2.0 SPS2|2.0 SPS3|2.0 SPS4|

-|-||--|--|--|--|--|

-|Single Container Database| √ | √ | - | - | - | - |

-|MDC Single Tenant | - | - | √ | √ | √ | √ |

-|MDC Multiple Tenants | - | - | - | - | - | √ |

-> √ = <small>supported by SAP for Storage Snapshots</small>

- command before using in the production system.

- set up the user for each HANA instance. Create an SAP HANA user account to access HANA

- instance under the SYSTEMDB (and not in the SID database) for MDC. In the single container

- environment, it can be set up under the tenant database.

- node and for each user under which the command is executed.

- Windows editors like Notepad. Using Windows editor may corrupt the file format.

- - Set up `hdbuserstore` for the SAP HANA user to communicate with SAP HANA.

- `azacsnap -c backup` for SAP HANA 2 and later releases.

-system specified in the configuration file. If this node becomes unavailable, there is no mechanism to

-automatically start communicating with another node.

- - For an **SAP HANA Scale-Out with Standby** scenario it is typical to install and configure the snapshot

- tools on the master node. But, if the master node becomes unavailable, the standby node will take over

-the master node role. In this case, the implementation team should configure the snapshot tools on both

-nodes (Master and Stand-By) to avoid any missed snapshots. In the normal state, the master node will take

-HANA snapshots initiated by crontab, but after master node failover those snapshots will have to be

-executed from another node such as the new master node (former standby). To achieve this outcome, the standby

-node would need the snapshot tool installed, storage communication enabled, hdbuserstore configured,

-`azacsnap.json` configured, and crontab commands staged in advance of the failover.

- - For an **SAP HANA HSR HA** scenario, it is recommended to install, configure, and schedule the

-snapshot tools on both (Primary and Secondary) nodes. Then, if the Primary node becomes unavailable,

-the Secondary node will take over with snapshots being taken on the Secondary. In the normal state, the

-Primary node will take HANA snapshots initiated by crontab and the Secondary node would attempt to take

-snapshots but fail as the Primary is functioning correctly. But after Primary node failover, those

-snapshots will be executed from the Secondary node. To achieve this outcome, the Secondary node needs the

-snapshot tool installed, storage communication enabled, `hdbuserstore` configured, azacsnap.json

-configured, and crontab enabled in advance of the failover.

-# Display health status of replication relationship

-You can view replication status on the source volume or the destination volume.

-1. From either the source volume or the destination volume, click **Replication** under Storage Service for either volume.

- The following replication status and health information is displayed:

- * **Total progress** -- Shows the total amount of cumulative bytes transferred over the lifetime of the relationship. This amount is the actual bytes transferred, and it might differ from the logical space that the source and destination volumes report.

-## Next steps

-If you have questions about Azure Managed Applications, try asking on [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-managedapps). A similar question may have already been asked and answered, so check first before posting. Add the tag `azure-managedapps` to get a fast response!

-> | workflows | resource group | 1-80 | Alphanumerics, hyphens, underscores, periods, and parenthesis. |

-|vCore-based|This model allows you to independently choose compute and storage resources. The vCore-based purchasing model also allows you to use [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/) for SQL Server to save costs.|Customers who value flexibility, control, and transparency|

-The single database resource type creates a database in Azure SQL Database with its own set of resources and is managed via a [server](logical-servers.md). With a single database, each database is isolated and portable. Each has its own service tier within the [DTU-based purchasing model](service-tiers-dtu.md) or [vCore-based purchasing model](service-tiers-vcore.md) and a guaranteed compute size.

-# Azure SQL Database glossary of terms

-|Context|Term|More information|

-|Azure service|Azure SQL Database or SQL Database|[Azure SQL Database](database/sql-database-paas-overview.md)|

-|Purchasing model|DTU-based purchasing model|[DTU-based purchasing model](database/service-tiers-dtu.md)|

-||vCore-based purchasing model|[vCore-based purchasing model](database/service-tiers-sql-database-vcore.md)|

-|Deployment option |Single database|[Single databases](database/single-database-overview.md)|

-||Elastic pool|[Elastic pool](database/elastic-pool-overview.md)|

-|Service tier|Basic, Standard, Premium, General Purpose, Hyperscale, Business Critical|For service tiers in the vCore model, see [SQL Database service tiers](database/service-tiers-sql-database-vcore.md#service-tiers). For service tiers in the DTU model, see [DTU model](database/service-tiers-dtu.md#compare-the-dtu-based-service-tiers).|

-|Compute tier|Serverless compute|[Serverless compute](database/service-tiers-sql-database-vcore.md#compute-tiers)

-||Provisioned compute|[Provisioned compute](database/service-tiers-sql-database-vcore.md#compute-tiers)

-|Compute generation|Gen5, M-series, Fsv2-series, DC-series|[Hardware generations](database/service-tiers-sql-database-vcore.md#hardware-generations)

-|Server entity| Server |[Logical SQL servers](database/logical-servers.md)|

-|Resource type|vCore|A CPU core provided to the compute resource for a single database, elastic pool. |

-||Compute size and storage amount|Compute size is the maximum amount of CPU, memory and other non-storage related resources available for a single database, or elastic pool. Storage size is the maximum amount of storage available for a single database, or elastic pool. For sizing options in the vCore model, see [vCore single databases](database/resource-limits-vcore-single-databases.md), and [vCore elastic pools](database/resource-limits-vcore-elastic-pools.md). (../managed-instance/resource-limits.md). For sizing options in the DTU model, see [DTU single databases](database/resource-limits-dtu-single-databases.md) and [DTU elastic pools](database/resource-limits-dtu-elastic-pools.md).

-|Azure service|Azure SQL Managed Instance|[SQL Managed Instance](managed-instance/sql-managed-instance-paas-overview.md)|

-|Purchasing model|vCore-based purchasing model|[vCore-based purchasing model](managed-instance/service-tiers-managed-instance-vcore.md)|

-|Deployment option |Single Instance|[Single Instance](managed-instance/sql-managed-instance-paas-overview.md)|

-||Instance pool (preview)|[Instance pools](managed-instance/instance-pools-overview.md)|

-|Service tier|General Purpose, Business Critical|[SQL Managed Instance service tiers](managed-instance/sql-managed-instance-paas-overview.md#service-tiers)|

-|Compute tier|Provisioned compute|[Provisioned compute](managed-instance/service-tiers-managed-instance-vcore.md#compute-tiers)|

-|Compute generation|Gen5|[Hardware generations](managed-instance/service-tiers-managed-instance-vcore.md#hardware-generations)

-|Server entity|Managed instance or instance| N/A as the SQL Managed Instance is in itself the server |

-|Resource type|vCore|A CPU core provided to the compute resource for SQL Managed Instance.|

-||Compute size and storage amount|Compute size is the maximum amount of CPU, memory and other non-storage related resources for SQL Managed Instance. Storage size is the maximum amount of storage available for a SQL Managed Instance. For sizing options, [SQL Managed Instances](managed-instance/resource-limits.md). |

-Description: Learn about tips and best practices to help protect Azure VMware Solution deployments from vulnerabilities and malicious actors.

-| Stay current with HCX service updates | HCX service updates can include new features, software fixes, and security patches. Apply service updates during a maintenance window where no new HCX operations are queued up by following these [steps](https://docs.vmware.com/en/VMware-HCX/4.1/hcx-user-guide/GUID-F4AEAACB-212B-4FB6-AC36-9E5106879222.html). |

-az webpubsub hub create -n "<your-unique-resource-name>" -g "myResourceGroup" --hub-name "chat" --event-handler url-template="https://<domain-name>.ngrok.io/eventHandler" user-event-pattern="*" system-event="connected"

-* There's no limit on the number of databases you can select for auto-protection at a time. Discovery typically runs every eight hours. However, you can discover and protect new databases immediately if you manually run a discovery by selecting the **Rediscover DBs** option.

-description: Learn how copy and paste to and from an Windows VM using Bastion.

-# Connect to a VM using Bastion and the native client on your Windows computer (Preview)

-Azure Bastion now offers support for connecting to target VMs in Azure using a native RDP or SSH client on your Windows workstation. This feature lets you connect to your target VMs via Bastion using Azure CLI and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). This article helps you configure Bastion with the required settings, and then connect to a VM in the VNet. For more information, see the [What is Azure Bastion?](bastion-overview.md).

-* Native client support is not yet available for use from your local Linux workstation. If you are connecting to your target VM from a Linux workstation, use the Azure portal experience.

-## Configure Bastion

-### To modify an existing bastion host

-### To configure a new bastion host

-## Verify roles and ports

-### Required roles

-## <a name="connect"></a>Connect to a VM

-This section helps you connect to your virtual machine. Use the steps that correspond to the type of VM you want to connect to.

-### Connect to a Linux VM

- * If you signing in to an Azure AD login-enabled VM, use the following command. To learn more about how to use Azure AD to sign in to your Azure Linux VMs, see [Azure Linux VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).

-### Connect to a Windows VM

-1. Once you sign in to your target VM, the native client on your workstation will open up with your VM session; MSTSC for RDP sessions, and SSH CLI extension for SSH sessions.

-> If you are creating your pool with a [custom image](batch-sig-images.md), you can enable disk encryption only if using Windows VMs.

-| Rel 22-01 | [5009557] | Latest Cumulative Update(LCU) | 6.39 | Jan 11, 2022 |

-| Rel 22-01 | [5009555] | Latest Cumulative Update(LCU) | 7.7 | Jan 11, 2022 |

-| Rel 22-01 | [5009546] | Latest Cumulative Update(LCU) | 5.63 | Jan 11, 2022 |

-| Rel 22-01OOB | [4578013] | Standalone Security Update | 4.98 | Aug 19, 2020 |

-| Rel 22-01 | 5008287 | Servicing Stack update | 6.39 | Aug 10, 2021 |

-[5009557]: https://support.microsoft.com/kb/5009557

-[5009555]: https://support.microsoft.com/kb/5009555

-[5009546]: https://support.microsoft.com/kb/5009546

-# Get facial pose events

-constructed_url = endpoint + path

-constructed_url = endpoint + path

-constructed_url = endpoint + path

-constructed_url = endpoint + path

-constructed_url = endpoint + path

-constructed_url = endpoint + path

-constructed_url = endpoint + path

-constructed_url = endpoint + path

-constructed_url = endpoint + path

-No configurations are required for custom question answering and CLU connections, or unlinked intents.

-An orchestration workflow project returns with the response of the top scoring intent, and the response of the service it is connected to.

-| where OperationName=="QnAMaker GenerateAnswer" // This OperationName is valid for custom question answering enabled resources

-| where OperationName=="QnAMaker GenerateAnswer" // This OperationName is valid for custom question answering enabled resources

-| where OperationName=="QnAMaker GenerateAnswer" // This OperationName is valid for custom question answering enabled resources

-Text summarization is one of the features offered by [Azure Cognitive Service for Language](../overview.md), a collection of machine learning and AI algorithms in the cloud for developing intelligent applications that involve written language. This extractive summarization feature can produce a summary by extracting sentences that collectively represent the most important or relevant information within a document. It condenses articles, papers, or documents to key sentences.

-## Responsible AI

-An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the [transparency note for language detection](/legal/cognitive-services/language-service/transparency-note-extractive-summarization?context=/azure/cognitive-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

-## Next steps

-There are two ways to get started using the text summarization feature:

-* [Language Studio](../language-studio.md), which is a web-based platform that enables you to try several Azure Cognitive Service for Language features without needing to write code.

-* The [quickstart article](quickstart.md) for instructions on making requests to the service using the REST API and client library SDK.

-# Job classification concepts

-Azure Communication Services Job Router uses a process called **classification** when a Job is submitted. This article describes the different ways a Job can be classified and the effect this process has on it.

-## Job classification overview

-Job Router uses two primary methods for classifying a Job; static or dynamic. If the calling application has knowledge about the Queue ID, Priority, or Worker Selectors, the Job can be submitted without a Classification Policy; known as **static classification**. If you prefer to let Job Router decide the Queue ID, a Classification Policy can be used to modify the Job's properties; known as **dynamic classification**.

-When you submit a Job using the Job Router SDK, the process of classification will result in an event being sent to your Azure Communication Services Event Grid subscription. The events generated as part of the classification lifecycle give insights into what actions the Job Router is taking. For example, a successful classification will produce a **RouterJobClassified** and a failure will produce a **RouterJobClassificationFailed**.

-## Static classification

-Submitting a Job with a pre-defined Queue ID, Priority, and Worker selectors allows you to get started quickly. Job Router will not modify these properties after submitting the Job unless you update it by specifying a Classification Policy prior to assignment to a Worker. You can update the Classification Policy property of a Job after submission, which will trigger the dynamic classification process.

-> [!NOTE]

-> You have the option of overriding the result of dynamic classification by using the Job Router SDK to update the Job properties manually. For example, you could specify a static Queue ID initially, then update the Job with a Classification Policy ID to be dynamically classified, then override the Queue ID.

-## Dynamic classification

-Specifying a classification policy when you submit a Job will allow Job Router to dynamically assign the Queue ID, Priority, and potentially modify the Worker selectors. This type of classification is beneficial since the calling application does not need to have knowledge of any Job properties including the Queue ID at runtime.

-### Queue selectors

-A Classification Policy can reference a `QueueSelector`, which is used by the classification process to determine which Queue ID will be chosen for a particular Job. The following `QueueSelector` types exist in Job Router and are applicable options to the Queue selection process during classification:

-**QueueLabelSelector -** When you create a Job Router Queue you can specify labels to help the Queue selection process during Job classification. This type of selector uses a collection of `LabelSelectorAttachment` types to offer the most flexibility in selecting the Queue during the classification process. Use this selector to allow the Job classification process to select the Queue ID based on its labels. For more information See the section [below](#using-labels-and-selectors-in-classification).

-**QueueIdSelector -** This selector will enable the use of one of many rule engines to determine the Queue ID of the Job based on the result of the rule. Read the [RouterRule concepts](router-rule-concepts.md) page for more information.

-### Worker selectors

-A Worker selector in a Classification Policy contains a collection of `LabelSelectorAttachment` types, which is used by the classification process to attach Worker selectors to a Job based on its labels. For more information See the section [below](#using-labels-and-selectors-in-classification).

-### Prioritization rule

-The priority of a Job can be resolved during classification using one of many rule engines; similar to how the `QueueIdSelector` works. Read the [RouterRule concepts](router-rule-concepts.md) page for more information.

-## Using labels and selectors in classification

-Job Router uses the key/value pair "labels" of a Job, Worker, and Queue to make various decisions about routing. When using a `LabelSelectorAttachment` on a `QueueSelector`, it acts like a filter. When used within the context of `WorkerSelectors`, it attaches selectors to the initial set that was created with the job. The following `LabelSelectorAttachment` types can be used:

-**Conditional label selector -** Will evaluate a condition defined by a rule. If it resolves to `true`, then the specified collection of selectors will be applied.

-**Weighted allocation label selector -** A collection of `WeightedAllocation` objects that each specify a percentage based weighting and a collection of selector to apply based on the weighting allocation. For example, you may want 30% of the Jobs to go to "Contoso" and 70% of Jobs to go to "Fabrikam".

-3. An Exception Policy **trigger** can take the **action** of requesting a Job be reclassified

-# Job Router concepts

-Azure Communication Services Job Router solves the problem of matching some abstract supply with some abstract demand on a system. Integrated with Azure Event Grid, Job Router delivers near real-time notifications to you, enabling you to build reactive applications to control the behavior of your Job Router instance.

-## Job Router overview

-The Job Router SDKs can be used to build various business scenarios where you have the need to match a unit of work to a particular resource. For example, the work could be defined as a series of phone calls with many potential contact center agents, or a web chat request with a live agent handling multiple concurrent sessions with other people. The need to route some abstract unit of work to an available resource requires you to define the work, known as a [Job](#job), a [Queue](#queue), the [Worker](#worker), and a set of [Policies](#policies), which define the behavioral aspects of how these components interact with each other.

-## Job Router architecture

-Azure Communication Services Job Router uses events to notify your applications about actions within the service. The following diagrams illustrate a simplified flow common to Job Router; submitting a Job, registering a Worker, handling the Job Offer.

-1. The Contoso application submits a Job to the Job Router in the Azure Communication Services instance.

-2. The Job is classified and an event is raised called **RouterJobClassified** which includes all the information about the Job and how the classification process may have modified its properties.

-1. When a Worker is ready to accept a Job, they register with the Job Router via Contoso's Application.

-2. Job Router then sends back a **RouterWorkerRegistered**

-### Matching and accepting a job flow

-1. When Job Router finds a matching Worker for a Job, it offers the work by sending a **RouterWorkerOfferIssued** which the Contoso Application would receive and send a signal to the connected user using a platform such as the Azure SignalR Service.

-2. The Worker accepts the Offer.

-3. Job Router sends an **RouterWorkerOfferAccepted** signifying to the Contoso Application the Worker is assigned to the Job.

-## Real-time notifications

-Azure Communication Services relies on Event Grid's messaging platform to send notifications about what actions Job Router is taking on the workload you send. Job Router sends messages in the form of events whenever an important action happens such as Job lifecycle events including job creation, completion, offer acceptance, and many more.

-## Job

-A Job represents the unit of work, which needs to be routed to an available Worker. Jobs are defined using the Azure Communication Services Job Router SDKs or by submitting an authenticated request to the REST API. Jobs often contain a reference to some unique identifier you may have such as a call ID or a ticket number, along with the characteristics of the work being performed.

-## Queue

-When a Job is created it is assigned to a Queue, either statically at the time of submission, or dynamically through the application of a classification policy. Jobs are grouped together by their assigned Queue and can take on different characteristics depending on how you intend on distributing the workload. Queues require a **Distribution Policy** to determine how jobs are offered to eligible workers.

-Queues in the Job Router can also contain Exception Policies that determine the behavior of Jobs when certain conditions arise. For example, you may want a Job to be moved to a different Queue, the priority increased, or both based on a timer or some other condition.

-## Worker

-A Worker represents the supply available to handle a Job for a particular Queue. Each Worker registered with the Job Router comes with a set of **Labels**, their associated **Queues**, **channel configurations**, and a **total capacity score**. The Job Router uses these factors to determine when and how to route Jobs to a worker in real time.

-Azure Communication Services Job Router maintains and uses the status of a Worker using simple **Active**, **Inactive**, or **Draining** states to determine when available Jobs can be matched to a worker. Together with the status, the channel configuration, and the total capacity score, Job Router calculates viable Workers and issues Offers related to the Job.

-## Policies

-Azure Communication Services Job Router applies flexible Policies to attach dynamic behavior to various aspects of the system. Depending on the policy, a Job's Labels can be consumed & evaluated to alter a Job's priority, which Queue it should be in, and much more. Certain Policies in the Job Router offer inline function processing using PowerFx, or for more complex scenarios, a callback to an Azure Function.

-**Classification policy -** A classification policy helps Job Router define the Queue, the Priority, and can alter the Worker Selectors when the sender is unable or unaware of these parameters at the time of submission. For more information about classification, see the [classification concepts](classification-concepts.md) page.

-**Distribution policy -** When the Job Router receives a new Job, the Distribution Policy is used to locate a suitable Worker and manage the Job Offers. Workers are selected using different **modes**, and based on the policy, Job Router can notify one or more Workers concurrently.

-**Exception policy -** An exception policy controls the behavior of a Job based on a trigger and executes a desired action. The exception policy is attached to a Queue so it can control the behavior of Jobs in the Queue.

-description: Learn about the Azure Communication Services Job Router distribution concepts.

-# Job distribution concepts

-Azure Communication Services Job Router uses a flexible distribution process, which involves the use of a policy and a Job offer lifecycle to assign Workers. This article describes the different ways a Job can be distributed, what the Job offer lifecycle is, and the effect this process has on Workers.

-## Job distribution overview

-Deciding how to distribute Jobs to Workers is a key feature of Job Router and the SDK offers a similarly flexible and extensible model for you to customize your environment. As described in the [classification concepts](classification-concepts.md) guide, once a Job has been classified, Job Router will look for a suitable Worker based on the characteristics of the Job and the Distribution Policy. Alternatively, if Workers are busy, Job Router will look for a suitable Job when a Worker becomes available. Worker suitability is decided across three characteristics; [an available channel](#channel-configurations), their [abilities,](#worker-abilities) and [status](#worker-status). Once a suitable Worker has been found, a check is performed to make sure they have an open channel the Job can be assigned to.

-These two approaches are key concepts in how Job Router initiates the discovery of Jobs or Workers.

-### Finding workers for a job

-Once a Job has completed the [classification process](classification-concepts.md), Job Router will apply the Distribution Policy configured on the Queue to select one or more workers who meet the worker selectors on the job and generate offers for those workers to take on the job.

-### Finding a job for a worker

-There are several scenarios, which will trigger Job Router to find a job for a worker:

-The distribution process is the same as finding Workers for a Job. When a worker is found, an [offer](#job-offer-overview) is generated.

-## Worker overview

-Workers **register** with Job Router using the SDK and supply the following basic information:

-Job Router will always hold a reference to any registered Worker even if they are manually or automatically **deregistered**.

-### Channel configurations

-Each Job requires a channel ID property representing a pre-configured Job Router channel or a custom channel. A channel configuration consists of a `channelId` string and a `capacityCostPerJob` number. Together they represent an abstract mode of communication and the cost of that mode. For example, most people can only be on one phone call at a time, thus a `Voice` channel may have a high cost of `100`. Alternatively, certain workloads such as chat can have a higher concurrency which means they have a lower cost. You can think of channel configurations as open slots in which a Job can be assigned or attached to. The following example illustrates this point:

-```csharp

-await client.RegisterWorkerAsync(

- id: "EdmontonWorker",

- queueIds: new[] { "XBOX_Queue", "XBOX_Escalation_Queue" },

- totalCapacity: 100,

- labels: new LabelCollection

- {

- { "Location", "Edmonton" },

- { "XBOX_Hardware", 7 },

- },

- channelConfigurations: new List<ChannelConfiguration>

- {

- new (

- channelId: ManagedChannels.AcsVoiceChannel,

- capacityCostPerJob: 100

- ),

- new (

- channelId: ManagedChannels.AcsChatChannel,

- capacityCostPerJob: 33

- )

- }

-);

-```

-The above worker is registered with two channel configurations each with unique costs per channel. The effective result is that the `EdmontonWorker` can handle three concurrent `ManagedChannels.AcsChatChannel` Jobs or one `ManagedChannels.AcsVoiceChannel` Job.

-Job Router includes the following pre-configured channel IDs for you to use:

-New abstract channels can be created using the Job Router SDK as follows:

-```csharp

-await client.SetChannelAsync(

- id: "MakePizza",

- name: "Make a pizza"

-);

-await client.SetChannelAsync(

- id: "MakeDonairs",

- name: "Make a donair"

-);

-await client.SetChannelAsync(

- id: "MakeBurgers",

- name: "Make a burger"

-);

-```

-You can then use the channel when registering the Worker to represent their ability to take on a Job matching that channel ID as follows:

-```csharp

-await client.RegisterWorkerAsync(

- id: "PizzaCook",

- queueIds: new[] { "PizzaOrders", "DonairOrders", "BurgerOrders" },

- totalCapacity: 100,

- labels: new LabelCollection

- {

- { "Location", "New Jersey" },

- { "Language", "English" },

- { "PizzaMaker", 7 },

- { "DonairMaker", 10},

- { "BurgerMaker", 5}

- },

- channelConfigurations: new List<ChannelConfiguration>

- {

- new (

- channelId: MakePizza,

- capacityCostPerJob: 50

- ),

- new (

- channelId: MakeDonair,

- capacityCostPerJob: 33

- ),

- new (

- channelId: MakeBurger,

- capacityCostPerJob: 25

- )

- }

-);

-```

-The above example illustrates three abstract channels each with their own cost per Job. As such, the following Job concurrency examples are possible for the `PizzaCook` Worker:

-| MakePizza | MakeDonair | MakeBurger | Score |

-|--|--|--|--|

-| 2 | | | 100 |

-| | 3 | | 99 |

-| 1 | 1 | | 83 |

-| | 2 | 1 | 91 |

-| | | 4 | 100 |

-| | 1 | 2 | 83 |

-### Worker abilities

-Aside from the available channels a Worker may have, the distribution process uses the labels collection of the registered Worker to determine their suitability for a Job. In the pizza cook example above, the Worker has a label collection consisting of:

-```csharp

-new LabelCollection

- {

- { "Location", "New Jersey" },

- { "Language", "English" },

- { "PizzaMaker", 7 },

- { "DonairMaker", 10},

- { "BurgerMaker", 5}

- }

-```

-When a Job is submitted, the **worker selectors** are used to define the requirements for that particular unit of work. If a Job requires an English-speaking person who is good at making donairs, the SDK call would be as follows:

-```csharp

-await client.CreateJobAsync(

- channelId: "MakeDonair",

- channelReference: "ReceiptNumber_555123",

- queueId: "DonairOrders",

- priority: 1,

- workerSelectors: new List<LabelSelector>

- {

- new (

- key: "DonairMaker",

- @operator: LabelOperator.GreaterThanEqual,

- value: 8),

- new (

- key: "English",

- @operator: LabelOperator.GreaterThan,

- value: 5)

- });

-```

-### Worker status

-Since Job Router can handle concurrent Jobs for a Worker depending on their Channel Configurations, the concept of availability is represented by three states:

-**Active -** A Worker is registered with the Job Router and is willing to accept a Job

-**Draining -** A Worker has deregistered with the Job Router, however they are currently assigned one or more active Jobs

-**Inactive -** A Worker has deregistered with the Job Router and they have no active Jobs

-## Job offer overview

-When the distribution process locates a suitable Worker who has an open channel and has the correct status, a Job offer is generated and an event is sent. The Distribution Policy contains the following configurable properties for the offer:

-**OfferTTL -** The time-to-live for each offer generated

-**Mode -** The **distribution modes** which contain both `minConcurrentOffers` and `maxConcurrentOffers` properties. Set two integers for these two variables to control the concurrent numbers of active workers that job offer will be distributed. For example:

-```csharp

- "mode": {

- "kind": "longest-idle",

- "minConcurrentOffers": 1,

- "maxConcurrentOffers": 5,

- "bypassSelectors": false

- }

-}

-```

-In the above example, minConcurrentOffers and maxConcurrentOffers will distribute at least one offer and up to a maximum of five offers to active Workers who match the requirements of the Job.

-> [!Important]

-> When a Job offer is generated for a Worker it consumes one of the channel configurations matching the channel ID of the Job. The consumption of this channel means the Worker will not receive another offer unless additional capacity for that channel is available on the Worker. If the Worker declines the offer or the offer expires, the channel is released.

-### Job offer lifecycle

-The following Job offer lifecycle events can be observed through your Event Grid subscription:

-> [!NOTE]

-> An offer can be accepted or declined by a Worker by using the SDK while all other events are internally generated.

-## Distribution modes

-Job Router includes the following distribution modes:

-**LongestIdleMode -** Generates Offer for the longest idle Worker in a Queue

-**RoundRobinMode -** Given a collection of Workers, pick the next Worker after the last one that was picked ordered by ID.

-**BestWorkerMode -** Use the Job Router's [RuleEngine](router-rule-concepts.md) to choose a Worker based on their labels

-## Distribution summary

-Depending on several factors such as a Worker's status, channel configuration/capacity, the distribution policy's mode, and offer concurrency can influence the way Job offers are generated. It is suggested to start with a simple implementation and add complexity as your requirements dictate.

-# Job Router rules engine concepts

-Azure Communication Services Job Router uses an extensible rules engine to process data and make decisions about your Jobs and Workers. This document covers what the rule engine does and why you may want to apply it in your implementation.

-> [!NOTE]

-> Although the rule engine typically uses labels as input, it can also set values such as a Queue ID without the use of evaluating labels.

-Depending on where you apply rules in Job Router, the result can vary. For example, a Classification Policy can choose a Queue ID based on the labels defined on the input of a Job. In another example, a Distribution Policy can find the best Worker using a custom scoring rule defined by the `RouterRule`.

-### Example: Use a static rule in a classification policy to set the queue ID

-In this example a `StaticRule`, which is a type of `RouterRule` can be used to set the Queue ID of all Jobs, which reference the Classification Policy ID `XBOX_QUEUE_POLICY`.

- id: "XBOX_QUEUE_POLICY",

- queueSelector: new QueueIdSelector(new StaticRule("XBOX"))

-)

-## RouterRule types

-The following `RouterRule` types exist in Job Router to provide flexibility in how your Jobs are processed.

-**Static rule -** This rule can be used specify a static value such as selecting a specific Queue ID.

-**Expression rule -** An expression rule uses the [PowerFx](https://powerapps.microsoft.com/en-us/blog/what-is-microsoft-power-fx/) language to define your rule as an inline expression.

-**Azure Function rule -** Specifying a URI and an `AzureFunctionRuleCredential`, this rule allows the Job Router to pass the input labels as a payload and respond back with an output value. This rule type can be used when your requirements are complex.

-> [!NOTE]

-> Although the **Direct Map rule** is part of the Job Router SDK, it is only supported in the `NearestQueueLabelSelector` at this time.

-

-## Static classification

-When creating a Job with the SDK, specify the queue, priority, and worker selectors only; this method is known as **static classification**. The following example would place a Job in the `XBOX_DEFAULT_QUEUE` with a priority of `1` and require workers to have a skill of `XBOX_Hardware` greater than or equal to `5`.

-> [!NOTE]

-> A Job can be [reclassified after submission](#reclassify-a-job-after-submission) even if it was initially created without a classification policy. In this case, Job Router will evaluate the policy's behavior against the **labels** and make the necessary adjustments to the queue, priority, and worker selectors.

- channelId: ManagedChannels.AcsVoiceChannel,

- channelReference: "12345",

- queueId: queue.Value.Id,

- priority: 1,

- workerSelectors: new List<LabelSelector>

- new (

- key: "Location",

- @operator: LabelOperator.Equal,

- value: "Edmonton")

- });

-## Dynamic classification

-As described above, an easy way of submitting a Job is to specify the Priority, Queue, and Worker Selectors during submission. When doing so, the sender needs to have knowledge about these characteristics. To avoid the sender having explicit knowledge about the inner workings of the Job Router's behavior, the sender can specify a **classification policy** along with a generic **labels** collection to invoke the dynamic behavior.

-### Create a classification policy

-The following classification policy will use the low-code [PowerFx](https://powerapps.microsoft.com/en-us/blog/what-is-microsoft-power-fx/) language to select both the queue and priority. The expression will attempt to match the Job label called `Region` equal to `NA` resulting in the Job being put in the `XBOX_NA_QUEUE` if found, otherwise the `XBOX_DEFAULT_QUEUE`. If the `XBOX_DEFAULT_QUEUE` was also not found, then the job will automatically be sent to the fallback queue `DEFAULT_QUEUE` as defined by `fallbackQueueId`. Additionally, the priority will be `10` if a label called `Hardware_VIP` was matched, otherwise it will be `1`.

-var policy = await client.SetClassificationPolicyAsync(

- id: "XBOX_NA_QUEUE_Priority_1_10",

- name: "Select XBOX Queue and set priority to 1 or 10",

- queueSelector: new QueueIdSelector(

- new ExpressionRule("If(job.Region = \"NA\", \"XBOX_NA_QUEUE\", \"XBOX_DEFAULT_QUEUE\")")

- ),

- new LabelSelector(

- key: "Language",

- @operator: LabelOperator.Equal,

- value: "English")

- },

- prioritizationRule: new ExpressionRule("If(job.Hardware_VIP = true, 10, 1)"),

- fallbackQueueId: "DEFAULT_QUEUE"

-### Submit the job

-The following example will cause the classification policy to evaluate the Job labels. The outcome will place the Job in the queue called `XBOX_NA_QUEUE` and set the priority to `1`.

-var dynamicJob = await client.CreateJobAsync(

- channelId: ManagedChannels.AcsVoiceChannel,

- channelReference: "my_custom_reference_number",

- classificationPolicyId: "XBOX_NA_QUEUE_Priority_1_10",

- labels: new LabelCollection()

- { "Region", "NA" },

- { "Caller_Id", "tel:7805551212" },

- { "Caller_NPA_NXX", "780555" },

- { "XBOX_Hardware", 7 }

-// returns a new GUID such as: 4ad7f4b9-a0ff-458d-b3ec-9f84be26012b

- { "Hardware_VIP", true }

- "Microsoft.Communication.RouterJobExceptionCleared",

-var distributionPolicy = await client.SetDistributionPolicyAsync(

- id: "Longest_Idle_45s_Min1Max10",

- name: "Longest Idle matching with a 45s offer expiration; min 1, max 10 offers",

- offerTTL: TimeSpan.FromSeconds(45),

- mode: new LongestIdleMode(

- minConcurrentOffers: 1,

- maxConcurrentOffers: 10)

-Jobs are organized into a logical Queue. Create the Queue by specifying an **ID**, **name**, and provide the **Distribution Policy** object's ID you created above.

-var queue = await client.SetQueueAsync(

- id: "XBOX_Queue",

- name: "XBOX Queue",

-The quickest way to get started is to specify the ID of the Queue, the priority, and worker requirements when submitting a Job. In the example below, a Job will be submitted directly to the **XBOX Queue** where the workers in that queue require a `Location` label matching the name `Edmonton`.

-var job = await client.CreateJobAsync(

- channelId: ManagedChannels.AcsChatChannel,

- channelReference: "12345",

- workerSelector: new List<LabelSelector>

- new (

- key: "Location",

- @operator: LabelOperator.Equal,

- value: "Edmonton")

-Register a Worker by referencing the Queue ID created previously along with a **capacity** value, **labels**, and **channel configuration** to ensure the `EdmontonWorker` is assigned to the `XBOX_Queue'.

-var edmontonWorker = await client.RegisterWorkerAsync(

- id: "EdmontonWorker",

- queueIds: new []{ queue.Value.Id },

- totalCapacity: 100,

- {"Location", "Edmonton"}

- new (

- channelId: ManagedChannels.AcsVoiceChannel,

- capacityCostPerJob: 100)

-## Query the worker to observe the job offer

-Use the Job Router client connection to query the Worker and observe the ID of the Job against the ID

-```csharp

- // wait 500ms for the Job Router to offer the Job to the Worker

- Task.Delay(500).Wait();

- var result = await client.GetWorkerAsync(edmontonWorker.Value.Id);

- Console.WriteLine(

- $"Job ID: {job.Value.Id} offered to {edmontonWorker.Value.Id} " +

- $"should match Job ID attached to worker: {result.}");

-Job 6b83c5ad-5a92-4aa8-b986-3989c791be91 offered to EdmontonWorker should match Job ID from offer attached to worker: 6b83c5ad-5a92-4aa8-b986-3989c791be91

- --source https://workerappscliextension.blob.core.windows.net/azure-cli-extension/containerapp-0.2.0-py2.py3-none-any.whl

- --source https://workerappscliextension.blob.core.windows.net/azure-cli-extension/containerapp-0.2.0-py2.py3-none-any.whl

- --source https://workerappscliextension.blob.core.windows.net/azure-cli-extension/containerapp-0.2.0-py2.py3-none-any.whl

- --source https://workerappscliextension.blob.core.windows.net/azure-cli-extension/containerapp-0.2.0-py2.py3-none-any.whl

- --source https://workerappscliextension.blob.core.windows.net/azure-cli-extension/containerapp-0.2.0-py2.py3-none-any.whl

- --source https://workerappscliextension.blob.core.windows.net/azure-cli-extension/containerapp-0.2.0-py2.py3-none-any.whl

-description: Learn how to deploy containers in Azure Container Instances by pulling container images from an Azure container registry.

-# Deploy to Azure Container Instances from Azure Container Registry

-[Azure Container Registry](../container-registry/container-registry-intro.md) is an Azure-based, managed container registry service used to store private Docker container images. This article describes how to pull container images stored in an Azure container registry when deploying to Azure Container Instances. A recommended way to configure registry access is to create an Azure Active Directory service principal and password, and store the login credentials in an Azure key vault.

-* You can't authenticate to Azure Container Registry to pull images during container group deployment by using a [managed identity](container-instances-managed-identity.md) configured in the same container group.

-# Allow trusted services to securely access a network-restricted container registry (preview)

-Allowing registry access by trusted Azure services is a **preview** feature.

-* For registry access scenarios that need a managed identity, only a system-assigned identity may be used. User-assigned managed identities aren't currently supported.

-> Curently, enabling the allow trusted services setting doesn't apply to certain other managed Azure services including App Service and Azure Container Instances.

-1. Enable a system-assigned [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) in an instance of one of the [trusted services](#trusted-services) for Azure Container Registry.

-When you enable analytical store on an Azure Cosmos DB container, a new column-store is internally created based on the operational data in your container. This column store is persisted separately from the row-oriented transactional store for that container. The inserts, updates, and deletes to your operational data are automatically synced to analytical store. You don't need the change feed or ETL to sync the data.

-There is no impact on the performance of your transactional workloads due to analytical queries, as the analytical store is separate from the transactional store. Analytical store does not need separate request units (RUs) to be allocated.

-By using horizontal partitioning, Azure Cosmos DB transactional store can elastically scale the storage and throughput without any downtime. Horizontal partitioning in the transactional store provides scalability & elasticity in auto-sync to ensure data is synced to the analytical store in near real time. The data sync happens regardless of the transactional traffic throughput, whether it is 1000 operations/sec or 1 million operations/sec, and it doesn't impact the provisioned throughput in the transactional store.

- * If your documents have 5 levels with 200 properties in each one, all properties will be represented.

- * If your documents have 10 levels with 400 properties in each one, only the 2 first levels will be fully represented in analytical store. Half of the third level will also be represented.

-* The hypothetical document below contains 4 properties and 3 levels.

- * The properties are `id`, `myArray`, `myArray.nested1` and `myArray.nested2`.

- * The analytical store representation will have 2 columns, `id` and `myArray`. You can use Spark or T-SQL functions to also expose the nested structures as columns.

-* While JSON documents (and Cosmos DB collections/containers) are case sensitive from the uniqueness perspective, analytical store is not.

- * **In the same document:** Properties names in the same level should be unique when compared case insensitively. For example, the following JSON document has "Name" and "name" in the same level. While it's a valid JSON document, it doesn't satisfy the uniqueness constraint and hence will not be fully represented in the analytical store. In this example, "Name" and "name" are the same when compared in a case insensitive manner. Only `"Name": "fred"` will be represented in analytical store, because it is the first occurrence. And `"name": "john"` won't be represented at all.

- * There is not schema versioning. The last version inferred from transactional store is what you will see in analytical store.

- * : (Colon)

- * ` (Grave accent)

- * , (Comma)

- * ; (Semicolon)

- * {}

- * ()

- * \n

- * \t

- * = (Equal sign)

- * " (Quotation mark)

- * Since we currently we don't support schema reset, you can change your application to add a redundant property with a similar name, avoiding these characters.

-* The following BSON datatypes are not supported and won't be represented in analytical store:

- * MinKey / MaxKey

-* When using DateTime strings that follows the ISO 8601 UTC standard, expect the following behavior:

-It is possible to use full fidelity Schema for SQL (Core) API accounts, instead of the default option, by setting the schema type when enabling Synapse Link on a Cosmos DB account for the first time. Here are the considerations about changing the default schema representation type:

- * Currently this change can't be made through the Azure portal. All database accounts that have Synapse LinK enabled by the Azure portal will have the default schema representation type, well defined schema.

- * From `integer` to `float`. All documents will be represented in analytical store. However, to read this data with Azure Synapse SQL serverless pools, you must use a WITH clause to convert the column to `varchar`. And after this initial conversion, it is possible to convert it again to a number. Please check the example below, where **num** initial value was an integer and the second one was a float.

- * Properties that don't follow the base schema data type won't be represented in analytical store. For example, consider the documents below: the first one defined the analytical store base schema. The second document, where `id` is `"2"`, **doesn't** have a well-defined schema since property `"code"` is a string and the first document has `"code"` as a number. In this case, the analytical store registers the data type of `"code"` as `integer` for lifetime of the container. The second document will still be included in analytical store, but its `"code"` property will not.

- > The condition above doesn't apply for null properties. For example, `{"a":123} and {"a":null}` is still well defined.

-* Array types must contain a single repeated type. For example, `{"a": ["str",12]}` is not a well-defined schema because the array contains a mix of integer and string types.

-> If the Azure Cosmos DB analytical store follows the well-defined schema representation and the specification above is violated by certain items, those items will not be included in the analytical store.

-* Expect different behavior in regard to different types in well defined schema:

-Here is a map of all the property data types and their suffix representations in the analytical store:

-After the analytical store is enabled, based on the data retention needs of the transactional workloads, you can configure the 'Transactional Store Time to Live (Transactional TTL)' property to have records automatically deleted from the transactional store after a certain time period. Similarly, the 'Analytical Store Time To Live (Analytical TTL)' allows you to manage the lifecycle of data retained in the analytical store independent from the transactional store. By enabling analytical store and configuring TTL properties, you can seamlessly tier and define the data retention period for the two stores.

-> [!NOTE]

->Currently analytical store doesn't support backup and restore. Your backup policy can't be planned relying on analytical store. For more information, check the limitations section of [this](synapse-link.md#limitations) document. It is important to note that the data in the analytical store has a different schema than what exists in the transactional store. While you can generate snapshots of your analytical store data, at no RUs costs, we cannot guarantee the use of this snapshot to backfeed the transactional store. This process is not supported.

-Analytical store partitioning is completely independent of partitioning in the transactional store. By default, data in analytical store is not partitioned. If your analytical queries have frequently used filters, you have the option to partition based on these fields for better query performance. To learn more, see the [introduction to custom partitioning](custom-partitioning-analytical-store.md) and [how to configure custom partitioning](configure-custom-partitioning.md) articles.

-Analytical store follows a consumption-based pricing model where you are charged for:

-* Storage: the volume of the data retained in the analytical store every month including historical data as defined by Analytical TTL.

-Analytical store pricing is separate from the transaction store pricing model. There is no concept of provisioned RUs in the analytical store. See [Azure Cosmos DB pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/) for full details on the pricing model for analytical store.

-> Analytical store read operations estimates are not included in the Cosmos DB cost calculator since they are a function of your analytical workload. While the above estimate is for scanning 1TB of data in analytical store, applying filters reduces the volume of data scanned and this determines the exact number of analytical read operations given the consumption pricing model. A proof-of-concept around the analytical workload would provide a more finer estimate of analytical read operations. This estimate does not include the cost of Azure Synapse Analytics.

-* If the value is set to "0", missing (or set to null): the analytical store is disabled and no data is replicated from transactional store to analytical store

-* If present and the value is set to "-1": the analytical store retains all historical data, irrespective of the retention of the data in the transactional store. This setting indicates that the analytical store has infinite retention of your operational data

-* If present and the value is set to some positive number "n": items will expire from the analytical store "n" seconds after their last modified time in the transactional store. This setting can be leveraged if you want to retain your operational data for a limited period of time in the analytical store, irrespective of the retention of the data in the transactional store

-* If you have analytical TTL bigger than transactional TTL, at some point in time you will have data that only exists in analytical store. This data is read only.

-* Checkout the learn module on how to [Design hybrid transactional and analytical processing using Azure Synapse Analytics](/learn/modules/design-hybrid-transactional-analytical-processing-using-azure-synapse-analytics/)

-After reading this article, you will be able to answer the following questions:

-When working with relational databases, the strategy is to normalize all your data. Normalizing your data typically involves taking an entity, such as a person, and breaking it down into discrete components. In the example above, a person can have multiple contact detail records, as well as multiple address records. Contact details can be further broken down by further extracting common fields like a type. The same applies to address, each record can be of type *Home* or *Business*.

-Using the approach above we have **denormalized** the person record, by **embedding** all the information related to this person, such as their contact details and addresses, into a *single JSON* document.

-* There is embedded data that **changes infrequently**.

-* There is embedded data that will not grow **without bound**.

-* There is embedded data that is **queried frequently together**.

-This might be what a post entity with embedded comments would look like if we were modeling a typical blog, or CMS, system. The problem with this example is that the comments array is **unbounded**, meaning that there is no (practical) limit to the number of comments any single post can have. This may become a problem as the size of the item could grow infinitely large.

-Another case where embedding data is not a good idea is when the embedded data is used often across items and will change frequently.

-This could represent a person's stock portfolio. We have chosen to embed the stock information into each portfolio document. In an environment where related data is changing frequently, like a stock trading application, embedding data that changes frequently is going to mean that you are constantly updating each portfolio document every time a stock is traded.

-Embedding data works nicely for many cases but there are scenarios when denormalizing your data will cause more problems than it is worth. So what do we do now?

-Relational databases are not the only place where you can create relationships between entities. In a document database, you can have information in one document that relates to data in other documents. We do not recommend building systems that would be better suited to a relational database in Azure Cosmos DB, or any other document database, but simple relationships are fine and can be useful.

-Because there is currently no concept of a constraint, foreign-key or otherwise, any inter-document relationships that you have in documents are effectively "weak links" and will not be verified by the database itself. If you want to ensure that the data a document is referring to actually exists, then you need to do this in your application, or through the use of server-side triggers or stored procedures on Azure Cosmos DB.

-If all this join table is doing is gluing together two pieces of data, then why not drop it completely?

-Consider the following.

-Now, if I had an author, I immediately know which books they have written, and conversely if I had a book document loaded I would know the IDs of the author(s). This saves that intermediary query against the join table reducing the number of server round trips your application has to make.

-We've now looked embedding (or denormalizing) and referencing (or normalizing) data, each have their upsides and each have compromises as we have seen.

-If you look at the book document, we can see a few interesting fields when we look at the array of authors. There is an `id` field that is the field we use to refer back to an author document, standard practice in a normalized model, but then we also have `name` and `thumbnailUrl`. We could have stuck with `id` and left the application to get any additional information it needed from the respective author document using the "link", but because our application displays the author's name and a thumbnail picture with every book displayed we can save a round trip to the server per book in a list by denormalizing **some** data from the author.

-The ability to have a model with pre-calculated fields is made possible because Azure Cosmos DB supports **multi-document transactions**. Many NoSQL stores cannot do transactions across documents and therefore advocate design decisions, such as "always embed everything", due to this limitation. With Azure Cosmos DB, you can use server-side triggers, or stored procedures, that insert books and update authors all within an ACID transaction. Now you don't **have** to embed everything into one document just to be sure that your data remains consistent.

-## Next steps

-Just as there is no single way to represent a piece of data on a screen, there is no single way to model your data. You need to understand your application and how it will produce, consume, and process the data. Then, by applying some of the guidelines presented here you can set about creating a model that addresses the immediate needs of your application. When your applications need to change, you can leverage the flexibility of a schema-free database to embrace that change and evolve your data model easily.

- * If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

-Triggers determine when a pipeline run should be kicked off. Currently triggers can be on a wall clock schedule, operate on a periodic interval, or depend on an event. For more information, learn about [trigger execution](concepts-pipeline-execution-triggers.md#trigger-execution). In the management hub, you can create, edit, delete, or view the current state of a trigger.

-| Datasets | A named view of data that references the data that you want to use in your activities as inputs and outputs. Datasets identify data within different data stores, such as tables, files, folders, and documents. For example, an Azure Blob dataset specifies the blob container and folder in Azure Blob storage from which the activity should read the data.<br/><br/>**Availability** defines the processing window slicing model for the dataset (for example, hourly, daily, and so on). | Datasets are the same in the current version. However, you do not need to define **availability** schedules for datasets. You can define a trigger resource that can schedule pipelines from a clock scheduler paradigm. For more information, see [Triggers](concepts-pipeline-execution-triggers.md#trigger-execution) and [Datasets](concepts-datasets-linked-services.md). |

-Learn how to create a data factory by following step-by-step instructions in the following quickstarts: [PowerShell](quickstart-create-data-factory-powershell.md), [.NET](quickstart-create-data-factory-dot-net.md), [Python](quickstart-create-data-factory-python.md), [REST API](quickstart-create-data-factory-rest-api.md).

-Azure Data Factory data includes metadata (pipeline, datasets, linked services, integration runtime and triggers) and monitoring data (pipeline, trigger, and activity runs).

-In all regions (except Brazil South and Southeast Asia), Azure Data Factory data is stored and replicated in the [paired region](../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) to protect against metadata loss. During regional datacenter failures, Microsoft may initiate a regional failover of your Azure Data Factory instance. In most cases, no action is required on your part. When the Microsoft-managed failover has completed, you will be able to access your Azure Data Factory in the failover region.

-Due to data residency requirements in Brazil South, and Southeast Asia, Azure Data Factory data is stored on [local region only](../storage/common/storage-redundancy.md#locally-redundant-storage). For Southeast Asia, all the data are stored in Singapore. For Brazil South, all data are stored in Brazil. When the region is lost due to a significant disaster, Microsoft will not be able to recover your Azure Data Factory data.

-To ensure that you are able to track and audit the changes made to your Azure data factory metadata, you should consider setting up source control for your Azure Data Factory. It will also enable you to access your metadata JSON files for pipelines, datasets, linked services, and trigger. Azure Data Factory enables you to work with different Git repository (Azure DevOps and GitHub).

-This article describes what datasets are, how they are defined in JSON format, and how they are used in Azure Data Factory and Synapse pipelines.

-If you are new to Data Factory, see [Introduction to Azure Data Factory](introduction.md) for an overview. For more information about Azure Synapse see [What is Azure Synapse](../synapse-analytics/overview-what-is.md)

-A data factory or Synapse workspace can have one or more pipelines. A **pipeline** is a logical grouping of **activities** that together perform a task. The activities in a pipeline define actions to perform on your data. Now, a **dataset** is a named view of data that simply points or references the data you want to use in your **activities** as inputs and outputs. Datasets identify data within different data stores, such as tables, files, folders, and documents. For example, an Azure Blob dataset specifies the blob container and folder in Blob storage from which the activity should read the data.

-Here is a sample scenario. To copy data from Blob storage to a SQL Database, you create two linked

-The service supports many different types of datasets, depending on the data stores you use. You can find the list of supported data stores from [Connector overview](connector-overview.md) article. Click a data store to learn how to create a linked service and a dataset for it.

-## Manual execution (on-demand)

-## Trigger execution

-Pipelines and triggers have a many-to-many relationship (except for the tumbling window trigger).Multiple triggers can kick off a single pipeline, or a single trigger can kick off multiple pipelines. In the following trigger definition, the **pipelines** property refers to a list of pipelines that are triggered by the particular trigger. The property definition includes values for the pipeline parameters.

-## Schedule trigger

-An event-based trigger runs pipelines in response to an event. There are two flavors of event based triggers.

-* _Custom event trigger_ processes and handles [custom topics](../event-grid/custom-topics.md) in Event Grid

-These system variables can be referenced anywhere in the trigger JSON for triggers of type [ScheduleTrigger](concepts-pipeline-execution-triggers.md#schedule-trigger).

-| @triggerBody().event.eventType | Type of events that triggered the Custom Event Trigger run. Event type is customer defined field and take on any values of string type. |

-**Response**: You will get response like shown in below example. The "identity" section is populated accordingly.

-Click **+New** to add new filter conditions.

-Additionally, custom event triggers obey the [same limitations as event grid](../event-grid/event-filtering.md#limitations), including:

-| `scope` | The Azure Resource Manager resource ID of the event grid topic. | String | Azure Resource Manager ID | Yes |

-Data Factory doesn't require special permission to your Event Grid. You also do *not* need to assign special Azure RBAC permission to the Data Factory service principal for the operation.

-* Get detailed information about [trigger execution](concepts-pipeline-execution-triggers.md#trigger-execution).

-* For detailed information about triggers, see [Pipeline execution and triggers](concepts-pipeline-execution-triggers.md#trigger-execution).

-1. In your working direactory, create a JSON file named **MyTrigger.json** with the trigger's properties. For this example use the following content:

-| **timeZone** | The time zone the trigger is created in. This setting impact **startTime**, **endTime**, and **schedule**. See [list of supported time zone](#time-zone-option) |

-* For detailed information about triggers, see [Pipeline execution and triggers](concepts-pipeline-execution-triggers.md#trigger-execution).

-If you are new to Azure Data Factory parameter usage in ADF user interface, please review [Data Factory UI for linked services with parameters](./parameterize-linked-services.md#ui-experience) and [Data Factory UI for metadata driven pipeline with parameters](./how-to-use-trigger-parameterization.md#data-factory-ui) for visual explanation.

-1. Click on the blank canvas to bring up pipeline settings. Do not select any activity. You may need to pull up the setting panel from the bottom of the canvas, as it may have been collapsed

-1. Create or attach a trigger to the pipeline, and click **OK**

-For detailed information about triggers, see [Pipeline execution and triggers](concepts-pipeline-execution-triggers.md#trigger-execution).

- }

->[Pipelines and activities](concepts-pipelines-activities.md)

- - Migrating your VM farm, SQL server, and applications to Azure

- - Moving historical data to Azure for in-depth analysis and reporting using HDInsight

- - For example, backup solutions partners such as Commvault and Data Box are used to move initial large historical backup to Azure. Once complete, the incremental data is transferred via network to Azure storage.

-1. **Order** - Create an order in the Azure portal, provide shipping information, and the destination Azure storage account for your data. If the device is available, Azure prepares and ships the device with a shipment tracking ID.

-1. **Order** - Create an export order in the Azure portal, provide shipping information, and the source Azure storage account for your data. If the device is available, Azure prepares a device. Data is copied from your Azure Storage account to the Data Box. Once the data copy is complete, Microsoft ships the device with a shipment tracking ID.

-Data Box can transfer data based on the region in which service is deployed, the country or region you ship the device to, and the target Azure storage account where you transfer the data.

-> Defining authorization headers is a sensible option when your destination is a Webhook. It should not be used for [functions subscribed with a resource id](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update#azurefunctioneventsubscriptiondestination), Service Bus, Event Hubs, and Hybrid Connections as those destinations support their own authentication schemes when used with Event Grid.

-When you use [CLI](create-view-manage-system-topics-cli.md), [REST](/rest/api/eventgrid/version2021-12-01/event-subscriptions/create-or-update), or [Azure Resource Manager template](create-view-manage-system-topics-arm.md), you can choose either of the above methods. We recommend that you create a system topic first and then create a subscription on the topic, as it's the latest way of creating system topics.

- * Pagination and search filter for resources list operations. For an example, see [Topics - List By Subscription](/rest/api/eventgrid/version2021-06-01-preview/partner-namespaces/list-by-subscription).

- * Pagination and search filter for resources list operations. For an example, see [Topics - List By Subscription](/rest/api/eventgrid/version2021-06-01-preview/partner-namespaces/list-by-subscription).

-DNS proxy performs five-second health check loops for as long as the upstream servers report as unhealthy. Once an upstream server is considered healthy, the firewall stops health checks until the next error. When a healthy proxy returns an error during the exchange, the firewall selects another DNS server in the list.

-A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You cannot create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.

-Azure Firewall supports configuration of Service Tags via PowerShell, Azure CLI, or the Azure portal.

-Next, we must create a new Rule. For the Source or Destination, you can specify the text value of the Service Tag you wish to leverage, as mentioned earlier above in this article.

-Next, we must update the variable containing our Azure Firewall definition with the new Network Rules we created.

-* Restore deleted key on KV to auto recover. For more information, see [Recover Deleted Key](/rest/api/keyvault/recoverdeletedkey).

-* If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

-|[Starburst Presto for Azure HDInsight](https://azuremarketplace.microsoft.com/marketplace/apps/starburstdatainc1582306810515.starburst-enterprise-presto?tab=Overview) |Hadoop |Presto is a fast and scalable distributed SQL query engine. Architected for the separation of storage and compute, Presto is perfect for querying data in Azure Data Lake Storage, Azure Blob Storage, SQL and NoSQL databases, and other data sources. |

-> For devices that are deployed inside of on-premises networks, Azure IoT Hub supports VNET connectivity integration with private endpoints. See [IoT Hub support for VNet](./virtual-network-support.md) for more information.

-| Ensure your routes' custom endpoint resources (storage accounts, service bus and event hubs) are reachable from your network assets only | [Message routing](./iot-hub-devguide-messages-d2c.md) | Follow your resource's guidance on restrict connectivity (for example via [firewall rules](../storage/common/storage-network-security.md), [private links](../private-link/private-endpoint-overview.md), or [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md)); use _AzureIoTHub_ service tags to discover IoT Hub IP address prefixes and add ALLOW rules for those IP prefixes on your resource's firewall configuration (see [limitations](#limitations-and-workarounds) section). |

-* For constrained IoT systems without domain name resolution (DNS), IoT Hub IP address ranges are published periodically via service tags before changes taking effect. It is therefore important that you develop processes to regularly retrieve and use the latest service tags. This process can be automated via the [service tags discovery API](../virtual-network/service-tags-overview.md#service-tags-on-premises). Note that Service tags discovery API is still in preview and in some cases may not produce the full list of tags and IP addresses. Until discovery API is generally available, consider using the [service tags in downloadable JSON format](../virtual-network/service-tags-overview.md#discover-service-tags-by-using-downloadable-json-files).

-* Use the *AzureIoTHub.[region name]* tag to identify IP prefixes used by IoT hub endpoints in a specific region. To account for datacenter disaster recovery, or [regional failover](iot-hub-ha-dr.md) ensure connectivity to IP prefixes of your IoT Hub's geo-pair region is also enabled.

-* Setting up firewall rules in IoT Hub may block off connectivity needed to run Azure CLI and PowerShell commands against your IoT Hub. To avoid this, you can add ALLOW rules for your clients' IP address prefixes to re-enable CLI or PowerShell clients to communicate with your IoT Hub.

-* Your configured [IP filtering rules](iot-hub-ip-filtering.md) are only applied on your IoT Hub IP endpoints and not on your IoT hub's built-in Event Hub endpoint. If you also require IP filtering to be applied on the Event Hub where your messages are stored, you may do so bringing your own Event Hub resource where you can configure your desired IP filtering rules directly. To do so, you need to provision your own Event Hub resource and set up [message routing](./iot-hub-devguide-messages-d2c.md) to send your messages to that resource instead of your IoT Hub's built-in Event Hub. Finally, as discussed in the table above, to enable message routing functionality you also need to allow connectivity from IoT Hub's IP address prefixes to your provisioned Event Hub resource.

-* When routing to a storage account, allowing traffic from IoT Hub's IP address prefixes is only possible when the storage account is in a different region as your IoT Hub.

-az ad sp create-for-rbac -n "MyApp" --password "hVFkk965BuUv"

- When you save a workflow for the first time, and that workflow starts with a Request trigger, the Logic Apps service automatically generates a URL for an endpoint that's created by the Request trigger. Later, when you test your workflow, you send a request to this URL, which fires the trigger and starts the workflow run.

-In this example, the workflow runs when the Request trigger receives an inbound request, which is sent to the URL for the endpoint that's created by the trigger. When you saved the workflow for the first time, the Logic Apps service automatically generated this URL. So, before you can send this request to trigger the workflow, you need to find this URL.

-* The Logic Apps service cancels all in-progress and pending runs immediately.

-* The Logic Apps service doesn't create or run new workflow instances.

- 1. In Visual Studio Code, on the left toolbar, select the Azure icon.

-* The Logic Apps service cancels in-progress and pending runs immediately, but doesn't run cleanup tasks on the storage used by the app.

-* The Logic Apps service doesn't create or run new workflow instances.

-* The Logic Apps services continues all in-progress and pending runs until they finish. Based on the volume or backlog, this process might take time to complete.

-* The Logic Apps service doesn't create or run new workflow instances.

-* The Logic Apps service makes a best effort to cancel any in-progress and pending runs.

-* The Logic Apps service doesn't create or run new workflow instances.

-* The Logic Apps service continues all in-progress and pending runs until they finish. Based on the volume or backlog, this process might take time to complete.

-* The Logic Apps service doesn't create or run new workflow instances.

-* The Logic Apps service makes a best effort to cancel any in-progress and pending runs.

-* The Logic Apps service doesn't create or run new workflow instances.

-If your data storage account is in a **virtual network**, additional configuration steps are required to ensure Azure Machine Learning has access to your data. See [Network isolation & privacy](how-to-enable-studio-virtual-network.md) to ensure the appropriate configuration steps are applied when you create and register your datastore.

-You can apply these updates by detaching the cluster from the Azure Machine Learning workspace, and then reattaching the cluster to the workspace. If TLS is enabled in the cluster, you will need to supply the TLS/SSL certificate and private key when reattaching the cluster.

-## If SSL is enabled.

->[!Note]

->Kubernetes stores the secrets in base-64 encoded format. You will need to base-64 decode the `cert.pem` and `key.pem` components of the secrets prior to providing them to `attach_config.enable_ssl`.

-View details of your project. In this tab you can:

-* Enable incremental refresh

-View details of your project. In this tab you can:

-* Enable incremental refresh

-1. Expand the right pane to view the **70_driver_log.txt** file in browser, or select the file to download the logs locally.

- |Workspace default blob storage| Stores model assets from the designer. Enable managed identity authentication on this storage account to deploy models in the designer. <br> <br> You can visualize and run a designer pipeline if it uses a non-default datastore that has been configured to use managed identity. However, if you try to deploy a trained model without managed identity enabled on the default datastore, deployment will fail regardless of any other datastores in use.|

-The tables below show the contents of the log files in the folders you'll see in this section.

-> [!NOTE]

-> You will not necessarily see every file for every run. For example, the 20_image_build_log*.txt only appears when a new image is built (e.g. when you change you environment).

-#### `azureml-logs` folder

-|File |Description |

-|||

-|20_image_build_log.txt | Docker image building log for the training environment, optional, one per run. Only applicable when updating your Environment. Otherwise AML will reuse cached image. If successful, contains image registry details for the corresponding image. |

-|55_azureml-execution-<node_id>.txt | stdout/stderr log of host tool, one per node. Pulls image to compute target. Note, this log only appears once you have secured compute resources. |

-|65_job_prep-<node_id>.txt | stdout/stderr log of job preparation script, one per node. Download your code to compute target and datastores (if requested). |

-|70_driver_log(_x).txt | stdout/stderr log from AML control script and customer training script, one per process. **Standard output from your script. This file is where your code's logs (for example, print statements) show up.** In the majority of cases, you will monitor the logs here. |

-|70_mpi_log.txt | MPI framework log, optional, one per run. Only for MPI run. |

-|75_job_post-<node_id>.txt | stdout/stderr log of job release script, one per node. Send logs, release the compute resources back to Azure. |

-|process_info.json | show which process is running on which node. |

-|process_status.json | show process status, such as if a process is not started, running, or completed. |

-#### `logs > azureml` folder

-|File |Description |

-|||

-|110_azureml.log | |

-|job_prep_azureml.log | system log for job preparation |

-|job_release_azureml.log | system log for job release |

-#### `logs > azureml > sidecar > node_id` folder

-When sidecar is enabled, job prep and job release scripts will be run within sidecar container. There is one folder for each node.

-|File |Description |

-|||

-|start_cms.txt | Log of process that starts when Sidecar Container starts |

-|prep_cmd.txt | Log for ContextManagers entered when `job_prep.py` is run (some of this content will be streamed to `azureml-logs/65-job_prep`) |

-|release_cmd.txt | Log for ComtextManagers exited when `job_release.py` is run |

-In the studio, go to the experiment run (by selecting the previous URL output) followed by **Outputs + logs**. Select the `70_driver_log.txt` file. Scroll down through the log file until you see the following output:

-1. Select **70_driver_log.txt** to view the output of your run.

-Wait about 10 minutes. You'll see a message that the run has completed. Then use **Refresh** to see the status change to *Completed*. Once the job completes, go to the **Outputs + logs** tab. There you can see a `70_driver_log.txt` file that looks like this:

-> [!NOTE]

-> Your log files may be in a different place, depending on your region. Your log file may be located at **user_logs/std_log.txt** instead.

-1. Select **70_driver_log.txt** to view the output of your run.

-> [!NOTE]

-> Your log files may be in a different place, depending on your region. Your log file may be located at **user_logs/std_log.txt** instead.

-As part of the [OpenID Connect](../active-directory/develop/v2-protocols-oidc.md) flow, Azure AD adds an [ID token](../active-directory/develop/id-tokens.md) to the request when the buyer is sent to the landing page. This token contains multiple pieces of basic information that could be useful in the activation process, including the information seen in this table.

-| tid | Identifier that represents the Azure AD tenant the buyer is from. In the case of an MSA identity, this will always be ``9188040d-6c67-4c5b-b112-36a304b66dad``. For more information, see the note in the next section: Use the Microsoft Graph API. |

-|||

-With the commercial marketplace metering service, you can create software as a service (SaaS) offers that are charged according to non-standard units. Before publishing a SaaS offer to the commercial marketplace, you define the billing dimensions such as bandwidth, tickets, or emails processed. Customers then pay according to their consumption of these dimensions, with your system informing Microsoft via the commercial marketplace metering service API of billable events as they occur.

-As an example, Contoso is a publisher with a SaaS service called Contoso Notification Services (CNS). CNS lets its customers send notifications either via email or text. Contoso is registered as a publisher in Partner Center for the commercial marketplace program to publish SaaS offers to Azure customers. There are three plans associated with CNS, outlined below:

-Based on the plan selected, an Azure customer purchasing subscription to CNS SaaS offer will be able to send the included quantity of text and emails per subscription term (month or year as appears in subscription details - startDate and endDate). Contoso counts the usage up to the included quantity in base without sending any usage events to Microsoft. When customers consume more than the included quantity, they do not have to change plans or do anything different. Contoso will measure the overage beyond the included quantity and start emitting usage events to Microsoft for charging the overage usage using the [commercial marketplace metering service API](../marketplace-metering-service-apis.md). Microsoft in turn will charge the customer for the overage usage as specified by the publisher in the custom dimensions. The overage billing is done on the next billing cycle (monthly, but can be quarterly or early for some customers). For a monthly flat rate plan, the overage billing will be made for every month where overage has occurred. For a yearly flat rate plan, once the quantity included in base per year is consumed, all additional usage emitted by the custom meter will be billed as overage during each billing cycle (monthly) until the end of the subscription's year term.

-Each billing dimension defines a custom unit by which the ISV can emit usage events. Billing dimensions are also used to communicate to the customer about how they will be billed for using the software. They are defined as follows:

-Billing dimensions are shared across all plans for an offer. Some attributes apply to the dimension across all plans, and other attributes are plan-specific.

-The attributes, which define the dimension itself, are shared across all plans for an offer. Before you publish the offer, a change made to these attributes from the context of any plan will affect the dimension definition across all plans. Once you publish the offer, these attributes will no longer be editable. These attributes are:

-The other attributes of a dimension are specific to each plan and can have different values from plan to plan. Before you publish the plan, you can edit these values and only this plan will be affected. Once you publish the plan, these attributes will no longer be editable. These attributes are:

->The following scenarios are explicitly supported: <br> - You can add a new dimension to a new plan. The new dimension will not be enabled for any already published plans. <br> - You can publish a **flat-rate** plan without any dimensions, then add a new plan and configure a new dimension for that plan. The new dimension will not be enabled for already published plans.

-Metered billing using the commercial marketplace metering service is not compatible with offering a free trial. It is not possible to configure a plan to use both metered billing and a free trial.

-Because a dimension used with the commercial marketplace metering service represents an understanding of how a customer will be paying for the service, all the details for a dimension are no longer editable after you publish it. It's important that you have your dimensions fully defined for a plan before you publish.

-description: This article describes how to create and manage firewall rules in Azure Database for PostgreSQL - Single Server using Azure CLI command line.

-# Create and manage firewall rules in Azure Database for PostgreSQL - Single Server using Azure CLI

-Server-level firewall rules can be used to manage access to an Azure Database for PostgreSQL Server from a specific IP address or range of IP addresses. Using convenient Azure CLI commands, you can create, update, delete, list, and show firewall rules to manage your server. For an overview of Azure Database for PostgreSQL firewall rules, see [Azure Database for PostgreSQL Server firewall rules](concepts-firewall-rules.md).

-Virtual Network (VNet) rules can also be used to secure access to your server. Learn more about [creating and managing Virtual Network service endpoints and rules using the Azure CLI](howto-manage-vnet-using-cli.md).

-## Prerequisites

-To step through this how-to guide, you need:

-## Configure firewall rules for Azure Database for PostgreSQL

-The [az postgres server firewall-rule](/cli/azure/postgres/server/firewall-rule) commands are used to configure firewall rules.

-## List firewall rules

-To list the existing server firewall rules, run the [az postgres server firewall-rule list](/cli/azure/postgres/server/firewall-rule) command.

-```azurecli-interactive

-az postgres server firewall-rule list --resource-group myresourcegroup --server-name mydemoserver

-```

-The output lists the firewall rules, if any, by default in JSON format. You may use the switch `--output table` for a more readable table format as the output.

-```azurecli-interactive

-az postgres server firewall-rule list --resource-group myresourcegroup --server-name mydemoserver --output table

-```

-## Create firewall rule

-To create a new firewall rule on the server, run the [az postgres server firewall-rule create](/cli/azure/postgres/server/firewall-rule) command.

-To allow access to a singular IP address, provide the same address in the `--start-ip-address` and `--end-ip-address`, as in this example, replacing the IP shown here with your specific IP.

-```azurecli-interactive

-az postgres server firewall-rule create --resource-group myresourcegroup --server-name mydemoserver --name AllowSingleIpAddress --start-ip-address 13.83.152.1 --end-ip-address 13.83.152.1

-```

-To allow applications from Azure IP addresses to connect to your Azure Database for PostgreSQL server, provide the IP address 0.0.0.0 as the Start IP and End IP, as in this example.

-```azurecli-interactive

-az postgres server firewall-rule create --resource-group myresourcegroup --server-name mydemoserver --name AllowAllAzureIps --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0

-```

-> [!IMPORTANT]

-> This option configures the firewall to allow all connections from Azure including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.

->

-Upon success, the command output lists the details of the firewall rule you have created, by default in JSON format. If there is a failure, the output shows an error message instead.

-## Update firewall rule

-Update an existing firewall rule on the server using [az postgres server firewall-rule update](/cli/azure/postgres/server/firewall-rule) command. Provide the name of the existing firewall rule as input, and the start IP and end IP attributes to update.

-```azurecli-interactive

-az postgres server firewall-rule update --resource-group myresourcegroup --server-name mydemoserver --name AllowIpRange --start-ip-address 13.83.152.0 --end-ip-address 13.83.152.0

-```

-Upon success, the command output lists the details of the firewall rule you have updated, by default in JSON format. If there is a failure, the output shows an error message instead.

-> [!NOTE]

-> If the firewall rule does not exist, it gets created by the update command.

-## Show firewall rule details

-You can also show the details of an existing server-level firewall rule by running [az postgres server firewall-rule show](/cli/azure/postgres/server/firewall-rule) command.

-```azurecli-interactive

-az postgres server firewall-rule show --resource-group myresourcegroup --server-name mydemoserver --name AllowIpRange

-```

-Upon success, the command output lists the details of the firewall rule you have specified, by default in JSON format. If there is a failure, the output shows an error message instead.

-## Delete firewall rule

-To revoke access for an IP range to the server, delete an existing firewall rule by executing the [az postgres server firewall-rule delete](/cli/azure/postgres/server/firewall-rule) command. Provide the name of the existing firewall rule.

-```azurecli-interactive

-az postgres server firewall-rule delete --resource-group myresourcegroup --server-name mydemoserver --name AllowIpRange

-```

-Upon success, there is no output. Upon failure, the error message text is returned.

-## Next steps

-## Prerequisites

-To step through this how-to guide:

- > [!NOTE]

- > Support for VNet service endpoints is only for General Purpose and Memory Optimized servers.

- > In case of VNet peering, if traffic is flowing through a common VNet Gateway with service endpoints and is supposed to flow to the peer, please create an ACL/VNet rule to allow Azure Virtual Machines in the Gateway VNet to access the Azure Database for PostgreSQL server.

-## Configure Vnet service endpoints for Azure Database for PostgreSQL

-The [az network vnet](/cli/azure/network/vnet) commands are used to configure Virtual Networks.

-If you have multiple subscriptions, choose the appropriate subscription in which the resource should be billed. Select the specific subscription ID under your account using [az account set](/cli/azure/account#az_account_set) command. Substitute the **id** property from the **az login** output for your subscription into the subscription id placeholder.

-Service endpoints can be configured on virtual networks independently, by a user with write access to the virtual network.

-> It is highly recommended to read this article about service endpoint configurations and considerations before running the sample script below, or configuring service endpoints. **Virtual Network service endpoint:** A [Virtual Network service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) is a subnet whose property values include one or more formal Azure service type names. VNet services endpoints use the service type name **Microsoft.Sql**, which refers to the Azure service named SQL Database. This service tag also applies to the Azure SQL Database, Azure Database for PostgreSQL and MySQL services. It is important to note when applying the **Microsoft.Sql** service tag to a VNet service endpoint it configures service endpoint traffic for all Azure Database services, including Azure SQL Database, Azure Database for PostgreSQL and Azure Database for MySQL servers on the subnet.

->

-### Sample script to create an Azure Database for PostgreSQL database, create a VNet, VNet service endpoint and secure the server to the subnet with a VNet rule

-In this sample script, change the highlighted lines to customize the admin username and password. Replace the SubscriptionID used in the `az account set --subscription` command with your own subscription identifier.

-[!code-azurecli-interactive[main](../../cli_scripts/postgresql/create-postgresql-server-vnet/create-postgresql-server.sh?highlight=5,20 "Create an Azure Database for PostgreSQL, VNet, VNet service endpoint, and VNet rule.")]

-After the script sample has been run, the following command can be used to remove the resource group and all resources associated with it.

-[!code-azurecli-interactive[main](../../cli_scripts/postgresql/create-postgresql-server-vnet/delete-postgresql.sh "Delete the resource group.")]

-<!-- Link references, to text, Within this same GitHub repo. -->

-### Private access (preview)

-#### Server group name

-To be compatible with [private access](concepts-private-access.md),

-a Hyperscale (Citus) server group must have a name that is 40 characters or

-shorter.

-#### Regions

-The private access feature is available in preview in only these regions:

-* Americas

- * East US

- * East US 2

- * West US 2

-* Asia Pacific

- * Japan East

- * Japan West

- * Korea Central

-* Europe

- * Germany West Central

- * UK South

- * West Europe

-# Private access (preview) in Azure Database for PostgreSQL - Hyperscale (Citus)

-> [!NOTE]

->

-> Private access is available for preview in only [certain

-> regions](concepts-limits.md#regions).

->

-> If the private access option is not selectable for your server group even

-> though your server group is within an allowed region, please open an Azure

-> [support

-> request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest),

-> and include your Azure subscription ID, to get access.

-* Learn how to [enable and manage private

- access](howto-private-access.md) (preview)

-* Follow a [tutorial](tutorial-private-access.md) to see

- private access (preview) in action.

-* Learn how to [enable and manage private

- access](howto-private-access.md) (preview)

-The basic tier is also appropriate for smaller workloads in production. There

-is room to scale vertically *within* the basic tier by increasing the number of

-`postgres` super user role. For limited administrative access, Hyperscale (Citus)

-* Read all pg\_stat\_\* views and use various statistics-related extensions --

- even views or extensions normally visible only to superusers.

-1. Go to the **Roles** page for your Hyperscale (Citus) server group, and click **+ Add**:

-2. Enter the role name and password. Click **Save**.

-portal have the `LOGIN` attribute, which means they are true users who

-a tool such as PgAdmin or psql. (See [connecting with

-psql](quickstart-create-portal.md#connect-to-the-database-using-psql)

-in the Hyperscale (Citus) quickstart.)

-system-wide (e.g. for all tables in a schema):

-and click the ellipses **...** next to the user. The ellipses will open a menu

-For more information about database user account management, see PostgreSQL

-# Private access (preview) in Azure Database for PostgreSQL Hyperscale (Citus)

-[Private access](concepts-private-access.md) (preview) allows

-resources in an Azure virtual network to connect securely and privately to

-nodes in a Hyperscale (Citus) server group. This how-to assumes you've already

-created a virtual network and subnet. For an example of setting up

-prerequisites, see the [private access

-tutorial](tutorial-private-access.md).

-7. Select **Private access (preview)**.

- > [!NOTE]

- >

- > Private access is available for preview in only [certain

- > regions](concepts-limits.md#regions).

- >

- > If the private access option is not selectable for your server group

- > even though your server group is within an allowed region,

- > please open an Azure [support

- > request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest),

- > and include your Azure subscription ID, to get access.

-* Learn more about [private access](concepts-private-access.md)

- (preview).

-* Follow a [tutorial](tutorial-private-access.md) to see private

- access (preview) in action.

-* **[Private access](concepts-private-access.md)**.

- Allow hosts on a virtual network (VNet) to securely access a

- Hyperscale (Citus) server group over a private endpoint.

-> [!NOTE]

->

-> Private access is available for preview in only [certain

-> regions](concepts-limits.md#regions).

-description: Get started with the Azure Database for PostgreSQL Hyperscale (Citus) basic tier.

-#Customer intent: As a developer, I want to provision a hyperscale server group so that I can run queries quickly on large datasets.

-# Create a Hyperscale (Citus) basic tier server group in the Azure portal

-Azure Database for PostgreSQL - Hyperscale (Citus) is a managed service that

-you use to run, manage, and scale highly available PostgreSQL databases in the

-cloud. Its [basic tier](concepts-tiers.md) is a a convenient

-deployment option for initial development and testing.

-This quickstart shows you how to create a Hyperscale (Citus) basic tier

-server group using the Azure portal. You'll provision the server group

-and verify that you can connect to it to run queries.

-## Next steps

-In this quickstart, you learned how to provision a Hyperscale (Citus) server group. You connected to it with psql, created a schema, and distributed data.

- applications](./tutorial-design-database-multi-tenant.md)

- size](howto-scale-initial.md) for your server group

-# Quickstart: create a Hyperscale (Citus) server group in the Azure portal

-## Create and distribute tables

-Once connected to the hyperscale coordinator node using psql, you can complete some basic tasks.

-Within Hyperscale (Citus) servers there are three types of tables:

-In this quickstart, we'll primarily focus on distributed tables and getting familiar with them.

-The data model we're going to work with is simple: user and event data from GitHub. Events include fork creation, git commits related to an organization, and more.

-Once you've connected via psql, let's create our tables. In the psql console run:

-```sql

-CREATE TABLE github_events

-(

- event_id bigint,

- event_type text,

- event_public boolean,

- repo_id bigint,

- payload jsonb,

- repo jsonb,

- user_id bigint,

- org jsonb,

- created_at timestamp

-);

-CREATE TABLE github_users

-(

- user_id bigint,

- url text,

- login text,

- avatar_url text,

- gravatar_id text,

- display_login text

-);

-```

-The `payload` field of `github_events` has a JSONB datatype. JSONB is the JSON datatype in binary form in Postgres. The datatype makes it easy to store a flexible schema in a single column.

-Postgres can create a `GIN` index on this type, which will index every key and value within it. With an index, it becomes fast and easy to query the payload with various conditions. Let's go ahead and create a couple of indexes before we load our data. In psql:

-```sql

-CREATE INDEX event_type_index ON github_events (event_type);

-CREATE INDEX payload_index ON github_events USING GIN (payload jsonb_path_ops);

-```

-Next weΓÇÖll take those Postgres tables on the coordinator node and tell Hyperscale (Citus) to shard them across the workers. To do so, weΓÇÖll run a query for each table specifying the key to shard it on. In the current example weΓÇÖll shard both the events and users table on `user_id`:

-```sql

-SELECT create_distributed_table('github_events', 'user_id');

-SELECT create_distributed_table('github_users', 'user_id');

-```

-We're ready to load data. In psql still, shell out to download the files:

-```sql

-\! curl -O https://examples.citusdata.com/users.csv

-\! curl -O https://examples.citusdata.com/events.csv

-```

-Next, load the data from the files into the distributed tables:

-```sql

-SET CLIENT_ENCODING TO 'utf8';

-\copy github_events from 'events.csv' WITH CSV

-\copy github_users from 'users.csv' WITH CSV

-```

-## Run queries

-Now it's time for the fun part, actually running some queries. Let's start with a simple `count (*)` to see how much data we loaded:

-```sql

-SELECT count(*) from github_events;

-```

-That worked nicely. We'll come back to that sort of aggregation in a bit, but for now letΓÇÖs look at a few other queries. Within the JSONB `payload` column there's a good bit of data, but it varies based on event type. `PushEvent` events contain a size that includes the number of distinct commits for the push. We can use it to find the total number of commits per hour:

-```sql

-SELECT date_trunc('hour', created_at) AS hour,

- sum((payload->>'distinct_size')::int) AS num_commits

-FROM github_events

-WHERE event_type = 'PushEvent'

-GROUP BY hour

-ORDER BY hour;

-```

-So far the queries have involved the github\_events exclusively, but we can combine this information with github\_users. Since we sharded both users and events on the same identifier (`user_id`), the rows of both tables with matching user IDs will be [colocated](concepts-colocation.md) on the same database nodes and can easily be joined.

-If we join on `user_id`, Hyperscale (Citus) can push the join execution down into shards for execution in parallel on worker nodes. For example, let's find the users who created the greatest number of repositories:

-```sql

-SELECT gu.login, count(*)

- FROM github_events ge

- JOIN github_users gu

- ON ge.user_id = gu.user_id

- WHERE ge.event_type = 'CreateEvent'

- AND ge.payload @> '{"ref_type": "repository"}'

- GROUP BY gu.login

- ORDER BY count(*) DESC;

-```

-## Clean up resources

-In the preceding steps, you created Azure resources in a server group. If you don't expect to need these resources in the future, delete the server group. Press the **Delete** button in the **Overview** page for your server group. When prompted on a pop-up page, confirm the name of the server group and click the final **Delete** button.

-## Next steps

-In this quickstart, you learned how to provision a Hyperscale (Citus) server group. You connected to it with psql, created a schema, and distributed data.

- applications](./tutorial-design-database-multi-tenant.md)

- size](howto-scale-initial.md) for your server group

-# Create server group with private access (preview) in Azure Database for PostgreSQL - Hyperscale (Citus)

-7. Select **Private access (preview)**.

- > [!NOTE]

- >

- > Private access is available for preview in only [certain

- > regions](concepts-limits.md#regions).

- >

- > If the private access option is not selectable for your server group

- > even though your server group is within an allowed region,

- > please open an Azure [support

- > request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest),

- > and include your Azure subscription ID, to get access.

- (preview)

-description: How to create an Azure Database for PostgreSQL Hyperscale (Citus) server group.

-# Tutorial: create server group

-In this tutorial, you create a server group in Azure Database for PostgreSQL - Hyperscale (Citus). You'll do these steps:

-> [!div class="checklist"]

-> * Provision the nodes

-> * Allow network access

-> * Connect to the coordinator node

-## Next steps

-With a server group provisioned, it's time to go on to the next tutorial:

-* [Work with distributed data](tutorial-shard.md)

-Azure Database for PostgreSQL is a relational database service in the Microsoft cloud based on the [PostgreSQL Community Edition](https://www.postgresql.org/) (available under the GPLv2 license) database engine. Azure Database for PostgreSQL delivers:

-Azure Database for PostgreSQL Flexible Server is a fully managed database service designed to provide more granular control and flexibility over database management functions and configuration settings. In general, the service provides more flexibility and customizations based on the user requirements. The flexible server architecture allows users to opt for high availability within single availability zone and across multiple availability zones. Flexible Server provide better cost optimization controls with the ability to stop/start server and burstable compute tier, ideal for workloads that do not need full compute capacity continuously. The service currently supports community version of PostgreSQL 11 and 12 with plans to add newer versions soon. The service is currently in public preview, available today in wide variety of Azure regions.

-The Hyperscale (Citus) option horizontally scales queries across multiple machines using sharding. Its query engine parallelizes incoming SQL queries across these servers for faster responses on large datasets. It serves applications that require greater scale and performance, generally workloads that are approaching -- or already exceed -- 100 GB of data.

-This quickstart shows how to use [Azure CLI](/cli/azure/get-started-with-azure-cli) commands in [Azure Cloud Shell](https://shell.azure.com) to create a single Azure Database for PostgreSQL server in five minutes. If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account before you begin.

- > [!TIP]

- > Consider using the simpler [az postgres up](/cli/azure/postgres#az_postgres_up) Azure CLI command that's currently in preview. Try out the [quickstart](./quickstart-create-server-up-azure-cli.md).

- - Make a note of the **id** value from the **az login** output to use as the value for the **subscription** argument in the command.

- ```azurecli

- az account set --subscription <subscription id>

- ```

- - If you have multiple subscriptions, choose the appropriate subscription in which the resource should be billed. To get all your subscriptions, use [az account list](/cli/azure/account#az_account_list).

-## Create an Azure Database for PostgreSQL server

-Create an [Azure resource group](../azure-resource-manager/management/overview.md) by using the [az group create](/cli/azure/group#az_group_create) command, and then create your PostgreSQL server inside this resource group. You should provide a unique name. The following example creates a resource group named `myresourcegroup` in the `westus` location.

-```azurecli-interactive

-az group create --name myresourcegroup --location westus

-```

-Create an [Azure Database for PostgreSQL server](overview.md) by using the [az postgres server create](/cli/azure/postgres/server) command. A server can contain multiple databases.

-```azurecli-interactive

-az postgres server create --resource-group myresourcegroup --name mydemoserver --location westus --admin-user myadmin --admin-password <server_admin_password> --sku-name GP_Gen5_2

-```

-Here are the details for the preceding arguments:

-**Setting** | **Sample value** | **Description**

-||

-name | mydemoserver | Unique name that identifies your Azure Database for PostgreSQL server. The server name can contain only lowercase letters, numbers, and the hyphen (-) character. It must contain 3 to 63 characters. For more information, see [Azure Database for PostgreSQL Naming Rules](../azure-resource-manager/management/resource-name-rules.md#microsoftdbforpostgresql).

-resource-group | myresourcegroup | Name of the Azure resource group.

-location | westus | Azure location for the server.

-admin-user | myadmin | Username for the administrator login. It can't be **azure_superuser**, **admin**, **administrator**, **root**, **guest**, or **public**.

-admin-password | *secure password* | Password of the administrator user. It must contain 8 to 128 characters from three of the following categories: English uppercase letters, English lowercase letters, numbers, and non-alphanumeric characters.

-sku-name|GP_Gen5_2| Name of the pricing tier and compute configuration. Follow the convention {pricing tier}_{compute generation}_{vCores} in shorthand. For more information, see [Azure Database for PostgreSQL pricing](https://azure.microsoft.com/pricing/details/postgresql/server/).

->[!IMPORTANT]

->- To view all the arguments for **az postgres server create** command, see [this reference document](/cli/azure/postgres/server#az_postgres_server_create).

-## Configure a server-level firewall rule

-By default, the server that you created is not publicly accessible and is protected with firewall rules. You can configure the firewall rules on your server by using the [az postgres server firewall-rule create](/cli/azure/postgres/server/firewall-rule) command to give your local environment access to connect to the server.

-The following example creates a firewall rule called `AllowMyIP` that allows connections from a specific IP address, 192.168.0.1. Replace the IP address or range of IP addresses that corresponds to where you'll be connecting from. If you don't know your IP address, go to [WhatIsMyIPAddress.com](https://whatismyipaddress.com/) to get it.

-```azurecli-interactive

-az postgres server firewall-rule create --resource-group myresourcegroup --server mydemoserver --name AllowMyIP --start-ip-address 192.168.0.1 --end-ip-address 192.168.0.1

-```

-> To avoid connectivity issues, make sure your network's firewall allows port 5432. Azure Database for PostgreSQL servers use that port.

-```azurecli-interactive

-az postgres server show --resource-group myresourcegroup --name mydemoserver

-The result is in JSON format. Make a note of the **administratorLogin** and **fullyQualifiedDomainName** values.

-```json

-{

- "administratorLogin": "myadmin",

- "earliestRestoreDate": null,

- "fullyQualifiedDomainName": "mydemoserver.postgres.database.azure.com",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.DBforPostgreSQL/servers/mydemoserver",

- "location": "westus",

- "name": "mydemoserver",

- "resourceGroup": "myresourcegroup",

- "sku": {

- "capacity": 2,

- "family": "Gen5",

- "name": "GP_Gen5_2",

- "size": null,

- "tier": "GeneralPurpose"

- },

- "sslEnforcement": "Enabled",

- "storageProfile": {

- "backupRetentionDays": 7,

- "geoRedundantBackup": "Disabled",

- "storageMb": 5120

- },

- "tags": null,

- "type": "Microsoft.DBforPostgreSQL/servers",

- "userVisibleState": "Ready",

- "version": "9.6"

-}

-```

-The [psql](https://www.postgresql.org/docs/current/static/app-psql.html) client is a popular choice for connecting to PostgreSQL servers. You can connect to your server by using psql with [Azure Cloud Shell](../cloud-shell/overview.md). You can also use psql on your local environment if you have it available. An empty database, **postgres**, is automatically created with a new PostgreSQL server. You can use that database to connect with psql, as shown in the following code.

- ```bash

- psql --host=mydemoserver.postgres.database.azure.com --port=5432 --username=myadmin@mydemoserver --dbname=postgres

- ```

-> psql postgresql://myadmin%40mydemoserver@mydemoserver.postgres.database.azure.com:5432/postgres

-> ```

-If you don't need these resources for another quickstart or tutorial, you can delete them by running the following command.

-```azurecli-interactive

-az group delete --name myresourcegroup

-```

-If you just want to delete the one newly created server, you can run the [az postgres server delete](/cli/azure/postgres/server) command.

-```azurecli-interactive

-az postgres server delete --resource-group myresourcegroup --name mydemoserver

-> [Migrate your database using export and import](./howto-migrate-using-export-and-import.md)

-# Quickstart: Use an Azure CLI command, az postgres up (preview), to create an Azure Database for PostgreSQL - Single Server

-> [!IMPORTANT]

-> The [az postgres up](/cli/azure/postgres#az_postgres_up) Azure CLI command is in preview.

-## Prerequisites

-If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account before you begin.

-This article requires that you're running the Azure CLI version 2.0 or later locally. To see the version installed, run the `az --version` command. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

-You'll need to sign in to your account using the [az login](/cli/azure/authenticate-azure-cli) command. Note the **ID** property from the command output for the corresponding subscription name.

-```azurecli

-az login

-```

-If you have multiple subscriptions, choose the appropriate subscription in which the resource should be billed. Select the specific subscription ID under your account using [az account set](/cli/azure/account) command. Substitute the **subscription ID** property from the **az login** output for your subscription into the subscription ID placeholder.

-```azurecli

-az account set --subscription <subscription id>

-```

-## Create an Azure Database for PostgreSQL server

-To use the commands, install the [db-up](/cli/azure/ext/db-up/mysql) extension. If an error is returned, ensure you have installed the latest version of the Azure CLI. See [Install Azure CLI](/cli/azure/install-azure-cli).

-| [Create a server and firewall rule](scripts/sample-create-server-and-firewall-rule.md?toc=%2fcli%2fazure%2ftoc.json) | Azure CLI script that creates an Azure Database for PostgreSQL server and configures a server-level firewall rule. |

-| [Scale a server](scripts/sample-scale-server-up-or-down.md?toc=%2fcli%2fazure%2ftoc.json) | Azure CLI script that scales an Azure Database for PostgreSQL server up or down to allow for changing performance needs. |

-| [Change server configurations](./scripts/sample-change-server-configuration.md?toc=%2fcli%2fazure%2ftoc.json) | Azure CLI script that change configurations options of an Azure Database for PostgreSQL server. |

-| [Restore a server](./scripts/sample-point-in-time-restore.md?toc=%2fcli%2fazure%2ftoc.json) | Azure CLI script that restores an Azure Database for PostgreSQL server to a previous point in time. |

-| [Enable and download server logs](./scripts/sample-server-logs.md?toc=%2fcli%2fazure%2ftoc.json) | Azure CLI script that enables and downloads server logs of an Azure Database for PostgreSQL server. |

-In this sample script, edit the highlighted lines to update the admin username and password to your own.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/change-server-configurations/change-server-configurations.sh?highlight=15-16 "List and update configurations of Azure Database for PostgreSQL.")]

-Use the following command to remove the resource group and all resources associated with it after the script has been run.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/change-server-configurations/delete-postgresql.sh "Delete the resource group.")]

-## Script explanation

-In this sample script, edit the highlighted lines to update the admin username and password to your own.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/create-postgresql-server-and-firewall-rule/create-postgresql-server-and-firewall-rule.sh?highlight=15-16 "Create an Azure Database for PostgreSQL, and server-level firewall rule.")]

-Use the following command to remove the resource group and all resources associated with it after the script has been run.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/create-postgresql-server-and-firewall-rule/delete-postgresql.sh "Delete the resource group.")]

-## Script explanation

-In this sample script, edit the highlighted lines to update the admin username and password to your own. Replace the subscription ID used in the `az monitor` commands with your own subscription ID.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/backup-restore/backup-restore.sh?highlight=15-16 "Restore Azure Database for PostgreSQL.")]

-Use the following command to remove the resource group and all resources associated with it after the script has been run.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/backup-restore/delete-postgresql.sh "Delete the resource group.")]

-## Script explanation

-This sample CLI script scales compute and storage for a single Azure Database for PostgreSQL server after querying the metrics. Compute can scale up or down. Storage can only scale up.

-> [!IMPORTANT]

-Update the script with your subscription ID.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/scale-postgresql-server/scale-postgresql-server.sh "Create and scale Azure Database for PostgreSQL.")]

-Use the following command to remove the resource group and all resources associated with it after the script has been run.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/scale-postgresql-server/delete-postgresql.sh "Delete the resource group.")]

-## Script explanation

-In this sample script, edit the highlighted lines to update the admin username and password to your own. Replace the &lt;log_file_name&gt; in the `az monitor` commands with your own server log file name.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/server-logs/server-logs.sh?highlight=15-16 "Manipulate with server logs.")]

-Use the following command to remove the resource group and all resources associated with it after the script has been run.

-[!code-azurecli-interactive[main](../../../cli_scripts/postgresql/server-logs/delete-postgresql.sh "Delete the resource group.")]

-## Script explanation

-# Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI

-You may use the Azure Cloud Shell in the browser, or [install Azure CLI]( /cli/azure/install-azure-cli) on your own computer to run the commands in this tutorial.

-## Prerequisites

-If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account before you begin.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli).

-If you have multiple subscriptions, choose the appropriate subscription in which the resource exists or is billed for. Select a specific subscription ID under your account using [az account set](/cli/azure/account) command.

-```azurecli-interactive

-az account set --subscription 00000000-0000-0000-0000-000000000000

-```

-Create an [Azure resource group](../azure-resource-manager/management/overview.md) using the [az group create](/cli/azure/group) command. A resource group is a logical container into which Azure resources are deployed and managed as a group. The following example creates a resource group named `myresourcegroup` in the `westus` location.

-```azurecli-interactive

-az group create --name myresourcegroup --location westus

-```

-## Create an Azure Database for PostgreSQL server

-Create an [Azure Database for PostgreSQL server](overview.md) using the [az postgres server create](/cli/azure/postgres/server) command. A server contains a group of databases managed as a group.

-The following example creates a server called `mydemoserver` in your resource group `myresourcegroup` with server admin login `myadmin`. The name of a server maps to DNS name and is thus required to be globally unique in Azure. Substitute the `<server_admin_password>` with your own value. It is a General Purpose, Gen 5 server with 2 vCores.

-```azurecli-interactive

-az postgres server create --resource-group myresourcegroup --name mydemoserver --location westus --admin-user myadmin --admin-password <server_admin_password> --sku-name GP_Gen5_2 --version 9.6

-```

-The sku-name parameter value follows the convention {pricing tier}\_{compute generation}\_{vCores} as in the examples below:

-+ `--sku-name B_Gen5_2` maps to Basic, Gen 5, and 2 vCores.

-+ `--sku-name GP_Gen5_32` maps to General Purpose, Gen 5, and 32 vCores.

-+ `--sku-name MO_Gen5_2` maps to Memory Optimized, Gen 5, and 2 vCores.

-Please see the [pricing tiers](./concepts-pricing-tiers.md) documentation to understand the valid values per region and per tier.

-> [!IMPORTANT]

-> The server admin login and password that you specify here are required to log in to the server and its databases later in this quickstart. Remember or record this information for later use.

-By default, **postgres** database gets created under your server. The [postgres](https://www.postgresql.org/docs/9.6/static/app-initdb.html) database is a default database meant for use by users, utilities, and third-party applications.

-## Configure a server-level firewall rule

-Create an Azure PostgreSQL server-level firewall rule with the [az postgres server firewall-rule create](/cli/azure/postgres/server/firewall-rule) command. A server-level firewall rule allows an external application, such as [psql](https://www.postgresql.org/docs/9.2/static/app-psql.html) or [PgAdmin](https://www.pgadmin.org/) to connect to your server through the Azure PostgreSQL service firewall.

-You can set a firewall rule that covers an IP range to be able to connect from your network. The following example uses [az postgres server firewall-rule create](/cli/azure/postgres/server/firewall-rule) to create a firewall rule `AllowMyIP` that allows connection from a single IP address.

-```azurecli-interactive

-az postgres server firewall-rule create --resource-group myresourcegroup --server mydemoserver --name AllowMyIP --start-ip-address 192.168.0.1 --end-ip-address 192.168.0.1

-```

-To restrict access to your Azure PostgreSQL server to only your network, you can set the firewall rule to only cover your corporate network IP address range.

-> Azure PostgreSQL server communicates over port 5432. When connecting from within a corporate network, outbound traffic over port 5432 may not be allowed by your network's firewall. Have your IT department open port 5432 to connect to your Azure SQL Database server.

->

-To connect to your server, you need to provide host information and access credentials.

-```azurecli-interactive

-az postgres server show --resource-group myresourcegroup --name mydemoserver

-```

-The result is in JSON format. Make a note of the **administratorLogin** and **fullyQualifiedDomainName**.

-```json

-{

- "administratorLogin": "myadmin",

- "earliestRestoreDate": null,

- "fullyQualifiedDomainName": "mydemoserver.postgres.database.azure.com",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.DBforPostgreSQL/servers/mydemoserver",

- "location": "westus",

- "name": "mydemoserver",

- "resourceGroup": "myresourcegroup",

- "sku": {

- "capacity": 2,

- "family": "Gen5",

- "name": "GP_Gen5_2",

- "size": null,

- "tier": "GeneralPurpose"

- },

- "sslEnforcement": "Enabled",

- "storageProfile": {

- "backupRetentionDays": 7,

- "geoRedundantBackup": "Disabled",

- "storageMb": 5120

- },

- "tags": null,

- "type": "Microsoft.DBforPostgreSQL/servers",

- "userVisibleState": "Ready",

- "version": "9.6"

-}

-## Connect to Azure Database for PostgreSQL database using psql

-If your client computer has PostgreSQL installed, you can use a local instance of [psql](https://www.postgresql.org/docs/9.6/static/app-psql.html), or the Azure Cloud Console to connect to an Azure PostgreSQL server. Let's now use the psql command-line utility to connect to the Azure Database for PostgreSQL server.

-1. Run the following psql command to connect to an Azure Database for PostgreSQL database:

- ```

- psql --host=<servername> --port=<port> --username=<user@servername> --dbname=<dbname>

- ```

- For example, the following command connects to the default database called **postgres** on your PostgreSQL server **mydemoserver.postgres.database.azure.com** using access credentials. Enter the `<server_admin_password>` you chose when prompted for password.

-

- ```

- psql --host=mydemoserver.postgres.database.azure.com --port=5432 --username=myadmin@mydemoserver --dbname=postgres

- ```

- > [!TIP]

- > If you prefer to use a URL path to connect to Postgres, URL encode the @ sign in the username with `%40`. For example the connection string for psql would be,

- > ```

- > psql postgresql://myadmin%40mydemoserver@mydemoserver.postgres.database.azure.com:5432/postgres

- > ```

-2. Once you are connected to the server, create a blank database at the prompt:

-3. At the prompt, execute the following command to switch connection to the newly created database **mypgsqldb**:

- id serial PRIMARY KEY,

- name VARCHAR(50),

- quantity INTEGER

-Execute the following query to retrieve information from the inventory table:

-Imagine you have accidentally deleted a table. This is something you cannot easily recover from. Azure Database for PostgreSQL allows you to go back to any point-in-time for which your server has backups (determined by the backup retention period you configured) and restore this point-in-time to a new server. You can use this new server to recover your deleted data.

-In the preceding steps, you created Azure resources in a server group. If you don't expect to need these resources in the future, delete the server group. Press the *Delete* button in the *Overview* page for your server group. When prompted on a pop-up page, confirm the name of the server group and click the final *Delete* button.

-description: This article outlines the different data stores and functionalities supported in Azure Purview

-# Supported data stores

-Azure Purview supports the following data stores. Select each data store to learn the supported capabilities and the corresponding configurations in details.

-description: This article provides conceptual details about supported data sources and file types in Azure Purview.

-# Supported data sources and file types in Azure Purview

-This article discusses supported data sources, file types and scanning concepts in Azure Purview.

-## Supported data sources

-Azure Purview supports all the data sources listed [here](purview-connector-overview.md).

-## File types supported for scanning

-The following file types are supported for scanning, for schema extraction and classification where applicable:

- > [!Note]

- > * Azure Purview scanner only supports schema extraction for the structured file types listed above.

- > * For AVRO, ORC, and PARQUET file types, Azure Purview scanner does not support schema extraction for files that contain complex data types (for example, MAP, LIST, STRUCT).

- > * Azure Purview scanner supports scanning snappy compressed PARQUET types for schema extraction and classification.

- > * For GZIP file types, the GZIP must be mapped to a single csv file within.

- > Gzip files are subject to System and Custom Classification rules. We currently don't support scanning a gzip file mapped to multiple files within, or any file type other than csv.

- > * For delimited file types(CSV, PSV, SSV, TSV, TXT), we do not support data type detection. The data type will be listed as "string" for all columns.

-## Sampling within a file

-In Azure Purview terminology,

-For all structured file formats, Azure Purview scanner samples files in the following way:

- - If a document file is larger than 20 MB, then it is not subject to a deep scan (subject to classification). In that case, Azure Purview captures only basic meta data like file name and fully qualified name.

-## Resource set file sampling

-A folder or group of partition files is detected as a *resource set* in Azure Purview, if it matches with a system resource set policy or a customer defined resource set policy. If a resource set is detected, then Azure Purview will sample each folder that it contains. Learn more about resource sets [here](concept-resource-sets.md).

-File sampling for resource sets by file types:

-## Classification

-All 206 system classification rules apply to structured file formats. Only the MCE classification rules apply to document file types (Not the data scan native regex patterns, bloom filter-based detection). For more information on supported classifications, see [Supported classifications in Azure Purview](supported-classifications.md).

-## Next steps

-description: Step-by-step guide showing how a data owner can create policies on resource groups or subscriptions.

-# Access provisioning by data owner to resource groups or subscriptions (preview)

-This guide describes how a data owner can leverage Azure Purview to enable access to ALL data sources in a subscription or a resource group. This can be achieved through a single policy statement, and will cover all existing data sources, as well as data sources that are created afterwards. However, at this point, only the following data sources are supported:

-### Register the subscription or resource group in Azure Purview

-Enable the resource group or subscription for access policies in Azure Purview by setting the **Data use governance** toggle to enable, as shown in the picture.

-

-## Policy authoring

-Check the blog and demo related to the capabilities mentioned in this how-to guide

-* [Demo of access policy for Azure Storage](https://www.youtube.com/watch?v=CFE8ltT19Ss)

-description: Step-by-step guide on how to integrate Azure Storage with Azure Purview to enable data owners to create access policies.

-# Access provisioning by data owner to Azure Storage datasets (preview)

-This guide describes how a data owner can leverage Azure Purview to enable access to datasets in Azure Storage. At this point, only the following data sources are supported:

-### Register and scan data sources in Azure Purview

-Register and scan each data source with Azure Purview to later define access policies. You can follow these guides:

-Enable the data source for access policies in Azure Purview by setting the **Data use governance** toggle to enable, as shown in the picture.

-

-## Policy authoring

-Check the blog and demo related to the capabilities mentioned in this how-to guide

-| Co-Administrator | 200 per subscription | <ul><li>Same access privileges as the Service Administrator, but canΓÇÖt change the association of subscriptions to Azure directories</li><li>Assign users to the Co-Administrator role, but cannot change the Service Administrator</li></ul> | The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. |

-If you list this role assignment using Azure PowerShell, you might see an empty `DisplayName` and an `ObjectType` set to **Unknown**. For example, [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment) returns a role assignment that is similar to the following output:

-ObjectType : Unknown

-> Preview functionality is provided without a service level agreement, and is not recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-+ Azure Cognitive Search service

- + Azure Cognitive Search service set up in a [supported region](search-how-to-index-power-query-data-sources.md#regional-availability).

- + Ensure that the Azure Cognitive Search team has enabled your search service for the preview. You can sign up for the preview by filling out [this form](https://aka.ms/azure-cognitive-search/indexer-preview).

-+ Azure Blob Storage account

- + A Blob Storage account is required for the preview to be used as an intermediary for your data. The data will flow from your data source, then to Blob Storage, then to the index. This requirement only exists with the initial gated preview.

-description: Set up a search indexer to index data stored in Azure MySQL for full text search in Azure Cognitive Search.

-# Index data from Azure MySQL

-> MySQL support is currently in public preview under [Supplemental Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). [Request access](https://aka.ms/azure-cognitive-search/indexer-preview) to this feature, and after access is enabled, use a [preview REST API (2020-06-30-preview or later)](search-api-preview.md) to index your content. There is currently no SDK support and no portal support.

-The Azure Cognitive Search indexer for MySQL will crawl your MySQL database on Azure, extract searchable data, and index it in Azure Cognitive Search. The indexer will take all changes, uploads, and deletes for your MySQL database and reflect these changes in your search index.

-You can set up an Azure MySQL indexer by using any of these clients:

-* [Azure portal](https://ms.portal.azure.com)

-* Azure Cognitive Search [REST API](/rest/api/searchservice/Indexer-operations)

-* Azure Cognitive Search [.NET SDK](/dotnet/api/azure.search.documents.indexes.models.searchindexer)

-This article uses the REST APIs.

-## Create an Azure MySQL indexer

-To index MySQL on Azure follow the below steps.

-### Step 1: Create a data source

-To create the data source, send the following request:

-```http

- POST https://[search service name].search.windows.net/datasources?api-version=2020-06-30-Preview

- Content-Type: application/json

- api-key: [admin key]

-

- {

- "name" : "[Data source name]"

- "description" : "[Description of MySQL data source]",

- "type" : "mysql",

- "credentials" : {

- "connectionString" :

- "Server=[MySQLServerName].MySQL.database.azure.com; Port=3306; Database=[DatabaseName]; Uid=[UserName]; Pwd=[Password]; SslMode=Preferred;"

- },

- "container" : {

- "name" : "[TableName]"

- },

- "dataChangeDetectionPolicy" : {

- "@odata.type": "#Microsoft.Azure.Search.HighWaterMarkChangeDetectionPolicy",

- "highWaterMarkColumnName": "[HighWaterMarkColumn]"

- }

- }

-```

-### Step 2: Create an index

-Create the target Azure Cognitive Search index if you donΓÇÖt have one already.

-```http

- POST https://[service name].search.windows.net/indexes?api-version=2020-06-30

- Content-Type: application/json

- api-key: [admin key]

- {

- "name": "[Index name]",

- "fields": [{

- "name": "id",

- "type": "Edm.String",

- "key": true,

- "searchable": false

- }, {

- "name": "description",

- "type": "Edm.String",

- "filterable": false,

- "searchable": true,

- "sortable": false,

- "facetable": false

- }]

-### Step 3: Create the indexer

- POST https://[search service name].search.windows.net/indexers?api-version=2020-06-30-Preview

- Content-Type: application/json

- api-key: [admin key]

-

- {

- "name" : "[Indexer name]"

- "description" : "[Description of MySQL indexer]",

- "dataSourceName" : "[Data source name]",

- "targetIndexName" : "[Index name]"

- }

-```

-## Run indexers on a schedule

-You can also arrange the indexer to run periodically on a schedule. To do this, add the **schedule** property when creating or updating the indexer. The example below shows a PUT request to update the indexer:

- PUT https://[search service name].search.windows.net/indexers/[Indexer name]?api-version=2020-06-30

- Content-Type: application/json

- api-key: [admin-key]

- {

- "dataSourceName" : "[Data source name]",

- "targetIndexName" : "[Index name]",

- "schedule" : {

- "interval" : "PT10M",

- "startTime" : "2021-01-01T00:00:00Z"

- }

-The **interval** parameter is required. The interval refers to the time between the start of two consecutive indexer executions. The smallest allowed interval is 5 minutes; the longest is one day. It must be formatted as an XSD "dayTimeDuration" value (a restricted subset of an [ISO 8601 duration](https://www.w3.org/TR/xmlschema11-2/#dayTimeDuration) value). The pattern for this is: `P(nD)(T(nH)(nM))`. Examples: `PT15M` for every 15 minutes, `PT2H` for every 2 hours.

-For more information about defining indexer schedules see [How to schedule indexers for Azure Cognitive Search](search-howto-schedule-indexers.md).

-Azure Cognitive Search uses **incremental indexing** to avoid having to reindex the entire table or view every time an indexer runs.

-* All inserts specify a value for the column.

-* All updates to an item also change the value of the column.

-* The value of this column increases with each insert or update.

-* Queries with the following WHERE and ORDER BY clauses can be executed efficiently: `WHERE [High Water Mark Column] > [Current High Water Mark Value] ORDER BY [High Water Mark Column]`

- {

- "name" : "[Data source name]",

- "type" : "mysql",

- "credentials" : { "connectionString" : "[connection string]" },

- "container" : { "name" : "[table or view name]" },

- "dataChangeDetectionPolicy" : {

- "@odata.type" : "#Microsoft.Azure.Search.HighWaterMarkChangeDetectionPolicy",

- "highWaterMarkColumnName" : "[last_updated column name]"

- }

- {

- …,

- "dataDeletionDetectionPolicy" : {

- "@odata.type" : "#Microsoft.Azure.Search.SoftDeleteColumnDeletionDetectionPolicy",

- "softDeleteColumnName" : "[a column name]",

- "softDeleteMarkerValue" : "[the value that indicates that a row is deleted]"

- }

-The **softDeleteMarkerValue** must be a string ΓÇô use the string representation of your actual value. For example, if you have an integer column where deleted rows are marked with the value 1, use `"1"`. If you have a BIT column where deleted rows are marked with the Boolean true value, use the string literal `True` or `true`, the case doesn't matter.

-## Mapping between MySQL and Azure Cognitive Search data types

-> The preview does not support geometry types and blobs.

-| MySQL data type | Allowed target index field types |

-| | |

-Congratulations! You have learned how to integrate MySQL with Azure Cognitive Search using an indexer.

-+ To learn more about indexers, see [Creating Indexers in Azure Cognitive Search](search-howto-create-indexers.md)

-description: Quickstart showing how to create a service connection in App Service from Azure portal

-# Quickstart: Create a service connection in App Service from Azure portal

-This quickstart shows you how to create a new service connection with Service Connector in App Service from Azure portal.

-This quickstart assumes that you already have at least an App Service running on Azure. If you don't have an App Service, [create one](../app-service/quickstart-dotnetcore.md).

-You will use Service Connector to create a new service connection in App Service.

-1. Select **All resource** button found on the left of the Azure portal. Type **App Service** in the filter and click the name of the App Service you want to use in the list.

- | **Service Type** | Blob Storage | Target service type. If you don't have a Storage Blob container, you can [create one](../storage/blobs/storage-quickstart-blobs-portal.md) or use an other service type. |

- | **Connection Name** | Generated unique name | The connection name that identifies the connection between your App Service and target service |

- | **Client Type** | The same app stack on this App Service | Your application stack that works with the target service you selected. The default value comes from the App Service runtime stack. |

-1. Click **>** button to expand the list, you can see the environment variables required by your application code.

-1. Click **...** button and select **Validate**, you can see the connection validation details in the pop-up blade from right.

-Red Hat Enterprise Linux | 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6,[7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9](https://support.microsoft.com/help/4578241/), [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609/), [8.3](https://support.microsoft.com/help/4597409/), 8.4 (4.18.0-305.30.1.el8_4.x86_64 or higher), 8.5 (4.18.0-348.5.1.el8_5.x86_64 or higher)

-SUSE Linux Enterprise Server 15 | 15, SP1, SP2[(Supported kernel versions)](#supported-suse-linux-enterprise-server-15-kernel-versions-for-azure-virtual-machines)

-[Rollup 55](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) | 9.42.5941.1 | 5.1.6692.0 | 9.42.5941.1 | 5.1.6692.0 | 2.0.9208.0

-Linux Red Hat Enterprise | 5.2 to 5.11</b><br/> 6.1 to 6.10</b> </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9 Beta version](https://support.microsoft.com/help/4578241/), [7.9](https://support.microsoft.com/help/4590304/) </br> [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), 8.4 (4.18.0-305.30.1.el8_4.x86_64 or higher), 8.5 (4.18.0-348.5.1.el8_5.x86_64 or higher) <br/> Few older kernels on servers running Red Hat Enterprise Linux 5.2-5.11 & 6.1-6.10 do not have [Linux Integration Services (LIS) components](https://www.microsoft.com/download/details.aspx?id=55106) pre-installed. If in-built LIS components are missing, ensure to install the [components](https://www.microsoft.com/download/details.aspx?id=55106) before enabling replication for the machines to boot in Azure.

-`/Role` | Mandatory installation parameter. Specifies whether the Mobility service (Agent) or master target (MasterTarget) should be installed. Note: in prior versions, the correct switches were Mobility Service (MS) or master target (MT)

-You can use a new or existing key vault to store customer-managed keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions.

-The next step is to configure the key vault access policy. The key vault access policy grants permissions to the managed identity that will be used to authorize access to the key vault. For more information about assigning the key vault access policy, see [Assign an Azure Key Vault access policy](../../key-vault/general/assign-access-policy.md).

-When you configure customer-managed keys with the Azure portal, the key vault access policy is configured for you under the covers.

-You can switch a storage account from one type of replication to any other type, but some scenarios are more straightforward than others. If you want to add or remove geo-replication or read access to the secondary region, you can use the Azure portal, PowerShell, or Azure CLI to update the replication setting. However, if you want to change how data is replicated in the primary region, by moving from LRS to ZRS or vice versa, then you must either perform a manual migration or request a live migration. And if you want to move from ZRS to GZRS or RA-GZRS, then you must perform a live migration, unless you are performing a failback operation after failover.

-An Azure storage account contains all of your Azure Storage data objects: blobs, file shares, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that's accessible from anywhere in the world over HTTP or HTTPS. Data in your storage account is durable and highly available, secure, and massively scalable.

-To learn how to create an Azure storage account, see [Create a storage account](storage-account-create.md).

-Azure Storage offers several types of storage accounts. Each type supports different features and has its own pricing model. Consider these differences before you create a storage account to determine the type of account that's best for your applications.

-| Standard general-purpose v2 | Blob (including Data Lake Storage¹), Queue, and Table storage, Azure Files | LRS/GRS/RA-GRS<br /><br />ZRS/GZRS/RA-GZRS² | Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. Note that if you want support for NFS file shares in Azure Files, use the premium file shares account type. |

-| Premium block blobs³ | Blob storage (including Data Lake Storage¹) | LRS<br /><br />ZRS² | Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transactions rates, or scenarios that use smaller objects or require consistently low storage latency. [Learn more about example workloads.](../blobs/storage-blob-block-blob-premium.md) |

-| Premium file shares³ | Azure Files | LRS<br /><br />ZRS² | Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both SMB and NFS file shares. |

-² Zone-redundant storage (ZRS) and geo-zone-redundant storage (GZRS/RA-GZRS) are available only for standard general-purpose v2, premium block blobs, and premium file shares accounts in certain regions. For more information, see [Azure Storage redundancy](storage-redundancy.md).

-You cannot change a storage account to a different type after it is created. To move your data to a storage account of a different type, you must create a new account and copy the data to the new account.

-| Blob storage | `https://<storage-account>.blob.core.windows.net` |

-| Queue storage | `https://<storage-account>.queue.core.windows.net` |

-| Table storage | `https://<storage-account>.table.core.windows.net` |

-`http://*mystorageaccount*.blob.core.windows.net/*mycontainer*/*myblob*`

-| Upgrade to a general-purpose v2 storage account | You can upgrade a general-purpose v1 storage account or Blob storage account to a general-purpose v2 account. Note that this action cannot be undone. For more information, see [Upgrade to a general-purpose v2 storage account](storage-account-upgrade.md). |

-The [Azure Storage pricing page](https://azure.microsoft.com/pricing/details/storage/) provides detailed pricing information based on account type, storage capacity, replication, and transactions. The [Data Transfers pricing details](https://azure.microsoft.com/pricing/details/data-transfers/) provides detailed pricing information for data egress. You can use the [Azure Storage pricing calculator](https://azure.microsoft.com/pricing/calculator/?scenario=data-management) to help estimate your costs.

-The following table describes the legacy storage account types. These account types are not recommended by Microsoft, but may be used in certain scenarios:

-| Standard general-purpose v1 | Blob, Queue, and Table storage, Azure Files | LRS/GRS/RA-GRS | Resource Manager, Classic | General-purpose v1 accounts may not have the latest features or the lowest per-gigabyte pricing. Consider using for these scenarios:<br /><ul><li>Your applications require the Azure [classic deployment model](../../azure-portal/supportability/classic-deployment-model-quota-increase-requests.md).</li><li>Your applications are transaction-intensive or use significant geo-replication bandwidth, but don't require large capacity. In this case, a general-purpose v1 account may be the most economical choice.</li><li>You use a version of the Azure Storage REST API that is earlier than 2014-02-14 or a client library with a version lower than 4.x, and you can't upgrade your application.</li><li>You are selecting a storage account to use as a cache for Azure Site Recovery. Because Site Recovery is transaction-intensive, a general-purpose v1 account may be more cost-effective. For more information, see [Support matrix for Azure VM disaster recovery between Azure regions](../../site-recovery/azure-to-azure-support-matrix.md#cache-storage).</li></ul> |

-| Standard Blob storage | Blob storage (block blobs and append blobs only) | LRS/GRS/RA-GRS | Resource Manager | Microsoft recommends using standard general-purpose v2 accounts instead when possible. |

-A user-defined aggregate is used on top of a time window specification to aggregate over the events in that window and produce a single result value. There are two types of UDA interfaces that Stream Analytics supports today, AccumulateOnly and AccumulateDeaccumulate. Both types of UDA can be used by Tumbling, Hopping, Sliding and Session Window. AccumulateDeaccumulate UDA performs better than AccumulateOnly UDA when used together with Hopping, Sliding and Session Window. You choose one of the two types based on the algorithm you use.

-AccumulateOnly aggregates can only accumulate new events to its state, the algorithm does not allow deaccumulation of values. Choose this aggregate type when deaccumulate an event information from the state value is impossible to implement. Following is the JavaScript template for AccumulatOnly aggregates:

-Function alias is the UDA identifier. When called in Stream Analytics query, always use UDA alias together with a "uda." prefix.

-The accumulate() method calculates the UDA state based on the previous state and the current event values. This method is called when an event enters a time window (TUMBLINGWINDOW, HOPPINGWINDOW, SLIDINGWINDOW or SESSIONWINDOW).

-The deaccumulateState() method recalculates state based on the previous state and the state of a hop. This method is called when a set of events leave a HOPPINGWINDOW.

-The computeResult() method returns aggregate result based on the current state. This method is called at the end of a time window (TUMBLINGWINDOW, HOPPINGWINDOW, SLIDINGWINDOW or SESSIONWINDOW).

-Below we walk through the process of creating a UDA from Portal. The example we use here is computing time weighted averages.

-1. Log on to Azure portal and locate your existing Stream Analytics job.

-1. Then click on functions link under **JOB TOPOLOGY**.

-1. Click on the **Add** icon to add a new function.

-1. On the New Function view, select **JavaScript UDA** as the Function Type, then you see a default UDA template show up in the editor.

-1. Once you click the "Save" button, your UDA shows up on the function list.

-1. Click on the new function "TWA", you can check the function definition.

-Azure Stream Analytics supports processing events in CSV, JSON and Avro data formats.

-Both JSON and Avro may contain complex types such as nested objects (records) or arrays. For more information on working with these complex data types, refer to the [Parsing JSON and AVRO data](stream-analytics-parsing-json.md) article.

-Note that the **WITH** clause can be used to define multiple sub-query blocks. This option has the benefit of opening fewer readers to the input source.

-For more information, refer to [**WITH** clause](/stream-analytics-query/with-azure-stream-analytics).

-The **LAG** function can be used to look at past events within a time window and compare them against the current event. For example, the current car make can be outputted if it is different from the last car that went through the toll.

-For more information, refer to [**LAG**](/stream-analytics-query/lag-azure-stream-analytics).

-As events are consumed by the system in real-time, there is no function that can determine if an event will be the last one to arrive for that window of time. To achieve this, the input stream needs to be joined with another where the time of an event is the maximum time for all events at that window.

-The first step on the query finds the maximum time stamp in 10-minute windows, that is the time stamp of the last event for that window. The second step joins the results of the first query with the original stream to find the event that match the last time stamps in each window.

-**DATEDIFF** is a date-specific function that compares and returns the time difference between two DateTime fields, for more information, refer to [date functions](/stream-analytics-query/date-and-time-functions-azure-stream-analytics).

-For more information on joining streams, refer to [**JOIN**](/stream-analytics-query/join-azure-stream-analytics).

-For more information on aggregation, refer to [aggregate functions](/stream-analytics-query/aggregate-functions-azure-stream-analytics).

-For more information, refer to [Hopping window](/stream-analytics-query/hopping-window-azure-stream-analytics).

-For more information, refer to [LAG](/stream-analytics-query/lag-azure-stream-analytics).

-The **LAST** function can be used to retrieve the last event within a specific condition. In this example, the condition is an event of type Start, partitioning the search by **PARTITION BY** user and feature. This way, every user and feature is treated independently when searching for the Start event. **LIMIT DURATION** limits the search back in time to 1 hour between the End and Start events.

-For more information, refer to [**COUNT** aggregate function](/stream-analytics-query/count-azure-stream-analytics).

-For more information, refer to [**IsFirst**](/stream-analytics-query/isfirst-azure-stream-analytics).

-For more information, refer to [COUNT(DISTINCT Time)](/stream-analytics-query/count-azure-stream-analytics).

-For more information, refer to [case expression](/stream-analytics-query/case-azure-stream-analytics).

-Data can be cast in real-time using the **CAST** method. For example, car weight can be converted from type **nvarchar(max)** to type **bigint** and be used on a numeric calculation.

-The **TIMESTAMP OVER BY** clause looks at each device timeline independently using substreams. The output event for each *TollID* is generated as they are computed, meaning that the events are in order with respect to each *TollID* instead of being reordered as if all devices were on the same clock.

-For more information, refer to [TIMESTAMP BY OVER](/stream-analytics-query/timestamp-by-azure-stream-analytics#over-clause-interacts-with-event-ordering).

-For more information on **SessionWindow**, refer to [Session Window](/stream-analytics-query/session-window-azure-stream-analytics) .

-Azure Stream Analytics query language can be extended with custom functions written either in JavaScript or C# language. User Defined Functions (UDF) are custom/complex computations that cannot be easily expressed using the **SQL** language. These UDFs can be defined once and used multiple times within a query. For example, an UDF can be used to convert a hexadecimal *nvarchar(max)* value to an *bigint* value.

-The User Defined Function will compute the *bigint* value from the HexValue on every event consumed.

-For more information, refer to [JavaScript](./stream-analytics-javascript-user-defined-functions.md) and [C#](./stream-analytics-edge-csharp-udf.md).

-This query matches at least two consecutive failure events and generate an alarm when the conditions are met.

-For more information, refer to [MATCH_RECOGNIZE](/stream-analytics-query/match-recognize-stream-analytics).

-For example, a company that is specialized in manufacturing machines for printing passports, lease their machines to governments and consulates. The location of those machines is heavily controlled as to avoid the misplacing and possible use for counterfeiting of passports. Each machine is fitted with a GPS tracker, that information is relayed back to an Azure Stream Analytics job.

-For more information, refer to the [Geofencing and geospatial aggregation scenarios with Azure Stream Analytics](geospatial-scenarios.md) article.

-[stream.analytics.rest.api.reference]: /rest/api/streamanalytics/

-description: This article provides information on how to use the custom connector for moving data between dedicated SQL pools and serverless Apache Spark pools.

-# Introduction

-The Azure Synapse Apache Spark to Synapse SQL connector is designed to efficiently transfer data between serverless Apache Spark pools and dedicated SQL pools in Azure Synapse. The Azure Synapse Apache Spark to Synapse SQL connector works on dedicated SQL pools only, it doesn't work with serverless SQL pool.

-> [!WARNING]

-> The **sqlanalytics()** function name has been changed to **synapsesql()**. The sqlanalytics function will continue to work but will be deprecated. Please change any reference from **sqlanalytics()** to **synapsesql()** to prevent any disruption in the future.

-## Design

-Transferring data between Spark pools and SQL pools can be done using JDBC. However, given two distributed systems such as Spark and SQL pools, JDBC tends to be a bottleneck with serial data transfer.

-The Azure Synapse Apache Spark pool to Synapse SQL connector is a data source implementation for Apache Spark. It uses the Azure Data Lake Storage Gen2 and Polybase in dedicated SQL pools to efficiently transfer data between the Spark cluster and the Synapse dedicated SQL instance.

-

-## Authentication in Azure Synapse Analytics

-Authentication between systems is made seamless in Azure Synapse Analytics. The Token Service connects with Azure Active Directory to obtain security tokens for use when accessing the storage account or the data warehouse server.

-For this reason, there's no need to create credentials or specify them in the connector API as long as Azure AD-Auth is configured at the storage account and the data warehouse server. If not, SQL Auth can be specified. Find more details in the [Usage](#usage) section.

-## Constraints

-## Prerequisites

-To create users, connect to the SQL pool database, and follow these examples:

-```sql

-CREATE USER Mary FROM LOGIN Mary;

-CREATE USER [mike@contoso.com] FROM EXTERNAL PROVIDER;

-```

-To assign a role:

-```sql

-EXEC sp_addrolemember 'db_exporter', 'Mary';

-EXEC sp_addrolemember 'db_exporter',[mike@contoso.com]

-```

-## Usage

-The import statements aren't required, they're pre-imported for the notebook experience.

-### Transfer data to or from a dedicated SQL pool attached within the workspace

-> [!NOTE]

-> **Imports not needed in notebook experience**

-```scala

- import com.microsoft.spark.sqlanalytics.utils.Constants

- import org.apache.spark.sql.SqlAnalyticsConnector._

-```

-#### Read API

-```scala

-val df = spark.read.synapsesql("<DBName>.<Schema>.<TableName>")

-```

-The above API will work for both Internal (Managed) as well as External Tables in the SQL pool.

-#### Write API

-```scala

-df.write.synapsesql("<DBName>.<Schema>.<TableName>", <TableType>)

-```

-The write API creates the table in the dedicated SQL pool and then invokes Polybase to load the data. The table must not exist in the dedicated SQL pool or an error will be returned stating that "There is already an object named..."

-TableType values

-SQL pool-managed table

-```scala

-df.write.synapsesql("<DBName>.<Schema>.<TableName>", Constants.INTERNAL)

-```

-SQL pool external table

-To write to a dedicated SQL pool external table, an EXTERNAL DATA SOURCE and an EXTERNAL FILE FORMAT must exist on the dedicated SQL pool. For more information, read [creating an external data source](/sql/t-sql/statements/create-external-data-source-transact-sql?view=azure-sqldw-latest&preserve-view=true) and [external file formats](/sql/t-sql/statements/create-external-file-format-transact-sql?view=azure-sqldw-latest&preserve-view=true) in dedicated SQL pool. Below are examples for creating an external data source and external file formats in dedicated SQL pool.

-```sql

-CREATE EXTERNAL DATA SOURCE <DataSourceName>

-WITH

- ( LOCATION = 'abfss://...' ,

- TYPE = HADOOP

- ) ;

-CREATE EXTERNAL FILE FORMAT <FileFormatName>

-WITH (

- FORMAT_TYPE = PARQUET,

- DATA_COMPRESSION = 'org.apache.hadoop.io.compress.SnappyCodec'

-);

-```

-An EXTERNAL CREDENTIAL object is not necessary when using Azure Active Directory pass-through authentication to the storage account. Ensure you are a member of the "Storage Blob Data Contributor" role on the storage account.

-```scala

-df.write.

- option(Constants.DATA_SOURCE, <DataSourceName>).

- option(Constants.FILE_FORMAT, <FileFormatName>).

- synapsesql("<DBName>.<Schema>.<TableName>", Constants.EXTERNAL)

-```

-### Transfer data to or from a dedicated SQL pool or database outside the workspace

-> [!NOTE]

-> Imports not needed in notebook experience

-```scala

- import com.microsoft.spark.sqlanalytics.utils.Constants

- import org.apache.spark.sql.SqlAnalyticsConnector._

-```

-#### Read API

-```scala

-val df = spark.read.

-option(Constants.SERVER, "samplews.database.windows.net").

-synapsesql("<DBName>.<Schema>.<TableName>")

-```

-#### Write API

-```scala

-df.write.

-option(Constants.SERVER, "samplews.database.windows.net").

-synapsesql("<DBName>.<Schema>.<TableName>", <TableType>)

-```

-### Use SQL Auth instead of Azure AD

-#### Read API

-Currently the connector doesn't support token-based auth to a dedicated SQL pool that is outside of the workspace. You'll need to use SQL Auth.

-```scala

-val df = spark.read.

-option(Constants.SERVER, "samplews.database.windows.net").

-option(Constants.USER, <SQLServer Login UserName>).

-option(Constants.PASSWORD, <SQLServer Login Password>).

-synapsesql("<DBName>.<Schema>.<TableName>")

-```

-#### Write API

-```scala

-df.write.

-option(Constants.SERVER, "samplews.database.windows.net").

-option(Constants.USER, <SQLServer Login UserName>).

-option(Constants.PASSWORD, <SQLServer Login Password>).

-synapsesql("<DBName>.<Schema>.<TableName>", <TableType>)

-```

-### Use PySpark with the connector

-> [!NOTE]

-> This example is given with only the notebook experience kept in mind.

-Assume you have a dataframe "pyspark_df" that you want to write into the DW.

-Create a temp table using the dataframe in PySpark:

-```py

-pyspark_df.createOrReplaceTempView("pysparkdftemptable")

-```

-Run a Scala cell in the PySpark notebook using magics:

-```scala

-%%spark

-val scala_df = spark.sqlContext.sql ("select * from pysparkdftemptable")

-scala_df.write.synapsesql("sqlpool.dbo.PySparkTable", Constants.INTERNAL)

-```

-Similarly, in the read scenario, read the data using Scala and write it into a temp table, and use Spark SQL in PySpark to query the temp table into a dataframe.

-## Allow other users to use the Azure Synapse Apache Spark to Synapse SQL connector in your workspace

-You need to be Storage Blob Data Owner on the ADLS Gen2 storage account connected to the workspace to alter missing permissions for others. Ensure the user has access to the workspace and permissions to run notebooks.

-### Option 1

-### Option 2

-| Folder | / | synapse | workspaces | \<workspacename> | sparkpools | \<sparkpoolname> | sparkpoolinstances |

-|--|--|--|--|--|--|--|--|

-| Access Permissions | --X | --X | --X | --X | --X | --X | -WX |

-| Default Permissions | | | | | | | |

-> [!IMPORTANT]

-> Make sure you don't select "Default" if you don't intend to.

-description: How to use Azure Advisor with your Azure Virtual Desktop deployment.

-# Use Azure Advisor with Azure Virtual Desktop

-Azure Advisor can help users resolve common issues on their own without having to file support cases. The recommendations reduce the need to submit help requests, saving you time and costs.

-This article will tell you how to set up Azure Advisor in your Azure Virtual Desktop deployment to help your users.

-## What is Azure Advisor?

-Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost. Learn more at [the Azure Advisor website](https://azure.microsoft.com/services/advisor/).

-## How to start using Azure Advisor

-All you need to get started is an Azure account on the Azure portal. First, open the Azure portal at <https://portal.azure.com/#home>, then select **Advisor** under **Azure Services**, as shown in the following image. You can also enter "Azure Advisor" into the search bar in the Azure portal.

-> [!div class="mx-imgBorder"]

-> 

-When you open Azure Advisor, you'll see five categories:

-> [!div class="mx-imgBorder"]

-> 

-When you select a category, you'll go to its active recommendations page. On this page, you can view which recommendations Azure Advisor has for you, as shown in the following image.

-> [!div class="mx-imgBorder"]

-> 

-## Additional tips for Azure Advisor

-## Next steps

-To learn how to resolve recommendations, see [How to resolve Azure Advisor recommendations](azure-advisor-recommendations.md).

-You can also set up Azure Advisor to help you figure out how to resolve or prevent common issues. Learn more at [Use Azure Advisor with Azure Virtual Desktop](azure-advisor.md).

-If you want to learn more about the Azure portal for Azure Virtual Desktop, check out [our tutorials](create-host-pools-azure-marketplace.md). If you're already familiar with the basics, check out some of the other features you can use with the Azure portal, such as [MSIX app attach](app-attach-azure-portal.md) and [Azure Advisor](azure-advisor.md).

-The Guest Configuration extension is a component Azure Policy that performs audit and configuration operations inside virtual machines.

-A: Yes, Azure Hybrid Benefit on reserved instance for RHEL and SLES is available to all users. You can [learn more about this benefit and how to use it here](#azure-hybrid-benefit-on-reserved-instances).

- az ad sp create-for-rbac --name "ServicePrincipalName" --password "My-AAD-client-secret"

- az ad sp create-for-rbac --name "ServicePrincipalName" --password "My-AAD-client-secret"

-* Standard RHEL.

-* RHEL for SAP.

-* RHEL for SAP with High Availability and Update Services.

-If you decide not to use functionalities such as WSFC or Pacemaker on Linux (currently supported only for SUSE Linux Enterprise Server [SLES] 12 and later), Azure VM restart is utilized. It protects SAP systems against planned and unplanned downtime of the Azure physical server infrastructure and overall underlying Azure platform.

-| NAT Gateway | A public IP prefix can be used to scale a NAT gateway by using the public IPs in the prefix for outbound connections. | To associate a prefix to your NAT Gateway: </br> 1. [Create a prefix.](manage-public-ip-address-prefix.md) </br> 2. When creating the NAT Gateway, select the IP prefix as the Outbound IP. |

-Azure public IP addresses are created with a SKU, either basic or standard. The SKU determines their functionality including allocation method, feature support, and resources they can be associated with.

-In this article, you'll learn how to upgrade a static basic SKU public IP address to standard SKU using the Azure CLI.

-In this section, you'll use the Azure CLI and upgrade your static basic SKU public IP to the standard SKU.

-Azure public IP addresses are created with a SKU, either basic or standard. The SKU determines their functionality including allocation method, feature support, and resources they can be associated with.

-In this article, you'll learn how to upgrade a static basic SKU public IP address to standard SKU in the Azure portal.

-In this section, you'll sign in to the Azure portal and upgrade your static basic SKU public IP to the standard sku.

-Azure public IP addresses are created with a SKU, either basic or standard. The SKU determines their functionality including allocation method, feature support, and resources they can be associated with.

-In this article, you'll learn how to upgrade a static basic SKU public IP address to standard SKU using Azure PowerShell.

-In this section, you'll use the Azure CLI to upgrade your static basic SKU public IP to the standard SKU.