+# Conditional Access: Users, groups, and workload identities

+A Conditional Access policy must include a user, group, or workload identity assignment as one of the signals in the decision process. These can be included or excluded from Conditional Access policies. Azure Active Directory evaluates all policies and ensures that all requirements are met before granting access.

+## Workload identities (Preview)

+A workload identity is an identity that allows an application or service principal access to resources, sometimes in the context of a user. Conditional Access policies can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities aren't covered by policy.

+Organizations can target specific workload identities to be included or excluded from policy.

+For more information, see the article [Conditional Access for workload identities preview](workload-identity.md).

+ Title: Filter for applications in Conditional Access policy (Preview) - Azure Active Directory

+description: Use filter for applications in Conditional Access to manage conditions.

+# Conditional Access: Filter for applications (Preview)

+Currently Conditional Access policies can be applied to all apps or to individual apps. Organizations with a large number of apps may find this process difficult to manage across multiple Conditional Access policies.

+

+Application filters are a new feature for Conditional Access that allows organizations to tag service principals with custom attributes. These custom attributes are then added to their Conditional Access policies. Filters for applications are evaluated at token issuance runtime, a common question is if apps are assigned at runtime or configuration time.

+

+In this document, you create a custom attribute set, assign a custom security attribute to your application, and create a Conditional Access policy to secure the application.

+> [!NOTE]

+> Filter for applications is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Assign roles

+Custom security attributes are security sensitive and can only be managed by delegated users. Even global administrators don't have default permissions for custom security attributes. One or more of the following roles should be assigned to the users who manage or report on these attributes.

+| Role name | Description |

+| | |

+| Attribute assignment administrator | Assign custom security attribute keys and values to supported Azure AD objects. |

+| Attribute assignment reader | Read custom security attribute keys and values for supported Azure AD objects. |

+| Attribute definition administrator | Define and manage the definition of custom security attributes. |

+| Attribute definition reader | Read the definition of custom security attributes. |

+1. Assign the appropriate role to the users who will manage or report on these attributes at the directory scope.

+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+## Create custom security attributes

+Follow the instructions in the article, [Add or deactivate custom security attributes in Azure AD (Preview)](../fundamentals/custom-security-attributes-add.md) to add the following **Attribute set** and **New attributes**.

+- Create an **Attribute set** named *ConditionalAccessTest*.

+- Create **New attributes** named *policyRequirement* that **Allow multiple values to be assigned** and **Only allow predefined values to be assigned**. We add the following predefined values:

+ - legacyAuthAllowed

+ - blockGuesUsers

+ - requireMFA

+ - requireCompliantDevice

+ - requireHybridJoinedDevice

+ - requireCompliantApp

+> [!NOTE]

+> Conditional Access filters for devices only works with custom security attributes of type "string".

+## Create a Conditional Access policy

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **All users**.

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+ 1. Select **Done**.

+1. Under **Cloud apps or actions**, select the following options:

+ 1. Select what this policy applies to **Cloud apps**.

+ 1. Include **Select apps**.

+ 1. Select **Edit filter**.

+ 1. Set **Configure** to **Yes**.

+ 1. Select the **Attribute** we created earlier called *policyRequirement*.

+ 1. Set **Operator** to **Contains**.

+ 1. Set **Value** to **requireMFA**.

+ 1. Select **Done**.

+1. Under **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and select **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+## Configure custom attributes

+### Step 1: Set up a sample application

+If you already have a test application that makes use of a service principal, you can skip this step.

+Set up a sample application that, demonstrates how a job or a Windows service can run with an application identity, instead of a user's identity. Follow the instructions in the article [Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity](../develop/quickstart-v2-netcore-daemon.md) to create this application.

+### Step 2: Assign a custom security attribute to an application

+When you don't have a service principal listed in your tenant, it can't be targeted. The Office 365 suite is an example of one such service principal.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Enterprise applications**.

+1. Select the service principal you want to apply a custom security attribute to.

+1. Under **Manage** > **Custom security attributes (preview)**, select **Add assignment**.

+1. Under **Attribute set**, select **ConditionalAccessTest**.

+1. Under **Attribute name**, select **policyRequirement**.

+1. Under **Assigned values**, select **Add values**, select **requireMFA** from the list, then select **Done**.

+1. Select **Save**.

+### Step 3: Test the policy

+Sign in as a user who the policy would apply to and test to see that MFA is required when accessing the application.

+## Other scenarios

+- Blocking legacy authentication

+- Blocking external access to applications

+- Requiring compliant device or Intune app protection policies

+- Enforcing sign in frequency controls for specific applications

+- Requiring a privileged access workstation for specific applications

+- Require session controls for high risk users and specific applications

+## Next steps

+[Conditional Access common policies](concept-conditional-access-policy-common.md)

+[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

+## Prerequisites

+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](/azure/active-directory/managed-identities-azure-resources/overview). Be sure to review the [difference between a system-assigned and user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types).

+- If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.

+- Get the information for your external IdP and software workload, which you need in the following steps.

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.

+- To run the example scripts, you have two options:

+ - Use [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open by using the **Try It** button in the upper-right corner of code blocks.

+ - Run scripts locally with Azure PowerShell, as described in the next section.

+- [Create a user-assigned manged identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-powershell#list-user-assigned-managed-identities-2)

+- Find the object ID of the user-assigned managed identity, which you need in the following steps.

+### Configure Azure PowerShell locally

+To use Azure PowerShell locally for this article instead of using Cloud Shell:

+1. Install [the latest version of Azure PowerShell](/powershell/azure/install-az-ps) if you haven't already.

+1. Sign in to Azure.

+ ```azurepowershell

+ Connect-AzAccount

+ ```

+1. Install the [latest version of PowerShellGet](/powershell/scripting/gallery/installing-psget#for-systems-with-powershell-50-or-newer-you-can-install-the-latest-powershellget).

+ ```azurepowershell

+ Install-Module -Name PowerShellGet -AllowPrerelease

+ ```

+ You might need to `Exit` out of the current PowerShell session after you run this command for the next step.

+1. Install the `Az.ManagedServiceIdentity` module to perform the user-assigned managed identity operations in this article.

+ ```azurepowershell

+ Install-Module -Name Az.ManagedServiceIdentity

+ ```

+## Configure a federated identity credential on a user-assigned managed identity

+Run the New-AzFederatedIdentityCredentials command to create a new federated identity credential on your user-assigned managed identity (specified by the object ID of the app). Specify the *name*, *issuer*, *subject*, and other parameters.

+```azurepowershell

+New-AzFederatedIdentityCredentials -ResourceGroupName azure-rg-test -IdentityName uai-pwsh01 `

+ -Name fic-pwsh01 -Issuer "https://kubernetes-oauth.azure.com" -Subject "system:serviceaccount:ns:svcaccount"

+```

+## List federated identity credentials on a user-assigned managed identity

+Run the Get-AzFederatedIdentityCredentials command to read all the federated identity credentials configured on a user-assigned managed identity:

+```azurepowershell

+Get-AzFederatedIdentityCredentials -ResourceGroupName azure-rg-test -IdentityName uai-pwsh01

+```

+## Get a federated identity credential on a user-assigned managed identity

+Run the Get-AzFederatedIdentityCredentials command to show a federated identity credential (by ID):

+```azurepowershell

+Get-AzFederatedIdentityCredentials -ResourceGroupName azure-rg-test -IdentityName uai-pwsh01 -Name fic-pwsh01

+```

+## Delete a federated identity credential from a user-assigned managed identity

+Run the Remove-AzFederatedIdentityCredentials command to delete a federated identity credential under an existing user assigned identity.

+```azurepowershell

+Remove-AzFederatedIdentityCredentials -ResourceGroupName azure-rg-test -IdentityName uai-pwsh01 -Name fic-pwsh01

+```

+You must add exactly 1 audience to a federated identity credential. The audience is verified during token exchange. Use ΓÇ£api://AzureADTokenExchangeΓÇ¥ as the default value.

+Delete a federated identity credential on the specified user-assigned managed identity.

+- [Close your Microsoft account](/microsoft-365/commerce/close-your-account)

+ 1. If you select User-to-Group Affiliation, reviewers will get the recommendation to Approve or Deny access for the users based on userΓÇÖs average distance in the organizationΓÇÖs reporting-structure. Users who are very distant from all the other users within the group are considered to have "low affiliation" and will get a deny recommendation in the group access reviews.

+| Azure Event Hubs | [Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources](../../event-hubs/authenticate-managed-identity.md)

+ Attribute|Type|Supported for filtering|Required by LawVu|

+ |||||

+ |userName|String|✓|✓|

+ |active|Boolean||✓|

+ |emails[type eq "work"].value|String||✓|

+ |name.givenName|String|||

+ |name.familyName|String|||

+ |name.formatted|String||✓|

+ |phoneNumbers[type eq "mobile"].value|String|||

+ |locale|String|||

+## Change Log

+* 10/25/2022 - Drop core user attribute **nickName**.

+* 10/25/2022 - Changed the mapping of core user attribute **name.formatted** to **Join(" ", [givenName], [surname]) -> name.formatted**.

+* 10/25/2022 - Domain name of all OAuth config urls of Atea app changed to Atea owned domain.

+ **The email attribute will be used to match Atlassian Cloud accounts with your Azure AD accounts.**

+1. In the **Admin Credentials** section, click on Authorize, make sure that you enter your Gong account's Admin credentials. Click **Test Connection** to ensure Azure AD can connect to Gong. If the connection fails, ensure your Gong account has Admin permissions and try again.

+

+> Azure CNI Overlay is currently available in the following regions:

+> - North Central US

+> - West Central US

+ Title: Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS) (Preview)

+description: Learn how to create an Azure Kubernetes Service (AKS) cluster with Azure CNI Powered by Cilium.

+# Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS) (Preview)

+Azure CNI Powered by Cilium combines the robust control plane of Azure CNI with the dataplane of [Cilium](https://cilium.io/) to provide high-performance networking and security.

+By making use of eBPF programs loaded into the Linux kernel and a more efficient API object structure, Azure CNI Powered by Cilium provides the following benefits:

+- Functionality equivalent to existing Azure CNI and Azure CNI Overlay plugins

+- Faster service routing

+- More efficient network policy enforcement

+- Better observability of cluster traffic

+- Support for larger clusters (more nodes, pods, and services)

+## IP Address Management (IPAM) with Azure CNI Powered by Cilium

+Azure CNI Powered by Cilium can be deployed using two different methods for assigning pod IPs:

+- assign IP addresses from a VNet (similar to existing Azure CNI with Dynamic Pod IP Assignment)

+- assign IP addresses from an overlay network (similar to Azure CNI Overlay mode)

+

+> [!NOTE]

+> Azure CNI Overlay networking currently requires the `Microsoft.ContainerService/AzureOverlayPreview` feature and may be available only in certain regions. For more information, see [Azure CNI Overlay networking](./azure-cni-overlay.md).

+If you aren't sure which option to select, read ["Choosing a network model to use"](./azure-cni-overlay.md#choosing-a-network-model-to-use).

+## Network Policy Enforcement

+Cilium enforces [network policies to allow or deny traffic between pods](./operator-best-practices-network.md#control-traffic-flow-with-network-policies). With Cilium, you don't need to install a separate network policy engine such as Azure Network Policy Manager or Calico.

+## Limitations

+Azure CNI powered by Cilium currently has the following limitations:

+* Available only for new clusters.

+* Available only for Linux and not for Windows.

+* Cilium L7 policy enforcement is disabled.

+* Hubble is disabled.

+* Kubernetes services with `internalTrafficPolicy=Local` aren't supported ([Cilium issue #17796](https://github.com/cilium/cilium/issues/17796)).

+* Multiple Kubernetes services can't use the same host port with different protocols (for example, TCP or UDP) ([Cilium issue #14287](https://github.com/cilium/cilium/issues/14287)).

+* Network policies may be enforced on reply packets when a pod connects to itself via service cluster IP ([Cilium issue #19406](https://github.com/cilium/cilium/issues/19406)).

+## Prerequisites

+* Azure CLI version 2.41.0 or later. Run `az --version` to see the currently installed version. If you need to install or upgrade, see [Install Azure CLI][/cli/azure/install-azure-cli].

+* Azure CLI with aks-preview extension 0.5.109 or later.

+* If using ARM templates or the REST API, the AKS API version must be 2022-09-02-preview or later.

+### Install the aks-preview CLI extension

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+### Register the `CiliumDataplanePreview` preview feature

+To create an AKS cluster with Azure CNI powered by Cilium, you must enable the `CiliumDataplanePreview` feature flag on your subscription.

+Register the `CiliumDataplanePreview` feature flag by using the `az feature register` command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "CiliumDataplanePreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the `az feature list` command:

+```azurecli-interactive

+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/CiliumDataplanePreview')].{Name:name,State:properties.state}"

+```

+When the feature has been registered, refresh the registration of the *Microsoft.ContainerService* resource provider by using the `az provider register` command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+## Create a new AKS Cluster with Azure CNI Powered by Cilium

+### Option 1: Assign IP addresses from a VNet

+Run the following commands to create a resource group and VNet with a subnet for nodes and a subnet for pods.

+```azurecli-interactive

+# Create the resource group

+az group create --name <resourceGroupName> --location <location>

+```

+```azurecli-interactive

+# Create a VNet with a subnet for nodes and a subnet for pods

+az network vnet create -g <resourceGroupName> --location <location> --name <vnetName> --address-prefixes <address prefix, example: 10.0.0.0/8> -o none

+az network vnet subnet create -g <resourceGroupName> --vnet-name <vnetName> --name nodesubnet --address-prefixes <address prefix, example: 10.240.0.0/16> -o none

+az network vnet subnet create -g <resourceGroupName> --vnet-name <vnetName> --name podsubnet --address-prefixes <address prefix, example: 10.241.0.0/16> -o none

+```

+Create the cluster using `--enable-cilium-dataplane`:

+```azurecli-interactive

+az aks create -n <clusterName> -g <resourceGroupName> -l <location> \

+ --max-pods 250 \

+ --node-count 2 \

+ --network-plugin azure \

+ --vnet-subnet-id /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/nodesubnet \

+ --pod-subnet-id /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/podsubnet \

+ --enable-cilium-dataplane

+```

+### Option 2: Assign IP addresses from an overlay network

+Run these commands to create a resource group and VNet with a single subnet:

+```azurecli-interactive

+# Create the resource group

+az group create --name <resourceGroupName> --location <location>

+```

+```azurecli-interactive

+# Create a VNet with a subnet for nodes and a subnet for pods

+az network vnet create -g <resourceGroupName> --location <location> --name <vnetName> --address-prefixes <address prefix, example: 10.0.0.0/8> -o none

+az network vnet subnet create -g <resourceGroupName> --vnet-name <vnetName> --name nodesubnet --address-prefixes <address prefix, example: 10.240.0.0/16> -o none

+```

+Then create the cluster using `--enable-cilium-dataplane`:

+```azurecli-interactive

+az aks create -n <clusterName> -g <resourceGroupName> -l <location> \

+ --max-pods 250 \

+ --node-count 2 \

+ --network-plugin azure \

+ --network-plugin-mode overlay \

+ --pod-cidr 192.168.0.0/16 \

+ --vnet-subnet-id /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/nodesubnet \

+ --enable-cilium-dataplane

+```

+## Frequently asked questions

+- *Can I customize Cilium configuration?*

+ No, the Cilium configuration is managed by AKS can't be modified. We recommend that customers who require more control use [AKS BYO CNI](./use-byo-cni.md) and install Cilium manually.

+- *Can I use `CiliumNetworkPolicy` custom resources instead of Kubernetes `NetworkPolicy` resources?*

+ `CiliumNetworkPolicy` custom resources aren't officially supported. We recommend that customers use Kubernetes `NetworkPolicy` resources to configure network policies.

+## Next steps

+Learn more about networking in AKS in the following articles:

+* [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md)

+* [Use an internal load balancer with Azure Container Service (AKS)](internal-lb.md)

+* [Create a basic ingress controller with external network connectivity][aks-ingress-basic]

+* [Enable the HTTP application routing add-on][aks-http-app-routing]

+* [Create an ingress controller that uses an internal, private network and IP address][aks-ingress-internal]

+* [Create an ingress controller with a dynamic public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-tls]

+* [Create an ingress controller with a static public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-static-tls]

+<!-- LINKS - Internal -->

+[aks-ingress-basic]: ingress-basic.md

+[aks-ingress-tls]: ingress-tls.md

+[aks-ingress-static-tls]: ingress-static-ip.md

+[aks-http-app-routing]: http-application-routing.md

+[aks-ingress-internal]: ingress-internal-ip.md

+| [Use energy efficient hardware](#use-energy-efficient-hardware) | | ✔️ |

+### Use energy efficient hardware

+Ampere's Cloud Native Processors are uniquely designed to meet both the high performance and power efficiency needs of the cloud.

+* Evaluate if nodes with [Ampere Altra ArmΓÇôbased processors](https://azure.microsoft.com/blog/azure-virtual-machines-with-ampere-altra-arm-based-processors-generally-available/) are a good option for your workloads.

+ Title: Configure kube-proxy (iptables/IPVS) (preview)

+description: Learn how to configure kube-proxy to utilize different load balancing configurations with Azure Kubernetes Service (AKS).

+#Customer intent: As a cluster operator, I want to utilize a different kube-proxy configuration.

+# Configure `kube-proxy` in Azure Kubernetes Service (AKS) (preview)

+`kube-proxy` is a component of Kubernetes that handles routing traffic for services within the cluster. There are two backends available for Layer 3/4 load balancing in upstream `kube-proxy` - iptables and IPVS.

+- iptables is the default backend utilized in the majority of Kubernetes clusters. It is simple and well supported, but is not as efficient or intelligent as IPVS.

+- IPVS utilizes the Linux Virtual Server, a layer 3/4 load balancer built into the Linux kernel. IPVS provides a number of advantages over the default iptables configuration, including state awareness, connection tracking, and more intelligent load balancing.

+The AKS managed `kube-proxy` DaemonSet can also be disabled entirely if that is desired to support [bring-your-own CNI][aks-byo-cni].

+## Prerequisites

+* Azure CLI with aks-preview extension 0.5.105 or later.

+* If using ARM or the REST API, the AKS API version must be 2022-08-02-preview or later.

+### Install the aks-preview CLI extension

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+### Register the `KubeProxyConfigurationPreview` preview feature

+To create an AKS cluster with custom `kube-proxy` configuration, you must enable the `KubeProxyConfigurationPreview` feature flag on your subscription.

+Register the `KubeProxyConfigurationPreview` feature flag by using the `az feature register` command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the `az feature list` command:

+```azurecli-interactive

+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/KubeProxyConfigurationPreview')].{Name:name,State:properties.state}"

+```

+When the feature has been registered, refresh the registration of the *Microsoft.ContainerService* resource provider by using the `az provider register` command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+## Configurable options

+The full `kube-proxy` configuration structure can be found in the [AKS Cluster Schema][aks-schema-kubeproxyconfig].

+- `enabled` - whether or not to deploy the `kube-proxy` DaemonSet. Defaults to true.

+- `mode` - can be set to `IPTABLES` or `IPVS`. Defaults to `IPTABLES`.

+- `ipvsConfig` - if `mode` is `IPVS`, this object contains IPVS-specific configuration properties.

+ - `scheduler` - which connection scheduler to utilize. Supported values:

+ - `LeastConnections` - sends connections to the backend pod with the fewest connections

+ - `RoundRobin` - distributes connections evenly between backend pods

+ - `tcpFinTimeoutSeconds` - the value used for timeout after a FIN has been received in a TCP session

+ - `tcpTimeoutSeconds` - the value used for timeout length for idle TCP sessions

+ - `udpTimeoutSeconds` - the value used for timeout length for idle UDP sessions

+> [!NOTE]

+> IPVS load balancing operates in each node independently and is still only aware of connections flowing through the local node. This means that while `LeastConnections` results in more even load under higher number of connections, when low numbers of connections (# connects < 2 * node count) occur traffic may still be relatively unbalanced.

+## Utilize `kube-proxy` configuration in a new or existing AKS cluster using Azure CLI

+`kube-proxy` configuration is a cluster-wide setting. No action is needed to update your services.

+>[!WARNING]

+> Changing the kube-proxy configuration may cause a slight interruption in cluster service traffic flow.

+To begin, create a JSON configuration file with the desired settings:

+### Create a configuration file

+```json

+{

+ "enabled": true,

+ "mode": "IPVS",

+ "ipvsConfig": {

+ "scheduler": "LeastConnection",

+ "TCPTimeoutSeconds": 900,

+ "TCPFINTimeoutSeconds": 120,

+ "UDPTimeoutSeconds": 300

+ }

+}

+```

+### Deploy a new cluster

+Deploy your cluster using `az aks create` and pass in the configuration file:

+```bash

+az aks create -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json

+```

+### Update an existing cluster

+Configure your cluster using `az aks update` and pass in the configuration file:

+```bash

+az aks update -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json

+```

+## Next steps

+Learn more about utilizing the Standard Load Balancer for inbound traffic at the [AKS Standard Load Balancer documentation][load-balancer-standard.md].

+Learn more about using Internal Load Balancer for Inbound traffic at the [AKS Internal Load Balancer documentation](internal-lb.md).

+Learn more about Kubernetes services at the [Kubernetes services documentation][kubernetes-services].

+<!-- LINKS - External -->

+[kubernetes-services]: https://kubernetes.io/docs/concepts/services-networking/service/

+[aks-schema-kubeproxyconfig]: /azure/templates/microsoft.containerservice/managedclusters?pivots=deployment-language-bicep#containerservicenetworkprofilekubeproxyconfig

+<!-- LINKS - Internal -->

+[aks-byo-cni]: use-byo-cni.md

+* While API Management can protect backend services from DDoS attacks, it may be vulnerable to those attacks itself. Deploy a bot protection service in front of API Management (for example, [Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md), [Azure Front Door](front-door-api-management.md), or [Azure DDoS Protection](protect-with-ddos-protection.md)) to better protect against DDoS attacks. When using a WAF with Azure Application Gateway or Azure Front Door, consider using [Microsoft_BotManagerRuleSet_1.0](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set).

+* [Modern Web Application Firewall (WAF) policies](https://github.com/SpiderLabs/ModSecurity) cover many common injection vulnerabilities. While API Management doesnΓÇÖt have a built-in WAF component, deploying a WAF upstream (in front) of the API Management instance is strongly recommended. For example, use [Azure Application Gateway](/azure/architecture/reference-architectures/apis/protect-apis) or [Azure Front Door](front-door-api-management.md).

+- Learn about visualizing Azure Monitor data using [Azure Managed Grafana](visualize-using-managed-grafana-dashboard.md)

+ Title: Defend API Management against DDoS attacks

+description: Learn how to protect your API Management instance in an external virtual network against volumetric and protocol DDoS attacks by using Azure DDoS Protection Standard.

+# Defend your Azure API Management instance against DDoS attacks

+This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling [Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md). Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.ΓÇï

+## Supported configurations

+Enabling Azure DDoS Protection for API Management is currently available only for instances deployed (injected) in a VNet in [external mode](api-management-using-with-vnet.md).

+Currently, Azure DDoS Protection can't be enabled for the following API Management configurations:

+* Instances that aren't VNet-injected

+* Instances deployed in a VNet in [internal mode](api-management-using-with-internal-vnet.md)

+* Instances configured with a [private endpoint](private-endpoint.md)

+## Prerequisites

+* An API Management instance

+ * The instance must be deployed in an Azure VNet in [external mode](api-management-using-with-vnet.md)

+ * The instance to be configured with an Azure public IP address resource, which is supported only on the API Management `stv2` [compute platform](compute-infrastructure.md).

+ * If the instance is hosted on the `stv1` platform, you must [migrate](compute-infrastructure.md#how-do-i-migrate-to-the-stv2-platform) to the `stv2` platform.

+* An Azure DDoS Protection [plan](../ddos-protection/manage-ddos-protection.md)

+ * The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Azure Active Directory tenant.

+ * You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU (preview). See [Azure DDoS Protection SKU Comparison](../ddos-protection/ddos-protection-sku-comparison.md).

+ > [!NOTE]

+ > Azure DDoS Protection plans incur additional charges. For more information, see [Pricing](https://azure.microsoft.com/pricing/details/ddos-protection/).

+

+## Enable DDoS Protection

+Depending on the DDoS Protection plan you use, enable DDoS protection on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.

+### Enable DDoS Protection on the virtual network used for your API Management instance

+1. In the [Azure portal](https://portal.azure.com), navigate to the VNet where your API Management is injected.

+1. In the left menu, under **Settings**, select **DDoS protection**.

+1. Select **Enable**, and then select your **DDoS protection plan**.

+1. Select **Save**.

+ :::image type="content" source="media/protect-with-ddos-protection/enable-ddos-protection.png" alt-text="Screenshot of enabling a DDoS Protection plan on a VNet in the Azure portal.":::

+### Enable DDoS protection on the API Management public IP address

+If your plan uses the IP DDoS Protection SKU, see [Enable DDoS IP Protection for a public IP address](../ddos-protection/manage-ddos-protection-powershell-ip.md#disable-ddos-ip-protection-for-an-existing-public-ip-address).

+## Next steps

+* Learn how to verify DDoS protection of your API Management instance by [testing with simulation partners](../ddos-protection/test-through-simulations.md)

+* Learn how to [view and configure Azure DDoS Protection telemetry](../ddos-protection/telemetry.md)

+* [Defend your Azure API Management instance against DDoS attacks](protect-with-ddos-protection.md)

+ Title: Visualize Azure API Management monitoring data with Azure Managed Grafana

+description: Learn how to use an Azure Managed Grafana dashboard to visualize monitoring data from Azure API Management.

+# Visualize API Management monitoring data using a Managed Grafana dashboard

+You can use [Azure Managed Grafana](../managed-grafana/index.yml) to visualize API Management monitoring data that is collected into a Log Analytics workspace. Use a prebuilt [API Management dashboard](https://grafana.com/grafana/dashboards/16604-azure-api-management) for real-time visualization of logs and metrics collected from your API Management instance.

+* [Learn more about Azure Managed Grafana](../managed-grafan)

+* [Learn more about observability in Azure API Management](observability.md)

+## Prerequisites

+* API Management instance

+ * To visualize resource logs and metrics for API Management, configure [diagnostic settings](api-management-howto-use-azure-monitor.md#resource-logs) to collect resource logs and send them to a Log Analytics workspace

+

+ * To visualize detailed data about requests to the API Management gateway, [integrate](api-management-howto-app-insights.md) your API Management instance with Application Insights.

+ > [!NOTE]

+ > To visualize data in a single dashboard, configure the Log Analytics workspace for the diagnostic settings and the Application Insights instance in the same resource group as your API Management instance.

+* Managed Grafana workspace

+ * To create a Managed Grafana instance and workspace, see the quickstart for the [portal](../managed-grafan).

+ * The Managed Grafana instance must be in the same subscription as the API Management instance.

+

+ * When created, the Grafana workspace is automatically assigned an Azure Active Directory managed identity, which is assigned the Monitor Reader role on the subscription. This gives you immediate access to Azure Monitor from the new Grafana workspace without needing to set permissions manually. Learn more about [configuring data sources](../managed-grafan) for Managed Grafana.

+

+## Import API Management dashboard

+First import the [API Management dashboard](https://grafana.com/grafana/dashboards/16604-azure-api-management) to your Management Grafana workspace.

+To import the dashboard:

+1. Go to your Azure Managed Grafana workspace. In the portal, on the **Overview** page of your Managed Grafana instance, select the **Endpoint** link.

+1. In the Managed Grafana workspace, go to **Dashboards** > **Browse** > **Import**.

+1. On the **Import** page, under **Import via grafana.com**, enter *16604* and select **Load**.

+1. Select an **Azure Monitor data source**, review or update the other options, and select **Import**.

+## Use API Management dashboard

+1. In the Managed Grafana workspace, go to **Dashboards** > **Browse** and select your API Management dashboard.

+1. In the dropdowns at the top, make selections for your API Management instance. If configured, select an Application Insights instance and a Log Analytics workspace.

+Review the default visualizations on the dashboard, which will appear similar to the following screenshot:

+## Next steps

+* For more information about managing your Grafana dashboard, see the [Grafana docs](https://grafana.com/docs/grafana/v9.0/dashboards/).

+* Easily pin log queries and charts from the Azure portal to your Managed Grafana dashboard. For more information, see [Monitor your Azure services in Grafana](../azure-monitor/visualize/grafana-plugin.md#pin-charts-from-the-azure-portal-to-azure-managed-grafana).

+### Print text in preview (API version 2022-06-30-preview)

+|French | 'fr' |

+| Spanish | `es` |

+### Language expansion

+### New Prebuilt Contract model

+A new prebuilt that extracts information from contracts such as parties, title, contract ID, execution date and more. Contracts is currenlty in preview, please request access [here](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUQTRDQUdHMTBWUDRBQ01QUVNWNlNYMVFDViQlQCN0PWcu_).

+You can automate common tasks with resources in Amazon Web Services (AWS) using Automation runbooks in Azure. You can automate many tasks in AWS using Automation runbooks similar to the resources in Azure. Ensure that you have the Azure subscription to authenticate.

+Ensure that you obtain an AWS subscription and specify a set of AWS credentials to authenticate your runbooks running from Azure Automation. Specific credentials required are the AWS Access Key and Secret Key. See [Using AWS Credentials](https://docs.aws.amazon.com/powershell/latest/userguide/specifying-your-aws-credentials.html).

+You must store the AWS credentials as assets in Azure Automation. See [Managing Access Keys for your AWS Account](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) for instructions on how to create the Access Key and the Secret Key. When the keys are available, copy the Access Key ID and the Secret Key ID in a safe place. You can download your key file to store it safely.

+### Create credential asset

+After you have created and copied your AWS security keys, you must create a Credential asset with the Automation account. The asset allows you to securely store the AWS keys and reference them in your runbooks. See [Create a new credential asset with the Azure portal](shared-resources/credentials.md#create-a-new-credential-asset-with-the-azure-portal).

+Enter the following AWS information in the fields provided:

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> **Applies to:** :heavy_check_mark: Windows PowerShell 5.1

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> [!IMPORTANT]

+> The article refers to a solution that is maintained by the Open Source community. Support is only available in the form of GitHub collaboration, not from Microsoft.

+This article explains how to create configuration from existing servers for an Azure Automation state configuration. To create configurations from an existing servers is a challenging task as you need to know the right settings and the order they must be applied to ensure that configuration is successful.

+## Community project: ReverseDSC

+ The [ReverseDSC](https://github.com/microsoft/reversedsc) is a community maintained solution created to work in this area beginning with the SharePoint. The solution builds on the [SharePointDSC resource](https://github.com/powershell/sharepointdsc) and extends it to orchestrate by [gathering information](https://github.com/Microsoft/sharepointDSC.reverse#how-to-use) from existing servers running SharePoint.

+The latest version has multiple [extraction modes](https://github.com/Microsoft/SharePointDSC.Reverse/wiki/Extraction-Modes) to determine the level of information to include. The result of using the solution is generating

+[Configuration Data](https://github.com/Microsoft/sharepointDSC.reverse#configuration-data) that must be used with SharePointDSC configuration scripts.

+## Create configuration from existing servers for an Azure Automation state configuration

+Follow the steps to create a configuration from existing servers for an Azure Automation state configuration:

+1. After you generate the data files, you can use them with [DSC Configuration scripts](/powershell/dsc/overview) to generate *MOF* files.

+1. upload the [MOF files to Azure Automation](./tutorial-configure-servers-desired-state.md#create-and-upload-a-configuration-to-azure-automation).

+1. Register your servers from either [on-premises](./automation-dsc-onboarding.md#enable-physicalvirtual-linux-machines)

+or [in Azure](./automation-dsc-onboarding.md#enable-azure-vms) to pull configurations.

+For more information on ReverseDSC, visit the [PowerShell Gallery](https://www.powershellgallery.com/packages/ReverseDSC/) and download the solution or select **Project Site** to view the [documentation](https://github.com/Microsoft/sharepointDSC.reverse).

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+The Azure Desired State Configuration (DSC) VM [extension](../virtual-machines/extensions/dsc-overview.md) is updated as-needed to support enhancements and new capabilities delivered by Azure, Windows Server, and the Windows Management Framework (WMF) that includes Windows PowerShell.

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+This article provides a step-by-step guide for doing the most common tasks with Azure Automation State Configuration, such as creating, importing, and compiling configurations, enabling machines to manage, and viewing reports. For an overview State Configuration, see [State Configuration overview](automation-dsc-overview.md). For Desired State Configuration (DSC) documentation, see [Windows PowerShell Desired State Configuration Overview](/powershell/dsc/overview).

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+This topic describes how you can set up your machines for management with Azure Automation State Configuration. For details of this service, see [Azure Automation State Configuration overview](automation-dsc-overview.md).

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> [!NOTE]

+> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

+> [!IMPORTANT]

+> The desired state configuration VM extension for Linux will be [retired on **September 30, 2023**](https://aka.ms/dscext4linuxretirement). If you're currently using the desired state configuration VM extension for Linux, you should start planning your migration to the machine configuration feature of Azure Automanage by using the information in this article.

+This article describes the information that you should gather before you open a case for Azure Automation with Microsoft Azure Support. Even though this information isn't required to open a case. However, it helps the support team to quickly resolve a problem.

+

+> [!NOTE]

+> For more information, refer the Knowledge Base article [4034605 - How to capture Azure Automation-scripted diagnostics](https://support.microsoft.com/help/4034605/how-to-capture-azure-automation-scripted-diagnostics).

+1. Run the following log collection tool, in addition to the details in KB [4034605](https://support.microsoft.com/help/4034605/how-to-capture-azure-automation-scripted-diagnostics).

+ - [OMS Linux Agent Log Collector](https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/tools/LogCollector/OMS_Linux_Agent_Log_Collector.md)

+1. Compress the contents of the **/var/opt/microsoft/omsagent/run/automationworker/** folder, and send the compressed file to Azure Support.

+1. Verify that the ID for the workspace that the Log Analytics agent for Linux reports to is the same as the ID for the workspace being monitored for updates.

+1. Export the following event logs into the EVTX format:

+1. Verify that the ID of the workspace that the agent reports to is the same as the ID for the workspace being monitored by Windows Updates.

+ :::image type="content" source="./media/collect-data-microsoft-azure-automation-case/select-jobs.png" alt-text="Screenshot showing to select jobs menu from automation account.":::

+ 5. In the Job Summary pane, check for the GUID value in **Job ID**.

+ :::image type="content" source="./media/collect-data-microsoft-azure-automation-case/job-summary-job-id.png" alt-text="Screenshot Job ID within Job Summary Pane.":::

+ In the pane below, you can collect the data.

+ :::image type="content" source="./media/collect-data-microsoft-azure-automation-case/all-logs-data.png" alt-text="Screenshot of Data listed under All Logs.":::

+

+In addition to the knowledge Base article [4034605 - How to capture Azure Automation-scripted diagnostics](https://support.microsoft.com/help/4034605/how-to-capture-azure-automation-scripted-diagnostics), obtain the following information:

+* The steps you followed, so that the problem can be reproduced.

+The following are the possible causes:

+- A bad or expired certificate. See [Re-register a node](../automation-dsc-onboarding.md#re-register-a-node).

+- A proxy configuration that isn't allowing access to ***.azure-automation.net**. For more information, see [Configuration of private networks](../automation-dsc-overview.md#network-planning).

+- When you disable local authentication in Azure Automation. See [Disable local authentication](../disable-local-authentication.md). To fix it, see [re-enable local authentication](../disable-local-authentication.md#re-enable-local-authentication).

+- Additional [partner-validated Kubernetes distributions](./validation-program.md)

+GitOps on Azure Arc-enabled Kubernetes or Azure Kubernetes Service uses [Flux](https://fluxcd.io/docs/), a popular open-source tool set. Flux provides support for common file sources (Git and Helm repositories, Buckets, Azure Blob Storage) and template types (YAML, Helm, and Kustomize). Flux also supports multi-tenancy and deployment dependency management, among [other features](https://fluxcd.io/docs/).

+* [Flux Source controller](https://toolkit.fluxcd.io/components/source/controller/): Watches the source.toolkit.fluxcd.io custom resources. Handles the synchronization between the Git repositories, Helm repositories, Buckets and Azure Blob storage. Handles authorization with the source for private Git, Helm repos and Azure blob storage accounts. Surfaces the latest changes to the source through a tar archive file.

+You create Flux configuration resources (`Microsoft.KubernetesConfiguration/fluxConfigurations`) to enable GitOps management of the cluster from your Git repos, Bucket sources or Azure Blob Storage. When you create a `fluxConfigurations` resource, the values you supply for the parameters, such as the target Git repo, are used to create and configure the Kubernetes objects that enable the GitOps process in that cluster. To ensure data security, the `fluxConfigurations` resource data is stored encrypted at rest in an Azure Cosmos DB database by the Cluster Configuration service.

+Each `fluxConfigurations` resource in Azure will be associated in a Kubernetes cluster with one Flux `GitRepository` or `Bucket` custom resource and one or more `Kustomization` custom resources. When you create a `fluxConfigurations` resource, you'll specify, among other information, the URL to the source (Git repository, Bucket or Azure Blob storage) and the sync target in the source for each `Kustomization`. You can configure dependencies between `Kustomization` custom resources to control deployment sequencing. Also, you can create multiple namespace-scoped `fluxConfigurations` resources on the same cluster for different applications and app teams.

+### Flux v2 - Installing the `microsoft.flux` extension in a cluster with Kubelet Identity enabled

+When working with Azure Kubernetes clusters, one of the authentication options to use is kubelet identity. In order to let Flux use this, add a parameter --config useKubeletIdentity=true at the time of Flux extension installation.

+```console

+az k8s-extension create --resource-group <resource-group> --cluster-name <cluster-name> --cluster-type managedClusters --name flux --extension-type microsoft.flux --config useKubeletIdentity=true

+```

+### Using Kubelet identity as authentication method for Azure Kubernetes Clusters

+When working with Azure Kubernetes clusters, one of the authentication options to use is kubelet identity. In order to let Flux use this, add a parameter --config useKubeletIdentity=true at the time of Flux extension installation.

+```console

+az k8s-extension create --resource-group <resource-group> --cluster-name <cluster-name> --cluster-type managedClusters --name flux --extension-type microsoft.flux --config useKubeletIdentity=true

+```

+ --container-name : Name of the Azure Blob Storage container to sync

+ --kind : Source kind to reconcile. Allowed values: bucket, git, azblob.

+

+Azure Blob Storage Account Auth Arguments

+ --sp_client_id : The client ID for authenticating a service principal with Azure Blob, required for this authentication method

+ --sp_tenant_id : The tenant ID for authenticating a service principal with Azure Blob, required for this authentication method

+ --sp_client_secret : The client secret for authenticating a service principal with Azure Blob

+ --sp_client_cert : The Base64 encoded client certificate for authenticating a service principal with Azure Blob

+ --sp_client_cert_password : The password for the client certificate used to authenticate a service principal with Azure Blob

+ --sp_client_cert_send_chain : Specifies whether to include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the client certificate

+ --account_key : The Azure Blob Shared Key for authentication

+ --sas_token : The Azure Blob SAS Token for authentication

+ --mi_client_id : The client ID of the managed identity for authentication with Azure Blob

+

+ Create a Kubernetes v2 Flux Configuration with Azure Blob Storage Source Kind

+ az k8s-configuration flux create --resource-group my-resource-group \

+ --cluster-name mycluster --cluster-type connectedClusters \

+ --name myconfig --scope cluster --namespace my-namespace \

+ --kind azblob --url https://mystorageaccount.blob.core.windows.net \

+ --container-name my-container --kustomization name=my-kustomization \

+ --account-key my-account-key

+| `--kind` | String | Source kind to reconcile. Allowed values: `bucket`, `git`, `azblob`. Default: `git`. |

+### Azure Blob Storage Account source arguments

+If you use a `azblob` source, here are the blob-specific command arguments.

+| Parameter | Format | Notes |

+| - | - | - |

+| `--url` `-u` | URL String | The URL for the `azblob`. |

+| `--container-name` | String | Name of the Azure Blob Storage container to sync |

+| `--sp_client_id` | String | The client ID for authenticating a service principal with Azure Blob, required for this authentication method |

+| `--sp_tenant_id` | String | The tenant ID for authenticating a service principal with Azure Blob, required for this authentication method |

+| `--sp_client_secret` | String | The client secret for authenticating a service principal with Azure Blob |

+| `--sp_client_cert` | String | The Base64 encoded client certificate for authenticating a service principal with Azure Blob |

+| `--sp_client_cert_password` | String | The password for the client certificate used to authenticate a service principal with Azure Blob |

+| `--sp_client_cert_send_chain` | String | Specifies whether to include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the client certificate |

+| `--account_key` | String | The Azure Blob Shared Key for authentication |

+| `--sas_token` | String | The Azure Blob SAS Token for authentication |

+| `--mi_client_id` | String | The client ID of the managed identity for authentication with Azure Blob |

+You can use a local Kubernetes secret for authentication with a `git`, `bucket` or `azBlob` source. The local secret must contain all of the authentication parameters needed for the source and must be created in the same namespace as the Flux configuration.

+ **Name:** Content Lab - Install Arc Connected Machine Agent

+ **Name:** Content Lab - Replace Log Analytics agent with Arc Connected Machine agent

+1. Set **Node Type** to "Job Template" and select **Content Lab - Replace Log Analytics with Arc Connected Machine Agent**.

+1. Hover over the **Content Lab - Replace Log Analytics with Arc Connected Machine Agent** node and select the **+** button.

+You'll first need to set up a local remote share and define a configuration file specifying the Arc-enabled server's landing zone within Azure. You will then define a Group Policy Object to run an onboarding script using a scheduled task. This Group Policy can be applied at the site, domain, or organizational unit level. Assignment can also use Access Control List (ACL) and other security filtering native to Group Policy. Machines in the scope of the Group Policy will be onboarded to Azure Arc-enabled servers.

+Prepare a remote share to host the configuration file and onboarding script. You need to be able to add files to the distributed location.

+## Save the onboarding script to the remote share

+It's common to use Azure Arc to monitor your servers with Azure Monitor and Microsoft Sentinel and secure them with Microsoft Defender for Cloud. The following configuration samples can help you configure the Azure Arc Connected Machine agent to only allow these scenarios.

+> * For JavaScript, Python, and PowerShell apps, Durable timers are limited to six days. To work around this limitation, you can use the timer APIs in a `while` loop to simulate a longer delay. Up-to-date .NET and Java apps support arbitrarily long timers.

+> * Depending on the version of the SDK and [storage provider](durable-functions-storage-providers.md) being used, long timers of 6 days or more may be internally implemented using a series of shorter timers (e.g., of 3 day durations) until the desired expiration time is reached. This can be observed in the underlying data store but won't impact the the orchestration behavior.

+ms.revewer: jagummersall

+Alert context (payload) | The rule applies only to alerts that contain any of the filter's strings within the [alert context](./alerts-common-schema-definitions.md#alert-context) section of the alert. This section includes fields specific to each alert type. This filter does not apply to log alert search results. |

+|Metric alert|Metric data is stored in the system already pre-computed. Metric alerts are useful when you want to be alerted about data that requires little or no manipulation. We recommend using metric alerts if the data you want to monitor is available in metric data.|Each metric alert rule is charged based on the number of time-series that are monitored. |

+|Log alert|Log alerts allow you to perform advanced logic operations on your data. If the data you want to monitor is available in logs, or requires advanced logic, you can use the robust features of KQL for data manipulation using log alerts.|Each log alert rule is billed based on the interval at which the log query is evaluated (more frequent query evaluation results in a higher cost). Additionally, for log alerts configured for [at scale monitoring](#splitting-by-dimensions-in-log-alert-rules), the cost also depends on the number of time series created by the dimensions resulting from your query. |

+ * [Export telemetry](../app/export-telemetry.md) to a [database](../../stream-analytics/app-insights-export-sql-stream-analytics.md) or [to Power BI](../logs/log-powerbi.md), where you can analyze it yourself.

+Yes, the [data access API](https://dev.applicationinsights.io/). Other ways to extract data include [Power BI](..\logs\log-powerbi.md) if you've [migrated to a workspace-based resource](convert-classic-resource.md) or [continuous export](./export-telemetry.md) if you're still on a classic resource.

+* If you're looking to [explore your data in Power BI](../logs/log-powerbi.md), you can do that without using Continuous Export if you've [migrated to a workspace-based resource](convert-classic-resource.md).

+When telemetry is sent to Azure, Application Insights uses the IP address to do a geolocation lookup. Application Insights uses the results of this lookup to populate the fields `client_City`, `client_StateOrProvince`, and `client_CountryOrRegion`. The address is then discarded, and `0.0.0.0` is written to the `client_IP` field.

+* [Power BI for workspace-based resources](../logs/log-powerbi.md)

+ * [Export to Power BI](../logs/log-powerbi.md) if you've [migrated to a workspace-based resource](convert-classic-resource.md)

+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.useAADAuth=true

+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.resources.daemonset.limits.cpu=150m omsagent.resources.daemonset.limits.memory=600Mi omsagent.resources.deployment.limits.cpu=1 omsagent.resources.deployment.limits.memory=750Mi

+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.logsettings.custommountpath=/home/data/docker

+az k8s-extension create --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.useAADAuth=true logAnalyticsWorkspaceResourceID=\<workspace-resource-id\>

+ | `metricAnnotationsAllowList` | Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. |

+- [Export metrics to storage, Event Hub, or Log Analytics](../essentials/platform-logs-overview.md)

+### Configure system identity

+* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

+* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

+* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

+> [!div class="nextstepaction"]

+> [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

+- [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

+-

+* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

+> If Azure NetApp Files cannot reach a discovered AD DS LDAP server during the creation of the Azure NetApp Files LDAP client, the creation of the LDAP enabled volume will fail. In large or complex AD DS topologies, you might need to implement [DNS Policies](/windows-server/networking/dns/deploy/dns-policies-overview) or [DNS subnet prioritization](/previous-versions/windows/it-pro/windows-2000-server/cc961422(v=technet.10)?redirectedfrom=MSDN) to ensure that the AD DS LDAP servers assigned to the AD DS site specified in the AD connection are returned. Contact your Microsoft CSA for guidance on how to best configure your DNS to support LDAP-enabled NFS volumes.

+The use of high availability (HA) architectures with availability zones are now a default and best practice recommendation inΓÇ»[AzureΓÇÖs Well-Architected Framework](/azure/architecture/framework/resiliency/design-best-practices#use-zone-aware-services). Enterprise applications and resources are increasingly deployed into multiple availability zones to achieve this level of high availability (HA) or failure domain (zone) isolation.

+>Azure NetApp Files availability zone volume placement provides zonal placement. It ***does not*** provide proximity placement towards compute. As such, it ***does not*** provide lowest latency guarantee. VM-to-storage latencies are within the availability zone latency envelopes.

+ Azure availability zones are highly available, fault tolerant, and more scalable than traditional single or multiple data center infrastructures. Using Azure availability zones lets you design and operate applications and databases that automatically transition between zones without interruption. Azure NetApp Files lets you deploy new volumes in the logical availability zone of your choice to support enterprise, mission-critical HA deployments across multiple AZs. AzureΓÇÖs push towards the use of [availability zones (AZs)](../availability-zones/az-overview.md#availability-zones) has increased, and the use of high availability (HA) deployments with availability zones are now a default and best practice recommendation in AzureΓÇÖs [Well-Architected Framework](/azure/architecture/framework/resiliency/design-best-practices#use-zone-aware-services).

+ "loginEndpoint": "https://login.microsoftonline.com/",

+- create an object in Azure Active Directory (Azure AD)

+If you would rather learn about deployment scripts through step-by-step guidance, see [Extend ARM templates by using deployment scripts](/training/modules/extend-resource-manager-template-deployment-scripts).

+- [Sample 4](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad): manually create a user-assigned managed identity and assign it permission to use the Microsoft Graph API to create Azure AD applications; in the Bicep file, use a deployment script to create an Azure AD application and service principal, and output the object IDs and client ID.

+## Use Microsoft Graph within a deployment script

+A deployment script can use [Microsoft Graph](/graph/overview) to create and work with objects in Azure AD.

+### Commands

+When you use Azure CLI deployment scripts, you can use commands within the `az ad` command group to work with applications, service principals, groups, and users. You can also directly invoke Microsoft Graph APIs by using the `az rest` command.

+When you use Azure PowerShell deployment scripts, you can use the `Invoke-RestMethod` cmdlet to directly invoke the Microsoft Graph APIs.

+### Permissions

+The identity that your deployment script uses needs to be authorized to work with the Microsoft Graph API, with the appropriate permissions for the operations it performs. You must authorize the identity outside of your Bicep file, such as by pre-creating a user-assigned managed identity and assigning it an app role for Microsoft Graph. For more information, [see this quickstart example](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad).

+- Create an object in Azure Active Directory (Azure AD).

+If you would rather learn about deployment scripts through step-by-step guidance, see [Extend ARM templates by using deployment scripts](/training/modules/extend-resource-manager-template-deployment-scripts).

+- [Sample 6](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad): manually create a user-assigned managed identity and assign it permission to use the Microsoft Graph API to create Azure AD applications; in the Bicep file, use a deployment script to create an Azure AD application and service principal, and output the object IDs and client ID.

+## Use Microsoft Graph within a deployment script

+A deployment script can use [Microsoft Graph](/graph/overview) to create and work with objects in Azure AD.

+### Commands

+When you use Azure CLI deployment scripts, you can use commands within the `az ad` command group to work with applications, service principals, groups, and users. You can also directly invoke Microsoft Graph APIs by using the `az rest` command.

+When you use Azure PowerShell deployment scripts, you can use the `Invoke-RestMethod` cmdlet to directly invoke the Microsoft Graph APIs.

+### Permissions

+The identity that your deployment script uses needs to be authorized to work with the Microsoft Graph API, with the appropriate permissions for the operations it performs. You must authorize the identity outside of your template deployment, such as by pre-creating a user-assigned managed identity and assigning it an app role for Microsoft Graph. For more information, [see this quickstart example](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad).

+Azure DevOps provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications. Developers can work in the cloud using Azure DevOps Services. Azure DevOps provides an integrated set of features that you can access through your web browser or IDE client. Azure Pipelines is one of these features. Azure Pipelines is a fully featured continuous integration (CI) and continuous delivery (CD) service. It works with your preferred Git provider and can deploy to most major cloud services. Then you can automate the build, testing, and deployment of your code to Microsoft Azure, Google Cloud Platform, or Amazon Web Services.

+- **[Send messages from server to clients via REST API](signalr-reference-data-plane-rest-api.md)** - Azure SignalR Service provides REST API to enable applications to post messages to clients connected with SignalR Service, in any REST capable programming languages.

+- Q. Can I migrate my existing Citrix desktops and apps to Azure VMware Solution, or operate a hybrid environment that consists of on-premises and Azure VMware Solution-based Citrix workloads?

+- Q. Can Citrix be deployed as a standalone environment within Azure VMware Solution?

+ A. Yes. YouΓÇÖre free to migrate, operate a hybrid environment, or deploy a standalone directly into Azure VMware Solution.

+- Q. Does Azure VMware Solution support both PVS and MCS?

+ A. Yes.

+- Q. Are GPU-based workloads supported in Citrix on Azure VMware Solution?

+ A. Not at this time. However, Citrix workloads on Microsoft Azure support GPU if that use case is important to you.

+- Q. Is Azure VMware Solution supported with on-premesis Citrix deployments or LTSR?

+- Q. Who do I call for support?

+ A. Customers should contact Citrix support www.citrix.com/support for assistance.

+ A. No. Azure Virtual Desktop benefits are applicable to native Microsoft Azure workloads only. Citrix Virtual Apps and Desktops service, as a native Azure offering, can apply your Azure Virtual Desktop benefit alongside your Azure VMware Solution deployment.

+- Q. How do I purchase Citrix Virtual Apps and Desktops service to use Azure VMware Solution?

+ A. You can purchase Citrix offerings via your Citrix partner or directly from the Azure Marketplace.

+The API Management configuration is the same for backend services that run on Azure VMware Solution virtual machines (VMs) and on-premises. API Management also configures the virtual IP on the load balancer as the backend endpoint for both deployments when the backend server is placed behind an NSX Load Balancer on Azure VMware Solution.

+API Management has an Azure Public API, and activating Azure DDoS Protection Service is recommended.

+* Internal traffic routes through ExpressRoute Gateway to Azure Firewall and then to API Management, directly or through traffic rules.

+- Use the domain controllers deployed on the Hub (described in [Identity considerations](#identity-considerations)) as name servers.

+- Deploy and configure an Azure DNS private zone.

+You can use Azure Private DNS, where the Azure Private DNS zone links to the virtual network. The DNS servers are used as hybrid resolvers with conditional forwarding to on-premises or Azure VMware Solution running DNS using customer Azure Private DNS infrastructure.

+- On-premises to Azure VMware Solution private cloud management access.

+# Azure VMware Solution private cloud and cluster concepts

+- Dedicated bare-metal server hosts provisioned with VMware ESXi hypervisor

+- VMware vCenter Server for managing ESXi and vSAN

+As with other resources, private clouds are installed and managed from within an Azure subscription. The number of private clouds within a subscription is scalable. Initially, there's a limit of one private cloud per subscription. There's a logical relationship between Azure subscriptions, Azure VMware Solution private clouds, vSAN clusters, and hosts.

+The diagram shows a single Azure subscription with two private clouds that represent a development and production environment. In each of those private clouds are two clusters.

+Azure VMware Solution continuously monitors the health of both the underlay and the VMware components. When Azure VMware Solution detects a failure, it takes action to repair the failed components. When Azure VMware Solution detects a degradation or failure on an Azure VMware Solution node, it triggers the host remediation process.

+- Processor status

+- Memory status

+- Connection and power state

+- Hardware fan status

+- Network connectivity loss

+- Hardware system board status

+- Errors occurred on the disk(s) of a vSAN host

+- Hardware voltage

+- Hardware temperature status

+- Hardware power status

+- Storage status

+- Connection failure

+# Run command in Azure VMware Solution

+In Azure VMware Solution, vCenter Server has a built-in local user called *cloudadmin* assigned to the CloudAdmin role. The CloudAdmin role has vCenter Server [privileges](concepts-identity.md#vcenter-server-access-and-identity) that differ from other VMware cloud solutions and on-premises deployments. The Run command feature lets you perform operations that would normally require elevated privileges through a collection of PowerShell cmdlets.

+ - **Error** - Error messages generated in the execution of the cmdlet. This is in addition to the terminating error message on the details pane.

+ - **Warning** - Warning messages generated during the execution.

+ - **Information** - Progress and diagnostic generated messages during the execution of a cmdlet.

+- [Deploy disaster recovery using JetStream](deploy-disaster-recovery-using-jetstream.md) - Store data directly to a recovery cluster in vSAN. The data gets captured through I/O filters that run within vSphere. The underlying data store can be VMFS, VSAN, vVol, or any HCI platform.

+In this article, you'll learn how to enable Public IP to the NSX-T Data Center Edge for your Azure VMware Solution.

+Public IP to the NSX-T Data Center Edge is a feature in Azure VMware Solution that enables inbound and outbound internet access for your Azure VMware Solution environment.

+- DDoS Security protection against network traffic in and out of the Internet.

+## Reference architecture

+>The use of Public IP down to the NSX-T Data Center Edge is not compatible with reverse DNS Lookup.

+1. Log in to the Azure portal.

+1. Select the Azure VMware Solution private cloud.

+1. In the left navigation, under **Workload Networking**, select **Internet connectivity**.

+1. Select the **Connect using Public IP down to the NSX-T Edge** button.

+6. Select **Public IP**.

+6. Enter the **Public IP name** and select a subnet size from the **Address space** dropdown and select **Configure**.

+7. This Public IP should be configured within 20 minutes and will show the subnet.

+9. After configuring the Public IP, select the **Connect using the Public IP down to the NSX-T Edge** checkbox to disable all other Internet options.

+10. Select **Save**.

+You have successfully enabled Internet connectivity for your Azure VMware Solution private cloud and reserved a Microsoft allocated Public IP. You can now configure this Public IP down to the NSX-T Data Center Edge for your workloads. The NSX-T Data Center is used for all VM communication. There are several options for configuring your reserved Public IP down to the NSX-T Data Center Edge.

+1. From your Azure VMware Solution private cloud, select **vCenter Server Credentials**

+2. Locate your NSX-T Manager URL and credentials.

+3. Log in to **VMware NSX-T Manager**.

+4. Navigate to **NAT Rules**.

+5. Select the T1 Router.

+1. Select **ADD NAT RULE**.

+1. Select **SNAT**.

+1. Log in to **VMware NSX-T Manager** and then select **NAT Rules**.

+1. From your Azure VMware Solution private cloud, select **VMware credentials**.

+2. Locate your NSX-T Manager URL and credentials.

+3. Log in to **VMware NSX-T Manager**.

+1. Select **SAVE**.

+You can provide security protection for your network traffic in and out of the public internet through your Gateway Firewall.

+3. Log in to **VMware NSX-T Manager**.

+4. From the NSX-T home screen, select **Gateway Policies**.

+5. Select **Gateway Specific Rules**, choose the T1 Gateway and select **ADD POLICY**.

+6. Select **New Policy** and enter a policy name.

+7. Select the Policy and select **ADD RULE**.

+If **Match Internal Address** was specified, the destination would be the internal or private IP address of the VM.

+For more information on the NSX-T Data Center Gateway Firewall see the [NSX-T Data Center Gateway Firewall Administration Guide]( https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-A52E1A6F-F27D-41D9-9493-E3A75EC35481.html).

+## Next steps

+### <a name="azure-ad-guests"></a>Does Bastion support Azure AD guest accounts?

+Yes, [Azure AD guest accounts](../active-directory/external-identities/what-is-b2b.md) can be granted access to Bastion and can connect to virtual machines.

+- Phonemes in [SAPI](/previous-versions/windows/desktop/ee431828(v=vs.85)#american-english-phoneme-table) or [IPA](https://en.wikipedia.org/wiki/IPA) format

+> The syllable group, phoneme name, and spoken phoneme of pronunciation assessment are currently only available for the en-US locale.

+>

+> Usage of pronunciation assessment is charged the same as standard Speech to Text [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services).

+> For information about availability of pronunciation assessment, see [supported languages](language-support.md?tabs=pronunciation-assessment) and [available regions](regions.md#speech-service).

+For `en-US` locale, the phoneme name is provided together with the score, to help identify which phonemes were pronounced accurately or inaccurately. For other locales, you can only get the phoneme score.

+> [!NOTE]

+> Usage of pronunciation assessment is charged the same as standard Speech to Text [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services).

+>

+> For information about availability of pronunciation assessment, see [supported languages](language-support.md?tabs=pronunciation-assessment) and [available regions](regions.md#speech-service).

+| Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 3.7.0 | Generally available |

+| Custom speech-to-text | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | 3.7.0 | Generally available |

+| Neural text-to-speech | Converts text to natural-sounding speech by using deep neural network technology, which allows for more natural synthesized speech. | 2.6.0 | Generally available |

+| `number_digit` | None | The text is spoken as a sequence of individual digits. The speech synthesis engine pronounces:<br /><br />`<say-as interpret-as="number_digit">123456789</say-as>`<br /><br />As "1 2 3 4 5 6 7 8 9." |

+Release note for `3.7.0-amd64`:

+**Features**

+* Security upgrade.

+| Image Tags | Notes | Digest |

+|-|:|:-|

+| `latest` | | `sha256:551113f7df4840bde91bbe3d9902af5a09153462ca450490347547d95ab1c08e`|

+| `3.7.0-amd64` | | `sha256:551113f7df4840bde91bbe3d9902af5a09153462ca450490347547d95ab1c08e`|

+# [Previous version](#tab/previous)

+Release note for `3.7.0-amd64-<locale>`:

+**Features**

+* Security upgrade.

+* Support for latest model versions.

+| Image Tags | Notes |

+|-|:--|

+| `latest` | Container image with the `en-US` locale. |

+| `3.7.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `3.7.0-amd64-en-us`. |

+This container has the following locales available.

+| Locale for v3.7.0 | Notes | Digest |

+|--|:--|:--|

+| `ar-ae`| Container image with the `ar-AE` locale. | `sha256:06b50c123adb079c470ad37912bf6f0e37578e39f0432bf79d5f1c334f4013b2` |

+| `ar-bh`| Container image with the `ar-BH` locale. | `sha256:37a9ba7b309c5d43fc23d47dd7aaaf9f0775851295d674c0ca546aa9484f3d38` |

+| `ar-eg`| Container image with the `ar-EG` locale. | `sha256:80b7ad3d3d37d99782c8473cb5a36724bec381e321ae13fb2069a88472cea1af` |

+| `ar-iq`| Container image with the `ar-IQ` locale. | `sha256:dce00ea6b3c2ba9f12d8f8b7cee7762d8762c396f41667ed438a4f4420e8109b` |

+| `ar-jo`| Container image with the `ar-JO` locale. | `sha256:cf84e78c25edbd01e42645db3f7d08fcb0b702cbf9648cd0f504f6d5873c916f` |

+| `ar-kw`| Container image with the `ar-KW` locale. | `sha256:7c2548a1073e6bbee58193ba20353d9fb62cff17f57c1618b99d1dd9ca3a457b` |

+| `ar-lb`| Container image with the `ar-LB` locale. | `sha256:dae94f065cf026098181068ee5a21cb0e7d070f62fa36abdaa31c53de6ee5561` |

+| `ar-om`| Container image with the `ar-OM` locale. | `sha256:ae47c7c004161cd424cb8387eb82c7b75a76e5c97516e936a143b800427272e7` |

+| `ar-qa`| Container image with the `ar-QA` locale. | `sha256:07da7898b38f98a33d4dbf61bfab145de3549023988b1f0501227dee6b446799` |

+| `ar-sa`| Container image with the `ar-SA` locale. | `sha256:e58608eae7548c617677973031774bd61a12385162cc281d4d9ec14b10f50123` |

+| `ar-sy`| Container image with the `ar-SY` locale. | `sha256:a8fa1046c2ac8d87a58b6ea80811d8bec70bcde0ccf57f04fb73e18e485dfdad` |

+| `az-az`| Container image with the `az-AZ` locale. | `sha256:0a15dfda36aac86dfe12f5682d952ad38a4e02f5f322314787585cd16f985ba3` |

+| `bg-bg`| Container image with the `bg-BG` locale. | `sha256:638ca1a3c8e0a7e7e56750c013a1006a5c55d246eb6475cc977b017162cddad8` |

+| `bn-in`| Container image with the `bn-IN` locale. | `sha256:b35b74967c70d9480ec0aae95567db5f4eb25a9e78189690cc6fcb5580f3dae6` |

+| `bs-ba`| Container image with the `bs-BA` locale. | `sha256:6c9a35c675274dc358660a70bf01a71ff3d0c28eff7b4b40045acb606c52c311` |

+| `ca-es`| Container image with the `ca-ES` locale. | `sha256:8163db1b99645795a7e427eb31fead772e40423cddb4e99f3dc573c4b6c4e2ec` |

+| `cs-cz`| Container image with the `cs-CZ` locale. | `sha256:b3eeec75abe1d50f4e325dcb3d8ff0c94516eaeacc24493685ac21c5bb7b723f` |

+| `cy-gb`| Container image with the `cy-GB` locale. | `sha256:686c50efe91f4addab5fdb9b25d5b1eac45303d9ac4517150ae7d3b14ba76680` |

+| `da-dk`| Container image with the `da-DK` locale. | `sha256:0375770ab3eae63184fba644ffc820f42bebc28fdabff91e8529a2aeca0a5ab3` |

+| `de-at`| Container image with the `de-AT` locale. | `sha256:00020ceb473244a65aa3c74ac6afe5798c9488e1e6de75991a1ff45b64f639b2` |

+| `de-ch`| Container image with the `de-CH` locale. | `sha256:48e11b783237f1ac3b83f5d9da400c9b785404a0bbd880512b5ca1044c9e5da0` |

+| `de-de`| Container image with the `de-DE` locale. | `sha256:12c854473d84fdafac5095ac4eb1e1dce6bbf4557ecfe74c24270ff5afbb61d4` |

+| `el-gr`| Container image with the `el-GR` locale. | `sha256:d988b1046e8da4b41b1762ffc4a5e1e4463b6563d6466bd268ad5bc70d685ff7` |

+| `en-au`| Container image with the `en-AU` locale. | `sha256:510c056ee039636eacf49558357546553f84d1733ee79be1b7cbb8a00a255b4f` |

+| `en-ca`| Container image with the `en-CA` locale. | `sha256:8ee1190b738ed21bb98398bf485bb6150f8d88283458f4b3be07154ea78802fd` |

+| `en-gb`| Container image with the `en-GB` locale. | `sha256:7983af189b737c91a940e8be9f8859a7b9c069240d68348e1a5468ba1afea8bc` |

+| `en-gh`| Container image with the `en-GH` locale. | `sha256:e1a9bd5b21cbd8c017deb2339175d36a88a29ffaf15413bf530080cb44da8653` |

+| `en-hk`| Container image with the `en-HK` locale. | `sha256:3f6227c250f0f925dab6a6f2c92fb0e9b024cb9fc3ab38fd4556d2302a68b72b` |

+| `en-ie`| Container image with the `en-IE` locale. | `sha256:eae5b1864dd845aafddd8632b0bf86f70d322cbd9f91f4aa38681b9cff78f4b9` |

+| `en-in`| Container image with the `en-IN` locale. | `sha256:1e3c288591fc0df20ae381f520f78ac33aee1f7251037044312c947fd0b8589d` |

+| `en-ke`| Container image with the `en-KE` locale. | `sha256:975515ac47703c0b0a454fe23a5c6174bf5d69be723304449b6ff07d49fb9b3f` |

+| `en-nz`| Container image with the `en-NZ` locale. | `sha256:33f7a214071ec7719f4c697e18225262694198387c7a00ae624b3dc8d6236b7c` |

+| `en-ph`| Container image with the `en-PH` locale. | `sha256:94cb8c27aa2ce700914e4766de48f01f8b6420631c78538c5fcab2e325bc2cc9` |

+| `en-sg`| Container image with the `en-SG` locale. | `sha256:60933b58d251356dc35de461887f0bcfe0f5c47c559a570b98c9f69bbe4ef1f6` |

+| `en-tz`| Container image with the `en-TZ` locale. | `sha256:66d4f800c0a02d2f9dbf4ed4328d5032ced8b1f4d830c0f68ec669c333160962` |

+| `en-us`| Container image with the `en-US` locale. | `sha256:7f1a36eb10de11651d3077387a6e2ee89adb80d2efb1aa7648b9572cde505c64` |

+| `en-za`| Container image with the `en-ZA` locale. | `sha256:536d8edc033d00fda69791681ff15e91ff297edbe6fb0a771685139964857a8c` |

+| `es-ar`| Container image with the `es-AR` locale. | `sha256:a9b2765ed5eb3f18b265b0d088f347ddfb54dc1b21cb6a0a94ffbf1e0ec69f51` |

+| `es-bo`| Container image with the `es-BO` locale. | `sha256:2c1b8297e362ab6df9d2bab4268149656c28ef0a0704d51a608a54e4bf61d643` |

+| `es-cl`| Container image with the `es-CL` locale. | `sha256:d981571c6455c587188782488234852b50cae3b7319147f81f3a46c48c0cc628` |

+| `es-co`| Container image with the `es-CO` locale. | `sha256:07e0fab0ab15f411de6b56a6c5a4bb5dbf6882b7abd49c9dcb54de3ce2b0a20b` |

+| `es-cr`| Container image with the `es-CR` locale. | `sha256:db7c55da662e5e8a52b726819ec8bfe4f9b7a21903f9c8d949a6ddd65f7ca56e` |

+| `es-cu`| Container image with the `es-CU` locale. | `sha256:adbb56aeee08651b2dd030d2010c5c0e81c99fd59ae361302b444116c1086cfa` |

+| `es-do`| Container image with the `es-DO` locale. | `sha256:5dedfebb025725ce9391a324659cc8567f90c02c1b6e4554bada022922457463` |

+| `es-ec`| Container image with the `es-EC` locale. | `sha256:72a267f458b66cc3935d96ebffdacb12fbb8f6f91f5347464f2e9af34273260c` |

+| `es-es`| Container image with the `es-ES` locale. | `sha256:42540849cb394203a81a14ce02ac4a890916b025636666a77ba32cf347200915` |

+| `es-gt`| Container image with the `es-GT` locale. | `sha256:095cb31ec78862831db242fa69dc2f3db564ac7d5caa86274357cee137c62d82` |

+| `es-hn`| Container image with the `es-HN` locale. | `sha256:864179bf6de0d66db3bef50e6aa551b6c124ab37ce10a255c5aa33d03f7dae03` |

+| `es-mx`| Container image with the `es-MX` locale. | `sha256:af4b1d78f141a15ff27adc3c1d20a5bf82c00a4fa3f3cfa52ba17ac50260cb76` |

+| `es-ni`| Container image with the `es-NI` locale. | `sha256:5280d1e305ad3a0d403633cda6a65dc1c402e561ef0fca0ccefd73b99331838e` |

+| `es-pa`| Container image with the `es-PA` locale. | `sha256:5e9326793966a0e0d963bece1bd10b0d8bf9917990773eb65e28a26ef782f91f` |

+| `es-pe`| Container image with the `es-PE` locale. | `sha256:3d014bd060833953b5895f3431f00da332bdb6d8d4e224699045a11ec11a8975` |

+| `es-pr`| Container image with the `es-PR` locale. | `sha256:b8377678b543eea2c581f6fd7ef7d6ca59765c5094aa3303935c350cc3b30030` |

+| `es-py`| Container image with the `es-PY` locale. | `sha256:d5e7400cead88820b888e529d2c5c1ce6333147e210e1e8c4dea21cab8866e4e` |

+| `es-sv`| Container image with the `es-SV` locale. | `sha256:641ce9b02848542c786e1ca8c63134bb3fb97d260b4091b31c56831b1f0da684` |

+| `es-us`| Container image with the `es-US` locale. | `sha256:9b22ebc2b757dbf57205cace1a995b0e5f17c4402b089b41367bae459e45bcf0` |

+| `es-uy`| Container image with the `es-UY` locale. | `sha256:95baf4be71d34a9864d21f0499f7fd36b76e83fa8b8ae2486e56d38f7eb270ad` |

+| `es-ve`| Container image with the `es-VE` locale. | `sha256:552ec7b4df6cf143795ee78e6c3cefbc252baa7389486657390164686f369b87` |

+| `et-ee`| Container image with the `et-EE` locale. | `sha256:d96975024d81899a7c93a2634b8399ab142941a63db743f99471f3519c4aa760` |

+| `eu-es`| Container image with the `eu-ES` locale. | `sha256:789aec61fa61500adb7d60e5441755781b9241e2526d1100afcc1db4b9ea28f7` |

+| `fa-ir`| Container image with the `fa-IR` locale. | `sha256:a7d7d368f6493fcc6efdab07dc51a536da3ae3db92eb374725dba758f464ca99` |

+| `fi-fi`| Container image with the `fi-FI` locale. | `sha256:26370a84499831a50615337fb3de77530b1bcc3245313fd59078549f21b12a1c` |

+| `fil-ph`| Container image with the `fil-PH` locale. | `sha256:de11d47b9b1099f1b418b347c198b98e8cefbce74991773800e954e286f7f766` |

+| `fr-ca`| Container image with the `fr-CA` locale. | `sha256:dc747e1dafda312fcc79f9d0ec1b9b137de149fdde55cdbe9e9da04647e2216f` |

+| `fr-ch`| Container image with the `fr-CH` locale. | `sha256:962366fa475d196f09a932ae002d5479482996d827b2822d48e4632c0a118f53` |

+| `fr-fr`| Container image with the `fr-FR` locale. | `sha256:32dcc215732ed60c149f3a7f27e400fe17c2c885e5788eaa00db694e3b61c6fa` |

+| `ga-ie`| Container image with the `ga-IE` locale. | `sha256:5cfd9b63ed99df7eff27c94466c8f795ce56bddbd519bddce4dd960a4d85f1a0` |

+| `gl-es`| Container image with the `gl-ES` locale. | `sha256:13023950f7630296d2699a2211e7ae45a38188d82fb212a7a6780354087f815e` |

+| `gu-in`| Container image with the `gu-IN` locale. | `sha256:5511eb7c2e0a33ed7b16213297b3a530b1fdb858ea526b5bdaaea709966dac0b` |

+| `he-il`| Container image with the `he-IL` locale. | `sha256:99aa9f70c301f61a6f39793f874d70a45791ec6fd705b84639dc920b3c8b10a5` |

+| `hi-in`| Container image with the `hi-IN` locale. | `sha256:86147556e59e221a8c2c5ceb56fb5a40cead3c6e677aab8ddbbaffa39addd28a` |

+| `hr-hr`| Container image with the `hr-HR` locale. | `sha256:3123fa32f7322e3ab3bedf8c006b34a3d254b9d737f3e747312c45ca9d6c6271` |

+| `hu-hu`| Container image with the `hu-HU` locale. | `sha256:cede22619c83c84cb8356807a589c7992fdc5879f8987dc7fc1ff81abd123961` |

+| `hy-am`| Container image with the `hy-AM` locale. | `sha256:63c8b2e155d453666a5e842a270bc988a41fc7af09bb95e6508698713412a272` |

+| `id-id`| Container image with the `id-ID` locale. | `sha256:6e28166255a2ae55eb7d41aac3fb133403f01dd27fef583a12ac30d4a584ce50` |

+| `it-ch`| Container image with the `it-CH` locale. | `sha256:2065ef047c7704abda14134abd8508a7de7c3b2e30fdb051ee5525b8a8daee32` |

+| `it-it`| Container image with the `it-IT` locale. | `sha256:9ef3c51329c2c44585f8cf41847fd83dcaadeb783d51df55e15b57ff7cabfac7` |

+| `ja-jp`| Container image with the `ja-JP` locale. | `sha256:0d75f2e00c7a93375a56c315961c61cb2a93a7eb83deab210dfcd4c56fc4c519` |

+| `ka-ge`| Container image with the `ka-GE` locale. | `sha256:e05f315a34dec1efe527790c84082358cf9155def79be058f772b8cb05111d0a` |

+| `kk-kz`| Container image with the `kk-KZ` locale. | `sha256:e8d700480fe77edf46f2c8a02838b5bee1b6b76ae22cded45c3297febbd97725` |

+| `ko-kr`| Container image with the `ko-KR` locale. | `sha256:7fc44d9110f3e127d49b74146a9c8cde20f922a6aa8dc58643295d6e1c139fb6` |

+| `lt-lt`| Container image with the `lt-LT` locale. | `sha256:58d583963cc54edf4be231a1681774bc9213befa6a72aab20f556d5040e92f64` |

+| `lv-lv`| Container image with the `lv-LV` locale. | `sha256:37d8f5ce4734c8e3a7096a4e1148258c0b987261dc4911df37dae2586409d1f4` |

+| `mk-mk`| Container image with the `mk-MK` locale. | `sha256:388311b1e87277cc7c2d346eed8e2d8f456900aac8bfd735d26fefddcd1c7ce2` |

+| `mn-mn`| Container image with the `mn-MN` locale. | `sha256:41bdb6afea3c27f4ef67ca6eb9302b0207a8f631481bc16815993e131caf130a` |

+| `mr-in`| Container image with the `mr-IN` locale. | `sha256:2c9bb428c66e0238c65e9f6fedf09524398c2e9348971951b16502576005e244` |

+| `ms-my`| Container image with the `ms-MY` locale. | `sha256:8f61a55cdf6340b1327c2533ff0d6371b70d817308efd4546fce9bffef80ef5e` |

+| `mt-mt`| Container image with the `mt-MT` locale. | `sha256:7573d303239a4e99b646c8b2aa95d4903a37e31fcdc597c29952f0a555c1829e` |

+| `nb-no`| Container image with the `nb-NO` locale. | `sha256:408641de59d99085a8755c3e2f42b430ccf6af4f6b4fb12d7b2a4136d60383ff` |

+| `ne-np`| Container image with the `ne-NP` locale. | `sha256:ee5f5fae979352b572f093bf38e59c6edb636cffbbb49494da8c194b324e1956` |

+| `nl-nl`| Container image with the `nl-NL` locale. | `sha256:22e6b1734be2048c7dbe09f75bf49caae2c864b31687bd03025cbcf6b98ec7c6` |

+| `pl-pl`| Container image with the `pl-PL` locale. | `sha256:86a8c47e03eb75ea55b3b3dd43bb408f9e7cd7e58cc8b22004acb8d9e54d8e16` |

+| `ps-af`| Container image with the `ps-AF` locale. | `sha256:87b30023526044fa4917696128c84f08fa5355a0471c4768b66c6a340565ba98` |

+| `pt-br`| Container image with the `pt-BR` locale. | `sha256:79cd07b0be7249935a581758e3e3c0ce6af08d447c8063b8c580d09385bf0067` |

+| `pt-pt`| Container image with the `pt-PT` locale. | `sha256:c5c248c679122726427d6ca69fed8234331bf20be97f482707ba8ae7c6cdb67e` |

+| `ro-ro`| Container image with the `ro-RO` locale. | `sha256:6e5e203cbba8c60319a2f6dec7bd0b49d2915d6dc726882f633165dc4e239e64` |

+| `ru-ru`| Container image with the `ru-RU` locale. | `sha256:fd896f373deb0e70c394af235c00401b98333ffb70d5ca4ace0869192bd091ca` |

+| `sk-sk`| Container image with the `sk-SK` locale. | `sha256:962aca8128e74a30525d9c0a53a2a410e18f2fb679ecdf1a281d23e337e040a1` |

+| `sl-si`| Container image with the `sl-SI` locale. | `sha256:e4a8b4bbe5d70bf378bead62ccd1d54e994a970729061add43f0ba5c5d9d70b5` |

+| `so-so`| Container image with the `so-SO` locale. | `sha256:999b5f6b1708e0f012481db3e62eae14ab3b99fd12bba9c84a03b7bc79534b0c` |

+| `sq-al`| Container image with the `sq-AL` locale. | `sha256:5d230ed821290893fe90f833d8c6a7468bfd456709cb85abb9b953455fedb132` |

+| `sv-se`| Container image with the `sv-SE` locale. | `sha256:9c900b80eca404751c894ab47a8367d67f26c8a2710815d926c9f542a507990b` |

+| `ta-in`| Container image with the `ta-IN` locale. | `sha256:568c89e3d7ededa5c38682d724a884e59b16221e2945640ce0790d2eafdd9b28` |

+| `te-in`| Container image with the `te-IN` locale. | `sha256:cc66d2d64e62c64f0dd582becc8fdfc54b1cd590be68409bde034d32e5c8c165` |

+| `th-th`| Container image with the `th-TH` locale. | `sha256:ad4fe647e5d37860b1351f8f9c1536269dbef6200af78a35a534994697bf9887` |

+| `tr-tr`| Container image with the `tr-TR` locale. | `sha256:5b8c6de12d72c367c74d695fa90b16cbc96b6fcc2fa891e62475c346520fd10a` |

+| `uk-ua`| Container image with the `uk-UA` locale. | `sha256:552ce967cc23a8629acc6e297ae01d765658724fb711b105afee768b92dc4e7e` |

+| `vi-vn`| Container image with the `vi-VN` locale. | `sha256:4668f0b5f895dd85d2b1ffcf0ce9b9ff23339a82d290b973bfd91113bc0eb68a` |

+| `wuu-cn`| Container image with the `wuu-CN` locale. | `sha256:2c2321e7610bfcd812df267c044281801f5f470f023cfe37273ce6c4ee1748a9` |

+| `yue-cn`| Container image with the `yue-CN` locale. | `sha256:f2eeefd4926e4714e5996a6e13f00e58a985835923113679f40c0f8dcd86000b` |

+| `zh-cn`| Container image with the `zh-CN` locale. | `sha256:5691c41fedfb89d7738afabd5624aad43cf8c427c4de1608e7381674fdcb88a2` |

+| `zh-cn-sichuan`| Container image with the `zh-CN-sichuan` locale. | `sha256:192a125987d397018734c57f952e68df04d7fd550cfb6ae9434f200b7bd44d13` |

+| `zh-hk`| Container image with the `zh-HK` locale. | `sha256:f3f8b50f982c19f31eea553ed92ebfb6c7e333a4d2fa55c81a1c8b680afd6101` |

+| `zh-tw`| Container image with the `zh-` locale. | `sha256:20245c6b1b4da4a393e6d0aaa3c1a013f03de69eec351d9b7e5fe9d542c1f098` |

+# [Previous version](#tab/previous)

+Release notes for `v2.6.0`:

+**Features**

+* Security upgrade.

+| Image Tags | Notes |

+||:|

+| `latest` | Container image with the `en-US` locale and `en-US-AriaNeural` voice. |

+| `2.6.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `2.6.0-amd64-en-us-arianeural`. |

+| v2.6.0 Locales and voices | Notes |

+|-|:|

+| `am-et-amehaneural`| Container image with the `am-ET` locale and `am-ET-amehaneural` voice.|

+| `am-et-mekdesneural`| Container image with the `am-ET` locale and `am-ET-mekdesneural` voice.|

+| `ar-bh-lailaneural`| Container image with the `ar-BH` locale and `ar-BH-lailaneural` voice.|

+| `ar-eg-salmaneural`| Container image with the `ar-EG` locale and `ar-EG-salmaneural` voice.|

+| `ar-eg-shakirneural`| Container image with the `ar-EG` locale and `ar-EG-shakirneural` voice.|

+| `ar-sa-hamedneural`| Container image with the `ar-SA` locale and `ar-SA-hamedneural` voice.|

+| `ar-sa-zariyahneural`| Container image with the `ar-SA` locale and `ar-SA-zariyahneural` voice.|

+| `az-az-babekneural`| Container image with the `az-AZ` locale and `az-AZ-babekneural` voice.|

+| `az-az-banuneural`| Container image with the `az-AZ` locale and `az-AZ-banuneural` voice.|

+| `cs-cz-antoninneural`| Container image with the `cs-CZ` locale and `cs-CZ-antoninneural` voice.|

+| `cs-cz-vlastaneural`| Container image with the `cs-CZ` locale and `cs-CZ-vlastaneural` voice.|

+| `de-ch-janneural`| Container image with the `de-CH` locale and `de-CH-janneural` voice.|

+| `de-ch-lenineural`| Container image with the `de-CH` locale and `de-CH-lenineural` voice.|

+| `de-de-conradneural`| Container image with the `de-DE` locale and `de-DE-conradneural` voice.|

+| `de-de-katjaneural`| Container image with the `de-DE` locale and `de-DE-katjaneural` voice.|

+| `en-au-natashaneural`| Container image with the `en-AU` locale and `en-AU-natashaneural` voice.|

+| `en-au-williamneural`| Container image with the `en-AU` locale and `en-AU-williamneural` voice.|

+| `en-ca-claraneural`| Container image with the `en-CA` locale and `en-CA-claraneural` voice.|

+| `en-ca-liamneural`| Container image with the `en-CA` locale and `en-CA-liamneural` voice.|

+| `en-gb-libbyneural`| Container image with the `en-GB` locale and `en-GB-libbyneural` voice.|

+| `en-gb-ryanneural`| Container image with the `en-GB` locale and `en-GB-ryanneural` voice.|

+| `en-gb-sonianeural`| Container image with the `en-GB` locale and `en-GB-sonianeural` voice.|

+| `en-us-arianeural`| Container image with the `en-US` locale and `en-US-arianeural` voice.|

+| `en-us-guyneural`| Container image with the `en-US` locale and `en-US-guyneural` voice.|

+| `en-us-jennyneural`| Container image with the `en-US` locale and `en-US-jennyneural` voice.|

+| `es-es-alvaroneural`| Container image with the `es-ES` locale and `es-ES-alvaroneural` voice.|

+| `es-es-elviraneural`| Container image with the `es-ES` locale and `es-ES-elviraneural` voice.|

+| `es-mx-dalianeural`| Container image with the `es-MX` locale and `es-MX-dalianeural` voice.|

+| `es-mx-jorgeneural`| Container image with the `es-MX` locale and `es-MX-jorgeneural` voice.|

+| `fa-ir-dilaraneural`| Container image with the `fa-IR` locale and `fa-IR-dilaraneural` voice.|

+| `fa-ir-faridneural`| Container image with the `fa-IR` locale and `fa-IR-faridneural` voice.|

+| `fil-ph-angeloneural`| Container image with the `fil-PH` locale and `fil-PH-angeloneural` voice.|

+| `fil-ph-blessicaneural`| Container image with the `fil-PH` locale and `fil-PH-blessicaneural` voice.|

+| `fr-ca-antoineneural`| Container image with the `fr-CA` locale and `fr-CA-antoineneural` voice.|

+| `fr-ca-jeanneural`| Container image with the `fr-CA` locale and `fr-CA-jeanneural` voice.|

+| `fr-ca-sylvieneural`| Container image with the `fr-CA` locale and `fr-CA-sylvieneural` voice.|

+| `fr-fr-deniseneural`| Container image with the `fr-FR` locale and `fr-FR-deniseneural` voice.|

+| `fr-fr-henrineural`| Container image with the `fr-FR` locale and `fr-FR-henrineural` voice.|

+| `he-il-avrineural`| Container image with the `he-IL` locale and `he-IL-avrineural` voice.|

+| `he-il-hilaneural`| Container image with the `he-IL` locale and `he-IL-hilaneural` voice.|

+| `hi-in-madhurneural`| Container image with the `hi-IN` locale and `hi-IN-madhurneural` voice.|

+| `hi-in-swaraneural`| Container image with the `hi-IN` locale and `hi-IN-swaraneural` voice.|

+| `id-id-ardineural`| Container image with the `id-ID` locale and `id-ID-ardineural` voice.|

+| `id-id-gadisneural`| Container image with the `id-ID` locale and `id-ID-gadisneural` voice.|

+| `it-it-diegoneural`| Container image with the `it-IT` locale and `it-IT-diegoneural` voice.|

+| `it-it-elsaneural`| Container image with the `it-IT` locale and `it-IT-elsaneural` voice.|

+| `it-it-isabellaneural`| Container image with the `it-IT` locale and `it-IT-isabellaneural` voice.|

+| `ja-jp-keitaneural`| Container image with the `ja-JP` locale and `ja-JP-keitaneural` voice.|

+| `ja-jp-nanamineural`| Container image with the `ja-JP` locale and `ja-JP-nanamineural` voice.|

+| `ka-ge-ekaneural`| Container image with the `ka-GE` locale and `ka-GE-ekaneural` voice.|

+| `ka-ge-giorgineural`| Container image with the `ka-GE` locale and `ka-GE-giorgineural` voice.|

+| `ko-kr-injoonneural`| Container image with the `ko-KR` locale and `ko-KR-injoonneural` voice.|

+| `ko-kr-sunhineural`| Container image with the `ko-KR` locale and `ko-KR-sunhineural` voice.|

+| `pt-br-antonioneural`| Container image with the `pt-BR` locale and `pt-BR-antonioneural` voice.|

+| `pt-br-franciscaneural`| Container image with the `pt-BR` locale and `pt-BR-franciscaneural` voice.|

+| `so-so-muuseneural`| Container image with the `so-SO` locale and `so-SO-muuseneural` voice.|

+| `so-so-ubaxneural`| Container image with the `so-SO` locale and `so-SO-ubaxneural` voice.|

+| `sv-se-hillevineural`| Container image with the `sv-SE` locale and `sv-SE-hillevineural` voice.|

+| `sv-se-mattiasneural`| Container image with the `sv-SE` locale and `sv-SE-mattiasneural` voice.|

+| `sv-se-sofieneural`| Container image with the `sv-SE` locale and `sv-SE-sofieneural` voice.|

+| `th-th-acharaneural`| Container image with the `th-TH` locale and `th-TH-acharaneural` voice.|

+| `th-th-niwatneural`| Container image with the `th-TH` locale and `th-TH-niwatneural` voice.|

+| `th-th-premwadeeneural`| Container image with the `th-TH` locale and `th-TH-premwadeeneural` voice.|

+| `tr-tr-ahmetneural`| Container image with the `tr-TR` locale and `tr-TR-ahmetneural` voice.|

+| `tr-tr-emelneural`| Container image with the `tr-TR` locale and `tr-TR-emelneural` voice.|

+| `zh-cn-xiaochenneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaochenneural` voice.|

+| `zh-cn-xiaohanneural`| Container image with the `zh-CN` locale and `zh-CN-xiaohanneural` voice.|

+| `zh-cn-xiaomoneural`| Container image with the `zh-CN` locale and `zh-CN-xiaomoneural` voice.|

+| `zh-cn-xiaoqiuneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoqiuneural` voice.|

+| `zh-cn-xiaoruineural`| Container image with the `zh-CN` locale and `zh-CN-xiaoruineural` voice.|

+| `zh-cn-xiaoshuangneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoshuangneural` voice.|

+| `zh-cn-xiaoxiaoneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoxiaoneural` voice.|

+| `zh-cn-xiaoxuanneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoxuanneural` voice.|

+| `zh-cn-xiaoyanneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoyanneural` voice.|

+| `zh-cn-xiaoyouneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoyouneural` voice.|

+| `zh-cn-yunxineural`| Container image with the `zh-CN` locale and `zh-CN-yunxineural` voice.|

+| `zh-cn-yunyangneural`| Container image with the `zh-CN` locale and `zh-CN-yunyangneural` voice.|

+| `zh-cn-yunyeneural`| Container image with the `zh-CN` locale and `zh-CN-yunyeneural` voice.|

+# [Previous version](#tab/previous)

+* Your organization should be identified as strategic customer or partner with Microsoft.

+The service provides access to many different models, grouped by family and capability. A model family typically associates models by their intended task. The following table describes model families currently available in Azure OpenAI. Not all models are available in all regions currently. Please refer to the capability table at the bottom for a full breakdown.

+## Model Summary table and region availability

+### GPT-3 Models

+| Model | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions |

+| | | | | |

+| Ada | Yes | No | N/A | East US, South Central US, West Europe |

+| Text-Ada-001 | Yes | No | East US, South Central US, West Europe | N/A |

+| Babbage | Yes | No | N/A | East US, South Central US, West Europe |

+| Text-Babbage-001 | Yes | No | East US, South Central US, West Europe | N/A |

+| Curie | Yes | No | N/A | East US, South Central US, West Europe |

+| Text-curie-001 | Yes | No | East US, South Central US, West Europe | N/A |

+| Davinci* | Yes | No | N/A | East US, South Central US, West Europe |

+| Text-davinci-001 | Yes | No | South Central US, West Europe | N/A |

+| Text-davinci-002 | Yes | No | East US, South Central US, West Europe | N/A |

+| Text-davinci-fine-tune-002* | Yes | No | N/A | East US, West Europe |

+\*Models available by request only. Please open a support request.

+### Codex Models

+| Model | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions |

+| | | | | |

+| Code-Cushman-001* | Yes | No | South Central US, West Europe | East US, South Central US, West Europe |

+| Code-Davinci-002 | Yes | No | East US, West Europe | N/A |

+| Code-Davinci-Fine-tune-002* | Yes | No | N/A | East US, West Europe |

+\*Models available for Fine-tuning by request only. Please open a support request.

+### Embeddings Models

+| Model | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions |

+| | | | | |

+| text-similarity-ada-001 | No | Yes | East US, South Central US, West Europe | N/A |

+| text-similarity-babbage-001 | No | Yes | South Central US, West Europe | N/A |

+| text-similarit-curie-001 | No | Yes | East US, South Central US, West Europe | N/A |

+| text-similarity-davinci-001 | No | Yes | South Central US, West Europe | N/A |

+| text-search-ada-doc-001 | No | Yes | South Central US, West Europe | N/A |

+| text-search-ada-query-001 | No | Yes | South Central US, West Europe | N/A |

+| text-search-babbage-doc-001 | No | Yes | South Central US, West Europe | N/A |

+| text-search-babbage-query-001 | No | Yes | South Central US, West Europe | N/A |

+| text-search-curie-doc-001 | No | Yes | South Central US, West Europe | N/A |

+| text-search-curie-query-001 | No | Yes | South Central US, West Europe | N/A |

+| text-search-davinci-doc-001 | No | Yes | South Central US, West Europe | N/A |

+| text-search-davinci-query-001 | No | Yes | South Central US, West Europe | N/A |

+| code-search-ada-code-001 | No | Yes | South Central US, West Europe | N/A |

+| code-search-ada-text-001 | No | Yes | South Central US, West Europe | N/A |

+| code-search-babbage-code-001 | No | Yes | South Central US, West Europe | N/A |

+| code-search-babbage-text-001 | No | Yes | South Central US, West Europe | N/A |

+

+| Fine-tuning | Ada <br> Babbage <br> Curie <br> Cushman* <br> Davinci* <br> \* available by request. Please open a support request|

+| Price | [Available here](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/) |

+| Regional availability | East US <br> South Central US <br> West Europe |

+| Requests per second per deployment | 5 |

+| Total size of all files per resource | 1 GB |

+| Max training job size (tokens in training file * # of epochs) | **Ada**: 40-M tokens <br> **Babbage**: 40-M tokens <br> **Curie**: 40-M tokens <br> **Cushman**: 40-M tokens <br> **Davinci**: 10-M |

+ Title: "How-to: Use Inference Explainability"

+description: Personalizer can return feature scores in each Rank call to provide insight on what features are important to the model's decision.

+ms.

+# Inference Explainability

+Personalizer can help you to understand which features of a chosen action are the most and least influential to then model during inference. When enabled, inference explainability includes feature scores from the underlying model into the Rank API response, so your application receives this information at the time of inference.

+Feature scores empower you to better understand the relationship between features and the decisions made by Personalizer. They can be used to provide insight to your end-users into why a particular recommendation was made, or to analyze whether your model is exhibiting bias toward or against certain contextual settings, users, and actions.

+## How do I enable inference explainability?

+Setting the service configuration flag IsInferenceExplainabilityEnabled in your service configuration enables Personalizer to include feature values and weights in the Rank API response. To update your current service configuration, use the [Service Configuration ΓÇô Update API](/rest/api/personalizer/1.1preview1/service-configuration/update?tabs=HTTP). In the JSON request body, include your current service configuration and add the additional entry: ΓÇ£IsInferenceExplainabilityEnabledΓÇ¥: true. If you donΓÇÖt know your current service configuration, you can obtain it from the [Service Configuration ΓÇô Get API](/rest/api/personalizer/1.1preview1/service-configuration/get?tabs=HTTP)

+```JSON

+{

+ "rewardWaitTime": "PT10M",

+ "defaultReward": 0,

+ "rewardAggregation": "earliest",

+ "explorationPercentage": 0.2,

+ "modelExportFrequency": "PT5M",

+ "logMirrorEnabled": true,

+ "logMirrorSasUri": "https://testblob.blob.core.windows.net/container?se=2020-08-13T00%3A00Z&sp=rwl&spr=https&sv=2018-11-09&sr=c&sig=signature",

+ "logRetentionDays": 7,

+ "lastConfigurationEditDate": "0001-01-01T00:00:00Z",

+ "learningMode": "Online",

+ "isAutoOptimizationEnabled": true,

+ "autoOptimizationFrequency": "P7D",

+ "autoOptimizationStartDate": "2019-01-19T00:00:00Z",

+"isInferenceExplainabilityEnabled": true

+}

+```

+> [!NOTE]

+> Enabling inference explainability will significantly increase the latency of calls to the Rank API. We recommend experimenting with this capability and measuring the latency in your scenario to see if it satisfies your applicationΓÇÖs latency requirements.

+## How to interpret feature scores?

+Enabling inference explainability will add a collection to the JSON response from the Rank API called *inferenceExplanation*. This contains a list of feature names and values that were submitted in the Rank request, along with feature scores learned by PersonalizerΓÇÖs underlying model. The feature scores provide you with insight on how influential each feature was in the model choosing the action.

+```JSON

+{

+ "ranking": [

+ {

+ "id": "EntertainmentArticle",

+ "probability": 0.8

+ },

+ {

+ "id": "SportsArticle",

+ "probability": 0.15

+ },

+ {

+ "id": "NewsArticle",

+ "probability": 0.05

+ }

+ ],

+ "eventId": "75269AD0-BFEE-4598-8196-C57383D38E10",

+ "rewardActionId": "EntertainmentArticle",

+ "inferenceExplanation": [

+ {

+ "idΓÇ¥: "EntertainmentArticle",

+ "features": [

+ {

+ "name": "user.profileType",

+ "score": 3.0

+ },

+ {

+ "name": "user.latLong",

+ "score": -4.3

+ },

+ {

+ "name": "user.profileType^user.latLong",

+ "score" : 12.1

+ },

+ ]

+ ]

+}

+```

+In the example above, three action IDs are returned in the _ranking_ collection along with their respective probabilities scores. The action with the largest probability is the_ best action_ as determined by the model trained on data sent to the Personalizer APIs, which in this case is `"id": "EntertainmentArticle"`. The action ID can be seen again in the _inferenceExplanation_ collection, along with the feature names and scores determined by the model for that action and the features and values sent to the Rank API.

+Recall that Personalizer will either return the _best action_ or an _exploratory action_ chosen by the exploration policy. The best action is the one that the model has determined has the highest probability of maximizing the average reward, whereas exploratory actions are chosen among the set of all possible actions provided in the Rank API call. Actions taken during exploration do not leverage the feature scores in determining which action to take, therefore **feature scores for exploratory actions should not be used to gain an understanding of why the action was taken.** [You can learn more about exploration here](concepts-exploration.md).

+For the best actions returned by Personalizer, the feature scores can provide general insight where:

+* Larger positive scores provide more support for the model choosing this action.

+* Larger negative scores provide more support for the model not choosing this action.

+* Scores close to zero have a small effect on the decision to choose this action.

+## Important considerations for Inference Explainability

+* **Increased latency.** Enabling _Inference Explainability_ will significantly increase the latency of Rank API calls due to processing of the feature information. Run experiments and measure the latency in your scenario to see if it satisfies your applicationΓÇÖs latency requirements.

+* **Correlated Features.** Features that are highly correlated with each other can reduce the utility of feature scores. For example, suppose Feature A is highly correlated with Feature B. It may be that Feature AΓÇÖs score is a large positive value while Feature BΓÇÖs score is a large negative value. In this case, the two features may effectively cancel each other out and have little to no impact on the model. While Personalizer is very robust to highly correlated features, when using _Inference Explainability_, ensure that features sent to Personalizer are not highly correlated

+* **Default exploration only.** Currently, Inference Explainability supports only the default exploration algorithm.

+## Next steps

+[Reinforcement learning](concepts-reinforcement-learning.md)

+| Media | Support for early media | ✔️ |

+Azure Communication Services supports sending and receiving of long messages over SMS. However, some wireless carriers or devices may act differently when receiving long messages. We recommend keeping SMS messages to a length of 320 characters and reducing the use of accents to ensure maximum delivery.

+*Limitation of US short code - There is a known limit of ~4 segments when sending/receiving a message with Non-ASCII characters. Beyond 4 segments, the message may not be delivered with the right formatting.

+| | Support for early media | ✔️ | ✔️ | ✔️ | ✔️ |

+> Resource deletion is **permanent** and no data, including event grid filters, phone numbers, or other data tied to your resource, can be recovered if you delete the resource.

+$groupId=$(az group show \

+$registryId=$(az acr show \

+Azure Container Instances is a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. For scenarios where you need full container orchestration, including service discovery across multiple containers, automatic scaling, and coordinated application upgrades, we recommend [Azure Kubernetes Service (AKS)](../aks/index.yml). We recommend reading through the [considerations and limitations](#considerations) and the [FAQs](./container-instances-faq.yml) to understand the best practices when deploying container instances.

+## Considerations

+There are default limits that require quota increases. Not all quota increases may be approved: [Service quotas and region availability - Azure Container Instances | Microsoft Learn](./container-instances-quotas.md)

+Different regions have different default limits, so you should consider the limits in your region: [Resource availability by region - Azure Container Instances | Microsoft Learn](./container-instances-region-availability.md)

+If your container group stops working, we suggest trying to restart your container, checking your application code, or your local network configuration before opening a [support request][azure-support].

+Container Images cannot be larger than 15 GB, any images above this size may cause unexpected behavior: [How large can my container image be?](./container-instances-faq.yml)

+Some Windows Server base images are no longer compatible with Azure Container Instances:

+[What Windows base OS images are supported?](./container-instances-faq.yml)

+If a container group restarts, the container groupΓÇÖs IP may change. We advise against using a hard coded IP address in your scenario. If you need a static public IP address, use Application Gateway: [Static IP address for container group - Azure Container Instances | Microsoft Learn](./container-instances-application-gateway.md)

+There are ports that are reserved for service functionality. We advise you not to use these ports since this will lead to unexpected behavior: [Does the ACI service reserve ports for service functionality?](./container-instances-faq.yml)

+ If youΓÇÖre having trouble deploying or running your container, first check the [Troubleshooting Guide](./container-instances-troubleshooting.md) for common mistakes and issues

+Your container groups may restart due to platform maintenance events. These maintenance events are done to ensure the continuous improvement of the underlying infrastructure: [Container had an isolated restart without explicit user input](./container-instances-faq.yml)

+ACI does not allow [privileged container operations](./container-instances-faq.yml). We advise you to not depend on using the root directory for your scenario

+[azure-support]: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest

+* Canada Central

+* East Asia

+* East US

+* North Europe

+* Norway East

+* Southeast Asia

+* West Central US

+* West Europe

+Azure Cosmos DB for PostgreSQL is a managed service for running PostgreSQL at any scale, with the [Citus open source](https://github.com/citusdata/citus) superpower of distributed tables. It stores data either on a single node, or distributed in a multi-node configuration.

+Azure Cosmos DB for PostgreSQL is built on native PostgreSQL--rather than a PostgreSQL fork--and lets you choose any major database versions supported by the PostgreSQL community. It's ideal for starting on a single-node database with rich indexing, geospatial capabilities, and JSONB support. Later, if your performance needs grow, you can add nodes to the cluster with zero downtime.

+If youΓÇÖre looking for a managed open source relational database with high performance and geo-replication, Azure Cosmos DB for PostgreSQL is the recommended choice. To learn more, see the [Azure Cosmos DB for PostgreSQL introduction](postgresql/introduction.md).

+Every time an item is stored in a container, its content is projected as a JSON document, then converted into a tree representation. This means that every property of that item gets represented as a node in a tree. A pseudo root node is created as a parent to all the first-level properties of the item. The leaf nodes contain the actual scalar values carried by an item.

+Spatial indexes can be used on correctly formatted [GeoJSON](./sql-query-geospatial-intro.md) objects. Points, LineStrings, Polygons, and MultiPolygons are currently supported. To learn how to configure spatial indexes, see [Spatial indexing policy examples](how-to-manage-indexing-policy.md#spatial-index)

+When writing queries, you should use filter predicate that uses the index as efficiently as possible. For example, if either `StartsWith` or `Contains` would work for your use case, you should opt for `StartsWith` since it will do a precise index scan instead of a full index scan.

+Since this query has an equality filter, after traversing this tree, we can quickly identify the index pages that contain the query results. In this case, the query engine would read index pages that contain Item 1. An index seek is the most efficient way to use the index. With an index seek, we only read the necessary index pages and load only the items in the query results. Therefore, the index lookup time and RU charge from index lookup are incredibly low, regardless of the total data volume.

+To execute this query, the query engine must do an index seek on `headquarters/employees` and full index scan on `headquarters/country`. The query engine has internal heuristics that it uses to evaluate the query filter expression as efficiently as possible. In this case, the query engine would avoid needing to read unnecessary index pages by doing the index seek first. If for example, only 50 items matched the equality filter, the query engine would only need to evaluate `Contains` on the index pages that contained those 50 items. A full index scan of the entire container wouldn't be necessary.

+For most queries, loading false positive index matches will not have any noticeable impact on index utilization.

+> You can track the progress of index transformation in the [Azure portal](how-to-manage-indexing-policy.md#use-the-azure-portal) or by [using one of the SDKs](how-to-manage-indexing-policy.md#dotnet-sdk).

+The RU charge is exposed by a custom database command named `getLastRequestStatistics`. The command returns a document that contains the name of the last operation executed, its request charge, and its duration. If you use the Azure Cosmos DB for MongoDB, you have multiple options for retrieving the RU charge.

+## Programmatically

+### [Mongo Shell](#tab/mongo-shell)

+When you use the Mongo shell, you can execute commands by using runCommand().

+```javascript

+db.runCommand('getLastRequestStatistics')

+```

+| `EnableUniqueCompoundNestedDocs` | Enables support for compound and unique indexes on nested fields, as long as the nested field is not an array. | No |

+Compounded indexes on nested fields are not supported by default due to limiations with arrays. If your nested field does not contain an array, the index will work as intended. If your nested field contains an array (anywhere on the path), that value will be ignored in the index.

+For example a compound index containing people.tom.age will work in this case since there's no array on the path:

+```javascript

+{ "people": { "tom": { "age": "25" }, "mark": { "age": "30" } } }

+```

+but won't won't work in this case since there's an array in the path:

+```javascript

+{ "people": { "tom": [ { "age": "25" } ], "mark": [ { "age": "30" } ] } }

+```

+This feature can be enabled for your database account by [enabling the 'EnableUniqueCompoundNestedDocs' capability](how-to-configure-capabilities.md).

+> You can't create compound indexes on arrays.

+Unique indexes on nested fields are not supported by default due to limiations with arrays. If your nested field does not contain an array, the index will work as intended. If your nested field contains an array (anywhere on the path), that value will be ignored in the unique index and uniqueness wil not be preserved for that value.

+For example a unique index on people.tom.age will work in this case since there's no array on the path:

+```javascript

+{ "people": { "tom": { "age": "25" }, "mark": { "age": "30" } } }

+```

+but won't won't work in this case since there's an array in the path:

+```javascript

+{ "people": { "tom": [ { "age": "25" } ], "mark": [ { "age": "30" } ] } }

+```

+This feature can be enabled for your database account by [enabling the 'EnableUniqueCompoundNestedDocs' capability](how-to-configure-capabilities.md).

+In addition to including or excluding paths for individual properties, you can also specify a composite index. If you would like to perform a query that has an `ORDER BY` clause for multiple properties, a [composite index](../index-policy.md#composite-indexes) on those properties is required. Additionally, composite indexes will have a performance benefit for queries that have multiple filters or both a filter and an ORDER BY clause.

+The SDK V3's fluent API lets you write this definition in a concise and efficient way when defining a custom indexing policy while creating a new container:

+# [.NET SDK V2](#tab/dotnetv2)

+The `DocumentCollection` object from the [.NET SDK v2](https://www.nuget.org/packages/Microsoft.Azure.DocumentDB/) exposes an `IndexingPolicy` property that lets you change the `IndexingMode` and add or remove `IncludedPaths` and `ExcludedPaths`.

+```csharp

+// Retrieve the container's details

+ResourceResponse<DocumentCollection> containerResponse = await client.ReadDocumentCollectionAsync(UriFactory.CreateDocumentCollectionUri("database", "container"));

+// Set the indexing mode to consistent

+containerResponse.Resource.IndexingPolicy.IndexingMode = IndexingMode.Consistent;

+// Add an included path

+containerResponse.Resource.IndexingPolicy.IncludedPaths.Add(new IncludedPath { Path = "/*" });

+// Add an excluded path

+containerResponse.Resource.IndexingPolicy.ExcludedPaths.Add(new ExcludedPath { Path = "/name/*" });

+// Add a spatial index

+containerResponse.Resource.IndexingPolicy.SpatialIndexes.Add(new SpatialSpec() { Path = "/locations/*", SpatialTypes = new Collection<SpatialType>() { SpatialType.Point } } );

+// Add a composite index

+containerResponse.Resource.IndexingPolicy.CompositeIndexes.Add(new Collection<CompositePath> {new CompositePath() { Path = "/name", Order = CompositePathSortOrder.Ascending }, new CompositePath() { Path = "/age", Order = CompositePathSortOrder.Descending }});

+// Update container with changes

+await client.ReplaceDocumentCollectionAsync(containerResponse.Resource);

+```

+To track the index transformation progress, pass a `RequestOptions` object that sets the `PopulateQuotaInfo` property to `true`.

+```csharp

+// retrieve the container's details

+ResourceResponse<DocumentCollection> container = await client.ReadDocumentCollectionAsync(UriFactory.CreateDocumentCollectionUri("database", "container"), new RequestOptions { PopulateQuotaInfo = true });

+// retrieve the index transformation progress from the result

+long indexTransformationProgress = container.IndexTransformationProgress;

+```

+{

+ "coordinates":[

+ ]

+}

+* [ST_AREA](st-area.md)

+ Title: ST_AREA in Azure Cosmos DB query language

+description: Learn about SQL system function ST_AREA in Azure Cosmos DB.

+# ST_AREA (Azure Cosmos DB)

+ Returns the total area of a GeoJSON Polygon or MultiPolygon expression. To learn more, see the [Geospatial and GeoJSON location data](geospatial-intro.md) article.

+

+## Syntax

+

+```sql

+ST_AREA (<spatial_expr>)

+```

+

+## Arguments

+

+*spatial_expr*

+ Is any valid GeoJSON Polygon or MultiPolygon object expression.

+

+## Return types

+

+ Returns the total area of a set of points. This is expressed in square meters for the default reference system.

+

+## Examples

+

+ The following example shows how to return the area of a polygon using the `ST_AREA` built-in function.

+

+```sql

+SELECT ST_AREA({

+ "type":"Polygon",

+ "coordinates":[ [

+ [ 31.8, -5 ],

+ [ 32, -5 ],

+ [ 32, -4.7 ],

+ [ 31.8, -4.7 ],

+ [ 31.8, -5 ]

+ ] ]

+}) as Area

+```

+Here is the result set.

+```json

+[

+ {

+ "Area": 735970283.0522614

+ }

+]

+```

+## Remarks

+Using the ST_AREA function to calculate the area of zero or one-dimensional figures like GeoJSON Points and LineStrings will result in an area of 0.

+> [!NOTE]

+> The GeoJSON specification requires that points within a Polygon be specified in counter-clockwise order. A Polygon specified in clockwise order represents the inverse of the region within it.

+## Next steps

+- [Spatial functions Azure Cosmos DB](spatial-functions.md)

+- [System functions Azure Cosmos DB](system-functions.md)

+- [Introduction to Azure Cosmos DB](../../introduction.md)

+ The following example shows how to return all family documents that are within 30 km of the specified location using the `ST_DISTANCE` built-in function.

+SET client_encoding TO 'UTF8';

+SET client_encoding TO 'UTF8';

+Azure Cosmos DB for PostgreSQL is available in the following Azure regions:

+ * Sweden Central

+ * Switzerland WestΓÇá

+ΓÇá This Azure region is a [restricted one](../../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies). To use it you need to request access to it by opening a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).

+Some of these regions may not be activated on all Azure

+SET client_encoding TO 'UTF8';

+- **Microsoft Customer Agreement**: A billing account for a Microsoft Customer Agreement is created when your organization works with a Microsoft representative to sign a Microsoft Customer Agreement. Some customers in select regions, who sign up through the Azure website for an [account with pay-as-you-go rates](https://azure.microsoft.com/offers/ms-azr-0003p/) or an [Azure Free Account](https://azure.microsoft.com/offers/ms-azr-0044p/) may have a billing account for a Microsoft Customer Agreement as well. You can have a maximum of 5 subscriptions in a Microsoft Customer Agreement for an individual. A Microsoft Customer Agreement for an enterprise can have up to 5000 subscriptions under it.

+## What's an associated tenant?

+An associated tenant is a tenant that is linked to your primary billing tenantΓÇÖs billing account. You can move Microsoft 365 subscriptions to these tenants. You can also assign billing account roles to users in associated billing tenants. Read more about associated tenants [Manage billing across multiple tenants using associated billing tenants](../manage/manage-billing-across-tenants.md).

+- Your billing account is associated with a single, primary tenant. Users who are part of the primary tenant or who are part of associated tenants can access your billing account if they have the appropriate billing role assigned.

+- When you create a new Azure subscription for your billing account, it's created in your tenant or one of the other tenants you have access to. You can choose the tenant while creating the subscription.

+- You can move subscriptions to other tenants. You can also link existing subscriptions from other tenants to your billing account. This flexibility allows you to centrally manage billing through one tenant while keeping resources and subscriptions in other tenants based on your needs.

+The following diagram shows how billing account and subscriptions are linked to tenants. Let's assume Contoso would like to streamline their billing management through an MCA. The Contoso MCA billing account is in Tenant 1 while Contoso PAYG account is in Tenant 2. They can use a billing ownership transfer to link the subscription to their MCA billing account. The subscription and its resources will still be associated with Tenant 2, but they're paid for using the MCA billing account.

+Billing owners can create subscriptions when they have the [appropriate permissions](../manage/understand-mca-roles.md#subscription-billing-roles-and-tasks) to the billing account. By default, any new subscriptions created under the Microsoft Customer Agreement are in the current userΓÇÖs tenant. Different tenants can be selected from the list of tenants to which the user has access to create subscriptions.

+## Assign roles to users to your Microsoft Customer Agreement

+There are three ways users with billing owner access can assign roles to users to MCA

+- Assign billing roles to users in the primary tenant

+- Assign billing roles to external users (outside of your primary tenant) if they are part of an associated tenant

+- If tenants are not associated, [create guest users in primary tenant and assign roles](#add-guest-users-to-your-microsoft-customer-agreement-tenant).

+

+

+

+ # [Azure Data Factory](#tab/data-factory)

+ :::image type="content" source="media/connector-github/new-linked-service.png" alt-text="Screenshot of creating a new linked service with Azure Data Factory UI.":::

+ # [Azure Synapse](#tab/synapse-analytics)

+ :::image type="content" source="media/connector-github/new-linked-service-synapse.png" alt-text="Screenshot of creating a new linked service with Azure Synapse UI.":::

+

+Create a [source dataset](data-flow-source.md) in mapping data flow.

+- An Azure subscription linked to Azure DevOps Server (formerly Visual Studio Team Foundation Server) or Azure Repos that uses the [Azure Resource Manager service endpoint](/azure/devops/pipelines/library/service-endpoints#sep-azure-resource-manager).

+- **Exposure control and feature flags**. When working in a team, there are instances where you may merge changes, but don't want them to be run in elevated environments such as PROD and QA. To handle this scenario, the ADF team recommends [the DevOps concept of using feature flags](/devops/operate/progressive-experimentation-feature-flags). In ADF, you can combine [global parameters](author-global-parameters.md) and the [if condition activity](control-flow-if-condition-activity.md) to hide sets of logic based upon these environment flags.

+1. Search for _Set Variable_ in the pipeline Activities pane, and drag a Set Variable activity to the pipeline canvas.

+1. Select the Set Variable activity on the canvas if it is not already selected, and its **Variables** tab, to edit its details.

+1. Enter an expression to set the value for the variables. This expression can be a literal string expression, or any combination of dynamic [expressions, functions](control-flow-expression-language-functions.md), [system variables](control-flow-system-variables.md), or [outputs from other activities](how-to-expression-language-functions.md#examples-of-using-parameters-in-expressions).

+A common scenario involving variables is using a variable as an iterator within an until or foreach activity. In a set variable activity, you cannot reference the variable being set in the `value` field. To work around this limitation, set a temporary variable and then create a second set variable activity. The second set variable activity sets the value of the iterator to the temporary variable.

+description: The Validation activity in Azure Data Factory and Synapse Analytics delays execution of the pipeline until a dataset is validated with user-defined criteria.

+"name": "Validation_Activity",

+"type": "Validation",

+"typeProperties": {

+"dataset": {

+"referenceName": "Storage_File",

+"type": "DatasetReference"

+},

+"timeout": "0.12:00:00",

+"sleep": 10,

+"minimumSize": 20

+}

+"name": "Validation_Activity_Folder",

+"type": "Validation",

+"typeProperties": {

+"dataset": {

+"referenceName": "Storage_Folder",

+"type": "DatasetReference"

+},

+"timeout": "0.12:00:00",

+"sleep": 10,

+"childItems": true

+}

+|Property | Description | Allowed values | Required|

+|-- | -- | -- | --|

+|name | Name of the 'Validation' activity | String | Yes |

+|type | Must be set to **Validation**. | String | Yes |

+|dataset | Activity will block execution until it has validated this dataset reference exists and that it meets the specified criteria, or timeout has been reached. Dataset provided should support "MinimumSize" or "ChildItems" property. | Dataset reference | Yes |

+|timeout | Specifies the timeout for the activity to run. If no value is specified, default value is 12 hours ("0.12:00:00"). Format is d.hh:mm:ss | String | No |

+|sleep | A delay in seconds between validation attempts. If no value is specified, default value is 10 seconds. | Integer | No |

+|childItems | Checks if the folder has child items. Can be set to-true : Validate that the folder exists and that it has items. Blocks until at least one item is present in the folder or timeout value is reached.-false: Validate that the folder exists and that it is empty. Blocks until folder is empty or until timeout value is reached. If no value is specified, activity will block until the folder exists or until timeout is reached. | Boolean | No |

+|minimumSize | Minimum size of a file in bytes. If no value is specified, default value is 0 bytes | Integer | No |

+- [Until Activity](control-flow-until-activity.md)

+> [!NOTE]

+> In case if a self-hosted integration runtime is used in either source or sink data store within a copy activity, than both the source and sink must be accessible from the server hosting the integartion runtime for the copy activity to be successful.

+```

+ :::image type="content" source="media/create-azure-integration-runtime/get-started-page-manage-button.png" alt-text="Screenshot showing the home page Manage button.":::

+ :::image type="content" source="media/doc-common-process/get-started-page-manage-button-synapse.png" alt-text="Screenshot showing the home page Manage button.":::

+

+

+1. Select **Integration runtimes** on the left pane, and then select **+New**.

+

+ :::image type="content" source="media/create-azure-integration-runtime/manage-new-integration-runtime.png" alt-text="Screenshot that highlights integration runtimes in the left pane and the +New button.":::

+ :::image type="content" source="media/doc-common-process/manage-new-integration-runtime-synapse.png" alt-text="Screenshot that highlights integration runtimes in the left pane and the +New button.":::

+

+

+1. On the **Integration runtime setup** page, select **Azure, Self-Hosted**, and then select **Continue**.

+ :::image type="content" source="media/create-azure-integration-runtime/integration-runtime-setup.png" alt-text="Screenshot showing the Azure self-hosted integration runtime option.":::

+ :::image type="content" source="media/create-azure-integration-runtime/new-azure-integration-runtime.png" alt-text="Screenshot that shows create an Azure integration runtime.":::

+ :::image type="content" source="media/create-azure-integration-runtime/create-azure-integration-runtime.png" alt-text="Screenshot that shows the final step to create the Azure integration runtime.":::

+ :::image type="content" source="media/create-azure-integration-runtime/integration-runtime-in-the-list.png" alt-text="Screenshot showing the Azure integration runtime in the list.":::

+

+ > The Storage Event Trigger currently supports only Azure Data Lake Storage Gen2 and General-purpose version 2 storage accounts. If you are working with SFTP Storage Events you need to specify the SFTP Data API under the filtering section too. Due to an Azure Event Grid limitation, Azure Data Factory only supports a maximum of 500 storage event triggers per storage account. If you hit the limit, please contact support for recommendations and increasing the limit upon evaluation by Event Grid team.

+You can achieve greater data movement speeds by applying different levels of parallelism:

+In Data Factory, the [Data Lake Storage Gen1 connector](connector-azure-data-lake-store.md) supports service principal and managed identity for Azure resource authentications. The [Data Lake Storage Gen2 connector](connector-azure-data-lake-storage.md) supports account key, service principal, and managed identity for Azure resource authentications. To make Data Factory able to navigate and copy all the files or access control lists (ACLs) you will need to grant high enough permissions to the account to access, read, or write all files and set ACLs if you choose to. You should grant the account a super-user or owner role during the migration period and remove the elevated permissions once the migration is completed.

+> [Azure Data Lake Storage Gen2 connector](connector-azure-data-lake-storage.md)

+ Title: Programmatically monitor an Azure Data Factory

+# Programmatically monitor an Azure Data Factory

+> [!NOTE]

+> In data flow expressions, string interpolation (substituting variables inside of the string) is not supported. Instead, concatenate the expression into string values. For example, `'string part 1' + $variable + 'string part 2'`

+ Title: Create an Azure Data Factory using REST API

+description: Create an Azure Data Factory pipeline to copy data from one location in Azure Blob storage to another location.

+# Quickstart: Create an Azure Data Factory and pipeline by using the REST API

+This quickstart describes how to use REST API to create an Azure Data Factory. The pipeline in this data factory copies data from one location to another location in an Azure blob storage.

+* The name of the Azure Data Factory must be globally unique. If you receive the following error, change the name and try again.

+Learn how to use Azure Data Factory to copy data from one location to another with the [Hello World - How to copy data](quickstart-hello-world-copy-data-tool.md) tutorial.

+In this tutorial, you create an Azure Data Factory with a pipeline that loads delta data from multiple tables in a SQL Server database to a database in Azure SQL Database.

+ The name of the Azure Data Factory must be **globally unique**. If you see a red exclamation mark with the following error, change the name of the data factory (for example, yournameADFIncCopyTutorialDF) and try creating again. See [Data Factory - Naming Rules](naming-rules.md) article for naming rules for Data Factory artifacts.

+>[Incrementally load data from Azure SQL Database to Azure Blob storage by using Change Tracking technology](tutorial-incremental-copy-change-tracking-feature-portal.md)

+| Table.TransformColumnTypes | This is supported in most cases. The following scenarios are unsupported: transforming string to currency type, transforming string to time type, transforming string to Percentage type and tranfoming with locale. |

+| Memory: usable | 96 GB RAM |

+ Copy files to a folder within *AzureFile* folder. All files under *AzureFile* folder will be uploaded as files to a default container of type ΓÇ£databox-format-GuidΓÇ¥ (ex: databox-azurefile-7ee19cfb3304122d940461783e97bf7b4290a1d7).

+- [Identify vulnerabilities in images in Azure container registries](defender-for-containers-va-acr.md)

+- [Identify vulnerabilities in images in AWS Elastic Container Registry](defender-for-containers-va-ecr.md)

+This article explains how to use Defender for Containers to scan the container images stored in your Azure Resource Manager-based Azure Container Registry, as part of the protections provided within Microsoft Defender for Cloud.

+When a scan is triggered, findings are available as Defender for Cloud recommendations from 2 minutes up to 15 minutes after the scan is complete.

+Also, check out the ability scan container images for vulnerabilities as the images are built in your CI/CD GitHub workflows. Learn more in [Defender for DevOps](defender-for-devops-introduction.md).

+## Prerequisites

+Before you can scan your ACR images:

+- [Enable Defender for Containers](defender-for-containers-enable.md) for your subscription. Defender for Containers is now ready to scan images in your registries.

+- If you want to find vulnerabilities in images stored in other container registries, you can import the images into ACR and scan them.

+ Use the ACR tools to bring images to your registry from Docker Hub or Microsoft Container Registry. When the import completes, the imported images are scanned by the built-in vulnerability assessment solution.

+ You can also [scan images in Amazon AWS Elastic Container Registry](defender-for-containers-va-ecr.md) directly from the Azure portal.

+For a list of the types of images and container registries supported by Microsoft Defender for Containers, see [Availability](supported-machines-endpoint-solutions-clouds-containers.md?tabs=azure-aks#registries-and-images).

+To enable scanning of vulnerabilities in containers, you have to [connect your AWS account to Defender for Cloud](quickstart-onboard-aws.md) and [enable Defender for Containers](defender-for-containers-enable.md). The agentless scanner, powered by the open-source scanner Trivy, scans your ECR repositories and reports vulnerabilities.

+Defender for Containers creates resources in your AWS account to build an inventory of the software in your images. The scan then sends only the software inventory to Defender for Cloud. This architecture protects your information privacy and intellectual property, and also keeps the outbound network traffic to a minimum. Defender for Containers creates an ECS cluster in a dedicated VPC, an internet gateway, and an S3 bucket in the us-east-1 and eu-central-1 regions to build the software inventory.

+Defender for Cloud filters and classifies findings from the software inventory that the scanner creates. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.

+- You must have at least one free VPC in the `us-east-1` and `eu-central-1` regions to host the AWS resources that build the software inventory.

+For a list of the types of images not supported by Microsoft Defender for Containers, see [Availability](supported-machines-endpoint-solutions-clouds-containers.md?tabs=aws-eks#images).

+1. Select **Save** > **Next: Configure access**.

+- Identity recommendations don't support Azure AD conditional access policies with included Directory Roles instead of users and groups.

+- [Protecting your network in Microsoft Defender for Cloud](protect-network-resources.md)

+| OS Packages | **Supported** <br> ΓÇó Alpine Linux 3.12-3.15 <br> ΓÇó Red Hat Enterprise Linux 6, 7, 8 <br> ΓÇó CentOS 6, 7 <br> ΓÇó Oracle Linux 6, 7, 8 <br> ΓÇó Amazon Linux 1, 2 <br> ΓÇó openSUSE Leap 42, 15 <br> ΓÇó SUSE Enterprise Linux 11, 12, 15 <br> ΓÇó Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye <br> ΓÇó Ubuntu 10.10-22.04 <br> ΓÇó FreeBSD 11.1-13.1 <br> ΓÇó Fedora 32, 33, 34, 35|

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you'll need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+Defender for Containers relies on the Defender profile\extension for several features. The Defender profile\extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+## Additional environment information

+### Images

+| Aspect | Details |

+|--|--|

+| Registries and images | **Unsupported** <br>ΓÇó Images that have at least one layer over 2 GB<br> ΓÇó Public repositories and manifest lists <br>ΓÇó Images in the AWS management account aren't scanned so that we don't create resources in the management account. |

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you'll need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+Defender for Containers relies on the Defender profile\extension for several features. The Defender profile\extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you'll need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+Defender for Containers relies on the Defender profile\extension for several features. The Defender profile\extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+| OS Packages | **Supported** <br> ΓÇó Alpine Linux 3.12-3.15 <br> ΓÇó Red Hat Enterprise Linux 6, 7, 8 <br> ΓÇó CentOS 6, 7 <br> ΓÇó Oracle Linux 6, 7, 8 <br> ΓÇó Amazon Linux 1, 2 <br> ΓÇó openSUSE Leap 42, 15 <br> ΓÇó SUSE Enterprise Linux 11, 12, 15 <br> ΓÇó Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye <br> ΓÇó Ubuntu 10.10-22.04 <br> ΓÇó FreeBSD 11.1-13.1 <br> ΓÇó Fedora 32, 33, 34, 35|

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you'll need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+Defender for Containers relies on the Defender profile\extension for several features. The Defender profile\extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+Here's an example of a schema that might be used to represent shared data. The example follows the Azure Data Explorer [data history schema](concepts-data-history.md#data-schema).

+## Resources and data flow

+### History from multiple Azure Digital Twins instances

+If you'd like, you can have multiple Azure Digital Twins instances historize twin property updates to the same Azure Data Explorer cluster.

+Each Azure Digital Twins instance will have its own data history connection targeting the same Azure Data Explorer cluster. Within the cluster, instances can send their twin data to either...

+* **different tables** in the Azure Data Explorer cluster.

+* **the same table** in the Azure Data Explorer cluster. To do this, specify the same Azure Data Explorer table name while [creating the data history connections](how-to-use-data-history.md#set-up-data-history-connection). In the [data history table schema](#data-schema), the `ServiceId` column will contain the URL of the source Azure Digital Twins instance, so you can use this field to resolve which Azure Digital Twins instance emitted each record.

+## Required permissions

+Once all the [resources](#resources-and-data-flow) and [permissions](#required-permissions) are set up, you can use the [Azure CLI](/cli/azure/what-is-azure-cli), [Azure portal](https://portal.azure.com), or the [Azure Digital Twins SDK](concepts-apis-sdks.md) to create the data history connection between them. The CLI command set is [az dt data-history](/cli/azure/dt/data-history).

+Use the command in this section to create a data history connection.

+By default, this command assumes all resources are in the same resource group as the Azure Digital Twins instance. You can specify resources that are in different resource groups using the parameter options for this command, which can be displayed by running `az dt data-history connection create adx -h`. You can also see the full list of optional parameters, including how to specify a table name and more, in its reference documentation: [az dt data-history connection create adx](/cli/azure/dt/data-history/connection/create#az-dt-data-history-connection-create-adx).

+The command below uses several local variables (`$connectionname`, `$dtname`, `$clustername`, `$databasename`, `$eventhub`, and `$eventhubnamespace`) that were created earlier in [Set up local variables for CLI session](#set-up-local-variables-for-cli-session).

+1. Open the "Data Partitions" menu-item from left-panel of MEDS overview page.

+2. Select "Create".

+3. Choose a name for your data partition.

+In this article, you'll learn how to start collecting Airflow Logs for your Microsoft Energy Data Services instances into Azure Monitor. This integration feature helps you debug Airflow DAG ([Directed Acyclic Graph](https://airflow.apache.org/docs/apache-airflow/stable/concepts/dags.html)) run failures.

+| Part | Description |

+1. Open Microsoft Energy Data Services' *Overview* page

+1. Select *Diagnostic Settings* from the left panel

+1. Select *Add diagnostic setting*

+1. Select *Airflow Task Logs* under Logs

+1. Select *Archive to a storage account*

+1. Navigate through *Containers*, available on the left panel.

+Use Kusto Query Language (KQL) to retrieve desired data on collected Airflow logs from your Log Analytics Workspace.

+In this article, you'll learn how to start collecting Elasticsearch logs for your Microsoft Energy Data Services instances in Azure Monitor. This integration feature is developed to help you debug Elasticsearch related issues inside Azure Monitor.

+- You need to have a Log Analytics workspace. It will be used to query the Elasticsearch logs dataset using the Kusto Query Language (KQL) query editor in the Log Analytics workspace. [Create a log Analytics workspace in Azure portal](../azure-monitor/logs/quick-create-workspace.md).

+| Part | Description |

+1. Choose Subscription and the Log Analytics workspace name. You would have created it already as a prerequisite.

+1. Choose Subscription and storage account name. You would have created it already as a prerequisite.

+The Microsoft Energy Data Services Preview DDMS service enables energy companies to access their data in a manner that is fast, portable, testable and extendible. As a result, they'll achieve unparalleled streaming performance and use the standards and output from OSDU&trade;. The Azure DDMS service will onboard the OSDU&trade; DDMS and SLB proprietary DMS. Microsoft also continues to contribute to the OSDU&trade; community DDMS to ensure compatibility and architectural alignment.

+Well Logs are measurements taken while drilling, which tells energy companies information about the subsurface. Ultimately, they reveal whether hydrocarbons are present (or if the well is dry). Logs contain many attributes that inform geoscientists about the type of rock, its quality, and whether it contains oil, water, gas, or a mix. Energy companies use these attributes to determine the quality of a reservoir ΓÇô how much oil or gas is present, its quality, and ultimately, economic viability. Maintaining Well Log data and ensuring easy access to historical logs is critical to energy companies. The Wellbore DMS facilitates access to this data in any OSDU&trade; compliant application. The Wellbore DMS was contributed by SLB to OSDU&trade;.

+Microsoft Energy Data Services Preview is a secure, reliable, hyperscale, fully managed cloud-based data platform solution for the energy industry. It is an enterprise-grade data platform that brings together the capabilities of OSDU&trade; Data Platform, Microsoft's secure and trusted Azure cloud platform, and SLB's extensive domain expertise. It allows customers to free data from silos, provides strong data management, storage, and federation strategy. Microsoft Energy Data Services ensures compatibility with evolving community standards like OSDU&trade; and enables value addition through interoperability with both first-party and third-party solutions.

+As an Azure-based service, it also provides elasticity with auto-scaling to handle dynamically varying workload requirements. The service provides out-of-the-box compatibility and built-in integration with industry-leading applications from SLB, including Petrel to provide quick time to value.

+- [SAP](subscribe-to-sap-events.md)

+ Title: Azure Event Grid - Subscribe to SAP events

+description: This article explains how to subscribe to events published by SAP.

+# Subscribe to events published by SAP

+This article describes steps to subscribe to events published by an SAP S/4HANA system.

+## High-level steps

+The common steps to subscribe to events published by any partner, including SAP, are described in [subscribe to partner events](subscribe-to-partner-events.md). For your quick reference, the steps are provided again here with the addition of a step to make sure that your SAP system has the required components. This article deals with steps 1 and 3.

+1. [Ensure you meet all prerequisites](#prerequisites).

+1. Register the Event Grid resource provider with your Azure subscription.

+1. Authorize partner to create a partner topic in your resource group.

+1. [Enable SAP S/4HANA events to flow to a partner topic](#enable-events-to-flow-to-your-partner-topic).

+1. Activate partner topic so that your events start flowing to your partner topic.

+1. Subscribe to events.

+## Prerequisites

+Following are the prerequisites that your system needs to meet before attempting to configure your SAP system to send events to Azure Event Grid.

+1. SAP S/4HANA system (on-premises) version 2020 or later.

+1. SAP's [Business Technology Platform](https://www.sap.com/products/technology-platform.html)(BTP).

+1. On the Business Technology Platform, [SAP Event Mesh](https://help.sap.com/docs/SAP_EM/bf82e6b26456494cbdd197057c09979f/df532e8735eb4322b00bfc7e42f84e8d.html) is enabled.

+If you have any questions, contact us at <a href="mailto:ask-grid-and-ms-sap@microsoft.com">ask-grid-and-ms-sap@microsoft.com</a>

+## Enable events to flow to your partner topic

+SAP's capability to send events to Azure Event Grid is available through SAP's [beta program](https://influence.sap.com/sap/ino/#campaign/3314). Using this program, you can let SAP know about your desire to have your S4/HANA events available on Azure. You can find the SAP's announcement of this new feature [here](https://blogs.sap.com/2022/10/11/sap-event-mesh-event-bridge-to-microsoft-azure-to-go-beta/). Through SAP's Beta program, you'll be provided with the documentation on how to configure your SAP S4/HANA system to flow events to Event Grid. At at that point, you may proceed with the next step in the process described in the [High-level steps](#high-level-steps) section.

+SAP's BETA program started in October 2022 and will last a couple of months. Thereafter, the feature will be released by SAP as a generally available (GA) capability. Event Grid's capability to receive events from a partner, like SAP, is already a GA feature.

+If you have any questions, you can contact us at <a href="mailto:ask-grid-and-ms-sap@microsoft.com">ask-grid-and-ms-sap@microsoft.com</a>.

+## Next steps

+See [subscribe to partner events](subscribe-to-partner-events.md).

+### Inbound vs. outbound

+An **inbound** firewall rule protects your network from threats that originate from outside your network (traffic sourced from the Internet) and attempts to infiltrate your network inwardly.

+An **outbound** firewall rule protects against nefarious traffic that originates internally (traffic sourced from a private IP address within Azure) and travels outwardly. This is usually traffic from within Azure resources being redirected via the Firewall before reaching a destination.

+### Rule types

+#### DNAT rules

+#### Network rules

+#### Application rules

+| MultiDelimitSerDe returns wrong results in last column when the loaded file has more columns than the onc is present in table schema|[HIVE-22360](https://issues.apache.org/jira/browse/HIVE-22360)|

+| Update repo URLs in poms - branch 3.1 version|[HIVE-21786](https://issues.apache.org/jira/browse/HIVE-21786)|

+HDInsight 3.6 version is deprecated effective Oct 01, 2022.

+As customer scenarios grow more mature and diverse, we've identified some limitations with Interactive Query (LLAP) load-based Autoscale. These limitations are caused by the nature of LLAP query dynamics, future load prediction accuracy issues, and issues in the LLAP scheduler's task redistribution. Due to these limitations, users may see their queries run slower on LLAP clusters when Autoscale is enabled. The effect on performance can outweigh the cost benefits of Autoscale.

+A pricing error was corrected on April 25, 2021, for the Dv2 VM series on HDInsight. The pricing error resulted in a reduced charge on some customer's bills prior to April 25, and with the correction, prices now match what had been advertised on the HDInsight pricing page and the HDInsight pricing calculator. The pricing error impacted customers in the following regions who used Dv2 VMs:

+HDInsight 3.6 will continue to run on Ubuntu 16.04. It will change to Basic support (from Standard support) beginning 1 July 2021. For more information about dates and support options, see [Azure HDInsight versions](./hdinsight-component-versioning.md#supported-hdinsight-versions). Ubuntu 18.04 won't be supported for HDInsight 3.6. If you'd like to use Ubuntu 18.04, you'll need to migrate your clusters to HDInsight 4.0.

+HDInsight cluster Head Node is responsible for initializing and managing the cluster. Standard_A5 VM size has reliability issues as Head Node for HDInsight 4.0. Starting from this release, customers won't be able to create new clusters with Standard_A5 VM size as Head Node. You can use other two-core VMs like E2_v3 or E2s_v3. Existing clusters will run as is. A four-core VM is highly recommended for Head Node to ensure the high availability and reliability of your production HDInsight clusters.

+As customer scenarios grow more mature and diverse, we've identified some limitations with Interactive Query (LLAP) load-based Autoscale. These limitations are caused by the nature of LLAP query dynamics, future load prediction accuracy issues, and issues in the LLAP scheduler's task redistribution. Due to these limitations, users may see their queries run slower on LLAP clusters when Autoscale is enabled. The effect on performance can outweigh the cost benefits of Autoscale.

+HDInsight now uses Azure virtual machines to provision the cluster. The service is gradually migrating to [Azure virtual machine scale sets](../virtual-machine-scale-sets/overview.md). This migration will change the cluster host name FQDN name format, and the numbers in the host name won't be guarantee in sequence. If you want to get the FQDN names for each node, refer to [Find the Host names of Cluster Nodes](./find-host-name.md).

+As customer scenarios grow more mature and diverse, we've identified some limitations with Interactive Query (LLAP) load-based Autoscale. These limitations are caused by the nature of LLAP query dynamics, future load prediction accuracy issues, and issues in the LLAP scheduler's task redistribution. Due to these limitations, users may see their queries run slower on LLAP clusters when Autoscale is enabled. The impact on performance can outweigh the cost benefits of Autoscale.

+HDInsight 3.6 will continue to run on Ubuntu 16.04. It will reach the end of standard support by 30 June 2021, and will change to Basic support starting on 1 July 2021. For more information about dates and support options, see [Azure HDInsight versions](./hdinsight-component-versioning.md#supported-hdinsight-versions). Ubuntu 18.04 won't be supported for HDInsight 3.6. If youΓÇÖd like to use Ubuntu 18.04, youΓÇÖll need to migrate your clusters to HDInsight 4.0.

+ItΓÇÖs highly recommended that you test your script actions and custom applications deployed on edge nodes on an Ubuntu 18.04 virtual machine (VM) in advance. You can [create Ubuntu Linux VM on 18.04-LTS](https://azure.microsoft.com/resources/templates/vm-simple-linux/), then create and use a [secure shell (SSH) key pair](../virtual-machines/linux/mac-create-ssh-keys.md#ssh-into-your-vm) on your VM to run and test your script actions and custom applications deployed on edge nodes.

+HDInsight cluster Head Node is responsible for initializing and managing the cluster. Standard_A5 VM size has reliability issues as Head Node for HDInsight 4.0. Starting from the next release in May 2021, customers won't be able to create new clusters with Standard_A5 VM size as Head Node. You can use other 2-core VMs like E2_v3 or E2s_v3. Existing clusters will run as is. A 4-core VM is highly recommended for Head Node to ensure the high availability and reliability of your production HDInsight clusters.

+Starting from July 1 2020, customers can't create new Spark clusters with Spark 2.1 and 2.2 on HDInsight 3.6. Existing clusters will run as is without the support from Microsoft. Consider to move to Spark 2.3 on HDInsight 3.6 by June 30 2020 to avoid potential system/support interruption.

+Starting from July 1 2020, customers can't create new Spark clusters with Spark 2.3 on HDInsight 4.0. Existing clusters will run as is without the support from Microsoft. Consider moving to Spark 2.4 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption.

+Starting from July 1 2020, customers won't be able to create new Kafka clusters with Kafka 1.1 on HDInsight 4.0. Existing clusters will run as is without the support from Microsoft. Consider moving to Kafka 2.1 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption.

+Starting from July 1 2020, customers can't create new Spark clusters with Spark 2.1 and 2.2 on HDInsight 3.6. Existing clusters will run as is without the support from Microsoft. Consider to move to Spark 2.3 on HDInsight 3.6 by June 30 2020 to avoid potential system/support interruption.

+Starting from July 1 2020, customers can't create new Spark clusters with Spark 2.3 on HDInsight 4.0. Existing clusters will run as is without the support from Microsoft. Consider moving to Spark 2.4 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption.

+Starting from July 1 2020, customers won't be able to create new Kafka clusters with Kafka 1.1 on HDInsight 4.0. Existing clusters will run as is without the support from Microsoft. Consider moving to Kafka 2.1 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption.

+Starting from July 1 2020, customers can't create new Spark clusters with Spark 2.1 and 2.2 on HDInsight 3.6. Existing clusters will run as is without the support from Microsoft. Consider to move to Spark 2.3 on HDInsight 3.6 by June 30 2020 to avoid potential system/support interruption.

+Starting from July 1 2020, customers can't create new Spark clusters with Spark 2.3 on HDInsight 4.0. Existing clusters will run as is without the support from Microsoft. Consider moving to Spark 2.4 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption.

+Starting from July 1 2020, customers won't be able to create new Kafka clusters with Kafka 1.1 on HDInsight 4.0. Existing clusters will run as is without the support from Microsoft. Consider moving to Kafka 2.1 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption.

+Previously, with cluster creation, customers can create a new service principal to access the connected ADLS Gen 1 account in Azure portal. Starting June 15 2020, customers can't create new service principal in HDInsight creation workflow, only existing service principal is supported. See [Create Service Principal and Certificates using Azure Active Directory](../active-directory/develop/howto-create-service-principal-portal.md).

+There's an issue for Hive Warehouse Connector in this release. The fix will be included in the next release. Existing clusters created before this release are not impacted. Avoid dropping and recreating the cluster if possible. Open support ticket if you need further help on this.

+Starting July 1, 2020, customers won't be able to create new Spark clusters with Spark 2.1 and 2.2 on HDInsight 3.6. Existing clusters will run as is without support from Microsoft. Consider moving to Spark 2.3 on HDInsight 3.6 by June 30, 2020 to avoid potential system/support interruption.

+Starting July 1, 2020, customers won't be able to create new Spark clusters with Spark 2.3 on HDInsight 4.0. Existing clusters will run as is without support from Microsoft. Consider moving to Spark 2.4 on HDInsight 4.0 by June 30, 2020 to avoid potential system/support interruption.

+Starting July 1 2020, customers won't be able to create new Kafka clusters with Kafka 1.1 on HDInsight 4.0. Existing clusters will run as is without support from Microsoft. Consider moving to Kafka 2.1 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption. For more information, see [Migrate Apache Kafka workloads to Azure HDInsight 4.0](./kafk).

+From this release, the use of Dv1 VMs with HDInsight is deprecated. Any customer request for Dv1 will be served with Dv2 automatically. There's no price difference between Dv1 and Dv2 VMs.

+There's no component version change for this release. You could find the current component versions for HDInsight 4.0 and HDInsight 3.6 [here](./hdinsight-component-versioning.md).

+- [HDFS-11711](https://issues.apache.org/jira/browse/HDFS-11711): DN shouldn't delete the block On "Too many open files" Exception.

+- [KAFKA-6185](https://issues.apache.org/jira/browse/KAFKA-6185): Selector memory leak with high likelihood of OOM if there's a down conversion.

+- There's a small possibility that some Mahout jobs may encounter "ClassNotFoundException" or "could not load class" errors related to "org.apache.commons.httpclient", "net.java.dev.jets3t", or related class name prefixes. If these errors happen, you may consider whether to manually install the needed jars in your classpath for the job, if the risk of security issues in the obsolete library is acceptable in your environment.

+- There's an even smaller possibility that some Mahout jobs may encounter crashes in Mahout's hbase-client code calls to the hadoop-common libraries, due to binary compatibility problems. Regrettably, there's no way to resolve this issue except revert to the HDP-2.4.2 version of Mahout, which may have security issues. Again, this should be unusual, and is unlikely to occur in any given Mahout job suite.

+- [PHOENIX-3452](https://issues.apache.org/jira/browse/PHOENIX-3452): NULLS FIRST/NULL LAST shouldn't impact whether GROUP BY is order preserving.

+- [PHOENIX-4560](https://issues.apache.org/jira/browse/PHOENIX-4560): ORDER BY with GROUP BY doesn't work if there's WHERE on pk column.

+- [SPARK-23434](https://issues.apache.org/jira/browse/SPARK-23434): Spark shouldn't warn \`metadata directory\` for a HDFS file path.

+- [SPARK-23524](https://issues.apache.org/jira/browse/SPARK-23524): Big local shuffle blocks shouldn't be checked for corruption.

+- [SPARK-23553](https://issues.apache.org/jira/browse/SPARK-23553): Tests shouldn't assume the default value of \`spark.sql.sources.default\`.

+- [SPARK-23628](https://issues.apache.org/jira/browse/SPARK-23628): calculateParamLength shouldn't return 1 + num of expressions.

+| BUG-93946 | [ATLAS-2319](https://issues.apache.org/jira/browse/ATLAS-2319) | UI: Deleting a tag, which at 25+ position in the tag list in both Flat and Tree structure needs a refresh to remove the tag from the list. |

+| BUG-97223 | [SPARK-23434](https://issues.apache.org/jira/browse/SPARK-23434) | Spark shouldn't warn \`metadata directory\` for a HDFS file path |

+| BUG-100834 | [PHOENIX-4658](https://issues.apache.org/jira/browse/PHOENIX-4658) | IllegalStateException: requestSeek can't be called on ReversedKeyValueHeap |

+| BUG-98353 | [HADOOP-13707](https://issues.apache.org/jira/browse/HADOOP-13707) | Revert of "If kerberos is enabled while HTTP SPNEGO isn't configured, some links can't be accessed" |

+| BUG-93485 | N/A | can'tcan'tCan't get table mytestorg.apache.hadoop.hive.ql.metadata.InvalidTableException: Table not found when running analyze table on columns in LLAP |

+| BUG-95200 | [HDFS-13061](https://issues.apache.org/jira/browse/HDFS-13061) | SaslDataTransferClient\#checkTrustAndSend shouldn'tshould'n trust a partially trusted channel |

+|Spark |[**HIVE-12505**](https://issues.apache.org/jira/browse/HIVE-12505) |Spark job completes successfully but there's an HDFS disk quota full error |**Scenario:** Running **insert overwrite** when a quota is set on the Trash folder of the user who runs the command.<br /><br />**Previous Behavior:** The job succeeds even though it fails to move the data to the Trash. The result can wrongly contain some of the data previously present in the table.<br /><br />**New Behavior:** When the move to the Trash folder fails, the files are permanently deleted.|

+ 2. Find out definition of renderPolicyCondtion function (line no: 404).

+ 3. Remove following line from that function i.e under display function(line no: 434)

+ 2. Permissions on /hdp are currently not set to 751. This needs to be set to

+- **OMS Portal:** We've removed the link from HDInsight resource page that was pointing to OMS portal. Azure Monitor logs initially used its own portal called the OMS portal to manage its configuration and analyze collected data. All functionality from this portal has been moved to the Azure portal where it will continue to be developed. HDInsight has deprecated the support for OMS portal. Customers will use HDInsight Azure Monitor logs integration in Azure portal.

+* The cluster version is [Retired](hdinsight-retired-versions.md) or if you're having a cluster issue that would be resolved with a newer version.

+# Create a Kafka 2.4.0 cluster

+$kafkaConfig.Add("kafka", "2.4.0")

+### Destination settings

+ "errorHref": "https://dicomexport.blob.core.windows.net/export/4853cda8c05c44e497d2bc071f8e92c4/errors.log",

+| Export is GA |The export feature for the DICOM service is now generally available. Export enables a user-supplied list of studies, series, and/or instances to be exported in bulk to an Azure Storage account. Learn more about the [export feature](dicom/export-dicom-files.md). |

+ Title: Overview of Azure IoT Hub Device Provisioning Service

+description: Describes production scale device provisioning in Azure with the Device Provisioning Service (DPS) and IoT Hub

+Many of the manual steps traditionally involved in provisioning are automated with DPS to reduce the time to deploy IoT devices and lower the risk of manual error. The following diagram describes what goes on behind the scenes to get a device provisioned. The first step is manual, all of the following steps are automated.

+Before the device provisioning flow begins, there are two manual steps to prepare. On the device side, the device manufacturer prepares the device for provisioning by preconfiguring it with its authentication credentials and assigned Device Provisioning Service ID and endpoint. On the cloud side, you or the device manufacturer prepares the Device Provisioning Service instance with individual enrollments and enrollments groups that identify valid devices and define how they should be provisioned.

+Once the device and cloud are set up for provisioning, the following steps kick off automatically as soon as the device powers on for the first time:

+1. When the device first powers on, it connects to the DPS endpoint and presents it authentication credentials.

+1. The DPS instance checks the identity of the device against its enrollment list. Once the device identity is verified, DPS assigns the device to an IoT hub and registers it in the hub.

+1. The DPS instance receives the device ID and registration information from the assigned hub and passes that information back to the device.

+1. The device uses its registration information to connect directly to its assigned IoT hub and authenticate.

+1. Once authenticated, the device and IoT hub begin communicating directly. The DPS instance has no further role as an intermediary unless the device needs to reprovision.

+Provisioning of nested IoT Edge devices (parent/child hierarchies) is not currently supported by DPS.

+After the service has been configured for automatic provisioning, it must be prepared to enroll devices. This step is done by the device operator, who knows the desired configuration of the device(s) and is in charge of making sure the provisioning service can properly attest to the device's identity when it looks for its IoT hub. The device operator takes the identifying key information from the manufacturer and adds it to the enrollment list. There can be subsequent updates to the enrollment list as new entries are added or existing entries are updated with the latest information about the devices.

+* **Multiple allocation policies** to control how DPS assigns devices to IoT hubs in support of your scenarios: Lowest latency, evenly weighted distribution (default), and static configuration. Latency is determined using the same method as [Traffic Manager](../traffic-manager/traffic-manager-routing-methods.md#performance). Custom allocation, which lets you implement your own allocation policies via webhooks hosted in Azure Functions is also supported.

+You can learn more about the concepts and features involved in device provisioning by reviewing the [DPS terminology](concepts-service.md) article along with the other conceptual articles in the same section.

+Just like all Azure IoT services, DPS works cross-platform with various operating systems. Azure offers open-source SDKs in various [languages](https://github.com/Azure/azure-iot-sdks) to facilitate connecting devices and managing the service. DPS supports the following protocols for connecting devices:

+- [Provision devices across IoT Hubs](how-to-use-allocation-policies.md)

+The service operations endpoint is the endpoint for managing the service settings and maintaining the enrollment list. This endpoint is only used by the service administrator; it isn't used by devices.

+DPS can only provision devices to IoT hubs that have been linked to it. Linking an IoT hub to a DPS instance gives the service read/write permissions to the IoT hub's device registry. With these permissions, DPS can register a device ID and set the initial configuration in the device twin. Linked IoT hubs may be in any Azure region. You may link hubs in other subscriptions to your DPS instance. Settings on a linked IoT hub, for example, the allocation weight setting, determine how it participates in allocation policies.

+Allocation policies determine how DPS assigns devices to an IoT hub. Each DPS instance has a default allocation policy, but this policy can be overridden by an allocation policy set on an enrollment. Only IoT hubs [linked](#linked-iot-hubs) to the DPS instance can participate in allocation.

+There are four supported allocation policies:

+* **Evenly weighted distribution**: devices are provisioned to an IoT hub using a weighted hash. By default, linked IoT hubs have the same allocation weight setting, so they're equally likely to have devices provisioned to them. The allocation weight of an IoT hub may be adjusted to increase or decrease its likelihood of being assigned. This is the default allocation policy for a DPS instance. If you're provisioning devices to only one IoT Hub, we recommend using this policy.

+* **Lowest latency**: devices are provisioned to an IoT hub with the lowest latency to the device. If multiple linked IoT hubs would provide the same lowest latency, DPS hashes devices across those IoT hubs based on their configured allocation weight.

+* **Static configuration**: devices are provisioned to a single IoT hub, which must be specified on the enrollment.

+* **Custom (Use Azure Function)**: A [custom allocation policy](concepts-custom-allocation.md) gives you more control over how devices are assigned to an IoT hub. This is accomplished by using a custom webhook hosted in Azure Functions to assign devices to an IoT hub. DPS calls your webhook providing all relevant information about the device and the enrollment. Your webhook returns the IoT hub and initial device twin (optional) used to provision the device. Can't be set as the DPS instance default policy.

+* the [attestation mechanism](#attestation-mechanism) used by the device

+* the optional initial desired configuration

+* the [allocation policy](#allocation-policy) to use to assign devices to an IoT hub; if not specified on the enrollment, the DPS instance default allocation policy is used.

+* the [linked IoT hub(s)](#linked-iot-hubs) to apply the allocation policy to. For the *Static configuration* allocation policy, a single IoT hub must be specified. For all other allocation policies, one or more IoT hubs may be specified; if no IoT hubs are specified on the enrollment, all the IoT hubs linked to the DPS instance are used.

+* the desired device ID (individual enrollments only)

+The name of the enrollment group and the registration IDs presented by devices must be case-insensitive strings of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The enrollment group name can be up to 128 characters long. In symmetric key enrollment groups, the registration IDs presented by devices can be up to 128 characters long. However, in X.509 enrollment groups, because the maximum length of the subject common name in an X.509 certificate is 64 characters, the registration IDs are limited to 64 characters.

+* **Trusted Platform Module (TPM)** based on a nonce challenge, using the TPM standard for keys to present a signed Shared Access Signature (SAS) token. This doesn't require a physical TPM on the device, but the service expects to attest using the endorsement key per the [TPM spec](https://trustedcomputinggroup.org/work-groups/trusted-platform-module/). For more information, see [TPM attestation](concepts-tpm-attestation.md).

+Device secrets may also be stored in software (memory), but it's a less secure form of storage than an HSM.

+The ID scope is assigned to a Device Provisioning Service when it's created by the user and is used to uniquely identify the specific provisioning service the device will register through. The ID scope is generated by the service and is immutable, which guarantees uniqueness.

+A registration is the record of a device successfully registering/provisioning to an IoT Hub via the Device Provisioning Service. Registration records are created automatically; they can be deleted, but they can't be updated.

+* With TPM attestation, the registration ID is provided by the TPM itself.

+* With X.509-based attestation, the registration ID is set to the subject common name (CN) of the device certificate. For this reason, the common name must adhere to the registration ID string format. However, the registration ID is limited to 64 characters because that's the maximum length of the subject common name in an X.509 certificate.

+The device ID is the ID as it appears in IoT Hub. The desired device ID may be set in the enrollment entry, but it isn't required to be set. Setting the desired device ID is only supported in individual enrollments. If no desired device ID is specified in the enrollment list, the registration ID is used as the device ID when registering the device. Learn more about [device IDs in IoT Hub](../iot-hub/iot-hub-devguide-identity-registry.md).

+A *device enrollment* creates a record of a single device or a group of devices that may at some point register with the Azure IoT Hub Device Provisioning Service (DPS). The enrollment record contains the initial configuration for the device(s) as part of that enrollment. Included in the configuration is either the IoT hub to which a device will be assigned, or an allocation policy that configures the IoT hub from a set of IoT hubs. This article shows you how to manage device enrollments for your provisioning service.

+ | **Select how you want to assign devices to hubs** |Select *Static configuration* so that you can assign to a specific IoT hub. To learn more about allocation policies, see [How to use allocation policies](how-to-use-allocation-policies.md).|

+ | **Select the IoT hubs this group can be assigned to** |Select one of your linked IoT hubs. To learn more about linking IoT hubs to your DPS instance, see [How to link and manage IoT hubs](how-to-manage-linked-iot-hubs.md).|

+ | **Select how you want to assign devices to hubs** |Select *Static configuration* so that you can assign to a specific IoT hub. To learn more about allocation policies, see [How to use allocation policies](how-to-use-allocation-policies.md).|

+ | **Select the IoT hubs this group can be assigned to** |Select one of your linked IoT hubs. To learn more about linking IoT hubs to your DPS instance, see [How to link and manage IoT hubs](how-to-manage-linked-iot-hubs.md).|

+ | **Select how you want to assign devices to hubs** |Select *Static configuration* so that you can assign to a specific IoT hub. To learn more about allocation policies, see [How to use allocation policies](how-to-use-allocation-policies.md).|

+ | **Select the IoT hubs this group can be assigned to** |Select one of your linked IoT hubs. To learn more about linking IoT hubs to your DPS instance, see [How to link and manage IoT hubs](how-to-manage-linked-iot-hubs.md).|

+ | **Select how you want to assign devices to hubs** |Select *Static configuration* so that you can assign to a specific IoT hub. To learn more about allocation policies, see [How to use allocation policies](how-to-use-allocation-policies.md).|

+ | **Select the IoT hubs this group can be assigned to** |Select one of your linked IoT hubs. To learn more about linking IoT hubs to your DPS instance, see [How to link and manage IoT hubs](how-to-manage-linked-iot-hubs.md).|

+ Title: How to manage linked IoT hubs with Device Provisioning Service (DPS)

+description: This article shows how to link and manage IoT hubs with the Device Provisioning Service (DPS).

+# How to link and manage IoT hubs

+Azure IoT Hub Device Provisioning Service (DPS) can provision devices across one or more IoT hubs. Before DPS can provision devices to an IoT hub, it must be linked to your DPS instance. Once linked, an IoT hub can be used in an allocation policy. Allocation policies determine how devices are assigned to IoT hubs by DPS. This article provides instruction on how to link IoT hubs and manage them in your DPS instance.

+## Linked IoT hubs and allocation policies

+DPS can only provision devices to IoT hubs that have been linked to it. Linking an IoT hub to a DPS instance gives the service read/write permissions to the IoT hub's device registry. With these permissions, DPS can register a device ID and set the initial configuration in the device twin. Linked IoT hubs may be in any Azure region. You may link hubs in other subscriptions to your DPS instance.

+After an IoT hub is linked to DPS, it's eligible to participate in allocation. Whether and how it will participate in allocation depends on settings in the enrollment that a device provisions through and settings on the linked IoT hub itself.

+The following settings control how DPS uses linked IoT hubs:

+* **Connection string**: Sets the IoT Hub connection string that DPS uses to connect to the linked IoT hub. The connection string is based on one of the IoT hub's shared access policies. DPS needs the following permissions on the IoT hub: *RegistryWrite* and *ServiceConnect*. The connection string must be for a shared access policy that has these permissions. To learn more about IoT Hub shared access policies, see [IoT Hub access control and permissions](../iot-hub/iot-hub-dev-guide-sas.md#access-control-and-permissions).

+* **Allocation weight**: Determines the likelihood of an IoT hub being selected when DPS hashes device assignment across a set of IoT hubs. The value can be between one and 1000. The default is one (or **null**). Higher values increase the IoT hub's probability of being selected.

+* **Apply allocation policy**: Sets whether the IoT hub participates in allocation policy. The default is **Yes** (true). If set to **No** (false), devices won't be assigned to the IoT hub. The IoT hub can still be selected on an enrollment, but it won't participate in allocation. You can use this setting to temporarily or permanently remove an IoT hub from participating in allocation; for example, if it's approaching the allowed number of devices.

+To learn about DPS allocation policies and how linked IoT hubs participate in them, see [Manage allocation policies](how-to-use-allocation-policies.md).

+## Add a linked IoT hub

+When you link an IoT hub to your DPS instance, it becomes available to participate in allocation. You can add IoT hubs that are inside or outside of your subscription. When you link an IoT hub, it may or may not be available for allocations in existing enrollments:

+* For enrollments that don't explicitly set the IoT hubs to apply allocation policy to, a newly linked IoT hub immediately begins participating in allocation.

+* For enrollments that do explicitly set the IoT hubs to apply allocation policy to, you'll need to manually or programmatically add the new IoT hub to the enrollment settings for it to participate in allocation.

+### Use the Azure portal to link an IoT hub

+In the Azure portal, you can link an IoT hub either from the left menu of your DPS instance or from the enrollment when creating or updating an enrollment. In both cases, the IoT hub is scoped to the DPS instance (not just the enrollment).

+To link an IoT hub to your DPS instance in the Azure portal:

+1. On the left menu of your DPS instance, select **Linked IoT hubs**.

+1. At the top of the page, select **+ Add**.

+1. On the **Add link to IoT hub** page, select the subscription that contains the IoT hub and then choose the name of the IoT hub from the **IoT hub** list.

+1. After you select the IoT hub, choose an access policy that DPS will use to connect to the IoT hub. The **Access Policy** list shows all shared access policies defined on the selected IoT Hub that have both *RegistryWrite* and *ServiceConnect* permissions defined. The default is the *iothubowner* policy. Select the policy you want to use.

+1. Select **Save**.

+When you're creating or updating an enrollment, you can use the **Link a new IoT hub** button on the enrollment. You'll be presented with the same page and choices as above. After you save the linked hub, it will be available on your DPS instance and can be selected from your enrollment.

+> [!NOTE]

+>

+> In the Azure portal, you can't set the *Allocation weight* and *Apply allocation policy* settings when you add a linked IoT hub. Instead, You can update these settings after the IoT hub is linked. To learn more, see [Update a linked IoT hub](#update-a-linked-iot-hub).

+### Use the Azure CLI to link an IoT hub

+Use the [az iot dps linked-hub create](/cli/azure/iot/dps/linked-hub#az-iot-dps-linked-hub-create) Azure CLI command to link an IoT hub to your DPS instance.

+For example, the following command links an IoT hub named *MyExampleHub* using a connection string for its *iothubowner* shared access policy. This command leaves the *Allocation weight* and *Apply allocation policy* settings at their defaults, but you can specify values for these settings if you want to.

+```azurecli

+az iot dps linked-hub create --dps-name MyExampleDps --resource-group MyResourceGroup --connection-string "HostName=MyExampleHub.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=XNBhoasdfhqRlgGnasdfhivtshcwh4bJwe7c0RIGuWsirW0=" --location westus

+```

+DPS also supports linking IoT Hubs using the [Create or Update DPS resource](/rest/api/iot-dps/iot-dps-resource/create-or-update?tabs=HTTP) REST API, [Resource Manager templates](/azure/templates/microsoft.devices/provisioningservices?pivots=deployment-language-arm-template), and the [DPS Management SDKs](libraries-sdks.md#management-sdks).

+## Update a linked IoT hub

+You can update the settings on a linked IoT hub to change its allocation weight, whether it can have allocation policies applied to it, and the connection string that DPS uses to connect to it. When you update the settings for an IoT hub, the changes take effect immediately, whether the IoT hub is specified on an enrollment or used by default.

+### Use the Azure portal to update a linked IoT hub

+In the Azure portal, you can update the *Allocation weight* and *Apply allocation policy* settings.

+To update the settings for a linked IoT hub using the Azure portal:

+1. On the left menu of your DPS instance, select **Linked IoT hubs**, then select the IoT hub from the list.

+1. On the **Linked IoT hub details** page:

+ :::image type="content" source="media/how-to-manage-linked-iot-hubs/set-linked-iot-hub-properties.png" alt-text="Screenshot that shows the linked IoT hub details page.":::.

+ * Use the **Allocation weight** slider or text box to choose a weight between one and 1000. The default is one.

+ * Set the **Apply allocation policy** switch to specify whether the linked IoT hub should be included in allocation.

+1. Save your settings.

+> [!NOTE]

+>

+> You can't update the connection string that DPS uses to connect to the IoT hub from the Azure portal. Instead, you can use the Azure CLI to update the connection string, or you can delete the linked IoT hub from your DPS instance and relink it. To learn more, see [Update keys for linked IoT hubs](#update-keys-for-linked-iot-hubs).

+### Use the Azure CLI to update a linked IoT hub

+With the Azure CLI, you can update the *Allocation weight*, *Apply allocation policy*, and *Connection string* settings.

+Use the [az iot dps linked-hub update](/cli/azure/iot/dps/linked-hub#az-iot-dps-linked-hub-update) command to update the allocation weight or apply allocation policies settings. For example, the following command sets the allocation weight and apply allocation policy for a linked IoT hub:

+```azurecli

+az iot dps linked-hub update --dps-name MyExampleDps --resource-group MyResourceGroup --linked-hub MyExampleHub --allocation-weight 2 --apply-allocation-policy true

+```

+Use the [az iot dps update](/cli/azure/iot/dps#az-iot-dps-update) command to update the connection string for a linked IoT hub. You can use the `--set` parameter along with the connection string for the IoT hub shared access policy you want to use. For details, see [Update keys for linked IoT hubs](#update-keys-for-linked-iot-hubs).

+DPS also supports updating linked IoT Hubs using the [Create or Update DPS resource](/rest/api/iot-dps/iot-dps-resource/create-or-update?tabs=HTTP) REST API, [Resource Manager templates](/azure/templates/microsoft.devices/provisioningservices?pivots=deployment-language-arm-template), and the [DPS Management SDKs](libraries-sdks.md#management-sdks).

+## Delete a linked IoT hub

+When you delete a linked IoT hub from your DPS instance, it will no longer be available to set in future enrollments. However, it may or may not be removed from allocations in existing enrollments:

+* For enrollments that don't explicitly set the IoT hubs to apply allocation policy to, a deleted linked IoT hub is no longer available for allocation.

+* For enrollments that do explicitly set the IoT hubs to apply allocation policy to, you'll need to manually or programmatically remove the IoT hub from the enrollment settings for it to be removed from participation in allocation. Failure to do so may result in an error when a device tries to provision through the enrollment.

+### Use the Azure portal to delete a linked IoT hub

+To delete a linked IoT hub from your DPS instance in the Azure portal:

+1. On the left menu of your DPS instance, select **Linked IoT hubs**.

+1. From the list of IoT hubs, select the check box next to the IoT hub or IoT hubs you want to delete. Then select **Delete** at the top of the page and confirm your choice when prompted.

+### Use the Azure CLI to delete a linked IoT hub

+Use the [az iot dps linked-hub delete](/cli/azure/iot/dps/linked-hub#az-iot-dps-linked-hub-delete) command to remove a linked IoT hub from the DPS instance. For example, the following command removes the IoT hub named MyExampleHub:

+```azurecli

+az iot dps linked-hub delete --dps-name MyExampleDps --resource-group MyResourceGroup --linked-hub MyExampleHub

+```

+DPS also supports deleting linked IoT Hubs from the DPS instance using the [Create or Update DPS resource](/rest/api/iot-dps/iot-dps-resource/create-or-update?tabs=HTTP) REST API, [Resource Manager templates](/azure/templates/microsoft.devices/provisioningservices?pivots=deployment-language-arm-template), and the [DPS Management SDKs](libraries-sdks.md#management-sdks).

+## Update keys for linked IoT hubs

+It may become necessary to either rotate or update the symmetric keys for an IoT hub that's been linked to DPS. In this case, you'll also need to update the connection string setting in DPS for the linked IoT hub. Note that provisioning to an IoT hub will fail during the interim between updating a key on the IoT hub and updating your DPS instance with the new connections string based on that key.

+### Use the Azure portal to update keys

+You can't update the connection string setting for a linked IoT Hub when using Azure portal. Instead, you need to delete the linked IoT hub from your DPS instance and then re-add it.

+To update symmetric keys for a linked IoT hub in the Azure portal:

+1. On the left menu of your DPS instance in the Azure portal, select the IoT hub that you want to update the key(s) for.

+1. On the **Linked IoT hub details** page, note down the values for *Allocation weight* and *Apply allocation policy*, you'll need these values when you relink the IoT hub to your DPS instance later. Then, select **Manage Resource** to go to the IoT hub.

+1. On the left menu of the IoT hub, under **Security settings**, select **Shared access policies**.

+1. On **Shared access policies**, under **Manage shared access policies**, select the policy that your DPS instance uses to connect to the linked IoT hub.

+1. At the top of the page, select **Regenerate primary key**, **Regenerate secondary key**, or **Swap keys**, and confirm your choice when prompted.

+1. Navigate back to your DPS instance.

+1. Follow the steps in [Delete an IoT hub](#use-the-azure-portal-to-delete-a-linked-iot-hub) to delete the IoT hub from your DPS instance.

+1. Follow the steps in [Link an IoT hub](#use-the-azure-portal-to-link-an-iot-hub) to relink the IoT hub to your DPS instance with the new connection string for the policy.

+1. If you need to restore the allocation weight and apply allocation policy settings, follow the steps in [Update a linked IoT hub](#use-the-azure-portal-to-update-a-linked-iot-hub) using the values you saved in step 2.

+### Use the Azure CLI to update keys

+To update symmetric keys for a linked IoT hub with Azure CLS:

+1. Use the [az iot hub policy renew-key](/cli/azure/iot/hub/policy#az-iot-hub-policy-renew-key) command to swap or regenerate the symmetric keys for the shared access policy on the IoT hub. For example, the following command renews the primary key for the *iothubowner* shared access policy on an IoT hub:

+ ```azurecli

+ az iot hub policy renew-key --hub-name MyExampleHub --name owner --rk primary

+ ```

+1. Use the [az iot hub connection-string show](/cli/azure/iot/hub/policy#az-iot-hub-az-iot-hub-connection-string-show) command to get the new connection string for the shared access policy. For example, the following command gets the primary connection string for the *iothubowner* shared access policy that the primary key was regenerated for in the previous command:

+ ```azurecli

+ az iot hub connection-string show --hub-name MyExampleHub --policy-name owner --key-type primary

+ ```

+1. Use the [az iot dps linked-hub list](/cli/azure/iot/dps/linked-hub#az-iot-dps-linked-hub-show) command to find the position of the IoT hub in the collection of linked IoT hubs for your DPS instance. For example, the following command gets the primary connection string for the *owner* shared access policy that the primary key was regenerated for in the previous command:

+ ```azurecli

+ az iot dps linked-hub list --dos-name MyExampleDps

+ ```

+ The output will show the position of the linked IoT hub you want to update the connection string for in the table of linked IoT hubs maintained by your DPS instance. In this case, it's the first IoT hub in the list, *MyExampleHub*.

+ ```json

+ [

+ {

+ "allocationWeight": null,

+ "applyAllocationPolicy": null,

+ "connectionString": "HostName=MyExampleHub.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=****",

+ "location": "centralus",

+ "name": "MyExampleHub.azure-devices.net"

+ },

+ {

+ "allocationWeight": null,

+ "applyAllocationPolicy": null,

+ "connectionString": "HostName=MyExampleHub-2.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=****",

+ "location": "centralus",

+ "name": "NyExampleHub-2.azure-devices.net"

+ }

+ ]

+ ```

+1. Use the [az iot dps update](/cli/azure/iot/dps#az-iot-dps-update) command to update the connection string for the linked IoT hub. You use the `--set` parameter and the position of the linked IoT hub in the `properties.iotHubs[]` table to target the IoT hub. For example, the following command updates the connection string for *MyExampleHub* returned first in the previous command:

+ ```azurecli

+ az iot dps update --name MyExampleDps --set properties.iotHubs[0].connectionString="HostName=MyExampleHub-2.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=NewTokenValue"

+ ```

+## Limitations

+There are some limitations when working with linked IoT hubs and private endpoints. For more information, see [Private endpoint limitations](virtual-network-support.md#private-endpoint-limitations).

+## Next steps

+* To learn more about allocation policies, see [Manage allocation policies](how-to-use-allocation-policies.md).

+During the lifecycle of an IoT solution, it's common to move devices between IoT hubs. This topic is written to assist solution operators configuring reprovisioning policies.

+The allocation policy determines how the devices associated with the enrollment will be allocated, or assigned, to an IoT hub once reprovisioned. To learn more about allocation polices, see [How to use allocation policies](how-to-use-allocation-policies.md).

+2. Select **Manage enrollments**, and then select the enrollment group or individual enrollment that you want to configure for reprovisioning.

+ * **Lowest latency**: This policy assigns devices to the IoT hub that will result in the lowest latency communications between the device and IoT Hub. This option enables the device to communicate with the closest IoT hub based on location.

+ * **Evenly weighted distribution**: This policy distributes devices across IoT hubs based on the allocation weight configured on each IoT hub. IoT hubs with a higher allocation weight are more likely to be assigned. If you're provisioning devices to only one IoT Hub, we recommend this setting. This setting is the default.

+ * **Static configuration**: This policy requires a desired IoT hub be listed in the enrollment entry for a device to be provisioned. This policy allows you to designate a single IoT hub that you want to assign devices to.

+ * **Custom (Use Azure Function)**: This policy uses a custom webhook hosted in Azure Functions to assign devices to one or more IoT hubs. Custom allocation policies give you more control over how devices are assigned to your IoT hubs. To learn more, see [Understand custom allocation policies](concepts-custom-allocation.md).

+4. Under **Select the IoT hubs this group can be assigned to**, select the linked IoT hubs that you want included in your allocation policy. Optionally, add a new linked Iot hub using the **Link a new IoT Hub** button.

+ * With the **Lowest latency** allocation policy, the IoT hubs you select will be included in the latency evaluation to determine the closest IoT hub for device assignment.

+ * With the **Evenly weighted distribution** allocation policy, devices will be hashed across the IoT hubs you select based on their configured allocation weights.

+ * With the **Static configuration** allocation policy, select the IoT hub you want devices assigned to.

+ * With the **Custom** allocation policy, select the IoT hubs you want evaluated for assignment by your custom allocation webhook.

+5. Select **Save**, or proceed to the next section to set the reprovisioning policy.

+ 

+2. Select **Manage enrollments**, and the select the enrollment group or individual enrollment that you want to configure for reprovisioning.

+4. Select **Save** to enable the reprovisioning of the device based on your changes.

+ 

+>

+>

+* To learn more Reprovisioning, see [IoT Hub Device reprovisioning concepts](concepts-device-reprovision.md).

+* To learn more Deprovisioning, see [How to deprovision devices that were previously auto-provisioned](how-to-unprovision-devices.md).

+ Title: How to use allocation policies with Device Provisioning Service (DPS)

+description: This article shows how to use the Device Provisioning Service (DPS) allocation policies to automatically provision device across one or more IoT hubs.

+# How to use allocation policies to provision devices across IoT hubs

+Azure IoT Hub Device Provisioning Service (DPS) supports several built-in allocation policies that determine how it assigns devices across one or more IoT hubs. DPS also includes support for custom allocation policies, which let you create and use your own allocation policies when your IoT scenario requires functionality not provided by the built-in policies.

+This article helps you understand how to use and manage DPS allocation policies.

+## Understand allocation policies

+Allocation policies determine how DPS assigns devices to an IoT hub. Each DPS instance has a default allocation policy, but this policy can be overridden by an allocation policy set on an enrollment. Only IoT hubs that have been linked to the DPS instance can participate in allocation. Whether a linked IoT hub will participate in allocation depends on settings on the enrollment that a device provisions through.

+DPS supports four allocation policies:

+* **Evenly weighted distribution**: devices are provisioned to an IoT hub using a weighted hash. By default, linked IoT hubs have the same allocation weight setting, so they're equally likely to have devices provisioned to them. The allocation weight of an IoT hub may be adjusted to increase or decrease its likelihood of being assigned. *Evenly weighted distribution* is the default allocation policy for a DPS instance. If you're provisioning devices to only one IoT hub, we recommend using this policy.

+* **Lowest latency**: devices are provisioned to the IoT hub with the lowest latency to the device. If multiple IoT hubs would provide the lowest latency, DPS hashes devices across those hubs based on their configured allocation weight.

+* **Static configuration**: devices are provisioned to a single IoT hub, which must be specified on the enrollment.

+* **Custom (Use Azure Function)**: A custom allocation policy gives you more control over how devices are assigned to an IoT hub. This is accomplished by using a custom webhook hosted in Azure Functions to assign devices to an IoT hub. DPS calls your webhook providing all relevant information about the device and the enrollment. Your webhook returns the IoT hub and initial device twin (optional) used to provision the device. Custom payloads can also be passed to and from the device. To learn more, see [Understand custom allocation policies](concepts-custom-allocation.md). Can't be set as the DPS instance default policy.

+> [!NOTE]

+> The preceding list shows the names of the allocation policies as they appear in the Azure portal. When setting the allocation policy using the DPS REST API, Azure CLI, and DPS service SDKs, they are referred to as follows: **hashed**, **geolatency**, **static**, and **custom**.

+There are two settings on a linked IoT hub that control how it participates in allocation:

+* **Allocation weight**: sets the weight that the IoT hub will have when participating in allocation policies that involve multiple IoT hubs. It can be a value between one and 1000. The default is one (or **null**).

+ * With the *Evenly weighted distribution* allocation policy, IoT hubs with higher allocation weight values have a greater likelihood of being selected compared to those with lower weight values.

+ * With the *Lowest latency* allocation policy, the allocation weight value will affect the probability of an IoT hub being selected when more than one IoT hub satisfies the lowest latency requirement.

+

+ * With a *Custom* allocation policy, whether and how the allocation weight value is used will depend on the webhook logic.

+* **Apply allocation policy**: specifies whether the IoT hub participates in allocation policy. The default is **Yes** (true). If set to **No** (false), devices won't be assigned to the IoT hub. The IoT hub can still be selected on an enrollment, but it won't participate in allocation. You can use this setting to temporarily or permanently remove an IoT hub from participating in allocation; for example, if it's approaching the allowed number of devices.

+To learn more about linking and managing IoT hubs in your DPS instance, see [Link and manage IoT hubs](how-to-manage-linked-iot-hubs.md).

+When a device provisions through DPS, the service assigns it to an IoT hub according to the following guidelines:

+* If the enrollment specifies an allocation policy, use that policy; otherwise, use the default allocation policy for the DPS instance.

+* If the enrollment specifies one or more IoT hubs, apply the allocation policy across those IoT hubs; otherwise, apply the allocation policy across all of the IoT hubs linked to the DPS instance. Note that if the allocation policy is *Static configuration*, the enrollment *must* specify an IoT hub.

+> [!IMPORTANT]

+> When you change an allocation policy or the IoT hubs it applies to, the changes only affect subsequent device registrations. Devices already provisioned to an IoT hub won't be affected. If you want your changes to apply retroactively to these devices, you'll need to reprovision them. To learn more, see [How to reprovision devices](how-to-reprovision.md).

+## Set the default allocation policy for the DPS instance

+The default allocation policy for the DPS instance is used when an allocation policy isn't specified on an enrollment. Only *Evenly weighted distribution*, *Lowest latency*, and *Static configuration* are supported for the default allocation policy. *Custom* allocation isn't supported. When a DPS instance is created, its default policy is automatically set to *Evenly weighted distribution*. However, you can update your DPS instance to set a different allocation policy.

+> [!NOTE]

+> If you set *Static configuration* as the default allocation policy for a DPS instance, a linked IoT hub *must* be specified in enrollments that rely on the default policy.

+### Use the Azure portal to the set default allocation policy

+To set the default allocation policy for the DPS instance in the Azure portal:

+1. On the left menu of your DPS instance, select **Manage allocation policy**.

+2. Select the button for the allocation policy you want to set: **Lowest latency**, **Evenly weighted distribution**, or **Static configuration**. (Custom allocation isn't supported for the default allocation policy.)

+3. Select **Save**.

+### Use the Azure CLI to set the default allocation policy

+Use the [az iot dps update](/cli/azure/iot/dps#az-iot-dps-update) Azure CLI command to set the default allocation policy for the DPS instance. You use `--set properties.allocationPolicy` to specify the policy. For example, the following command sets the allocation policy to *Evenly weighted distribution* (the default):

+```azurecli

+az iot dps update --name MyExampleDps --set properties.allocationPolicy=hashed

+```

+DPS also supports setting the default allocation policy using the [Create or Update DPS resource](/rest/api/iot-dps/iot-dps-resource/create-or-update?tabs=HTTP) REST API, [Resource Manager templates](/azure/templates/microsoft.devices/provisioningservices?pivots=deployment-language-arm-template), and the [DPS Management SDKs](libraries-sdks.md#management-sdks).

+## Set allocation policy and IoT hubs for enrollments

+Individual enrollments and enrollment groups can specify an allocation policy and the linked IoT hubs that it should apply to. If no allocation policy is specified by the enrollment, then the default allocation policy for the DPS instance is used.

+In either case, the following conditions apply:

+* For *Evenly weighted distribution*, *Lowest latency*, and *Custom* allocation policies, the enrollment *may* specify which linked IoT hubs should be used. If no IoT hubs are selected in the enrollment, then all of the linked IoT hubs in the DPS instance will be used.

+* For *Static configuration*, the enrollment *must* specify a single IoT hub from the list of linked IoT hubs.

+For both individual enrollments and enrollment groups, you can specify an allocation policy and the linked IoT hubs to apply it to when you create or update an enrollment.

+### Use the Azure portal to manage enrollment allocation policy and IoT hubs

+To set allocation policy and select IoT hubs on an enrollment in the Azure portal:

+1. On the left menu of your DPS instance, select **Manage enrollments**.

+1. On the **Manage enrollments** page:

+ * To create a new enrollment, select either **+ Add enrollment group** or **+ Add individual enrollment** at the top of the page.

+ * To update an existing enrollment, select it from the list under either the **Enrollment Groups** or **Individual Enrollments** tab.

+1. On the **Add Enrollment** page (on create) or the **Enrollment details** page (on update), you can select the allocation policy you want applied to the enrollment and select the IoT hubs that should be used:

+ :::image type="content" source="media/how-to-use-allocation-policies/select-enrollment-policy-and-hubs.png" alt-text="Screenshot that shows the allocation policy and selected hubs settings on Add Enrollment page.":::.

+ * Select the allocation policy you want to apply from the drop-down. The default allocation policy for the DPS instance is selected by default. For custom allocation, you'll also need to specify a custom allocation policy webhook in Azure Functions. For details, see the [Use custom allocation policies](tutorial-custom-allocation-policies.md) tutorial.

+ * Select the IoT hubs that devices can be assigned to. If you've selected the *Static configuration* allocation policy, you'll be limited to selecting a single linked IoT hub. For all other allocation policies, all the linked IoT hubs will be selected by default, but you can modify this selection using the drop-down. To have the enrollment automatically use linked IoT hubs as they're added to (or deleted from) the DPS instance, unselect all IoT hubs.

+ * Optionally, you can select the **Link a new IoT hub** button to link a new IoT hub to the DPS instance and make it available in the list of IoT hubs that can be selected. For details about linking an IoT hub, see [Link an IoT Hub](how-to-manage-linked-iot-hubs.md#use-the-azure-portal-to-link-an-iot-hub).

+1. Set any other properties needed for the enrollment and then save your settings.

+### Use the Azure CLI to manage enrollment allocation policy and IoT hubs

+Use the [az iot dps enrollment create](/cli/azure/iot/dps/enrollment#az-iot-dps-enrollment-create), [az iot dps enrollment update](/cli/azure/iot/dps/enrollment#az-iot-dps-enrollment-update), [az iot dps enrollment-group create](/cli/azure/iot/dps/enrollment#az-iot-dps-enrollment-group-create), [az iot dps enrollment-group update](/cli/azure/iot/dps/enrollment#az-iot-dps-enrollment-group-update) Azure CLI commands to create or update individual enrollments or enrollment groups.

+For example, the following command creates a symmetric key enrollment group that defaults to using the default allocation policy set on the DPS instance and all the IoT hubs linked to the DPS instance:

+```azurecli

+az iot dps enrollment-group create --dps-name MyExampleDps --enrollment-id MyEnrollmentGroup

+```

+The following command updates the same enrollment group to use the *Lowest latency* allocation policy with IoT hubs named *MyExampleHub* and *MyExampleHub-2*:

+```azurecli

+az iot dps enrollment-group update --dps-name MyExampleDps --enrollment-id MyEnrollmentGroup --allocation-policy geolatency --iot-hubs "MyExampleHub.azure-devices.net MyExampleHub-2.azure-devices.net"

+```

+DPS also supports setting allocation policy and selected IoT hubs on the enrollment using the [Create or Update individual enrollment](/rest/api/iot-dps/service/individual-enrollment/create-or-update) and [Create or Update enrollment group](/rest/api/iot-dps/service/enrollment-group/create-or-update) REST APIs, and the [DPS service SDKs](libraries-sdks.md#service-sdks).

+## Allocation behavior

+Note the following behavior when using allocation policies with IoT hub:

+* With the Azure CLI, the REST API, and the DPS service SDKs, you can create enrollments with no allocation policy. In this case, DPS uses the default policy for the DPS instance when a device provisions through the enrollment. Changing the default policy setting on the DPS instance will change how devices are provisioned through the enrollment.

+* With the Azure portal, the allocation policy setting for the enrollment is pre-populated with the default allocation policy. You can keep this setting or change it to another policy, but, when you save the enrollment, the allocation policy is set on the enrollment. Subsequent changes to the service default allocation policy, won't change how devices are provisioned through the enrollment.

+* For the *Equally weighted distribution*, *Lowest latency* and *Custom* allocation policies you can configure the enrollment to use all the IoT hubs linked to the DPS instance:

+ * With the Azure CLI and the DPS service SDKs, create the enrollment without specifying any IoT hubs.

+ * With the Azure portal, the enrollment is pre-populated with all the IoT hubs linked to the DPS instance selected; unselect all the IoT hubs before you save the enrollment.

+ If no IoT hubs are selected on the enrollment, then whenever a new IoT hub is linked to the DPS instance, it will participate in allocation; and vice-versa for an IoT hub that is removed from the DPS instance.

+* If IoT hubs are specified on an enrollment, the IoT hubs setting on the enrollment must be manually or programmatically updated for a newly linked IoT hub to be added or a deleted IoT hub to be removed from allocation.

+* Changing the allocation policy or IoT hubs used for an enrollment only affects subsequent registrations through that enrollment. If you want the changes to affect prior registrations, you'll need to reprovision all previously registered devices.

+## Limitations

+There are some limitations when working with allocation policies and private endpoints. For more information, see [Private endpoint limitations](virtual-network-support.md#private-endpoint-limitations).

+## Next steps

+* To learn more about linking and managing linked IoT hubs, see [Manage linked IoT hubs](how-to-manage-linked-iot-hubs.md).

+* To learn more about custom allocation policies, see [Understand custom allocation policies](concepts-custom-allocation.md).

+* For an end-to-end example using the lowest latency allocation policy, see the [Provision for geolatency](how-to-provision-multitenant.md) tutorial.

+* For an end-to-end example using a custom allocation policy, see the [Use custom allocation policies](tutorial-custom-allocation-policies.md) tutorial.

+In this tutorial, you provisioned an X.509 device using a custom HSM to your IoT hub. To learn how to provision IoT devices across multiple IoT hubs, see:

+> [How to use allocation policies](how-to-use-allocation-policies.md)

+If your IoT Edge solution requires more than one device, autoprovisioning using DPS saves you the effort of manually entering provisioning information into the configuration files of each device. This automated model can be scaled to millions of IoT Edge devices.

+| [1.4](https://github.com/Azure/azure-iotedge/releases/tag/1.4.0) | Long-term support (LTS) | August 2022 | November 12, 2024 | IoT Edge 1.4 LTS is supported through November 12, 2024 to match the [.NET 6 release lifecycle](https://dotnet.microsoft.com/platform/support/policy/dotnet-core#lifecycle). <br> Automatic image clean-up of unused Docker images <br> Ability to pass a [custom JSON payload to DPS on provisioning](../iot-dps/how-to-send-additional-data.md#iot-edge-support) <br> Ability to require all modules in a deployment be downloaded before restart <br> Use of the TCG TPM2 Software Stack which enables TPM hierarchy authorization values, specifying the TPM index at which to persist the DPS authentication key, and accommodating more [TPM configurations](http://github.com/Azure/iotedge/blob/897aed8c5573e8cad4b602e5a1298bdc64cd28b4/edgelet/contrib/config/linux/template.toml#L262-L288) |

+- The [fail criteria](./how-to-define-test-criteria.md) for the test.

+- *Client-side metrics* give you telemetry reported by the test engine. These metrics include the number of virtual users, the request response time, the number of failed requests, or the number of requests per second. You can [define test fail criteria](./how-to-define-test-criteria.md) based on these client-side metrics.

+ Title: Get load test insights from App Service diagnostics

+description: 'Learn how to get detailed application performance insights from App Service diagnostics and Azure Load Testing.'

+# Get performance insights from App Service diagnostics and Azure Load Testing Preview

+Azure Load Testing Preview collects detailed resource metrics across your Azure app components to help identify performance bottlenecks. In this article, you learn how to use App Service Diagnostics to get additional insights when load testing Azure App Service workloads.

+[App Service diagnostics](/azure/app-service/overview-diagnostics.md) is an intelligent and interactive way to help troubleshoot your app, with no configuration required. When you run into issues with your app, App Service diagnostics can help you resolve the issue easily and quickly.

+## Use App Service diagnostics for your load test

+Azure Load Testing lets you monitor server-side metrics for your Azure app components for a load test. You can then visualize and analyze these metrics in the Azure Load Testing dashboard.

+When the application you're load testing is hosted on Azure App Service, you can get extra insights by using [App Service diagnostics](/azure/app-service/overview-diagnostics.md).

+To view the App Service diagnostics information for your application under load test:

+1. Go to the [Azure portal](https://portal.azure.com).

+1. Add your App Service resource to the load test app components. Follow the steps in [monitor server-side metrics](./how-to-monitor-server-side-metrics.md) to add your app service.

+ :::image type="content" source="media/how-to-appservice-insights/test-monitoring-app-service.png" alt-text="Screenshot of the Monitoring tab when editing a load test in the Azure portal, highlighting the App Service resource.":::

+1. Select **Run** to run the load test.

+ :::image type="content" source="media/how-to-appservice-insights/test-result-app-service-diagnostics.png" alt-text="Screenshot that shows the 'App Service' section on the load testing dashboard in the Azure portal.":::

+1. Select the link in **Additional insights** to view the App Service diagnostics information.

+ App Service diagnostics enables you to view in-depth information and dashboard about the performance, resource usage, and stability of your app service.

+ In the screenshot, you notice that there are concerns about the CPU usage, app performance, and failed requests.

+ On the left pane, you can drill deeper into specific issues by selecting one the diagnostics reports. For example, the following screenshot shows the **High CPU Analysis** report.

+ The following screenshot shows the **Web App Slow** report, which gives details and recommendations about application performance.

+ :::image type="content" source="media/how-to-appservice-insights/app-diagnostics-web-app-slow.png" alt-text="Screenshot that shows the App Service diagnostics slow application report.":::

+ > [!NOTE]

+- Learn how to [parameterize a load test with secrets and environment variables](./how-to-parameterize-load-tests.md).

+- Learn how to [identify performance bottlenecks](./tutorial-identify-bottlenecks-azure-portal.md) for Azure applications.

+- Learn how to [configure automated performance testing](./tutorial-identify-performance-regression-with-cicd.md).

+ Title: Define load test fail criteria

+description: 'Learn how to configure fail criteria for load tests with Azure Load Testing. Fail criteria let you define conditions that your load test results should meet.'

+# Define fail criteria for load tests by using Azure Load Testing Preview

+In this article, you'll learn how to define test fail criteria for your load tests with Azure Load Testing Preview. Fail criteria let you define performance and quality expectations for your application under load. Azure Load Testing supports various client metrics for defining fail criteria. Criteria can apply to the entire load test, or to an individual request in the JMeter script.

+- An Azure load testing resource. If you need to create an Azure Load Testing resource, see the quickstart [Create and run a load test](./quickstart-create-and-run-load-test.md).

+## Load test fail criteria

+Load test fail criteria are conditions for client-side metrics, that your test should meet. You define test criteria at the load test level in Azure Load Testing. A load test can have one or more test criteria. When at least one of the test criteria evaluates to true, the load test gets the *failed* status.

+You can define test criteria at two levels. A load test can combine criteria at the different levels.

+- At the load test level. For example, to ensure that the total error percentage doesn't exceed a threshold.

+- At the JMeter request level (JMeter sampler). For example, you could specify a threshold for the response time of the *getProducts* request, but disregard the response time of the *sign in* request.

+You can define a maximum of 10 test criteria for a load test. If there are multiple criteria for the same client metric, the criterion with the lowest threshold value is used.

+### Fail criteria structure

+The format of fail criteria in Azure Load Testing follows that of a conditional statement for a [supported metric](#supported-client-metrics-for-fail-criteria). For example, ensure that the average number of requests per second is greater than 500.

+Fail criteria have the following structure:

+- Test criteria at the load test level: `Aggregate_function (client_metric) condition threshold`.

+- Test criteria applied to specific JMeter requests: `Request: Aggregate_function (client_metric) condition threshold`.

+|Parameter |Description |

+||-|

+|`Client metric` | *Required.* The client metric on which the condition should be applied. |

+|`Aggregate function` | *Required.* The aggregate function to be applied on the client metric. |

+|`Condition` | *Required.* The comparison operator, such as `greater than`, or `less than`. |

+|`Threshold` | *Required.* The numeric value to compare with the client metric. |

+|`Request` | *Optional.* Name of the sampler in the JMeter script to which the criterion applies. If you don't specify a request name, the criterion applies to the aggregate of all the requests in the script. |

+### Supported client metrics for fail criteria

+Azure Load Testing supports the following client metrics:

+|Metric |Aggregate function |Threshold |Condition | Description |

+|||||-|

+|`response_time_ms` | `avg` (average)<BR> `min` (minimum)<BR> `max` (maximum)<BR> `pxx` (percentile), xx can be 50, 90, 95, 99 | Integer value, representing number of milliseconds (ms). | `>` (greater than)<BR> `<` (less than) | Response time or elapsed time, in milliseconds. Learn more about [elapsed time in the Apache JMeter documentation](https://jmeter.apache.org/usermanual/glossary.html). |

+|`latency_ms` | `avg` (average)<BR> `min` (minimum)<BR> `max` (maximum)<BR> `pxx` (percentile), xx can be 50, 90, 95, 99 | Integer value, representing number of milliseconds (ms). | `>` (greater than)<BR> `<` (less than) | Latency, in milliseconds. Learn more about [latency in the Apache JMeter documentation](https://jmeter.apache.org/usermanual/glossary.html). |

+|`error` | `percentage` | Numerical value in the range 0-100, representing a percentage. | `>` (greater than) <BR> `<` (less than) | Percentage of failed requests. |

+|`requests_per_sec` | `avg` (average) | Numerical value with up to two decimal places. | `>` (greater than) <BR> `<` (less than) | Number of requests per second. |

+|`requests` | `count` | Integer value. | `>` (greater than) <BR> `<` (less than) | Total number of requests. |

+## Define load test fail criteria

+# [Azure portal](#tab/portal)

+1. On the left pane, select **Tests** to view the list of load tests.

+1. Select your load test from the list, and then select **Edit**.

+ :::image type="content" source="media/how-to-define-test-criteria/edit-test.png" alt-text="Screenshot of the list of tests for an Azure load testing resource in the Azure portal, highlighting the 'Edit' button.":::

+1. On the **Test criteria** pane, fill the **Metric**, **Aggregate function**, **Condition**, and **Threshold** values for your test.

+ :::image type="content" source="media/how-to-define-test-criteria/test-creation-criteria.png" alt-text="Screenshot of the 'Test criteria' pane for a load test in the Azure portal and highlights the fields for adding a test criterion.":::

+ Optionally, enter the **Request name** information to add a test criterion for a specific JMeter request. The value should match the name of the JMeter sampler in the JMX file.

+ :::image type="content" source="media/how-to-define-test-criteria/jmeter-request-name.png" alt-text="Screenshot of the JMeter user interface, highlighting the request name.":::

+ When you now run the load test, Azure Load Testing uses the test criteria to determine the status of the load test run.

+1. Run the test and view the status in the load test dashboard.

+ The dashboard shows each of the test criteria and their status. The overall test status will be failed if at least one criterion was met.

+ :::image type="content" source="media/how-to-define-test-criteria/test-criteria-dashboard.png" alt-text="Screenshot that shows the test criteria on the load test dashboard.":::

+# [Azure Pipelines](#tab/pipelines)

+In this section, you configure test criteria for a load test, as part of an Azure Pipelines CI/CD workflow. Learn how to [set up automated performance testing with CI/CD](./tutorial-identify-performance-regression-with-cicd.md).

+For CI/CD workflows, you configure the load test settings in a [YAML test configuration file](./reference-test-config-yaml.md). You store the load test configuration file alongside the JMeter test script file in the source control repository.

+To specify fail criteria in the YAML configuration file:

+1. Open the YAML test configuration file for your load test in your editor of choice.

+1. Add your test criteria in the `failureCriteria` setting.

+ Use the [fail criteria format](#fail-criteria-structure), as described earlier. You can add multiple fail criteria for a load test.

+ The following example defines three fail criteria. The first two criteria apply to the overall load test, and the last one specifies a condition for the `GetCustomerDetails` request.

+ ```yaml

+ version: v0.1

+ testName: SampleTest

+ testPlan: SampleTest.jmx

+ description: Load test website home page

+ engineInstances: 1

+ failureCriteria:

+ - avg(response_time_ms) > 300

+ - percentage(error) > 50

+ - GetCustomerDetails: avg(latency_ms) >200

+ ```

+

+ When you define a test criterion for a specific JMeter request, the request name should match the name of the JMeter sampler in the JMX file.

+ :::image type="content" source="media/how-to-define-test-criteria/jmeter-request-name.png" alt-text="Screenshot of the JMeter user interface, highlighting the request name.":::

+1. Save the YAML configuration file, and commit the changes to source control.

+1. After the CI/CD workflow runs, verify the test status in the CI/CD log.

+ The log shows the overall test status, and the status of each of the test criteria. The status of the CI/CD workflow run also reflects the test run status.

+ :::image type="content" source="media/how-to-define-test-criteria/azure-pipelines-log.png" alt-text="Screenshot that shows the test criteria in the CI/CD workflow log.":::

+# [GitHub Actions](#tab/github)

+In this section, you configure test criteria for a load test, as part of a GitHub Actions CI/CD workflow. Learn how to [set up automated performance testing with CI/CD](./tutorial-identify-performance-regression-with-cicd.md).

+For CI/CD workflows, you configure the load test settings in a [YAML test configuration file](./reference-test-config-yaml.md). You store the load test configuration file alongside the JMeter test script file in the source control repository.

+To specify fail criteria in the YAML configuration file:

+1. Open the YAML test configuration file for your load test in your editor of choice.

+1. Add your test criteria in the `failureCriteria` setting.

+ Use the [fail criteria format](#fail-criteria-structure), as described earlier. You can add multiple fail criteria for a load test.

+ The following example defines three fail criteria. The first two criteria apply to the overall load test, and the last one specifies a condition for the `GetCustomerDetails` request.

+ ```yaml

+ version: v0.1

+ testName: SampleTest

+ testPlan: SampleTest.jmx

+ description: Load test website home page

+ engineInstances: 1

+ failureCriteria:

+ - avg(response_time_ms) > 300

+ - percentage(error) > 50

+ - GetCustomerDetails: avg(latency_ms) >200

+

+ When you define a test criterion for a specific JMeter request, the request name should match the name of the JMeter sampler in the JMX file.

+ :::image type="content" source="media/how-to-define-test-criteria/jmeter-request-name.png" alt-text="Screenshot of the JMeter user interface, highlighting the request name.":::

+1. Save the YAML configuration file, and commit the changes to source control.

+1. After the CI/CD workflow runs, verify the test status in the CI/CD log.

+ The log shows the overall test status, and the status of each of the test criteria. The status of the CI/CD workflow run also reflects the test run status.

+ :::image type="content" source="media/how-to-define-test-criteria/github-actions-log.png" alt-text="Screenshot that shows the test criteria in the CI/CD workflow log.":::

+This article shows how to create a managed identity for Azure Load Testing Preview. You can use a managed identity to authenticate with and read secrets from Azure Key Vault.

+A managed identity from Azure Active Directory (Azure AD) allows your load testing resource to easily access other Azure AD-protected resources, such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to manage or rotate any secrets. For more information about managed identities in Azure AD, see [Managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/overview).

+- A **system-assigned identity** is associated with your load testing resource and is deleted when your resource is deleted. A resource can only have one system-assigned identity.

+- A **user-assigned identity** is a standalone Azure resource that you can assign to your load testing resource. When you delete the load testing resource, the managed identity remains available. You can assign multiple user-assigned identities to the load testing resource.

+- An Azure load testing resource. If you need to create an Azure load testing resource, see the quickstart [Create and run a load test](./quickstart-create-and-run-load-test.md).

+- To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.

+## Assign a system-assigned identity to a load testing resource

+To assign a system-assigned identity for your Azure load testing resource, enable a property on the resource. You can set this property by using the Azure portal or by using an Azure Resource Manager (ARM) template.

+To set up a managed identity in the portal, you first create an Azure load testing resource and then enable the feature.

+1. In the [Azure portal](https://portal.azure.com), go to your Azure load testing resource.

+1. Select the **System assigned** tab.

+1. Switch the **Status** to **On**, and then select **Save**.

+ :::image type="content" source="media/how-to-use-a-managed-identity/system-assigned-managed-identity.png" alt-text="Screenshot that shows how to assign a system-assigned managed identity for Azure Load Testing in the Azure portal.":::

+1. On the confirmation window, select **Yes** to confirm the assignment of the managed identity.

+1. After assigning the managed identity finishes, the page will show the **Object ID** of the managed identity, and let you assign permissions to it.

+ :::image type="content" source="media/how-to-use-a-managed-identity/system-assigned-managed-identity-completed.png" alt-text="Screenshot that shows the system-assigned managed identity information for a load testing resource in the Azure portal.":::

+You can now [grant your load testing resource access to your Azure key vault](#grant-access-to-your-azure-key-vault).

+You can use an ARM template to automate the deployment of your Azure resources. For more information about using ARM templates with Azure Load Testing, see the [Azure Load Testing ARM reference documentation](/azure/templates/microsoft.loadtestservice/allversions).

+You can assign a system-assigned managed identity when you create a resource of type `Microsoft.LoadTestService/loadtests`. Configure the `identity` property with the `SystemAssigned` value in the resource definition:

+By adding the system-assigned identity type, you're telling Azure to create and manage the identity for your resource. For example, an Azure load testing resource might look like the following:

+After the resource creation finishes, the following properties are configured for the resource:

+```output

+ "tenantId": "00000000-0000-0000-0000-000000000000",

+ "principalId": "00000000-0000-0000-0000-000000000000"

+The `tenantId` property identifies which Azure AD tenant the managed identity belongs to. The `principalId` is a unique identifier for the resource's new identity. Within Azure AD, the service principal has the same name as the Azure load testing resource.

+You can now [grant your load testing resource access to your Azure key vault](#grant-access-to-your-azure-key-vault).

+## Assign a user-assigned identity to a load testing resource

+Before you can add a user-assigned managed identity to an Azure load testing resource, you must first create this identity in Azure AD. Then, you can assign the identity by using its resource identifier.

+You can add multiple user-assigned managed identities to your resource. For example, if you need to access multiple Azure resources, you can grant different permissions to each of these identities.

+1. Create a user-assigned managed identity by following the instructions mentioned in [Create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity).

+ :::image type="content" source="media/how-to-use-a-managed-identity/create-user-assigned-managed-identity.png" alt-text="Screenshot that shows how to create a user-assigned managed identity in the Azure portal.":::

+1. In the [Azure portal](https://portal.azure.com/), go to your Azure load testing resource.

+1. Select the **User assigned** tab, and select **Add**.

+1. Search and select the managed identity you created previously. Then, select **Add** to add it to the Azure load testing resource.

+You can now [grant your load testing resource access to your Azure key vault](#grant-access-to-your-azure-key-vault).

+You can create an Azure load testing resource by using an ARM template and the resource type `Microsoft.LoadTestService/loadtests`. For more information about using ARM templates with Azure Load Testing, see the [Azure Load Testing ARM reference documentation](/azure/templates/microsoft.loadtestservice/allversions).

+1. Create a user-assigned managed identity by following the instructions mentioned in [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-arm#create-a-user-assigned-managed-identity-3).

+

+1. Specify the user-assigned managed identity in the `identity` section of the resource definition.

+ Replace the `<RESOURCEID>` text placeholder with the resource ID of your user-assigned identity:

+ ```json

+ }

+ ```

+ The following code snippet shows an example of an Azure Load Testing ARM resource definition with a user-assigned identity:

+ ```json

+ {

+ "type": "Microsoft.LoadTestService/loadtests",

+ "apiVersion": "2021-09-01-preview",

+ "name": "[parameters('name')]",

+ "location": "[parameters('location')]",

+ "tags": "[parameters('tags')]",

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "<RESOURCEID>": {}

+ }

+ }

+ ```

+ After the Load Testing resource is created, Azure provides the `principalId` and `clientId` properties in the output:

+ ```output

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "<RESOURCEID>": {

+ "principalId": "00000000-0000-0000-0000-000000000000",

+ "clientId": "00000000-0000-0000-0000-000000000000"

+ }

+ ```

+ The `principalId` is a unique identifier for the identity that's used for Azure AD administration. The `clientId` is a unique identifier for the resource's new identity that's used for specifying which identity to use during runtime calls.

+You can now [grant your load testing resource access to your Azure key vault](#grant-access-to-your-azure-key-vault).

+Using managed identities for Azure resources, your Azure load testing resource can access tokens that enable authentication to your Azure key vault. Grant the managed identity access by assigning the [appropriate role](/azure/role-based-access-control/built-in-roles) to the managed identity.

+To grant your Azure load testing resource permissions to read secrets from your Azure key vault:

+1. In the [Azure portal](https://portal.azure.com/), go to your Azure key vault resource.

+ If you don't have a key vault, follow the instructions in [Azure Key Vault quickstart](/azure/key-vault/secrets/quick-create-cli) to create one.

+1. Select **Select principal**, and then select the system-assigned or user-assigned principal for your Azure load testing resource.

+ If you're using a system-assigned managed identity, the name matches that of your Azure load testing resource.

+You've now granted access to your Azure load testing resource to read the secret values from your Azure key vault.

+* Learn how to [Parameterize a load test with secrets](./how-to-parameterize-load-tests.md).

+* Learn how to [Manage users and roles in Azure Load Testing](./how-to-assign-roles.md).

+* [What are managed identities for Azure resources?](/azure/active-directory/managed-identities-azure-resources/overview)

+In the test configuration, [specify test fail criteria](./how-to-define-test-criteria.md) to catch application performance or stability regressions early in the development cycle. For example, get alerted when the average response time or the number of errors exceed a specific threshold.

+| `failureCriteria` | object | | Criteria that indicate when a test should fail. The structure of a fail criterion is: `Request: Aggregate_function (client_metric) condition threshold`. For more information on the supported values, see [Define load test fail criteria](./how-to-define-test-criteria.md#load-test-fail-criteria). |

+ You've now specified fail criteria for your load test based on the average response time and the error rate. The test will fail if at least one of these conditions is met:

+ In the CI/CD output log, you find that the test failed because one of the fail criteria was met. The load test average response time was higher than the value that you specified in the fail criteria.

+1. Edit the *SampleApp.yml* file and change the test's fail criteria to increase the criterion for average response time:

+* Learn more about [Defining test fail criteria](./how-to-define-test-criteria.md).

+resource_id = "<resource-id>"

+ml_client = MLClient(ManagedIdentityCredential(resource_id), subscription_id, resource_group, workspace)

+> - [**URIs**](#uris) - A **U**niform **R**esource **I**dentifier that is a reference to a storage location on your local computer or in the cloud that makes it very easy to access data in your jobs. Azure Machine Learning distinguishes two types of URIs:`uri_file` and `uri_folder`. If you want to consume a file as an input of a job, You can define this job input by providing `type` as `uri_file`, `path` as where the file is.

+> - [**MLTable**](#mltable) - `MLTable` helps you to abstract the schema definition for tabular data so it is more suitable for complex/changing schema or to be leveraged in automl. If you just want to create an data asset for a job or you want to write your own parsing logic in python you could use `uri_file`, `uri_folder`.

+> - [**Data asset**](#data-asset) - If you plan to share your data (URIs or MLTables) in your workspace to team members, or you want to track data versions, or track lineage, you can create data assets from URIs or MLTables you have. But if you didn't create data asset, you can still consume the data in jobs without lineange tracking, version management, etc.

+> - [**Datastore**](#datastore) - Azure Machine Learning Datastores securely keep the connection information(storage container name, credentials) to your data storage on Azure, so you don't have to code it in your scripts. You can use AzureML datastore uri and relative path to your data to point to your data. You can also register files/folders in your AzureML datastore into data assets.

+To consume a registered/created data asset in a job, you can define your job specification in a YAML file, you need to specify the type of your data asset (type will be set as ` uri_folder` by default if you don't provide a type value), and you can specify the path to be `azureml:<NAME_OF_DATA_ASSET>:<VERSION>` to spare the effort of checking what is the datastore uri or storage uri (these 2 paths are also supported).

+For example:

+This article focuses on serving a TensorFlow model with TensorFlow Serving. You can find [various examples](https://github.com/Azure/azureml-examples/tree/main/cli/endpoints/online/custom-container) for TorchServe, Triton Inference Server, Plumber R package, and AzureML Inference Minimal image.

+|[Method/API in SDK v1](/python/api/azurzeml-core/azureml.data)|[Method/API in SDK v2](/python/api/azure-ai-ml/azure.ai.ml.entities)|

+ Title: 'CLI (v2) mltable YAML schema'

+description: Reference documentation for the CLI (v2) MLTable YAML schema.

+# CLI (v2) mltable YAML schema

+`MLTable` is a way to abstract the schema definition for tabular data so that it is easier for consumers of the data to materialize the table into a Pandas/Dask/Spark dataframe.

+The ideal scenarios to use mltable are:

+- The schema of your data is complex and/or changes frequently.

+- You only need a subset of data. (for example: a sample of rows or files, specific columns, etc.)

+- AutoML jobs requiring tabular data.

+If your scenario does not fit the above, then it is likely that [URIs](reference-yaml-data.md) are a more suitable type.

+The source JSON schema can be found at https://azuremlschemas.azureedge.net/latest/MLTable.schema.json.

+> [!Note]

+> If you just want to create an data asset for a job or you want to write your own parsing logic in python you could just use `uri_file`, `uri_folder` as mentioned in [CLI (v2) data YAML schema](reference-yaml-data.md).

+## YAML syntax

+| Key | Type | Description | Allowed values | Default value |

+| | - | -- | -- | - |

+| `$schema` | string | The YAML schema. If you use the Azure Machine Learning VS Code extension to author the YAML file, including `$schema` at the top of your file enables you to invoke schema and resource completions. | | |

+| `type` | const | `mltable` to abstract the schema definition for tabular data so that it is easier for consumers of the data to materialize the table into a Pandas/Dask/Spark dataframe | `mltable` | `mltable`|

+| `paths` | array | Paths can be a `file` path, `folder` path or `pattern` for paths. `pattern` specifies a search pattern to allow globbing(* and **) of files and folders containing data. Supported URI types are `azureml`, `https`, `wasbs`, `abfss`, and `adl`. See [Core yaml syntax](reference-yaml-core-syntax.md) for more information on how to use the `azureml://` URI format. |`file`, `folder`, `pattern` | |

+| `transformations`| array | Defined sequence of transformations that are applied to data loaded from defined paths. |`read_delimited`, `read_parquet` , `read_json_lines` , `read_delta_lake`, `take` to take the first N rows from dataset, `take_random_sample` to take a random sample of records in the dataset approximately by the probability specified, `drop_columns`, `keep_columns`,... ||

+## Examples

+Examples are available in the [examples GitHub repository](https://github.com/Azure/azureml-examples/tree/main/sdk/python/assets/data). And please find examples below.

+## MLTable paths: file

+```yaml

+type: mltable

+paths:

+ - file: https://dprepdata.blob.core.windows.net/demo/Titanic2.csv

+transformations:

+ - take: 1

+```

+## MLTable paths: pattern

+```yaml

+type: mltable

+paths:

+ - pattern: ./*.txt

+transformations:

+ - read_delimited:

+ delimiter: ,

+ encoding: ascii

+ header: all_files_same_headers

+ - columns: [Trip_Pickup_DateTime, Trip_Dropoff_DateTime]

+ column_type:

+ datetime:

+ formats: ['%Y-%m-%d %H:%M:%S']

+```

+## MLTable transformations

+These transformations apply to all mltable-artifact files:

+- `take`: Takes the first *n* records of the table

+- `take_random_sample`: Takes a random sample of the table where each record has a *probability* of being selected. The user can also include a *seed*.

+- `drop_columns`: Drops the specified columns from the table. This transform supports regex so that users can drop columns matching a particular pattern.

+- `keep_columns`: Keeps only the specified columns in the table. This transform supports regex so that users can keep columns matching a particular pattern.

+- `convert_column_types`

+ - `columns`: The column name you want to convert type of.

+ - `column_type`: The type you want to convert the column to. For example: string, float, int, or datetime with specified formats.

+## MLTable transformations: read_delimited

+```yaml

+paths:

+ - file: https://dprepdata.blob.core.windows.net/demo/Titanic2.csv

+transformations:

+ - read_delimited:

+ infer_column_types: false

+ delimiter: ','

+ encoding: 'ascii'

+ empty_as_string: false

+ - take: 10

+```

+## Delimited files transformations

+The following transformations are specific to delimited files.

+- infer_column_types: Boolean to infer column data types. Defaults to `True`. Type inference requires that the data source is accessible from the current compute. Currently type inference will only pull first 200 rows.

+- encoding: Specify the file encoding. Supported encodings are `utf8`, `iso88591`, `latin1`, `ascii`, `utf16`, `utf32`, `utf8bom` and `windows1252`. Defaults to `utf8`.

+- header: user can choose one of the following options: `no_header`, `from_first_file`, `all_files_different_headers`, `all_files_same_headers`. Defaults to `all_files_same_headers`.

+- delimiter: The separator used to split columns.

+- empty_as_string: Specify if empty field values should be loaded as empty strings. The default (`False`) will read empty field values as nulls. Passing this setting as `True` will read empty field values as empty strings. If the values are converted to numeric or datetime, then this setting has no effect, as empty values will be converted to nulls.

+- include_path_column: Boolean to keep path information as column in the table. Defaults to `False`. This setting is useful when you are reading multiple files, and want to know which file a particular record originated from. And you can also keep useful information in file path.

+- support_multi_line: By default (support_multi_line=`False`), all line breaks, including those in quoted field values, will be interpreted as a record break. Reading data this way is faster and more optimized for parallel execution on multiple CPU cores. However, it may result in silently producing more records with misaligned field values. This setting should be set to `True` when the delimited files are known to contain quoted line breaks.

+## MLTable transformations: read_json_lines

+```yaml

+paths:

+ - file: ./order_invalid.jsonl

+transformations:

+ - read_json_lines:

+ encoding: utf8

+ invalid_lines: drop

+ include_path_column: false

+```

+## MLTable transformations: read_json_lines, convert_column_types

+```yaml

+paths:

+ - file: ./train_annotations.jsonl

+transformations:

+ - read_json_lines:

+ encoding: utf8

+ invalid_lines: error

+ include_path_column: false

+ - convert_column_types:

+ - columns: image_url

+ column_type: stream_info

+```

+### Json lines transformations

+Only flat Json files are supported.

+Below are the supported transformations that are specific for json lines:

+- `include_path_column` Boolean to keep path information as column in the MLTable. Defaults to False. This setting is useful when you are reading multiple files, and want to know which file a particular record originated from. And you can also keep useful information in file path.

+- `invalid_lines` How to handle lines that are invalid JSON. Supported values are `error` and `drop`. Defaults to `error`.

+- `encoding` Specify the file encoding. Supported encodings are `utf8`, `iso88591`, `latin1`, `ascii`, `utf16`, `utf32`, `utf8bom` and `windows1252`. Default is `utf8`.

+## MLTable transformations: read_parquet

+```yaml

+type: mltable

+traits:

+ index_columns: ID

+paths:

+ - file: ./crime.parquet

+transformations:

+ - read_parquet

+```

+### Parquet files transformations

+If the user doesn't define options for `read_parquet` transformation, default options will be selected (see below).

+- `include_path_column`: Boolean to keep path information as column in the table. Defaults to False. This setting is useful when you are reading multiple files, and want to know which file a particular record originated from. And you can also keep useful information in file path.

+## MLTable transformations: read_delta_lake

+```yaml

+type: mltable

+paths:

+- abfss://my_delta_files

+transforms:

+ - read_delta_lake:

+ timestamp_as_of: '2022-08-26T00:00:00Z'

+```

+### Delta lake transformations

+- `timestamp_as_of`: Timestamp to be specified for time-travel on the specific Delta Lake data.

+- `version_as_of`: Version to be specified for time-travel on the specific Delta Lake data.

+## Next steps

+- [Install and use the CLI (v2)](how-to-configure-cli.md)

+ :::image type="content" source="./media/tutorial-assess-vmware-azure-vm/assess.png" alt-text="Screenshot of Get started screen.":::

+ :::image type="content" source="./media/tutorial-assess-vmware-azure-vm/assess-servers.png" alt-text="Screenshot of Assess VM selection.":::

+ :::image type="content" source="./media/tutorial-assess-vmware-azure-vm/assessment-name.png" alt-text="Screenshot of View all button to review assessment properties.":::

+

+ - Size and cost recommendations are based on the location that you specify. Once you change the target location from default, you'll be prompted to specify **Reserved Instances** and **VM series**.

+ - If you select to use a reserved instance, you can't specify '**Discount (%)**, or **VM uptime**. [Learn more](https://aka.ms/azurereservedinstances).

+ :::image type="content" source="./media/tutorial-assess-vmware-azure-vm/assessment-properties.png" alt-text="Screenshot of Assessment properties.":::

+ :::image type="content" source="./media/tutorial-assess-vmware-azure-vm/assess-group.png" alt-text="Screenshot of adding VMs to a group.":::

+2. In **Assessments**, select an assessment to open it. As an example (estimations and costs, for example, only):

+ :::image type="content" source="./media/how-to-create-assessment/assessment-summary.png" alt-text="Screenshot of an Assessment summary.":::

+You can use the Azure Migrate Discovery and assessment tool to create assessments for on-premises VMware VMs and Hyper-V VMs, in preparation for migration to Azure. The Discovery and assessment tool assesses on-premises servers for migration to Azure IaaS virtual machines and Azure VMware Solution (AVS).

+Assessments that you create with the Discovery and assessment tool are a point-in-time snapshot of data. There are two types of assessments that you can create using Azure Migrate: Discovery and assessment.

+**Azure VM** | Assessments to migrate your on-premises servers to Azure virtual machines. <br/><br/> You can assess your on-premises [VMware VMs](how-to-set-up-appliance-vmware.md), [Hyper-V VMs](how-to-set-up-appliance-hyper-v.md), and [physical servers](how-to-set-up-appliance-physical.md) for migration to Azure using this assessment type.[Learn more](concepts-assessment-calculation.md).

+**Azure VMware Solution (AVS)** | Assessments to migrate your on-premises servers to [Azure VMware Solution (AVS)](../azure-vmware/introduction.md). <br/><br/> You can assess your on-premises [VMware VMs](how-to-set-up-appliance-vmware.md) for migration to Azure VMware Solution (AVS) using this assessment type.[Learn more](concepts-azure-vmware-solution-assessment-calculation.md).

+**Performance-based** | Assessments that make recommendations based on collected performance data. | **Azure VM assessment**: VM size recommendation is based on CPU and memory utilization data.<br/><br/> Disk type recommendation (standard HDD/SSD or premium-managed disks) is based on the IOPS and throughput of the on-premises disks.<br/><br/>**Azure SQL assessment**: The Azure SQL configuration is based on performance data of SQL instances and databases, which includes CPU utilization, Memory utilization, IOPS (Data and Log files), throughput, and latency of IO operations<br/><br/>**Azure VMware Solution (AVS) assessment**: AVS nodes recommendation is based on CPU and memory utilization data.

+An assessment done in Azure Migrate Discovery and assessment has three stages. Assessment starts with a suitability analysis, followed by sizing, and lastly, a monthly cost estimation. A machine only moves along to a later stage if it passes the previous one. For example, if a machine fails the Azure suitability check, itΓÇÖs marked as unsuitable for Azure, and sizing and costing won't be done. [Learn more](./concepts-assessment-calculation.md).

+**Azure Hybrid Benefit** | Specify whether you have software assurance and are eligible for [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/). If set to Yes, non-Windows Azure prices are considered for Windows VMs. By default, Azure Hybrid Benefit is set to Yes.

+| **Target location** | Specifies the AVS private cloud location to which you want to migrate.<br/><br/> AVS Assessment currently supports these target regions: East US, West Europe, and West US. |

+| **Storage type** | Specifies the storage engine to be used in AVS.<br/><br/> Note that AVS assessments only support vSAN as a default storage type. |

+**FTT Setting, RAID Level** | Specifies the applicable Failure to Tolerate (FTT) and Raid combinations. The selected FTT option combined with the on-premises VM disk requirement will determine the total vSAN storage required in AVS. |

+**Azure Hybrid Benefit** | Specifies whether you have software assurance and are eligible for [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/). Although this has no impact on the Azure VMware solution's pricing due to the node-based price, customers can still apply their on-premises OS licenses (Microsoft-based) in AVS using Azure Hybrid Benefits. Other software OS vendors such as RHEL, for example, will have to provide their own licensing terms. |

+**Target deployment type** | The target deployment type you want to run the assessment on: <br/><br/> Select **Recommended** if you want Azure Migrate to assess the readiness of your SQL servers for migrating to Azure SQL MI and Azure SQL DB, and recommend the best suited target deployment option, target tier, Azure SQL configuration, and monthly estimates.<br/><br/>Select **Azure SQL DB** if you want to assess your SQL servers for migrating to Azure SQL Databases only and review the target tier, Azure SQL DB configuration, and monthly estimates.<br/><br/>Select **Azure SQL MI** if you want to assess your SQL servers for migrating to Azure SQL Databases only and review the target tier, Azure SQL MI configuration, and monthly estimates.

+**Sizing criteria** | This property is used to right-size the Azure SQL configuration. <br/><br/> It is defaulted to **Performance-based** which means the assessment will collect the SQL Server instances and databases performance metrics to recommend an optimal-sized Azure SQL Managed Instance and/or Azure SQL Database tier/configuration recommendation.

+**Performance history** | Performance history specifies the duration used when the performance data is evaluated.

+**Offer/Licensing program** | The [Azure offer](https://azure.microsoft.com/support/legal/offer-details/) in which you're enrolled. Currently, you can only choose from **Pay-as-you-go** and **Pay-as-you-go Dev/Test**. Note that you can avail additional discount by applying reserved capacity and Azure Hybrid Benefit on top of Pay-as-you-go offer.

+1. In the Azure Migrate project, select **Servers**.

+2. In **Azure Migrate: Discovery and assessment**, select the assessments count.

+3. In **Assessment**, select the relevant assessment > **Edit properties**.

+6. Select **Save** to update the assessment.

+You can also edit the assessment properties when you're creating an assessment.

+For more information about performing a geo-restore, see the [how-to guide](how-to-restore-server-portal.md#perform-geo-restore).

+> [!div class="mx-tableFixed"]

+With public access, the Azure Database for PostgreSQL server is accessed through a public endpoint. By default, the firewall blocks all access to the server. To specify which IP hosts can access the server, you create server-level *firewall rules*. Firewall rules specify allowed public IP address ranges. The firewall grants access to the server based on the originating IP address of each request. With [private access](concepts-networking.md#private-access-vnet-integration) no public endpoint is available and only hosts located on the same network can access Azure Database for PostgreSQL - Flexible Server.

+1. From the overview page of the server, click **Restore** to [perform a PITR](how-to-restore-server-portal.md#restore-to-the-latest-restore-point). Choose **Latest restore point**.

+ Title: Point-in-time restore of a flexible server - Azure portal

+# Point-in-time restore of a flexible server

+This article provides a step-by-step procedure for using the Azure portal to perform point-in-time recoveries in a flexible server through backups. You can perform this procedure to the latest restore point or to a custom restore point within your retention period.

+## Prerequisites

+To complete this how-to guide, you need Azure Database for PostgreSQL - Flexible Server. The procedure is also applicable for a flexible server that's configured with zone redundancy.

+## Restore to the latest restore point

+Follow these steps to restore your flexible server to the latest restore point by using an existing backup:

+1. In the [Azure portal](https://portal.azure.com/), choose the flexible server that you want to restore the backup from.

+2. Select **Overview** from the left pane, and then select **Restore**.

+ :::image type="content" source="./media/how-to-restore-server-portal/restore-overview.png" alt-text="Screenshot that shows a server overview and the Restore button.":::

+3. Under **Source details**, select **Latest restore point (Now)**.

+4. Under **Server details**, for **Name**, provide a server name. For **Availability zone**, you can optionally choose an availability zone to restore to.

+ :::image type="content" source="./media/how-to-restore-server-portal/restore-latest.png" alt-text="Screenshot that shows selections for restoring to the latest restore point.":::

+5. Select **OK**. A notification shows that the restore operation has started.

+## Restore to a custom restore point

+Follow these steps to restore your flexible server to a custom restore point by using an existing backup:

+1. In the [Azure portal](https://portal.azure.com/), choose the flexible server that you want to restore the backup from.

+2. Select **Overview** from the left pane, and then select **Restore**.

+

+ :::image type="content" source="./media/how-to-restore-server-portal/restore-overview.png" alt-text="Screenshot that shows a server overview and the Restore button.":::

+4. Under **Source details**, choose **Select a custom restore point**.

+5. Under **Server details**, for **Name**, provide a server name. For **Availability zone**, you can optionally choose an availability zone to restore to.

+ :::image type="content" source="./media/how-to-restore-server-portal/restore-custom-2.png" alt-text="Screenshot that shows selections for restoring to a custom restore point.":::

+6. Select **OK**. A notification shows that the restore operation has started.

+## Restore by using fast restore

+Follow these steps to restore your flexible server by using a fast restore option:

+1. In the [Azure portal](https://portal.azure.com/), choose the flexible server that you want to restore the backup from.

+2. Select **Overview** from the left pane, and then select **Restore**.

+ :::image type="content" source="./media/how-to-restore-server-portal/restore-overview.png" alt-text="Screenshot that shows a server overview and the Restore button.":::

+4. Under **Source details**, choose **Select Fast restore point (Restore using full backup only)**. For **Fast Restore point (UTC)**, select the full backup of your choice.

+5. Under **Server details**, for **Name**, provide a server name. For **Availability zone**, you can optionally choose an availability zone to restore to.

+ :::image type="content" source="./media/how-to-restore-server-portal/fast-restore.png" alt-text="Screenshot that shows selections for a fast restore point.":::

+6. Select **OK**. A notification shows that the restore operation has started.

+## Perform geo-restore

+If your source server is configured with geo-redundant backup, you can restore the servers in a paired region.

+> [!NOTE]

+> For the first time that you perform a geo-restore, wait at least one hour after you create the source server.

+1. In the [Azure portal](https://portal.azure.com/), choose the flexible server that you want to geo-restore the backup from.

+2. Select **Overview** from the left pane, and then select **Restore**.

+

+ :::image type="content" source="./media/how-to-restore-server-portal/geo-restore-click.png" alt-text="Screenshot that shows the Restore button.":::

+3. Under **Source details**, for **Geo-redundant restore (preview)**, select the **Restore to paired region** checkbox.

+ :::image type="content" source="./media/how-to-restore-server-portal/geo-restore-choose-checkbox.png" alt-text="Screenshot that shows the option for restoring to a paired region for geo-redundant restore.":::

+

+4. Under **Server details**, the region and the database version are pre-selected. The server will be restored to the last available data at the paired region. For **Availability zone**, you can optionally choose an availability zone to restore to.

+5. Select **OK**. A notification shows that the restore operation has started.

+By default, the backups for the restored server are configured with geo-redundant backup. If you don't want geo-redundant backup, you can select **Configure Server** and then clear the **Restore to paired region** checkbox.

+If the source server is configured with *private access*, you can restore only to another virtual network in the remote region. You can either choose an existing virtual network or create a new virtual network and restore your server into that network.

+- Learn about [business continuity](./concepts-business-continuity.md).

+- Learn about [zone-redundant high availability](./concepts-high-availability.md).

+- Learn about [backup and recovery](./concepts-backup-restore.md).

+

+ 2. If service principal is used, under **API permissions**, the following **delegated permissions** are assigned with read for the following APIs:

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+

+ 3. If delegated authentication is used, under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:

+ - Power BI Service Tenant.Read.All

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+

+

+ 2. If service principal is used, under **API permissions**, the following **delegated permissions** are assigned with read for the following APIs:

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+

+ 3. If delegated authentication is used, under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:

+ - Power BI Service Tenant.Read.All

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+

+1. Create an app registration in your Azure AD tenant where Power BI is located. Provide a web URL in the **Redirect URI**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-cross-tenant-app-registration.png" alt-text="Screenshot how to create App in Azure AD for cross tenant.":::

+

+3. Take note of the client ID (app ID).

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions on Power BI and Microsoft Graph.":::

+1. Create an app registration in your Azure AD tenant where Power BI is located. Provide a web URL in the **Redirect URI**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-cross-tenant-app-registration.png" alt-text="Screenshot how to create App in Azure AD for cross tenant.":::

+

+2. Take note of the client ID (app ID).

+1. From the Azure AD dashboard, select the newly created application, and then select **App permissions**. Assign the application the following delegated permissions:

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-spn-api-permissions.png" alt-text="Screenshot of delegated permissions on Microsoft Graph.":::

+

+ 2. If service principal is used, under **API permissions**, the following **delegated permissions** are assigned with read for the following APIs:

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+

+ 3. If delegated authentication is used, under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:

+ - Power BI Service Tenant.Read.All

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+

+

+ 2. If service principal is used, under **API permissions**, the following **delegated permissions** are assigned with read for the following APIs:

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+

+ 3. If delegated authentication is used, under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:

+ - Power BI Service Tenant.Read.All

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-app-registration.png" alt-text="Screenshot how to create App in Azure AD.":::

+1. From Azure Active Directory dashboard, select newly created application and then select **App registration**. From **API Permissions**, assign the application the following delegated permissions:

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-spn-api-permissions.png" alt-text="Screenshot of delegated permissions on Microsoft Graph.":::

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-app-registration.png" alt-text="Screenshot how to create App in Azure AD.":::

+1. From Azure Active Directory dashboard, select newly created application and then select **App registration**. Assign the application the following delegated permissions, and grant admin consent for the tenant:

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions on Power BI Service and Microsoft Graph.":::

+The following image shows where ingestion-time data transformation enters the data ingestion flow in Microsoft Sentinel.

+Microsoft Sentinel collects data into the Log Analytics workspace from multiple sources.

+- Data from built-in data connectors is processed in Log Analytics using some combination of hardcoded workflows and ingestion-time transformations in the workspace DCR. This data can be stored in standard tables or in a specific set of custom tables.

+- Data ingested directly into the Logs ingestion API endpoint is processed by a DCR that may include an ingestion-time transformation, and then stored in either standard or custom tables. This data can then be stored in either standard or custom tables of any kind.

+To view all analytics rules and detections in Microsoft Sentinel, go to **Analytics** > **Rule templates**. This tab contains all the Microsoft Sentinel built-in rules, as well as the **Threat Intelligence** rule type.

+| **Threat Intelligence** | Take advantage of threat intelligence produced by Microsoft to generate high fidelity alerts and incidents with the **Microsoft Threat Intelligence Analytics** rule. This unique rule is not customizable, but when enabled, will automatically match Common Event Format (CEF) logs, Syslog data or Windows DNS events with domain, IP and URL threat indicators from Microsoft Threat Intelligence. Certain indicators will contain additional context information through MDTI (**Microsoft Defender Threat Intelligence**).<br><br>For more information on how to enable this rule, see [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md).<br>For more details on MDTI, see [What is Microsoft Defender Threat Intelligence](/../defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti)

+Search results are stored in a table that has a *_SRCH suffix.

+- [Basic logs](../azure-monitor/logs/basic-logs-configure.md)

+You can also search analytics or basic log data stored in [archived logs](../azure-monitor/logs/data-retention-archive.md).

+- Search date range is up to seven years.

+- [Search across long time spans in large datasets](search-jobs.md)

+- [Restore archived logs from search](restore.md)

+ Title: Deploy SAP Change Requests (CRs) and configure authorization

+# Deploy SAP Change Requests and configure authorization

+This article shows you how to deploy SAP Change Requests (CRs), which prepare the environment for the installation of the SAP agent, so that it can properly connect to your SAP systems.

+> [!IMPORTANT]

+> - This article presents a [**step-by-step guide**](#deploy-crs) to deploying the relevant CRs. It's recommended for SOC engineers or implementers who may not necessarily be SAP experts.

+> - Experienced SAP administrators that are familiar with the CR deployment process may prefer to get the appropriate CRs directly from the [**SAP environment validation steps**](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#sap-environment-validation-steps) section of the guide and deploy them. Note that the *NPLK900271* CR deploys a sample role, and the administrator may prefer to manually define the role according to the information in the [**Required ABAP authorizations**](#required-abap-authorizations) section below.

+## Required and optional CRs

+This article discusses the installation of the following CRs:

+|CR |Required/optional |Description |

+||||

+|NPLK900271 |Required |This CR creates and configures a role. Alternatively, you can can load the authorizations directly from a file. [Review how to create and configure a role](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#create-and-configure-a-role-required). |

+|NPLK900201 or NPLK900202 |Optional |[Retrieves additional information from SAP](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#retrieve-additional-information-from-sap-optional). You select one of these CRs according to your SAP version. |

+## Prerequisites

+1. Make sure you've copied the details of the **SAP system version**, **System ID (SID)**, **System number**, **Client number**, **IP address**, **administrative username** and **password** before beginning the deployment process. For the following example, the following details are assumed:

+ - **SAP system version:** `SAP ABAP Platform 1909 Developer edition`

+ - **SID:** `A4H`

+ - **System number:** `00`

+ - **Client number:** `001`

+ - **IP address:** `192.168.136.4`

+ - **Administrator user:** `a4hadm`, however, the SSH connection to the SAP system is established with `root` user credentials.

+1. Review the [SAP environment validation steps](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#sap-environment-validation-steps) to determine which CRs to install.

+1. If you installed the NPLK900202 [optional CR](#required-and-optional-crs) used to retrieve additional information, make sure you've installed the [relevant SAP note](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#deploy-sap-note-optional).

+To deploy the CRs, follow the steps outlined below. The steps below may differ according to the version of the SAP system and should be considered for demonstration purposes only.

+## Deploy CRs

+### Set up the files

+1. Sign in to the SAP system using SSH.

+1. Transfer the CR files to the SAP system. Learn more about [the CRs in this step](#required-and-optional-crs).

+ Alternatively, you can download the files directly onto the SAP system from the SSH prompt. Use the following commands:

+ - Download NPLK900271 (required)

+ ```bash

+ wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900271.NPL

+ wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900271.NPL

+ ```

+ Alternatively, you can [load these authorizations directly from a file](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#create-and-configure-a-role-required).

+

+ - Download NPLK900202 (optional)

+ - Download NPLK900201 (optional)

+ ```

+1. If you plan to deploy more CRs, repeat the procedure in the preceding 5 steps for the remaining CRs.

+1. If you have remaining Transport Requests to add to the deployment, repeat step 9.

+1. If you deployed the *NPLK900202* CR, it is expected to display a **Warning**. Select the entry to verify that the warnings displayed are of type "Table \<tablename\> was activated."

+

+ The CRs and versions in the screenshots below may change according to your installed CR version.

+After the *NPLK900271* CR is deployed, a **/MSFTSEN/SENTINEL_CONNECTOR** role is created in SAP. If the role is created manually, it may bear a different name.

+> To create a role with all the required authorizations, deploy the SAP *NPLK900271* CR on the SAP system, or load the role authorizations from the [MSFTSEN_SENTINEL_CONNECTOR_ROLE_V0.0.27.SAP](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Sample%20Authorizations%20Role%20File) file. This CR creates the **/MSFTSEN/SENTINEL_CONNECTOR** role that has all the necessary permissions for the data connector to operate.

+> Alternatively, you can create a role that has minimal permissions by deploying the *NPLK900268* CR, or loading the role authorizations from the [MSFTSEN_SENTINEL_AGENT_BASIC_ROLE_V0.0.1.SAP](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Sample%20Authorizations%20Role%20File) file. This CR or authorizations file creates the **/MSFTSEN/SENTINEL_AGENT_BASIC** role. This role has the minimal required permissions for the data connector to operate. Note that if you choose to deploy this role, you might need to update it frequently.

+| **Supported SAP versions** | The SAP data connector agent support SAP NetWeaver systems and was tested on [SAP_BASIS versions 731](https://support.sap.com/en/my-support/software-downloads/support-package-stacks/product-versions.html#:~:text=SAP%20NetWeaver%20%20%20%20SAP%20Product%20Version,%20%20SAPKB710%3Cxx%3E%20%207%20more%20rows) and above. <br><br>Certain steps in this tutorial provide alternative instructions if you're working on the older [SAP_BASIS version 740](https://support.sap.com/en/my-support/software-downloads/support-package-stacks/product-versions.html#:~:text=SAP%20NetWeaver%20%20%20%20SAP%20Product%20Version,%20%20SAPKB710%3Cxx%3E%20%207%20more%20rows). |

+## SAP environment validation steps

+> Step-by-step instructions for deploying a CR and assigning the required role are available in the [**Deploying SAP CRs and configuring authorization**](preparing-sap.md) guide. Determine which CRs need to be deployed, retrieve the relevant CRs from the links in the tables below, and proceed to the step-by-step guide.

+- [Create and configure a role (required)](#create-and-configure-a-role-required)

+- [Retrieve additional information from SAP (optional)](#retrieve-additional-information-from-sap-optional)

+### Create and configure a role (required)

+To allow the SAP data connector to connect to your SAP system, you must create a role. Create the role by deploying CR **NPLK900271** or by loading the role authorizations from the [MSFTSEN_SENTINEL_CONNECTOR_ROLE_V0.0.27.SAP](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Sample%20Authorizations%20Role%20File) file.

+| Any version | *NPLK900271*: [K900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900271.NPL), [R900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900271.NPL) |

+### Retrieve additional information from SAP (optional)

+You can deploy additional CRs from the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/CR) to enable the SAP data connector to retrieve certain information from your SAP system.

+- **SAP BASIS 7.5 SP12 and above**: Client IP Address information from security audit log

+- **ANY SAP BASIS version**: DB Table logs, Spool Output log

+| SAP BASIS versions | Recommended CR |Notes |

+| | | |

+| - 750 and later | *NPLK900202*: [K900202.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900202.NPL), [R900202.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900202.NPL) | Deploy the relevant [SAP note](#deploy-sap-note-optional). |

+| - 740 | *NPLK900201*: [K900201.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900201.NPL), [R900201.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900201.NPL) | |

+#### Deploy SAP note (optional)

+If you choose to retrieve additional information with the [NPLK900202 optional CR](#retrieve-additional-information-from-sap-optional), ensure that the following SAP note is deployed in your SAP system, according to its version:

+| SAP BASIS versions | Notes |

+| | |

+| - 750 SP01 to SP12<br>- 751 SP01 to SP06<br>- 752 SP01 to SP03 | [2641084 - Standardized read access to data of Security Audit Log](https://launchpad.support.sap.com/#/notes/2641084)* |

+| The "SAP User Config" watchlist | User's Microsoft Azure Active Directory (Azure AD) Object ID | Azure AD Object ID |

+| The "SAP User Config" watchlist | User on-premises Sid | |

+ Available by using RFC based on standard SAP table and standard services of XBP interface. This log is generated per client.

+ Available by using RFC based on standard SAP tables. This log is generated per client.

+ Available by using RFC based on standard tables and standard SAP services. This log is generated with data across all clients.

+ Available by using RFC based on standard SAP table and standard services of XBP interfaces. This log is generated with data across all clients.

+ Available by using RFC based on standard SAP table. This log is generated with data across all clients.

+ Available by using RFC based on standard SAP tables. This log is generated per client.

+ :::image type="content" source="media/search-jobs/search-job-criteria.png" alt-text="Screenshot of search page with search criteria of administrator, time range last 90 days, and table selected." lightbox="media/search-jobs/search-job-criteria.png":::

+ :::image type="content" source="media/search-jobs/search-job-advanced-kql.png" alt-text="Screenshot of KQL editor with the initial search and the results for a seven day period." lightbox="media/search-jobs/search-job-advanced-kql.png":::

+ :::image type="content" source="media/search-jobs/search-job-advanced-kql-revise.png" alt-text="Screenshot of KQL editor with revised search." lightbox="media/search-jobs/search-job-advanced-kql-revise.png":::

+ :::image type="content" source="media/search-jobs/search-job-advanced-kql-ellipsis.png" alt-text="Screenshot of KQL editor with revised search with ellipsis highlighted for Search job mode." lightbox="media/search-jobs/search-job-advanced-kql-ellipsis.png":::

+ :::image type="content" source="media/search-jobs/search-job-advanced-kql-custom-time-range.png" alt-text="Screenshot of KQL editor with revised search, and custom time range." lightbox="media/search-jobs/search-job-advanced-kql-custom-time-range.png":::

+ :::image type="content" source="media/search-jobs/view-search-results.png" alt-text="Screenshot that shows the link to view search results at the bottom of the search job card." lightbox="media/search-jobs/view-search-results.png":::

+ :::image type="content" source="media/search-jobs/search-results-filter.png" alt-text="Screenshot that shows search job results with added filters." lightbox="media/search-jobs/search-results-filter.png":::

+ :::image type="content" source="media/search-jobs/search-results-add-bookmark.png" alt-text="Screenshot that shows search job results with a bookmark in the process of being added." lightbox="media/search-jobs/search-results-add-bookmark.png":::

+The most widely adopted industry standard for the transmission of threat intelligence is a [combination of the STIX data format and the TAXII protocol](https://oasis-open.github.io/cti-documentation/). If your organization obtains threat indicators from solutions that support the current STIX/TAXII version (2.0 or 2.1), you can use the **Threat Intelligence - TAXII** data connector to bring your threat indicators into Microsoft Sentinel. The Threat Intelligence - TAXII data connector enables a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers.

+Microsoft provides access to its threat intelligence through the **Microsoft Threat Intelligence Analytics** rule. For more information on how to take advantage of this rule which generates high fidelity alerts and incidents, see [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md)

+- [Investigate incidents](./investigate-cases.md) in Microsoft Sentinel.

+ // the processor that reads and processes messages from the queue

+ ServiceBusProcessor processor;

+* Do not apply any parallelism within a transaction.

+* Consider dispose transaction as soon as possible after commit completes (especially if using ConcurrentQueue).

+* Do not perform any blocking code inside a transaction.

+We'll make use of the step-by-step Azure deployment templates used in the [Scale up a Service Fabric cluster primary node type](service-fabric-scale-up-primary-node-type.md) guide. However, we'll modify them so they aren't specific to primary node types. The templates are [available on GitHub](https://github.com/microsoft/service-fabric-scripts-and-templates/tree/master/templates/nodetype-upgrade).

+Let's set up the initial Service Fabric test cluster. First, [download](https://github.com/microsoft/service-fabric-scripts-and-templates/tree/master/templates/nodetype-upgrade) the Azure Resource Manager sample templates that we'll use to complete this scenario.

+Next open the [*parameters.json*](https://github.com/microsoft/service-fabric-scripts-and-templates/blob/master/templates/nodetype-upgrade/parameters.json) file and update the value for `clusterName` to something unique (within Azure).

+Most of the required changes for this step have already been made for you in the [*Step1-AddPrimaryNodeType.json*](https://github.com/microsoft/service-fabric-scripts-and-templates/blob/master/templates/nodetype-upgrade/Step1-AddPrimaryNodeType.json) template file. However, an additional change must be made so the template file works for non-primary node types. The following sections will explain these changes in detail, and call outs will be made when you must make a change.

+Most of the required changes for this step have already been made for you in the [*Step3-CleanupOriginalPrimaryNodeType.json*](https://github.com/microsoft/service-fabric-scripts-and-templates/blob/master/templates/nodetype-upgrade/Step3-CleanupOriginalPrimaryNodeType.json) template file. However, an additional change must be made so the template file works for non-primary node types. The following sections will explain these changes in detail, and call outs will be made when you must make a change.

+* [Scale a standalone cluster in or out](service-fabric-cluster-windows-server-add-remove-nodes.md).

+* Azure Spring Apps offers three pricing tiers: Basic, Standard, and Enterprise. The Basic tier is targeted for Dev/Test and trying out Azure Spring Apps. The Standard tier is optimized to run general purpose production traffic. The Enterprise tier is for production workloads with VMware Tanzu components. See [Azure Spring Apps pricing details](https://azure.microsoft.com/pricing/details/spring-apps/) for limits and feature level comparison.

+| Azure Spring Apps instance type | Default number of outbound public IP addresses |

+|||

+| Basic tier instances | 1 |

+| Standard/Enterprise tier instances | 2 |

+| VNet injection instances | 1 |

+Multiple Storage service operations can be associated with a single permission or DataAction. However, each of these operations that are associated with the same permission might support different parameters. *Suboperations* enable you to differentiate between service operations that require the same permission but support a different set of attributes for conditions. Thus, by using a suboperation, you can specify one condition for access to a subset of operations that support a given parameter. Then, you can use another access condition for operations with the same action that doesn't support that parameter.

+For example, the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` action is required for over a dozen different service operations. Some of these operations can accept blob index tags as a request parameter, while others don't. For operations that accept blob index tags as a parameter, you can use blob index tags in a Request condition. However, if such a condition is defined on the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` action, all operations that don't accept tags as a request parameter cannot evaluate this condition, and will fail the authorization access check.

+> Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, you must use blob index tags with conditions. For more information, see [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md).

+The `Read content from a blob with tag conditions` suboperation has been deprecated. Although it is currently supported for compatibility with conditions implemented during the ABAC feature preview, Microsoft recommends using the [Read a blob](#read-a-blob) action instead.

+When configuring ABAC conditions in the Azure portal, you might see **DEPRECATED: Read content from a blob with tag conditions**. Microsoft recommends removing the operation and replacing it with the `Read a blob` action.

+If you are authoring your own condition where you want to restrict read access by tag conditions, please refer to [Example: Read blobs with a blob index tag](storage-auth-abac-examples.md#example-read-blobs-with-a-blob-index-tag).

+> | **Learn more** | [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md) |

+> | **Learn more** | [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md) |

+> | **Learn more** | [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md) |

+> | **Learn more** | [Azure Data Lake Storage Gen2 hierarchical namespace](data-lake-storage-namespace.md) |

+> | **Learn more** | [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md)<br/>[Azure Data Lake Storage Gen2 hierarchical namespace](data-lake-storage-namespace.md) |

+> | **Learn more** | [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md)<br/>[Azure Data Lake Storage Gen2 hierarchical namespace](data-lake-storage-namespace.md) |

+> | **Learn more** | [Create and manage encryption scopes](encryption-scope-manage.md) |

+> | **Learn more** | [Azure Data Lake Storage Gen2 hierarchical namespace](data-lake-storage-namespace.md) |

+> | **Learn more** | [Blob snapshots](snapshots-overview.md)<br/>[Azure Data Lake Storage Gen2 hierarchical namespace](data-lake-storage-namespace.md) |

+> | **Learn more** | [Azure Data Lake Storage Gen2 hierarchical namespace](data-lake-storage-namespace.md) |

+In most cases, a role assignment will grant the permissions you need to Azure resources. However, in some cases you might want to provide more granular access control by adding a role assignment condition.

+You can authorize access to Blob storage from the Azure CLI either with Azure AD credentials or by using the storage account access key. This article shows how to authorize Blob storage operations using Azure AD. For more information, see [Quickstart: Create, download, and list blobs with Azure CLI](storage-quickstart-blobs-cli.md)

+1. Use [az storage account](/cli/azure/storage/account) to create a storage account that is compatible with the blob index feature. For more information, see [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md#regional-availability-and-storage-account-support).

+1. Add the following blob index tag to the text file. For more information, see [Use blob index tags to manage and find data on Azure Blob Storage](storage-blob-index-how-to.md).

+This section includes examples involving blob index tags.

+> [!NOTE]

+> Although the `Read content from a blob with tag conditions` suboperation is currently supported for compatibility with conditions implemented during the ABAC feature preview, it has been deprecated and Microsoft recommends using the [`Read a blob`](storage-auth-abac-attributes.md#read-a-blob) action instead.

+> When configuring ABAC conditions in the Azure portal, you might see **DEPRECATED: Read content from a blob with tag conditions**. Microsoft recommends removing the operation and replacing it with the `Read a blob` action.

+> If you are authoring your own condition where you want to restrict read access by tag conditions, please refer to [Example: Read blobs with a blob index tag](storage-auth-abac-examples.md#example-read-blobs-with-a-blob-index-tag).

+This condition allows users to read blobs with a [blob index tag](storage-blob-index-how-to.md) key of Project and a value of Cascade. Attempts to access blobs without this key-value tag will not be allowed.

+This condition requires that any new blobs must include a [blob index tag](storage-blob-index-how-to.md) key of Project and a value of Cascade.

+This condition requires that any existing blobs be tagged with at least one of the allowed [blob index tag](storage-blob-index-how-to.md) keys: Project or Program. This condition is useful for adding governance to existing blobs.

+This condition requires that any existing blobs to have a [blob index tag](storage-blob-index-how-to.md) key of Project and values of Cascade, Baker, or Skagit. This condition is useful for adding governance to existing blobs.

+This condition allows a user to read blobs with a [blob index tag](storage-blob-index-how-to.md) key of Program, a value of Alpine, and a blob path of logs*. The blob path of logs* also includes the blob name.

+This condition allows a user to only read blobs in storage accounts with [hierarchical namespace](data-lake-storage-namespace.md) enabled. This condition is applicable only at resource group scope or above.

+This condition allows read or write access to blobs if the user has a [custom security attribute](../../active-directory/fundamentals/custom-security-attributes-overview.md) that matches the [blob index tag](storage-blob-index-how-to.md).

+This condition allows read access to blobs if the user has a [custom security attribute](../../active-directory/fundamentals/custom-security-attributes-overview.md) with any values that matches the [blob index tag](storage-blob-index-how-to.md).

+In most cases, a role assignment will grant the permissions you need to Azure resources. However, in some cases you might want to provide more granular access control by adding a role assignment condition.

+1. Create a storage account that is compatible with the blob index tags feature. For more information, see [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md#regional-availability-and-storage-account-support).

+ If you don't see the Blob index tags section and you just registered your subscription, you might need to wait a few minutes for changes to propagate. For more information, see [Use blob index tags to manage and find data on Azure Blob Storage](storage-blob-index-how-to.md).

+In most cases, a role assignment will grant the permissions you need to Azure resources. However, in some cases you might want to provide more granular access control by adding a role assignment condition.

+1. Use [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount) to create a storage account that is compatible with the blob index feature. For more information, see [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md#regional-availability-and-storage-account-support).

+1. Add the following blob index tag to the text file. For more information, see [Use blob index tags to manage and find data on Azure Blob Storage](storage-blob-index-how-to.md).

+Similarly, conditions are not evaluated when access is granted using [access control lists (ACLs)](data-lake-storage-access-control.md) in storage accounts with a [hierarchical namespace](data-lake-storage-namespace.md) (HNS).

+[Blob index tags](storage-manage-find-blobs.md) are used as free-form attributes for conditions in storage. If you author any access conditions by using these tags, you must also protect the tags themselves. Specifically, the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write` DataAction allows users to modify the tags on a storage object. You can restrict this action to prevent users from manipulating a tag key or value to gain access to unauthorized objects.

+Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources and requests. With ABAC, you can grant a security principal access to a resource based on a condition expressed as a predicate using these attributes.

+You can [use Azure Active Directory](../common/authorize-data-access.md) (Azure AD) to authorize requests to Azure storage resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access Azure storage data. You can also define custom roles with select sets of permissions. Azure Storage supports role assignments for both storage accounts and blob containers.

+The trade-off of using conditions is that you need a structured and consistent taxonomy when using attributes across your organization. Attributes must be protected to prevent access from being compromised. Also, conditions must be carefully designed and reviewed for their effect.

+Role-assignment conditions in Azure Storage are supported for Azure blob storage. You can also use conditions with accounts that have the [hierarchical namespace](data-lake-storage-namespace.md) (HNS) feature enabled on them (Data Lake Storage Gen2).

+You can use conditions with custom roles as long as the role includes [actions that support conditions](storage-auth-abac-attributes.md#azure-blob-storage-actions-and-suboperations).

+If you're working with conditions based on [blob index tags](storage-manage-find-blobs.md), you should use the *Storage Blob Data Owner* since permissions for tag operations are included in this role.

+The [Azure role assignment condition format](../../role-based-access-control/conditions-format.md) allows the use of `@Principal`, `@Resource` or `@Request` attributes in the conditions. A `@Principal` attribute is a custom security attribute on a principal, such as a user, enterprise application (service principal), or managed identity. A `@Resource` attribute refers to an existing attribute of a storage resource that is being accessed, such as a storage account, a container, or a blob. A `@Request` attribute refers to an attribute or parameter included in a storage operation request.

+[Azure RBAC supports a limited number of role assignments per subscription](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits). If you need to create thousands of Azure role assignments, you may encounter this limit. Managing hundreds or thousands of role assignments can be difficult. In some cases, you can use conditions to reduce the number of role assignments on your storage account and make them easier to manage. You can [scale the management of role assignments](../../role-based-access-control/conditions-custom-security-attributes-example.md) using conditions and [Azure AD custom security attributes]() for principals.

+ > When deployed to Azure, this same code can be used to authorize requests to Azure Storage from an application running in Azure. However, you'll need to enable managed identity on your app in Azure. Then configure your storage account to allow that managed identity to connect. For detailed instructions on configuring this connection between Azure services, see the [Auth from Azure-hosted apps](/azure/developer/java/sdk/identity-azure-hosted-auth) tutorial.

+ > When deployed to Azure, this same code can be used to authorize requests to Azure Storage from an application running in Azure. However, you'll need to enable managed identity on your app in Azure. Then configure your storage account to allow that managed identity to connect. For detailed instructions on configuring this connection between Azure services, see the [Auth from Azure-hosted apps](/azure/developer/python/sdk/authentication-azure-hosted-apps) tutorial.

+- **Azure Active Directory Domain Services (Azure AD DS) authentication** for Azure Files. Azure Files supports identity-based authorization over Server Message Block (SMB) through Azure AD DS. You can use Azure RBAC for granular control over a client's access to Azure Files resources in a storage account. For more information about Azure Files authentication using domain services, see the [overview](../files/storage-files-active-directory-overview.md).

+- **Define a stored access policy for a service SAS.** Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. Set the expiration on these very far in the future (or infinite) and make sure it's regularly updated to move it farther into the future. There is a limit of five stored access policies per container.

+ There is no direct way to identify which clients have accessed a resource. However, you can use the unique fields in the SAS, the signed IP (`sip`), signed start (`st`), and signed expiry (`se`) fields, to track access. For example, you can generate a SAS token with a unique expiry time that you can then correlate with client to whom it was issued.

+ az elastic-san volume-group update -e $sanName -g $resourceGroupName --name $volumeGroupName --network-acls "{virtual-network-rules:[{id:/'subscriptions/subscriptionID/resourceGroups/RGName/providers/Microsoft.Network/virtualNetworks/vnetName/subnets/default',action:Allow}]}"

+ Title: Troubleshoot Azure File Sync sync group management

+> [!Note]

+> Different Windows versions support different TLS cipher suites and priority order. See [TLS Cipher Suites in Windows](/windows/win32/secauthn/cipher-suites-in-schannel) for the corresponding Windows version and the supported cipher suites and default order in which they are chosen by the Microsoft Schannel Provider.

+Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard [Server Message Block (SMB) protocol](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) or [Network File System (NFS) protocol](https://en.wikipedia.org/wiki/Network_File_System). In this tutorial, you'll learn a few ways you can use an SMB Azure file share in a Windows virtual machine (VM).

+Before you can work with an Azure file share, you must create an Azure storage account.

+description: How to create and delete an SMB Azure file share by using the Azure portal, Azure PowerShell, or Azure CLI.

+1. Log in to your Azure account. To use multi-factor authentication, you'll need to supply your Azure tenant ID.

+## Getting started

+> There are much better and easier [recommended ways to display Application Insights data in Power BI](../azure-monitor/logs/log-powerbi.md) if you've [migrated to a workspace-based resource](../azure-monitor/app/convert-classic-resource.md). The path illustrated here is just an example to illustrate how to process exported data.

+> There are much better and easier [recommended ways to display Application Insights data in Power BI](../azure-monitor/logs/log-powerbi.md) if you've [migrated to a workspace-based resource](../azure-monitor/app/convert-classic-resource.md). The path illustrated here is just an example to illustrate how to process exported data.

+principal_client_id = "<< service principal client id >>"

+principal_secret = "<< service principal secret ho>>"

+import msal

+# Define scope of the Service for the app registration before requesting from AAD

+scope ="https://database.windows.net/.default"

+authority = "https://login.microsoftonline.net/" + tenant_id

+# Get service principal

+service_principal_id = mssparkutils.credentials.getSecret('azure key vault name','principal_client_id')

+service_principal_secret = mssparkutils.credentials.getSecret('azure key vault name','principal_secret')

+context = msal.ConfidentialClientApplication(

+ service_principal_id, service_principal_secret, authority

+ )

+token = app.acquire_token_silent([scope])

+access_token = token["access_token"]

+ Title: Configure Azure Synapse Link for Azure SQL Database with network security (preview)

+description: Learn how to configure Azure Synapse Link for Azure SQL Database with network security (preview).

+# Configure Azure Synapse Link for Azure SQL Database with network security (preview)

+This article is a guide for configuring Azure Synapse Link for Azure SQL Database with network security. Before you begin, you should know how to create and start Azure Synapse Link for Azure SQL Database from [Get started with Azure Synapse Link for Azure SQL Database](connect-synapse-link-sql-database.md).

+> Azure Synapse Link for SQL is currently in preview.

+## Create a managed workspace virtual network without data exfiltration

+In this section, you create an Azure Synapse workspace with a managed virtual network enabled. For **Managed virtual network**, you'll select **Enable**, and for **Allow outbound data traffic only to approved targets**, you'll select **No**. For an overview, see [Azure Synapse Analytics managed virtual network](../security/synapse-workspace-managed-vnet.md).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to your Azure Synapse workspace, select **Networking**, and then select the **Allow Azure Synapse Link for Azure SQL Database to bypass firewall rules** checkbox.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/enable-bypass-firewall-rules.png" alt-text="Screenshot that shows how to enable bypassing firewall rules.":::

+1. Open Synapse Studio, go to **Manage**, select **Integration runtimes**, and then select **AutoResolvingIntegrationRuntime**.

+1. In the pop-up window, select the **Virtual network** tab, and then enable **Interactive authoring**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/enable-interactive-authoring.png" alt-text="Screenshot that shows how to enable interactive authoring.":::

+1. From the **Integrate** pane, create a link connection to replicate data from your Azure SQL database to an Azure Synapse SQL pool.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-link.png" alt-text="Screenshot that shows how to create a link to an Azure Synapse SQL pool.":::

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-link-sql-db.png" alt-text="Screenshot that shows how to create a link connection from an Azure SQL database.":::

+1. Start your link connection.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/start-link.png" alt-text="Screenshot of starting a link connection.":::

+## Create a managed workspace virtual network with data exfiltration

+In this section, you create an Azure Synapse workspace with managed virtual network enabled. You'll enable **Managed virtual network**, and you'll select **Yes** to limit outbound traffic from the managed workspace virtual network to targets through managed private endpoints. For an overview, see [Azure Synapse Analytics managed virtual network](../security/synapse-workspace-managed-vnet.md).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to your Azure Synapse workspace, select **Networking**, and then select the **Allow Azure Synapse Link for Azure SQL Database to bypass firewall rules** checkbox.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/enable-bypass-firewall-rules.png" alt-text="Screenshot that shows how to enable bypassing firewall rules.":::

+1. Open Synapse Studio, go to **Manage**, select **Integration runtimes**, and then select **AutoResolvingIntegrationRuntime**.

+1. In the pop-up window, select the **Virtual network** tab, and then enable **Interactive authoring**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/enable-interactive-authoring.png" alt-text="Screenshot that shows how to enable interactive authoring.":::

+1. Create a linked service that connects to your Azure SQL database with a managed private endpoint enabled.

+ a. Create a linked service that connects to your Azure SQL database.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/new-sql-db-linked-service-pe.png" alt-text="Screenshot of a new Azure SQL database linked service private endpoint.":::

+ b. Create a managed private endpoint in a linked service for the Azure SQL database.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/new-sql-db-linked-service-pe1.png" alt-text="Screenshot of a new Azure SQL database linked service private endpoint 1.":::

+ c. Complete the managed private endpoint creation in the linked service for the Azure SQL database.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/new-sql-db-linked-service-pe2.png" alt-text="Screenshot of a new Azure SQL database linked service private endpoint 2.":::

+ d. Go to the Azure portal for your SQL Server instance that hosts an Azure SQL database as a source store, and then approve the private endpoint connections.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/new-sql-db-linked-service-pe3.png" alt-text="Screenshot of a new Azure SQL database linked service private endpoint 3.":::

+1. Now you can create a link connection from the **Integrate** pane to replicate data from your Azure SQL database to an Azure Synapse SQL pool.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-link.png" alt-text="Screenshot that shows how to create a link.":::

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-link-sql-db.png" alt-text="Screenshot of creating a link to the SQL database.":::

+1. Start your link connection.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/start-link.png" alt-text="Screenshot that shows how to start the link connection.":::

+If you're using a database other than an Azure SQL database, see:

+ Title: Get started with Azure Synapse Link for Azure SQL Database (preview)

+description: Learn how to connect an Azure SQL database to an Azure Synapse workspace with Azure Synapse Link (preview).

+# Get started with Azure Synapse Link for Azure SQL Database (preview)

+This article is a step-by-step guide for getting started with Azure Synapse Link for Azure SQL Database. For an overview of this feature, see [Azure Synapse Link for Azure SQL Database (preview)](sql-database-synapse-link.md).

+> Azure Synapse Link for SQL is currently in preview.

+* To get Azure Synapse Link for SQL, see [Create a new Azure Synapse workspace](https://portal.azure.com/#create/Microsoft.Synapse). The current tutorial is to create Azure Synapse Link for SQL in a public network. This article assumes that you selected **Disable Managed virtual network** and **Allow connections from all IP address** when you created an Azure Synapse workspace. If you want to configure Azure Synapse Link for Azure SQL Database with network security, also see [Configure Azure Synapse Link for Azure SQL Database with network security](connect-synapse-link-sql-database-vnet.md).

+* For database transaction unit (DTU)-based provisioning, make sure that your Azure SQL Database service is at least Standard tier with a minimum of 100 DTUs. Free, Basic, or Standard tiers with fewer than 100 DTUs provisioned aren't supported.

+## Configure your source Azure SQL database

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to your Azure SQL logical server, select **Identity**, and then set **System assigned managed identity** to **On**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/set-identity-sql-database.png" alt-text="Screenshot of turning on the system-assigned managed identity.":::

+1. Go to **Networking**, and then select the **Allow Azure services and resources to access this server** checkbox.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/configure-network-firewall-sql-database.png" alt-text="Screenshot that shows how to configure firewalls for your SQL database by using the Azure portal.":::

+1. Using Microsoft SQL Server Management Studio (SSMS) or Azure Data Studio, connect to the logical server. If you want to have your Azure Synapse workspace connect to your Azure SQL database by using a managed identity, set the Azure Active Directory admin permissions on the logical server. To apply the privileges in step 6, use the same admin name to connect to the logical server with administrative privileges.

+1. Expand **Databases**, right-click the database you've created, and then select **New Query**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/ssms-new-query.png" alt-text="Screenshot that shows how to select your database and create a new query.":::

+1. If you want to have your Azure Synapse workspace connect to your source Azure SQL database by using a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), run the following script to provide the managed identity permission to the source database.

+ **You can skip this step** if you instead want to have your Azure Synapse workspace connect to your source Azure SQL database via SQL authentication.

+1. You can create a table with your own schema. The following code is just an example of a `CREATE TABLE` query. You can also insert some rows into this table to ensure that there's data to be replicated.

+## Create your target Azure Synapse SQL pool

+1. Open [Synapse Studio](https://web.azuresynapse.net/).

+1. Go to the **Manage** hub, select **SQL pools**, and then select **New**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-new-sql-pool.png" alt-text="Screenshot that shows how to create a new SQL dedicated pool from Synapse Studio.":::

+1. You need to create a schema if your expected schema isn't available in the target Azure Synapse SQL database. If your schema is *database owner* (dbo), you can skip this step.

+1. On the left pane of the Azure portal, select **Integrate**.

+1. On the **Integrate** pane, select the plus sign (**+**), and then select **Link connection (Preview)**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-new-link-connection.png" alt-text="Screenshot that shows how to select a new link connection from Synapse Studio.":::

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-new-linked-service-dropdown.png" alt-text="Screenshot that shows how to select a new linked service.":::

+1. Enter the information for your source Azure SQL database.

+ * Select the subscription, server, and database corresponding to your Azure SQL database.

+ * Do either of the following:

+ * To connect your Azure Synapse workspace to the source database by using the workspace's managed identity, set **Authentication type** to **Managed Identity**.

+ * To use SQL authentication instead, if you know the username and password to use, select **SQL Authentication**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-new-linked-service.png" alt-text="Screenshot that shows how to enter the server and database details to create a new linked service.":::

+1. Select **Test connection** to ensure that the firewall rules are properly configured and the workspace can successfully connect to the source Azure SQL database.

+ > The linked service that you create here isn't dedicated to Azure Synapse Link for SQL. It can be used by any workspace user who has the appropriate permissions. Take time to understand the scope of users who might have access to this linked service and its credentials. For more information about permissions in Azure Synapse workspaces, see [Azure Synapse workspace access control overview - Azure Synapse Analytics](../security/synapse-workspace-access-control-overview.md).

+1. Select one or more source tables to replicate to your Azure Synapse workspace, and then select **Continue**.

+ > A specified source table can be enabled in only one link connection at a time.

+1. Select a target Azure Synapse SQL database and pool.

+ > We recommend starting low and increasing the number of cores as needed.

+1. With the new Azure Synapse Link connection open, you can update the target table name, distribution type, and structure type.

+ > * Consider using *heap table* for the structure type when your data contains varchar(max), nvarchar(max), and varbinary(max).

+ > * Make sure that the schema in your Azure Synapse SQL dedicated pool has already been created before you start the link connection. Azure Synapse Link for SQL will create tables automatically under your schema in the Azure Synapse SQL dedicated pool.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-edit-link.png" alt-text="Screenshot that shows where to edit the Azure Synapse Link connection from Synapse Studio.":::

+Select **Start**, and then wait a few minutes for the data to be replicated.

+ > A link connection will start from a full initial load from your source database, followed by incremental change feeds via the change feed feature in Azure SQL Database. For more information, see [Azure Synapse Link for SQL change feed](/sql/sql-server/synapse-link/synapse-link-sql-server-change-feed).

+You can monitor the status of your Azure Synapse Link connection, see which tables are being initially copied over (*snapshotting*), and see which tables are in continuous replication mode (*replicating*).

+1. Go to the **Monitor** hub, and then select **Link connections**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-link-connections.png" alt-text="Screenshot that shows how to monitor the status of the Azure Synapse Link connection from the monitor hub.":::

+1. Open the Azure Synapse Link connection that you started, and view the status of each table.

+## Query the replicated data

+Wait for a few minutes, and then check to ensure that the target database has the expected table and data. You can also now explore the replicated tables in your target Azure Synapse SQL dedicated pool.

+1. In the **Data** hub, under **Workspace**, open your target database.

+1. Under **Tables**, right-click one of your target tables.

+1. Select **New SQL script**, and then select **Top 100 rows**.

+1. Run this query to view the replicated data in your target Azure Synapse SQL dedicated pool.

+1. You can also query the target database by using SSMS or other tools. Use the SQL dedicated endpoint for your workspace as the server name. This name is usually `<workspacename>.sql.azuresynapse.net`. Add `Database=databasename@poolname` as an extra connection string parameter when you're connecting via SSMS or other tools.

+## Add or remove a table in an existing Azure Synapse Link connection

+To add or remove tables in Synapse Studio, do the following:

+1. Open the **Integrate** hub.

+1. Select the link connection that you want to edit, and then open it.

+1. Do either of the following:

+ * To add a table, select **New table**.

+ * To remove a table, select the trash can icon next to it.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/link-connection-add-remove-tables.png" alt-text="Screenshot of the link connection pane for adding or removing tables.":::

+To stop the Azure Synapse Link connection in Synapse Studio, do the following:

+1. In your Azure Synapse workspace, open the **Integrate** hub.

+1. Select the link connection that you want to edit, and then open it.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/stop-link-connection.png" alt-text="Screenshot of the pane for stopping a link connection.":::

+ > If you restart a link connection after stopping it, it will start from a full initial load from your source database, and incremental change feeds will follow.

+If you're using a database other than an Azure SQL database, see:

+* [Get or set a managed identity for an Azure SQL Database logical server or managed instance](/sql/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity.md#get-or-set-a-managed-identity-for-a-logical-server-or-managed-instance)

+ Title: Configure Azure Synapse Link for SQL Server 2022 with network security (preview)

+description: Learn how to configure Azure Synapse Link for SQL Server 2022 with network security (preview).

+# Configure Azure Synapse Link for SQL Server 2022 with network security (preview)

+This article is a guide for configuring Azure Synapse Link for SQL Server 2022 with network security. Before you begin this process, you should know how to create and start Azure Synapse Link for SQL Server 2022. For information, see [Get started with Azure Synapse Link for SQL Server 2022](connect-synapse-link-sql-server-2022.md).

+> Azure Synapse Link for SQL is currently in preview.

+## Create a managed workspace virtual network without data exfiltration

+In this section, you create an Azure Synapse workspace with a managed virtual network enabled. You'll enable **managed virtual network**, and then select **No** to allow outbound traffic from the workspace to any target. For an overview, see [Azure Synapse Analytics managed virtual network](../security/synapse-workspace-managed-vnet.md).

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-synapse-workspace-allow-outbound-traffic.png" alt-text="Screenshot that shows how to create an Azure Synapse workspace that allows outbound traffic.":::

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to your Azure Synapse workspace, select **Networking**, and then select the **Allow Azure Synapse Link for Azure SQL Database to bypass firewall rules** checkbox.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/enable-bypass-firewall-rules.png" alt-text="Screenshot that shows how to enable bypassing firewall rules.":::

+1. Open Synapse Studio, go to **Manage**, select **Integration runtimes**, and then select **AutoResolvingIntegrationRuntime**.

+1. In the pop-up window, select the **Virtual network** tab, and then enable **Interactive authoring**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/enable-interactive-authoring.png" alt-text="Screenshot that shows how to enable interactive authoring.":::

+1. On the **Integrate** pane, create a link connection to replicate data from your SQL Server 2022 instance to the Azure Synapse SQL pool.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-link.png" alt-text="Screenshot that shows how to create a link to an Azure Synapse SQL pool.":::

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-link-sql-server.png" alt-text="Screenshot that shows how to create a link connection from an Azure SQL Server 2022 instance.":::

+1. Start your link connection.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/start-link.png" alt-text="Screenshot of starting a link connection.":::

+## Create a managed workspace virtual network with data exfiltration

+In this section, you create an Azure Synapse workspace with managed virtual network enabled. You'll enable **managed virtual network** and select **Yes** to limit outbound traffic from the managed workspace virtual network to targets through managed private endpoints. For an overview, see [Azure Synapse Analytics managed virtual network](../security/synapse-workspace-managed-vnet.md).

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-synapse-workspace-disallow-outbound-traffic.png" alt-text="Screenshot that shows how to create an Azure Synapse workspace that disallows outbound traffic.":::

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to your Azure Synapse workspace, select **Networking**, and then select the **Allow Azure Synapse Link for Azure SQL Database to bypass firewall rules** checkbox.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/enable-bypass-firewall-rules.png" alt-text="Screenshot that shows how to enable bypassing firewall rules.":::

+1. Open Synapse Studio, go to **Manage**, select **Integration runtimes**, and then select **AutoResolvingIntegrationRuntime**.

+1. In the pop-up window, select the **Virtual network** tab, and then enable **Interactive authoring**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/enable-interactive-authoring.png" alt-text="Screenshot that shows how to enable interactive authoring.":::

+1. Create a linked service that connects to your SQL Server 2022 instance.

+ To learn how, see the "Create a linked service for your source SQL Server 2022 database" section of [Get started with Azure Synapse Link for SQL Server 2022 (preview)](connect-synapse-link-sql-server-2022.md#create-a-linked-service-for-your-source-sql-server-2022-database).

+1. Add a role assignment to ensure that you've granted your Azure Synapse workspace managed identity permissions to your Azure Data Lake Storage Gen2 storage account that's used as the landing zone.

+ To learn how, see the "Create a linked service to connect to your landing zone on Azure Data Lake Storage Gen2" section of [Get started with Azure Synapse Link for SQL Server 2022 (preview)](connect-synapse-link-sql-server-2022.md#create-a-linked-service-to-connect-to-your-landing-zone-on-azure-data-lake-storage-gen2).

+1. Create a linked service that connects to your Azure Data Lake Storage Gen2 storage (landing zone) with managed private endpoint enabled.

+ a. Create a managed private endpoint in the linked service for Azure Data Lake Storage Gen2 storage.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/new-sql-server-linked-service-pe1.png" alt-text="Screenshot of a new Azure SQL Server 2022 database linked service private endpoint 1.":::

+ b. Complete the managed private endpoint creation in the linked service for Azure Data Lake Storage Gen2 storage.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/new-sql-server-linked-service-pe2.png" alt-text="Screenshot of a new Azure SQL Server 2022 database linked service private endpoint 2.":::

+ c. Go to the Azure portal for your Azure Data Lake Storage Gen2 storage as a landing zone, and then approve the private endpoint connections.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/new-sql-server-linked-service-pe3.png" alt-text="Screenshot of a new Azure SQL Server 2022 database linked service private endpoint 3.":::

+ d. Complete the creation of the linked service for Azure Data Lake Storage Gen2 storage.

+1. Now you can create a link connection from the **Integrate** pane to replicate data from your SQL Server 2022 instance to an Azure Synapse SQL pool.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-link.png" alt-text="Screenshot that shows how to create a link.":::

+ :::image type="content" source="../media/connect-synapse-link-sql-database/create-link-sql-server.png" alt-text="Screenshot that shows how to create a link from the SQL Server 2022 instance.":::

+1. Start your link connection.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/start-link.png" alt-text="Screenshot that shows how to start the link connection.":::

+If you're using a database other than a SQL Server 2022 instance, see:

+ Title: Create Azure Synapse Link for SQL Server 2022 (preview)

+description: Learn how to create and connect a SQL Server 2022 instance to an Azure Synapse workspace by using Azure Synapse Link (preview).

+# Get started with Azure Synapse Link for SQL Server 2022 (preview)

+This article is a step-by-step guide for getting started with Azure Synapse Link for SQL Server 2022. For an overview, see [Azure Synapse Link for SQL Server 2022](sql-server-2022-synapse-link.md).

+> Azure Synapse Link for SQL is currently in preview.

+* Before you begin, see [Create a new Azure Synapse workspace](https://portal.azure.com/#create/Microsoft.Synapse) to get Azure Synapse Link for SQL. The current tutorial is to create Azure Synapse Link for SQL in a public network. This article assumes that you selected **Disable Managed virtual network** and **Allow connections from all IP addresses** when you created an Azure Synapse workspace. If you want to configure Azure Synapse Link for SQL Server 2022 with network security, also see [Configure Azure Synapse Link for SQL Server 2022 with network security (preview)](connect-synapse-link-sql-server-2022-vnet.md).

+* Create an Azure Data Lake Storage Gen2 account, which is different from the account you create with the Azure Synapse Analytics workspace. You'll use this account as the landing zone to stage the data submitted by SQL Server 2022. For more information, see [Create an Azure Data Lake Storage Gen2 account](../../storage/blobs/create-data-lake-storage-account.md).

+* Make sure that your SQL Server 2022 database has a master key created.

+## Create your target Azure Synapse SQL dedicated pool

+1. Open [Synapse Studio](https://ms.web.azuresynapse.net/).

+1. Open the **Manage** hub, go to **SQL pools**, and then select **New**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-new-sql-pool.png" alt-text="Screenshot that shows how to create a new Azure Synapse SQL dedicated pool from Synapse Studio.":::

+1. From the **Data** hub, under **Workspace**, your new Azure Synapse SQL database should be listed under **Databases**. From your new Azure Synapse SQL database, select **New SQL script**, and then select **Empty script**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/studio-new-empty-sql-script.png" alt-text="Screenshot that shows how to create a new empty SQL script from Synapse Studio.":::

+1. To create the master key for your target Azure Synapse SQL database, paste the following script, and then select **Run**.

+## Create a linked service for your source SQL Server 2022 database

+1. Select the **Manage** hub button, and then select **Linked services**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/studio-linked-service-navigation.png" alt-text="Go to linked services from Synapse Studio.":::

+1. Press **New**, select **SQL Server** and select **Continue**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/studio-linked-service-select.png" alt-text="Screenshot that shows how to create a SQL server linked service.":::

+1. In the **Name** box, enter the name of the linked service of SQL Server 2022.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/studio-linked-service-new.png" alt-text="Screenshot that shows where to enter the server and database names to connect.":::

+1. When you're choosing the integration runtime, select your self-hosted integration runtime. If your Azure Synapse workspace doesn't have an available self-hosted integration runtime, create one.

+1. (Optional) To create a self-hosted integration runtime to connect to your source SQL Server 2022, do the following:

+ a. Select **New**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/create-new-integration-runtime.png" alt-text="Screenshot that shows how to create a new self-hosted integration runtime.":::

+ b. Select **Self-hosted**, and then select **Continue**.

+ c. In the **Name** box, enter the name of the self-hosted integration runtime, and then select **Create**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/input-name-integration-runtime.png" alt-text="Screenshot that shows where to enter a name for the self-hosted integration runtime.":::

+ A self-hosted integration runtime is now available in your Azure Synapse workspace.

+

+ d. Follow the prompts to download, install, and use the key to register your integration runtime agent on your Windows machine, which has direct access to your SQL Server 2022 instance. For more information, see [Create a self-hosted integration runtime - Azure Data Factory and Azure Synapse](../../data-factory/create-self-hosted-integration-runtime.md?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext&tabs=synapse-analytics#install-and-register-a-self-hosted-ir-from-microsoft-download-center).

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/set-up-integration-runtime.png" alt-text="Screenshot that shows where to download, install, and register the integration runtime.":::

+ e. Select **Close**.

+ f. Go to the monitoring page, and then ensure that your self-hosted integration runtime is running by selecting **Refresh** to get the latest status of integration runtime.

+1. Continue to enter the remaining information for your linked service, including **SQL Server name**, **Database name**, **Authentication type**, **User name**, and **Password** to connect to your SQL Server 2022 instance.

+ > We recommend that you enable encryption on this connection. To do so, add the `Encrypt` property with a value of `true` as an additional connection property. Also set the `Trust Server Certificate` property to either `true` or `false`, depending on your server configuration. For more information, see [Enable encrypted connections to the database engine](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine).

+1. Select **Test Connection** to ensure that your self-hosted integration runtime can access your SQL Server instance.

+1. Select **Create**.

+ Your new linked service will be connected to the SQL Server 2022 instance that's available in your workspace.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/view-linked-service-connection.png" alt-text="Screenshot that shows where to view the linked service connection.":::

+ > The linked service that you create here isn't dedicated to Azure Synapse Link for SQL. It can be used by any workspace user who has the appropriate permissions. Take time to understand the scope of users who might have access to this linked service and its credentials. For more information about permissions in Azure Synapse workspaces, see [Azure Synapse workspace access control overview - Azure Synapse Analytics](../security/synapse-workspace-access-control-overview.md).

+## Create a linked service to connect to your landing zone on Azure Data Lake Storage Gen2

+1. Go to your newly created Azure Data Lake Storage Gen2 account, select **Access Control (IAM)**, select **Add**, and then select **Add role assignment**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/adls-gen2-access-control.png" alt-text="Screenshot of the 'Access Control (IAM)' pane of the Data Lake Storage Gen2 account.":::

+1. Select **Storage Blob Data Contributor** for the chosen role, select **Managed identity** and then, under **Members**, select your Azure Synapse workspace. Adding this role assignment might take a few minutes.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/adls-gen2-assign-blob-data-contributor-role.png" alt-text="Screenshot that shows how to add a role assignment.":::

+ > Make sure that you've granted your Azure Synapse workspace managed identity permissions to the Azure Data Lake Storage Gen2 storage account that's used as the landing zone. For more information, see [Grant permissions to a managed identity in an Azure Synapse workspace - Azure Synapse Analytics](../security/how-to-grant-workspace-managed-identity-permissions.md#grant-the-managed-identity-permissions-to-adls-gen2-storage-account).

+1. Open the **Manage** hub in your Azure Synapse workspace, and go to **Linked services**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/studio-linked-service-navigation.png" alt-text="Screenshot that shows how to go to the linked service.":::

+1. Select **New**, and then select **Azure Data Lake Storage Gen2**.

+1. Do the following:

+ a. In the **Name** box, enter the name of the linked service for your landing zone.

+ b. For **Authentication method**, enter **Managed Identity**.

+ c. Select the **Storage account name**, which has already been created.

+1. Select **Test Connection** to ensure that you can access your Azure Data Lake Storage Gen2 account.

+1. Select **Create**.

+ Your new linked service will be connected to the Azure Data Lake Storage Gen2 account.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/storage-gen2-linked-service-created.png" alt-text="Screenshot that shows the new linked service to Azure Data Lake Storage Gen2.":::

+ > The linked service that you create here isn't dedicated to Azure Synapse Link for SQL. It can be used by any workspace user who has the appropriate permissions. Take time to understand the scope of users who might have access to this linked service and its credentials. For more information about permissions in Azure Synapse workspaces, see [Azure Synapse workspace access control overview - Azure Synapse Analytics](../security/synapse-workspace-access-control-overview.md).

+1. From Synapse Studio, open the **Integrate** hub.

+1. On the **Integrate** pane, select the plus sign (**+**), and then select **Link connection (Preview)**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/new-link-connection.png" alt-text="Screenshot that shows the 'Link connection (Preview)' button.":::

+1. Enter your source database:

+ a. For **Source type**, select **SQL Server**.

+ b, For your source **Linked service**, select the service that connects to your SQL Server 2022 instance.

+ c. For **Table names**, select names from your SQL Server instance to be replicated to your Azure Synapse SQL pool.

+ d. Select **Continue**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/input-source-database-details-link-connection.png" alt-text="Screenshot that shows where to enter source database details.":::

+1. From **Synapse SQL Dedicated Pools**, select a target database name.

+1. Enter your link connection settings:

+ a. For **Link connection name**, enter the name.

+ b. For **Core count** for the [link connection compute](sql-server-2022-synapse-link.md#link-connection), enter the number of cores. These cores will be used for the movement of data from the source to the target. We recommend that you start with a small number and increase the count as needed.

+ c. For **Linked service**, select the service that will connect to your landing zone.

+ d. Enter your Azure Data Lake Storage Gen2 **container name or container/folder name** as a landing zone folder path for staging the data. The container must be created first.

+ e. Enter your Azure Data Lake Storage Gen2 shared access signature token. The token is required for the SQL change feed to access the landing zone. If your Azure Data Lake Storage Gen2 account doesn't have a shared access signature token, you can create one by selecting **Generate token**.

+ f. Select **OK**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/link-connection-compute-settings.png" alt-text="Screenshot that shows where to enter the link connection settings.":::

+1. With the new Azure Synapse Link connection open, you can now update the target table name, distribution type, and structure type.

+ > * Consider using *heap table* for the structure type when your data contains varchar(max), nvarchar(max), and varbinary(max).

+ > * Make sure that the schema in your Azure Synapse SQL dedicated pool has already been created before you start the link connection. Azure Synapse Link for SQL will create tables automatically under your schema in the Azure Synapse SQL pool.

+Select **Start**, and then wait a few minutes for the data to be replicated.

+> [!NOTE]

+> A link connection will start from a full initial load from your source database, followed by incremental change feeds via the change feed feature in SQL Server 2022. For more information, see [Azure Synapse Link for SQL change feed](/sql/sql-server/synapse-link/synapse-link-sql-server-change-feed).

+You can monitor the status of your Azure Synapse Link connection, see which tables are being initially copied over (*snapshotting*), and see which tables are in continuous replication mode (*replicating*).

+1. Go to the **Monitor hub** of your Azure Synapse workspace, and then select **Link connections**.

+1. Open the link connection you started, and view the status of each table.

+## Query the replicated data

+Wait for a few minutes, and then check to ensure that the target database has the expected table and data. See the data available in your Azure Synapse SQL dedicated pool destination store. You can also now explore the replicated tables in your target Azure Synapse SQL dedicated pool.

+1. In the **Data** hub, under **Workspace**, open your target database.

+1. Under **Tables**, right-click one of your target tables.

+1. Select **New SQL script**, and then select **Top 100 rows**.

+1. Run this query to view the replicated data in your target Azure Synapse SQL dedicated pool.

+1. You can also query the target database by using Microsoft SQL Server Management Studio (SSMS) or other tools. Use the SQL dedicated endpoint for your workspace as the server name. This name is usually `<workspacename>.sql.azuresynapse.net`. Add `Database=databasename@poolname` as an extra connection string parameter when connecting via SSMS or other tools.

+## Add or remove a table in an existing Azure Synapse Link connection

+To add or remove tables in Synapse Studio, do the following:

+1. In your Azure Synapse workspace, open the **Integrate** hub.

+1. Select the link connection that you want to edit, and then open it.

+1. Do either of the following:

+ * To add a table, select **New table**.

+ * To remove a table, select the trash can icon next to it.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/link-connection-add-remove-tables.png" alt-text="Screenshot of the link connection pane for adding or removing tables.":::

+To stop the Azure Synapse Link connection in Synapse Studio, do the following:

+1. In your Azure Synapse workspace, open the **Integrate** hub.

+1. Select the link connection that you want to edit, and then open it.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/stop-link-connection.png" alt-text="Screenshot of the pane for stopping a link connection.":::

+ > If you restart a link connection after stopping it, it will start from a full initial load from your source database and incremental change feeds will follow.

+## Rotate the shared access signature token for the landing zone

+A shared access signature token is required for the SQL change feed to get access to the landing zone and push data there. It has an expiration date, so you need to rotate the token before that date. Otherwise, Azure Synapse Link will fail to replicate the data from the SQL Server instance to the Azure Synapse SQL dedicated pool.

+1. In your Azure Synapse workspace, open the **Integrate** hub.

+1. Select the link connection that you want to edit, and then open it.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/link-connection-locate-rotate-token.png" alt-text="Screenshot that shows where to rotate a shared access signature token.":::

+1. To get the new shared access signature token, select **Generate automatically** or **Input manually**, and then select **OK**.

+ :::image type="content" source="../media/connect-synapse-link-sql-server-2022/landing-zone-rotate-sas-token.png" alt-text="Screenshot that shows how to get a new shared access signature token.":::

+If you're using a database other than SQL Server 2022, see:

+Azure Virtual Desktop supports in-session passwordless authentication (preview) using [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) or security devices like FIDO keys when using the [Windows Desktop client](users/connect-windows.md). Passwordless authentication is enabled automatically when the session host and local PC are using the following operating systems:

+ Title: Compare the features of the Remote Desktop clients for Azure Virtual Desktop - Azure Virtual Desktop

+description: Compare the features of the Remote Desktop clients when connecting to Azure Virtual Desktop.

+# Compare the features of the Remote Desktop clients when connecting to Azure Virtual Desktop

+There are some differences between the features of each of the Remote Desktop clients when connecting to Azure Virtual Desktop. Below you can find information about what these differences are.

+> [!TIP]

+> Some clients and features differ when using Azure Virtual Desktop to using Remote Desktop Services. If you want to see the clients and features for Remote Desktop Services, see [Compare the clients: features](/windows-server/remote/remote-desktop-services/clients/remote-desktop-features) and [Compare the clients: redirections](/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare).

+## Features comparison

+The following table compares the features of each Remote Desktop client when connecting to Azure Virtual Desktop.

+| Feature | Windows Desktop | Microsoft Store | Android or Chrome OS | iOS or iPadOS | macOS | Web | Description |

+|--|--|--|--|--|--|--|--|

+| Remote Desktop sessions | X | X | X | X | X | X | Desktop of a remote computer presented in a full screen or windowed mode. |

+| Integrated RemoteApp sessions | X | | | | X | | Individual remote apps integrated into the local desktop as if they are running locally. |

+| Immersive RemoteApp sessions | | X | X | X | | X | Individual remote apps presented in a window or maximized to a full screen. |

+| Multiple monitors | 16 monitor limit | | | | 16 monitor limit | | Lets the user run Remote Desktop or remote apps on all local monitors.<br /><br />Each monitor can have a maximum resolution of 8K, with the total resolution limited to 32K. These limits depend on factors such as session host specification and network connectivity. |

+| Dynamic resolution | X | X | | | X | X | Resolution and orientation of local monitors is dynamically reflected in the remote session. If the client is running in windowed mode, the remote desktop is resized dynamically to the size of the client window. |

+| Smart sizing | X | X | | | X | | Remote Desktop in Windowed mode is dynamically scaled to the window's size. |

+| Localization | X | X | English only | X | | X | Client user interface is available in multiple languages. |

+| Multi-factor authentication | X | X | X | X | X | X | Supports multi-factor authentication for remote connections. |

+| Teams optimization for Azure Virtual Desktop | X | | | | X | | Media optimizations for Microsoft Teams to provide high quality calls and screen sharing experiences. Learn more at [Use Microsoft Teams on Azure Virtual Desktop](/azure/virtual-desktop/teams-on-avd). |

+## Redirections comparison

+The following tables compare support for device and other redirections across the different Remote Desktop clients when connecting to Azure Virtual Desktop. Organizations can configure redirections centrally through Azure Virtual Desktop RDP properties or Group Policy.

+> [!IMPORTANT]

+> You can only enable redirections with binary settings that apply to both to and from the remote machine. One-way blocking of redirections from only one side of the connection is not supported.

+### Input redirection

+| Input | Windows Desktop | Microsoft Store client | Android or Chrome OS | iOS or iPadOS | macOS | Web client |

+|--|--|--|--|--|--|--|

+| Keyboard | X | X | X | X | X | X |

+| Mouse | X | X | X | X | X | X |

+| Touch | X | X | X | X | | X |

+| Pen | X | | X (as touch) | X (as touch) | | |

+### Port redirection

+| Redirection | Windows Desktop | Microsoft Store client | Android or Chrome OS | iOS or iPadOS | macOS | Web client |

+|--|--|--|--|--|--|--|

+| Serial port | X | | | | | |

+| USB | X | | | | | |

+When you enable USB port redirection, all USB devices attached to USB ports are automatically recognized in the remote session. For devices to work as expected, you must make sure to install their required drivers on both the local device and session host. You will need to make sure the drivers are certified to run in remote scenarios. If you need more information about using your USB device in remote scenarios, talk to the device manufacturer.

+### Other redirection (devices, etc.)

+| Redirection | Windows Desktop | Microsoft Store client | Android or Chrome OS | iOS or iPadOS | macOS | Web client |

+|--|--|--|--|--|--|--|

+| Cameras | X | | | X | X | |

+| Clipboard | X | X | Text | Text, images | X | Text |

+| Local drive/storage | X | | X | X | X | X\* |

+| Location | X | | | | | |

+| Microphones | X | X | X | X | X | X |

+| Printers | X | | | | X\*\* (CUPS only) | PDF print |

+| Scanners | X | | | | | |

+| Smart cards | X | | | | X (Windows sign-in not supported) | |

+| Speakers | X | X | X | X | X | X |

+| Third-party virtual channel plugins | X | | | | | |

+| WebAuthn | X | | | | | |

+\* Limited to uploading and downloading files through the Remote Desktop Web client.

+\*\* For printer redirection, the macOS app supports the Publisher Imagesetter printer driver by default. The app doesn't support the native printer drivers.

+* [Windows Desktop client](./users/connect-windows.md)

+* [Web client](./users/connect-web.md)

+* [Connect with the Windows Desktop client](./users/connect-windows.md)

+* [Connect with the web client](./users/connect-web.md)

+- [Connect with the Windows Desktop client](./users/connect-windows.md)

+- [Connect with the web client](./users/connect-web.md)

+- [Connect with the Android client](./users/connect-android-chrome-os.md)

+- [Connect with the iOS client](./users/connect-ios-ipados.md)

+- [Connect with the macOS client](./users/connect-macos.md)

+- A client device running the [Remote Desktop client for Windows](users/connect-windows.md), version 1.2.3488 or later. Currently, non-Windows clients aren't supported.

+- A client device running the [Remote Desktop client for Windows](users/connect-windows.md), version 1.2.3488 or later. Currently, non-Windows clients aren't supported.

+- A client device running the [Remote Desktop client for Windows](users/connect-windows.md), version 1.2.3488 or later. Currently, non-Windows clients aren't supported.

+You can use the [Windows Desktop client](users/connect-windows.md) on local PCs running Windows 10 or later. There's no requirement for the local PC to be joined to a domain or Azure AD. You can also have a single sign-on experience when using the [web client](users/connect-web.md).

+- If you're accessing Azure Virtual Desktop from our Windows Desktop client, see [Connect with the Windows Desktop client](./users/connect-windows.md).

+- If you're accessing Azure Virtual Desktop from our web client, see [Connect with the web client](./users/connect-web.md).

+ * [Connect with Windows](./users/connect-windows.md)

+ * [Connect with the web client](./users/connect-web.md)

+ * [Connect with the Android client](./users/connect-android-chrome-os.md)

+ * [Connect with the iOS client](./users/connect-ios-ipados.md)

+ * [Connect with the macOS client](./users/connect-macos.md)

+- [Connect with the Windows Desktop client](./users/connect-windows.md)

+- [Connect with the web client](./users/connect-web.md)

+- [Connect with the Android client](./users/connect-android-chrome-os.md)

+- [Connect with the macOS client](./users/connect-macos.md)

+- [Connect with the iOS client](./users/connect-ios-ipados.md)

+The default configuration supports connections from Windows 11 or Windows 10 using the [Windows Desktop client](users/connect-windows.md). You can use your credentials, smart card, [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) or [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:

+- [Connect with the Windows Desktop client](users/connect-windows.md)

+- [Connect with the web client](users/connect-web.md)

+## Recommended disaster recovery methods

+To publish resources to users, you must assign them to app groups. When assigning users to app groups, consider the following things:

+- We don't support assigning both the RemoteApp and desktop app groups in a single host pool to the same user. Doing so will cause a single user to have two user sessions in a single host pool. Users aren't supposed to have two active user sessions at the same time, as this can cause the following things to happen:

+ - The session hosts become overloaded

+ - Users get stuck when trying to login

+ - Connections won't work

+ - The screen turns black

+ - The application crashes

+ - Other negative effects on end-user experience and session performance

+- A user can be assigned to multiple app groups within the same host pool, and their feed will be an accumulation of both app groups.

+- Personal host pools only allow and support RemoteApp app groups.

+- [Connect with Windows](./users/connect-windows.md)

+- [Connect with a web browser](./users/connect-web.md)

+- [Connect with the Android client](./users/connect-android-chrome-os.md)

+- [Connect with the macOS client](./users/connect-macos.md)

+- [Connect with the iOS client](./users/connect-ios-ipados.md)

+- [Connect with the Windows Desktop client](./users/connect-windows.md)

+- [Connect with the web client](./users/connect-web.md)

+- [Connect with the Android client](./users/connect-android-chrome-os.md)

+- [Connect with the macOS client](./users/connect-macos.md)

+- [Connect with the iOS client](./users/connect-ios-ipados.md)

+Once the deployment has completed successfully, if you created a test account or assigned an existing user during deployment, you can connect to it following the steps for one of the supported Remote Desktop clients. For example, you can follow the steps to [Connect with the Windows Desktop client](users/connect-windows.md).

+- [Windows Desktop client](./users/connect-windows.md)

+- [Web client](./users/connect-web.md)

+- [macOS client](./users/connect-macos.md)

+- [iOS and iPadOS client](./users/connect-ios-ipados.md)

+- [Android and Chrome OS client](./users/connect-android-chrome-os.md)

+- [Microsoft Store client](./users/connect-microsoft-store.md)

+For more information about proxy support on Linux based thin clients, see [Thin client support](users/connect-thin-clients.md).

+ Title: Supported RDP properties with Azure Virtual Desktop - Azure Virtual Desktop

+description: Learn about the supported RDP properties you can use with Azure Virtual Desktop.

+# Supported RDP properties with Azure Virtual Desktop

+Organizations can configure RDP properties centrally in Azure Virtual Desktop to determine how a connection to Azure Virtual Desktop should behave. There are a wide range of RDP properties that can be be set, such as for device redirection, display settings, session behavior, and more.

+Supported RDP properties differ when using Azure Virtual Desktop compared to Remote Desktop Services. Use the following tables to understand each setting and whether it applies when connecting to Azure Virtual Desktop, Remote Desktop Services, or both.

+## Connection information

+| Display name | RDP setting | Azure Virtual Desktop | Remote Desktop Services | Description | Values | Default value |

+|--|--|:-:|:-:|--|--|:-:|

+| Azure AD authentication | enablerdsaadauth:i:*value* | Γ£ö | Γ£ö | Determines whether the client will use Azure AD to authenticate to the remote PC if it's available. | - 0: RDP won't use Azure AD authentication, even if the remote PC supports it.</br>- 1: RDP will use Azure AD authentication if the remote PC supports it. | 0 |

+| Credential Security Support Provider | enablecredsspsupport:i:*value* | Γ£ö | Γ£ö | Determines whether the client will use the Credential Security Support Provider (CredSSP) for authentication if it's available. | - 0: RDP won't use CredSSP, even if the operating system supports CredSSP.</br>- 1: RDP will use CredSSP if the operating system supports CredSSP. | 1 |

+| Alternate shell | alternate shell:s:*value* | Γ£ö | Γ£ö | Specifies a program to be started automatically in the remote session as the shell instead of explorer. | Valid path to an executable file, such as "C:\ProgramFiles\Office\word.exe". | None |

+| KDC proxy name | kdcproxyname:s:*value* | Γ£ö | Γ£ù | Specifies the fully qualified domain name of a KDC proxy. | Valid path to a KDC proxy server, such as `kdc.contoso.com`. | None |

+| Address | full address:s:value | Γ£ù | Γ£ö | This setting specifies the hostname or IP address of the remote computer that you want to connect to.</br></br>This is the only required setting in an RDP file. | A valid name, IPv4 address, or IPv6 address. | None |

+| Alternate address | alternate full address:s:value | Γ£ù | Γ£ö | Specifies an alternate name or IP address of the remote computer. | A valid name, IPv4 address, or IPv6 address. | None |

+| Username | username:s:value | Γ£ù | Γ£ö | Specifies the name of the user account that will be used to sign in to the remote computer. | Any valid username. | None |

+| Domain | domain:s:value | Γ£ù | Γ£ö | Specifies the name of the domain in which the user account that will be used to sign in to the remote computer is located. | A valid domain name, such as *CONTOSO*. | None |

+| RD Gateway hostname | gatewayhostname:s:value | Γ£ù | Γ£ö | Specifies the RD Gateway host name. | A valid name, IPv4 address, or IPv6 address. | None |

+| RD Gateway authentication | gatewaycredentialssource:i:value | Γ£ù | Γ£ö | Specifies the RD Gateway authentication method. | - 0: Ask for password (NTLM).</br>- 1: Use smart card.</br>- 2: Use the credentials for the currently signed in user.</br>- 3: Prompt the user for their credentials and use basic authentication.</br>- 4: Allow user to select later.</br>- 5: Use cookie-based authentication. | 0 |

+| Use RD Gateway | gatewayusagemethod:i:value | Γ£ù | Γ£ö | Specifies when to use an RD Gateway for the connection. | - 0: Don't use an RD Gateway.</br>- 1: Always use an RD Gateway.</br>- 2: Use an RD Gateway if a direct connection can't be made to the RD Session Host.</br>- 3: Use the default RD Gateway settings.</br>- 4: Don't use an RD Gateway, bypass gateway for local addresses.</br>Setting this property value to 0 or 4 are effectively equivalent, but setting this property to 4 enables the option to bypass local addresses. | 0 |

+| Save credentials | promptcredentialonce:i:value | Γ£ù | Γ£ö | Determines whether a user's credentials are saved and used for both the RD Gateway and the remote computer. | - 0: Remote session won't use the same credentials.</br>- 1: Remote session will use the same credentials. | 1 |

+| Server authentication | authentication level:i:value | Γ£ù | Γ£ö | Defines the server authentication level settings. | - 0: If server authentication fails, connect to the computer without warning (Connect and don't warn me).</br>- 1: If server authentication fails, don't establish a connection (Don't connect).</br>- 2: If server authentication fails, show a warning, and allow me to connect or refuse the connection (Warn me).</br>- 3: No authentication requirement specified. | 3 |

+| Connection sharing | disableconnectionsharing:i:value | Γ£ù | Γ£ö | Determines whether the client reconnects to any existing disconnected session or initiate a new connection when a new connection is launched. | - 0: Reconnect to any existing session.</br>- 1: Initiate new connection. | 0 |

+## Session behavior

+| Display name | RDP setting | Azure Virtual Desktop | Remote Desktop Services | Description | Values | Default value |

+|--|--|:-:|:-:|--|--|:-:|

+| Reconnection | autoreconnection enabled:i:*value* | Γ£ö | Γ£ö | Determines whether the client will automatically try to reconnect to the remote computer if the connection is dropped, such as when there's a network connectivity interruption. | - 0: Client doesn't automatically try to reconnect.</br>- 1: Client automatically tries to reconnect. | 1 |

+| Bandwidth auto detect | bandwidthautodetect:i:*value* | Γ£ö | Γ£ö | Determines whether or not to use automatic network bandwidth detection. Requires bandwidthautodetect to be set to 1. | - 0: Disable automatic network type detection.</br>- 1: Enable automatic network type detection. | 1 |

+| Network auto detect | networkautodetect:i:*value* | Γ£ö | Γ£ö | Determines whether automatic network type detection is enabled. | - 0: Don't use automatic network bandwidth detection.</br> - 1: Use automatic network bandwidth detection. | 1 |

+| Compression | compression:i:*value* | Γ£ö | Γ£ö | Determines whether bulk compression is enabled when it's transmitted by RDP to the local computer. | - 0: Disable RDP bulk compression.</br>- 1: Enable RDP bulk compression. | 1 |

+| Video playback | videoplaybackmode:i:*value* | Γ£ö | Γ£ö | Determines if the connection will use RDP-efficient multimedia streaming for video playback. | - 0: Don't use RDP efficient multimedia streaming for video playback.</br>- 1: Use RDP-efficient multimedia streaming for video playback when possible | 1 |

+## Device redirection

+> [!IMPORTANT]

+> You can only enable redirections with binary settings that apply to both to and from the remote machine. The service doesn't currently support one-way blocking of redirections from only one side of the connection.

+| Display name | RDP setting | Azure Virtual Desktop | Remote Desktop Services | Description | Values | Default value |

+|--|--|:-:|:-:|--|--|:-:|

+| Microphone redirection | audiocapturemode:i:*value* | Γ£ö | Γ£ö | Indicates whether audio input redirection is enabled. | - 0: Disable audio capture from the local device.</br>- 1: Enable audio capture from the local device and redirection to an audio application in the remote session. | 0 |

+| Redirect video encoding | encode redirected video capture:i:*value* | Γ£ö | Γ£ö | Enables or disables encoding of redirected video. | - 0: Disable encoding of redirected video.</br>- 1: Enable encoding of redirected video. | 1 |

+| Encoded video quality | redirected video capture encoding quality:i:*value* | Γ£ö | Γ£ö | Controls the quality of encoded video. | - 0: High compression video. Quality may suffer when there's a lot of motion. </br>- 1: Medium compression.</br>- 2: Low compression video with high picture quality. | 0 |

+| Audio output location | audiomode:i:*value* | Γ£ö | Γ£ö | Determines whether the local or remote machine plays audio. | - 0: Play sounds on the local computer (Play on this computer).</br>- 1: Play sounds on the remote computer (Play on remote computer).</br>- 2: Don't play sounds (Do not play). | 0 |

+| Camera redirection | camerastoredirect:s:*value* | Γ£ö | Γ£ö | Configures which cameras to redirect. This setting uses a semicolon-delimited list of KSCATEGORY_VIDEO_CAMERA interfaces of cameras enabled for redirection. | - * : Redirect all cameras.</br> - List of cameras, such as `\\?\usb#vid_0bda&pid_58b0&mi`.</br>- You can exclude a specific camera by prepending the symbolic link string with "-". | Don't redirect any cameras |

+| Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) | devicestoredirect:s:*value* | Γ£ö | Γ£ö | Determines which devices on the local computer will be redirected and available in the remote session. | - *: Redirect all supported devices, including ones that are connected later.</br> - Valid hardware ID for one or more devices.</br> - DynamicDevices: Redirect all supported devices that are connected later. | Don't redirect any devices |

+| Drive/storage redirection | drivestoredirect:s:*value* | Γ£ö | Γ£ö | Determines which disk drives on the local computer will be redirected and available in the remote session. | - No value specified: don't redirect any drives.</br>- * : Redirect all disk drives, including drives that are connected later.</br>- DynamicDrives: redirect any drives that are connected later.</br>- The drive and labels for one or more drives, such as `drivestoredirect:s:C\:;E\:;`, redirect the specified drive(s). | Don't redirect any drives |

+| Windows key combinations | keyboardhook:i:*value* | Γ£ö | Γ£ö | Determines when Windows key combinations (Windows key, Alt+Tab) are applied to the remote session for desktop and RemoteApp connections. | - 0: Windows key combinations are applied on the local computer.</br>- 1: (Desktop only) Windows key combinations are applied on the remote computer when in focus.</br>- 2: (Desktop only) Windows key combinations are applied on the remote computer in full screen mode only.</br>- 3: (RemoteApp only) Windows key combinations are applied on the RemoteApp when in focus. We recommend you use this value only when publishing the Remote Desktop Connection app (*mstsc.exe*) from the host pool on Azure Virtual Desktop. This value is only supported when using the [Windows Desktop client](users/connect-windows.md). | 2 |

+| Clipboard redirection | redirectclipboard:i:*value* | Γ£ö | Γ£ö | Determines whether clipboard redirection is enabled. | - 0: Clipboard on local computer isn't available in remote session.</br>- 1: Clipboard on local computer is available in remote session. | 1 |

+| COM ports redirection | redirectcomports:i:*value* | Γ£ö | Γ£ö | Determines whether COM (serial) ports on the local computer will be redirected and available in the remote session. | - 0: COM ports on the local computer aren't available in the remote session.</br>- 1: COM ports on the local computer are available in the remote session. | 0 |

+| Location service redirection | redirectlocation:i:*value* | Γ£ö | Γ£ö | Determines whether the location of the local device will be redirected and available in the remote session. | - 0: The remote session uses the location of the remote computer or virtual machine.</br>- 1: The remote session uses the location of the local device. | 0 |

+| Printer redirection | redirectprinters:i:*value* | Γ£ö | Γ£ö | Determines whether printers configured on the local computer will be redirected and available in the remote session. | - 0: The printers on the local computer aren't available in the remote session.</br>- 1: The printers on the local computer are available in the remote session. | 1 |

+| Smart card redirection | redirectsmartcards:i:*value* | Γ£ö | Γ£ö | Determines whether smart card devices on the local computer will be redirected and available in the remote session. | - 0: The smart card device on the local computer isn't available in the remote session.</br>- 1: The smart card device on the local computer is available in the remote session. | 1 |

+| WebAuthn redirection | redirectwebauthn:i:*value* | Γ£ö | Γ£ö | Determines whether WebAuthn requests on the remote computer will be redirected to the local computer allowing the use of local authenticators (such as Windows Hello for Business, security key, and so on). | - 0: WebAuthn requests from the remote session aren't sent to the local computer for authentication and must be completed in the remote session.</br>- 1: WebAuthn requests from the remote session are sent to the local computer for authentication. | 1 |

+| USB device redirection | usbdevicestoredirect:s:*value* | Γ£ö | Γ£ö | Determines which supported RemoteFX USB devices on the client computer will be redirected and available in the remote session when you connect to a remote session that supports RemoteFX USB redirection. | - \*: Redirect all USB devices that aren't already redirected by another high-level redirection.</br> - {*Device Setup Class GUID*}: Redirect all devices that are members of the specified [device setup class](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors/).</br> - *USBInstanceID*: Redirect a specific USB device identified by the instance ID. | Don't redirect any USB devices |

+## Display settings

+| Display name | RDP setting | Azure Virtual Desktop | Remote Desktop Services | Description | Values | Default value |

+|--|--|:-:|:-:|--|--|:-:|

+| Muitiple displays | use multimon:i:*value* | Γ£ö | Γ£ö | Determines whether the remote session will use one or multiple displays from the local computer. | - 0: Don't enable multiple display support.</br>- 1: Enable multiple display support. | 0 |

+| Selected monitors | selectedmonitors:s:*value* | Γ£ö | Γ£ö | Specifies which local displays to use from the remote session. The selected displays must be contiguous. Requires use multimon to be set to 1.</br></br>Only available on the Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients. | Comma separated list of machine-specific display IDs. You can retrieve IDs by calling `mstsc.exe /l`. The first ID listed will be set as the primary display in the session. | All displays |

+| Maximize to current displays | maximizetocurrentdisplays:i:*value* | Γ£ö | Γ£ö | Determines which display the remote session goes full screen on when maximizing. Requires use multimon to be set to 1.</br></br>Only available on the Windows Desktop (MSRDC) client. | - 0: Session goes full screen on the displays initially selected when maximizing.</br>- 1: Session dynamically goes full screen on the displays touched by the session window when maximizing. | 0 |

+| Multi to single display switch | singlemoninwindowedmode:i:*value* | Γ£ö | Γ£ö | Determines whether a multi display remote session automatically switches to single display when exiting full screen. Requires use multimon to be set to 1.</br></br>Only available on the Windows Desktop (MSRDC) client. | - 0: Session retains all displays when exiting full screen.</br>- 1: Session switches to single display when exiting full screen. | 0 |

+| Screen mode | screen mode id:i:*value* | Γ£ö | Γ£ö | Determines whether the remote session window appears full screen when you launch the connection. | - 1: The remote session will appear in a window.</br>- 2: The remote session will appear full screen. | 2 |

+| Smart sizing | smart sizing:i:*value* | Γ£ö | Γ£ö | Determines whether or not the local computer scales the content of the remote session to fit the window size. | - 0: The local window content won't scale when resized.</br>- 1: The local window content will scale when resized. | 0 |

+| Dynamic resolution | dynamic resolution:i:*value* | Γ£ö | Γ£ö | Determines whether the resolution of the remote session is automatically updated when the local window is resized. | - 0: Session resolution remains static during the session.</br>- 1: Session resolution updates as the local window resizes. | 1 |

+| Desktop size | desktop size id:i:*value* | ✔ | ✔ | Specifies the dimensions of the remote session desktop from a set of predefined options. This setting is overridden if desktopheight and desktopwidth are specified. | - 0: 640×480</br>- 1: 800×600</br>- 2: 1024×768</br>- 3: 1280×1024</br>- 4: 1600×1200 | Match the local computer |

+| Desktop height | desktopheight:i:*value* | Γ£ö | Γ£ö | Specifies the resolution height (in pixels) of the remote session. | Numerical value between 200 and 8192. | Match the local computer |

+| Desktop width | desktopwidth:i:*value* | Γ£ö | Γ£ö | Specifies the resolution width (in pixels) of the remote session. | Numerical value between 200 and 8192. | Match the local computer |

+| Desktop scale factor | desktopscalefactor:i:*value* | Γ£ö | Γ£ö | Specifies the scale factor of the remote session to make the content appear larger. | Numerical value from the following list: 100, 125, 150, 175, 200, 250, 300, 400, 500. | Match the local computer |

+## RemoteApp

+| Display name | RDP setting | Azure Virtual Desktop | Remote Desktop Services | Description | Values | Default value |

+|--|--|:-:|:-:|--|--|:-:|

+| Command-line parameters | remoteapplicationcmdline:s:value | Γ£ù | Γ£ö | Optional command-line parameters for the RemoteApp. | Valid command-line parameters. | N/A |

+| Command-line variables | remoteapplicationexpandcmdline:i:value | Γ£ù | Γ£ö | Determines whether environment variables contained in the RemoteApp command-line parameter should be expanded locally or remotely. | - 0: Environment variables should be expanded to the values of the local computer.</br>- 1: Environment variables should be expanded to the values of the remote computer. | 1 |

+| Working directory variables | remoteapplicationexpandworkingdir:i:value | Γ£ù | Γ£ö | Determines whether environment variables contained in the RemoteApp working directory parameter should be expanded locally or remotely. | - 0: Environment variables should be expanded to the values of the local computer.</br> - 1: Environment variables should be expanded to the values of the remote computer.</br>The RemoteApp working directory is specified through the shell working directory parameter. | 1 |

+| Open file | remoteapplicationfile:s:value | Γ£ù | Γ£ö | Specifies a file to be opened on the remote computer by the RemoteApp.</br>For local files to be opened, you must also enable drive redirection for the source drive. | Valid file path. | N/A |

+| Icon file | remoteapplicationicon:s:value | Γ£ù | Γ£ö | Specifies the icon file to be displayed in the client UI while launching a RemoteApp. If no file name is specified, the client will use the standard Remote Desktop icon. Only ".ico" files are supported. | Valid file path. | N/A |

+| Application mode | remoteapplicationmode:i:value | Γ£ù | Γ£ö | Determines whether a connection is launched as a RemoteApp session. | - 0: Don't launch a RemoteApp session.</br>- 1: Launch a RemoteApp session. | 1 |

+| Application display name | remoteapplicationname:s:value | Γ£ù | Γ£ö | Specifies the name of the RemoteApp in the client interface while starting the RemoteApp. | App display name. For example, "Excel 2016". | N/A |

+| Alias/executable name | remoteapplicationprogram:s:value | Γ£ù | Γ£ö | Specifies the alias or executable name of the RemoteApp. | Valid alias or name. For example, "EXCEL". | N/A |

+Any [Remote Desktop clients](users/connect-windows.md?toc=/azure/virtual-desktop/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) you use to connect to Azure Virtual Desktop must have access to the following URLs. Select the relevant tab based on which cloud you're using. Opening these URLs is essential for a reliable client experience. Blocking access to these URLs is unsupported and will affect service functionality.

+> [Connect to the Remote Desktop client on Windows 7 and Windows 10](./users/connect-windows.md)

+ - The [Windows client](./users/connect-windows.md?toc=/azure/virtual-desktop/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) (version 1.2.2061 or later)

+ - The [Web client](./users/connect-web.md?toc=/azure/virtual-desktop/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json)

+ - The [macOS client](./users/connect-macos.md?toc=/azure/virtual-desktop/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) (version 10.6.4 or later)

+ - The [iOS and iPadOS client](./users/connect-ios-ipados.md?toc=/azure/virtual-desktop/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) (version 10.2.5 or later)

+ - The [Android and Chrome OS client](./users/connect-android-chrome-os.md?toc=/azure/virtual-desktop/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) (version 10.0.10 or later)

+ - The [Microsoft Store client](./users/connect-microsoft-store.md?toc=/azure/virtual-desktop/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) (version 10.2.2005.0 or later)

+ - Thin clients listed in [Thin client support](./users/connect-thin-clients.md?toc=/azure/virtual-desktop/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json)

+- Install the [Remote Desktop client](./users/connect-windows.md) on a Windows 10, Windows 10 IoT Enterprise, Windows 11, or macOS 10.14 or later device that meets the [hardware requirements for Microsoft Teams](/microsoftteams/hardware-requirements-for-the-teams-app#hardware-requirements-for-teams-on-a-windows-pc/).

+ Title: Use features of the Remote Desktop client for Android and Chrome OS - Azure Virtual Desktop

+description: Learn how to use features of the Remote Desktop client for Android and Chrome OS when connecting to Azure Virtual Desktop.

+# Use features of the Remote Desktop client for Android and Chrome OS when connecting to Azure Virtual Desktop

+Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's important to know how to use the features. This article shows you how to use the features available in the Remote Desktop client for Android and Chrome OS. If you want to learn how to connect to Azure Virtual Desktop, see [Connect to Azure Virtual Desktop with the Remote Desktop client for Android and Chrome OS](connect-android-chrome-os.md).

+You can find a list of all the Remote Desktop clients at [Remote Desktop clients overview](remote-desktop-clients-overview.md). For more information about the differences between the clients, see [Compare the Remote Desktop clients](../compare-remote-desktop-clients.md).

+> [!NOTE]

+> Your admin can choose to override some of these settings in Azure Virtual Desktop, such as being able to copy and paste between your local device and your remote session. If some of these settings are disabled, please contact your admin.

+## Edit, refresh, or delete a workspace

+To edit, refresh or delete a workspace:

+1. Open the **RD Client** app on your device, then tap **Workspaces**.

+1. Tap the three dots to the right-hand side of the name of a workspace where you'll see a menu with options for **Edit**, **Refresh**, and **Delete**.

+ - **Edit** allows you to specify a user account to use each time you connect to the workspace without having to enter the account each time. To learn more, see [Manage user accounts](#manage-user-accounts).

+ - **Refresh** makes sure you have the latest desktops and apps and their settings provided by your admin.

+ - **Delete** removes the workspace from the Remote Desktop client.

+## User accounts

+### Add user credentials to a workspace

+You can save a user account and associate it with workspaces to simplify the connection sequence, as the sign-in credentials will be used automatically.

+1. Open the **RD Client** app on your device, then tap **Workspaces**.

+1. Tap the three dots to the right-hand side of the name of a workspace, then select **Edit**.

+1. For **User account**, tap the drop-down menu, then select **Add User Account** to add a new account, or select an account you've previously added.

+1. If you selected **Add User Account**, enter a username and password, then tap **Save**.

+1. Tap **Save** again to return to Workspaces.

+### Manage user accounts

+You can save a user account and associate it with workspaces to simplify the connection sequence, as the sign-in credentials will be used automatically. You can also remove accounts you no longer want to use.

+To save a user account:

+1. Open the **RD Client** app on your device.

+1. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap **User Accounts**.

+1. Tap the plus icon (**+**).

+1. Enter a username and password, then tap **Save**. You can then add this account to a workspace by following the steps in [Add user credentials to a workspace](#add-user-credentials-to-a-workspace).

+1. Tap the back arrow (**<**) to return to Workspaces.

+To remove an account you no longer want to use:

+1. Open the **RD Client** app on your device.

+1. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap **User Accounts**.

+1. Tap and hold the account you want to remove.

+1. Tap delete (the bin icon). Confirm you want to delete the account.

+1. Tap the back arrow (**<**) to return to Workspaces.

+## Display preferences

+### Set orientation

+You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-adjust, where it will match the orientation of your device. Auto-adjust is supported when your remote session is running Windows 10 and Windows Server 2012 R2 or later. The window will maintain the same scaling and update the resolution to match the new orientation. This setting applies to all workspaces.

+To set the orientation:

+1. Open the **RD Client** app on your device.

+1. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap **Display**.

+1. For orientation, tap your preference from **Auto-adjust**, **Lock to landscape** or **Lock to portrait**.

+1. Tap the back arrow (**<**) to return to Workspaces.

+### Set display resolution

+You can choose the resolution for your remote session from a predefined list. This setting applies to all workspaces. You'll need to reconnect to remote sessions if you changed the resolution while connected.

+To set the resolution:

+1. Open the **RD Client** app on your device.

+1. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap **Display**.

+1. You can tap **Default**, **Match this device**, or tap **+ Customized** for a drop-down list of predefined resolutions. If you choose a customized resolution, you can also choose the scaling percentage.

+1. Tap the back arrow (**<**) to return to Workspaces.

+## DeX

+You can use *Samsung DeX* with a remote session, which enables you to extend your Android or Chromebook device's display to a larger monitor or TV.

+## Connection bar and session overview menu

+When you've connected to Azure Virtual Desktop, you'll see a bar at the top, which is called the **connection bar**. This gives you quick access to a zoom control, represented by a magnifying glass icon, and the ability to toggle between showing and hiding the on-screen keyboard. You can move the connection bar around the top edge of the display by tapping and dragging it to where you want it.

+The middle icon in the connection bar is of the Remote Desktop logo. If you tap this, it shows the *session overview* screen. The *session overview* screen enables you to:

+- Go to the *Connection Center* using the **Home** icon.

+- Switch inputs between touch and the mouse pointer (when not using a separate mouse).

+- Switch between active desktops and apps.

+- Disconnect all active sessions.

+You can return back to an active session from the Connection Center using the **Return Arrow** button found in the bottom right corner of the Connection Center.

+## Input methods

+The Remote Desktop client supports native touch gestures, keyboard, mouse, and trackpad.

+### Use touch gestures and mouse modes in a remote session

+You can use touch gestures to replicate mouse actions in your remote session. Two mouse modes are available:

+- **Direct touch**: where you tap on the screen is the equivalent to clicking a mouse in that position. The mouse pointer isn't shown on screen.

+- **Mouse pointer**: The mouse pointer is shown on screen. When you tap the screen and move your finger, the mouse pointer will move.

+If you use Windows 10 or later with Azure Virtual Desktop, native Windows touch gestures are supported in direct touch mode.

+The following table shows which mouse operations map to which gestures in specific mouse modes:

+| Mouse mode | Mouse operation | Gesture |

+|:--|:|:|

+| Direct touch | Left-click | Tap with one finger |

+| Direct touch | Right-click | Tap and hold with one finger |

+| Mouse pointer | Left-click | Tap with one finger |

+| Mouse pointer | Left-click and drag | Double-tap and hold with one finger, then drag |

+| Mouse pointer | Right-click | Tap with two fingers, or tap and hold with one finger |

+| Mouse pointer | Right-click drag | Double-tap and hold with two fingers, then drag

+| Mouse pointer | Mouse wheel | Tap and hold with two fingers, then drag up or down |

+| Mouse pointer | Zoom | With two fingers, pinch to zoom out and spread fingers apart to zoom in |

+#### Input Method Editor

+The Remote Desktop client supports Input Method Editor (IME) in a remote session for input sources. The local Android or Chrome OS IME experience will be accessible in the remote session.

+> [!IMPORTANT]

+> For an IME to work, the input mode needs to be in Unicode Mode. To learn more, see [Keyboard modes](#keyboard-modes).

+### Keyboard

+You can use some familiar keyboard shortcuts when using a keyboard with your Android or Chrome OS device and Azure Virtual Desktop, for example using <kbd>CTRL</kbd>+<kbd>C</kbd> for copy.

+Some Windows keyboard shortcuts are also used as shortcuts on Android and Chrome OS devices, for example using <kbd>ALT</kbd>+<kbd>TAB</kbd> to switch between open applications. By default, these shortcuts won't be passed through to a remote session. Depending on your Android or Chrome OS device, you may be able to disable certain shortcuts being used locally, where they'll then be passed through to a remote session.

+#### Keyboard modes

+There are two different modes you can use that control how keyboard input is interpreted in a remote session: *Scancode* and *Unicode*.

+With *Scancode*, user input is redirected by sending key press *up* and *down* information to the remote session. Each key is identified by its physical position on the keyboard and uses the keyboard layout of the remote session, not the keyboard of the local device. For example, scancode 31 is the key next to <kbd>Caps Lock</kbd>. On a US keyboard this key would produce the character "A", while on a French keyboard this key would produce the character "Q".

+With *Unicode*, user input is redirected by sending each character to the remote session. When a key is pressed, the locale of the user is used to translate this input to a character. This can be as simple as the character "a" by simply pressing the "a" key, but it can enable an Input Method Editor (IME), allowing you to input multiple keystrokes to create more complex characters, such as for Chinese and Japanese input sources. Below are some examples of when to use each mode.

+When to use *Scancode*:

+- Dealing with characters that aren't printable, such as <kbd>Arrow Up</kbd> or shortcut combinations.

+- Certain applications that don't accept Unicode input for characters such as: Hyper-V VMConnect (for example, no way to input a BitLocker password), VMware Remote Console, all applications written using the *Qt framework* (for example R Studio, TortoiseHg, QtCreator).

+- Applications that utilize scancode input for actions, such as <kbd>Space bar</kbd> to check/uncheck a checkbox, or individual keys as shortcuts, for example applications in browser.

+When to use *Unicode*:

+- To avoid a mismatch in expectations. A user who expects the keyboard to behave in a certain way can run into issues where there are differences for the same locale/region layout.

+- When the keyboard layout used on the client might not be available on the server.

+By default, the Remote Desktop client uses *Unicode*. To switch between keyboard modes:

+1. Open the **RD Client** app on your device.

+1. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap **General**.

+1. Toggle **Use scancode input when available** to **On** to use *scancode*, or **Off** to use *Unicode*.

+## Redirections

+You can allow the remote computer to the clipboard on your local device. When you connect to a remote session, you'll be prompted whether you want to allow access to local resources. The Remote Desktop client supports copying and pasting text only.

+To use the clipboard between your local device and your remote session:

+1. Open the **RD Client** app on your device.

+1. Tap one of the icons to launch a session to Azure Virtual Desktop.

+1. For the prompt **Make sure you trust the remote PC before you connect**, check the box for **Clipboard**, then select **Connect**.

+## General app settings

+To set other general settings of the Remote Desktop app to use with Azure Virtual Desktop:

+1. Open the **RD Client** app on your device.

+1. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap **General**.

+1. You can change the following settings:

+ | Setting | Value | Description |

+ |--|--|--|

+ | Show desktop previews | Toggle **On** or **Off** | Show thumbnails of remote sessions. |

+ | Use HTTP Proxy | Toggle **On** or **Off** | Use the HTTP proxy specified in Android or Chrome OS network settings. |

+ | Help improve Remote Desktop | Toggle **On** or **Off** | Send anonymous data to Microsoft. |

+ | Theme | Select from **Light**, **Dark**, or **System** | Set the appearance of the Remote Desktop client. |

+## Test the beta client

+If you want to help us test new builds before they're released, you should download our beta client. Organizations can use the beta client to validate new versions for their users before they're generally available.

+> [!NOTE]

+> The beta client shouldn't be used in production environments.

+You can download the beta client for Android and Chrome OS from the [Google Play Store](https://play.google.com/apps/testing/com.microsoft.rdc.androidx). You'll need to give consent to access preview versions and download the client. You'll receive preview versions directly through the Google Play Store.

+## Provide feedback

+If you want to provide feedback to us on the Remote Desktop client for Android and Chrome OS, you can do so in the app:

+1. Open the **RD Client** app on your device.

+1. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap **General**.

+1. Tap **Submit feedback**, which will open the feedback page in your browser.

+## Next steps

+If you're having trouble with the Remote Desktop client, see [Troubleshoot the Remote Desktop client](../troubleshoot-client.md).

+ Title: Use features of the Remote Desktop client for iOS and iPadOS - Azure Virtual Desktop

+description: Learn how to use features of the Remote Desktop client for iOS and iPadOS when connecting to Azure Virtual Desktop.

+# Use features of the Remote Desktop client for iOS and iPadOS when connecting to Azure Virtual Desktop

+Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's important to know how to use the features. This article shows you how to use the features available in the Remote Desktop client for iOS and iPadOS. If you want to learn how to connect to Azure Virtual Desktop, see [Connect to Azure Virtual Desktop with the Remote Desktop client for iOS and iPadOS](connect-ios-ipados.md).

+You can find a list of all the Remote Desktop clients at [Remote Desktop clients overview](remote-desktop-clients-overview.md). For more information about the differences between the clients, see [Compare the Remote Desktop clients](../compare-remote-desktop-clients.md).

+> [!NOTE]

+> Your admin can choose to override some of these settings in Azure Virtual Desktop, such as being able to copy and paste between your local device and your remote session. If some of these settings are disabled, please contact your admin.

+## Edit, refresh, or delete a workspace

+To edit, refresh or delete a workspace:

+1. Open the **RD Client** application on your device, then tap **Workspaces**.

+1. Tap and hold the name of a workspace and you'll see a menu with options for **Edit**, **Refresh**, and **Delete**. You can also pull down to refresh all workspaces.

+ - **Edit** allows you to specify a user account to use each time you connect to the workspace without having to enter the account each time. To learn more, see [Manage user accounts](#manage-user-accounts).

+ - **Refresh** makes sure you have the latest desktops and apps and their settings provided by your admin.

+ - **Delete** removes the workspace from the Remote Desktop client.

+## User accounts

+Learn how to add user credentials to a workspace and manage them.

+### Add user credentials to a workspace

+You can save a user account and associate it with workspaces to simplify the connection sequence, as the sign-in credentials will be used automatically.

+1. Open the **RD Client** application on your device, then tap **Workspaces**.

+1. Tap and hold the name of a workspace, then select **Edit**.

+1. Tap **User account**, then select **Add User Account** to add a new account, or select an account you've previously added.

+1. If you selected **Add User Account**, enter a username, password, and optionally a friendly name, then tap the back arrow (**<**).

+1. Tap the **X** mark to return to Workspaces.

+### Manage user accounts

+You can save a user account and associate it with workspaces to simplify the connection sequence, as the sign-in credentials will be used automatically. You can also remove accounts you no longer want to use.

+To save a user account:

+1. Open the **RD Client** application on your device.

+1. In the top left-hand corner, tap the menu icon (the circle with three dots inside), then tap **Settings**.

+1. Tap **User Accounts**, then tap **Add User Account**.

+1. Enter a username, password, and optionally a friendly name, then tap the back arrow (**<**). You can then add this account to a workspace by following the steps in [Add user credentials to a workspace](#add-user-credentials-to-a-workspace).

+1. Tap the back arrow (**<**), then tap the **X** mark.

+To remove an account you no longer want to use:

+1. Open the **RD Client** application on your device.

+1. In the top left-hand corner, tap the menu icon (the circle with three dots inside), then tap **Settings**.

+1. Tap **User Accounts**, then select the account you want to remove.

+1. Tap **Delete**. The account will be removed immediately.

+1. Tap the back arrow (**<**), then tap the **X** mark.

+## Display preferences

+Learn how to set display preferences, such as orientation and resolution.

+### Set orientation

+You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-adjust, where it will match the orientation of your device. Auto-adjust is supported when your remote session is running Windows 10 and Windows Server 2012 R2 or later. The window will maintain the same scaling and update the resolution to match the new orientation. This setting applies to all workspaces.

+To set the orientation:

+1. Open the **RD Client** application on your device.

+1. In the top left-hand corner, tap the menu icon (the circle with three dots inside), then tap **Settings**.

+1. Tap **Display**, then tap **Orientation**.

+1. Tap your preference from **Auto-adjust**, **Lock to Landscape** or **Lock to Portrait**.

+1. You can also set **Use Home Indicator Area**. Toggling this on will show graphics from the remote session in the area at the bottom of the screen occupied by the Home indicator. This setting only applies in landscape orientation.

+1. Tap the back arrow (**<**), then tap the **X** mark.

+### Set display resolution

+You can choose the resolution for your remote session from a predefined list. This setting applies to all workspaces.

+To set the resolution:

+1. Open the **RD Client** application on your device.

+1. In the top left-hand corner, tap the menu icon (the circle with three dots inside), then tap **Settings**.

+1. Tap **Display**.

+1. Tap a resolution from the list.

+1. You can also set **Use Home Indicator Area**. Toggling this on will show graphics from the remote session in the area at the bottom of the screen occupied by the Home indicator. This setting only applies in landscape orientation. For more information about display orientation, see [Set orientation](#set-orientation).

+1. Tap the back arrow (**<**), then tap the **X** mark.

+## Connection bar and session overview menu

+When you've connected to Azure Virtual Desktop, you'll see a bar at the top, which is called the **connection bar**. This gives you quick access to a zoom control, represented by a magnifying glass icon, and the ability to toggle between showing and hiding the on-screen keyboard. You can move the connection bar around the top and side edges of the display by tapping and dragging it to where you want it. If you tap and hold the zoom control, you can choose the percentage by which to zoom by using the slider. If you use a keyboard, you can also show and hide the connection bar by pressing <kbd>Shift</kbd>+<kbd>CMD</kbd>+<kbd>Space bar</kbd>.

+The middle icon in the connection bar is of the Remote Desktop logo. If you tap this, it shows the *session overview* screen. The *session overview* screen enables you to:

+- Go to the *Connection Center* using the **Home** icon.

+- Switch inputs between touch and the mouse pointer (when not using a separate mouse).

+- Switch between active desktops and apps.

+- Disconnect all active sessions.

+Pressing <kbd>Tab</kbd> on a keyboard will switch between the PCs and Apps tab in the *session overview* menu. You can also use arrow keys to navigate and select an active session to open.

+You can return back to an active session from the Connection Center using the **Return Arrow** button found in the bottom right corner of the Connection Center.

+## Input methods

+The Remote Desktop client supports native touch gestures, keyboard, mouse, and trackpad.

+### Use touch gestures and mouse modes in a remote session

+You can use touch gestures to replicate mouse actions in your remote session. Two mouse modes are available:

+- **Direct touch**: where you tap on the screen is the equivalent to clicking a mouse in that position. The mouse pointer isn't shown on screen.

+- **Mouse pointer**: The mouse pointer is shown on screen. When you tap the screen and move your finger, the mouse pointer will move.

+If you use Windows 10 or later with Azure Virtual Desktop, native Windows touch gestures are supported in direct touch mode.

+The following table shows which mouse operations map to which gestures in specific mouse modes:

+| Mouse mode | Mouse operation | Gesture |

+|:--|:|:|

+| Direct touch | Left-click | Tap with one finger |

+| Direct touch | Right-click | Tap and hold with one finger |

+| Mouse pointer | Left-click | Tap with one finger |

+| Mouse pointer | Left-click and drag | Double-tap and hold with one finger, then drag |

+| Mouse pointer | Right-click | Tap with two fingers, or tap and hold with one finger |

+| Mouse pointer | Right-click drag | Double-tap and hold with two fingers, then drag |

+| Mouse pointer | Mouse wheel | Tap and hold with two fingers, then drag up or down |

+| Mouse pointer | Zoom | With two fingers, pinch to zoom out and spread fingers apart to zoom in |

+### Keyboard

+You can use familiar keyboard shortcuts when using a keyboard with your iPad or iPhone and Azure Virtual Desktop. Mac and Windows keyboard layouts differ slightly - for example, the <kbd>Command</kbd> key on a Mac keyboard equals the <kbd>Windows</kbd> key on a Windows keyboard. To help with the differences this makes when using keyboard shortcuts, the Remote Desktop client automatically maps common shortcuts found in iOS and iPadOS so they'll work in Windows. These are:

+| Key combination | Function |

+|--||

+| <kbd>CMD</kbd>+<kbd>C</kbd> | Copy |

+| <kbd>CMD</kbd>+<kbd>X</kbd> | Cut |

+| <kbd>CMD</kbd>+<kbd>V</kbd> | Paste |

+| <kbd>CMD</kbd>+<kbd>A</kbd> | Select all |

+| <kbd>CMD</kbd>+<kbd>Z</kbd> | Undo |

+| <kbd>CMD</kbd>+<kbd>F</kbd> | Find |

+| <kbd>CMD</kbd>+<kbd>+</kbd> | Zoom in |

+| <kbd>CMD</kbd>+<kbd>-</kbd> | Zoom out |

+In addition, the <kbd>Alt</kbd> key to the right of the space bar on a Mac keyboard equals the <kbd>Alt Gr</kbd> in Windows.

+### Mouse and trackpad

+You can use a mouse or trackpad with the Remote Desktop client. However, support for these devices depends on whether you're using iOS or iPadOS. iPadOS natively supports a mouse and trackpad as an input method, whereas support can only be enabled in iOS with *AssistiveTouch*. For more information, see [Connect a Bluetooth mouse or trackpad to your iPad](https://support.apple.com/HT211009) or [How to use a pointer device with AssistiveTouch on your iPhone, iPad, or iPod touch](https://support.apple.com/HT210546).

+## Redirections

+The Remote Desktop client enables you to make your local clipboard available in your remote session. By default, text you copy on your iOS or iPadOS device is available to paste in your remote session, and text you copy in your remote session is available to paste on your iOS or iPadOS device.

+## General app settings

+To set other general settings of the Remote Desktop app to use with Azure Virtual Desktop:

+1. Open the **RD Client** application on your device.

+1. In the top left-hand corner, tap the menu icon (the circle with three dots inside), then tap **Settings**.

+1. You can change the following settings:

+ | Setting | Value | Description |

+ |--|--|--|

+ | Show PC Thumbnails | Toggle **On** or **Off** | Show thumbnails of remote sessions. |

+ | Allow Display Auto-Lock | Toggle **On** or **Off** | Allow your device to turn off its screen. |

+ | Use HTTP Proxy | Toggle **On** or **Off** | Use the HTTP proxy specified in iOS/iPadOS network settings. |

+ | Appearance | Select from **Light**, **Dark**, or **System** | Set the appearance of the Remote Desktop client. |

+ | Send Data to Microsoft | Toggle **On** or **Off** | Help improve the Remote Desktop client by sending anonymous data to Microsoft. |

+## Test the beta client

+If you want to help us test new builds before they're released, you should download our beta client. Organizations can use the beta client to validate new versions for their users before they're generally available.

+> [!NOTE]

+> The beta client shouldn't be used in production.

+You can download the beta client for iOS and iPadOS from TestFlight. To get started, see [Microsoft Remote Desktop for iOS](https://testflight.apple.com/join/vkLIflUJ).

+## Provide feedback

+If you want to provide feedback to us on the Remote Desktop client for iOS and iPadOS, you can do so in the app:

+1. Open the **RD Client** application on your device.

+1. In the top left-hand corner, tap the menu icon (the circle with three dots inside), then tap **Settings**.

+1. Tap **Submit feedback**, which will open the feedback page in your browser.

+## Next steps

+If you're having trouble with the Remote Desktop client, see [Troubleshoot the Remote Desktop client](../troubleshoot-client.md).

+ Title: Use features of the Remote Desktop client for macOS - Azure Virtual Desktop

+description: Learn how to use features of the Remote Desktop client for macOS when connecting to Azure Virtual Desktop.

+# Use features of the Remote Desktop client for macOS when connecting to Azure Virtual Desktop

+Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's important to know how to use the features. This article shows you how to use the features available in the Remote Desktop client for macOS. If you want to learn how to connect to Azure Virtual Desktop, see [Connect to Azure Virtual Desktop with the Remote Desktop client for macOS](connect-macos.md).

+You can find a list of all the Remote Desktop clients at [Remote Desktop clients overview](remote-desktop-clients-overview.md). For more information about the differences between the clients, see [Compare the Remote Desktop clients](../compare-remote-desktop-clients.md).

+> [!NOTE]

+> Some of the settings in this article can be overridden by your admin, such as being able to copy and paste between your local device and your remote session. If some of these settings are disabled, please contact your admin.

+## Edit, refresh, or delete a workspace

+To edit, refresh or delete a workspace:

+1. Open the **Microsoft Remote Desktop** application on your device, then select **Workspaces**.

+1. Right-click the name of a workspace or hover your mouse cursor over it and you'll see a menu with options for **Edit**, **Refresh**, and **Delete**.

+ - **Edit** allows you to specify a user account to use each time you connect to the workspace without having to enter the account each time. To learn more, see [Manage user accounts](#manage-user-accounts).

+ - **Refresh** makes sure you have the latest desktops and apps and their settings provided by your admin.

+ - **Delete** removes the workspace from the Remote Desktop client.

+## User accounts

+### Add user credentials to a workspace

+You can save a user account and associate it with workspaces to simplify the connection sequence, as the sign-in credentials will be used automatically.

+1. Open the **Microsoft Remote Desktop** application on your device, then select **Workspaces**.

+1. Right-click the name of a workspace, then select **Edit**.

+1. For **User account**, select **Add User Account...** to add a new account, or select an account you've previously added.

+1. If you selected **Add User Account...**, enter a username, password, and optionally a friendly name, then select **Add**.

+1. Select **Save**.

+### Manage user accounts

+You can save a user account and associate it with workspaces to simplify the connection sequence, as the sign-in credentials will be used automatically. You can also remove accounts you no longer want to use.

+To save a user account:

+1. Open the **Microsoft Remote Desktop** application on your device.

+1. From the macOS menu bar, select **Microsoft Remote Desktop**, then select **Preferences**.

+1. Select the **User Accounts** tab, then the **+** (plus) icon.

+1. Enter a username, password, and optionally a friendly name, then select **Add**. You can then add this account to a workspace by following the steps in [Add user credentials to a workspace](#add-user-credentials-to-a-workspace).

+1. Close Preferences.

+To remove an account you no longer want to use:

+1. Open the **Microsoft Remote Desktop** application on your device.

+1. From the macOS menu bar, select **Microsoft Remote Desktop**, then select **Preferences**.

+1. Select the **User Accounts** tab, then select the account you want to remove.

+1. Select the **-** (minus) icon, then confirm you want to delete the user account.

+1. Close Preferences.

+## Display preferences

+### Add, remove, or restore display resolutions

+To add, remove or restore display resolutions:

+1. Open the **Microsoft Remote Desktop** application on your device.

+1. From the macOS menu bar, select **Microsoft Remote Desktop**, then select **Preferences**.

+1. Select the **Resolutions** tab.

+1. To add a custom resolution, select the **+** (plus) icon and enter in the **width** and **height** in pixels, then select **Add**.

+1. To remove a resolution, select the resolution you want to remove, then select the **-** (minus) icon. Confirm you want to delete the resolution by selecting **Delete**.

+1. To restore default resolutions, select **Restore Defaults**.

+### Display settings for each remote desktop

+If you want to use different display settings to those specified by your admin, you can configure custom settings.

+1. Open the **Microsoft Remote Desktop** application on your device, then select **Workspaces**.

+1. Right-click the name of a desktop, for example **SessionDesktop**, then select **Edit**.

+1. Check the box for **Use custom settings**.

+1. On the **Display** tab, you can select from the following options:

+| Option | Description |

+|--|--|

+| Resolution | Select the resolution to use for the desktop. You can select from a predefined list, or add custom resolutions. |

+| Use all monitors | Automatically use all monitors for the desktop. If you have multiple monitors, all of them will be used.<br /><br />For information on limits, see [Compare the features of the Remote Desktop clients](../compare-remote-desktop-clients.md). |

+| Start session in full screen | The desktop will be displayed full screen, rather than windowed. |