-| August 2023 | Added a downloadable package that contains the Microsoft Entra architecture icons, branding playbook (which contains guidelines about the Microsoft Security visual identity), and terms of use. |

- > [I agree to the above terms. Download icons.](https://download.microsoft.com/download/a/4/2/a4289cad-4eaf-4580-87fd-ce999a601516/Microsoft-Entra-architecture-icons.zip?wt.mc_id=microsoftentraicons_downloadmicrosoftentraicons_content_cnl_csasci)

-Additional context isn't supported for Network Policy Server (NPS) or Active Directory Federation Services (AD FS).

-> To complete this task, you must have *Microsoft Entra Permissions Management Administrator* permissions. You can't enable Permissions Management as a user from another tenant who has signed in via B2B or via Azure Lighthouse.

- 1. Browse to the [Microsoft Entra admin center](https://entra.microsoft.com) and sign in to [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) as a [Global Administrator](https://aka.ms/globaladmin).

-description: An introduction to Permissions Management.

-# What's Microsoft Entra Permissions Management?

-## Overview

-Permissions Management allows customers to address three key use cases: *discover*, *remediate*, and *monitor*.

-Permissions Management has been designed in such a way that we recommended you 'step-through' each of the below phases in order to gain insights into permissions across the organization. This is because you generally can't action what is yet to be discovered, likewise you can't continually evaluate what is yet to be remediated.

-Permissions Management deepens Zero Trust security strategies by augmenting the least privilege access principle, allowing customers to:

- > You can download a PDF report for up to 10 authorization systems at one time. The authorization systems must be part of the same cloud environment (for example, 1- 10 authorization systems that are all on Amazon Web Service (AWS)).

-These policies are directed at highly privileged administrators in your environment, where compromise may cause the most damage.

-As mentioned in the blog post [IPv6 is coming to Microsoft Entra ID](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/ipv6-coming-to-azure-ad/ba-p/2967451) we now support IPv6 in Microsoft Entra services.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).

-

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Reader](../roles/permissions-reference.md#global-reader).

-1. Browse to **Identity** > **Overview** > **Properties**.

-Microsoft has reamed Azure Active Directory (Azure AD) to Microsoft Entra ID for the following reasons: (1) to communicate the multicloud, multiplatform functionality of the products, (2) to alleviate confusion with Windows Server Active Directory, and (3) to unify the [Microsoft Entra](/entra) product family.

-Service plan display names will change on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID ΓÇô previously known as Azure AD ΓÇô continues to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and whatΓÇÖs included are available on the [pricing and free trials page](https://aka.ms/PricingEntra).

-Licensing, pricing, and functionality aren't changing. Display names will be updated October 1, 2023 as follows.

-Customers using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription continue to have access to the same capabilities. It will be called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>.

-If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant. To protect all of our users, security defaults are being rolled out to all new tenants at creation.

-This policy applies to all users who are accessing Azure Resource Manager services, whether they're an administrator or a user. This applies to ARM APIs such as accessing your subscription, VMs, storage accounts etc. This does not include Microsoft Entra ID or Microsoft Graph.

-Security defaults users are required to register for and use multifactor authentication using the [Microsoft Authenticator app using notifications](../authentication/concept-authentication-authenticator-app.md). Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option. Users can also use any third party application using [OATH TOTP](../authentication/concept-authentication-oath-tokens.md) to generate codes.

-|Single-factor one-time password (OTP) <br> (something you have)| Microsoft Authenticator App (OTP) <br> Single-factor Hardware/Software OTP<sup data-htmlnode="">1</sup>|

-|Single-factor crypto software <br> (something you have)|Single-factor software certificate <br> Microsoft Entra joined <sup data-htmlnode="">2</sup> with software TPM <br> Microsoft Entra hybrid joined <sup data-htmlnode="">2</sup> with software TPM <br> Compliant mobile device |

-|Single-factor crypto hardware <br> (something you have) | Microsoft Entra joined <sup data-htmlnode="">2</sup> with hardware TPM <br> Microsoft Entra hybrid joined <sup data-htmlnode="">2</sup> with hardware TPM|

-<sup data-htmlnode="">1</sup> 30-second or 60-second OATH-TOTP SHA-1 token

-<sup data-htmlnode="">2</sup> For more information on device join states, see [Microsoft Entra device identity](../devices/index.yml)

-| | [AU10TIX](https://www.au10tix.com/solutions/microsoft-azure-active-directory-verifiable-credentials-program) improves Verifiability While Protecting Privacy For Businesses, Employees, Contractors, Vendors, And Customers. | [Configure Verified ID by AU10TIX as your Identity Verification Partner](https://aka.ms/au10tixvc). |

-|  | [Idemia](https://na.idemia.com/identity/verifiable-credentials/) Integration with Verified ID enables ΓÇ£Verify once, use everywhereΓÇ¥ functionality.| * |

-The API call returns an **vector** JSON object, which defines the image's coordinates in the high-dimensional vector space.

-The API call returns an **vector** JSON object, which defines the text string's coordinates in the high-dimensional vector space.

-Our standard (not customized) language service features are built on AI models that we call pre-trained models.

-We strongly recommend using the `latest` model version to utilize the latest and highest quality models. As our models improve, itΓÇÖs possible that some of your model results may change. Model versions may be deprecated, so don't recommend including specified versions in your implementation.

-| Feature | Supported versions |

-|--|--|

-| Sentiment Analysis and opinion mining | `2021-10-01`, `2022-06-01`,`2022-10-01`,`2022-11-01*` |

-| Language Detection | `2021-11-20`, `2022-10-01*` |

-| Entity Linking | `2021-06-01*` |

-| Named Entity Recognition (NER) | `2021-06-01*`, `2022-10-01-preview`, `2023-02-01-preview`, `2023-04-15-preview**`|

-| Personally Identifiable Information (PII) detection | `2021-01-15*`, `2023-01-01-preview`, `2023-04-15-preview**` |

-| PII detection for conversations (Preview) | `2022-05-15-preview`, `2023-04-15-preview**` |

-| Question answering | `2021-10-01*` |

-| Text Analytics for health | `2021-05-15`, `2022-03-01*`, `2022-08-15-preview`, `2023-01-01-preview**`|

-| Key phrase extraction | `2021-06-01`, `2022-07-01`,`2022-10-01*` |

-| Document summarization - extractive only (preview) | `2022-08-31-preview**` |

-\* Latest Generally Available (GA) model version

-| Conversational language understanding | `2022-05-01` | October 28, 2022 | October 28, 2023 |

-| **Vision** | | |

-| [Azure AI Vision](https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/) | Free, Standard (S1) | Billed by the number of transactions. Price per transaction varies per feature (Read, OCR, Spatial Analysis). For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/). |

-| **Speech** | | |

-| [Speech service](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) | Free, Standard | Billing varies by feature (speech-to-text, text to speech, speech translation, speaker recognition). Primarily, billing is by transaction count or character count. For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/). |

-| **Language** | | |

-| [QnA Maker](https://azure.microsoft.com/pricing/details/cognitive-services/qna-maker/) | Free, Standard | Subscription fee billed monthly. For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/qna-maker/). |

-| [Language service](https://azure.microsoft.com/pricing/details/cognitive-services/text-analytics/) | Free, Standard | Billed by number of text records. |

-| [Translator](https://azure.microsoft.com/pricing/details/cognitive-services/translator/) | Free, Pay-as-you-go (S1), Volume discount (S2, S3, S4, C2, C3, C4, D3) | Pricing varies by meter and feature. For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator/). <li>Text translation is billed by number of characters translated.</li><li>Document translation is billed by characters translated.</li><li>Custom translation is billed by characters of source and target training data.</li> |

-| **Decision** | | |

-| [Anomaly Detector](https://azure.microsoft.com/pricing/details/cognitive-services/anomaly-detector/) | Free, Standard | Billed by the number of transactions. |

-| [Content Moderator](https://azure.microsoft.com/pricing/details/cognitive-services/content-moderator/) | Free, Standard | Billed by the number of transactions. |

-<!-- Note to Azure service writer: Modify the following as needed for your service. Replace example screenshots with ones taken for your service. If you need assistance capturing screenshots, ask banders for help. -->

-2. Open the scope in the Azure portal and select **Cost analysis** in the menu. For example, go to **Subscriptions**, select a subscription from the list, and then select **Cost analysis** in the menu. Select **Scope** to switch to a different scope in cost analysis.

-3. By default, cost for services are shown in the first donut chart. Select the area in the chart labeled Azure AI services.

-> [Learn more about Azure AI containers](../../containers/index.yml?context=%2fazure%2fcognitive-services%2ftranslator%2fcontext%2fcontext)

-|  [Anomaly Detector](./Anomaly-Detector/index.yml)(retired) | Identify potential problems early on |

-|  [Metrics Advisor](./metrics-advisor/index.yml)(retired) | An AI service that detects unwanted contents |

-|  [Personalizer](./personalizer/index.yml)(retired) | Create rich, personalized experiences for each user |

-| 1.25 | Aug 2022 | Oct 2022 | Dec 2022 | Dec 2023 | Until 1.29 GA |

-* Log to [Application Insights](api-management-howto-app-insights.md) for debugging purposes. Correlate [transactions in Application Insights](../azure-monitor/app/transaction-diagnostics.md) between API Management and the backend API to [trace them end-to-end](../azure-monitor/app/correlation.md).

-If you change your Docker container settings to point to a new container, it may take a few minutes before the app serves HTTP requests from the new container. While the new container is being pulled and started, App Service continues to serve requests from the old container. Only when the new container is started and ready to receive requests does App Service start sending requests to it.

-If the app changes compute instances for any reason, such as scaling up and down the pricing tiers, App Service must pull down all layers again. The same is true if you scale out to add additional instances. There are also rare cases where the app instances may change without a scale operation.

-Your custom container may use environment variables that need to be supplied externally. You can pass them in via the [Cloud Shell](https://shell.azure.com). In Bash:

-The new keys at each restart may reset ASP.NET forms authentication and view state, if your app depends on them. To prevent the automatic regeneration of keys, [set them manually as App Service app settings](#configure-environment-variables).

-You can connect to your Windows container directly for diagnostic tasks by navigating to `https://<app-name>.scm.azurewebsites.net/DebugConsole`. Here's how it works:

-If you try to download the Docker log that is currently in use using an FTP client, you may get an error because of a file lock.

-Navigate directly to `https://<app-name>.scm.azurewebsites.net/api/logs/docker` to see metadata for the Docker logs. You may see more than one log file listed, and the `href` property lets you download the log file directly.

-By default, a Windows container runs with all available cores for your chosen pricing tier. You may want to reduce the number of cores that your staging slot uses, for example. To reduce the number of cores used by a container, set the `WEBSITE_CPU_CORES_LIMIT` app setting to the preferred number of cores. You can set it via the [Cloud Shell](https://shell.azure.com). In Bash:

-The processors may be multicore or hyperthreading processors. Information on how many cores are available for each pricing tier can be found in [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/windows/), in the **Premium v3 service plan** section.

-description: You can open an SSH session to a Linux container in Azure App Service. Custom Linux containers are supported with some modifications to your custom image.

-keywords: azure app service, web app, linux, oss

-# Open an SSH session to a Linux container in Azure App Service

-[Secure Shell (SSH)](https://wikipedia.org/wiki/Secure_Shell) is commonly used to execute administrative commands remotely from a command-line terminal. App Service on Linux provides SSH support into the app container.

-You can post questions and concerns on the [Azure forum](/answers/topics/azure-webapps.html).

- - filters:

- - type: URLRewrite

- urlRewrite:

- path:

- type: ReplacePrefixMatch

- replacePrefixMatch: /ecommerce

-By default, the feature is pre-configured to evaluate the percentage CPU metric to see if average utilization is 5 percent or less. This scenario is controlled by the following variables and can be modified if the default values don't meet your requirements:

-* `External_AutoStop_MetricName`

-* `External_AutoStop_Threshold`

-* `External_AutoStop_TimeAggregationOperator`

-* `External_AutoStop_TimeWindow`

-* `External_AutoStop_Frequency`

-* `External_AutoStop_Severity`

-### Image tag

-`v1.24.0_2023-10-10`

-### Image tag

-`v1.23.0_2023-09-12`

-### Image tag

-`v1.22.0_2023-08-08`

-### Image tag

-`v1.21.0_2023-07-11`

-### Image tag

-`v1.20.0_2023-06-13`

-### Image tag

-`v1.19.0_2023-05-09`

-### Image tag

-`v1.18.0_2023-04-11`

-### Image tag

-`v1.17.0_2023-03-14`

-### Image tag

-`v1.16.0_2023-02-14`

-### Image tag

-`v1.15.0_2023-01-10`

-### Image tag

-`v1.14.0_2022-12-13`

-### Image tag

-`v1.13.0_2022-11-08`

-### Image tag

-`v1.12.0_2022-10-11`

-### Image tag

-`v1.11.0_2022-09-13`

-### Image tag

-`v1.10.0_2022-08-09`

-### Image tag

-`v1.9.0_2022-07-12`

-### Image tag

-`v1.8.0_2022-06-14`

-### Image tag

-`v1.7.0_2022-05-24`

-### Image tag

-`v1.6.0_2022-05-02`

-### Image tag

-`v1.5.0_2022-04-05`

-### Image tag

-`v1.4.1_2022-03-08`

-### Image tag

-`v1.4.0_2022-02-25`

-### Image tag

-`v1.3.0_2022-01-27`

-| VMware | [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) |TKGm 2.3; upstream K8s v1.26.5+vmware.2<br>TKGm 2.2; upstream K8s v1.25.7+vmware.2 <br>TKGm 2.1.0; upstream K8s v1.24.9+vmware.1 <br>TKGm 1.6.0; upstream K8s v1.23.8+vmware.2|

-### Required Azure permissions

-* To onboard Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.

-* To read, modify, and delete Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.

-### Networking

-Arc resource bridge communicates outbound securely to Azure Arc over TCP port 443. If the appliance needs to connect through a firewall or proxy server to communicate over the internet, it communicates outbound using the HTTPS protocol. You may need to allow specific URLs to [ensure outbound connectivity is not blocked](troubleshoot-resource-bridge.md#not-able-to-connect-to-url) by your firewall or proxy server. For more information, see [Azure Arc resource bridge (preview) network requirements](network-requirements.md).

- > This account requires the "Log on as a service" right. This right is automatically granted during agent installation, but if your organization configures user rights assignments with Group Policy, you may need to adjust your Group Policy Object to grant the right to "NT SERVICE\\himds" or "NT SERVICE\\ALL SERVICES" to allow the agent to function.

-* The Extension Service agent can use up to 5% of the CPU to install, upgrade, run, and delete extensions. Some extensions may apply more restrictive CPU limits once installed. The following exceptions apply:

- | MDE.Linux | Linux | 30% |

-## Version 1.18 - May 2022

-## Version 1.6 - May 2021

-## Version 1.31 - June 2023

-Download for [Windows](https://download.microsoft.com/download/2/6/e/26e2b001-1364-41ed-90b0-1340a44ba409/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

-### Known issue

-The first release of agent version 1.31 had a known issue affecting customers using proxy servers. The issue displays as `AZCM0026: Network Error` and a message about "no IP addresses found" when connecting a server to Azure Arc using a proxy server. A newer version of agent 1.31 was released on June 14, 2023 that addresses this issue.

-To check if you're running the latest version of the Azure connected machine agent, navigate to the server in the Azure portal or run `azcmagent show` from a terminal on the server itself and look for the "Agent version." The table below shows the version numbers for the first and patched releases of agent 1.31.

-| Package type | Version number with proxy issue | Version number of patched agent |

-| | - | - |

-| Windows | 1.31.02347.1069 | 1.31.02356.1083 |

-| RPM-based Linux | 1.31.02347.957 | 1.31.02356.970 |

-| DEB-based Linux | 1.31.02347.939 | 1.31.02356.952 |

-### New features

-### Fixed

-This option is the default on Windows operating systems with a desktop experience. It login page opens in your default web browser. This option may be required if your organization has configured conditional access policies that require you to log in from trusted machines.

-This option is the default on Windows operating systems with a desktop experience. The login page opens in your default web browser. This option may be required if your organization has configured conditional access policies that require you to log in from trusted machines.

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-Each Azure Arc-enabled server has a managed identity as part of a resource group inside an Azure subscription. That identity represents the server running on-premises or other cloud environment. Access to this resource is controlled by standard [Azure role-based access control](../../role-based-access-control/overview.md). From the [**Access Control (IAM)**](../../role-based-access-control/role-assignments-portal.md) page in the Azure portal, you can verify who has access to your Azure Arc-enabled server.

-Starting with agent version 1.16, you can optionally limit the extensions that can be installed on your server and disable Guest Configuration. These controls can be useful when connecting servers to Azure that need to be monitored or secured by Azure, but should not allow arbitrary management capabilities like running scripts with Custom Script Extension or configuring settings on the server with Guest Configuration.

-These security controls can only be configured by running a command on the server itself and cannot be modified from Azure. This approach preserves the server admin's intent when enabling remote management scenarios with Azure Arc, but also means that changing the setting is more difficult if you later decide to change them. This feature is intended for particularly sensitive servers (for example, Active Directory Domain Controllers, servers that handle payment data, and servers subject to strict change control measures). In most other cases, it is not necessary to modify these settings.

-To limit which [extensions](manage-vm-extensions.md) can be installed on your server, you can configure lists of the extensions you wish to allow and block on the server. The extension manager will evaluate all requests to install, update, or upgrade extensions against the allowlist and blocklist to determine if the extension can be installed on the server. Delete requests are always allowed.

-The most secure option is to explicitly allow the extensions you expect to be installed. Any extension not in the allowlist is automatically blocked. To configure the Azure Connected Machine agent to allow only the Log Analytics Agent for Linux and the Dependency Agent for Linux, run the following command on each server:

-azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/OMSAgentForLinux,Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentLinux"

-You can block one or more extensions by adding them to the blocklist. If an extension is present in both the allowlist and blocklist, it will be blocked. To block the Custom Script extension for Linux, run the following command:

-Extensions are specified by their publisher and type, separated by a forward slash. See the list of the [most common extensions](manage-vm-extensions.md) in the docs or list the VM extensions already installed on your server in the [portal](manage-vm-extensions-portal.md#list-extensions-installed), [Azure PowerShell](manage-vm-extensions-powershell.md#list-extensions-installed), or [Azure CLI](manage-vm-extensions-cli.md#list-extensions-installed).

-The table below describes the behavior when performing an extension operation against an agent that has the allowlist or blocklist configured.

-> If an extension is already installed on your server before you configure an allowlist or blocklist, it will not automatically be removed. It is your responsibility to delete the extension from Azure to fully remove it from the machine. Delete requests are always accepted to accommodate this scenario. Once deleted, the allowlist and blocklist will determine whether or not to allow future install attempts.

-When Guest Configuration is disabled, any Guest Configuration policies assigned to the machine in Azure will report as non-compliant. Consider [creating an exemption](../../governance/policy/concepts/exemption-structure.md) for these machines or [changing the scope](../../governance/policy/concepts/assignment-structure.md#excluded-scopes) of your policy assignments if you don't want to see these machines reported as non-compliant.

-Disabling the extension manager will not remove any extensions already installed on your server. Extensions that are hosted in their own Windows or Linux services, such as the Log Analytics Agent, may continue to run even if the extension manager is disabled. Other extensions that are hosted by the extension manager itself, like the Azure Monitor Agent, will not run if the extension manger is disabled. You should [remove any extensions](manage-vm-extensions-portal.md#remove-extensions) before disabling the extension manager to ensure no extensions continue to run on the server.

-When configuring the Azure Connected Machine agent with a reduced set of capabilities, it is important to consider the mechanisms that someone could use to remove those restrictions and implement appropriate controls. Anybody capable of running commands as an administrator or root user on the server can change the Azure Connected Machine agent configuration. Extensions and guest configuration policies execute in privileged contexts on your server, and as such may be able to change the agent configuration. If you apply these security controls to lock down the agent, Microsoft recommends the following best practices to ensure only local server admins can update the agent configuration:

-It's common to use Azure Arc to monitor your servers with Azure Monitor and Microsoft Sentinel and secure them with Microsoft Defender for Cloud. The following configuration samples can help you configure the Azure Arc Connected Machine agent to only allow these scenarios.

-Microsoft Defender for Cloud enables additional extensions on your server to identify vulnerable software on your server and enable Microsoft Defender for Endpoint (if configured). Microsoft Defender for Cloud also uses Guest Configuration for its regulatory compliance feature. Since a custom Guest Configuration assignment could be used to undo the agent limitations, you should carefully evaluate whether or not you need the regulatory compliance feature and, as a result, Guest Configuration to be enabled on the machine.

-While the Hybrid Instance Metadata Service can be accessed by any application running on the machine, only authorized applications can request a Microsoft Entra token for the system assigned identity. On the first attempt to access the token URI, the service will generate a randomly generated cryptographic blob in a location on the file system that only trusted callers can read. The caller must then read the file (proving it has appropriate permission) and retry the request with the file contents in the authorization header to successfully retrieve a Microsoft Entra token.

-The logical isolation of tenant infrastructure in a public multi-tenant cloud is [fundamental to maintaining security](https://azure.microsoft.com/resources/azure-network-security/). The overarching principle for a virtualized solution is to allow only connections and communications that are necessary for that virtualized solution to operate, blocking all other ports and connections by default. Azure [Virtual Network](../virtual-network/virtual-networks-overview.md) (VNet) helps ensure that your private network traffic is logically isolated from traffic belonging to other customers. Virtual Machines (VMs) in one VNet can't communicate directly with VMs in a different VNet even if both VNets are created by the same customer. [Networking isolation](../security/fundamentals/isolation-choices.md#networking-isolation) ensures that communication between your VMs remains private within a VNet. You can connect your VNets via [VNet peering](../virtual-network/virtual-network-peering-overview.md) or [VPN gateways](../vpn-gateway/vpn-gateway-about-vpngateways.md), depending on your connectivity options, including bandwidth, latency, and encryption requirements.

-> - **[Azure network security white paper](https://azure.microsoft.com/resources/azure-network-security/)**

-The following features and services now have and Azure Monitor Agent version (some are still in Public Preview). This means you can already choose to use Azure Monitor Agent to collect data when you enable the feature or service.

-* [Search explorer](../app/diagnostic-search.md)

-To investigate further, click on 'View full details in Application Insights' the links in this page will take you straight to a [search page](../app/diagnostic-search.md) filtered to the relevant requests, exception, dependency, or traces.

-* [Search explorer](../app/diagnostic-search.md)

-In Application Insights, a *custom event* is a data point that you can display in [Metrics Explorer](../essentials/metrics-charts.md) as an aggregated count and in [Diagnostic Search](./diagnostic-search.md) as individual occurrences. (It isn't related to MVC or other framework "events.")

-You can correlate telemetry items together by associating them with operation context. The standard request-tracking module does this for exceptions and other events that are sent while an HTTP request is being processed. In [Search](./diagnostic-search.md) and [Analytics](../logs/log-query-overview.md), you can easily find any events associated with the request by using its operation ID.

-* To [examine individual occurrences](./diagnostic-search.md).

-Use `TrackTrace` to help diagnose problems by sending a "breadcrumb trail" to Application Insights. You can send chunks of diagnostic data and inspect them in [Diagnostic Search](./diagnostic-search.md).

-In [Search](./diagnostic-search.md), you can then easily filter out all the messages of a particular severity level that relate to a particular database.

-You can also [search](./diagnostic-search.md) for client data points with specific user names and accounts.

-* [Search events and logs](./diagnostic-search.md)

-* [Search events and logs](./diagnostic-search.md)

-* The [end-to-end transaction diagnostic experience](transaction-diagnostics.md) correlates server-side telemetry from across all your Application Insights-monitored components into a single view.

-* [Transaction Diagnostics](transaction-diagnostics.md) shows unified, correlated server data.

-Below is the currently supported list of dependency calls that are automatically detected as dependencies without requiring any additional modification to your application's code. These dependencies are visualized in the Application Insights [Application map](./app-map.md) and [Transaction diagnostics](./transaction-diagnostics.md) views. If your dependency isn't on the list below, you can still track it manually with a [track dependency call](./api-custom-events-metrics.md#trackdependency).

-* <xref:Microsoft.VisualStudio.ApplicationInsights.TelemetryClient.TrackEvent%2A?displayProperty=nameWithType> is typically used for monitoring usage patterns, but the data it sends also appears under **Custom Events** in diagnostic search. Events are named and can carry string properties and numeric metrics on which you can [filter your diagnostic searches](./diagnostic-search.md).

-To see these events, on the left menu, open [Search](./diagnostic-search.md). Select the dropdown menu **Event types**, and then choose **Custom Event**, **Trace**, or **Exception**.

-The properties and measurements parameters are optional, but they're useful for [filtering and adding](./diagnostic-search.md) extra information. For example, if you have an app that can run several games, you could find all the exception reports related to a particular game. You can add as many items as you want to each dictionary.

-* [Learn more about Transaction Search](diagnostic-search.md)

-[diagnostic]: ./diagnostic-search.md

-* [Transaction diagnostics](./transaction-diagnostics.md)

-To learn more about the end-to-end transaction diagnostics experience, see the [transaction diagnostics documentation](./transaction-diagnostics.md).

-|Environment/Resource provider | .NET Framework | .NET Core / .NET | Java | Node.js | Python |

-|-|||-|-|--|

-|Azure App Service on Windows - Publish as Code | [ :white_check_mark: :link: ](azure-web-apps-net.md) ┬╣ | :x: |

-|Azure App Service on Windows - Publish as Docker | [ :white_check_mark: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) ┬▓ | :x: | :x: |

-|Azure App Service on Linux - Publish as Code | :x: | [ :white_check_mark: :link: ](azure-web-apps-net-core.md?tabs=linux) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: |

-|Azure App Service on Linux - Publish as Docker | :x: | :x: | [ :white_check_mark: :link: ](azure-web-apps-java.md) | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: |

-|Azure Functions - basic | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ |

-|Azure Functions - dependencies | :x: | :x: | [ :white_check_mark: :link: ](monitor-functions.md) | :x: | [ :white_check_mark: :link: ](monitor-functions.md#distributed-tracing-for-python-function-apps) |

-|Azure Spring Cloud | :x: | :x: | [ :white_check_mark: :link: ](azure-web-apps-java.md) | :x: | :x: |

-|Azure Kubernetes Service (AKS) | :x: | :x: | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |

-|Azure VMs Windows | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) ┬▓ | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |

-|On-premises VMs Windows | [ :white_check_mark: :link: ](application-insights-asp-net-agent.md) ┬│ | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |

-|Standalone agent - any environment | :x: | :x: | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |

-[diagnostic]: ./diagnostic-search.md

-Application Insights uses dependency type to customize UI experiences. For queues, it recognizes the following types of `DependencyTelemetry` that improve [Transaction diagnostics experience](./transaction-diagnostics.md):

-description: Search and filter raw telemetry sent by your web app.

-# Use Search in Application Insights

-Transaction search is a feature of [Application Insights](./app-insights-overview.md) that you use to find and explore individual telemetry items, such as page views, exceptions, or web requests. You can also view log traces and events that you've coded.

-For more complex queries over your data, use [Log Analytics](../logs/log-analytics-tutorial.md).

-## Where do you see Search?

-You can find **Search** in the Azure portal or Visual Studio.

-### In the Azure portal

-You can open transaction search from the Application Insights **Overview** tab of your application. You can also select **Search** under **Investigate** on the left menu.

-Go to the **Event types** dropdown menu to see a list of telemetry items such as server requests, page views, and custom events that you've coded. At the top of the **Results** list is a summary chart showing counts of events over time.

-Back out of the dropdown menu or select **Refresh** to get new events.

-### In Visual Studio

-In Visual Studio, there's also an **Application Insights Search** window. It's most useful for displaying telemetry events generated by the application that you're debugging. But it can also show the events collected from your published app at the Azure portal.

-Open the **Application Insights Search** window in Visual Studio:

-The **Application Insights Search** window has features similar to the web portal:

-The **Track Operation** tab is available when you open a request or a page view. An "operation" is a sequence of events that's associated with a single request or page view. For example, dependency calls, exceptions, trace logs, and custom events might be part of a single operation. The **Track Operation** tab shows graphically the timing and duration of these events in relation to the request or page view.

-## Inspect individual items

-Select any telemetry item to see key fields and related items.

-The end-to-end transaction details view opens.

-## Filter event types

-Open the **Event types** dropdown menu and choose the event types you want to see. If you want to restore the filters later, select **Reset**.

-The event types are:

-* **Trace**: [Diagnostic logs](./asp-net-trace-logs.md) including TrackTrace, log4Net, NLog, and System.Diagnostic.Trace calls.

-* **Request**: HTTP requests received by your server application including pages, scripts, images, style files, and data. These events are used to create the request and response overview charts.

-* **Page View**: [Telemetry sent by the web client](./javascript.md) used to create page view reports.

-* **Custom Event**: If you inserted calls to `TrackEvent()` to [monitor usage](./api-custom-events-metrics.md), you can search them here.

-* **Exception**: Uncaught [exceptions in the server](./asp-net-exceptions.md), and the exceptions that you log by using `TrackException()`.

-* **Dependency**: [Calls from your server application](./asp-net-dependencies.md) to other services such as REST APIs or databases, and AJAX calls from your [client code](./javascript.md).

-* **Availability**: Results of [availability tests](availability-overview.md)

-## Filter on property values

-You can filter events on the values of their properties. The available properties depend on the event types you selected. Select **Filter** :::image type="content" source="./media/diagnostic-search/filter-icon.png" lightbox="./media/diagnostic-search/filter-icon.png" alt-text="Filter icon"::: to start.

-Choosing no values of a particular property has the same effect as choosing all values. It switches off filtering on that property.

-Notice that the counts to the right of the filter values show how many occurrences there are in the current filtered set.

-## Find events with the same property

-To find all the items with the same property value, either enter it in the **Search** box or select the checkbox when you look through properties on the **Filter** tab.

-## Search the data

-> [!NOTE]

-> To write more complex queries, open [Logs (Analytics)](../logs/log-analytics-tutorial.md) at the top of the **Search** pane.

->

-You can search for terms in any of the property values. This capability is useful if you've written [custom events](./api-custom-events-metrics.md) with property values.

-You might want to set a time range because searches over a shorter range are faster.

-Search for complete words, not substrings. Use quotation marks to enclose special characters.

-| String | *Not* found | Found |

-| | | |

-| HomeController.About |`home`<br/>`controller`<br/>`out` | `homecontroller`<br/>`about`<br/>`"homecontroller.about"`|

-|United States|`Uni`<br/>`ted`|`united`<br/>`states`<br/>`united AND states`<br/>`"united states"`

-You can use the following search expressions:

-| Sample query | Effect |

-| | |

-| `apple` |Find all events in the time range whose fields include the word "apple". |

-| `apple AND banana` <br/>`apple banana` |Find events that contain both words. Use capital "AND", not "and". <br/>Short form. |

-| `apple OR banana` |Find events that contain either word. Use "OR", not "or". |

-| `apple NOT banana` |Find events that contain one word but not the other. |

-## Sampling

-If your app generates a large amount of telemetry, and you're using the ASP.NET SDK version 2.0.0-beta3 or later, the adaptive sampling module automatically reduces the volume that's sent to the portal by sending only a representative fraction of events. Events that are related to the same request are selected or deselected as a group so that you can navigate between related events.

-Learn about [sampling](./sampling.md).

-## Create work item

-You can create a bug in GitHub or Azure DevOps with the details from any telemetry item.

-Go to the end-to-end transaction detail view by selecting any telemetry item. Then select **Create work item**.

-The first time you do this step, you're asked to configure a link to your Azure DevOps organization and project. You can also configure the link on the **Work Items** tab.

-## Send more telemetry to Application Insights

-In addition to the out-of-the-box telemetry sent by Application Insights SDK, you can:

-* Capture log traces from your favorite logging framework in [.NET](./asp-net-trace-logs.md) or [Java](./opentelemetry-add-modify.md?tabs=java#logs). This means you can search through your log traces and correlate them with page views, exceptions, and other events.

-* [Write code](./api-custom-events-metrics.md) to send custom events, page views, and exceptions.

-Learn how to [send logs and custom telemetry to Application Insights](./asp-net-trace-logs.md).

-## <a name="questions"></a>Frequently asked questions

-Find answers to common questions.

-### <a name="limits"></a>How much data is retained?

-See the [Limits summary](../service-limits.md#application-insights).

-### How can I see POST data in my server requests?

-We don't log the POST data automatically, but you can use [TrackTrace or log calls](./asp-net-trace-logs.md). Put the POST data in the message parameter. You can't filter on the message in the same way you can filter on properties, but the size limit is longer.

-### Why does my Azure Function search return no results?

-The URL query strings are not logged by Azure Functions.

-## <a name="add"></a>Next steps

-* [Write complex queries in Analytics](../logs/log-analytics-tutorial.md)

-* [Send logs and custom telemetry to Application Insights](./asp-net-trace-logs.md)

-* [Availability overview](availability-overview.md)

-Azure Monitor provides two experiences for consuming distributed trace data: the [transaction diagnostics](./transaction-diagnostics.md) view for a single transaction/request and the [application map](./app-map.md) view to show how systems interact.

-* [Use Diagnostic Search](./diagnostic-search.md)

-* Use [Search](./diagnostic-search.md) to look for specific events.

-* [Create work items](./diagnostic-search.md#create-work-item)

-* You want synchronized sampling between client and server so that, when you're investigating events in [Search](./diagnostic-search.md), you can navigate between related events on the client and server, such as page views and HTTP requests.

-You can set the **Application Version** property so that you can filter [search](../../azure-monitor/app/diagnostic-search.md) and [metric explorer](../../azure-monitor/essentials/metrics-charts.md) results.

-When the Application Insights web module has the build information, it automatically adds **Application Version** as a property to every item of telemetry. For this reason, you can filter by version when you perform [diagnostic searches](../../azure-monitor/app/diagnostic-search.md) or when you [explore metrics](../../azure-monitor/essentials/metrics-charts.md).

-description: This article explains Application Insights end-to-end transaction diagnostics.

-# Unified cross-component transaction diagnostics

-The unified diagnostics experience automatically correlates server-side telemetry from across all your Application Insights monitored components into a single view. It doesn't matter if you have multiple resources. Application Insights detects the underlying relationship and allows you to easily diagnose the application component, dependency, or exception that caused a transaction slowdown or failure.

-## What is a component?

-Components are independently deployable parts of your distributed or microservice application. Developers and operations teams have code-level visibility or access to telemetry generated by these application components.

-* Components are different from "observed" external dependencies, such as SQL and event hubs, which your team or organization might not have access to (code or telemetry).

-* Components run on any number of server, role, or container instances.

-* Components can be separate Application Insights instrumentation keys, even if subscriptions are different. Components also can be different roles that report to a single Application Insights instrumentation key. The new experience shows details across all components, regardless of how they were set up.

-> [!NOTE]

-> Are you missing the related item links? All the related telemetry is on the left side in the [top](#cross-component-transaction-chart) and [bottom](#all-telemetry-with-this-operation-id) sections.

-## Transaction diagnostics experience

-This view has four key parts: a results list, a cross-component transaction chart, a time-sequence list of all telemetry related to this operation, and the details pane for any selected telemetry item on the left.

-## Cross-component transaction chart

-This chart provides a timeline with horizontal bars during requests and dependencies across components. Any exceptions that are collected are also marked on the timeline.

-1. The top row on this chart represents the entry point. It's the incoming request to the first component called in this transaction. The duration is the total time taken for the transaction to complete.

-1. Any calls to external dependencies are simple noncollapsible rows, with icons that represent the dependency type.

-1. Calls to other components are collapsible rows. Each row corresponds to a specific operation invoked at the component.

-1. By default, the request, dependency, or exception that you selected appears on the right side. Select any row to see its [details](#details-of-the-selected-telemetry).

-> [!NOTE]

-> Calls to other components have two rows. One row represents the outbound call (dependency) from the caller component. The other row corresponds to the inbound request at the called component. The leading icon and distinct styling of the duration bars help differentiate between them.

-## All telemetry with this Operation ID

-This section shows a flat list view in a time sequence of all the telemetry related to this transaction. It also shows the custom events and traces that aren't displayed in the transaction chart. You can filter this list to telemetry generated by a specific component or call. You can select any telemetry item in this list to see corresponding [details on the right](#details-of-the-selected-telemetry).

-## Details of the selected telemetry

-This collapsible pane shows the detail of any selected item from the transaction chart or the list. **Show all** lists all the standard attributes that are collected. Any custom attributes are listed separately under the standard set. Select the ellipsis button (...) under the **Call Stack** trace window to get an option to copy the trace. **Open profiler traces** and **Open debug snapshot** show code-level diagnostics in corresponding detail panes.

-## Search results

-This collapsible pane shows the other results that meet the filter criteria. Select any result to update the respective details of the preceding three sections. We try to find samples that are most likely to have the details available from all components, even if sampling is in effect in any of them. These samples are shown as suggestions.

-## Profiler and Snapshot Debugger

-[Application Insights Profiler](./profiler.md) or [Snapshot Debugger](snapshot-debugger.md) help with code-level diagnostics of performance and failure issues. With this experience, you can see Profiler traces or snapshots from any component with a single selection.

-If you can't get Profiler working, contact serviceprofilerhelp\@microsoft.com.

-If you can't get Snapshot Debugger working, contact snapshothelp\@microsoft.com.

-## Frequently asked questions

-This section provides answers to common questions.

-### Why do I see a single component on the chart and the other components only show as external dependencies without any details?

-Potential reasons:

-* Are the other components instrumented with Application Insights?

-* Are they using the latest stable Application Insights SDK?

-* If these components are separate Application Insights resources, do you have required [access](resources-roles-access-control.md)?

-If you do have access and the components are instrumented with the latest Application Insights SDKs, let us know via the feedback channel in the upper-right corner.

-### I see duplicate rows for the dependencies. Is this behavior expected?

-Currently, we're showing the outbound dependency call separate from the inbound request. Typically, the two calls look identical with only the duration value being different because of the network round trip. The leading icon and distinct styling of the duration bars help differentiate between them. Is this presentation of the data confusing? Give us your feedback!

-### What about clock skews across different component instances?

-Timelines are adjusted for clock skews in the transaction chart. You can see the exact timestamps in the details pane or by using Log Analytics.

-### Why is the new experience missing most of the related items queries?

-This behavior is by design. All the related items, across all components, are already available on the left side in the top and bottom sections. The new experience has two related items that the left side doesn't cover: all telemetry from five minutes before and after this event and the user timeline.

-### Is there a way to see fewer events per transaction when I use the Application Insights JavaScript SDK?

-The transaction diagnostics experience shows all telemetry in a [single operation](distributed-tracing-telemetry-correlation.md#data-model-for-telemetry-correlation) that shares an [Operation ID](data-model-complete.md#operation-id). By default, the Application Insights SDK for JavaScript creates a new operation for each unique page view. In a single-page application (SPA), only one page view event will be generated and a single Operation ID will be used for all telemetry generated. As a result, many events might be correlated to the same operation.

-In these scenarios, you can use Automatic Route Tracking to automatically create new operations for navigation in your SPA. You must turn on [enableAutoRouteTracking](javascript.md#single-page-applications) so that a page view is generated every time the URL route is updated (logical page view occurs). If you want to manually refresh the Operation ID, call `appInsights.properties.context.telemetryTrace.traceID = Microsoft.ApplicationInsights.Telemetry.Util.generateW3CId()`. Manually triggering a PageView event also resets the Operation ID.

-### Why do transaction detail durations not add up to the top-request duration?

-Time not explained in the Gantt chart is time that isn't covered by a tracked dependency. This issue can occur because external calls weren't instrumented, either automatically or manually. It can also occur because the time taken was in process rather than because of an external call.

-If all calls were instrumented, in process is the likely root cause for the time spent. A useful tool for diagnosing the process is the [Application Insights profiler](./profiler.md).

-### What if I see the message ***Error retrieving data*** while navigating Application Insights in the Azure portal?

-This error indicates that the browser was unable to call into a required API or the API returned a failure response. To troubleshoot the behavior, open a browser [InPrivate window](https://support.microsoft.com/microsoft-edge/browse-inprivate-in-microsoft-edge-cd2c9a48-0bc4-b98e-5e46-ac40c84e27e2) and [disable any browser extensions](https://support.microsoft.com/microsoft-edge/add-turn-off-or-remove-extensions-in-microsoft-edge-9c0ec68c-2fbc-2f2c-9ff0-bdc76f46b026) that are running, then identify if you can still reproduce the portal behavior. If the portal error still occurs, try testing with other browsers, or other machines, investigate DNS or other network related issues from the client machine where the API calls are failing. If the portal error persists and requires further investigations, then [collect a browser network trace](../../azure-portal/capture-browser-trace.md#capture-a-browser-trace-for-troubleshooting) while you reproduce the unexpected portal behavior and open a support case from the Azure portal.

-Application-Insights|[Use Search in Application Insights](app/diagnostic-search.md)|We clarified that URL query strings are not logged by Azure Functions and that URL query strings won't show up in searches.|

-|[Unified cross-component transaction diagnostics](./app/transaction-diagnostics.md)|Added a FAQ section to help troubleshoot Azure portal errors like "error retrieving data."|

-Use the symbolic name to reference the module in another part of the Bicep file. For example, you can use the symbolic name to get the output from a module. The symbolic name may contain a-z, A-Z, 0-9, and underscore (`_`). The name can't start with a number. A module can't have the same name as a parameter, variable, or resource.

-If a module with a static name is deployed concurrently to the same scope, there's the potential for one deployment to interfere with the output from the other deployment. For example, if two Bicep files use the same module with the same static name (`examplemodule`) and targeted to the same resource group, one deployment may show the wrong output. If you're concerned about concurrent deployments to the same scope, give your module a unique name.

-The public module registry is hosted in a Microsoft container registry (MCR). The source code and the modules are stored in [GitHub](https://github.com/azure/bicep-registry-modules). The [README file](https://github.com/azure/bicep-registry-modules#readme) in the GitHub repo lists the available modules and their latest versions:

-Select the versions to see the available versions. You can also select **Code** to see the module source code, and open the Readme files.

-description: An overview of connection string in Azure SignalR Service, how to generate it and how to configure it in app server

-# Connection string in Azure SignalR Service

-A connection string contains information about how to connect to Azure Signal Service (ASRS). In this article, you learn the basics of connection string and how to configure it in your application.

-## What is a connection string

-A connection string consists of a series of key/value pairs separated by semicolons(;). An equal sign(=) to connect each key and its value. Keys aren't case sensitive.

-For example, a typical connection string may look like this:

-> Endpoint=https://<resource_name>.service.signalr.net;AccessKey=<access_key>;Version=1.0;

-| Endpoint | The URL of your ASRS instance. | Y | N/A | `https://foo.service.signalr.net` |

-| Port | The port that your ASRS instance is listening on. on. | N | 80/443, depends on the endpoint URI schema | 8080 |

-| Version | The version of given connection. string. | N | 1.0 | 1.0 |

-| ClientEndpoint | The URI of your reverse proxy, such as the App Gateway or API. Management | N | null | `https://foo.bar` |

-| AuthType | The auth type. By default the service uses the AccessKey authorize requests. **Case insensitive** | N | null | Azure, azure.msi, azure.app |

-The local auth method is used when `AuthType` is set to null.

-| AccessKey | The key string in base64 format for building access token. | Y | null | ABCDEFGHIJKLMNOPQRSTUVWEXYZ0123456789+=/ |

-The Microsoft Entra auth method is used when `AuthType` is set to `azure`, `azure.app` or `azure.msi`.

-| ClientId | A GUID of an Azure application or an Azure identity. | N | null | `00000000-0000-0000-0000-000000000000` |

-| TenantId | A GUID of an organization in Microsoft Entra ID. | N | null | `00000000-0000-0000-0000-000000000000` |

-| ClientSecret | The password of an Azure application instance. | N | null | `***********************.****************` |

-| ClientCertPath | The absolute path of a client certificate (cert) file to an Azure application instance. | N | null | `/usr/local/cert/app.cert` |

-A different `TokenCredential` is used to generate Microsoft Entra tokens depending on the parameters you have given.

- [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) is used.

- ```text

- Endpoint=xxx;AuthType=azure

- ```

- 1. A user-assigned managed identity is used if `clientId` has been given in connection string.

- - [ManagedIdentityCredential(clientId)](/dotnet/api/azure.identity.managedidentitycredential) is used.

- 1. A system-assigned managed identity is used.

- - [ManagedIdentityCredential()](/dotnet/api/azure.identity.managedidentitycredential) is used.

- `clientId` and `tenantId` are required to use [Microsoft Entra application with service principal](../active-directory/develop/howto-create-service-principal-portal.md).

- 1. [ClientSecretCredential(clientId, tenantId, clientSecret)](/dotnet/api/azure.identity.clientsecretcredential) is used if `clientSecret` is given.

- 1. [ClientCertificateCredential(clientId, tenantId, clientCertPath)](/dotnet/api/azure.identity.clientcertificatecredential) is used if `clientCertPath` is given.

-### From Azure portal

-Open your SignalR service resource in Azure portal and go to `Keys` tab.

-You see two connection strings (primary and secondary) in the following format:

-> Endpoint=https://<resource_name>.service.signalr.net;AccessKey=<access_key>;Version=1.0;

-### From Azure CLI

-You can also use Azure CLI to get the connection string:

-You can use a [Microsoft Entra application](../active-directory/develop/app-objects-and-service-principals.md) to connect to your SignalR service. As long as the application has the right permission to access SignalR service, no access key is needed.

-To use Microsoft Entra authentication, you need to remove `AccessKey` from connection string and add `AuthType=azure.app`. You also need to specify the credentials of your Microsoft Entra application, including client ID, client secret and tenant ID. The connection string looks as follows:

-For more information about how to authenticate using Microsoft Entra application, see [Authorize from Azure Applications](signalr-howto-authorize-application.md).

-## Authenticate with Managed identity

-You can also use a system assigned or user assigned [managed identity](../active-directory/managed-identities-azure-resources/overview.md) to authenticate with SignalR service.

-To use a system assigned identity, add `AuthType=azure.msi` to the connection string:

-The SignalR service SDK automatically uses the identity of your app server.

-To use a user assigned identity, include the client ID of the managed identity in the connection string:

-For more information about how to configure managed identity, see [Authorize from Managed Identity](signalr-howto-authorize-managed-identity.md).

-> It's highly recommended to use managed identity to authenticate with SignalR service as it's a more secure way compared to using access keys. If you don't use access keys authentication, consider completely disabling it (go to Azure portal -> Keys -> Access Key -> Disable). If you still use access keys, it's highly recommended to rotate them regularly. For more information, see [Rotate access keys for Azure SignalR Service](signalr-howto-key-rotation.md).

-It may be cumbersome and error-prone to build connection strings manually. To avoid making mistakes, SignalR provides a connection string generator to help you generate a connection string that includes Microsoft Entra identities like `clientId`, `tenantId`, etc. To use the tool open your SignalR instance in Azure portal, select **Connection strings** from the left side menu.

-In this page you can choose different authentication types (access key, managed identity or Microsoft Entra application) and input information like client endpoint, client ID, client secret, etc. Then connection string is automatically generated. You can copy and use it in your application.

-> Information you enter won't be saved after you leave the page. You will need to copy and save your connection string to use in your application.

-For more information about how access tokens are generated and validated, see [Authenticate via Microsoft Entra token](signalr-reference-data-plane-rest-api.md#authenticate-via-microsoft-entra-token) in [Azure SignalR service data plane REST API reference](signalr-reference-data-plane-rest-api.md) .

-## Client and server endpoints

-A connection string contains the HTTP endpoint for app server to connect to SignalR service. The server returns the HTTP endpoint to the clients in a negotiate response, so the client can connect to the service.

-In some applications, there may be an extra component in front of SignalR service. All client connections need to go through that component first. For example, [Azure Application Gateway](../application-gateway/overview.md) is a common service that provides additional network security.

-In such case, the client needs to connect to an endpoint different than SignalR service. Instead of manually replacing the endpoint at the client side, you can add `ClientEndpoint` to connection string:

-The app server returns a response to the client's negotiate request containing the correct endpoint URL for the client to connect to. For more information about client connections, see [Azure SignalR Service internals](signalr-concept-internals.md#client-connections).

-Similarly, the server wants to make [server connections](signalr-concept-internals.md#azure-signalr-service-internals) or call [REST APIs](https://github.com/Azure/azure-signalr/blob/dev/docs/rest-api.md) to the service, the SignalR service may also be behind another service like [Azure Application Gateway](../application-gateway/overview.md). In that case, you can use `ServerEndpoint` to specify the actual endpoint for server connections and REST APIs:

-## Configure connection string in your application

-You can set the connection string when calling `AddAzureSignalR()` API:

-Or you can call `AddAzureSignalR()` without any arguments. The service SDK returns the connection string from a config named `Azure:SignalR:ConnectionString` in your [configuration provider](/dotnet/core/extensions/configuration-providers).

-In a local development environment, the configuration is stored in a file (_appsettings.json_ or _secrets.json_) or environment variables. You can use one of the following ways to configure connection string:

-In a production environment, you can use other Azure services to manage config/secrets like Azure [Key Vault](../key-vault/general/overview.md) and [App Configuration](../azure-app-configuration/overview.md). See their documentation to learn how to set up configuration provider for those services.

-> Even when you're directly setting a connection string using code, it's not recommended to hardcode the connection string in source code You should read the connection string from a secret store like key vault and pass it to `AddAzureSignalR()`.

-Azure SignalR Service also allows the server to connect to multiple service endpoints at the same time, so it can handle more connections that are beyond a service instance's limit. Also, when one service instance is down the other service instances can be used as backup. For more information about how to use multiple instances, see [Scale SignalR Service with multiple instances](signalr-howto-scale-multi-instances.md).

-There are also two ways to configure multiple instances:

- You can use any supported configuration provider (secret manager, environment variables, key vault, etc.) to store connection strings. Take secret manager as an example:

- You can assign a name and type to each endpoint by using a different config name in the following format:

-There are two ways to authenticate to Azure SignalR Service resources: Microsoft Entra ID and Access Key. Microsoft Entra ID offers superior security and ease of use compared to the access key method.

-With Microsoft Entra ID, you do not need to store tokens in your code, reducing the risk of potential security vulnerabilities.

-We highly recommend using Microsoft Entra ID for your Azure SignalR Service resources whenever possible.

-> Disabling local authentication can have following consequences.

-> - The current set of access keys will be permanently deleted.

-> - Tokens signed with the current set of access keys will become unavailable.

-## Use Azure portal

-In this section, you will learn how to use the Azure portal to disable local authentication.

-1. Navigate to your SignalR Service resource in the [Azure portal](https://portal.azure.com).

-2. in the **Settings** section of the menu sidebar, select **Keys** tab.

-3. Select **Disabled** for local authentication.

-4. Click **Save** button.

-

-## Use Azure Resource Manager template

-You can disable local authentication by setting `disableLocalAuth` property to true as shown in the following Azure Resource Manager template.

-## Use Azure Policy

-You can assign the [Azure SignalR Service should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff70eecba-335d-4bbc-81d5-5b17b03d498f) Azure policy to an Azure subscription or a resource group to enforce disabling of local authentication for all SignalR resources in the subscription or the resource group.

-

-See the following docs to learn about authentication methods.

-The service supports only one managed identity; you can create either a system-assigned or user-assigned identity. A system-assigned identity is dedicated to your SignalR instance and is deleted when you delete the instance. A user-assigned identity is managed independently of your SignalR resource.

-To add a system-managed identity to your SignalR instance:

-1. Browse to your SignalR instance in the Azure portal.

-1. Select **Save**.

- :::image type="content" source="media/signalr-howto-use-managed-identity/system-identity-portal.png" alt-text="Screenshot showing Add a system-assigned identity in the portal.":::

-To add a user-assigned identity to your SignalR instance, you need to create the identity then add it to your service.

-1. Browse to your SignalR instance in the Azure portal.

-1. Select the identity from the **User assigned managed identities** drop down menu.

- :::image type="content" source="media/signalr-howto-use-managed-identity/user-identity-portal.png" alt-text="Screenshot showing Add a user-assigned identity in the portal.":::

-Once you've added a [system-assigned identity](#add-a-system-assigned-identity) or [user-assigned identity](#add-a-user-assigned-identity) to your SignalR instance, you can enable managed identity authentication in the upstream endpoint settings.

-1. Browse to your SignalR instance.

-1. Enter the upstream endpoint URL pattern in the **Add an upstream URL pattern** text box. See [URL template settings](concept-upstream.md#url-template-settings)

-1. Select Add one Upstream Setting and select any asterisk go to **Upstream Settings**.

- :::image type="content" source="media/signalr-howto-use-managed-identity/pre-msi-settings.png" alt-text="Screenshot of Azure SignalR service Settings.":::

-1. Configure your upstream endpoint settings.

- :::image type="content" source="media/signalr-howto-use-managed-identity/msi-settings.png" alt-text="Screenshot of Azure SignalR service Upstream settings.":::

-1. In the managed identity authentication settings, for **Resource**, you can specify the target resource. The resource will become an `aud` claim in the obtained access token, which can be used as a part of validation in your upstream endpoints. The resource can be one of the following formats:

- - Empty

- - Application (client) ID of the service principal

- - Application ID URI of the service principal

- - Resource ID of an Azure service (For a list of Azure services that support managed identities, see [Azure services that support managed identities](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication).)

- > If you manually validate an access token your service, you can choose any one of the resource formats. Make sure that the **Resource** value in **Auth** settings and the validation are consistent. When you use Azure role-based access control (Azure RBAC) for a data plane, you must use the resource format that the service provider requests.

-To validate access tokens, your app should also validate the audience and the signing tokens. These tokens need to be validated against the values in the OpenID discovery document. For example, see the [tenant-independent version of the document](https://login.microsoftonline.com/common/.well-known/openid-configuration).

-The Microsoft Entra middleware has built-in capabilities for validating access tokens. You can browse through our [samples](../active-directory/develop/sample-v2-code.md) to find one in the language of your choice.

-Libraries and code samples that show how to handle token validation are available. There are also several open-source partner libraries available for JSON Web Token (JWT) validation. There's at least one option for almost every platform and language. For more information about Microsoft Entra authentication libraries and code samples, see [Microsoft identity platform authentication libraries](../active-directory/develop/reference-v2-libraries.md).

-#### Authentication in Function App

-You can easily set access validation for a Function App without code changes using the Azure portal.

-1. Go to the Function App in the Azure portal.

-1. In the **Basics** tab, select **Microsoft** from the **Identity provider** dropdown.

-1. Select **Log in with Microsoft Entra ID** in **Action to take when request is not authenticated**.

-1. Select **Microsoft** in the identity provider dropdown. The option to create a new registration is selected by default. You can change the name of the registration. For more information on enabling Microsoft Entra provider, see [Configure your App Service or Azure Functions app to login with Microsoft Entra ID](../app-service/configure-authentication-provider-aad.md)

- :::image type="content" source="media/signalr-howto-use-managed-identity/function-aad.png" alt-text="Function Microsoft Entra ID":::

-1. Navigate to SignalR Service and follow the [steps](howto-use-managed-identity.md#add-a-system-assigned-identity) to add a system-assigned identity or user-assigned identity.

-1. go to **Upstream settings** in SignalR Service and choose **Use Managed Identity** and **Select from existing Applications**. Select the application you created previously.

-After you configure these settings, the Function App will reject requests without an access token in the header.

-> To pass the authentication, the _Issuer Url_ must match the _iss_ claim in token. Currently, we only support v1 endpoint (see [v1.0 and v2.0](../active-directory/develop/access-tokens.md)).

-To verify the _Issuer Url_ format in your Function app:

-1. Go to the Function app in the portal.

-1. Verify that the _Issuer Url_ has the format `https://sts.windows.net/<tenant-id>/`.

-## Use a managed identity for Key Vault reference

-SignalR Service can access Key Vault to get secrets using the managed identity.

-1. Add a [system-assigned identity](#add-a-system-assigned-identity) or [user-assigned identity](#add-a-user-assigned-identity) to your SignalR instance.

-1. Grant secret read permission for the managed identity in the Access policies in the Key Vault. See [Assign a Key Vault access policy using the Azure portal](../key-vault/general/assign-access-policy-portal.md)

-Currently, this feature can be used to [Reference secret in Upstream URL Pattern](./concept-upstream.md#key-vault-secret-reference-in-url-template-settings)

-description: This article provides information on authorizing access to Azure SignalR Service resources using Microsoft Entra ID.

-Azure SignalR Service supports Microsoft Entra ID for authorizing requests to SignalR resources. With Microsoft Entra ID, you can utilize role-based access control (RBAC) to grant permissions to a security principal^{[<a href="#security-principal">1</a>]}. The security principal is authenticated by Microsoft Entra ID, which returns an OAuth 2.0 token. The token is then used to authorize a request against the SignalR resource.

-Authorizing requests against SignalR with Microsoft Entra ID provides superior security and ease of use compared to Access Key authorization. It is highly recommended to use Microsoft Entra ID for authorizing whenever possible, as it ensures access with the minimum required privileges.

-<a id="security-principal"></a>

-_[1] security principal: a user/resource group, an application, or a service principal such as system-assigned identities and user-assigned identities._

-> Disabling local authentication can have following influences.

-> - The current set of access keys will be permanently deleted.

-> - Tokens signed with access keys will no longer be available.

-When a security principal attempts to access a SignalR resource, the request must be authorized. Get access to a resource requires 2 steps when using Microsoft Entra ID.

-1. The security principal has to be authenticated by Microsoft Entra ID, which will then return an OAuth 2.0 token.

-1. The token is passed as part of a request to the SignalR resource for authorizing the request.

-When using Access Key, the key is shared between your app server (or Function App) and the SignalR resource. The SignalR service authenticates the client connection request with the shared key.

-When using Microsoft Entra ID, there is no shared key. Instead, SignalR uses a **temporary access key** for signing tokens used in client connections. The workflow contains four steps.

-2. The security principal calls SignalR Auth API to get a **temporary access key**.

-3. The security principal signs a client token with the **temporary access key** for client connections during negotiation.

-4. The client uses the client token to connect to Azure SignalR resources.

-The **temporary access key** expires in 90 minutes. It's recommend getting a new one and rotate the old one once an hour.

-The workflow is built in the [Azure SignalR SDK for app server](https://github.com/Azure/azure-signalr).

-Microsoft Entra ID authorizes access rights to secured resources through [Azure role-based access control](../role-based-access-control/overview.md). Azure SignalR defines a set of Azure built-in roles that encompass common sets of permissions used to access SignalR resources. You can also define custom roles for access to SignalR resources.

-You may have to determine the scope of access that the security principal should have before you assign any Azure RBAC role to a security principal. It is recommended to only grant the narrowest possible scope. Azure RBAC roles defined at a broader scope are inherited by the resources beneath them.

-You can scope access to Azure SignalR resources at the following levels, beginning with the narrowest scope:

-| **An individual resource.** | Applies to only the target resource. |

-| **A resource group.** | Applies to all of the resources in a resource group. |

-| **A subscription.** | Applies to all of the resources in a subscription. |

-| **A management group.** | Applies to all of the resources in the subscriptions included in a management group. |

-## Azure built-in roles for SignalR resources

-| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server) | Access to Websocket connection creation API and Auth APIs. | Most commonly for an App Server. |

-| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner) | Full access to all data-plane APIs, including REST APIs, WebSocket connection creation API and Auth APIs. | Use for **Serverless mode** for Authorization with Microsoft Entra ID since it requires both REST APIs permissions and Auth API permissions. |

-| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner) | Full access to data-plane REST APIs. | Often used to write a tool that manages connections and groups but does **NOT** make connections or call Auth APIs. |

-| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs. | Commonly used to write a monitoring tool that calls **ONLY** SignalR data-plane **READONLY** REST APIs. |

-To learn how to create an Azure application and use Microsoft Entra authorization, see:

-To learn how to configure a managed identity and use Microsoft Entra authorization, see:

-To learn more about roles and role assignments, see:

-To learn how to create custom roles, see:

-To learn how to use only Microsoft Entra authentication, see:

-description: This article provides information about authorizing request to SignalR resources with Microsoft Entra applications

-# Authorize requests to SignalR resources with Microsoft Entra applications

-This article shows how to configure your SignalR resource and codes to authorize requests to a SignalR resource from a Microsoft Entra application.

-The first step is to register a Microsoft Entra application.

-1. On the [Azure portal](https://portal.azure.com/), search for and select **Microsoft Entra ID**

-2. Under **Manage** section, select **App registrations**.

-3. Select **New registration**.

- 

-4. Enter a display **Name** for your application.

-5. Select **Register** to confirm the register.

-Once you have your application registered, you can find the **Application (client) ID** and **Directory (tenant) ID** under its Overview page. These GUIDs can be useful in the following steps.

-

-To learn more about registering an application, see

-The application requires a client secret to prove its identity when requesting a token. To create a client secret, follow these steps.

-1. Under **Manage** section, select **Certificates & secrets**

- 

-1. Enter a **description** for the client secret, and choose a **expire time**.

-1. Copy the value of the **client secret** and then paste it to a secure location.

- > The secret will display only once.

-You can also upload a certification instead of creating a client secret.

-

-To learn more about adding credentials, see

-## Add role assignments on Azure portal

-The following steps describe how to assign a `SignalR App Server` role to a service principal (application) over a SignalR resource. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

-> A role can be assigned to any scope, including management group, subscription, resource group or a single resource. To learn more about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md)

-1. From the [Azure portal](https://portal.azure.com/), navigate to your SignalR resource.

-1. Select **Add > Add role assignment**.

- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::

-1. On the **Members** tab, select **User, group, or service principal**, and then select **Select members**.

-1. Search for and select the application that to which you'd like to assign the role.

-> Azure role assignments may take up to 30 minutes to propagate.

-To learn more about how to assign and manage Azure role assignments, see these articles:

-| `AZURE_CLIENT_ID` | The client(application) ID of an App Registration in the tenant. |

-| `AZURE_CLIENT_SECRET` | A client secret that was generated for the App Registration. |

-| `AZURE_CLIENT_CERTIFICATE_PATH` | A path to a certificate and private key pair in PEM or PFX format, which can authenticate the App Registration. |

-| `AZURE_USERNAME` | The username, also known as upn, of a Microsoft Entra user account. |

-| `AZURE_PASSWORD` | The password of the Microsoft Entra user account. Password isn't supported for accounts with MFA enabled. |

-You can use either [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) or [EnvironmentCredential](/dotnet/api/azure.identity.environmentcredential) to configure your SignalR endpoints.

-Or using `EnvironmentalCredential` directly.

-To learn how `DefaultAzureCredential` works, see [DefaultAzureCredential Class](/dotnet/api/overview/azure/identity-readme#defaultazurecredential).

-#### Use different credentials while using multiple endpoints

-For some reason, you may want to use different credentials for different endpoints.

-In this scenario, you can use [ClientSecretCredential](/dotnet/api/azure.identity.clientsecretcredential) or [ClientCertificateCredential](/dotnet/api/azure.identity.clientcertificatecredential).

-### Azure Functions SignalR bindings

-Azure Functions SignalR bindings use [application settings](../azure-functions/functions-how-to-use-azure-function-app-settings.md) on portal or [`local.settings.json`](../azure-functions/functions-develop-local.md#local-settings-file) at local to configure Microsoft Entra application identities to access your SignalR resources.

-Firstly, you need to specify the service URI of the SignalR Service, whose key is `serviceUri` starting with a **connection name prefix** (defaults to `AzureSignalRConnectionString`) and a separator (`__` on Azure portal and `:` in the local.settings.json file). The connection name can be customized with the binding property [`ConnectionStringSetting`](../azure-functions/functions-bindings-signalr-service.md). Continue reading to find the sample.

-Then you choose to configure your Microsoft Entra application identity in [pre-defined environment variables](#configure-identity-in-pre-defined-environment-variables) or [in SignalR specified variables](#configure-identity-in-signalr-specified-variables).

-#### Configure identity in pre-defined environment variables

-See [Environment variables](/dotnet/api/overview/azure/identity-readme#environment-variables) for the list of pre-defined environment variables. When you have multiple services, we recommend that you use the same application identity, so that you don't need to configure the identity for each service. These environment variables might also be used by other services according to the settings of other services.

-For example, to use client secret credentials, configure as follows in the `local.settings.json` file.

-On Azure portal, add settings as follows:

-#### Configure identity in SignalR specified variables

-The SignalR specified variables share the same key prefix with `serviceUri` key. Here's the list of variables you might use:

-Here are the samples to use client secret credentials:

-In the `local.settings.json` file:

-On Azure portal, add settings as follows:

-description: This article provides information about authorizing request to SignalR resources with Microsoft Entra managed identities

-# Authorize requests to SignalR resources with Microsoft Entra managed identities

-Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra managed identities

-](../active-directory/managed-identities-azure-resources/overview.md).

-This article shows how to configure your SignalR resource and code to authorize requests to a SignalR resource from a managed identity.

-This example shows you how to configure `System-assigned managed identity` on a `Virtual Machine` using the Azure portal.

-1. Open [Azure portal](https://portal.azure.com/), Search for and select a Virtual Machine.

-1. Under **Settings** section, select **Identity**.

-1. On the **System assigned** tab, toggle the **Status** to **On**.

- 

-To learn how to create user-assigned managed identities, see [Create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity)

-### For App service and Azure Functions

-See [How to use managed identities for App Service and Azure Functions](../app-service/overview-managed-identity.md).

-## Add role assignments on Azure portal

-The following steps describe how to assign a `SignalR App Server` role to a system-assigned identity over a SignalR resource. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

-> A role can be assigned to any scope, including management group, subscription, resource group or a single resource. To learn more about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md)

-1. From the [Azure portal](https://portal.azure.com/), navigate to your SignalR resource.

-1. Select **Add > Add role assignment**.

- :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::

-1. On the **Members** tab, select **Managed identity**, and then select **Select members**.

-1. Select **System-assigned managed identity**, search for a virtual machine to which you'd like to assign the role, and then select it.

-> Azure role assignments may take up to 30 minutes to propagate.

-To learn more about how to assign and manage Azure role assignments, see these articles:

-### App Server

-#### Using system-assigned identity

-You can use either [DefaultAzureCredential](/dotnet/api/overview/azure/identity-readme#defaultazurecredential) or [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential) to configure your SignalR endpoints. However, the best practice is to use `ManagedIdentityCredential` directly.

-The system-assigned managed identity is used by default, but **make sure that you don't configure any environment variables** that the [EnvironmentCredential](/dotnet/api/azure.identity.environmentcredential) preserved if you were using `DefaultAzureCredential`. Otherwise it falls back to use `EnvironmentCredential` to make the request and it results to a `Unauthorized` response in most cases.

-#### Using user-assigned identity

-> Use **Client Id**, not the Object (principal) ID even if they are both GUID!

-### Azure Functions SignalR bindings

-Azure Functions SignalR bindings use [application settings](../azure-functions/functions-how-to-use-azure-function-app-settings.md) on portal or [`local.settings.json`](../azure-functions/functions-develop-local.md#local-settings-file) at local to configure managed identity to access your SignalR resources.

-You might need a group of key-value pairs to configure an identity. The keys of all the key-value pairs must start with a **connection name prefix** (defaults to `AzureSignalRConnectionString`) and a separator (`__` on portal and `:` at local). The prefix can be customized with binding property [`ConnectionStringSetting`](../azure-functions/functions-bindings-signalr-service.md).

-#### Using system-assigned identity

-If you only configure the service URI, then the `DefaultAzureCredential` is used. This class is useful when you want to share the same configuration on Azure and local development environments. To learn how `DefaultAzureCredential` works, see [DefaultAzureCredential](/dotnet/api/overview/azure/identity-readme#defaultazurecredential).

-In the Azure portal, use the following example to configure a `DefaultAzureCredential`. If you don't configure any [environment variables listed here](/dotnet/api/overview/azure/identity-readme#environment-variables), then the system-assigned identity is used to authenticate.

-Here's a config sample of `DefaultAzureCredential` in the `local.settings.json` file. At the local scope there's no managed identity, and the authentication via Visual Studio, Azure CLI, and Azure PowerShell accounts are attempted in order.

-If you want to use system-assigned identity independently and without the influence of [other environment variables](/dotnet/api/overview/azure/identity-readme#environment-variables), you should set the `credential` key with the connection name prefix to `managedidentity`. Here's an application settings sample:

-#### Using user-assigned identity

-If you want to use user-assigned identity, you need to assign `clientId`in addition to the `serviceUri` and `credential` keys with the connection name prefix. Here's the application settings sample:

-* When your client goes through your reverse proxy to Azure SignalR, set `ClientEndpoint` as your reverse proxy URL. When your client *negotiate*s with your hub server, the hub server will return the URL defined in `ClientEndpoint` for your client to connect. [Check here for more details.](./concept-connection-string.md#client-and-server-endpoints)

-description: Learn how to use live trace tool for Azure SignalR service

-# How to use live trace tool for Azure SignalR service

-Live trace tool is a single web application for capturing and displaying live traces in Azure SignalR Service. The live traces can be collected in real time without any dependency on other services. You can enable and disable the live trace feature with a single select. You can also choose any log category that you're interested.

-> Note that the live traces will be counted as outbound messages.

-> Using Microsoft Entra ID to access the live trace tool is not supported. You have to enable **Access Key** in **Keys** settings.

-## Launch the live trace tool

-> [!NOTE]

-> When enable access key, you'll use access token to authenticate live trace tool.

-> Otherwise, you'll use Microsoft Entra ID to authenticate live trace tool.

-> You can check whether you enable access key or not in your SignalR Service's Keys page in Azure portal.

-### Steps for access key enabled

-1. Go to the Azure portal and your SignalR Service page.

-1. From the menu on the left, under **Monitoring** select **Live trace settings**.

-1. Select **Save** button. It will take a moment for the changes to take effect.

-1. When updating is complete, select **Open Live Trace Tool**.

- :::image type="content" source="media/signalr-howto-troubleshoot-live-trace/signalr-enable-live-trace.png" alt-text="Screenshot of launching the live trace tool.":::

-### Steps for access key disabled

-1. Go to the Azure portal and your SignalR Service page.

-1. In the new page, Click **+Add**, then click **Role assignment**.

-1. In the new page, focus on **Job function roles** tab, Select **SignalR Service Owner** role, and then click **Next**.

-1. In **Members** page, click **+Select members**.

-1. In the new panel, search and select members, and then click **Select**.

-1. Click **Review + assign**, and wait for the completion notification.

-#### Visit live trace tool

-1. Go to the Azure portal and your SignalR Service page.

-1. From the menu on the left, under **Monitoring** select **Live trace settings**.

-1. Select **Save** button. It will take a moment for the changes to take effect.

-1. When updating is complete, select **Open Live Trace Tool**.

- :::image type="content" source="media/signalr-howto-troubleshoot-live-trace/signalr-enable-live-trace.png" alt-text="Screenshot of launching the live trace tool.":::

-1. The live trace tool will pop up a Microsoft sign in window. If no window is pop up, check and allow pop up windows in your browser.

-1. Wait for **Ready** showing in the status bar.

-The live trace tool provides functionality to help you capture the live traces for troubleshooting.

-* **Capture**: Begin to capture the real time live traces from SignalR Service instance with live trace tool.

-* **Clear**: Clear the captured real time live traces.

-* **Export**: Export live traces to a file. The current supported file format is CSV file.

-* **Log filter**: The live trace tool allows you to filter the captured real time live traces with one specific key word. Separators (for example, space, comma, semicolon, and so on), if present, will be treated as part of the key word.

-The real time live traces captured by live trace tool contain detailed information for troubleshooting.

-| | |

-| Time | Log event time |

-| Log Level | Log event level (Trace/Debug/Informational/Warning/Error) |

-| Event Name | Operation name of the event |

-| Message | Detailed message of log event |

-| Exception | The run-time exception of Azure Web PubSub service |

-| Hub | User-defined Hub Name |

-| Connection ID | Identity of the connection |

-| Connection Type | Type of the connection. Allowed values are `Server` (connections between server and service) and `Client` (connections between client and service)|

-| User ID | Identity of the user |

-| IP | The IP address of client |

-| Server Sticky | Routing mode of client. Allowed values are `Disabled`, `Preferred` and `Required`. For more information, see [ServerStickyMode](https://github.com/Azure/azure-signalr/blob/master/docs/run-asp-net-core.md#serverstickymode) |

-| Transport | The transport that the client can use to send HTTP requests. Allowed values are `WebSockets`, `ServerSentEvents` and `LongPolling`. For more information, see [HttpTransportType](/dotnet/api/microsoft.aspnetcore.http.connections.httptransporttype) |

-| Message Tracing ID | The unique identifier for a message |

-| Route Template | The route template of the API |

-| Http Method | The Http method (POST/GET/PUT/DELETE) |

-| URL | The uniform resource locator |

-| Trace ID | The unique identifier to represent a request |

-| Status Code | the Http response code |

-| Duration | The duration between the request is received and processed |

-| Headers | The additional information passed by the client and the server with an HTTP request or response |

-| Invocation ID | The unique identifier to represent an invocation (only available for ASP.NET SignalR) |

-| Message Type | The type of the message (BroadcastDataMessage\|JoinGroupMessage\|LeaveGroupMessage\|...) |

-## Next Steps

-In this guide, you learned about how to use live trace tool. Next, learn how to handle the common issues:

-* Troubleshooting guides: How to troubleshoot typical issues based on live traces, see [troubleshooting guide](./signalr-howto-troubleshoot-guide.md).

-* Troubleshooting methods: For self-diagnosis to find the root cause directly or narrow down the issue, see [troubleshooting methods introduction](./signalr-howto-troubleshoot-method.md).

-description: Describes the REST APIs Azure SignalR service supports to manage the connections and send messages to them.

-# Azure SignalR service data plane REST API reference

-In addition to the classic client-server pattern, Azure SignalR Service provides a set of REST APIs so that you can easily integrate real-time functionality into your serverless architecture.

-> Azure SignalR Service only supports using REST API to manage clients connected using ASP.NET Core SignalR. Clients connected using ASP.NET SignalR use a different data protocol that is not currently supported.

-## Typical serverless Architecture with Azure Functions

-The following diagram shows a typical serverless architecture using Azure SignalR Service with Azure Functions.

-In a serverless architecture, clients still have persistent connections to the SignalR Service.

-Since there's no application server to handle traffic, clients are in `LISTEN` mode, which means they can only receive messages but can't send messages.

-SignalR Service disconnects any client that sends messages because it's an invalid operation.

-You can find a complete sample of using SignalR Service with Azure Functions at [here](https://github.com/aspnet/AzureSignalR-samples/tree/master/samples/RealtimeSignIn).

-## API

-The following table shows all supported versions of REST API. You can also find the swagger file for each version of REST API.

-| API Version | Status | Port | Doc | Spec |

-| `20220601` | Latest | Standard | [Doc](./swagger/signalr-data-plane-rest-v20220601.md) | [swagger](https://github.com/Azure/azure-signalr/blob/dev/docs/swagger/V20220601.json) |

-| `1.0` | Stable | Standard | [Doc](./swagger/signalr-data-plane-rest-v1.md) | [swagger](https://github.com/Azure/azure-signalr/blob/dev/docs/swagger/v1.json) |

-| `1.0-preview` | Obsolete | Standard | [Doc](./swagger/signalr-data-plane-rest-v1-preview.md) | [swagger](https://github.com/Azure/azure-signalr/blob/dev/docs/swagger/v1-preview.json) |

-The available APIs are listed as following.

-| [Broadcast a message to all clients connected to target hub.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-connected-to-target-hub) | `POST /api/v1/hubs/{hub}` |

-| [Broadcast a message to all clients belong to the target user.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-belong-to-the-target-user) | `POST /api/v1/hubs/{hub}/users/{id}` |

-| [Send message to the specific connection.](./swagger/signalr-data-plane-rest-v1.md#send-message-to-the-specific-connection) | `POST /api/v1/hubs/{hub}/connections/{connectionId}` |

-| [Check if the connection with the given connectionId exists.](./swagger/signalr-data-plane-rest-v1.md#check-if-the-connection-with-the-given-connectionid-exists) | `GET /api/v1/hubs/{hub}/connections/{connectionId}` |

-| [Close the client connection.](./swagger/signalr-data-plane-rest-v1.md#close-the-client-connection) | `DELETE /api/v1/hubs/{hub}/connections/{connectionId}` |

-| [Broadcast a message to all clients within the target group.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-within-the-target-group) | `POST /api/v1/hubs/{hub}/groups/{group}` |

-| [Check if there are any client connections inside the given group.](./swagger/signalr-data-plane-rest-v1.md#check-if-there-are-any-client-connections-inside-the-given-group) | `GET /api/v1/hubs/{hub}/groups/{group}` |

-| [Check if there are any client connections connected for the given user.](./swagger/signalr-data-plane-rest-v1.md#check-if-there-are-any-client-connections-connected-for-the-given-user) | `GET /api/v1/hubs/{hub}/users/{user}` |

-| [Add a connection to the target group.](./swagger/signalr-data-plane-rest-v1.md#add-a-connection-to-the-target-group) | `PUT /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}` |

-| [Remove a connection from the target group.](./swagger/signalr-data-plane-rest-v1.md#remove-a-connection-from-the-target-group) | `DELETE /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}` |

-| [Check whether a user exists in the target group.](./swagger/signalr-data-plane-rest-v1.md#check-whether-a-user-exists-in-the-target-group) | `GET /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

-| [Add a user to the target group.](./swagger/signalr-data-plane-rest-v1.md#add-a-user-to-the-target-group) | `PUT /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

-| [Remove a user from the target group.](./swagger/signalr-data-plane-rest-v1.md#remove-a-user-from-the-target-group) | `DELETE /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

-| [Remove a user from all groups.](./swagger/signalr-data-plane-rest-v1.md#remove-a-user-from-all-groups) | `DELETE /api/v1/hubs/{hub}/users/{user}/groups` |

-## Using REST API

-### Authenticate via Azure SignalR Service AccessKey

-In each HTTP request, an authorization header with a [JSON Web Token (JWT)](https://en.wikipedia.org/wiki/JSON_Web_Token) is required to authenticate with SignalR Service.

-#### Signing Algorithm and Signature

-Use the `AccessKey` in Azure SignalR Service instance's connection string to sign the generated JWT token.

-The following claims are required to be included in the JWT token.

-| Claim Type | Is Required | Description |

-| `aud` | true | Needs to be the same as your HTTP request URL, trailing slash and query parameters not included. For example, a broadcast request's audience should look like: `https://example.service.signalr.net/api/v1/hubs/myhub`. |

-| `exp` | true | Epoch time when this token expires. |

-### Authenticate via Microsoft Entra token

-Similar to authenticating using `AccessKey`, when authenticating using Microsoft Entra token, a [JSON Web Token (JWT)](https://en.wikipedia.org/wiki/JSON_Web_Token) is also required to authenticate the HTTP request.

-The difference is, in this scenario, the JWT Token is generated by Microsoft Entra ID. For more information, see [Learn how to generate Microsoft Entra tokens](../active-directory/develop/reference-v2-libraries.md)

-You could also use **Role Based Access Control (RBAC)** to authorize the request from your client/server to SignalR Service. For more information, see [Authorize access with Microsoft Entra ID for Azure SignalR Service](./signalr-concept-authorize-azure-active-directory.md)

-### Implement Negotiate Endpoint

-As shown in the [architecture section](#serverless), you should implement a `negotiate` function that returns a redirect negotiation response so that clients can connect to the service.

-A typical negotiation response looks as follows:

-```json

-{

- "url": "https://<service_name>.service.signalr.net/client/?hub=<hub_name>",

- "accessToken": "<a typical JWT token>"

-}

-```

-The `accessToken` is generated using the same algorithm described in the [authentication section](#authenticate-via-azure-signalr-service-accesskey). The only difference is the `aud` claim should be the same as `url`.

-You should host your negotiate API in `https://<hub_url>/negotiate` so you can still use SignalR client to connect to the hub url. Read more about redirecting client to Azure SignalR Service at [here](./signalr-concept-internals.md#client-connections).

-In order to the call user-related REST API, each of your clients should identify themselves to SignalR Service. Otherwise SignalR Service can't find target connections from a given user ID.

-Client identification can be achieved by including a `nameid` claim in each client's JWT token when they're connecting to SignalR Service.

-Then SignalR Service uses the value of `nameid` claim as the user ID of each client connection.

-You can find a complete console app to demonstrate how to manually build a REST API HTTP request in SignalR Service [here](https://github.com/aspnet/AzureSignalR-samples/tree/master/samples/Serverless).

-You can also use [Microsoft.Azure.SignalR.Management](https://www.nuget.org/packages/Microsoft.Azure.SignalR.Management) to publish messages to SignalR Service using the similar interfaces of `IHubContext`. Samples can be found [here](https://github.com/aspnet/AzureSignalR-samples/tree/master/samples/Management). For more information, see [How to use Management SDK](https://github.com/Azure/azure-signalr/blob/dev/docs/management-sdk-guide.md).

-## Limitation

-Currently, we have the following limitation for REST API requests:

-If you want to send messages larger than 1 MB, use the Management SDK with `persistent` mode.

-description: In this tutorial, you learn how to authenticate Azure SignalR Service clients for Azure Functions binding

-A step by step tutorial to build a chat room with authentication and private messaging using Azure Functions, App Service Authentication, and SignalR Service.

-## Introduction

-### Technologies used

-### Prerequisites

- - If you don't have one, you can [create one for free](https://azure.microsoft.com/free/).

-### Create an Azure SignalR service resource

-Your application will access a SignalR Service instance. Use the following steps to create a SignalR Service instance using the Azure portal.

-1. Select on the **Create a resource** (**+**) button for creating a new Azure resource.

- | **Resource group** | Create a new resource group with a unique name |

- | **Resource name** | A unique name for the SignalR Service instance |

- | **Region** | Select a region close to you |

- | **Pricing Tier** | Free |

- | **Service mode** | Serverless |

-### Create an Azure Function App and an Azure Storage account

-1. From the home page in the Azure portal, select on the **Create a resource** (**+**).

- | **Resource group** | Use the same resource group with your SignalR Service instance |

- | **Function App name** | A unique name for the Function app instance |

- | **Runtime stack** | Node.js |

- | **Region** | Select a region close to you |

-1. By default, a new Azure Storage account will also be created in the same resource group together with your function app. If you want to use another storage account in the function app, switch to **Hosting** tab to choose an account.

-1. Select **Review + Create**, then select **Create**.

-1. Execute the following command in your terminal to create a new JavaScript Functions project.

-```bash

-func init --worker-runtime node --language javascript --name my-app

-```

-By default, the generated project includes a _host.json_ file containing the extension bundles which include the SignalR extension. For more information about extension bundles, see [Register Azure Functions binding extensions](../azure-functions/functions-bindings-register.md#extension-bundles).

-When running and debugging the Azure Functions runtime locally, application settings are read by the function app from _local.settings.json_. Update this file with the connection strings of the SignalR Service instance and the storage account that you created earlier.

-1. Replace the content of _local.settings.json_ with the following code:

- ```json

- {

- "IsEncrypted": false,

- "Values": {

- "FUNCTIONS_WORKER_RUNTIME": "node",

- "AzureWebJobsStorage": "<your-storage-account-connection-string>",

- "AzureSignalRConnectionString": "<your-Azure-SignalR-connection-string>"

- }

- }

- ```

- - Enter the Azure SignalR Service connection string into the `AzureSignalRConnectionString` setting.

- Navigate to your SignalR Service in the Azure portal. In the **Settings** section, locate the **Keys** setting. Select the **Copy** button to the right of the connection string to copy it to your clipboard. You can use either the primary or secondary connection string.

- - Enter the storage account connection string into the `AzureWebJobsStorage` setting.

- Navigate to your storage account in the Azure portal. In the **Security + networking** section, locate the **Access keys** setting. Select the **Copy** button to the right of the connection string to copy it to your clipboard. You can use either the primary or secondary connection string.

-### Create a function to authenticate users to SignalR Service

-When the chat app first opens in the browser, it requires valid connection credentials to connect to Azure SignalR Service. You'll create an HTTP triggered function named `negotiate` in your function app to return this connection information.

-> This function must be named `negotiate` as the SignalR client requires an endpoint that ends in `/negotiate`.

-1. From the root project folder, create the `negotiate` function from a built-in template with the following command.

- The function contains an HTTP trigger binding to receive requests from SignalR clients and a SignalR input binding to generate valid credentials for a client to connect to an Azure SignalR Service hub named `default`.

- There's no `userId` property in the `signalRConnectionInfo` binding for local development, but you'll add it later to set the user name of a SignalR connection when you deploy the function app to Azure.

-1. Open _negotiate/index.js_ to view the body of the function.

- This function takes the SignalR connection information from the input binding and returns it to the client in the HTTP response body. The SignalR client uses this information to connect to the SignalR Service instance.

-The web app also requires an HTTP API to send chat messages. You'll create an HTTP triggered function named `sendMessage` that sends messages to all connected clients using SignalR Service.

-1. From the root project folder, create an HTTP trigger function named `sendMessage` from the template with the command:

- Two changes are made to the original file:

- - Changes the route to `messages` and restricts the HTTP trigger to the `POST` HTTP method.

- - Adds a SignalR Service output binding that sends a message returned by the function to all clients connected to a SignalR Service hub named `default`.

- This function takes the body from the HTTP request and sends it to clients connected to SignalR Service, invoking a function named `newMessage` on each client.

-### Host the chat client web user interface

-The chat application's UI is a simple single-page application (SPA) created with the Vue JavaScript framework using [ASP.NET Core SignalR JavaScript client](/aspnet/core/signalr/javascript-client). For simplicity, the function app hosts the web page. In a production environment, you can use [Static Web Apps](https://azure.microsoft.com/products/app-service/static) to host the web page.

-1. Create a new folder named _content_ in the root directory of your function project.

-1. In the _content_ folder, create a new file named _https://docsupdatetracker.net/index.html_.

-1. From the root project folder, create an HTTP trigger function named `index` from the template with the command:

-1. Modify the content of `index/index.js` to the following:

- The function reads the static web page and returns it to the user.

-1. Open _index/function.json_, change the `authLevel` of the bindings to `anonymous`. Now the whole file looks like this:

-1. Now you can test your app locally. Start the function app with the command:

-1. Open **http://localhost:7071/api/index** in your web browser. You should be able to see a web page as follows:

- :::image type="content" source="./media/signalr-tutorial-authenticate-azure-functions/local-chat-client-ui.png" alt-text="Screenshot of local chat client web user interface.":::

-1. Enter a message in the chat box and press enter.

- The message is displayed on the web page. Because the user name of the SignalR client isn't set, we send all messages as "anonymous".

-You have been running the function app and chat application locally. You'll now deploy them to Azure and enable authentication and private messaging in the application.

-### Configure function app for authentication

-So far, the chat app works anonymously. In Azure, you'll use [App Service Authentication](../app-service/overview-authentication-authorization.md) to authenticate the user. The user ID or username of the authenticated user is passed to the `SignalRConnectionInfo` binding to generate connection information authenticated as the user.

-1. Insert a `userId` property to the `SignalRConnectionInfo` binding with value `{headers.x-ms-client-principal-name}`. This value is a [binding expression](../azure-functions/functions-triggers-bindings.md) that sets the user name of the SignalR client to the name of the authenticated user. The binding should now look like this.

-### Deploy function app to Azure

-Deploy the function app to Azure with the following command:

-### Enable App Service Authentication

-Azure Functions supports authentication with Microsoft Entra ID, Facebook, Twitter, Microsoft account, and Google. You will use **Microsoft** as the identity provider for this tutorial.

-1. Go to the resource page of your function app on Azure portal.

-1. Select **Settings** -> **Authentication**.

- :::image type="content" source="./media/signalr-tutorial-authenticate-azure-functions/function-app-authentication.png" alt-text="Screenshot of the Function App Authentication page.":::

-1. Select **Microsoft** from the **Identity provider** list.

- :::image type="content" source="media/signalr-tutorial-authenticate-azure-functions/function-app-select-identity-provider.png" alt-text="Screenshot of 'Add an identity provider' page.":::

- Azure Functions supports authentication with Microsoft Entra ID, Facebook, Twitter, Microsoft account, and Google. For more information about the supported identity providers, see the following articles:

- - [Microsoft Entra ID](../app-service/configure-authentication-provider-aad.md)

- - [Facebook](../app-service/configure-authentication-provider-facebook.md)

- - [Twitter](../app-service/configure-authentication-provider-twitter.md)

- - [Microsoft account](../app-service/configure-authentication-provider-microsoft.md)

- - [Google](../app-service/configure-authentication-provider-google.md)

-1. Select **Add** to complete the settings. An app registration will be created, which associates your identity provider with your function app.

-### Try the application

-1. Open **https://\<YOUR-FUNCTION-APP-NAME\>.azurewebsites.net/api/index**

-1. Select **Login** to authenticate with your chosen authentication provider.

-1. Send public messages by entering them into the main chat box.

-1. Send private messages by clicking on a username in the chat history. Only the selected recipient will receive these messages.

-Congratulations! You've deployed a real-time, serverless chat app!

-To clean up the resources created in this tutorial, delete the resource group using the Azure portal.

-> Deleting the resource group deletes all resources contained within it. If the resource group contains resources outside the scope of this tutorial, they will also be deleted.

-In this tutorial, you learned how to use Azure Functions with Azure SignalR Service. Read more about building real-time serverless applications with SignalR Service bindings for Azure Functions.

-## Azure Region Availability Zone (AZ) to SKU mapping

-When planning your Azure VMware Solution design, use the following table to understand what SKUs are available in each physical Availability Zone of an [Azure region](https://azure.microsoft.com/explore/global-infrastructure/geographies/#geographies). This is important for placing your private clouds in close proximity to your Azure native workloads, including integrated services such as Azure NetApp Files and Pure Cloud Block Storage (CBS). The Multi-AZ capability for Azure VMware Solution Stretched Clusters is also tagged in the table below.

-Customer quota for Azure VMware Solution is assigned by Azure region, and you are not able to specify the Availability Zone during private cloud provisioning. An auto selection algorithm is used to balance deployments across the Azure region. If you have a particular Availability Zone you want to deploy to, open an SR with Microsoft requesting a "special placement policy" for your Subscription, Azure region, Availability Zone, and SKU type. This policy will remain in place until you request it be removed or changed.

-| [Restore an encrypted VM](./backup-azure-vms-encryption.md) | From the portal, restore the disks and then use PowerShell to create the VM | <ul><li> [Encrypted VM with Microsoft Entra ID](../virtual-machines/windows/disk-encryption-windows-aad.md) <li> [Encrypted VM without Microsoft Entra ID](../virtual-machines/windows/disk-encryption-windows.md) <li> [Encrypted VM *with Microsoft Entra ID* migrated to *without Microsoft Entra ID*](../virtual-machines/windows/disk-encryption-faq.yml#can-i-migrate-vms-that-were-encrypted-with-an-azure-ad-app-to-encryption-without-an-azure-ad-app-)</ul> |

-Batch supports Windows server images that have container support designations. Typically, these image SKU names are suffixed with `-with-containers` or `-with-containers-smalldisk`. Additionally, [the API to list all supported images in Batch](batch-linux-nodes.md#list-of-virtual-machine-images) denotes a `DockerCompatible` capability if the image supports Docker containers.

-tooling required for your workflow.

-For more information about Azure data disks in Linux, see this [article](../virtual-machine-scale-sets/tutorial-use-disks-cli.md).

-For more information about Azure data disks in Windows, see this [article](../virtual-machine-scale-sets/tutorial-use-disks-powershell.md).

-## <a name="aad-express"> </a> Option 1: Create a new app registration automatically

-## <a name="aad-advanced"> </a>Option 2: Use an existing registration created separately

-### <a name="aad-register"> </a>Create an app registration in Microsoft Entra ID for your container app

-### <a name="aad-secrets"> </a>Enable Microsoft Entra ID in your container app

-1. Select the app registration you created earlier for your container app. If you don't see the app registration, make sure that you've added the **user_impersonation** scope in [Create an app registration in Microsoft Entra ID for your container app](#aad-register).

-1. To export the data from the source MongoDB instance, open a terminal and use the ``--host``, ``--username``, and ``--password`` arguments to connect to and export JSON records.

- ```bash

- mongoexport \

- --host <hostname><:port> \

- --username <username> \

- --password <password> \

- --db <database-name> \

- --collection <collection-name> \

- --out <filename>.json

- ```

-1. Optionally, export a subset of the MongoDB data by adding a ``--query`` argument. This argument ensures that the tool only exports documents that match the filter.

- ```bash

- mongoexport \

- --host <hostname><:port> \

- --username <username> \

- --password <password> \

- --db <database-name> \

- --collection <collection-name> \

- --query '{ "quantity": { "$gte": 15 } }' \

- --out <filename>.json

- ```

- --writeConcern="{w:0}" \

- <target-connection-string>

-1. To create a data dump of all data in your MongoDB instance, open a terminal and use the ``--host``, ``--username``, and ``--password`` arguments to dump the data as native BSON.

- ```bash

- mongodump \

- --host <hostname><:port> \

- --username <username> \

- --password <password> \

- --out <dump-directory>

- ```

-1. Optionally, you can specify the ``--db`` and ``--collection`` arguments to narrow the scope of the data you wish to dump:

- ```bash

- mongodump \

- --host <hostname><:port> \

- --username <username> \

- --password <password> \

- --db <database-name> \

- --out <dump-directory>

- ```

- ```bash

- mongodump \

- --host <hostname><:port> \

- --username <username> \

- --password <password> \

- --db <database-name> \

- --collection <collection-name> \

- --out <dump-directory>

- ```

- --writeConcern="{w:0}" \

- --db <database-name> \

- --collection <collection-name> \

- --ssl \

- <dump-directory>/<database-name>/<collection-name>.bson

-If you don't see **Account Admin**, you might have a Microsoft Customer Agreement or Enterprise Agreement account. Instead, [check your access to a Microsoft Customer Agreement](understand-mca-roles.md#check-access-to-a-microsoft-customer-agreement) or see [Manage Azure Enterprise Agreement roles](understand-ea-roles.md).

-Dev Box validates your image for hibernate support. Your dev box definition may fail validation if hibernation couldn't be successfully enabled using your image.

-## Restrictions:

-> [!NOTE]

-> See [What are the usage limits for Azure DNS?](dns-faq.yml#what-are-the-usage-limits-for-azure-dns-) for a list of usage limits for the DNS private resolver.

-description: Overview of support for hosting DNS zones and records in Microsoft Azure DNS.

-A domain name registrar is an organization that allows you to purchase a domain name, such as `contoso.com`. Purchasing a domain name gives you the right to control the DNS hierarchy under that name, for example allowing you to direct the name `www.contoso.com` to your company web site. The registrar may host the domain in its own name servers on your behalf or allow you to specify alternative name servers.

-The DNS standards permit a single TXT record to contain multiple strings, each of which may be up to 255 characters in length. Where multiple strings are used, they're concatenated by clients and treated as a single string.

-description: Overview of a private DNS zone

-# What is a private Azure DNS zone

-To understand how many private DNS zones you can create in a subscription and how many record sets are supported in a private DNS zone, see [Azure DNS limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-dns-limits)

-[](media/how-to-manage-audit-logs/how-to-manage-audit-logs-1-audit-event-diagnostic-logs.png#lightbox)

-| RequestId | String | This is the unique ID associated to the request, which triggered the operation on data plane. |

-If you're trying to onboard a new tenant to HDInsight on AKS, you need to provide consent to first party App of HDInsight on AKS to Access API. This app will try to provision the application used to authenticate cluster users and groups.

-> Resource owner would be able to run the command to provision the first party service principal on the given tenant.

-description: Learn how to create a project and use the data labeling tool to label images in the project. Enable machine learning-assisted labeling or human-in-the-loop labeling to help with the task.

-Set up labels for classification, object detection (bounding box), or instance segmentation (polygon).

-To accelerate labeling tasks, on the **ML assisted labeling** page, you can trigger automatic machine learning models. Medical images (files that have a *.dcm* extension) aren't included in assisted labeling.

-You can export an image label as:

-> * For pipeline jobs, the user identity must be configured at job top level, not for individual pipeline steps.

-You can create a new notebook and execute the instructions in this tutorial step by step. You can also open the existing notebook named *2. Enable materialization and backfill feature data.ipynb* from the *featurestore_sample/notebooks* directory, and then run it. You can choose *sdk_only* or *sdk_and_cli*. Keep this tutorial open and refer to it for documentation links and more explanation.

-1. Configure the session:

- 1. On the **Python packages** tab, select **Upload Conda file**.

- 1. Upload the *conda.yml* file that you [uploaded in the first tutorial](./tutorial-get-started-with-feature-store.md#prepare-the-notebook-environment).

- 1. Increase the session time-out (idle time) to avoid frequent prerequisite reruns.

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=install-ml-ext-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=auth-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=set-default-subs-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=create-new-storage)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=create-new-storage-container)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=set-container-arm-id-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=use-existing-storage)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=retrieve-uai-properties)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai-fs)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai-offline-store)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=dump_featurestore_yaml)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=enable-offline-store)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=enable-offline-mat-txns-fset)]

- To run this tutorial, you can create a new notebook and execute the instructions step by step. You can also open and run the existing notebook named *4. Enable recurrent materialization and run batch inference*. You can find that notebook, and all the notebooks in this series, in the *featurestore_sample/notebooks* directory. You can choose *sdk_only* or *sdk_and_cli*. Keep this tutorial open and refer to it for documentation links and more explanation.

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/4. Enable recurrent materialization and run batch inference.ipynb?name=install-ml-ext-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/4. Enable recurrent materialization and run batch inference.ipynb?name=auth-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/4. Enable recurrent materialization and run batch inference.ipynb?name=set-default-subs-cli)]

- You can create a new notebook and execute the instructions in this tutorial step by step. You can also open and run the existing notebook named *3. Experiment and train models using features.ipynb* from the *featurestore_sample/notebooks* directory. You can choose *sdk_only* or *sdk_and_cli*. Keep this tutorial open and refer to it for documentation links and more explanation.

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/3. Experiment and train models using features.ipynb?name=install-ml-ext-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/3. Experiment and train models using features.ipynb?name=auth-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/3. Experiment and train models using features.ipynb?name=set-default-subs-cli)]

- > - client_ecncryption_options

- > - saved_caches_directory

- For more details refer [GTID Reset](/cli/azure/mysql/flexible-server/gtid).

-

-Instance Readiness Testing (IRT) is a framework built to orchestrate real-world workloads for testing of the Azure Operator Nexus Platform.

-## Environment requirements

- * Networks to use for the test are specified in a "networks-blueprint.yml" file, see [Input Configuration](#input-configuration).

-## Input configuration

-Build your input file. The IRT tarball provides `irt-input.example.yml` as an example, follow the [instructions](#download-irt) to download the tarball. These values **will not work for your instances**, they need to be manually changed and the file should also be renamed to `irt-input.yml`. The example input file is provided as a stub to aid in configuring new input files. Overridable values and their usage are outlined in the example. The **[One Time Setup](#one-time-setup) assists in setting input values by writing key/value pairs to the config file as they execute.**

-The network information is provided in either a `networks-blueprint.yml` file, similar to the `networks-blueprint.example.yml` that is provided, or appended to the `irt-input.yml` file. The schema for IRT is defined in the `networks-blueprint.example.yml`. The networks are created as part of the test, provide network details that aren't in use. Currently IRT has the following network requirements:

-* Three (3) L3 Networks

- * Two of them with MTU 1500

- * One of them with MTU 9000 and shouldn't have a fabric_asn attribute

-* One (1) Trunked Network

-* All VLANs should be greater than 500

-## One Time Setup

-### Download IRT

-IRT is distributed via tarball, download it, extract it, and navigate to the `irt` directory.

-1. From your Linux environment, download nexus-irt.tar.gz from aka.ms/nexus-irt `curl -Lo nexus-irt.tar.gz aka.ms/nexus-irt`

-1. Extract the tarball to the local file system: `mkdir -p irt && tar xf nexus-irt.tar.gz --directory ./irt`

-1. Switch to the new directory `cd irt`

-### Install dependencies

-There are multiple dependencies expected to be available during execution. Review this list;

-* `jq` version 1.6 or greater

-* `yq` version 4.33 or greater

-* `azcopy` version 10 or greater

-* `az` Azure CLI, stay up to date. Minimum expected version: 2.11.0(supports self upgrade)

-* `elinks` - for viewing html files on the command line

-* `tree` - for viewing directory structures

-* `moreutils` - for viewing progress from the Azure Container Instance (ACI) container

-The `setup.sh` script is provided to aid with installing the listed dependencies. It installs any dependencies that aren't available in PATH. It doesn't upgrade any dependencies that don't meet the minimum required versions.

-> [!NOTE]

-> `setup.sh` assumes a nonroot user and attempts to use `sudo`

-### All in one setup

-`all-in-one-setup.sh` is provided to create all of the Azure resources required to run IRT. This process includes creating a managed identity, a service principal, a security group, isolation domains, and a storage account to archive the test results. These resources can be created during the all in one script, or they can be created step by step per the instructions in this document. Each of the script, individually and via the all in one script, writes updates to your `irt-input.yml` file with the key value pairs needed to utilize the resources you created. Review the `irt-input.example.yml` file for the required inputs needed for one or more of the scripts, regardless of the methodology you pursue. All of the scripts are idempotent, and also allow you to use existing resources if desired.

-### Step-by-Step setup

-> [!NOTE]

-> Only use this section if you're NOT using `all-in-one.sh`

-If your workflow is incompatible with `all-in-one.sh`, each resource needed for IRT can be created manually with each supplemental script. Like `all-in-one.sh`, running these scripts writes key/value pairs to your `irt-input.yml` for you to use during your run. These four scripts make up the `all-in-one.sh`.

-IRT makes commands against your resources, and needs permission to do so. IRT requires a managed identity and a service principal to execute. It also requires that the service principal is a member of the Microsoft Entra Security Group that is also provided as input.

-#### Create managed identity

-<details>

-<summary>Expand to see how to create managed identity.</summary>

-A managed identity with the following role assignments is needed to execute tests. The supplemental script, `create-managed-identity.sh` creates a managed identity with these role assignments.

-* `Contributor` - For creating and manipulating resources

-* `Storage Blob Data Contributor` - For reading from and writing to the storage blob container

-* `Log Analytics Reader` - For reading metadata about the LAW

-* `Kubernetes Connected Cluster Role` - For read/write operations on connected cluster

-Executing `create-managed-identity.sh` requires the input yaml to have the following properties, all of them can be overridden by the corresponding environment variables:

-```yml

-MANAGED_IDENTITY:

- RESOURCE_GROUP: "<resource-group>" # env: MANAGED_IDENTITY_RESOURCE_GROUP

- NAME: "<name>" # env: MANAGED_IDENTITY_NAME

- SUBSCRIPTION: "<subscription>" # env: MANAGED_IDENTITY_SUBSCRIPTION

- LOCATION: "<location>" # env: MANAGED_IDENTITY_LOCATION

-```

-* `MANAGED_IDENTITY.RESOURCE_GROUP` - The resource group the managed identity is created in.

-* `MANAGED_IDENTITY.NAME` - The name of the managed identity to be created.

-* `MANAGED_IDENTITY.SUBSCRIPTION` - The subscription where the resource group should reside.

-* `MANAGED_IDENTITY.LOCATION` - The location to create the resource group.

-```bash

-# Example execution of the script

-./create-managed-identity.sh irt-input.yml

-```

-> [!NOTE]

-> if `MANAGED_IDENTITY_ID` is set in the input yaml or as an environment variable the script won't create anything.

-**RESULT:** This script prints a value for `MANAGED_IDENTITY_ID` and sets it to the input.yml.

-See [Input Configuration](#input-configuration).

-```yml

-MANAGED_IDENTITY_ID: <generated_id>

-```

-</details>

-#### Create service principal and security group

-<details>

-<summary>Expand to see how to create service principal and security group.</summary>

-A service principal with the following role assignments. The supplemental script, `create-service-principal.sh` creates a service principal with these role assignments, or add role assignments to an existing service principal.

-* `Contributor` - For creating and manipulating resources

-* `Storage Blob Data Contributor` - For reading from and writing to the storage blob container

-* `Azure ARC Kubernetes Admin` - For ARC enrolling the NKS cluster

-Additionally, the script creates the necessary security group, and adds the service principal to the security group. If the security group exists, it adds the service principal to the existing security group.

-Executing `create-service-principal.sh` requires the input yaml to have the following properties, all of them can be overridden by the corresponding environment variables:

-```yml

-SERVICE_PRINCIPAL:

- NAME: "<name>" # env: SERVICE_PRINCIPAL_NAME

- AAD_GROUP_NAME: "<aad-group-name>" # env: SERVICE_PRINCIPAL_AAD_GROUP_NAME

- SUBSCRIPTION: "<subscription>" # env: SERVICE_PRINCIPAL_SUBSCRIPTION

-```

-* `SERVICE_PRINCIPAL.NAME` - The name of the service principal, created with the `az ad sp create-for-rbac` command.

-* `SERVICE_PRINCIPAL.AAD_GROUP_NAME` - The name of the security group.

-* `SERVICE_PRINCIPAL.SUBSCRIPTION` - The subscription of the service principal.

-```bash

-# Example execution of the script

-./create-service-principal.sh irt-input.yml

-```

-> [!NOTE]

-> if all `SP_ID`,`SP_PASSWORD`,`SP_TENANT_ID`,`AAD_GROUP_ID` are set in the yaml or as an environment variable the script skips creating them.

-**RESULT:** This script prints values for `AAD_GROUP_ID`, `SP_ID`, `SP_PASSWORD`, and `SP_TENANT` and sets the values back to the input yaml.

-See [Input Configuration](#input-configuration).

-```yml

-SP_ID: "<generated-sp-id>"

-SP_PASSWORD: "<generated-sp-password>" # If SP already exists sp password is not retreivable, please fill it in.

-SP_TENANT_ID: "<generated-sp-tenant-id>"

-AAD_GROUP_ID: "generated-aad-group-id"

-```

-</details>

-#### Create l3 isolation domains

-<details>

-<summary>Expand to see how to create l3 isolation.</summary>

-The testing framework doesn't create, destroy, or manipulate isolation domains. Therefore, existing isolation domains can be used. Each isolation domain requires at least one external network. The supplemental script, `create-l3-isolation-domains.sh`. Internal networks are created, manipulated, and destroyed through the course of testing.

-Executing `create-l3-isolation-domains.sh` requires one **parameter**, a path to a file containing the networks requirements. You can choose either the standalone network-blueprint.yml or the input.yml based on your workflow, both should contain the information needed.

-```bash

-# Example of the script being invoked using networks-blueprint.yml:

-./create-l3-isolation-domains.sh networks-blueprint.yml

-```

-```bash

-# Example of the script being invoked using irt-input.yml:

-# the network-blueprint should exist under NETWORK_BLUEPRINT node.

-./create-l3-isolation-domains.sh irt-input.yml

-```

-</details>

-#### Create archive storage

-<details>

-<summary>Expand to see how to create archive storage.</summary>

-IRT creates an html test report after running a test scenario. These reports can optionally be uploaded to a blob storage container. The supplementary script `create-archive-storage.sh` to create a storage container, storage account, and resource group if they don't already exist.

-Executing `create-archive-storage.sh` requires the input yaml to have the following properties, all of them can be overridden by the corresponding environment variables:

-```yml

-ARCHIVE_STORAGE:

- RESOURCE_GROUP: "<resource-group>" # env: ARCHIVE_STORAGE_RESOURCE_GROUP

- ACCOUNT_NAME: "<storage-account-name>" # env: ARCHIVE_STORAGE_ACCOUNT_NAME

- CONTAINER_NAME: "<storage-container-name>" # env: ARCHIVE_STORAGE_CONTAINER_NAME

- SUBSCRIPTION: "<subscription>" # env: ARCHIVE_STORAGE_SUBSCRIPTION

- LOCATION: "<location>" # env: ARCHIVE_STORAGE_LOCATION

-```

-* `ARCHIVE_STORAGE_RESOURCE_GROUP` - The resource group the managed identity is created in.

-* `ARCHIVE_STORAGE_ACCOUNT_NAME` - The name of the Azure storage account to be created.

-* `ARCHIVE_STORAGE_CONTAINER_NAME` - The name of the blob storage container to be created.

-* `SUBSCRIPTION` - The subscription where the resource group is created in.

-* `LOCATION` - The location where the resource group is created in.

-> [!NOTE]

-> if `PUBLISH_RESULTS_TO` is set in the input yaml or as an environment variable the script skips creating a new one.

-```bash

-# Example execution of the script

-./create-archive-storage.sh irt-input.yaml

-```

-**RESULT:** This script prints a value for `PUBLISH_RESULTS_TO` and sets the value in the input.yml. See [Input Configuration](#input-configuration).

-```yml

-PUBLISH_RESULTS_TO: <generated_id>

-```

-</details>

-## Execution

-* Execute. This example assumes irt-input.yml is in the same location as irt.sh. If your file is located in a different directory, provide the full file path.

-```bash

-./irt.sh irt-input.yml

-```

-## Results

-1. A file named `summary-<cluster_name>-<timestamp>.html` is downloaded at the end of the run and contains the testing results. It can be viewed:

- 1. From any browser

- 1. Using elinks or lynx to view from the command line; for example:

- 1. `elinks summary-<cluster_name>-<timestamp>.html`

- 1. If the `PUBLISH_RESULTS_TO` parameter was provided, the results are uploaded to the blob container you specified. It can be previewed by navigating to the link presented to you at the end of the IRT run.

- # Cluster Manager environment variables

- export CLUSTER_MANAGER_NAME="contorso-cluster-manager-1234"

- export CLUSTER_MANAGER_RG="contorso-cluster-manager-1234-rg"

- export CLUSTER_MANAGER_EXTENDED_LOC="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ExtendedLocation/customLocations/clusterManagerExtendedLocationName"

- # Your Console resource environment variables

- export VM_RESOURCE_GROUP="my-vm-rg"

- # your environment variables

- export PRIVATE_ENDPOINT_CONNECTION_NAME="my-contorse-ple-pls-connection"

-## Establishing Private Network Connectivity

-In order to establish a secure session with a Virtual Machine, you need to establish private network connectivity between your network and the Cluster Manager's private network.

-This private network relies on the Azure Private Link Endpoint (PLE) and the Azure Private Link Service (PLS).

-The Cluster Manager automatically creates a PLS so that you can establish a private network connection between your network and the Cluster Manager's private network.

-This section provides a step-by-step guide to help you to establish a private network connectivity.

-1. You need to retrieve the resource identifier for the PLS associated to the VM Console service running in the Cluster Manager.

- ```bash

- # retrieve the infrastructure resource group of the AKS cluster

- export pls_resource_group=$(az aks show --name ${CLUSTER_MANAGER_NAME} -g ${CLUSTER_MANAGER_RG} --query "nodeResourceGroup" -o tsv)

- # retrieve the Private Link Service resource id

- export pls_resourceid=$(az network private-link-service show \

- --name console-pls \

- --resource-group ${pls_resource_group} \

- --query id \

- --output tsv)

- ```

-1. Create the PLE for establishing a private and secure connection between your network and the Cluster Manager's private network. You need the PLS resource ID obtained in [Creating Console Resource](#creating-console-resource).

- ```bash

- az network private-endpoint create \

- --connection-name "${PRIVATE_ENDPOINT_CONNECTION_NAME}" \

- --name "${PRIVATE_ENDPOINT_NAME}" \

- --private-connection-resource-id "${pls_resourceid}" \

- --resource-group "${PRIVATE_ENDPOINT_RG}" \

- --vnet-name "${PRIVATE_ENDPOINT_VNET}" \

- --subnet "${PRIVATE_ENDPOINT_SUBNET}" \

- --manual-request false

- ```

-1. Retrieve the private IP address allocated to the PLE, which you need when establishing a session.

- ```bash

- export ple_interface_id=$(az network private-endpoint list --resource-group ${PRIVATE_ENDPOINT_RG} --query "[0].networkInterfaces[0].id" -o tsv)

- export sshmux_ple_ip=$(az network nic show --ids $ple_interface_id --query 'ipConfigurations[0].privateIPAddress' -o tsv)

- echo "sshmux_ple_ip: ${sshmux_ple_ip}"

- ```

-## Creating Console Resource

-The Console resource provides the information about the VM such as VM name, public SSH key, expiration date for the session, etc.

-This section provides step-by-step guide to help you to create a Console resource using Azure CLI commands.

-1. Before you can establish a session with a VM, create the Console resource for that VM.

- ```bash

- az networkcloud virtualmachine console create \

- --virtual-machine-name "${VIRTUAL_MACHINE_NAME}" \

- --resource-group "${VM_RESOURCE_GROUP}" \

- --extended-location name="${CLUSTER_MANAGER_EXTENDED_LOC}" type="CustomLocation" \

- --enabled True \

- --ssh-public-key key-data "${CONSOLE_PUBLIC_KEY}" \

- [--expiration "${CONSOLE_EXPIRATION_TIME}"]

- ```

- If you omit the `--expiration` parameter, the Cluster Manager will automatically set the expiration to one day after the creation of the Console resource. Also note that the `expiration` date & time format **must** comply with RFC3339 otherwise the creation of the Console resource fails.

- > [!NOTE]

- > For a complete synopsis for this command, invoke `az networkcloud console create --help`.

-1. Upon successful creation of the Console resource, retrieve the VM Access ID. You must use this unique identifier as `user` of the SSH session.

- virtual_machine_access_id=$(az networkcloud virtualmachine console show \

- --virtual-machine-name "${VIRTUAL_MACHINE_NAME}" \

- --resource-group "${VM_RESOURCE_GROUP}" \

- --query "virtualMachineAccessId")

-> For a complete synopsis for this command, invoke `az networkcloud virtualmachine console show --help`.

-## Establishing a session with a Virtual Machine

- az networkcloud virtualmachine console update \

- --virtual-machine-name "${VIRTUAL_MACHINE_NAME}" \

- --resource-group "${VM_RESOURCE_GROUP}" \

- [--enabled True | False] \

- [--key-data "${CONSOLE_PUBLIC_KEY}"] \

- [--expiration "${CONSOLE_EXPIRATION_TIME}"]

- az networkcloud virtualmachine console delete \

- --virtual-machine-name "${VIRTUAL_MACHINE_NAME}" \

- --resource-group "${VM_RESOURCE_GROUP}"

- ```bash

- az network private-endpoint delete \

- --name ${PRIVATE_ENDPOINT_NAME}-ple \

- --resource-group ${PRIVATE_ENDPOINT_NAME}-rg

- ```

-> [!NOTE]

-> If each server has two CPU chipsets and each CPU chip has 28 cores, then with hyperthreading enabled (default), the CPU chip supports 56 vCPUs. With 8 vCPUs in each chip reserved for infrastructure (OS and agents), the remaining 48 are available for tenant workloads.

-To contact a satellite, it must be registered and authorized as a spacecraft resource with Azure Orbital Ground Station using required identifying information.

-1. In the Azure Portal search box, enter **Spacecraft**. Select **Spacecraft** in the search results.

- > Authorization of private spacecraft requires the customer to have acquired a spacecraft license for their spacecraft. Microsoft can provide technical information required to complete the federal regulator and ITU processes as needed. This process augments the ground station licenses in our network and ensures customer satellites are added and authorized. Third party ground station networks are not included.

- >

- > Public spacecraft do not require licensing for authorization. The Azure Orbital Ground Station service supports several public satellites including Aqua, Suomi NPP, JPSS-1/NOAA-20, and Terra.

-### Private spacecraft

-#### Step 1: Provide more detail

-After the authorization request is generated, our regulatory team will investigate the request and determine if more detail is required. If so, a customer support representative will reach out to you with a regulatory intake form. You will need to input information regarding relevant filings, call signs, orbital parameters, link details, antenna details, point of contacts, etc.

-Fill out all relevant fields in this form. When you are finished entering information, email this form back to the customer support representative.

-#### Step 2: Await feedback from our regulatory team

-Based on the details provided in the steps above, our regulatory team will make an assessment on time and cost to onboard your spacecraft to all requested ground stations. This step will take a few weeks to execute.

-Once the determination is made, we will confirm the cost with you and ask you to authorize before proceeding.

-#### Step 3: Azure Orbital Ground Station requests relevant ground station licensing

-Upon authorization, you will be billed the fees associated with licensing your spacecraft at each relevant ground station. Our regulatory team will seek the relevant licenses to enable your spacecraft to communicate with the desired ground stations. Refer to the following table for an estimated timeline for execution:

-| **Station** | **Qunicy** | **Chile** | **Sweden** | **South Africa** | **Singapore** |

-| -- | - | | - | - | - |

-| Onboarding Timeframe | 3-6 months | 3-6 months | 3-6 months | <1 month | 3-6 months |

-| Feature unavailable in select regions. | Currently unavailable in the following regions: </br> West India </br> Australia Central 2 </br> South Africa West </br> Brazil Southeast |

- | Traffic to remote virtual network | Select **Allow (default)**. |

- | Traffic forwarded from remote virtual network | Select **Allow (default)**. |

- | Virtual network gateway or Route Server | Select **None (default)**. |

- | Traffic to remote virtual network | Select **Allow (default)**. |

- | Traffic forwarded from remote virtual network | Select **Allow (default)**. |

- | Virtual network gateway or Route Server | Select **None (default)**. |

-In the output, you can see the current routing preference setting in front of **"HubRoutingPreference":**:

-Updates the Terraform state file.

-You can use this script to add missing or modified resources to the Terraform state file. This script is useful if resources have been modified or created without using Terraform.

- --azure_resource_id "${azure_resource_id}"

-| [**SAP BW/4HANA 2021 SP04 Developer Edition**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/1b0ac659-a5b4-4d3b-b1ae-f1a1cb89c6db)| March 23 2023 | This solution offers you an insight of SAP BW/4HANA2021 SP04. SAP BW/4HANA is the next generation Data Warehouse optimized for SAP HANA. Beside the basic BW/4HANA options the solution offers a bunch of SAP HANA optimized BW/4HANA Content and the next step of Hybrid Scenarios with SAP Data Warehouse Cloud. | [Create Appliance](https://cal.sap.com/registration?sguid=1b0ac659-a5b4-4d3b-b1ae-f1a1cb89c6db&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

-| [**SAP NetWeaver 7.5 SP15 on SAP ASE**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/solutions/69efd5d1-04de-42d8-a279-813b7a54c1f6) | January 3 2018 | SAP NetWeaver 7.5 SP15 on SAP ASE | [Create Appliance](https://cal.sap.com/registration?sguid=69efd5d1-04de-42d8-a279-813b7a54c1f6&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

-Get started with vector search in Azure Cognitive Search using the **2023-07-01-Preview** REST APIs that create, load, and query a search index.

-+ [Sample Postman collection](https://github.com/Azure-Samples/azure-search-postman-samples/tree/main/Quickstart-vectors), with requests targeting the **2023-07-01-preview** API version of Azure Cognitive Search.

-1. Start Postman and import the collection `AzureSearchQuickstartVectors.postman_collection.json`.

- | search-api-version | 2023-07-01-Preview |

-Use the [Create or Update Index](/rest/api/searchservice/preview-api/create-or-update-index) REST API for this request.

- "name": "HotelNameVector",

- "searchable": true,

- "vectorSearchConfiguration": "my-vector-config"

- "name": "DescriptionVector",

- "searchable": true,

- "vectorSearchConfiguration": "my-vector-config"

- "algorithmConfigurations": [

- "name": "my-vector-config",

- ]

-+ Vector fields must be `"type": "Collection(Edm.Single)"` with `"dimensions"` and `"vectorSearchConfiguration"` properties. See [this article](/rest/api/searchservice/preview-api/create-or-update-index) for property descriptions.

-+ The `"vectorSearch"` section is an array of algorithm configurations used by vector fields. Currently, only HNSW is supported. HNSW is a graph-based Approximate Nearest Neighbors (ANN) algorithm optimized for high-recall, low-latency applications.

-Use the [Add, Update, or Delete Documents](/rest/api/searchservice/preview-api/add-update-delete-documents) REST API for this request.

-Use the [Search Documents](/rest/api/searchservice/preview-api/search-documents) REST API for query request. Public preview has specific requirements for using POST on the queries. Also, the API version must be 2023-07-01-Preview.

-The vector query string is semantically similar to the search string, but has terms that don't exist in the search index. If you do a keyword search for "classic lodging near running trails, eateries, retail", results are zero. We use this example to show you can get relevant results even if there are no matching terms.

-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}

- "k": 7

-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}

- "vectors": [

- "value": [ VECTOR OMITTED ],

- "k": 7

-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}

- "vectors": [

- "value": [ VECTOR OMITTED],

- "fields": "DescriptionVector"

-Here's the last query in the collection: a hybrid query, with semantic ranking, filtered to show just those hotels within a 500-kilometer radius of Washington D.C.

-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}

- "vectors": [

- "value": [ VECTOR OMITTED ],

- "fields": "DescriptionVector"

-This code loads [AzureSearchWriter](). It consumes a tabular dataset and infers a search index schema that defines one field for each column. The translations structure is an array, so it's articulated in the index as a complex collection with subfields for each language translation. The generated index will have a document key and use the default values for fields created using the [Create Index REST API](/rest/api/searchservice/create-index).

-> Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, preview REST API, and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme).

-> + Add one or more vector fields to the index schema.

-+ Azure Cognitive Search, in any region and on any tier. Most existing services support vector search. For services created prior to January 2019, there is a small subset which won't support vector search. If an index containing vector fields fails to be created or updated, this is an indicator. In this situation, a new service must be created.

-## Add a vector field to the fields collection

-The schema must include a `vectorConfiguration` section, a field for the document key, vector fields, and any other fields that you need for hybrid search scenarios.

-+ `vectorConfiguration` specifies the algorithm and parameters used during indexing to create "nearest neighbor" information among the vector nodes. Currently, only Hierarchical Navigable Small World (HNSW) is supported.

-+ Vector fields are of type `Collection(Edm.Single)` and single-precision floating-point values. A field of this type also has a `dimensions` property and a `vectorConfiguration` property

-During indexing, HNSW determines how closely the vectors match and stores the neighborhood information as a proximity graph in the index. You can have multiple configurations within an index if you want different HNSW parameter combinations. As long as the vector fields contain embeddings from the same model, having a different vector configuration per field has no effect on queries.

-You can use the Azure portal, REST APIs, or the beta packages of the Azure SDKs to index vectors.

-### [**Azure portal**](#tab/portal-add-field)

-Use the index designer in the Azure portal to add vector field definitions. If the index doesn't have a vector configuration, you're prompted to create one when you add your first vector field to the index.

-Although you can add a field to an index, there's no portal (Import data wizard) support for loading it with vector data. Instead, use the REST APIs or an SDK for data import.

-1. [Sign in to Azure portal](https://portal.azure.com) and open your search service page in a browser.

-1. In the left-side navigation pane, select **Search management** > **Indexes**.

-1. Select **+ Add Index** and give the index a name.

-1. Select **Add Field**:

- :::image type="content" source="media/vector-search-how-to-create-index/portal-add-field.png" alt-text="Screenshot of the Add Field pane." border="true":::

- **Key points**:

- + Name the field (no spaces).

- + Choose type `Collection(Edm.Single)`.

- + Select "Retrievable" if you want the query to return the vector data in search results. If you have other fields with human readable content that you can return as a proxy for the match, you should set "Retrievable" to false to save space.

- + "Searchable" is mandatory for a vector field and can't be changed.

- + "Dimensions" is the length of the vector returned by the model. Set this value to specify `1536` for **text-embeddding-ada-002**, where the input text that you provide is numerically described using 1536 dimensions.

-1. Select or create a vector configuration used for similarity search. If the index doesn't have a vector configuration, you must select **Create**.

- :::image type="content" source="media/vector-search-how-to-create-index/portal-add-vector-configuration.png" alt-text="Screenshot of the vector configuration properties." border="true":::

- + Name the configuration. The name must be unique within the index.

- + "hnsw" is the Approximate Nearest Neighbors (ANN) algorithm used to create the proximity graph during indexing. Currently, only Hierarchical Navigable Small World (HNSW) is supported.

- + "Bi-directional link count" default is 4. The range is 4 to 10. Lower values should return less noise in the results.

- + "efConstruction" default is 400. The range is 100 to 1,000. It's the number of nearest neighbors used during indexing.

- + "efSearch default is 500. The range is 100 to 1,000. It's the number of nearest neighbors used during search.

- + "Similarity metric" should be "cosine" if you're using Azure OpenAI, otherwise use the similarity metric associated with the embedding model your're using. Supported values are `cosine`, `dotProduct`, `euclidean`.

- If you're familiar with HNSW parameters, you might be wondering about how to set the `"k"` number of nearest neighbors to return in the result. In Cognitive Search, that value is set on the [query request](vector-search-how-to-query.md).

-1. Select **Save** to save the vector configuration and the field definition.

-### [**REST API**](#tab/rest-add-field)

-Use the **2023-07-01-Preview** REST API for vector scenarios. If you're updating an existing index to include vector fields, make sure the `allowIndexDowntime` query parameter is set to `true`.

-In the following REST API example, "title" and "content" contain textual content used in full text search and semantic search, while "titleVector" and "contentVector" contain vector data.

-1. Add a `vectorSearch` section in the index that specifies the similarity algorithm used to create the embedding space. Currently, only `"hnsw"` is supported. For "metric", valid values are `cosine`, `euclidean`, and `dotProduct`. The `cosine` metric is specified because it's the similarity metric that the Azure OpenAI models use to create embeddings.

- + Name the configuration. The name must be unique within the index.

- + "hnsw" is the Approximate Nearest Neighbors (ANN) algorithm used to create the proximity graph during indexing. Currently, only Hierarchical Navigable Small World (HNSW) is supported.

- + "metric" should be "cosine" if you're using Azure OpenAI, otherwise use the similarity metric associated with the embedding model your're using. Supported values are `cosine`, `dotProduct`, `euclidean`.

- + For `Collection(Edm.Single)`, the "filterable", "facetable", "sortable" attributes are "false" by default. Don't set them to "true" because those behaviors don't apply within the context of vector fields and the request will fail.

- + "searchable" must be "true".

- + "retrievable" set to "true" allows you to display the raw vectors (for example, as a verification step), but doing so increases storage. Set to "false" if you don't need to return raw vectors. You don't need to return vectors for a query, but if you're passing a vector result to a downstream app then set "retrievable" to "true".

-Use the [Add, Update, or Delete Documents Preview REST API](/rest/api/searchservice/preview-api/add-update-delete-documents) to push documents containing vector data.

-> Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, preview REST API, and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme).

-> + [Query vector fields](#vector-query-request).

-> + [Query multiple vector fields at once](#multiple-vector-fields).

-> + [Run multiple vector queries in parallel](#multiple-vector-queries).

-+ Azure Cognitive Search, in any region and on any tier. Most existing services support vector search. For services created prior to January 2019, there is a small subset which won't support vector search. If an index containing vector fields fails to be created or updated, this is an indicator. In this situation, a new service must be created.

-+ Use REST API version **2023-07-01-Preview**, the [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr/tree/main), or Search Explorer in the Azure portal.

-### [**Azure portal**](#tab/portal-vector-query)

-Be sure to the **JSON view** and formulate the query in JSON. The search bar in **Query view** is for full text search and will treat any vector input as plain text.

-1. Sign in to Azure portal and find your search service.

-1. Under **Search management** and **Indexes**, select the index.

- :::image type="content" source="media/vector-search-how-to-query/select-index.png" alt-text="Screenshot of the indexes menu." border="true":::

-1. On Search Explorer, under **View**, select **JSON view**.

- :::image type="content" source="media/vector-search-how-to-query/select-json-view.png" alt-text="Screenshot of the index list." border="true":::

-1. By default, the search API is **2023-07-01-Preview**. This is the correct API version for vector search.

-1. Paste in a JSON vector query, and then select **Search**. You can use the REST example as a template for your JSON query.

- :::image type="content" source="media/vector-search-how-to-query/paste-vector-query.png" alt-text="Screenshot of the JSON query." border="true":::

-### [**REST API**](#tab/rest-vector-query)

-In this single vector query, which is shortened for brevity, the "value" contains the vectorized text of the query input, "fields" determines which vector fields are searched, and "k" specifies the number of nearest neighbors to return.

-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version=2023-07-01-Preview

-Here's an example of filter expressions combined with a vector query:

-> [!TIP]

-> If you don't have source fields with text or numeric values, check for document metadata, such as LastModified or CreatedBy properties, that might be useful in a filter.

-### Overhead from the selected algorithm

-Each approximate-nearest-neighbor algorithm creates other data structures in memory to enable efficient searching. These consume extra space within memory.

-**For HNSW algorithm, this overhead is between 5% to 20%.**

-Overhead is lower for higher dimensions because the raw size of the vectors is larger, but the extra data structures remain a fixed size since they store information on connectivity within the graph. As a result, the contribution of the extra data structures makes up a smaller portion of the overall size.

-Overhead is higher for larger values of the HNSW parameter `m`, which sets the number of bi-directional links created for every new vector during index construction. (The reason is because _m_ contributes roughly _m times 8 to 10_ bytes per document.)

-Based on internal tests, a model with _m=4_ and _dims=96_ has an overhead of ~17%, and a model with _m=4_ and _dims=768_ has an overhead of ~5%.

-> Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, [**2023-07-01-Preview REST APIs**](/rest/api/searchservice/index-preview), and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme).

-+ **Filtered vector search**. A query request can include a vector query and a [filter expression](search-filters.md). Filters apply to text and numeric fields, and are useful for including or excluding search documents based on filter criteria. Although a vector field isn't filterable itself, you can set up a filterable text or numeric field. The search engine processes the filter after the vector query executes, trimming search results from query response.

-Azure Cognitive Search uses Hierarchical Navigable Small Worlds (HNSW), which is a leading ANN algorithm optimized for high-recall, low-latency applications where data distribution is unknown or can change frequently.

-Hierarchical Navigable Small World (HNSW) is an algorithm used for efficient [approximate nearest neighbor (ANN)](vector-search-overview.md#approximate-nearest-neighbors) search in high-dimensional spaces. It organizes data points into a hierarchical graph structure that enables fast neighbor queries by navigating through the graph while maintaining a balance between search accuracy and computational efficiency.

-HNSW has several configuration parameters that can be tuned to achieve the throughput, latency, and recall objectives for your search application. You can create multiple configurations if you need optimizations for specific scenarios, but only one configuration can be specified on each vector field.

-Vector search algorithms are specified in the json path `vectorSearch.algorithmConfigurations` in a search index, and then specified on the field definition (also in the index):

-Because many algorithm configuration parameters are used to initialize the vector index during index creation, they're immutable parameters and can't be changed once the index is built. There's a subset of query-time parameters that may be modified.

-1. Graph pruning and optimization: This may be performed after indexing all vectors to improve navigability and efficiency of the HNSW graph.

-| vector search | `@search.score` | HNSW algorithm, using the similarity metric specified in the HNSW configuration. | 0.333 - 1.00 (Cosine) |

-## [Azure CLI](#tab/Azure-CLI)

-## [IntelliJ](#tab/IntelliJ)

-## [Visual Studio Code](#tab/visual-studio-code)

-After deployment, you can access the app at `https://<your-Azure-Spring-Apps-instance-name>-demo.azuremicroservices.io`. When you open the app, you get the response `Hello World`.

-From the navigation pane of the Azure Spring Apps instance overview page, select **Logs** to check the app's logs.

-## [Azure CLI](#tab/Azure-CLI)

-Use the following command to check the app's log to investigate any deployment issue:

-```azurecli

-az spring app logs \

- --service ${SERVICE_NAME} \

- --name ${APP_NAME}

-```

-## [IntelliJ](#tab/IntelliJ)

-1. Open the **Azure Explorer** window, expand the node **Azure**, expand the service node **Azure Spring Apps**, expand the Azure Spring Apps instance you created, and then select the *demo* instance of the app you created.

-2. Right-click and select **Start Streaming Logs**, then select **OK** to see real-time application logs.

-## [Visual Studio Code](#tab/visual-studio-code)

-To stream your application logs, follow the steps in the [Stream your application logs](https://code.visualstudio.com/docs/java/java-spring-apps#_stream-your-application-logs) section of [Java on Azure Spring Apps](https://code.visualstudio.com/docs/java/java-spring-apps).

-> [Create a service connection in Azure Spring Apps with the Azure CLI](../service-connector/quickstart-cli-spring-cloud-connection.md)

-| [Logs](../azure-monitor/app/diagnostic-search.md) | _Monitoring > Logs_ | Interact with an editor to query transaction logs. |

-The first container that appears in this command is the source. The second one is the destination. Make sure to append a SAS token to each source URL.

-If you provide authorization credentials by using Microsoft Entra ID, you can omit the SAS token only from the destination URL. Make sure that you've set up the proper roles in your destination account. See [Option 1: Use Microsoft Entra ID](storage-use-azcopy-v10.md?toc=/azure/storage/blobs/toc.json#option-1-use-azure-active-directory).

-The first directory that appears in this command is the source. The second one is the destination. Make sure to append a SAS token to each source URL.

-If you provide authorization credentials by using Microsoft Entra ID, you can omit the SAS token only from the destination URL. Make sure that you've set up the proper roles in your destination account. See [Option 1: Use Microsoft Entra ID](storage-use-azcopy-v10.md?toc=/azure/storage/blobs/toc.json#option-1-use-azure-active-directory).

-Azure File Sync also supports most of the special case valid Unicode characters and control characters except for the trailing dot (.)

-For more information on unsupported characters in Azure File Sync, refer to the [documentation](/troubleshoot/azure/azure-storage/file-sync-troubleshoot-sync-errors#handling-unsupported-characters).

-1. Let some data accumulate. Sit back and let people use your application for a while. Telemetry will come in and you'll see statistical charts in [metric explorer](../azure-monitor/essentials/metrics-charts.md) and individual events in [diagnostic search](../azure-monitor/app/diagnostic-search.md).

-[diagnostic]: ../azure-monitor/app/diagnostic-search.md

-1. Let some data accumulate. Sit back and let people use your application for a while. Telemetry will come in and you'll see statistical charts in [metric explorer](../azure-monitor/essentials/metrics-charts.md) and individual events in [diagnostic search](../azure-monitor/app/diagnostic-search.md).

-sc <- spark_connect(master = "yarn", version = spark_version, spark_home = "/opt/spark", config = config)

-For the assessed machines that are reporting updates, you can configure [periodic assessment](assessment-options.md#periodic-assessment), [hot patching](updates-maintenance-schedules.md#hot-patching),and [patch orchestration](manage-multiple-machines.md#summary-of-machine-status) either immediately or schedule the updates by defining the maintenance window.

-Azure Update Manager provides a SaaS solution to manage and govern software updates to Windows and Linux machines across Azure, on-premises, and multi-cloud environments.

-The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Azure Automation Update management solution relies on this agent and may encounter issues once the agent is retired. It doesn't work with Azure Monitoring Agent (AMA) either.

-# Update options in Azure Update Manager

-This article provides an overview of the various update and maintenance options available by Azure Update Manager.

-Update Manager provides you with the flexibility to take an immediate action or schedule an update within a defined maintenance window. It also supports new patching methods, such as [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md) and [hot patching](../automanage/automanage-hotpatch.md?context=%2fazure%2fvirtual-machines%2fcontext%2fcontext).

-## Update now/One-time update

-Update Manager allows you to secure your machines immediately by installing updates on demand. To perform the on-demand updates, see [Check and install one-time updates](deploy-updates.md#install-updates-on-a-single-vm).

-## Scheduled patching

-You can create a schedule on a daily, weekly, or hourly cadence according to your requirement. You can specify the machines that must be updated as part of the schedule and the updates that must be installed. The schedule then automatically installs the updates according to the specifications.

-Update Manager uses a maintenance control schedule instead of creating its own schedules. Maintenance control enables customers to manage platform updates. For more information, see the [Maintenance control documentation](/azure/virtual-machines/maintenance-control).

-Start by using [scheduled patching](scheduled-patching.md) to create and save recurring deployment schedules.

-> [!NOTE]

-> The patch orchestration property for Azure machines should be set to **Customer Managed Schedules** because it's a prerequisite for scheduled patching. For more information, see the [list of prerequisites](../update-center/scheduled-patching.md#prerequisites-for-scheduled-patching).

-## Automatic VM guest patching in Azure

-This mode of patching lets the Azure platform automatically download and install all the security and critical updates on your machines every month and apply them on your machines following the availability-first principles. For more information, see [Automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md).

-On the **Azure Update Manager** home page, go to **Update Settings** and select **Patch orchestration** as the **Azure Managed - Safe Deployment** value to enable this VM property.

-## Windows automatic updates

-This mode of patching allows the operating system to automatically install updates as soon as they're available. It uses the VM property that's enabled by setting the patch orchestration to OS orchestrated/automatic by the OS.

-## Hot patching

-Hot patching allows you to install updates on supported Windows Server Azure Edition VMs without requiring a reboot after installation. It reduces the number of reboots required on your mission-critical application workloads running on Windows Server. For more information, see [Hot patch for new virtual machines](../automanage/automanage-hotpatch.md).

-The hot patching property is available as a setting in Update Manager. You can enable it by using the Update settings flow. For detailed instructions, see [Manage update configuration settings](manage-update-settings.md#configure-settings-on-a-single-vm).

-* To troubleshoot issues, see [Troubleshoot Update Manager](troubleshoot.md).

-Bpsv2 VMs offer up to 16 vCPU and 64 GiB of RAM and are optimized for scale-out and most enterprise workloads. Bpsv2-series virtual machines support Standard SSD, Standard HDD, Premium SSd disk types with no local-SSD support (i.e. no local or temp disk) and you can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

-**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

-**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

-**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

-Some services or VM features are only available in certain regions, such as specific VM sizes or storage types. There are also some global Azure services that do not require you to select a particular region, such as [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md), [Traffic Manager](../traffic-manager/traffic-manager-overview.md), or [Azure DNS](../dns/dns-overview.md). To assist you in designing your application environment, you can check the [availability of Azure services across each region](https://azure.microsoft.com/regions/#services). You can also [programmatically query the supported VM sizes and restrictions in each region](../azure-resource-manager/templates/error-sku-not-available.md).

-This article contains two scripts. The first script copies a managed disk that's using platform-managed keys to same or different subscription but in the same region. The second script copies a managed disk that's using customer-managed keys to the same or a different subscription in the same region. Either copy only works when the subscriptions are part of the same Azure AD tenant.

-There is no charge for encrypting virtual disks in Azure. Cryptographic keys are stored in Azure Key Vault using software-protection, or you can import or generate your keys in Hardware Security Modules (HSMs) certified to FIPS 140-2 level 2 standards. These cryptographic keys are used to encrypt and decrypt virtual disks attached to your VM. You retain control of these cryptographic keys and can audit their use. An Azure Active Directory service principal provides a secure mechanism for issuing these cryptographic keys as VMs are powered on and off.

-The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. Your code that's running on a VM can request a token from two endpoints that are accessible only from within the VM. For more detailed information about this service, review the [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) overview page.

-| Centralize VM authentication. | You can centralize the authentication of your Windows and Linux VMs by using [Azure Active Directory authentication](../active-directory/develop/authentication-vs-authorization.md). | - |

-1. Under **assign access to**, leave the default of **Azure AD user, group, or service principal**.

-* [Can I share image versions across Azure AD tenants?](#can-i-share-image-versions-across-azure-ad-tenants)

-### Can I share image versions across Azure AD tenants?

-description: In this article, learn how to create and configure a key vault for Azure Disk Encryption with Azure AD.

-# Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release)

-**The new release of Azure Disk Encryption eliminates the requirement for providing an Azure AD application parameter to enable VM disk encryption. With the new release, you are no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters using the new release. To view instructions to enable VM disk encryption using the new release, see [Azure Disk Encryption](disk-encryption-overview.md). VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.**

-Creating and configuring a key vault for use with Azure Disk Encryption with Azure AD (previous release) involves three steps:

-2. Set up an Azure AD application and service principal.

-3. Set the key vault access policy for the Azure AD app.

-## Set up an Azure AD app and service principal

-When you need encryption to be enabled on a running VM in Azure, Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Azure AD authentication. Create an Azure AD application for this purpose. For authentication purposes, you can use either client secret-based authentication or [client certificate-based Azure AD authentication](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md).

-### Set up an Azure AD app and service principal with Azure PowerShell

-1. Use the [New-AzADApplication](/powershell/module/az.resources/new-azadapplication) PowerShell cmdlet to create an Azure AD application. MyApplicationHomePage and the MyApplicationUri can be any values you wish.

-3. The $azureAdApplication.ApplicationId is the Azure AD ClientID and the $aadClientSecret is the client secret that you'll use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately. Running `$azureAdApplication.ApplicationId` will show you the ApplicationID.

-### Set up an Azure AD app and service principal with Azure CLI

-3. The appId returned is the Azure AD ClientID used in other commands. It's also the SPN you'll use for az keyvault set-policy. The password is the client secret that you should use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately.

-### Set up an Azure AD app and service principal through the Azure portal

-Use the steps from the [Use portal to create an Azure Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md) article to create an Azure AD application. Each of these steps will take you directly to the article section to complete.

-2. [Create an Azure Active Directory application](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)

- - The authentication key is used by the application as a credential to sign in to Azure AD. In the Azure portal, this secret is called keys, but has no relation to key vaults. Secure this secret appropriately.

-## Set the key vault access policy for the Azure AD app

-To write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Azure Active Directory application that has permissions to write secrets to the Key Vault.

-> Azure Disk Encryption requires you to configure the following access policies to your Azure AD client application: _WrapKey_ and _Set_ permissions.

-### Set the key vault access policy for the Azure AD app with Azure PowerShell

-Your Azure AD application needs rights to access the keys or secrets in the vault. Use the [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy) cmdlet to grant permissions to the application, using the client ID (which was generated when the application was registered) as the _ΓÇôServicePrincipalName_ parameter value. To learn more, see the blog post [Azure Key Vault - Step by Step](/archive/blogs/kv/azure-key-vault-step-by-step).

-### Set the key vault access policy for the Azure AD app with Azure CLI

-### Set the key vault access policy for the Azure AD app with the portal

-3. Under **Select principal**, search for the Azure AD application you created and select it.

- #Step 3: Enable the vault for disk encryption and set the access policy for the Azure AD application.

- # Create the Azure AD application and associate the certificate with it.

- #Enable encryption on the VM using Azure AD client ID and the client certificate thumbprint

-[Enable Azure Disk Encryption with Azure AD on Windows VMs (previous release)](disk-encryption-windows-aad.md)

-> - If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue use this option to encrypt your VM. See [Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release)](disk-encryption-key-vault-aad.md) for details.

-**The new release of Azure Disk Encryption eliminates the requirement for providing an Azure AD application parameter to enable VM disk encryption. With the new release, you are no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters using the new release. To view instructions to enable VM disk encryption using the new release, see [Azure Disk Encryption for Windows VMs](disk-encryption-overview.md). VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.**

-This article supplements [Azure Disk Encryption for Windows VMs](disk-encryption-overview.md) with additional requirements and prerequisites for Azure Disk Encryption with Azure AD (previous release). The [Supported VMs and operating systems](disk-encryption-overview.md#supported-vms-and-operating-systems) section remains the same.

-**To enable the Azure Disk Encryption feature using the older AAD parameter syntax, the IaaS VMs must meet the following network endpoint configuration requirements:**

- - To get a token to connect to your key vault, the IaaS VM must be able to connect to an Azure Active Directory endpoint, \[login.microsoftonline.com\].

-For details, see [Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release)](disk-encryption-key-vault-aad.md).

-> - If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue use this option to encrypt your VM. See [Azure Disk Encryption with Azure AD (previous release)](disk-encryption-overview-aad.md) for details.

- - To get a token to connect to your key vault, the Windows VM must be able to connect to an Azure Active Directory endpoint, \[login.microsoftonline.com\].

-|$aadAppName|Name of the Azure AD application that will be used to write secrets to KeyVault. A new application with this name will be created if one doesn't exist. If this app already exists, pass aadClientSecret parameter to the script.|False|

-|$aadClientSecret|Client secret of the Azure AD application that was created earlier.|False|

-### Encrypt or decrypt VMs without an Azure AD app

-### Encrypt or decrypt VMs with an Azure AD app (previous release)

-When encryption is being enabled with [Azure AD credentials](disk-encryption-windows-aad.md#), the target VM must allow connectivity to both Azure Active Directory endpoints and Key Vault endpoints. Current Azure Active Directory authentication endpoints are maintained in sections 56 and 59 of the [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) documentation. Key Vault instructions are provided in the documentation on how to [Access Azure Key Vault behind a firewall](../../key-vault/general/access-behind-firewall.md).

-# Azure Disk Encryption with Azure AD for Windows VMs (previous release)

-**The new release of Azure Disk Encryption eliminates the requirement for providing an Azure AD application parameter to enable VM disk encryption. With the new release, you are no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters using the new release. To view instructions to enable VM disk encryption using the new release, see [Azure Disk Encryption for Windows VMS](disk-encryption-windows.md). VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.**

-The following table lists the Resource Manager template parameters for new VMs from the Marketplace scenario using Azure AD client ID:

-| AADClientID | Client ID of the Azure AD application that has permissions to write secrets to your key vault. |

-| AADClientSecret | Client secret of the Azure AD application that has permissions to write secrets to your key vault. |

-The following table lists the Resource Manager template parameters for existing or running VMs that use an Azure AD client ID:

-| AADClientID | Client ID of the Azure AD application that has permissions to write secrets to the key vault. |

-| AADClientSecret | Client secret of the Azure AD application that has permissions to write secrets to the key vault. |

-## Enable encryption using Azure AD client certificate-based authentication.

-You can use client certificate authentication with or without KEK. Before using the PowerShell scripts, you should already have the certificate uploaded to the key vault and deployed to the VM. If you're using KEK too, the KEK should already exist. For more information, see the [Certificate-based authentication for Azure AD](disk-encryption-key-vault-aad.md#certificate-based-authentication-optional) section of the prerequisites article.

-> - If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue use this option to encrypt your VM. See [Azure Disk Encryption with Azure AD (previous release)](disk-encryption-overview-aad.md) for details.

-> Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with the managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Azure AD directories](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).

- > It may take few minutes for Azure to create the identity of your DiskEncryptionSet in your Azure Active Directory. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again.

-## Secure uploads with Azure AD

-If you're using [Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md) to control resource access, you can now use it to restrict uploading of Azure managed disks. This feature is available as a GA offering in all regions. When a user attempts to upload a disk, Azure validates the identity of the requesting user in Azure AD, and confirms that user has the required permissions. At a higher level, a system administrator could set a policy at the Azure account or subscription level to ensure that an Azure AD identity has the necessary permissions for uploading before allowing a disk or a disk snapshot to be uploaded. If you have any questions on securing uploads with Azure AD, reach out to this email: azuredisks@microsoft .com

-To access managed disks secured with Azure AD, the requesting user must have either the [Data Operator for Managed Disks](../../role-based-access-control/built-in-roles.md#data-operator-for-managed-disks) role, or a [custom role](../../role-based-access-control/custom-roles-powershell.md) with the following permissions:

-If Azure AD is used to enforce upload restrictions on a subscription or at the account level, [Add-AzVHD](/powershell/module/az.compute/add-azvhd) only succeeds if attempted by a user that has the [appropriate RBAC role or necessary permissions](#assign-rbac-role). You'll need to [assign RBAC permissions](../../role-based-access-control/role-assignments-powershell.md) to grant access to the disk and generate a writeable SAS.

-> If you're using Azure AD to enforce upload restrictions, add `DataAccessAuthMode 'AzureActiveDirectory'` to the end of your `Add-AzVhd` command.

-> If you're using Azure AD to secure your uploads, add `-dataAccessAuthMode 'AzureActiveDirectory'` to `New-AzDiskConfig`.

-If you've additional questions, see the section on [uploading a managed disk](../faq-for-disks.yml#uploading-to-a-managed-disk) in the FAQ.

-## Secure downloads and uploads with Azure AD

-> If you're using Azure AD to secure managed disk downloads, the user downloading the VHD must have the appropriate [RBAC permissions](#assign-rbac-role).

-> If you're using Azure AD to secure your managed disk uploads and downloads, add `--auth-mode login` to `az storage blob download`.

-1. If the VM is part of a domain, check the following Azure AD policies to make sure the previous

-1. Check the following Azure AD policies to make sure they're not blocking RDP access:

-1. Check the following Azure AD policy to make sure they're not removing any of the required access

- Azure AD | `login.microsoftonline.com` | `login.microsoftonline.us`| Authorize and authenticate to Site Recovery service URLs.

- Azure AD tag | Allows access to all IP addresses that correspond to Azure AD.

-4. In **Target region**, select the region to which you want to replicate the VM. The source and target regions must be in the same Azure Active Directory tenant.

-## Additional Information about joining Azure Active Directory

-Azure provisions all Windows VMs with built-in administrator account, which can't be used to join Azure Active Directory. For example, *Settings > Account > Access Work or School > + Connect* won't work. You must create and log on as a second administrator account to join Azure AD manually. You can also configure Azure AD using a provisioning package, use the link in the *Next Steps* section to learn more.

-Microsoft has created Terraform scripts to enable automated deployment of the network interconnect. The Terraform scripts need to authenticate with Azure before they run, because they require adequate permissions on the Azure subscription. Authentication can be performed using an [Azure Active Directory service principal](../../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) or using the Azure CLI. For more information, see [CLI Authentication](https://www.terraform.io/cli/auth).

-To ensure network security, the storage account that you use for NFS mounting must be contained within a virtual network. Azure Active Directory (Azure AD) security and access control lists (ACLs) are not yet supported in accounts that have NFS 3.0 protocol support enabled on them.

-Microsoft and Oracle have worked together to enable customers to deploy Oracle applications such as Oracle E-Business Suite, JD Edwards EnterpriseOne, and PeopleSoft in the cloud. With the introduction of the preview [private network interconnectivity](configure-azure-oci-networking.md) between Microsoft Azure and Oracle Cloud Infrastructure (OCI), Oracle applications can now be deployed on Azure with their back-end databases in Azure or OCI. Oracle applications can also be integrated with Azure Active Directory, allowing you to set up single sign-on so that users can sign into the Oracle application using their Azure Active Directory (Azure AD) credentials.

-The identity tier contains the EBS Asserter VM. EBS Asserter allows you to synchronize identities from Oracle Identity Cloud Service (IDCS) and Azure AD. The EBS Asserter is needed because EBS doesn't support single sign-on protocols like SAML 2.0 or OpenID Connect. The EBS Asserter consumes the OpenID connect token (generated by IDCS), validates it, and then creates a session for the user in EBS.

-While this architecture shows IDCS integration, Azure AD unified access and single sign-on also can be enabled with Oracle Access Manager with Oracle Internet Directory or Oracle Unified Directory. For more information, see the whitepapers on [Deploying Oracle EBS with IDCS Integration](https://www.oracle.com/a/ocom/docs/deploy-ebusiness-suite-across-oci-azure-sso-idcs.pdf) or [Deploying Oracle EBS with OAM Integration](https://www.oracle.com/a/ocom/docs/deploy-ebusiness-suite-across-oci-azure-sso-oam.pdf).

-Identity is one of the core pillars of the partnership between Microsoft and Oracle. Significant work has been done to integrate [Oracle Identity Cloud Service](https://docs.oracle.com/en/cloud/paas/identity-cloud/https://docsupdatetracker.net/index.html) (IDCS) with [Azure Active Directory](../../../active-directory/index.yml) (Azure AD). Azure AD is Microsoft's cloud-based identity and access management service. Your users can sign in and access various resources with help from Azure AD. Azure AD also allows you to manage your users and their permissions.

-Currently, this integration allows you to manage in one central location. Azure AD synchronizes any changes in the directory with the corresponding Oracle directory and is used for single sign-on to cross-cloud Oracle solutions.

-The Azure WLS solutions are aimed at making it as easy as possible to migrate your Java applications to Azure virtual machines. The solutions do so by generating deployed resources for most common cloud provisioning scenarios. The solutions automatically provision virtual network, storage, Java, WLS, and Linux resources. With minimal effort, WebLogic Server is installed. The solutions can set up security with a network security group, load balancing with Azure App Gateway or Oracle HTTP Server, authentication with Azure Active Directory, centralized logging using ELK and distributed caching with Oracle Coherence. You can also automatically connect to your existing database including Azure PostgreSQL, Azure SQL, and the Oracle Database on the Oracle Cloud or Azure.

- | Allow access to remote virtual network | Leave the default of selected. |

- | Allow traffic to remote virtual network | Select the checkbox. |

- | Allow traffic forwarded from the remote virtual network (allow gateway transit) | Leave the default of cleared. |

- | Allow access to remote virtual network | Leave the default of selected. |

- | Allow traffic to remote virtual network | Select the checkbox. |

- | Allow traffic forwarded from the remote virtual network (allow gateway transit) | Leave the default of cleared. |

- | Use remote virtual network gateway or route server | Leave the default of cleared. |