+### 3. Set up the AWS master account connection (Optional)

+1. In the **Permissions Management Onboarding - AWS Master Account Details** page, enter the **Master Account ID** and **Master Account Role**.

+### 4. Set up the AWS Central logging account connection (Optional but recommended)

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: 7fa2a1b1-7ed3-4c51-ae17-f5d4ee88488c

+ms.devlang: na

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: 9d391bd3-b0d3-4c7d-af8a-70bc0a538706

+ms.devlang: na

+* **System Admins** and an **IT Administrator** can set up Active Directory with Smartsheet

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Smartsheet](../app-provisioning/customize-application-attributes.md).

+1. Sign in as a **System Admin** in the **[Smartsheet portal](https://app.smartsheet.com/b/home)** and navigate to **Account > Admin Center**.

+ 

+1. In the Admin Center page click on the **Menu** option to expose the Menu panel.

+ 

+1. Navigate to **Menu > Settings > Domains & User Auto-Provisioning**.

+ 

+1. To add a new domain click on **Add Domain** and follow instructions.Once the domain is added make sure it gets verified as well.

+1. Generate the **Secret Token** required to configure automatic user provisioning with Azure AD by navigating **[Smartsheet portal](https://app.smartsheet.com/b/home)** and then navigating to **Account > Apps and Integrations**.

+1. Choose **API Access**. Click **Generate new access token**.

+1. Define the name of the API Access Token. Click **OK**.

+1. Copy the API Access Token and save it as this will be the only time you can view it. This is required in the **Secret Token** field in Azure AD.

+ 

+1. In the applications list, select **Smartsheet**.

+ 

+1. Select the **Provisioning** tab.

+1. Set the **Provisioning Mode** to **Automatic**.

+1. Under the **Admin Credentials** section, input the **SCIM 2.0 base URL** of `https://scim.smartsheet.com/v2` and **Access Token** value retrieved earlier from Smartsheet in **Secret Token** respectively. Click **Test Connection** to ensure Azure AD can connect to Smartsheet. If the connection fails, ensure your Smartsheet account has SysAdmin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**.

+ 

+1. Click **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Smartsheet**.

+1. Review the user attributes that are synchronized from Azure AD to Smartsheet in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Smartsheet for update operations. Select the **Save** button to commit any changes.

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Smartsheet, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to Smartsheet by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you are ready to provision, click **Save**.

+ 

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+

+For more information about the components of an application gateway, see [Application gateway components](application-gateway-components.md).

+You'll create the application gateway using the tabs on the **Create application gateway** page.

+1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

+2. Under **Categories**, select **Networking** and then select **Application Gateway** in the **Popular Azure services** list.

+2. For Azure to communicate between the resources that you create, a virtual network is needed. You can either create a new virtual network or use an existing one. In this example, you'll create a new virtual network at the same time that you create the application gateway. Application Gateway instances are created in separate subnets. You create two subnets in this example: One for the application gateway, and another for the backend servers.

+ - **Subnet name** (Application Gateway subnet): The **Subnets** grid will show a subnet named *default*. Change the name of this subnet to *myAGSubnet*.<br>The application gateway subnet can contain only application gateways. No other resources are allowed.

+The backend pool is used to route requests to the backend servers that serve the request. Backend pools can be composed of NICs, Virtual Machine Scale Sets, public IP addresses, internal IP addresses, fully qualified domain names (FQDN), and multi-tenant back-ends like Azure App Service. In this example, you'll create an empty backend pool with your application gateway and then add backend targets to the backend pool.

+2. In the **Add a routing rule** window that opens, enter the following values for Rule name and Priority:

+ - **Rule name**: Enter *myRoutingRule* for the name of the rule.

+ - **Priority**: The priority value should be between 1 and 20000 (where 1 represents highest priority and 20000 represents lowest) - for the purposes of this quickstart, enter *100* for the priority.

+5. For the **Backend setting**, select **Add new** to add a new Backend setting. The Backend setting will determine the behavior of the routing rule. In the **Add Backend setting** window that opens, enter *myBackendSetting* for the **Backend settings name** and *80* for the **Backend port**. Accept the default values for the other settings in the **Add Backend setting** window, then select **Add** to return to the **Add a routing rule** window.

+ 

+See [Regions and Availability Zones in Azure](../availability-zones/az-overview.md) for the Azure regions that have availability zones.

+- Learn more about [regions that support availability zones](../availability-zones/az-overview.md).

+### Associate DCEs to target machines

+Associate the data collection endpoints to the target resources by editing the data collection rule in the Azure portal. On the **Resources** tab, select **Enable Data Collection Endpoints**. Select a DCE for each virtual machine. See [Configure data collection for Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md).

+| Connectivity over Active/Active Zone Redundant gateways | No | No |

+| Connectivity over Active/Passive Zone Redundant gateways | Yes | Yes |

+description: Learn how to migrate Azure Batch low-priority VMs to Spot VMs and plan for feature end of support.

+# Migrate Batch low-priority VMs to Spot VMs

+The ability to allocate low-priority compute nodes in Azure Batch pools is being retired on *September 30, 2025*. Learn how to migrate your Batch pools with low-priority compute nodes to compute nodes based on Spot instances.

+Currently, as part of a Batch pool configuration, you can specify a target number of low-priority compute nodes for Batch managed pool allocation Batch accounts. In user subscription pool allocation Batch accounts, you can specify a target number of spot compute nodes. In both cases, these compute resources are allocated from spare capacity and offered at a discount compared to dedicated, on-demand VMs.

+The amount of unused capacity that's available varies depending on factors such as VM family, VM size, region, and time of day. Unlike dedicated capacity, these low-priority or spot VMs can be reclaimed at any time by Azure. Therefore, low-priority and spot VMs are typically viable for Batch workloads that are amenable to interruption or don't require strict completion timeframes to potentially lower costs.

+Only low-priority compute nodes in Batch are being retired. Spot compute nodes will continue to be supported, is a GA offering, and not affected by this deprecation. On September 30, 2025, we'll retire low-priority compute nodes. After that date, existing low-priority pools in Batch may no longer be usable, attempts to seek back to target low-priority node counts will fail, and you'll no longer be able to provision new pools with low-priority compute nodes.

+## Alternative: Use Azure Spot-based compute nodes in Batch pools

+As of December 2021, Azure Batch began offering Spot-based compute nodes in Batch. Like low-priority VMs, you can use spot instances to obtain spare capacity at a discounted price in exchange for the possibility that the VM will be preempted. If a preemption occurs, the spot compute node will be evicted and all work that wasn't appropriately checkpointed will be lost. Checkpointing is optional and is up to the Batch end-user to implement. The running Batch task that was interrupted due to preemption will be automatically requeued for execution by a different compute node. Additionally, Azure Batch will automatically attempt to seek back to the target Spot node count as specified on the pool.

+See the [detailed breakdown](batch-spot-vms.md) between the low-priority and spot offering in Batch.

+## Migrate a Batch pool with low-priority compute nodes or create a Batch pool with Spot instances

+1. Ensure that you're using a [user subscription pool allocation mode Batch account](batch-account-create-portal.md).

+- How do I create a user subscription pool allocation Batch account?

+ See the [quickstart](./batch-account-create-portal.md) to create a new Batch account in user subscription pool allocation mode.

+- Are Spot VMs available in Batch managed pool allocation accounts?

+ No. Spot VMs are available only in user subscription pool allocation Batch accounts.

+

+- Are spot instances available for `CloudServiceConfiguration` Pools?

+ No. Spot instances are only available for `VirtualMachineConfiguration` pools. `CloudServiceConfiguration` pools will be [retired](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/) before low-priority pools. We recommend that you migrate to `VirtualMachineConfiguration` pools and user subscription pool allocation Batch accounts before then.

+- What is the pricing and eviction policy of spot instances? Can I view pricing history and eviction rates?

+- Can I transfer my quotas between Batch accounts?

+ Currently you can't transfer any quotas between Batch accounts.

+## Next steps

+See the [Batch Spot compute instance guide](batch-spot-vms.md) for details on further details in the difference between offerings, limitations, and deployment examples.

+ 1. Disable authentication-as-arm in ACR - Azure CLI.

+ 2. Disable authentication-as-arm in the ACR - Azure portal.

+ 3. Create and configure Conditional Access policy for Azure Container Registry.

+ ```azurecli-interactive

+ az acr config authentication-as-arm show -r <registry>

+ ```

+ ```azurecli-interactive

+ az acr config authentication-as-arm update -r <registry> --status [enabled/disabled]

+ ```

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+ 2. Refer to the ACR's built-in policy definitions in the [azure-container-registry-built-in-policy definition's](policy-reference.md).

+ 3. Assign a built-in policy to disable authentication-as-arm definition - Azure portal.

+Azure Container Registry has two built-in policy definitions to disable authentication-as-arm, as below:

+>* `Container registries should have ARM audience token authentication disabled.` - This policy will report, block any non-compliant resources, and also sends a request to update non-compliant to compliant.

+>* `Configure container registries to disable ARM audience token authentication.` - This policy offers remediation and updates non-compliant to compliant resources.

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+ 1. Navigate to your **Azure Container Registry** > **Resource Group** > **Settings** > **Policies** .

+ :::image type="content" source="media/container-registry-enable-conditional-policy/01-azure-policies.png" alt-text="Screenshot showing how to navigate Azure policies.":::

+ 1. Navigate to **Azure Policy**, On the **Assignments**, select **Assign policy**.

+

+ :::image type="content" source="media/container-registry-enable-conditional-policy/02-Assign-policy.png" alt-text="Screenshot showing how to assign a policy.":::

+ 1. Under the **Assign policy** , use filters to search and find the **Scope**, **Policy definition**, **Assignment name**.

+ :::image type="content" source="media/container-registry-enable-conditional-policy/03-Assign-policy-tab.png" alt-text="Screenshot of the assign policy tab.":::

+ 1. Select **Scope** to filter and search for the **Subscription** and **ResourceGroup** and choose **Select**.

+ :::image type="content" source="media/container-registry-enable-conditional-policy/04-select-scope.png" alt-text="Screenshot of the Scope tab.":::

+ 1. Select **Policy definition** to filter and search the built-in policy definitions for the Conditional Access policy.

+

+ :::image type="content" source="media/container-registry-enable-conditional-policy/05-built-in-policy-definitions.png" alt-text="Screenshot of built-in-policy-definitions.":::

+ 1. Use filters to select and confirm **Scope**, **Policy definition**, and **Assignment name**.

+ 1. Use the filters to limit compliance states or to search for policies.

+ 1. Confirm your settings and set policy enforcement as **enabled**.

+ 1. Select **Review+Create**.

+ :::image type="content" source="media/container-registry-enable-conditional-policy/06-enable-policy.png" alt-text="Screenshot to activate a Conditional Access policy":::

+ 1. Sign in to the [Azure portal](https://portal.azure.com) by using an account with *global administrator* permissions.

+ 1. Search for and select **Azure Active Directory**. Then select **Security** from the menu on the left-hand side.

+ 1. Select **Conditional Access**, select **+ New policy**, and then select **Create new policy**.

+

+ :::image type="content" alt-text="A screenshot of the Conditional Access page, where you select 'New policy' and then select 'Create new policy'." source="media/container-registry-enable-conditional-policy/01-create-conditional-access.png":::

+ 1. Enter a name for the policy, such as *demo*.

+ 1. Under **Assignments**, select the current value under **Users or workload identities**.

+

+ :::image type="content" alt-text="A screenshot of the Conditional Access page, where you select the current value under 'Users or workload identities'." source="media/container-registry-enable-conditional-policy/02-conditional-access-users-and-groups.png":::

+ 1. Under **What does this policy apply to?**, verify and select **Users and groups**.

+ 1. Under **Include**, choose **Select users and groups**, and then select **All users**.

+

+ :::image type="content" alt-text="A screenshot of the page for creating a new policy, where you select options to specify users." source="media/container-registry-enable-conditional-policy/03-conditional-access-users-groups-select-users.png":::

+ 1. Under **Exclude**, choose **Select users and groups**, to exclude any choice of selection.

+ 1. Under **Cloud apps or actions**, choose **Cloud apps**.

+ 1. Under **Include**, choose **Select apps**.

+ :::image type="content" alt-text="A screenshot of the page for creating a new policy, where you select options to specify cloud apps." source="media/container-registry-enable-conditional-policy/04-select-cloud-apps-select-apps.png":::

+ 1. Browse for and select apps to apply Conditional Access, in this case *Azure Container Registry*, then choose **Select**.

+ :::image type="content" alt-text="A screenshot of the list of apps, with results filtered, and 'Azure Container Registry' selected." source="media/container-registry-enable-conditional-policy/05-select-azure-container-registry-app.png":::

+ 1. Under **Conditions** , configure control access level with options such as *User risk level*, *Sign-in risk level*, *Sign-in risk detections (Preview)*, *Device platforms*, *Locations*, *Client apps*, *Time (Preview)*, *Filter for devices*.

+ 1. Under **Grant**, filter and choose from options to enforce grant access or block access, during a sign-in event to the Azure portal. In this case grant access with *Require multifactor authentication*, then choose **Select**.

+ >[!TIP]

+ > To configure and grant multi-factor authentication, see [configure and conditions for multi-factor authentication.](/azure/active-directory/authentication/tutorial-enable-azure-mfa#configure-the-conditions-for-multi-factor-authentication)

+ 1. Under **Session**, filter and choose from options to enable any control on session level experience of the cloud apps.

+ 1. After selecting and confirming, Under **Enable policy**, select **On**.

+ 1. To apply and activate the policy, Select **Create**.

+ :::image type="content" alt-text="A screenshot showing how to activate the Conditional Access policy." source="media/container-registry-enable-conditional-policy/06-enable-conditional-access-policy.png":::

+ We have now completed creating the Conditional Access policy for the Azure Container Registry.

+* Currently we don't delete any data from analytical store. If you set your ATTL to any positive integer, the data won't be included in your queries and you won't be billed for it. But if you change ATTL back to `-1`, all the data will show up again, you will start to be billed for all the data volume.

+Data in the analytics store can only be accessed through Azure Synapse Link, which is done in the Azure Synapse Analytics runtimes: Azure Synapse Apache Spark pools and Azure Synapse serverless SQL pools. See [Azure Synapse Analytics pricing page](https://azure.microsoft.com/pricing/details/synapse-analytics/) for full details on the pricing model to access data in analytical store.

+In order to get a high-level cost estimate to enable analytical store on an Azure Cosmos DB container, from the analytical store perspective, you can use the [Azure Cosmos DB Capacity planner](https://cosmos.azure.com/capacitycalculator/) and get an estimate of your analytical storage and write operations costs.

+Analytical store read operations estimates aren't included in the Azure Cosmos DB cost calculator since they are a function of your analytical workload. But as a high-level estimate, scan of 1 TB of data in analytical store typically results in 130,000 analytical read operations, and results in a cost of $0.065. As an example, if you use Azure Synapse serverless SQL pools to perform this scan of 1 TB, it will cost $5.00 according to [Azure Synapse Analytics pricing page](https://azure.microsoft.com/pricing/details/synapse-analytics/). The final total cost for this 1 TB scan would be $5.065.

+While the above estimate is for scanning 1TB of data in analytical store, applying filters reduces the volume of data scanned and this determines the exact number of analytical read operations given the consumption pricing model. A proof-of-concept around the analytical workload would provide a more finer estimate of analytical read operations. This estimate doesn't include the cost of Azure Synapse Analytics.

+The current minor release is 14.5. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/14.5/) to

+The current minor release is 13.8. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/13.8/) to

+The current minor release is 12.12. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/12.12/) to

+The current minor release is 11.17. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/11.17/) to

+## PostgreSQL version syntax

+The table below provides the retirement details for PostgreSQL major versions in Azure Cosmos DB for PostgreSQL.

+| Version | What's New | Supported since | Retirement date (Azure)|

+| [PostgreSQL 11](https://www.postgresql.org/about/news/postgresql-11-released-1894/) | [Features](https://www.postgresql.org/docs/11/release-11.html) | May 7, 2019 | November 9, 2023 |

+| [PostgreSQL 12](https://www.postgresql.org/about/news/postgresql-12-released-1976/) | [Features](https://www.postgresql.org/docs/12/release-12.html) | Apr 6, 2021 | November 14, 2024

+| [PostgreSQL 13](https://www.postgresql.org/about/news/postgresql-13-released-2077/) | [Features](https://www.postgresql.org/docs/13/release-13.html) | Apr 6, 2021 | November 13, 2025

+| [PostgreSQL 14](https://www.postgresql.org/about/news/postgresql-14-released-2318/) | [Features](https://www.postgresql.org/docs/14/release-14.html) | Oct 1, 2021 | November 12, 2026

+ * [Error message relocation to Status column](#error-message-relocation-to-status-column)

+#### Error message relocation to Status column

+Error messages have now been relocated to the **Status** column. This will allow you to easily view errors when you see a **Failed** pipeline run.

+Find the error icon in the pipeline monitoring page and in the pipeline **Output** tab after debugging your pipeline.

+> [!NOTE]

+> You can't enable TTL in default auto-resolve Azure integration runtime. You can create a new Azure integration runtime for it.

+The process for granting your MedTech service system-assigned managed identity access to your **FHIR service** requires the same 13 steps that you used to grant access to your device message event hub. There are two exceptions. The first is that, instead of navigating to the **Access Control (IAM)** menu from within your event hub (as outlined in steps 1-4), you should navigate to the equivalent **Access Control (IAM)** menu from within your **FHIR service**. The second exception is that, in step 6, your MedTech service system-assigned managed identity will require you to select the **View** button directly across from **FHIR Data Writer** access instead of the button across from **Azure Event Hubs Data Receiver**.

+ | `--i` or `--IdScope` | True | The ID Scope of the DPS instance |

+ | `--r` or `--RegistrationId` | True | The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). |

+ | `--p` or `--PrimaryKey` | True | The primary key of the individual enrollment or the derived device key of the group enrollment. See the [ComputeDerivedSymmetricKeySample](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/device/samples/Getting%20Started/ComputeDerivedSymmetricKeySample) for how to generate the derived key. |

+ dotnet run --i <id-scope> --r <registration-id> --p <primarykey>

+ D:\azure-iot-sdk-csharp\provisioning\device\samples\How To\SymmetricKeySample>dotnet run --i 0ne00000A0A --r symm-key-csharp-device-01 --p sbDDeEzRuEuGKag+kQKV+T1QGakRtHpsERLP0yPjwR93TrpEgEh/Y07CXstfha6dhIPWvdD1nRxK5T0KGKA+nQ==

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters keyVaultName=<vault-name> objectId=<object-id>

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -keyVaultName "<vault-name>" -objectId "<object-id>"

+To add, update, or delete app settings, select and review the following sections for Azure portal, Visual Studio Code, Azure CLI, or ARM (Bicep) template. For app settings specific to logic apps, review the [reference guide for available app settings - local.settings.json](#reference-local-settings-json).

+### [Azure portal](#tab/azure-portal)

+To review the app settings for your single-tenant based logic app in the Azure portal, follow these steps:

+1. In the [Azure portal](https://portal.azure.com/) search box, find and open your logic app.

+1. On your logic app menu, under **Settings**, select **Configuration**.

+1. On the **Configuration** page, on the **Application settings** tab, review the app settings for your logic app.

+ For more information about these settings, review the [reference guide for available app settings - local.settings.json](#reference-local-settings-json).

+1. To view all values, select **Show Values**. Or, to view a single value, select that value.

+To add a setting, follow these steps:

+1. On the **Application settings** tab, under **Application settings**, select **New application setting**.

+1. For **Name**, enter the *key* or name for your new setting.

+1. For **Value**, enter the value for your new setting.

+1. When you're ready to create your new *key-value* pair, select **OK**.

+| `Jobs.BackgroundJobs.NumPartitionsInJobTriggersQueue` | `1` job queue | Sets the number of job queues monitored by job dispatchers for jobs to process. This value also affects the number of storage partitions where job queues exist. |

+| `Jobs.BackgroundJobs.NumWorkersPerProcessorCount` | `192` dispatcher worker instances | Sets the number of *dispatcher worker instances* or *job dispatchers* to have per processor core. This value affects the number of workflow runs per core. |

+<a name="recurrence-triggers"></a>

+### Recurrence-based triggers

+| Setting | Default value | Description |

+|||-|

+| `Microsoft.Azure.Workflows.ServiceProviders.MaximumAllowedTriggerStateSizeInKB` | `1` KB | Sets the trigger state's maximum allowed size for recurrence-based triggers such as the built-in SFTP trigger. The trigger state persists data across multiple service provider recurrence-based triggers. <br><br>**Important**: Based on your storage size, avoid setting this value too high, which can adversely affect storage and performance. |

+<a name="trigger-concurrency"></a>

+### Trigger concurrency

+| Setting | Default value | Description |

+|||-|

+| `Runtime.Trigger.MaximumRunConcurrency` | `100` runs | Sets the maximum number of concurrent runs that a trigger can start. This value appears in the trigger's concurrency definition. |

+| `Runtime.Trigger.MaximumWaitingRuns` | `200` runs | Sets the maximum number of runs that can wait after concurrent runs meet the maximum. This value appears in the trigger's concurrency definition. |

+| `Runtime.Backend.FlowRunTimeout` | `90.00:00:00` <br>(90 days) | Sets the amount of time a workflow can continue running before forcing a timeout. <br><br>**Important**: Make sure this value is less than or equal to the `Runtime.FlowRetentionThreshold` value. Otherwise, run histories can get deleted before the associated jobs are complete. |

+| `Runtime.FlowRunActionJob.MaximumActionResultSize` | `209715200` bytes | Sets the maximum size in bytes that the combined inputs and outputs can have in an action. |

+<a name="store-inline-or-blob"></a>

+### Store content inline or use blobs

+| `Runtime.FlowRunEngine.ForeachMaximumItemsForContentInlining` | `20` items | When a `For each` loop is running, each item's value is stored either inline with other metadata in table storage or separately in blob storage. Sets the number of items to store inline with other metadata. |

+| `Runtime.FlowRunRetryableActionJobCallback.MaximumPagesForContentInlining` | `20` pages | Sets the maximum number of pages to store as inline content in table storage before storing in blob storage. |

+| `Runtime.FlowTriggerSplitOnJob.MaximumItemsForContentInlining` | `40` items | When the `SplitOn` setting debatches array items into multiple workflow instances, each item's value is stored either inline with other metadata in table storage or separately in blob storage. Sets the number of items to store inline. |

+| `Runtime.ScaleUnit.MaximumCharactersForContentInlining` | `8192` characters | Sets the maximum number of operation input and output characters to store inline in table storage before storing in blob storage. |

+| `Runtime.Backend.ForeachDefaultDegreeOfParallelism` | `20` iterations | Sets the default number of concurrent iterations, or degree of parallelism, in a `For each` loop. To run sequentially, set the value to `1`. |

+| `Runtime.Backend.Stateless.FlowDefaultForeachItemsLimit` | `100` items | For a *stateless workflow*, sets the maximum number of array items to process in a `For each` loop. |

+| `Runtime.Backend.Stateless.MaximumUntilLimitCount` | `100` iterations | For a *stateless workflow*, sets the maximum number possible for the `Count` property in an `Until` action. |

+| `Runtime.Backend.VariableOperation.MaximumVariableSize` | Stateful workflow: `104857600` characters | Sets the maximum size in characters for the content that a variable can store when used in a stateful workflow. |

+### Built-in HTTP operations

+| `Runtime.Backend.HttpOperation.MaxContentSize` | `104857600` bytes | Sets the maximum request size in bytes for HTTP triggers and actions. |

+| `Runtime.Backend.HttpOperation.RequestTimeout` | `00:03:45` <br>(3 min and 45 sec) | Sets the request timeout value for HTTP triggers and actions. |

+### Built-in HTTP Webhook operations

+| `Runtime.Backend.HttpWebhookOperation.MaxContentSize` | `104857600` bytes | Sets the maximum request size in bytes for HTTP webhook triggers and actions. |

+| `Runtime.Backend.HttpWebhookOperation.RequestTimeout` | `00:02:00` <br>(2 min) | Sets the request timeout value for HTTP webhook triggers and actions. |

+<a name="built-in-storage"></a>

+### Built-in Azure Storage operations

+<a name="built-in-blob-storage"></a>

+#### Blob storage

+| Setting | Default value | Description |

+|||-|

+| `Runtime.ContentStorage.RequestOptionsDeltaBackoff` | `00:00:02` <br>(2 sec) | Sets the backoff interval between retries sent to blob storage. |

+| `Runtime.ContentStorage.RequestOptionsMaximumAttempts` | `4` retries | Sets the maximum number of retries sent to table and queue storage. |

+| `Runtime.ContentStorage.RequestOptionsMaximumExecutionTime` | `00:02:00` <br>(2 min) | Sets the operation timeout value, including retries, for blob requests from the Azure Logic Apps runtime. |

+| `Runtime.ContentStorage.RequestOptionsServerTimeout` | `00:00:30` <br>(30 sec) | Sets the timeout value for blob requests from the Azure Logic Apps runtime. |

+<a name="built-in-table-queue-storage"></a>

+#### Table and queue storage

+| Setting | Default value | Description |

+|||-|

+| `Runtime.DataStorage.RequestOptionsDeltaBackoff` | `00:00:02` <br>(2 sec) | Sets the backoff interval between retries sent to table and queue storage. |

+| `Runtime.DataStorage.RequestOptionsMaximumAttempts` | `4` retries | Sets the maximum number of retries sent to table and queue storage. |

+| `Runtime.DataStorage.RequestOptionsMaximumExecutionTime` | `00:00:45` <br>(45 sec) | Sets the operation timeout value, including retries, for table and queue storage requests from the Azure Logic Apps runtime. |

+| `Runtime.DataStorage.RequestOptionsServerTimeout` | `00:00:16` <br>(16 sec) | Sets the timeout value for table and queue storage requests from the Azure Logic Apps runtime. |

+<a name="built-in-azure-service-bus"></a>

+### Managed connector operations

+### Azure portal - host.json

+To review the host settings for your single-tenant based logic app in the Azure portal, follow these steps:

+1. In the [Azure portal](https://portal.azure.com/) search box, find and open your logic app.

+1. On your logic app menu, under **Development Tools**, select **Advanced Tools**.

+1. On the **Advanced Tools** page, select **Go**, which opens the **Kudu** environment for your logic app.

+1. On the Kudu toolbar, from the **Debug console** menu, select **CMD**.

+1. In the Azure portal, stop your logic app.

+ 1. On your logic app menu, select **Overview**.

+ 1. On the **Overview** pane's toolbar, select **Stop**.

+1. On your logic app menu, under **Development Tools**, select **Advanced Tools**.

+1. On the **Advanced Tools** pane, select **Go**, which opens the Kudu environment for your logic app.

+1. On the Kudu toolbar, open the **Debug console** menu, and select **CMD**.

+ A console window opens so that you can browse to the **wwwroot** folder using the command prompt. Or, you can browse the directory structure that appears above the console window.

+1. Browse along the following path to the **wwwroot** folder: `...\home\site\wwwroot`.

+1. Above the console window, in the directory table, next to the **host.json** file, select **Edit**.

+1. After the **host.json** file opens, review any host settings that were previously added for your logic app.

+To add a setting, follow these steps:

+1. Before you add or edit settings, stop your logic app in the Azure portal.

+ 1. On your logic app menu, select **Overview**.

+ 1. On the **Overview** pane's toolbar, select **Stop**.

+1. Return to the **host.json** file. Under the `extensionBundle` object, add the `extensions` object, which includes the `workflow` and `settings` objects, for example:

+1. When you're done, remember to select **Save**.

+1. Now, restart your logic app. Return to your logic app's **Overview** page, and select **Restart**.

+### Visual Studio Code - host.json

+To review the host settings for your logic app in Visual Studio Code, follow these steps:

+1. In your logic app project, at the root project level, find and open the **host.json** file.

+1. In the `extensions` object, under `workflows` and `settings`, review any host settings that were previously added for your logic app. Otherwise, the `extensions` object won't appear in the file.

+To add a host setting, follow these steps:

+1. In the **host.json** file, under the `extensionBundle` object, add the `extensions` object, which includes the `workflow` and `settings` objects, for example:

+|A path on Azure Storage | `https://<account_name>.blob.core.windows.net/<container_name>/<path>` <br> `abfss://<file_system>@<account_name>.dfs.core.windows.net/<path>` |

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- An Azure account with an active subscription.

+3. In **Virtual machines**, select **+ Create** then **+ Azure virtual machine**.

+ :::image type="content" source="./media/network-watcher-nsg-flow-logging-portal/microsoft-insights-registered.png" alt-text="Screenshot of registering microsoft insights provider.":::

+ | Storage account name | Enter a name for your storage account. </br> Must be 3-24 characters long, and can contain only lowercase letters and numbers, and must be unique across all Azure Storage. |

+ | Region | Select **(US) East US**. |

+4. Select **Review**.

+ "resourceId": "/SUBSCRIPTIONS/<subscriptionId>/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYVM-NSG",

+ "mac": "<macAddress>",

+ "systemId": "<Id>",

+ "resourceId": "/SUBSCRIPTIONS/<subscriptionId>/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYVM-NSG",

+ "mac": "<macAddress>",

+ "mac": "<macAddress>",

+* **aro**

+> * Private networks already using the private DNS zone for a given type, can only connect to public resources if they don't have any private endpoint connections, otherwise a corresponding DNS configuration is required on the private DNS zone in order to complete the DNS resolution sequence.

+> * Private endpoint private DNS zone configurations will only automatically generate if you use the recommended naming scheme in the table below.

+* Microsoft Purview doesn't support over 800 columns in the Schema tab and it will show "Additional-Columns-Truncated" if there are more than 800 columns.

+* Microsoft Purview doesn't support over 800 columns in the Schema tab and it will show "Additional-Columns-Truncated".

+To configure cross-tenant customer-managed keys for a new storage account with PowerShell, first install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage/4.4.2-preview), version 4.4.2-preview.

+$keyName = "<key-name>"

+To configure cross-tenant customer-managed keys for a new storage account with Azure CLI, first install the [storage-preview](https://github.com/Azure/azure-cli-extensions/tree/main/src/storage-preview) extension. For more information about installing Azure CLI extensions, see [How to install and manage Azure CLI extensions](/cli/azure/azure-cli-extensions-overview).

+Next, call [az storage account create](/cli/azure/storage/account#az-storage-account-create), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Provide the key vault URI and key name from the customer's key vault.

+Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

+```azurecli

+accountName="<storage-account>"

+kvUri="<key-vault-uri>"

+keyName="<key-name>"

+multiTenantAppId="<multi-tenant-app-id>"

+# Get the resource ID for the user-assigned managed identity.

+identityResourceId=$(az identity show --name $managedIdentity \

+ --resource-group $isvRgName \

+ --query id \

+ --output tsv)

+az storage account create \

+ --name $accountName \

+ --resource-group $isvRgName \

+ --location $isvLocation \

+ --sku Standard_LRS \

+ --kind StorageV2 \

+ --identity-type SystemAssigned,UserAssigned \

+ --user-identity-id $identityResourceId \

+ --encryption-key-vault $kvUri \

+ --encryption-key-name $keyName \

+ --encryption-key-source Microsoft.Keyvault \

+ --key-vault-user-identity-id $identityResourceId \

+ --key-vault-federated-client-id $multiTenantAppId

+```

+- If a user is configured as an Azure Active Directory administrator and Synapse Administrator, and then removed from the Azure Active Directory administrator role, then the user will lose access to the dedicated SQL pools in Synapse. They must be removed and then added to the Synapse Administrator role to regain access to dedicated SQL pools.

+>[!Note]

+>If a user is configured as an Active Directory admin and Synapse Administrator, and then removed from the Active Directory admin role, then the user will lose access to the dedicated SQL pools in Synapse. They must be removed and then added to the Synapse Administrator role to regain access to dedicated SQL pools.