-| `nbf`| No | Activation date and time. |

-| `exp`| No | Expiration date and time. |

-* Optional [zone redundancy](../reliability/migrate-api-mgt.md), if that region supports it.

-* If your API Management instance is deployed in a virtual network, ensure that you set up a virtual network and subnet in the location that you plan to add, and within the same subscription. To enable zone redundancy, also set up a new public IP. See [virtual network prerequisites](api-management-using-with-vnet.md#prerequisites).

-* Learn more about [zone redundancy](../reliability/migrate-api-mgt.md) to improve the availability of an API Management instance in a region.

-> Use the [capacity](api-management-capacity.md) metric and your own testing to decide the number of scale units that will provide the gateway performance for your needs. Learn more about [scaling and upgrading](upgrade-and-scale.md) your service instance.

-2. Navigate to your Automation account, and select **Linked workspace** under **Related resources**.

-3. Select **Go to workspace**.

-4. Select **Solutions** under **General**.

-> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](/azure/virtual-machines/workloads/centos/centos-end-of-life).

-> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](/azure/virtual-machines/workloads/centos/centos-end-of-life).

-> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](/azure/virtual-machines/workloads/centos/centos-end-of-life).

-> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](/azure/virtual-machines/workloads/centos/centos-end-of-life).

-> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](/azure/virtual-machines/workloads/centos/centos-end-of-life).

- approved = context.wait_for_external_event('Approval')

- winner = context.task_any([event1, event2, event3])

-> [Run a sample that waits for human interaction](durable-functions-phone-verification.md)

-Azure Maps is a portfolio of geospatial service APIs that are natively integrated into Azure. These APIs enable developers, enterprises, and ISVs to develop location-aware apps, IoT, mobility, logistics, and asset tracking solutions.

-The Azure Maps REST APIs can be called from languages such as Python and R to enable geospatial data analysis and machine learning scenarios. Azure Maps offers a robust set of [routing APIs] that allow users to calculate routes between several data points. The calculations are based on various conditions, such as vehicle type or reachable area.

-In this tutorial, you walk help a driver whose electric vehicle battery is low. The driver needs to find the closest possible charging station from the vehicle's location.

-> * Search for electric vehicle charging stations within the reachable range, or isochrone.

-* An [Azure storage account]

-To follow along with this tutorial, you need to create an Azure Notebooks project and download and run the Jupyter Notebook file. The Jupyter Notebook file contains Python code, which implements the scenario in this tutorial. To create an Azure Notebooks project and upload the Jupyter Notebook document to it, do the following steps:

-1. Go to [Azure Notebooks] and sign in. For more information, see [Quickstart: Sign in and set a user ID].

-1. After the upload has finished successfully, your file is displayed on your project page. Double-click on the file to open it as a Jupyter Notebook.

-Try to understand the functionality that's implemented in the Jupyter Notebook file. Run the code, in the Jupyter Notebook file, one cell at a time. You can run the code in each cell by selecting the **Run** button at the top of the Jupyter Notebook app.

-To run the code in Jupyter Notebook, install packages at the project level by doing the following steps:

- c. In the third drop-down list, select **Python Version 3.6** as your version.

-To load all the required modules and frameworks, run the following script.

-A package delivery company has some electric vehicles in its fleet. During the day, electric vehicles need to be recharged without having to return to the warehouse. Every time the remaining charge drops to less than an hour, you search for a set of charging stations that are within a reachable range. Essentially, you search for a charging station when the battery is low on charge. And, you get the boundary information for that range of charging stations.

-Because the company prefers to use routes that require a balance of economy and speed, the requested routeType is *eco*. The following script calls the [Get Route Range API] of the Azure Maps routing service. It uses parameters for the vehicle's consumption model. The script then parses the response to create a polygon object of the geojson format, which represents the car's maximum reachable range.

-To determine the boundaries for the electric vehicle's reachable range, run the script in the following cell:

-After you've determined the reachable range (isochrone) for the electric vehicle, you can search for charging stations within that range.

-The following script calls the Azure Maps [Post Search Inside Geometry API]. It searches for charging stations for electric vehicle, within the boundaries of the car's maximum reachable range. Then, the script parses the response to an array of reachable locations.

-To search for electric vehicle charging stations within the reachable range, run the following script:

-## Upload the reachable range and charging points

-It's helpful to visualize the charging stations and the boundary for the maximum reachable range of the electric vehicle on a map. Follow the steps outlined in the [How to create data registry] article to upload the boundary data and charging stations data as geojson objects to your [Azure storage account] then register them in your Azure Maps account. Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is how you reference the geojson objects you uploaded into your Azure storage account from your source code.

-<!

-To upload the boundary and charging point data to Azure Maps Data service, run the following two cells:

-```python

-rangeData = {

- "type": "FeatureCollection",

- "features": [

- {

- "type": "Feature",

- "properties": {},

- "geometry": {

- "type": "Polygon",

- "coordinates": [

- polyBounds

- ]

- }

- }

- ]

-}

-# Upload the range data to Azure Maps Data service.

-uploadRangeResponse = await session.post("https://us.atlas.microsoft.com/mapData?subscription-key={}&api-version=2.0&dataFormat=geojson".format(subscriptionKey), json = rangeData)

-rangeUdidRequest = uploadRangeResponse.headers["Location"]+"&subscription-key={}".format(subscriptionKey)

-while True:

- getRangeUdid = await (await session.get(rangeUdidRequest)).json()

- if 'udid' in getRangeUdid:

- break

- else:

- time.sleep(0.2)

-rangeUdid = getRangeUdid["udid"]

-```

-```python

-poiData = {

- "type": "FeatureCollection",

- "features": [

- {

- "type": "Feature",

- "properties": {},

- "geometry": {

- "type": "MultiPoint",

- "coordinates": reachableLocations

- }

- }

- ]

-}

-# Upload the electric vehicle charging station data to Azure Maps Data service.

-uploadPOIsResponse = await session.post("https://us.atlas.microsoft.com/mapData?subscription-key={}&api-version=2.0&dataFormat=geojson".format(subscriptionKey), json = poiData)

-poiUdidRequest = uploadPOIsResponse.headers["Location"]+"&subscription-key={}".format(subscriptionKey)

-while True:

- getPoiUdid = await (await session.get(poiUdidRequest)).json()

- if 'udid' in getPoiUdid:

- break

- else:

- time.sleep(0.2)

-poiUdid = getPoiUdid["udid"]

-```

->

-After you've uploaded the data to the Azure storage account, call the Azure Maps [Get Map Image service]. This service is used to render the charging points and maximum reachable boundary on the static map image by running the following script:

-path = "lcff3333|lw3|la0.80|fa0.35||udid-{}".format(rangeUdid)

-pins = "custom|an15 53||udid-{}||https://raw.githubusercontent.com/Azure-Samples/AzureMapsCodeSamples/master/AzureMapsCodeSamples/Common/images/icons/ev_pin.png".format(poiUdid)

-First, you want to determine all the potential charging stations within the reachable range. Then, you want to know which of them can be reached in a minimum amount of time.

-The following script calls the Azure Maps [Matrix Routing API]. It returns the specified vehicle location, the travel time, and the distance to each charging station. The script in the next cell parses the response to locate the closest reachable charging station with respect to time.

-To find the closest reachable charging station that can be reached in the least amount of time, run the script in the following cell:

-Now that you've found the closest charging station, you can call the [Get Route Directions API] to request the detailed route from the electric vehicle's current location to the charging station.

-To get the route to the charging station and to parse the response to create a geojson object that represents the route, run the script in the following cell:

-To help visualize the route, follow the steps outlined in the [How to create data registry] article to upload the route data as a geojson object to your [Azure storage account] then register it in your Azure Maps account. Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is how you reference the geojson objects you uploaded into your Azure storage account from your source code. Then, call the rendering service, [Get Map Image API], to render the route on the map, and visualize it.

-To get an image for the rendered route on the map, run the following script:

-# Upload the route data to Azure Maps Data service .

-routeUploadRequest = await session.post("https://atlas.microsoft.com/mapData?subscription-key={}&api-version=2.0&dataFormat=geojson".format(subscriptionKey), json = routeData)

-udidRequestURI = routeUploadRequest.headers["Location"]+"&subscription-key={}".format(subscriptionKey)

-while True:

- udidRequest = await (await session.get(udidRequestURI)).json()

- if 'udid' in udidRequest:

- break

- else:

- time.sleep(0.2)

-udid = udidRequest["udid"]

-destination[1], destination[0] = destination[0], destination[1]

-path = "lc0f6dd9|lw6||udid-{}".format(udid)

-pins = "default|codb1818||{} {}|{} {}".format(str(currentLocation[1]),str(currentLocation[0]),destination[1],destination[0])

-minLat, maxLat = (float(destination[0]),currentLocation[0]) if float(destination[0])<currentLocation[0] else (currentLocation[0], float(destination[0]))

-minLon, maxLon = (float(destination[1]),currentLocation[1]) if float(destination[1])<currentLocation[1] else (currentLocation[1], float(destination[1]))

-## Clean up resources

-There are no resources that require cleanup.

-[Azure storage account]: /azure/storage/common/storage-account-create?tabs=azure-portal

-[Get Map Image API]: /rest/api/maps/render/get-map-static-image

-[Get Route Directions API]: /rest/api/maps/route/getroutedirections

-[Get Route Range API]: /rest/api/maps/route/getrouterange

-[How to create data registry]: how-to-create-data-registries.md

-[Matrix Routing API]: /rest/api/maps/route/postroutematrix

-[Post Search Inside Geometry API]: /rest/api/maps/search/postsearchinsidegeometry?view=rest-maps-1.0&preserve-view=true

-[Quickstart: Sign in and set a user ID]: https://notebooks.azure.com

- * `$cloudCred`: use `Get-Credential` (should be a Microsoft Entra Global Administrator)

-# Performance considerations for Azure NetApp Files

-description: Describes performance benchmarks Azure NetApp Files delivers for Linux.

-# Azure NetApp Files performance benchmarks for Linux

-This article describes performance benchmarks Azure NetApp Files delivers for Linux.

-description: Describes Azure NetApp Files best practices about Azure virtual machine SKUs, including differences within and between SKUs.

-# Azure virtual machine SKUs best practices for Azure NetApp Files

-This article describes Azure NetApp Files best practices about Azure virtual machine SKUs, including differences within and between SKUs.

-* AMD or Intel: For example, SAS uses a math kernel library designed specifically for Intel processors. In this case, Intel SKUs are preferred over AMD SKU.

-* The F2, E_v3, and D_v3 machine types are each based on more than one chipset. In using Azure Dedicated Hosts, you might select specific models (Broadwell, Cascade Lake, or Skylake when selecting the E type for example). Otherwise, the chipset selection is non-deterministic. If you are deploying an HPC cluster and a consistent experience across the inventory is important, then you can consider single Azure Dedicated Hosts or go with single chipset SKUs such as the E_v4 or D_v4.

- * When the accelerated network interface is inappropriately mapped to a sub optimal NUMA Node, read performance decreases significantly. Although mapping the accelerated networking interface to a specific NUMA node is beneficial on newer SKUs, it must be considered a requirement on SKUs with these chipsets (Lv2|E_v3|D_v3).

- * Virtual machines running on the Lv2, or either E_v3 or D_v3 running on a Broadwell chipset are more susceptible to resource contention than when running on other SKUs. When testing using multiple virtual machines running within a single Azure Dedicated Host, running network-based storage workload from one virtual machine has been seen to decrease the performance of network-based storage workloads running from a second virtual machine. The decrease is more pronounced when any of the virtual machines on the node have not had their accelerated network interface/NUMA node optimally mapped. Keep in mind that the E_v3 and D_V3 may between them land on Haswell, Broadwell, Cascade Lake, or Skylake.

-For the most consistent performance when selecting virtual machines, select from SKUs with a single type of chipset ΓÇô newer SKUs are preferred over the older models where available. Keep in mind that, aside from using a dedicated host, predicting correctly which type of hardware the E_v3 or D_v3 virtual machines land on is unlikely. When using the E_v3 or D_v3 SKU:

-* When a virtual machine is turned off, de-allocated, and then turned on again, the virtual machine is likely to change hosts and as such hardware models.

-The following table highlights the differences within and between SKUs. Note, for example, that the chipset of the underlying E_v3 and D_v3 vary between the Broadwell, Cascade Lake, Skylake, and also in the case of the D_v3.

-When preparing a multi-node SAS GRID environment for production, you might notice a repeatable one-hour-and-fifteen-minute variance between analytics runs with no other difference than underlying hardware.

-* Whenever possible, select the E_v4, D_v4, or newer rather than the E_v3 or D_v3 SKUs.

-Tests conducted internally using an EDA benchmark in 2020 found that with a single regular Azure NetApp Files volume, workload as high as 40,000 IOPS could be achieved at the 2ms mark, and 50,000 at the edge.

-The 2020 internal testing also explored single endpoint limits, the limits were reached with six volumes. Large Volume outperforms the scenario with six regular volumes by 260%.

- "demoaccountType": {

- "Standard_RAGRS"

-1. Visual Studio also provides intellisense to help you understand the properties that are available when editing the template. For example, to edit the properties for your App Service plan, navigate to the **HostingPlan** resource, and add a value for the **properties**. Notice that intellisense shows the available values and provides a description of that value.

- :::image type="content" source="./media/create-visual-studio-deployment-project/show-intellisense.png" alt-text="Screenshot of Visual Studio editor showing intellisense suggestions for Resource Manager template.":::

- You can set **numberOfWorkers** to 1, and save the file.

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

-# Use Azure VMware Solution with Azure Elastic SAN (Integration in Preview)

-For example, `https://contoso.azureedge.net/photo.png`.

-If you run into the issue "The app is trying to access a service '1fd5118e-2576-4263-8130-9503064c837a'(Azure Communication Services) that your organization '{GUID}' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application to create the required service principal." your Microsoft Entra tenant lacks a service principal for the Azure Communication Services application. To fix this issue, use PowerShell as a Microsoft Entra administrator to connect to your tenant. Replace `Tenant_ID` with an ID of your Microsoft Entra tenancy.

-New-MgServicePrincipal -AppId "1fd5118e-2576-4263-8130-9503064c837a"

- "topic": "/subscriptions/50ad1522-5c2c-4d9a-a6c8-67c11ecb75b8/resourcegroups/acse2e/providers/microsoft.communication/communicationservices/{communication-services-resource-name}",

- New-AzureADServicePrincipal -AppId eb63d611-525e-4a31-abd7-0cb33f679599 -DisplayName "Operator Connect"

- $projectSynergyApplicationId = "eb63d611-525e-4a31-abd7-0cb33f679599"

- $dataRead = "eb63d611-525e-4a31-abd7-0cb33f679599"

-1. Add a second **Application Id** for the value `8502a0ec-c76d-412f-836c-398018e2312b`.

- New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"

- $cvmAgent = az ad sp show --id "bf7b6499-ff71-4aa2-97a4-f372087be7f0" | Out-String | ConvertFrom-Json

- $cvmAgent = az ad sp show --id "bf7b6499-ff71-4aa2-97a4-f372087be7f0" | Out-String | ConvertFrom-Json

- New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"

- $cvmAgent = az ad sp show --id "bf7b6499-ff71-4aa2-97a4-f372087be7f0" | Out-String | ConvertFrom-Json

- New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"

- | **Application ID** | `c4829704-0edc-4c3d-a347-7c4a67586f3c` |

-| EnrollmentReader | Enrollment readers can view data at the enrollment, department, and account scopes. The data contains charges for all of the subscriptions under the scopes, including across tenants. Can view the Azure Prepayment (previously called monetary commitment) balance associated with the enrollment. | 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e |

-| EA purchaser | Purchase reservation orders and view reservation transactions. It has all the permissions of EnrollmentReader, which have all the permissions of DepartmentReader. It can view usage and charges across all accounts and subscriptions. Can view the Azure Prepayment (previously called monetary commitment) balance associated with the enrollment. | da6647fb-7651-49ee-be91-c43c4877f0c4 |

-| SubscriptionCreator | Create new subscriptions in the given scope of Account. | a0bcee42-bf30-4d1b-926a-48d21664ef71 |

- | `properties.roleDefinitionId` | `/providers/Microsoft.Billing/billingAccounts/{BillingAccountName}/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e` |

- Notice that `24f8edb6-1668-4659-b5e2-40bb5f3a7d7e` is a billing role definition ID for an EnrollmentReader.

-`"/providers/Microsoft.Billing/billingAccounts/1111111/billingRoleDefinitions/ da6647fb-7651-49ee-be91-c43c4877f0c4"`

- | `properties.roleDefinitionId` | `/providers/Microsoft.Billing/billingAccounts/{BillingAccountID}/enrollmentAccounts/{enrollmentAccountID}/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71` |

- The billing role definition ID of `a0bcee42-bf30-4d1b-926a-48d21664ef71` is for the subscription creator role.

- "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- Use the `principalName` property to identify the account that you want to grant Azure RBAC Owner access to. Copy the `name` of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. It's the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as `enrollmentAccountObjectId`.

- 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx | SignUpEngineering@contoso.com

- Use the `principalName` property to identify the account you want to grant Azure RBAC Owner access to. Copy the `ObjectId` of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. Paste this object ID somewhere so that you can use it in the next step as the `enrollmentAccountObjectId`.

- "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- Use the `principalName` property to identify the account that you want to grant Azure RBAC Owner access to. Copy the `name` of that account. For example, if you wanted to grant Azure RBAC Owner access to the SignUpEngineering@contoso.com enrollment account, you'd copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. It's the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as `enrollmentAccountObjectId`.

- Run the following command, replacing ```<enrollmentAccountObjectId>``` with the `name` you copied in the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). Replace ```<userObjectId>``` with the object ID you copied from the second step.

- "scope": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- Run the following [New-AzRoleAssignment](../../role-based-access-control/role-assignments-powershell.md) command, replacing ```<enrollmentAccountObjectId>``` with the `ObjectId` collected in the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). Replace ```<userObjectId>``` with the object ID collected in the second step.

- Run the following [az role assignment create](../../role-based-access-control/role-assignments-cli.md) command, replacing ```<enrollmentAccountObjectId>``` with the `name` you copied in the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). Replace ```<userObjectId>``` with the object ID collected in the second step.

-Get-AzADServicePrincipal -ApplicationId aaaaaaaa-bbbb-cccc-1111-222222222222 | Select-Object -Property Id

- "id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

- "name": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

-Use the `displayName` property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is *MicrosoftCustomerAgreement*. Copy the `name` of the account. For example, to create a subscription for the `Contoso` billing account, copy `5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx`. Paste the value somewhere so that you can use it in the next step.

-Name : 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx

-Use the `displayName` property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is *MicrosoftCustomerAgreement*. Copy the `name` of the account. For example, to create a subscription for the `Contoso` billing account, copy `5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx`. Paste the value somewhere so that you can use it in the next step.

- "id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

- "name": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

-Use the `displayName` property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is *MicrosoftCustomerAgreement*. Copy the `name` of the account. For example, to create a subscription for the `Contoso` billing account, copy `5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx`. Paste the value somewhere so that you can use it in the next step.

-GET https://management.azure.com/providers/Microsoft.Billing/billingaccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingprofiles/?api-version=2020-05-01

- "id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx",

- Copy the `id` to next identify the invoice sections underneath the billing profile. For example, copy `/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx` and call the following API.

-GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoicesections?api-version=2020-05-01

- "id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx",

-Use the `id` property to identify the invoice section for which you want to create subscriptions. Copy the entire string. For example, `/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx`.

-Get-AzBillingProfile -BillingAccountName 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx

-Get-AzInvoiceSection -BillingAccountName 5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx -BillingProfileName AW4F-xxxx-xxx-xxx

-The `name` above is the Invoice section name you need to create a subscription under. Construct your billing scope using the format `/providers/Microsoft.Billing/billingAccounts/<BillingAccountName>/billingProfiles/<BillingProfileName>/invoiceSections/<InvoiceSectionName>`. In this example, this value equates to `"/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"`.

-az billing profile list --account-name "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx" --expand "InvoiceSections"

- "id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx",

- "id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx",

-Use the `id` property under the invoice section object to identify the invoice section for which you want to create subscriptions. Copy the entire string. For example, /providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx.

-The following example creates a subscription named *Dev Team subscription* for the *Development* invoice section. The subscription is billed to the *Contoso Billing Profile* billing profile and appears on the *Development* section of its invoice. You use the copied billing scope from the previous step: `/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx`.

- "billingScope": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx",

-Run the following [New-AzSubscriptionAlias](/powershell/module/az.subscription/new-azsubscriptionalias) command and the billing scope `"/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"`.

-New-AzSubscriptionAlias -AliasName "sampleAlias" -SubscriptionName "Dev Team Subscription" -BillingScope "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx" -Workload "Production"

-az account alias create --name "sampleAlias" --billing-scope "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx" --display-name "Dev Team Subscription" --workload "Production"

- "value": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"

- -billingScope "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"

- --parameters subscriptionAliasName='sampleAlias' billingScope='/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx'

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

- "name": "99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

-Use the `displayName` property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is *MicrosoftPartnerAgreement*. Copy the `name` for the account. For example, to create a subscription for the `Contoso` billing account, copy `99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx`. Paste the value somewhere so that you can use it in the next step.

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

- "name": "99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

-Use the displayName property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is MicrosoftPartnerAgreement. Copy the name for the account. For example, to create a subscription for the Contoso billing account, copy 99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx. Paste the value somewhere so that you can use it in the next step.

-Make the following request, with the `name` copied from the first step (```99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx```) to list all customers in the billing account for whom you can create Azure subscriptions.

-GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers?api-version=2020-05-01

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/7d15644f-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "name": "7d15644f-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/YL4M-xxxx-xxx-xxx",

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/acba85c9-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/YL4M-xxxx-xxx-xxx",

-Use the `displayName` property to identify the customer for which you want to create subscriptions. Copy the `id` for the customer. For example, to create a subscription for `Fabrikam toys`, copy `/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/7d15644f-xxxx-xxxx-xxxx-xxxxxxxxxxxx`. Paste the value somewhere to use it in later steps.

-az billing customer list --account-name 99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx

- "billingProfileId": "providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/7d15644f-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "id": "providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/7d15644f-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/acba85c9-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/acba85c9-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

-Use the `displayName` property to identify the customer for which you want to create subscriptions. Copy the `id` for the customer. For example, to create a subscription for `Fabrikam toys`, copy `/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/7d15644f-xxxx-xxxx-xxxx-xxxxxxxxxxxx`. Paste the value somewhere to use it in later steps.

-Make the following request, with the `id` copied from the second step (```/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx```) to list all resellers that are available for a customer.

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2ed2c490-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/YL4M-xxxx-xxx-xxx",

-Make the following request, with the `name` copied from the first step (```99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx```) and customer `name` copied from the previous step (```acba85c9-xxxx-xxxx-xxxx-xxxxxxxxxxxx```).

- az billing customer show --expand "enabledAzurePlans,resellers" --account-name "99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx" --name "acba85c9-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/YL4M-xxxx-xxx-xxx",

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2ed2c490-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

-The following example creates a subscription named *Dev Team subscription* for *Fabrikam toys* and associate *Wingtip* reseller to the subscription. You use the copied billing scope from previous step: `/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.

- "billingScope": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "subscriptionId": "b5bab918-e8a9-4c34-a2e2-ebc1b75b9d74",

-Run the following New-AzSubscriptionAlias command, using the billing scope `"/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`.

-New-AzSubscriptionAlias -AliasName "sampleAlias" -SubscriptionName "Dev Team Subscription" -BillingScope "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -Workload 'Production"

-az account alias create --name "sampleAlias" --billing-scope "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --display-name "Dev Team Subscription" --workload "Production"

- "value": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

- -billingScope "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

- --parameters subscriptionAliasName='sampleAlias' billingScope='/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

- "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

-Use the `principalName` property to identify the account that you want subscriptions to be billed to. Copy the `name` of that account. For example, create subscriptions under the SignUpEngineering@contoso.com enrollment account, copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. The identifier is the object ID of the enrollment account. Paste the value somewhere so that you can use it in the next step as `enrollmentAccountObjectId`.

-747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx | SignUpEngineering@contoso.com

-Use the `principalName` property to identify the account that you want subscriptions to be billed to. Copy the `ObjectId` of that account. For example, to create subscriptions under the SignUpEngineering@contoso.com enrollment account, copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. Paste the object ID somewhere so that you can use it in the next step as the `enrollmentAccountObjectId`.

- "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

-Use the `principalName` property to identify the account that you want subscriptions to be billed to. Copy the `name` of that account. For example, to create subscriptions under the SignUpEngineering@contoso.com enrollment account, copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. The identifier is the object ID of the enrollment account. Paste the value somewhere so that you can use it in the next step as `enrollmentAccountObjectId`.

-Make the following request, replacing `<enrollmentAccountObjectId>` with the `name` copied from the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). To specify owners, see [how to get user object IDs](grant-access-to-create-subscription.md#userObjectId).

-Run the [New-AzSubscription](/powershell/module/az.subscription) command below, replacing `<enrollmentAccountObjectId>` with the `ObjectId` collected in the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). To specify owners, see [how to get user object IDs](grant-access-to-create-subscription.md#userObjectId).

-Run the [az account create](/cli/azure/account#-ext-subscription-az-account-create) command below, replacing `<enrollmentAccountObjectId>` with the `name` you copied in the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). To specify owners, see [how to get user object IDs](grant-access-to-create-subscription.md#userObjectId).

- "id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

- "name": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

- "accountId": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

-Use the `displayName` property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is *MicrosoftCustomerAgreement*. Copy the `name` of the account. For example, to create a subscription for the `Contoso` billing account, copy `5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx`. Paste the value somewhere so that you can use it in the next step.

-Make the following request, replacing `<billingAccountName>` with the `name` copied from the first step (```5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx```).

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/PBFV-xxxx-xxx-xxx",

- "invoiceSectionId": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/PBFV-xxxx-xxx-xxx/invoiceSections/GJ77-xxxx-xxx-xxx"

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/PBFV-xxxx-xxx-xxx",

- "invoiceSectionId": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/PBFV-XXXX-XXX-XXX/invoiceSections/GJGR-XXXX-XXX-XXX"

-Use the `invoiceSectionDisplayName` property to identify the invoice section for which you want to create subscriptions. Copy `invoiceSectionId`, `billingProfileId`, and one of the `skuId` for the invoice section. For example, to create a subscription of type `Microsoft Azure plan` for `Development` invoice section, copy `/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_2019-05-31/billingProfiles/PBFV-XXXX-XXX-XXX/invoiceSections/GJGR-XXXX-XXX-XXX`, `/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_2019-05-31/billingProfiles/PBFV-xxxx-xxx-xxx`, and `0001`. Paste the values somewhere so that you can use them in the next step.

-Make the following request, replacing `<invoiceSectionId>` with the `invoiceSectionId` copied from the second step (```/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_2019-05-31/billingProfiles/PBFV-XXXX-XXX-XXX/invoiceSections/GJGR-XXXX-XXX-XXX```). Pass the `billingProfileId` and `skuId` copied from the second step in the request parameters of the API. To specify owners, see [how to get user object IDs](grant-access-to-create-subscription.md#userObjectId).

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

- "name": "99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",

- "accountId": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

-Use the `displayName` property to identify the billing account for which you want to create subscriptions. Ensure, the agreementType of the account is *MicrosoftPartnerAgreement*. Copy the `name` for the account. For example, to create a subscription for the `Contoso` billing account, copy `99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx`. Paste the value somewhere so that you can use it in the next step.

-Make the following request, replacing `<billingAccountName>` with the `name` copied from the first step (```5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx```) to list all customers in the billing account for whom you can create Azure subscriptions.

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "name": "2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/JUT6-xxxx-xxxx-xxxx",

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/97c3fac4-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/JUT6-xxxx-xxxx-xxxx",

-Use the `displayName` property to identify the customer for which you want to create subscriptions. Copy the `id` for the customer. For example, to create a subscription for `Fabrikam toys`, copy `/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx`. Paste the value somewhere to use it in later steps.

-Make the following request, replacing `<customerId>` with the `id` copied from the second step (```/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx```) to list all resellers that are available for a customer.

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2ed2c490-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/4ed2c793-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

-Make the following request, replacing `<customerId>` with the `id` copied from the second step (```/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). Pass the optional *resellerId* copied from the second step in the request parameters of the API.

-description: Learn about Enterprise administrator roles in Azure. You can assign five distinct administrative roles.

-# Managing Azure Enterprise Agreement roles

-> [!NOTE]

-> Enterprise administrators have permissions to create new subscriptions under active enrollment accounts. For more information about creating new subscriptions, see [Add a new subscription](direct-ea-administration.md#add-a-subscription).

-To help manage your organization's usage and spend, Azure customers with an Enterprise Agreement can assign six distinct administrative roles:

-Once they activate their account, the account status is updated from _pending_ to _active_. The account owner needs to read the `Warning` message and select **Continue**. New users might get prompted to enter their first and last name to create a Commerce Account. If so, they must add the required information to continue and then the account is activated.

-PUT https://management.azure.com/subscriptions/222f1459-6ebd-4896-82ab-652d5f6883cf/resourcegroups/abnarain-rg/providers/Microsoft.DataFactory/factories/ambika-df/integrationruntimes/sample-2?api-version=2018-06-01

- #customCommand: 'run build-preview export $(Build.Repository.LocalPath) /subscriptions/222f1459-6ebd-4896-82ab-652d5f6883cf/resourceGroups/GartnerMQ2021/providers/Microsoft.DataFactory/factories/Dev-GartnerMQ2021-DataFactory "ArmTemplate"'

- "principalId": "765ad4ab-XXXX-XXXX-XXXX-51ed985819dc",

- "tenantId": "72f988bf-XXXX-XXXX-XXXX-2d7cd011db47"

-765ad4ab-XXXX-XXXX-XXXX-51ed985819dc 72f988bf-XXXX-XXXX-XXXX-2d7cd011db47

-PS C:\> Get-AzADServicePrincipal -ObjectId 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc

-ServicePrincipalNames : {76f668b3-XXXX-XXXX-XXXX-1b3348c75e02, https://identity.azure.net/P86P8g6nt1QxfPJx22om8MOooMf/Ag0Qf/nnREppHkU=}

-ApplicationId : 76f668b3-XXXX-XXXX-XXXX-1b3348c75e02

-Id : 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc

- "principalId":"554cff9e-XXXX-XXXX-XXXX-90c7d9ff2ead",

- "tenantId":"72f988bf-XXXX-XXXX-XXXX-2d7cd011db47"

-`Job failed due to reason: Error while reading file abfss:REDACTED_LOCAL_PART@prod.dfs.core.windows.net/import/data/e3342084-930c-4f08-9975-558a3116a1a9/part-00000-tid-7848242374008877624-5df7454e-7b14-4253-a20b-d20b63fe9983-1-1-c000.csv. It is possible the underlying files have been updated. You can explicitly invalidate the cache in Spark by running 'REFRESH TABLE tableName' command in SQL or by recreating the Dataset/DataFrame involved.`

-3. Add the specified system/user-assigned managed identity for your ADF to the group. You can follow the [Managed identity for Data Factory or Azure Synapse](./data-factory-service-identity.md) article to get the Object ID of specified system/user-assigned managed identity for your ADF (e.g. 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc, but do not use the Application ID for this purpose).

- Add-AzureAdGroupMember -ObjectId $Group.ObjectId -RefObjectId 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc

-| **correlationId** |String | The unique ID for tracking a particular request. | `319dc6b4-f348-405e-b8d7-aafc77b73e77` |

-| **correlationId** |String | The unique ID for tracking a particular request. | `319dc6b4-f348-405e-b8d7-aafc77b73e77` |

-| **correlationId** |String | The unique ID for tracking a particular request. | `319dc6b4-f348-405e-b8d7-aafc77b73e77` |

-| **correlationId** | String | The unique ID for tracking a particular operation | `e55700df-4caf-4e7c-bfb8-78ac7d2f28a0` |

-| **correlationId** | String | The unique ID for tracking a particular operation | `e55700df-4caf-4e7c-bfb8-78ac7d2f28a0` |

-| **correlationId** | String | The unique ID for tracking a particular operation | `e55700df-4caf-4e7c-bfb8-78ac7d2f28a0` |

-| **correlationId** | String | The unique ID for tracking a particular operation | `e55700df-4caf-4e7c-bfb8-78ac7d2f28a0` |

-| **correlationId** | String | The unique ID for tracking a particular operation | `e55700df-4caf-4e7c-bfb8-78ac7d2f28a0` |

-

- "context"

- "github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventhubs"

- // create an Event Hubs producer client using a connection string to the namespace and the event hub

- producerClient, err := azeventhubs.NewProducerClientFromConnectionString("NAMESPACE CONNECTION STRING", "EVENT HUB NAME", nil)

- if err != nil {

- panic(err)

- }

- defer producerClient.Close(context.TODO())

- // create sample events

- events := createEventsForSample()

- // create a batch object and add sample events to the batch

- newBatchOptions := &azeventhubs.EventDataBatchOptions{}

- batch, err := producerClient.NewEventDataBatch(context.TODO(), newBatchOptions)

- for i := 0; i < len(events); i++ {

- err = batch.AddEventData(events[i], nil)

- }

- // send the batch of events to the event hub

- producerClient.SendEventDataBatch(context.TODO(), batch, nil)

- return []*azeventhubs.EventData{

- {

- Body: []byte("hello"),

- },

- {

- Body: []byte("world"),

- },

- }

- "context"

- "errors"

- "fmt"

- "time"

- "github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventhubs"

- "github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventhubs/checkpoints"

- "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"

- // create a container client using a connection string and container name

- checkClient, err := container.NewClientFromConnectionString("AZURE STORAGE CONNECTION STRING", "CONTAINER NAME", nil)

-

- // create a checkpoint store that will be used by the event hub

- checkpointStore, err := checkpoints.NewBlobStore(checkClient, nil)

- if err != nil {

- panic(err)

- }

- // create a consumer client using a connection string to the namespace and the event hub

- consumerClient, err := azeventhubs.NewConsumerClientFromConnectionString("NAMESPACE CONNECTION STRING", "EVENT HUB NAME", azeventhubs.DefaultConsumerGroup, nil)

- if err != nil {

- panic(err)

- }

- defer consumerClient.Close(context.TODO())

- // create a processor to receive and process events

- processor, err := azeventhubs.NewProcessor(consumerClient, checkpointStore, nil)

- if err != nil {

- panic(err)

- }

- // for each partition in the event hub, create a partition client with processEvents as the function to process events

- dispatchPartitionClients := func() {

- for {

- partitionClient := processor.NextPartitionClient(context.TODO())

- if partitionClient == nil {

- break

- }

- go func() {

- if err := processEvents(partitionClient); err != nil {

- panic(err)

- }

- }()

- }

- }

- // run all partition clients

- go dispatchPartitionClients()

- processorCtx, processorCancel := context.WithCancel(context.TODO())

- defer processorCancel()

- if err := processor.Run(processorCtx); err != nil {

- panic(err)

- }

- defer closePartitionResources(partitionClient)

- for {

- receiveCtx, receiveCtxCancel := context.WithTimeout(context.TODO(), time.Minute)

- events, err := partitionClient.ReceiveEvents(receiveCtx, 100, nil)

- receiveCtxCancel()

- if err != nil && !errors.Is(err, context.DeadlineExceeded) {

- return err

- }

- fmt.Printf("Processing %d event(s)\n", len(events))

- for _, event := range events {

- fmt.Printf("Event received with body %v\n", string(event.Body))

- }

- if len(events) != 0 {

- if err := partitionClient.UpdateCheckpoint(context.TODO(), events[len(events)-1]); err != nil {

- return err

- }

- }

- }

- defer partitionClient.Close(context.TODO())

-You can purchase 1, 2, 4, 8, and 16 processing units (PUs) for each namespace. Because the Premium tier is a capacity-based offering, the achievable throughput isn't set by a throttle like it is in the Standard tier. The throughput depends on the work you ask Event Hubs to do, which is similar to the Dedicated tier. The effective ingest and stream throughput per PU depends on various factors, such as the:

- [Event Hubs Premium](./event-hubs-premium-overview.md) provides superior performance and better isolation within a managed multitenant PaaS environment. The resources in a Premium tier are isolated at the CPU and memory level so that each tenant workload runs in isolation. This resource container is called a **Processing Unit** (PU). You can purchase 1, 2, 4, 8 or 16 processing Units for each Event Hubs Premium namespace.

-You can connect your on-premises datacenters or offices to the Microsoft cloud through point-to-point Ethernet links. Point-to-point Ethernet providers can offer Layer 2 connections, or managed Layer 3 connections between your site and the Microsoft cloud.

- * [Link a virtual network to an ExpressRoute circuit](expressroute-howto-linkvnet-portal-resource-manager.md)

-> There are limits to the bandwidth and number of connections possible on each ExpressRoute circuit. If a single customer's needs exceed these limits, they will require multiple ExpressRoute circuits for their hybrid network implementation.

-> Network bandwidth can be increased as needed without disrupting communications, but to reduce the network speed requires tearing down the circuit and recreating it at the lower network speed.

->

->

-"id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/authorizations/MyAuthorization1",

- "resourceId": "/SUBSCRIPTIONS/27CAFCA8-B9A4-4264-B399-45D0C9CCA1AB/RESOURCEGROUPS/AFDXPRIVATEPREVIEW/PROVIDERS/MICROSOFT.CDN/PROFILES/AFDXPRIVATEPREVIEW-JESSIE",

- "probeURL": "http://afdxprivatepreview.blob.core.windows.net:80/",

- "originName": "afdxprivatepreview.blob.core.windows.net",

- "originIP": "52.239.224.228:80",

-> If there are no routing rules for an exact-match frontend host with a catch-all route Path (`/*`), then there will not be a match to any routing rule.

-|For FHIR instances created after August 19,2024, diagnostic logs aren't available in log analytics workspace. |September 19,2024 9:00 am PST| -- | -- |

-The export functionality has been improved to optimize memory usage. With this change the export process now pushes data to blob storage one resource at a time, reducing memory consumption.

-1. The import operation returns a HTTP 400 error when a search parameter resource is ingested via the import process. This change is intended to prevent search parameters from being placed in an invalid state when ingested with an import operation.

-2. The import operation will return a HTTP 400 status code, as opposed to the previous HTTP 500 status code, in cases where configuration issues with the storage account occur. This update aims to improve error handling associated with managed identities during import operations.

-Query optimization is added when searching FHIR resources with a data range. This query optimization will help with efficient querying as one combined CTE is generated.

-1. Get the managed identity of the Azure IoT Operations Preview Arc extension.

-1. Assign a role to the managed identity that grants permission to write to the storage account, such as *Storage Blob Data Contributor*. To learn more, see [Authorize access to blobs using Microsoft Entra ID](../../storage/blobs/authorize-access-azure-active-directory.md).

-1. Create the *DataflowEndpoint* resource and specify the managed identity authentication method.

- ```yaml

- apiVersion: connectivity.iotoperations.azure.com/v1beta1

- kind: DataflowEndpoint

- metadata:

- name: adls

- spec:

- endpointType: DataLakeStorage

- dataLakeStorageSettings:

- host: https://<account>.blob.core.windows.net

- authentication:

- method: SystemAssignedManagedIdentity

- systemAssignedManagedIdentitySettings: {}

- ```

-1. Follow the steps in the [access token](#access-token) section to get a SAS token for the storage account and store it in a Kubernetes secret.

-1. Create the *DataflowEndpoint* resource and specify the access token authentication method.

- ```yaml

- apiVersion: connectivity.iotoperations.azure.com/v1beta1

- kind: DataflowEndpoint

- metadata:

- name: adls

- spec:

- endpointType: DataLakeStorage

- dataLakeStorageSettings:

- host: https://<account>.blob.core.windows.net

- authentication:

- method: AccessToken

- accessTokenSettings:

- secretRef: my-sas

- ```

-## Configure dataflow destination

-Once the endpoint is created, you can use it in a dataflow by specifying the endpoint name in the dataflow's destination settings. The following example is a dataflow configuration that uses the MQTT endpoint for the source and Azure Data Lake Storage Gen2 as the destination. The source data is from the MQTT topics `thermostats/+/telemetry/temperature/#` and `humidifiers/+/telemetry/humidity/#`. The destination sends the data to Azure Data Lake Storage table `telemetryTable`.

-kind: Dataflow

- name: my-dataflow

- profileRef: default

- mode: Enabled

- operations:

- - operationType: Source

- sourceSettings:

- endpointRef: mq

- dataSources:

- - thermostats/+/telemetry/temperature/#

- - humidifiers/+/telemetry/humidity/#

- - operationType: Destination

- destinationSettings:

- endpointRef: adls

- # dataDestination should be the storage container name

- dataDestination: telemetryTable

-For more information about dataflow destination settings, see [Create a dataflow](howto-create-dataflow.md).

-> [!NOTE]

-> Using the ADLSv2 endpoint as a source in a dataflow isn't supported. You can use the endpoint as a destination only.

-To customize the endpoint settings, see the following sections for more information.

-In the *DataflowEndpoint* resource, specify the managed identity authentication method. In most cases, you don't need to specify other settings. Not specifying an audience creates a managed identity with the default audience scoped to your storage account.

- audience: https://<account>.blob.core.windows.net

-kubectl create secret generic my-sas \

-Create the *DataflowEndpoint* resource with the secret reference.

- secretRef: my-sas

-Set the values in the dataflow endpoint custom resource.

- Alternatively, you can enable streaming ingestion on the entire cluster. See [Enable streaming ingestion on an existing cluster](/azure/data-explorer/ingest-data-streaming#enable-streaming-ingestion-on-an-existing-cluster).

-1. In your Azure Data Explorer database, under **Security + networking** select **Permissions** > **Add** > **Ingestor**. Search for the Azure IoT Operations extension name then add it.

-Create the dataflow endpoint resource with your cluster and database information. We suggest using the managed identity of the Azure Arc-enabled Kubernetes cluster. This approach is secure and eliminates the need for secret management.

- name: adx

- host: <cluster>.<region>.kusto.windows.net

- database: <database-name>

-## Configure dataflow destination

-Once the endpoint is created, you can use it in a dataflow by specifying the endpoint name in the dataflow's destination settings.

-```yaml

-apiVersion: connectivity.iotoperations.azure.com/v1beta1

-kind: Dataflow

-metadata:

- name: my-dataflow

- namespace: azure-iot-operations

-spec:

- profileRef: default

- mode: Enabled

- operations:

- - operationType: Source

- sourceSettings:

- endpointRef: mq

- dataSources:

- - thermostats/+/telemetry/temperature/#

- - humidifiers/+/telemetry/humidity/#

- - operationType: Destination

- destinationSettings:

- endpointRef: adx

- dataDestination: database-name

-For more information about dataflow destination settings, see [Create a dataflow](howto-create-dataflow.md).

-> [!NOTE]

-> Using the Azure Data Explorer endpoint as a source in a dataflow isn't supported. You can use the endpoint as a destination only.

-To customize the endpoint settings, see the following sections for more information.

- audience: https://<audience URL>

-Set the values in the dataflow endpoint custom resource.

-# [Kubernetes](#tab/kubernetes)

-1. Get the managed identity of the Azure IoT Operations Preview Arc extension.

-1. In the Microsoft Fabric workspace you created, select **Manage access** > **+ Add people or groups**.

-1. Search for the Azure IoT Operations Preview Arc extension by its name, and select the app ID GUID value that you found in the previous step.

-1. Select **Contributor** as the role, then select **Add**.

-1. Create the *DataflowEndpoint* resource and specify the managed identity authentication method.

- ```yaml

- apiVersion: connectivity.iotoperations.azure.com/v1beta1

- kind: DataflowEndpoint

- metadata:

- name: fabric

- spec:

- endpointType: FabricOneLake

- fabricOneLakeSettings:

- # The default Fabric OneLake host URL in most cases

- host: https://onelake.dfs.fabric.microsoft.com

- oneLakePathType: Tables

- authentication:

- method: SystemAssignedManagedIdentity

- systemAssignedManagedIdentitySettings: {}

- names:

- workspaceName: <EXAMPLE-WORKSPACE-NAME>

- lakehouseName: <EXAMPLE-LAKEHOUSE-NAME>

- ```

-# [Bicep](#tab/bicep)

-This Bicep template file from [Bicep File for Microsoft Fabric OneLake dataflow Tutorial](https://gist.github.com/david-emakenemi/289a167c8fa393d3a7dce274a6eb21eb) deploys the necessary resources for dataflows to Fabric OneLake.

-1. Download the file to your local, and make sure to replace the values for `customLocationName`, `aioInstanceName`, `schemaRegistryName`, `opcuaSchemaName`, and `persistentVCName`.

-1. Next, deploy the resources using the [az stack group](/azure/azure-resource-manager/bicep/deployment-stacks?tabs=azure-powershell) command in your terminal:

-```azurecli

-az stack group create --name MyDeploymentStack --resource-group $RESOURCE_GROUP --template-file /workspaces/explore-iot-operations/<filename>.bicep --action-on-unmanage 'deleteResources' --deny-settings-mode 'none' --yes

-This endpoint is the destination for the dataflow that receives messages to Fabric OneLake.

- name: 'onelake-ep'

- name: customLocation.id

- host: 'https://msit-onelake.dfs.fabric.microsoft.com'

- lakehouseName: '<EXAMPLE-LAKEHOUSE-NAME>'

- workspaceName: '<EXAMPLE-WORKSPACE-NAME>'

- }

- batching: {

- latencySeconds: 5

- maxMessages: 10000

-## Configure dataflow destination

-Once the endpoint is created, you can use it in a dataflow by specifying the endpoint name in the dataflow's destination settings.

-# [Kubernetes](#tab/kubernetes)

-```yaml

-apiVersion: connectivity.iotoperations.azure.com/v1beta1

-kind: Dataflow

-metadata:

- name: my-dataflow

- namespace: azure-iot-operations

-spec:

- profileRef: default

- mode: Enabled

- operations:

- - operationType: Source

- sourceSettings:

- endpointRef: mq

- dataSources:

- *

- - operationType: Destination

- destinationSettings:

- endpointRef: fabric

-```

-To customize the endpoint settings, see the following sections for more information.

-### Fabric OneLake host URL

-Use the `host` setting to specify the Fabric OneLake host URL. Usually, it's `https://onelake.dfs.fabric.microsoft.com`.

-```yaml

-fabricOneLakeSettings:

- host: https://onelake.dfs.fabric.microsoft.com

-```

-However, if this host value doesn't work and you're not getting data, try checking for the URL from the Properties of one of the precreated lakehouse folders.

-

-The host value should look like `https://xyz.dfs.fabric.microsoft.com`.

-To learn more, see [Connecting to Microsoft OneLake](/fabric/onelake/onelake-access-api).

-### OneLake path type

-Use the `oneLakePathType` setting to specify the type of path in the Fabric OneLake. The default value is `Tables`, which is used for the Tables folder in the lakehouse typically in Delta Parquet format.

-```yaml

-fabricOneLakeSettings:

- oneLakePathType: Tables

-```

-Another possible value is `Files`. Use this value for the Files folder in the lakehouse, which is unstructured and can be in any format.

-```yaml

-fabricOneLakeSettings:

- oneLakePathType: Files

-```

-# [Bicep](#tab/bicep)

-```bicep

-resource dataflow_onelake 'Microsoft.IoTOperations/instances/dataflowProfiles/dataflows@2024-08-15-preview' = {

- parent: defaultDataflowProfile

- name: 'dataflow-onelake3'

- extendedLocation: {

- name: customLocation.id

- type: 'CustomLocation'

- }

- properties: {

- mode: 'Enabled'

- operations: [

- {

- operationType: 'Source'

- sourceSettings: {

- endpointRef: defaultDataflowEndpoint.name

- dataSources: array('azure-iot-operations/data/thermostat')

- }

- }

- {

- operationType: 'BuiltInTransformation'

- builtInTransformationSettings: {

- map: [

- {

- inputs: array('*')

- output: '*'

- }

- ]

- schemaRef: 'aio-sr://${opcuaSchemaName}:${opcuaSchemaVer}'

- serializationFormat: 'Delta' // Can also be 'Parquet'

- }

- }

- {

- operationType: 'Destination'

- destinationSettings: {

- endpointRef: oneLakeEndpoint.name

- dataDestination: 'opc'

- }

- }

- ]

- }

-}

-The `BuiltInTransformation` in this Bicep file transforms the data flowing through the dataflow pipeline. It applies a pass-through operation, mapping all input fields `(inputs: array('*'))` directly to the output `(output: '*')`, without altering the data.

-It also references the defined OPC-UA schema to ensure the data is structured according to the OPC UA protocol. The transformation then serializes the data in Delta format (or Parquet if specified).

-This step ensures that the data adheres to the required schema and format before being sent to the destination.

-For more information about dataflow destination settings, see [Create a dataflow](howto-create-dataflow.md).

-> [!NOTE]

-> Using the Fabric OneLake dataflow endpoint as a source in a dataflow isn't supported. You can use the endpoint as a destination only.

-In the *DataflowEndpoint* resource, specify the managed identity authentication method. In most cases, you don't need to specify other settings. This configuration creates a managed identity with the default audience.

- audience: https://contoso.onelake.dfs.fabric.microsoft.com

- authentication: {

- method: 'SystemAssignedManagedIdentity'

- systemAssignedManagedIdentitySettings: {

- audience: 'https://contoso.onelake.dfs.fabric.microsoft.com'

- }

- }

- ...

- authentication: {

- method: 'UserAssignedManagedIdentity'

- userAssignedManagedIdentitySettings: {

- clientId: '<clientId>'

- tenantId: '<tenantId>'

- }

- }

- ...

-Set the values in the dataflow endpoint custom resource.

-The bicep file has the values in the dataflow endpoint resource.

-<!-- TODO Add a way for users to override the file with values using the az stack group command >

-batching: {

- latencySeconds: 5

- maxMessages: 10000

- | Host | The hostname of the Kafka broker in the format `<HOST>.servicebus.windows.net:9093`. Include port number `9093` in the host setting for Event Hubs. |

-# [Kubernetes](#tab/kubernetes)

-1. Get the managed identity of the Azure IoT Operations Arc extension.

-1. Assign the managed identity to the Event Hubs namespace with the `Azure Event Hubs Data Sender` or `Azure Event Hubs Data Receiver` role.

-1. Create the *DataflowEndpoint* resource and specify the managed identity authentication method.

- ```yaml

- apiVersion: connectivity.iotoperations.azure.com/v1beta1

- kind: DataflowEndpoint

- metadata:

- name: eventhubs

- namespace: azure-iot-operations

- spec:

- endpointType: Kafka

- kafkaSettings:

- host: <HOST>.servicebus.windows.net:9093

- authentication:

- method: SystemAssignedManagedIdentity

- systemAssignedManagedIdentitySettings: {}

- tls:

- mode: Enabled

- consumerGroupId: mqConnector

- ```

-The Kafka topic, or individual event hub, is configured later when you create the dataflow. The Kafka topic is the destination for the dataflow messages.

-#### Use connection string for authentication to Event Hubs

-To use connection string for authentication to Event Hubs, update the `authentication` section of the Kafka settings to use the `Sasl` method and configure the `saslSettings` with the `saslType` as `Plain` and the `secretRef` with the name of the secret that contains the connection string.

- method: Sasl

- saslSettings:

- saslType: Plain

- secretRef: <YOUR-TOKEN-SECRET-NAME>

-In the example, the `secretRef` is the name of the secret that contains the connection string. The secret must be in the same namespace as the Kafka dataflow resource. The secret must have both the username and password as key-value pairs. For example:

- | Authentication method| The method used for authentication. Choose *System assigned managed identity*, *User assigned managed identity*, *SASL*, or *X509 certificate*. |

-> Currently, the operations experience doesn't support using a Kafka dataflow endpoint as a source. You can create a dataflow with a source Kafka dataflow endpoint using the Kubernetes or Bicep.

- secretRef: <YOUR-TOKEN-SECRET-NAME>

-## Use the endpoint in a dataflow source or destination

-Once the endpoint is created, you can use it in a dataflow by specifying the endpoint name in the dataflow's source or destination settings.

-# [Portal](#tab/portal)

-1. In the Azure IoT Operations Preview portal, create a new dataflow or edit an existing dataflow by selecting the **Dataflows** tab. If creating a new dataflow, select **Create dataflow** and replace `<new-dataflow>` with a name for the dataflow.

-1. In the editor, select the source endpoint. Kafka endpoints can be used as both source and destination. Currently, you can only use the portal to create a dataflow with a Kafka endpoint as a destination. Use a Kubernetes custom resource or Bicep to create a dataflow with a Kafka endpoint as a source.

-1. Choose the Kafka dataflow endpoint that you created previously.

-1. Specify the Kafka topic where messages are sent.

- :::image type="content" source="media/howto-configure-kafka-endpoint/dataflow-mq-kafka.png" alt-text="Screenshot using operations experience to create a dataflow with an MQTT source and Azure Event Hubs destination.":::

-# [Kubernetes](#tab/kubernetes)

-```yaml

-apiVersion: connectivity.iotoperations.azure.com/v1beta1

-kind: Dataflow

-metadata:

- name: my-dataflow

- namespace: azure-iot-operations

-spec:

- profileRef: default

- mode: Enabled

- operations:

- - operationType: Source

- sourceSettings:

- endpointRef: mq

- dataSources:

- *

- - operationType: Destination

- destinationSettings:

- endpointRef: kafka

-For more information about dataflow destination settings, see [Create a dataflow](howto-create-dataflow.md).

-The following authentication methods are available for Kafka broker dataflow endpoints. For more information about enabling secure settings by configuring an Azure Key Vault and enabling workload identities, see [Enable secure settings in Azure IoT Operations Preview deployment](../deploy-iot-ops/howto-enable-secure-settings.md).

-To use SASL for authentication, update the `authentication` section of the Kafka settings to use the `Sasl` method and configure the `saslSettings` with the `saslType` and the `secretRef` with the name of the secret that contains the SASL token.

- saslType: Plain

- secretRef: <YOUR-TOKEN-SECRET-NAME>

-To use X.509 for authentication, update the `authentication` section of the Kafka settings to use the `X509Certificate` method and configure the `x509CertificateSettings` with the `secretRef` with the name of the secret that contains the X.509 certificate.

- secretRef: <YOUR-TOKEN-SECRET-NAME>

-Update the `authentication` section of the DataflowEndpoint Kafka settings to use the `SystemAssignedManagedIdentity` method. In most cases, you can set the `systemAssignedManagedIdentitySettings` with an empty object.

-This sets the audience to the default value, which is the same as the Event Hubs namespace host value in the form of `https://<NAMESPACE>.servicebus.windows.net`. However, if you need to override the default audience, you can set the `audience` field to the desired value. The audience is the resource that the managed identity is requesting access to. For example:

- audience: <YOUR-AUDIENCE-OVERRIDE-VALUE>

-Enter the user assigned managed identity client ID and tenant ID in the appropriate fields.

-To use a user-assigned managed identity, specify the `UserAssignedManagedIdentity` authentication method.

- {}

-<!-- TODO: Add link to WLIF docs -->

-To use anonymous authentication, update the `authentication` section of the Kafka settings to use the `Anonymous` method.

-You can set advanced settings for the Kafka dataflow endpoint such as TLS, trusted CA certificate, Kafka messaging settings, batching, and CloudEvents. You can set these settings in the dataflow endpoint **Advanced** portal tab or within the dataflow endpoint custom resource.

-| Setting | Description |

-| | - |

-| Consumer group ID | The ID of the consumer group for the Kafka endpoint. The consumer group ID is used to identify the consumer group that the dataflow uses to read messages from the Kafka topic. The consumer group ID must be unique within the Kafka broker. |

-| Compression | The compression type used for messages sent to Kafka topics. Supported types are `None`, `Gzip`, `Snappy`, and `Lz4`. Compression helps to reduce the network bandwidth and storage space required for data transfer. However, compression also adds some overhead and latency to the process. This setting takes effect only if the endpoint is used as a destination where the dataflow is a producer. |

-| Copy MQTT properties | Whether to copy MQTT message properties to Kafka message headers. For more information, see [Copy MQTT properties](#copy-mqtt-properties). |

-| Kafka acknowledgement | The level of acknowledgement requested from the Kafka broker. Supported values are `None`, `All`, `One`, and `Zero`. For more information, see [Kafka acknowledgements](#kafka-acknowledgements). |

-| Partition handling strategy | The partition handling strategy controls how messages are assigned to Kafka partitions when sending them to Kafka topics. Supported values are `Default`, `Static`, `Topic`, and `Property`. For more information, see [Partition handling strategy](#partition-handling-strategy). |

-| TLS mode enabled | Enables TLS for the Kafka endpoint. |

-| Trusted CA certificate config map | The ConfigMap containing the trusted CA certificate for the Kafka endpoint. This ConfigMap should contain the CA certificate in PEM format. The ConfigMap must be in the same namespace as the Kafka dataflow resource. For more information, see [Trusted CA certificate](#trusted-ca-certificate). |

-| Batching enabled | Enables batching. Batching allows you to group multiple messages together and compress them as a single unit, which can improve the compression efficiency and reduce the network overhead. This setting takes effect only if the endpoint is used as a destination where the dataflow is a producer. |

-| Batching latency | The maximum time interval in milliseconds that messages can be buffered before being sent. If this interval is reached, then all buffered messages are sent as a batch, regardless of how many or how large they are. |

-| Maximum bytes | The maximum size in bytes that can be buffered before being sent. If this size is reached, then all buffered messages are sent as a batch, regardless of how many they are or how long they are buffered. |

-| Message count | The maximum number of messages that can be buffered before being sent. If this number is reached, then all buffered messages are sent as a batch, regardless of how large they are or how long they are buffered. |

-| Cloud event attributes | The CloudEvents attributes to include in the Kafka messages. |

-### TLS settings

-Under `kafkaSettings.tls`, you can configure additional settings for the TLS connection to the Kafka broker.

-To enable or disable TLS for the Kafka endpoint, update the `mode` setting in the TLS settings. For example:

- mode: Enabled

-To configure the trusted CA certificate for the Kafka endpoint, update the `trustedCaCertificateConfigMapRef` setting in the TLS settings. For example:

- trustedCaCertificateConfigMapRef: <YOUR-CA-CERTIFICATE>

-This setting is important if the Kafka broker uses a self-signed certificate or a certificate signed by a custom CA that isn't trusted by default.

-However in the case of Azure Event Hubs, the CA certificate isn't required because the Event Hubs service uses a certificate signed by a public CA that is trusted by default.

-### Kafka messaging settings

-Under `kafkaSettings`, you can configure additional settings for the Kafka endpoint.

-#### Consumer group ID

-To configure the consumer group ID for the Kafka endpoint, update the `consumerGroupId` setting in the Kafka settings. For example:

- consumerGroupId: fromMq

-The consumer group ID is used to identify the consumer group that the dataflow uses to read messages from the Kafka topic. The consumer group ID must be unique within the Kafka broker.

-<!-- TODO: check for accuracy -->

-This setting takes effect only if the endpoint is used as a source (that is, the dataflow is a consumer).

-#### Compression

-To configure the compression type for the Kafka endpoint, update the `compression` setting in the Kafka settings. For example:

-```yaml

-kafkaSettings:

- compression: Gzip

-```

-#### Batching

-An example of using batching is:

-In the example, messages are sent either when there are 100 messages in the buffer, or when there are 1,024 bytes in the buffer, or when 1,000 milliseconds elapse since the last send, whichever comes first.

-#### Partition handling strategy

-An example of using partition handling strategy is:

- partitionStrategy: Property

- partitionKeyProperty: device-id

-This means that messages with the same "device-id" property are sent to the same partition.

-#### Kafka acknowledgements

-Kafka acknowledgements (acks) are used to control the durability and consistency of messages sent to Kafka topics. When a producer sends a message to a Kafka topic, it can request different levels of acknowledgements from the Kafka broker to ensure that the message is successfully written to the topic and replicated across the Kafka cluster.

-| `None` | The dataflow doesn't wait for any acknowledgements from the Kafka broker. This is the fastest but least durable option. |

-| `Zero` | The dataflow waits for the message to be written to the leader partition but doesn't wait for any acknowledgements from the followers. This is faster than `One` but less durable. |

-An example of using Kafka acknowledgements is:

- kafkaAcks: All

-This means that the dataflow waits for the message to be written to the leader partition and all follower partitions.

-#### Copy MQTT properties

- copyMqttProperties: Enabled

-To disable copying MQTT properties, set the value to `Disabled`.

-##### Kafka endpoint is a destination

-###### The Message Expiry Interval property

-##### Kafka endpoint is a dataflow source

-###### UTF-8 / Binary Mismatches

-###### >=64KB property mismatches

-###### Property translation when using Event Hubs and producers that use AMQP

-The `CloudEventAttributes` options are `Propagate` or`CreateOrRemap`. For example:

-mqttSettings:

- CloudEventAttributes: Propagate # or CreateOrRemap

- name: esa

- persistentVolumeClaimRef: <PVC-NAME>

-The PersistentVolumeClaim (PVC) must be in the same namespace as the *DataflowEndpoint*.

-# [Bicep](#tab/bicep)

-This Bicep template file from [Bicep File for local storage dataflow Tutorial](https://gist.github.com/david-emakenemi/52377e32af1abd0efe41a5da27190a10) deploys the necessary resources for dataflows to local storage.

-Download the file to your local, and make sure to replace the values for `customLocationName`, `aioInstanceName`, `schemaRegistryName`, `opcuaSchemaName`, and `persistentVCName`.

-Next, deploy the resources using the [az stack group](/azure/azure-resource-manager/bicep/deployment-stacks?tabs=azure-powershell) command in your terminal:

-```azurecli

-az stack group create --name MyDeploymentStack --resource-group $RESOURCE_GROUP --template-file /workspaces/explore-iot-operations/<filename>.bicep --action-on-unmanage 'deleteResources' --deny-settings-mode 'none' --yes

-```

-This endpoint is the destination for the dataflow that receives messages to Local storage.

- name: 'local-storage-ep'

- name: customLocation.id

-## Configure dataflow destination

-Once the endpoint is created, you can use it in a dataflow by specifying the endpoint name in the dataflow's destination settings.

-# [Kubernetes](#tab/kubernetes)

-```yaml

-apiVersion: connectivity.iotoperations.azure.com/v1beta1

-kind: Dataflow

-metadata:

- name: my-dataflow

- namespace: azure-iot-operations

-spec:

- profileRef: default

- mode: Enabled

- operations:

- - operationType: Source

- sourceSettings:

- endpointRef: mq

- dataSources:

- *

- - operationType: Destination

- destinationSettings:

- endpointRef: esa

-# [Bicep](#tab/bicep)

-```bicep

-{

- operationType: 'Destination'

- destinationSettings: {

- endpointRef: localStorageDataflowEndpoint.name

- dataDestination: 'sensorData'

- }

-}

-```

-For more information about dataflow destination settings, see [Create a dataflow](howto-create-dataflow.md).

-> [!NOTE]

-> Using the local storage endpoint as a source in a dataflow isn't supported. You can use the endpoint as a destination only.

-Azure IoT Operations provides a built-in MQTT broker that you can use with dataflows. When you deploy Azure IoT Operations, a *default* MQTT broker dataflow endpoint is created with default settings. You can use this endpoint as a source or destination for dataflows.

- | Authentication method | The method used for authentication. Choose *System assigned managed identity*, or *X509 certificate* |

-To configure an MQTT broker endpoint with default settings, you can omit the host field along with other optional fields.

- name: mq

- audience: aio-internal

-This configuration creates a connection to the default MQTT broker with the following settings:

-> [!IMPORTANT]

-> If any of these default MQTT broker settings change, the dataflow endpoint must be updated to reflect the new settings. For example, if the default MQTT broker listener changes to use a different service name `my-mqtt-broker` and port 8885, you must update the endpoint to use the new host `host: my-mqtt-broker:8885`. Same applies to other settings like authentication and TLS.

-This Bicep template file from [Bicep File for MQTT-bridge dataflow Tutorial](https://gist.github.com/david-emakenemi/7a72df52c2e7a51d2424f36143b7da85) deploys the necessary dataflow and dataflow endpoints for MQTT broker and Azure Event Grid.

-Download the file to your local, and make sure to replace the values for `customLocationName`, `aioInstanceName`, `eventGridHostName`.

-Next, deploy the resources using the [az stack group](/azure/azure-resource-manager/bicep/deployment-stacks?tabs=azure-powershell) command in your terminal:

-```azurecli

-az stack group create --name MyDeploymentStack --resource-group $RESOURCE_GROUP --template-file /workspaces/explore-iot-operations/mqtt-bridge.bicep --action-on-unmanage 'deleteResources' --deny-settings-mode 'none' --yes

-```

-This endpoint is the source for the dataflow that sends messages to Azure Event Grid.

- parent: aioInstance

- name: 'aiomq'

- name: customLocation.id

- audience: 'aio-internal'

- host: 'aio-broker:18883'

- trustedCaCertificateConfigMapRef: 'azure-iot-operations-aio-ca-trust-bundle'

-## How to configure a dataflow endpoint for MQTT brokers

-You can use an MQTT broker dataflow endpoint for dataflow sources and destinations.

-### Azure Event Grid

-[Azure Event Grid provides a fully managed MQTT broker](../../event-grid/mqtt-overview.md) that works with Azure IoT Operations dataflows.

-To configure an Azure Event Grid MQTT broker endpoint, we recommend that you use managed identity for authentication.

- | Host | The hostname and port of the MQTT broker. Use the format `<hostname>:<port>` |

- | Authentication method | The method used for authentication. Choose *System assigned managed identity*, *User assigned managed identity*, or *X509 certificate* |

- | Client ID | The client ID of the user-assigned managed identity. Required if using *User assigned managed identity*. |

- | Tenant ID | The tenant ID of the user-assigned managed identity. Required if using *User assigned managed identity*. |

- | X509 client certificate | The X.509 client certificate used for authentication. Required if using *X509 certificate*. |

- | X509 client key | The private key corresponding to the X.509 client certificate. Required if using *X509 certificate*. |

- | X509 intermediate certificates | The intermediate certificates for the X.509 client certificate chain. Required if using *X509 certificate*. |

-1. Create an Event Grid namespace and enable MQTT.

-1. Get the managed identity of the Azure IoT Operations Arc extension.

-1. Assign the managed identity to the Event Grid namespace or topic space with an appropriate role like `EventGrid TopicSpaces Publisher` or `EventGrid TopicSpaces Subscriber`.

-1. This endpoint is the destination for the dataflow that receives messages from the default MQTT Broker.

- name: eventgrid

-# [Bicep](#tab/bicep)

-1. Create an Event Grid namespace and enable MQTT.

-1. Get the managed identity of the Azure IoT Operations Arc extension.

-1. Assign the managed identity to the Event Grid namespace or topic space with an appropriate role like `EventGrid TopicSpaces Publisher` or `EventGrid TopicSpaces Subscriber`.

-1. This endpoint is the destination for the dataflow that receives messages from the default MQTT broker.

- name: 'eventgrid'

- name: customLocation.id

-Azure Event Grid MQTT broker doesn't support shared subscriptions, which means that you can't set the `instanceCount` to more than `1` in the dataflow profile. If you set `instanceCount` greater than `1`, the dataflow fails to start.

- ...

- mode: Enabled

-properties: {

- endpointType: 'Mqtt'

- mqttSettings: {

- authentication: {

- ...

- }

- host: 'MQTT-BROKER-HOST>:8883'

- tls: {

- mode: 'Enabled'

- trustedCaCertificateConfigMapRef: '<YOUR CA CERTIFICATE CONFIG MAP>'

- }

- }

- }

-```

-## Use the endpoint in a dataflow source or destination

-Once you've configured the endpoint, you can use it in a dataflow as both a source or a destination. The MQTT topics are configured in the dataflow source or destination settings, which allows you to reuse the same *DataflowEndpoint* resource with multiple dataflows and different MQTT topics.

-# [Portal](#tab/portal)

-1. In the Azure IoT Operations Preview portal, create a new dataflow or edit an existing dataflow by selecting the **Dataflows** tab. If creating a new dataflow, select **Create dataflow** and replace `<new-dataflow>` with a name for the dataflow.

-1. In the editor, select **MQTT** as the source dataflow endpoint.

- Enter the following settings for the source endpoint:

- | Setting | Description |

- | - | - |

- | MQTT topic | The topic to which the dataflow subscribes (if source) or publishes (if destination). |

- | Message schema| The schema that defines the structure of the messages being received (if source) or sent (if destination). You can select an existing schema or upload a new schema to the schema registry. |

-1. Select the dataflow endpoint for the destination. Choose an existing MQTT dataflow endpoint. For example, the default MQTT Broker endpoint or a custom MQTT broker endpoint.

-1. Select **Proceed** to configure the destination settings.

-1. Enter the MQTT topic to which the dataflow publishes messages.

-1. Select **Apply** to provision the dataflow.

- :::image type="content" source="media/howto-configure-mqtt-endpoint/create-dataflow-mq-mq.png" alt-text="Screenshot using operations experience to create a dataflow with an MQTT source and destination.":::

-# [Kubernetes](#tab/kubernetes)

-```yaml

-apiVersion: connectivity.iotoperations.azure.com/v1beta1

-kind: Dataflow

-metadata:

- name: my-dataflow

- namespace: azure-iot-operations

-spec:

- profileRef: default

- mode: Enabled

- operations:

- - operationType: Source

- sourceSettings:

- endpointRef: mqsource

- dataSources:

- - thermostats/+/telemetry/temperature/#

- - operationType: Destination

- destinationSettings:

- endpointRef: mqdestination

- dataDestination:

- - sensors/thermostats/temperature

-```

-# [Bicep](#tab/bicep)

-```bicep

-resource dataflow 'Microsoft.IoTOperations/instances/dataflowProfiles/dataflows@2024-08-15-preview' = {

- parent: defaultDataflowProfile

- name: 'my-dataflow'

- extendedLocation: {

- name: customLocation.id

- type: 'CustomLocation'

- properties: {

- mode: 'Enabled'

- operations: [

- {

- operationType: 'Source'

- sourceSettings: {

- endpointRef: 'mqsource'

- dataSources: array('thermostats/+/telemetry/temperature/#')

- }

- }

- {

- operationType: 'Destination'

- destinationSettings: {

- endpointRef: 'mqdestination'

- dataDestination: 'sensors/thermostats/temperature'

- }

- }

- ]

-}

-For more information about dataflow destination settings, see [Create a dataflow](howto-create-dataflow.md).

- systemAssignedManagedIdentitySettings: {}

-Enter the user assigned managed identity client ID and tenant ID in the appropriate fields.

-To use a user-assigned managed identity, specify the `UserAssignedManagedIdentity` authentication method and provide the `clientId` and `tenantId` of the managed identity..

- audience: <YOUR-SERVICE-ACCOUNT-AUDIENCE>

- audience: '<YOUR-SERVICE-ACCOUNT-AUDIENCE>'

-You can set advanced settings for the MQTT broker dataflow endpoint such as TLS, trusted CA certificate, MQTT messaging settings, and CloudEvents. You can set these settings in the dataflow endpoint **Advanced** portal tab or within the dataflow endpoint custom resource.

-### TLS

-Under `mqttSettings.tls`, you can configure the TLS settings for the MQTT broker. To enable or disable TLS, set the `mode` field to `Enabled` or `Disabled`.

- mode: Enabled

-### Trusted CA certificate

-To use a trusted CA certificate for the MQTT broker, you can create a Kubernetes ConfigMap with the CA certificate and reference it in the DataflowEndpoint resource.

- mode: Enabled

- trustedCaCertificateConfigMapRef: <your CA certificate config map>

-This is useful when the MQTT broker uses a self-signed certificate or a certificate that's not trusted by default. The CA certificate is used to verify the MQTT broker's certificate. In the case of Event Grid, its CA certificate is already widely trusted and so you can omit this setting.

-### MQTT messaging settings

-Under `mqttSettings`, you can configure the MQTT messaging settings for the dataflow MQTT client used with the endpoint.

-#### Client ID prefix

- clientIdPrefix: dataflow

-#### QoS

- qos: 1

-#### Retain

- retain: Keep

-This setting is useful to ensure that the remote broker has the same message as the local broker, which can be important for Unified Namespace scenarios.

-If set to `Never`, the retain flag is removed from the MQTT messages. This can be useful when you don't want the remote broker to retain any messages or if the remote broker doesn't support retain.

-The *retain* setting only takes effect if the dataflow uses MQTT endpoint as both source and destination. For example, in an MQTT bridge scenario.

-#### Session expiry

-You can set the session expiry interval for the dataflow MQTT client. The session expiry interval is the maximum time that an MQTT session is maintained if the dataflow client disconnects. The default is 3600 seconds.

-#### MQTT or WebSockets protocol

-#### Max inflight messages

-#### Keep alive

-#### CloudEvents

-The `CloudEventAttributes` options are `Propagate` or`CreateOrRemap`.

-##### Propagate setting

-##### CreateOrRemap setting

-# [Bicep](#tab/bicep)

-TODO

-```bicep

-bicep here

-```

-This article shows you how to create a dataflow with an example, including the source, transformation, and destination.

-## Create dataflow

-Once you have dataflow endpoints, you can use them to create a dataflow. Recall that a dataflow is made up of three parts: the source, the transformation, and the destination.

-To create a dataflow in [operations experience](https://iotoperations.azure.com/), select **Dataflow** > **Create dataflow**.

-# [Bicep](#tab/bicep)

-The [Bicep File to create Dataflow](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/quickstarts/dataflow.bicep) deploys the necessary resources for dataflows.

-1. Download the template file and replace the values for `customLocationName`, `aioInstanceName`, `schemaRegistryName`, `opcuaSchemaName`, and `persistentVCName`.

-1. Deploy the resources using the [az stack group](/azure/azure-resource-manager/bicep/deployment-stacks?tabs=azure-powershell) command in your terminal:

- ```azurecli

- az stack group create --name MyDeploymentStack --resource-group $RESOURCE_GROUP --template-file /workspaces/explore-iot-operations/<filename>.bicep --action-on-unmanage 'deleteResources' --deny-settings-mode 'none' --yes

- ```

- The overall structure of a dataflow configuration for Bicep is as follows:

- name: 'my-dataflow'

-# [Kubernetes](#tab/kubernetes)

-The overall structure of a dataflow configuration is as follows:

-```yaml

-apiVersion: connectivity.iotoperations.azure.com/v1beta1

-kind: Dataflow

-metadata:

- name: my-dataflow

- namespace: azure-iot-operations

-spec:

- profileRef: default

- mode: Enabled

- operations:

- - operationType: Source

- sourceSettings:

- # See source configuration section

- - operationType: BuiltInTransformation

- builtInTransformationSettings:

- # See transformation configuration section

- - operationType: Destination

- destinationSettings:

- # See destination configuration section

-```

-<!-- TODO: link to API reference -->

-## Configure a source with a dataflow endpoint to get data

-To configure a source for the dataflow, specify the endpoint reference and data source. You can specify a list of data sources for the endpoint.

-# [Portal](#tab/portal)

-### Use Asset as a source

-# [Bicep](#tab/bicep)

-# [Kubernetes](#tab/kubernetes)

-### Use MQTT as a source

-1. Enter the **MQTT Topic** that you want to listen to for incoming messages.

-1. Choose a **Message schema** from the dropdown list or upload a new schema. If the source data has optional fields or fields with different types, specify a deserialization schema to ensure consistency. For example, the data might have fields that aren't present in all messages. Without the schema, the transformation can't handle these fields as they would have empty values. With the schema, you can specify default values or ignore the fields.

-{

- operationType: 'Source'

- sourceSettings: {

- endpointRef: MqttBrokerDataflowEndpoint.name // Reference to the 'mq' endpoint

- dataSources: [

- 'azure-iot-operations/data/thermostat', // MQTT topic for thermostat temperature data

- 'humidifiers/+/telemetry/humidity/#' // MQTT topic for humidifier humidity data

-

- ]

- }

-The `dataSources` setting is an array of MQTT topics that define the data source. In this example, `azure-iot-operations/data/thermostat` refers to one of the topics in the dataSources array where thermostat data is published.

-Datasources allow you to specify multiple MQTT or Kafka topics without needing to modify the endpoint configuration. This means the same endpoint can be reused across multiple dataflows, even if the topics vary. For more information, see [Reuse dataflow endpoints](./howto-configure-dataflow-endpoint.md#reuse-endpoints).

-<!-- TODO: Put the right article link here -->

-For more information about creating an MQTT endpoint as a dataflow source, see [MQTT Endpoint](howto-configure-mqtt-endpoint.md).

-# [Kubernetes](#tab/kubernetes)

-For example, to configure a source using an MQTT endpoint and two MQTT topic filters, use the following configuration:

- endpointRef: mq

- - thermostats/+/telemetry/temperature/#

- - humidifiers/+/telemetry/humidity/#

-Because `dataSources` allows you to specify MQTT or Kafka topics without modifying the endpoint configuration, you can reuse the endpoint for multiple dataflows even if the topics are different. To learn more, see [Reuse dataflow endpoints](./howto-configure-dataflow-endpoint.md#reuse-endpoints).

-<!-- TODO: link to API reference -->

-#### Specify schema to deserialize data

-If the source data has optional fields or fields with different types, specify a deserialization schema to ensure consistency. For example, the data might have fields that aren't present in all messages. Without the schema, the transformation can't handle these fields as they would have empty values. With the schema, you can specify default values or ignore the fields.

-spec:

- operations:

- - operationType: Source

- sourceSettings:

- serializationFormat: Json

- schemaRef: aio-sr://exampleNamespace/exampleAvroSchema:1.0.0

-To specify the schema, create the file and store it in the schema registry.

-```json

-{

- "$schema": "http://json-schema.org/draft-07/schema#",

- "name": "Temperature",

- "description": "Schema for representing an asset's key attributes",

- "type": "object",

- "required": [ "deviceId", "asset_name"],

- "properties": {

- "deviceId": {

- "type": "string"

- },

- "temperature": {

- "type": "double"

- },

- "serial_number": {

- "type": "string"

- },

- "production_date": {

- "type": "string",

- "description": "Event duration"

- },

- "asset_name": {

- "type": "string",

- "description": "Name of asset"

- },

- "location": {

- "type": "string",

- },

- "manufacturer": {

- "type": "string",

- "description": "Name of manufacturer"

- }

- }

-> The only supported serialization format is JSON. The schema is optional.

-For more information about schema registry, see [Understand message schemas](concept-schema-registry.md).

-#### Shared subscriptions

-<!-- TODO: may not be final -->

-To use shared subscriptions with MQTT sources, you can specify the shared subscription topic in the form of `$shared/<subscription-group>/<topic>`.

- - $shared/myGroup/thermostats/+/telemetry/temperature/#

-> [!NOTE]

-> If the instance count in the [dataflow profile](howto-configure-dataflow-profile.md) is greater than 1, then the shared subscription topic must be used.

-<!-- TODO: Details -->

-## Configure transformation to process data

-The transformation operation is where you can transform the data from the source before you send it to the destination. Transformations are optional. If you don't need to make changes to the data, don't include the transformation operation in the dataflow configuration. Multiple transformations are chained together in stages regardless of the order in which they're specified in the configuration. The order of the stages is always

-1. **Enrich**: Add additional data to the source data given a dataset and condition to match.

-1. **Filter**: Filter the data based on a condition.

-1. **Map**: Move data from one field to another with an optional conversion.

-In the operations experience, select **Dataflow** > **Add transform (optional)**.

-# [Bicep](#tab/bicep)

-```bicep

-{

- operationType: 'BuiltInTransformation'

- builtInTransformationSettings: {

- map: [

- // ...

- ]

- filter: [

- // ...

- ]

- }

-}

-### Specify output schema to transform data

-The following configuration demonstrates how to define an output schema in your Bicep file. In this example, the schema defines fields such as `asset_id`, `asset_name`, `location`, `temperature`, `manufacturer`, `production_date`, and `serial_number`. Each field is assigned a data type and marked as non-nullable. The assignment ensures all incoming messages contain these fields with valid data.

-var assetDeltaSchema = '''

-{

- "$schema": "Delta/1.0",

- "type": "object",

- "properties": {

- "type": "struct",

- "fields": [

- { "name": "asset_id", "type": "string", "nullable": false, "metadata": {} },

- { "name": "asset_name", "type": "string", "nullable": false, "metadata": {} },

- { "name": "location", "type": "string", "nullable": false, "metadata": {} },

- { "name": "manufacturer", "type": "string", "nullable": false, "metadata": {} },

- { "name": "production_date", "type": "string", "nullable": false, "metadata": {} },

- { "name": "serial_number", "type": "string", "nullable": false, "metadata": {} },

- { "name": "temperature", "type": "double", "nullable": false, "metadata": {} }

- ]

- }

-'''

-The following Bicep configuration registers the schema with the Azure Schema Registry. This configuration creates a schema definition and assigns it a version within the schema registry, allowing it to be referenced later in your data transformations.

-```bicep

-param opcuaSchemaName string = 'opcua-output-delta'

-param opcuaSchemaVer string = '1'

-resource opcSchema 'Microsoft.DeviceRegistry/schemaRegistries/schemas@2024-09-01-preview' = {

- parent: schemaRegistry

- name: opcuaSchemaName

- properties: {

- displayName: 'OPC UA Delta Schema'

- description: 'This is a OPC UA delta Schema'

- format: 'Delta/1.0'

- schemaType: 'MessageSchema'

- }

-}

-resource opcuaSchemaInstance 'Microsoft.DeviceRegistry/schemaRegistries/schemas/schemaVersions@2024-09-01-preview' = {

- parent: opcSchema

- name: opcuaSchemaVer

- properties: {

- description: 'Schema version'

- schemaContent: opcuaSchemaContent

- }

-}

-```

-builtInTransformationSettings:

- datasets:

- # ...

- filter:

- # ...

- map:

- # ...

-<!-- TODO: link to API reference -->

-### Enrich: Add reference data

-To enrich the data, you can use the reference dataset in the Azure IoT Operations [distributed state store (DSS)](../create-edge-apps/concept-about-state-store-protocol.md). The dataset is used to add extra data to the source data based on a condition. The condition is specified as a field in the source data that matches a field in the dataset.

-Key names in the distributed state store correspond to a dataset in the dataflow configuration.

-Currently, the enrich operation isn't available in the operations experience.

-# [Bicep](#tab/bicep)

-This example shows how you could use the `deviceId` field in the source data to match the `asset` field in the dataset:

-```bicep

-builtInTransformationSettings: {

- datasets: [

- {

- key: 'assetDataset'

- inputs: [

- '$source.deviceId', // Reference to the device ID from the source

- '$context(assetDataset).asset' // Reference to the asset from the dataset context

- ]

- expression: '$1 == $2' // Expression to evaluate the inputs

- }

- ]

-}

-### Passthrough operation

-For example, you could apply a passthrough operation that takes all the input fields and maps them to the output field, essentially passing through all fields.

- {

- inputs: array('*')

- output: '*'

- }

-The data from the source with the `deviceId` field matching `thermostat1` has the `location` and `manufacturer` fields available in `filter` and `map` stages.

-<!-- TODO: link to API reference -->

-You can load sample data into the DSS by using the [DSS set tool sample](https://github.com/Azure-Samples/explore-iot-operations/tree/main/samples/dss_set).

- 'temperature ? $last' // Reference to the last temperature value, if available

- expression: '$1 > 20' // Expression to filter based on the temperature value

-# [Kubernetes](#tab/kubernetes)

-For example, you could use the `temperature` field in the source data to filter the data:

-```yaml

-builtInTransformationSettings:

- filter:

- - inputs:

- - temperature ? $last # - $1

- expression: "$1 > 20"

-```

-<!-- TODO: link to API reference -->

- 'temperature' // Reference to the temperature input

- output: 'temperatureCelsius' // Output variable for the converted temperature

- expression: '($1 - 32) * 5/9' // Expression to convert Fahrenheit to Celsius

- '$context(assetDataset).location' // Reference to the location from the dataset context

- output: 'location' // Output variable for the location

-# [Kubernetes](#tab/kubernetes)

-For example, you could use the `temperature` field in the source data to convert the temperature to Celsius and store it in the `temperatureCelsius` field. You could also enrich the source data with the `location` field from the contextualization dataset:

-```yaml

-builtInTransformationSettings:

- map:

- - inputs:

- - temperature # - $1

- output: temperatureCelsius

- expression: "($1 - 32) * 5/9"

- - inputs:

- - $context(assetDataset).location

- output: location

-```

-<!-- TODO: link to API reference -->

-If you want to serialize the data before sending it to the destination, you need to specify a schema and serialization format. Otherwise, the data is serialized in JSON with the types inferred. Remember that storage endpoints like Microsoft Fabric or Azure Data Lake require a schema to ensure data consistency.

-Specify the **Output** schema when you add the destination dataflow endpoint.

-When the dataflow resource is created, it includes a `schemaRef` value that points to the generated schema stored in the schema registry. It can be referenced in transformations which creates a new schema in Delta format.

-This [Bicep File to create Dataflow](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/quickstarts/dataflow.bicep) provides a streamlined approach to provisioning the dataflow with schema integration.

-{

- operationType: 'BuiltInTransformation'

- builtInTransformationSettings: {

- // ..

- schemaRef: 'aio-sr://${opcuaSchemaName}:${opcuaSchemaVer}'

- serializationFormat: 'Parquet'

- }

-# [Kubernetes](#tab/kubernetes)

-builtInTransformationSettings:

- serializationFormat: Parquet

- schemaRef: aio-sr://<NAMESPACE>/<SCHEMA>:<VERSION>

-To specify the schema, you can create a Schema custom resource with the schema definition.

-For more information about schema registry, see [Understand message schemas](concept-schema-registry.md).

-```json

-{

- "$schema": "http://json-schema.org/draft-07/schema#",

- "name": "Temperature",

- "description": "Schema for representing an asset's key attributes",

- "type": "object",

- "required": [ "deviceId", "asset_name"],

- "properties": {

- "deviceId": {

- "type": "string"

- },

- "temperature": {

- "type": "double"

- },

- "serial_number": {

- "type": "string"

- },

- "production_date": {

- "type": "string",

- "description": "Event duration"

- },

- "asset_name": {

- "type": "string",

- "description": "Name of asset"

- },

- "location": {

- "type": "string",

- },

- "manufacturer": {

- "type": "string",

- "description": "Name of manufacturer"

- }

- }

-Supported serialization formats are JSON, Parquet, and Delta.

-## Configure destination with a dataflow endpoint to send data

-To configure a destination for the dataflow, specify the endpoint reference and data destination. You can specify a list of data destinations for the endpoint.

-> [!IMPORTANT]

-> Storage endpoints require a schema reference. If you've created storage destination endpoints for Microsoft Fabric OneLake, ADLS Gen 2, Azure Data Explorer and Local Storage, use bicep to specify the schema reference.

-1. Select the dataflow endpoint to use as the destination.

- :::image type="content" source="media/howto-create-dataflow/dataflow-destination.png" alt-text="Screenshot using operations experience to select Event Hubs destination endpoint.":::

-1. Select **Proceed** to configure the destination.

-1. Add the mapping details based on the type of destination.

-The following example configures Fabric OneLake as a destination with a static MQTT topic.

-resource oneLakeEndpoint 'Microsoft.IoTOperations/instances/dataflowEndpoints@2024-08-15-preview' = {

- parent: aioInstance

- name: 'onelake-ep'

- extendedLocation: {

- name: customLocation.id

- type: 'CustomLocation'

- }

- properties: {

- endpointType: 'FabricOneLake'

- fabricOneLakeSettings: {

- authentication: {

- method: 'SystemAssignedManagedIdentity'

- systemAssignedManagedIdentitySettings: {}

- }

- oneLakePathType: 'Tables'

- host: 'https://msit-onelake.dfs.fabric.microsoft.com'

- names: {

- lakehouseName: '<EXAMPLE-LAKEHOUSE-NAME>'

- workspaceName: '<EXAMPLE-WORKSPACE-NAME>'

- }

- batching: {

- latencySeconds: 5

- maxMessages: 10000

- }

- }

- }

-{

- operationType: 'Destination'

- destinationSettings: {

- endpointRef: oneLakeEndpoint.name // oneLake endpoint

- dataDestination: 'sensorData' // static MQTT topic

- }

-# [Kubernetes](#tab/kubernetes)

-For example, to configure a destination using the MQTT endpoint created earlier and a static MQTT topic, use the following configuration:

-```yaml

-destinationSettings:

- endpointRef: mq

- dataDestination: factory

- endpointRef: mq

- endpointRef: mq

-# [Bicep](#tab/bicep)

-Bicep is infrastructure as code and no export is required. Use the [Bicep template file to create a dataflow](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/quickstarts/dataflow.bicep) to quickly set up and configure dataflows.

-The dataflow and dataflow endpoints for MQTT broker and Azure Event Grid can be deployed as standard Azure resources since they have Azure Resource Provider (RPs) implementations. This Bicep template file from [Bicep File for MQTT-bridge dataflow Tutorial](https://gist.github.com/david-emakenemi/7a72df52c2e7a51d2424f36143b7da85) deploys the necessary dataflow and dataflow endpoints.

-Azure IoT Operations Preview deploys a default *BrokerAuthentication* resource named `authn` linked with the default listener named `listener` in the `azure-iot-operations` namespace. It's configured to only use Kubernetes Service Account Tokens (SATs) for authentication. To inspect it, run:

-kubectl get brokerauthentication authn -n azure-iot-operations -o yaml

- name: authn

- - "aio-internal"

- name: authn

-By default, Azure IoT Operations Preview deploys a default Broker resource named `broker`. It's deployed in the `azure-iot-operations` namespace with cardinality and memory profile settings as configured during the initial deployment with Azure portal or Azure CLI. To see the settings, run the following command:

-kubectl get broker broker -n azure-iot-operations -o yaml

-kubectl delete broker broker -n azure-iot-operations

-Then, create a YAML file with desired settings. For example, the following YAML file configures the broker with name `broker` in namespace `azure-iot-operations` with `medium` memory profile and `distributed` mode with two frontend replicas and two backend chains with two partitions and two workers each. Also, the [encryption of internal traffic option](#configure-encryption-of-internal-traffic) is disabled.

- name: broker

-The broker advanced settings include client configurations, encryption of internal traffic, and certificate rotations. For more information on the advanced settings, see the [Broker]() API reference.

- name: broker

-When you deploy Azure IoT Operations Preview, the deployment also creates a *BrokerListener* resource named `listener` in the `azure-iot-operations` namespace. This listener is linked to the default Broker resource named `broker` that's also created during deployment. The default listener exposes the broker on port 18883 with TLS and SAT authentication enabled. The TLS certificate is [automatically managed](howto-configure-tls-auto.md) by cert-manager. Authorization is disabled by default.

-kubectl get brokerlistener listener -n azure-iot-operations -o yaml

- name: listener

- brokerRef: broker

- - port: 18883

- authenticationRef: authn

-kubectl patch brokerlistener listener -n azure-iot-operations --type='json' -p='[{"op": "add", "path": "/spec/ports/", "value": {"port": 1883, "protocol": "Mqtt"}}]'

- brokerRef: broker

- authenticationRef: authn

- brokerRef: broker

- brokerRef: broker

- brokerRef: broker

-The MQTT broker and north-bound cloud connector components can be deployed as regular Azure resources as they have Azure Resource Provider (RPs) implementations. A single Bicep template file from the *explore-iot-operations* repository deploys all the required edge and cloud resources and Azure role-based access assignments. Run this command in your Codespace terminal:

-CLUSTER_NAME=<arc-connected-cluster-name>

-TEMPLATE_FILE_NAME='tutorials/mq-realtime-fabric-dashboard/deployEdgeAndCloudResources.bicep'

- az deployment group create \

- --name az-resources \

- --resource-group $RESOURCE_GROUP \

- --template-file $TEMPLATE_FILE_NAME \

- --parameters clusterName=$CLUSTER_NAME

-The resources deployed by the template include:

-* [Event Hubs related resources](https://github.com/Azure-Samples/explore-iot-operations/blob/88ff2f4759acdcb4f752aa23e89b30286ab0cc99/tutorials/mq-realtime-fabric-dashboard/deployEdgeAndCloudResources.bicep#L349)

-* [IoT Operations MQTT broker Arc extension](https://github.com/Azure-Samples/explore-iot-operations/blob/88ff2f4759acdcb4f752aa23e89b30286ab0cc99/tutorials/mq-realtime-fabric-dashboard/deployEdgeAndCloudResources.bicep#L118)

-* [MQTT broker Broker](https://github.com/Azure-Samples/explore-iot-operations/blob/88ff2f4759acdcb4f752aa23e89b30286ab0cc99/tutorials/mq-realtime-fabric-dashboard/deployEdgeAndCloudResources.bicep#L202)

-* [Kafka north-bound connector and topicmap](https://github.com/Azure-Samples/explore-iot-operations/blob/88ff2f4759acdcb4f752aa23e89b30286ab0cc99/tutorials/mq-realtime-fabric-dashboard/deployEdgeAndCloudResources.bicep#L282)

-* [Azure role-based access assignments](https://github.com/Azure-Samples/explore-iot-operations/blob/88ff2f4759acdcb4f752aa23e89b30286ab0cc99/tutorials/mq-realtime-fabric-dashboard/deployEdgeAndCloudResources.bicep#L379)

-1. The Kafka north-bound connector is [preconfigured in the deployment](https://github.com/Azure-Samples/explore-iot-operations/blob/e4bf8375e933c29c49bfd905090b37caef644135/tutorials/mq-realtime-fabric-dashboard/deployEdgeAndCloudResources.bicep#L331) to pick up messages from the MQTT topic where messages are being published to Event Hubs in the cloud.

-1. After about a minute, confirm the message delivery in Event Hubs metrics.

-## Next steps

-[Upload MQTT data to Microsoft Fabric lakehouse](tutorial-upload-mqtt-lakehouse.md)

-1. In **Target settings**, select the subscription and target region to which you'll migrate. Specify the resource group in which the Azure VMs will reside after migration.

-## Next steps

-The command produces an output file containing the results of the data extract. Users should configure the Cluster resource with a storage account and identity that has access to the storage account to receive the output. There's a deprecated method of sending data to the Cluster Manager storage account if a storage account hasn't been provided on the Cluster. The Cluster Manager's storage account will be disabled in a future release as using a separate storage account is more secure.

-## Create and configure storage resources (customer-managed storage)

-2. In the storage account, create a blob storage container. See [Create a container](/azure/storage/blobs/storage-quickstart-blobs-portal#create-a-container).

-3. Assign the "Storage Blob Data Contributor" role to users and managed identities which need access to the run-data-extract output. See [Assign an Azure role for access to blob data](/azure/storage/blobs/assign-azure-role-data-access?tabs=portal). The role must also be assigned to either a user-assigned managed identity or the cluster's own system-assigned managed identity. For more information on managed identities, see [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).

-When assigning a role to the cluster's system-assigned identity, make sure you select the resource with the type "Cluster (Operator Nexus)."

-## Configure the cluster to use a user-assigned managed identity for storage access

-Use this command to configure the cluster for a user-assigned identity:

-The identity resource ID can be found by clicking "JSON view" on the identity resource; the ID is at the top of the panel that appears. The container URL can be found on the Settings -> Properties tab of the container resource.

-## Configure the cluster to use a system-assigned managed identity for storage access

-Use this command to configure the cluster to use its own system-assigned identity:

-## Clear the cluster's CommandOutputSettings

-## Verify Storage Account access (cluster manager storage)

-If using the deprecated Cluster Manager storage method, verify you have access to the Cluster Manager's storage account

-1. From Azure portal, navigate to Cluster Manager's Storage account.

-1. In the Storage account details, select **Storage browser** from the navigation menu on the left side.

-1. In the Storage browser details, select on **Blob containers**.

-1. If you encounter a `403 This request is not authorized to perform this operation.` while accessing the storage account, storage accountΓÇÖs firewall settings need to be updated to include the public IP address.

-1. Request access by creating a support ticket via Portal on the Cluster Manager resource. Provide the public IP address that requires access.

-This example executes the `hardware-support-data-collection` command and get `SysInfo` and `TTYLog` logs from the Dell Server. The script executes a `racadm supportassist collect` command on the designated baremetal machine. The resulting tar.gz file contains the zipped extract command file outputs in `hardware-support-data-<timestamp>.zip`.

-sequence of `mdatp` commands on the designated baremetal machine.

-## Viewing the Output

-The command provides another command (if using customer provided storage) or a link (if using cluster manager storage) to download the full output. The tar.gz file also contains the zipped extract command file outputs. Download the output file from the storage blob to a local directory by specifying the directory path in the optional argument `--output-directory`.

-> Storage Account could be locked resulting in `403 This request is not authorized to perform this operation.` due to networking or firewall restrictions. Refer to the [customer-managed storage](#create-and-configure-storage-resources-customer-managed-storage) or [cluster manager storage](#verify-storage-account-access-cluster-manager-storage) sections for procedures to verify access.

-There might be situations where a user needs to investigate & resolve issues with an on-premises BMM. Operator Nexus provides the `az networkcloud baremetalmachine run-read-command` so users can run a curated list of read only commands to get information from a BMM.

-The command produces an output file containing its results. Users should configure the Cluster resource with a storage account and identity that has access to the storage account to receive the output. There's a deprecated method of sending data to the Cluster Manager storage account if a storage account hasn't been provided on the Cluster. The Cluster Manager's storage account will be disabled in a future release as using a separate storage account is more secure.

-## Create and configure storage resources (customer-managed storage)

-2. In the storage account, create a blob storage container. See [Create a container](/azure/storage/blobs/storage-quickstart-blobs-portal#create-a-container).

-3. Assign the "Storage Blob Data Contributor" role to users and managed identities which need access to the run-read-command output. See [Assign an Azure role for access to blob data](/azure/storage/blobs/assign-azure-role-data-access?tabs=portal). The role must also be assigned to either a user-assigned managed identity or the cluster's own system-assigned managed identity. For more information on managed identities, see [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).

-When assigning a role to the cluster's system-assigned identity, make sure you select the resource with the type "Cluster (Operator Nexus)."

-## Configure the cluster to use a user-assigned managed identity for storage access

-Use this command to configure the cluster for a user-assigned identity:

-The identity resource ID can be found by clicking "JSON view" on the identity resource; the ID is at the top of the panel that appears. The container URL can be found on the Settings -> Properties tab of the container resource.

-## Configure the cluster to use a system-assigned managed identity for storage access

-Use this command to configure the cluster to use its own system-assigned identity:

-## Clear the cluster's CommandOutputSettings

-The CommandOutputSettings can be cleared, directing run-read-command output back to the cluster manager's storage. However, it isn't recommended since it's less secure, and the option will be removed in a future release.

-## Verify Storage Account access (cluster manager storage)

-If using the deprecated Cluster Manager storage method, verify you have access to the Cluster Manager's storage account

-1. From Azure portal, navigate to Cluster Manager's Storage account.

-1. In the Storage account details, select **Storage browser** from the navigation menu on the left side.

-1. In the Storage browser details, select on **Blob containers**.

-1. If you encounter a `403 This request is not authorized to perform this operation.` while accessing the storage account, storage accountΓÇÖs firewall settings need to be updated to include the public IP address.

-1. Request access by creating a support ticket via Portal on the Cluster Manager resource. Provide the public IP address that requires access.

-baremetal host, such as `ipmitool` and `racadm`.

-## Checking command status and viewing output

-## How to view the output of an `az networkcloud baremetalmachine run-read-command` in the Cluster Manager Storage account

-This guide walks you through accessing the output file that is created in the Cluster Manager Storage account when an `az networkcloud baremetalmachine run-read-command` is executed on a server. The name of the file is identified in the `az rest` status output.

-1. Open the Cluster Manager Managed Resource Group for the Cluster where the server is housed and then select the **Storage account**.

-1. In the Storage account details, select **Storage browser** from the navigation menu on the left side.

-1. In the Storage browser details, select on **Blob containers**.

-1. Select the baremetal-run-command-output blob container.

-1. Storage Account could be locked resulting in `403 This request is not authorized to perform this operation.` due to networking or firewall restrictions. Refer to the [customer-managed storage](#create-and-configure-storage-resources-customer-managed-storage) or [cluster manager storage](#verify-storage-account-access-cluster-manager-storage) sections for procedures to verify access.

-1. Select the output file from the run-read command. The file name can be identified from the `az rest --method get` command. Additionally, the **Last modified** timestamp aligns with when the command was executed.

-1. You can manage & download the output file from the **Overview** pop-out.

-The Azure API Management service supports [zone redundancy](../reliability/availability-zones-overview.md), which provides resiliency and high availability to a service instance in a specific Azure region. With zone redundancy, the gateway and the control plane of your API Management instance (management API, developer portal, Git configuration) are replicated across datacenters in physically separated zones, so they're resilient to a zone failure.

-This article describes four options for migrating an API Management instance to availability zones. For background about configuring API Management for high availability, see [Ensure API Management availability and reliability](../api-management/high-availability.md).

-* To configure API Management for zone redundancy, your instance must be in one of the [Azure regions that support availability zones](availability-zones-service-support.md#azure-regions-with-availability-zone-support).

-* When you're migrating an API Management instance that's deployed in an external or internal virtual network to availability zones, you must specify a new public IP address resource. In an internal virtual network, the public IP address is used only for management operations, not for API requests. [Learn more about IP addresses of API Management](../api-management/api-management-howto-ip-addresses.md).

-* When you're enabling availability zones in a region, you configure API Management scale [units](../api-management/upgrade-and-scale.md) that you can distribute evenly across the zones. For example, if you configure two zones, you can configure two units, four units, or another multiple of two units.

-* If you configured autoscaling for your API Management instance in the primary location, you might need to adjust your autoscale settings after enabling zone redundancy. The number of API Management units in autoscale rules and limits must be a multiple of the number of zones.

-1. Create a new subnet and public IP address in the location to migrate to availability zones. Detailed requirements are in the [virtual networking guidance](../api-management/api-management-using-with-vnet.md?tabs=stv2#prerequisites).

-1. In the respective boxes under **Network**, select the new subnet and new public IP address in the location.

-1. Create a new subnet and public IP address in the location to migrate to availability zones. Detailed requirements are in the [virtual networking guidance](../api-management/api-management-using-with-vnet.md?tabs=stv2#prerequisites).

-1. In the **Public IP Address** box, select the new public IP address in the location.

-1. If your API Management instance is deployed in a virtual network in the primary location, set up a [virtual network](../api-management/api-management-using-with-vnet.md?tabs=stv2), subnet, and public IP address in any new location where you plan to enable zone redundancy.

-1. If your API Management instance is deployed in a virtual network, use the boxes under **Network** to select the virtual network, subnet, and public IP address that are available in the location.

-When you open Microsoft Sentinel, you are presented with a list of all the workspaces to which you have access rights, across all selected tenants and subscriptions. To the left of each workspace name is a checkbox. Selecting the name of a single workspace will bring you into that workspace. To choose multiple workspaces, select all the corresponding checkboxes, and then select the **View incidents** button at the top of the page.

-Note that in the list of workspaces, you can see the directory, subscription, location, and resource group associated with each workspace. The directory corresponds to the tenant.

-If you've determined and set up your environment to extend across workspaces, you can:

-Other components within Azure can occasionally have service issues. For example, when a system that Service Bus uses is being upgraded, that system can temporarily experience reduced capabilities. To work around these types of issues, Service Bus regularly investigates and implements mitigations. Side effects of these mitigations do appear. For example, to handle transient issues with storage, Service Bus implements a system that allows message send operations to work consistently. Due to the nature of the mitigation, a sent message can take up to 15 minutes to appear in the affected queue or subscription and be ready for a receive operation. Generally speaking, most entities will not experience this issue. However, given the number of entities in Service Bus within Azure, this mitigation is sometimes needed for a small subset of Service Bus customers.

-[Configure Elastic SAN networking](elastic-san-networking.md)

-description: Learn how to control access to Azure Files by assigning share-level permissions to a Microsoft Entra identity that represents a hybrid user to control user access to Azure file shares with identity-based authentication.

-Share-level permissions on Azure file shares are configured for Microsoft Entra users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs). You must assign share-level permissions to the Microsoft Entra identity representing the same user, group, or service principal in your AD DS in order to support AD DS authentication to your Azure file share. Authentication and authorization against identities that only exist in Microsoft Entra ID, such as Azure Managed Identities (MSIs), aren't supported.

-There are three scenarios where we instead recommend using a [default share-level permission](#share-level-permissions-for-all-authenticated-identities) to allow contributor, elevated contributor, or reader access to all authenticated identities:

- - This is typical when you're managing multi-tenant environments. Using a default share-level permission allows you to bypass the requirement for a Microsoft Entra ID [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md). You can still use Windows ACLs on your files and directories for granular permission enforcement.

-> [!NOTE]

-> Because computer accounts don't have an identity in Microsoft Entra ID, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a [default share-level permission](#share-level-permissions-for-all-authenticated-identities).

-## Share-level permissions and Azure RBAC roles

-The following table lists the share-level permissions and how they align with the built-in Azure RBAC roles:

-|Supported built-in roles |Description |

-> The share-level permissions will take up to three hours to take effect once completed. Please wait for the permissions to sync before connecting to your file share using your credentials.

-1. In the Azure portal, go to your file share, or [create a file share](storage-how-to-create-file-share.md).

-1. In the **Add role assignment** blade, select the [appropriate built-in role](#share-level-permissions-and-azure-rbac-roles) from the **Role** list.

- 1. Storage File Data SMB Share Reader

- 1. Storage File Data SMB Share Contributor

- 1. Storage File Data SMB Share Elevated Contributor

-The following CLI 2.0 command assigns an Azure role to a Microsoft Entra identity, based on sign-in name. For more information about assigning Azure roles with Azure CLI, see [Add or remove Azure role assignments using the Azure CLI](../../role-based-access-control/role-assignments-cli.md).

-#Assign the built-in role to the target identity: Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor, Storage File Data SMB Share Elevated Contributor

-1. Select the appropriate role to be enabled as the default [share permission](#share-level-permissions-and-azure-rbac-roles) from the dropdown list.

-## Azure RBAC permissions

-The following table contains the Azure RBAC permissions related to this configuration. If you're using Azure Storage Explorer, you'll also need the [Reader and Data Access](../../role-based-access-control/built-in-roles.md#reader-and-data-access) role in order to read/access the file share.

-| Share-level permission (built-in role) | NTFS permission | Resulting access |

-||||

-|Storage File Data SMB Share Reader | Full control, Modify, Read, Write, Execute | Read & execute |

-| | Read | Read |

-|Storage File Data SMB Share Contributor | Full control | Modify, Read, Write, Execute |

-| | Modify | Modify |

-| | Read & execute | Read & execute |

-| | Read | Read |

-| | Write | Write |

-|Storage File Data SMB Share Elevated Contributor | Full control | Modify, Read, Write, Edit (Change permissions), Execute |

-| | Modify | Modify |

-| | Read & execute | Read & execute |

-| | Read | Read |

-| | Write | Write |

-> This setup works for newly created file shares because any new file/directory will inherit the configured root permission. For file shares migrated along with existing ACLs, or if you migrate any on premises file/directory with existing permissions in a new fileshare, this approach might not work because the migrated files don't inherit the configured root ACL.

-Before you configure Windows ACLs, you must first mount the file share by using your storage account key. To do this, log into a domain-joined device, open a Windows command prompt, and run the following command. Remember to replace `<YourStorageAccountName>`, `<FileShareName>`, and `<YourStorageAccountKey>` with your own values. If Z: is already in use, replace it with an available drive letter. You can find your storage account key in the Azure portal by navigating to the storage account and selecting **Security + networking** > **Access keys**, or you can use the `Get-AzStorageAccountKey` PowerShell cmdlet.

-> [!IMPORTANT]

-> If your environment has multiple AD DS forests, don't use Windows Explorer to configure ACLs. Use icacls instead.

-To grant full permissions to all directories and files under the file share, including the root directory, run the following Windows command from a machine that has line-of-sight to the AD domain controller. Remember to replace the placeholder values in the example with your own values.

-If you're logged on to a domain-joined Windows client, you can use Windows File Explorer to grant full permission to all directories and files under the file share, including the root directory. If your client isn't domain-joined, [use icacls](#configure-windows-acls-with-icacls) for configuring Windows ACLs.

-1. Open Windows File Explorer and right click on the file/directory and select **Properties**.

-1. In the prompt window for adding new users, enter the target username you want to grant permissions to in the **Enter the object names to select** box, and select **Check Names** to find the full UPN name of the target user.

-Now that you've enabled and configured identity-based authentication with AD DS, you can [mount a file share](storage-files-identity-ad-ds-mount-file-share.md).

-description: Learn how to mount an SMB Azure file share using your on-premises Active Directory Domain Services (AD DS) credentials.

-# Mount an Azure file share

-Before you begin this article, make sure you've read [configure directory and file-level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md).

-The process described in this article verifies that your SMB file share and access permissions are set up correctly and that you can mount your SMB Azure file share. Remember that share-level role assignment can take some time to take effect.

-Sign in to the client using the credentials of the identity that you granted permissions to.

-Run the PowerShell script below or [use the Azure portal](storage-files-quick-create-use-windows.md#map-the-azure-file-share-to-a-windows-drive) to persistently mount the Azure file share and map it to drive Z: on Windows. If Z: is already in use, replace it with an available drive letter. The script will check to see if this storage account is accessible via TCP port 445, which is the port SMB uses. Remember to replace the placeholder values with your own values. For more information, see [Use an Azure file share with Windows](storage-how-to-use-files-windows.md).

-Non-domain-joined VMs or VMs that are joined to a different AD domain than the storage account can access Azure file shares if they have unimpeded network connectivity to the domain controllers and provide explicit credentials (username and password). The user accessing the file share must have an identity and credentials in the AD domain that the storage account is joined to.

-> Azure Files doesn't support SID to UPN translation for users and groups from a non-domain joined VM or a VM joined to a different domain via Windows File Explorer. If you want to view file/directory owners or view/modify NTFS permissions via Windows File Explorer, you can do so only from domain joined VMs.

-1. Make sure you've set up identity-based authentication and synced your AD user account(s) to Microsoft Entra ID.

-description: Learn how to enable identity-based authentication over Server Message Block (SMB) for Azure Files through Microsoft Entra Domain Services. Your domain-joined Windows VMs can then access Azure file shares by using Microsoft Entra credentials.

-This article focuses on enabling and configuring Microsoft Entra Domain Services (formerly Azure Active Directory Domain Services) for identity-based authentication with Azure file shares. In this authentication scenario, Microsoft Entra credentials and Microsoft Entra Domain Services credentials are the same and can be used interchangeably.

-We strongly recommend that you review the [How it works section](./storage-files-active-directory-overview.md#how-it-works) to select the right AD source for authentication. The setup is different depending on the AD source you choose.

-Before you enable Microsoft Entra Domain Services authentication over SMB for Azure file shares, verify that your Microsoft Entra ID and Azure Storage environments are properly configured. We recommend that you walk through the [prerequisites](#prerequisites) to make sure you've completed all the required steps.

-Follow these steps to grant access to Azure Files resources with Microsoft Entra credentials:

-1. Enable Microsoft Entra Domain Services authentication over SMB for your storage account to register the storage account with the associated Microsoft Entra Domain Services deployment.

-1. Assign share-level permissions to a Microsoft Entra identity (a user, group, or service principal).

-1. Connect to your Azure file share using a storage account key and configure Windows access control lists (ACLs) for directories and files.

-1. Mount an Azure file share from a domain-joined VM.

-## Assign share-level permissions

-To access Azure Files resources with identity-based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity. **We highly recommend assigning permissions by declaring actions and data actions explicitly as opposed to using the wildcard (\*) character.**

-Most users should assign share-level permissions to specific Microsoft Entra users or groups, and then [configure Windows ACLs](#configure-windows-acls) for granular access control at the directory and file level. However, alternatively you can set a [default share-level permission](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities) to allow contributor, elevated contributor, or reader access to **all authenticated identities**.

-There are five Azure built-in roles for Azure Files, some of which allow granting share-level permissions to users and groups:

-> [!IMPORTANT]

-> Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Administrative control isn't supported with Microsoft Entra credentials.

-You can use the Azure portal, PowerShell, or Azure CLI to assign the built-in roles to the Microsoft Entra identity of a user for granting share-level permissions. Be aware that the share-level Azure role assignment can take some time to take effect. We recommend using share-level permission for high-level access management to an AD group representing a group of users and identities, then leverage Windows ACLs for granular access control at the directory/file level.

-<a name='assign-an-azure-role-to-an-azure-ad-identity'></a>

-### Assign an Azure role to a Microsoft Entra identity

-> [!IMPORTANT]

-> **Assign permissions by explicitly declaring actions and data actions as opposed to using a wildcard (\*) character.** If a custom role definition for a data action contains a wildcard character, all identities assigned to that role are granted access for all possible data actions. This means that all such identities will also be granted any new data action added to the platform. The additional access and permissions granted through new actions or data actions may be unwanted behavior for customers using wildcard.

-# [Portal](#tab/azure-portal)

-To assign an Azure role to a Microsoft Entra identity using the [Azure portal](https://portal.azure.com), follow these steps:

-1. In the Azure portal, go to your file share, or [Create a file share](storage-how-to-create-file-share.md).

-2. Select **Access Control (IAM)**.

-3. Select **Add a role assignment**

-4. In the **Add role assignment** blade, select the appropriate built-in role (for example, Storage File Data SMB Share Reader or Storage File Data SMB Share Contributor) from the **Role** list. Leave **Assign access to** at the default setting: **Microsoft Entra user, group, or service principal**. Select the target Microsoft Entra identity by name or email address.

-5. Select **Review + assign** to complete the role assignment.

-# [PowerShell](#tab/azure-powershell)

-The following PowerShell sample shows how to assign an Azure role to a Microsoft Entra identity, based on sign-in name. For more information about assigning Azure roles with PowerShell, see [Manage access using RBAC and Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md).

-Before you run the following sample script, remember to replace placeholder values, including brackets, with your own values.

-```powershell

-#Get the name of the custom role

-$FileShareContributorRole = Get-AzRoleDefinition "<role-name>" #Use one of the built-in roles: Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor, Storage File Data SMB Share Elevated Contributor

-#Constrain the scope to the target file share

-$scope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/fileServices/default/fileshares/<share-name>"

-#Assign the custom role to the target identity with the specified scope.

-New-AzRoleAssignment -SignInName <user-principal-name> -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope

-```

-# [Azure CLI](#tab/azure-cli)

-

-The following command shows how to assign an Azure role to a Microsoft Entra identity based on sign-in name. For more information about assigning Azure roles with Azure CLI, see [Manage access by using RBAC and Azure CLI](../../role-based-access-control/role-assignments-cli.md).

-Before you run the following sample script, remember to replace placeholder values, including brackets, with your own values.

-```azurecli-interactive

-#Assign the built-in role to the target identity: Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor, Storage File Data SMB Share Elevated Contributor

-az role assignment create --role "<role-name>" --assignee <user-principal-name> --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/fileServices/default/fileshares/<share-name>"

-```

-## Configure Windows ACLs

-After you assign share-level permissions with RBAC, you can assign Windows ACLs at the root, directory, or file level. Think of share-level permissions as the high-level gatekeeper that determines whether a user can access the share, whereas Windows ACLs act at a more granular level to determine what operations the user can do at the directory or file level.

-Azure Files supports the full set of basic and advanced permissions. You can view and configure Windows ACLs on directories and files in an Azure file share by mounting the share and then using Windows File Explorer or running the Windows [icacls](/windows-server/administration/windows-commands/icacls) or [Set-ACL](/powershell/module/microsoft.powershell.security/set-acl) command.

-The following sets of permissions are supported on the root directory of a file share:

-For more information, see [Configure directory and file-level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md).

-### Mount the file share using your storage account key

-Before you configure Windows ACLs, you must first mount the file share to your domain-joined VM by using your storage account key. To do this, log into the domain-joined VM as a Microsoft Entra user, open a Windows command prompt, and run the following command. Remember to replace `<YourStorageAccountName>`, `<FileShareName>`, and `<YourStorageAccountKey>` with your own values. If Z: is already in use, replace it with an available drive letter. You can find your storage account key in the Azure portal by navigating to the storage account and selecting **Security + networking** > **Access keys**, or you can use the `Get-AzStorageAccountKey` PowerShell cmdlet.

-It's important that you use the `net use` Windows command to mount the share at this stage and not PowerShell. If you use PowerShell to mount the share, then the share won't be visible to Windows File Explorer or cmd.exe, and you won't be able to configure Windows ACLs.

-> [!NOTE]

-> You might see the **Full Control** ACL applied to a role already. This typically already offers the ability to assign permissions. However, because there are access checks at two levels (the share level and the file/directory level), this is restricted. Only users who have the **SMB Elevated Contributor** role and create a new file or directory can assign permissions on those new files or directories without using the storage account key. All other file/directory permission assignment requires connecting to the share using the storage account key first.

-```

-net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:localhost\<YourStorageAccountName> <YourStorageAccountKey>

-```

-### Configure Windows ACLs with Windows File Explorer

-After you've mounted your Azure file share, you must configure the Windows ACLs. You can do this using either Windows File Explorer or icacls.

-Follow these steps to use Windows File Explorer to grant full permission to all directories and files under the file share, including the root directory.

-1. Open Windows File Explorer and right click on the file/directory and select **Properties**.

-1. Select the **Security** tab.

-1. Select **Edit** to change permissions.

-1. You can change the permissions of existing users or select **Add** to grant permissions to new users.

-1. In the prompt window for adding new users, enter the target user name you want to grant permission to in the **Enter the object names to select** box, and select **Check Names** to find the full UPN name of the target user.

-1. Select **OK**.

-1. In the **Security** tab, select all permissions you want to grant your new user.

-1. Select **Apply**.

-### Configure Windows ACLs with icacls

-Use the following Windows command to grant full permissions to all directories and files under the file share, including the root directory. Remember to replace the placeholder values in the example with your own values.

-```

-icacls <mounted-drive-letter>: /grant <user-email>:(f)

-```

-For more information on how to use icacls to set Windows ACLs and the different types of supported permissions, see [the command-line reference for icacls](/windows-server/administration/windows-commands/icacls).

-## Mount the file share from a domain-joined VM

-The following process verifies that your file share and access permissions were set up correctly and that you can access an Azure file share from a domain-joined VM. Be aware that the share-level Azure role assignment can take some time to take effect.

-Sign in to the domain-joined VM using the Microsoft Entra identity to which you granted permissions. Be sure to sign in with Microsoft Entra credentials. If the drive is already mounted with the storage account key, you'll need to disconnect the drive or sign in again.

-Run the PowerShell script below or [use the Azure portal](storage-files-quick-create-use-windows.md#map-the-azure-file-share-to-a-windows-drive) to persistently mount the Azure file share and map it to drive Z: on Windows. If Z: is already in use, replace it with an available drive letter. Because you've been authenticated, you won't need to provide the storage account key. The script will check to see if this storage account is accessible via TCP port 445, which is the port SMB uses. Remember to replace `<storage-account-name>` and `<file-share-name>` with your own values. For more information, see [Use an Azure file share with Windows](storage-how-to-use-files-windows.md).

-Unless you're using [custom domain names](storage-files-identity-ad-ds-mount-file-share.md#mount-file-shares-using-custom-domain-names), you should mount Azure file shares using the suffix `file.core.windows.net`, even if you set up a private endpoint for your share.

-```powershell

-$connectTestResult = Test-NetConnection -ComputerName <storage-account-name>.file.core.windows.net -Port 445

-if ($connectTestResult.TcpTestSucceeded) {

- cmd.exe /C "cmdkey /add:`"<storage-account-name>.file.core.windows.net`" /user:`"localhost\<storage-account-name>`""

- New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\<file-share-name>" -Persist -Scope global

-} else {

- Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."

-}

-```

-You can also use the `net-use` command from a Windows prompt to mount the file share. Remember to replace `<YourStorageAccountName>` and `<FileShareName>` with your own values.

-```

-net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName>

-```

-## Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain

-Non-domain-joined VMs or VMs that are joined to a different domain than the storage account can access Azure file shares using Microsoft Entra Domain Services authentication only if the VM has unimpeded network connectivity to the domain controllers for Microsoft Entra Domain Services, which are located in Azure. This usually requires setting up a site-to-site or point-to-site VPN. The user accessing the file share must have an identity (a Microsoft Entra identity synced from Microsoft Entra ID to Microsoft Entra Domain Services) in the Microsoft Entra Domain Services managed domain, and must provide explicit credentials (username and password).

-To mount a file share from a non-domain-joined VM, the user must either:

-Using one of these approaches will allow the client to contact the domain controller in the Microsoft Entra Domain Services domain to request and receive Kerberos tickets.

-For example:

-```

-net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:<DOMAINNAME\username>

-```

-or

-```

-net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:<username@domainFQDN>

-```

-## Next steps

-To grant additional users access to your file share, follow the instructions in [Assign share-level permissions](#assign-share-level-permissions) and [Configure Windows ACLs](#configure-windows-acls).

-For more information about identity-based authentication for Azure Files, see these resources:

-When you enable identity-based access, you can set for each share which users and groups have access to that particular share. Once a user is allowed into a share, Windows ACLs (also called NTFS permissions) on individual files and directories take over. This allows for fine-grained control over permissions, similar to an SMB share on a Windows server.

-Once share-level permissions are in place, you can assign directory/file-level permissions to the user or group. **This requires using a device with unimpeded network connectivity to an on-premises AD**. To use Windows File Explorer, the device also needs to be domain-joined.

-There are two options for configuring directory and file-level permissions with Microsoft Entra Kerberos authentication:

-To configure directory and file-level permissions through Windows File Explorer, you also need to specify domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or from an on-premises AD-joined client. If you prefer to configure using icacls, this step isn't required.

-> [!IMPORTANT]

-> You can set file/directory level ACLs for identities which aren't synced to Microsoft Entra ID. However, these ACLs won't be enforced because the Kerberos ticket used for authentication/authorization won't contain these not-synced identities. In order to enforce set ACLs, identities must be synced to Microsoft Entra ID.

-> [!TIP]

-> If Microsoft Entra hybrid joined users from two different forests will be accessing the share, it's best to use icacls to configure directory and file-level permissions. This is because Windows File Explorer ACL configuration requires the client to be domain joined to the Active Directory domain that the storage account is joined to.

-When you enable identity-based access, you can set for each share which users and groups have access to that particular share. Once a user is allowed into a share, Windows ACLs (also called NTFS permissions) on individual files and directories take over. This allows for fine-grained control over permissions, similar to an SMB share on a Windows server.

-Once share-level permissions are in place, you can assign directory/file-level permissions to the user or group. **This requires using a device with unimpeded network connectivity to an on-premises AD**. To use Windows File Explorer, the device also needs to be domain-joined.

-There are two options for configuring directory and file-level permissions with Microsoft Entra Kerberos authentication:

-To configure directory and file-level permissions through Windows File Explorer, you also need to specify domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or from an on-premises AD-joined client. If you prefer to configure using icacls, this step isn't required.

-> [!IMPORTANT]

-> You can set file/directory level ACLs for identities which aren't synced to Microsoft Entra ID. However, these ACLs won't be enforced because the Kerberos ticket used for authentication/authorization won't contain these not-synced identities. In order to enforce set ACLs, identities must be synced to Microsoft Entra ID.

-> [!TIP]

-> If Microsoft Entra hybrid joined users from two different forests will be accessing the share, it's best to use icacls to configure directory and file-level permissions. This is because Windows File Explorer ACL configuration requires the client to be domain joined to the Active Directory domain that the storage account is joined to.

-For more information, see these resources:

-| Production | 1.0.9103.3700 |