-# How to use additional context in Microsoft Authenticator notifications (Preview) - Authentication methods policy

-https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

-GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

-# How to use number matching in multifactor authentication (MFA) notifications (Preview) - Authentication methods policy

->Number matching is a key security upgrade to traditional second factor notifications in the Authenticator app that will be enabled by default for all tenants a few months after general availability (GA).<br>

-Number matching will be available in Azure Government two weeks after General Availability. Number matching isn't supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.

-When a user goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification.

-1. On the **Configure** tab, for **Require number matching for push notifications (Preview)**, change **Status** to **Enabled**, choose who to include or exclude from number matching, and click **Save**.

-| `login_hint` | Login hint | JWT | MSA, Azure AD | An opaque, reliable login hint claim. This claim is the best value to use for the `login_hint` OAuth parameter in all flows to get SSO. It can be passed between applications to help them silently SSO as well - application A can sign in a user, read the `login_hint` claim, and then send the claim and the current tenant context to application B in the query string or fragment when the user selects on a link that takes them to application B. To avoid race conditions and reliability issues, the `login_hint` claim *doesn't* include the current tenant for the user, and defaults to the user's home tenant when used. If you're operating in a guest scenario where the user is from another tenant, you must provide a tenant identifier in the sign-in request, and pass the same to apps you partner with. This claim is intended for use with your SDK's existing `login_hint` functionality, however that it exposed. |

-> | Angular | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call .NET Core web API](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>&#8226; [Call .NET Core web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/7-AdvancedScenarios/1-call-api-obo/README.md)<br/>&#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>&#8226; [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/4-Deployment/README.md)| MSAL Angular | &#8226; Authorization code with PKCE<br/>&#8226; On-behalf-of (OBO) |

-With Azure AD [B2B collaboration](what-is-b2b.md), you can invite anyone to collaborate with your organization using their own work, school, or social account. In this quickstart, you'll learn how to add a new guest user to your Azure AD directory in the Azure portal. You'll also send an invitation and see what the guest user's invitation redemption process looks like. In addition to this quickstart, you can learn more about adding guest users [in the Azure portal](add-users-administrator.md), via [PowerShell](b2b-quickstart-invite-powershell.md), or [in bulk](tutorial-bulk-invite.md).

- 

- 

-1. Select **New guest user**.

- 

- 

- 

- 

- 

-|employeeLeaveDateTime|DateTimeOffset|Yes|Not currently|Not currently|

-> To take advantaged of leaver scenarios, you can set the employeeLeaveDateTime manually for cloud-only users. For more information, see: [Configure the employeeLeaveDateTime property for a user](/graph/tutorial-lifecycle-workflows-set-employeeleavedatetime)

- "continueOnError": true,

- "continueOnError": true,

- "continueOnError": true,

- "continueOnError": true,

- "continueOnError": true,

- "continueOnError": true,

- "continueOnError": true,

- "continueOnError": true,

- "continueOnError": true,

- "continueOnError": true,

-Ideally, you want your Azure Active Directory (Azure AD) tenant to be in a secure and healthy state. However, trying to keep your knowledge regarding the management of the various components in your tenant up to date can become overwhelming.

-This is where Azure AD recommendations can help you.

-This article gives you an overview of how you can use Azure AD recommendations.

-The [Azure Advisor](../../advisor/advisor-overview.md) is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, Reliability (formerly called High availability), and security of your Azure resources.

-Azure AD recommendations:

-## Recommendation object

-Azure AD tracks the status of a recommendation in a related object. This object includes attributes that are used to characterize the recommendation and a body to store the actionable guidance.

-Each object is characterized by:

- - A recommendation is marked as CompletedByUser if you mark the recommendation as complete.

- - A recommendation is marked as CompletedBySystem if a recommendation that did once apply is no longer applicable to you because you have taken the necessary steps.

-

-

-The body of a recommendation object contains the actionable guidance:

-On a daily basis, Azure AD analyzes the configuration of your tenant. During an analysis, Azure AD compares the data of the known recommendations with the actual configuration. If a recommendation is flagged as applicable to your tenant, the recommendation status and its corresponding resources are marked as active.

-In the recommendations or resource list, you can use the **Status** information to determine your action item.

-As an administrator, you should review your tenant's recommendations, and their associated resources periodically.

-### Dismiss

-If you don't like a recommendation, or if you have another reason for not applying it, you can dismiss it. In this case, Azure AD asks you for a reason for dismissing a recommendation.

-

-### Mark as complete

-Use this state to indicate that you have:

-A recommendation or resource that has been marked as complete is again evaluated when Azure AD compares the available recommendations with your current configuration.

-### Postpone

-Postpone a recommendation or resource to address it in the future. The recommendation or resource will be marked as Active again when the date that the recommendation or resource is postponed to occurs.

-### Reactivate

-Accidentally dismissed, completed, or postponed a recommendation or resource. Mark it as active again to keep it top of mind.

-## Common tasks

-### Enable recommendations

-To enable your Azure AD recommendations:

-1. Navigate to the **[Preview features](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PreviewHub)** page.

-2. Set the **State** to **On**.

- 

-### Manage recommendations

-To manage your Azure AD recommendations:

-1. Navigate to the [Azure AD overview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) page.

-2. On the Azure AD overview page, in the toolbar, click **Recommendations (Preview)**.

-

- 

-### Update the status of a resource

-To update the status of a resource, you have to right click a resource to bring up the edit menu.

-## Who can access it?

-The Azure AD recommendations feature supports all editions of Azure AD. In other words, there is no specific subscription or license required to use this feature.

-To (re-) view your recommendations, you need to be:

-To manage your recommendations, you need to be:

-## What you should know

-**Right now:**

- > When auto­assign licenses is not enabled, it means that only user data is synced.

- > When auto­license assignment is enabled, you need to note the application instance and license type. Licenses are assigned on a first come, first serve basis until all the licenses are taken.

- * You should see a success notification on the upper­right side of

-* Currently, there are only containerd shims available for [spin][spin] and [slight][slight] applications, which use the [wasmtime][wasmtime] runtime. In addition to wasmtime runtime applications, you can also run containers on WASI/WASM node pools.

-The `validate-jwt` policy enforces existence and validity of a JSON web token (JWT) extracted from a specified HTTP header, extracted from a specified query parameter, or matching a specific value. The JSON Web Key Set (JWKS) is cached and is not fetched on each request. Automatic metadata refresh occurs once per hour. If retrieval fails, it will be refreshed in five minutes.

-| openid-config | The element used for specifying a compliant Open ID configuration endpoint from which signing keys and issuer can be obtained. | No |

-| url | Open ID configuration endpoint URL from where Open ID configuration metadata can be obtained. The response should be according to specs as defined at URL:`https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. For Azure Active Directory use the following URL: `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` substituting your directory tenant name, e.g. `contoso.onmicrosoft.com`. | Yes | N/A |

-This allows us to use a standalone collector with the Prometheus exporter being exposed on port `8889`. To expose the Prometheus metrics, we are asking the Helm chart to configure a ┬┤LoadBalancer` service.

-## Namespace

-Kubernetes [namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) help with dividing a single cluster among multiple teams, projects, or applications. Namespaces provide a scope for resources and names. They can be associated with a resource quota and access control policies.

-The Azure portal provides commands to create self-hosted gateway resources in the **default** namespace. This namespace is automatically created, exists in every cluster, and can't be deleted.

-Consider [creating and deploying](https://www.kubernetesbyexample.com/) a self-hosted gateway into a separate namespace in production.

-## Number of replicas

-The minimum number of replicas suitable for production is three, preferably combined with [high-available scheduling of the instances](#high-availability).

-By default, a self-hosted gateway is deployed with a **RollingUpdate** deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy). Review the default values and consider explicitly setting the [maxUnavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) and [maxSurge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge) fields, especially when you're using a high replica count.

-## Container resources

-By default, the YAML file provided in the Azure portal doesn't specify container resource requests.

-It's impossible to reliably predict and recommend the amount of per-container CPU and memory resources and the number of replicas required for supporting a specific workload. Many factors are at play, such as:

-We recommend setting resource requests to two cores and 2 GiB as a starting point. Perform a load test and scale up/out or down/in based on the results.

-## DNS policy

-DNS name resolution plays a critical role in a self-hosted gateway's ability to connect to dependencies in Azure and dispatch API calls to backend services.

-The YAML file provided in the Azure portal applies the default [ClusterFirst](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) policy. This policy causes name resolution requests not resolved by the cluster DNS to be forwarded to the upstream DNS server that's inherited from the node.

-To learn about name resolution in Kubernetes, see the [Kubernetes website](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service). Consider customizing [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) or [DNS configuration](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-config) as appropriate for your setup.

-## External traffic policy

-The YAML file provided in the Azure portal sets `externalTrafficPolicy` field on the [Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#service-v1-core) object to `Local`. This preserves caller IP address (accessible in the [request context](api-management-policy-expressions.md#ContextVariables)) and disables cross node load balancing, eliminating network hops caused by it. Be aware, that this setting might cause asymmetric distribution of traffic in deployments with unequal number of gateway pods per node.

-## Configuration backup

-Configure a local storage volume for the self-hosted gateway container, so it can persist a backup copy of the latest downloaded configuration. If connectivity is down, the storage volume can use the backup copy upon restart. The volume mount path must be `/apim/config` and must be owned by group ID `1001`. See an example on [GitHub](https://github.com/Azure/api-management-self-hosted-gateway/blob/master/examples/self-hosted-gateway-with-configuration-backup.yaml).

-To learn about storage in Kubernetes, see the [Kubernetes website](https://kubernetes.io/docs/concepts/storage/volumes/).

-To change ownership for a mounted path, see the `securityContext.fsGroup` setting on the [Kubernetes website](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod).

-> [!NOTE]

-> To learn about self-hosted gateway behavior in the presence of a temporary Azure connectivity outage, see [Self-hosted gateway overview](self-hosted-gateway-overview.md#connectivity-to-azure).

-## Local logs and metrics

-The self-hosted gateway sends telemetry to [Azure Monitor](api-management-howto-use-azure-monitor.md) and [Azure Application Insights](api-management-howto-app-insights.md) according to configuration settings in the associated API Management service.

-When [connectivity to Azure](self-hosted-gateway-overview.md#connectivity-to-azure) is temporarily lost, the flow of telemetry to Azure is interrupted and the data is lost for the duration of the outage.

-Consider [setting up local monitoring](how-to-configure-local-metrics-logs.md) to ensure the ability to observe API traffic and prevent telemetry loss during Azure connectivity outages.

-## HTTP(S) proxy

-The self-hosted gateway provides support for HTTP(S) proxy by using the traditional `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables.

-Once configured, the self-hosted gateway will automatically use the proxy for all outbound HTTP(S) requests to the backend services.

-Starting with version 2.1.5 or above, the self-hosted gateway provides observability related to request proxying:

-> [!Warning]

-> Ensure that the [infrastructure requirements](self-hosted-gateway-overview.md#fqdn-dependencies) have been met and that the self-hosted gateway can still connect to them or certain functionality will not work properly.

-This guide shows how to mount Azure Storage as a network share in a built-in Linux container or a custom Linux container in App Service. See the video [how to mount Azure Storage as a local share](https://www.youtube.com/watch?v=OJkvpWYr57Y). The benefits of custom-mounted storage include:

-## 6. Prepare your configurations

-## 7. Migrate to App Service Environment v3

-## 5. Choose your configurations

-## 6. Migrate to App Service Environment v3

-> [Custom domain suffix](./how-to-custom-domain-suffix.md)

-* **Security and compliance** - App Service is [ISO, SOC, and PCI compliant](https://www.microsoft.com/en-us/trustcenter). Authenticate users with [Azure Active Directory](configure-authentication-provider-aad.md), [Google](configure-authentication-provider-google.md), [Facebook](configure-authentication-provider-facebook.md), [Twitter](configure-authentication-provider-twitter.md), or [Microsoft account](configure-authentication-provider-microsoft.md). Create [IP address restrictions](app-service-ip-restrictions.md) and [manage service identities](overview-managed-identity.md).

-> [Custom container (Windows or Linux)](tutorial-custom-container.md)

-# What is a subdomain takeover?

-Learn more about Subdomain Takeover at [Dangling DNS and subdomain takeover](../security/fundamentals/subdomain-takeover.md).

-Azure App Service provides [Name Reservation](#how-name-reservation-service-works) Service and [domain verification tokens](#domain-verification-token) to prevent subdomain takeovers.

-## How Name Reservation Service works

-Upon deletion of an App Service app, the corresponding DNS is reserved. During the reservation period, re-use of the DNS will be forbidden except for subscriptions belonging to tenant of the subscription originally owning the DNS.

-After the reservation expires, the DNS is free to be claimed by any subscription. By Name Reservation Service, the customer is afforded some time to either clean up any associations/pointers to said DNS or re-claim the DNS in Azure. The DNS name being reserved can be derived by appending 'azurewebsites.net'. Name Reservation Service is enabled by default on Azure App Service and doesn't require additional configuration.

-## Domain verification token

-DNS records should be updated before the site deletion to ensure bad actors can't take over the domain between the period of deletion and re-creation. Be aware that the DNS records take time to propagate.

-To get a domain verification ID, see the [Map a custom domain tutorial](app-service-web-tutorial-custom-domain.md#2-get-a-domain-verification-id)

-* [Azure CLI](/cli/azure/overview). This quickstart requires that you are running the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

-### Additional supported parameters

-* [Form Recognizer quickstart](/azure/applied-ai-services/form-recognizer/how-to-guides/v2-1-sdk-rest-api)

-* **StartRecognizeIdentityDocuments**. Renamed methods and method parameters using **Identity** to replace _Id_ keyword for all related identity documents recognition API functionalities.

-* **begin_recognize_identity_documents** and **begin_recognize_identity_documents_from_url**. Renamed methods and method parameters using **Identity** to replace _Id_ keyword.

-> Applies To: Windows PowerShell 5.1

-Managing hundreds or thousands of servers can be a challenge.

-Customers have provided feedback that the most difficult aspect is actually managing

-[configuration data](/powershell/dsc/configurations/configdata).

-Organizing information across logical constructs like location, type, and environment.

-> [!NOTE]

-> This article refers to a solution that is maintained by the Open Source community.

-> Support is only available in the form of GitHub collaboration, not from Microsoft.

-A community maintained solution named

-[Datum](https://github.com/gaelcolas/Datum)

-has been created to resolve this challenge.

-Datum builds on great ideas from other configuration management platforms

-and implements the same type of solution for PowerShell DSC.

-Information is

-[organized in to text files](https://github.com/gaelcolas/Datum#3-intended-usage)

-based on logical ideas.

-Examples would be:

-This information is organized in the file format you prefer (JSON, Yaml, or PSD1).

-Then cmdlets are provided to generate configuration data files by

-[consolidating the information](https://github.com/gaelcolas/Datum#datum-tree)

-from each file in to single view of a server or server role.

-Once the data files have been generated,

-you can use them with

-[DSC Configuration scripts](/powershell/dsc/configurations/write-compile-apply-configuration)

-to generate MOF files

-and

-[upload the MOF files to Azure Automation](./tutorial-configure-servers-desired-state.md#create-and-upload-a-configuration-to-azure-automation).

-Then register your servers from either

-[on-premises](./automation-dsc-onboarding.md#enable-physicalvirtual-linux-machines)

-or [in Azure](./automation-dsc-onboarding.md#enable-azure-vms)

-to pull configurations.

-To try out Datum, visit the

-[PowerShell Gallery](https://www.powershellgallery.com/packages/datum/)

-and download the solution or click "Project Site"

-to view the

-[documentation](https://github.com/gaelcolas/Datum#2-getting-started--concepts).

-description: In this article, you'll learn about the support matrix for Arc-enabled VMware vSphere including vCenter Server versions supported, network requirements etc.

-# Support matrix for Arc-enabled VMware vSphere (preview)

-This article documents the prerequisites and support requirements for using the [Arc-enabled VMware vSphere (preview)](overview.md) to manage your VMware vSphere VMs through Azure Arc.

-To use Arc-enabled VMware vSphere, you must deploy an Azure Arc resource bridge in your VMware vSphere environment. The resource bridge provides an ongoing connection between your VMware vCenter Server and Azure. Once you've connected your VMware vCenter Server to Azure, components on the resource bridge discover your vCenter inventory. You can enable them in Azure and start performing virtual hardware and guest OS operations on them using Azure Arc.

-## VMware vSphere Requirements

-### Resource bridge resource requirements

-| Microsoft container registry | 443 | https://mcr.microsoft.com | Appliance VM IP and control plane endpoint need outbound connection. | Required to pull container images for installation. |

-| Azure Arc Identity service | 443 | https://*.his.arc.azure.com | Appliance VM IP and control plane endpoint need outbound connection. | Manages identity and access control for Azure resources |

-| Azure Arc configuration service | 443 | https://*.dp.kubernetesconfiguration.azure.com | Appliance VM IP and control plane endpoint need outbound connection. | Used for Kubernetes cluster configuration. |

-| Cluster connect service | 443 | https://*.servicebus.windows.net | Appliance VM IP and control plane endpoint need outbound connection. | Provides cloud-enabled communication to connect on-premises resources with the cloud. |

-| Guest Notification service | 443 | `https://guestnotificationservice.azure.com` | Appliance VM IP and control plane endpoint need outbound connection. | Used to connect on-premises resources to Azure. |

-| SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Host machine, Appliance VM IP and control plane endpoint need outbound connection. | Used when downloading product catalog, product bits, and OS images from SFS. |

-| Resource bridge (appliance) Dataplane service | 443 | https://*.dp.prod.appliances.azure.com | Appliance VM IP and control plane endpoint need outbound connection. | Communicate with resource provider in Azure. |

-| Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, `https://ecpacr.azurecr.io` | Appliance VM IP and control plane endpoint need outbound connection. | Required to pull container images. |

-| Resource bridge (appliance) image download | 80 | *.dl.delivery.mp.microsoft.com | Host machine, Appliance VM IP and control plane endpoint need outbound connection. | Download the Arc resource bridge OS images. |

-| ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IP and control plane endpoint need outbound connection. Runs inside the appliance/mariner OS. | Used periodically to send Microsoft required diagnostic data from control plane nodes. Used when telemetry is coming off Mariner, which would mean any K8s control plane. |

-| Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IP and control plane endpoint need outbound connection. | Used periodically to send Microsoft required diagnostic data from the Azure Stack HCI or Windows Server host. Used when telemetry is coming off Windows like Windows Server or HCI. |

-## Azure permissions required

-Following are the minimum Azure roles required for various operations:

-Any roles with higher permissions such as *Owner/Contributor* role on the same scope, will also allow you to perform all the operations listed above.

-With Arc-enabled VMware vSphere, you can install the Arc connected machine agent on your VMs at scale and use Azure management services on the VMs. There are additional requirements for this capability:

-To enable guest management (install the Arc connected machine agent), ensure

-The officially supported versions of the Windows and Linux operating system for the Azure Connected Machine agent are listed [here](../servers/prerequisites.md#supported-operating-systems). Only x86-64 (64-bit) architectures are supported. x86 (32-bit) and ARM-based architectures, including x86-64 emulation on arm64, aren't supported operating environments.

-* NET Framework 4.6 or later is required. [Download the .NET Framework](/dotnet/framework/install/guide-for-developers).

-* Windows PowerShell 5.1 is required. [Download Windows Management Framework 5.1.](https://www.microsoft.com/download/details.aspx?id=54616).

-* systemd

-* wget (to download the installation script)

-| aka.ms | Used to resolve the download script during installation |

-| download.microsoft.com | Used to download the Windows installation package |

-| packages.microsoft.com | Used to download the Linux installation package |

-| login.windows.net | Azure Active Directory |

-| login.microsoftonline.com | Azure Active Directory |

-| pas.windows.net | Azure Active Directory |

-| management.azure.com | Azure Resource Manager - to create or delete the Arc server resource |

-| *.his.arc.azure.com | Metadata and hybrid identity services |

-| *.guestconfiguration.azure.com | Extension management and guest configuration services |

-| guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios |

-| azgn*.servicebus.windows.net | Notification service for extension and connectivity scenarios |

-| *.servicebus.windows.net | For Windows Admin Center and SSH scenarios |

-| *.blob.core.windows.net | Download source for Azure Arc-enabled servers extensions |

-| dc.services.visualstudio.com | Agent telemetry |

-| Description | Default trigger behavior, which relies on polling the container for updates. For more information, see the [examples in this article](#example). | Consumes blob storage events from an event subscription. Requires a `Source` parameter value of `EventGrid`. For more information, see [Tutorial: Trigger Azure Functions on blob containers using an event subscription](./functions-event-grid-blob-trigger.md). | Blob name string is manually added to a storage queue when a blob is added to the container. This value is passed directly by a Queue Storage trigger to a Blob Storage input binding on the same function. | Provides the flexibility of triggering on events besides those coming from a storage container. Use when need to also have non-storage events trigger your function. For more information, see [How to work with Event Grid triggers and bindings in Azure Functions](event-grid-how-tos.md). |

-┬╣Blob Storage input and output bindings support blob-only accounts.

-┬▓High scale can be loosely defined as containers that have more than 100,000 blobs in them or storage accounts that have more than 100 blob updates per second.

-* [Dataset service](/rest/api/maps/v2/dataset). Use the Dataset service to create a dataset from a converted Drawing package data. For information about Drawing package requirements, see Drawing package requirements.

-* [Conversion service](/rest/api/maps/v2/dataset). Use the Conversion service to convert a DWG design file into Drawing package data for indoor maps.

-* [Tileset service](/rest/api/maps/v2/tileset). Use the Tileset service to create a vector-based representation of a dataset. Applications can use a tileset to present a visual tile-based view of the dataset.

-* [Feature State service](/rest/api/maps/v2/feature-state). Use the Feature State service to support dynamic map styling. Dynamic map styling allows applications to reflect real-time events on spaces provided by IoT systems.

-* [WFS service](/rest/api/maps/v2/feature-state). Use the WFS service to query your indoor map data. The WFS service follows the [Open Geospatial Consortium API](http://docs.opengeospatial.org/is/17-069r3/17-069r3.html) standards for querying a single dataset.

-| Chile | Γ£ô | Γ£ô | Γ£ô |

-| Indonesia | Γ£ô | Γ£ô | |

-| Singapore | Γ£ô | Γ£ô | |

-| Norway | Γ£ô | Γ£ô | |

-| South Africa | Γ£ô | Γ£ô | |

-Download the [applicationinsights-agent-3.4.1.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.1/applicationinsights-agent-3.4.1.jar) file.

-Add `-javaagent:"path/to/applicationinsights-agent-3.4.1.jar"` to your application's JVM args.

- - Or you can create a configuration file named `applicationinsights.json`. Place it in the same directory as `applicationinsights-agent-3.4.1.jar` with the following content:

-Add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.1.jar"` somewhere before `-jar`, for example:

-java -javaagent:"path/to/applicationinsights-agent-3.4.1.jar" -jar <myapp.jar>

-If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.1.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

-ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.1.jar", "-jar", "<myapp.jar>"]

-If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.1.jar"` somewhere before `-jar`, for example:

-ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.1.jar" -jar <myapp.jar>

- <version>3.4.1</version>

-> Read-only file system is not supported.

-> [!WARNING]

->

-> The invocation must be at the beginning of the `main` method.

-> [!NOTE]

-> Spring's `application.properties` or `application.yaml` files are not supported as

-> as sources for Application Insights Java configuration.

-will be read from the classpath.

-to change this location.

-JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.1.jar"

-CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.1.jar"

-If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.1.jar` to `CATALINA_OPTS`.

-set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.1.jar

-set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.1.jar"

-If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.1.jar` to `CATALINA_OPTS`.

-Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.4.1.jar` to the `Java Options` under the `Java` tab.

-Add `-javaagent:path/to/applicationinsights-agent-3.4.1.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

- JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.4.1.jar -Xms1303m -Xmx1303m ..."

-Add `-javaagent:path/to/applicationinsights-agent-3.4.1.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

- <option value="-javaagent:path/to/applicationinsights-agent-3.4.1.jar"/>

-Add `-javaagent:path/to/applicationinsights-agent-3.4.1.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

- -javaagent:path/to/applicationinsights-agent-3.4.1.jar>

-By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.4.1.jar`.

-If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.4.1.jar` is located.

-If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.4.1.jar` is located.

-Starting from 3.4.1, rate-limited sampling is available, and is now the default.

-This feature is in preview, starting from 3.4.1.

-This feature is in preview, starting from 3.4.1.

-Starting from 3.4.1, this behavior can be disabled if desired, e.g.

-Starting from 3.4.1, this behavior can be disabled if desired, e.g.

-`applicationinsights-agent-3.4.1.jar` is located.

-| `applicationinsights-core` | Update the version to `3.4.1` or later | |

-| `applicationinsights-web` | Update the version to `3.4.1` or later, and remove the Application Insights web filter your `web.xml` file. | |

-| `applicationinsights-web-auto` | Replace with `3.4.1` or later of `applicationinsights-web` | |

-| `applicationinsights-spring-boot-starter` | Replace with `3.4.1` or later of `applicationinsights-web` | The cloud role name will no longer default to `spring.application.name`, see the [3.x configuration docs](./java-standalone-config.md#cloud-role-name) for configuring the cloud role name. |

-# Enable Azure Monitor OpenTelemetry Exporter for .NET, Node.js, and Python applications (preview)

-The Azure Monitor OpenTelemetry Exporter is a component that sends traces (and eventually all application telemetry) to Azure Monitor Application Insights. To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).

-This article describes how to enable and configure the OpenTelemetry-based Azure Monitor Preview offering. After you finish the instructions in this article, you'll be able to send OpenTelemetry traces to Azure Monitor Application Insights.

-> Azure Monitor OpenTelemetry Exporter for .NET, Node.js, and Python applications is currently in preview.

-Carefully consider whether this preview is right for you. It *enables distributed tracing only* and _excludes_:

-If you require a full-feature experience, use the existing Application Insights [ASP.NET](asp-net.md) or [ASP.NET Core](asp-net-core.md) SDK until the OpenTelemetry-based offering matures.

-Carefully consider whether this preview is right for you. It *enables distributed tracing only* and _excludes_:

-Carefully consider whether this preview is right for you. It *enables distributed tracing only* and _excludes_:

-pip install azure-monitor-opentelemetry-exporter

-exporter = AzureMonitorTraceExporter.from_connection_string(

- "<Your Connection String>"

-)

-As part of using Application Insights instrumentation, we collect and send diagnostic data to Microsoft. This data helps us run and improve Application Insights. You have the option to disable nonessential data collection. To learn more, see [Statsbeat in Azure Application Insights](./statsbeat.md).

-using var tracerProvider = Sdk.CreateTracerProviderBuilder()

- .SetResourceBuilder(resourceBuilder)

- .AddSource("OTel.AzureMonitor.Demo")

- .AddAzureMonitorTraceExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>";

- })

- .Build();

-const config: NodeTracerConfig = {

- resource: new Resource({

- [SemanticResourceAttributes.SERVICE_NAME]: "my-helloworld-service",

- [SemanticResourceAttributes.SERVICE_NAMESPACE]: "my-namespace",

- [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: "my-instance",

- }),

- };

-const provider = new NodeTracerProvider(config);

-## Sampling

-Sampling is supported in OpenTelemetry, but it isn't supported in the Azure Monitor OpenTelemetry Exporter at this time.

-> [!WARNING]

-> Enabling sampling in OpenTelemetry makes standard and log-based metrics extremely inaccurate, which adversely affects all Application Insights experiences. Also, enabling sampling alongside the existing Application Insights SDKs results in broken traces.

-<!-- Microsoft has tested and validated that the following instrumentation libraries will work with the **Preview** Release. -->

-### HTTP

- [1.0.0-rc7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.AspNet/1.0.0-rc7)

- Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) version:

- [1.0.0-rc7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.AspNetCore/1.0.0-rc7)

- clients](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.Http/README.md) version:

- [1.0.0-rc7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.Http/1.0.0-rc7)

- [0.26.0](https://www.npmjs.com/package/@opentelemetry/instrumentation-http/v/0.26.0)

- [0.24b0](https://pypi.org/project/opentelemetry-instrumentation-django/0.24b0/)

- [0.24b0](https://pypi.org/project/opentelemetry-instrumentation-flask/0.24b0/)

- [0.24b0](https://pypi.org/project/opentelemetry-instrumentation-requests/0.24b0/)

-### Database

- client](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.SqlClient/README.md) version:

- [1.0.0-rc7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.SqlClient/1.0.0-rc7)

- [0.25.0](https://www.npmjs.com/package/@opentelemetry/instrumentation-mysql/v/0.25.0)

- [0.24b0](https://pypi.org/project/opentelemetry-instrumentation-psycopg2/0.24b0/)

-> [!NOTE]

-> The *preview* offering only includes instrumentations that handle HTTP and database requests. To learn more, see [OpenTelemetry Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/tree/main/specification/trace/semantic_conventions).

-#### Add a custom property

- - [ASP.NET](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.AspNet/README.md#enrich)

- - [ASP.NET Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.AspNetCore/README.md#enrich)

- - [HttpClient and HttpWebRequest](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.Http/README.md#enrich)

-Use the add [custom property example](#add-a-custom-property), but replace the following lines of code in `ActivityEnrichingProcessor.cs`:

-Use the add [custom property example](#add-a-custom-property), but replace the following lines of code:

-Use the add [custom property example](#add-a-custom-property), but replace the following lines of code in `SpanEnrichingProcessor.py`:

-Use the add [custom property example](#add-custom-property), but replace the following lines of code:

-Use the add [custom property example](#add-custom-property), but replace the following lines of code:

-Use the add [custom property example](#add-custom-property), but replace the following lines of code:

- - [ASP.NET](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.AspNet/README.md#filter)

- - [ASP.NET Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.AspNetCore/README.md#filter)

- - [HttpClient and HttpWebRequest](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc7/src/OpenTelemetry.Instrumentation.Http/README.md#filter)

- <!

- ### Get the trace ID or span ID

- You might use X or Y to get the trace ID or span ID. Adding a trace ID or span ID to existing logging telemetry enables better correlation when you debug and diagnose issues.

-

- > [!NOTE]

- > If you manually create spans for log-based metrics and alerting, you'll need to update them to use the metrics API (after it's released) to ensure accuracy.

-

- ```C#

- Placeholder

- ```

-

- For more information, see [GitHub Repo](link).

- >

- ...

-

- ...

- ignoreIncomingPaths: [new RegExp(/dc.services.visualstudio.com/i)]

-Use the add [custom property example](#add-a-custom-property), but replace the following lines of code:

- exporter = AzureMonitorTraceExporter.from_connection_string(

- "<Your Connection String>"

- )

-The Azure Monitor Exporter uses the Python standard logging [library](https://docs.python.org/3/library/logging.html) for its own internal logging. OpenTelemetry API and Azure Monitor Exporter logs are usually logged at the severity level of WARNING or ERROR for irregular activity. The INFO severity level is used for regular or successful activity. By default, the Python logging library sets the severity level to WARNING, so you must change the severity level to see logs under this severity setting. The following example shows how to output logs of *all* severity levels to the console *and* a file:

-$storageAccount.Id = Get-AzStorageAccount -ResourceGroupName "resource-group-name" -Name "storage-account-name"

-New-AzOperationalInsightsLinkedStorageAccount -ResourceGroupName "resource-group-name" -WorkspaceName "workspace-name" -DataSourceType Query -StorageAccountIds $storageAccount.Id

-$storageAccount.Id = Get-AzStorageAccount -ResourceGroupName "resource-group-name" -Name "storage-account-name"

-New-AzOperationalInsightsLinkedStorageAccount -ResourceGroupName "resource-group-name" -WorkspaceName "workspace-name" -DataSourceType Alerts -StorageAccountIds $storageAccount.Id

-> - You can include tables that aren't yet supported in export, and no data will be exported for these until the tables are supported.

-> - The legacy custom log wonΓÇÖt be supported in export. The next generation of custom log available in preview early 2022 can be exported.

-```

-…

-…

- max_session_slots = "64"

-…

-Azure [availability zones](../availability-zones/az-overview.md#availability-zones) are physically separate locations within each supporting Azure region that are tolerant to local failures. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved because of redundancy and logical isolation of Azure services. To ensure resiliency, a minimum of three separate availability zones are present in all availability zone-enabled regions.

-The use of high availability (HA) architectures with availability zones are now a default and best practice recommendation inΓÇ»[AzureΓÇÖs Well-Architected Framework](/architecture/framework/resiliency/app-design#use-availability-zones-within-a-region). Enterprise applications and resources are increasingly deployed into multiple availability zones to achieve this level of high availability (HA) or failure domain (zone) isolation.

-Azure NetApp Files lets you deploy volumes in availability zones. The Azure NetApp Files [availability zone volume placement](manage-availability-zone-volume-placement.md) feature lets you deploy volumes in the logical availability zone of your choice, in alignment with Azure compute and other services in the same zone.

-Azure NetApp Files deployments will occur in the availability of zone of choice if the Azure NetApp Files is present in that availability zone and if it has sufficient capacity. All VMs within the region in (peered) VNets can access all Azure NetApp Files resources.

-// Create a StreamReader from the 'hybridConnectionStream`

-| Microsoft.MachineLearningServices/workspaces/computes | [listKeys](/rest/api/azureml/compute/list-keys) |

-| Microsoft.MachineLearningServices/workspaces/computes | [listNodes](/rest/api/azureml/compute/list-nodes) |

-| Microsoft.MachineLearningServices/workspaces | [listKeys](/rest/api/azureml/workspaces/list-keys) |

-| Microsoft.MachineLearningServices/workspaces/computes | [listKeys](/rest/api/azureml/compute/list-keys) |

-| Microsoft.MachineLearningServices/workspaces/computes | [listNodes](/rest/api/azureml/compute/list-nodes) |

-| Microsoft.MachineLearningServices/workspaces | [listKeys](/rest/api/azureml/workspaces/list-keys) |

-Microsoft Defender for Cloud provides advanced threat protection across your Azure VMware Solution and on-premises virtual machines (VMs). It assesses the vulnerability of Azure VMware Solution VMs and raises alerts as needed. These security alerts can be forwarded to Azure Monitor for resolution. You can define security policies in Microsoft Defender for Cloud. For more information, see [Working with security policies](../security-center/tutorial-security-policy.md).

-

-**Log Analytics agent** collects log data from Azure, Azure VMware Solution, and on-premises VMs. The log data is sent to Azure Monitor Logs and stored in a **Log Analytics Workspace**. Each workspace has its own data repository and configuration to store data. Once the logs are collected, **Microsoft Defender for Cloud** assesses the vulnerability status of Azure VMware Solution VMs and raises an alert for any critical vulnerability. Once assessed, Microsoft Defender for Cloud forwards the vulnerability status to Microsoft Sentinel to create an incident and map with other threats. Microsoft Defender for Cloud is connected to Microsoft Sentinel using Microsoft Defender for Cloud Connector.

- :::image type="content" source="media/azure-security-integration/add-server-to-azure-arc.png" alt-text="Screenshot showing Azure Arc Servers page for adding an Azure VMware Solution VM to Azure.":::

-

- :::image type="content" source="media/azure-security-integration/add-server-using-script.png" alt-text="Screenshot of Azure Arc page showing option for adding a server using interactive script.":::

-

-5. On the **Resource details** tab, fill in the following details and then select **Next: Tags**.

- - Region

-

-Recommendations and assessments provide you with the security health details of your resource.

-

- :::image type="content" source="media/azure-security-integration/select-resource-in-security-center.png" alt-text="Screenshot showing the Microsoft Defender for Cloud Inventory page with the Servers - Azure Arc selected under Resource type.":::

- :::image type="content" source="media/azure-security-integration/view-recommendations-assessments.png" alt-text="Screenshot showing the Microsoft Defender for Cloud security recommendations and assessments.":::

-Microsoft Sentinel provides security analytics, alert detection, and automated threat response across an environment. It's a cloud-native, security information event management (SIEM) solution that's built on top of a Log Analytics Workspace.

-3. Under the Connector Name column, select **Security Events** from the list, and then select **Open connector page**.

-4. On the connector page, select the events you wish to stream and then select **Apply Changes**.

- :::image type="content" source="media/azure-security-integration/select-events-you-want-to-stream.png" alt-text="Screenshot of Security Events page in Microsoft Sentinel where you can select which events to stream.":::

-3. Select **Microsoft Defender for Cloud** from the list and then select **Open connector page**.

- :::image type="content" source="media/azure-security-integration/connect-security-center-with-azure-sentinel.png" alt-text="Screenshot of Data connectors page in Microsoft Sentinel showing selection to connect Microsoft Defender for Cloud with Microsoft Sentinel.":::

-After connecting data sources to Microsoft Sentinel, you can create rules to generate alerts for detected threats. In the following example, we'll create a rule for attempts to sign in to Windows server with the wrong password.

-5. On the **Set rule logic** tab, enter the required information, and then select **Next**.

-

- - Map entities

->After the third failed attempt to sign in to Windows server, the created rule triggers an incident for every unsuccessful attempt.

- :::image type="content" source="media/azure-security-integration/assign-incident.png" alt-text="Screenshot of Microsoft Sentinel Incidents page with incident selected and option to assign the incident for resolution.":::

- >You can also create a new query by selecting **New Query**.

-This article provides recommendations for integrating an Azure VMware Solution deployment in an existing or a new [Hub and Spoke architecture](/azure/architecture/reference-architectures/hybrid-networking/#hub-spoke-network-topology) on Azure.

-* Azure VMware Solution

- - **IaaS Spoke:** Hosts Azure IaaS based workloads, including VM availability sets and virtual machine scale sets, and the corresponding network components.

- - You will need access to the Active Directory Domain Controller(s) with Administrator permissions.

- - Your Active Directory Domain Controller(s) must have LDAPS enabled with a valid certificate. The certificate could be issued by an [Active Directory Certificate Services Certificate Authority (CA)](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) or a [Third-party/Public CA](/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority).

->For further information about LDAPS and certificate issuance, consult with your security or identity management team.

-First, verify that the certificate used for LDAPS is valid.

-

- :::image type="content" source="media/run-command/ldaps-certificate-personal-general.png" alt-text="Screenshot showing the properties of the certificate." lightbox="media/run-command/ldaps-certificate-personal-general.png":::

-

-

-1. In the **Export Private Key** section, select the 2nd option, **No, do not export the private key** and select the **Next** button.

-1. In the **Export File Format** section, select the 2nd option, **Base-64 encoded X.509(.CER)** and then select the **Next** button.

-> Make sure to copy each SAS URL string(s), because they will no longer be available once you leave the page.

-A DNS Zone needs to be created and added to the DNS Service, follow the instructions in [Configure a DNS forwarder in the Azure portal](./configure-dns-azure-vmware-solution.md) to complete these two steps.

-In your Azure VMware Solution private cloud you'll run the `New-LDAPSIdentitySource` cmdlet to add an AD over LDAP with SSL as an external identity source to use with SSO into vCenter Server.

- | **Name** | User-friendly name of the external identity source, for example, **avslab.local**. This is how it will be displayed in vCenter. |

->We don't recommend this method. Instead, use the [Add Active Directory over LDAP with SSL](#add-active-directory-over-ldap-with-ssl) method.

-You'll run the `New-LDAPIdentitySource` cmdlet to add AD over LDAP as an external identity source to use with SSO into vCenter Server.

-

-

-

-## Assign additional vCenter Server Roles to Active Directory Identities

-After you've added an external identity over LDAP or LDAPS you can assign vCenter Server Roles to Active Directory security groups based on your organization's security controls.

-

-

-You'll run the `Remove-GroupFromCloudAdmins` cmdlet to remove a specified AD group from the cloudadmin role.

-This article shows you how to open a [support request](https://rc.portal.azure.com/#create/Microsoft.Support) and provide key information for an Azure VMware Solution deployment or provisioning failure.

-

-* **Overview** pane

-* Deployment logs

-

- ### Get the correlation ID from the resource overview

-You can get the correlation ID for a failed deployment by searching the deployment activity log in the Azure portal.

- :::image type="content" source="media/fix-deployment-failures/open-notifications.png" alt-text="Screenshot that shows the notifications icon in the Azure portal.":::

- :::image type="content" source="media/fix-deployment-failures/more-events-in-activity-log.png" alt-text="Screenshot that shows the More events in the activity log link selected in the Notifications pane.":::

-1. To find the failed deployment and its correlation ID, search for the name of the resource or other information that you used to create the resource.

-

- :::image type="content" source="media/fix-deployment-failures/find-past-deployments.png" alt-text="Screenshot that shows search results for an example private cloud resource and the Create or update a PrivateCloud pane.":::

-

-1. In the **Create or update a PrivateCloud** pane, select the **JSON** tab, and then look for `correlationId` in the log that is shown. Copy the `correlationId` value to include it in your support request.

-

-

-

-

-1. In the left menu, under **Manage**, select **Connectivity**.

-

-

-If your private cloud pre-validation check failed (before deployment), a correlation ID won't have been generated. In this scenario, you can provide the following information in your support request:

-For general information about creating a support request, see [How to create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

- :::image type="content" source="media/fix-deployment-failures/open-support-request.png" alt-text="Screenshot of the New support request pane in the Azure portal.":::

- 1. Paste any error details, including the error or failure messages you copied, in the **Provide details about the issue** text box.

-Azure Backup agent | If DPM is running on System Center 2012 SP1, install Rollup 2 or later for DPM SP1. This is required for agent installation.<br/><br/> This article describes how to deploy the latest version of the Azure Backup agent, also known as the Microsoft Azure Recovery Service (MARS) agent. If you have an earlier version deployed, update to the latest version to ensure that backup works as expected.

-| <br /><ul><li>The Microsoft Azure Recovery Service Agent was unable to connect to Microsoft Azure Backup. (ID: 100050) Check your network settings and ensure that you are able to connect to the internet.<li>(407) Proxy Authentication Required. |A proxy is blocking the connection. | <ul><li>In Internet Explorer, go to **Tools** > **Internet options** > **Security** > **Internet**. Select **Custom Level** and scroll down to the **File download** section. Select **Enable**.<p>You might also have to add [URLs and IP addresses](install-mars-agent.md#verify-internet-access) to your trusted sites in Internet Explorer.<li>Change the settings to use a proxy server. Then provide the proxy server details.<li> If your machine has limited internet access, ensure that firewall settings on the machine or proxy allow these [URLs and IP addresses](install-mars-agent.md#verify-internet-access). <li>If you have antivirus software installed on the server, exclude these files from the antivirus scan: <ul><li>CBEngine.exe (instead of dpmra.exe).<li>CSC.exe (related to .NET Framework). There's a CSC.exe for every .NET Framework version installed on the server. Exclude CSC.exe files for all versions of .NET Framework on the affected server. <li>The scratch folder or cache location. <br>The default location for the scratch folder or the cache path is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch.<li>The bin folder at C:\Program Files\Microsoft Azure Recovery Services Agent\Bin.

-| <br />Failed to set the encryption key for secure backups. Activation did not succeed completely but the encryption passphrase was saved to the following file. |<li>The server is already registered with another vault.<li>During configuration, the passphrase was corrupted.| Unregister the server from the vault and register it again with a new passphrase.

-|<br />The activation did not complete successfully. The current operation failed due to an internal service error [0x1FC07]. Retry the operation after some time. If the issue persists, please contact Microsoft support. | <li> The scratch folder is located on a volume that doesn't have enough space. <li> The scratch folder has been incorrectly moved. <li> The OnlineBackup.KEK file is missing. | <li>Upgrade to the [latest version](https://aka.ms/azurebackup_agent) of the MARS agent.<li>Move the scratch folder or cache location to a volume with free space that's between 5% and 10% of the total size of the backup data. To correctly move the cache location, refer to the steps in [Common questions about backing up files and folders](./backup-azure-file-folder-backup-faq.yml).<li> Ensure that the OnlineBackup.KEK file is present. <br>*The default location for the scratch folder or the cache path is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch*. |

-| <br />Error 34506. The encryption passphrase stored on this computer is not correctly configured. | <li> The scratch folder is located on a volume that doesn't have enough space. <li> The scratch folder has been incorrectly moved. <li> The OnlineBackup.KEK file is missing. | <li>Upgrade to the [latest version](https://aka.ms/azurebackup_agent) of the MARS Agent.<li>Move the scratch folder or cache location to a volume with free space that's between 5% and 10% of the total size of the backup data. To correctly move the cache location, refer to the steps in [Common questions about backing up files and folders](./backup-azure-file-folder-backup-faq.yml).<li> Ensure that the OnlineBackup.KEK file is present. <br>*The default location for the scratch folder or the cache path is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch*. <li> If you've recently moved your scratch folder, ensure that the path of your scratch folder location matches the values of the registry key entries shown below: <br><br> **Registry path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config` <br> **Registry Key**: ScratchLocation <br> **Value**: *New cache folder location* <br><br>**Registry path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider` <br> **Registry Key**: ScratchLocation <br> **Value**: *New cache folder location* |

-The current operation failed due to an internal service error "Resource not provisioned in service stamp". Please retry the operation after some time. (ID: 230006) | The protected server was renamed. | <li> Rename the server back to the original name as registered with the vault. <br> <li> Re-register the server to the vault with the new name.

-# Back up a SharePoint farm on Azure Stack

-You back up a SharePoint farm on Azure Stack to Microsoft Azure by using Microsoft Azure Backup Server (MABS) in much the same way that you back up other data sources. Azure Backup provides flexibility in the backup schedule to create daily, weekly, monthly, or yearly backup points and gives you retention policy options for various backup points. It also provides the capability to store local disk copies for quick recovery-time objectives (RTO) and to store copies to Azure for economical, long-term retention.

-## SharePoint supported versions and related protection scenarios

-## Before you start

-There are a few things you need to confirm before you back up a SharePoint farm to Azure.

-### What's not supported

-### Prerequisites

-Before you continue, make sure that you've met all the [prerequisites for using Microsoft Azure Backup](backup-azure-dpm-introduction.md#prerequisites-and-limitations) to protect workloads. Some tasks for prerequisites include: create a backup vault, download vault credentials, install Azure Backup Agent, and register the Azure Backup Server with the vault.

-* By default when you protect SharePoint, all content databases (and the SharePoint_Config and SharePoint_AdminContent* databases) will be protected. If you want to add customizations such as search indexes, templates or application service databases, or the user profile service you'll need to configure these for protection separately. Be sure that you enable protection for all folders that include these types of features or customization files.

-* You can't protect SharePoint databases as a SQL Server data source. You can recover individual databases from a farm backup.

-* Remember that MABS runs as **Local System**, and to back up SQL Server databases it needs sysadmin privileges on that account for the SQL server. On the SQL Server you want to back up, set NT AUTHORITY\SYSTEM to **sysadmin**.

-* For every 10 million items in the farm, there must be at least 2 GB of space on the volume where the MABS folder is located. This space is required for catalog generation. To enable you to use MABS to perform a specific recovery of items (site collections, sites, lists, document libraries, folders, individual documents, and list items), catalog generation creates a list of the URLs contained within each content database. You can view the list of URLs in the recoverable item pane in the Recovery task area of the MABS Administrator Console.

-To back up the SharePoint farm, configure protection for SharePoint by using ConfigureSharePoint.exe and then create a protection group in MABS.

-1. **Run ConfigureSharePoint.exe** - This tool configures the SharePoint VSS Writer service \(WSS\) and provides the protection agent with credentials for the SharePoint farm. After you've deployed the protection agent, the ConfigureSharePoint.exe file can be found in the `<MABS Installation Path\>\bin` folder on the front\-end Web server. If you have multiple WFE servers, you only need to install it on one of them. Run as follows:

- * On the WFE server, at a command prompt navigate to `\<MABS installation location\>\\bin\\` and run `ConfigureSharePoint \[\-EnableSharePointProtection\] \[\-EnableSPSearchProtection\] \[\-ResolveAllSQLAliases\] \[\-SetTempPath <path>\]`, where:

- * Enter the farm administrator credentials. This account should be a member of the local Administrator group on the WFE server. If the farm administrator isn't a local admin, grant the following permissions on the WFE server:

-1. In **Select Group Members**, expand the server that holds the WFE role. If there's more than one WFE server, select the one on which you installed ConfigureSharePoint.exe.

-1. In the Review disk allocation page, review the storage pool disk space allocated for the protection group.

-## Monitoring

-After the protection group's been created, the initial replication occurs and MABS starts backing up and synchronizing the SharePoint data. MABS monitors the initial synchronization and subsequent backups. You can monitor the SharePoint data in a couple of ways:

-In the following example, the *Recovering SharePoint item* has been accidentally deleted and needs to be recovered.

-

-1. Open the **MABS Administrator Console**. All SharePoint farms that are protected by MABS are shown in the **Protection** tab.

- 

-2. To begin to recover the item, select the **Recovery** tab.

- 

-3. You can search SharePoint for *Recovering SharePoint item* by using a wildcard-based search within a recovery point range.

- 

-5. You can also browse through various recovery points and select a database or item to recover. Select **Date > Recovery time**, and then select the correct **Database > SharePoint farm > Recovery point > Item**.

- 

-6. Right-click the item, and then select **Recover** to open the **Recovery Wizard**. Select **Next**.

- 

- 

- 

- 

- 

- 

-1. To recover a SharePoint content database, browse through various recovery points (as shown previously), and select the recovery point that you want to restore.

- 

- 

- 

- 

- 

-## Switching the Front-End Web Server

-### To change the front-end Web server that MABS uses to protect the farm

-1. In the Modify Group Wizard, on the **Select Group Members** page, expand *Server2* and select the server farm, and then complete the wizard.

-No, Azure Bastion does not currently support private link.

-This feature doesn't work with AADJ VM extension-joined machines using Azure AD users. For more information, see [Windows Azure VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#requirements).

-For more VM features, see [About VM connections and features](vm-about.md).

-Azure Chaos Studio enables you to improve service resilience by systematically injecting faults into your Azure resources. Fault injection is a powerful way to improve service resilience, but it can also be dangerous. Causing failures in your application can have more impact than originally intended and open opportunities for malicious actors to infiltrate your applications. Chaos Studio has a robust permission model that prevents faults from being run unintentionally or by a bad actor. In this article, you will learn how you can secure resources that are targeted for fault injection using Chaos Studio.

-Second, a chaos experiment has a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) that executes faults on a resource. When you create an experiment, the system-assigned managed identity is created in your Azure Active Directory tenant with no permissions. Before running your chaos experiment, you must grant its identity [appropriate permissions](chaos-studio-fault-providers.md) to all target resources. If the experiment identity does not have appropriate permission to a resource, it will not be able to execute a fault against that resource.

-Finally, each resource must be onboarded to Chaos Studio as [a target with corresponding capabilities enabled](chaos-studio-targets-capabilities.md). If a target or the capability for the fault being executed does not exist, the experiment fails without impacting the resource.

-When running agent-based faults, you need to install the Chaos Studio agent on your virtual machine or virtual machine scale set. The agent uses a [user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) to authenticate to Chaos Studio and an *agent profile* to establish relationship to a specific VM resource. When onboarding a virtual machine or virtual machine scale set for agent-based faults, you first create an agent target. The agent target must have a reference to the user-assigned managed identity that will be used for authentication. The agent target contains an *agent profile ID*, which is provided as configuration when installing the agent. Agent profiles are unique to each target and targets are unique per resource.

-* Service-direct faults - Most service-direct faults are executed through Azure Resource Manager. Target resources do not require any allowlisted network endpoints.

-Azure Chaos Studio does not support Service Tags or Private Link.

-# Reading text (preview)

-Version 4.0 of Image Analysis offers the ability to extract text from images. Contextual information like line number and position is also returned. Text reading is also available through the [OCR service](overview-ocr.md), but the latest model version is available through Image Analysis. This version is optimized for image inputs as opposed to documents.

-## Reading text example

-The following JSON response illustrates what the Analyze API returns when reading text in the given image.

-## Use the API

-The text reading feature is part of the [Analyze Image](https://aka.ms/vision-4-0-ref) API. You can call this API using REST. Include `Read` in the **visualFeatures** query parameter. Then, when you get the full JSON response, parse the string for the contents of the `"readResult"` section.

-Follow the [quickstart](./quickstarts-sdk/image-analysis-client-library.md) to read text from an image using the Analyze API.

-Version 4.0 preview of Image Analysis offers the ability to extract text from images. Contextual information like line number and position is also returned. Text reading is also available through the main [OCR service](overview-ocr.md), but in Image Analysis this feature is optimized for image inputs as opposed to documents. [Reading text in images](concept-ocr.md)

-description: The optical character recognition (OCR) service extracts visible text in an image and returns it as structured strings.

-Optical character recognition (OCR) allows you to extract printed or handwritten text from images, such as posters, street signs and product labels, as well as from documents like articles, reports, forms, and invoices. Microsoft's **Read** OCR technology is built on top of multiple deep learning models supported by universal script-based models for global language support. This allows them to extract printed and handwritten text in [several languages](./language-support.md), including mixed languages and writing styles. **Read** is available as cloud service and on-premises container for deployment flexibility. With the latest preview, it's also available as a synchronous API for single, non-document, image-only scenarios with performance enhancements that make it easier to implement OCR-assisted user experiences.

-## Start with Vision Studio

-Try out OCR by using Vision Studio.

-Batch transcription is used to transcribe a large amount of audio in storage. Batch transcription can read audio files from a public URI (such as "https://crbn.us/hello.wav") or a [shared access signature (SAS)](../../storage/common/storage-sas-overview.md) URI.

-You should provide multiple files per request or point to an Azure Blob Storage container with the audio files to transcribe. The batch transcription service can handle a large number of submitted transcriptions. The service transcribes the files concurrently, which reduces the turnaround time.

-## Azure Blob Storage example

-Batch transcription can read audio files from a public URI (such as "https://crbn.us/hello.wav") or a [shared access signature (SAS)](../../storage/common/storage-sas-overview.md) URI. You can provide individual audio files, or an entire Azure Blob Storage container. You can also read or write transcription results in a container. This example shows how to transcribe audio files in [Azure Blob Storage](../../storage/blobs/storage-blobs-overview.md).

-The [SAS URI](../../storage/common/storage-sas-overview.md) must have `r` (read) and `l` (list) permissions. The storage container must have at most 5GB of audio data and a maximum number of 10,000 blobs. The maximum size for a blob is 2.5GB.

-Follow these steps to create a storage account, upload wav files from your local directory to a new container, and generate a SAS URL that you can use for batch transcriptions.

-1. Set the `RESOURCE_GROUP` environment variable to the name of an existing resource group where the new storage account will be created.

-1. Generate a SAS URL with read (r) and list (l) permissions for the container with the [`az storage container generate-sas`](/cli/azure/storage/container#az-storage-container-generate-sas) command. Replace `<mycontainer>` with the name of your container.

- az storage container generate-sas -n <mycontainer> --expiry 2022-09-09 --permissions rl --https-only

-To create a transcription and connect it to an existing project, use the `spx batch transcription create` command. Construct the request parameters according to the following instructions:

- "self": "https://eastus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/637d9333-6559-47a6-b8de-c7d732c1ddf3",

- "self": "https://eastus.api.cognitive.microsoft.com/speechtotext/v3.0/models/base/aaa321e9-5a4e-4db1-88a2-f251bbe7b555"

- "files": "https://eastus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/637d9333-6559-47a6-b8de-c7d732c1ddf3/files"

- "wordLevelTimestampsEnabled": true,

- "displayFormWordLevelTimestampsEnabled": false,

- "lastActionDateTime": "2022-09-10T18:39:07Z",

- "createdDateTime": "2022-09-10T18:39:07Z",

- "displayName": "My Transcription"

- "self": "https://eastus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/637d9333-6559-47a6-b8de-c7d732c1ddf3",

- "self": "https://eastus.api.cognitive.microsoft.com/speechtotext/v3.0/models/base/aaa321e9-5a4e-4db1-88a2-f251bbe7b555"

- "files": "https://eastus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/637d9333-6559-47a6-b8de-c7d732c1ddf3/files"

- "displayFormWordLevelTimestampsEnabled": false,

- "lastActionDateTime": "2022-09-10T18:39:07Z",

- "createdDateTime": "2022-09-10T18:39:07Z",

-|`contentContainerUrl`| You can submit individual audio files, or a whole storage container. You must specify the audio data location via either the `contentContainerUrl` or `contentUrls` property. For more information, see [Azure storage for audio files](batch-transcription-audio-data.md#azure-blob-storage-example).|

-|`contentUrls`| You can submit individual audio files, or a whole storage container. You must specify the audio data location via either the `contentContainerUrl` or `contentUrls` property. For more information, see [Azure storage for audio files](batch-transcription-audio-data.md#azure-blob-storage-example).|

-|`destinationContainerUrl`|The result can be stored in an Azure container. Specify the [ad hoc SAS](../../storage/common/storage-sas-overview.md) with write permissions. SAS with stored access policies isn't supported. If you don't specify a container, the Speech service stores the results in a container managed by Microsoft. When the transcription job is deleted, the transcription result data is also deleted.|

-Optionally, you can set the `model` property to use a specific base model or [Custom Speech](how-to-custom-speech-train-model.md) model.

- "contentContainerUrl": "https://YourStorageAccountName.blob.core.windows.net/YourContainerName?YourSASToken",

- "displayName": "My Transcription",

-To use a Custom Speech model for batch transcription, you need the model's URI. You can retrieve the model location when you create or get a model. The top-level `self` property in the response body is the model's URI. For an example, see the JSON response example in the [Create a model](how-to-custom-speech-train-model.md?pivots=rest-api#create-a-model) guide. A [deployed custom endpoint](how-to-custom-speech-deploy-model.md) isn't needed for the batch transcription service.

-|`itn`|The inverse text normalized (ITN) form of the recognized text. Abbreviations such as "doctor smith" to "dr smith", phone numbers, and other transformations are applied.|

-|9|Not supported|<img src="media/text-to-speech/viseme-id-9.jpg" width="200" height="200" alt="The mouth position when viseme ID is 9">|

-|10|Not supported|<img src="media/text-to-speech/viseme-id-10.jpg" width="200" height="200" alt="The mouth position when viseme ID is 10">|

-|11|Not supported|<img src="media/text-to-speech/viseme-id-11.jpg" width="200" height="200" alt="The mouth position when viseme ID is 11">|

-The SVG output is a xml string that contains the animation.

-> [!NOTE]

-> Logging is available in all supported Speech SDK programming languages, with the exception of JavaScript.

-* [Azure CLI](/cli/azure/overview). This quickstart requires that you are running the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

-* **Connection mode: Use Direct mode**

-Java SDK default connection mode is direct. You can configure the connection mode in the client builder using the *directMode()* or *gatewayMode()* methods, as shown below. To configure either mode with default settings, call either method without arguments. Otherwise, pass a configuration settings class instance as the argument (*DirectConnectionConfig* for *directMode()*, *GatewayConnectionConfig* for *gatewayMode()*.). To learn more about different connectivity options, see the [connectivity modes](sdk-connection-modes.md) article.

-# [Async](#tab/api-async)

-Java SDK V4 (Maven com.azure::azure-cosmos) Async API

-[!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/documentationsnippets/async/SampleDocumentationSnippetsAsync.java?name=PerformanceClientConnectionModeAsync)]

-# [Sync](#tab/api-sync)

-Java SDK V4 (Maven com.azure::azure-cosmos) Sync API

-[!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/documentationsnippets/sync/SampleDocumentationSnippets.java?name=PerformanceClientConnectionModeSync)]

-

-The *directMode()* method has an additional override, for the following reason. Control plane operations such as database and container CRUD *always* utilize Gateway mode; when the user has configured Direct mode for data plane operations, control plane operations use default Gateway mode settings. This suits most users. However, users who want Direct mode for data plane operations as well as tunability of control plane Gateway mode parameters can use the following *directMode()* override:

-# [Async](#tab/api-async)

-Java SDK V4 (Maven com.azure::azure-cosmos) Async API

-[!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/documentationsnippets/async/SampleDocumentationSnippetsAsync.java?name=PerformanceClientDirectOverrideAsync)]

-# [Sync](#tab/api-sync)

-Java SDK V4 (Maven com.azure::azure-cosmos) Sync API

-[!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/documentationsnippets/sync/SampleDocumentationSnippets.java?name=PerformanceClientDirectOverrideSync)]

-

-* **Tuning ConnectionPolicy**

-By default, Direct mode Azure Cosmos DB requests are made over TCP when using Azure Cosmos DB Java SDK v4. Internally Direct mode uses a special architecture to dynamically manage network resources and get the best performance.

-In Azure Cosmos DB Java SDK v4, Direct mode is the best choice to improve database performance with most workloads.

-* ***Overview of Direct mode***

-<a id="direct-connection"></a>

-The client-side architecture employed in Direct mode enables predictable network utilization and multiplexed access to Azure Cosmos DB replicas. The diagram above shows how Direct mode routes client requests to replicas in the Azure Cosmos DB backend. The Direct mode architecture allocates up to 130 **Channels** on the client side per DB replica. A Channel is a TCP connection preceded by a request buffer, which is 30 requests deep. The Channels belonging to a replica are dynamically allocated as needed by the replica's **Service Endpoint**. When the user issues a request in Direct mode, the **TransportClient** routes the request to the proper service endpoint based on the partition key. The **Request Queue** buffers requests before the Service Endpoint.

-* ***Configuration options for Direct mode***

-If non-default Direct mode behavior is desired, create a *DirectConnectionConfig* instance and customize its properties, then pass the customized property instance to the *directMode()* method in the Azure Cosmos DB client builder.

-These configuration settings control the behavior of the underlying Direct mode architecture discussed above.

-As a first step, use the following recommended configuration settings below. These *DirectConnectionConfig* options are advanced configuration settings which can affect SDK performance in unexpected ways; we recommend users avoid modifying them unless they feel very comfortable in understanding the tradeoffs and it is absolutely necessary. Please contact the [Azure Cosmos DB team](mailto:CosmosDBPerformanceSupport@service.microsoft.com) if you run into issues on this particular topic.

-| Configuration option | Default |

-| :: | :--: |

-| idleConnectionTimeout | "PT0" |

-| maxConnectionsPerEndpoint | "130" |

-| connectTimeout | "PT5S" |

-| idleEndpointTimeout | "PT1H" |

-| maxRequestsPerConnection | "30" |

-If you have more than one client cumulatively operating consistently above the request rate, the default retry count currently set to 9 internally by the client may not suffice; in this case, the client throws a *CosmosClientException* with status code 429 to the application. The default retry count can be changed by using setRetryOptions on the ConnectionPolicy instance. By default, the *CosmosClientException* with status code 429 is returned after a cumulative wait time of 30 seconds if the request continues to operate above the request rate. This occurs even when the current retry count is less than the max retry count, be it the default of 9 or a user-defined value.

-By default, connections are permanently maintained to benefit the performance of future operations (opening a connection has computational overhead). There might be some scenarios where you might want to close connections that are unused for some time understanding that this might affect future operations slightly. For the .NET SDK this configuration is set by [CosmosClientOptions.IdleTcpConnectionTimeout](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.idletcpconnectiontimeout), and for the Java SDK you can customize using [DirectConnectionConfig.setIdleConnectionTimeout](/java/api/com.azure.cosmos.directconnectionconfig.setidleconnectiontimeout). It isn't recommended to set these configurations to low values as it might cause connections to be frequently closed and affect overall performance.

-* [Java SDK direct mode information](performance-tips-java-sdk-v4.md#direct-connection)

- - If you have only UPN (User Principal Name) entities configured as full EA administrators without access to e-mail, you must perform one of the following actions:

- - Create a temporary full EA administrator account in the EA portal

- &mdash; Or &mdash;

- - Provide EA portal screenshot evidence of a user account associated with the UPN account

-To complete the setup, you need the following access:

-ΓÇö And ΓÇö

-**Enable change data capture:** If true, you will get new or changed files only from the last run. Initial load of full snapshot data will always be gotten in the first run, followed by capturing new or changed files only in next runs. For more details, see [Change data capture](#change-data-capture-preview).

-## Change data capture (preview)

-Azure Data Factory can get new or changed files only from Azure Blob Storage by enabling **Enable change data capture (Preview)** in the mapping data flow source transformation. With this connector option, you can read new or updated files only and apply transformations before loading transformed data into destination datasets of your choice.

-Make sure you keep the pipeline and activity name unchanged, so that the checkpoint can always be recorded from the last run to get changes from there. If you change your pipeline name or activity name, the checkpoint will be reset, and you will start from the beginning in the next run.

-When you debug the pipeline, the **Enable change data capture (Preview)** works as well. Be aware that the checkpoint will be reset when you refresh your browser during the debug run. After you are satisfied with the result from debug run, you can publish and trigger the pipeline. It will always start from the beginning regardless of the previous checkpoint recorded by debug run.

-In the monitoring section, you always have the chance to rerun a pipeline. When you are doing so, the changes are always gotten from the checkpoint record in your selected pipeline run.

-**Enable native change data capture(Preview)**: Use this option to tell ADF to only process delta data captured by [SQL change data capture technology](https://learn.microsoft.com/sql/relational-databases/track-changes/about-change-data-capture-sql-server) since the last time that the pipeline executed. With this option, the delta data including row insert, update and deletion will be loaded automatically without any incremental date column required. You need to [enable change data capture](https://learn.microsoft.com/sql/relational-databases/track-changes/enable-and-disable-change-data-capture-sql-server) on Azure SQL DB before using this option in ADF. For more information about this option in ADF, see [native change data capture](#native-change-data-capture).

-* Only **net changes** from SQL CDC will be loaded by ADF via [cdc.fn_cdc_get_net_changes_](https://learn.microsoft.com/sql/relational-databases/system-functions/cdc-fn-cdc-get-net-changes-capture-instance-transact-sql?source=recommendations).

-| Enable native change data capture(Preview) | Use this option to tell ADF to only process delta data captured by [SQL change data capture technology](https://learn.microsoft.com/sql/relational-databases/track-changes/about-change-data-capture-sql-server) since the last time that the pipeline executed. With this option, the delta data including row insert, update and deletion will be loaded automatically without any incremental date column required. You need to [enable change data capture](https://learn.microsoft.com/sql/relational-databases/track-changes/enable-and-disable-change-data-capture-sql-server) on Azure SQL MI before using this option in ADF. For more information about this option in ADF, see [native change data capture](#native-change-data-capture). | No | - |- |

-* Only **net changes** from SQL CDC will be loaded by ADF via [cdc.fn_cdc_get_net_changes_](https://learn.microsoft.com/sql/relational-databases/system-functions/cdc-fn-cdc-get-net-changes-capture-instance-transact-sql?source=recommendations).

-| Enable native change data capture(Preview) | Use this option to tell ADF to only process delta data captured by [SQL change data capture technology](https://learn.microsoft.com/sql/relational-databases/track-changes/about-change-data-capture-sql-server) since the last time that the pipeline executed. With this option, the delta data including row insert, update and deletion will be loaded automatically without any incremental date column required. You need to [enable change data capture](https://learn.microsoft.com/sql/relational-databases/track-changes/enable-and-disable-change-data-capture-sql-server) on SQL Server before using this option in ADF. For more information about this option in ADF, see [native change data capture](#native-change-data-capture). | No | - |- |

-* Only **net changes** from SQL CDC will be loaded by ADF via [cdc.fn_cdc_get_net_changes_](https://learn.microsoft.com/sql/relational-databases/system-functions/cdc-fn-cdc-get-net-changes-capture-instance-transact-sql?source=recommendations).

-Expression functions use single quote for string value parameters. Use two single quotes to escape a ' character in string functions. For example, expression `@concat('Baba', '''s ', 'book store')` will return below result.

-The Until activity provides the same functionality that a do-until looping structure provides in programming languages. It executes a set of activities in a loop until the condition associated with the activity evaluates to true. You can specify a timeout value for the until activity.

-1. Search for _Until_ in the pipeline Activities pane, and drag a Set Variable activity to the pipeline canvas.

-Your Azure SQL Database can work well in the data copy, dataset preview-data, and test-connection in the linked service, but it fails when the same Azure SQL Database is used as a source or sink in the data flow with error like `Cannot connect to SQL database: 'jdbc:sqlserver://powerbasenz.database.windows.net;..., Please check the linked service configuration is correct, and make sure the SQL database firewall allows the integration runtime to access`

- * You want to monitor across data factories. You can route data from multiple data factories to a single Monitor workspace.

-You can also use a storage account or event-hub namespace that isn't in the subscription of the resource that emits logs. The user who configures the setting must have appropriate Azure role-based access control (Azure RBAC) access to both subscriptions.

-Use the [ADF pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=data-factory) to get an estimate of the cost of running your ETL workload in Azure Data Factory. .To use the calculator, you have to input details such as number of activity runs, number of data integration unit hours, type of compute used for Data Flow, core count, instance count, execution duration, and etc.

-One of the commonly asked questions for the pricing calculator is what values should be used as inputs. During the proof-of-concept phase, you can conduct trial runs using sample datasets to understand the consumption for various ADF meters. Then based on the consumption for the sample dataset, you can project out the consumption for the full dataset and operationalization schedule.

-Azure Data Factory costs can be monitored at the factory, pipeline-run and activity-run levels.

-1. Under _Monitor_ tab, select _Factory setting_ in _General_ section

-description: Get started with your first data factory demo to copy data from one blob storage to another.

-|[TDC Switch](https://klastelecom.com/voyager-tdc/) | |

-|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Azure China 21Vianet)<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected AWS accounts <br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected GCP projects|

- :::image type="content" source="./media/protect-network-resources/opening-network-map.png" alt-text="Opening the network map from the Workload protections." lightbox="./media/protect-network-resources/opening-network-map.png":::

-1. (**Servers/SQL only**) Select **Azure-Arc for servers onboarding**

- :::image type="content" source="media/quickstart-onboard-gcp/unique-numeric-id.png" alt-text="Screenshot showing the Azure-Arc for servers onboarding section of the screen." lightbox="media/quickstart-onboard-gcp/unique-numeric-id.png":::

- Enter the service account unique ID, which is generated automatically after running the GCP Cloud Shell.

-| `Ensure that 'Python version' is the latest, if used as a part of the API app` | `App Service apps that use Python should use the latest 'Python version` |

-| `Ensure that 'Java version' is the latest, if used as a part of the API app` | `App Service apps that use Java should use the latest 'Java version` |

-| - [Integration with Microsoft Defender for Cloud Apps](./other-threat-protections.md#display-recommendations-in-microsoft-defender-for-cloud-apps) | GA | Not Available | Not Available |

-| - [Adaptive network hardening](./adaptive-network-hardening.md) | GA | Not Available | Not Available |

-| None | None |

-| Database Login Failed | A failed sign-in attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. | Major | Authentication |

-| Abnormal Exception Pattern in Slave | An excessive number of errors were detected on a source device. This alert may be the result of an operational issue. | Minor | Abnormal Communication Behavior |

-| Abnormal Termination of Applications | An excessive number of stop commands were detected on a source device. This alert may be the result of an operational issue or an attempt to manipulate the device. | Major | Abnormal Communication Behavior |

-| Address Scan Detected | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device. | Critical | Scan |

-| ARP Address Scan Detected | A source device was detected scanning network devices using Address Resolution Protocol (ARP). This device address hasn't been authorized as valid ARP scanning address. | Critical | Scan |

-| ARP Spoofing | An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack. | Warning | Abnormal Communication Behavior |

-| Excessive Login Attempts | A source device was seen performing excessive sign-in attempts to a destination server. This alert may indicate a brute force attack. The server may be compromised by a malicious actor. | Critical | Authentication |

-| Excessive Number of Sessions | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor. | Critical | Abnormal Communication Behavior |

-| Excessive Restart Rate of an Outstation | An excessive number of restart commands were detected on a source device. These alerts may be the result of an operational issue or an attempt to manipulate the device. | Major | Restart/ Stop Commands |

-| Excessive SMB login attempts | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor. | Critical | Authentication |

-| ICMP Flooding | An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack. | Warning | Abnormal Communication Behavior |

-| Inactive Communication Channel | A communication channel between two devices was inactive during a period in which activity is usually observed. This might indicate that the program generating this traffic was changed, or the program might be unavailable. It's recommended to review the configuration of installed program and verify that it's configured properly. | Warning | Unresponsive |

-| Long Duration Address Scan Detected | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device. | Critical | Scan |

-| Password Guessing Attempt Detected | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor. | Critical | Authentication |

-| PLC Scan Detected | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device. | Critical | Scan |

-| Port Scan Detected | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device. | Critical | Scan |

-| Unexpected message length | The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device. | Critical | Abnormal Communication Behavior |

-| Excessive Malformed Packets In a Single Session | An abnormal number of malformed packets sent from the source device to the destination device. This alert might indicate erroneous communications, or an attempt to manipulate the targeted device. | Major | Illegal Commands |

-| Suspicion of Denial Of Service Attack | A source device attempted to initiate an excessive number of new connections to a destination device. This may indicate a Denial Of Service (DOS) attack against the destination device, and might interrupt device functionality, affect performance and service availability, or cause unrecoverable errors. | Critical | Suspicion of Malicious Activity |

-| Suspicion of Malicious Activity (Name Queries) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malicious Activity |

-| Continuous Event Buffer Overflow at Outstation | A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code. | Major | Buffer Overflow |

-| Device is Suspected to be Disconnected (Unresponsive) | A source device didn't respond to a command sent to it. It may have been disconnected when the command was sent. | Major | Unresponsive |

-| Expected Backup Operation Did Not Occur | Expected backup/file transfer activity didn't occur between two devices. This alert may indicate errors in the backup / file transfer process. | Major | Backup |

-| Outstation Restarts Frequently | An excessive number of cold restarts were detected on a source device. This means the device was physically turned off and back on again an excessive number of times. | Minor | Restart/ Stop Commands |

-| Suspicion of Unresponsive MODBUS Device | A source device didn't respond to a command sent to it. It may have been disconnected when the command was sent. | Minor | Unresponsive |

-> * Get a recommendation of the Azure SQL Managed Instance SKU best suited for your workload

- - Contributor for the target Azure SQL Managed Instance (and Storage Account to upload your database backup files from SMB network share).

- - Reader role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

- | Restoring | Azure Database Migration Service is currently restoring the backup file to Azure SQL Managed Instance|

- | Restored | Backup file is successfully restored on Azure SQL Managed Instance |

-> * Get a recommendation of the Azure SQL Managed Instance SKU best suited for your workload

- - Contributor for the target Azure SQL Managed Instance (and Storage Account to upload your database backup files from SMB network share).

- - Reader role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

- | Restoring | Azure Database Migration Service is currently restoring the backup file to Azure SQL Managed Instance|

- | Restored | Backup file is successfully restored on Azure SQL Managed Instance |

-Unix

-Other requirements are addressed in the [installation](#installation) section below.

-## Installation

-Follow the directions in the sdutil documentation for [running sdutil in Azure environments](https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil/-/tree/azure/stable#setup-and-usage-for-azure-env).

-The utility requires other modules noted in [requirements.txt](https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil/-/blob/azure/stable/requirements.txt). You could either install the modules as is or install them in virtualenv to keep your host clean from package conflicts. If you don't want to install them in a virtual environment, jump directly to step 3.

- # if not install it via pip

- # run it from the extracted sdutil folder

-1. Clone the [sdutil repository](https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil/-/tree/azure/stable) and open in your favorite editor.

- ```yaml

- seistore:

- service: '{"azure": {"azureGlabEnv":{"url": "https://<meds-instance-url>/seistore-svc/api/v3", "appkey": ""}}}'

- url: 'https://<meds-instance-url>/seistore-svc/api/v3'

- cloud_provider: 'azure'

- env: 'glab'

- auth-mode: 'JWT Token'

- ssl_verify: False

- auth_provider:

- azure: '{

- "provider": "azure",

- "authorize_url": "https://login.microsoftonline.com/",

- "oauth_token_host_end": "/oauth2/token",

- "scope_end":"/.default openid profile offline_access",

- "redirect_uri":"http://localhost:8080",

- "login_grant_type": "refresh_token",

- "refresh_token": "<put refresh token here from auth_token.http authorize request>"

- }'

- azure:

- empty: 'none'

- ```

-

- > [!NOTE]

- > Follow the directions in [How to Generate a Refresh Token](how-to-generate-refresh-token.md) to obtain a token if not already present.

- ```bash

- export AZURE_TENANT_ID=check-env-provisioning-team-as-specific-to-cluster

- export AZURE_CLIENT_ID=check-env-provisioning-team-as-specific-to-cluster

- export AZURE_CLIENT_SECRET=check-env-provisioning-team-as-specific-to-cluster

- ```

- ```bash

- python sdutil

- ```

- If no arguments are specified, this menu will be displayed:

- ```code

- Seismic Store Utility

- > python sdutil [command]

- available commands:

- * auth : authentication utilities

- * unlock : remove a lock on a seismic store dataset

- * version : print the sdutil version

- * rm : delete a subproject or a space separated list of datasets

- * mv : move a dataset in seismic store

- * config : manage the utility configuration

- * mk : create a subproject resource

- * cp : copy data to(upload)/from(download)/in(copy) seismic store

- * stat : print information like size, creation date, legal tag(admin) for a space separated list of tenants, subprojects or datasets

- * patch : patch a seismic store subproject or dataset

- * app : application authorization utilities

- * ls : list subprojects and datasets

- * user : user authorization utilities

- ```

- ```bash

- python sdutil config init

- ```

- ```bash

- python sdutil auth login

- ```

- Once you've successfully logged in, your credentials will be valid for a week. You don't need to sign in again unless the credentials expired (after one week), in this case the system will require you to sign in again.

- > [!NOTE]

- > If you aren't getting the "sign in Successful!" message, make sure your three environment variables are set and you've followed all steps in the "Configuration" section above.

-## Setup and usage for Microsoft Energy Data Services

-Below steps are for Windows Subsystem for Linux - Ubuntu 20.04

-Microsoft Energy Data Services instance is using OSDU&trade; M12 Version of sdutil

-1. Download the source code from community [sdutil](https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil/-/tree/azure/stable/) Azure Stable branch.

-2. In case python virtual env isn't installed, use below commands. Otherwise, skip to next section

- ```bash

- sudo apt-get update

- sudo apt-get install python3-venv

- ```

-3. Create a new virtual environment and install package

- ```bash

- #create new virtual env with name : sdutilenv

- python3 -m venv sdutilenv

- #activate the virtual end

- source sdutilenv/bin/Activate

- #install python package for sdutil

- pip install -r requirements.txt

- ```

-4. Replace the contents of `config.yaml` in the `sdlib` folder with the following yaml and fill in the three templatized values (tow `<meds-instance-url>` and `<put refresh token here...>`):

- ```yaml

- seistore:

- service: '{"azure": {"azureGlabEnv":{"url": "https://<meds-instance-url>/seistore-svc/api/v3", "appkey": ""}}}'

- url: 'https://<meds-instance-url>/seistore-svc/api/v3'

- cloud_provider: 'azure'

- env: 'glab'

- auth-mode: 'JWT Token'

- ssl_verify: False

- auth_provider:

- azure: '{

- "provider": "azure",

- "authorize_url": "https://login.microsoftonline.com/",

- "oauth_token_host_end": "/oauth2/token",

- "scope_end":"/.default openid profile offline_access",

- "redirect_uri":"http://localhost:8080",

- "login_grant_type": "refresh_token",

- "refresh_token": "<put refresh token here from auth_token.http authorize request>"

- }'

- azure:

- empty: 'none'

- ```

-

- > [!NOTE]

- > Follow the directions in [How to Generate a Refresh Token](how-to-generate-refresh-token.md) to obtain a token if not already present.

-5. Export or set below environment variables

- ```bash

- export AZURE_TENANT_ID=check-env-provisioning-team-as-specific-to-cluster

- export AZURE_CLIENT_ID=check-env-provisioning-team-as-specific-to-cluster

- export AZURE_CLIENT_SECRET=check-env-provisioning-team-as-specific-to-cluster

- ```

-6. Run below commands to sign in, list, upload and download files in the seismic store.

- - Initialize

- ```code

- (sdutilenv) > python sdutil config init

- [one] Azure

- Select the cloud provider: **enter 1**

- Insert the Azure (azureGlabEnv) application key: **just press enter--no need to provide a key**

- sdutil successfully configured to use Azure (azureGlabEnv)

- Should display sign in success message. Credentials expiry set to 1 hour.

- ```

- - Sign in

- ```bash

- python sdutil config init

- python sdutil auth login

- ```

- - List files in your seismic store

- ```bash

- python sdutil ls sd://<tenant> # e.g. sd://<instance-name>-<datapartition>

- python sdutil ls sd://<tenant>/<subproject> # e.g. sd://<instance-name>-<datapartition>/test

- ```

- - Upload a file from your local machine to the seismic store

- ```bash

- python sdutil cp local-dir/file-name-at-source.txt sd://<datapartition>/test/file-name-at-destination.txt

- ```

- - Download a file from the seismic store to your local machine

- ```bash

- python sdutil cp sd://<datapartition>/test/file-name-at-ddms.txt local-dir/file-name-at-destination.txt

- ```

- > [!NOTE]

- > Don't use `cp` command to download VDS files. The VDS conversion results in multiple files, therefore the `cp` command won't be able to download all of them in one command. Use either the [SEGYExport](https://osdu.pages.opengroup.org/platform/domain-data-mgmt-services/seismic/open-vds/tools/SEGYExport/README.html) or [VDSCopy](https://osdu.pages.opengroup.org/platform/domain-data-mgmt-services/seismic/open-vds/tools/VDSCopy/README.html) tool instead. These tools use a series of REST calls accessing a [naming scheme](https://osdu.pages.opengroup.org/platform/domain-data-mgmt-services/seismic/open-vds/connection.html) to retrieve information about all the resulting VDS files.

- | User Name |Enter HDInsight cluster HTTP user username. The default username is **admin**. |

- > The application name that is used for streaming must be surrounded by the \` (backtick) character when aliased, and by the ' (single quote) character when used with `SHIP`.

- |Cluster login username and password | The default login name is **admin**. The password must be at least 10 characters in length and must contain at least one digit, one uppercase, and one lower case letter, one non-alphanumeric character (except characters ' " ` \). Make sure you **do not provide** common passwords such as "Pass@word1".|

- |Secure Shell (SSH) username | The default username is **sshuser**. You can provide another name for the SSH username. |

-2. Enter the Hadoop username and password that you specified while creating the cluster. The default username is **admin**.

- |Cluster Login User Name|Provide the username, default is **admin**.|

- |Cluster Login Password|Provide a password. The password must be at least 10 characters in length and must contain at least one digit, one uppercase, and one lower case letter, one non-alphanumeric character (except characters ' " ` ). |

- |Ssh User Name|Provide the username, default is **sshuser**|

- > [!NOTE]

- > The values you provide must be unique and should follow the naming guidelines. The template does not perform validation checks. If the values you provide are already in use, or do not follow the guidelines, you get an error after you have submitted the template.

-To create a new table, specify a `TableSchema` and columns. The following code checks whether the table 'RestSDKTable` already exists - if not, the table is created.

- |Cluster login name and password|The default login name is **admin**.|

- |SSH username and password|The default username is **sshuser**.|

- Other parameters are optional.

- |Cluster Login User Name|Provide the username, default is **admin**.|

- |Cluster Login Password|Provide a password. The password must be at least 10 characters in length and must contain at least one digit, one uppercase, and one lower case letter, one non-alphanumeric character (except characters ' " ` ). |

- |Ssh User Name|Provide the username, default is sshuser|

-> ```

-> " ' ` / \ < % ~ | $ & !

-> ```

- | User Name |Enter HDInsight cluster HTTP user username. The default username is **admin**. |

-1. Optional: Select **Advanced Options**.

- |Cluster Login User Name|Provide the username, default is **admin**.|

- |Cluster Login Password|Provide a password. The password must be at least 10 characters in length and must contain at least one digit, one uppercase, and one lower case letter, one non-alphanumeric character (except characters ' " ` ). |

- * `var brokerHost = '176.16.0.13:9092`: Replace `176.16.0.13` with the internal IP address of one of the broker hosts for your cluster.

- |Cluster login username and password | The default login name is **admin**. The password must be at least 10 characters in length and must contain at least one digit, one uppercase, and one lower case letter, one non-alphanumeric character (except characters ' " ` \). Make sure you **do not provide** common passwords such as "Pass@word1".|

- |Secure Shell (SSH) username | The default username is **sshuser**. You can provide another name for the SSH username. |

- |Cluster Login User Name|Provide the username, default is **admin**.|

- |Cluster Login Password|Provide a password. The password must be at least 10 characters in length and must contain at least one digit, one uppercase, and one lower case letter, one non-alphanumeric character (except characters ' " ` ). |

- |Ssh User Name|Provide the username, default is **sshuser**|

- |Cluster Login User Name|Provide the username, default is **admin**.|

- |Cluster Login Password|Provide a password. The password must be at least 10 characters in length and must contain at least one digit, one uppercase, and one lower case letter, one non-alphanumeric character (except characters ' " ` ). |

- |Ssh User Name|Provide the username, default is **sshuser**|

-This tutorial shows how to use Azure Logic Apps to process Azure Health Data Services Fast Healthcare Interoperability Resources (FHIR&#174;) events. Logic Apps create and run automated workflows to process event data from other applications. You will learn how to register a FHIR event with your Logic App, meet a specified event criteria, and perform a service operation.

-Before you begin this tutorial, you need to have deployed a FHIR service and enabled events. For more information about deploying events, see [Deploy Events in the Azure portal](./events-deploy-portal.md).

-3. Click "Add".

-This example will not use tagging.

-If you're satisfied with the proposed configuration, click "Create". If not, click "Previous" to go back and specify new details.

-If there are no errors, you will finally see a notification telling you that your deployment is complete.

-2. Click "Logic Apps" in Azure services.

-4. Click "Workflows" in the Workflow menu on the left.

-5. Click "Add" to add a workflow.

-You will see a new panel on the right for creating a workflow.

-When you have specified the details, click "Create" to begin designing your workflow.

-In your new workflow, click the name of the enabled workflow.

-Next, click "Choose an operation" to display the "Add a Trigger" blade on the right. Then search for "Azure Event Grid" and click the "Azure" tab below. The Event Grid is not a Logic App Built-in.

-When you see the "Azure Event Grid" icon, click on it to display the Triggers and Actions available from Event Grid. For more information about Event Grid, see [What is Azure Event Grid?](./../../event-grid/overview.md).

-Click "When a resource event occurs" to set up a trigger for the Azure Event Grid.

-For more information about event types, see [What FHIR resource events does Events support?](./events-faqs.md).

-Once you have specified the trigger events, you must add more details. Click the "+" below the "When a resource event occurs" button.

-You need to add a specific action. Click "Choose an operation" to continue. Then, for the operation, search for "HTTP" and click on "Built-in" to select an HTTP operation. The HTTP action will allow you to query the FHIR service.

-1. The first step is to go back to your Logic App and click the Identity menu item.

-3. Click on Azure role assignments. Click "Add role assignment".

-4. Specify the following:

-When you have specified the first four steps, add the role assignment by Managed identity, using Subscription, Managed identity (Logic App Standard), and select your Logic App by clicking the name and then clicking the Select button. Finally, click "Review + assign" to assign the role.

-After you have given FHIR Reader access to your app, go back to the Logic App workflow Designer. Then add a condition to determine whether the event is one you want to process. Click the "+" below HTTP to "Choose an operation". On the right, search for the word "condition". Click on "Built-in" to display the Control icon. Next click Actions and choose Condition.

-In order to specify whether you want to take action for the specific event, begin specifying the criteria by clicking on "Condition" in the workflow on the left. You will then see a set of condition choices on the right.

-Here is an example of the Condition criteria:

-When you have entered the condition criteria, save your workflow.

-To check the status of your workflow, click Overview in the workflow menu. Here is a dashboard for a workflow:

-Here is an example of a workflow trigger success operation:

-For more information about FHIR events, see

->[!div class="nextstepaction"]

->[What are Events?](./events-overview.md)

-In this quickstart, youΓÇÖll learn how to deploy the Azure Health Data Services Events feature in the Azure portal to send Fast Healthcare Interoperability Resources (FHIR&#174;) event messages.

- >[!NOTE]

- >[!TIP]

- >For more information about providing access using an Azure Managed identity, see [Assign a system-managed identity to an Event Grid system topic](../../event-grid/enable-identity-system-topics.md) and [Event delivery with a managed identity](../../event-grid/managed-service-identity.md)

- >For more information about managed identities, see [What are managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md)

- >For more information about Azure role-based access control (Azure RBAC), see [What is Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md)

-To learn how to display the Events metrics, see

->[!div class="nextstepaction"]

->[How to display Events metrics](./events-display-metrics.md)

->[!div class="nextstepaction"]

->[How to export Events diagnostic logs and metrics](./events-display-metrics.md)

-# Disable Events and delete workspaces

->[!div class="nextstepaction"]

->[Troubleshoot Events](./events-troubleshooting-guide.md)

-|South Africa West | South Africa North |

-| Application Insights | Datahub & Accelerator |

-| App Service | Datahub & Accelerator |

-| App Service Plan | Datahub & Accelerator |

-| API Connection | Datahub |

-| Azure Cache for Redis | Datahub |

-| Azure Cosmos DB | Datahub |

-| Azure Data Factory V2 | Datahub & Accelerator |

-| Azure Batch account | Datahub |

-| Azure Key Vault | Datahub & Accelerator |

-| Event Hub Namespace | Datahub |

-| Logic App | Datahub |

-| Storage Account | Datahub & Accelerator |

-| Time Series Insights | Datahub |

-1. Download the [AAD app generator script](https://aka.ms/FarmBeatsAADScript)

-You are now ready to install FarmBeats. Follow the steps below to start the installation:

-8. Once the entered details are validated, select **OK**. The Terms of use page appear. Review the terms and select **Create** to start the installation. You will be redirected to the page where you can follow the installation progress.

-**Datahub** can be found at https://\<FarmBeats-website-name>-api.azurewebsites.net/swagger. Here you will see the different FarmBeats API objects and perform REST operations on the APIs.

-1. Download the [upgrade script](https://aka.ms/FarmBeatsUpgradeScript)

-To uninstall Azure FarmBeats Datahub or Accelerator, complete the following steps:

-You have learned how to install Azure FarmBeats in your Azure subscription. Now, learn how to [add users](manage-users-in-azure-farmbeats.md#manage-users) to your Azure FarmBeats instance.

-1. Near the top of the file uncomment the `#define ENABLE_DPS_SAMPLE` directive.

-1. Near the top of the file uncomment the `#define ENABLE_DPS_SAMPLE` directive.

-1. Near the top of the file uncomment the `#define ENABLE_DPS_SAMPLE` directive.

-* Download the [MIMXRT1060-EVK SDK 2.9.0 or later](https://mcuxpresso.nxp.com/en/builder). After you sign in, the website lets you build a custom SDK archive to download. After you select the EVK MIMXRT1060 board and click the option to build the SDK, you can download the zip archive. The only SDK component to include is the preselected **SDMMC Stack**.

-1. Near the top of the file uncomment the `#define ENABLE_DPS_SAMPLE` directive.

-1. Select the **Start Debugging project [project name]** toolbar button. This downloads the project to the device, and runs it.

-If you need help debugging the application, see the selections under **Help** in **IAR EW for ARM**.

-If you need help debugging the application, in MCUXpresso open the **Help > MCUXPresso IDE User Guide** and see the content on Azure RTOS debugging.

-You will complete the following tasks:

-1. On the STM DevKit MCU, locate the **Reset** button (1), the Micro USB port (2), which is labeled **USB STLink**, and the board part number (3). You will refer to these items in the next steps. All of them are highlighted in the following picture:

-You can also use IoT Central to call a direct method that you have implemented on your device. Direct methods have a name, and can optionally have a JSON payload, configurable connection, and method timeout. In this section, you call a method that enables you to turn an LED on or off.

-You can also use IoT Central to call a direct method that you have implemented on your device. Direct methods have a name, and can optionally have a JSON payload, configurable connection, and method timeout.

-You can download a free version of STM32Cube IDE, but you will need to create an account. Follow the instructions on the ST website. THe STM32Cube IDE can be downloaded from this website:

-The sample distribution zip file contains the following sub-folders that you will use later:

-In STM32CubeIDE, select ***Project > Build All*** to build sample projects and its dependent libraries. You will observe compilation and linking of the sample project.

-1. On the STM DevKit MCU, locate the **Reset** button (1), the Micro USB port (2), which is labeled **USB STLink**, and the board part number (3). You will refer to these items in the next steps. All of them are highlighted in the following picture:

-You can also use IoT Central to call a direct method that you have implemented on your device. Direct methods have a name, and can optionally have a JSON payload, configurable connection, and method timeout.

-You can also use IoT Central to call a direct method that you have implemented on your device. Direct methods have a name, and can optionally have a JSON payload, configurable connection, and method timeout. In this section, you call a method that enables you to turn an LED on or off.

-In this quickstart, you built a custom image that contains Azure RTOS sample code, and then flashed the image to the STM DevKit device. You also used the IoT Central portal to create Azure resources, connect the STM DevKit securely to Azure, view customer content, and send messages.

-> There is no 'Key Vault Certificate User` because applications require secrets portion of certificate with private key. 'Key Vault Secrets User` role should be used for applications to retrieve certificate.

- Console.Write("Creating a secret in " + keyVaultName + " called '" + secretName + "' with the value '" + secretValue + "` ...");

- System.out.print("Creating a secret in " + keyVaultName + " called '" + secretName + "' with value '" + secretValue + "` ... ");

- 1. Once the virtual machine is created, select it in the Hyper-V Manager. Don't turn on the machine yet.

- 1. The Kali-Linux image is now ready for use. From **Hyper-V Manager**, choose **Action** -> **Start**, then choose **Action** -> **Connect** to connect to the virtual machine. The default username is **kali** and the password is **kali**.

- 1. The Metasploitable image is now ready for use. From **Hyper-V Manager**, choose **Action** -> **Start**, then choose **Action** -> **Connect** to connect to the virtual machine. The default username is **msfadmin** and the password is **msfadmin**.

-> `message='Http request failed with unhandled exception of type 'InvalidOperationException' and message: 'System.InvalidOperationException: Synchronous operations are disallowed. Call ReadAsync or set AllowSynchronousIO to true instead.`

- 

-||||

-| ' | To use a string literal as input or in expressions and functions, wrap the string only with single quotation marks, for example, `'<myString>'`. Do not use double quotation marks (""), which conflict with the JSON formatting around an entire expression. For example: <p>**Yes**: length('Hello') </br>**No**: length("Hello") <p>When you pass arrays or numbers, you don't need wrapping punctuation. For example: <p>**Yes**: length([1, 2, 3]) </br>**No**: length("[1, 2, 3]") |

-| [] | To reference a value at a specific position (index) in an array, use square brackets. For example, to get the second item in an array: <p>`myArray[1]` |

-| . | To reference a property in an object, use the dot operator. For example, to get the `name` property for a `customer` JSON object: <p>`"@parameters('customer').name"` |

-| ? | To reference null properties in an object without a runtime error, use the question mark operator. For example, to handle null outputs from a trigger, you can use this expression: <p>`@coalesce(trigger().outputs?.body?.<someProperty>, '<property-default-value>')` |

- + All internal intermediate artifacts that are produced by AutoML are now stored transparently on the parent run (instead of being sent to the default workspace blob store). Users should be able to see the artifacts that AutoML generates under the 'outputs/` directory on the parent run.

- az ml batch-endpoint create -f endpoint.yml

- JOB_NAME = $(az ml batch-endpoint invoke --name $ENDPOINT_NAME --input azureml:heart-dataset-unlabeled@latest | jq -r '.name')

- az ml batch-endpoint create -f endpoint.yml

-1. At this point, our batch endpoint is ready to be used.

-6. At this point, our batch endpoint is ready to be used.

- az ml batch-endpoint create -f endpoint.yml

-3. At this point, our batch endpoint is ready to be used.

-> The proposed Logic App will create a batch deployment job for each file that triggers the event of *blog created*. However, keep in mind that batch deployments distribute the work at the file level. Since this execution is specifying only one file, then, there will not be any parallelization happening in the deployment. Instead, you will be taking advantage of the capability of batch deployments of executing multiple scoring jobs under the same compute cluster. If you need to run jobs on folders, we recommend you to switch to [Invoking batch endpoints from Azure Data Factory](how-to-use-batch-azure-data-factory.md).

-A taxonomy of the workspace is illustrated in the following diagram:

-[](./media/concept-workspace/azure-machine-learning-taxonomy.png#lightbox)

-The diagram shows the following components of a workspace:

- |`installVolcano`| `True` or `False`, default `True`. AzureML extension needs volcano scheduler to schedule the job. Set to `False` to reuse existing volcano scheduler. For more information about reusing the existing vocano scheduler, refer to [reusing volcano scheduler](./how-to-troubleshoot-kubernetes-extension.md#volcano-scheduler) | Optional| N/A | Optional |

- `No module named 'sklearn.decomposition._truncated_svd`

- `AttributeError: 'SimpleImputer' object has no attribute 'add_indicator`

-* `ml_client` and `online_deployment` are instances for `MLClient` class and `ManagedOnlineDeployment` class, respectively.

-For more, see [Deploy locally in Deploy and score a machine learning model with a managed online endpoint](how-to-deploy-managed-online-endpoints.md#deploy-and-debug-locally-by-using-local-endpoints).

-However, you can [manually call for a synchronization of keys](https://learn.microsoft.com/cli/azure/ml/workspace#az-ml-workspace-sync-keys) which may resolve the authorization failure.

-Container registries that are behind a virtual network may also encounter this error if set up incorrectly. You must verify that the virtual network been set up properly.

- from azure.keyvault.secret import SecretClient

-For an example of submitting a training job using the Azure Machine Learning Python SDK v2, see [Train models with the Python SDK v2](how-to-train-sdk.md).

- credentials={

- "sas_token": "?xx=XXXX-XX-XX&xx=xxxx&xxx=xxx&xx=xxxxxxxxxxx&xx=XXXX-XX-XXXXX:XX:XXX&xx=XXXX-XX-XXXXX:XX:XXX&xxx=xxxxx&xxx=XXxXXXxxxxxXXXXXXXxXxxxXXXXXxxXXXXXxXXXXxXXXxXXxXX"

- },

-step1_output_ds = step1_output_data.register_on_complete(name='processed_data',

- description = 'files from step1`)

-This article describes how to create an Azure VM assessment for on-premises servers in you VMware, Hyper-V or physical/other cloud environment with Azure Migrate: Discovery and assessment.

-[Azure Migrate](migrate-services-overview.md) helps you to migrate to Azure. Azure Migrate provides a centralized hub to track discovery, assessment, and migration of on-premises infrastructure, applications, and data to Azure. The hub provides Azure tools for assessment and migration, as well as third-party independent software vendor (ISV) offerings.

-There are two types of sizing criteria you can use to create an Azure VM assessment using Azure Migrate: Discovery and assessment.

-**Performance-based** | Assessments based on collected performance data | **Recommended VM size**: Based on CPU and memory utilization data.<br/><br/> **Recommended disk type (standard or premium managed disk)**: Based on the IOPS and throughput of the on-premises disks.

-**As on-premises** | Assessments based on on-premises sizing. | **Recommended VM size**: Based on the on-premises VM size<br/><br> **Recommended disk type**: Based on the storage type setting you select for the assessment.

-1. On the **Overview** page > **Windows, Linux and SQL Server**, click **Assess and migrate servers**.

- 

-2. In **Azure Migrate: Discovery and assessment**, click **Assess** and select **Azure VM**

- 

-3. In **Assess servers** > **Assessment type**

-1. Click **Edit** to review the assessment properties.

- 

- - In Azure Government, you can target assessments in [these regions](migrate-support-matrix.md#azure-government)

- - In **Performance history**, indicate the data duration on which you want to base the assessment

- - In **VM Series**, specify the Azure VM series you want to consider.

- - Tweak settings as needed. For example, if you don't have a production environment that needs A-series VMs in Azure, you can exclude A-series from the list of series.

- - In **VM Uptime**, specify the duration (days per month/hour per day) that VMs will run.

-1. Click **Save** if you make changes.

- 

-1. In **Assess Servers** > click **Next**.

- 

-1. Select the appliance, and select the VMs you want to add to the group. Then click **Next**.

-1. In **Review + create assessment**, review the assessment details, and click **Create Assessment** to create the group and run the assessment.

-1. After the assessment is created, view it in **Servers** > **Azure Migrate: Discovery and assessment** > **Assessments**.

-1. Click **Export assessment**, to download it as an Excel file.

-1. In **Windows, Linux and SQL Server** > **Azure Migrate: Discovery and assessment**, click the number next to **Azure VM assessment**.

- 

- - **Ready for Azure**: Azure Migrate recommends a VM size and cost estimates for VMs in the assessment.

- - **Not ready for Azure**: Shows issues and suggested remediation.

-3. Click on an **Azure readiness** status. You can view server readiness details, and drill down to see server details, including compute, storage, and network settings.

-

-```

-If creating a cluster results in an error that `No registered resource provider found for location '<location>' and API version '2019-04-30' for type 'openShiftManagedClusters'. The supported api-versions are '2018-09-30-preview`, then you were part of the preview and now need to [purchase Azure virtual machine reserved instances](https://aka.ms/openshift/buy) to use the generally available product. A reservation reduces your spend by pre-paying for fully managed Azure services. Refer to [*What are Azure Reservations*](../cost-management-billing/reservations/save-compute-costs-reservations.md) to learn more about reservations and how they save you money.

-# Connect to and manage Cassandra in Microsoft Purview (Preview)

-# Connect to and manage Db2 in Microsoft Purview (Preview)

-# Connect to and manage erwin Mart servers in Microsoft Purview (Preview)

-# Connect to and manage Google BigQuery projects in Microsoft Purview (Preview)

-# Connect to and manage MongoDB in Microsoft Purview (Preview)

-# Connect to and manage MySQL in Microsoft Purview (Preview)

-# Connect to and manage PostgreSQL in Microsoft Purview (Preview)

-# Connect to and manage Salesforce in Microsoft Purview (Preview)

-# Connect to and manage SAP Business Warehouse in Microsoft Purview (Preview)

-# Connect to and manage SAP HANA in Microsoft Purview (Preview)

-# Connect to and manage Snowflake in Microsoft Purview (Preview)

- :::image type="content" source="media/search-get-started-portal/import-datasource-sample.png" alt-text="Screenshot of the select sample dataset page in the wizard.":::

- :::image type="content" source="media/search-get-started-portal/skip-cog-skill-step.png" alt-text="Screenshot of the Skip cognitive skill button in the wizard.":::

-Fields have data types and attributes. The check boxes across the top are *index attributes* controlling how the field is used.

-+ **Key** is the unique document identifier. It's always a string, and it's required.

-Storage requirements don't vary as a result of your selection. For example, if you set the **Retrievable** attribute on multiple fields, storage requirements don't go up.

- :::image type="content" source="media/search-get-started-portal/hotels-indexer.png" alt-text="Screenshot of the hotels indexer definition in the wizard.":::

- :::image type="content" source="media/search-get-started-portal/indexers-inprogress.png" alt-text="Screenshot of the indexer progress message in the wizard.":::

- :::image type="content" source="media/search-get-started-portal/indexes-list.png" alt-text="Screenshot of the Indexes list on the service dashboard.":::

- :::image type="content" source="media/search-get-started-portal/sample-index-def.png" alt-text="Screenshot of the sample index definition in Azure portal.":::

- :::image type="content" source="medi.png" alt-text="Screenshot of the Search Explorer command on the command bar.":::

- :::image type="content" source="media/search-get-started-portal/search-explorer-changeindex.png" alt-text="Screenshot of the Index and API selection lists in Search Explorer.":::

- :::image type="content" source="media/search-get-started-portal/search-explorer-query-string-example.png" alt-text="Screenshot of the query string text field and search button in Search Explorer.":::

-You learned how to create a search index using the **Import data** wizard. You created your first [indexer](search-indexer-overview.md) and learned the basic workflow for index design.

-Once data is indexed, the physical data structures of the index are locked in. For guidance on what can and cannot be changed, see [Drop and rebuild an index](search-howto-reindex.md).

-Indexing is not a background process. A search service will balance indexing and query workloads, but if [query latency is too high](search-performance-analysis.md#impact-of-indexing-on-queries), you can either [add capacity](search-capacity-planning.md#add-or-reduce-replicas-and-partitions) or identify periods of low query activity for loading an index.

-Using Azure portal, the sole means for loading an index is the [Import Data wizard](search-import-data-portal.md). The wizard creates objects. If you want to load an existing index, you will need to use an alternative approach.

-1. [Find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2storageAccounts/) and on the Overview page, click **Import data** on the command bar to create and populate a search index.

-1. Follow this link to review the workflow: [Quickstart: Create an Azure Cognitive Search index in the Azure portal](search-get-started-portal.md).

-When the document key or ID is new, **null** becomes the value for any field that is unspecified in the document. For actions on an existing document, updated values replace the previous values. Any fields that were not specified in a "merge" or "mergeUpload" are left intact in the search index.

-1. Is the field list accurate? If your data source contains fields that were not picked up in sampling, you can manually add any new fields that sampling missed, and remove any that don't add value to a search experience or that won't be used in a [filter expression](search-query-odata-filter.md) or [scoring profile](index-add-scoring-profiles.md).

- Take your time with this step because attributes determine the physical expression of fields in the index. If you want to change attributes later, even programmatically, you will almost always need to drop and rebuild the index. Core attributes like **Searchable** and **Retrievable** have a [negligible impact on storage](search-what-is-an-index.md#index-size). Enabling filters and using suggesters increase storage requirements.

- "token_filter_name_1

- "option1":value1,

- "option2":value2,

- "option1":value1,

- "option2":value2,

- ],,

-integer_literal ::= digit+

- - http://www&#46;d-trust&#46;net

- - http://root-c3-ca2-2009&#46;ocsp&#46;d-trust&#46;net

- - http://www&#46;microsoft&#46;com/pkiops

-As of **October 24, 2022**, [Microsoft 365 Defender](/microsoft-365/security/defender/) will be integrating [Azure Active Directory Identity Protection (AADIP)](../active-directory/identity-protection/index.yml) alerts and incidents. Customers can choose between two levels of integration:

-This integration can't be disabled.

- | **1** | Keep the default AADIP integration of **Selective alerts**. | Disable any [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |

- | **2** | Choose the **All alerts** AADIP integration. | Create automation rules to automatically close incidents with unwanted alerts.<br><br>Disable any [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |

- | **3** | Don't use Microsoft 365 Defender for AADIP alerts:<br>Choose either option for AADIP integration. | Create automation rules to close all incidents where <br>- the *incident provider* is `Microsoft 365 Defender` and <br>- the *alert provider* is `Azure Active Directory Identity Protection`. <br><br>Leave enabled those [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |

-3. Write a .NET Core console application to send a set of messages to the queue.

-4. Write a .NET Core console application to receive those messages from the queue.

-This section shows you how to create a .NET Core console application to send messages to a Service Bus queue.

-1. Start Visual Studio 2019.

-### Add the Service Bus NuGet package

- ```cmd

-### Add code to send messages to the queue

-1. In **Program.cs**, add the following `using` statements at the top of the namespace definition, before the class declaration.

- ```csharp

- using System.Threading.Tasks;

- using Azure.Messaging.ServiceBus;

- ```

-2. Within the `Program` class, declare the following properties, just before the `Main` method.

- Replace `<NAMESPACE CONNECTION STRING>` with the primary connection string to your Service Bus namespace. And, replace `<QUEUE NAME>` with the name of your queue.

- ```csharp

- // connection string to your Service Bus namespace

- static string connectionString = "<NAMESPACE CONNECTION STRING>";

- static string queueName = "<QUEUE NAME>";

- static ServiceBusClient client;

- static ServiceBusSender sender;

- private const int numOfMessages = 3;

-3. Replace code in the `Main` method with the following code. See code comments for details about the code. Here are the important steps from the code.

- 1. Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the primary connection string to the namespace.

- 1. Invokes the [CreateSender](/dotnet/api/azure.messaging.servicebus.servicebusclient.createsender) method on the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object to create a [ServiceBusSender](/dotnet/api/azure.messaging.servicebus.servicebussender) object for the specific Service Bus queue.

- 1. Creates a [ServiceBusMessageBatch](/dotnet/api/azure.messaging.servicebus.servicebusmessagebatch) object by using the [ServiceBusSender.CreateMessageBatchAsync](/dotnet/api/azure.messaging.servicebus.servicebussender.createmessagebatchasync) method.

- 1. Add messages to the batch using the [ServiceBusMessageBatch.TryAddMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessagebatch.tryaddmessage).

- 1. Sends the batch of messages to the Service Bus queue using the [ServiceBusSender.SendMessagesAsync](/dotnet/api/azure.messaging.servicebus.servicebussender.sendmessagesasync) method.

- ```csharp

- static async Task Main()

- {

- // The Service Bus client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when messages are being published or read

- // regularly.

- //

- // set the transport type to AmqpWebSockets so that the ServiceBusClient uses the port 443.

- // If you use the default AmqpTcp, you will need to make sure that the ports 5671 and 5672 are open

- var clientOptions = new ServiceBusClientOptions() { TransportType = ServiceBusTransportType.AmqpWebSockets };

- client = new ServiceBusClient(connectionString, clientOptions);

- sender = client.CreateSender(queueName);

-

- // create a batch

- using ServiceBusMessageBatch messageBatch = await sender.CreateMessageBatchAsync();

-

- for (int i = 1; i <= numOfMessages; i++)

- {

- // try adding a message to the batch

- if (!messageBatch.TryAddMessage(new ServiceBusMessage($"Message {i}")))

- {

- // if it is too large for the batch

- throw new Exception($"The message {i} is too large to fit in the batch.");

- }

- }

-

- try

- {

- // Use the producer client to send the batch of messages to the Service Bus queue

- await sender.SendMessagesAsync(messageBatch);

- Console.WriteLine($"A batch of {numOfMessages} messages has been published to the queue.");

- }

- finally

- {

- // Calling DisposeAsync on client types is required to ensure that network

- // resources and other unmanaged objects are properly cleaned up.

- await sender.DisposeAsync();

- await client.DisposeAsync();

- }

-

- Console.WriteLine("Press any key to end the application");

- Console.ReadKey();

- }

- ```

-4. Here's what your Program.cs file should look like:

- using System;

- using System.Threading.Tasks;

- namespace QueueSender

- class Program

- // connection string to your Service Bus namespace

- static string connectionString = "<NAMESPACE CONNECTION STRING>";

- // name of your Service Bus queue

- static string queueName = "<QUEUE NAME>";

-

- // the client that owns the connection and can be used to create senders and receivers

- static ServiceBusClient client;

-

- // the sender used to publish messages to the queue

- static ServiceBusSender sender;

-

- // number of messages to be sent to the queue

- private const int numOfMessages = 3;

-

- static async Task Main()

- {

- // The Service Bus client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when messages are being published or read

- // regularly.

- //

- // set the transport type to AmqpWebSockets so that the ServiceBusClient uses the port 443.

- // If you use the default AmqpTcp, you will need to make sure that the ports 5671 and 5672 are open

-

- var clientOptions = new ServiceBusClientOptions() { TransportType = ServiceBusTransportType.AmqpWebSockets };

- client = new ServiceBusClient(connectionString, clientOptions);

- sender = client.CreateSender(queueName);

-

- // create a batch

- using ServiceBusMessageBatch messageBatch = await sender.CreateMessageBatchAsync();

-

- for (int i = 1; i <= numOfMessages; i++)

- {

- // try adding a message to the batch

- if (!messageBatch.TryAddMessage(new ServiceBusMessage($"Message {i}")))

- {

- // if it is too large for the batch

- throw new Exception($"The message {i} is too large to fit in the batch.");

- }

- }

-

- try

- {

- // Use the producer client to send the batch of messages to the Service Bus queue

- await sender.SendMessagesAsync(messageBatch);

- Console.WriteLine($"A batch of {numOfMessages} messages has been published to the queue.");

- }

- finally

- {

- // Calling DisposeAsync on client types is required to ensure that network

- // resources and other unmanaged objects are properly cleaned up.

- await sender.DisposeAsync();

- await client.DisposeAsync();

- }

-

- Console.WriteLine("Press any key to end the application");

- Console.ReadKey();

- }

- }

-5. Replace `<NAMESPACE CONNECTION STRING>` with the primary connection string to your Service Bus namespace. And, replace `<QUEUE NAME>` with the name of your queue.

- :::image type="content" source="./media/service-bus-dotnet-get-started-with-queues/sent-messages-essentials.png" alt-text="Image showing the number of messages received and the size of the queue" lightbox="./media/service-bus-dotnet-get-started-with-queues/sent-messages-essentials.png":::

-In this section, you'll create a .NET Core console application that receives messages from the queue.

-> This quick start provides step-by-step instructions to implement a simple scenario of sending a batch of messages to a Service Bus queue and then receiving them. For more samples on other and advanced scenarios, see [Service Bus .NET samples on GitHub](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/servicebus/Azure.Messaging.ServiceBus/samples).

-### Add the Service Bus NuGet package to the Receiver project

-1. In the **Package Manager Console** window, confirm that **QueueReceiver** is selected for the **Default project**. If not, use the drop-down list to select **QueueReceiver**.

- :::image type="content" source="./media/service-bus-dotnet-get-started-with-queues/package-manager-console.png" alt-text="Screenshot showing QueueReceiver project selected in the Package Manager Console":::

- ```cmd

-1. In **Program.cs**, add the following `using` statements at the top of the namespace definition, before the class declaration.

-2. Within the `Program` class, declare the following properties, just before the `Main` method.

- Replace `<NAMESPACE CONNECTION STRING>` with the primary connection string to your Service Bus namespace. And, replace `<QUEUE NAME>` with the name of your queue.

- // connection string to your Service Bus namespace

- static string connectionString = "<NAMESPACE CONNECTION STRING>";

- // name of your Service Bus queue

- static string queueName = "<QUEUE NAME>";

- static ServiceBusClient client;

- static ServiceBusProcessor processor;

-3. Add the following methods to the `Program` class to handle received messages and any errors.

- static async Task MessageHandler(ProcessMessageEventArgs args)

- static Task ErrorHandler(ProcessErrorEventArgs args)

-4. Replace code in the `Main` method with the following code. See code comments for details about the code. Here are the important steps from the code.

- 1. Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the primary connection string to the namespace.

- 1. Invokes the [CreateProcessor](/dotnet/api/azure.messaging.servicebus.servicebusclient.createprocessor) method on the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object to create a [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object for the specified Service Bus queue.

- 1. Specifies handlers for the [ProcessMessageAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.processmessageasync) and [ProcessErrorAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.processerrorasync) events of the [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object.

- 1. Starts processing messages by invoking the [StartProcessingAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.startprocessingasync) on the [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object.

- 1. When user presses a key to end the processing, invokes the [StopProcessingAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.stopprocessingasync) on the [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object.

- For more information, see code comments.

- ```csharp

- static async Task Main()

- {

- // The Service Bus client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when messages are being published or read

- // regularly.

- //

- // set the transport type to AmqpWebSockets so that the ServiceBusClient uses the port 443.

- // If you use the default AmqpTcp, you will need to make sure that the ports 5671 and 5672 are open

-

- var clientOptions = new ServiceBusClientOptions() { TransportType = ServiceBusTransportType.AmqpWebSockets };

- client = new ServiceBusClient(connectionString, clientOptions);

-

- // create a processor that we can use to process the messages

- processor = client.CreateProcessor(queueName, new ServiceBusProcessorOptions());

-

- try

- {

- // add handler to process messages

- processor.ProcessMessageAsync += MessageHandler;

-

- // add handler to process any errors

- processor.ProcessErrorAsync += ErrorHandler;

-

- // start processing

- await processor.StartProcessingAsync();

-

- Console.WriteLine("Wait for a minute and then press any key to end the processing");

- Console.ReadKey();

-

- // stop processing

- Console.WriteLine("\nStopping the receiver...");

- await processor.StopProcessingAsync();

- Console.WriteLine("Stopped receiving messages");

- }

- finally

- {

- // Calling DisposeAsync on client types is required to ensure that network

- // resources and other unmanaged objects are properly cleaned up.

- await processor.DisposeAsync();

- await client.DisposeAsync();

- }

- }

- ```

-5. Here's what your `Program.cs` should look like:

- using System;

- namespace QueueReceiver

- class Program

- {

- // connection string to your Service Bus namespace

- static string connectionString = "<NAMESPACE CONNECTION STRING>";

-

- // name of your Service Bus queue

- static string queueName = "<QUEUE NAME>";

-

-

- // the client that owns the connection and can be used to create senders and receivers

- static ServiceBusClient client;

-

- // the processor that reads and processes messages from the queue

- static ServiceBusProcessor processor;

-

- // handle received messages

- static async Task MessageHandler(ProcessMessageEventArgs args)

- {

- string body = args.Message.Body.ToString();

- Console.WriteLine($"Received: {body}");

-

- // complete the message. messages is deleted from the queue.

- await args.CompleteMessageAsync(args.Message);

- }

-

- // handle any errors when receiving messages

- static Task ErrorHandler(ProcessErrorEventArgs args)

- {

- Console.WriteLine(args.Exception.ToString());

- return Task.CompletedTask;

- }

-

- static async Task Main()

- {

- // The Service Bus client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when messages are being published or read

- // regularly.

- //

- // set the transport type to AmqpWebSockets so that the ServiceBusClient uses the port 443.

- // If you use the default AmqpTcp, you will need to make sure that the ports 5671 and 5672 are open

-

- var clientOptions = new ServiceBusClientOptions() { TransportType = ServiceBusTransportType.AmqpWebSockets };

- client = new ServiceBusClient(connectionString, clientOptions);

-

- // create a processor that we can use to process the messages

- processor = client.CreateProcessor(queueName, new ServiceBusProcessorOptions());

-

- try

- {

- // add handler to process messages

- processor.ProcessMessageAsync += MessageHandler;

-

- // add handler to process any errors

- processor.ProcessErrorAsync += ErrorHandler;

-

- // start processing

- await processor.StartProcessingAsync();

-

- Console.WriteLine("Wait for a minute and then press any key to end the processing");

- Console.ReadKey();

-

- // stop processing

- Console.WriteLine("\nStopping the receiver...");

- await processor.StopProcessingAsync();

- Console.WriteLine("Stopped receiving messages");

- }

- finally

- {

- // Calling DisposeAsync on client types is required to ensure that network

- // resources and other unmanaged objects are properly cleaned up.

- await processor.DisposeAsync();

- await client.DisposeAsync();

- }

- }

- }

-6. Replace `<NAMESPACE CONNECTION STRING>` with the primary connection string to your Service Bus namespace. And, replace `<QUEUE NAME>` with the name of your queue.

-7. Build the project, and ensure that there are no errors.

-8. Run the receiver application. You should see the received messages. Press any key to stop the receiver and the application.

-9. Check the portal again. Wait for a few minutes and refresh the page if you don't see `0` for **Active** messages.

-4. Write a .NET Core console application to send a set of messages to the topic.

-5. Write a .NET Core console application to receive those messages from the subscription.

-If you're new to the service, see [Service Bus overview](service-bus-messaging-overview.md) before you do this quickstart.

-This section shows you how to create a .NET Core console application to send messages to a Service Bus topic.

-1. Start Visual Studio 2019.

-1. Select **Create a new project**.

-1. On the **Create a new project** dialog box, do the following steps: If you don't see this dialog box, select **File** on the menu, select **New**, and then select **Project**.

- 1. Select **Console** for the type of the application.

- 1. Select **Console Application** from the results list.

- 1. Then, select **Next**.

-### Add the Service Bus NuGet package

-1. Select **Tools** > **NuGet Package Manager** > **Package Manager Console** from the menu.

-1. Run the following command to install the [Azure.Messaging.ServiceBus](https://www.nuget.org/packages/Azure.Messaging.ServiceBus/) NuGet package:

- ```cmd

-1. In **Program.cs**, add the following `using` statements at the top of the namespace definition, before the class declaration.

- ```

-2. Within the `Program` class, declare the following properties, just before the `Main` method. Replace `<NAMESPACE CONNECTION STRING>` with the connection string to your Service Bus namespace. And, replace `<TOPIC NAME>` with the name of your Service Bus topic.

- ```csharp

- // connection string to your Service Bus namespace

- static string connectionString = "<NAMESPACE CONNECTION STRING>";

- // name of your Service Bus topic

- static string topicName = "<TOPIC NAME>";

- static ServiceBusClient client;

- static ServiceBusSender sender;

- private const int numOfMessages = 3;

- ```

-1. Replace code in the **Program.cs** with the following code. Here are the important steps from the code.

- 1. Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the connection string to the namespace.

- 1. Invokes the [CreateSender](/dotnet/api/azure.messaging.servicebus.servicebusclient.createsender) method on the `ServiceBusClient` object to create a [ServiceBusSender](/dotnet/api/azure.messaging.servicebus.servicebussender) object for the specific Service Bus topic.

- 1. Creates a [ServiceBusMessageBatch](/dotnet/api/azure.messaging.servicebus.servicebusmessagebatch) object by using the [ServiceBusSender.CreateMessageBatchAsync](/dotnet/api/azure.messaging.servicebus.servicebussender.createmessagebatchasync).

- 1. Add messages to the batch using the [ServiceBusMessageBatch.TryAddMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessagebatch.tryaddmessage).

- 1. Sends the batch of messages to the Service Bus topic using the [ServiceBusSender.SendMessagesAsync](/dotnet/api/azure.messaging.servicebus.servicebussender.sendmessagesasync) method.

-

- ```csharp

- static async Task Main()

- {

- // The Service Bus client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when messages are being published or read

- // regularly.

- //

- // Create the clients that we'll use for sending and processing messages.

- client = new ServiceBusClient(connectionString);

- sender = client.CreateSender(topicName);

- // create a batch

- using ServiceBusMessageBatch messageBatch = await sender.CreateMessageBatchAsync();

- for (int i = 1; i <= numOfMessages; i++)

- {

- // try adding a message to the batch

- if (!messageBatch.TryAddMessage(new ServiceBusMessage($"Message {i}")))

- {

- // if it is too large for the batch

- throw new Exception($"The message {i} is too large to fit in the batch.");

- }

- }

- try

- {

- // Use the producer client to send the batch of messages to the Service Bus topic

- await sender.SendMessagesAsync(messageBatch);

- Console.WriteLine($"A batch of {numOfMessages} messages has been published to the topic.");

- }

- finally

- // Calling DisposeAsync on client types is required to ensure that network

- // resources and other unmanaged objects are properly cleaned up.

- await sender.DisposeAsync();

- await client.DisposeAsync();

- Console.WriteLine("Press any key to end the application");

- Console.ReadKey();

-1. Here's what your Program.cs file should look like:

-

- For more information, see code comments.

- using System;

-

- namespace TopicSender

- class Program

- // connection string to your Service Bus namespace

- static string connectionString = "<NAMESPACE CONNECTION STRING>";

-

- // name of your Service Bus topic

- static string topicName = "<TOPIC NAME>";

-

- // the client that owns the connection and can be used to create senders and receivers

- static ServiceBusClient client;

-

- // the sender used to publish messages to the topic

- static ServiceBusSender sender;

-

- // number of messages to be sent to the topic

- private const int numOfMessages = 3;

-

- static async Task Main()

- {

- // The Service Bus client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when messages are being published or read

- // regularly.

- //

- // Create the clients that we'll use for sending and processing messages.

- client = new ServiceBusClient(connectionString);

- sender = client.CreateSender(topicName);

-

- // create a batch

- using ServiceBusMessageBatch messageBatch = await sender.CreateMessageBatchAsync();

-

- for (int i = 1; i <= numOfMessages; i++)

- {

- // try adding a message to the batch

- if (!messageBatch.TryAddMessage(new ServiceBusMessage($"Message {i}")))

- {

- // if it is too large for the batch

- throw new Exception($"The message {i} is too large to fit in the batch.");

- }

- }

-

- try

- {

- // Use the producer client to send the batch of messages to the Service Bus topic

- await sender.SendMessagesAsync(messageBatch);

- Console.WriteLine($"A batch of {numOfMessages} messages has been published to the topic.");

- }

- finally

- {

- // Calling DisposeAsync on client types is required to ensure that network

- // resources and other unmanaged objects are properly cleaned up.

- await sender.DisposeAsync();

- await client.DisposeAsync();

- }

-

- Console.WriteLine("Press any key to end the application");

- Console.ReadKey();

- }

- }

-1. Replace `<NAMESPACE CONNECTION STRING>` with the connection string to your Service Bus namespace. And, replace `<TOPIC NAME>` with the name of your Service Bus topic.

-In this section, you'll create a .NET Core console application that receives messages from the subscription to the Service Bus topic.

-### Add the Service Bus NuGet package

-1. Select **Tools** > **NuGet Package Manager** > **Package Manager Console** from the menu.

-1. In the **Package Manager Console** window, confirm that **SubscriptionReceiver** is selected for the **Default project**. If not, use the drop-down list to select **SubscriptionReceiver**.

- :::image type="content" source="./media/service-bus-dotnet-how-to-use-topics-subscriptions/select-subscription-receiver-project.png" alt-text="Image showing the selection of SubscriptionReceiver project in the Package Manager Console window." lightbox="./media/service-bus-dotnet-how-to-use-topics-subscriptions/select-subscription-receiver-project.png":::

- ```cmd

-1. In **Program.cs**, add the following `using` statements at the top of the namespace definition, before the class declaration.

- ```

-2. Within the `Program` class, declare the following properties, just before the `Main` method. Replace the placeholders with correct values:

- - `<NAMESPACE CONNECTION STRING>` with the connection string to your Service Bus namespace

- - `<TOPIC NAME>` with the name of your Service Bus topic

- - `<SERVICE BUS - TOPIC SUBSCRIPTION NAME>` with the name of the subscription to the topic.

- ```csharp

- // connection string to your Service Bus namespace

- static string connectionString = "<NAMESPACE CONNECTION STRING>";

- // name of the Service Bus topic

- static string topicName = "<SERVICE BUS TOPIC NAME>";

- // name of the subscription to the topic

- static string subscriptionName = "<SERVICE BUS - TOPIC SUBSCRIPTION NAME>";

- // the client that owns the connection and can be used to create senders and receivers

- static ServiceBusClient client;

- // the processor that reads and processes messages from the subscription

- static ServiceBusProcessor processor;

-3. Add the following methods to the `Program` class to handle received messages and any errors.

- static async Task MessageHandler(ProcessMessageEventArgs args)

- Console.WriteLine($"Received: {body} from subscription: {subscriptionName}");

- static Task ErrorHandler(ProcessErrorEventArgs args)

-1. Replace code in the **Program.cs** with the following code. Here are the important steps from the code:

- 1. Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the connection string to the namespace.

- 1. Invokes the [CreateProcessor](/dotnet/api/azure.messaging.servicebus.servicebusclient.createprocessor) method on the `ServiceBusClient` object to create a [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object for the specified Service Bus queue.

- 1. Specifies handlers for the [ProcessMessageAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.processmessageasync) and [ProcessErrorAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.processerrorasync) events of the `ServiceBusProcessor` object.

- 1. Starts processing messages by invoking the [StartProcessingAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.startprocessingasync) on the `ServiceBusProcessor` object.

- 1. When user presses a key to end the processing, invokes the [StopProcessingAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.stopprocessingasync) on the `ServiceBusProcessor` object.

-

- static async Task Main()

- // The Service Bus client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when messages are being published or read

- // regularly.

- //

- // Create the clients that we'll use for sending and processing messages.

- client = new ServiceBusClient(connectionString);

- // create a processor that we can use to process the messages

- processor = client.CreateProcessor(topicName, subscriptionName, new ServiceBusProcessorOptions());

- try

- {

- // add handler to process messages

- processor.ProcessMessageAsync += MessageHandler;

- // add handler to process any errors

- processor.ProcessErrorAsync += ErrorHandler;

- // start processing

- await processor.StartProcessingAsync();

- Console.WriteLine("Wait for a minute and then press any key to end the processing");

- Console.ReadKey();

- // stop processing

- Console.WriteLine("\nStopping the receiver...");

- await processor.StopProcessingAsync();

- Console.WriteLine("Stopped receiving messages");

- }

- finally

- {

- // Calling DisposeAsync on client types is required to ensure that network

- // resources and other unmanaged objects are properly cleaned up.

- await processor.DisposeAsync();

- await client.DisposeAsync();

- }

- }

- namespace SubscriptionReceiver

- class Program

- {

- // connection string to your Service Bus namespace

- static string connectionString = "<NAMESPACE CONNECTION STRING>";

-

- // name of the Service Bus topic

- static string topicName = "<SERVICE BUS TOPIC NAME>";

-

- // name of the subscription to the topic

- static string subscriptionName = "<SERVICE BUS - TOPIC SUBSCRIPTION NAME>";

-

- // the client that owns the connection and can be used to create senders and receivers

- static ServiceBusClient client;

-

- // the processor that reads and processes messages from the subscription

- static ServiceBusProcessor processor;

-

- // handle received messages

- static async Task MessageHandler(ProcessMessageEventArgs args)

- {

- string body = args.Message.Body.ToString();

- Console.WriteLine($"Received: {body} from subscription: {subscriptionName}");

-

- // complete the message. messages is deleted from the subscription.

- await args.CompleteMessageAsync(args.Message);

- }

-

- // handle any errors when receiving messages

- static Task ErrorHandler(ProcessErrorEventArgs args)

- {

- Console.WriteLine(args.Exception.ToString());

- return Task.CompletedTask;

- }

-

- static async Task Main()

- {

- // The Service Bus client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when messages are being published or read

- // regularly.

- //

- // Create the clients that we'll use for sending and processing messages.

- client = new ServiceBusClient(connectionString);

-

- // create a processor that we can use to process the messages

- processor = client.CreateProcessor(topicName, subscriptionName, new ServiceBusProcessorOptions());

-

- try

- {

- // add handler to process messages

- processor.ProcessMessageAsync += MessageHandler;

-

- // add handler to process any errors

- processor.ProcessErrorAsync += ErrorHandler;

- // start processing

- await processor.StartProcessingAsync();

- Console.WriteLine("Wait for a minute and then press any key to end the processing");

- Console.ReadKey();

- // stop processing

- Console.WriteLine("\nStopping the receiver...");

- await processor.StopProcessingAsync();

- Console.WriteLine("Stopped receiving messages");

- }

- finally

- {

- // Calling DisposeAsync on client types is required to ensure that network

- // resources and other unmanaged objects are properly cleaned up.

- await processor.DisposeAsync();

- await client.DisposeAsync();

- }

- }

- }

-1. Replace the placeholders with correct values:

- - `<NAMESPACE CONNECTION STRING>` with the connection string to your Service Bus namespace

- - `<TOPIC NAME>` with the name of your Service Bus topic

- - `<SERVICE BUS - TOPIC SUBSCRIPTION NAME>` with the name of the subscription to the topic.

-> When upgrading from V1 to V2, ensure the `Remoting` namespace is updated to use V2. Example: 'Microsoft.ServiceFabric.Services.Remoting.V2.FabricTransport.Client`

->

->

-description: Learn how to customize Azure Spring Cloud egress with a user-defined route.

-# Customize Azure Spring Cloud egress with a user-defined route

-For more information, see [Migrate Spring applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-cloud-to-azure-spring-cloud).

-1. Access the composed endpoint with the access token. Put the access token in a header to provide authorization: `--header 'Authorization: Bearer {TOKEN_FROM_PREVIOUS_STEP}`.

- a. Access an endpoint like *'https://SERVICE_NAME.svc.azuremicroservices.io/config/actuator/health'* to see the health status of Config Server.

- b. Access an endpoint like *'https://SERVICE_NAME.svc.azuremicroservices.io/eureka/eureka/apps'* to see the registered apps in Spring Cloud Service Registry (Eureka here).

- If the response is *401 Unauthorized*, check to see if the role is successfully assigned. It will take several minutes for the role to take effect or to verify that the access token has not expired.

-* [Azure CLI](/cli/azure/install-azure-cli).

-> [!NOTE]

-> This command requires you to run the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

-* [Azure CLI](/cli/azure/install-azure-cli).

-> [!NOTE]

-> This command requires you to run the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

-description: How to bring your own storage as persistent storages in Azure Spring Apps

-When you use the built-in persistent storage in Azure Spring Apps, artifacts generated by your application are uploaded into Azure Storage Accounts. Microsoft controls the encryption-at-rest and lifetime management policies for those artifacts.

-With Bring Your Own Storage, these artifacts are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy and network access. You will, however, be responsible for the costs associated with that storage account.

-* An existing Azure Storage Account and a pre-created Azure File Share. If you need to create a storage account and file share in Azure, see [Create an Azure file share](../storage/files/storage-how-to-create-file-share.md).

-* The [Azure Spring Apps extension](/cli/azure/azure-cli-extensions-overview) for the Azure CLI

-> If you deployed your Azure Spring Apps in your own virtual network and you want the storage account to be accessed only from the virtual network, consult the following guidance:

-> - [Use private endpoints for Azure Storage](../storage/common/storage-private-endpoints.md)

-> - [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md), especially the [Grant access from a virtual network using service endpoint](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) section

-> Updating persistent storage will result in the restart of applications.

-1. Go to the service **Overview** page, then select **Storage** in the left-hand navigation pane.

-1. On the **Storage** page, select **Add storage**, add the values in the following table, and then select **Apply**.

- :::image type="content" source="media/how-to-custom-persistent-storage/add-storage-resource.png" alt-text="Screenshot of Azure portal showing the Storage page and the 'Add storage' pane." lightbox="media/how-to-custom-persistent-storage/add-storage-resource.png":::

-1. Go to the **Apps** page, then select an application to mount the persistent storage.

-1. Select **Configuration**, then select **Persistent Storage**.

-1. Select **Add persistent storage**, add the values in the following table, and then select **Apply**.

- :::image type="content" source="media/how-to-custom-persistent-storage/add-persistent-storage.png" alt-text="Screenshot of Azure portal 'Add persistent storage' form.":::

-1. Select **Save** to apply all the configuration changes.

- :::image type="content" source="media/how-to-custom-persistent-storage/save-persistent-storage-changes.png" alt-text="Screenshot of Azure portal Persistent Storage section of the Configuration page." lightbox="media/how-to-custom-persistent-storage/save-persistent-storage-changes.png":::

-You can enable your own storage with the Azure CLI by using the following steps.

-1. Use the following command to bind your Azure Storage account as a storage resource in your Azure Spring Apps instance:

- Here's a sample of the JSON file that is passed to the `--persistent-storage` parameter in the create command:

-1. Optionally, add extra persistent storage to an existing app using the following command:

-1. Optionally, list all existing persistent storage of a specific storage resource using the following command:

-## Use best practices

-Use the following best practices when adding your own persistent storage to Azure Spring Apps.

-* To avoid potential latency issues, place the Azure Spring Apps instance and the Azure Storage Account in the same Azure region.

-* In the Azure Storage Account, avoid regenerating the account key that's being used. The storage account contains two different keys. Use a step-by-step approach to ensure that the persistent storage remains available to the applications during key regeneration.

- For example, assuming that you used key1 to bind a storage account to Azure Spring Apps, you would use the following steps:

- 1. Regenerate key2.

- 1. Update the account key of the storage resource to use the regenerated key2.

- 1. Restart the applications that mount the persistent storage from this storage resource. (You can use `az spring storage list-persistent-storage` to list all related applications.)

- 1. Regenerate key1.

-* If you delete an Azure Storage Account or Azure File Share, remove the corresponding storage resource or persistent storage in the applications to avoid possible errors.

-## FAQs

-The following are frequently asked questions (FAQ) about using your own persistent storage with Azure Spring Apps.

-* If I have built-in persistent storage enabled, and then I enabled my own storage as extra persistent storage, will my data be migrated into my Storage Account?

-* What are the reserved mount paths?

- *These mount paths are reserved by the Azure Spring Apps service:*

- * */tmp*

- * */persistent*

- * */secrets*

- * */app-insights/agents*

- * */etc/azure-spring-cloud/certs*

- * */app-insights/agents/settings*

- * */app-lifecycle/settings*

-* What are the available mount options?

- *We currently support the following mount options:*

- * `uid`

- * `gid`

- * `file_mode`

- * `dir_mode`

-* I'm using the service endpoint to configure the storage account to allow access only from my own virtual network. Why did I receive *Permission Denied* while trying to mount custom persistent storage to my applications?

- *A service endpoint provides network access on a subnet level only. Be sure you've added both subnets used by the Azure Spring Apps instance to the scope of the service endpoint.*

-* [How to use Logback to write logs to custom persistent storage](how-to-write-log-to-custom-persistent-storage.md).

-* [Scale an application in Azure Spring Apps](how-to-scale-manual.md).

-* [Migrate Spring Boot applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-boot-to-azure-spring-cloud)

-* [Migrate Spring Cloud applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-cloud-to-azure-spring-cloud?pivots=sc-standard-tier)

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-description: Learn how to use the completion fish command to generate the autocompletion script for BlobFuse2 (preview).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-description: Learn how to use the "completion powershell" command to generate the autocompletion script for BlobFuse2 (preview).

-# BlobFuse2 completion powershell command (preview)

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-description: Learn how to use the completion zsh command to generate the autocompletion script for BlobFuse2 (preview).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-description: Learn how to use the completion command to generate the autocompletion script for BlobFuse2 (preview).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-description: Learn how to use BlobFuse2 help to get help info for the BlobFuse2 command and subcommands (preview).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-description: Learn how to use the BlobFuse2 mount all command to mount all blob containers in a storage account as a Linux file system (preview).

-Use the `BlobFuse2 mount all` command to mount all blob containers in a storage account as a Linux file system. Each container will be mounted to a unique subdirectory under the path specified. The subdirectory names will correspond to the container names.

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use the BlobFuse2 mount list command to display all BlobFuse2 mount points. (preview)

-Use the `BlobFuse2 mount list` command to display all existing BlobFuse2 mount points.

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use the BlobFuse2 mount command to mount a Blob Storage container as a file system in Linux, or to display and manage existing mount points (preview).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-description: Learn how to use the BlobFuse2 secure decrypt command to decrypt a BlobFuse2 configuration file (preview).

-Use the `BlobFuse2 secure decrypt` command to decrypt a BlobFuse2 configuration file.

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use the BlobFuse2 secure encrypt command to encrypt a BlobFuse2 configuration file. (preview)

-Use the `BlobFuse2 secure encrypt` command to encrypt a BlobFuse2 configuration file.

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use the BlobFuse2 secure get command to display the value of a parameter from an encrypted BlobFuse2 configuration file (preview)

-Use the `BlobFuse2 secure get` command to display the value of a specified parameter from an encrypted BlobFuse2 configuration file.

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use the BlobFuse2 secure set command to change the value of a parameter in an encrypted BlobFuse2 configuration file (preview)

-Use the `BlobFuse2 secure set` command to change the value of a specified parameter in an encrypted BlobFuse2 configuration file.

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use the BlobFuse2 secure command to encrypt, decrypt, or access settings in a BlobFuse2 configuration file (preview).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use the BlobFuse2 unmount all command to unmount all blob containers in a storage account as a Linux file system (preview).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: How to use the BlobFuse2 unmount command to unmount an existing mount point. (preview)

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use the BlobFuse2 version command to get the current version and optionally check for a newer one (preview).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and is currently in preview.

-> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> If you need to use BlobFuse in a production environment, BlobFuse v1 is generally available (GA). For information about the GA version, see:

->

-> - [The BlobFuse v1 setup documentation](storage-how-to-mount-container-linux.md)

-> - [The BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn about your options for setting and changing configuration settings for BlobFuse2 Preview.

-# Configure settings for BlobFuse2 Preview

-You can use configuration settings to manage BlobFuse2 Preview in your deployment. Through configuration settings, you can set these aspects of how BlobFuse2 works in your environment:

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and currently is in preview. The preview version is provided without a service-level agreement. We recommend that you don't use the preview version for production workloads. In BlobFuse2 Preview, some features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> To use BlobFuse in a production environment, use the BlobFuse v1 general availability (GA) version. For information about the GA version, see:

->

-> - [Mount Azure Blob Storage as a file system by using BlobFuse v1](storage-how-to-mount-container-linux.md)

-> - [BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to use BlobFuse2 Health Monitor to gain insights into BlobFuse2 Preview mount activities and resource usage.

-# Use Health Monitor to gain insights into BlobFuse2 Preview mounts

-This article provides references to help you deploy and use BlobFuse2 Preview Health Monitor to gain insights into BlobFuse2 mount activities and resource usage.

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and currently is in preview. The preview version is provided without a service-level agreement. We recommend that you don't use the preview version for production workloads. In BlobFuse2 Preview, some features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> To use BlobFuse in a production environment, use the BlobFuse v1 general availability (GA) version. For information about the GA version, see:

->

-> - [Mount Azure Blob Storage as a file system by using BlobFuse v1](storage-how-to-mount-container-linux.md)

-> - [BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to mount an Azure Blob Storage container on Linux by using BlobFuse2 Preview.

-# Mount an Azure Blob Storage container on Linux by using BlobFuse2 Preview

-[BlobFuse2 Preview](blobfuse2-what-is.md) is a virtual file system driver for Azure Blob Storage. BlobFuse2 allows you to access your existing Azure block blob data in your storage account through the Linux file system. For more information, see [What is BlobFuse2?](blobfuse2-what-is.md).

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and currently is in preview. The preview version is provided without a service-level agreement. We recommend that you don't use the preview version for production workloads. In BlobFuse2 Preview, some features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> To use BlobFuse in a production environment, use the BlobFuse v1 general availability (GA) version. For information about the GA version, see:

->

-> - [Mount Azure Blob Storage as a file system by using BlobFuse v1](storage-how-to-mount-container-linux.md)

-> - [BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Learn how to troubleshoot issues in BlobFuse2 Preview.

-# Troubleshoot issues in BlobFuse2 Preview

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and currently is in preview. The preview version is provided without a service-level agreement. We recommend that you don't use the preview version for production workloads. In BlobFuse2 Preview, some features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> To use BlobFuse in a production environment, use the BlobFuse v1 general availability (GA) version. For information about the GA version, see:

->

-> - [Mount Azure Blob Storage as a file system by using BlobFuse v1](storage-how-to-mount-container-linux.md)

-> - [BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-description: Get an overview of BlobFuse2 Preview and how to use it, including migration options if you use BlobFuse v1.

-# What is BlobFuse2 Preview?

-BlobFuse2 Preview is a virtual file system driver for Azure Blob Storage. Use BlobFuse2 to access your existing Azure block blob data in your storage account through the Linux file system. BlobFuse2 also supports storage accounts that have a hierarchical namespace enabled.

-> [!IMPORTANT]

-> BlobFuse2 is the next generation of BlobFuse and currently is in preview. The preview version is provided without a service-level agreement. We recommend that you don't use the preview version for production workloads. In BlobFuse2 Preview, some features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-> To use BlobFuse in a production environment, use the BlobFuse v1 general availability (GA) version. For information about the GA version, see:

->

-> - [Mount Azure Blob Storage as a file system by using BlobFuse v1](storage-how-to-mount-container-linux.md)

-> - [BlobFuse v1 project on GitHub](https://github.com/Azure/azure-storage-fuse/tree/master)

-The following steps demonstrate how to create a system-assigned managed identity for various web hosting services. The managed identity can securely connect to other Azure Services using the app configurations you setup previously.

-You can assign a managed identity to an Azure Container Apps instance with the [az containerapp identity assign](/cli/azure/containerapp/identity) command.

- If you plan to lift and shift your application to the cloud, replacing traditional file servers with Azure file shares, then you may want your application to authenticate with either on-premises AD DS or Azure AD DS credentials to access file data. Azure Files supports using both on-premises AD DS or Azure AD DS credentials to access Azure file shares over SMB from either on-premises AD DS or Azure AD DS domain-joined VMs.

- You can grant permissions to a specific identity at the share, directory, or file level. For example, suppose that you have several teams using a single Azure file share for project collaboration. You can grant all teams access to non-sensitive directories, while limiting access to directories containing sensitive financial data to your Finance team only.

-The following diagram depicts on-premises AD DS authentication to Azure file shares over SMB. The on-premises AD DS must be synced to Azure AD using Azure AD Connect sync. Only hybrid users that exist in both on-premises AD DS and Azure AD can be authenticated and authorized for Azure file share access. This is because the share level permission is configured against the identity represented in Azure AD where the directory/file level permission is enforced with that in AD DS. Make sure that you configure the permissions correctly against the same hybrid user.

-For Azure AD DS authentication, you should enable Azure AD Domain Services and domain join the VMs you plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your Azure AD DS.

-## Mount an NFS share

-If your mount failed, it's possible that your private endpoint was not set up correctly or is inaccessible. For details on confirming connectivity, see the [Verify connectivity](storage-files-networking-endpoints.md#verify-connectivity) section of the networking endpoints article.

-If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md) that exists in both on-premises AD DS and Azure AD. For example, say you have a user in your AD that is user1@onprem.contoso.com and you have synced to Azure AD as user1@contoso.com using Azure AD Connect sync. For this user to access Azure Files, you must assign the share-level permissions to user1@contoso.com. The same concept applies to groups or service principals.

-Share-level permissions must be assigned to the Azure AD identity representing the same user or group in your AD DS to support AD DS authentication to your Azure file share. Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), are not supported with AD DS authentication.

-Enabling AD DS authentication for your Azure file shares allows you to authenticate to your Azure file shares with your on-premises AD DS credentials. Further, it allows you to better manage your permissions to allow granular access control. Doing this requires synching identities from on-premises AD DS to Azure AD with AD Connect. You assign share-level permissions to hybrid identities synced to Azure AD while managing file/directory level access using Windows ACLs.

-This feature doesn't currently support user accounts that you create and manage solely in Azure AD. User accounts must be [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which means you'll also need AD DS and Azure AD Connect. You must create these accounts in Active Directory and sync them to Azure AD. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Azure AD.

- > The provided mounting script will mount the NFS share only until the Linux machine is rebooted. To automatically mount the share every time the machine reboots, [add an entry in /etc/fstab](storage-how-to-use-files-linux.md#static-mount-with-etcfstab). For more information, enter the command `man fstab` from the Linux command line.

-description: How to create an SMB Azure file share by using the Azure portal, PowerShell, or Azure CLI.

-To delete an Azure file share, you can use the Azure portal, Azure PowerShell, or Azure CLI. Shares can be recovered within the [soft delete](storage-files-prevent-file-share-deletion.md) retention period.

-description: Learn how to mount an Azure file share over SMB on Linux. See the list of prerequisites. Review SMB security considerations on Linux clients.

-The recommended way to mount an Azure file share on Linux is using SMB 3.1.1. By default, Azure Files requires encryption in transit, which is supported by SMB 3.0+. Azure Files also supports SMB 2.1, which doesn't support encryption in transit, but you may not mount Azure file shares with SMB 2.1 from another Azure region or on-premises for security reasons. Unless your application specifically requires SMB 2.1, use SMB 3.1.1.

- Share-level permission assignments are supported for groups and users that have been synced from Active Directory Domain Services (AD DS) to Azure Active Directory (Azure AD) using Azure AD Connect. Confirm that groups and users being assigned share-level permissions are not unsupported "cloud-only" groups.

->[!NOTE]

->Media optimization for Microsoft Teams is only available for the following two clients:

->

->- Windows Desktop client for Windows 10 or 11 machines, version 1.2.1026.0 or later.

->- macOS Remote Desktop client, version 10.7.7 or later.

-With media optimization for Microsoft Teams, the Remote Desktop client handles audio and video locally for Teams calls and meetings. You can still use Microsoft Teams on Azure Virtual Desktop with other clients without optimized calling and meetings. Teams chat and collaboration features are supported on all platforms. To redirect local devices in your remote session, check out [Customize Remote Desktop Protocol properties for a host pool](#customize-remote-desktop-protocol-properties-for-a-host-pool).

-## Install the Teams desktop app

-This section will show you how to install the Teams desktop app on your Windows 10 or 11 Multi-session or Windows 10 or 11 Enterprise VM image. To learn more, check out [Install or update the Teams desktop app on VDI](/microsoftteams/teams-for-vdi#install-or-update-the-teams-desktop-app-on-vdi).

-### Install the Teams WebSocket Service

-Install the latest version of the [Remote Desktop WebRTC Redirector Service](https://aka.ms/msrdcwebrtcsvc/msi) on your VM image. If you encounter an installation error, install the [latest Microsoft Visual C++ Redistributable](https://support.microsoft.com/help/2977003/the-latest-supported-visual-c-downloads) and try again.

-#### Latest WebSocket Service versions

-The following table lists the latest versions of the WebSocket Service:

-|Version |Release date |

-||--|

-|1.17.2205.23001|06/20/2022 |

-|1.4.2111.18001 |12/02/2021 |

-|1.1.2110.16001 |10/15/2021 |

-|1.0.2106.14001 |07/29/2021 |

-|1.0.2006.11001 |07/28/2020 |

-|0.11.0 |05/29/2020 |

-### Updates for version 1.17.2205.23001

-#### Updates for version 1.4.2111.18001

-#### Updates for version 1.1.2110.16001

-#### Updates for version 1.0.2106.14001

-Increased the connection reliability between the WebRTC redirector service and the WebRTC client plugin.

-#### Updates for version 1.0.2006.11001

-### Install Microsoft Teams

-You can deploy the Teams desktop app using a per-machine or per-user installation. To install Microsoft Teams in your Azure Virtual Desktop environment:

-2. Run one of the following commands to install the MSI to the host VM:

- - Per-user installation

- ```powershell

- msiexec /i <path_to_msi> /l*v <install_logfile_name>

- ```

- This process is the default installation, which installs Teams to the **%AppData%** user folder. Teams won't work properly with per-user installation on a non-persistent setup.

- - Per-machine installation

- msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSER=1

- There are two flags that may be set when installing teams, **ALLUSER=1** and **ALLUSERS=1**. It's important to understand the difference between these parameters. The **ALLUSER=1** parameter is used only in VDI environments to specify a per-machine installation. The **ALLUSERS=1** parameter can be used in non-VDI and VDI environments. When you set this parameter, **Teams Machine-Wide Installer** appears in Program and Features in Control Panel as well as Apps & features in Windows Settings. All users with admin credentials on the machine can uninstall Teams.

-3. To uninstall the MSI from the host VM, run this command:

- ```powershell

- msiexec /passive /x <msi_name> /l*v <uninstall_logfile_name>

- ```

- This uninstalls Teams from the Program Files (x86) folder or Program Files folder, depending on the operating system environment.

- > [!NOTE]

- > When you install Teams with the MSI setting ALLUSER=1, automatic updates will be disabled. We recommend you make sure to update Teams at least once a month. To learn more about deploying the Teams desktop app, check out [Deploy the Teams desktop app to the VM](/microsoftteams/teams-for-vdi#deploy-the-teams-desktop-app-to-the-vm/).

->[!IMPORTANT]

->If you're using a version of the Remote Desktop client for macOS that's earlier than 10.7.7, in order to use our latest Teams optimization features, you'll need to update your client to version 10.7.7 or later, then go to **Microsoft Remote Desktop Preferences** > **General** and enable Teams optimizations. If you're using the client for the first time and already have version 10.7.7 or later installed, you won't need to do this, because Teams optimizations are enabled by default.

-### Verify media optimizations loaded

-2. Select your user profile image, then select **About**.

-3. Select **Version**.

-4. Select your user profile image, then select **Settings**.

-## Known issues and limitations

-Using Teams in a virtualized environment is different from using Teams in a non-virtualized environment. For more information about the limitations of Teams in virtualized environments, check out [Teams for Virtualized Desktop Infrastructure](/microsoftteams/teams-for-vdi#known-issues-and-limitations).

-### Client deployment, installation, and setup

-### Calls and meetings

-For Teams known issues that aren't related to virtualized environments, see [Support Teams in your organization](/microsoftteams/known-issues).

-### Known issues for Teams for macOS

-## Collect Teams logs

-If you encounter issues with the Teams desktop app in your Azure Virtual Desktop environment, collect client logs under **%appdata%\Microsoft\Teams\logs.txt** on the host VM.

-If you encounter issues with calls and meetings, collect Teams Web client logs with the key combination **Ctrl** + **Alt** + **Shift** + **1**. Logs will be written to **%userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME.txt** on the host VM.

-## Contact Microsoft Teams support

-To contact Microsoft Teams support, go to the [Microsoft 365 admin center](/microsoft-365/admin/contact-support-for-business-products).

-Ubuntu now publishes official Azure VHDs for download at [https://cloud-images.ubuntu.com/](https://cloud-images.ubuntu.com/). If you need to build your own specialized Ubuntu image for Azure, rather than use the manual procedure below it is recommended to start with these known working VHDs and customize as needed. The latest image releases can always be found at the following locations:

-* Ubuntu 18.04/Bionic: [bionic-server-cloudimg-amd64-azure.vhd.zip](https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-amd64-azure.vhd.zip)

-* Ubuntu 20.04/Focal: [focal-server-cloudimg-amd64-azure.vhd.zip](https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64-azure.vhd.zip)

-This article assumes that you have already installed an Ubuntu Linux operating system to a virtual hard disk. Multiple tools exist to create .vhd files, for example a virtualization solution such as Hyper-V. For instructions, see [Install the Hyper-V Role and Configure a Virtual Machine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh846766(v=ws.11)).

-* The VHDX format is not supported in Azure, only **fixed VHD**. You can convert the disk to VHD format using Hyper-V Manager or the `Convert-VHD` cmdlet.

-* When installing the Linux system it is recommended that you use standard partitions rather than LVM (often the default for many installations). This will avoid LVM name conflicts with cloned VMs, particularly if an OS disk ever needs to be attached to another VM for troubleshooting. [LVM](/previous-versions/azure/virtual-machines/linux/configure-lvm) or [RAID](/previous-versions/azure/virtual-machines/linux/configure-raid) may be used on data disks if preferred.

-* Do not configure a swap partition or swapfile on the OS disk. The cloud-init provisioning agent can be configured to create a swap file or a swap partition on the temporary resource disk. More information about this can be found in the steps below.

- Before editing `/etc/apt/sources.list`, it is recommended to make a backup:

-14. Azure only accepts fixed-size VHDs. If the VM's OS disk is not a fixed-size VHD, use the `Convert-VHD` PowerShell cmdlet and specify the `-VHDType Fixed` option. Please have a look at the docs for `Convert-VHD` here: [Convert-VHD](/powershell/module/hyper-v/convert-vhd).

-The `-ScriptString' parameter requires version `4.27.0` or later of the 'Az.Compute` module.

-2. Navigate to your storage account.

-3. In the **Settings** section, click **Migrate to Azure Resource Manager**.

-5. If validation passes, click on **Prepare** to create a migrated storage account.

-6. Type **yes** to confirm migration and click **Commit** to finish the migration.

- 

-

- 

-

- 

-| Compute | Cloud services that contain more than one availability set or multiple availability sets. |This is currently not supported. Please move the Virtual Machines to the same availability set before migrating. |

-| Network |Virtual networks that contain virtual machines and web/worker roles |This is currently not supported. Please move the Web/Worker roles to their own Virtual Network before migrating. Once the classic Virtual Network is migrated, the migrated Azure Resource Manager Virtual Network can be peered with the classic Virtual Network to achieve similar configuration as before.|

-> `Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -Name <string> -Value <object>`,

-description: In this article, learn how to upgrade a basic SKU public IP address using the Azure portal.

-* An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

-* A static basic SKU public IP address in your subscription. For more information, see [Create public IP address - Azure portal](./create-public-ip-portal.md#create-a-basic-sku-public-ip-address).

-In order to upgrade a public IP, it must not be associated with any resource (see [this page](/azure/virtual-network/virtual-network-public-ip-address#view-modify-settings-for-or-delete-a-public-ip-address) for more information about how to disassociate public IPs).

- :::image type="content" source="./media/public-ip-upgrade-portal/upgrade-ip-portal.png" alt-text="Upgrade basic IP address in Azure portal" border="true":::

- > The basic public IP you are upgrading must have the static allocation type. You'll receive a warning that the IP can't be upgraded if you try to upgrade a dynamically allocated IP address.

-6. Select the **I acknowledge** check box. Select **Upgrade**.

- > Upgrading a basic public IP to standard sku can't be reversed. Public IPs upgraded from basic to standard SKU continue to have no guaranteed [availability zones](../../availability-zones/az-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json#availability-zones).

- :::image type="content" source="./media/public-ip-upgrade-portal/verify-upgrade-ip.png" alt-text="Verify public IP address is standard SKU." border="true":::

-In this article, you upgrade a basic SKU public IP address to standard SKU.

-NAT gateway can support up to 50,000 concurrent connections per public IP address **to the same destination endpoint** over the internet for TCP and UDP. NAT gateway can process 1M packets per second and scale up to 5M packets per second.

-# About user groups and IP address pools for P2S User VPNs (preview)

-# Configure user groups and IP address pools for P2S User VPNs (preview)

-# RADIUS - Configure NPS for vendor-specific attributes - P2S user groups (preview)

- 1. On the **Add Vendor Specific Attribute** page, scroll to select **Vendor-Specific**.

-1. Select **Association**, and then select **+ Associate a Front door profile**, enter the following settings, and then select **Add**:

- | Front door profile | Select your Front Door profile name. |

-To see WAF in action, you can change the mode settings from **Detection** to **Prevention**. In **Prevention** mode, requests that match rules that are defined in Default Rule Set (DRS) are blocked and logged at WAF logs.

- :::image type="content" source="../media/waf-front-door-create-portal/policy.png" alt-text="Screenshot of the Policy settings section. The Mode toggle is set to Prevention.":::

-Azure-managed Default Rule Set (DRS) is enabled by default. Current default version is Microsoft_DefaultRuleSet_2.0. From **Managed rules** page, select **Assign** to assign a different DRS.

-When no longer needed, remove the resource group and all related resources.

-|932130|Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found|

-|941210|XSS using obfuscated JavaScript|

-|932130|Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found|

-|941210|IE XSS Filters - Attack Detected.|

-|932130|Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found|

-|941210|XSS using obfuscated JavaScript|

-|932130|Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found|

-|941210|XSS using obfuscated JavaScript|

-|932130|Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found|

-|941210|XSS using obfuscated JavaScript|

-|932130|**Application Gateway WAF v2**: Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found<br><br>**Application Gateway WAF v1**: Remote Command Execution: Unix Shell Expression|

-|941210|XSS using obfuscated JavaScript|

-1. On the **Frontends** tab, verify **Frontend IP address type** is set to **Public**. <br>You can configure the Frontend IP to be Public or Private as per your use case. In this example, you'll choose a Public Frontend IP.

- > For the Application Gateway v2 SKU, you can only choose **Public** frontend IP configuration. Private frontend IP configuration is currently not enabled for this v2 SKU.