+1. Check first if it's a valid key associated with an active subscription, either:

+1. If the key isn't valid but a product exists that includes the API but doesn't require a subscription (an *open* product), ignore the key and handle as an API request without a subscription key (see below).

+1. Check first for the existence of a product that includes the API but doesn't require a subscription (an *open* product). If the open product exists, handle the request in the context of the APIs, policies, and access rules configured for the open product. An API can be associated with at most one open product.

+|✔️ | ❌ | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/>• Other key not scoped to applicable product or API | Access allowed (API context) | • Protected API access with product-scoped subscription<br/><br/>• Anonymous access to API. If anonymous access isn’t intended, configure API-level policies to enforce authentication and authorization. |

+|Γ¥î¹ | Γ¥î | Access allowed:<br/><br/>ΓÇó Product-scoped key<br/>ΓÇó API-scoped key<br/>ΓÇó All APIs-scoped key<br/>ΓÇó Service-scoped key<br/>ΓÇó Other key not scoped to applicable product or API | Access allowed (open product context) | Anonymous access to API. If anonymous access isnΓÇÖt intended, configure with product policies to enforce authentication and authorization |

+- If an API doesn't require subscription authentication, any API request that includes a subscription key is treated the same as a request without a subscription key. The subscription key is ignored.

+ Title: Configure error pages on App Service

+description: Learn how to configure a custom error page on App Service

+# Configure error pages on App Service (preview)

+This article explains how to configure custom error pages on your web app. With App Service you can configure an error page for specific errors that will be presented to users instead of the default error page.

+### Prerequisite

+In this tutorial, we're adding a custom 403 error page to our web app hosted on App Service and test it with an IP restriction. To do so, you need the following:

+- a web app hosted on App Service w/ a Premium SKU

+- an html file under 10 kb in size

+## Upload an error page

+For this example, we're uploading and testing a 403 error page to present to the user. Name your html file to match the error code (for example, `403.hmtl`). Once you have your html file prepared, you can upload it to your web app. In the configuration blade, you should see an **Error pages (preview)** tab. Click on this tab to view the error page options. If the options are greyed out, you need to upgrade to at least a Premium SKU to use this feature.

+Select the error code that you'd like to upload an error page for and click **Edit**. On the next screen, click the folder icon to select your html file. The file must be in html format and within the 10 kb size limit. Find your .html file and click on the **Upload** button at the bottom of the screen. Notice the Status in the table updates from Not Configured to Configured. Then click **Save** to complete the upload.

+## Confirm error page

+Once the custom error page is uploaded and saved, we can trigger and view the page. In this example, we can trigger the 403 error by using an IP restriction.

+To set an IP restriction, go to the **Networking** blade and click the **Enabled with access restrictions** link under **Inbound traffic configuration**.

+Under the **Site access and rules** section, select the **+Add** button to create an IP restriction.

+In the form that follows, you need to change the Action to **Deny** and fill out the **Priority** and **IP Address Block**. In this example, we use the **Inbound address** found on the Networking blade and we're setting it to /0 (for example, `12.123.12.123/0`). This disables all public access when visiting the site.

+Once the Add rule form is filled out, select the **Add rule** button. Then click **Save**.

+Once saved, you need to restart the site for the changes to take effect. Go to your overview page and select **browse**. You should now see your custom error page load.

+## Error codes

+App Service currently supports three types of error codes that are available to customize:

+| Error code | description |

+| - | - |

+| 403 | Access restrictions |

+| 502 | Gateway errors |

+| 503 | Service unavailable |

+## FAQ

+1. I've uploaded my error page, why doesn't it show when the error is triggered?

+Currently, error pages are only triggered when the error is coming from the front end. Errors that get triggered at the app level should still be handled through the app.

+2. Why is the error page feature greyed out?

+Error pages are currently a Premium feature. You need to use at least a Premium SKU to enable the feature.

+> If the application gateway is not able to access the CRL endpoints, it might mark the backend health status as "unknown". To prevent these issues, check that your application gateway subnet is able to access `crl.microsoft.com` and `crl3.digicert.com`. This can be done by configuring your Network Security Groups to send traffic to the CRL endpoints.

+ Title: Setting HTTPOnly or Secure flag for Session Affinity cookie

+description: Learn how to set HTTPOnly or Secure flag for Session Affinity cookie

+# Setting HTTPOnly or Secure flag for Session Affinity cookie

+In this guide you learn to create a Rewrite set for your Application Gateway and configure Secure and HttpOnly [ApplicationGatewayAffinity cookie](configuration-http-settings.md#cookie-based-affinity).

+## Prerequisites

+* You must have an Azure subscription. You can create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* An existing Application Gateway resource configured with at least one Listener, Rule, Backend Setting and Backend Pool configuration. If you don't have one, you can create one by following the [QuickStart guide](quick-create-portal.md).

+## Creating a Rewrite set

+1. Sign in to the Azure portal.

+1. Navigate to the required Application Gateway resource.

+1. Select Rewrites in the left pane.

+1. Select Rewrite set.

+1. Under the Name and Association tab

+ 1. Specify a name for this new rewrite set.

+ 1. Select the routing rules for which you wish to rewrite the ApplicationGatewayAffinity cookie's flag.

+ 1. Select Next.

+1. Select "Add rewrite rule"

+ 1. Enter a name for the rewrite rule.

+ 1. Enter a numeric value for Rule Sequence field.

+1. Select "Add condition"

+1. Now open the "If" condition box and use the following details.

+ 1. Type of variable to check - HTTP header

+ 1. Header type - Response header

+ 1. Header name - Common header

+ 1. Common header - Set-Cookie

+ 1. Case-sensitive - No

+ 1. Operator - equal (=)

+ 1. Pattern to match - (.*)

+ 1. To save these details, select **OK**.

+1. Go to the **Then** box to specify action details.

+ 1. Rewrite type - Response header

+ 1. Action type - Set

+ 1. Header name - Common header

+ 1. Common header - Set-Cookie

+ 1. Header value - {http_resp_Set-Cookie_1}; HttpOnly; Secure

+ 1. Select **OK**

+1. Select Update to save the rewrite set configurations.

+## Next steps

+[Visit other configurations of a Backend Setting](configuration-http-settings.md)

+The HTTP header and URL rewrite features are only available for the [**Application Gateway v2 SKU**](application-gateway-autoscaling-zone-redundant.md).

+Application Gateway allows you to add, remove, or update HTTP request and response headers while the request and response packets move between the client and backend pools. HTTP headers allow a client and server to pass additional information with a request or response. By rewriting these headers, you can accomplish important tasks, such as adding security-related header fields like HSTS/ X-XSS-Protection, removing response header fields that might reveal sensitive information, and removing port information from X-Forwarded-For headers.

+You can rewrite all headers in requests and responses, except for the `Connection`, and `Upgrade` headers. You can also use the application gateway to **create custom headers** and add them to the requests and responses being routed through it. To learn how to rewrite request and response headers with Application Gateway using Azure portal, see [here](rewrite-http-headers-portal.md).

+## Understanding Rewrites in Application Gateway

+A rewrite set is a collection of a Routing Rule, Condition and Action.

+* **Request routing rule association:** The rewrite configuration is associated to a source listener via its routing rule. When you use a routing rule of the type Basic, the rewrite configuration is associated with its listener and works as a global rewrite. When you use a Path-based routing rule, the rewrite configuration is defined as per the URL path map. In the latter case, it applies only to a specific path area of a site. You can apply a rewrite set to multiple routing rules but a routing rule can have only one rewrite associated with it.

+* **Rewrite Condition:** This is an optional configuration. Based on the conditions that you define, the Application Gateway will evaluate the contents of the HTTP(S) requests and responses. The subsequent "rewrite action" will occur if the HTTP(S) request or response matches this condition. If you associate more than one condition with an action, the action occurs only when all the conditions are met. In other words, it is a logical AND operation.

+ You can choose the following types to look for a condition:

+ * HTTP header (Request and Response)

+ * Supported [Server variables](#server-variables)

+ A Condition lets you evaluate whether a specified header or variable exists by matching their values through text or a Regex pattern. For advanced rewrite configurations, you can also capture the value of header or server variable for later use under Rewrite Action. Know more about [pattern and capturing](#pattern-matching-and-capturing).

+* **Rewrite Action:** Rewrite action set allows you to rewrite Headers (Request or Response) or the URL components.

+ An action can have the following value types or their combinations:

+ * Text.

+ * Request header's value - To use a captured request header value, specify the syntax as `{http_req_headerName}`.

+ * Response header's value - To use a captured response header value from the preceding Condition, specify the syntax as `{http_resp_headerName}`. You can use `{capt_header_value_matcher}` when the value is captured from Action Set's "Set-Cookie" response header. Know more about [capture under Action set](#syntax-for-capturing).

+ * Server variable - To use a server variable, specify the syntax as `{var_serverVariable}`. [List of supported Server variables](#server-variables).

+ When using an Action to rewrite a URL, the following operations are supported:

+ * URL path: The new value to be set as the path.

+ * URL Query String: The new value to which the query string must be rewritten.

+ * Re-evaluate path map: Specify if the URL path map must be re-evaluated after rewrite. If kept unchecked, the original URL path will be used to match the path-pattern in the URL path map. If set to true, the URL path map will be re-evaluated to check the match with the rewritten path. Enabling this switch helps in routing the request to a different backend pool post rewrite.

+## Pattern matching and capturing

+Patten matching and capturing are supported under Condition and Action (under Action, it is supported only for a specific header).

+### Pattern matching

+Application Gateway uses regular expressions for pattern matching. You should use Regular Expression 2 (RE2) compatible expressions when writing your pattern matching syntax.

+You can use pattern matching under both Condition and Action.

+* **Condition**: This is used to match the values for a Header or Server Variable. To match a pattern under "Conditions" use the "pattern" property.

+* **Action**: Pattern matching under Action Set is only available for Response header "Set-Cookie". To match a pattern for Set-Cookie under an action, use the "HeaderValueMatcher" property. If captured, its value can be used as {capt_header_value_matcher}. As there can be multiple Set-Cookie, a pattern matching here allows you to look for a specific cookie. Example: For a certain version of user-agent, you want to rewrite the set-cookie response header for "cookie2" with max-age=3600 (one hour). In this case, you can use

+ * Condition - Type: Request header, Header name: user-agent, Pattern to match: *2.0

+ * Action - Rewrite type: Response header, Action type: Set, Header name: Set-Cookie, Header Value Matcher: cookie2=(.*), Header value: cookie2={capt_header_value_matcher_1};Max-Age=3600

+> If you are running an Application Gateway Web Application Firewall (WAF) with Core Rule Set 3.1 or earlier, you may run into issues when using Perl Compatible Regular Expressions (PCRE) while doing lookahead and lookbehind (negative or positive) assertions.

+### Syntax for capturing

+Patterns can also be used to capture a sub-string for later use. Put parentheses around a sub-pattern in the regex definition. The first pair of parentheses stores its substring in 1, the second pair in 2, and so on. You may use as many parentheses as you like; Perl just keeps defining more numbered variables for you to represent these captured strings. You can find some example in this [Perl programming guidance](https://docstore.mik.ua/orelly/perl/prog3/ch05_07.htm).

+* (\d)(\d) # Match two digits, capturing them into groups 1 and 2

+* (\d+) # Match one or more digits, capturing them all into group 1

+* (\d)+ # Match a digit one or more times, capturing the last into group 1

+Once captured, you can use them in the Action Set value using the following format:

+* For a response header capture, you must use {http_resp_headerName_groupNumber}. For example, {http_resp_Location_1} or {http_resp_Location_2}. Whereas for a response header Set-Cookie captured through "HeaderValueMatcher" property, you must use {capt_header_value_matcher_groupNumber}. For example, {capt_header_value_matcher_1} or {capt_header_value_matcher_2}.

+> * Use of / to prefix and suffix the pattern should not be specified in the pattern to match value. For example, (\d)(\d) will match two digits. /(\d)(\d)/ won't match two digits.

+> * The case of the condition variable needs to match case of the capture variable. For example, if my condition variable is User-Agent, my capture variable must be for User-Agent (i.e. {http_req_User-Agent_2}). If my condition variable is defined as user-agent, my capture variable must be for user-agent (i.e. {http_req_user-agent_2}).

+> * If you want to use the whole value, you should not mention the number. Simply use the format {http_req_headerName}, etc. without the groupNumber.

+## Common scenarios for header rewrite

+### Modify a redirection URL

+### Implement security HTTP headers to prevent vulnerabilities

+### Check for the presence of a header

+## Common scenarios for URL rewrite

+### Parameter based path selection

+### Rewrite query string parameters based on the URL

+## Rewrite configuration common pitfalls

+* Enabling 'Reevaluate path map' isn't allowed for basic request routing rules. This is to prevent infinite evaluation loop for a basic routing rule.

+* There needs to be at least 1 conditional rewrite rule or 1 rewrite rule which doesn't have 'Reevaluate path map' enabled for path-based routing rules to prevent infinite evaluation loop for a path-based routing rule.

+* Incoming requests would be terminated with a 500 error code in case a loop is created dynamically based on client inputs. The Application Gateway continues to serve other requests without any degradation in such a scenario.

+### Using URL rewrite or Host header rewrite with Web Application Firewall (WAF_v2 SKU)

+When you configure URL rewrite or host header rewrite, the WAF evaluation happens after the modification to the request header or URL parameters (post-rewrite). And when you remove the URL rewrite or host header rewrite configuration on your Application Gateway, the WAF evaluation is done before the header rewrite (pre-rewrite). This order ensures that WAF rules are applied to the final request that would be received by your backend pool.

+For example, say you have the following header rewrite rule for the header `"Accept" : "text/html"` - if the value of header `"Accept"` is equal to `"text/html"`, then rewrite the value to `"image/png"`.

+Here, with only header rewrite configured, the WAF evaluation is done on `"Accept" : "text/html"`. But when you configure URL rewrite or host header rewrite, then the WAF evaluation is done on `"Accept" : "image/png"`.

+## URL rewrite vs URL redirect

+- Request header names can contain alphanumeric characters and hyphens. Headers names containing other characters will be discarded when a request is sent to the backend target.

+ ( ) is used to capture the substring for later use in composing the expression for rewriting the URL path. For more information, see [Pattern matching and capturing](rewrite-http-headers-url.md#pattern-matching-and-capturing).

+ "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",

+ "clientSecret": "aaaaaaaa-0b0b-1c1c-2d2d-333333333333",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",

+Vaults enable support for [customer-managed keys](../security/fundamentals/encryption-models.md) (CMK) where you can control your own keys in HSMs, and use them to encrypt data at rest for [many Azure services](../security/fundamentals/encryption-models.md#services-supporting-customer-managed-keys-cmks). As mentioned previously, you can [import or generate encryption keys](/azure/key-vault/keys/hsm-protected-keys) in HSMs ensuring that keys never leave the HSM boundary to support *bring your own key (BYOK)* scenarios.

+As mentioned previously, managed HSM supports [importing keys generated](/azure/key-vault/managed-hsm/hsm-protected-keys-byok) in your on-premises HSMs, ensuring the keys never leave the HSM protection boundary, also known as *bring your own key (BYOK)* scenario. Managed HSM supports integration with Azure services such as [Azure Storage](../storage/common/customer-managed-keys-overview.md), [Azure SQL Database](/azure/azure-sql/database/transparent-data-encryption-byok-overview), [Azure Information Protection](/azure/information-protection/byok-price-restrictions), and others. For a more complete list of Azure services that work with Managed HSM, see [Data encryption models](../security/fundamentals/encryption-models.md#services-supporting-customer-managed-keys-cmks).

+- [**Customer-managed keys**](configure-customer-managed-keys.md) are stored in Azure Key Vault, allowing you to manage the lifecycle, usage permissions, and auditing of your encryption keys.

+- [**Customer-managed keys with managed Hardware Security Module (HSM)**](configure-customer-managed-keys-hardware.md) is an extension to customer-managed keys for Azure NetApp Files volume encryption feature. This HSM extension allows you to store your encryptions keys in a more secure FIPS 140-2 Level 3 HSM instead of the FIPS 140-2 Level 1 or Level 2 service used by Azure Key Vault (AKV).

+For more information about Azure NetApp Files key management, see [How are encryption keys managed](faq-security.md#how-are-encryption-keys-managed), [Configure customer-managed keys](configure-customer-managed-keys.md), or [customer-managed keys with managed HSM](configure-customer-managed-keys-hardware.md).

+Alternatively, [customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md) can be used where keys are stored in [Azure Key Vault](/azure/key-vault/general/basic-concepts). With customer-managed keys, you can fully manage the relationship between a key's life cycle, key usage permissions, and auditing operations on keys. The feature is generally available (GA) in [supported regions](configure-customer-managed-keys.md#supported-regions). [Azure NetApp Files volume encryption with customer-managed keys with the managed Hardware Security Module](configure-customer-managed-keys-hardware.md) is an extension to this feature, allowing you to store your encryption keys in a more secure FIPS 140-2 Level 3 HSM instead of the FIPS 140-2 Level 1 or Level 2 service used by Azure Key Vault.

+>[!NOTE]

+>All results published are for reference purposes only. Results are not guaranteed as performance in production workloads can vary due to numerous factors.

+## Considerations and recommendations

+- Performance from cool access can vary depending on the dataset and system load where the application is running. It's recommended to conduct relevant tests with your dataset to understand and account for performance variability from cool access.

+* Sequential writes: 100% sequential writes maxed out at ~8,500 MiB/second in these benchmarks. (A single large volumeΓÇÖs maximum throughput is capped at 12,800 MiB/second by the service, so more potential throughput is possible.)

+* Sequential reads: 100% sequential reads maxed out at ~12,761 MiB/second in these benchmarks. (A single large volume's throughput is capped at 12,800 MiB/second. This result is near the maximum achievable throughput at this time.)

+The graph represents a 256-KiB sequential workload using 12 virtual machines reading and writing to a single large volume using a 1-TiB working set. The graph shows that a single Azure NetApp Files large volume can handle between approximately 8,518 MiB/s pure sequential writes and 12,761 MiB/s pure sequential reads.

+The following graphs show 256-KiB sequential reads of approximately 10,000M iB/s withΓÇ»`nconnect`, which is roughly ten times the throughput achieved without `nconnect`.

+Note that 10,000 MiB/s is roughly the line rate of the 100 Gbps network interface card attached to the E104id_v5.

+## Non-Inherited and Inherited Configurations

+Replicas inherit most configurations from the primary resource; however, some settings must be configured directly on the replicas. Below is the list of those configurations:

+1. **SKU**: Each replica has its own SKU name and unit size. The autoscaling rules for replicas must be configured separately based on their individual metrics.

+2. **Shared private endpoints**: While shared private endpoints are automatically replicated to replicas, separate approvals are required on target private link resources. To add or remove shared private endpoints, manage them on the primary resource. **Do not** enable the replica until its shared private endpoint has been approved.

+3. **Log Destination Settings**. If not configured on the replicas, only logs from the primary resource will be transferred.

+4. **Alerts**.

+All other configurations are inherited from the primary resource. For example, access keys, identity, application firewall, custom domains, private endpoints, and access control.

+## Non-Inherited and Inherited Configurations

+Replicas inherit most configurations from the primary resource; however, some settings must be configured directly on the replicas. Below is the list of those configurations:

+1. **SKU**: Each replica has its own SKU name and unit size. The autoscaling rules for replicas must be configured separately based on their individual metrics.

+2. **Shared private endpoints**: While shared private endpoints are automatically replicated to replicas, separate approvals are required on target private link resources. To add or remove shared private endpoints, manage them on the primary resource. **Do not** enable the replica until its shared private endpoint has been approved.

+3. **Log Destination Settings**. If not configured on the replicas, only logs from the primary resource will be transferred.

+4. **Alerts**.

+All other configurations are inherited from the primary resource. For example, access keys, identity, application firewall, custom domains, private endpoints, and access control.

+| | Start/Stop audio streaming (public preview) | ✔️ | ✔️ | ✔️ | ✔️ |

+| | Start/Stop real-time transcription (public preview)| ✔️ | ✔️ | ✔️ | ✔️ |

+**Start/Stop audio streaming (public preview)** - Audio streaming allows you to subscribe to real-time audio streams from an ongoing call. For more detailed guidance on how to get started with audio streaming and information about audio streaming callback events, see our [concept](audio-streaming-concept.md) and our [quickstart](../../how-tos/call-automation/audio-streaming-quickstart.md).

+**Start/Stop real-time transcription (public preview)** - Real-time transcription allows you to access live transcriptions for the audio of an ongoing call. For more detailed guidance on how to get started with real-time transcription and information about real-time transcription callback events, see our [concept](real-time-transcription.md) and our [quickstart](../../how-tos/call-automation/real-time-transcription-tutorial.md).

+| Virtual Rooms SDKs | 2022-02-01 | Public Preview - retired |

+### Audio streaming (public preview)

+Audio streaming allows you to subscribe to real-time audio streams from an ongoing call. For more detailed guidance on how to get started with audio streaming and information about audio streaming callback events, see [this page](audio-streaming-quickstart.md).

+### Real-time transcription (public preview)

+Real-time transcription allows you to access live transcriptions for the audio of an ongoing call. For more detailed guidance on how to get started with real-time transcription and information about real-time transcription callback events, see [this page](real-time-transcription-tutorial.md).

+This article describes how to implement reactions for Azure Communication Services Calling SDKs. This capability enables participants in a group call or meeting to send and receive reactions with participants in Azure Communication Services and Microsoft Teams.

+The configuration and policy settings in Microsoft Teams control reactions for users in Teams meetings. For more information, see [Manage reactions in Teams meetings and webinars](/microsoftteams/manage-reactions-meetings) and [Meeting options in Microsoft Teams](https://support.microsoft.com/office/meeting-options-in-microsoft-teams-53261366-dbd5-45f9-aae9-a70e6354f88e).

+- Optional: Complete the quickstart to [add voice calling to your application](../../quickstarts/voice-video-calling/getting-started-with-calling.md).

+The system pulls reactions by batches at regular intervals. Current batch limitation is 20,000 reactions pulled every 3 seconds.

+If the number of reactions exceeds the limit, leftover reactions are sent in the next batch.

+## Support

+The following tables define support for reactions in Azure Communication Services.

+Teams meeting support is based on [Teams policy](/microsoftteams/manage-reactions-meetings).

+### Identities and call types

+The following table shows support for reactions in different call and identity types.

+| Identities | Teams interop meeting | Room | 1:1 call | Group call | Teams interop Group Call |

+| | | | | | |

+| Communication Services user | ✔️ | ✔️ | | ✔️ | ✔️ |

+| Microsoft 365 user | ✔️ | | | ✔️ | ✔️ |

+### Operations

+The following table shows support for reactions in Calling SDK to individual identity types.

+| Operations | Communication Services user | Microsoft 365 user |

+| | | |

+| Send specific reactions (like, love, laugh, applause, surprised) | ✔️ | ✔️ |

+| Receive specific reactions (like, love, laugh, applause, surprised) | ✔️ | ✔️ |

+### SDKs

+The following table shows support for Together Mode feature in individual Azure Communication Services SDKs.

+| Platforms | Web | Web UI | iOS | iOS UI | Android | Android UI | Windows |

+| | | | | | | | |

+| Is Supported | ✔️ | ✔️ | | | | | |

+This article explains how to subscribe to events from Azure Communication Services through the portal, Azure CLI, PowerShell, and .NET SDK.

+You can set up event subscriptions for Communication Services resources through the [Azure portal](https://portal.azure.com), Azure CLI, PowerShell, or with the Azure [Event Grid Management SDK](https://www.nuget.org/packages/Azure.ResourceManager.EventGrid/).

+This quickstart describes the process of setting up a webhook as a subscriber for SMS events from Azure Communication Services. For a full list of events, see [Azure Communication Services as an Azure Event Grid source](/azure/event-grid/event-schema-communication-services).

+ Title: Tutorial on how to attach custom tags to your client telemetry

+description: Assign a custom attribute tag to participants telemetry using the calling SDK.

+# Tutorial on adding custom tags to your client telemetry

+This tutorial shows you how to add a custom data attribute, called the **Diagnostic Option** tag, to the telemetry data that your WebJS client sends to Azure Monitor. This telemetry can be used for post-call analysis.

+## Why A/B Testing Matters

+A/B testing is an essential technique for making data-informed decisions in product development. Examining two variations of an application output, developers can identify which version excels based on specific metrics that track call reliability and quality. This method enables companies to test different designs, content, and functionalities within a controlled setting, ensuring that any modifications result in measurable enhancements. Additionally, A/B testing reduces the risks tied to introducing new features or strategies by offering evidence-based insights before a full-scale launch.

+Another key benefit of A/B testing is its capacity to reveal user preferences and behaviors that may not be evident through traditional testing techniques. Analyzing the outcomes of these tests allows developers to gain a deeper understanding how two different versions of your application result in end user improvements in calling reliability and quality. This iterative cycle of testing and optimization cultivates a culture of continual enhancement, helping developers remain competitive and adaptable to evolving market trends.

+## Benefits of the Diagnostic Option tag

+Consider the possibility that specific segments of your user base are encountering issues, and you aim to better identify and understand these problems. For instance, imagine all your customers utilizing Azure Communication Services WebJS in a single particular location face difficulty. To pinpoint the users experiencing issues, you can incorporate a diagnostic option tag on clients initiating a call in the specified location. This tagging allows you to filter and examine calling logs effectively. By applying targeted tag, you can segregate and analyze this data more efficiently. Monitoring tools such as ACS Calling Insights and Call Diagnostic Center (CDC) can help tracking these tag and identifying recurring issues or patterns. Through ongoing analysis of these tagged sessions, you gain valuable insights into user problems, enabling you to proactively address them and enhance the overall user experience.experience.

+## How to add a Diagnostic Option tag to your JavaScript code

+There are three optional fields that you can use to tag give to add various level of. Telemetry tracking for your needs.

+- `appName`

+- `appVersion`

+- `tags`

+Each value can have a maximum length of 64 characters, with support for only letters [aA, bB, cC, etc.], numbers[0-9], and basic symbols (dash "-", underscore "_", period ".", colon ":", number sign "#" ).

+Here is an example of how to use the **Diagnostic Options** parameters from within your WebJS application:

+```js

+this.callClient = new CallClient({

+ diagnostics: {

+ appName: 'contoso-healthcare-calling-services',

+ appVersion: '2.1',

+ tag: ["contoso_virtual_visits",`#clientTag:participant0001}`]

+ }

+});

+```

+## How to view the tag

+Once you add the values to your client SDK, they're populated and appear in your telemetry and metrics as you're calling. These values appear as key-value pairs appended to the user agent field that appears within the [call client log schema](../../concepts/analytics/logs/voice-and-video-logs.md#call-client-operations-log-schema)

+**contoso-healthcare-calling-services**/**2.1** azsdk-js-communication-calling/1.27.1-rc.10 (javascript_calling_sdk;**#clientTag:contoso_virtual_visits"**,**`#clientTag:participant0001**). Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0

+> [!NOTE]

+> If you doesn't set a value of `appName` and `appVersion` from within the client API, the default value of default/0.0.0 will appear within the `UserAgent` field

+## Next steps

+- Learn more about Azure Communication Services Call Diagnostic Center [here](../../concepts//voice-video-calling/call-diagnostics.md)

+- Learn more about Voice and Video calling Insights [here](../../concepts/analytics/insights/voice-and-video-insights.md)

+- Learn more about how to enable Azure Communication Services logs [here](../../concepts/analytics/enable-logging.md)

+| EnrollmentReader | Enrollment readers can view data at the enrollment, department, and account scopes. The data contains charges for all of the subscriptions under the scopes, including across tenants. Can view the Azure Prepayment (previously called monetary commitment) balance associated with the enrollment. | 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e |

+| EA purchaser | Purchase reservation orders and view reservation transactions. It has all the permissions of EnrollmentReader, which have all the permissions of DepartmentReader. It can view usage and charges across all accounts and subscriptions. Can view the Azure Prepayment (previously called monetary commitment) balance associated with the enrollment. | da6647fb-7651-49ee-be91-c43c4877f0c4 |

+| SubscriptionCreator | Create new subscriptions in the given scope of Account. | a0bcee42-bf30-4d1b-926a-48d21664ef71 |

+ | `properties.roleDefinitionId` | `/providers/Microsoft.Billing/billingAccounts/{BillingAccountName}/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e` |

+ Notice that `24f8edb6-1668-4659-b5e2-40bb5f3a7d7e` is a billing role definition ID for an EnrollmentReader.

+`"/providers/Microsoft.Billing/billingAccounts/1111111/billingRoleDefinitions/ da6647fb-7651-49ee-be91-c43c4877f0c4"`

+ | `properties.roleDefinitionId` | `/providers/Microsoft.Billing/billingAccounts/{BillingAccountID}/enrollmentAccounts/{enrollmentAccountID}/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71` |

+ The billing role definition ID of `a0bcee42-bf30-4d1b-926a-48d21664ef71` is for the subscription creator role.

+The connector supports the Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+The connector supports the Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+The connector supports the Couchbase version higher than 6.0.

+The connector now uses the following precision. The previous precision is compatible.

+ - Double values use 17 significant digits (previously 15 significant digits)

+ - Float values use 9 significant digits (previously 7 significant digits)

+The connector supports the Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+The connector no longer supports P12 keyfiles. If you rely on service accounts, you are recommended to use JSON keyfiles instead. The P12CustomPwd property used for supporting the P12 keyfile was also deprecated. For more information, see this [article](https://cloud.google.com/sdk/docs/release-notes#bigquery_6).

+The connector supports the Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+The connector supports the Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+| sslMode | This option specifies whether the driver uses TLS encryption and verification when connecting to MariaDB. E.g., `SSLMode=<0/1/2/3/4>`.<br/>Options: DISABLED (0) / PREFERRED (1) / REQUIRED (2) / VERIFY_CA (3) / VERIFY_IDENTITY (4) **(Default)** | Yes |

+| useSystemTrustStore | This option specifies whether to use a CA certificate from the system trust store, or from a specified PEM file. E.g. `UseSystemTrustStore=<0/1>`;<br/>Options: Enabled (1) / Disabled (0) **(Default)** | No |

+ "driverVersion": "v2",

+ "sslMode": <sslmode>,

+ "useSystemTrustStore": <UseSystemTrustStore>

+ "driverVersion": "v2",

+ "sslMode": <sslmode>,

+ "useSystemTrustStore": <UseSystemTrustStore>

+The connector supports the Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+The billing_on column property was removed from the following tables. For more information, see this [article](https://shopify.dev/docs/api/admin-rest/2024-07/resources/usagecharge).

+ - Recurring_Application_Charges

+ - UsageCharge

+The connector supports the Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+- OAuth 2.0 authentication.

+- Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+{"runId":"aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"}

+ "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/<factoryName>/pipelineruns/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "runId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "runGroupId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "activityRunId": "bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f",

+ "pipelineRunId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/<factoryName>/pipelineruns/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/activityruns/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f"

+PUT https://management.azure.com/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/abnarain-rg/providers/Microsoft.DataFactory/factories/ambika-df/integrationruntimes/sample-2?api-version=2018-06-01

+ "updateResourceEndpoint": "https://management.azure.com/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/Default-MachineLearning-SouthCentralUS/providers/Microsoft.MachineLearning/webServices/myWebService?api-version=2016-05-01-preview",

+ --assignee-object-id aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

+ New-AzDataShareDataSetMapping -ResourceGroupName "share-rg" -AccountName "FabrikamDataShareAccount" -ShareSubscriptionName "fabrikamsolutions" -Name "Fabrikam Solutions" -StorageAccountResourceId "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" -DataSetId "0123abcd-ef01-2345-6789-abcdef012345" -Container "StorageContainer"

+ "tierToColdSummary": {

+ "totalObjectsCount": 0,

+ "successCount": 0,

+ "errorList": ""

+ },

+ "tierToColdSummary": {

+ "totalObjectsCount": 0,

+ "successCount": 0,

+ "errorList": ""

+ },

+# Customer intent: I want to learn how to send forward events from an Event Grid topic to an Event Grid namespace topic

+This article describes how to forward events from event subscriptions created in resources like topics, system topics, domains, and partner topics to Event Grid namespaces.

+Event Grid basic supports **Event Grid Namespace topic** as the **endpoint type**. When creating an event subscription to an Event Grid topic, system topic, domain, or partner topic, you can select an Event Grid namespace topic as the endpoint for handling events.

+Namespace topic as a destination in Event Grid basic event subscriptions helps you with transitioning to Event Grid namespaces without modifying your existing workflow. Event Grid namespaces provide new and interesting capabilities that you might be interested to use in your solutions. If you're currently using Event Grid basic resources like topics, system topics, domains, and partner topics you only need to create a new event subscription in your current topic and select Event Grid namespace topic as a handler destination.

+This article covers an example scenario where you forward Azure Storage events to an Event Grid namespace. Here are the high-level steps:

+1. Create a system topic for the Azure storage account and enable managed identity for the system topic.

+1. Assign the system topic's managed identity to the Event Grid Data Sender role on the destination Event Grid namespace.

+1. Create an event subscription to the system topic with the Event Grid namespace as the event handler, and use the managed identity for event delivery.

+## Prerequisites

+1. Create an Event Grid event subscription in a namespace topic by following instructions from [Create, view, and manage event subscriptions in namespace topics](create-view-manage-event-subscriptions.md). This step is optional, but it's useful for testing the scenario.

+## Create a system topic and enable managed identity for the storage account

+If you have an existing system topic for the storage account, navigate to the system topic page. If you don't have one, create a system topic. Then, enable managed identity for the storage account.

+1. Navigate to [Azure portal](https://portal.azure.com).

+1. In the search bar, search for **Event Grid System Topics**, and select it from the search results.

+1. On the **Event Grid System Topics** page, select **+ Create**.

+ :::image type="content" source="./media/handler-event-grid-namespace-topic/system-topics-page.png" alt-text="Screenshot that shows the System Topics page with the Create button selected." lightbox="./media/handler-event-grid-namespace-topic/system-topics-page.png":::

+1. On the **Create Event Grid System Topic** page, follow these steps:

+ 1. For **Topic Types**, select **Storage Accounts**.

+ 1. For **Subscription**, select the Azure subscription where you want to create the system topic.

+ 1. For **Resource Group**, select the resource group for the system topic.

+ 1. For **Resource**, select the Azure storage resource for which you want to create the system topic.

+ 1. In the **System Topic Details** section, for **Name**, enter a name for the topic.

+ 1. Select **Review + create** at the bottom of the page.

+ :::image type="content" source="./media/handler-event-grid-namespace-topic/create-system-topic-page.png" alt-text="Screenshot that shows the Create Event Grid System Topic page." lightbox="./media/handler-event-grid-namespace-topic/create-system-topic-page.png":::

+1. On the **Review + create** page, review settings, and select **Create**.

+ :::image type="content" source="./media/handler-event-grid-namespace-topic/create-system-topic-review-create.png" alt-text="Screenshot that shows the Create Event Grid System Topic - Review and create page." lightbox="./media/handler-event-grid-namespace-topic/create-system-topic-review-create.png":::

+1. After the deployment is successful, select **Go to resource** to navigate to the **Event Grid System Topic** page for the system topic you created.

+### Enable managed identity for the system topic

+Now, enable managed identity for the system topic you created. For this example, let's create a system-assigned managed identity for the system topic.

+1. On the **Event Grid System Topic** page, select **Identity** under **Settings** on the left navigation menu.

+1. On the **Identity** page, select **On** for **Status**.

+1. Select **Save** on the command bar.

+ :::image type="content" source="./media/handler-event-grid-namespace-topic/identity-page.png" alt-text="Screenshot that shows the Identity page for the system topic." lightbox="./media/handler-event-grid-namespace-topic/identity-page.png":::

+1. On the confirmation pop-up window, select **Yes** to confirm the creation of the managed identity.

+1. After the managed identity is created, you see the object (principal) ID for the identity.

+ Keep the **System Topic** page open in the current tab of your web browser.

+## Grant the identity permission to send events to the namespace

+In the last step, you created a system-assigned managed identity for your storage account's system topic. In this step, you grant the identity the permission to send events to the target or destination namespace.

+1. Launch a new tab or a window of the web browser. Navigate to your Event Grid namespace in the Azure portal.

+1. Select **Access control (IAM)** on the left menu.

+1. Select **Add** and then select **Add role assignment**.

+ :::image type="content" source="./media/handler-event-grid-namespace-topic/namespace-access-control-add.png" alt-text="Screenshot that shows the Access control page for the Event Grid namespace." lightbox="./media/handler-event-grid-namespace-topic/namespace-access-control-add.png":::

+1. On the **Role** page, search for and select **Event Grid Data Sender** role, and then select **Next**.

+ :::image type="content" source="./media/handler-event-grid-namespace-topic/role-page.png" alt-text="Screenshot that shows the Access control page with Event Grid Data Sender role selected." lightbox="./media/handler-event-grid-namespace-topic/role-page.png":::

+1. On the **Members** page, for **Assign access to**, select **Managed identity**, and then choose **+ Select members**.

+ :::image type="content" source="./media/handler-event-grid-namespace-topic/members-page.png" alt-text="Screenshot that shows the Members page." lightbox="./media/handler-event-grid-namespace-topic/members-page.png":::

+1. On the **Select managed identities** page, follow these steps:

+ 1. For **Subscription**, select the Azure subscription where the managed identity is created.

+ 1. For **Managed identity**, select **Event Grid System Topic**.

+ 1. For **Select**, type the name of your system topic.

+ 1. In the search results, select the managed identity. The managed identity's name is same as the system topic's name.

+

+ :::image type="content" source="./media/handler-event-grid-namespace-topic/select-identity.png" alt-text="Screenshot that shows the selection of a managed identity." lightbox="./media/handler-event-grid-namespace-topic/select-identity.png":::

+1. On the **Members** page, select **Next**.

+1. On the **Review + assign** page, review settings, and select **Review + assign** at the bottom of the page.

+## Create an event subscription to the storage system topic

+Now, you're ready to create an event subscription to the system topic for the source storage account using the namespace as an endpoint.

+1. On the **System Topic** page for the system topic, select **Overview** on the left menu if it's not already selected.

+1. Select **+ Event Subscription** on the command bar.

+ :::image type="content" source="media/handler-event-grid-namespace-topic/create-event-subscription-button.png" alt-text="Screenshot that shows the Event Grid System Topic page with the Event Subscription button selected." border="false" lightbox="media/handler-event-grid-namespace-topic/create-event-subscription-button.png":::

+1. On the **Create Event Subscription** page, follow these steps:

+ 1. For **Name**, enter the name for an event subscription.

+ 1. For **Event Schema**, select the event schema as **Cloud Events Schema v1.0**. It's the only schema type that the Event Grid Namespace Topic destination supports.

+ 1. For **Filter to Event Types**, select types of events you want to subscribe too.

+ 1. For **Endpoint type**, select **Event Grid Namespace Topic**.

+ 1. Select **Configure an endpoint**.

+

+ :::image type="content" source="media/handler-event-grid-namespace-topic/select-configure-endpoint.png" alt-text="Screenshot that shows the Create Event Subscription page with Configure an endpoint selected." border="false" lightbox="media/handler-event-grid-namespace-topic/select-configure-endpoint.png":::

+1. On the **Select Event Grid Namespace Topic** page, follow these steps:

+ 1. For **Subscription**, select the Azure subscription, resource group, and the namespace that has the namespace topic.

+ 1. For **Event Grid namespace topic**, select the namespace topic.

+ 1. Select **Confirm selection** at the bottom of the page.

+1. Now, on the **Create Event Subscription** page, for **Managed identity type**, select **System assigned**.

+1. Select **Create** at the bottom of the page.

+

+ :::image type="content" source="media/handler-event-grid-namespace-topic/namespace-topic-subscription.png" alt-text="Screenshot that shows how to create a subscription to forward events from Event Grid basic to Event Grid namespace topic." border="false" lightbox="media/handler-event-grid-namespace-topic/namespace-topic-subscription.png":::

+ To test the scenario, create a container in the Azure blob storage and upload a file to it. Verify that the event handler or endpoint for your namespace topic receives the blob created event.

+ When you upload a blob to a container in the Azure storage, here's what happens:

+ 1. Azure Blob Storage sends a **Blob Created** event to your blob storage's system topic.

+ 1. The event is forwarded to your namespace topic as it's the event handler or endpoint for the system topic.

+ 1. The endpoint for the subscription to the namespace topic receives the forwarded event.

+

+## Related content

+ Title: Frequently asked questions about Firmware analysis

+description: Find answers to some of the common questions about Firmware Analysis. This article includes the file systems that are supported by Firmware Analysis, and links to the Azure CLI and Azure PowerShell commands.

+# Frequently asked questions about Firmware analysis

+This article addresses frequent questions about Firmware analysis.

+[Firmware analysis](./overview-firmware-analysis.md) is a tool that analyzes firmware images and provides an understanding of security vulnerabilities in the firmware images.

+## What types of firmware images does Firmware analysis support?

+Firmware analysis supports unencrypted images that contain file systems with embedded Linux operating systems. Firmware analysis supports the following file system formats:

+* Android sparse image

+* bzip2 compressed data

+* CPIO ASCII archive, with CRC

+* CPIO ASCII archive, no CRC

+* CramFS filesystem

+* Flattened device tree blob (DTB)

+* EFI GUID partition table

+* EXT file system

+* POSIX tarball archive (GNU)

+* GPG signed data

+* gzip compressed data

+* ISO-9660 primary volume

+* JFFS2 filesystem, big endian

+* JFFS2 filesystem, little endian

+* LZ4 compressed data

+* LZMA compressed data

+* LZOP compressed file

+* DOS master boot record

+* RomFS filesystem

+* SquashFSv4 file system, little endian

+* POSIX tarball archive

+* UBI erase count header

+* UBI file system superblock node

+* xz compressed data

+* YAFFS filesystem, big endian

+* YAFFS filesystem, little endian

+* ZStandard compressed data

+* Zip archive

+## Where are the Firmware analysis Azure CLI/PowerShell docs?

+You can find the documentation for our Azure CLI commands [here](/cli/azure/firmwareanalysis/firmware) and the documentation for our Azure PowerShell commands [here](/powershell/module/az.firmwareanalysis/?#firmwareanalysis).

+You can also find the Quickstart for our Azure CLI [here](./quickstart-upload-firmware-using-azure-command-line-interface.md) and the Quickstart for our Azure PowerShell [here](./quickstart-upload-firmware-using-powershell.md). To run a Python script using the SDK to upload and analyze firmware images, visit [Quickstart: Upload firmware using Python](./quickstart-upload-firmware-using-python.md).

+ Title: Azure Role-Based Access Control for Firmware analysis

+description: Learn about how to use Azure Role-Based Access Control for Firmware Analysis.

+# Overview of Azure Role-Based Access Control for Firmware analysis

+As a user of Firmware analysis, you may want to manage access to your firmware image analysis results. Azure Role-Based Access Control (RBAC) is an authorization system that enables you to control who has access to your analysis results, what permissions they have, and at what level of the resource hierarchy. This article explains how to store firmware analysis results in Azure, manage access permissions, and use RBAC to share these results within your organization and with third parties. To learn more about Azure RBAC, visit [What is Azure Role-Based Access Control (Azure RBAC)?](./../role-based-access-control/overview.md).

+## Roles

+Roles are a collection of permissions packaged together. There are two types of roles:

+* **Job function roles** give users permission to perform specific job functions or tasks, such as **Key Vault Contributor** or **Azure Kubernetes Service Cluster Monitoring User**.

+* **Privileged administrator roles** give elevated access privileges, such as **Owner**, **Contributor**, or **User Access Administrator**. To learn more about roles, visit [Azure built-in roles](./../role-based-access-control/built-in-roles.md).

+In Firmware analysis, the most common roles are Owner, Contributor, Security Admin, and Firmware Analysis Admin. Learn more about [which roles you need for different permissions](./firmware-analysis-rbac.md#firmware-analysis-roles-scopes-and-capabilities), such as uploading firmware images or sharing firmware analysis results.

+## Understanding the Representation of Firmware Images in the Azure Resource Hierarchy

+Azure organizes resources into resource hierarchies, which are in a top-down structure, and you can assign roles at each level of the hierarchy. The level at which you assign a role is the "scope," and lower scopes may inherit roles assigned at higher scopes. Learn more about the [levels of hierarchy and how to organize your resources in the hierarchy](/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources).

+When you onboard your subscription to Firmware analysis and select your resource group, the action automatically creates the **default** resource within your resource group.

+

+Navigate to your resource group and select **Show hidden types** to show the **default** resource. The **default** resource has the **Microsoft.IoTFirmwareDefense.workspaces** type.

+

+Although the **default** workspace resource isn't something that you'll regularly interact with, each firmware image that you upload will be represented as a resource and stored here.

+You can use RBAC at each level of the hierarchy, including at the hidden **default Firmware Analysis Workspace** resource level.

+Here's the resource hierarchy of Firmware Analysis:

+## Apply Azure RBAC

+> [!Note]

+> To begin using Firmware analysis, the user that onboards the subscription onto Firmware analysis ***must be*** an Owner, Contributor, Firmware Analysis Admin, or Security Admin at the subscription level. Follow the tutorial at [Analyze a firmware image with Firmware analysis](./tutorial-analyze-firmware.md#onboard-your-subscription-to-use-firmware-analysis) to onboard your subscription. Once you've onboarded your subscription, a user only needs to be a Firmware Analysis Admin to use Firmware Analysis.

+>

+As a user of Firmware analysis, you may need to perform certain actions for your organization, such as uploading firmware images or sharing analysis results.

+Actions like these involve Role-Based Access Control (RBAC). To effectively use RBAC for Firmware analysis, you must know what your role assignment is, and at what scope. Knowing this information will inform you about what permissions you have, and thus whether you can complete certain actions. To check your role assignment, refer to [Check access for a user to a single Azure resource - Azure RBAC](./../role-based-access-control/check-access.md). Next, see the following table to check what roles and scopes are necessary for certain actions.

+### Common roles in Firmware analysis

+This table categorizes each role and provides a brief description of their permissions:

+**Role** | **Category** | **Description**

+||

+**Owner** | Privileged administrator role | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

+**Contributor** | Privileged administrator role | Grants full access to manage all resources, but doesn't allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

+**Security Admin** | Job function role | Allows the user to upload and analyze firmware images, add/assign security initiatives, and edit the security policy. [Learn more](/azure/defender-for-cloud/permissions).

+**Firmware Analysis Admin** | Job function role | Allows the user to upload and analyze firmware images. The user has no access beyond firmware analysis (can't access other resources in the subscription, create or delete resources, or invite other users).

+## Firmware analysis roles, scopes, and capabilities

+The following table summarizes what roles you need to perform certain actions. These roles and permissions apply at the Subscription and Resource Group levels, unless otherwise stated.

+**Action** | **Role required**

+:|:

+Analyze firmware | Owner, Contributor, Security Admin, or Firmware Analysis Admin

+Invite third party users to see firmware analysis results | Owner

+Invite users to the Subscription | Owner at the **Subscription** level (Owner at the Resource Group level **cannot** invite users to the Subscription)

+## Uploading Firmware images

+To upload firmware images:

+* Confirm that you have sufficient permission in [Firmware Analysis Roles, Scopes, and Capabilities](#firmware-analysis-roles-scopes-and-capabilities).

+* [Upload a firmware image for analysis](./tutorial-analyze-firmware.md#upload-a-firmware-image-for-analysis).

+## Invite third parties to interact with your firmware analysis results

+You might want to invite someone to interact solely with your firmware analysis results, without allowing access to other parts of your organization (like other resource groups within your subscription). To allow this type of access, invite the user as a Firmware Analysis Admin at the Resource Group level.

+To invite a third party, follow the [Assign Azure roles to external guest users using the Azure portal](./../role-based-access-control/role-assignments-external-users.md#invite-an-external-user-to-your-directory) tutorial.

+* In step 3, navigate to your resource group.

+* In step 7, select the **Firmware Analysis Admin** role.

+> [!Note]

+> If you received an email to join an organization, be sure to check your Junk folder for the invitation email if you don't see it in your inbox.

+>

+ Title: Firmware analysis overview

+description: Learn how firmware analysis helps device builders and operators to evaluate the security of IoT, OT and network devices.

+#Customer intent: As a device builder, I want to understand how firmware analysis can help secure my IoT/OT devices and products.

+# Firmware analysis

+Just like computers have operating systems, IoT devices have firmware, and it's the firmware that runs and controls IoT devices. For IoT device builders, security is a near-universal concern as IoT devices have traditionally lacked basic security measures.

+For example, IoT attack vectors typically use easily exploitable--but easily correctable--weaknesses such as hardcoded user accounts, outdated and vulnerable open-source packages, or a manufacturer's private cryptographic signing key.

+Use the Firmware analysis service to identify embedded security threats, vulnerabilities, and common weaknesses that may be otherwise undetectable.

+> [!NOTE]

+> The **Firmware analysis** page is in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+## How to be sure your firmware is secure

+Firmware analysis can analyze your firmware for common weaknesses and vulnerabilities, and provide insight into your firmware security. This analysis is useful whether you build the firmware in-house or receive firmware from your supply chain.

+- **Software bill of materials (SBOM)**: Receive a detailed listing of open-source packages used during the firmware's build process. See the package version and what license governs the use of the open-source package.

+- **CVE analysis**: See which firmware components have publicly known security vulnerabilities and exposures.

+- **Binary hardening analysis**: Identify binaries that haven't enabled specific security flags during compilation like buffer overflow protection, position independent executables, and more common hardening techniques.

+- **SSL certificate analysis**: Reveal expired and revoked TLS/SSL certificates.

+- **Public and private key analysis**: Verify that the public and private cryptographic keys discovered in the firmware are necessary and not accidental.

+- **Password hash extraction**: Ensure that user account password hashes use secure cryptographic algorithms.

+## Next steps

+- [Analyze a firmware image](./tutorial-analyze-firmware.md)

+- [Understand Role-Based Access Control for Firmware Images](./firmware-analysis-rbac.md)

+- [Frequently asked questions about Firmware analysis](./firmware-analysis-faq.md)

+ Title: "Quickstart: Upload firmware images to Firmware analysis using Azure CLI"

+description: "Learn how to upload firmware images for analysis using the Azure command line interface."

+# Quickstart: Upload firmware images to Firmware Analysis using Azure CLI

+This article explains how to use the Azure CLI to upload firmware images to Firmware analysis.

+[Firmware analysis](./overview-firmware-analysis.md) is a tool that analyzes firmware images and provides an understanding of security vulnerabilities in the firmware images.

+## Prerequisites

+This quickstart assumes a basic understanding of Firmware analysis. For more information, see [Firmware analysis for device builders](./overview-firmware-analysis.md). For a list of the file systems that are supported, see [Frequently asked Questions about Firmware analysis](./firmware-analysis-faq.md#what-types-of-firmware-images-does-firmware-analysis-support).

+### Prepare your environment for the Azure CLI

+* [Install](/cli/azure/install-azure-cli) the Azure CLI to run CLI commands locally. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see [How to run the Azure CLI in a Docker container](/cli/azure/run-azure-cli-docker).

+* Sign in to the Azure CLI by using the [az login](/cli/azure/reference-index?#az-login) command. Follow the steps displayed in your terminal to finish the authentication process. For other sign-in options, see [Sign in with the Azure CLI](/cli/azure/authenticate-azure-cli).

+* When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see [Use extensions with the Azure CLI](/cli/azure/azure-cli-extensions-overview).

+ * Install the Firmware analysis extension by running the following command:

+ ```azurecli

+ az extension add --name firmwareanalysis

+ ```

+* To find the version and dependent libraries that are installed, run the command [az version](/cli/azure/reference-index?#az-version). To upgrade to the latest version, run the command [az upgrade](/cli/azure/reference-index?#az-upgrade).

+* [Onboard](./tutorial-analyze-firmware.md#onboard-your-subscription-to-use-firmware-analysis) your subscription to Firmware analysis.

+* Select the appropriate subscription ID where you'd like to upload your firmware images by running the command [az account set](/cli/azure/account?#az-account-set).

+## Upload a firmware image to the workspace

+1. Create a firmware image to be uploaded. Insert your resource group name, subscription ID, and workspace name into the respective parameters.

+ ```azurecli

+ az firmwareanalysis firmware create --resource-group myResourceGroup --subscription 123e4567-e89b-12d3-a456-426614174000 --workspace-name default

+ ```

+The output of this command includes a `name` property, which is your firmware ID. **Save this ID for the next command.**

+2. Generate a SAS URL, which you'll use in the next step to send your firmware image to Azure Storage. Replace `sampleFirmwareID` with the firmware ID that you saved from the previous step. You can store the SAS URL in a variable for easier access for future commands:

+ ```azurecli

+ $sasURL = $(az firmwareanalysis workspace generate-upload-url --resource-group myResourceGroup --subscription 123e4567-e89b-12d3-a456-426614174000 --workspace-name default --firmware-id sampleFirmwareID --query "url")

+ ```

+3. Upload your firmware image to Azure Storage. Replace `pathToFile` with the path to your firmware image on your local machine.

+ ```azurecli

+ az storage blob upload -f pathToFile --blob-url $sasURL

+ ```

+Here's an example workflow of how you could use these commands to create and upload a firmware image. To learn more about using variables in CLI commands, visit [How to use variables in Azure CLI commands](/cli/azure/azure-cli-variables?tabs=bash):

+```azurecli

+$filePath='/path/to/image'

+$resourceGroup='myResourceGroup'

+$workspace='default'

+$fileName='file1'

+$vendor='vendor1'

+$model='model'

+$version='test'

+$FWID=$(az firmwareanalysis firmware create --resource-group $resourceGroup --workspace-name $workspace --file-name $fileName --vendor $vendor --model $model --version $version --query "name")

+$URL=$(az firmwareanalysis workspace generate-upload-url --resource-group $resourceGroup --workspace-name $workspace --firmware-id $FWID --query "url")

+$OUTPUT=(az storage blob upload -f $filePath --blob-url $URL)

+```

+## Retrieve firmware analysis results

+To retrieve firmware analysis results, you must make sure that the status of the analysis is "Ready":

+```azurecli

+az firmwareanalysis firmware show --firmware-id sampleFirmwareID --resource-group myResourceGroup --workspace-name default

+```

+Look for the "status" field to display "Ready", then run the following commands to retrieve your firmware analysis results.

+If you would like to automate the process of checking your analysis's status, you can use the [`az resource wait`](/cli/azure/resource?#az-resource-wait) command.

+The `az resource wait` command has a `--timeout` parameter, which is the time in seconds that the analysis will end if "status" does not reach "Ready" within the timeout frame. The default timeout is 3600, which is one hour. Large images may take longer to analyze, so you can set the timeout using the `--timeout` parameter according to your needs. Here's an example of how you can use the `az resource wait` command with the `--timeout` parameter to automate checking your analysis's status, assuming that you have already created a firmware and stored the firmware ID in a variable named `$FWID`:

+```azurecli

+$ID=$(az firmwareanalysis firmware show --resource-group $resourceGroup --workspace-name $workspace --firmware-id $FWID --query "id")

+Write-Host (ΓÇÿSuccessfully created a firmware image with the firmware ID of ΓÇÿ + $FWID + ΓÇÿ, recognized in Azure by this resource ID: ΓÇÿ + $ID + ΓÇÿ.ΓÇÖ)

+$WAIT=$(az resource wait --ids $ID --custom "properties.status=='Ready'" --timeout 10800)

+$STATUS=$(az resource show --ids $ID --query 'properties.status')

+Write-Host ('Firmware analysis completed with status: ' + $STATUS)

+```

+Once you've confirmed that your analysis status is "Ready", you can run commands to pull the results.

+### SBOM

+The following command retrieves the SBOM in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```azurecli

+az firmwareanalysis firmware sbom-component --resource-group myResourceGroup --subscription 123e4567-e89b-12d3-a456-426614174000 --workspace-name default --firmware-id sampleFirmwareID

+```

+### Weaknesses

+The following command retrieves CVEs found in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```azurecli

+az firmwareanalysis firmware cve --resource-group myResourceGroup --subscription 123e4567-e89b-12d3-a456-426614174000 --workspace-name default --firmware-id sampleFirmwareID

+```

+### Binary hardening

+The following command retrieves analysis results on binary hardening in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```azurecli

+az firmwareanalysis firmware binary-hardening --resource-group myResourceGroup --subscription 123e4567-e89b-12d3-a456-426614174000 --workspace-name default --firmware-id sampleFirmwareID

+```

+### Password hashes

+The following command retrieves password hashes in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```azurecli

+az firmwareanalysis firmware password-hash --resource-group myResourceGroup --subscription 123e4567-e89b-12d3-a456-426614174000 --workspace-name default --firmware-id sampleFirmwareID

+```

+### Certificates

+The following command retrieves vulnerable crypto certificates that were found in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```azurecli

+az firmwareanalysis firmware crypto-certificate --resource-group myResourceGroup --subscription 123e4567-e89b-12d3-a456-426614174000 --workspace-name default --firmware-id sampleFirmwareID

+```

+### Keys

+The following command retrieves vulnerable crypto keys that were found in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```azurecli

+az firmwareanalysis firmware crypto-key --resource-group myResourceGroup --subscription 123e4567-e89b-12d3-a456-426614174000 --workspace-name default --firmware-id sampleFirmwareID

+```

+ Title: "Quickstart: Upload firmware images to Firmware analysis using Azure PowerShell"

+description: "Learn how to upload firmware images for analysis using the Azure PowerShell."

+# Quickstart: Upload firmware images to Firmware analysis using Azure PowerShell

+This article explains how to use Azure PowerShell to upload firmware images to Firmware analysis.

+[Firmware analysis](./overview-firmware-analysis.md) is a tool that analyzes firmware images and provides an understanding of security vulnerabilities in the firmware images.

+## Prerequisites

+This quickstart assumes a basic understanding of Firmware analysis. For more information, see [Firmware analysis for device builders](./overview-firmware-analysis.md). For a list of the file systems that are supported, see [Frequently asked Questions about Firmware analysis](./firmware-analysis-faq.md#what-types-of-firmware-images-does-firmware-analysis-support).

+### Prepare your environment for Azure PowerShell

+1. [Install Azure PowerShell](/powershell/azure/install-azure-powershell) or [Use Azure Cloud Shell](/azure/cloud-shell/get-started/classic).

+2. Sign in to Azure PowerShell by running the command [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount). Skip this step if you're using Cloud Shell.

+3. If this is your first use of Firmware analysis's Azure PowerShell, install the extension:

+ ```powershell

+ Find-Module -Name Az.FirmwareAnalysis | Install-Module

+ ```

+4. [Onboard](tutorial-analyze-firmware.md#onboard-your-subscription-to-use-firmware-analysis) your subscription to Firmware analysis.

+5. Run [Set-AzContext](/powershell/module/az.accounts/set-azcontext) to set your subscription to use in the current session. Select the subscription where you would like to upload your firmware images.

+## Upload a firmware image to the workspace

+1. Create a firmware image to be uploaded. Insert your resource group name, workspace name, and any additional details about your firmware image that you'd like into include in the respective parameters, such as a `Description`, `FileName`, `Vendor`, `Model`, or `Version`.

+ ```powershell

+ New-AzFirmwareAnalysisFirmware -ResourceGroupName myResourceGroup -WorkspaceName default -Description 'sample description' -FileName file -Vendor vendor -Model model -Version version

+ ```

+The output of this command includes a `Name` property, which is your firmware ID. **Save this ID for the next command.**

+2. Generate a SAS URL that you'll use in the next step to send your firmware image to Azure Storage. Replace `sampleFirmwareID` with the firmware ID that you saved from the previous step. You can store the SAS URL in a variable for easier access for future commands:

+ ```powershell

+ $sasUrl = New-AzFirmwareAnalysisWorkspaceUploadUrl -FirmwareId sampleFirmwareID -ResourceGroupName myResourceGroup -WorkspaceName default

+ ```

+3. Use the following script to upload your firmware image to Azure Storage. Replace '`pathToFile`' with the path to your firmware image on your local machine. Wrap the path in quotation marks.

+ ```powershell

+ $uri = [System.Uri] $sasURL.Url

+ $storageAccountName = $uri.DnsSafeHost.Split(".")[0]

+ $container = $uri.LocalPath.Substring(1)

+ $containerName, $blob = $container -split '/', 2

+ $sasToken = $uri.Query

+ $filePath = 'pathToFile'

+ $storageContext = New-AzStorageContext -StorageAccountName $storageAccountName -SasToken $sasToken

+ Set-AzStorageBlobContent -File $filePath -Container $containerName -Context $storageContext -Blob $blob -Force

+ ```

+Here's an example workflow from end-to-end of how you could use the Azure PowerShell commands to create and upload a firmware image. Replace the values for the variables set at the beginning to reflect your environment.

+```powershell

+$filePath='/path/to/image'

+$resourceGroup='myResourceGroup'

+$workspace='default'

+$fileName='file1'

+$vendor='vendor1'

+$model='model'

+$version='test'

+$FWID = (New-AzFirmwareAnalysisFirmware -ResourceGroupName $resourceGroup -WorkspaceName $workspace -FileName $fileName -Vendor $vendor -Model $model -Version $version).Name

+$sasUrl = New-AzFirmwareAnalysisWorkspaceUploadUrl -FirmwareId $FWID -ResourceGroupName $resourceGroup -WorkspaceName $workspace

+$uri = [System.Uri] $sasURL.Url

+$storageAccountName = $uri.DnsSafeHost.Split(".")[0]

+$container = $uri.LocalPath.Substring(1)

+$containerName, $blob = $container -split '/', 2

+$sasToken = $uri.Query

+$storageContext = New-AzStorageContext -StorageAccountName $storageAccountName -SasToken $sasToken

+Set-AzStorageBlobContent -File $filePath -Container $containerName -Context $storageContext -Blob $blob -Force

+```

+## Retrieve firmware analysis results

+To retrieve firmware analysis results, you must make sure that the status of the analysis is "Ready". Replace `sampleFirmwareID` with your firmware ID, `myResourceGroup` with your resource group name, and `default` with your workspace name:

+```powershell

+Get-AzFirmwareAnalysisFirmware -FirmwareId sampleFirmwareID -ResourceGroupName myResourceGroup -WorkspaceName default

+```

+Look for the "status" field to display "Ready", then run the respective commands to retrieve your firmware analysis results.

+If you would like to automate the process of checking your analysis's status, you can use the following script to check the resource status periodically until it reaches "Ready". You can set the `$timeoutInSeconds` variable depending on the size of your image - larger images may take longer to analyze, so adjust this variable according to your needs.

+```powershell

+$ID = Get-AzFirmwareAnalysisFirmware -ResourceGroupName $resourceGroup -WorkspaceName default -FirmwareId $FWID | Select-Object -ExpandProperty Id

+Write-Host "Successfully created a firmware image, recognized in Azure by this resource id: $ID."

+$timeoutInSeconds = 10800

+$startTime = Get-Date

+while ($true) {

+ $resource = Get-AzResource -ResourceId $ID

+ $status = $resource.Properties.Status

+ if ($status -eq 'ready') {

+ Write-Host "Firmware analysis completed with status: $status"

+ break

+ }

+ $elapsedTime = (Get-Date) - $startTime

+ if ($elapsedTime.TotalSeconds -ge $timeoutInSeconds) {

+ Write-Host "Timeout reached. Firmware analysis status: $status"

+ break

+ }

+ Start-Sleep -Seconds 10

+}

+```

+### SBOM

+The following command retrieves the SBOM in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```powershell

+Get-AzFirmwareAnalysisSbomComponent -FirmwareId sampleFirmwareID -ResourceGroupName myResourceGroup -WorkspaceName default

+```

+### Weaknesses

+The following command retrieves CVEs found in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```powershell

+Get-AzFirmwareAnalysisCve -FirmwareId sampleFirmwareID -ResourceGroupName myResourceGroup -WorkspaceName default

+```

+### Binary hardening

+The following command retrieves analysis results on binary hardening in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```powershell

+Get-AzFirmwareAnalysisBinaryHardening -FirmwareId sampleFirmwareID -ResourceGroupName myResourceGroup -WorkspaceName default

+```

+### Password hashes

+The following command retrieves password hashes in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```powershell

+Get-AzFirmwareAnalysisPasswordHash -FirmwareId sampleFirmwareID -ResourceGroupName myResourceGroup -WorkspaceName default

+```

+### Certificates

+The following command retrieves vulnerable crypto certificates that were found in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```powershell

+Get-AzFirmwareAnalysisCryptoCertificate -FirmwareId sampleFirmwareID -ResourceGroupName myResourceGroup -WorkspaceName default

+```

+### Keys

+The following command retrieves vulnerable crypto keys that were found in your firmware image. Replace each argument with the appropriate value for your resource group, subscription, workspace name, and firmware ID.

+```powershell

+Get-AzFirmwareAnalysisCryptoKey -FirmwareId sampleFirmwareID -ResourceGroupName myResourceGroup -WorkspaceName default

+```

+ Title: "Quickstart: Upload firmware images to Firmware analysis using Python"

+description: "Learn how to upload firmware images for analysis using a Python script."

+# Quickstart: Upload firmware images to Firmware analysis using Python

+This article explains how to use a Python script to upload firmware images to Firmware analysis.

+[Firmware analysis](./overview-firmware-analysis.md) is a tool that analyzes firmware images and provides an understanding of security vulnerabilities in the firmware images.

+## Prerequisites

+This quickstart assumes a basic understanding of Firmware Analysis. For more information, see [Firmware analysis for device builders](./overview-firmware-analysis.md). For a list of the file systems that are supported, see [Frequently asked Questions about Firmware Analysis](./firmware-analysis-faq.md#what-types-of-firmware-images-does-firmware-analysis-support).

+### Prepare your environment

+1. Python version 3.8+ is required to use this package. Run the command `python --version` to check your Python version.

+2. Make note of your Azure subscription ID, the name of your Resource Group where you'd like to upload your images, your workspace name, and the name of the firmware image that you'd like to upload.

+3. Ensure that your Azure account has the necessary permissions to upload firmware images to Firmware analysis for your Azure subscription. You must be an Owner, Contributor, Security Admin, or Firmware Analysis Admin at the Subscription or Resource Group level to upload firmware images. For more information, visit [Firmware Analysis Roles, Scopes, and Capabilities](./firmware-analysis-rbac.md#firmware-analysis-roles-scopes-and-capabilities).

+4. Ensure that your firmware image is stored in the same directory as the Python script.

+5. Install the packages needed to run this script:

+ ```python

+ pip install azure-mgmt-iotfirmwaredefense

+ pip install azure-identity

+ ```

+6. Log in to your Azure account by running the command [`az login`](/cli/azure/reference-index?#az-login).

+## Run the following Python script

+Copy the following Python script into a `.py` file and save it to the same directory as your firmware image. Replace the `subscription_id` variable with your Azure subscription ID, `resource_group_name` with the name of your Resource Group where you'd like to upload your firmware image, and `firmware_file` with the name of your firmware image, which is saved in the same directory as the Python script.

+```python

+from azure.identity import AzureCliCredential

+from azure.mgmt.iotfirmwaredefense import *

+from azure.mgmt.iotfirmwaredefense.models import *

+from azure.core.exceptions import *

+from azure.storage.blob import BlobClient

+import uuid

+from time import sleep

+from halo import Halo

+from tabulate import tabulate

+subscription_id = "subscription-id"

+resource_group_name = "resource-group-name"

+workspace_name = "default"

+firmware_file = "firmware-image-name"

+def main():

+ firmware_id = str(uuid.uuid4())

+ fw_client = init_connections(firmware_id)

+ upload_firmware(fw_client, firmware_id)

+ get_results(fw_client, firmware_id)

+def init_connections(firmware_id):

+ spinner = Halo(text=f"Creating client for firmware {firmware_id}")

+ cli_credential = AzureCliCredential()

+ client = IoTFirmwareDefenseMgmtClient(cli_credential, subscription_id, 'https://management.azure.com')

+ spinner.succeed()

+ return client

+def upload_firmware(fw_client, firmware_id):

+ spinner = Halo(text="Uploading firmware to Azure...", spinner="dots")

+ spinner.start()

+ token = fw_client.workspaces.generate_upload_url(resource_group_name, workspace_name, {"firmware_id": firmware_id})

+ fw_client.firmwares.create(resource_group_name, workspace_name, firmware_id, {"properties": {"file_name": firmware_file, "vendor": "Contoso Ltd.", "model": "Wifi Router", "version": "1.0.1", "status": "Pending"}})

+ bl_client = BlobClient.from_blob_url(token.url)

+ with open(file=firmware_file, mode="rb") as data:

+ bl_client.upload_blob(data=data)

+ spinner.succeed()

+def get_results(fw_client, firmware_id):

+ fw = fw_client.firmwares.get(resource_group_name, workspace_name, firmware_id)

+ spinner = Halo("Waiting for analysis to finish...", spinner="dots")

+ spinner.start()

+ while fw.properties.status != "Ready":

+ sleep(5)

+ fw = fw_client.firmwares.get(resource_group_name, workspace_name, firmware_id)

+ spinner.succeed()

+ print("-"*107)

+ summary = fw_client.summaries.get(resource_group_name, workspace_name, firmware_id, summary_name=SummaryName.FIRMWARE)

+ print_summary(summary.properties)

+ print()

+ components = fw_client.sbom_components.list_by_firmware(resource_group_name, workspace_name, firmware_id)

+ if components is not None:

+ print_components(components)

+ else:

+ print("No components found")

+def print_summary(summary):

+ table = [[summary.extracted_size, summary.file_size, summary.extracted_file_count, summary.component_count, summary.binary_count, summary.analysis_time_seconds, summary.root_file_systems]]

+ header = ["Extracted Size", "File Size", "Extracted Files", "Components", "Binaries", "Analysis Time", "File Systems"]

+ print(tabulate(table, header))

+def print_components(components):

+ table = []

+ header = ["Component", "Version", "License", "Paths"]

+ for com in components:

+ table.append([com.properties.component_name, com.properties.version, com.properties.license, com.properties.file_paths])

+ print(tabulate(table, header, maxcolwidths=[None, None, None, 57]))

+if __name__ == "__main__":

+ exit(main())

+```

+ Title: Analyze a firmware image with the Firmware analysis service.

+description: Learn to analyze a compiled firmware image using Firmware analysis.

+#Customer intent: As a device builder, I want to see what vulnerabilities or weaknesses might exist in my firmware image.

+# Tutorial: Analyze an IoT/OT firmware image with Firmware analysis

+This tutorial describes how to use the **Firmware analysis** page to upload a firmware image for security analysis and view analysis results.

+> [!NOTE]

+> The **Firmware analysis** page is in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+## Prerequisites

+> [!NOTE]

+> The **Firmware analysis** feature is automatically available if you currently access Defender for IoT using the Security Admin, Contributor, or Owner role. If you only have the Security Reader role or want to use **Firmware analysis** as a standalone feature, then your Admin must give the Firmware Analysis Admin role. For additional information, please see [Firmware analysis Azure RBAC](./firmware-analysis-rbac.md).

+>

+* If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

+* If you have a subscription but don't have a resource group where you could upload your firmware images, [create a resource group](/azure/azure-resource-manager/management/manage-resource-groups-portal#create-resource-groups).

+* If you already have a subscription and resource group, move on to the next section.

+To use the **Firmware analysis** page to analyze your firmware security, your firmware image must have the following prerequisites:

+- You must have access to the compiled firmware image.

+- Your image must be an unencrypted, Linux-based firmware image.

+- Your image must be less than 5 GB in size.

+## Onboard your subscription to use Firmware analysis

+> [!NOTE]

+> To onboard a subscription to use Firmware analysis, you must be an Owner, Contributor, Firmware Analysis Admin, or Security Admin at the subscription level. To learn more about roles and their capabilities in Firmware Analysis, visit [Firmware Analysis Roles, Scopes, and Capabilities](./firmware-analysis-rbac.md#firmware-analysis-roles-scopes-and-capabilities).

+>

+If this is your first interaction with **Firmware analysis**, then you'll need to onboard your subscription to the service and select a region in which to upload and store your firmware images.

+1. Sign into the Azure portal and go to Defender for IoT.

+ :::image type="content" source="media/tutorial-firmware-analysis/defender-portal.png" alt-text="Screenshot of the 'Getting started' page." lightbox="media/tutorial-firmware-analysis/defender-portal.png":::

+2. Select **Set up a subscription** in the **Get Started** card, or select the **Subscription management** subtab.

+ :::image type="content" source="media/tutorial-firmware-analysis/subscription-management.png" alt-text="Screenshot of the 'Subscription management' page." lightbox="media/tutorial-firmware-analysis/subscription-management.png":::

+3. Select **Onboard a new subscription**

+ :::image type="content" source="media/tutorial-firmware-analysis/onboard-subscription.png" alt-text="Screenshot of the 'Onboard subscription' pane appearing on the right side of the screen." lightbox="media/tutorial-firmware-analysis/onboard-subscription.png":::

+4. In the **Onboard subscription** pane, select a subscription from the drop-down list.

+5. Select a resource group from the **Resource group** drop-down or create a new resource group.

+6. Select a region to use for storage in the **Location** drop-down.

+7. Select **Onboard** to onboard your subscription to Firmware analysis.

+ :::image type="content" source="media/tutorial-firmware-analysis/completed-onboarding.png" alt-text="Screenshot of the 'Onboard subscription' pane when it's completed." lightbox="media/tutorial-firmware-analysis/completed-onboarding.png":::

+## Upload a firmware image for analysis

+If you've just onboarded your subscription, are signed into the Azure portal, and already in the Defender for IoT portal, skip to step two.

+1. Sign into the Azure portal and go to Defender for IoT.

+1. Select **Firmware analysis** > **Firmware inventory** > **Upload**.

+1. In the **Upload a firmware image** pane, select **Choose file**. Browse to and select the firmware image file you want to upload.

+ :::image type="content" source="media/tutorial-firmware-analysis/upload.png" alt-text="Screenshot that shows clicking the Upload option within Firmware Analysis." lightbox="media/tutorial-firmware-analysis/upload.png":::

+1. Select a **Subscription** that you have onboarded onto Defender for IoT Firmware Analysis. Then select a **Resource group** that you would like to upload your firmware image to.

+1. Enter the following details:

+ - The firmware's vendor

+ - The firmware's model

+ - The firmware's version

+ - An optional description of your firmware

+

+1. Select **Upload** to upload your firmware for analysis.

+ Your firmware appears in the grid on the **Firmware inventory** page.

+## View firmware analysis results

+The analysis time will vary based on the size of the firmware image and the number of files discovered in the image. While the analysis is taking place, the status will say *Extracting* and then *Analyzing*. When the status is *Ready*, you can see the firmware analysis results.

+1. Sign into the Azure portal and go to Microsoft Defender for IoT > **Firmware analysis** > **Firmware inventory**.

+1. Select the row of the firmware you want to view. The **Firmware overview** pane shows basic data about the firmware on the right.

+ :::image type="content" source="media/tutorial-firmware-analysis/firmware-details.png" alt-text="Screenshot that shows clicking the row with the firmware image to see the side panel details." lightbox="media/tutorial-firmware-analysis/firmware-details.png":::

+

+1. Select **View results** to drill down for more details.

+ :::image type="content" source="media/tutorial-firmware-analysis/overview.png" alt-text="Screenshot that shows clicking view results button for a detailed analysis of the firmware image." lightbox="media/tutorial-firmware-analysis/overview.png":::

+

+1. The firmware details page shows security analysis results on the following tabs:

+ |Name |Description |

+ |||

+ |**Overview** | View an overview of all of the analysis results.|

+ |**Software Components** | View a software bill of materials with the following details: <br><Br> - A list of open source components used to create firmware image <br>- Component version information <br>- Component license <br>- Executable path of the binary |

+ |**Weaknesses** | View a listing of common vulnerabilities and exposures (CVEs). <br><br>Select a specific CVE to view more details. |

+ |**Binary Hardening** | View if executables compiled using recommended security settings: <br><br>- NX <br>- PIE<br>- RELRO<br>- CANARY<br>- STRIPPED<br><br> Select a specific binary to view more details.|

+ |**Password Hashes** | View embedded accounts and their associated password hashes.<br><br>Select a specific user account to view more details.|

+ |**Certificates** | View a list of TLS/SSL certificates found in the firmware.<br><br>Select a specific certificate to view more details.|

+ |**Keys** | View a list of public and private crypto keys in the firmware.<br><br>Select a specific key to view more details.|

+ :::image type="content" source="media/tutorial-firmware-analysis/weaknesses.png" alt-text="Screenshot that shows the weaknesses (CVE) analysis of the firmware image." lightbox="media/tutorial-firmware-analysis/weaknesses.png":::

+## Delete a firmware image

+Delete a firmware image from Firmware analysis when you no longer need it analyzed.

+After you delete an image, there's no way to retrieve the image or the associated analysis results. If you need the results, you'll need to upload the firmware image again for analysis.

+**To delete a firmware image**:

+1. Select the checkbox for the firmware image you want to delete and then select **Delete**.

+## Next steps

+For more information, see [Firmware analysis for device builders](./overview-firmware-analysis.md).

+To use the Azure CLI commands for Firmware analysis, refer to the [Azure CLI Quickstart](./quickstart-upload-firmware-using-azure-command-line-interface.md), and see [Azure PowerShell Quickstart](./quickstart-upload-firmware-using-powershell.md) to use the Azure PowerShell commands. See [Quickstart: Upload firmware using Python](./quickstart-upload-firmware-using-python.md) to run a Python script using the SDK to upload and analyze firmware images.

+Visit [FAQs about Firmware analysis](./firmware-analysis-faq.md) for answers to frequent questions.

+export subnet="/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/MyRG/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/subnet1"

+export domain="/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/MyRG/providers/Microsoft.AAD/domainServices/MyDomain.onmicrosoft.com"

+export userAssignedIdentity="/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/MyMsiRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MyMSI"

+export userAssignedIdentity="/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/MyMsiRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MyMSI"

+"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myresourcegroup/providers/Microsoft.Network/virtualNetworks/myvnet"

+Reason: Bad Request, Detailed Response: {"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: 0000aaaa-11bb-cccc-dd22-eeeeee333333\r\n Correlation ID: aaaa0000-bb11-2222-33cc-444444dddddd\r\nTimestamp: 2019-01-28 17:49:58Z","error_codes":[70002,50126], "timestamp":"2019-01-28 17:49:58Z","trace_id":"0000aaaa-11bb-cccc-dd22-eeeeee333333","correlation_id":"aaaa0000-bb11-2222-33cc-444444dddddd"}

+{"error":"invalid_grant","error_description":"AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII doesn't exist in the 0c349e3f-1ac3-4610-8599-9db831cbaf62 directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 2222cccc-33dd-eeee-ff44-aaaaaa555555\r\nCorrelation ID: cccc2222-dd33-4444-55ee-666666ffffff\r\nTimestamp: 2019-04-29 15:52:16Z", "error_codes":[50034],"timestamp":"2019-04-29 15:52:16Z","trace_id":"2222cccc-33dd-eeee-ff44-aaaaaa555555", "correlation_id":"cccc2222-dd33-4444-55ee-666666ffffff"}

+{"error":"unauthorized_client","error_description":"AADSTS50053: You've tried to sign in too many times with an incorrect user ID or password.\r\nTrace ID: 00aa00aa-bb11-cc22-dd33-44ee44ee44ee\r\nCorrelation ID: 11bb11bb-cc22-dd33-ee44-55ff55ff55ff\r\nTimestamp: 2019-06-06 09:47:23Z","error_codes":[50053],"timestamp":"2019-06-06 09:47:23Z","trace_id":"aaaa0000-bb11-2222-33cc-444444dddddd","correlation_id":"aaaa0000-bb11-2222-33cc-444444dddddd"}

+{"error":"user_password_expired","error_description":"AADSTS50055: Password is expired.\r\nTrace ID: 6666aaaa-77bb-cccc-dd88-eeeeee999999\r\nCorrelation ID: eeee4444-ff55-6666-77aa-888888bbbbbb\r\nTimestamp: 2019-06-06 17:29:37Z","error_codes":[50055],"timestamp":"2019-06-06 17:29:37Z","trace_id":"6666aaaa-77bb-cccc-dd88-eeeeee999999","correlation_id":"eeee4444-ff55-6666-77aa-888888bbbbbb","suberror":"user_password_expired","password_change_url":"https://portal.microsoftonline.com/ChangePassword.aspx"}

+* AppId: 00001111-aaaa-2222-bbbb-3333cccc4444

+ Trace ID: 0000aaaa-11bb-cccc-dd22-eeeeee333333

+ Correlation ID: aaaa0000-bb11-2222-33cc-444444dddddd

+tenant_id = 'aaaabbbb-0000-cccc-1111-dddd2222eeee'

+client_id = '00001111-aaaa-2222-bbbb-3333cccc4444'

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Default-Storage-WestUS",

+ "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/GenevaWarmPathManageRG",

+ "/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/GenevaWarmPathManageRG",

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/Default-Storage-CanadaCentral",

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/cancstorage",

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/GenevaWarmPathManageRG",

+ "/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/hdi31distrorelease",

+ "/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/bigdatadistro"

+ [String[]]$resources = @("/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Default-Storage-WestUS",`

+ "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/GenevaWarmPathManageRG",`

+ "/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/GenevaWarmPathManageRG",`

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/Default-Storage-CanadaCentral",`

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/cancstorage",`

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/GenevaWarmPathManageRG",

+ "/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/hdi31distrorelease",

+ "/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/bigdatadistro")

+ [String[]]$resources = @("/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Default-Storage-WestUS",

+ "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/GenevaWarmPathManageRG",

+ "/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/GenevaWarmPathManageRG",

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/Default-Storage-CanadaCentral",

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/cancstorage",

+ "/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/GenevaWarmPathManageRG",

+ "/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/hdi31distrorelease",

+ "/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/bigdatadistro")

+1. In the search box at the top of the portal, enter ***service health***. Select **Service Health** in the search results.

+ Once maintenance is completed, a status update is sent. You'll be able to view and review the maintenance event in the **Health history** page after it's complete.

+ :::image type="content" source="./media/walkthrough-device-maintenance-notification/add-service-health-alert.png" alt-text="Screenshot shows how to add an alert." lightbox="./media/walkthrough-device-maintenance-notification/add-service-health-alert.png":::

+ | Regions | Select the Azure regions of the resources that you want to get notified whenever there are planned maintenance events. |

+1. In the **Basics** tab of **Create action group**, enter, or select the following information:

+1. Select **Test action group** to send test notifications to the contact information you previously entered in the action group (to change the contact information, select the pencil icon next to the notification).

+## Next step

+> [!div class="nextstepaction"]

+> [Prerequisites to set up peering with Microsoft](prerequisites.md)

+| [Debian 12](https://www.debian.org/releases/bookworm/) |  |  |  | [June 2028](https://wiki.debian.org/LTS) |

+az stack group create --name <DEPLOYMENT_NAME> --resource-group

+<RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou

+deleteResources --yes

+az stack group create --name <DEPLOYMENT_NAME> --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou deleteResources --yes

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings: {}

+If you need to override the system-assigned managed identity audience, see the [System-assigned managed identity](#system-assigned-managed-identity) section.

+### Use access token authentication

+Follow the steps in the [access token](#access-token) section to get a SAS token for the storage account and store it in a Kubernetes secret.

+Then, create the *DataflowEndpoint* resource and specify the access token authentication method. Here, replace `<SAS_SECRET_NAME>` with name of the secret containing the SAS token as well as other placeholder values.

+az stack group create --name <DEPLOYMENT_NAME> --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou deleteResources --yes

+```

+# [Kubernetes](#tab/kubernetes)

+Create a Kubernetes manifest `.yaml` file with the following content.

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: DataflowEndpoint

+metadata:

+ name: <ENDPOINT_NAME>

+ namespace: azure-iot-operations

+spec:

+ endpointType: DataLakeStorage

+ dataLakeStorageSettings:

+ host: https://<ACCOUNT>.blob.core.windows.net

+ authentication:

+ method: AccessToken

+ accessTokenSettings:

+ secretRef: <SAS_SECRET_NAME>

+```

+Then apply the manifest file to the Kubernetes cluster.

+```bash

+kubectl apply -f <FILE>.yaml

+ systemAssignedManagedIdentitySettings: {}

+If you need to override the system-assigned managed identity audience, you can specify the `audience` setting.

+# [Kubernetes](#tab/kubernetes)

+```yaml

+dataLakeStorageSettings:

+ authentication:

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings:

+ audience: https://<ACCOUNT>.blob.core.windows.net

+```

+ method: AccessToken

+ accessTokenSettings:

+ secretRef: <SAS_SECRET_NAME>

+#### User-assigned managed identity

+To use a user-assigned managed identity, specify the `UserAssignedManagedIdentity` authentication method and provide the `clientId` and `tenantId` of the managed identity.

+# [Kubernetes](#tab/kubernetes)

+```yaml

+dataLakeStorageSettings:

+ authentication:

+ method: UserAssignedManagedIdentity

+ userAssignedManagedIdentitySettings:

+ clientId: <ID>

+ tenantId: <ID>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+fabricOneLakeSettings:

+ batching:

+ latencySeconds: 100

+ maxMessages: 1000

+```

+## Next steps

+- [Create a dataflow](howto-create-dataflow.md)

+az stack group create --name <DEPLOYMENT_NAME> --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou deleteResources --yes

+```

+# [Kubernetes](#tab/kubernetes)

+Create a Kubernetes manifest `.yaml` file with the following content.

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: DataflowEndpoint

+metadata:

+ name: <ENDPOINT_NAME>

+ namespace: azure-iot-operations

+spec:

+ endpointType: DataExplorer

+ dataExplorerSettings:

+ host: 'https://<CLUSTER>.<region>.kusto.windows.net'

+ database: <DATABASE_NAME>

+ authentication:

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings: {}

+```

+Then apply the manifest file to the Kubernetes cluster.

+```bash

+kubectl apply -f <FILE>.yaml

+ systemAssignedManagedIdentitySettings: {}

+If you need to override the system-assigned managed identity audience, you can specify the `audience` setting.

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings:

+ audience: https://<AUDIENCE_URL>

+#### User-assigned managed identity

+To use a user-assigned managed identity, specify the `UserAssignedManagedIdentity` authentication method and provide the `clientId` and `tenantId` of the managed identity.

+# [Kubernetes](#tab/kubernetes)

+```yaml

+dataExplorerSettings:

+ authentication:

+ method: UserAssignedManagedIdentity

+ userAssignedManagedIdentitySettings:

+ clientId: <ID>

+ tenantId: <ID>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+dataExplorerSettings:

+ batching:

+ latencySeconds: 100

+ maxMessages: 1000

+```

+## Next steps

+- [Create a dataflow](howto-create-dataflow.md)

+## Next steps

+- Create a dataflow endpoint:

+ - [MQTT or Event Grid](howto-configure-mqtt-endpoint.md)

+ - [Kafka or Event Hubs](howto-configure-kafka-endpoint.md)

+ - [Data Lake](howto-configure-adlsv2-endpoint.md)

+ - [Microsoft Fabric OneLake](howto-configure-fabric-endpoint.md)

+ - [Local storage](howto-configure-local-storage-endpoint.md)

+## Next steps

+- [Create a dataflow](howto-create-dataflow.md)

+az stack group create --name <DEPLOYMENT_NAME> --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou deleteResources --yes

+```

+# [Kubernetes](#tab/kubernetes)

+Create a Kubernetes manifest `.yaml` file with the following content.

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: DataflowEndpoint

+metadata:

+ name: <ENDPOINT_NAME>

+ namespace: azure-iotoperations

+spec:

+ endpointType: FabricOneLake

+ fabricOneLakeSettings:

+ # The default Fabric OneLake host URL in most cases

+ host: https://onelake.dfs.fabric.microsoft.com

+ oneLakePathType: Tables

+ authentication:

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings: {}

+ names:

+ workspaceName: <WORKSPACE_NAME>

+ lakehouseName: <LAKEHOUSE_NAME>

+```

+Then apply the manifest file to the Kubernetes cluster.

+```bash

+kubectl apply -f <FILE>.yaml

+ {}

+If you need to override the system-assigned managed identity audience, you can specify the `audience` setting.

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings:

+ audience: https://<ACCOUNT>.onelake.dfs.fabric.microsoft.com

+#### User-assigned managed identity

+# [Kubernetes](#tab/kubernetes)

+To use a user-assigned managed identity, specify the `UserAssignedManagedIdentity` authentication method and provide the `clientId` and `tenantId` of the managed identity.

+```yaml

+fabricOneLakeSettings:

+ authentication:

+ method: UserAssignedManagedIdentity

+ userAssignedManagedIdentitySettings:

+ clientId: <ID>

+ tenantId: <ID>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+fabricOneLakeSettings:

+ oneLakePathType: Tables # Or Files

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+fabricOneLakeSettings:

+ batching:

+ latencySeconds: 100

+ maxMessages: 1000

+```

+## Next steps

+- [Create a dataflow](howto-create-dataflow.md)

+az stack group create --name <DEPLOYMENT_NAME> --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou deleteResources --yes

+```

+# [Kubernetes](#tab/kubernetes)

+Create a Kubernetes manifest `.yaml` file with the following content.

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: DataflowEndpoint

+metadata:

+ name: <ENDPOINT_NAME>

+ namespace: azure-iot-operations

+spec:

+ endpointType: Kafka

+ kafkaSettings:

+ host: <NAMESPACE>.servicebus.windows.net:9093

+ authentication:

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings: {}

+ tls:

+ mode: Enabled

+```

+Then apply the manifest file to the Kubernetes cluster.

+```bash

+kubectl apply -f <FILE>.yaml

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ authentication:

+ method: Sasl

+ saslSettings:

+ saslType: Plain

+ secretRef: <SECRET_NAME>

+ tls:

+ mode: Enabled

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: DataflowEndpoint

+metadata:

+ name: kafka

+ namespace: azure-iot-operations

+spec:

+ endpointType: Kafka

+ kafkaSettings:

+ host: <KAFKA-HOST>:<PORT>

+ authentication:

+ method: Sasl

+ saslSettings:

+ saslType: ScramSha256

+ secretRef: <SECRET_NAME>

+ tls:

+ mode: Enabled

+ consumerGroupId: mqConnector

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ authentication:

+ method: Sasl

+ saslSettings:

+ saslType: Plain # Or ScramSha256, ScramSha512

+ secretRef: <SECRET_NAME>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ authentication:

+ method: X509Certificate

+ x509CertificateSettings:

+ secretRef: <SECRET_NAME>

+```

+ {}

+This configuration creates a managed identity with the default audience, which is the same as the Event Hubs namespace host value in the form of `https://<NAMESPACE>.servicebus.windows.net`. However, if you need to override the default audience, you can set the `audience` field to the desired value.

+# [Portal](#tab/portal)

+Not supported in the operations experience.

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ authentication:

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings:

+ audience: <YOUR_AUDIENCE_OVERRIDE_VALUE>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ authentication:

+ method: UserAssignedManagedIdentity

+ userAssignedManagedIdentitySettings:

+ clientId: <CLIENT_ID>

+ tenantId: <TENANT_ID>

+ scope: <SCOPE>

+```

+# [Bicep](#tab/bicep)

+Not yet supported with Bicep. See [known issues](../troubleshoot/known-issues.md).

+# [Kubernetes](#tab/kubernetes)

+Under `kafkaSettings`, you can configure additional settings for the Kafka endpoint.

+```yaml

+kafkaSettings:

+ consumerGroupId: <ID>

+ compression: Gzip

+ copyMqttProperties: true

+ kafkaAcknowledgement: All

+ partitionHandlingStrategy: Default

+ tls:

+ mode: Enabled

+ trustedCaCertificateConfigMapRef: <YOUR_CA_CERTIFICATE>

+ batching:

+ enabled: true

+ latencyMs: 1000

+ maxMessages: 100

+ maxBytes: 1024

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ tls:

+ mode: Enabled # Or Disabled

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ tls:

+ trustedCaCertificateConfigMapRef: <YOUR_CA_CERTIFICATE>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+spec:

+ kafkaSettings:

+ consumerGroupId: <ID>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ compression: Gzip # Or Snappy, Lz4

+```

+# [Bicep](#tab/bicep)

+```bicep

+kafkaSettings: {

+ batching: {

+ }

+}

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ batching:

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ partitionHandlingStrategy: Default # Or Static, Topic, Property

+ partitionKeyProperty: <PROPERTY_NAME>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ kafkaAcknowledgement: All # Or None, One, Zero

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ copyMqttProperties: Enabled # Or Disabled

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+kafkaSettings:

+ cloudEventAttributes: Propagate # Or CreateOrRemap

+```

+## Next steps

+- [Create a dataflow](howto-create-dataflow.md)

+az stack group create --name <DEPLOYMENT_NAME> --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou deleteResources --yes

+```

+# [Kubernetes](#tab/kubernetes)

+Create a Kubernetes manifest `.yaml` file with the following content.

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: DataflowEndpoint

+metadata:

+ name: <ENDPOINT_NAME>

+ namespace: azure-iot-operations

+spec:

+ endpointType: localStorage

+ localStorageSettings:

+ persistentVolumeClaimRef: <PVC_NAME>

+```

+Then apply the manifest file to the Kubernetes cluster.

+```bash

+kubectl apply -f <FILE>.yaml

+The only supported serialization format is Parquet.

+## Next steps

+- [Create a dataflow](howto-create-dataflow.md)

+## Azure IoT Operations local MQTT broker

+az stack group create --name MyDeploymentStack --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou deleteResources --yes

+```

+# [Kubernetes](#tab/kubernetes)

+You can view the default MQTT broker endpoint settings in the Kubernetes cluster. To view the settings, use the following command:

+```bash

+kubectl get dataflowendpoint default -n azure-iot-operations -o yaml

+# [Kubernetes](#tab/kubernetes)

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: DataflowEndpoint

+metadata:

+ name: <ENDPOINT_NAME>

+ namespace: azure-iot-operations

+spec:

+ endpointType: Mqtt

+ mqttSettings:

+ host: "<HOSTNAME>:<PORT>"

+ tls:

+ mode: Enabled

+ trustedCaCertificateConfigMapRef: <TRUST_BUNDLE>

+ authentication:

+ method: ServiceAccountToken

+ serviceAccountTokenSettings:

+ audience: <SA_AUDIENCE>

+```

+az stack group create --name <DEPLOYMENT_NAME> --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep --dm None --aou deleteResources --yes

+```

+# [Kubernetes](#tab/kubernetes)

+Create a Kubernetes manifest `.yaml` file with the following content.

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: DataflowEndpoint

+metadata:

+ name: <ENDPOINT_NAME>

+ namespace: azure-iot-operations

+spec:

+ endpointType: Mqtt

+ mqttSettings:

+ host: <NAMESPACE>.<REGION>-1.ts.eventgrid.azure.net:8883

+ authentication:

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings:

+ {}

+ tls:

+ mode: Enabled

+```

+Then apply the manifest file to the Kubernetes cluster.

+```bash

+kubectl apply -f <FILE>.yaml

+# [Kubernetes](#tab/kubernetes)

+```yaml

+spec:

+ endpointType: Mqtt

+ mqttSettings:

+ host: <HOST>:<PORT>

+ authentication:

+ # See available authentication methods below

+ tls:

+ mode: Enabled # or Disabled

+ trustedCaCertificateConfigMapRef: <YOUR-CA-CERTIFICATE-CONFIG-MAP>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ authentication:

+ method: X509Certificate

+ x509CertificateSettings:

+ secretRef: <YOUR-X509-SECRET-NAME>

+```

+ {}

+If you need to set a different audience, you can specify it in the settings.

+# [Portal](#tab/portal)

+Not supported.

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ authentication:

+ method: SystemAssignedManagedIdentity

+ systemAssignedManagedIdentitySettings:

+ audience: https://<AUDIENCE>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ authentication:

+ method: UserAssignedManagedIdentity

+ userAssignedManagedIdentitySettings:

+ clientId: <ID>

+ tenantId: <ID>

+ scope: <SCOPE>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ authentication:

+ method: ServiceAccountToken

+ serviceAccountTokenSettings:

+ audience: <YOUR_SERVICE_ACCOUNT_AUDIENCE>

+```

+# [Bicep](#tab/bicep)

+Not yet supported with Bicep. See [known issues](../troubleshoot/known-issues.md).

+# [Bicep](#tab/bicep)

+```bicep

+mqttSettings: {

+ clientIdPrefix: 'dataflow'

+ CloudEventAttributes: 'Propagate' // or 'CreateOrRemap'

+}

+# [Kubernetes](#tab/kubernetes)

+You can set these settings in the dataflow endpoint manifest file.

+```yaml

+mqttSettings:

+ clientIdPrefix: dataflow

+ CloudEventAttributes: Propagate # or CreateOrRemap

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ tls:

+ mode: Enabled # or Disabled

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ tls:

+ trustedCaCertificateConfigMapRef: <YOUR_CA_CERTIFICATE>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ clientIdPrefix: <YOUR_PREFIX>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ qos: 1 # Or 0

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ retain: Keep # or Never

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ sessionExpirySeconds: 3600

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ protocol: WebSockets

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ maxInflightMessages: 100

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ keepAliveSeconds: 60

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+mqttSettings:

+ CloudEventAttributes: Propagate # or CreateOrRemap

+```

+## Next steps

+- [Create a dataflow](howto-create-dataflow.md)

+# [Kubernetes](#tab/kubernetes)

+Create a Kubernetes manifest `.yaml` file to start creating a dataflow. This example shows the structure of the dataflow containing the source, transformation, and destination configurations.

+```yaml

+apiVersion: connectivity.iotoperations.azure.com/v1beta1

+kind: Dataflow

+metadata:

+ name: <DATAFLOW_NAME>

+ namespace: azure-iot-operations

+spec:

+ # Reference to the default dataflow profile

+ # This field is required when configuring via Kubernetes YAML

+ # The syntax is different when using Bicep

+ profileRef: default

+ mode: Enabled

+ operations:

+ - operationType: Source

+ sourceSettings:

+ # See source configuration section

+ - operationType: BuiltInTransformation

+ builtInTransformationSettings:

+ # See transformation configuration section

+ - operationType: Destination

+ destinationSettings:

+ # See destination configuration section

+```

+# [Bicep](#tab/bicep)

+# [Kubernetes](#tab/kubernetes)

+# [Kubernetes](#tab/kubernetes)

+For example, to configure a source using an MQTT endpoint and two MQTT topic filters, use the following configuration:

+```yaml

+sourceSettings:

+ endpointRef: default

+ dataSources:

+ - thermostats/+/telemetry/temperature/#

+ - humidifiers/+/telemetry/humidity/#

+```

+Because `dataSources` allows you to specify MQTT or Kafka topics without modifying the endpoint configuration, you can reuse the endpoint for multiple dataflows even if the topics are different. To learn more, see [Configure data sources](#configure-data-sources-mqtt-or-kafka-topics).

+# [Kubernetes](#tab/kubernetes)

+```yaml

+sourceSettings:

+ endpointRef: <CUSTOM_ENDPOINT_NAME>

+ dataSources:

+ - <TOPIC_1>

+ - <TOPIC_2>

+ # See section on configuring MQTT or Kafka topics for more information

+```

+# [Kubernetes](#tab/kubernetes)

+

+```yaml

+sourceSettings:

+ endpointRef: <MQTT_ENDPOINT_NAME>

+ dataSources:

+ - <MQTT_TOPIC_FILTER_1>

+ - <MQTT_TOPIC_FILTER_2>

+ # Add more MQTT topic filters as needed

+```

+Example with multiple MQTT topic filters with wildcards:

+```yaml

+sourceSettings:

+ endpointRef: default

+ dataSources:

+ - thermostats/+/telemetry/temperature/#

+ - humidifiers/+/telemetry/humidity/#

+```

+Here, the wildcard `+` is used to select all devices under the `thermostats` and `humidifiers` topics. The `#` wildcard is used to select all telemetry messages under all subtopics of the `temperature` and `humidity` topics.

+# [Kubernetes](#tab/kubernetes)

+```yaml

+sourceSettings:

+ endpointRef: <KAFKA_ENDPOINT_NAME>

+ dataSources:

+ - <KAFKA_TOPIC_1>

+ - <KAFKA_TOPIC_2>

+ # Add more Kafka topics as needed

+```

+# [Bicep](#tab/bicep)

+```bicep

+sourceSettings: {

+}

+# [Kubernetes](#tab/kubernetes)

+```yaml

+sourceSettings:

+# [Kubernetes](#tab/kubernetes)

+```yaml

+sourceSettings:

+ dataSources:

+ - $shared/<GROUP_NAME>/<TOPIC_FILTER>

+```

+# [Kubernetes](#tab/kubernetes)

+```yaml

+builtInTransformationSettings:

+ datasets:

+ # See section on enriching data

+ filter:

+ # See section on filtering data

+ map:

+ # See section on mapping data

+```

+# [Bicep](#tab/bicep)

+This example shows how you could use the `deviceId` field in the source data to match the `asset` field in the dataset:

+```bicep

+builtInTransformationSettings: {

+ datasets: [

+ {

+ key: 'assetDataset'

+ inputs: [

+ '$source.deviceId', // $1

+ '$context(assetDataset).asset' // - $2

+ ]

+ expression: '$1 == $2'

+ }

+ ]

+}

+# [Kubernetes](#tab/kubernetes)

+For example, you could use the `deviceId` field in the source data to match the `asset` field in the dataset:

+```yaml

+builtInTransformationSettings:

+ datasets:

+ - key: assetDataset

+ inputs:

+ - $source.deviceId # - $1

+ - $context(assetDataset).asset # - $2

+ expression: $1 == $2

+# [Kubernetes](#tab/kubernetes)

+For example, you could use the `temperature` field in the source data to filter the data:

+```yaml

+builtInTransformationSettings:

+ filter:

+ - inputs:

+ - temperature ? $last # - $1

+ expression: "$1 > 20"

+```

+If the `temperature` field is greater than 20, the data is passed to the next stage. If the `temperature` field is less than or equal to 20, the data is filtered.

+# [Kubernetes](#tab/kubernetes)

+For example, you could use the `temperature` field in the source data to convert the temperature to Celsius and store it in the `temperatureCelsius` field. You could also enrich the source data with the `location` field from the contextualization dataset:

+```yaml

+builtInTransformationSettings:

+ map:

+ - inputs:

+ - temperature # - $1

+ expression: "($1 - 32) * 5/9"

+ output: temperatureCelsius

+ - inputs:

+ - $context(assetDataset).location

+ output: location

+```

+# [Bicep](#tab/bicep)

+```bicep

+builtInTransformationSettings: {

+}

+# [Kubernetes](#tab/kubernetes)

+```yaml

+builtInTransformationSettings:

+# [Kubernetes](#tab/kubernetes)

+```yaml

+destinationSettings:

+ endpointRef: <CUSTOM_ENDPOINT_NAME>

+ dataDestination: <TOPIC_OR_TABLE> # See section on configuring data destination

+```

+# [Bicep](#tab/bicep)

+```bicep

+destinationSettings: {

+}

+```bicep

+destinationSettings: {

+}

+```bicep

+destinationSettings: {

+}

+```bicep

+destinationSettings: {

+}

+# [Kubernetes](#tab/kubernetes)

+```yaml

+destinationSettings:

+```yaml

+destinationSettings:

+```yaml

+destinationSettings:

+```yaml

+destinationSettings:

+# [Bicep](#tab/bicep)

+Bicep is infrastructure as code and no export is required. Use the [Bicep template file to create a dataflow](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/quickstarts/dataflow.bicep) to quickly set up and configure dataflows.

+## Next steps

+- [Map data by using dataflows](concept-dataflow-mapping.md)

+- [Convert data by using dataflows](concept-dataflow-conversions.md)

+- [Enrich data by using dataflows](concept-dataflow-enrich.md)

+- [Understand message schemas](concept-schema-registry.md)

+- [Manage dataflow profiles](howto-configure-dataflow-profile.md)

+ --cluster-name $CLUSTER_NAME \

+## Understand the default Azure IoT Operations MQTT broker dataflow endpoint

+By default, Azure IoT Operations deploys an MQTT broker as well as an MQTT broker dataflow endpoint. The MQTT broker dataflow endpoint is used to connect to the MQTT broker. The default configuration uses the built-in service account token for authentication. The endpoint is named `default` and is available in the same namespace as Azure IoT Operations. The endpoint is used as the source for the dataflows you create in the next steps.

+To learn more about the default MQTT broker dataflow endpoint, see [Azure IoT Operations local MQTT broker default endpoint](../connect-to-cloud/howto-configure-mqtt-endpoint.md#default-endpoint).

+## Create an Azure Event Grid dataflow endpoint

+Create dataflow endpoint for the Azure Event Grid. This endpoint is the destination for the dataflow that sends messages to Azure Event Grid. Replace `<EVENT_GRID_HOSTNAME>` with the MQTT hostname you got from the previous step. Include the port number `8883`.

+# [Bicep](#tab/bicep)

+The dataflow and dataflow endpoints Azure Event Grid can be deployed as standard Azure resources since they have Azure Resource Provider (RPs) implementations. This Bicep template file from [Bicep File for MQTT-bridge dataflow Tutorial](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/quickstarts/dataflow.bicep) deploys the necessary dataflow and dataflow endpoints.

+Download the file to your local, and make sure to replace the values for `customLocationName`, `aioInstanceName`, `eventGridHostName` with yours.

+```bicep

+param customLocationName string = '<CUSTOM_LOCATION_NAME>'

+param aioInstanceName string = '<AIO_INSTANCE_NAME>'

+param eventGridHostName string = '<EVENT_GRID_HOSTNAME>:8883'

+resource customLocation 'Microsoft.ExtendedLocation/customLocations@2021-08-31-preview' existing = {

+ name: customLocationName

+}

+resource aioInstance 'Microsoft.IoTOperations/instances@2024-08-15-preview' existing = {

+ name: aioInstanceName

+}

+ host: eventGridHostName

+Next, execute the following command in your terminal. Replace `<FILE>` with the name of the Bicep file you downloaded.

+```azurecli

+az stack group create --name DeployDataflowEndpoint --resource-group $RESOURCE_GROUP --template-file <FILE>.bicep --action-on-unmanage 'deleteResources' --deny-settings-mode 'none' --yes

+```

+# [Kubernetes](#tab/kubernetes)

+ host: <EVENT_GRID_HOSTNAME>:8883

+Create two dataflows with the Azure IoT Operations MQTT broker endpoint as the source and the Azure Event Grid endpoint as the destination, and vice versa. No need to configure transformation.

+# [Bicep](#tab/bicep)

+param customLocationName string = '<CUSTOM_LOCATION_NAME>'

+param aioInstanceName string = '<AIO_INSTANCE_NAME>'

+resource customLocation 'Microsoft.ExtendedLocation/customLocations@2021-08-31-preview' existing = {

+ name: customLocationName

+}

+resource aioInstance 'Microsoft.IoTOperations/instances@2024-08-15-preview' existing = {

+ name: aioInstanceName

+}

+resource defaultDataflowProfile 'Microsoft.IoTOperations/instances/dataflowProfiles@2024-08-15-preview' existing = {

+ parent: aioInstance

+ name: 'default'

+}

+ endpointRef: 'default'

+ dataDestination: 'telemetry/aio'

+ endpointRef: 'default'

+Like the dataflow endpoint, execute the following command in your terminal:

+```azurecli

+az stack group create --name DeployDataflows --resource-group $RESOURCE_GROUP --template-file <FILE>.bicep --action-on-unmanage 'deleteResources' --deny-settings-mode 'none' --yes

+```

+ endpointRef: default

+ dataDestination: telemetry/aio

+ endpointRef: default

+* Use the topic map to map the `tutorial/local` topic to the `telemetry/aio` topic on the remote broker

+When you publish to the `tutorial/local` topic on the local Azure IoT Operations MQTT broker, the message is bridged to the `telemetry/aio` topic on the remote Event Grid MQTT broker. Then, the message is bridged back to the `tutorial/cloud` topic (because the `telemetry/#` wildcard topic captures it) on the local Azure IoT Operations MQTT broker. Similarly, when you publish to the `telemetry/aio` topic on the remote Event Grid MQTT broker, the message is bridged to the `tutorial/cloud` topic on the local Azure IoT Operations MQTT broker.

+kind: ServiceAccount

+metadata:

+ name: mqtt-client

+ namespace: azure-iot-operations

+apiVersion: v1

+ # Use the "mqtt-client" service account from above

+ name: azure-iot-operations-aio-ca-trust-bundle # Default root CA cert

+ name: azure-iot-operations-aio-ca-trust-bundle

+ name: azure-iot-operations-aio-ca-trust-bundle

+ name: azure-iot-operations-aio-ca-trust-bundle

+ name: azure-iot-operations-aio-ca-trust-bundle

+ kind: ServiceAccount

+ metadata:

+ name: mqtt-client

+ namespace: azure-iot-operations

+

+ apiVersion: v1

+ # Use the "mqtt-client" service account created from above

+To use the default root CA certificate, download it from the `azure-iot-operations-aio-ca-trust-bundle` ConfigMap:

+kubectl get configmap azure-iot-operations-aio-ca-trust-bundle -n azure-iot-operations -o jsonpath='{.data.ca\.crt}' > ca.crt

+- Access to the Azure portal.

+| **Backend pool endpoints** | Any virtual machines or virtual machine scale sets in a single virtual network. This includes usage of a single availability set. | Virtual machines in a single availability set or virtual machine scale set. |

+ [!INCLUDE [Visual Studio Code - logic app project structure](includes/logic-apps-single-tenant-project-structure-visual-studio-code.md)]

+ Title: DevOps deployment for Standard logic apps

+description: Learn about DevOps deployment for Standard logic apps in single-tenant Azure Logic Apps.

+# Customer intent: As a developer, I want to learn about DevOps deployment support for Standard logi apps in single-tenant Azure Logic Apps.

+# DevOps deployment for Standard logic apps in single-tenant Azure Logic Apps

+This article provides an introduction and overview about the current continuous integration and continuous deployment (CI/CD) experience for Standard logic app workflows in single-tenant Azure Logic Apps.

+In the *multi-tenant* Azure Logic Apps, resource deployment is based on Azure Resource Manager templates (ARM templates), which combine and handle resource provisioning for both your Consumption logic app resources and infrastructure. In *single-tenant* Azure Logic Apps, deployment becomes easier because you can separate resource provisioning between Standard logic app resources and infrastructure.

+When you create a Standard logic app resource, workflows are powered by the redesigned single-tenant Azure Logic Apps runtime. This runtime uses the [Azure Functions extensibility model](../azure-functions/functions-bindings-register.md) extensibility and is [hosted as an extension on the Azure Functions runtime](https://techcommunity.microsoft.com/t5/integrations-on-azure/azure-logic-apps-running-anywhere-runtime-deep-dive/ba-p/1835564). This design provides portability, flexibility, and more performance for Standard logic apps plus other capabilities and benefits inherited from the Azure Functions platform and Azure App Service ecosystem.

+For example, you can package the redesigned containerized runtime and workflows together as part of your Standard logic app. You can use generic steps or tasks that build, assemble, and zip your logic app resources into ready-to-deploy artifacts. To deploy Standard logic apps, copy the artifacts to the host environment, and then start your apps to run your workflows. Or, integrate your artifacts into deployment pipelines using the tools and processes that you already know and use. For example, if your scenario requires containers, you can containerize Standard logic apps and integrate them into your existing pipelines.

+When you use Visual Studio Code with the **Azure Logic Apps (Standard)** extension, you can locally develop, build, and run Standard logic app workflows in your development environment without having to deploy to Azure. If your scenario requires containers, you can create and deploy through [Azure Arc enabled Logic Apps](azure-arc-enabled-logic-apps-overview.md).

+The single-tenant model gives you the capability to separate the concerns between your logic app and the underlying infrastructure. For example, you can develop, build, zip, and deploy your app separately as an immutable artifact to different environments. Logic app workflows typically have "application code" that you update more often than the underlying infrastructure. By separating these layers, you can focus more on building out your logic app's workflow and spend less on your effort to deploy the required resources across multiple environments.

+The Azure Logic Apps ecosystem provides [over 1,000 Microsoft-managed and Azure-hosted connectors](/connectors/connector-reference/connector-reference-logicapps-connectors) and [built-in operations](/azure/logic-apps/connectors/built-in/reference) as part of a constantly growing collection that you can use in single-tenant Azure Logic Apps. The way that Microsoft maintains managed connectors stays mostly the same in single-tenant Azure Logic Apps as in multi-tenant Azure Logic Apps.

+The most significant improvement is that the single-tenant service makes more popular managed connectors available as built-in operations. For example, you can use built-in operations for Azure Service Bus, Azure Event Hubs, SQL, and many others. Meanwhile, the managed connector versions are still available and continue to work.

+The connections that you create using Azure Service-based built-in operations are called built-in connections, or *service provider-based connections*. Built-in operations and their connections run locally in the same process that runs your workflows. Both are hosted on the redesigned Azure Logic Apps runtime. In contrast, managed connections, or API connections, are created and run separately as Azure resources, which you deploy using ARM templates. As a result, built-in operations and their connections provide better performance due to their proximity to your workflows. This design also works well with deployment pipelines because the service provider connections are packaged into the same build artifact.

+In Visual Studio Code, when you use the designer to develop or make changes to your workflows, the single-tenant Azure Logic Apps engine automatically generates any necessary connection metadata in your project's **connections.json** file. The following sections describe the three kinds of connections that you can create in your workflows. Each connection type has a different JSON structure, which is important to understand because endpoints change when you move between environments.

+In your Standard logic app project, each workflow has a **workflow.json** file that contains the workflow's underlying JSON definition. This workflow definition then references the necessary connection strings in your project's **connections.json** file.

+The following example shows how the service provider connection for an Azure Service Bus built-in operation appears in your project's **connections.json** file:

+In Visual Studio Code, while you continue to create and develop your workflow using the designer, the single-tenant Azure Logic Apps engine automatically creates the necessary resources in Azure for the managed connectors in your workflow. The engine automatically adds these connection resources to the Azure resource group that you designed to contain your logic app.

+The following example shows how an API connection for the Azure Service Bus managed connector appears in your project's **connections.json** file:

+To call functions created and hosted in Azure Functions, you use the Azure Functions built-in operation. Connection metadata for Azure Functions calls is different from other built-in-connections. This metadata is stored in your logic app project's **connections.json** file, but looks different:

+In single-tenant Azure Logic Apps, the hosting model for logic app workflows is a single Microsoft Entra tenant where your workloads benefit from more isolation than in the multi-tenant model. Plus, the single-tenant Azure Logic Apps runtime is portable, which means you can run your workflows in other environments, for example, locally in Visual Studio Code. Still, this design requires a way for logic apps to authenticate their identity so they can access the managed connector ecosystem in Azure. Your apps also need the correct permissions to run operations when using managed connections.

+The following sections provide more information about the authentication types that you can use to authenticate managed connections, based on where your logic app runs. For each managed connection, your logic app project's **connections.json** file has an **`authentication`** object that specifies the authentication type that your logic app can use to authenticate that managed connection.

+For a logic app that is hosted and run in Azure, a [managed identity](create-managed-service-identity.md) is the default and recommended authentication type to use for authenticating managed connections that are hosted and run in Azure. In your logic app project's **connections.json** file, the managed connection has an **`authentication`** object that specifies **`ManagedServiceIdentity`** as the authentication type:

+For logic apps that run in your local development environment using Visual Studio Code, raw authentication keys are used for authenticating managed connections that are hosted and run in Azure. These keys are designed for development use only, not production, and have a 7-day expiration. In your logic app project's **connections.json** file, the managed connection has an **`authentication`** object specifies the following the authentication information:

+description: How to set up DevOps deployment for Standard logic apps in single-tenant Azure Logic Apps.

+ai-usage: ai-assisted

+# Customer intent: As a developer, I want to automate deployment for Standard logic apps hosted in single-tenant Azure Logic Apps by using DevOps tools and processes.

+# Set up DevOps deployment for Standard logic apps in single-tenant Azure Logic Apps

+This guide primarily shows how to set up deployment for a Standard logic app project in Visual Studio Code to your infrastructure using DevOps tools and processes. If your Standard logic app exists in the Azure portal instead, you can download your logic app's artifact files for use with DevOps deployment. Based on whether you want to use GitHub or Azure DevOps, you then choose the path and tools that work best for your deployment scenario.

+If you don't have a Standard logic app, you can still follow this guide using the linked sample Standard logic app projects plus examples for deployment to Azure through GitHub or Azure DevOps. For more information, review [DevOps deployment overview for single-tenant Azure Logic Apps](devops-deployment-single-tenant-azure-logic-apps.md).

+- [Visual Studio Code, which is free, the Azure Logic Apps (Standard) extension for Visual Studio Code, and other related prerequisites](create-single-tenant-workflows-visual-studio-code.md#prerequisites).

+- The Standard logic app to use with your DevOps tools and processes.

+ You can either download the artifact files for your Standard logic app resource from the Azure portal, or you can use a Standard logic app project created with [Visual Studio Code and the Azure Logic Apps (Standard) extension for Visual Studio Code](create-single-tenant-workflows-visual-studio-code.md#prerequisites).

+ - **Portal**: The downloaded zip file contains Standard logic app artifact files, such as **workflow.json**, **connections.json**, **host.json**, and **local.settings.json**. See [Download Standard logic app artifact files from portal](#download-artifacts).

+

+ - **Visual Studio Code**: You need an empty Standard logic app resource in the Azure portal for your deployment destination. To quickly create an empty Standard logic app resource, review [Create single-tenant based logic app workflows - Portal](create-single-tenant-workflows-azure-portal.md).

+ If you don't have an existing logic app or infrastructure, you can use the linked sample Standard logic app projects to deploy an example logic app and infrastructure, based whether you want to use GitHub or Azure DevOps. For more information about the included sample projects and resources to run the example logic app, review [Deploy infrastructure resources](#deploy-infrastructure).

+To try the DevOps deployment experience without prior Standard logic app or infrastructure setup, use the following sample projects so you can set up deployment for an example Standard logic app and infrastructure, based whether you want to use GitHub or Azure DevOps:

+ This sample includes an example Standard logic app project plus examples for Azure deployment and GitHub Actions.

+ This sample includes an example Standard logic app project plus examples for Azure deployment and Azure Pipelines.

+Both samples include the following resources that a Standard logic app uses to run:

+| Standard logic app | Yes | This Azure resource contains the workflows that run in single-tenant Azure Logic Apps. <br><br>**Important**: In your logic app project, each workflow has a **workflow.json** file that contains the workflow definition, which includes the trigger and action definitions. |

+| API connections | Yes, if API connections exist | These Azure resources define any managed API connections that your workflows use to run managed connector operations, such as Office 365, SharePoint, and so on. <br><br>**Important**: In your logic app project, the **connections.json** file contains metadata, endpoints, and keys for any managed API connections and Azure functions that your workflows use. To use different connections and functions in each environment, make sure that you parameterize the **connections.json** file and update the endpoints. <br><br>For more information, review [API connection resources and access policies](#api-connection-resources). |

+| Functions Premium or App Service hosting plan | Yes | This Azure resource specifies the hosting resources to use for running your logic app, such as compute, processing, storage, networking, and so on. <br><br>**Important**: In the current experience, the Standard logic app resource requires the [**Workflow Standard** hosting plan](logic-apps-pricing.md#standard-pricing), which is based on the Azure Functions Premium hosting plan. |

+In single-tenant Azure Logic Apps, every managed API connection resource in your workflow requires an associated access policy. This policy needs your logic app's identity to provide the correct permissions for accessing the managed connector infrastructure. The included sample projects include an ARM template that includes all the necessary infrastructure resources, including these access policies.

+For example, the following diagram shows the dependencies between a Standard logic app project and infrastructure resources:

+

+<a name="download-artifacts"></a>

+## Download Standard logic app artifacts from portal

+If your Standard logic app is in the Azure portal, you can download a zip file that contains your logic app's artifact files, including **workflow.json**, **connections.json**, **host.json**, and **local.settings.json**.

+1. In the [Azure portal](https://portal.azure.com), find and open your Standard logic app resource.

+1. On the logic app menu, select **Overview**.

+1. On the **Overview** toolbar, select **Download app content**. In the confirmation box that appears, select **Download**.

+1. When the prompt appears, select **Save as**, browse to the local folder that you want, and select **Save** to save the zip file.

+1. Extract the zip file.

+1. In Visual Studio Code, open the folder that contains the unzipped files.

+ When you open the folder, Visual Studio Code automatically creates a [workspace](https://code.visualstudio.com/docs/editor/workspaces).

+1. Edit the folder's contents to include only the folders and files required for deployment using DevOps.

+1. When you finish, save your changes.

+## Build and deploy logic app (zip deploy)

+You can set up build and release pipelines either inside or outside Azure that deploy Standard logic apps to your infrastructure.

+1. Push your Standard logic app project and artifact files to your source repository, for example, either GitHub or Azure DevOps.

+1. Set up a build pipeline based on your logic app project type by completing the following corresponding actions:

+ | Project type | Description and steps |

+ |--|--|

+ | Nuget-based | The NuGet-based project structure is based on the .NET Framework. To build these projects, make sure to follow the build steps for .NET Standard. For more information, review the documentation for [Create a NuGet package using MSBuild](/nuget/create-packages/creating-a-package-msbuild). |

+ | Bundle-based | The extension bundle-based project isn't language-specific and doesn't require any language-specific build steps. |

+1. Zip your project files using any method that you want.

+ > [!IMPORTANT]

+ >

+ > Make sure that your zip file contains your project's actual build artifacts at the root level,

+ > including all workflow folders, configuration files such as **host.json**, **connections.json**,

+ > **local.settings.json**, and any other related files. Don't add any extra folders nor put any

+ > artifacts into folders that don't already exist in your project structure.

+ >

+ > For example, the following list shows an example **MyBuildArtifacts.zip** file structure:

+ >

+ > ```

+ > MyStatefulWorkflow1-Folder

+ > MyStatefulWorkflow2-Folder

+ > connections.json

+ > host.json

+ > local.settings.json

+ > ```

+### Before you release to Azure

+For each managed API connection that uses authentication, you have to update the **`authentication`** object from the local format in Visual Studio Code to the Azure portal format, as shown by the first and second code examples, respectively:

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Web/locations/westus/managedApis/sql"

+ },

+ "connection": {

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ase/providers/Microsoft.Web/connections/sql-2"

+ },

+ "connectionRuntimeUrl": "https://xxxxxxxxxxxxxx.01.common.logic-westus.azure-apihub.net/apim/sql/xxxxxxxxxxxxxxxxxxxxxxxxx/",

+ "authentication": {

+ "type": "Raw",

+ "scheme": "Key",

+ "parameter": "@appsetting('sql-connectionKey')"

+ }

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Web/locations/westus/managedApis/sql"

+ },

+ "connection": {

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ase/providers/Microsoft.Web/connections/sql-2"

+ },

+ "connectionRuntimeUrl": "https://xxxxxxxxxxxxxx.01.common.logic-westus.azure-apihub.net/apim/sql/xxxxxxxxxxxxxxxxxxxxxxxxx/",

+ "authentication": {

+ "type": "ManagedServiceIdentity",

+ }

+If you're deploying your Standard logic app to an Azure region or subscription different from your local development environment, you must also make sure to create these managed API connections before deployment. Azure Resource Manager template (ARM template) deployment is the easiest way to create managed API connections.

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Web/locations/{Azure-region-location}/managedApis/sql"

+To find the required values for the **`properties`** object so that you can complete the connection resource definition, use the following API for a specific connector:

+In the response, find the **`connectionParameters`** object, which contains the necessary information to complete the resource definition for that specific connector. The following example shows an example resource definition for a SQL managed connection:

+As an alternative, you can capture and review the network trace for when you create a connection using the workflow designer in Azure Logic Apps. Find the **`PUT`** call that is sent to the managed connector's API as previously described, and review the request body for all the necessary information.

+- The zip file that contains your actual build artifacts, including all workflow folders, configuration files such as **host.json**, **connections.json**, **local.settings.json**, and any other related files.

+For more information, review [Continuous delivery by using GitHub Action](../azure-functions/functions-how-to-github-actions.md).

+### [Azure DevOps](#tab/azure-devops)

+- The zip file that contains your actual build artifacts, including all workflow folders, configuration files such as **host.json**, **connections.json**, **local.settings.json**, and any other related files.

+For more information, review [Deploy an Azure Function using Azure Pipelines](/azure/devops/pipelines/targets/azure-functions-windows).

+If you use other deployment tools, you can deploy your Standard logic app by using the Azure CLI. Before you start, you need the following items:

+ - If you're not sure that you have the latest version, [check your environment and CLI version](#check-environment-cli-version).

+ - If you don't have the Azure CLI extension, [install the extension by following the installation guide for your operating system or platform](/cli/azure/install-azure-cli).

+ > [!NOTE]

+ >

+ > If you get a **pip** error when you try to install the Azure CLI, make sure that you

+ > have the standard package installer for Python (PIP). This package manager is written

+ > in Python and is used to install software packages. For more information, see

+ > [Check "pip" installation and version](#check-pip-version).

+- The *preview* single-tenant **Azure Logic Apps (Standard)** extension for Azure CLI.

+ If you don't have this extension, [install the extension](#install-logic-apps-cli-extension). Although the single-tenant Azure Logic Apps service is already generally available, the single-tenant Azure Logic Apps extension for Azure CLI is still in preview.

+- An Azure resource group to use for deploying your logic app project to Azure.

+ If you don't have this resource group, [create the resource group](#create-resource-group).

+ If you don't have this storage account, [create a storage account](/cli/azure/storage/account#az-storage-account-create).

+<a name="check-pip-version"></a>

+##### Check pip installation

+1. On a Windows or Mac operating system, open a command prompt, and enter the following command:

+ `pip --version`

+ - If you get a **pip** version, then **pip** is installed. Make sure that you have the most recent version by using the following command:

+ `python -m pip install -upgrade pip`

+ - If you get errors instead, then **pip** isn't installed or added to your **PATH** environment.

+1. To install **pip**, [follow the **pip** installation steps for your operating system](https://pip.pypa.io/en/latest/installation/).

+1. Sign in to the [Azure portal](https://portal.azure.com). In a terminal or command window, confirm that your subscription is active by running the command, [**`az login`**](/cli/azure/authenticate-azure-cli):

+ ```azurecli

+1. In the terminal or command window, check your version of the Azure CLI version by running the command, **`az`**, with the following required parameter:

+ ```azurecli

+ For more information about the latest version, review the [most recent release notes](/cli/azure/release-notes-azure-cli?tabs=azure-cli). For troubleshooting guidance, see the following resources:

+ - [Azure CLI GitHub issues](https://github.com/Azure/azure-cli/issues)

+ - [Azure CLI documentation](/cli/azure/)

+Currently, only the *preview* version for this extension is available. If you didn't install this extension yet, run the command, **`az extension add`**, with the following required parameters:

+```azurecli

+```azurecli

+>

+##### Create resource group

+If you don't have an existing Azure resource group to use for deployment, create the group by running the command, **`az group create`**. Unless you already set a default subscription for your Azure account, make sure to use the **`--subscription`** parameter with your subscription name or identifier. Otherwise, you don't have to use the **`--subscription`** parameter.

+>

+> To set a default subscription, run the following command, and replace

+> **`MySubscription`** with your subscription name or identifier.

+For example, the following command creates a resource group named **`MyResourceGroupName`** using the Azure subscription named **`MySubscription`** in the location **`eastus`**:

+If your resource group is successfully created, the output shows the **`provisioningState`** as **`Succeeded`**:

+Now, you can deploy your zipped artifacts to the Azure resource group that you created.

+Run the command, **`az logicapp deployment`**, with the following required parameters:

+```azurecli

+## After deployment to Azure

+Each API connection has access policies. After the zip deployment completes, you must open your Standard logic app resource in the Azure portal, and create access policies for each API connection to set up permissions for the deployed logic app. The zip deployment doesn't create app settings for you. After deployment, you must create these app settings based on the **local.settings.json** file in your logic app project.

+## Related content

+Metadata discovered by the Azure Migrate appliance helps you to assess server readiness for migration to Azure, right-size servers, and plan costs. Microsoft doesn't use this data in any license compliance audit.

+The appliance collects configuration, performance metadata, data about installed applications, roles, and features (software inventory) and dependency data (if agentless dependency analysis is enabled) from servers running in your VMware environment.

+The appliance collects configuration, performance metadata, data about installed applications, roles, and features (software inventory) and dependency data (if agentless dependency analysis is enabled) from servers running in your Hyper-V environment.

+Maximum memory that the server can consume | Msvm_MemorySettingData | Limit

+The appliance collects configuration, performance metadata, data about installed applications, roles, and features (software inventory) and dependency data (if agentless [dependency analysis](concepts-dependency-visualization.md) is enabled) from physical servers or server running on other clouds like AWS, GCP, etc.

+Processor core count | cat /proc/cpuinfo \| awk '/^processor/{print $3}' \| wc -l

+The appliance collects data about installed applications, roles, and features (software inventory) from servers running in VMware environment/Hyper-V environment/physical servers or servers running on other clouds like AWS, GCP etc.

+1. To remove NAT gateway from **all** subnets, select **Disassociate**.

+2. To remove NAT gateway from only one of multiple subnets, unselect the checkbox next to the subnet and select **Save**.

+Virtual network flow logs are generally available in all Azure public regions and are currently in preview in Azure Government.

+| nf-sku |Fabric SKU ID is the SKU of the ordered BoM version. See [Network Fabric SKUs](./reference-operator-nexus-fabric-skus.md). | M4-A400-A100-C16-ab |True | String|

+ * Firmware versions are logged as informational. The following component firmware versions are typically logged (depending on hardware model):

+ * BIOS

+ * iDRAC

+ * Complex Programmable Logic Device (CPLD)

+ * RAID Controller

+ * Backplane

+ * The HWV framework identifies problematic firmware versions and attempts to auto fix. The following example shows a successful iDRAC firmware fix (versions and task ID are illustrational only).

+ ```yaml

+ {

+ "system_info": {

+ "system_info_result": "Pass",

+ "result_detail": [

+ {

+ "field_name": "Integrated Dell Remote Access Controller - unsupported_firmware_check",

+ "comparison_result": "Pass",

+ "expected": "6.00.30.00 - unsupported_firmware",

+ "fetched": "7.10.30.00"

+ }

+ ],

+ "result_log": [

+ "Firmware autofix task /redfish/v1/TaskService/Tasks/JID_274085357727 completed"

+ ]

+ },

+ }

+ ```

+ * Allow listed critical alarms and warning alarms are logged as informational starting with Nexus release 3.14.

+ ```yaml

+ {

+ "field_name": "LCLog_Warning_Alarms - Non-Failing",

+ "comparison_result": "Info",

+ "expected": "Warning Alarm",

+ "fetched": "104473 2024-07-26T16:05:19-05:00 The Embedded NIC 1 Port 1 network link is down."

+ }

+ ```

+* Virtual Flea Drain

+ * HWV attempts a virtual flea drain for most failing checks. Flea drain attempts are logged under `health_info` -> `result_log`.

+ ```yaml

+ "result_log": [

+ "flea drain completed successfully",

+ ]

+ ```

+ * If the virtual flea drain fails, perform a physical flea drain as a first troubleshooting step.

+ * The `device_login` check fails if the iDRAC isn't reachable or if the hardware validation plugin isn't able to sign-in.

+ ```yaml

+ {

+ "device_login": "Fail - Unreachable"

+ }

+ ```

+ "device_login": "Fail - Unauthorized"

+This release can be installed with as an update on top of release 2.0.2804-144. See [learn documentation](manage-network-function-operator.md) for more installation guidance.

+If you use a [non-paired region](cross-region-replication-azure.md#regions-with-availability-zones-and-no-region-pair), then regardless of the data residency configuration you select, your metadata will only be replicated within the region.

+Platform as a Service (PaaS) customer's data typically resides in a storage service such as Blob Storage but may also be cached or stored in the application execution environment, such as a virtual machine. To see the encryption at rest options available to you, examine the [Data encryption models](encryption-models.md) for the storage and application platforms that you use.

+Like PaaS, IaaS solutions can leverage other Azure services that store data encrypted at rest. In these cases, you can enable the Encryption at Rest support as provided by each consumed Azure service. The [Data encryption models](encryption-models.md) enumerates the major storage, services, and application platforms and the model of Encryption at Rest supported.

+## Services supporting customer managed keys (CMKs)

+Here are the services that support server-side encryption using customer managed keys:

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+| | | | |

+| **AI and Machine Learning** | | | |

+| [Azure AI Search](/azure/search/) | Yes | | |

+| [Azure AI services](/azure/cognitive-services/) | Yes | Yes | |

+| [Azure AI Studio](/azure/ai-studio) | Yes | | [CMKs for encryption](/azure/ai-studio/concepts/encryption-keys-portal) |

+| [Azure Machine Learning](/azure/machine-learning/) | Yes | | |

+| [Azure OpenAI](/azure/ai-services/openai/) | Yes | Yes | |

+| [Content Moderator](/azure/cognitive-services/content-moderator/) | Yes | Yes | |

+| [Dataverse](/powerapps/maker/data-platform/) | Yes | Yes | |

+| [Dynamics 365](/dynamics365/) | Yes | Yes | |

+| [Face](/azure/cognitive-services/face/) | Yes | Yes | |

+| [Language Understanding](/azure/cognitive-services/luis/) | Yes | Yes | |

+| [Personalizer](/azure/cognitive-services/personalizer/) | Yes | Yes | |

+| [Power Platform](/power-platform/) | Yes | Yes | |

+| [QnA Maker](/azure/cognitive-services/qnamaker/) | Yes | Yes | |

+| [Speech Services](/azure/cognitive-services/speech-service/) | Yes | Yes | |

+| [Translator Text](/azure/cognitive-services/translator/) | Yes | Yes | |

+| **Analytics** | | | |

+| [Azure Data Explorer](/azure/data-explorer/) | Yes | | |

+| [Azure Data Factory](/azure/data-factory/) | Yes | Yes | |

+| [Azure Data Lake Store](/azure/data-lake-store/) | Yes, RSA 2048-bit | | |

+| [Azure HDInsight](/azure/hdinsight/) | Yes | | |

+| [Azure Monitor Application Insights](/azure/azure-monitor/app/app-insights-overview) | Yes | | |

+| [Azure Monitor Log Analytics](/azure/azure-monitor/logs/log-analytics-overview) | Yes | Yes | |

+| [Azure Stream Analytics](/azure/stream-analytics/) | Yes\*\* | Yes | |

+| [Event Hubs](/azure/event-hubs/) | Yes | | |

+| [Functions](/azure/azure-functions/) | Yes | | |

+| [Microsoft Fabric](/fabric) | Yes | | [CMK encryption](/fabric/security/security-scenario#customer-managed-key-cmk-encryption-and-microsoft-fabric) |

+| [Power BI Embedded](/power-bi) | Yes | | [BYOK for Power BI](/power-bi/enterprise/service-encryption-byok) |

+| **Containers** | | | |

+| [App Configuration](/azure/azure-app-configuration/) | Yes | | [Use CMKs to encrypt App Configuration data](/azure/azure-app-configuration/concept-customer-managed-keys) |

+| [Azure Kubernetes Service](/azure/aks/) | Yes | Yes | |

+| [Azure Red Hat OpenShift](/azure/openshift/) | Yes | | [CMK encryption](/azure/openshift/howto-byok) |

+| [Container Instances](/azure/container-instances/) | Yes | | |

+| [Container Registry](/azure/container-registry/) | Yes | | |

+| **Compute** | | | |

+| [App Service](/azure/app-service/) | Yes\*\* | Yes | |

+| [Automation](/azure/automation/) | Yes | | |

+| [Azure Functions](/azure/azure-functions/) | Yes\*\* | Yes | |

+| [Azure portal](/azure/azure-portal/) | Yes\*\* | Yes | |

+| [Azure VMware Solution](/azure/azure-vmware/) | Yes | Yes | |

+| [Azure-managed applications](/azure/azure-resource-manager/managed-applications/overview) | Yes\*\* | Yes | |

+| [Batch](/azure/batch/) | Yes | | [Configure CMKs](/azure/batch/batch-customer-managed-key) |

+| [Logic Apps](/azure/logic-apps/) | Yes | | |

+| [SAP HANA](/azure/sap/large-instances/hana-overview-architecture) | Yes | | |

+| [Service Bus](/azure/service-bus-messaging/) | Yes | | |

+| [Site Recovery](/azure/site-recovery/) | Yes | | |

+| [Virtual Machine Scale Set](/azure/virtual-machine-scale-sets/) | Yes | Yes | |

+| [Virtual Machines](/azure/virtual-machines/) | Yes | Yes | |

+| **Databases** | | | |

+| [Azure Cosmos DB](/azure/cosmos-db/) | Yes | Yes | [Configure CMKs (Key Vault)](/azure/cosmos-db/how-to-setup-cmk) and [Configure CMKs (Managed HSM)](/azure/cosmos-db/how-to-setup-customer-managed-keys-mhsm) |

+| [Azure Database for MySQL](/azure/mysql/) | Yes | Yes | |

+| [Azure Database for PostgreSQL](/azure/postgresql/) | Yes | Yes | |

+| [Azure Database Migration Service](/azure/dms/) | N/A\* | | |

+| [Azure Databricks](/azure/databricks/) | Yes | Yes | |

+| [Azure Managed Instance for Apache Cassandra](/azure/managed-instance-apache-cassandra/) | Yes | | [CMKs](/azure/managed-instance-apache-cassandra/customer-managed-keys) |

+| [Azure SQL Database](/azure/azure-sql/database/) | Yes, RSA 3072-bit | Yes | |

+| [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/) | Yes, RSA 3072-bit | Yes | |

+| [Azure Synapse Analytics (dedicated SQL pool (formerly SQL DW) only)](/azure/synapse-analytics/) | Yes, RSA 3072-bit | Yes | |

+| [SQL Server on Virtual Machines](/azure/virtual-machines/windows/sql/) | Yes | | |

+| [SQL Server Stretch Database](/sql/sql-server/stretch-database/) | Yes, RSA 3072-bit | | |

+| [Table Storage](/azure/storage/tables/) | Yes | | |

+| **Hybrid + multicloud** | | | |

+| [Azure Stack Edge](/azure/databox-online/) | Yes | | [Azure Stack Edge: Security baseline](/security/benchmark/azure/baselines/azure-stack-edge-security-baseline#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required) |

+| **Identity** | | | |

+| [Microsoft Entra Domain Services](/azure/active-directory-domain-services/) | Yes | | |

+| **Integration** | | | |

+| [Azure Health Data Services](/azure/healthcare-apis/) | Yes | | [Configure CMKs for DICOM](/azure/healthcare-apis/dicom/configure-customer-managed-keys), [Configure CMKs for FHIR](/azure/healthcare-apis/fhir/configure-customer-managed-keys) |

+| [Service Bus](/azure/service-bus-messaging/) | Yes | | |

+| **IoT Services** | | | |

+| [IoT Hub](/azure/iot-hub/) | Yes | | |

+| [IoT Hub Device Provisioning](/azure/iot-dps/) | Yes | | |

+| **Management and Governance** | | | |

+| [Azure Migrate](/azure/migrate/) | Yes | | |

+| [Azure Monitor](/azure/azure-monitor) | Yes | | [CMKs](/azure/azure-monitor/logs/customer-managed-keys?tabs=portal) |

+| **Media** | | | |

+| [Media Services](/azure/media-services/) | Yes | | |

+| **Security** | | | |

+| [Microsoft Defender for Cloud](/azure/defender-for-cloud/) | Yes | | [Security baseline: CMKs](/security/benchmark/azure/baselines/microsoft-defender-for-cloud-security-baseline#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required) |

+| [Microsoft Defender for IoT](/azure/defender-for-iot/) | Yes | | |

+| [Microsoft Sentinel](/azure/sentinel/) | Yes | Yes | |

+| **Storage** | | | |

+| [Archive Storage](/azure/storage/blobs/archive-blob) | Yes | | |

+| [Azure Backup](/azure/backup/) | Yes | Yes | |

+| [Azure Cache for Redis](/azure/azure-cache-for-redis/) | Yes\*\* | Yes | |

+| [Azure Managed Lustre](/azure/azure-managed-lustre/) | Yes | | [CMKs](/azure/azure-managed-lustre/customer-managed-encryption-keys) |

+| [Azure NetApp Files](/azure/azure-netapp-files/) | Yes | Yes | |

+| [Azure Stack Edge](/azure/databox-online/azure-stack-edge-overview/) | Yes | | |

+| [Blob Storage](/azure/storage/blobs/) | Yes | Yes | |

+| [Data Lake Storage Gen2](/azure/storage/blobs/data-lake-storage-introduction/) | Yes | Yes | |

+| [Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | |

+| [File Premium Storage](/azure/storage/files/) | Yes | Yes | |

+| [File Storage](/azure/storage/files/) | Yes | Yes | |

+| [File Sync](/azure/storage/file-sync/file-sync-introduction) | Yes | Yes | |

+| [Managed Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | |

+| [Premium Blob Storage](/azure/storage/blobs/) | Yes | Yes | |

+| [Queue Storage](/azure/storage/queues/) | Yes | Yes | |

+| [StorSimple](/azure/storsimple/) | Yes | | |

+| [Ultra Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | |

+| **Other** | | | |

+| [Azure Data Manager for Energy](/azure/energy-data-services/overview-microsoft-energy-data-services) | Yes | | |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5, SP6) | 9.63 | All [stock SUSE 15 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150500.33.63-azure:5 <br> 5.14.21-150500.33.66-azure:5 <br> 6.4.0-150600.6-azure:6 <br>6.4.0-150600.8.11-azure:6 <br> 6.4.0-150600.8.5-azure:6 <br> 6.4.0-150600.8.8-azure:6 |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5) | 9.62 | All [stock SUSE 15 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150500.33.54-azure:5 <br> 5.14.21-150500.33.57-azure:5 <br> 5.14.21-150500.33.60-azure:5 |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5) | [9.61](https://support.microsoft.com/topic/update-rollup-73-for-azure-site-recovery-d3845f1e-2454-4ae8-b058-c1fec6206698) | All [stock SUSE 15 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150500.33.37-azure <br> 5.14.21-150500.33.42-azure <br> 5.14.21-150500.33.48-azure:5 <br> 5.14.21-150500.33.51-azure:5 |

+[Rollup 76](https://support.microsoft.com/en-us/topic/update-rollup-76-for-azure-site-recovery-6ca6833a-5b0f-4bdf-9946-41cd0aa8d6e4) | NA | NA | 9.63.7187.1 | 5.24.0902.11 | 2.0.9938.0

+[Rollup 75](https://support.microsoft.com/topic/update-rollup-75-for-azure-site-recovery-4884b937-8976-454a-9b80-57e0200eb2ec) | NA | NA | 9.62.7172.1 | 5.24.0814.2 | 2.0.9932.0

+[Rollup 74](https://support.microsoft.com/topic/update-rollup-74-for-azure-site-recovery-584e3586-4c55-4cc2-8b1c-63038b6b4464) | NA | NA | 9.62.7096.1 | 5.24.0614.1 | 2.0.9919.0

+Update [rollup 76](https://support.microsoft.com/topic/update-rollup-76-for-azure-site-recovery-6ca6833a-5b0f-4bdf-9946-41cd0aa8d6e4) provides the following updates:

+ Set-AzContext -SubscriptionId <subscription-ID>

+- [Storage task conditions](storage-tasks/storage-task-conditions.md)

+- [Storage task operations](storage-tasks/storage-task-operations.md)

+In the **Blob property** drop-down list, choose a property. See [Supported blob properties](storage-task-conditions.md#supported-properties).

+In the **Property value** box, enter a value and in the **Operator** drop-down list, choose an operator. See [Supported Operators](storage-task-conditions.md#supported-operators).

+In the **Operation** drop-down list, choose an operation. See [Supported operations](storage-task-operations.md#supported-operations).

+ Title: Storage task conditions

+description: Learn about the elements of a storage task condition.

+# Storage task conditions

+A storage task contains a set of conditions and operations. This article describes the JSON format of a condition. Understanding that format is important if you plan to create a storage task by using a tool other than the Azure portal (For example: Azure PowerShell, or Azure CLI). This article also lists the properties and operators that you can use to compose the clauses of a condition.

+This article focuses on **conditions**. To learn more about **operations**, see [Storage task operations](storage-task-operations.md).

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Condition format

+A condition a collection of one or more _clauses_. Each clause contains a _property_, a _value_, and an _operator_. When the storage task runs, it uses the operator to compare a property with a value to determine whether a clause is met by the target object. In a clause, the **operator** always appears first followed by the **property**, and then the **value**. The following image shows how each element is positioned in the expression.

+> [!div class="mx-imgBorder"]

+> 

+The following clause allows operations only on Microsoft Word documents. This clause targets all documents that end with the file extension `.docx`. Therefore, the operator is `endsWith`, the property is `Name`, and the value is `.docx`.

+```json

+{

+ "condition": "[[[endsWith(Name, '.docx')]]"

+}

+```

+For a complete list of operator and property names, see the [Supported operators](#supported-operators) and [Supported properties](#supported-properties) section of this article.

+### Multiple clauses in a condition

+A condition can contain multiple clauses separated by a comma along with either the string `and` or `or`. The string `and` targets objects that meet the criteria in all clauses in the condition while `or` targets objects that meet the criterion in any of the clauses in the condition. The following image shows the position of the `and` and `or` string along with two clauses.

+> [!div class="mx-imgBorder"]

+> 

+The following JSON shows a condition that contains two clauses. Because the `and` string is used in this expression, both clauses must evaluate to `true` before an operation is performed on the object.

+```json

+{

+"condition": "[[and(endsWith(Name, '.docx'), equals(Tags.Value[readyForLegalHold], 'Yes'))]]"

+}

+```

+### Groups of conditions

+Grouped clauses operate as a single unit separate from the rest of the clauses. Grouping clauses is similar to putting parentheses around a mathematical equation or logic expression. The `and` or `or` string for the first clause in the group applies to the whole group.

+ The following image shows two clauses grouped together.

+> [!div class="mx-imgBorder"]

+> 

+The following condition allows operations only on Microsoft Word documents where the `readyForLegalHold` tag of the document is set to a value of `Yes`. Operations are also performed on objects that are greater than 100 bytes even if the other two conditions aren't true.

+```json

+{

+"condition": "[[[or(and(endsWith(Name, '.docx'), equals(Tags.Value[readyForLegalHold], 'Yes')), greater(Content-Length, '100'))]]"

+}

+```

+## Code view in the Azure portal

+The visual editor available in the Azure portal, can generate the JSON of a condition for you. You can define your conditions by using the editor, and then obtain the JSON expression by opening **Code** tab. This approach can be useful when creating complicated sets of conditions as JSON expressions can become large, unwieldy, and difficult to create by hand. The following image shows the **Code** tab in the visual editor.

+> [!div class="mx-imgBorder"]

+> 

+To learn more about the visual editor, see [Define storage task conditions and operations](storage-task-conditions-operations-edit.md).

+## Supported properties

+The following table shows the properties that you can use to compose each clause of a condition. A clause can contain string, boolean, numeric, and date and time properties.

+| String | Date and time³ | Numeric | Boolean |

+|--||-||

+| AccessTier¹ | AccessTierChangeTime | Content-Length | Deleted |

+| Metadata.Value | Creation-Time | TagCount | IsCurrentVersion |

+| Name | DeletedTime | | |

+| BlobType² | LastAccessTime | | |

+| Container.Metadata.Value[Name] | Last-Modified | | |

+| Container.Name | | | |

+| Container.Metadata.Value[Name] | | | |

+| Container.Name | | | |

+| Tags.Value[Name] | | | |

+| VersionId | | | |

+¹ Allowed values are `Hot`, `Cool`, or `Archive`.

+² Allowed values are `BlockBlob`, `PageBlob`, or `AppendBlob`

+³ Can be set to a specific time or to a metadata value dynamically obtained from objects. See [Reference a value from object metadata](storage-task-conditions-operations-edit.md#reference-a-value-from-object-metadata).

+## Supported operators

+The following table shows the operators that you can use in a clause to evaluate the value of each type of property.

+| String | Date and time | Numeric | Boolean |

+|||||

+| contains | equals |equals | equals |

+| empty | greater | greater | not |

+| equals | greaterOrEquals |greaterOrEquals ||

+| endsWith | less | less ||

+| length | lessOrEquals | lessOrEquals ||

+| startsWith | addToTime | ||

+| Matches | | ||

+## See also

+- [Storage task operations](storage-task-operations.md)

+- [Define conditions and operations](storage-task-conditions-operations-edit.md)

+| Instance details | Storage task name | Required | Choose a unique name for your storage task. Storage task names must be between 3 and 18 characters in length and might contain only lowercase letters and numbers. |

+| If | Blob property | Required | The blob or container property that you like to use in the clause. See [Supported blob properties](storage-task-conditions.md#supported-properties)|

+| If | Operator | Required | The operator that defines how each property in the clause must relate to the corresponding value. See [Supported operators](storage-task-conditions.md#supported-operators)|

+| Then | Operations | Required | The action to perform when objects meet the conditions defined in this task. See [Supported operations](storage-task-operations.md#supported-operations)|

+ Title: Storage task operations

+description: Learn about the elements of a storage task operation.

+# Storage task operations

+A storage task contains a set of conditions and operations. An operation is an action that a storage task performs on each object that meets the requirements of each condition. This article describes the JSON format of a storage task operation. Understanding that format is important if you plan to create a storage task by using a tool other than the Azure portal (For example: Azure PowerShell, or Azure CLI). This article also lists the operations, operation parameters, and the allowable values of each parameter.

+This article focuses on **operations**. To learn more about **conditions**, see [Storage task conditions](storage-task-conditions.md).

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Operation format

+An operation has a name along with zero, one, or multiple parameters. The following image shows how these elements appear for an operation in the JSON template of a storage task.

+> [!div class="mx-imgBorder"]

+> 

+The following table describes each element.

+| Element | Description |

+||--|

+| `name` | The name of the operation.¹ |

+| `parameters` | A collection of one or more parameters. Each parameter has parameter name and a parameter value.¹ |

+| `onSuccess` | The action to take when the operation is successful for an object. `continue` is the only allowable value during the preview. |

+| `onFailure` | The action to take when the operation fails for an object. `break` is the only allowable value during the preview. |

+¹ For a complete list of operation names, operation parameters, and parameter values, see the [Supported operations](#supported-operations) section of this article.

+

+The following operation applies a time-based immutability policy to the object.

+```json

+{

+ "operations": [

+ {

+ "name": "SetBlobImmutabilityPolicy",

+ "parameters": {

+ "untilDate": "2024-11-15T21:54:22",

+ "mode": "locked"

+ },

+ "onSuccess": "continue",

+ "onFailure": "break"

+ }

+ ]

+}

+```

+### Multiple operations

+Separate multiple operations by using a comma. The following image shows the position of two operations in list of operations.

+> [!div class="mx-imgBorder"]

+> 

+The following JSON shows two operations separate by a comma.

+```json

+"operations": [

+ {

+ "name": "SetBlobImmutabilityPolicy",

+ "parameters": {

+ "untilDate": "2024-11-15T21:54:22",

+ "mode": "locked"

+ },

+ "onSuccess": "continue",

+ "onFailure": "break"

+ },

+ {

+ "name": "SetBlobTags",

+ "parameters": {

+ "ImmutabilityUpdatedBy": "contosoStorageTask"

+ },

+ "onSuccess": "continue",

+ "onFailure": "break"

+ }

+]

+```

+## Supported operations

+The following table shows the supported operations, parameters, and parameter values:

+| Operation | Parameters | Values |

+||-||

+| SetBlobTier | tier | Hot \| Cold \| Archive |

+| SetBlobExpiry | expiryTime, expiryOption |(expiryTime): Number of milliseconds<br>(expiryOption): Absolute \| NeverExpire \| RelativeToCreation \| RelativeToNow |

+| DeleteBlob | None | None |

+| UndeleteBlob | None | None |

+| SetBlobTags | Tag name¹ | Tag value |

+| SetBlobImmutabilityPolicy | untilDate, mode | (untilDate): DateTime of when policy ends<br><br>(mode): locked \| unlocked |

+| SetBlobLegalHold | legalHold | true \| false |

+¹ The name of this parameter is the name of the tag.

+## See also

+- [Storage task conditions](storage-task-conditions.md)

+- [Define conditions and operations](storage-task-conditions-operations-edit.md)

+Id : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

+aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

+New-AzRoleAssignment -ObjectID "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" `

+ --assignee-object-id "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" \

+To get the OID for the service principal that corresponds to an app registration, you can use the `az ad sp show` command. Specify the Application ID as the parameter. Here's an example of obtaining the OID for the service principal that corresponds to an app registration with App ID = ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0. Run the following command in the Azure CLI:

+The `LifecyclePolicyCompleted` event is generated when the actions defined by a lifecycle management policy are performed. A summary section appears for each action that is included in the policy definition. The following json shows an example `LifecyclePolicyCompleted` event for a policy. Because the policy definition includes the `delete`, `tierToCool`, `tierToCold`, and `tierToArchive` actions, a summary section appears for each one.

+ "tierToColdSummary": {

+ "totalObjectsCount": 0,

+ "successCount": 0,

+ "errorList": ""

+ },

+|tierToColdSummary|vector\<byte\>|The results summary of blobs scheduled for tier-to-cold operation|

+> | **Examples** | `@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'`<br/>[Example: Allow read access to a container only from a specific private endpoint](storage-auth-abac-examples.md#example-allow-access-to-a-container-only-from-a-specific-private-endpoint) |

+> | **Examples** | `@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'`<br/>[Example: Allow access to blobs in specific containers from a specific subnet](storage-auth-abac-examples.md#example-allow-access-to-blobs-in-specific-containers-from-a-specific-subnet) |

+- West US 2

+- West Central US

+> | **Examples** | `@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'`<br/>[Example: Allow read access to a container only from a specific private endpoint](../blobs/storage-auth-abac-examples.md#example-allow-access-to-a-container-only-from-a-specific-private-endpoint) |

+> | **Examples** | `@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'`<br/>[Example: Allow access to blobs in specific containers from a specific subnet](../blobs/storage-auth-abac-examples.md#example-allow-access-to-blobs-in-specific-containers-from-a-specific-subnet) |

+- [Troubleshoot Azure role assignment conditions](../../role-based-access-control/conditions-troubleshoot.md)

+"message":"First Occurred: 02/04/2019 17:11:48 | Resource Name: ASAjob | Message: Source 'ASAjob' had 24 data errors of kind 'LateInputEvent' between processing times '2019-02-04T17:10:49.7250696Z' and '2019-02-04T17:11:48.7563961Z'. Input event with application timestamp '2019-02-04T17:05:51.6050000' and arrival time '2019-02-04T17:10:44.3090000' was sent later than configured tolerance.","type":"DiagnosticMessage","correlation ID":"aaaa0000-bb11-2222-33cc-444444dddddd"}

+ -ObjectId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

+MaintenanceConfigurationId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_Default

+- To learn more about dedicated SQL pools in Azure Synapse Analytics, see [What is dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics?](sql-data-warehouse-overview-what-is.md)

+ "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",

+ "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee"

+SystemAssigned aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb aaaabbbb-0000-cccc-1111-dddd2222eeee

+PS C:\> Get-AzADServicePrincipal -ObjectId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

+ServicePrincipalNames : {00001111-aaaa-2222-bbbb-3333cccc4444, https://identity.azure.net/P86P8g6nt1QxfPJx22om8MOooMf/Ag0Qf/nnREppHkU=}

+ApplicationId : 00001111-aaaa-2222-bbbb-3333cccc4444

+Id : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

+ "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",

+ "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222"