-> It is currently possible to scale the Premium SKU to 31 units. If you foresee demand approaching this limit, consider the /26 subnet or /25 submit.

- - Issuer URL, which takes the form `<authentication-endpoint>/<tenant-id>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint [value specific to the cloud environment](/entra/identity-platform/authentication-national-cloud#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use "https://login.microsoftonline.com" as its authentication endpoint.

-> [!NOTE]

-> Currently, the Azure portal does not allow you to configure an App Service certificate in Key Vault to use the RBAC model. You can, however, use Azure CLI, Azure PowerShell, or an ARM template deployment to perform this configuration.

- Any of these cases trigger all instances in the source slot to restart. During [swap with preview](#Multi-Phase), this marks the end of the first phase. The swap operation is paused, and you can validate that the source slot works correctly with the target slot's settings.

-1. If [auto swap](#Auto-Swap) is enabled with [custom warm-up](#Warm-up), trigger [Application Initiation](/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) by making an HTTP request to the application root ("/") on each instance of the source slot.

-### Considerations when using Azure Front Door

-When using Azure App Service with Easy Auth behind Azure Front Door or other reverse proxies, a few additional things have to be taken into consideration.

-1) Disable Caching for the authentication workflow

-2) Use the Front Door endpoint for redirects

-3) Ensure that App Service is using the right redirect URI

-> The back-end services for managed identities maintain a cache per resource URI for around 24 hours. If you update the access policy of a particular target resource and immediately retrieve a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh.

-A raw HTTP GET request looks like the following example:

-Host: localhost:4141

-X-IDENTITY-HEADER: 853b9a84-5bfa-4b22-a3f3-0b9a43d9ad8a

-| `WEBSITE_HTTPLOGGING_RETENTION_DAYS` | Retention period in days of web server logs for Windows native apps, if web server logs are enabled. | `10` |

-> While the instructions in this section are for a system-assigned identity, a user-assigned identity can just as easily be used. To do this. you would need the change the `az webapp identity assign command` to assign the desired user-assigned identity. Then, when creating the SQL user, make sure to use the name of the user-assigned identity resource rather than the site name.

- "Id": "/subscriptions/536d30b8-665b-40fc-bd7e-68c65f816365/resourceGroups/rgOne/providers/Microsoft.Network/applicationGateways/appgw1/b

- "Id": "/subscriptions/536d30b8-665b-40fc-bd7e-68c65f816365/resourceGroups/rgOne/providers/Microsoft.Network/applicationGateways/appg

-**x-request-id** is a unique guid generated by Application Gateway for Containers for each client request and presented in the forwarded request to the backend target. The guid consists of 32 alphanumeric characters, separated by dashes (for example: d23387ab-e629-458a-9c93-6108d374bc75). This guid can be used to correlate a request received by Application Gateway for Containers and initiated to a backend target as defined in access logs.

- HELM_NAMESPACE='<your cluster name>'

-{"level":"info","version":"x.x.x","operationID":"1ea7ffd4-b2c4-460b-bce7-4d3f855ce8d5","Timestamp":"2024-02-26T20:31:53.760313623Z","message":"Successfully sent config update request"}

-{"level":"error","version":"x.x.x","error":"rpc error: code = PermissionDenied desc = ALB Controller with object id '5b26a949-297d-40c7-b10f-5d1cf2e3259d' does not have authorization to perform action on Application Gateway for Containers resource.Please check RBAC delegations to the Application Gateway for Containers resource.","Timestamp":"2024-02-26T20:31:53.769444995Z","message":"Unable to capture config update response"}

-{"level":"error","version":"x.x.x","error":"rpc error: code = PermissionDenied desc = ALB Controller with object id '5b26a949-297d-40c7-b10f-5d1cf2e3259d' does not have authorization to perform action on Application Gateway for Containers resource.Please check RBAC delegations to the Application Gateway for Containers resource.","Timestamp":"2024-02-26T20:31:54.470728646Z","message":"Unable to capture endpoint update response"}

- 2023-04-28 22:08:46Z\",\"error_codes\":[70021],\"timestamp\":\"2023-04-28 22:08:46Z\",\"trace_id\":\"08079978-7238-4ae3-9406-ba3b479db000\",\"correlation_id\":\"b2f10283-8dc6-4493-bb0e-b0cd009b17fb\",\"error_uri\":\"https://login.microsoftonline.com/error?code=70021\"}

-appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/SampleRG/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/AGICWAFPolcy"

-description: This article provides instructions on how to scale your AKS back-end pods by using Application Gateway metrics and the Azure Kubernetes Metrics Adapter.

-This article explains how you can use the `AvgRequestCountPerHealthyHost` metric in Azure Application Gateway to scale up Azure Kubernetes Service (AKS) pods for an application. The `AvgRequestCountPerHealthyHost` metric measures average requests sent to a specific combination of a back-end pool and a back-end HTTP setting.

-1. Create a Microsoft Entra service principal and assign it `Monitoring Reader` access over the Application Gateway instance's resource group:

-1. Create an `ExternalMetric` resource with the name `appgw-request-count-metric`. This resource instructs the metric adapter to expose the `AvgRequestCountPerHealthyHost` metric for the `myApplicationGateway` resource in the `myResourceGroup` resource group. You can use the `filter` field to target a specific back-end pool and back-end HTTP setting in the Application Gateway instance.

- resourceGroup: myResourceGroup # replace with your Application Gateway instance's resource group name

- resourceName: myApplicationGateway # replace with your Application Gateway instance's name

-## Next steps

-The life cycle of the Azure Application Gateway instance differs when you disable the AGIC add-on, depending on whether you created the Application Gateway instance by using the AGIC add-on or you deployed it separately from the add-on. You can run the same command to re-enable the AGIC add-on if you ever disable it, or to enable the AGIC add-on by using an existing AKS cluster and Application Gateway instance.

-## Disable the AGIC add-on with an associated Application Gateway instance

-If the AGIC add-on automatically deployed the Application Gateway instance for you when you first set up everything, then disabling the AGIC add-on might delete the Application Gateway instance by default. The AGIC add-on considers two criteria to determine if it should delete the associated Application Gateway instance:

-If both criteria are met, the AGIC add-on deletes the Application Gateway instance when you disable the add-on. However, the AGIC add-on doesn't delete the public IP address or the subnet in which it deployed the Application Gateway instance.

-If the first criterion isn't met, disabling the add-on doesn't delete the Application Gateway instance, even if the instance has the `created-by: ingress-appgw` tag. Likewise, if the second criterion isn't met (that is, the Application Gateway instance lacks that tag), disabling the add-on doesn't delete the Application Gateway instance in the `MC_*` node resource group.

-> If you don't want the add-on to delete your Application Gateway instance when you disable the add-on, but the instance meets both criteria, remove the `created-by: ingress-appgw` tag.

-## Enable the AGIC add-on on an existing Application Gateway instance and AKS cluster

-If you ever disable the AGIC add-on and need to re-enable it, or you want to enable the add-on by using an existing Application Gateway instance and AKS cluster, run the following command:

- - [Brownfield deployment](ingress-controller-install-existing.md): If you have an existing AKS cluster and Application Gateway instance, refer to these instructions to install AGIC on the AKS cluster.

-The `guestbook` application is a canonical Kubernetes application that consists of a web UI front end, a back end, and a Redis database.

-This ingress exposes the `frontend` service of the `guestbook-all-in-one` deployment as a default back end of the Application Gateway instance.

-Now the `guestbook` application should be available. You can check the availability by visiting the public address of the Application Gateway instance.

-If you don't specify a host name, the `guestbook` service is available on all the host names that point to the Application Gateway instance.

-Assuming that all the prerequisites are fulfilled, and you have an Application Gateway instance controlled by a Kubernetes ingress in Azure Kubernetes Service (AKS), the preceding deployment would result in a WebSocket server exposed on port 80 of your Application Gateway instance's public IP address and the `ws.contoso.com` domain.

-description: This article provides information on how to deploy the Application Gateway Ingress Controller by using an existing Application Gateway instance.

-# Install AGIC by using an existing Application Gateway instance

-## Back up the Application Gateway instance

-Before you install AGIC, back up your Application Gateway instance's configuration:

-1. In the [Azure portal](https://portal.azure.com/), go to your Application Gateway instance.

-1. Grant the identity **Contributor** access to your Application Gateway instance. You need the ID of the Application Gateway instance, which looks like `/subscriptions/A/resourceGroups/B/providers/Microsoft.Network/applicationGateways/C`.

-To understand how you can expose an AKS service to the internet over HTTP or HTTPS by using an Azure Application Gateway instance, see [this how-to guide](ingress-controller-expose-service-over-http-https.md).

-## Set up a shared Application Gateway instance

-By default, AGIC assumes full ownership of the Application Gateway instance that it's linked to. AGIC version 0.8.0 and later can share a single Application Gateway instance with other Azure components. For example, you could use the same Application Gateway instance for an app

-Let's look at an imaginary Application Gateway instance that manages traffic for two websites:

-With default settings, AGIC assumes 100% ownership of the Application Gateway instance that it's pointed to. AGIC overwrites all of the App Gateway configuration. If you manually create a listener for `prod.contoso.com` on Application Gateway without defining it in the Kubernetes ingress, AGIC deletes the `prod.contoso.com` configuration within seconds.

-### Enable a shared Application Gateway instance by using a new AGIC installation

-### Enable a shared Application Gateway instance for an existing AGIC installation

-Assume that you already have a working AKS cluster and an Application Gateway instance, and you configured AGIC in your cluster. You have an Ingress for `prod.contoso.com` and are successfully serving traffic for it from the cluster.

-You want to add `staging.contoso.com` to your existing Application Gateway instance, but you need to host it on a [virtual machine](https://azure.microsoft.com/services/virtual-machines/). You're going to reuse the existing Application Gateway instance and manually configure a listener and back-end pools for `staging.contoso.com`. But manually tweaking the Application Gateway configuration (by using the [Azure portal](https://portal.azure.com), [Resource Manager APIs](/rest/api/resources/), or [Terraform](https://www.terraform.io/)) would conflict with AGIC's assumptions of full ownership. Shortly after you apply changes, AGIC overwrites or deletes them.

-3. Modify the Application Gateway configuration from the Azure portal. For example, add listeners, routing rules, and back ends. The new object that you created (`manually-configured-staging-environment`) prohibits AGIC from overwriting the Application Gateway configuration related to

-description: This article provides information on how to deploy the Application Gateway Ingress Controller by using a new Application Gateway instance.

-# Install AGIC by using a new Application Gateway instance

-With the instructions in the previous section, you created and configured a new AKS cluster and an Application Gateway instance. You're now ready to deploy a sample app and an ingress controller to your new Kubernetes infrastructure.

- - `appgw.subscriptionId`: The Azure subscription ID in which Application Gateway resides. Example: `a123b234-a3b4-557d-b2df-a0bc12de1234`.

- - `appgw.resourceGroup`: Name of the Azure resource group in which you created the Application Gateway instance. Example: `app-gw-resource-group`.

- - `appgw.name`: Name of the Application Gateway instance. Example: `applicationgatewayd0f0`.

- - `appgw.shared`: Boolean flag that defaults to `false`. Set it to `true` if you need a [shared Application Gateway instance](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/072626cb4e37f7b7a1b0c4578c38d1eadc3e8701/docs/setup/install-existing.md#multi-cluster--shared-app-gateway).

- > In the command, `<resource-group>` is the resource group of your Application Gateway instance. The `<identity-name>` placeholder is the name of the created identity. You can list all identities for a particular subscription by using `az identity list`.

-description: This article provides information on how to obtain a certificate from Let's Encrypt and use it on your Application Gateway instance for AKS clusters.

-3. Create an ingress resource to expose the `guestbook` application by using the Application Gateway instance with the Let's Encrypt certificate.

- Ensure that your Application Gateway instance has a public front-end IP configuration with a DNS name. Use the default `azure.com` domain, or provision an Azure DNS zone and then assign your own custom domain. The annotation `certmanager.k8s.io/cluster-issuer: letsencrypt-staging` tells cert-manager to process the tagged ingress resource.

-As of version 0.7, the [Application Gateway Kubernetes Ingress Controller](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/README.md) (AGIC) can ingest events from and observe multiple namespaces. If an Azure Kubernetes Service (AKS) administrator decides to use [Azure Application Gateway](https://azure.microsoft.com/services/application-gateway/) as an ingress, all namespaces use the same instance of Application Gateway. A single installation of AGIC monitors accessible namespaces and configures the Application Gateway instance that it's associated with.

-Multiple-namespaced [ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource) could instruct AGIC to create conflicting configurations for a single Application Gateway instance. That is, two ingresses could claim the same domain for an instance.

-At the top of the hierarchy, AGIC could create *listeners* (IP address, port, and host) and *routing rules* (binding listener, back-end pool, and HTTP settings). Multiple namespaces and ingresses could share them.

-On the other hand, AGIC could create paths, back-end pools, HTTP settings, and TLS certificates for one namespace only and remove duplicates.

-Despite the two ingress resources demanding traffic for `www.contoso.com` to be routed to the respective Kubernetes namespaces, only one back end can service the traffic. AGIC creates a configuration on a "first in, first out" basis for one of the resources. If two ingress resources are created at the same time, the one earlier in the alphabet takes precedence. Based on this property, AGIC creates settings for the `production` ingress. Application Gateway is configured with the following resources:

-For example, if you add `staging` first, AGIC configures Application Gateway to route traffic to the staging back-end pool. At a later stage, introducing `production` ingress causes AGIC to reprogram Application Gateway, which starts routing traffic to the `production` back-end pool.

-For Application Gateway instances without a private IP, ingresses annotated with `appgw.ingress.kubernetes.io/use-private-ip: "true"` are ignored. The ingress event and the Application Gateway Ingress Controller (AGIC) pod log indicate this problem:

-This code makes the ingress controller filter the IP address configurations for a private IP when it's configuring the front-end listeners on the Application Gateway instance. AGIC can stop working if the value of `usePrivateIP` is `true` and no private IP is assigned.

-> Application Gateway v2 requires a public IP. If you require Application Gateway to be private, attach a [network security group](../virtual-network/network-security-groups-overview.md) to the Application Gateway instance's subnet to restrict traffic.

- -resourceId /subscriptions/8b1d0fea-8d57-4975-adfb-308f1f4d12aa/resourceGroups/MyResourceGroup/providers/Microsoft.Network/applicationGateways/myv1appgateway `

- -publicIpResourceId "/subscriptions/8b1d0fea-8d57-4975-adfb-308f1f4d12aa/resourceGroups/MyResourceGroup/providers/Microsoft.Network/publicIPAddresses/MyPublicIP" `

- "clientIP": "191.96.249.97",

- "requestQuery": "X-AzureApplicationGateway-CACHE-HIT=0&SERVER-ROUTED=10.4.0.4&X-AzureApplicationGateway-LOG-ID=874f1f0f-6807-41c9-b7bc-f3cfa74aa0b1&SERVER-STATUS=404",

-The 2.x versions of the core packages change the supported framework assets and bring in support for new .NET APIs from these later versions. When using .NET 9 (Preview) or later, your app needs to reference version 2.0.0-preview1 or later of both packages.

-When updating to the 2.x versions, please note the following changes:

-When using .NET isolated functions, you have access to the start-up of your function app, which is usually in `Program.cs`. You're responsible for creating and starting your own host instance. As such, you also have direct access to the configuration pipeline for your app. With .NET Functions isolated worker process, you can much more easily add configurations, inject dependencies, and run your own middleware.

-Before calling `Build()` on the `HostBuilder`, you should:

-The [ConfigureFunctionsWorkerDefaults] method is used to add the settings required for the function app to run in an isolated worker process, which includes the following functionality:

-+ Default gRPC support.

-Having access to the host builder pipeline means that you can also set any app-specific configurations during initialization. You can call the [ConfigureAppConfiguration] method on [HostBuilder] one or more times to add the configurations required by your function app. To learn more about app configuration, see [Configuration in ASP.NET Core](/aspnet/core/fundamentals/configuration/?view=aspnetcore-5.0&preserve-view=true).

-These configurations apply to your function app running in a separate process. To make changes to the functions host or trigger and binding configuration, you still need to use the [host.json file](functions-host-json.md).

-Dependency injection is simplified when compared to .NET in-process functions, which requires you to create a startup class to register services.

-For a .NET isolated process app, you use the .NET standard way of call [ConfigureServices] on the host builder and use the extension methods on [IServiceCollection] to inject specific services.

-The following example injects a singleton service dependency:

-The isolated worker model uses `System.Text.Json` by default. You can customize the behavior of the serializer by configuring services as part of your `Program.cs` file. This section covers general-purpose serialization and will not influence [HTTP trigger JSON serialization with ASP.NET Core integration](#json-serialization-with-aspnet-core-integration), which must be configured separately.

-You might wish to instead use JSON.NET (`Newtonsoft.Json`) for serialization. To do this, you would install the [`Microsoft.Azure.Core.NewtonsoftJson`](https://www.nuget.org/packages/Microsoft.Azure.Core.NewtonsoftJson) package. Then, in your service registration, you would reassign the `Serializer` property on the `WorkerOptions` configuration. The following example shows this using `ConfigureFunctionsWebApplication`, but it will also work for `ConfigureFunctionsWorkerDefaults`:

-1. In your `Program.cs` file, update the host builder configuration to use `ConfigureFunctionsWebApplication()` instead of `ConfigureFunctionsWorkerDefaults()`. The following example shows a minimal setup without other customizations:

- using Microsoft.Extensions.Hosting;

-In .NET isolated, you can write to logs by using an [`ILogger<T>`][ILogger&lt;T&gt;] or [`ILogger`][ILogger] instance. The logger can be obtained through [dependency injection](#dependency-injection) of an [`ILogger<T>`][ILogger&lt;T&gt;] or of an [ILoggerFactory]:

-As part of configuring your app in `Program.cs`, you can also define the behavior for how errors are surfaced to your logs. By default, exceptions thrown by your code can end up wrapped in an `RpcException`. To remove this extra layer, set the `EnableUserCodeException` property to "true" as part of configuring the builder:

-Many of the deployment methods make use of a zip archive. If you are creating the zip archive yourself, it must follow the structure outlined in this section. If it does not, your app may experience errors at startup.

-These files are generated by the build process, and they are not meant to be edited directly.

-When you deploy to your function app in Azure, you also need to ensure that the framework is made available to the app. During the preview period, some tools and experiences may not surface the new preview version as an option. If you do not see the preview version included in the Azure Portal, for example, you can use the REST API, Bicep templates, or the Azure CLI to configure the version manually.

-One important difference to remember when connecting with the Storage API is that the URL for storage in Azure Government is different than the URL for storage in commercial Azure. Specifically, the domain ends with "core.usgovcloudapi.net", rather than "core.windows.net".

-These endpoint differences must be taken into account when you connect to storage in Azure Government with C#.

-1. Go to the [Azure Government portal](https://portal.azure.us) and select your storage account and then click the "Access Keys" tab:

- 

-2. Copy/paste the storage account connection string.

-#### C#

-1. Open Visual Studio and create a new project. Add a reference to the [Azure Tables client library for .NET](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/tables/Azure.Data.Tables). This package contains classes for connecting to your Storage Table account.

-2. Add these two lines of C# code to connect:

- ```cs

- var credentials = new TableSharedKeyCredential(storageAccountName, Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_KEY"));

- var storageTableUri = Environment.GetEnvironmentVariable("STORAGE_TABLE_URI");

- var tableServiceClient = new TableServiceClient(new Uri(storageTableUri), credentials);

- ```

-3. At this point, we can interact with Storage as we normally would. For example, if we want to retrieve a specific entity from our Table Storage, we could do it like this:

- ```cs

- var tableClient = tableServiceClient.GetTableClient("Contacts");

- ContactEntity contact = tableClient.GetEntity<ContactEntity>("gov-partition1", "0fb52a6c-3784-4dc5-aa6d-ecda4426dbda");

- Console.WriteLine($"Contact: {contact.FirstName} {contact.LastName}");

- ```

-1. Download the [Azure Tables client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/tables/azure-data-tables) and configure your project correctly.

-2. Create a "test" class where we'll access Azure Table Storage using the Azure Tables client library.

- Copy and paste the code below, and **paste** your Storage Account connection string into the `AZURE_STORAGE_CONNECTION_STRING` environment variable.

- ```java

- import com.azure.data.tables.implementation.ModelHelper;

- import com.azure.data.tables.models.*;

- import java.util.HashMap;

- public class test {

- public static final String storageConnectionString = System.getEnv("AZURE_STORAGE_CONNECTION_STRING");

- public static void main(String[] args) {

- try

- {

- // Create the table service client.

- TableServiceClient tableServiceClient = new TableServiceClientBuilder()

- .connectionString(storageConnectionString)

- .buildClient();

- // Create the table if it doesn't exist.

- String tableName = "Contacts";

- TableClient tableClient = tableServiceClient.createTableIfNotExists(tableName);

- // Create a new customer entity.

- TableEntity customer1 = ModelHelper.createEntity(new HashMap<String, Object>() {{

- put("PartitionKey", "Brown");

- put("RowKey", "Walter");

- put("Email", "Walter@contoso.com");

- }});

- // Insert table entry into table

- tableClient.createEntity(customer1);

- }

- catch (Exception e)

- {

- // Output the stack trace.

- e.printStackTrace();

- }

- }

- ```

-1. Download the [Azure Storage Blob client library for Node.js](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/storage/storage-blob) and configure your application correctly.

-2. The following code below connects to Azure Blob Storage and creates a Container using the Azure Storage API.

- **Paste** your Azure Storage account connection string into the `AZURE_STORAGE_CONNECTION_STRING` environment variable.

- ```javascript

- var { BlobServiceClient } = require("@azure/storage-blob");

- var storageConnectionString = process.env["AZURE_STORAGE_CONNECTION_STRING"];

- var blobServiceClient = BlobServiceClient.fromConnectionString(storageConnectionString);

- var containerClient = blobServiceClient.getContainerClient('testing');

- containerClient.createIfNotExists();

- ```

-1. Download the [Azure Storage Blob client library for Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/storage/azure-storage-blob).

-2. When using the Storage library for Python to connect to Azure Government, paste your Azure storage connection string in the `AZURE_STORAGE_CONNECTION_STRING` environment variable.

- ```python

- # Create the BlobServiceClient that is used to call the Blob service for the storage account

- connection_string = os.getenv("AZURE_STORAGE_CONNECTION_STRING")

- blob_service_client = BlobServiceClient.from_connection_string(conn_str=connection_string)

- container_name ='ml-gov-demo'

- container = blob_service_client.get_container_client(container=container_name)

- generator = container.list_blobs()

- for blob in generator:

- print("\t Blob name: " + blob.name)

- ```

-As you begin to develop solutions for indoor maps, you can discover ways to integrate existing Azure Maps capabilities. For example, you can implement asset tracking or safety scenarios by using the [Geofence service] with Creator indoor maps. For example, you can use the Geofence API to determine whether a worker enters or leaves specific indoor areas. For more information about how to connect Azure Maps with IoT telemetry, see [Tutorial: Implement IoT spatial analytics by using Azure Maps].

-[Tutorial: Implement IoT spatial analytics by using Azure Maps]: tutorial-iot-hub-maps.md

-* Sequential I/O: 100% sequential writes max out at 8,500 MiB/second, while a single large volume is capable of 10 GiB/second (12,800 MiB/second) throughput.

-1. Select one or more resources by selecting the checkboxes. To select all, select the checkbox on the left of **Name**. The **Export template** menu item only becomes enabled after you've selected at least one resource.

- On the screenshot, only the storage account is selected.

-1. Select **Export template**.

-## Download template before deployment

-The portal has the option of downloading a template before deploying it. This option isn't available through PowerShell or Azure CLI.

-1. Select the Azure service you want to deploy.

-1. Fill in the values for the new service.

-1. After passing validation, but before starting the deployment, select **Download a template for automation**.

- :::image type="content" source="./media/export-template-portal/download-before-deployment.png" alt-text="Screenshot of the option to download a template before deployment in Azure portal.":::

-1. The template is displayed and is available for download and deploy.

-1. Copy the value of the client secret, and then paste it to a secure location to save for later use.

-This is the FAQ of Azure Web PubSub service.

-Both [Azure SignalR Service](https://azure.microsoft.com/services/signalr-service) and [Azure Web PubSub service](https://azure.microsoft.com/services/web-pubsub) help customers build real-time web applications easily with large scale and high availability and enable customers to focus on their business logic instead of managing the messaging infrastructure. In general, you may choose Azure SignalR Service if you already use SignalR library to build real-time application. Instead, if you're looking for a generic solution to build real-time application based on WebSocket and publish-subscribe pattern, you may choose Azure Web PubSub service. The Azure Web PubSub service is **not** a replacement for Azure SignalR Service. They're targeting different scenarios.

-Azure Web PubSub does not store any customer data. If you use Azure Web PubSub service together with other Azure services, like Azure Storage for diagnostics, see [Azure Privacy Overview (white paper)](https://go.microsoft.com/fwlink/p/?linkid=2220836) for guidance about how to keep data residency in Azure regions.

-You can easily verify the TTL settings of your blobs. With your browser's developer tools, test that your blob includes the `Cache-Control` response header. You can also use a tool such as [Wget](https://www.gnu.org/software/wget/), [Postman](https://www.getpostman.com/), or [Fiddler](https://www.telerik.com/fiddler) to examine the response headers.

-You can easily verify the TTL settings of your web content. With your browser's developer tools, test that your web content includes the `Cache-Control` response header. You can also use a tool such as **wget**, [Postman](https://www.getpostman.com/), or [Fiddler](https://www.telerik.com/fiddler) to examine the response headers.

-description: Use Azure Communication Services SDKs to access BreakoutRooms.

-# BreakoutRooms

-In this article, you learn how to implement Microsoft Teams breakout rooms with Azure Communication Services. This capability allows Azure Communication Services users in Teams meetings to participate in breakout rooms. Teams administrators control availability of breakout rooms in Teams meeting with Teams meeting policy. You can find additional information about breakout rooms in [Teams documentation](https://support.microsoft.com/office/use-breakout-rooms-in-microsoft-teams-meetings-7de1f48a-da07-466c-a5ab-4ebace28e461).

-The following tables show support of breakout rooms for specific call type and identity.

-The following tables show support of individual APIs in calling SDK to individual identity types.

-The following tables show support of breakout rooms feature in individual Azure Communication Services SDKs.

-## Breakout rooms

-This article describes how to implement Microsoft Teams spotlight capability with Azure Communication Services Calling SDKs. This capability enables users in the call or meeting to pin and unpin videos for everyone. The maximum limit of pinned videos is seven.

-Since the video stream resolution of a participant is increased when spotlighted, it should be noted that the settings done on [Video Constraints](../../concepts/voice-video-calling/video-constraints.md) also apply to spotlight.

-Spotlighting a video is like pinning it for everyone in the meeting. The organizer, co-organizer, or presenter can choose up to seven people's video feeds (including their own) to highlight for everyone else.

-The two different ways to spotlight are your own video and someone else's video (up to seven people).

-When a user spotlights or pins someone in the meeting, this increases the height or width of the participant grid depending on the orientation.

-Remind participants that they can't spotlight a video if their view is set to Large gallery or Together mode.

-| 403 | 45903 | ExpectedError | Only participants with the roles of organizer, co-organizer, or presenter can initiate a spotlight. | Ensure the participant calling the `startSpotlight` operation has the role of organizer, co-organizer, or presenter. |

-Use this article to stay updated on new features and other useful information related to Azure Communication Services.

-Developers can use [Call Automation APIs](./concepts/call-automation/call-automation.md) to bring Teams users into business-to-consumer (B2C) calling workflows and interactions, which helps you deliver advanced customer service solutions. This interoperability is offered over VoIP to reduce telephony infrastructure overhead. Developers can add Teams users to Azure Communication Services calls by using the participants' Microsoft Entra object IDs (OIDs).

-## December 2023

-### Call Diagnostics

-Azure Communication Services Call Diagnostics is available in preview. Call Diagnostics helps developers troubleshoot and improve their applications for voice and video calling.

-Call Diagnostics is an Azure Monitor experience that offers specialized telemetry and diagnostic pages in the Azure portal. With Call Diagnostics, you can access and analyze data, visualizations, and insights for each call. Then you can identify and resolve issues that affect the user experience.

-Call Diagnostics works with other Azure Communication Services features, such as noise suppression and pre-call troubleshooting, to deliver reliable video-calling experiences that are easy to develop and operate.

-For more information, see [Call Diagnostics](./concepts/voice-video-calling/call-diagnostics.md).

-### WebJS Calling updates

-The following APIs for WebJS Calling features moved to general availability: Media Quality Statistics, Video Constraints, and Data Channel.

-#### Media Quality Statistics

-Developers can use the Media Quality Statistics API to better understand their video-calling quality and reliability experience in real time from within the Calling SDK. When developers understand from the client side what their customers are experiencing, they can delve deeper into understanding and mitigating any problems that arise for users.

-For more information, see [Media quality statistics](./concepts/voice-video-calling/media-quality-sdk.md).

-#### Video Constraints

-Developers can use the Video Constraints API to better manage the overall quality of calls. For example, if a developer knows that a participant has a poor internet connection, the developer can limit video resolution size on the sender side to use less bandwidth. The result is an improved calling experience for the participant.

-For more information about improving the calling experience by using the Video Constraints API, see [Quickstart: Set video constraints in your calling app](./quickstarts/voice-video-calling/get-started-video-constraints.md).

-#### Data Channel

-The Data Channel API enables real-time messaging during audio and video calls. This function enables developers to manage their own data pipeline and send their own unique messages to remote participants on a call. A data channel enhances communication capabilities by enabling local participants to connect directly to remote participants when the scenario requires it.

-Get started with [Quickstart: Add Data Channel messaging to your calling app](./quickstarts/voice-video-calling/get-started-data-channel.md).

-This article shows how to configure Azure Container Apps to use Facebook as an authentication provider.

-To complete the procedure in this article, you need a Facebook account that has a verified email address and a mobile phone number. To create a new Facebook account, go to [facebook.com](https://facebook.com/).

- > The app secret is an important security credential. Do not share this secret with anyone or distribute it within a client application.

- The secret will be stored as a [secret](manage-secrets.md) in your container app.

-1. If you're configuring the first identity provider for this application, you'll be prompted with a **Container Apps authentication settings** section. Otherwise, you may move on to the next step.

-You're now ready to use Facebook for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.

-This article shows you how to configure Azure Container Apps to use a custom authentication provider that adheres to the [OpenID Connect specification](https://openid.net/connect/). OpenID Connect (OIDC) is an industry standard used by many identity providers (IDPs). You don't need to understand the details of the specification in order to configure your app to use an adherent IDP.

-Your provider will require you to register the details of your application with it. One of these steps involves specifying a redirect URI. This redirect URI will be of the form `<app-url>/.auth/login/<provider-name>/callback`. Each identity provider should provide more instructions on how to complete these steps.

-You'll need to collect a **client ID** and **client secret** for your application.

-> The client secret is an important security credential. Do not share this secret with anyone or distribute it within a client application.

-Additionally, you'll need the OpenID Connect metadata for the provider. This information is often exposed via a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), which is the provider's Issuer URL suffixed with `/.well-known/openid-configuration`. Gather this configuration URL.

-If you're unable to use a configuration metadata document, you'll need to gather the following values separately:

-1. Specify an application setting name for your client secret. Your client secret will be stored as a [secret](manage-secrets.md) in your container app.

-In this tutorial, you'll deploy a containerized ASP.NET Core 6.0 application to Azure Container Apps using Visual Studio. The steps below also apply to earlier versions of ASP.NET Core.

-Begin by creating the containerized ASP.NET Core application to deploy to Azure.

-1) Inside Visual Studio, select **File** and then choose **New => Project**.

-4) On the **Additional Information** screen, make sure to select **Enable Docker**, and then make sure **Linux** is selected for the **Docker OS** setting. Azure Container Apps currently does not support Windows containers. This selection ensures the project template supports containerization by default. While enabled, the project uses a container as it is running or building.

-The application includes a Dockerfile because the Enable Docker setting was selected in the project template. Visual Studio uses the Dockerfile to build the container image that is run by Azure Container Apps.

-You are now ready to deploy to the application to Azure Containers Apps.

-The Visual Studio publish dialogs will help you choose existing Azure resources, or create new ones to be used to deploy your applications to. It will also build the container image using the Dockerfile in the project, push this image to ACR, and finally deploy the new image to the container app selected.

-5) Next, create an Azure Container App to host the project. Select the **green plus icon** on the right to open the create dialog. In the *Create new* dialog, enter the following values:

- - **Resource group**: A resource group acts as a logical container to organize related resources in Azure. You can either select an existing resource group, or select **New** to create one with a name of your choosing, such as `msdocscontainerapps`.

- - **Container Apps Environment**: Container Apps Environment: Every container app must be part of a container app environment. An environment provides an isolated network for one or more container apps, making it possible for them to easily invoke each other. Click **New** to open the Create new dialog for your container app environment. Leave the default values and select **OK** to close the environment dialog.

- - **Container Name**: This is the friendly name of the container that will run for this container app. Use the name `msdocscontainer1` for this quickstart. A container app typically runs a single container, but there are times when having more than one container is needed. One such example is when a sidecar container is required to perform an activity such as specialized logging or communications.

-6) Select **Create** to finalize the creation or your container app. Visual Studio and Azure create the needed resources on your behalf. This process may take a couple minutes, so allow it to run to completion before moving on.

-8) On the **Registry** screen, you can either select an existing Registry if you have one, or create a new one. To create a new one, click the green **+** icon on the right. On the **Create new** registry screen, fill in the following values:

- - **Subscription Name**: Select the subscription you want to use - you may only have one to choose from.

-9) After you have populated these values, select **Create**. Visual Studio and Azure will take a moment to create the registry.

-10) Once the container registry is created, make sure it is selected, and then choose **Finish**. Visual Studio will take a moment to create the publish profile. This publish profile is where VS stores the publish options and resources you chose so you can quickly publish again whenever you want. You can close the dialog once it finishes.

-Choose **Publish** in the upper right of the publishing profile screen to deploy to the container app you created in Azure. This process may take a moment, so wait for it to complete.

-When the app finishes deploying, Visual Studio opens a browser to the URL of your deployed site. This page may initially display an error if all of the proper resources have not finished provisioning. You can continue to refresh the browser periodically to check if the deployment has fully completed.

-Container Apps can also be deployed using CI/CD through [GitHub actions](https://docs.github.com/en/actions), which are a powerful tool for automating, customizing, and executing development workflows directly through the GitHub repository of your project.

-If Visual Studio detects the project you are publishing is hosted in GitHub, the publish flow presents an additional **Deployment type** step. This stage allows developers to choose whether to publish directly through Visual Studio using the steps shown earlier in the quickstart, or through a GitHub Actions workflow.

-If you select the GitHub Actions workflow, Visual Studio will add a *.github* folder to the root directory of the project, along with a generated YAML file inside of it. The YAML file contains GitHub Actions configurations to build and deploy your app to Azure every time you push your code.

-After you make a change and push your code, you can see the progress of the build and deploy process in GitHub under the **Actions** tab. This page provides detailed logs and indicators regarding the progress and health of the workflow.

-Once you see a green checkmark next to the build and deploy jobs the workflow is complete. When you browse to your Container Apps site you should see the latest changes applied. You can always find the URL for your container app using the Azure portal page.

-If you're not going to continue to use this application, you can delete the Azure Container Apps instance and all the associated services by removing the resource group.

-Follow these steps in the Azure portal to remove the resources you created:

- The process to delete the resource group may take a few minutes to complete.

-| Container app name | Enter **my-container-app**. |

- If there are errors, any tab containing errors is marked with a red dot. Navigate to the appropriate tab. Fields containing an error will be highlighted in red. Once all errors are fixed, select **Review and create** again.

- A page with the message *Deployment is in progress* is displayed. Once the deployment is successfully completed, you'll see the message: *Your deployment is complete*.

-You can verify your deployment is successful by querying the Log Analytics workspace. You may need to wait a 5 to 10 minutes for the analytics to arrive for the first time before you are able to query the logs.

-After about 5 to 10 minutes has passed after creating the container app, use the following steps to view logged messages.

- The process to delete the resource group may take a few minutes to complete.

-The following offers aren't supported yet:

-| [ServiceNow (legacy)](connector-servicenow-legacy.md)   | [Link](connector-servicenow.md#upgrade-your-servicenow-linked-service) | End of support announced and new version available | December 31, 2024 | / |

->The new ServiceNow connector provides improved native ServiceNow support. If you are using the legacy ServiceNow connector in your solution, please [upgrade your ServiceNow connector](connector-servicenow.md#upgrade-your-servicenow-linked-service) before **December 31, 2024**. Refer to this [section](connector-servicenow.md#differences-between-servicenow-and-servicenow-legacy) for details on the difference between the legacy and latest version.

->The new ServiceNow connector provides improved native ServiceNow support. If you are using the legacy ServiceNow connector in your solution, please [upgrade your ServiceNow connector](#upgrade-your-servicenow-linked-service) before **December 31, 2024**. Refer to this [section](#differences-between-servicenow-and-servicenow-legacy) for details on the difference between the legacy and latest version.

-You'll also need to download a sample glTF (Graphics Language Transmission Format) 3D file to use for the scene in this quickstart. [Select this link to download RobotArms.glb](https://cardboardresources.blob.core.windows.net/public/RobotArms.glb).

-

-

-

- 1. On the **App settings** tab, check whether the settings named **SAP_PSE** and **SAP__PSE_Password** already exist. If they don't exist, you have to add each setting at the end of the settings list, provide the following required information, and select **Apply** for each setting:

-> [!CAUTION]

-> Make sure to protect an SAS just as you would protect an account key from unauthorized use.

-> Set up or have a plan in place for revoking a compromised SAS key. Employ discretion in

-> distributing an SAS URI, and only distribute SAS URIs over a secure connection such as HTTPS.

-> Make sure to only perform operations that use an SAS over an HTTPS connection.

-> If you use an SAS to access storage services, Microsoft recommends that you

-Inbound calls to the endpoint on a request-based trigger can use only one authorization scheme, either SAS or [OAuth 2.0 with Microsoft Entra ID](#enable-oauth). Although using one scheme doesn't disable the other, if you use both schemes at the same time, Azure Logic Apps generates an error because the service doesn't know which scheme to choose.

-If your Consumption workflow starts with the **Request** trigger, you can [disable SAS authentication](#disable-sas). This option works even if you also [restrict authorization to use only OAuth 2.0 with Microsoft Entra ID](#enable-oauth-only-option). For Standard workflows, you can use other authentication types without disabling SAS.

-> [!IMPORTANT]

-> with [managed identities](/entra/identity/managed-identities-azure-resources/overview) for authentication when possible.

-For more information about using SAS, see the following sections in this guide:

-> This action disables SAS authentication for incoming requests and blocks existing SAS tokens or

-> signatures from working. However, your SAS tokens or signatures remain valid and still work

-> if you enable SAS authentication again. To disable SAS tokens and signatures, see

-To generate a new security access key at any time, use the Azure REST API or Azure portal. All previously generated URLs that use the old key are invalidated and no longer have authorization to trigger the logic app. The URLs that you retrieve after regeneration are signed with the new access key.

-1. In the [Azure portal](https://portal.azure.com), open the logic app that has the key you want to regenerate.

-| **Authority** | `authority` | No | <*URL-for-authority-token-issuer*> | The URL for the authority that provides the access token, such as `https://login.microsoftonline.com/` for Azure global service regions. For other national clouds, review [Microsoft Entra authentication endpoints - Choosing your identity authority](/entra/identity-platform/authentication-national-cloud#application-endpoints). |

-## Related contet

-> [!CAUTION]

-> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](/azure/virtual-machines/workloads/centos/centos-end-of-life).

-Few Linux machines like Oracle/CentOS have a configuration value that requires **tty** option to be enabled by default which can cause an error. In such cases, you can disable this setting by adding **a "!"** character in the **/etc/sudoers** file. You can also add the following at the end of **/etc/sudoers/** file to ensure that no other configuration in the file can override this:

-The following screenshot depicts a graph and chart showing the top flows and their frequency. Flows are also shown by NSG rule and flows by decision. Grafana is highly customizable so it's advisable that you create dashboards to suit your specific monitoring needs. The following example shows a typical dashboard:

-

- },

- "sshKeyUrl": {

- "type": "string",

- "metadata": {

- "description": "SSH Key URL that is used for to gather list of Public Keys"

- }

- ],

- "sshKeyUrl": {

- "value": "https://"

- },

-When a new Cluster is created, the credentials are automatically rotated during deployment. The managed credential process then automatically rotates these credentials every 60 days. The updated credentials are written to the key vault associated with the Cluster resource. The last rotation timestamps are currently not visible to users, but is a planned enhancement to the Operator Nexus Platform.

-> The introduction of this capability enables auto-rotation for existing instances. If any of the supported credentials have not been rotated within the last 60 days, they will be rotated at the time of upgrade.

-| [Azure API Management](migrate-api-mgt.md) |  |

-| Region | Data Map | Data Governance | Scan | Policy | Insights |

-| | | | | | |

-|Southeast Asia|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|East US|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|Australia East|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg"::: |:::image type="icon" source="media/yes-icon.svg":::|

-|West US 2|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|Canada Central|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg"::: |:::image type="icon" source="media/yes-icon.svg":::|

-|Central India|||:::image type="icon" source="media/yes-icon.svg":::||:::image type="icon" source="media/yes-icon.svg":::|

-|East US 2|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|France Central|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|Germany West Central|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|Japan East|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|Korea Central|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|West US 3|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|North Europe|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|South Africa North|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|Sweden Central|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg"::: |

-|Switzerland North|||:::image type="icon" source="media/yes-icon.svg":::|||

-|USGov Virginia|:::image type="icon" source="media/yes-icon.svg":::||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg"::: |:::image type="icon" source="media/yes-icon.svg":::|

-|South Central US|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|Brazil South|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|UK South|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg"::: |:::image type="icon" source="media/yes-icon.svg":::|

-|Qatar Central|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

-|China North 3|:::image type="icon" source="media/yes-icon.svg":::||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg"::: |:::image type="icon" source="media/yes-icon.svg":::|

-|West Europe|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|

- ΓÇïFor more information on how to change the `nfs_disable_idmapping` parameter, see the [Red Hat Knowledge Base](https://access.redhat.com/solutions/1749883).

- sudo pcs constraint location SAPHanaTopology_HN1_03-clone rule score=-INFINITY hana_nfs1_active ne true and hana_nfs2_active ne true

- sudo pcs constraint location SAPHana_HN1_03-master rule score=-INFINITY hana_nfs1_active ne true and hana_nfs2_active ne true

- sudo pcs constraint location SAPHana_HN1_03-clone rule score=-INFINITY hana_nfs1_active ne true and hana_nfs2_active ne true

- Take the cluster out of maintenance mode.

-To migrate SAP VMs to a flexible scale set, you need to re-create the VMs and the disks with zone constraints (if necessary) from existing resources. There's no direct way to migrate SAP workloads deployed in availability sets or availability zones to flexible scale with FD=1. An [open-source project](https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/Move-VM-from-AvSet-to-AvZone/Move-Regional-SAP-HA-To-Zonal-SAP-HA-WhitePaper) includes PowerShell functions that you can use as a sample, and a [blog post](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/how-to-easily-migrate-an-existing-sap-system-vms-to-flexible/ba-p/3833548) shows you how to modify a HA or non-HA SAP system deployed in availability set or availability zone to flexible scale set with FD=1.

-If you ingest at least 500 GB into your Microsoft Sentinel workspace or workspaces in the same region, consider moving to a Log Analytics dedicated cluster to decrease costs. A Log Analytics dedicated cluster Commitment Tier aggregates data volume across workspaces that collectively ingest a total of 500 GB or more. For more information, see [Simplified pricing tier for dedicated cluster](enroll-simplified-pricing-tier.md#simplified-pricing-tiers-for-dedicated-clusters).

-| Source Service Type | Source services are services you can connect to target services. They are usually Azure compute services and they include Azure App Service, Azure Functions, Azure Container Apps and Azure Spring Apps.

-| Azure Container Apps | `/subscriptions/{subscription}/resourceGroups/{source_resource_group}/providers/Microsoft.App/containerApps/{app}` |

-* **WebApp/Container Apps/Spring Apps + Database:** Use Service Connector to connect PostgreSQL, MySQL, or Azure Cosmos DB to your App Service/Container Apps/Spring Apps.

-* **WebApp/Container Apps/Spring Apps + Storage:** Use Service Connector to connect to Azure Storage accounts and use your preferred storage products easily for any of your apps.

-* **WebApp/Container Apps/Spring Apps + Messaging

-**Compute

-**Target

-> - (Europe) Italy North

-> - (Europe) UK South

-> - (Europe) Poland Central

-> - (Middle East) Israel Central

-> - (North America) Canada Central

-> - (North America) East US

-> - (North America) East US 2

-An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, and tables. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. For more information about Azure storage accounts, see [Storage account overview](storage-account-overview.md).

-> - (Europe) Italy North

-> - (Europe) UK South

-> - (Europe) Poland Central

-> - (Middle East) Israel Central

-> - (North America) Canada Central

-> - (North America) East US

-> - (North America) East US 2

-Objects in synchronized databases cannot be modified from serverless SQL pool.

-Azure Synapse currently only shares managed and external Spark tables that store their data in Parquet, DELTA, or CSV format with the SQL engines. Tables backed by other formats are not automatically synced. You may be able to sync such tables explicitly yourself as an external table in your own SQL database if the SQL engine supports the table's underlying format.

-| `IntegerType`, `Integer`, `int` | `int` | **Spark** *IntegerType* represents 4-byte signed integer numbers. <BR>**SQL**: See [int, bigint, smallint, and tinyint](/sql/t-sql/data-types/int-bigint-smallint-and-tinyint-transact-sql).|

-| `ByteType`, `Byte`, `tinyint` | `smallint` | **Spark**: *ByteType* represents 1-byte signed integer numbers [-128 to 127] and ShortType represents 2-byte signed integer numbers [-32768 to 32767]. <br> **SQL**: Tinyint represents 1-byte signed integer numbers [0, 255] and smallint represents 2-byte signed integer numbers [-32768, 32767]. See [int, bigint, smallint, and tinyint](/sql/t-sql/data-types/int-bigint-smallint-and-tinyint-transact-sql).|

-| `DateType`, `date` | `date` | **Spark**: *DateType* represents values comprising values of fields year, month and day, without a time-zone.<BR>**SQL**: See [date](/sql/t-sql/data-types/date-transact-sql).|

-| `StringType`, `String`, `varchar` | `Varchar(n)` | **Spark**: *StringType* represents character string values. *VarcharType(n)* is a variant of StringType which has a length limitation. Data writing will fail if the input string exceeds the length limitation. This type can only be used in table schema, not functions/operators.<br> *CharType(n)* is a variant of *VarcharType(n)* which is fixed length. Reading column of type *CharType(n)* always returns string values of length n. *CharType(n)* column comparison will pad the short one to the longer length. <br> **SQL**: If there's a length provided from Spark, n in *varchar(n)* will be set to that length. If it is partitioned column, n can be max 2048. Otherwise, it will be *varchar(max)*. See [char and varchar](/sql/t-sql/data-types/char-and-varchar-transact-sql).<br> Use it with collation `Latin1_General_100_BIN2_UTF8`. |

-| `BinaryType`, `binary` | `varbinary(n)` | **SQL**: If there's a length provided from Spark, `n` in *Varbinary(n)* will be set to that length. If it is partitioned column, n can be max 2048. Otherwise, it will be *Varbinary(max)*. See [binary and varbinary](/sql/t-sql/data-types/binary-and-varbinary-transact-sql).|

-The Spark databases and tables, as well as their synchronized representations in the SQL engine will be secured at the underlying storage level. Since they do not currently have permissions on the objects themselves, the objects can be seen in the object explorer.

-SELECT * FROM mytestdb.dbo.myparquettable WHERE name = 'Alice';

-In this example, we will create an external Spark table over the Parquet data files that got created in the previous example for the managed table.

-Replace the placeholder `<storage-name>` with the ADLS Gen2 storage account name that you are using, `<fs>` with the file system name you're using and the placeholder `<synapse_ws>` with the name of the Azure Synapse workspace you're using to run this example.

-The Azure Synapse notebook activity in a [Synapse pipeline](../data-factory/concepts-pipelines-activities.md) runs a Synapse notebook in your Azure Synapse workspace. This article builds on the [data transformation activities](../data-factory/transform-data.md) article, which presents a general overview of data transformation and the supported transformation activities. 

-description: Learn how to renew a Trusted Signing identity validation.

-# Renew a Trusted Signing identity validation

-On the **Identity validation** pane, you can check the expiration date of your identity validation. You can renew your Trusted Signing identity validation 60 days before the expiration date. A reminder notification to renew your identity validation is sent to the primary and secondary email addresses for the Trusted Signing account.

-You can complete identity validation *only* in the Azure portal. You can't complete identity validation by using the Azure CLI.

-> [!NOTE]

-> If you don't renew your identity validation before the expiration date, certificate renewal stops. The signing process that's associated with the specific certificate profiles is effectively halted.

-1. In the [Azure portal](https://portal.azure.com/), go to your Trusted Signing account.

-1. Confirm that you're assigned the Trusted Signing Identity Verifier role.

- To learn about managing access by using role-based access control (RBAC), see [Assign roles in Trusted Signing](tutorial-assign-roles.md).

-1. On the Trusted Signing account **Overview** pane or on the resource menu under **Objects**, select **Identity validations**.

-1. Select the identity validation request that you want to renew. On the menu bar, select **Renew**.

- :::image type="content" source="media/trusted-signing-renew-identity-validation.png" alt-text="Screenshot that shows the Renew option for an identity validation request." lightbox="media/trusted-signing-renew-identity-validation.png":::

- If you encounter validation errors when you renew by selecting the **Renew** button or if the identity validation request is expired, create a new identity validation request. To learn more about creating a new identity validation, see the [Set up Trusted Signing quickstart](quickstart.md).

-1. Verify that after you renew a request, the identity validation status is **Completed**.

-1. To ensure that you can continue to use your existing *metadata.json* file:

- 1. On the Trusted Signing account **Overview** pane or on the resource menu under **Objects**, select **Certificate profiles**.

- 1. On the **Certificate profiles** pane, delete the existing certificate profile that's associated with the expiring identity validation.

- 1. Create a new certificate profile that has the same name.

- 1. Select the identity validation.

- When the certificate profile is successfully created, signing resumes without any other configuration changes.

-1. On the Trusted Signing account **Overview** pane, in the resource menu under **Monitoring**, select **Diagnostic settings**.

-1. On the **Diagnostic settings** pane, select **+ Add diagnostic setting**.

- 1. Under **Logs** > **Categories**, select the **Sign Transactions** checkbox.

- 1. Under **Destination details**, select the **Archive to a storage account** checkbox.

- 1. Select the subscription and storage account that you want to use.

-1. Select **Save**. A pane displays a list of all diagnostic settings that were created for this code signing account.ΓÇ»

-1. After you create a diagnostic setting, wait for 10 to 15 minutes for the events to begin to be ingested in the storage account you created.ΓÇ»

-1. Go to the storage account.ΓÇ»

-1. In your storage account resource menu under **Data storage**, go to **Containers**.

-1. In the list, select the container named `insights-logs-signtransactions`. Go to the date and time you want to view to download the log.

-| `query.prod.cms.rt.microsoft.com` | TCP | 443 | Download an MSI to update the client. Required for automatic updates. | [Windows Desktop](users/connect-windows.md) |

-| `query.prod.cms.rt.microsoft.com` | TCP | 443 | Download an MSI to update the client. Required for automatic updates. | [Windows Desktop](users/connect-windows.md) |

-description: Learn how to connect to Azure Virtual Desktop using the Remote Desktop client for Android and Chrome OS.

-# Connect to Azure Virtual Desktop with the Remote Desktop client for Android and Chrome OS

-The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to access your desktops and applications. This article shows you how to connect to Azure Virtual Desktop with the Remote Desktop client for Android and Chrome OS.

-You can find a list of all the Remote Desktop clients you can use to connect to Azure Virtual Desktop at [Remote Desktop clients overview](remote-desktop-clients-overview.md).

-If you want to connect to Remote Desktop Services or a remote PC instead of Azure Virtual Desktop, see [Connect to Remote Desktop Services with the Remote Desktop client for Android and Chrome OS](/windows-server/remote/remote-desktop-services/clients/remote-desktop-android).

-## Prerequisites

-Before you can access your resources, you'll need to meet the prerequisites:

- - Smartphone or tablet running Android 9 or later.

- - Chromebook running Chrome OS 53 or later. Learn more about [Android applications running in Chrome OS](https://sites.google.com/a/chromium.org/dev/chromium-os/chrome-os-systems-supporting-android-apps).

-> [!IMPORTANT]

-> The Android client is not available on platforms built on the Android Open Source Project (AOSP) that do not include Google Mobile Services (GMS), the client is only available through the canonical Google Play Store.

-## Subscribe to a workspace

-A workspace combines all the desktops and applications that have been made available to you by your admin. To be able to see these in the Remote Desktop client, you need to subscribe to the workspace by following these steps:

-1. Open the **RD Client** app on your device.

-1. In the Connection Center, tap **+**, then tap **Add Workspace**.

-1. In the **Email or Workspace URL** box, either enter your user account, for example `user@contoso.com`, or the relevant URL from the following table. After a few seconds, the message **A workspace is associated with this URL** should be displayed.

- > [!TIP]

- > If you see the message **No workspace is associated with this email address**, your admin might not have set up email discovery. Use one of the following workspace URLs instead.

- | Azure environment | Workspace URL |

- |--|--|

- | Azure cloud *(most common)* | `https://rdweb.wvd.microsoft.com` |

- | Azure for US Government | `https://rdweb.wvd.azure.us/api/arm/feeddiscovery` |

- | Azure operated by 21Vianet | `https://rdweb.wvd.azure.cn/api/arm/feeddiscovery` |

-1. Tap **Next**.

-1. Sign in with your user account. After a few seconds, your workspaces should show the desktops and applications that have been made available to you by your admin.

-Once you've subscribed to a workspace, its content will update automatically regularly. Resources may be added, changed, or removed based on changes made by your admin.

-## Connect to your desktops and applications

-1. Open the **RD Client** app on your device.

-1. Tap one of the icons to launch a session to Azure Virtual Desktop. You may be prompted to enter the password for your user account again, and to make sure you trust the remote PC before you connect, depending on how your admin has configured Azure Virtual Desktop.

-## Beta client

-If you want to help us test new builds before they're released, you should download our beta client. Organizations can use the beta client to validate new versions for their users before they're generally available. For more information, see [Test the beta client](client-features-android-chrome-os.md#test-the-beta-client).

-## Next steps

-To learn more about the features of the Remote Desktop client for Android and Chrome OS, check out [Use features of the Remote Desktop client for Android and Chrome OS when connecting to Azure Virtual Desktop](client-features-android-chrome-os.md).

-description: Learn how to connect to Azure Virtual Desktop using the Remote Desktop client for iOS and iPadOS.

-# Connect to Azure Virtual Desktop with the Remote Desktop client for iOS and iPadOS

-The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to access your desktops and applications. This article shows you how to connect to Azure Virtual Desktop with the Remote Desktop client for iOS and iPadOS.

-You can find a list of all the Remote Desktop clients you can use to connect to Azure Virtual Desktop at [Remote Desktop clients overview](remote-desktop-clients-overview.md).

-If you want to connect to Remote Desktop Services or a remote PC instead of Azure Virtual Desktop, see [Connect to Remote Desktop Services with the Remote Desktop client for iOS and iPadOS](/windows-server/remote/remote-desktop-services/clients/remote-desktop-ios).

-## Prerequisites

-Before you can access your resources, you'll need to meet the following prerequisites:

-## Subscribe to a workspace

-A workspace combines all the desktops and applications that have been made available to you by your admin. To be able to see these in the Remote Desktop client, you need to subscribe to the workspace by following these steps:

-1. Open the **RD Client** app on your device.

-1. In the Connection Center, tap **+**, then tap **Add Workspace**.

-1. In the **Email or Workspace URL** box, either enter your user account, for example `user@contoso.com`, or the relevant URL from the following table. After a few seconds, the message **A workspace is associated with this URL** should be displayed.

- > [!TIP]

- > If you see the message **No workspace is associated with this email address**, your admin might not have set up email discovery. Use one of the following workspace URLs instead.

- | Azure environment | Workspace URL |

- |--|--|

- | Azure cloud *(most common)* | `https://rdweb.wvd.microsoft.com` |

- | Azure for US Government | `https://rdweb.wvd.azure.us/api/arm/feeddiscovery` |

- | Azure operated by 21Vianet | `https://rdweb.wvd.azure.cn/api/arm/feeddiscovery` |

-1. Tap **Next**.

-1. Sign in with your user account. After a few seconds, your workspaces should show the desktops and applications that have been made available to you by your admin.

-Once you've subscribed to a workspace, its content will update automatically regularly. Resources may be added, changed, or removed based on changes made by your admin.

-## Connect to your desktops and applications

-1. Open the **RD Client** app on your device.

-1. Tap one of the icons to launch a session to Azure Virtual Desktop. You may be prompted to enter the password for your user account again, depending on how your admin has configured Azure Virtual Desktop.

-## Beta client

-If you want to help us test new builds before they're released, you should download our beta client. Organizations can use the beta client to validate new versions for their users before they're generally available. For more information, see [Test the beta client](client-features-ios-ipados.md#test-the-beta-client).

-> [!IMPORTANT]

-> The Remote Desktop app is changing to Windows App. To ensure you can validate the upcoming Windows App update before it's released into the store, the Windows App preview is now available in the [Remote Desktop Beta channels](client-features-ios-ipados.md#test-the-beta-client) where you can test the experience of updating from Remote Desktop to Windows App. To learn more about Windows App, see [Get started with Windows App to connect to devices and apps](/windows-app/get-started-connect-devices-desktops-apps).

-## Next steps

-To learn more about the features of the Remote Desktop client for iOS and iPadOS, check out [Use features of the Remote Desktop client for iOS and iPadOS when connecting to Azure Virtual Desktop](client-features-ios-ipados.md).

-description: Learn how to connect to Azure Virtual Desktop using the Remote Desktop client for macOS.

-# Connect to Azure Virtual Desktop with the Remote Desktop client for macOS

-The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to access your desktops and applications. This article shows you how to connect to Azure Virtual Desktop with the Remote Desktop client for macOS.

-You can find a list of all the Remote Desktop clients at [Remote Desktop clients overview](remote-desktop-clients-overview.md).

-If you want to connect to Remote Desktop Services or a remote PC instead of Azure Virtual Desktop, see [Connect to Remote Desktop Services with the Remote Desktop client for macOS](/windows-server/remote/remote-desktop-services/clients/remote-desktop-mac).

-## Prerequisites

-Before you can access your resources, you'll need to meet the prerequisites:

->[!NOTE]

->The macOS Remote Desktop client currently isn't distributed in the China region in the App Store.

-## Subscribe to a workspace

-A workspace combines all the desktops and applications that have been made available to you by your admin. To be able to see these in the Remote Desktop client, you need to subscribe to the workspace by following these steps:

-1. Open the **Microsoft Remote Desktop** app on your device.

-1. In the Connection Center, select **+**, then select **Add Workspace**.

-1. In the **Email or Workspace URL** box, either enter your user account, for example `user@contoso.com`, or the relevant URL from the following table. After a few seconds, the message **A workspace is associated with this URL** should be displayed.

- > [!TIP]

- > If you see the message **No workspace is associated with this email address**, your admin might not have set up email discovery. Use one of the following workspace URLs instead.

- | Azure environment | Workspace URL |

- |--|--|

- | Azure cloud *(most common)* | `https://rdweb.wvd.microsoft.com` |

- | Azure for US Government | `https://rdweb.wvd.azure.us/api/arm/feeddiscovery` |

- | Azure operated by 21Vianet | `https://rdweb.wvd.azure.cn/api/arm/feeddiscovery` |

-1. Select **Add**.

-1. Sign in with your user account. After a few seconds, your workspaces should show the desktops and applications that have been made available to you by your admin.

-Once you've subscribed to a workspace, its content will update automatically every six hours and each time you start the client. Resources may be added, changed, or removed based on changes made by your admin.

-## Connect to your desktops and applications

-1. Open the **Microsoft Remote Desktop** app on your device.

-1. Double-click one of the icons to launch a session to Azure Virtual Desktop. You may be prompted to enter the password for your user account again, depending on how your admin has configured Azure Virtual Desktop.

-## Beta client

-If you want to help us test new builds before they're released, you should download our beta client. Organizations can use the beta client to validate new versions for their users before they're generally available. For more information, see [Test the beta client](client-features-macos.md#test-the-beta-client).

-> [!IMPORTANT]

-> The Remote Desktop app is changing to Windows App. To ensure you can validate the upcoming Windows App update before it's released into the store, the Windows App preview is now available in the [Remote Desktop Beta channels](client-features-macos.md#test-the-beta-client) where you can test the experience of updating from Remote Desktop to Windows App. To learn more about Windows App, see [Get started with Windows App to connect to devices and apps](/windows-app/get-started-connect-devices-desktops-apps).

-## Next steps

-description: Learn how to connect to Azure Virtual Desktop using the Remote Desktop web client.

-# Connect to Azure Virtual Desktop with the Remote Desktop Web client

-The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to access your desktops and applications. This article shows you how to connect to Azure Virtual Desktop with the Remote Desktop Web client. The web client lets you access your Azure Virtual Desktop resources directly from a web browser without needing to install a separate client.

-You can find a list of all the Remote Desktop clients you can use to connect to Azure Virtual Desktop at [Remote Desktop clients overview](remote-desktop-clients-overview.md).

-## Prerequisites

-Before you can access your resources, you'll need to meet the prerequisites:

- | Web browser | Supported operating system | Notes |

- |-|-||

- | Microsoft Edge | Windows, macOS, Linux, Chrome OS | Version 79 or later |

- | Google Chrome | Windows, macOS, Linux, Chrome OS | Version 57 or later |

- | Apple Safari | macOS | Version 11 or later |

- | Mozilla Firefox | Windows, macOS, Linux | Version 55 or later |

-> [!NOTE]

-> The Remote Desktop Web client doesn't support mobile web browsers.

->

-> As of September 30, 2021, the Remote Desktop Web client no longer supports Internet Explorer. We recommend that you use Microsoft Edge with the Remote Desktop Web client instead. For more information, see our [blog post](https://aka.ms/WVDSupportIE11).

-## Access your resources

-When you sign in to the Remote Desktop Web client, you'll see your workspaces. A workspace combines all the desktops and applications that have been made available to you by your admin. You sign in by following these steps:

-1. Open your web browser.

-1. Go to one of the following URLs:

- | Azure environment | Workspace URL |

- |--|--|

- | Azure cloud *(most common)* | [https://client.wvd.microsoft.com/arm/webclient/](https://client.wvd.microsoft.com/arm/webclient/) |

- | Azure cloud (classic) | [https://client.wvd.microsoft.com/webclient/https://docsupdatetracker.net/index.html](https://client.wvd.microsoft.com/webclient/https://docsupdatetracker.net/index.html) |

- | Azure for US Government | [https://rdweb.wvd.azure.us/arm/webclient/](https://rdweb.wvd.azure.us/arm/webclient/) |

- | Azure operated by 21Vianet | [https://rdweb.wvd.azure.cn/arm/webclient/](https://rdweb.wvd.azure.cn/arm/webclient/) |

-1. Sign in with your user account. Once you've signed in successfully, your workspaces should show the desktops and applications that have been made available to you by your admin.

-1. Select one of the icons to launch a session to Azure Virtual Desktop. You may be prompted to enter the password for your user account again, depending on how your admin has configured Azure Virtual Desktop.

-1. A prompt for **Access local resources** may be displayed asking you confirm which local resources you want to be available in the remote session. Make your selection, then select **Allow**.

->[!TIP]

->If you've already signed in to the web browser with a different Microsoft Entra account than the one you want to use for Azure Virtual Desktop, you should either sign out or use a private browser window.

-## Next steps

-To learn more about the features of the Remote Desktop Web client, check out [Use features of the Remote Desktop Web client when connecting to Azure Virtual Desktop](client-features-web.md).

-description: Learn how to connect to Azure Virtual Desktop using the Remote Desktop client for Windows.

-zone_pivot_groups: azure-virtual-desktop-windows-clients

-# Connect to Azure Virtual Desktop with the Remote Desktop client for Windows

-> [!IMPORTANT]

-> The Azure Virtual Desktop store app is no longer available for download or installation. To ensure a seamless experience and avoid any disruption, users are encouraged to download the Windows App Windows App is the gateway to securely connect to any devices or apps across Azure Virtual Desktop, Windows 365, and Microsoft Dev Box. For more information, see [What is Windows App](/windows-app/overview).

-The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to access your desktops and applications. This article shows you how to connect to Azure Virtual Desktop with the Remote Desktop client for Windows, which only allows you to subscribe to a feed made available to you by your organization administrators.

-There are three versions of the Remote Desktop client for Windows, which are all supported for connecting to Azure Virtual Desktop:

-> [!TIP]

-> You can also connect to Azure Virtual Desktop with Windows App, a single app to securely connect you to Windows devices and apps from Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs. For more information, see [What is Windows App?](/windows-app/overview)

-You can find a list of all the Remote Desktop clients you can use to connect to Azure Virtual Desktop at [Remote Desktop clients overview](remote-desktop-clients-overview.md).

-If you want to connect to Remote Desktop Services or a remote PC instead of Azure Virtual Desktop, see [Connect to Remote Desktop Services with the Remote Desktop app for Windows](/windows-server/remote/remote-desktop-services/clients/windows).

-> [!TIP]

-> Select the version of the Remote Desktop client for Windows you want to use with the buttons at the top of this article.

-## Prerequisites

-Before you can access your resources, you'll need to meet the prerequisites.

- - Windows 11

- - Windows 10

- - Windows Server 2022

- - Windows Server 2019

- - Windows Server 2016

-

- > [!IMPORTANT]

- > - Support for Windows 7 ended on January 10, 2023.

- > - Support for Windows Server 2012 R2 ended on October 10, 2023.

- - Windows 11

- - Windows 10

-Before you can access your resources, you'll need to meet the prerequisites.

- - Windows 11

- - Windows 10

-## Download and install the Remote Desktop client (MSI)

-Here's how to install the Remote Desktop client for Windows using the MSI installer. If you want to deploy the Remote Desktop client in an enterprise, you can use `msiexec` from the command line to install the MSI file. For more information, see [Enterprise deployment](client-features-windows.md#enterprise-deployment).

-1. Download the Remote Desktop client installer, choosing the correct version for your device:

- - [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369) *(most common)*

- - [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139456)

- - [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139370)

-1. Run the installer by double-clicking the file you downloaded.

-1. On the welcome screen, select **Next**.

-1. To accept the end-user license agreement, check the box for **I accept the terms in the License Agreement**, then select **Next**.

-1. For the Installation Scope, select one of the following options:

- - **Install just for you**: Remote Desktop will be installed in a per-user folder and be available just for your user account. You don't need local Administrator privileges.

- - **Install for all users of this machine**: Remote Desktop will be installed in a per-machine folder and be available for all users. You must have local Administrator privileges

-1. Select **Install**.

-1. Once installation has completed, select **Finish**.

-1. If you left the box for **Launch Remote Desktop when setup exits** selected, the Remote Desktop client will automatically open. Alternatively to launch the client after installation, use the Start menu to search for and select **Remote Desktop**.

-> [!IMPORTANT]

-> If you have the Remote Desktop client (MSI) and the Azure Virtual Desktop app from the Microsoft Store installed on the same device, you may see the message that begins **A version of this application called Azure Virtual Desktop was installed from the Microsoft Store**. Both apps are supported, and you have the option to choose **Continue anyway**, however it could be confusing to use the same remote resource across both apps. We recommend using only one version of the app at a time.

-## Download and install the Azure Virtual Desktop app

-The Azure Virtual Desktop app is available from the Microsoft Store. To download and install it, follow these steps:

-1. Go to the [Azure Virtual Desktop Store app in the Microsoft Store](https://aka.ms/AVDStoreClient).

-1. Select **Install** to start downloading the app and installing it.

-1. Once the app has finished downloading and installing, select **Open**. The first time the app runs, it will install the *Azure Virtual Desktop (HostApp)* dependency automatically.

-> [!IMPORTANT]

-> If you have the Azure Virtual Desktop app from the Microsoft Store and the Remote Desktop client (MSI) installed on the same device, you may see the message that begins **A version of this application called Azure Virtual Desktop was installed from the Microsoft Store**. Both apps are supported, and you have the option to choose **Continue anyway**, however it could be confusing to use the same remote resource across both apps. We recommend using only one version of the app at a time.

-> [!IMPORTANT]

-> We're no longer updating the Remote Desktop app for Windows with new features and support for Azure Virtual Desktop will be removed in the future.

->

-> For the best Azure Virtual Desktop experience that includes the latest features and updates, we recommend you download the Remote Desktop client (MSI) instead.

-The Remote Desktop app is available from the Microsoft Store. To download and install it, follow these steps:

-1. Go to the [Remote Desktop app in the Microsoft Store](https://go.microsoft.com/fwlink/?LinkID=616709).

-1. Select **Install** to start downloading the app and installing it.

-1. Once the app has finished downloading and installing, select **Open**.

-## Subscribe to a workspace

-A workspace combines all the desktops and applications that have been made available to you by your admin. To be able to see these in the Remote Desktop client, you need to subscribe to the workspace by following these steps:

-1. Open the **Remote Desktop** app on your device.

-1. The first time you subscribe to a workspace, from the **Let's get started** screen, select **Subscribe** or **Subscribe with URL**.

- - If you selected **Subscribe**, sign in with your user account when prompted, for example `user@contoso.com`. After a few seconds, your workspaces should show the desktops and applications that have been made available to you by your admin.

-

- If you see the message **No workspace is associated with this email address**, your admin might not have set up email discovery, or you are using an Azure environment that is not Azure cloud, such as Azure for US Government. Try the steps to **Subscribe with URL** instead.

-

- - If you selected **Subscribe with URL**, in the **Email or Workspace URL** box, enter the relevant URL from the following table. After a few seconds, the message **We found Workspaces at the following URLs** should be displayed.

- | Azure environment | Workspace URL |

- |--|--|

- | Azure cloud *(most common)* | `https://rdweb.wvd.microsoft.com` |

- | Azure for US Government | `https://rdweb.wvd.azure.us/api/arm/feeddiscovery` |

- | Azure operated by 21Vianet | `https://rdweb.wvd.azure.cn/api/arm/feeddiscovery` |

-1. Select **Next**.

-1. Sign in with your user account when prompted. After a few seconds, the workspace should show the desktops and applications that have been made available to you by your admin.

-Once you've subscribed to a workspace, its content will update automatically regularly and each time you start the client. Resources may be added, changed, or removed based on changes made by your admin.

-A workspace combines all the desktops and applications that have been made available to you by your admin. To be able to see these in the Azure Virtual Desktop app, you need to subscribe to the workspace by following these steps:

-1. Open the **Azure Virtual Desktop** app on your device.

-1. The first time you subscribe to a workspace, from the **Let's get started** screen, select **Subscribe** or **Subscribe with URL**. Use the tabs below for your scenario.

- - If you selected **Subscribe**, sign in with your user account when prompted, for example `user@contoso.com`. After a few seconds, your workspaces should show the desktops and applications that have been made available to you by your admin.

-

- If you see the message **No workspace is associated with this email address**, your admin might not have set up email discovery, or you are using an Azure environment that is not Azure cloud, such as Azure for US Government. Try the steps to **Subscribe with URL** instead.

- - If you selected **Subscribe with URL**, in the **Email or Workspace URL** box, enter the relevant URL from the following table. After a few seconds, the message **We found Workspaces at the following URLs** should be displayed.

- | Azure environment | Workspace URL |

- |--|--|

- | Azure cloud *(most common)* | `https://rdweb.wvd.microsoft.com` |

- | Azure for US Government | `https://rdweb.wvd.azure.us/api/arm/feeddiscovery` |

- | Azure operated by 21Vianet | `https://rdweb.wvd.azure.cn/api/arm/feeddiscovery` |

-1. Select **Next**.

-1. Sign in with your user account when prompted. After a few seconds, the workspace should show the desktops and applications that have been made available to you by your admin.

-Once you've subscribed to a workspace, its content will update automatically regularly and each time you start the client. Resources may be added, changed, or removed based on changes made by your admin.

-A workspace combines all the desktops and applications that have been made available to you by your admin. To be able to see these in the Remote Desktop app, you need to subscribe to the workspace by following these steps:

-1. Open the **Remote Desktop** app on your device.

-1. In the Connection Center, select **+ Add**, then select **Workspaces**.

-1. In the **Email or Workspace URL** box, either enter your user account, for example `user@contoso.com`, or the relevant URL from the following table. After a few seconds, the message **We found Workspaces at the following URLs** should be displayed.

- If you see the message **We couldn't find any Workspaces associated with this email address. Try providing a URL instead**, your admin might not have set up email discovery. Use one of the following workspace URLs instead.

- | Azure environment | Workspace URL |

- |--|--|

- | Azure cloud *(most common)* | `https://rdweb.wvd.microsoft.com` |

- | Azure for US Government | `https://rdweb.wvd.azure.us/api/arm/feeddiscovery` |

- | Azure operated by 21Vianet | `https://rdweb.wvd.azure.cn/api/arm/feeddiscovery` |

-1. Select **Subscribe**.

-1. Sign in with your user account. After a few seconds, your workspaces should show the desktops and applications that have been made available to you by your admin.

-Once you've subscribed to a workspace, its content will update automatically regularly. Resources may be added, changed, or removed based on changes made by your admin.

-## Connect to your desktops and applications

-Once you've subscribed to a workspace, here's how to connect:

-1. Open the **Remote Desktop** client on your device.

-1. Double-click one of the icons to launch a session to Azure Virtual Desktop. You may be prompted to enter the password for your user account again, depending on how your admin has configured Azure Virtual Desktop.

-1. Open the **Azure Virtual Desktop** app on your device.

-1. Double-click one of the icons to launch a session to Azure Virtual Desktop. You may be prompted to enter the password for your user account again, depending on how your admin has configured Azure Virtual Desktop.

-1. To pin your desktops and applications to the Start Menu, right-click one of the icons and select **Pin to Start Menu**, then confirm the prompt.

-1. Open the **Remote Desktop** app on your device.

-1. Select one of the icons to launch a session to Azure Virtual Desktop. You may be prompted to enter the password for your user account again, depending on how your admin has configured Azure Virtual Desktop.

-## Insider releases

-If you want to help us test new builds before they're released, you should download our Insider releases. Organizations can use the Insider releases to validate new versions for their users before they're generally available. For more information, see [Enable Insider releases](client-features-windows.md#enable-insider-releases).

-## Next steps

-Here's a list of the Remote Desktop client apps and our documentation for connecting to Azure Virtual Desktop, where you can find download links, what's new, and learn how to install and use each client.

-| Windows<br /><ul><li>Remote Desktop client (MSI)</li><li>Azure Virtual Desktop Store app</li><li>Remote Desktop Store app</li></ul> | [Connect to Azure Virtual Desktop with the Remote Desktop client for Windows](connect-windows.md) | [What's new](../whats-new-client-windows.md) |

-| Web | [Connect to Azure Virtual Desktop with the Remote Desktop client for Web](connect-web.md) | [What's new](/windows-server/remote/remote-desktop-services/clients/web-client-whatsnew?context=/azure/virtual-desktop/context/context) |

-| macOS | [Connect to Azure Virtual Desktop with the Remote Desktop client for macOS](connect-macos.md) | [What's new](/windows-server/remote/remote-desktop-services/clients/mac-whatsnew?context=/azure/virtual-desktop/context/context) |

-| iOS/iPadOS | [Connect to Azure Virtual Desktop with the Remote Desktop client for iOS and iPadOS](connect-ios-ipados.md) | [What's new](/windows-server/remote/remote-desktop-services/clients/ios-whatsnew?context=/azure/virtual-desktop/context/context) |

-| Android/Chrome OS | [Connect to Azure Virtual Desktop with the Remote Desktop client for Android and Chrome OS](connect-android-chrome-os.md) | [What's new](/windows-server/remote/remote-desktop-services/clients/android-whatsnew?context=/azure/virtual-desktop/context/context) |

-* If you already have a local network gateway, you can modify it.To modify a local network gateway, go to the local network gateway resource **Configuration** page and make any necessary changes.

-| VNet | Static | EgressSNAT | 10.0.1.0/24 | 100.0.1.0/24 | Both connections |

-| Branch1 | Static | IngressSNAT | 10.0.1.0/24 | 100.0.2.0/24 | Branch1 connection |

-| Branch2 | Static | IngressSNAT | 10.0.1.0/24 | 100.0.3.0/24 | Branch2 connection |

-* IngressSNAT rule 1: This rule translates the on-premises address space 10.0.1.0/24 to 100.0.2.0/24.

-* IngressSNAT rule 2: This rule translates the on-premises address space 10.0.1.0/24 to 100.0.3.0/24.

-* EgressSNAT rule 1: This rule translates the VNet address space 10.0.1.0/24 to 100.0.1.0/24.

-| Network | Original | Translated |

-| | | |

-| VNet | 10.0.1.0/24 | 100.0.1.0/24 |

-| Branch 1 | 10.0.1.0/24 | 100.0.2.0/24 |

-| Branch 2 | 10.0.1.0/24 | 100.0.3.0/24 |

-If your P2S configuration uses a custom audience with your Microsoft-registered App ID, you might receive the error message **CAA20004** when you try to connect. Retrying authentication usually resolves the issue. This happens because the VPN client profile needs both the custom audience ID and the Microsoft application ID. To prevent this, modify your profile configuration .xml file to include both the custom application ID and the Microsoft application ID.

-[About point-to-site connections](point-to-site-about.md).

-description: Learn how to configure VPN clients for P2S configurations that use certificate authentication. This article applies to Windows and the OpenVPN Client.

-# Configure OpenVPN client for P2S certificate authentication connections - Windows

-If your point-to-site (P2S) VPN gateway is configured to use OpenVPN and certificate authentication, you can connect to your virtual network using the OpenVPN Client. This article walks you through the steps to configure the **OpenVPN client** and connect to your virtual network.

-Locate and unzip the VPN client profile configuration package you generated. For Certificate authentication and OpenVPN, you should see an OpenVPN folder. If you don't see the folder, verify the following items:

-1. Validate Azure OpenAI call using [Postman](https://www.postman.com/).

- :::image type="content" source="../media/protect-azure-open-ai/postman-body.png" alt-text="Screenshot showing the post body." lightbox="../media/protect-azure-open-ai/postman-body.png":::

-2. Use Postman to send a POST request to the Azure Front Door endpoint.

- 1. Replace the Azure OpenAI endpoint with the AFD endpoint in Postman POST request.

- If you attempt to send a POST request to your Azure OpenAI endpoint with the Content-Type header `text/plain`, you get this message. Make sure to update your Content-Type header to `application/json` in the header section in Postman.