+- Apply [Conditional Access to user flows in Azure Active Directory B2C](conditional-access-user-flow.md)

+ "/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/resource-group-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/firstIdentity": {},

+ "/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/resource-group-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/secondIdentity": {}

+https://management.azure.com/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview

+ "principalId": "ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0",

+ "tenantId": "ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0",

+ "PrincipalId": "ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0",

+ "ClientId": "00001111-aaaa-2222-bbbb-3333cccc4444"

+ "PrincipalId": "ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0",

+ "ClientId": "00001111-aaaa-2222-bbbb-3333cccc4444"

+RoleAssignmentId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Automation/automationAccounts/myAutomationAccount/provid

+ ers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000

+Scope : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Automation/automationAccounts/myAutomationAccount

+ObjectId : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

+RoleAssignmentId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myResourceGroup/Providers/Microsoft.Automation/automationAccounts/myAutomationAccount/provid

+ ers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000

+Scope : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myResourceGroup/Providers/Microsoft.Automation/automationAccounts/myAutomationAccount

+ObjectId : bbbbbbbb-1111-2222-3333-cccccccccccc

+PATCH https://management.azure.com/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name",

+PUT https://management.azure.com/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2018-02-14

+PATCH https://management.azure.com/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name",

+> - Change Tracking and Inventory using Log Analytics agent has retired on **31 August 2024** and will work on limited support till **01 February 2025**. Follow the guidelines for [migration from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version](guidance-migration-log-analytics-monitoring-agent.md)

+- For [multiple Azure VMs](enable-vms-monitoring-agent.md) by selecting them from the Virtual machines page in the Azure portal.

+> Change Tracking and Inventory using Log Analytics agent has retired on **31 August 2024** and will work on limited support till **01 February 2025**. We recommend that you use Azure Monitoring Agent as the new supporting agent. Follow the guidelines for [migration from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version](guidance-migration-log-analytics-monitoring-agent.md).

+When an account signs on that can access several subscriptions, any of those subscriptions may be added to the user's context. To guarantee the correct subscription, you must declare it when connecting. For example, use `Add-AzAccount -Credential $Cred -subscription 'aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'`. However, issues can arise when your runbooks managing one subscription runs in the same sandbox process as your other runbooks managing resources in another subscription from the same Automation account. Changes to the context made by one runbook can affect your other runbooks using the default context. As the context includes information, such as the credentials to use and the subscription to target, cmdlets could target the wrong subscription resulting in `not found` or permissions errors. This issue is known as **Context Switching**.

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/firstIdentity": {},

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/secondIdentity": {}

+PATCH https://management.azure.com/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview

+- For an overview of Automation account security, see [Automation account authentication overview](automation-security-overview.md).

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkID": {},

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkID2": {}

+PATCH https://management.azure.com/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview

+ "message": "Resource 'Start_VMS' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Enforce Jobs on Automation Hybrid Runbook Workers\",\"id\":\"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/MAIC-RG/providers/Microsoft.Authorization/policyAssignments/fd5e2cb3842d4eefbc857917\"},\"policyDefinition\":{\"name\":\"Enforce Jobs on Automation Hybrid Runbook Workers\",\"id\":\"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/policyDefinitions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f\"}}]'.",

+ "policyDefinitionId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/policyDefinitions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f",

+ "policyDefinitionName": "bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f",

+ "policyAssignmentId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/MAIC-RG/providers/Microsoft.Authorization/policyAssignments/fd5e2cb3842d4eefbc857917",

+ "policyAssignmentScope": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/MAIC-RG",

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/firstIdentity": null

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/firstIdentity": null

+https://management.azure.com/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview

+ AZURE_RESOURCE_ID=/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/re sourcegroups/myresourcegroup/providers/microsoft.compute/virtualmachines/linuxvm 2

+ where (subscriptionId in~ ("aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e", "bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f") and type =~ "microsoft.compute/virtualmachines" and properties.storageProfile.osDisk.osType == "Windows" and resourceGroup in~ ("testRG","withinvnet-2020-01-06-10-global-resources-southindia") and location in~ ("australiacentral","australiacentral2","brazilsouth") )

+The client has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resourceGroupName/providers/Microsoft.Automation/automationAccounts/automationAccountName/softwareUpdateConfigurations/updateDeploymentName', however the current tenant '00000000-0000-0000-0000-000000000000' is not authorized to access linked subscription '00000000-0000-0000-0000-000000000000'.

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resourceGroupName/providers/Microsoft.Compute/virtualMachines/vm-01"

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/vm-01",

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/vm-02",

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/vm-03"

+| [AACAudit](/azure/azure-monitor/reference/tables/AACAudit) | Azure App Configuration audit logs. |

+| [AACHttpRequest](/azure/azure-monitor/reference/tables/AACHttpRequest) | Entries of every Http request sent to a selected app configuration resource. |

+| [AzureActivity](/azure/azure-monitor/reference/tables/AzureActivity) | Entries from the Azure Activity log that provide insight into any subscription-level or management group level events that have occurred in Azure. |

+For a reference of all Azure Monitor Logs / Log Analytics tables, see the [Azure Monitor Log Table Reference](/azure/azure-monitor/reference/tables/microsoft-appconfiguration_configurationstores).

+* Volumes enabled for cool access can be moved between capacity pools only if those capacity pools are enabled for cool access. Once a volume has been enabled for cool access, it can only reside in a cool access-enabled capacity pool even if cool access has been disabled on the volume.

+[VMSA-2024-0020](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25047) VMware NSX command injection, local privilege escalation & content spoofing vulnerability| October 2024 | The vulnerability mentioned in the Broadcom document is not applicable to Azure VMware Solution, as attack vector mentioned does not apply. | N/A |

+[TypeScript sample](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/web-pubsub/web-pubsub-client/samples/v1/typescript)

+### Switch SAP HSR to standalone databases and configure backup

+To switch HANA System Replication (HSR) to standalone databases and configure backup, follow these steps:

+1. [Stop protection and retain data for thes currently protected databases](#stop-protection-for-an-sap-hana-database-or-hana-instance).

+2. Run [pre-registration script](tutorial-backup-sap-hana-db.md#what-the-pre-registration-script-does) on both the nodes as Standalone.

+3. [Re-discover the databases](backup-azure-sap-hana-database.md#discover-the-databases) on both nodes.

+4. [Protect the databases as Standalone](backup-azure-sap-hana-database.md#configure-backup) on both the nodes.

+cluster with locked-down access.

+- Virtual network isolation requires you to use [Azure Relay][02], which is a paid service. In the

+![Illustration of a Cloud Shell isolated virtual network architecture.][04]

+- **Azure Relay**: [Azure Relay][02] allows two endpoints that aren't directly reachable to

+## Pricing

+sessions. Storage incurs regular costs. When you deploy Azure Cloud Shell in a private virtual

+[Pricing of Azure Cloud Shell][01].

+## Next steps

+When you're ready to deploy your own instance of Cloud Shell, see

+[Deploy Azure Cloud Shell in a virtual network with quickstart templates][03].

+[01]: ../pricing.md

+[02]: /azure/azure-relay/relay-what-is-it

+[03]: deployment.md

+[04]: media/overview/data-diagram.png

+## Verify you have the correct permissions

+## When all else fails

+1. Open a support ticket

+After you remove the resources, you can redeploy Cloud Shell by following the steps in the

+### Open a support ticket

+If you want to open a support ticket, you can do so from the Azure portal. Be sure to capture any

+error messages, including the **Correlation Id** and **Activity Id** values. Don't change any

+settings or delete any resources until instructed to by a support technician.

+Follow these steps to open a support ticket:

+1. Select the **Support & Troubleshooting** icon on the top navigation bar in the Azure portal.

+1. From the **Support & Troubleshooting** pane, select **Help + support**.

+1. Select **Create a support request** at the top of the center pane.

+1. Follow the instructions to create a support ticket.

+ [![Screenshot of creating a support ticket in the Azure portal.][ss05a]][ss05x]

+In the following code example, the `.` (dot) tells `containerapp up` to run in the current directory of the extracted sample API application.

+> - Microsoft Customer Agreement (MCA) that your partner manages

+> [!NOTE]

+> You can create a budget in Azure Cost Management and link it to an Azure Automation runbook to automatically stop resources when a specified threshold is reached.

+Any Azure Marketplace consumption-based products in your Enterprise agreement enrollment are moved along with the subscriptions. There are no changes to the service access of the Marketplace products during the transition. Purchases continue to remain in the source agreement.

+| Dev box configuration | Different teams have different software requirements for their dev box. | Create one or more dev box definitions to represent different operating system/software/hardware requirements across your organization. A dev box definition uses a particular VM image, which can be purpose-built. For example, create a dev box definition for data scientists which has data science tooling, and other resources. Dev box definitions are shared across a dev center. When you create a dev box pool within a project, you can then select from the list of dev box definitions. |

+A dev box definition contains the configuration of a dev box by specifying the VM image, compute resources, such as memory and CPUs, and storage.

+- Development teams have different compute resource requirements. For example, database administrators might need a machine with lots of storage and memory.

+ LocalContentPath = "C:\Local\Path\To\Package" # Required parameter for managed identity

+ ManagedIdentityResourceId = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}" # Required parameter for managed identity

+> You can retrieve the resorceId of a managed identity using the `Get-AzUserAssignedIdentity`

+ Title: Support for URL customization for the DICOM service in Azure Health Data Services

+description: Learn how to customize the URL of the image location that is in response object.

+# What is URL manipulation

+Using URL manipulation allows you to customize the URL of the image location that is in the response object.

+For the following API operations the DICOM service returns the fully qualified URL of the image location in the response object under a DICOM tag (UR) in the response object.

+- Retrieve Instance

+- Retrieve WorkItems

+- Retrieve OperationStatus

+- Resolve QueryTag

+- Resolve QueryTagError

+Here's an example of a fully qualified image location URL. The URL could be found in the standard response for a STOW operation for a DICOM service that has data partition enabled, with partition name "foo".

+`https://localhost:63838/v2/partitions/foo/studies/1.2.826.0.1.3680043.8.498.13230779778012324449356534479549187420/series/1.2.826.0.1.3680043.8.498.77033797676425927098669402985243398207/instances/1.2.826.0.1.3680043.8.498.13273713909719068980354078852867170114`

+ The preceding URL consists of three parts:

+ - hostname -> `https://localhost:63838` (the hostname of DICOM service)

+ - path -> `v2/partitions/foo` (the path that represents the version of DICOM service being used and the datapartition name, if enabled)

+ - The DICOM web standard path -> `studies/1.2.826.0.1.3680043.8.498.13230779778012324449356534479549187420/series/1.2.826.0.1.3680043.8.498.77033797676425927098669402985243398207/instances/1.2.826.0.1.3680043.8.498.13273713909719068980354078852867170114`

+ This feature allows you to customize the path of the image URL, if directed by the client, based on the request headers provided.

+## How it works

+The modified URL is based on following two headers.

+- X-Forwarded-Host: The domain name of the original host (the one the client requested before the proxy or load balancer handled the request). For example: `X-Forwarded-Host: www.example.com`

+- X-Forwarded-Prefix: the original URL path or prefix that was part of the clientΓÇÖs request before the proxy forwarded or changed the request. For example: `X-Forwarded-Prefix: /prefix`

+These headers are a part of .NET core standard forwarded headers.

+If `x-forwarded-host` header is present in the request object, it replaces the host name with the value provided.

+If `x-forwarded-prefix` header is present in the request object, it replaces the path with the value provided.

+## List of services that can use forwarded headers for URL manipulation

+ - Store(STOW-RS): Upload DICOM objects to the server.

+ - Retrieve(WADO-RS): Download DICOM objects from the server.

+ - Worklist Service (UPS Push and Pull SOPs): Manage and track medical imaging workflows.

+ - Extended query tags: Define custom tags for querying DICOM data.

+ - Operation Status

+Here are the details of a request header for a STOW operation with the forwarded headers:

+* Path: ../studies/{study}

+* Method: POST

+* Headers:

+ * Accept: application/DICOM+json

+ * Content-Type: multipart/related; type="application/DICOM"

+ * Authorization: Bearer {token value}

+ * X-Forwarded-Host: {Domain name of the original host}

+ * X-Forwarded-Prefix: {the original URL path}

+* Body:

+ * Content-Type: application/DICOM for each file uploaded, separated by a boundary value

+### Example:

+An example of a DICOM tag with VR = UR for a STOW operation when the forwarded headers aren't provided is shown below.

+`https://localhost:63838/v2/partitions/foo/studies/1.2.826.0.1.3680043.8.498.13230779778012324449356534479549187420/series/1.2.826.0.1.3680043.8.498.77033797676425927098669402985243398207/instances/1.2.826.0.1.3680043.8.498.13273713909719068980354078852867170114`

+An example of a DICOM tag with VR = UR for a STOW operation when the forwarded headers are provided is shown below.

+Sample Request object:

+* Path: https://localhost:63838/v2/partitions/foo/studies/studies/{study}

+* Method: POST

+* Headers:

+ * Accept: application/DICOM+json

+ * Content-Type: multipart/related; type="application/DICOM"

+ * Authorization: Bearer {token value}

+ * X-Forwarded-Host: API.powershare.com

+ * X-Forwarded-Prefix: /newbasePath

+* Body:

+ * Content-Type: application/DICOM for each file uploaded, separated by a boundary value

+URL of image:

+ `https://API.powershare.com/newbasePath/studies/1.2.826.0.1.3680043.8.498.13230779778012324449356534479549187420/series/1.2.826.0.1.3680043.8.498.45787841905473114233124723359129632652/instances/1.2.826.0.1.3680043.8.498.12714725698140337137334606354172323212`

+ ## Things to remember

+ - Forwarded headers don't have to be used together. If there's a need to, replace hostname and not path. Only the forwarded host header can be used. Similarly, if there's a need to replace the path, only the forwarded prefix header can be used.

+ - The client is responsible for mapping the hostname and path provided in forwarded headers to the correct DICOM service hostname and pathbase.

+ [!INCLUDE [DICOM trademark statement](../includes/healthcare-APIs-DICOM-trademark.md)]

+- **FHIR service deployed in Azure**. For more information, see [Deploy a FHIR service](fhir-portal-quickstart.md).

+- **User Access Administrator** role for role assignments on FHIR service.

+## Setup steps

+To access **FHIR service** from **Postman** application, review the steps:

+1. Register a client application(App Registration) in Microsoft Entra ID.

+2. Assign **FHIR Data Contributor** role under the **FHIR service**.

+3. Setup Postman - Create Workspace, collection and environment

+## Register a client application in Microsoft Entra ID

+1. In the [Azure portal](https://ms.portal.azure.com), select **Microsoft Entra ID** tile.

+[](media/postman/microsoft-entra-id.png#lightbox)

+2. Select **App registrations** under **Manage** section.

+[](media/postman/app-registration.png#lightbox)

+3. Select **+ New registrations**.

+4. Enter a name for app registration. Under Supported account types, select **Accounts in this organization directory only**. select **Register**.

+[](media/postman/app-registration-configuration.png#lightbox)

+### Application ID (client ID)

+After registering a new application, you can find the Application (client) ID and Directory (tenant) ID in the Overview section. **Make a note of these values for later use, as you will need them when configuring your Postman environment**.

+[](media/postman/app-registration-overview.png#lightbox)

+### Authentication setting: confidential vs. public

+* Select Authentication to review the settings. The default value for Allow public client flows is "No".

+* If you keep this default value, the application registration is a confidential client application and a certificate or secret is required.

+[](media/postman/authentication-settings.png#lightbox)

+* If you change the default value to "Yes" for the "Allow public client flows" option in the advanced setting, the application registration is a public client application and a certificate or secret isn't required.<br>

+* The "Yes" value is useful when you want to use the client application in your mobile app or a JavaScript app where you don't want to store any secrets.

+* For tools that require a redirect URL, select Add a platform to configure the platform.

+[](media/postman/add-platform.png#lightbox)

+* For Postman, select Mobile and desktop applications. Enter "https://www.getpostman.com/oauth2/callback" in the Custom redirect URIs section. Select the Configure button to save the setting.

+[](media/postman/add-platform-mobile-desktop-applications.png#lightbox)

+### Certificates & secrets

+1. Click on **Certificates and secrets**. Click **+New client secret**.

+[](media/postman/create-client-secret.png#lightbox)

+2. Under **Add a client secret**, enter a name for the secret in the **Description** field. The guidance is to set 6 months for secret expiration. Click **Add**.

+[](media/postman/add-secret-description.png#lightbox)

+3. It is important that you save the **secret value**, not the secret ID.

+[](media/postman/client-secret-value.png#lightbox)

+>[!NOTE]

+>Use grant_type of client_credentials when trying to obtain an access token for the FHIR service using tools such as Postman or REST Client.

+## Assign FHIR Data Contributor role in **FHIR service**

+This section shows the steps to assign **FHIR Data Contributor** role to a registered application for the FHIR® service in Azure Health Data Services.

+1. In the Azure portal, navigate to your FHIR service.

+2. In the left-hand menu, select the **Access Control (IAM)** blade.Click on + Add and then select Add role assignment. If the option for adding a role assignment is unavailable, ask your Azure administrator to assign you permission to perform this step.

+[](media/postman/fhir-service-access-control.png#lightbox)

+3. In **Add** role assignment under the **Role** tab, scroll down in the list and select **FHIR Data Contributor**. Then click **Next**.

+[](media/postman/add-role-assignment.png#lightbox)

+4. Under the **Members** tab, click on **+Select members**. Type in the name of your Postman service client app in the **Select** field on the right. Select the app.

+[](media/postman/select-members-client-app.png#lightbox)

+5. In same way, Type in the name of your username in the **Select**. Select your user so it is added to list along with app registration and click **Select**. Then click **Next**.

+[](media/postman/select-members-user.png#lightbox)

+6. Under the **Review + assign** tab, click **Review + assign**.

+[](media/postman/review-assign-role.png#lightbox)

+## Setup Postman - Create Workspace, collection and environment.

+[](media/postman/postman-create-new-workspace.png#lightbox)

+[](media/postman/postman-create-a-new-collection.png#lightbox)

+[](media/postman/postman-import-data.png#lightbox)

+[](media/postman/postman-environments-variable.png#lightbox)

+[](media/postman/postman-capability-statement.png#lightbox)

+[](media/postman/postman-save-request.png#lightbox)

+[](media/postman/postman-send-button.png#lightbox)

+[](media/postman/postman-access-token-claims.png#lightbox)

+2. Ensure that you configured the redirect URL `https://oauth.pstmn.io/v1/callback` for the web platform in the client application registration.

+[](media/postman/callback-url.png#lightbox)

+3. In the client application registration under **API Permissions**, add the **User_Impersonation** delegated permission for **Azure Healthcare APIS** from **APIs my organization uses**.

+[](media/postman/app-registration-permissions.png#lightbox)

+[](media/postman/app-registration-permissions-2.png#lightbox)

+4. In Postman, select the **Authorization** tab of either a collection or a specific REST Call, select **Type** as OAuth 2.0 and under **Configure New Token** section, set these values:

+[](media/postman/postman-configuration.png#lightbox)

+5. Choose **Get New Access Token** at the bottom of the page.

+6. Provide User credentials for sign-in.

+7. Once you receive the token, choose **Use Token.**

+8. Ensure the token is in the **Authorization Header** of the REST call.

+[](media/postman/postman-create-new-request.png#lightbox)

+[](media/postman/postman-select-bearer-token.png#lightbox)

+[](media/postman/postman-send-create-new-patient.png#lightbox)

+[](media/postman/postman-202-accepted-response.png#lightbox)

+This article provides answers to some of the frequently asked questions about Internet peering.

+## Related content

+description: Learn about Internet peering for Peering Service Voice Services, its requirements, the steps to establish direct interconnect, and how to register a prefix.

+A peering with standard PNI or PNI enabled for Azure Peering Service can be converted to Voice PNI. This conversion must be made at the peering level, which means all the connections within the peering are converted.

+You need to be a Peering Service partner to enable Peering Service on a connection. See the [partner requirements page](prerequisites.md) and make sure you sign the agreement with Microsoft. For questions, reach out to [Azure Peering group](mailto:peeringservice@microsoft.com).

+Connections remain in the **TypeChangeRequested** state until they're approved. After approval, the connections converted one at a time to ensure that the redundant connections are always up and carrying traffic. The **Connection State** changes to **TypeChangeInProgress**.

+**Q.** I have two different peerings, Peering A with standard PNI connections and peering B with Voice connections. I would like to convert the standard PNI peering connections to Voice. What happens to the peering resources in this case?

+- Peering service prefix events: shows various BGP events like route announcements, withdrawals, and routes becoming active on the primary or backup links for each prefix in the **Prefix events** page of the Peering Service prefix.

+ :::image type="content" source="./media/walkthrough-monitoring-telemetry/peering-service-prefix-events.png" alt-text="Screenshot shows how to view the prefix events under a specific peering service prefix in the Azure portal." lightbox="./media/walkthrough-monitoring-telemetry/peering-service-prefix-events.png":::

+Use the **Delete** button to permanently delete your IoT Central application. This action permanently deletes all data associated with the application.

+ Title: Export IoT Central data to a secure virtual network destination

+description: Learn how to use IoT Central data export to send data to a destination in a secure virtual network. Data export destinations include Blob Storage and Azure Event Hubs.

+Data export in IoT Central lets you continuously stream device data to destinations such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus Messaging, or Azure Data Explorer. You can lock down these destinations by using Azure Virtual Network and private endpoints.

+Currently, it's not possible to connect an IoT Central application directly to a virtual network for data export. However, because IoT Central is a trusted Azure service, it's possible to configure an exception to the firewall rules and connect to a secure destination on a virtual network. In this scenario, you typically use a managed identity to authenticate and authorize with the destination.

+To configure Azure Blob Storage to use a virtual network and private endpoint see:

+To configure Azure Event Hubs to use a virtual network and private endpoint see:

+To configure Azure Service Bus Messaging to use a virtual network and private endpoint see:

+To allow IoT Central to connect to a destination on a virtual network, enable a firewall exception on the virtual network to allow connections from trusted Azure services.

+Now that you've learned how to export data to a destination locked down on a virtual network, here's the suggested next step:

+- When a new user is added to an existing IoT Central application, the user's email ID might be stored outside of the geography until the invited user accesses the application for the first time.

+- IoT Central dashboard map tiles use [Azure Maps](../../azure-maps/about-azure-maps.md). When you add a map tile to an existing IoT Central application, the location data might be processed or stored in accordance with the geolocation rules of the Azure Maps service.

+- IoT Central uses the Device Provisioning Service (DPS) internally. DPS uses the same device provisioning endpoint for all provisioning service instances, and performs traffic load balancing to the nearest available service endpoint. As a result, authentication secrets might be temporarily transferred outside of the region where the DPS instance was initially created. However, once the device is connected, the device data flows directly to the original region of the DPS instance.

+description: Azure IoT Central can be accessed across modern desktops, tablets, and browsers. This article outlines the list of supported browsers.

+* Install the latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/downloads) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository.

+* If you're running in Windows, install the latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/downloads) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository. On Windows, you'll enter all commands on your local system in a GitBash prompt.

+* If you're running in Windows, install the latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/downloads) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository. On Windows, you'll enter all commands on your local system in a GitBash prompt.

+* Install the latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/downloads) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository.

+* Install the latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/downloads) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository.

+* Install the latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/downloads) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository.

+* Install [Git](https://git-scm.com/downloads) and make sure that the path is added to the environment variable `PATH`.

+* Install the latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/downloads) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository.

+- Git installed. For more information, see [Git downloads](https://git-scm.com/downloads).

+* Install the latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window.

+- The latest version of [Git](https://git-scm.com/downloads).

+* The latest version of [Git](https://git-scm.com/downloads). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/downloads) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository.

+* If you're going to deploy Azure IoT Operations to a multi-node cluster with fault tolerance enabled, review the hardware and storage requirements in [Prepare Linux for Edge Volumes](/azure/azure-arc/container-storage/prepare-linux-edge-volumes).

+1. Upload any other files that you reference in the test script. For example, if your test script uses CSV data sets, you can upload the corresponding *.csv* file(s). To use a configuration file with your Locust script, upload the file and select **Locust configuration** as the **File relevance**

+1. To install any dependencies from a 'requirements.txt' file, upload the 'requirements.txt' file along with the other artifacts. Add this code in your Locust script to install the dependencies

+ ```Python

+ import subprocess

+ subprocess.check_output("python3 -m pip install -r requirements.txt", shell=True)

+ ```

+1. To use supporting Python files along with your Locust, create a wheel (.whl) file of the supporting Python files and upload the wheel file along with the other artifacts. Add this code in your Locust script to install the wheel file during Locust startup

+ ```Python

+ import subprocess

+ subprocess.check_output("python3 -m pip install your_wheel.whl", shell=True)

+ ```

+ > Include the code snippets to install dependencies and supporting files in the import section of your Locust script. Do not include these in the load test section.

+You've now created a workflow that can send IDocs and communicate with your SAP server. Now that you've set up an SAP connection for your workflow, you can try experimenting with BAPI and RFC.

+#### Workflow timeout issues

+Your workflow times out in any of the following scenarios:

+- All the steps required for the response don't finish within the [request timeout limit](../logic-apps-limits-and-config.md). If this condition happens, requests might get blocked. To help you diagnose problems, learn [how to check and monitor your logic app workflows](../monitor-logic-apps.md).

+- Your SAP system's processing mode is set to the default **Trigger immediately** setting, which causes your SAP system to block the inbound call for IDoc transmission until an IDoc finishes processing.

+ If your SAP system is under load, for example, when your workflow sends a batch of IDocs all at one time to SAP, the queued IDoc calls time out. The default processing mode causes your SAP system to block the inbound call for IDoc transmission until an IDoc finishes processing. In Azure Logic Apps, workflow actions have a 2-minute timeout, by default.

+ To resolve this problem, follow the [steps in the **Prerequisites** section that change the setting to **Trigger by background program**](sap.md#prerequisites).

+* For scenarios where you want to send IDocs from your logic app workflow to SAP, change your SAP processing mode from the default **Trigger immediately** setting to **Trigger by background program** so that your workflow doesn't time out.

+ If your SAP system is under load, for example, when your workflow sends a batch of IDocs all at one time to SAP, the queued IDoc calls time out. The default processing mode causes your SAP system to block the inbound call for IDoc transmission until an IDoc finishes processing. In Azure Logic Apps, workflow actions have a 2-minute timeout, by default.

+ To change your SAP system's processing mode, follow these steps:

+ 1. In SAP, find the SAP partner profile, and open the **Partner profiles** settings. You can use the **we20** transaction code (T-Code) with the **/n** prefix.

+ 1. On the **Inbound options** tab, under **Processing by Function Module**, change the setting to **Trigger by background program** from **Trigger immediately**.

+ The **Trigger by background program** setting lets the underlying IDoc transport tRFC call **`IDOC_INBOUND_ASYNCHRONOUS`** to complete immediately, rather than block the connection until the IDoc finishes processing. However, this setting works only if the IDoc doesn't include the [Express behavior overwriting segment, per SAP Support Note 1777090 - IDocs are processed immediately despite having the "Trigger by background program" option selected in WE20 - SAP for Me](https://me.sap.com/notes/0001777090).

+ For more information, see the following resources:

+ - [SAP Support Note 1845390 - Poor performance when posting IDocs with report RBDAPP01 - SAP for Me](https://me.sap.com/notes/1845390/E)

+ - [SAP Support Note 1333417 - Performance problems when processing IDocs immediately - SAP for Me](https://me.sap.com/notes/1333417/E)

+### Set up and test sending IDocs from SAP to your workflow

+To send IDocs from SAP to your logic app workflow, follow these steps to set up and test your SAP configuration with your logic app workflow. These steps apply only to testing as production environments require additional configuration.

+ > * **Non-ABAP RFC client (partner type) not supported**

+#### Create sender port

+1. In the settings box that opens, select **own port name**.

+1. For your test port, enter a **Name** that starts with **SAP**. Save your changes.

+ All sender port names must start with the letters **SAP**, for example, **SAPTEST**.

+1. In the settings for your new sender port, for **RFC destination**, enter the identifier for [your ABAP connection](#create-abap-connection).

+#### Create receiver port

+1. In the settings box that opens, select **own port name**. For your test port, enter a **Name**. Save your changes.

+1. In the settings for your new receiver port, for **RFC destination**, enter the identifier for [your test RFC destination](#create-rfc-destination).

+For production environments, you must create the following two partner profiles:

+- One profile for the sender, which is your organization and SAP system.

+- One profile for the receiver, which is your logic app resource and workflow.

+ If you didn't [create the logical system partner](#create-logical-system-partner), you get the error, **Enter a valid partner number**.

+1. Open the **$SAP_RFC_TRACE_DIRECTORY** folder, which contains the following files:

+# Set up Azure Managed Grafana authentication and permissions (preview)

+To process data, Azure Managed Grafana needs permission to access data sources. In this guide, learn how to set up authentication in an Azure Managed Grafana instance, so that Grafana can access data sources using a managed identity or a service principal. This guide also introduces the action of adding a Monitoring Reader role assignment on the target subscription to provide read-only access to monitoring data across all resources within the subscription.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+- An Azure Managed Grafana workspace. [Create an Azure Managed Grafana instance](./quickstart-managed-grafana-portal.md).

+- Owner or User Access Administrator permissions on the Azure Managed Grafana resource

+## Use a system-assigned managed identity

+The system-assigned managed identity is the default authentication method provided in Azure Managed Grafana. The managed identity is authenticated with Microsoft Entra ID, so you donΓÇÖt have to store any credentials in code. Although you can opt out, it's enabled by default when you create a new workspace, as long as you have the Owner or User Access Administrator role for the subscription. If system-assigned managed identity is disabled in your workspace and you have the necessary permissions, you can enable it later on.

+To enable a system-assigned managed identity:

+1. Go to **Settings** > **Identity (Preview)**.

+1. In the **System assigned (Preview)** tab, set the status for **System assigned** to **On**.

+ > [!NOTE]

+ > Assigning multiple managed identities to a single Azure Managed Grafana resource isn't possible. If a user-assigned managed identity is already assigned to the Azure Managed Grafana resource, you must first remove the assignment from the **User assigned (Preview)** tab before you can enable the system-assigned managed identity.

+ > [!NOTE]

+ > Disabling a system-assigned managed identity is irreversible. Each time you enable a system-assigned managed identity, Azure creates a new identity.

+ :::image type="content" source="media/authentication/system-assigned-managed-identity.png" alt-text="Screenshot of the Azure portal. Enabling a system-assigned managed identity.":::

+1. Under permissions, select **Azure role assignments** and assign the **Monitoring Reader** role to this managed identity on the target subscription.

+1. When done, select **Save**

+## Use a user-assigned managed identity

+User-assigned managed identities enable Azure resources to authenticate to cloud services without storing credentials in code. This type of managed identity is created as a standalone Azure resource, and has its own lifecycle. A single user-assigned managed identity can be shared across multiple resources.

+To assign a user-assigned managed identity to a workspace, you must have the Owner or User Access Administrator permissions on the resource.

+To assign a user-assigned managed identity:

+1. Go to **Settings** > **Identity (Preview)**.

+1. In the **User assigned (Preview)** tab, select **Add**.

+ > [!NOTE]

+ > Assigning multiple managed identities to a single Azure Managed Grafana resource isn't possible. You can only use one managed identity per resource. If a system-assigned identity is enabled, you must first disable it from the **System assigned (Preview)** tab before you can enable the user-assigned identity.

+1. In the side panel, select a subscription and an identity, then select **Add**.

+1. Once the identity is successfully added, open it by selecting its name and go to **Azure role assignments** to assign it the **Monitoring Reader** role on the target subscription.

+1. When done, select **Save**

+ :::image type="content" source="media/authentication/user-assigned-managed-identity.png" alt-text="Screenshot of the Azure portal. Enabling a user-assigned managed identity.":::

+ > [!NOTE]

+ > You can only assign one user-assigned managed identity per Azure Managed Grafana instance.

+## Use a service principal

+Azure Managed Grafana can also access data sources using service principals for authentication, using client IDs and secrets.

+Assign this service principal the **Monitoring Reader** role on the target subscription by opening your subscription in the Azure portal and going to **Access control (IAM)** > **Add** > **Add role assignment**.

+1. In the **Settings** tab, authenticate through **Managed Identity** and select your subscription from the dropdown list, or alternatively enter your **App Registration** details. When you select **Managed identity**, the authentication and authorization are made through the system-assigned or the user-assigned managed identity you [configured in your Azure Managed Grafana workspace](how-to-authentication-permissions.md). Using a managed identity lets you assign permissions for your Managed Grafana instance to access Azure Monitor data without having to manually manage service principals in Microsoft Entra ID.

+ Title: Monitor an Azure Managed Grafana instance with logs

+description: Learn how to monitor your instance of Azure Managed Grafana by configuring diagnostic settings and accessing event logs.

+#customer intent: I want to set up logs in Azure Managed Grafana instance so that I can monitor my Azure Managed Grafana workspace.

+In this article, you learn how to monitor an Azure Managed Grafana instance by configuring diagnostic settings and accessing event logs.

+To monitor an Azure Managed Grafana instance, the first step to take is to configure diagnostic settings. In this process, you configure the streaming export of your instance's logs to a destination of your choice.

+ - **audit** streams all audit logs (Currently not supported. See the following link for additional information about the types of logs available for the Microsoft.Dashboard/grafana resource type: [Supported logs for Microsoft.Dashboard/grafana](/azure/azure-monitor/reference/supported-logs/microsoft-dashboard-grafana-logs)).

+ - **AllMetrics** streams all metrics (Currently not supported. See the following link for additional information about metrics available for the Microsoft.Dashboard/grafana resource type: [Supported metrics for Microsoft.Dashboard/grafana](/azure/azure-monitor/reference/supported-metrics/microsoft-dashboard-grafana-metrics)).

+Now that you've configured your diagnostic settings, Azure streams all new events to your selected destinations and generate logs. You can now create queries and access logs to monitor your application.

+1. Select **Schema and Filter** on the left side of the screen to access tables, queries, and functions. You can also filter and group results, and find your favorites.

+#customer intent: I want to grant the Azure Monitor role to an Azure Managed Grafana instance so that I can start monitoring an Azure service in Grafana.

+description: Learn how to configure SMTP settings to generate email notifications to monitor your services in Azure Managed Grafana.

+#customer intent: I want configure SMTP settings in Azure Managed Grafana to generate email notifications, so that I can be alerted when incidents or events happen.

+In this guide, you learn how to configure SMTP (Simple Mail Transfer Protocol) settings to generate email alerts in Azure Managed Grafana. Notifications alert users when some given scenarios occur on a Grafana dashboard.

+ 1. Once the process is complete, the message "Updating the selections. Update successful" is displayed in the Azure **Notifications**. In the **Overview** page, the provisioning state of the instance turns to **Updating**, and then **Succeeded** once the update is complete.

+ 1. A notification "Test alert sent" is displayed, meaning that the email setup is successfully configured. The test email has been sent to the provided email address. If there's a misconfiguration, an error message is shown instead.

+## Managed identities

+Each Azure Managed Grafana instance can only have one user-assigned managed identity, or one user-assigned managed identity assigned.

+## Related links

+ Title: Create an Azure Managed Grafana instance using the Azure CLI

+Get started by creating an Azure Managed Grafana workspace using the Azure CLI. Creating a workspace will generate a Grafana instance.

+>[!NOTE]

+ > [!NOTE]

+ >Azure Managed Grafana has a system-assigned managed identity enabled by default. You can use a user-assigned managed identity or a service principal instead. To learn more, go to [Set up Azure Managed Grafana authentication and permissions (preview)](how-to-authentication-permissions.md).

+In this quickstart, you get started with Azure Managed Grafana by creating an Azure Managed Grafana workspace using the Azure portal. Creating a workspace will generate a Grafana instance.

+ >[!NOTE]

+ >You can use a user-assigned managed identity instead of the default system-assigned managed identity once the Azure Managed Grafana resource is deployed. To learn more, go to [Set up Azure Managed Grafana authentication and permissions (preview)](how-to-authentication-permissions.md).

+1. In the Managed Grafana UI, select **Configurations** > **Data Sources** from the left menu, and select **Azure Monitor**.

+1. If the data source is configured to use a managed identity:

+ Check if a system-assigned or a user-assigned managed identity is enabled in your workspace by going to **Settings** > **Identity (Preview)**. Go to [Set up Azure Managed Grafana authentication and permissions](how-to-authentication-permissions.md) to learn how to enable and configure the managed identity.

+ 1. Once you've selected your subscription, select **Save & test**. If you see *No Log Analytics workspaces found*, you may need to assign the Reader role to the managed identity in the Log Analytics workspace. Open your Log Analytics workspace, go to **Settings** > **Access control (IAM)**, **Add** > **Add role assignment**..

+

+ 1. Check if the service principal has the Monitoring Reader role assigned to the Managed Grafana instance. If not, add it from the Azure portal by opening your subscription in the Azure portal and going to **Access control (IAM)** > **Add** > **Add role assignment**.

+ 1. If needed, reapply the client secret.

+VMwareApplianc /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.OffAzure/VMwareSites/VMwareApplianca8basite

+Copy the value of the SiteId string corresponding to the Azure Migrate appliance that the VM is discovered through. In the example shown above, the SiteId is *"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.OffAzure/VMwareSites/VMwareApplianca8basite"*

+$SiteId = "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.OffAzure/VMwareSites/VMwareApplianca8basite"

+/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.OffAzure/VMwareSites/VMwareApplianca8basite/machines/10-150-8-52-b090bef3-b733-5e34-bc8f-eb6f2701432a_50098f99-f949-22ca-642b-724ec6595210

+ "policyId": "/Subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/ContosoMigration/providers/Microsoft.RecoveryServices/vaults/ContosoMigration7371rsvault/replicationPolicies/migrateVMware104e4sitepolicy",

+ "vmwareMachineId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/ContosoMigration/providers/Microsoft.OffAzure/VMwareSites/VMware104e4site/machines/10-150-8-52-b090bef3-b733-5e34-bc8f-eb6f2701432a_500937f3-805e-9414-11b1-f22923456e08",

+ "targetResourceGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/PayrollRG",

+ "targetNetworkId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/PayrollRG/providers/Microsoft.Network/virtualNetworks/PayrollNW",

+ "logStorageAccountId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/ContosoMigration/providers/Microsoft.Storage/storageAccounts/migratelsa1432469187",

+ "dataMoverRunAsAccountId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/ContosoMigration/providers/Microsoft.OffAzure/VMwareSites/VMware104e4site/runasaccounts/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a",

+ "snapshotRunAsAccountId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/ContosoMigration/providers/Microsoft.OffAzure/VMwareSites/VMware104e4site/runasaccounts/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a",

+ "targetBootDiagnosticsStorageAccountId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/ContosoMigration/providers/Microsoft.Storage/storageAccounts/migratelsa1432469187",

+ "policyId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.RecoveryServices/vaults/ContosoVMwareCMK00ddrsvault/replicationPolicies/migrateVMwareApplianca8basitepolicy",

+ "vmwareMachineId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.OffAzure/VMwareSites/VMwareApplianca8basite/machines/10-150-8-52-b090bef3-b733-5e34-bc8f-eb6f2701432a_50098f99-f949-22ca-642b-724ec6595210",

+ "targetResourceGroupId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoMigrationTarget",

+ "targetNetworkId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/cmkRTest/providers/Microsoft.Network/virtualNetworks/cmkvm1_vnet",

+ "logStorageAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.Storage/storageAccounts/migratelsa1671875959",

+ "diskEncryptionSetId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/CONTOSOMIGRATIONTARGET/providers/Microsoft.Compute/diskEncryptionSets/ContosoCMKDES",

+ "logStorageAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.Storage/storageAccounts/migratelsa1671875959",

+ "diskEncryptionSetId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/CONTOSOMIGRATIONTARGET/providers/Microsoft.Compute/diskEncryptionSets/ContosoCMKDES",

+ "logStorageAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.Storage/storageAccounts/migratelsa1671875959",

+ "diskEncryptionSetId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/CONTOSOMIGRATIONTARGET/providers/Microsoft.Compute/diskEncryptionSets/ContosoCMKDES",

+ "dataMoverRunAsAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.OffAzure/VMwareSites/VMwareApplianca8basite/runasaccounts/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a",

+ "snapshotRunAsAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.OffAzure/VMwareSites/VMwareApplianca8basite/runasaccounts/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a",

+ "targetBootDiagnosticsStorageAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoVMwareCMK/providers/Microsoft.Storage/storageAccounts/migratelsa1671875959",

+Set-AzContext -SubscriptionId aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+6. Flow Tuples ΓÇô a table showing the information contained within each flow tuple, and its corresponding NGS and rule.

+## Next step

+description: Learn how to use Power BI to visualize network security group flow logs to allow you to view information about your IP traffic.

+1. Enter the access key for your storage account. You can find valid access keys by going to your storage account in the Azure portal and selecting **Access keys** under **Security + networking**. Select **Connect** then apply changes.

+4. Your logs are downloaded and parsed and you can now utilize the pre-created visuals.

+| Japan East | Japan East(Tokyo) | Γ£ô | Γ£ô |

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/contoso-Rgp/providers/Microsoft.Orbital/contactProfiles/CONTOSO-CP",

+ "eventHubUri": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/contoso-Rgp/providers/Microsoft.EventHub/namespaces/contosoHub/eventhubs/contosoHub",

+ "subnetId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/contoso-Rgp/providers/Microsoft.Network/virtualNetworks/contoso-vnet/subnets/orbital-delegated-subnet"

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/Demo/providers/Microsoft.Orbital/contactProfiles/Aqua-directbroadcast",

+ "eventHubUri": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Demo/providers/Microsoft.EventHub/namespaces/demo-orbital-eventhub/eventhubs/antenna-metrics-stream",

+- Accelerate build pipelines by running tests in parallel using cloud-hosted browsers.

+- Simplify troubleshooting by publishing test results and artifacts to the service, making them easily accessible through the service portal.

+2. Add the following content to it:

+ By default, the service configuration enables you to:

+ - Accelerate build pipelines by running tests in parallel using cloud-hosted browsers.

+ - Simplify troubleshooting with easy access to test results and artifacts published to the service.

+ However, you can choose to use either of these features or both. See [How to use service features](./how-to-use-service-features.md#manage-features-while-running-tests) and update the service configuration file as per your requirement.

+3. Save and commit the file to your source code repository.

+```typescript

+## Enable artifacts in Playwright configuration

+In the `playwright.config.ts` file of your project, make sure you are collecting all the required artifacts.

+```typescript

+ use: {

+ trace: 'on-first-retry',

+ video:'retain-on-failure',

+ screenshot:'on'

+ },

+ ```

+ # Choose how to set up authentication to Azure from GitHub Actions. This is one example.

+## View test runs and results in the Playwright portal

+You can now troubleshoot the CI pipeline in the Playwright portal,

+> You can use Microsoft Playwright Testing service features independently. You can publish test results to the portal without using the cloud-hosted browsers feature and you can also use only cloud-hosted browsers to expedite your test suite without publishing test results. For details, see [How to use service features](./how-to-use-service-features.md).

+> [!NOTE]

+> The test results and artifacts that you publish are retained on the service for 90 days. After that, they are automatically deleted.

+ Title: 'Quickstart: Generate rich reports for Playwright tests'

+description: 'This quickstart shows how to troubleshoot your test runs using Microsoft Playwright Testing Preview.'

+# Quickstart: Troubleshoot tests with Microsoft Playwright Testing Preview

+In this quickstart, you learn how to troubleshoot your Playwright tests easily using reports and artifacts published on Microsoft Playwright Testing Preview. Additionally, this guide demonstrates how to utilize the reporting feature, regardless of whether you're running tests on the cloud-hosted browsers provided by the service.

+After you complete this quickstart, you'll have a Microsoft Playwright Testing workspace to view test results and artifacts in the service portal.

+> [!IMPORTANT]

+> Microsoft Playwright Testing is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Background

+Microsoft Playwright Testing service enables you to:

+- Accelerate build pipelines by running tests in parallel using cloud-hosted browsers.

+- Simplify troubleshooting by publishing test results and artifacts to the service, making them accessible through the service portal.

+These two features of the service can be used independently of each other and each has its own [pricing plan](https://aka.ms/mpt/pricing). This means you can:

+- Expedite test runs and streamline troubleshooting by running tests in cloud-hosted browsers and publishing results to the service.

+- Run tests only in cloud-hosted browsers to finish test runs faster.

+- Publish test results to the service while continuing to run tests locally for efficient troubleshooting.

+## Prerequisites

+* An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* Your Azure account needs the [Owner](/azure/role-based-access-control/built-in-roles#owner), [Contributor](/azure/role-based-access-control/built-in-roles#contributor), or one of the [classic administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles).

+* A Playwright project. If you don't have project, create one by using the [Playwright getting started documentation](https://playwright.dev/docs/intro) or use our [Microsoft Playwright Testing sample project](https://github.com/microsoft/playwright-testing-service/tree/main/samples/get-started).

+* Azure CLI. If you don't have Azure CLI, see [Install Azure CLI](/cli/azure/install-azure-cli).

+## Create a workspace

+To get started with publishing test results on Playwright Testing service, first create a Microsoft Playwright Testing workspace in the Playwright portal.

+When the workspace creation finishes, you're redirected to the setup guide.

+## Install Microsoft Playwright Testing package

+To use the service, install the Microsoft Playwright Testing package.

+```npm

+npm init @azure/microsoft-playwright-testing

+```

+This command generates `playwright.service.config.ts` file which serves to:

+- Direct and authenticate your Playwright client to the Microsoft Playwright Testing service.

+- Adds a reporter to publish test results and artifacts.

+If you already have this file, the prompt asks you to override it.

+To use only reporting feature for the test run, disable cloud-hosted browsers by setting `useCloudHostedBrowsers` as false.

+```typescript

+export default defineConfig(

+ config,

+ getServiceConfig(config, {

+ timeout: 30000,

+ os: ServiceOS.LINUX,

+ useCloudHostedBrowsers: false // Do not use cloud hosted browsers

+ }),

+ {

+ reporter: [['list'], ['@azure/microsoft-playwright-testing/reporter']], // Reporter for Microsoft Playwright Testing service

+ }

+);

+```

+Setting the value as `false` ensures that cloud-hosted browsers aren't used to run the tests. The tests run on your local machine but the results and artifacts are published on the service.

+> [!TIP]

+> If you wish to accelerate your test run using cloud-hosted browser, you can set `useCloudHostedBrowsers` as true. This will run your tests on the service managed browsers.

+## Configure the service region endpoint

+In your setup, you have to provide the region-specific service endpoint. The endpoint depends on the Azure region you selected when creating the workspace.

+To get the service endpoint URL:

+1. In **Add region endpoint in your setup**, copy the region endpoint for your workspace.

+ The endpoint URL matches the Azure region that you selected when creating the workspace.

+ :::image type="content" source="./media/quickstart-run-end-to-end-tests/playwright-testing-region-endpoint.png" alt-text="Screenshot that shows how to copy the workspace region endpoint in the Playwright Testing portal." lightbox="./media/quickstart-run-end-to-end-tests/playwright-testing-region-endpoint.png":::

+## Set up your environment

+To set up your environment, you have to configure the `PLAYWRIGHT_SERVICE_URL` environment variable with the value you obtained in the previous steps.

+We recommend that you use the `dotenv` module to manage your environment. With `dotenv`, you define your environment variables in the `.env` file.

+1. Add the `dotenv` module to your project:

+ ```shell

+ npm i --save-dev dotenv

+ ```

+1. Create a `.env` file alongside the `playwright.config.ts` file in your Playwright project:

+ ```

+ PLAYWRIGHT_SERVICE_URL={MY-REGION-ENDPOINT}

+ ```

+ Make sure to replace the `{MY-REGION-ENDPOINT}` text placeholder with the value you copied earlier.

+## Set up authentication

+To publish test results and artifacts to your Microsoft Playwright Testing workspace, you need to authenticate the Playwright client where you're running the tests with the service. The client could be your local dev machine or CI machine.

+The service offers two authentication methods: Microsoft Entra ID and Access Tokens.

+Microsoft Entra ID uses your Azure credentials, requiring a sign-in to your Azure account for secure access. Alternatively, you can generate an access token from your Playwright workspace and use it in your setup.

+##### Set up authentication using Microsoft Entra ID

+Microsoft Entra ID is the default and recommended authentication for the service. From your local dev machine, you can use [Azure CLI](/cli/azure/install-azure-cli) to sign-in

+```CLI

+az login

+```

+> [!NOTE]

+> If you're a part of multiple Microsoft Entra tenants, make sure you sign in to the tenant where your workspace belongs. You can get the tenant ID from Azure portal. See [Find your Microsoft Entra Tenant](/azure/azure-portal/get-subscription-tenant-id#find-your-microsoft-entra-tenant). Once you get the ID, sign-in using the command `az login --tenant <TenantID>`

+##### Set up authentication using access tokens

+You can generate an access token from your Playwright Testing workspace and use it in your setup. However, we strongly recommend Microsoft Entra ID for authentication due to its enhanced security. Access tokens, while convenient, function like long-lived passwords and are more susceptible to being compromised.

+1. Authentication using access tokens is disabled by default. To use, [Enable access-token based authentication](./how-to-manage-authentication.md#enable-authentication-using-access-tokens)

+2. [Set up authentication using access tokens](./how-to-manage-authentication.md#set-up-authentication-using-access-tokens)

+> [!CAUTION]

+> We strongly recommend using Microsoft Entra ID for authentication to the service. If you are using access tokens, see [How to Manage Access Tokens](./how-to-manage-access-tokens.md)

+## Enable artifacts in Playwright configuration

+In the `playwright.config.ts` file of your project, make sure you're collecting all the required artifacts.

+```typescript

+ use: {

+ trace: 'on-first-retry',

+ video:'retain-on-failure',

+ screenshot:'on'

+ },

+```

+## Run your tests and publish results on Microsoft Playwright Testing

+You've now prepared the configuration for publishing test results and artifacts with Microsoft Playwright Testing. Run tests using the newly created `playwright.service.config.ts` file and publish test results and artifacts to the service.

+ ```bash

+ npx playwright test --config=playwright.service.config.ts

+```

+> [!NOTE]

+> For the Reporting feature of Microsoft Playwright Testing, you get charged based on the number test results published. If you're a first-time user or [getting started with a free trial](./how-to-try-playwright-testing-free.md), you might start with publishing single test result instead of your full test suite to avoid exhausting your free trial limits.

+After the test completes, you can view the test status in the terminal.

+```output

+Running 6 test using 2 worker

+ 5 passed, 1 failed (20.2s)

+

+Test report: https://playwright.microsoft.com/workspaces/<workspace-id>/runs/<run-id>

+```

+> [!CAUTION]

+> Depending on the size of your test suite, you might incur additional charges for the test results beyond your allotted free test results.

+## View test runs and results in the Playwright portal

+You can now troubleshoot the failed test cases in the Playwright portal.

+> [!TIP]

+> You can also use Microsoft Playwright Testing service to run tests in parallel using cloud-hosted browsers. Both Reporting and cloud-hosted browsers are independent features and are billed separately. You can use either of these or both. For details, see [How to use service features](./how-to-use-service-features.md)

+> [!NOTE]

+> The test results and artifacts that you publish are retained on the service for 90 days. After that, they are automatically deleted.

+## Next step

+You've successfully created a Microsoft Playwright Testing workspace in the Playwright portal and run your Playwright tests on cloud browsers.

+Advance to the next quickstart to set up continuous end-to-end testing by running your Playwright tests in your CI/CD workflow.

+> [!div class="nextstepaction"]

+> [Set up continuous end-to-end testing in CI/CD](./quickstart-automate-end-to-end-testing.md)

+## Enable artifacts in Playwright configuration

+In the `playwright.config.ts` file of your project, make sure you are collecting all the required artifacts.

+```typescript

+ use: {

+ trace: 'on-first-retry',

+ video:'retain-on-failure',

+ screenshot:'on'

+ }

+```

+> Depending on the size of your test suite, you might incur additional charges for the test minutes and test results beyond your allotted free test minutes and free test results.

+ Test report: https://playwright.microsoft.com/workspaces/<workspace-id>/runs/<run-id>

+You can now troubleshoot the failed test cases in the Playwright portal.

+| East US | Norway East | | | *Japan West |

+| Product, Feature, or Service | Server-Side Using Customer-Managed Key | Documentation |

+| | | |

+| **AI and Machine Learning** | | |

+| [Azure AI Search](/azure/search/) | Yes | |

+| [Azure AI services](/azure/cognitive-services/) | Yes, including Managed HSM | |

+| [Azure Machine Learning](/azure/machine-learning/) | Yes | |

+| [Content Moderator](/azure/cognitive-services/content-moderator/) | Yes, including Managed HSM | |

+| [Face](/azure/cognitive-services/face/) | Yes, including Managed HSM | |

+| [Language Understanding](/azure/cognitive-services/luis/) | Yes, including Managed HSM | |

+| [Azure OpenAI](/azure/ai-services/openai/) | Yes, including Managed HSM | |

+| [Personalizer](/azure/cognitive-services/personalizer/) | Yes, including Managed HSM | |

+| [QnA Maker](/azure/cognitive-services/qnamaker/) | Yes, including Managed HSM | |

+| [Speech Services](/azure/cognitive-services/speech-service/) | Yes, including Managed HSM | |

+| [Translator Text](/azure/cognitive-services/translator/) | Yes, including Managed HSM | |

+| [Power Platform](/power-platform/) | Yes, including Managed HSM | |

+| [Dataverse](/powerapps/maker/data-platform/) | Yes, including Managed HSM | |

+| [Dynamics 365](/dynamics365/) | Yes, including Managed HSM | |

+| **Analytics** | | |

+| [Azure Stream Analytics](/azure/stream-analytics/) | Yes\*\*, including Managed HSM | |

+| [Event Hubs](/azure/event-hubs/) | Yes | |

+| [Functions](/azure/azure-functions/) | Yes | |

+| [Azure Analysis Services](/azure/analysis-services/) | - | |

+| [Azure Data Catalog](/azure/data-catalog/) | - | |

+| [Azure HDInsight](/azure/hdinsight/) | Yes | |

+| [Azure Monitor Application Insights](/azure/azure-monitor/app/app-insights-overview) | Yes | |

+| [Azure Monitor Log Analytics](/azure/azure-monitor/logs/log-analytics-overview) | Yes, including Managed HSM | |

+| [Azure Data Explorer](/azure/data-explorer/) | Yes | |

+| [Azure Data Factory](/azure/data-factory/) | Yes, including Managed HSM | |

+| [Azure Data Lake Store](/azure/data-lake-store/) | Yes, RSA 2048-bit | |

+| **Containers** | | |

+| [Azure Kubernetes Service](/azure/aks/) | Yes, including Managed HSM | |

+| [Container Instances](/azure/container-instances/) | Yes | |

+| [Container Registry](/azure/container-registry/) | Yes | |

+| **Compute** | | |

+| [Virtual Machines](/azure/virtual-machines/) | Yes, including Managed HSM | |

+| [Virtual Machine Scale Set](/azure/virtual-machine-scale-sets/) | Yes, including Managed HSM | |

+| [SAP HANA](/azure/sap/large-instances/hana-overview-architecture) | Yes | |

+| [App Service](/azure/app-service/) | Yes\*\*, including Managed HSM | |

+| [Automation](/azure/automation/) | Yes | |

+| [Azure Functions](/azure/azure-functions/) | Yes\*\*, including Managed HSM | |

+| [Azure portal](/azure/azure-portal/) | Yes\*\*, including Managed HSM | |

+| [Azure VMware Solution](/azure/azure-vmware/) | Yes, including Managed HSM | |

+| [Logic Apps](/azure/logic-apps/) | Yes | |

+| [Azure-managed applications](/azure/azure-resource-manager/managed-applications/overview) | Yes\*\*, including Managed HSM | |

+| [Service Bus](/azure/service-bus-messaging/) | Yes | |

+| [Site Recovery](/azure/site-recovery/) | Yes | |

+| **Databases** | | |

+| [SQL Server on Virtual Machines](/azure/virtual-machines/windows/sql/) | Yes | |

+| [Azure SQL Database](/azure/azure-sql/database/) | Yes, RSA 3072-bit, including Managed HSM | |

+| [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/) | Yes, RSA 3072-bit, including Managed HSM | |

+| [Azure Database for MariaDB](/azure/mariadb/) | - | |

+| [Azure Database for MySQL](/azure/mysql/) | Yes, including Managed HSM | |

+| [Azure Database for PostgreSQL](/azure/postgresql/) | Yes, including Managed HSM | |

+| [Azure Synapse Analytics (dedicated SQL pool (formerly SQL DW) only)](/azure/synapse-analytics/) | Yes, RSA 3072-bit, including Managed HSM | |

+| [SQL Server Stretch Database](/sql/sql-server/stretch-database/) | Yes, RSA 3072-bit | |

+| [Table Storage](/azure/storage/tables/) | Yes | |

+| [Azure Cosmos DB](/azure/cosmos-db/) | Yes, including Managed HSM | [Configure CMKs (Key Vault)](/azure/cosmos-db/how-to-setup-cmk) and [Configure CMKs (Managed HSM)](/azure/cosmos-db/how-to-setup-customer-managed-keys-mhsm) |

+| [Azure Databricks](/azure/databricks/) | Yes, including Managed HSM | |

+| [Azure Database Migration Service](/azure/dms/) | N/A\* | |

+| **Identity** | | |

+| [Microsoft Entra ID](/azure/active-directory/) | - | |

+| [Microsoft Entra Domain Services](/azure/active-directory-domain-services/) | Yes | |

+| **Integration** | | |

+| [Service Bus](/azure/service-bus-messaging/) | Yes | |

+| [Event Grid](/azure/event-grid/) | - | |

+| [API Management](/azure/api-management/) | - | |

+| **IoT Services** | | |

+| [IoT Hub](/azure/iot-hub/) | Yes | |

+| [IoT Hub Device Provisioning](/azure/iot-dps/) | Yes | |

+| **Management and Governance** | | |

+| [Azure Managed Grafana](/azure/managed-grafana/) | - | |

+| [Azure Site Recovery](/azure/site-recovery/) | - | |

+| [Azure Migrate](/azure/migrate/) | Yes | |

+| **Media** | | |

+| [Media Services](/azure/media-services/) | Yes | |

+| **Security** | | |

+| [Microsoft Defender for IoT](/azure/defender-for-iot/) | Yes | |

+| [Microsoft Sentinel](/azure/sentinel/) | Yes, including Managed HSM | |

+| **Storage** | | |

+| [Blob Storage](/azure/storage/blobs/) | Yes, including Managed HSM | |

+| [Premium Blob Storage](/azure/storage/blobs/) | Yes, including Managed HSM | |

+| [Disk Storage](/azure/virtual-machines/disks-types/) | Yes, including Managed HSM | |

+| [Ultra Disk Storage](/azure/virtual-machines/disks-types/) | Yes, including Managed HSM | |

+| [Managed Disk Storage](/azure/virtual-machines/disks-types/) | Yes, including Managed HSM | |

+| [File Storage](/azure/storage/files/) | Yes, including Managed HSM | |

+| [File Premium Storage](/azure/storage/files/) | Yes, including Managed HSM | |

+| [File Sync](/azure/storage/file-sync/file-sync-introduction) | Yes, including Managed HSM | |

+| [Queue Storage](/azure/storage/queues/) | Yes, including Managed HSM | |

+| [Data Lake Storage Gen2](/azure/storage/blobs/data-lake-storage-introduction/) | Yes, including Managed HSM | |

+| [Avere vFXT](/azure/avere-vfxt/) | - | |

+| [Azure Cache for Redis](/azure/azure-cache-for-redis/) | Yes\*\*\*, including Managed HSM | |

+| [Azure NetApp Files](/azure/azure-netapp-files/) | Yes, including Managed HSM | |

+| [Archive Storage](/azure/storage/blobs/archive-blob) | Yes | |

+| [StorSimple](/azure/storsimple/) | Yes | |

+| [Azure Backup](/azure/backup/) | Yes, including Managed HSM | |

+| [Data Box](/azure/databox/) | - | |

+| [Azure Stack Edge](/azure/databox-online/azure-stack-edge-overview/) | Yes | |

+| **Other** | | |

+| [Azure Data Manager for Energy](/azure/energy-data-services/overview-microsoft-energy-data-services) | Yes | |

+If you're creating a Google Cloud Platform (GCP) CCP data connector, package the deployment template using the [example GCP CCP template](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Templates/Connector_GCP_CCP_template.json). For information on how to fill out the GCP CCP template, see [GCP data connector connection rules reference](data-connection-rules-reference-gcp.md).

+description: Learn about current limitations in Service Connector used to connect apps and Cloud services in Azure.

+Service Connector is designed to bring the benefits of easy, secure, and consistent backing service connections to as many Azure services as possible. To do so, Service Connector is developed as an extension resource provider.

+IaC support comes with some limitations, as Service Connector modifies the infrastructure on the users' behalf. In this scenario, users begin by using Azure Resource Manager (ARM), Bicep, Terraform, or other IaC templates to create resources. Afterwards, they use Service Connector to set up resource connections. During this step, Service Connector modifies resource configurations on behalf of the user. If the user reruns their IaC template at a later time, modifications made by Service Connector disappear as they weren't reflected in the original IaC templates. As an example of this behavior, Azure Container Apps resources deployed with ARM templates usually have the managed identity authentication disabled by default. Service Connector enables the managed identity when setting up connections on the users' behalf. If users trigger the same ARM templates without updating the managed identity settings, the managed identity will be disabled once again in the redeployed Azure Container Apps resource.

+- If your CI/CD pipelines contain templates of source compute or backing services, we suggested reapplying the templates, adding a sanity check or smoke tests to make sure the application is up and running, then allowing live traffic to the application. The flow adds a verification step before allowing live traffic.

+- The order in which automation operations are performed matters. Ensure your connection endpoints are there before the connection itself is created. Ideally, create the backing service, then the compute service, and then the connection between the two. This way, Service Connector can configure both the compute service and the backing service appropriately.

+ Title: 'Quickstart: Create a service connection in App Service'

+ ### [System-assigned managed identity (recommended)](#tab/SMI)

+ Title: 'Quickstart: Create a service connection in Container Apps'

+ ### [System-assigned managed identity (recommended)](#tab/SMI)

+ ### [User-assigned managed identity](#tab/UMI)

+If you encounter any permission-related errors, confirm the Azure CLI signed-in user with the command `az account show`. Make sure you sign in with the correct account. Next, confirm that you have the following permissions that might be required to create a passwordless connection with Service Connector.

+ Title: 'Tutorial: Connect Azure services and store secrets in Key Vault'

+description: Tutorial showing how to store your web application's secrets in Azure Key Vault using Service Connector.

+#customer intent: As a web developer, I want store my app's secrets in Azure Key Vault so they can be managed and protected by Azure's security features.

+Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. When you create a service connection, you can securely store access keys and secrets into connected Key Vault. In this tutorial, you complete the following tasks using the Azure portal. Both methods are explained in the following procedures.

+* Another target service instance supported by Service Connector. In this tutorial, you use [Azure Blob Storage](../storage/blobs/storage-quickstart-blobs-portal.md)

+* Read and write access to the App Service, Key Vault, and the target service.

+Now you can create a service connection to another target service and directly store access keys into a connected Key Vault when using a connection string/access key or a service principal for authentication. We use Blob Storage as an example below. Follow the same process for other target services.

+ Select **Next: Authentication** to select the authentication type and select **Service Principal** to use a service principal to connect your storage account.

+ | **Service Principal object ID or name** | Choose the service principal you want to use to connect to Blob Storage from the list | The service principal in your subscription that is used to connect to target service. |

+1. Select the **Key Vault** in the Service Type column of your Key Vault connection. You'll be redirected to the Key Vault portal page.

+description: Learn how you can connect a Python function to a storage blob as input using Service Connector in Azure.

+#customer intent: As a developer, I want to configure a Python function with Storage Blob as input function binding so that I can process and manage large volumes of data stored in Azure Blob Storage.

+In this tutorial, you learn how to configure a Python function with Azure Blob storage as input by completing the following tasks:

+You created a Python function project with Azure Storage Queue as trigger. The local project connects to Azure Storage using the connection string saved into the `local.settings.json` file. Finally, the `main` function in `__init__.py` file of the function can consume the connection string with the help of the Function Binding defined in the `function.json` file.

+1. To verify the trigger works properly, keep the function running locally and open the Storage Queue pane in Azure portal, select **Add message** and provide a test message. You should see the function is triggered and processed as a queue item in your Visual Studio Code terminal.

+1. Open the Storage Queue pane in the Azure portal, select **Add message** and provide a test message. You should see the function is triggered and processed as a queue item in your function logs.

+If there are any errors related with the storage host, such as `No such host is known (<acount-name>.queue.core.windows.net:443)`, check whether the connection string you use to connect to Azure Storage contains the queue endpoint or not. If it doesn't, go to Azure Storage in the Azure portal, copy the connection string from the `Access keys` pane, and replace the values.

+Red Hat Enterprise Linux | 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6,[7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9](https://support.microsoft.com/help/4578241/), [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609/), [8.3](https://support.microsoft.com/help/4597409/), [8.4](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-305.30.1.el8_4.x86_64 or higher), [8.5](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-348.5.1.el8_5.x86_64 or higher), [8.6](https://support.microsoft.com/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3, 9.4 <br> RHEL `9.x` is supported for the [following kernel versions](#supported-kernel-versions-for-red-hat-enterprise-linux-for-azure-virtual-machines).

+SUSE Linux Enterprise Server 12 | SP1, SP2, SP3, SP4, SP5, SP6 [(Supported kernel versions)](#supported-suse-linux-enterprise-server-12-kernel-versions-for-azure-virtual-machines)

+SUSE Linux Enterprise Server 15 | 15, SP1, SP2, SP3, SP4, SP5, SP6 [(Supported kernel versions)](#supported-suse-linux-enterprise-server-15-kernel-versions-for-azure-virtual-machines)

+Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4573888/), [7.9](https://support.microsoft.com/help/4597409), [8.0](https://support.microsoft.com/help/4573888/), [8.1](https://support.microsoft.com/help/4573888/), [8.2](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.3](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) (running the Red Hat compatible kernel or Unbreakable Enterprise Kernel Release 3, 4, 5, and 6 (UEK3, UEK4, UEK5, UEK6), [8.4](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), 8.5, 8.6, 8.7, 8.8 , 8.9, 9.0, 9.1, 9.2, 9.3, 9.4. <br/><br/>8.1 (running on all UEK kernels and RedHat kernel <= 3.10.0-1062.* are supported in [9.35](https://support.microsoft.com/help/4573888/) Support for rest of the RedHat kernels is available in [9.36](https://support.microsoft.com/help/4578241/)). <br> Oracle Linux 9.x is supported for the [following kernel versions](#supported-red-hat-linux-kernel-versions-for-oracle-linux-on-azure-virtual-machines).

+RHEL 9.0 <br> RHEL 9.1 <br> RHEL 9.2 <br> RHEL 9.3 <br> RHEL 9.4 | 9.63 | 5.14.0-284.73.1.el9_2.x86_64 <br> 5.14.0-284.75.1.el9_2.x86_64 <br> 5.14.0-284.77.1.el9_2.x86_64 <br> 5.14.0-284.79.1.el9_2.x86_64 <br> 5.14.0-284.80.1.el9_2.x86_64 <br> 5.14.0-284.82.1.el9_2.x86_64 <br> 5.14.0-284.84.1.el9_2.x86_64 <br> 5.14.0-284.85.1.el9_2.x86_64 <br> 5.14.0-284.86.1.el9_2.x86_64 <br> 5.14.0-427.24.1.el9_4.x86_64 <br> 5.14.0-427.26.1.el9_4.x86_64 <br> 5.14.0-427.28.1.el9_4.x86_64 <br> 5.14.0-427.31.1.el9_4.x86_64 <br> 5.14.0-427.33.1.el9_4.x86_64 <br> 5.14.0-427.35.1.el9_4.x86_64 <br> 5.14.0-427.37.1.el9_4.x86_64|

+14.04 LTS | 9.63| No new 14.04 LTS kernels supported in this release. |

+16.04 LTS | 9.63| No new 16.04 LTS kernels supported in this release. |

+18.04 LTS | 9.63 | 5.4.0-1135-azure <br> 5.4.0-192-generic <br> 4.15.0-1180-azure <br> 4.15.0-228-generic <br> 5.4.0-1136-azure <br> 5.4.0-193-generic <br> 5.4.0-1137-azure <br> 5.4.0-1138-azure <br> 5.4.0-195-generic <br> 5.4.0-196-generic <br> 4.15.0-1181-azure <br> 4.15.0-229-generic|

+18.04 LTS | 9.62| 4.15.0-226-generic <br>5.4.0-1131-azure <br>5.4.0-186-generic <br>5.4.0-187-generic <br> 4.15.0-1178-azure <br> 5.4.0-1132-azure <br> 5.4.0-1133-azure <br> 5.4.0-1134-azure <br> 5.4.0-190-generic <br> 5.4.0-189-generic |

+20.04 LTS | 9.63| 5.15.0-1070-azure <br> +5.4.0-1135-azure <br> 5.4.0-192-generic <br> 5.15.0-1071-azure <br> 5.15.0-118-generic <br> 5.15.0-119-generic <br> 5.4.0-1136-azure <br> 5.4.0-193-generic <br> 5.15.0-1072-azure <br> 5.15.0-1073-azure <br> 5.15.0-121-generic <br> 5.15.0-122-generic <br> 5.4.0-1137-azure <br> 5.4.0-1138-azure <br> 5.4.0-195-generic <br> 5.4.0-196-generic |

+20.04 LTS | 9.62| 5.15.0-1065-azure <br>5.15.0-1067-azure <br>5.15.0-113-generic <br>5.4.0-1131-azure <br>5.4.0-1132-azure <br>5.4.0-186-generic <br> 5.4.0-187-generic <br> 5.15.0-1068-azure <br> 5.15.0-116-generic <br> 5.15.0-117-generic <br> 5.4.0-1133-azure <br> 5.4.0-1134-azure <br> 5.4.0-189-generic <br> 5.4.0-190-generic |

+22.04 LTS | 9.63| 5.15.0-1070-azure <br> 5.15.0-118-generic <br> 5.15.0-1071-azure <br> 5.15.0-119-generic <br> 5.15.0-1072-azure <br> 5.15.0-1073-azure <br> 5.15.0-121-generic <br> 5.15.0-122-generic |

+22.04 LTS | 9.62| 5.15.0-1066-azure <br> 5.15.0-1067-azure <br>5.15.0-112-generic <br>5.15.0-113-generic <br>6.5.0-1022-azure <br>6.5.0-1023-azure <br>6.5.0-41-generic <br> 5.15.0-1068-azure <br> 5.15.0-116-generic <br> 5.15.0-117-generic <br> 6.5.0-1024-azure <br> 6.5.0-1025-azure <br> 6.5.0-44-generic <br> 6.5.0-45-generic |

+Debian 7 | 9.63| No new Debian 7 kernels supported in this release. |

+Debian 8 | 9.63| No new Debian kernels supported in this release. |

+Debian 9.1 | 9.62| No new Debian kernels supported in this release. |

+Debian 10 | 9.63| No new Debian 10 kernels supported in this release. |

+Debian 11 | 9.63 | 5.10.0-26-amd64 <br> 5.10.0-26-cloud-amd64 <br> 5.10.0-31-amd64 <br> 5.10.0-31-cloud-amd64 <br> 5.10.0-32-amd64 <br> 5.10.0-32-cloud-amd64 <br> 6.1.0-0.deb11.13-amd64 <br> 6.1.0-0.deb11.13-cloud-amd64 <br> 6.1.0-0.deb11.17-amd64 <br> 6.1.0-0.deb11.17-cloud-amd64 <br> 6.1.0-0.deb11.18-amd64 <br> 6.1.0-0.deb11.18-cloud-amd64 <br> 6.1.0-0.deb11.21-amd64 <br> 6.1.0-0.deb11.21-cloud-amd64 <br> 6.1.0-0.deb11.22-amd64 <br> 6.1.0-0.deb11.22-cloud-amd64 |

+Debian 12 | 9.63 | 6.1.0-25-amd64 <br>6.1.0-25-cloud-amd64 <br>6.1.0-26-amd64 <br> 6.1.0-26-cloud-amd64 |

+Debian 12 | 9.62| 6.1.0-22-amd64 <br> 6.1.0-22-cloud-amd64 <br> 6.1.0-23-amd64 <br> 6.1.0-23-cloud-amd64 <br> 6.5.0-0.deb12.4-cloud-amd64 |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | 9.63 | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.194-azure:5 <br> 4.12.14-16.197-azure:5 |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | 9.62 | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.185-azure:5 <br> 4.12.14-16.188-azure:5 <br> 4.12.14-16.191-azure:5 |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5, SP6) | 9.63 | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150500.33.63-azure:5 <br> 5.14.21-150500.33.66-azure:5 <br> 6.4.0-150600.6-azure:6 <br>6.4.0-150600.8.11-azure:6 <br> 6.4.0-150600.8.5-azure:6 <br> 6.4.0-150600.8.8-azure:6 |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5) | 9.62 | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150500.33.54-azure:5 <br> 5.14.21-150500.33.57-azure:5 <br> 5.14.21-150500.33.60-azure:5 |

+Oracle Linux 9.0 <br> Oracle Linux 9.1 <br> Oracle Linux 9.2 <br> Oracle Linux 9.3 <br> Oracle Linux 9.4 | 9.63 | 5.14.0-284.73.1.el9_2.x86_64 <br> 5.14.0-284.75.1.el9_2.x86_64 <br> 5.14.0-284.77.1.el9_2.x86_64 <br> 5.14.0-284.79.1.el9_2.x86_64 <br> 5.14.0-284.80.1.el9_2.x86_64 <br> 5.14.0-284.82.1.el9_2.x86_64 <br> 5.14.0-284.84.1.el9_2.x86_64 <br> 5.14.0-284.85.1.el9_2.x86_64 <br> 5.14.0-284.86.1.el9_2.x86_64 <br> 5.14.0-427.13.1.el9_4.x86_64 <br> 5.14.0-427.16.1.el9_4.x86_64 <br> 5.14.0-427.18.1.el9_4.x86_64 <br> 5.14.0-427.20.1.el9_4.x86_64 <br> 5.14.0-427.22.1.el9_4.x86_64 <br> 5.14.0-427.24.1.el9_4.x86_64 <br> 5.14.0-427.26.1.el9_4.x86_64 <br> 5.14.0-427.28.1.el9_4.x86_64 <br> 5.14.0-427.31.1.el9_4.x86_64 <br> 5.14.0-427.33.1.el9_4.x86_64 <br> 5.14.0-427.35.1.el9_4.x86_64 <br> 5.14.0-427.37.1.el9_4.x86_64 |

+> Mobility service versions`9.56`, `9.60`, `9.62` and `9.63` are only available for Modernized experience. <br>

+Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4573888/), [7.9](https://support.microsoft.com/help/4597409/), [8.0](https://support.microsoft.com/help/4573888/), [8.1](https://support.microsoft.com/help/4573888/), [8.2](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.3](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.4](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), 8.5, 8.6, 8.7, 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3, 9.4 <br/><br/> **Notes:** <br> - Support for Oracle Linux `8.9`, `9.0`, `9.1`, `9.2`, and `9.3` is only available for Modernized experience and isn't available for Classic experience. <br><br> Running the Red Hat compatible kernel or Unbreakable Enterprise Kernel Release 3, 4 & 5 (UEK3, UEK4, UEK5)<br/><br/>8.1<br/>Running on all UEK kernels and RedHat kernel <= 3.10.0-1062.* are supported in [9.35](https://support.microsoft.com/help/4573888/) Support for rest of the RedHat kernels is available in [9.36](https://support.microsoft.com/help/4578241/). <br> Oracle Linux `9.x` is supported for the [following kernel versions](#supported-red-hat-linux-kernel-versions-for-oracle-linux-on-azure-virtual-machines) |

+RHEL 9.0 <br> RHEL 9.1 <br> RHEL 9.2 <br> RHEL 9.3 <br> RHEL 9.4 | 9.63 | 5.14.0-284.73.1.el9_2.x86_64 <br> 5.14.0-284.75.1.el9_2.x86_64 <br>5.14.0-284.77.1.el9_2.x86_64 <br>5.14.0-284.79.1.el9_2.x86_64 <br>5.14.0-284.80.1.el9_2.x86_64 <br>5.14.0-284.82.1.el9_2.x86_64 <br> 5.14.0-284.84.1.el9_2.x86_64 <br>5.14.0-284.85.1.el9_2.x86_64 <br> 5.14.0-284.86.1.el9_2.x86_64 <br> 5.14.0-427.24.1.el9_4.x86_64 <br> 5.14.0-427.26.1.el9_4.x86_64 <br> 5.14.0-427.28.1.el9_4.x86_64 <br> 5.14.0-427.31.1.el9_4.x86_64 <br> 5.14.0-427.33.1.el9_4.x86_64 <br> 5.14.0-427.35.1.el9_4.x86_64 <br> 5.14.0-427.37.1.el9_4.x86_64 |

+> Mobility service versions`9.56` `9,60`, `9.61` and `9.62` are only available for Modernized experience. <br>

+14.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d), [9.57](https://support.microsoft.com/topic/update-rollup-70-for-azure-site-recovery-kb5034599-e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60, [9.61](https://support.microsoft.com/topic/update-rollup-73-for-azure-site-recovery-d3845f1e-2454-4ae8-b058-c1fec6206698), 9.62, 9.63 | 3.13.0-24-generic to 3.13.0-170-generic,<br/>3.16.0-25-generic to 3.16.0-77-generic,<br/>3.19.0-18-generic to 3.19.0-80-generic,<br/>4.2.0-18-generic to 4.2.0-42-generic,<br/>4.4.0-21-generic to 4.4.0-148-generic,<br/>4.15.0-1023-azure to 4.15.0-1045-azure |

+16.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60, [9.61](https://support.microsoft.com/topic/update-rollup-73-for-azure-site-recovery-d3845f1e-2454-4ae8-b058-c1fec6206698), 9.62, 9.63 | 4.4.0-21-generic to 4.4.0-210-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic, 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-142-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1113-azure </br> 4.15.0-101-generic to 4.15.0-107-generic |

+18.04 LTS | 9.63 | 4.15.0-1180-azure <br> 4.15.0-228-generic <br> 5.4.0-1136-azure <br> 5.4.0-193-generic |

+18.04 LTS | 9.62 | 4.15.0-1178-azure <br>4.15.0-1179-azure <br>4.15.0-226-generic <br> 4.15.0-227-generic <br> 5.4.0-1131-azure <br> 5.4.0-1132-azure <br> 5.4.0-1133-azure <br>5.4.0-1134-azure <br>5.4.0-1135-azure <br> 5.4.0-186-generic <br>5.4.0-187-generic <br> 5.4.0-189-generic <br> 5.4.0-190-generic <br> 5.4.0-192-generic |

+18.04 LTS | 9.60 | 4.15.0-1168-azure <br> 4.15.0-1169-azure <br> 4.15.0-1170-azure <br> 4.15.0-1171-azure <br> 4.15.0-1172-azure <br> 4.15.0-1173-azure <br> 4.15.0-214-generic <br> 4.15.0-216-generic <br> 4.15.0-218-generic <br> 4.15.0-219-generic <br> 4.15.0-220-generic <br> 4.15.0-221-generic <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-1112-azure <br> 5.4.0-1113-azure <br> 5.4.0-1115-azure <br> 5.4.0-1116-azure <br> 5.4.0-1117-azure <br> 5.4.0-1118-azure <br> 5.4.0-1119-azure <br> 5.4.0-1120-azure <br> 5.4.0-1121-azure <br> 5.4.0-1122-azure <br> 5.4.0-1123-azure <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-156-generic <br> 5.4.0-159-generic <br> 5.4.0-162-generic <br> 5.4.0-163-generic <br> 5.4.0-164-generic <br> 5.4.0-165-generic <br> 5.4.0-166-generic <br> 5.4.0-167-generic <br> 5.4.0-169-generic <br> 5.4.0-170-generic <br> 5.4.0-171-generic <br> 4.15.0-1174-azure <br> 4.15.0-222-generic <br> 5.4.0-1124-azure <br> 5.4.0-172-generic |

+20.04 LTS | 9.63 | 5.15.0-1071-azure <br> 5.15.0-119-generic <br> 5.4.0-1136-azure <br> 5.4.0-193-generic |

+20.04 LTS | 9.62 | 5.15.0-1065-azure <br>5.15.0-1067-azure <br>5.15.0-1068-azure <br>5.15.0-1070-azure <br>5.15.0-113-generic <br>5.15.0-116-generic <br>5.15.0-117-generic <br>5.15.0-118-generic <br>5.4.0-1131-azure <br>5.4.0-1132-azure <br>5.4.0-1133-azure <br> 5.4.0-1134-azure <br>5.4.0-1135-azure <br>5.4.0-186-generic <br>5.4.0-187-generic <br>5.4.0-189-generic <br> 5.4.0-190-generic <br> 5.4.0-192-generic |

+22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. | 9.63 | 5.15.0-1071-azure <br> 5.15.0-119-generic |

+22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. | 9.62 | 5.15.0-1066-azure <br> 5.15.0-1067-azure <br>5.15.0-1068-azure <br>5.15.0-1070-azure <br>5.15.0-112-generic <br>5.15.0-113-generic <br>5.15.0-116-generic <br>5.15.0-117-generic <br>5.15.0-118-generic <br>6.5.0-1022-azure <br>6.5.0-1023-azure <br>6.5.0-1024-azure <br>6.5.0-1025-azure <br>6.5.0-41-generic <br>6.5.0-44-generic <br>6.5.0-45-generic |

+22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. | 9.60 | 5.19.0-1025-azure <br> 5.19.0-1026-azure <br> 5.19.0-1027-azure <br> 6.2.0-1005-azure <br> 6.2.0-1006-azure <br> 6.2.0-1007-azure <br> 6.2.0-1008-azure <br> 6.2.0-1011-azure <br> 6.2.0-1012-azure <br> 6.2.0-1014-azure <br> 6.2.0-1015-azure <br> 6.2.0-1016-azure <br> 6.2.0-1017-azure <br> 6.2.0-1018-azure <br> 6.5.0-1007-azure <br> 6.5.0-1009-azure <br> 6.5.0-1010-azure <br> 5.19.0-41-generic <br> 5.19.0-42-generic <br> 5.19.0-43-generic <br> 5.19.0-45-generic <br> 5.19.0-46-generic <br> 5.19.0-50-generic <br> 6.2.0-25-generic <br> 6.2.0-26-generic <br> 6.2.0-31-generic <br> 6.2.0-32-generic <br> 6.2.0-33-generic <br> 6.2.0-34-generic <br> 6.2.0-35-generic <br> 6.2.0-36-generic <br> 6.2.0-37-generic <br> 6.2.0-39-generic <br> 6.5.0-14-generic <br> 5.15.0-1054-azure <br> 5.15.0-92-generic <br> 5.15.0-94-generic <br> 6.2.0-1019-azure <br> 6.5.0-1011-azure <br> 6.5.0-15-generic <br> 6.5.0-17-generic <br> 5.15.0-1056-azure <br>5.15.0-1057-azure <br> 5.15.0-97-generic <br>6.5.0-1015-azure <br>6.5.0-18-generic <br>6.5.0-21-generic |

+> Mobility service versions`9.56` `9,60`, `9.61` and `9.62` are only available for Modernized experience. <br>

+Debian 7 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d), [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60, [9.61](https://support.microsoft.com/topic/update-rollup-73-for-azure-site-recovery-d3845f1e-2454-4ae8-b058-c1fec6206698), 9.62, 9.63 | 3.2.0-4-amd64 to 3.2.0-6-amd64, 3.16.0-0.bpo.4-amd64 |

+Debian 8 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60, [9.61](https://support.microsoft.com/topic/update-rollup-73-for-azure-site-recovery-d3845f1e-2454-4ae8-b058-c1fec6206698), 9.62, 9.63 | 3.16.0-4-amd64 to 3.16.0-11-amd64, 4.9.0-0.bpo.4-amd64 to 4.9.0-0.bpo.12-amd64 |

+Debian 9.1 | 9.63 | No new Debian 9.1 kernels supported in this release. |

+Debian 9.1 | 9.62 | No new Debian 9.1 kernels supported in this release. |

+Debian 10 | 9.63 | No new Debian kernels in this release. |

+Debian 10 | 9.62 | 4.19.0-27-amd64 <br> 4.19.0-27-cloud-amd64 <br> 5.10.0-0.deb10.30-amd64 <br> 5.10.0-0.deb10.30-cloud-amd64 |

+Debian 10 | 9.60| 4.19.0-26-amd64 <br> 4.19.0-26-cloud-amd64 <br> 5.10.0-0.deb10.27-amd64 <br> 5.10.0-0.deb10.27-cloud-amd64 <br> 5.10.0-0.deb10.28-amd64 <br> 5.10.0-0.deb10.28-cloud-amd64 |

+Debian 10 | 9.59 | No new Debian 10 kernels supported in this release. |

+Debian 11 | 9.63 | No new Debian kernels in this release. |

+Debian 11 | 9.62 | **Debian 11 kernels support added for Modernized experience:** <br> 5.10.0-30-amd64 <br> 5.10.0-30-cloud-amd64 <br> 6.1.0-0.deb11.21-amd64 <br> 6.1.0-0.deb11.21-cloud-amd64 <br> 5.10.0-31-amd64 <br> 5.10.0-31-cloud-amd64 <br> 5.10.0-32-amd64 <br> 5.10.0-32-cloud-amd64 <br> 6.1.0-0.deb11.13-amd64 <br> 6.1.0-0.deb11.13-cloud-amd64 <br> 6.1.0-0.deb11.17-amd64 <br> 6.1.0-0.deb11.17-cloud-amd64 <br> 6.1.0-0.deb11.18-amd64 <br> 6.1.0-0.deb11.18-cloud-amd64 <br> 6.1.0-0.deb11.21-amd64 <br> 6.1.0-0.deb11.21-cloud-amd64 <br> 6.1.0-0.deb11.22-amd64 <br> 6.1.0-0.deb11.22-cloud-amd64 <br> <br> **Debian 11 kernels support added for Classic experience:** <br> No new Debian 11 kernels supported for Classic version. |

+Debian 12 <br> **Note**: Support for Debian 12 is available for Modernized experience only and not available for Classic experience. | 9.63 | 6.1.0-25-amd64 <br> 6.1.0-25-cloud-amd64 |

+Debian 12 <br> **Note**: Support for Debian 12 is available for Modernized experience only and not available for Classic experience. | 9.62 | 6.1.0-15-cloud-amd64 <br> 6.1.0-22-amd64 <br> 6.1.0-22-cloud-amd64 <br> 6.1.0-23-amd64 <br> 6.1.0-23-cloud-amd64 |

+> Mobility service versions`9.56` `9,60`, `9.62`, and `9.63` are only available for Modernized experience. <br>

+SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4, SP5 | 9.63 | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new kernels in this release. |

+SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4, SP5 | 9.62 | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> **SUSE 12 Azure kernels support added for Modernized experience:** <br> 4.12.14-16.185-azure:5 <br> 4.12.14-16.188-azure:5 <br> 4.12.14-16.191azure:5 <br> 4.12.14-16.194-azure:5 |

+SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | 9.60 | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.163-azure:5 <br> 4.12.14-16.168-azure |

+SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | 9.59 | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 12 kernels supported in this release. |

+> Mobility service versions`9.56` `9,60`, `9.61`, and `9.63` are only available for Modernized experience. <br>

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4, SP5 | 9.63 | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new kernels in this release. |

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4, SP5 | 9.62 | By default, all [stock SUSE 15 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> **SUSE 15 Azure kernels support added for Modernized experience:** <br> 5.14.21-150500.33.54-azure:5 <br> 5.14.21-150500.33.57-azure:5 <br> 5.14.21-150500.33.60-azure:5 <br> 5.14.21-150500.33.63-azure:5 |

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | 9.60 | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 5.14.21-150500.33.29-azure <br>5.14.21-150500.33.34-azure |

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | 9.59 | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 15 kernels supported in this release. |

+Oracle Linux 9.0 <br> Oracle Linux 9.1 <br> Oracle Linux 9.2 <br> Oracle Linux 9.3 <br> Oracle Linux 9.4 | 9.63 | 5.14.0-284.73.1.el9_2.x86_64 <br> 5.14.0-284.75.1.el9_2.x86_64 <br> 5.14.0-284.77.1.el9_2.x86_64 <br> 5.14.0-284.79.1.el9_2.x86_64 <br> 5.14.0-284.80.1.el9_2.x86_64 <br> 5.14.0-284.82.1.el9_2.x86_64 <br> 5.14.0-284.84.1.el9_2.x86_64 <br> 5.14.0-284.85.1.el9_2.x86_64 <br> 5.14.0-284.86.1.el9_2.x86_64 <br> 5.14.0-427.13.1.el9_4.x86_64 <br> 5.14.0-427.16.1.el9_4.x86_64 <br> 5.14.0-427.18.1.el9_4.x86_64 <br> 5.14.0-427.20.1.el9_4.x86_64 <br> 5.14.0-427.22.1.el9_4.x86_64 <br>5.14.0-427.24.1.el9_4.x86_64 <br> 5.14.0-427.26.1.el9_4.x86_64 <br> 5.14.0-427.28.1.el9_4.x86_64 <br> 5.14.0-427.31.1.el9_4.x86_64 <br> 5.14.0-427.33.1.el9_4.x86_64 <br> 5.14.0-427.35.1.el9_4.x86_64 <br> 5.14.0-427.37.1.el9_4.x86_64 |

+This article demonstrates how to create and deploy a [Gatsby](https://www.gatsbyjs.com/docs/) web application to [Azure Static Web Apps](overview.md). The final result is a new Static Web Apps site (with the associated GitHub Actions) that give you control over how the app is built and published.

+### Enable SMB Multichannel on older operating systems

+Support for SMB Multichannel in Azure Files requires ensuring Windows has all the relevant patches applied. Several older Windows versions, including Windows Server 2016, Windows 10 version 1607, and Windows 10 version 1507, require additional registry keys to be set for all relevant SMB Multichannel fixes to be applied on fully patched installations. If you're running a version of Windows that's newer than these three versions, no additional action is required.

+#### Windows Server 2016 and Windows 10 version 1607

+To enable all SMB Multichannel fixes for Windows Server 2016 and Windows 10 version 1607, run the following PowerShell command:

+```PowerShell

+Set-ItemProperty `

+ -Path "HKLM:SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" `

+ -Name "2291605642" `

+ -Value 1 `

+ -Force

+```

+#### Windows 10 version 1507

+To enable all SMB Multichannel fixes for Windows 10 version 1507, run the following PowerShell command:

+```PowerShell

+Set-ItemProperty `

+ -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MRxSmb\KBSwitch" `

+ -Name "{FFC376AE-A5D2-47DC-A36F-FE9A46D53D75}" `

+ -Value 1 `

+ -Force

+```

+Customers using NFS Azure file shares can create, list, and delete file share snapshots. This capability allows users to roll back entire file systems or recover files that were accidentally deleted or corrupted. See [Use share snapshots with Azure Files](storage-snapshots-files.md#nfs-file-share-snapshots).

+description: This tutorial covers how to create an SMB Azure file share using the Azure portal, connect it to a Windows VM, and upload a file to the file share.

+> * Create an Azure storage account

+> * Create an SMB Azure file share

+> * Mount the file share to your VM

+Azure Files supports [SMB Multichannel](files-smb-protocol.md#smb-multichannel) on premium file shares only.

+| Windows Server 2016 | SMB 3.1.1 | Yes, with KB5004238 or newer and [applied registry key](files-smb-protocol.md#windows-server-2016-and-windows-10-version-1607) | AES-128-GCM |

+| Windows 10, version 1607 | SMB 3.1.1 | Yes, with KB5004238 or newer and [applied registry key](files-smb-protocol.md#windows-server-2016-and-windows-10-version-1607) | AES-128-GCM |

+| Windows 10, version 1507 | SMB 3.1.1 | Yes, with KB5004249 or newer and [applied registry key](files-smb-protocol.md#windows-10-version-1507) | AES-128-GCM |

+ Title: Use Azure Files share snapshots

+description: A share snapshot is a read-only, point-in-time copy of an Azure file share that you can use to recover previous versions of a file. Learn how to take snapshots using the Azure portal, Azure PowerShell, and Azure CLI.

+# Use share snapshots with Azure Files

+Azure Files provides the capability to take snapshots of SMB and NFS file shares. Share snapshots capture the share state at that point in time. This article describes the capabilities that file share snapshots provide and how you can use them to recover previous versions of files.

+> [!IMPORTANT]

+> Share snapshots provide only file-level protection. They don't prevent fat-finger deletions on a file share or storage account. To help protect a storage account from accidental deletion, you can either [enable soft delete](storage-files-prevent-file-share-deletion.md), or lock the storage account and/or the resource group.

+After you create a file share, you can periodically create a share snapshot of the file share to use it for data backup. A share snapshot, when taken periodically, helps maintain previous versions of data that can be used for future audit requirements or disaster recovery. We recommend using [Azure file share backup](../../backup/azure-file-share-backup-overview.md) for taking and managing snapshots. You can also take and manage snapshots yourself, using the Azure portal, [Azure PowerShell](/powershell/module/az.storage/new-azrmstorageshare), or [Azure CLI](/cli/azure/storage/share#az-storage-share-snapshot).

+A share snapshot is a point-in-time, read-only copy of your data. Share snapshot capability is provided at the file share level. Retrieval is provided at the individual file level, to allow for restoring individual files. Share snapshots have the same redundancy as the Azure file share for which they were taken. If you've selected geo-redundant storage for your account, your share snapshot also is stored redundantly in the paired region.

+You can restore a complete file share by using SMB, NFS, REST API, the Azure portal, the client library, or PowerShell/CLI. You can view snapshots of a share by using the REST API, SMB, or NFS. You can retrieve the list of versions of the directory or file, and you can mount a specific version directly as a drive (only available on Windows - see [Limits](#limits)).

+Share snapshots persist until they are explicitly deleted, or until the file share is deleted. You can't delete a file share and keep the share snapshots. The delete workflow will automatically delete the snapshots when you delete the share. You can enumerate the snapshots associated with the base file share to track your current snapshots.

+Share snapshots are incremental in nature. Only the data that has changed after your most recent share snapshot is saved. This minimizes the time required to create the share snapshot and saves on storage costs, because you're billed only for the changed content. Any write operation to the object or property or metadata update operation is counted toward "changed content" and is stored in the share snapshot.

+Snapshots don't count towards the maximum share size limit of 100 TiB. There's no limit to how much space share snapshots occupy in total, or that share snapshots of a particular file share can consume. Storage account limits still apply.

+There's no limit to the simultaneous calls for creating share snapshots.

+## SMB file share snapshots

+Customers using SMB Azure file shares can create, list, delete, and restore from share snapshots.

+### Create an SMB file share snapshot

+You can create a snapshot of an SMB Azure file share using the Azure portal, Azure PowerShell, or Azure CLI.

+# [Azure portal](#tab/portal)

+To create a snapshot of an existing file share, sign in to the Azure portal and follow these steps.

+1. In the portal, navigate to your file share.

+1. Select **Snapshots**, then select **+ Add snapshot** and then **OK**.

+ :::image type="content" source="media/storage-snapshots-files/create-snapshot.png" alt-text="Screenshot of the storage account snapshots tab.":::

+# [Azure PowerShell](#tab/powershell)

+To create a snapshot of an existing file share, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values.

+```azurepowershell

+New-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -Snapshot

+```

+# [Azure CLI](#tab/cli)

+To create a snapshot of an existing file share, run the following Azure CLI command. Replace `<file-share-name>` and `<storage-account-name>` with your own values.

+```azurecli

+az storage share snapshot --name <file-share-name> --account-name <storage-account-name>

+```

+### List SMB file share snapshots

+You can list all the snapshots for a file share using the Azure portal, Azure PowerShell, or Azure CLI.

+# [Azure portal](#tab/portal)

+To list all the snapshots for an existing file share, sign in to the Azure portal and follow these steps.

+1. In the portal, navigate to your file share.

+1. On your file share, select **Snapshots**.

+1. On the **Snapshots** tab, select a snapshot from the list.

+ :::image type="content" source="media/storage-snapshots-files/snapshot-list.png" alt-text="Screenshot of the Snapshots tab, the first snapshot is highlighted.":::

+1. Open that snapshot to browse the files it contains.

+# [Azure PowerShell](#tab/powershell)

+To list all file shares and snapshots in a storage account, run the following PowerShell command. Replace `<resource-group-name>` and `<storage-account-name>` with your own values.

+```azurepowershell

+Get-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -IncludeSnapshot

+```

+# [Azure CLI](#tab/cli)

+To list all file shares and snapshots in a storage account, run the following Azure CLI command. Replace `<storage-account-name>` with your own value.

+```azurecli

+az storage share list --account-name <storage-account-name> --include-snapshots

+```

+### Restore from an SMB file share snapshot

+To restore files from a snapshot, sign in to the Azure portal and follow these steps.

+1. In the portal, navigate to your file share.

+1. On your file share, select **Snapshots**.

+1. From the file share snapshot tab, right-click on the file you want to restore, and select the **Restore** button.

+ :::image type="content" source="media/storage-snapshots-files/restore-share-snapshot.png" alt-text="Screenshot of the snapshot tab, qstestfile is selected, restore is highlighted.":::

+1. Select **Overwrite original file** and then select **OK**.

+ :::image type="content" source="media/storage-snapshots-files/snapshot-download-restore-portal.png" alt-text="Screenshot of the Restore pop up, overwrite original file is selected.":::

+The unmodified version of the file should now be restored.

+### Delete SMB file share snapshots

+Existing share snapshots are never overwritten. They must be deleted explicitly. You can delete share snapshots using the Azure portal, Azure PowerShell, or Azure CLI.

+Before you can delete a share snapshot, you'll need to remove any locks on the storage account. Navigate to the storage account and select **Settings** > **Locks**. If any locks are listed, delete them.

+# [Azure portal](#tab/portal)

+To delete a snapshot of an existing file share, sign in to the Azure portal and follow these steps.

+1. In the search box at the top of the Azure portal, type and select *storage accounts*.

+1. Select the storage account that contains the file share for which you want to delete snapshots.

+1. Select **Data storage** > **File shares**.

+1. Select the file share for which you want to delete one or more snapshots, then select **Operations** > **Snapshots**. Any existing snapshots for the file share will be listed.

+1. Select the snapshot(s) that you want to delete, and then select **Delete**.

+ :::image type="content" source="media/storage-snapshots-files/portal-snapshots-delete.png" alt-text="Screenshot of the Snapshots tab, the last snapshot is selected and the delete button is highlighted.":::

+# [Azure PowerShell](#tab/powershell)

+To delete a file share snapshot, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values. The `SnapshotTime` parameter must follow the correct name format, such as `2024-05-10T08:04:08Z`.

+```azurepowershell

+Remove-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -SnapshotTime "<snapshot-time>"

+```

+To delete a file share and all its snapshots, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values.

+```azurepowershell

+Remove-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -Include Snapshots

+```

+# [Azure CLI](#tab/cli)

+To delete a file share snapshot, run the following Azure CLI command. Replace `<storage-account-name>` and `<file-share-name>` with your own values. The `--snapshot` parameter must follow the correct name format, such as `2024-05-10T08:04:08Z`.

+```azurecli

+az storage share delete --account-name <storage-account-name> --name <file-share-name> --snapshot <snapshot-time>

+```

+To delete a file share and all its snapshots, run the following Azure CLI command. Replace `<storage-account-name>` and `<file-share-name>` with your own values.

+```azurecli

+az storage share delete --account-name <storage-account-name> --name <file-share-name> --delete-snapshots include

+```

+### Use an SMB file share snapshot in Windows

+Just like with on-premises Volume Shadow Copy (VSS) snapshots, you can view the snapshots from your mounted Azure file share by using the **Previous versions** tab in Windows.

+1. In File Explorer, locate the mounted share.

+ :::image type="content" source="media/storage-snapshots-files/snapshot-windows-mount.png" alt-text="Screenshot of a mounted share in File Explorer.":::

+1. Browse to the item or parent item that needs to be restored. Right-click and select **Properties** from the menu.

+ :::image type="content" source="media/storage-snapshots-files/snapshot-windows-previous-versions.png" alt-text="Screenshot of the right click menu for a selected directory.":::

+1. Select **Previous Versions** to see the list of share snapshots for this directory.

+1. Select **Open** to open the snapshot.

+ :::image type="content" source="media/storage-snapshots-files/snapshot-windows-list.png" alt-text="Screenshot of the Previous versions tab.":::

+1. Select **Restore**. This copies the contents of the entire directory recursively to the original location at the time the share snapshot was created.

+ :::image type="content" source="media/storage-snapshots-files/snapshot-windows-restore.png" alt-text="Screenshot of the Previous versions tab, the restore button in warning message is highlighted.":::

+

+ > [!NOTE]

+ > If your file hasn't changed, you won't see a previous version for that file because that file is the same version as the snapshot. This is consistent with how this works on a Windows file server.

+### Mount an SMB file share snapshot on Linux

+If you want to mount a specific snapshot of an SMB Azure file share on Linux, you must supply the `snapshot` option as part of the `mount` command, where `snapshot` is the time that the particular snapshot was created in a format such as @GMT-2023.01.05-00.08.20. The `snapshot` option has been supported in the Linux kernel since version 4.19.

+After you've created the file share snapshot, follow these instructions to mount it.

+1. In the Azure portal, navigate to the storage account that contains the file share that you want to mount a snapshot of.

+2. Select **Data storage > File shares** and select the file share.

+3. Select **Operations > Snapshots** and take note of the name of the snapshot you want to mount. The snapshot name will be a GMT timestamp, such as in the screenshot below.

+ :::image type="content" source="media/storage-snapshots-files/mount-smb-snapshot-on-linux.png" alt-text="Screenshot showing how to locate a file share snapshot name and timestamp in the Azure portal." border="true" :::

+4. Convert the timestamp to the format expected by the `mount` command, which is **@GMT-year.month.day-hour.minutes.seconds**. In this example, you'd convert **2023-01-05T00:08:20.0000000Z** to **@GMT-2023.01.05-00.08.20**.

+5. Run the `mount` command using the GMT time to specify the `snapshot` value. Be sure to replace `<storage-account-name>`, `<file-share-name>`, and the GMT timestamp with your values. The .cred file contains the credentials to be used to mount the share.

+ ```bash

+ sudo mount -t cifs //<storage-account-name>.file.core.windows.net/<file-share-name> /media/<file-share-name>/snapshot1 -o credentials=/etc/smbcredentials/snapshottestlinux.cred,snapshot=@GMT-2023.01.05-00.08.20

+ ```

+6. If you're able to browse the snapshot under the path `/media/<file-share-name>/snapshot1`, then the mount succeeded.

+If the mount fails, see [Troubleshoot Azure Files connectivity and access issues (SMB)](/troubleshoot/azure/azure-storage/files-troubleshoot-smb-connectivity?toc=/azure/storage/files/toc.json).

+## NFS file share snapshots

+Customers using NFS Azure file shares can create, list, delete, and restore from share snapshots.

+> [!IMPORTANT]

+> You should mount your file share before creating snapshots. If you create a new NFS file share and take snapshots before mounting the share, attempting to list the snapshots for the share will return an empty list. We recommend deleting any snapshots taken before the first mount and re-creating them after you've mounted the share.

+### NFS snapshot limitations

+Only file management APIs (`AzRmStorageShare`) are supported for NFS Azure file share snapshots. File data plane APIs (`AzStorageShare`) aren't supported.

+Azure Backup isn't currently supported for NFS file shares.

+AzCopy isn't currently supported for NFS file shares. To copy data from an NFS Azure file share or share snapshot, use file system copy tools such as rsync or fpsync.

+NFS Azure file share snapshots are available in all Azure public cloud regions.

+### Create an NFS file share snapshot

+You can create a snapshot of an NFS Azure file share using the Azure portal, Azure PowerShell, or Azure CLI.

+# [Azure portal](#tab/portal)

+To create a snapshot of an existing file share, sign in to the Azure portal and follow these steps.

+1. In the search box at the top of the Azure portal, type and select *storage accounts*.

+1. Select the FileStorage storage account that contains the NFS Azure file share that you want to take a snapshot of.

+1. Select **Data storage** > **File shares**.

+1. Select the file share that you want to snapshot, then select **Operations** > **Snapshots**.

+1. Select **+ Add snapshot**. Add an optional comment, and select **OK**.

+ :::image type="content" source="media/storage-snapshots-files/add-file-share-snapshot.png" alt-text="Screenshot of adding a file share snapshot.":::

+# [Azure PowerShell](#tab/powershell)

+To create a snapshot of an existing file share, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values.

+```azurepowershell

+New-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -Snapshot

+```

+# [Azure CLI](#tab/cli)

+To create a snapshot of an existing file share, run the following Azure CLI command. Replace `<file-share-name>` and `<storage-account-name>` with your own values.

+```azurecli

+az storage share snapshot --name <file-share-name> --account-name <storage-account-name>

+```

+### List NFS file share snapshots

+You can list all the snapshots for a file share using the Azure portal, Azure PowerShell, or Azure CLI.

+# [Azure portal](#tab/portal)

+To list all the snapshots for an existing file share, sign in to the Azure portal and follow these steps.

+1. In the search box at the top of the Azure portal, type and select *storage accounts*.

+1. Select the storage account that contains the NFS Azure file share that you want to list the snapshots of.

+1. Select **Data storage** > **File shares**.

+1. Select the file share for which you want to list the snapshots.

+1. Select **Operations** > **Snapshots**, and any existing snapshots for the file share will be listed.

+# [Azure PowerShell](#tab/powershell)

+To list all file shares and snapshots in a storage account, run the following PowerShell command. Replace `<resource-group-name>` and `<storage-account-name>` with your own values.

+```azurepowershell

+Get-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -IncludeSnapshot

+```

+# [Azure CLI](#tab/cli)

+To list all file shares and snapshots in a storage account, run the following Azure CLI command. Replace `<storage-account-name>` with your own value.

+```azurecli

+az storage share list --account-name <storage-account-name> --include-snapshots

+```

+### Restore from an NFS Azure file share snapshot

+To mount an NFS Azure file share snapshot to a Linux VM (NFS client) and restore files, follow these steps.

+1. Run the following command in a console. See [Mount options](storage-files-how-to-mount-nfs-shares.md#mount-options) for other recommended mount options. To improve copy performance, mount the snapshot with [nconnect](nfs-performance.md#nconnect) to use multiple TCP channels.

+

+ ```bash

+ sudo mount -o vers=4,minorversion=1,proto=tcp,sec=sys $server:/nfs4account/share /media/nfs

+ ```

+

+1. Change the directory to `/media/nfs/.snapshots` so you can view the available snapshots. The `.snapshots` directory is hidden by default, but you can access and read from it like any directory.

+

+ ```bash

+ cd /media/nfs/.snapshots

+ ```

+

+1. List the contents of the `.snapshots` folder.

+

+ ```bash

+ ls

+ ```

+

+1. Each snapshot has its own directory that serves as a recovery point. Change to the snapshot directory for which you want to restore files.

+

+ ```bash

+ cd <snapshot-name>

+ ```

+

+1. List the contents of the directory to view a list of files and directories that can be recovered.

+

+ ```bash

+ ls

+ ```

+

+1. Copy all files and directories from the snapshot to a *restore* directory to complete the restore.

+

+ ```bash

+ cp -r <snapshot-name> ../restore

+ ```

+

+The files and directories from the snapshot should now be available in the `/media/nfs/restore` directory.

+### Delete NFS file share snapshots

+Existing share snapshots are never overwritten. They must be deleted explicitly. You can delete share snapshots using the Azure portal, Azure PowerShell, or Azure CLI.

+Before you can delete a share snapshot, you'll need to remove any locks on the storage account. Navigate to the storage account and select **Settings** > **Locks**. If any locks are listed, delete them.

+# [Azure portal](#tab/portal)

+To delete a snapshot of an existing file share, sign in to the Azure portal and follow these steps.

+1. In the search box at the top of the Azure portal, type and select *storage accounts*.

+1. Select the FileStorage storage account that contains the NFS Azure file share for which you want to delete snapshots.

+1. Select **Data storage** > **File shares**.

+1. Select the file share for which you want to delete one or more snapshots, then select **Operations** > **Snapshots**. Any existing snapshots for the file share will be listed.

+1. Select the snapshot(s) that you want to delete, and then select **Delete**.

+ :::image type="content" source="media/storage-snapshots-files/delete-file-share-snapshot.png" alt-text="Screenshot of deleting file share snapshots.":::

+# [Azure PowerShell](#tab/powershell)

+To delete a file share snapshot, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values. The `SnapshotTime` parameter must follow the correct name format, such as `2024-05-10T08:04:08Z`.

+```azurepowershell

+Remove-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -SnapshotTime "<snapshot-time>"

+```

+To delete a file share and all its snapshots, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values.

+```azurepowershell

+Remove-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -Include Snapshots

+```

+# [Azure CLI](#tab/cli)

+To delete a file share snapshot, run the following Azure CLI command. Replace `<storage-account-name>` and `<file-share-name>` with your own values. The `--snapshot` parameter must follow the correct name format, such as `2024-05-10T08:04:08Z`.

+```azurecli

+az storage share delete --account-name <storage-account-name> --name <file-share-name> --snapshot <snapshot-time>

+```

+To delete a file share and all its snapshots, run the following Azure CLI command. Replace `<storage-account-name>` and `<file-share-name>` with your own values.

+```azurecli

+az storage share delete --account-name <storage-account-name> --name <file-share-name> --delete-snapshots include

+```

+ | Time of last processed data | Time when last processed change data arrived in data warehouse (Month, Date, Year, HH:MM:SS AM/PM) |

+ | Time of last data commit on source store | Time when last processed change data arrived in the landing zone (Month, Date, Year, HH:MM:SS AM/PM) |

+ | Time of last processed data | Time when last processed change data arrived in data warehouse (Month, Date, Year, HH:MM:SS AM/PM) |

+ | Time of last data commit on source store | Time when last processed change data arrived in the landing zone (Month, Date, Year, HH:MM:SS AM/PM) |

+PUT on '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestAdv2?api-version=2021-09-01-preview

+PUT on '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/atscalepatching/providers/Microsoft.Compute/virtualMachines/win-atscalepatching-1/providers/Microsoft.Maintenance/configurationAssignments/TestAzureInGuestAdv?api-version=2021-09-01-preview

+ "maintenanceConfigurationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+PUT on '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestAdv2?api-version=2021-09-01-preview

+PUT on '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/atscalepatching/providers/Microsoft.Compute/virtualMachines/win-atscalepatching-1/providers/Microsoft.Maintenance/configurationAssignments/TestAzureInGuestAdv?api-version=2021-09-01-preview

+ "maintenanceConfigurationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ > If the PowerShell dependencies are failing to load. Check the latest versions of AZ, and AZ.ResourceGraph.

+ 'Az'='12.*'

+ 'Az.ResourceGraph'='1.0.0'

+ Install-Module -Name Az.ResourceGraph

+ - High Efficiency Video Coding (HEVC), also known as H.265. This allows for 25-50% data compression compared to AVC/H.264, at the same video quality or improved quality at the same bitrate.

+> - You can enable full-screen video encoding with AVC/H.264 even without GPU acceleration, but HEVC/H.265 requires a compatible GPU-enabled remote virtual machine.

+ Title: Graphics encoding over the Remote Desktop Protocol - Azure Virtual Desktop

+description: Learn how graphics data, including text, images, and video, is encoded and delivered over the Remote Desktop Protocol. It applies to Azure Virtual Desktop, Windows 365, and Microsoft Dev Box.

+# Graphics encoding over the Remote Desktop Protocol

+Graphics data from a remote session is transmitted to a local device via the Remote Desktop Protocol (RDP). The process involves encoding the graphics data on the remote virtual machine before sending it to the local device. Each frame is processed based on its content, passing through image processors, a classifier, and a codec, before being delivered to the local device using RDP's graphics transport.

+The aim of encoding and transmitting graphics data is to provide optimal performance and quality, with an experience that is the same as using a device locally. This process is important when using Azure Virtual Desktop, Cloud PCs in Windows 365, and Microsoft Dev Box, where users expect a high-quality experience when working remotely.

+RDP uses a range of features and techniques to process and transmit graphics data that make it suitable for a wide range of scenarios, such as office productivity, video playback, and gaming. These features and techniques include:

+- **Hardware and software-based encoding**: uses the CPU or GPU to encode graphics data.

+ - **Hardware-acceleration encoding**: offloads the processing of graphics encoding from the CPU to the GPU on a remote virtual machine with a discrete GPU. A GPU provides better performance for graphics-intensive applications, such as 3D modeling or high-definition video editing.

+ - **Software encoding**: uses the CPU to encode graphics data at a low cost. Software encoding is the default encoding profile used on a remote virtual machine without a discrete GPU.

+- **Mixed-mode**: separates text and image encoding using different codecs to provide the best quality and lowest encoding cost for each type of content. Mixed-mode is only available with software encoding.

+- **Adaptive graphics**: adjusts the encoding quality based on the available bandwidth and the content of the screen.

+- **Full-screen video encoding**: provides a higher frame rate and better user experience.

+- **Delta detection and caching**: reduces the amount of data that needs to be transmitted.

+- **Multiple codec support**: uses hardware decoders on a local device. Codecs include the Advanced Video Coding (AVC) video codec, also known as H.264, and the High Efficiency Video Coding (HEVC) video codec, also known as H.265. HEVC/H.265 support is in preview and requires a compatible GPU-enabled remote virtual machine.

+- **4:2:0 and 4:4:4 chroma subsampling**: provides a balance between image quality and bandwidth usage.

+You can use a combination of these features and techniques depending on the available resources of the remote session, local device, and network, and the user experience you want to provide.

+This article describes the process of encoding and delivering graphics data over RDP using some of these features and techniques.

+> [!TIP]

+> We recommend you use multimedia redirection where possible, which redirects video playback to the local device. Multimedia redirection provides a better user experience for video playback by sending the bitstream of video data to the local device where it decodes and renders the video in the correct place on the screen. This method also lowers processing cost on the remote virtual machine regardless of encoding configuration. To learn more, see [Multimedia redirection for video playback and calls in a remote session](multimedia-redirection-video-playback-calls.md).

+## Mixed-mode

+By default, graphics data is separated depending on its content. Text and images are encoded using a mix of codecs to achieve optimal encoding performance across different content types when using software encoding only. This process is known as mixed-mode.

+On average, approximately 80% of the graphics data for a remote session is text. In order to provide the lowest encoding cost and best quality for text, RDP uses a custom codec that's optimized for text. Due to image content being more challenging to encode effectively, it's critical to use a codec that adapts well to available bitrate.

+The rest of the content is separated to images and video:

+- Images are software encoded with either AVC/H.264 or RemoteFX graphics, depending on the capabilities of the local device and if multimedia redirection is enabled. AVC/H.264 encoding of images isn't available when using multimedia redirection.

+- Video is software encoded with AVC/H.264.

+AVC/H.264 is a widely supported codec that has good compression ratio for images, is capable of progressive encoding, and has ability to adjust quality based on bitrate. It relies on the hardware decoder on the local device, which is widely supported on modern devices. Using the hardware decoder on the local device reduces the CPU usage on the local device and provides a better user experience. Check with the device manufacturer to ensure that it supports AVC/H.264 hardware decoding.

+The following diagram shows the process of encoding and delivering graphics data over RDP using mixed-mode in a software encoding scenario:

+This process is described as follows:

+1. A frame bitmap is first processed by detecting whether it contains video. If it does contain video, the frame is sent to the video codec, which in a software-based scenario is encoded with AVC/H.264, and then the frame passes to the graphics channel.

+1. If the frame doesn't contain video, the image processors determine if there are delta changes, motion is detected, or if content is available in the cache. If the content matches certain criteria, the frame passes to the graphics channel.

+1. If the frame needs further processing, the image classifier determines whether it contains text or images.

+1. Text and images are encoded using different codecs to provide the best quality and lowest encoding cost for each type of content. Once encoded, the frame passes to the graphics channel.

+Instead of using two separate codecs for text and images with mixed-mode, you can enable [full-screen video encoding](#full-screen-video-encoding) to process all screen content using the AVC/H.264 video codec.

+## Full-screen video encoding

+Full-screen video encoding is useful for scenarios where the screen content is largely image based and is used as an alternative to mixed-mode. Full-screen video encoding processes all graphics data with either AVC/H.264 or HEVC/H.265. As a result, it performs worse than mixed-mode encoding when the screen content is largely text based.

+A full-screen video profile provides a higher frame rate and better user experience, but uses more network bandwidth and resources on both the remote virtual machine and local device. It benefits applications such as 3D modeling, CAD/CAM, or video playback and editing.

+If you enable both HEVC/H.265 and AVC/H.264 hardware acceleration, but HEVC/H.265 isn't available on the local device, AVC/H.264 is used instead. HEVC/H.265 allows for 25-50% data compression compared to AVC/H.264, at the same video quality, or improved quality, at the same bitrate.

+You can enable full-screen video encoding with AVC/H.264 even without GPU acceleration, but HEVC/H.265 requires a compatible GPU-enabled remote virtual machine.

+To learn more, see [Enable GPU acceleration for Azure Virtual Desktop](enable-gpu-acceleration.md).

+## Hardware GPU acceleration

+Azure Virtual Desktop, Cloud PCs in Windows 365, and Microsoft Dev Box support graphics processing unit (GPU) acceleration in rendering and encoding for improved app performance and scalability using the Remote Desktop Protocol (RDP). GPU acceleration is crucial for graphics-intensive applications, such as those used by graphic designers, video editors, 3D modelers, data analysts, or visualization specialists.

+There are two components to GPU acceleration that work together to improve the user experience:

+- **GPU-accelerated application rendering**: Use the GPU to render graphics in a remote session.

+- **GPU-accelerated frame encoding**: RDP encodes all graphics rendered for transmission to the local device. When part of the screen is frequently updated, it's encoded with AVC/H.264.

+If the screen content in your workloads is largely image based, you can also enable [full-screen video encoding](#full-screen-video-encoding) to process all screen content to provide a higher frame rate and better user experience.

+To learn more, see [Enable GPU acceleration](enable-gpu-acceleration.md).

+## Chroma subsampling support for 4:2:0 and 4:4:4

+The chroma value determines the color space used for encoding. By default, the chroma value is set to 4:2:0, which provides a good balance between image quality and network bandwidth. When you use AVC/H.264, you can increase the chroma value to 4:4:4 to improve image quality, but it also increases network bandwidth. You don't need to use GPU acceleration to change the chroma value.

+To learn more, see [Increase the chroma value to 4:4:4 using the Advanced Video Coding (AVC) video codec](graphics-chroma-value-increase-4-4-4.md).

+ "clientIp": "203.0.113.145",

+ "clientIP": "203.0.113.97",

+ "clientIP": "203.0.113.97",

+ "clientIp": "203.0.113.147",

+ "clientIp": "203.0.113.139",

+ "resourceId": "/SUBSCRIPTIONS/66667777-aaaa-8888-bbbb-9999cccc0000/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2",

+ "clientIp": "203.0.113.139",

+ "resourceId": "/SUBSCRIPTIONS/66667777-aaaa-8888-bbbb-9999cccc0000/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2",

+ "resourceId": "/SUBSCRIPTIONS/66667777-aaaa-8888-bbbb-9999cccc0000/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2",

+ "clientIp": "203.0.113.139",

+- "resourceId": "/SUBSCRIPTIONS/66667777-aaaa-8888-bbbb-9999cccc0000/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2",

+- "resourceId": "/SUBSCRIPTIONS/66667777-aaaa-8888-bbbb-9999cccc0000/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2",

+- "clientIp": "203.0.113.139",

+- "resourceId": "/SUBSCRIPTIONS/66667777-aaaa-8888-bbbb-9999cccc0000/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2",

+- "clientIp": "203.0.113.139",

+- "resourceId": "/SUBSCRIPTIONS/66667777-aaaa-8888-bbbb-9999cccc0000/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2",

+- "clientIp": "203.0.113.139",