-|Roles and administrators| Manage role assignments in Azure AD B2C directory. Create and manage groups that can be assigned to Azure AD B2C roles. |[Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator), [Privileged Role Administrator](../active-directory/roles/permissions-reference.md#privileged-role-administrator)|

-description: Architectural guidance on achieving OAUTH 2.0 authentication with Microsoft Entra ID.

-# OAuth 2.0 authentication with Microsoft Entra ID

-* **Microsoft Entra ID**: Microsoft Entra ID is the authorization server, also known as the Identity Provider (IdP). It securely handles anything to do with the user's information, their access, and the trust relationship. It's responsible for issuing the tokens that grant and revoke access to resources.

-| Anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Anonymous IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)[Sigma rules]<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

-1. Follow the steps at [Enable passwordless phone sign-in authentication](../authentication/howto-authentication-passwordless-phone.md#enable-passwordless-phone-sign-in-authentication-methods)

-> | Java </p> Spring |Microsoft Entra Spring Boot Starter Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) <br/> &#8226; [Protect a web API](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | &#8226; [MSAL Java](/java/api/com.microsoft.aad.msal4j) <br/> &#8226; Microsoft Entra ID Boot Starter | Authorization code |

-> | Java </p> Servlets | Spring-less Servlet Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Authorization code |

-> | Java | [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | On-Behalf-Of (OBO) |

-> | Java | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Integrated-Windows-Auth-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Integrated Windows authentication |

-> | Java | &#8226; [Call Microsoft Graph with Secret](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-secret) <br/> &#8226; [Call Microsoft Graph with Certificate](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-certificate)| [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Client credentials grant|

-> | Java | [Sign in users and invoke protected API from text-only device](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Device-Code-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Device code |

-> | Web API | [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | On-Behalf-Of (OBO) |

-> | Desktop | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Integrated-Windows-Auth-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Integrated Windows authentication |

-> | Service/</br>daemon | &#8226; [Call Microsoft Graph with Secret](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-secret) <br/> &#8226; [Call Microsoft Graph with Certificate](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-certificate)| [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Client credentials grant|

-> | Web application |Microsoft Entra Spring Boot Starter Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) <br/> &#8226; [Protect a web API](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | &#8226; [MSAL Java](/java/api/com.microsoft.aad.msal4j) <br/> &#8226; Microsoft Entra ID Boot Starter | Authorization code |

-> | Web application | Spring-less Servlet Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Authorization code |

-The "Attempt Status" field under the "AzureAdPrt" field will provide the status of the previous PRT attempt, along with other required debug information. For earlier Windows versions, extract the information from the Microsoft Entra analytics and operational logs.

-See more information on Microsoft Entra temporary partial customer data transfers from the EU Data Boundary [Services that temporarily transfer a subset of customer data out of the EU Data Boundary](/privacy/eudb/eu-data-boundary-temporary-partial-transfers.md#security-services).

-See more information on Microsoft Entra permanent partial customer data transfers from the EU Data Boundary [Services that will permanently transfer a subset of customer data out of the EU Data Boundary](/privacy/eudb/eu-data-boundary-permanent-partial-transfers.md#security-services).

-See more information on optional service capabilities that transfer customer data out of the EU Data Boundary [Optional service capabilities that transfer customer data out of the EU Data Boundary](/privacy/eudb/eu-data-boundary-transfers-for-optional-capabilities.md#microsoft-entra-id).

- $toReplace = '(?<!(name=\"[^$]*|https?:\/\/aka.ms/[a-z|0-1]*))' + $($old)

-|[Legacy MFA & SSPR policy](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2024|

-

-

-When creating a new Access Review, choose the **Select Teams + groups** option and limit the scope to **Guest users only**. In the ΓÇ£Upon completion settingsΓÇ¥ section, for **Action to apply on denied users** you can define **Block users from signing-in for 30 days, then remove user from the tenant**.

- Get-MgOauth2PermissionGrant -Filter "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' consentType eq 'AllPrincipals'"

-The `MicrosoftGraphActivityLogs` provide administrators full visibility into all HTTP requests accessing your tenant's resources through the Microsoft Graph API. You can use these logs to identify activities that a compromised user account conducted in your tenant or to investigate problematic or unexpected behaviors for client applications, such as extreme call volumes. Route these logs to the same Log Analytics workspace with `SignInLogs` to cross-reference details of token requests for sign-in logs.

-The feature is currently in public preview. For more information, see [Access Microsoft Graph activity logs (preview)](/graph/microsoft-graph-activity-logs-overview).

-You may identify Microsoft Graph events that don't correlate to a service principal sign-in if you're routing `MicrosoftGraphActivityLogs` with `SignInLogs` to the same Log Analytics workspace. This integration allows you to cross reference the token issued by the Microsoft Graph activity with the sign-in. The `UniqueTokenIdentifier` in the Microsoft Graph activity logs would be missing from the service principal sign-in logs.

-description: Provides a general overview of Microsoft Entra recommendations.

-Keeping track of all the settings and resources in your tenant can be overwhelming. The Microsoft Entra recommendations feature helps monitor the status of your tenant so you don't have to. The Microsoft Entra recommendations feature helps ensure your tenant is in a secure and healthy state while also helping you maximize the value of the features available in Microsoft Entra ID.

-The Microsoft Entra recommendations feature provides you with personalized insights with actionable guidance to:

-This article gives you an overview of how you can use Microsoft Entra recommendations. As an administrator, you should review your tenant's Microsoft Entra recommendations, and their associated resources periodically.

-## What it is

-The Microsoft Entra recommendations feature is the Microsoft Entra specific implementation of [Azure Advisor](../../advisor/advisor-overview.md), which is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. Azure Advisor analyzes your resource configuration and usage data to recommend solutions that can help you improve the cost effectiveness, performance, reliability, and security of your Azure resources.

-*Microsoft Entra recommendations* use similar data to support you with the roll-out and management of Microsoft's best practices for Microsoft Entra tenants to keep your tenant in a secure and healthy state. The Microsoft Entra recommendations feature provides a holistic view into your tenant's security, health, and usage.

-## How it works

-On a daily basis, Microsoft Entra ID analyzes the configuration of your tenant. During this analysis, Microsoft Entra ID compares the data of a recommendation with the actual configuration of your tenant. If a recommendation is flagged as applicable to your tenant, the recommendation appears in the **Recommendations** section of the Identity Overview area. The recommendations are listed in order of priority so you can quickly determine where to focus first.

-

-## Next steps

-* [Learn how to use Microsoft Entra recommendations](howto-use-recommendations.md)

-* [Explore the details of the "Turn off per-user MFA" recommendation](recommendation-turn-off-per-user-mfa.md)

-* Confluence: 7.0.1 to 8.0.4.

-| 6.3.9 | Bug Fixes: | Confluence Server: 7.20.3 to 8.0.4 |

-* Confluence: 7.0.1 to 8.0.4.

-1. Configure the LinkedIn company page with your organization DID (decentralized identity) and URL of the custom Webapp. You cannot self-service the LinkedIn company page. Today, you need to fill in [this form](https://aka.ms/enablelinkedin) and we can enable your organization.

-> The app version required is Android **4.1.813** or newer, or IOS we require **9.27.2173** or newer. Keep in mind that inside the app, the version number shows **9.27.2336**, but in the App store the version number would be **9.1.312** or higher.

-### Availability may be impacted from high memory fragmentation. Increase fragmentation memory reservation to avoid potential impact.

-### Check Point Virtual Machine may lose Network Connectivity.

-Our internal telemetry indicates that your PostgreSQL flexible server may have inactive logical replication slots. THIS NEEDS IMMEDIATE ATTENTION. This can result in degraded server performance and unavailability due to WAL file retention and buildup of snapshot files. To improve performance and availability, we STRONGLY recommend that you IMMEDIATELY either delete the inactive replication slots, or start consuming the changes from these slots so that the slots' Log Sequence Number (LSN) advances and is close to the current LSN of the server.

-### Increase Media Services quotas or limits to ensure continuity of service.

-### You are close to exceeding storage quota of 2GB. Create a Standard search service.

-### You are close to exceeding storage quota of 50MB. Create a Basic or Standard search service.

-### You are close to exceeding your available storage quota. Add additional partitions if you need more storage.

-### Consider scaling out your App Service Plan to optimize user experience and availability.

-### Consider upgrading the hosting plan of the Static Web App(s) in this subscription to Standard SKU.

-| Tuning documents | Trains the Neural Machine Translation parameters. | **Be strict**. Compose them to be optimally representative of what you are going to translation in the future. |

-description: Learn how to automatically upgrade Azure Kubernetes Service (AKS) cluster node operating system images.

-# Automatically upgrade Azure Kubernetes Service cluster node operating system images

-AKS now supports an exclusive channel dedicated to controlling node-level OS security updates. This channel, referred to as the node OS auto-upgrade channel, can't be used for cluster-level Kubernetes version upgrades. To automatically upgrade Kubernetes versions, continue to use the cluster [auto-upgrade][Autoupgrade] channel.

-Node-level OS security updates come in at a faster cadence than Kubernetes patch or minor version updates. This is the main reason for introducing a separate, dedicated Node OS auto-upgrade channel. With this feature, you can have a flexible and customized strategy for node-level OS security updates and a separate plan for cluster-level Kubernetes version [auto-upgrades][Autoupgrade].

-## Using node OS auto-upgrade

-> Node OS image auto-upgrade won't affect the cluster's Kubernetes version, but it only works for a cluster in a [supported version][supported].

-## Cadence and Ownership

-### Register the 'NodeOsUpgradeChannelPreview' feature flag

-## Using node OS auto-upgrade with Planned Maintenance

-If youΓÇÖre using Planned Maintenance and node OS auto-upgrade, your upgrade starts during your specified maintenance window.

-> Starting with Kubernetes version 1.26, in-tree persistent volume types *kubernetes.io/azure-disk* and *kubernetes.io/azure-file* are deprecated and will no longer be supported. Removing these drivers following their deprecation is not planned, however you should migrate to the corresponding CSI drivers *disks.csi.azure.com* and *file.csi.azure.com*. To review the migration options for your storage classes and upgrade your cluster to use Azure Disks and Azure Files CSI drivers, see [Migrate from in-tree to CSI drivers][migrate-from-in-tree-csi-drivers].

-> If using an Azure Linux GPU node pool, automatic security patches aren't applied, and the default behavior for the cluster is *Unmanaged*. For more information, see [Using node OS auto-upgrade](./auto-upgrade-node-image.md#using-node-os-auto-upgrade).

-> If using an Azure Linux GPU node pool, automatic security patches aren't applied, and the default behavior for the cluster is *Unmanaged*. For more information, see [Using node OS auto-upgrade](./auto-upgrade-node-image.md#using-node-os-auto-upgrade).

-description: Learn how to deploy an application that uses OpenAI on Azure Kubernetes Service (AKS). #Required; article description that is displayed in search results.

- "intervalDays": 2

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-|Name |Ojbect |Description |

-You can distribute traffic between your old and new environment using an [Application Gateway](../networking/app-gateway-with-service-endpoints.md). If you're using an Internal Load Balancer (ILB) App Service Environment, see the [considerations](../networking/app-gateway-with-service-endpoints.md#considerations-for-ilb-ase) and [create an Azure Application Gateway](integrate-with-application-gateway.md) with an extra backend pool to distribute traffic between your environments. For internet facing App Service Environments, see these [considerations](../networking/app-gateway-with-service-endpoints.md#considerations-for-external-ase). You can also use services like [Azure Front Door](../../frontdoor/quickstart-create-front-door.md), [Azure Content Delivery Network (CDN)](../../cdn/cdn-add-to-web-app.md), and [Azure Traffic Manager](../../cdn/cdn-traffic-manager.md) to distribute traffic between environments. Using these services allows for testing of your new environment in a controlled manner and allows you to move to your new environment at your own pace.

-The following sections describe the DNS considerations and configuration that apply inbound to and outbound from your App Service Environment. The examples use the domain suffix `appserviceenvironment.net` from Azure Public Cloud. If you're using other clouds like Azure Government, you need to use their respective domain suffix.

-description: Explain topics related to certificates in an App Service Environment. Learn how certificate bindings work on the single-tenanted apps in an App Service Environment.

-Applications that are hosted in an App Service Environment support the following app-centric certificate features, which are also available in the multi-tenant App Service. For requirements and instructions for uploading and managing those certificates, see [Add a TLS/SSL certificate in Azure App Service](../configure-ssl-certificate.md).

-A common use case is to configure your app as a client in a client-server model. If you secure your server with a private CA certificate, you'll need to upload the client certificate to your app. The following instructions will load certificates to the trust store of the workers that your app is running on. You only need to upload the certificate once to use it with apps that are in the same App Service plan.

-1. Go to **TLS/SSL settings** in the app. Select **Public Key Certificate (.cer)**. Select **Upload Public Key Certificate**. Provide a name. Browse and select your *.cer* file. Select upload.

-The certificate will be available by all the apps in the same app service plan as the app, which configured that setting, but all apps that depend on the private CA certificate should have the Application Setting configured to avoid timing issues.

-If you need it to be available for apps in a different App Service plan, you'll need to repeat the app setting operation for the apps in that App Service plan. To check that the certificate is set, go to the Kudu console and issue the following command in the PowerShell debug console:

-description: Describes how Application Gateway integrates with Azure App Service.

-There are three variations of App Service that require slightly different configuration of the integration with Azure Application Gateway. The variations include regular App Service - also known as multitenant, Internal Load Balancer (ILB) App Service Environment and External App Service Environment. This article walks through how to configure it with App Service (multitenant) using service endpoint to secure traffic. The article also discusses considerations around using private endpoint and integrating with ILB, and External App Service Environment. Finally the article has considerations on scm/kudu site.

-App Service (multitenant) has a public internet facing endpoint. Using [service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md) you can allow traffic only from a specific subnet within an Azure Virtual Network and block everything else. In the following scenario, we use this functionality to ensure that an App Service instance can only receive traffic from a specific Application Gateway instance.

-There are two parts to this configuration besides creating the App Service and the Application Gateway. The first part is enabling service endpoints in the subnet of the Virtual Network where the Application Gateway is deployed. Service endpoints ensure all network traffic leaving the subnet towards the App Service is tagged with the specific subnet ID. The second part is to set an access restriction of the specific web app to ensure that only traffic tagged with this specific subnet ID is allowed. You can configure it using different tools depending on preference.

-## Using Azure portal

-With Azure portal, you follow four steps to create and configure the setup. If you have existing resources, you can skip the first steps.

-1. Create an App Service using one of the Quickstarts in the App Service documentation, for example [.NET Core Quickstart](../quickstart-dotnetcore.md)

-2. Create an Application Gateway using the [portal Quickstart](../../application-gateway/quick-create-portal.md), but skip the Add backend targets section.

-3. Configure [App Service as a backend in Application Gateway](../../application-gateway/configure-web-app.md), but skip the Restrict access section.

-4. Finally create the [access restriction using service endpoints](../../app-service/app-service-ip-restrictions.md#set-a-service-endpoint-based-rule).

-You can now access the App Service through Application Gateway. If you try to access the App Service directly, you should receive a 403 HTTP error indicating that the web site is stopped.

-## Using Azure Resource Manager template

-The [Resource Manager deployment template][template-app-gateway-app-service-complete] creates a complete scenario. The scenario consists of an App Service instance locked down with service endpoints and access restriction to only receive traffic from Application Gateway. The template includes many Smart Defaults and unique postfixes added to the resource names for it to be simple. To override them, you have to clone the repo or download the template and edit it.

-To apply the template, you can use the Deploy to Azure button found in the description of the template, or you can use appropriate PowerShell/CLI.

-## Using Azure CLI

-The [Azure CLI sample](../../app-service/scripts/cli-integrate-app-service-with-application-gateway.md) creates an App Service locked down with service endpoints and access restriction to only receive traffic from Application Gateway. If you only need to isolate traffic to an existing App Service from an existing Application Gateway, the following command is sufficient.

-In the default configuration, the command ensures both setup of the service endpoint configuration in the subnet and the access restriction in the App Service.

-## Considerations when using private endpoint

-As an alternative to service endpoint, you can use private endpoint to secure traffic between Application Gateway and App Service (multitenant). You need to ensure that Application Gateway can DNS resolve the private IP of the App Service apps. Alternatively you can use the private IP in the backend pool and override the host name in the http settings.

-Application Gateway caches the DNS lookup results. If you use FQDNs and rely on DNS lookup to get the private IP address, then you may need to restart the Application Gateway if the DNS update or link to Azure private DNS zone was done after configuring the backend pool. To restart the Application Gateway, you must start and stop the instance. You restart the Application Gateway using Azure CLI:

-## Considerations for ILB ASE

-ILB App Service Environment isn't exposed to the internet and traffic between the instance and an Application Gateway is therefore already isolated to the Virtual Network. The following [how-to guide](../environment/integrate-with-application-gateway.md) configures an ILB App Service Environment and integrates it with an Application Gateway using Azure portal.

-If you want to ensure that only traffic from the Application Gateway subnet is reaching the App Service Environment, you can configure a Network security group (NSG) which affect all web apps in the App Service Environment. For the NSG, you're able to specify the subnet IP range and optionally the ports (80/443). Make sure you don't override the [required NSG rules](../environment/network-info.md#network-security-groups) for App Service Environment to function correctly.

-To isolate traffic to an individual web app, you need to use IP-based access restrictions as service endpoints doesn't work with App Service Environment. The IP address should be the private IP of the Application Gateway instance.

-## Considerations for External ASE

-External App Service Environment has a public facing load balancer like multitenant App Service. Service endpoints don't work for App Service Environment, and that's why you have to use IP-based access restrictions using the public IP of the Application Gateway instance. To create an External App Service Environment using the Azure portal, you can follow this [Quickstart](../environment/create-external-ase.md)

-[template-app-gateway-app-service-complete]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-with-app-gateway-v2/ "Azure Resource Manager template for complete scenario"

-## Considerations for kudu/scm site

-The scm site, also known as kudu, is an admin site, which exists for every web app. It isn't possible to reverse proxy the scm site and you most likely also want to lock it down to individual IP addresses or a specific subnet.

-If you want to use the same access restrictions as the main site, you can inherit the settings using the following command.

-If you want to set individual access restrictions for the scm site, you can add access restrictions using the `--scm-site` flag like shown here.

-## Considerations when using default domain

-Configuring Application Gateway to override the host name and use the default domain of App Service (typically `azurewebsites.net`) is the easiest way to configure the integration and doesn't require configuring custom domain and certificate in App Service. [This article](/azure/architecture/best-practices/host-name-preservation) discusses the general considerations when overriding the original host name. In App Service, there are two scenarios where you need to pay attention with this configuration.

-When you're using [the authentication feature](../overview-authentication-authorization.md) in App Service (also known as Easy Auth), your app will typically redirect to the sign-in page. Because App Service doesn't know the original host name of the request, the redirect would be done on the default domain name and usually result in an error. To work around default redirect, you can configure authentication to inspect a forwarded header and adapt the redirect domain to the original domain. Application Gateway uses a header called `X-Original-Host`.

-Using [file-based configuration](../configure-authentication-file-based.md) to configure authentication, you can configure App Service to adapt to the original host name. Add this configuration to your configuration file:

-In multi-instance deployments, [ARR affinity](../configure-common.md?tabs=portal#configure-general-settings) ensures that client requests are routed to the same instance for the life of the session. ARR affinity doesn't work with host name overrides and you have to configure identical custom domain and certificate in App Service and in Application Gateway and not override host name for session affinity to work.

-For more information on the App Service Environment, see [App Service Environment documentation](../environment/index.yml).

-To further secure your web app, information about Web Application Firewall on Application Gateway can be found in the [Azure Web Application Firewall documentation](../../web-application-firewall/ag/ag-overview.md).

-Tutorial on [deploying a secure, resilient site with a custom domain](https://azure.github.io/AppService/2021/03/26/Secure-resilient-site-with-custom-domain) on App Service using either Azure Front Door or Application Gateway.

-description: Describes how NAT gateway integrates with Azure App Service.

-Azure NAT gateway is a fully managed, highly resilient service, which can be associated with one or more subnets and ensures that all outbound Internet-facing traffic will be routed through the gateway. With App Service, there are two important scenarios that you can use NAT gateway for.

-The NAT gateway gives you a static predictable public IP for outbound Internet-facing traffic. It also significantly increases the available [SNAT ports](../troubleshoot-intermittent-outbound-connection-errors.md) in scenarios where you have a high number of concurrent connections to the same public address/port combination.

-For more information and pricing. Go to the [Azure NAT Gateway overview](../../virtual-network/nat-gateway/nat-overview.md).

-> [!Note]

-> * Using a NAT gateway with App Service is dependent on virtual network integration, and therefore a supported App Service plan pricing tier is required.

-> * When using a NAT gateway together with App Service, all traffic to Azure Storage must be using private endpoint or service endpoint.

-> * A NAT gateway cannot be used together with App Service Environment v1 or v2.

-## Configuring NAT gateway integration

-To configure NAT gateway integration with App Service, you need to complete the following steps:

-* Configure regional virtual network integration with your app as described in [Integrate your app with an Azure virtual network](../overview-vnet-integration.md)

-* Ensure [Route All](../overview-vnet-integration.md#routes) is enabled for your virtual network integration so the Internet bound traffic will be affected by routes in your virtual network.

-* Provision a NAT gateway with a public IP and associate it with the virtual network integration subnet.

-Set up Azure NAT Gateway through the portal:

-1. Go to the **Networking** UI in the App Service portal and select virtual network integration in the Outbound Traffic section. Ensure that your app is integrated with a subnet and **Route All** has been enabled.

-1. On the Azure portal menu or from the **Home** page, select **Create a resource**. The **New** window appears.

-1. Search for "NAT gateway" and select it from the list of results.

-1. Fill in the **Basics** information and pick the region where your app is located.

-1. In the **Outbound IP** tab, create a new or select an existing public IP.

-1. In the **Subnet** tab, select the subnet used for virtual network integration.

-1. Fill in tags if needed and **Create** the NAT gateway. After the NAT gateway is provisioned, click on the **Go to resource group** and select the new NAT gateway. You can see the public IP that your app will use for outbound Internet-facing traffic in the Outbound IP blade.

-If you prefer using CLI to configure your environment, these are the important commands. As a prerequisite, you should create an app with virtual network integration configured.

-Ensure **Route All** is configured for your virtual network integration:

-```azurecli-interactive

-az webapp config set --resource-group [myResourceGroup] --name [myWebApp] --vnet-route-all-enabled

-```

-Create Public IP and NAT gateway:

-```azurecli-interactive

-az network public-ip create --resource-group [myResourceGroup] --name myPublicIP --sku standard --allocation static

-az network nat gateway create --resource-group [myResourceGroup] --name myNATgateway --public-ip-addresses myPublicIP --idle-timeout 10

-```

-Associate the NAT gateway with the virtual network integration subnet:

-```azurecli-interactive

-az network vnet subnet update --resource-group [myResourceGroup] --vnet-name [myVnet] --name [myIntegrationSubnet] --nat-gateway myNATgateway

-```

-## Scaling a NAT gateway

-The same NAT gateway can be used across multiple subnets in the same virtual network allowing a NAT gateway to be used across multiple apps and App Service plans.

-Azure NAT Gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,512 ports (SNAT ports) allowing up to 1M available ports. Learn more in the [Scaling section](../../virtual-network/nat-gateway/nat-gateway-resource.md#scalability) of Azure NAT Gateway.

-For more information on Azure NAT Gateway, see [Azure NAT Gateway documentation](../../virtual-network/nat-gateway/nat-overview.md).

-For more information on virtual network integration, see [Virtual network integration documentation](../overview-vnet-integration.md).

-View the health of the backend resources as determined by the probe using the [backend health view](./application-gateway-diagnostics.md#backend-health).

-description: Learn how to enable and manage access logs and performance logs for Azure Application Gateway

-# Backend health and diagnostic logs for Application Gateway

-You can monitor Azure Application Gateway resources in the following ways:

-* [Backend health](#backend-health): Application Gateway provides the capability to monitor the health of the servers in the backend pools through the Azure portal and through PowerShell. You can also find the health of the backend pools through the performance diagnostic logs.

-* [Logs](#diagnostic-logging): Logs allow for performance, access, and other data to be saved or consumed from a resource for monitoring purposes.

-* [Metrics](application-gateway-metrics.md): Application Gateway has several metrics that help you verify your system is performing as expected.

-## Backend health

-Application Gateway provides the capability to monitor the health of individual members of the backend pools through the portal, PowerShell, and the command-line interface (CLI). You can also find an aggregated health summary of backend pools through the performance diagnostic logs.

-The backend health report reflects the output of the Application Gateway health probe to the backend instances. When probing is successful and the back end can receive traffic, it's considered healthy. Otherwise, it's considered unhealthy.

-> [!IMPORTANT]

-> If there is a network security group (NSG) on an Application Gateway subnet, open port ranges 65503-65534 for v1 SKUs, and 65200-65535 for v2 SKUs on the Application Gateway subnet for inbound traffic. This port range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, won't be able to initiate any changes on those endpoints.

-### View backend health through the portal

-In the portal, backend health is provided automatically. In an existing application gateway, select **Monitoring** > **Backend health**.

-Each member in the backend pool is listed on this page (whether it's a NIC, IP, or FQDN). Backend pool name, port, backend HTTP settings name, and health status are shown. Valid values for health status are **Healthy**, **Unhealthy**, and **Unknown**.

-> [!NOTE]

-> If you see a backend health status of **Unknown**, ensure that access to the back end is not blocked by an NSG rule, a user-defined route (UDR), or a custom DNS in the virtual network.

-![Backend health][10]

-### View backend health through PowerShell

-The following PowerShell code shows how to view backend health by using the `Get-AzApplicationGatewayBackendHealth` cmdlet:

-```powershell

-Get-AzApplicationGatewayBackendHealth -Name ApplicationGateway1 -ResourceGroupName Contoso

-```

-### View backend health through Azure CLI

-```azurecli

-az network application-gateway show-backend-health --resource-group AdatumAppGatewayRG --name AdatumAppGateway

-```

-### Results

-The following snippet shows an example of the response:

-```json

-{

-"BackendAddressPool": {

- "Id": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/applicationGateway1/backendAddressPools/appGatewayBackendPool"

-},

-"BackendHttpSettingsCollection": [

- {

- "BackendHttpSettings": {

- "Id": "/00000000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/applicationGateway1/backendHttpSettingsCollection/appGatewayBackendHttpSettings"

- },

- "Servers": [

- {

- "Address": "hostname.westus.cloudapp.azure.com",

- "Health": "Healthy"

- },

- {

- "Address": "hostname.westus.cloudapp.azure.com",

- "Health": "Healthy"

- }

- ]

- }

-]

-}

-```

-## <a name="diagnostic-logging"></a>Diagnostic logs

-You can use different types of logs in Azure to manage and troubleshoot application gateways. You can access some of these logs through the portal. All logs can be extracted from Azure Blob storage and viewed in different tools, such as [Azure Monitor logs](/previous-versions/azure/azure-monitor/insights/azure-networking-analytics), Excel, and Power BI. You can learn more about the different types of logs from the following list:

-You have three options for storing your logs:

-* **Storage account**: Storage accounts are best used for logs when logs are stored for a longer duration and reviewed when needed.

-* **Event hubs**: Event hubs are a great option for integrating with other security information and event management (SIEM) tools to get alerts on your resources.

-* **Azure Monitor logs**: Azure Monitor logs is best used for general real-time monitoring of your application or looking at trends.

-# Application Gateway health monitoring overview

-The required probes are determined based on the unique combination of the Backend Server and Backend Setting. For example, consider a gateway with a single backend pool with two servers and two backend settings, each having different port numbers. When these distinct backend settings are associated with the same backend pool using their respective rules, the gateway creates probes for each server and the combination of the backend setting. You can view this on the [Backend health page](./application-gateway-diagnostics.md#backend-health).

-Once the match criteria is specified, it can be attached to probe configuration using a `-Match` parameter in PowerShell.

-> Using UDRs on the Application Gateway subnet might cause the health status in the [backend health view](./application-gateway-diagnostics.md#backend-health) to appear as **Unknown**. It also might cause generation of Application Gateway logs and metrics to fail. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the backend health, logs, and metrics.

- URLRewrite:

-[](https://shell.azure.com)

-[](https://shell.azure.com)

-> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

-* To understand how to authenticate using the Automation Run As account, see [Run As account](automation-security-overview.md#run-as-account).

-> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](migrate-run-as-accounts-managed-identity.md?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

-1. If you use Run As accounts as the authentication mechanism for your runbooks, ensure the following:

- - Track the service principals in your inventory. Service principals often have elevated permissions.

- - Delete any unused Run As accounts to minimize your exposed attack surface.

- - [Renew the Run As certificate](./manage-runas-account.md#cert-renewal) periodically.

- - Follow the RBAC guidelines to limit the permissions assigned to Run As account using this [script](./manage-runas-account.md#limit-run-as-account-permissions). Do not assign high privilege permissions like Contributor, Owner and so on.

-> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](migrate-run-as-accounts-managed-identity.md?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

-## Run As accounts

-> [!IMPORTANT]

-> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](migrate-run-as-accounts-managed-identity.md?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

-Run As accounts in Azure Automation provide authentication for managing Azure Resource Manager resources or resources deployed on the classic deployment model. There are two types of Run As accounts in Azure Automation:

-To renew a Run As account, permissions are needed at three levels:

-To renew Classic Run As accounts, you must have the Co-administrator role at the subscription level. To learn more about classic subscription permissions, see [Azure classic subscription administrators](../role-based-access-control/classic-administrators.md#add-a-co-administrator).

-### Run As account

-Run As Account consists of the following components:

-### Azure Classic Run As account

-Azure Classic Run As Account consists of the following components:

-> [!NOTE]

-> You must be a co-administrator on the subscription to renew this type of Run As account.

-## Service principal for Run As account

-The service principal for a Run As account doesn't have permissions to read Azure AD by default. If you want to add permissions to read or manage Azure AD, you must grant the permissions on the service principal under **API permissions**. To learn more, see [Add permissions to access your web API](../active-directory/develop/quickstart-configure-app-access-web-apis.md#add-permissions-to-access-your-web-api).

-## <a name="permissions"></a>Run As account permissions

-This section defines permissions for both regular Run As accounts and Classic Run As accounts.

-* To create or update or delete a Run As account, an Application administrator in Azure Active Directory and an Owner in the subscription can complete all the tasks.

-* To configure or renew or delete a Classic Run As accounts, you must have the Co-administrator role at the subscription level. To learn more about classic subscription permissions, see [Azure classic subscription administrators](../role-based-access-control/classic-administrators.md#add-a-co-administrator).

-In a situation where you have separation of duties, the following table shows a listing of the tasks, the equivalent cmdlet, and permissions needed:

-|Task|Cmdlet |Minimum Permissions |Where you set the permissions|

-|||||

-|Create Azure AD Application|[New-AzADApplication](/powershell/module/az.resources/new-azadapplication) | Application Developer role¹ |[Azure AD](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app)</br>Home > Azure AD > App Registrations |

-|Add a credential to the application.|[New-AzADAppCredential](/powershell/module/az.resources/new-azadappcredential) | Application Administrator or Global Administrator¹ |[Azure AD](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app)</br>Home > Azure AD > App Registrations|

-|Create and get an Azure AD service principal|[New-AzADServicePrincipal](/powershell/module/az.resources/new-azadserviceprincipal)</br>[Get-AzADServicePrincipal](/powershell/module/az.resources/get-azadserviceprincipal) | Application Administrator or Global Administrator¹ |[Azure AD](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app)</br>Home > Azure AD > App Registrations|

-|Assign or get the Azure role for the specified principal|[New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment)</br>[Get-AzRoleAssignment](/powershell/module/Az.Resources/Get-AzRoleAssignment) | User Access Administrator or Owner, or have the following permissions:</br></br><code>Microsoft.Authorization/Operations/read</br>Microsoft.Authorization/permissions/read</br>Microsoft.Authorization/roleDefinitions/read</br>Microsoft.Authorization/roleAssignments/write</br>Microsoft.Authorization/roleAssignments/read</br>Microsoft.Authorization/roleAssignments/delete</code></br></br> | [Subscription](../role-based-access-control/role-assignments-portal.md)</br>Home > Subscriptions > \<subscription name\> - Access Control (IAM)|

-|Create or remove an Automation certificate|[New-AzAutomationCertificate](/powershell/module/Az.Automation/New-AzAutomationCertificate)</br>[Remove-AzAutomationCertificate](/powershell/module/az.automation/remove-azautomationcertificate) | Contributor on resource group |Automation account resource group|

-|Create or remove an Automation connection|[New-AzAutomationConnection](/powershell/module/az.automation/new-azautomationconnection)</br>[Remove-AzAutomationConnection](/powershell/module/az.automation/remove-azautomationconnection)|Contributor on resource group |Automation account resource group|

-¹ Non-administrator users in your Azure AD tenant can [register AD applications](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app) if the Azure AD tenant's **Users can register applications** option on the **User settings** page is set to **Yes**. If the application registration setting is **No**, the user performing this action must be as defined in this table.

-If you aren't a member of the subscription's Active Directory instance before you're added to the Global Administrator role of the subscription, you're added as a guest. In this situation, you receive a `You do not have permissions to create…` warning on the **Add Automation account** page.

-To verify that the situation producing the error message has been remedied:

-1. From the Azure Active Directory pane in the Azure portal, select **Users and groups**.

-2. Select **All users**.

-3. Choose your name, then select **Profile**.

-4. Ensure that the value of the **User type** attribute under your user's profile isn't set to **Guest**.

-> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

-To learn more about permissions, see [Run As account permissions](automation-security-overview.md#permissions).

-description: This article tells how to manage your Azure Automation Run As account with PowerShell or from the Azure portal.

-# Manage an Azure Automation Run As account

-> [!IMPORTANT]

-> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

-Run As accounts in Azure Automation provide authentication for managing resources on the Azure Resource Manager or Azure Classic deployment model using Automation runbooks and other Automation features.

-In this article we cover how to manage a Run as or Classic Run As account, including:

- * How to renew a self-signed certificate

- * How to renew a certificate from an enterprise or third-party certificate authority (CA)

- * Manage permissions for the Run As account

-To learn more about Azure Automation account authentication, permissions required to manage the Run as account, and guidance related to process automation scenarios, see [Automation Account authentication overview](automation-security-overview.md).

-## <a name="cert-renewal"></a>Renew a self-signed certificate

-The self-signed certificate that you have created for the Run As account expires one month from the date of creation. At some point before your Run As account expires, you must renew the certificate. You can renew it any time before it expires.

-When you renew the self-signed certificate, the current valid certificate is retained to ensure that any runbooks that are queued up or actively running, and that authenticate with the Run As account, aren't negatively affected. The certificate remains valid until its expiration date.

->[!NOTE]

->If you think that the Run As account has been compromised, you can delete and re-create the self-signed certificate.

->[!NOTE]

->If you have configured your Run As account to use a certificate issued by your enterprise or third-party CA and you use the option to renew a self-signed certificate option, the enterprise certificate is replaced by a self-signed certificate. To renew your certificate in this case, see [Renew an enterprise or third-party certificate](#renew-an-enterprise-or-third-party-certificate).

-Use the following steps to renew the self-signed certificate.

-1. Sign-in to the [Azure portal](https://portal.azure.com).

-1. Go to your Automation account and select **Run As Accounts** in the account settings section.

- :::image type="content" source="media/manage-run-as-account/automation-account-properties-pane.png" alt-text="Automation account properties pane.":::

-1. On the **Run As Accounts** properties page, select either **Run As Account** or **Classic Run As Account** depending on which account you need to renew the certificate for.

-1. On the **Properties** page for the selected account, select **Renew certificate**.

- :::image type="content" source="media/manage-run-as-account/automation-account-renew-run-as-certificate.png" alt-text="Renew certificate for Run As account.":::

-1. While the certificate is being renewed, you can track the progress under **Notifications** from the menu.

-## Renew an enterprise or third-party certificate

-Every certificate has a built-in expiration date. If the certificate you assigned to the Run As account was issued by a certification authority (CA), you need to perform a different set of steps to configure the Run As account with the new certificate before it expires. You can renew it any time before it expires.

-1. Import the renewed certificate following the steps for [Create a new certificate](./shared-resources/certificates.md#create-a-new-certificate). Automation requires the certificate to have the following configuration:

- * Specify the provider **Microsoft Enhanced RSA and AES Cryptographic Provider**

- * Marked as exportable

- * Configured to use the SHA256 algorithm

- * Saved in the `*.pfx` or `*.cer` format.

- After you import the certificate, note or copy the certificate **Thumbprint** value. This value is used to update the Run As connection properties with the new certificate.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Automation Accounts**.

-1. On the Automation Accounts page, select your Automation account from the list.

-1. In the left pane, select **Connections**.

-1. On the **Connections** page, select **AzureRunAsConnection** and update the **Certificate Thumbprint** with the new certificate thumbprint.

-1. Select **Save** to commit your changes.

-## Grant Run As account permissions in other subscriptions

-Azure Automation supports using a single Automation account from one subscription, and executing runbooks against Azure Resource Manager resources across multiple subscriptions. This configuration does not support the Azure Classic deployment model.

-You assign the Run As account service principal the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role in the other subscription, or more restrictive permissions. For more information, see [Role-based access control](automation-role-based-access-control.md) in Azure Automation. To assign the Run As account to the role in the other subscription, the user account performing this task needs to be a member of the **Owner** role in that subscription.

-> [!NOTE]

-> This configuration only supports multiple subscriptions of an organization using a common Azure AD tenant.

-Before granting the Run As account permissions, you need to first note the display name of the service principal to assign.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. From your Automation account, select **Run As Accounts** under **Account Settings**.

-1. Select **Azure Run As Account**.

-1. Copy or note the value for **Display Name** on the **Azure Run As Account** page.

-For detailed steps for how to add role assignments, check out the following articles depending on the method you want to use.

-* [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md)

-* [Assign Azure roles using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)

-* [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)

-* [Assign Azure roles using the REST API](..//role-based-access-control/role-assignments-rest.md)

-After assigning the Run As account to the role, in your runbook specify `Set-AzContext -SubscriptionId "xxxx-xxxx-xxxx-xxxx"` to set the subscription context to use. For more information, see [Set-AzContext](/powershell/module/az.accounts/set-azcontext).

-## Check role assignment for Azure Automation Run As account

-To check the role assigned to the Automation Run As account Azure AD, follow these steps:

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. Go to your Automation account and in **Account Settings**, select **Run as accounts**.

-1. Select **Azure Run as Account** to view the **Application ID**.

- :::image type="content" source="media/manage-run-as-account/automation-run-as-app-id.png" alt-text="Screenshot that describes on how to copy application ID.":::

-1. Go to Azure portal and search for **Azure Active Directory**.

-1. On the **Active Directory Overview** page, **Overview** tab, in the search box, enter the Application ID.

- :::image type="content" source="media/manage-run-as-account/active-directory-app-id-inline.png" alt-text="Screenshot that describes application ID copied in the Overview tab." lightbox="media/manage-run-as-account/active-directory-app-id-expanded.png":::

- In the **Enterprise applications** section, you will see the display name of your Run As Account.

-1. Select the application ID and in the properties page of that ID, go to **Overview** blade, **Properties**, and copy the name of the Enterprise application.

-1. Go to Azure portal and search for your **Subscription** and select your subscription.

-1. Go to **Access Control (IAM)**, **Role Assignment** and paste the name of the Enterprise application in the search box to view the App along with the role and scope assigned to it.

-For example: in the screenshot below, the Run As Account Azure AD App has the Contributor access at the subscription level.

- :::image type="content" source="media/manage-run-as-account/check-role-assignments-inline.png" alt-text="Screenshot that describes how to view the role and scope assigned to the enterprise application." lightbox="media/manage-run-as-account/check-role-assignments-expanded.png":::

-## Limit Run As account permissions

-To control the targeting of Automation against resources in Azure, you can run the [Update-AutomationRunAsAccountRoleAssignments.ps1](https://aka.ms/AA5hug8) script. This script changes your existing Run As account service principal to create and use a custom role definition. The role has permissions for all resources except [Key Vault](../key-vault/index.yml).

->[!IMPORTANT]

->After you run the **Update-AutomationRunAsAccountRoleAssignments.ps1** script, runbooks that access Key Vault through the use of Run As accounts no longer work. Before running the script, you should review runbooks in your account for calls to Azure Key Vault. To enable access to Key Vault from Azure Automation runbooks, you must [add the Run As account to Key Vault's permissions](#add-permissions-to-key-vault).

-If you need to further restrict what the Run As service principal can do, you can add other resource types to the `NotActions` element of the custom role definition. The following example restricts access to `Microsoft.Compute/*`. If you add this resource type to `NotActions` for the role definition, the role will not be able to access any Compute resource. To learn more about role definitions, see [Understand role definitions for Azure resources](../role-based-access-control/role-definitions.md).

-```powershell

-$roleDefinition = Get-AzRoleDefinition -Name 'Automation RunAs Contributor'

-$roleDefinition.NotActions.Add("Microsoft.Compute/*")

-$roleDefinition | Set-AzRoleDefinition

-```

-You can determine if the service principal used by your Run As account assigned the **Contributor** role or a custom one.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Go to your Automation account and select **Run As Accounts** in the account settings section.

-1. Select **Azure Run As Account**.

-1. Select **Role** to locate the role definition that is being used.

-You can also determine the role definition used by the Run As accounts for multiple subscriptions or Automation accounts. Do this by using the [Check-AutomationRunAsAccountRoleAssignments.ps1](https://aka.ms/AA5hug5) script in the PowerShell Gallery.

-### Add permissions to Key Vault

-You can allow Azure Automation to verify if Key Vault and your Run As account service principal are using a custom role definition. You must:

-* Grant permissions to Key Vault.

-* Set the access policy.

-You can use the [Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1](https://aka.ms/AA5hugb) script in the PowerShell Gallery to grant your Run As account permissions to Key Vault. See [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-powershell.md) for more details on setting permissions on Key Vault.

-## Next steps

-* [Application Objects and Service Principal Objects](../active-directory/develop/app-objects-and-service-principals.md).

-* [Certificates overview for Azure Cloud Services](../cloud-services/cloud-services-certs-create.md).

-* If you no longer need to use a Run As account, see [Delete a Run As account](delete-run-as-account.md).

-> Azure Automation Run As accounts will retire on *30 September 2023* and completely move to [Managed Identities](automation-security-overview.md#managed-identities). All runbook executions using RunAs accounts, including Classic Run As accounts wouldn't be supported after this date. Starting 01 April 2023, the creation of **new** Run As accounts in Azure Automation will not be possible.

-1. Assign the same role to the managed identity to access the Azure resources that match the Run As account. Follow the steps in [Check the role assignment for the Azure Automation Run As account](manage-run-as-account.md#check-role-assignment-for-azure-automation-run-as-account). Use this [script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/AssignMIRunAsRoles.ps1) to enable the System assigned identity in an Automation account and assign the same set of permissions present in Azure Automation Run as account to System Assigned identity of the Automation account.

- Ensure that you don't assign high-privilege permissions like contributor or owner to the Run As account. Follow the role-based access control (RBAC) guidelines to limit the permissions from the default contributor permissions assigned to a Run As account by using [this script](manage-run-as-account.md#limit-run-as-account-permissions).

- For example, if the Automation account is required only to start or stop an Azure VM, then the permissions assigned to the Run As account need to be only for starting or stopping the VM. Similarly, assign read-only permissions if a runbook is reading from Azure Blob Storage. For more information, see [Azure Automation security guidelines](../automation/automation-security-guidelines.md#authentication-certificate-and-identities).

-This error occurs when you attempt to use a [Run As account](../automation-security-overview.md#run-as-accounts) in a runbook that runs on a Hybrid Runbook Worker where the Run As account certificate isn't present. Hybrid Runbook Workers don't have the certificate asset locally by default. The Run As account requires this asset to operate properly.

-This error occurs when you attempt to use a [Run As account](../automation-security-overview.md#run-as-accounts) in a runbook that runs on a Hybrid Runbook Worker where the Run As account certificate isn't present. Hybrid Runbook Workers don't have the certificate asset locally by default. The Run As account requires this asset to operate properly.

- * [Renew the certificate](../manage-runas-account.md#cert-renewal) if the Run As account has expired.

-This error can occur when you're not using a Run As account or the Run As account has expired. For more information, see [Azure Automation Run As accounts overview](../automation-security-overview.md#run-as-accounts).

-[Add permissions to Key Vault](../manage-runas-account.md#add-permissions-to-key-vault) to ensure that your Run As account has sufficient permissions to access Key Vault.

-## Run As accounts

-### <a name="unable-create-update"></a>Scenario: You're unable to create or update a Run As account

-#### Issue

-When you try to create or update a Run As account, you receive an error similar to the following:

-```error

-You do not have permissions to create…

-```

-#### Cause

-You don't have the permissions that you need to create or update the Run As account, or the resource is locked at a resource group level.

-#### Resolution

-To create or update a Run As account, you must have appropriate [permissions](../automation-security-overview.md#permissions) to the various resources used by the Run As account.

-If the problem is because of a lock, verify that the lock can be removed. Then go to the resource that is locked in Azure portal, right-click the lock, and select **Delete**.

-> Azure Automation Run As account will retire on **September 30, 2023** and will be replaced with Managed Identities. Ensure that you start migrating your runbooks to use [managed identities](../automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](../migrate-run-as-accounts-managed-identity.md#sample-scripts) to start migrating the runbooks from Run As accounts to managed identities before **September 30, 2023**.

-* Verify that your [Run As account](../automation-security-overview.md#run-as-accounts) has proper permissions to the VMs you're trying to start or stop. To learn how to check the permissions on a resource, see [Quickstart: View roles assigned to a user using the Azure portal](../../role-based-access-control/check-access.md). You'll need to provide the application ID for the service principal used by the Run As account. You can retrieve this value by going to your Automation account in the Azure portal. Select **Run as accounts** under **Account Settings**, and select the appropriate Run As account.

-If your Run As account is misconfigured, delete and re-create your Run As account. For more information, see [Azure Automation Run As accounts](../automation-security-overview.md#run-as-accounts).

-If the certificate is expired for your Run As account, follow the steps in [Self-signed certificate renewal](../manage-runas-account.md#cert-renewal) to renew the certificate.

-> Requires [azure-appconfiguration-provider](https://pypi.org/project/azure-appconfiguration-provider/1.1.0b1/) package version 1.1.0b1 or later.

-None.

-Container insights provides a rich monitoring experience for the Azure Kubernetes Service (AKS) and [AKS Engine on Azure](https://github.com/Azure/aks-engine), which is a self-managed Kubernetes cluster hosted on Azure. This article describes how to enable monitoring of Kubernetes clusters hosted outside of Azure and achieve a similar monitoring experience.

- - AKS Engine on Azure and Azure Stack. For more information, see [AKS Engine on Azure Stack](/azure-stack/user/azure-stack-kubernetes-aks-engine-overview).

- - [AKS engine](https://github.com/Azure/aks-engine)

->All backups require a backup vault. If you have existing backups, you must migrate backups to a backup vault before you can perform any operation with a backup. For more information about this procedure, see [Manage backup vaults](backup-vault-manage.md).

-See [Restore a snapshot to a new volume](snapshots-restore-new-volume.md) about volume restore operations.

- The Volumes page displays the new volume that the snapshot restores to.

-### <a name="rdscal"></a>Does Azure Bastion require an RDS CAL for administrative purposes on Azure-hosted VMs?

-No, access to Windows Server VMs by Azure Bastion doesn't require an [RDS CAL](https://www.microsoft.com/p/windows-server-remote-desktop-services-cal/dg7gmgf0dvsv?activetab=pivot:overviewtab) when used solely for administrative purposes.

-

-1. On the **Add subnet page**, create the 'AzureBastionSubnet' subnet using the following values. Leave the other values as default.

-(Azure RBAC), users must have contributor access or above at the storage account level.

-If you mount an existing fileshare, the storage accounts must be located in your select Cloud Shell

-region. Retrieve the location by running `env` and checking the `ACC_LOCATION`.

-#### The `clouddrive mount` command

-1. Click the **Download** button.

- **Upload** option.

-1. Your browser will open a file dialog. Select the file you want to upload then click the **Open**

- button.

-In the workload profiles environment, user-defined routes (UDRs) and securing outbound traffic with a firewall are supported. Learn more in the [networking concepts document](./networking.md#user-defined-routes-udr).

-[](https://shell.azure.com)

-# Custom partitioning in Azure Synapse Link for Azure Cosmos DB (Preview)

-> [!IMPORTANT]

-> Custom partitioning feature is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> Azure Cosmos DB accounts should have [Azure Synapse Link](synapse-link.md) enabled to take advantage of custom partitioning.

- let topRequestsByRUcharge = CDBDataPlaneRequests

- | where TimeGenerated > ago(24h)

- | project RequestCharge , TimeGenerated, ActivityId;

- let topRequestsByRUcharge = AzureDiagnostics

- | where Category == "DataPlaneRequests" and TimeGenerated > ago(1h)

- | project requestCharge_s , TimeGenerated, activityId_g;

- let throttledRequests = CDBDataPlaneRequests

- | where StatusCode == "429"

- | project OperationName , TimeGenerated, ActivityId;

- let throttledRequests = AzureDiagnostics

- | where Category == "DataPlaneRequests"

- | where statusCode_s == "429"

- | project OperationName , TimeGenerated, activityId_g;

- let operationsbyUserAgent = CDBDataPlaneRequests

- | project OperationName, DurationMs, RequestCharge, ResponseLength, ActivityId;

- let operationsbyUserAgent = AzureDiagnostics

- | where Category=="DataPlaneRequests"

- | project OperationName, duration_s, requestCharge_s, responseLength_s, activityId_g;

-### Using Azure Resource Manager templates

- }

- ...

- "returnStoredSource": true

- }

- _id: ObjectId("645acb54413be5502badff94"),

- name: 'Eugenia Lopez',

- bio: 'Eugenia is the CEO of AdvenureWorks.',

- vectorContent: [ 0.51, 0.12, 0.23 ]

- _id: ObjectId("645acb54413be5502badff97"),

- name: 'Rory Nguyen',

- bio: 'Rory Nguyen is the founder of AdventureWorks and the president of the Our Planet initiative.',

- vectorContent: [ 0.91, 0.76, 0.83 ]

- | **MongoRequests** | Mongo | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB for MongoDB. When you enable this category, make sure to disable DataPlaneRequests. | `Requestcharge`, `opCode`, `retryCount`, `piiCommandText` |

- | **CassandraRequests** | Cassandra | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB for Cassandra. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText` |

- | **GremlinRequests** | Gremlin | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB for Gremlin. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText`, `retriedDueToRateLimiting` |

- | **QueryRuntimeStatistics** | NoSQL | This table details query operations executed against an API for NoSQL account. By default, the query text and its parameters are obfuscated to avoid logging personal data with full text query logging available by request. | `databasename`, `partitionkeyrangeid`, `querytext` |

- | **PartitionKeyRUConsumption** | API for NoSQL | Logs the aggregated per-second RU/s consumption of partition keys. This table is useful for troubleshooting hot partitions. Currently, Azure Cosmos DB reports partition keys for API for NoSQL accounts only and for point read/write, query, and stored procedure operations. | `subscriptionId`, `regionName`, `partitionKey`, `requestCharge`, `partitionKeyRangeId` |

-description: Learn how to configure an Azure AD identity for certificate-based authentication to access keys from Azure Cosmos DB.

-# Certificate-based authentication for an Azure AD identity to access keys from an Azure Cosmos DB account

-Certificate-based authentication enables your client application to be authenticated by using Azure Active Directory (Azure AD) with a client certificate. You can perform certificate-based authentication on a machine where you need an identity, such as an on-premises machine or virtual machine in Azure. Your application can then read Azure Cosmos DB keys without having the keys directly in the application. This article describes how to create a sample Azure AD application, configure it for certificate-based authentication, sign into Azure using the new application identity, and then it retrieves the keys from your Azure Cosmos DB account. This article uses Azure PowerShell to set up the identities and provides a C# sample app that authenticates and accesses keys from your Azure Cosmos DB account.

-## Prerequisites

-* Install the [latest version](/powershell/azure/install-azure-powershell) of Azure PowerShell.

-* If you don't have an [Azure subscription](../../guides/developer/azure-developer-guide.md#understanding-accounts-subscriptions-and-billing), create a [free account](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.

-## Register an app in Azure AD

-In this step, you will register a sample web application in your Azure AD account. This application is later used to read the keys from your Azure Cosmos DB account. Use the following steps to register an application:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Open the Azure **Active Directory** pane, go to **App registrations** pane, and select **New registration**.

- :::image type="content" source="./media/certificate-based-authentication/new-app-registration.png" alt-text="New application registration in Active Directory":::

-1. Fill the **Register an application** form with the following details:

- * **Name** ΓÇô Provide a name for your application, it can be any name such as "sampleApp".

- * **Supported account types** ΓÇô Choose **Accounts in this organizational directory only (Default Directory)** to allow resources in your current directory to access this application.

- * **Redirect URL** ΓÇô Choose application of type **Web** and provide a URL where your application is hosted, it can be any URL. For this example, you can provide a test URL such as `https://sampleApp.com` it's okay even if the app doesn't exist.

- :::image type="content" source="./media/certificate-based-authentication/register-sample-web-app.png" alt-text="Registering a sample web application":::

-1. Select **Register** after you fill the form.

-1. After the app is registered, make a note of the **Application(client) ID** and **Object ID**, you will use these details in the next steps.

- :::image type="content" source="./media/certificate-based-authentication/get-app-object-ids.png" alt-text="Get the application and object IDs":::

-## Install the AzureAD module

-In this step, you will install the Azure AD PowerShell module. This module is required to get the ID of the application you registered in the previous step and associate a self-signed certificate to that application.

-1. Open Windows PowerShell ISE with administrator rights. If you haven't already done, install the AZ PowerShell module and connect to your subscription. If you have multiple subscriptions, you can set the context of current subscription as shown in the following commands:

- ```powershell

- Install-Module -Name Az -AllowClobber

- Connect-AzAccount

- Get-AzSubscription

- $context = Get-AzSubscription -SubscriptionId <Your_Subscription_ID>

- Set-AzContext $context

- ```

-1. Install and import the [AzureAD](/powershell/module/azuread/) module

- ```powershell

- Install-Module AzureAD

- Import-Module AzureAD

- # On PowerShell 7.x, use the -UseWindowsPowerShell parameter

- # Import-Module AzureAD -UseWindowsPowerShell

- ```

-## Sign into your Azure AD

-Sign into your Azure AD where you have registered the application. Use the Connect-AzureAD command to sign into your account, enter your Azure account credentials in the pop-up window.

-```powershell

-Connect-AzureAD

-```

-## Create a self-signed certificate

-Open another instance of Windows PowerShell ISE, and run the following commands to create a self-signed certificate and read the key associated with the certificate:

-```powershell

-$cert = New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" -Subject "CN=sampleAppCert" -KeySpec KeyExchange

-$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

-```

-## Create the certificate-based credential

-Next run the following commands to get the object ID of your application and create the certificate-based credential. In this example, we set the certificate to expire after a year, you can set it to any required end date.

-```powershell

-$application = Get-AzureADApplication -ObjectId <Object_ID_of_Your_Application>

-New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Key1" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue -EndDate "2020-01-01"

-```

-The above command results in the output similar to the screenshot below:

-## Configure your Azure Cosmos DB account to use the new identity

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Navigate to your Azure Cosmos DB account.

-1. Assign the Contributor role to the sample app you created in the previous section.

- For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-## Register your certificate with Azure AD

-You can associate the certificate-based credential with the client application in Azure AD from the Azure portal. To associate the credential, you must upload the certificate file with the following steps:

-In the Azure app registration for the client application:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Open the Azure **Active Directory** pane, go to the **App registrations** pane, and open the sample app you created in the previous step.

-1. Select **Certificates & secrets** and then **Upload certificate**. Browse the certificate file you created in the previous step to upload.

-1. Select **Add**. After the certificate is uploaded, the thumbprint, start date, and expiration values are displayed.

-## Access the keys from PowerShell

-In this step, you will sign into Azure by using the application and the certificate you created and access your Azure Cosmos DB account's keys.

-1. Initially clear the Azure account's credentials you have used to sign into your account. You can clear credentials by using the following command:

- ```powershell

- Disconnect-AzAccount -Username <Your_Azure_account_email_id>

- ```

-1. Next validate that you can sign into Azure portal by using the application's credentials and access the Azure Cosmos DB keys:

- ```powershell

- Login-AzAccount -ApplicationId <Your_Application_ID> -CertificateThumbprint $cert.Thumbprint -ServicePrincipal -Tenant <Tenant_ID_of_your_application>

- Get-AzCosmosDBAccountKey `

- -ResourceGroupName "<Resource_Group_Name_of_your_Azure_Cosmos_account>" `

- -Name "<Your_Azure_Cosmos_Account_Name>" `

- -Type "Keys"

- ```

-The previous command will display the primary and secondary primary keys of your Azure Cosmos DB account. You can view the Activity log of your Azure Cosmos DB account to validate that the get keys request succeeded and the event is initiated by the "sampleApp" application.

-## Access the keys from a C# application

-You can also validate this scenario by accessing keys from a C# application. The following C# console application, that can access Azure Cosmos DB keys by using the app registered in Active Directory. Make sure to update the tenantId, clientID, certName, resource group name, subscription ID, Azure Cosmos DB account name details before you run the code.

-```csharp

-using System;

-using Microsoft.IdentityModel.Clients.ActiveDirectory;

-using System.Linq;

-using System.Net.Http;

-using System.Security.Cryptography.X509Certificates;

-using System.Threading;

-using System.Threading.Tasks;

-

-namespace TodoListDaemonWithCert

-{

- class Program

- {

- private static string aadInstance = "https://login.windows.net/";

- private static string tenantId = "<Your_Tenant_ID>";

- private static string clientId = "<Your_Client_ID>";

- private static string certName = "<Your_Certificate_Name>";

-

- private static int errorCode = 0;

- static int Main(string[] args)

- {

- MainAync().Wait();

- Console.ReadKey();

-

- return 0;

- }

-

- static async Task MainAync()

- {

- string authContextURL = aadInstance + tenantId;

- AuthenticationContext authContext = new AuthenticationContext(authContextURL);

- X509Certificate2 cert = ReadCertificateFromStore(certName);

-

- ClientAssertionCertificate credential = new ClientAssertionCertificate(clientId, cert);

- AuthenticationResult result = await authContext.AcquireTokenAsync("https://management.azure.com/", credential);

- if (result == null)

- {

- throw new InvalidOperationException("Failed to obtain the JWT token");

- }

-

- string token = result.AccessToken;

- string subscriptionId = "<Your_Subscription_ID>";

- string rgName = "<ResourceGroup_of_your_Cosmos_account>";

- string accountName = "<Your_Cosmos_account_name>";

- string cosmosDBRestCall = $"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/listKeys?api-version=2015-04-08";

-

- Uri restCall = new Uri(cosmosDBRestCall);

- HttpClient httpClient = new HttpClient();

- httpClient.DefaultRequestHeaders.Remove("Authorization");

- httpClient.DefaultRequestHeaders.Add("Authorization", "Bearer " + token);

- HttpResponseMessage response = await httpClient.PostAsync(restCall, null);

-

- Console.WriteLine("Got result {0} and keys {1}", response.StatusCode.ToString(), response.Content.ReadAsStringAsync().Result);

- }

-

- /// <summary>

- /// Reads the certificate

- /// </summary>

- private static X509Certificate2 ReadCertificateFromStore(string certName)

- {

- X509Certificate2 cert = null;

- X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

- store.Open(OpenFlags.ReadOnly);

- X509Certificate2Collection certCollection = store.Certificates;

-

- // Find unexpired certificates.

- X509Certificate2Collection currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);

-

- // From the collection of unexpired certificates, find the ones with the correct name.

- X509Certificate2Collection signingCert = currentCerts.Find(X509FindType.FindBySubjectName, certName, false);

-

- // Return the first certificate in the collection, has the right name and is current.

- cert = signingCert.OfType<X509Certificate2>().OrderByDescending(c => c.NotBefore).FirstOrDefault();

- store.Close();

- return cert;

- }

- }

-}

-```

-This script outputs the primary and secondary primary keys as shown in the following screenshot:

-Similar to the previous section, you can view the Activity log of your Azure Cosmos DB account to validate that the get keys request event is initiated by the "sampleApp" application.

-## Next steps

-* [Secure Azure Cosmos DB keys using Azure Key Vault](../store-credentials-key-vault.md)

-* [Security baseline for Azure Cosmos DB](../security-baseline.md)

-> [Contact us](mailto:askcosmosdb4postgres@microsoft.com) if you're interested in participating in Azure Active Directory authentication

-> for Azure Cosmos DB for PostgreSQL preview.

->

-`tenant_id`. First [create the roles](howto-create-users.md) `tenant1` and

-Learn how to [create roles](howto-create-users.md) in a

-cluster.

-description: Learn how to set up Azure Active Directory (Azure AD) and add native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL.

-> [Contact us](mailto:askcosmosdb4postgres@microsoft.com) if you're interested in participating in Azure Active Directory authentication

-> for Azure Cosmos DB for PostgreSQL preview.

->

-* Ensure appropriate [logins](./howto-create-users.md) and database level permissions are in place.

- The **psql** string is of the form `psql "host=c-<cluster>.<uniqueID>.postgres.cosmos.azure.com port=5432 dbname=citus user=citus password={your_password} sslmode=require"`. Notice that the host name starts with a `c.`, for example `c-mycluster.12345678901234.postgres.cosmos.azure.com`. This prefix indicates the coordinator node of the cluster. The default `dbname` is `citus` and can be changed only at cluster provisioning time. The `user` can be any valid [Postgres role](./howto-create-users.md) on your cluster.

-> It's recommended to access Azure Cosmos DB is to use a [system-assigned managed identity](managed-identity-based-authentication.md). If your service cannot take advantage of managed identities then use the [certificate-based authentication](certificate-based-authentication.md). If both the managed identity solution and cert based solution do not meet your needs, please use the Azure Key vault solution in this article.

-> Defining authorization headers is a sensible option when your destination is a Webhook. It should not be used for [functions subscribed with a resource id](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update#azurefunctioneventsubscriptiondestination), Service Bus, Event Hubs, and Hybrid Connections as those destinations support their own authentication schemes when used with Event Grid.

-> During the preview, Event Grid on Kubernetes features are supported through API version [2020-10-15-Preview](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update).

-You can also specify retry policy limits on a per subscription basis. See our [API documentation](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update) for information on configuring defaults per subscriber. Subscription level defaults override the Event Grid module on Kubernetes level configurations.

-The way to configure Event Grid to send events to a destination is through the creation of an event subscription. It can be done through [Azure CLI](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create), [management SDK](../sdk-overview.md#management-sdks), or using direct HTTPs calls using the [2020-10-15-preview API](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update) version.

-Event Grid on Kubernetes offers a good level of feature parity with Azure Event Grid's support for event subscriptions. The following list enumerates the main differences in event subscription functionality. Apart from those differences, you can use Azure Event Grid's [REST api version 2020-10-15-preview](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions) as a reference when managing event subscriptions on Event Grid on Kubernetes.

-1. Use [REST api version 2020-10-15-preview](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions).

-5. Only CloudEvents schema is supported. The supported schema value is "[CloudEventSchemaV1_0](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update#eventdeliveryschema)". Cloud Events schema is extensible and based on open standards.

-6. Labels ([properties.labels](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update#request-body)) aren't applicable to Event Grid on Kubernetes. Hence, they aren't available.

-7. [Delivery with resource identity](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update#deliverywithresourceidentity) isn't supported. So, all properties for [Event Subscription Identity](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update#eventsubscriptionidentity) aren't supported.

-Event Grid on Kubernetes offers a rich set of features that help you integrate your Kubernetes workloads and realize hybrid architectures. It shares the same [rest API](/rest/api/eventgrid/controlplane-version2023-06-01-preview/topics) (starting with version 2020-10-15-preview), [Event Grid CLI](/cli/azure/eventgrid), Azure portal experience, [management SDKs](../sdk-overview.md#management-sdks), and [data plane SDKs](../sdk-overview.md#data-plane-sdks) with Azure Event Grid, the other edition of the same service. When you're ready to publish events, you can use the [data plane SDK examples provided in different languages](https://devblogs.microsoft.com/azure-sdk/event-grid-ga/) that work for both editions of Event Grid.

-| [Event Grid topics](/rest/api/eventgrid/controlplane-version2023-06-01-preview/topics) | Γ£ö | Γ£ö |

-| [Event delivery with resource identity](/rest/api/eventgrid/controlplane-version2023-06-01-preview/event-subscriptions/create-or-update) | Γ£ÿ | Γ£ö |

-**Feature** that helps you realize above requirement: [Event Grid topics](/rest/api/eventgrid/controlplane-version2023-06-01-preview/topics).

-Event Grid on Kubernetes supports [Event Grid topics](/rest/api/eventgrid/controlplane-version2023-06-01-preview/topics), which is a feature also offered by [Azure Event Grid](../custom-topics.md). Event Grid topics help you realize the [primary integration use case](#use-case) where your requirements call for integrating your system with another workload that you own or otherwise is made accessible to your system.

- * [REST APIs](/rest/api/eventgrid/controlplane-version2023-06-01-preview/partner-namespaces)

-| REST API | | [REST reference](/rest/api/eventgrid/controlplane-version2023-06-01-preview/ca-certificates) | |

-| REST API | | [REST reference](/rest/api/eventgrid/dataplanepreview-version2023-06-01/publish-cloud-events) |

-This article helps you use Azure Automation and Logic Apps to constantly monitor the number of routes advertised from the ExpressRoute gateway to on-premises networks. Monitoring can help prevent hitting the 1000 routes limit](expressroute-faqs.md#how-many-prefixes-can-be-advertised-from-a-vnet-to-on-premises-on-expressroute-private-peering).

-* You have a basic understanding of [Run As accounts](../automation/manage-runas-account.md) in Azure Automation.

-When you create an Automation account in the Azure portal, a [Run As](../automation/automation-security-overview.md#run-as-accounts) account is automatically created. This account takes following actions:

-Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best of breed threat protection for your cloud workloads running in Azure. It's a fully stateful, firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection. To learn what's east-west and north-south traffic, see [East-west and north-south traffic](/azure/architecture/framework/security/design-network-flow#east-west-and-north-south-traffic).

- Azure Firewall Premium provides advanced capabilities include signature-based IDPS to allow rapid detection of attacks by looking for specific patterns. These patterns can include byte sequences in network traffic, or known malicious instruction sequences used by malware. There are more than 67,000 signatures in over 50 categories that are updated in real time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks.

-Azure Firewall Basic is intended for small and medium size (SMB) customers to secure their Azure cloud

-Azure Firewall Basic is similar to Firewall Standard, but has the following main limitations:

-In this quickstart, you'll learn how to create an Azure Front Door profile using the Azure portal. You can create an Azure Front Door profile through *Quick create* with basic configurations or through the *Custom create* which allows a more advanced configuration.

-With *Custom create*, you deploy two App services. Then, you create the Azure Front Door profile using the two App services as your origin. Lastly, you'll verify connectivity to your App services using the Azure Front Door frontend hostname.

-1. From the home page or the Azure menu, selectΓÇ»**+ Create a resource**. Search forΓÇ»*Front Door and CDN profiles*. Then select **Create**.

-1. On the **Create a Front Door profile** page, enter, or select the following settings.

-You'll now create an Azure Front Door profile using *Custom create* and deploy two App services that your Azure Front Door profile will use as your origin.

-In this example, we create two Web App instances that are deployed in two different Azure regions. Both web application instances will run in *Active/Active* mode, so either one can service incoming traffic. This configuration differs from an *Active/Stand-By* configuration, where one acts as a failover.

-Use the following steps to create two Web Apps used in this example.

-1. On the top left-hand side of the portal, select **+ Create a resource**. Then search for **Web App**. Select **Create** to begin configuring the first Web App.

-1. On the **Basics** tab of **Create Web App** page, enter, or select the following information.

-1. Select **Review + create**, review the summary, and then select **Create**. Deployment of the Web App can take up to a minute.

-1. After you create the first Web App, create a second Web App. Use the same settings as above, except for the following settings:

-Configure Azure Front Door to direct user traffic based on lowest latency between the two Web Apps origins. You'll also secure your Azure Front Door with a Web Application Firewall (WAF) policy.

-

-1. From the home page or the Azure menu, selectΓÇ»**+ Create a resource**. Search forΓÇ»*Front Door and CDN profiles*. Then select **Create**.

-1. On the **Compare offerings** page, select **Custom create**. Then select **Continue to create a Front Door**.

-1. *Optional*: **Secrets**. If you plan to use managed certificates, this step is optional. If you have an existing Key Vault in Azure that you plan to use to Bring Your Own Certificate for a custom domain, then select **Add a certificate**. You can also add a certificate in the management experience after creation.

- > You need to have the right permission to add the certificate from Azure Key Vault as a user.

-1. In the **Endpoint** tab, select **Add an endpoint** and give your endpoint a globally unique name. You can create more endpoints in your Azure Front Door profile after you complete the deployment. This example uses *contoso-frontend*. Select **Add** to add the endpoint.

-1. Next, select **+ Add a route** to configure routing to your Web App origin.

-1. On the **Add a route** page, enter, or select the following information, select **Add** to add the route to the endpoint configuration.

- | Name | Enter a name to identify the mapping between domains and origin group. |

- | Domains | A domain name has been auto-generated for you to use. If you want to add a custom domain, select **Add a new domain**. This example will use the default. |

- | Patterns to match | Set all the URLs this route will accept. This example will use the default, and accept all URL paths. |

- | Accepted protocols | Select the protocol the route will accept. This example will accept both HTTP and HTTPS requests. |

- | Redirect | Enable this setting to redirect all HTTP traffic to the HTTPS endpoint. |

- | Origin group | Select **Add a new origin group**. For the origin group name, enter **myOriginGroup**. Then select **+ Add an origin**. For the first origin, enter **WebApp1** for the *Name* and then for the *Origin Type* select **App services**. In the *Host name*, select **webapp-contoso-001.azurewebsites.net**. Select **Add** to add the origin to the origin group. Repeat the steps to add the second Web App as an origin. For the origin *Name*, enter **WebApp2**. The *Host name* is **webapp-contoso-002.azurewebsites.net**. Choose a priority, the lowest number has the highest priority, a priority of 1 if both origins are needed to be served by Azure Front Door. Choose a weight appropriately for traffic routing, equal weights of 1000 if the traffic needs to be routed to both origins equally. Once both Web App origins have been added, select **Add** to save the origin group configuration. |

- | Origin path | Leave blank. |

- | Forwarding protocol | Select the protocol that will be forwarded to the origin group. This example will match the incoming requests to origins. |

- | Caching | Select the check box if you want to cache contents closer to your users globally using Azure Front Door's edge POPs and the Microsoft network. |

- | Rules | Once you've deployed the Azure Front Door profile, you can configure Rules to apply to your route. |

-1. On the **Add security policy** page, enter a name to identify this security policy. Then select domains you want to associate the policy with. For *WAF Policy*, you can select a previously created policy or select **Create New** to create a new policy. Select **Save** to add the security policy to the endpoint configuration.

-1. SelectΓÇ»**Review + Create**, and thenΓÇ»**Create** to deploy the Azure Front Door profile. It will take a few minutes for configurations to be propagated to all edge locations.

-When you create the Azure Front Door profile, it takes a few minutes for the configuration to be deployed globally. Once completed, you can access the frontend host you created. In a browser, enter the endpoint hostname. For example `contoso-frontend.z01.azurefd.net`. Your request will automatically get routed to the nearest server from the specified servers in the origin group.

-If you created these apps in this quickstart, you'll see an information page.

-To test instant global failover, do the following steps:

-1. Open a browser, as described above, and go to the frontend address: `contoso-frontend.z01.azurefd.net`.

-1. In the Azure portal, search and select *App services*. Scroll down to find one of your Web Apps, **WebApp-Contoso-001** in this example.

-1. Select your web app, and then select **Stop**, and **Yes** to verify.

-1. Refresh your browser. You should see the same information page.

- > There is a delay between when the traffic will be directed to the second Web app. You may need to refresh again.

-1. Go to the second Web app, and stop that one as well.

-1. Refresh your browser. This time, you should see an error message.

-After you're done, you can remove all the items you created. Deleting a resource group also deletes its contents. If you don't intend to use this Azure Front Door, you should remove these resources to avoid unnecessary charges.

-1. In the Azure portal, search for and select **Resource groups**, or select **Resource groups** from the Azure portal menu.

-1. Filter or scroll down to find a resource group, such as **myAFDResourceGroup**, **myAppResourceGroup** or **myAppResourceGroup2**.

-1. Select the resource group, then select **Delete resource group**.

- > Once a resource group has been deleted, there is no way to recover the resources.

-1. Type the resource group name to verify, and then select **Delete**.

-1. Repeat the procedure for the other two resource groups.

-Advance to the next article to learn how to add a custom domain to your Front Door.

-Azure Front Door has several features and characteristics that can help to prevent distributed denial of service (DDoS) attacks. These features can prevent attackers from reaching your application and affecting your application's availability and performance.

-Front Door is protected by the default Azure infrastructure DDoS protection. The full scale and capacity of Front Door's globally deployed network provides defense against common network layer attacks through always-on traffic monitoring and real-time mitigation. This infrastructure DDoS protection has a proven track record in protecting Microsoft's enterprise and consumer services from large-scale attacks.

-Front Door only accepts traffic on the HTTP and HTTPS protocols, and will only process valid requests with a known `Host` header. This behavior helps to mitigate some common DDoS attack types including volumetric attacks that are spread across a range of protocols and ports, DNS amplification attacks, and TCP poisoning attacks.

-Front Door is a large scaled, globally distributed service. We have many customers, including Microsoft's own large-scale cloud products that receive hundreds of thousands of requests each second. Front Door is located at the edge of Azure's network, absorbing and geographically isolating large volume attacks. This can prevent malicious traffic from going any further than the edge of the Azure network.

-[Front Door's caching capabilities](./front-door-caching.md) can be used to protect backends from large traffic volumes generated by an attack. Cached resources will be returned from the Front Door edge nodes so they don't get forwarded to your backend. Even short cache expiry times (seconds or minutes) on dynamic responses can greatly reduce load on backend services. For more information about caching concepts and patterns, see [Caching considerations](/azure/architecture/best-practices/caching) and [Cache-aside pattern](/azure/architecture/patterns/cache-aside).

-[Front Door's Web Application Firewall (WAF)](../web-application-firewall/afds/afds-overview.md) can be used to mitigate many different types of attacks:

-* Using the managed rule set provides protection against many common attacks. For more information, see [Managed rules](../web-application-firewall/afds/waf-front-door-drs.md).

-* Traffic from outside a defined geographic region, or within a defined region, can be blocked or redirected to a static webpage. For more information, see [Geo-filtering](../web-application-firewall/afds/waf-front-door-geo-filtering.md).

-* IP addresses and ranges that you identify as malicious can be blocked. For more information, see [IP restrictions](../web-application-firewall/afds/waf-front-door-configure-ip-restriction.md).

-* Rate limiting can be applied to prevent IP addresses from calling your service too frequently. For more information, see [Rate limiting](../web-application-firewall/afds/waf-front-door-rate-limit.md).

-* You can create [custom WAF rules](../web-application-firewall/afds/waf-front-door-custom-rules.md) to automatically block and rate limit HTTP or HTTPS attacks that have known signatures.

-* Using the bot protection managed rule set provides protection against known bad bots. For more information, see [Configuring bot protection](../web-application-firewall/afds/waf-front-door-policy-configure-bot-protection.md).

-## Protect VNet origins

-Enable [Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md) on the origin VNet to protect your public IPs against DDoS attacks. DDoS Protection customers receive extra benefits including cost protection, SLA guarantee, and access to experts from the DDoS Rapid Response Team for immediate help during an attack.

-5. Once you've added all of the rules you'd like to your configuration, don't forget to go to your preferred route and associate your Rules engine configuration to the Route Rule. This step is required to enable the rule to work.

-description: This article explains how to restrict traffic to your origins to ensure it's been processed by Azure Front Door.

-description: This quickstart shows how to use Azure Front Door Service for your highly available and high-performance global web application by using the Azure portal.

-#Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.

-Get started with Azure Front Door by using the Azure portal to set up high availability for a web application.

-In this quickstart, Azure Front Door pools two instances of a web application that run in different Azure regions. You create a Front Door configuration based on equal weighted and same priority backends. This configuration directs traffic to the nearest site that runs the application. Azure Front Door continuously monitors the web application. The service provides automatic failover to the next available site when the nearest site is unavailable.

-This quickstart requires two instances of a web application that run in different Azure regions. Both the web application instances run in *Active/Active* mode, so either one can take traffic. This configuration differs from an *Active/Stand-By* configuration, where one acts as a failover.

-If you don't already have a web app, use the following steps to set up example web apps.

-1. On the top left-hand side of the screen, select **Create a resource** > **Web App**.

-1. In the **Basics** tab of **Create Web App** page, enter or select the following information.

- | Setting | Value |

- | | |

- | **Subscription** | Select your subscription. |

- | **Resource group** | Select **Create new** and enter *FrontDoorQS_rg1* in the text box.|

- | **Name** | Enter a unique **Name** for your web app. This example uses *WebAppContoso-1*. |

- | **Runtime stack** | Select **.NET Core 3.1 (LTS)**. |

- | **Operating System** | Select **Windows**. |

- | **Region** | Select **Central US**. |

- | **Windows Plan** | Select **Create new** and enter *myAppServicePlanCentralUS* in the text box. |

-1. Select **Review + create**, review the **Summary**, and then select **Create**. It might take several minutes for the deployment to complete.

-After your deployment is complete, create a second web app. Use the same procedure with the same values, except for the following values:

-| Setting | Value |

-| | |

-| **Resource group** | Select **Create new** and enter *FrontDoorQS_rg2* |

-| **Name** | Enter a unique name for your Web App, in this example, *WebAppContoso-2* |

-| **Region** | A different region, in this example, *East US* |

-| **App Service plan** > **Windows Plan** | Select **New** and enter *myAppServicePlanEastUS*, and then select **OK** |

-Configure Azure Front Door to direct user traffic based on lowest latency between the two web apps servers. To begin, add a frontend host for Azure Front Door.

-1. From the home page or the Azure menu, select **Create a resource**. Select **Networking** > **See All** > **Front Door and CDN profiles**.

-1. On the Compare offerings page, select **Explore other offerings**. Then select **Azure Front Door (classic)**. Then select **Continue**.

-1. In the **Basics** tab of **Create a Front Door** page, enter or select the following information, and then select **Next: Configuration**.

- | **Resource group** | Select **Create new** and enter *FrontDoorQS_rg0* in the text box.|

-1. In **Frontends/domains**, select **+** to open **Add a frontend host**.

-1. For **Host name**, enter a globally unique hostname. This example uses *contoso-frontend*. Select **Add**.

-Next, create a backend pool that contains your two web apps.

-1. Still in **Create a Front Door**, in **Backend pools**, select **+** to open **Add a backend pool**.

-1. For **Name**, enter *myBackendPool*, then select **Add a backend**.

-1. In the **Add a backend** pane, select the following information and select **Add**.

- | **Backend host name** | Select the first web app you created. In this example, the web app was *WebAppContoso-1*. |

- **Leave all other fields default.**

-1. Select **Add a backend** again. select the following information and select **Add**.

- | **Backend host name** | Select the second web app you created. In this example, the web app was *WebAppContoso-2*. |

- **Leave all other fields default.**

-1. Select **Add** on the **Add a backend pool** pane to complete the configuration of the backend pool.

-Finally, add a routing rule. A routing rule maps your frontend host to the backend pool. The rule forwards a request for `contoso-frontend.azurefd.net` to **myBackendPool**.

-1. Still in **Create a Front Door**, in **Routing rules**, select **+** to configure a routing rule.

-1. In **Add a rule**, for **Name**, enter *LocationRule*. Accept all the default values, then select **Add** to add the routing rule.

- >[!WARNING]

- > You **must** ensure that each of the frontend hosts in your Front Door has a routing rule with a default path (`/*`) associated with it. That is, across all of your routing rules there must be at least one routing rule for each of your frontend hosts defined at the default path (`/*`). Failing to do so may result in your end-user traffic not getting routed correctly.

-1. Select **Review + Create**, and then **Create**.

-Once you create a Front Door, it takes a few minutes for the configuration to be deployed globally. Once complete, access the frontend host you created. In a browser, go to your frontend host address. Your request will automatically get routed to the nearest server to you from the specified servers in the backend pool.

-If you created these apps in this quickstart, you'll see an information page.

-To test instant global failover in action, try the following steps:

-1. Open the resource group **FrontDoorQS_rg0** and select the frontend service.

-1. Open a browser, as described above, and go to your frontend address.

-1. In the Azure portal, search for and select *App services*. Scroll down to find one of your web apps, **WebAppContoso-1** in this example.

-1. Select your web app, and then select **Stop**, and **Yes** to verify.

- >[!TIP]

- >There is a little bit of delay for these actions. You might need to refresh again.

-1. Find the other web app, and stop it as well.

-After you're done, you can remove all the items you created. Deleting a resource group also deletes its contents. If you don't intend to use this Front Door, you should remove resources to avoid unnecessary charges.

-1. In the Azure portal, search for and select **Resource groups**, or select **Resource groups** from the Azure portal menu.

-1. Filter or scroll down to find a resource group, such as **FrontDoorQS_rg0**.

-1. Select the resource group, then select **Delete resource group**.

- >[!WARNING]

- >This action is irreversible.

-1. Type the resource group name to verify, and then select **Delete**.

-Repeat the procedure for the other two groups.

-Advance to the next article to learn how to add a custom domain to your Front Door.

-| HDInsight: Login Tips Enable | Unchecked | When this option is checked, there will be a prompt when logging in to Azure |

-| HDInsight Hive: Apply Localization | Unchecked | [Optional] Configuration options for localizing into VSCode's configured locale (must restart VSCode for settings to take effect)|

-| HDInsight Hive › Format: Place Select Statement References On New Line | Unchecked | Should references to objects in a select statement be split into separate lines? For example, for 'SELECT C1, C2 FROM T1' both C1 and C2 will be on separate lines

-| HDInsight Hive: Results Font Family | -apple-system,BlinkMacSystemFont,Segoe WPC,Segoe UI,HelveticaNeue-Light,Ubuntu,Droid Sans,sans-serif | Set the font family for the results grid; set to blank to use the editor font |

-| HDInsight Hive › Save As Csv: Include Headers | Checked | [Optional] When true, column headers are included when saving results as CSV |

-| HDInsight Job Submission: Cluster Conf | -- | Cluster Configuration |

-| HDInsight Job Submission: Livy Conf | -- | Livy Configuration. POST/batches |

-| HDInsight Jupyter: Append Results| Checked | Whether to append the results to results window, else clear and display. |

-| HDInsight Jupyter › Log: Verbose | Unchecked | If enable verbose logging |

-| HDInsight Jupyter › Notebook: Startup Args | Can add item | 'jupyter notebook' command-line arguments. Each argument is a separate item in the array. For a full list type 'jupyter notebook--help' in a terminal window. |

-| HDInsight Jupyter: Python Extension Enabled | Checked | Use Python-Interactive-Window of ms-python extension when submitting pySpark Interactive jobs. Otherwise, use our own jupyter window |

-| Hive Interactive: Copy Executable Folder | Unchecked | If copy the hive interactive service runtime folder to user's tmp folder |

-| Synapse Spark pool Job Submission: Livy Conf | -- | Livy Configuration. POST/batches

-| Synapse Spark pool Job Submission: Synapse Spark Pool Cluster Conf | -- | Synapse Spark Pool Configuration |

-The MedTech service provides near real-time processing and also attempts to reduce the number of requests made to the FHIR service by grouping requests into batches of 300 [normalized messages](#normalize). If there's a low volume of data, and 300 normalized messages haven't been added to the group, then the corresponding FHIR Observations in that group are persisted to the FHIR service after approximately five minutes. When there's fewer than 300 normalized messages to be processed, there may be a delay of approximately five minutes before FHIR Observations are created or updated in the FHIR service.

-description: Create or modify an Exchange peering using the Azure portal.

- >[!NOTE]

- >Once a subscription and resource group have been selected for the peering resource, it cannot be moved to another subscription or resource group.

-description: Convert a legacy Direct peering to an Azure resource using the Azure portal.

- >[!NOTE]

- >Once a subscription and resource group have been selected for the peering resource, it cannot be moved to another subscription or resource group.

-description: Convert a legacy Exchange peering to an Azure resource using the Azure portal.

- >[!NOTE]

- >Once a subscription and resource group have been selected for the peering resource, it cannot be moved to another subscription or resource group.

-2. Select **Configurations ** in Device management.

-Purge protection is an optional Key Vault behavior and is **not enabled by default**. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via [CLI](./key-vault-recovery.md?tabs=azure-cli) or [PowerShell](./key-vault-recovery.md?tabs=azure-powershell). Purge protection is recommended when using keys for encryption to prevent data loss. Most Azure services that integrate with Azure Key Vault, such as Storage, require purge protection to prevent data loss.

-This article shows you how to set up a class for emulating, configuring, testing, and troubleshooting virtual and real networks using [GNS3](https://www.gns3.com/) software.

-1. Follow the detailed instructions on the GNS3 website, to [install GNS3 on Windows](https://docs.gns3.com/docs/getting-started/installation/windows).

-To create the GNS 3 VM:

-1. Extract all files in the `GNS3.VM.Hyper-V.2.2.17.zip` file.

-To avoid that lab users need to enable nested virtualization on their lab VM and install the nested VMs inside it, you can prepare a lab template. When you publish the lab, each lab user has a lab VM that already contains the nested virtual machines.

- - Nested VM 1-1 (Ubuntu 20.04, IP 192.168.0.102)

- - Nested VM 1-2 (Windows 11, IP 192.168.0.103, remote desktop enabled and allowed)

- - Nested VM 2-1 (Ubuntu 20.04, IP 192.168.0.102)

- - Nested VM 2-2 (Windows 11, IP 192.168.0.103, remote desktop enabled and allowed)

-By default, when you create the nested virtual machine, only one virtual CPU (*vCPU*) is assigned. Depending on the operating system, and software of the nested VM, you might have to increase the number of vCPUs.

-When you create the nested virtual machine, the minimum assigned memory might not be sufficient for the operating system and installed software of the nested VM. You might have to increase the minimum amount of assigned memory for the nested VM.

-1. __Grant the workspace managed identity the 'Reader' role for storage private endpoints__. If your storage service uses a __private endpoint__, grant the workspace's managed identity __Reader__ access to the private endpoint. The workspace's managed identity in Azure AD has the same name as your Azure Machine Learning workspace.

-| Nodes in a single MPI **run** on an Azure Machine Learning compute (AmlCompute) cluster | 100 nodes but can be increased to 300 nodes |

-The sum of kubernetes online endpoints and managed online endpoints under each subscription can't exceed 50. Similarly, the sum of kubernetes online deployments and managed online deployments under each subscription can't exceed 200.

-The MPI distribution can be used for Horovod or custom multinode logic. Additionally, Apache Spark is supported via Azure Synapse Analytics Spark clusters (preview).

-> [!IMPORTANT]

-> Using Apache Spark via Azure Synapse Analytics Spark clusters is in public preview.

-> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-**Linux VMs in Azure** | Some VMs might require changes so that they can run in Azure.<br><br> For Linux, Azure Migrate makes the changes automatically for these operating systems:<br> - Red Hat Enterprise Linux 9.x, 8.x, 7.9, 7.8, 7.7, 7.6, 7.5, 7.4, 7.0, 6.x<br> - Cent OS 9.x (Release and Stream), 8.x (Release and Stream), 7.7, 7.6, 7.5, 7.4, 6.x</br> - SUSE Linux Enterprise Server 15 SP4, 15 SP3, 15 SP2, 15 SP1, 15 SP0, 12, 11 SP4, 11 SP3 <br>- Ubuntu 22.04, 21.04, 20.04, 19.04, 19.10, 18.04LTS, 16.04LTS, 14.04LTS<br> - Debian 11, 10, 9, 8, 7<br> - Oracle Linux 9, 8, 7.7-CI, 7.7, 6<br> - Kali Linux (2016, 2017, 2018, 2019, 2020, 2021, 2022) <br> - For other operating systems, you make the [required changes](prepare-for-migration.md#verify-required-changes-before-migrating) manually.

-**VMware vCenter Server** | Version 5.5, 6.0, 6.5, 6.7, 7.0.

-**Automatic installation of Azure VM agent (Windows and Linux Agent)** | Supported for Windows Server 2008 R2 onwards. Supported for RHEL 6, RHEL 7, CentOS 7, Ubuntu 14.04, Ubuntu 16.04, Ubuntu 18.04, Ubuntu 19.04, Ubuntu 19.10, Ubuntu 20.04

-**vCenter Server** | Servers that you want to discover and assess must be managed by vCenter Server version 7.0, 6.7, 6.5, 6.0, or 5.5.<br /><br /> Discovering servers by providing ESXi host details in the appliance currently isn't supported. <br /><br /> IPv6 addresses aren't supported for vCenter Server (for discovery and assessment of servers) and ESXi hosts (for replication of servers).

-To see step-by-step instructions on how to configure NAT gateway with virtual network integration, see [Configuring NAT gateway integration](../app-service/networking/nat-gateway-integration.md#configuring-nat-gateway-integration)

-The first step to configuring the example is to create the runbook. This example uses a run-as account. To learn about run-as accounts, visit [Authenticate Runbooks with Azure Run As account](../automation/manage-runas-account.md)

- volumeMode: Filesystem

-| CPU_CORES | The number of CPU cores for the virtual machine (even number, max 44 vCPUs) |

-| MEMORY_SIZE | The amount of memory (in GB, max 224 GB) for the virtual machine. |

-> [!NOTE]

-> If each server has two CPU chipsets and each CPU chip has 28 cores, then with hyperthreading enabled (default), the CPU chip supports 56 vCPUs. With 8 vCPUs in each chip reserved for infrastructure (OS and agents), the remaining 48 are available for tenant workloads.

- {

- "name": "antennaType",

- "type": {

- "name": "antennaTypeEnum",

- "type": "enum",

- "symbols": [

- "Microsoft",

- "KSAT"

- ]

- }

- },

-| contactTleLine1 | ACU: Satellite[0].Model.Value | ΓÇó String: TLE <br> ΓÇó "Empty TLE Line 1" if metric is null | First line of the TLE used for the contact. |

-| contactTLeLine2 | ACU: Satellite[0].Model.Value | ΓÇó String: TLE <br> ΓÇó "Empty TLE Line 2" if metric is null | Second line of the TLE used for the contact. |

-| antennaType | Respective 1P/3P telemetry builders set this value | MICROSOFT, KSAT, VIASAT | Antenna network used for the contact. |

-| uplinkEnabled | ACU: SBandCurrent or UHFTotalCurrent | ΓÇó NULL (Invalid CenterFrequencyMhz or Downlink direction) <br> ΓÇó False (Bands other than S and UHF or Amp Current < Threshold) <br> ΓÇó True (S/UHF-band, Uplink, Amp Current > Threshold) | Idicates whether uplink was enabled for the contact. |

-| inputRfPowerDbm | Digitizer: inputRfPower | ΓÇó NULL (Uplink) <br> ΓÇó 0 (Digitizer driver other than SNNB or SNWB) <br> ΓÇó Double: Input Rf Power | Input RF power in dBm. |

-| commandsSent | Modem: commandsSent | ΓÇó 0 (if not Uplink and QRadio) <br> ΓÇó Double: # of commands sent | Confirmation that commands were sent during the contact. |

-description: Get started to onboard Azure Peering Service.

-# Onboarding Peering Service model

-Onboarding process of Peering Service is composed of two models:

-Action plans for the above listed models are described as follows:

-| **Step** | **Action**| **What you get**|

-|--|||

-| 1 | Customer to provision the connectivity from a connectivity partner (no interaction with Microsoft).ΓÇï | An Internet provider who is well connected to Microsoft and meets the technical requirements for performant and reliable connectivity to Microsoft. ΓÇï |

-| 2 (Optional) | Customer registers locations into the Azure portal.​ A location is defined by: ISP/IXP Name​, Physical location of the customer site (state level), IP Prefix given to the location by the Service Provider or the enterprise​. ​| Telemetry​: Internet Route monitoring​, traffic prioritization from Microsoft to the user’s closest edge POP location​. |

-## Onboarding Peering Service connection

-To onboard Peering Service connection:

-## Onboarding Peering Service connection telemetry

-Customers can opt for Peering Service telemetry such as BGP route analytics to monitor networking latency and performance when accessing the Microsoft network by registering the connection into the Azure portal.

-To onboard Peering Service connection telemetry, customer must register the Peering Service connection into the Azure portal. Refer to the [Manage a Peering Service connection using the Azure portal](azure-portal.md) to learn the procedure.

-Following that, you can measure telemetry by referring [here](measure-connection-telemetry.md).

-## Next steps

-To learn step by step process on how to register Peering Service connection, see [Manage a Peering Service connection using the Azure portal](azure-portal.md).

-To learn about measure connection telemetry, see [Connection telemetry](connection-telemetry.md).

-This article provides steps to perform scaling operations for compute and storage. You will be able to change your compute tiers between burstable, general purpose, and memory optimized SKUs, including choosing the number of vCores that is suitable to run your application. You can also scale up your storage. Expected IOPS are shown based on the compute tier, vCores and the storage capacity. The cost estimate is also shown based on your selection.

-## Pre-requisites

-1. In the [Azure portal](https://portal.azure.com/), choose your flexible server that you want to restore the backup from.

- :::image type="content" source="./media/how-to-scale-compute-storage-portal/click-compute-storage.png" alt-text="compute+storage view":::

- :::image type="content" source="./media/how-to-scale-compute-storage-portal/list-compute-tiers.png" alt-text="list compute tiers":::

-5. If you are good with the default vCores and memory sizes, you can skip the next step.

- :::image type="content" source="./media/how-to-scale-compute-storage-portal/compute-general-purpose-dropdown.png" alt-text="general-purpose compute":::

- :::image type="content" source="./media/how-to-scale-compute-storage-portal/compute-memory-optimized-dropdown.png" alt-text="memory optimized compute":::

-8. You will see a confirmation message. Click **OK** if you want to proceed.

-## Scaling storage size

-1. In the [Azure portal](https://portal.azure.com/), choose your flexible server for which you want to increase the storage size.

-4. The field **Storage size in GiB** with a slide-bar is shown with the current size.

-5. Slide the bar to your desired size. Corresponding IOPS number is shown. The IOPS is dependent on the compute tier and size. The cost information is also shown.

- :::image type="content" source="./media/how-to-scale-compute-storage-portal/storage-scaleup.png" alt-text="storage scale up":::

-6. If you are good with the storage size, click **Save**.

-7. You will see a confirmation message. Click **OK** if you want to proceed.

-8. A notification about the scaling operation in progress.

-> The Single to Flex Migration tool currently supports only **Offline** migrations. Support for online migrations will be introduced later in the tool.

-| `dbsToMigrate` | Required | Specify the list of databases that you want to migrate to Flexible Server. You can include a maximum of eight database names at a time. |

-After you make the **Subscription** and **Resource Group** selections, the dropdown list for server names shows Single Servers under that resource group across regions. Select the source that you want to migrate databases from. Note that you can migrate databases from a Single Server to a target Flexible Server in the same region - cross region migrations aren't supported.

-The current minor release is 11.17. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/11/release-11-17.html) to learn more about improvements and fixes in this minor release.

-## Enter a minishell session

-You need to run minishell commands on Azure Stack Edge during this procedure. You must use a Windows machine that is on a network with access to the management port of the ASE. You should be able to view the ASE local UI to verify you have access.

-> [!TIP]

-> To access the local UI, see [Tutorial: Connect to Azure Stack Edge Pro with GPU](../databox-online/azure-stack-edge-gpu-deploy-connect.md).

-### Enable WinRM on your machine

-The following process uses PowerShell and needs WinRM to be enabled on your machine. Run the following command from a PowerShell window in Administrator mode:

-```powershell

-winrm quickconfig

-```

-WinRM may already be enabled on your machine, as you only need to do it once. Ensure your network connections are set to Private or Domain (not Public), and accept any changes.

-### Start the minishell session

-1. From a PowerShell window, enter the ASE management IP address (including quotation marks, for example `"10.10.5.90"`):

- ```powershell

- $ip = "*ASE IP address*"

-

- $sessopt = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

- $minishellSession = New-PSSession -ComputerName $ip -ConfigurationName "Minishell" -Credential ~\EdgeUser -UseSSL -SessionOption $sessopt

- ```

-1. At the prompt, enter your Azure Stack Edge password. Ignore the following message:

- `WARNING: The Windows PowerShell interface of your device is intended to

- be used only for the initial network configuration. Please

- engage Microsoft Support if you need to access this interface

- to troubleshoot any potential issues you may be experiencing.

- Changes made through this interface without involving Microsoft

- Support could result in an unsupported configuration.`

-You now have a minishell session set up ready to enable your Azure Kubernetes Service in the next step.

-> [!TIP]

-> If there is a network change, the session can break. Run `Get-PSSession` to view the state of the session. If it is still connected, you should still be able to run minishell commands. If it is broken or disconnected, run `Remove-PSSession` to remove the session locally, then start a new session.

-## Enable Azure Kubernetes Service on the Azure Stack Edge device

-Run the following commands at the PowerShell prompt, specifying the object ID you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md).

-```powershell

-Invoke-Command -Session $minishellSession -ScriptBlock {Set-HcsKubeClusterArcInfo -CustomLocationsObjectId *object ID*}

-Invoke-Command -Session $minishellSession -ScriptBlock {Enable-HcsAzureKubernetesService -f}

-```

-Once you've run this command, you should see an updated option in the local UI ΓÇô **Kubernetes** becomes **Kubernetes (Preview)** as shown in the following image.

- - **VLAN**: 0

- - **Subnet mask** and **Gateway**: Use the correct subnet mask and gateway for the IP address configured on the ASE port (even if the gateway is not set on the ASE port itself).

- - For example, *255.255.255.0* and *10.232.44.1*

- - **Subnet mask** and **Gateway** must match the external values for the port.

- - For example, *255.255.255.0* and *10.232.44.1*

-1. The Arc enabled Kubernetes service is automatically created in the same resource group as your **Azure Stack Edge** resource. If your Azure Stack Edge resource group is not in a region that supports Azure Private 5G Core, you must change the region using the **Change** link.

-The Azure Private 5G Core deployment uses the *core* namespace. If you need to collect diagnostics, you can download a *kubeconfig* file with full access to the *core* namespace using the following minishell commands.

- ```powershell

- Invoke-Command -Session $minishellSession -ScriptBlock {New-HcsKubernetesNamespace -Namespace "core"}

- Invoke-Command -Session $minishellSession -ScriptBlock {New-HcsKubernetesUser -UserName "core"} | Out-File -FilePath .\kubeconfig-core.yaml

- Invoke-Command -Session $minishellSession -ScriptBlock {Grant-HcsKubernetesNamespaceAccess -Namespace "core" -UserName "core"}

- ```

- ```powershell

- Invoke-Command -Session $miniShellSession -ScriptBlock { Get-HcsKubernetesUserConfig -UserName "core" }

- ```

-For more information, see [Configure cluster access via Kubernetes RBAC](../databox-online/azure-stack-edge-gpu-create-kubernetes-cluster.md#configure-cluster-access-via-kubernetes-rbac).

-You need to obtain the object ID (OID) of the custom location resource provider in your Azure tenant. You will need to provide this OID when you configure your ASE to use AKS-HCI. You can obtain the OID using the Azure CLI or the Azure Cloud Shell on the portal. You'll need to be an owner of your Azure subscription.

-If any of the configuration you set while your packet core instance was running a newer version isn't supported in the version that you want to roll back to, you'll need to revert to the previous configuration before you're able to perform a rollback. Check the packet core release notes for information on when new features were introduced.

-If any of the configuration you set while your packet core instance was running a newer version isn't supported in the version that you want to roll back to, you'll need to revert to the previous configuration before you're able to perform a rollback. Check the packet core release notes for information on when new features were introduced.

-> | Variable | Description | Type | Notes |

-> | -- | -- | - | - |

-> | `environment` | Identifier for the workload zone (maximum five characters) | Mandatory | For example, `PROD` for a production environment and `NP` for a nonproduction environment. |

-> | `location` | The Azure region in which to deploy | Required | |

-> | `name_override_file` | Name override file | Optional | See [Custom naming](naming-module.md). |

-> | `network_name` | The name of the network | Optional | |

-> | `network_logical_name` | The logical name of the network, for example, `SAP01` | Required | Used for resource naming |

-> | `network_arm_id` | The Azure resource identifier for the virtual network | Optional | For brown-field deployments |

-> | `network_address_space` | The address range for the virtual network | Mandatory | For green-field deployments |

-> | `admin_subnet_name` | The name of the `admin` subnet | Optional | |

-> | `admin_subnet_address_prefix` | The address range for the `admin` subnet | Mandatory | For green-field deployments |

-> | `admin_subnet_arm_id` | The Azure resource identifier for the `admin` subnet | Mandatory | For brown-field deployments |

-> | `db_subnet_name` | The name of the `db` subnet | Optional | |

-> | `app_subnet_name` | The name of the `app` subnet | Optional | |

-> | `web_subnet_name` | The name of the `web` subnet | Optional | |

-> | `anf_subnet_name` | The name of the `ANF` subnet | Optional | |

-> | `anf_subnet_arm_id` | The Azure resource identifier for the `ANF` subnet | Required | When using existing subnets |

-> | `anf_subnet_address_prefix` | The address range for the `ANF` subnet | Required | When using `ANF` for new deployments |

-> | Variable | Description | Type |

-> | - | -- | -- |

-> | `dns_label` | If specified, is the DNS name of the private DNS zone | Optional |

-> | `dns_resource_group_name` | The name of the resource group that contains the private DNS zone | Optional |

-> | `ANF_account_name` | Name for the Azure NetApp Files account | Optional | |

-> | `ANF_service_level` | Service level for the Azure NetApp Files capacity pool | Optional | |

-> | `ANF_pool_size` | The size (in GB) of the Azure NetApp Files capacity pool | Optional | |

-> | `ANF_qos_type` | The quality of service type of the pool (auto or manual) | Optional | |

-> | `ANF_use_existing_pool` | Use existing for the Azure NetApp Files capacity pool | Optional | |

-> | `ANF_pool_name` | The name of the Azure NetApp Files capacity pool | Optional | |

-> | `ANF_account_arm_id` | Azure resource identifier for the Azure NetApp Files account | Optional | For brown-field deployments |

-> | `ANF_transport_volume_use_existing` | Defines if an existing transport volume is used | Optional | |

-> | `ANF_transport_volume_name` | Defines the transport volume name | Optional | For brown-field deployments |

-> | `ANF_transport_volume_size` | Defines the size of the transport volume in GB | Optional | |

-> | `ANF_transport_volume_throughput` | Defines the throughput of the transport volume | Optional | |

-> | `ANF_install_volume_use_existing` | Defines if an existing install volume is used | Optional | |

-> | `ANF_install_volume_name` | Defines the install volume name | Optional | For brown-field deployments |

-> | `ANF_install_volume_size` | Defines the size of the install volume in GB | Optional | |

-> | `ANF_install_volume_throughput` | Defines the throughput of the install volume | Optional | |

-> | Variable | Description | Type |

-> | -- | -- | -- |

-> | `use_custom_dns_a_registration` | Use an existing private DNS zone. | Optional |

-> | `management_dns_subscription_id` | Subscription ID for the subscription that contains the private DNS zone. | Optional |

-> | `dns_label` | DNS name of the private DNS zone. | Optional |

-> | `enable_purge_control_for_keyvaults` | If purge control is enabled on the key vault. | Optional | Use only for test deployments. |

-> | `use_private_endpoint` | Are private endpoints created for storage accounts and key vaults. | Optional | |

-> | `use_service_endpoint` | Are service endpoints defined for the subnets. | Optional | |

-> | `enable_firewall_for_keyvaults_and_storage` | Restrict access to selected subnets. | Optional |

-> | `diagnostics_storage_account_arm_id` | The Azure resource identifier for the diagnostics storage account. | Required | For brown-field deployments. |

-> | `witness_storage_account_arm_id` | The Azure resource identifier for the witness storage account. | Required | For brown-field deployments. |

- sudo crm configure primitive health-azure-events \

- ocf:heartbeat:azure-events-az op monitor interval=10s

-Only fields marked as `searchable` in the index are used for scoring. Only fields marked as `retrievable`, or fields that are specified in `searchFields` in the query, are returned in search results, along with their search score.

-Only fields marked as `searchable` in the index are used for scoring. Only fields marked as `retrievable`, or fields that are specified in `searchFields` in the query, are returned in search results, along with their search score.

->To use this preview, [request access](https://aka.ms/azure-cognitive-search/indexer-preview), and after access is enabled, use a [preview REST API (2020-06-30-preview or later)](search-api-preview.md) to index your content. There is currently limited portal support and no .NET SDK support.

-+ Azure SQL Managed Instance connection string. Managed identity is not currently supported with shared private link.

-Retrieve the FQDN of the managed instance, including the DNS zone. The DNS zone is part of the domain name of the SQL Managed Instance. For example, if the FQDN of the SQL Managed Instance is `my-sql-managed-instance.a1b22c333d44.database.windows.net`, the DNS zone is `a1b22c333d44`.

-1. [Create the data source definition](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md) as you would normally for Azure SQL. Although the format of the connection string is different, the data source type and other properties are valid for SQL Managed Instance.

- > [!NOTE]

- > If you're familiar with data source definitions in Cognitive Search, you'll notice that data source properties don't vary when using a shared private link. That's because Search will always use a shared private link on the connection if one exists.

-In Cognitive Search, replicas are copies of your index. A search service is installed with at least one replica, and can have up to 12 replicas. [Adding replicas](search-capacity-planning.md#adjust-capacity) allows Azure Cognitive Search to do machine reboots and maintenance against one replica, while query execution continues on other replicas.

-Only fields marked as `searchable` in the index are used for scoring. Only fields marked as `retrievable`, or fields that are specified in `searchFields` in the query, are returned in search results, along with their search score.

-When the health of your virtual machine is impacted by availability impacting disruptions (see [Resource types and health checks](resource-health-checks-resource-types.md)), the platform emits context as to why the disruption has occurred to assist you in responding appropriately.

-| Annotation | Description |

-||-|

-| VirtualMachineRestarted | The Virtual Machine is undergoing a reboot as requested by a restart action triggered by an authorized user or process from within the Virtual Machine. No other action is required at this time. For more information, see [understanding Virtual Machine reboots in Azure](/troubleshoot/azure/virtual-machines/understand-vm-reboot). |

-| VirtualMachineCrashed | The Virtual Machine is undergoing a reboot due to a guest OS crash. The local data remains unaffected during this process. No other action is required at this time. For more information, see [understanding Virtual Machine crashes in Azure](/troubleshoot/azure/virtual-machines/understand-vm-reboot#vm-crashes). |

-| VirtualMachineStorageOffline | The Virtual Machine is either currently undergoing a reboot or experiencing an application freeze due to a temporary loss of access to disk. No other action is required at this time, while the platform is working on reestablishing disk connectivity. |

-| VirtualMachineFailedToSecureBoot | Applicable to Azure Confidential Compute Virtual Machines when guest activity such as unsigned booting components leads to a guest OS issue preventing the Virtual Machine from booting securely. You can attempt to retry deployment after ensuring OS boot components are signed by trusted publishers. For more information, see [Secure Boot](/windows-hardware/design/device-experiences/oem-secure-boot). |

-| LiveMigrationSucceeded | The Virtual Machine was briefly paused as a Live Migration operation was successfully performed on your Virtual Machine. This operation was carried out either as a repair action, for allocation optimization or as part of routine maintenance workflows. No other action is required at this time. For more information, see [Live Migration](../virtual-machines/maintenance-and-updates.md#live-migration). |

-| LiveMigrationFailure | A Live Migration operation was attempted on your Virtual Machine as either a repair action, for allocation optimization or as part of routine maintenance workflows. This operation, however, could not be successfully completed and may have resulted in a brief pause of your Virtual Machine. No other action is required at this time. <br/> Also note that [M Series](../virtual-machines/m-series.md), [L Series](../virtual-machines/lasv3-series.md) VM SKUs are not applicable for Live Migration. For more information, see [Live Migration](../virtual-machines/maintenance-and-updates.md#live-migration). |

-| VirtualMachineAllocated | The Virtual Machine is in the process of being set up as requested by an authorized user or process. No other action is required at this time. |

-| VirtualMachineDeallocationInitiated | The Virtual Machine is in the process of being stopped and deallocated as requested by an authorized user or process. No other action is required at this time. |

-| VirtualMachineHostCrashed | The Virtual Machine has unexpectedly crashed due to the underlying host server experiencing a software failure or due to a failed hardware component. While the Virtual Machine is rebooting, the local data remains unaffected. You may attempt to redeploy the Virtual Machine to a different host server if you continue to experience issues. |

-| VirtualMachineMigrationInitiatedForPlannedMaintenance | The Virtual Machine is being migrated to a different host server as part of routine maintenance workflows orchestrated by the platform. No other action is required at this time. For more information, see [Planned Maintenance](../virtual-machines/maintenance-and-updates.md). |

-| VirtualMachineRebootInitiatedForPlannedMaintenance | The Virtual Machine is undergoing a reboot as part of routine maintenance workflows orchestrated by the platform. No other action is required at this time. For more information, see [Maintenance and updates](../virtual-machines/maintenance-and-updates.md). |

-| VirtualMachineHostRebootedForRepair | The Virtual Machine is undergoing a reboot due to the underlying host server experiencing unexpected failures. While the Virtual Machine is rebooting, the local data remains unaffected. For more information, see [understanding Virtual Machine reboots in Azure](/troubleshoot/azure/virtual-machines/understand-vm-reboot). |

-| VirtualMachineMigrationInitiatedForRepair | The Virtual Machine is being migrated to a different host server due to the underlying host server experiencing unexpected failures. Since the Virtual Machine is being migrated to a new host server, the local data will not persist. For more information, see [Service Healing](https://azure.microsoft.com/blog/service-healing-auto-recovery-of-virtual-machines/). |

-| VirtualMachineRedeployInitiatedByControlPlaneDueToPlannedMaintenance | The Virtual Machine is being migrated to a different host server as part of routine maintenance workflows triggered by an authorized user or process. Since the Virtual Machine is being migrated to a new host server, the local data will not persist. For more information, see [Maintenance and updates](../virtual-machines/maintenance-and-updates.md). |

-| VirtualMachineMigrationScheduledForDegradedHardware | The Virtual Machine is experiencing degraded availability as it is running on a host server with a degraded hardware component which is predicted to fail soon. Live Migration will be attempted to safely migrate your Virtual Machine to a healthy host server; however, the operation may fail depending on the degradation of the underlying hardware. <br/> We strongly advise you to redeploy your Virtual Machine to avoid unexpected failures by the redeploy deadline specified. For more information, see [Advancing failure prediction and mitigation](https://azure.microsoft.com/blog/advancing-failure-prediction-and-mitigation-introducing-narya/). |

-| VirtualMachinePossiblyDegradedDueToHardwareFailure | The Virtual Machine is experiencing an imminent risk to its availability as it is running on a host server with a degraded hardware component that will fail soon. Live Migration will be attempted to safely migrate your Virtual Machine to a healthy host server; however, the operation may fail. <br/> We strongly advise you to redeploy your Virtual Machine to avoid unexpected failures by the redeploy deadline specified. For more information, see [Advancing failure prediction and mitigation](https://azure.microsoft.com/blog/advancing-failure-prediction-and-mitigation-introducing-narya/). |

-| VirtualMachineScheduledForServiceHealing | The Virtual Machine is experiencing an imminent risk to its availability as it is running on a host server that is experiencing fatal errors. Live Migration will be attempted to safely migrate your Virtual Machine to a healthy host server; however, the operation may fail depending on the failure signature encountered by the host server. <br/> We strongly advise you to redeploy your Virtual Machine to avoid unexpected failures by the redeploy deadline specified. For more information, see [Advancing failure prediction and mitigation](https://azure.microsoft.com/blog/advancing-failure-prediction-and-mitigation-introducing-narya/). |

-| VirtualMachinePreempted | If you are running a Spot/Low Priority Virtual Machine, it has been preempted either due to capacity recall by the platform or due to billing-based eviction where cost exceeded user defined thresholds. No other action is required at this time. For more information, see [Spot Virtual Machines](../virtual-machines/spot-vms.md). |

-| VirtualMachineRebootInitiatedByControlPlane | The Virtual Machine is undergoing a reboot as requested by an authorized user or process from within the Virtual machine. No other action is required at this time. |

-| VirtualMachineRedeployInitiatedByControlPlane | The Virtual Machine is being migrated to a different host server as requested by an authorized user or process from within the Virtual machine. No other action is required at this time. Since the Virtual Machine is being migrated to a new host server, the local data will not persist. |

-| VirtualMachineSizeChanged | The Virtual Machine is being resized as requested by an authorized user or process. No other action is required at this time. |

-|VirtualMachineConfigurationUpdated | The Virtual Machine configuration is being updated as requested by an authorized user or process. No other action is required at this time. |

-| VirtualMachineStartInitiatedByControlPlane |The Virtual Machine is starting as requested by an authorized user or process. No other action is required at this time. |

-| VirtualMachineStopInitiatedByControlPlane | The Virtual Machine is stopping as requested by an authorized user or process. No other action is required at this time. |

-| VirtualMachineStoppedInternally | The Virtual Machine is stopping as requested by an authorized user or process, or due to a guest activity from within the Virtual Machine. No other action is required at this time. |

-| VirtualMachineProvisioningTimedOut | The Virtual Machine provisioning has failed due to Guest OS issues or incorrect user run scripts. You can attempt to either re-create this Virtual Machine or if this Virtual Machine is part of a virtual machine scale set, you can try reimaging it. |

-| AccelnetUnhealthy | Applicable if Accelerated Networking is enabled for your Virtual Machine ΓÇô We have detected that the Accelerated Networking feature is not functioning as expected. You can attempt to redeploy your Virtual Machine to potentially mitigate the issue. |

- - [Azure Automation Run As account](../automation/manage-runas-account.md).

-Operating system | Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019 with Desktop experience

-When the disk space runs out, Azure File Sync might not function correctly and can even become unusable. While it's not possible for Azure File Sync to completely prevent these occurrences, the low disk space mode (available in Azure File Sync agent versions starting from 15.1) is designed to prevent a server endpoint from reaching this situation.

-For server endpoints with cloud tiering enabled and volume free space policy set, if the free space on the volume drops below the calculated threshold, then the volume is in low disk space mode.

-| 100 GiB | 10 GiB | 7% (7 GiB) | 7 GiB = Min (10 GiB, 7 GiB, 20 GiB) | 9% (9 GiB) | No | Current Volume Free Space > Threshold |

-| 100 GiB | 10 GiB | 7% (7 GiB) | 7 GiB = Min (10 GiB, 7 GiB, 20 GiB) | 5% (5 GiB) | Yes | Current Volume Free Space < Threshold |

-| 300 GiB | 30 GiB | 8% (24 GiB) | 20 GiB = Min (30 GiB, 24 GiB, 20 GiB) | 7% (21 GiB) | No | Current Volume Free Space > Threshold |

-| 300 GiB | 30 GiB | 8% (24 GiB) | 20 GiB = Min (30 GiB, 24 GiB, 20 GiB) | 6% (18 GiB) | Yes | Current Volume Free Space < Threshold |

-Event ID 19000 is logged to the Telemetry event log every minute for each server endpoint. Use this event to determine if the server endpoint is in low disk mode (IsLowDiskMode = true). The Telemetry event log is located in Event Viewer under Applications and Services\Microsoft\FileSync\Agent.

-Invoke-AzStorageSyncChangeDetection -ResourceGroupName "myResourceGroup" -StorageSyncServiceName "myStorageSyncServiceName" -SyncGroupName "mySyncGroupName" -Path "Data","Reporting\Templates"

-The key difference between these two popular routing methods is that in Performance routing method your primary goal is to send traffic to the endpoint that can provide the lowest latency to the caller, whereas, in Geographic routing the primary goal is to enforce a geo fence for your callers so that you can deliberately route them to a specific endpoint. The overlap happens since there's a correlation between geographical closeness and lower latency, although this isn't always true. There might be an endpoint in a different geography that can provide a better latency experience for the caller and in that case Performance routing will send the user to that endpoint but Geographic routing will always send them to the endpoint you've mapped for their geographic region. To further make it clear, consider the following example - with Geographic routing you can make uncommon mappings such as send all traffic from Asia to endpoints in the US and all US traffic to endpoints in Asia. In that case, Geographic routing will deliberately do exactly what you have configured it to do and performance optimization isn't a consideration.

-No, Traffic Manager can't guarantee that the geographic region we infer from the source IP address of a DNS query will always correspond to the user's location due to the following reasons:

-In a profile with Subnet routing, if you have an endpoint with no subnets mapped to it, any request that doesn't match with other endpoints will be directed to here. It's highly recommended that you have such a fallback endpoint in your profile since Traffic Manager will return an NXDOMAIN response if a request comes in and it isn't mapped to any endpoints or if it's mapped to an endpoint but that endpoint is unhealthy.

-In a profile with Subnet routing, if you have an endpoint with that is disabled, Traffic Manager will behave as if that endpoint and the subnet mappings it has doesn't exist. If a query that would have matched with its IP address mapping is received and the endpoint is disabled, Traffic Manager will return a fallback endpoint (one with no mappings) or if such an endpoint isn't present, will return an NXDOMAIN response.

-You can specify the maximum number of endpoints to be returned and MultiValue will return no more than that many healthy endpoints when a query is received. The maximum possible value for this configuration is 10.

-We can't guarantee that the same set of endpoints will be returned in each query. This is also affected by the fact that some of the endpoints might go unhealthy at which point they won't be included in the response

-Yes, Real User Measurements is designed to ingest data collected through different type of end-user clients. This FAQ will be updated as new types of client applications get supported.

-When you embed the measurement script to a web page, it will be possible for others to see the script and your Real User Measurements (RUM) key. But it's important to know that this key is different from your subscription ID and is generated by Traffic Manager to be used only for this purpose. Knowing your RUM key won't compromise your Azure account safety.

-Real User Measurements delivers more value as the number of measurements increase. Having said that, it is your decision as to whether you need to put it in all your web pages or a select few. Our recommendation is to start by putting it in your most visited page where a user is expected to stay on that page five seconds or more.

-When the provided measurement JavaScript is used, Traffic Manager will have visibility into the client IP address of the end user and the source IP address of the local DNS resolver they use. Traffic Manager uses the client IP address only after having it truncated to not be able to identify the specific end user who sent the measurements.

-Traffic View creates its output by processing the data from the seven days preceding the day before when it's viewed by you. This is a moving window and the latest data will be used each time you visit.

-When you use external endpoints hosted outside Azure regions in a Traffic Manager profile, you can choose to have it mapped to an Azure region, which is a proxy for its latency characteristics (this is in fact needed if you use performance routing method). If it has this Azure region mapping, that Azure region's latency metrics will be used when creating the Traffic View output. If no Azure region is specified, the latency information will be empty in the data for those external endpoints.

-During the preview period, Traffic View was enabled at a subscription level. As part of the improvements we made before the general availability, you can now enable Traffic View at a profile level, allowing you to have more granular enabling of this feature. By default, Traffic View will be disabled for a profile.

-Traffic Manager supports adding endpoints using three ways to refer them ΓÇô as a DNS name, as an IPv4 address and as an IPv6 address. If the endpoint is added as an IPv4 or IPv6 address the query response will be of record type A or AAAA, respectively. If the endpoint was added as a DNS name, then the query response will be of record type CNAME. Adding endpoints as IPv4 or IPv6 address is permitted only if the endpoint is of type **External**.

-One common use case for this is specifying host headers so that Traffic Manager requests may get routed correctly to an endpoint hosted in a multi-tenant environment. Another use case of this is to identify Traffic Manager requests from an endpoint's HTTP(S) request logs

-description: This article will help you add, remove, enable and disable endpoints from Azure Traffic Manager.

-# Add, disable, enable, or delete endpoints

-1. From a browser, sign in to the [Azure portal](https://portal.azure.com).

-2. In the portalΓÇÖs search bar, search for the **Traffic Manager profile** name that you want to modify, and then click the Traffic Manager profile in the results that the displayed.

-3. In the **Traffic Manager profile** blade, in the **Settings** section, click **Endpoints**.

-4. In the **Endpoints** blade that is displayed, click **Add**.

- 1. For **Type**, click **Azure endpoint**.

- 4. For **Target resource**, click the **Choose...** selector to list resources under the same subscription in the **Resources blade**. In the **Resource** blade that is displayed, pick the service that you want to add as the first endpoint.

- 5. For **Priority**, select as **1**. This results in all traffic going to this endpoint if it is healthy.

- 7. Click **OK**

-7. When the addition of both endpoints is complete, they are displayed in the **Traffic Manager profile** blade along with their monitoring status as **Online**.

-1. From a browser, sign in to the [Azure portal](https://portal.azure.com).

-2. In the portalΓÇÖs search bar, search for the **Traffic Manager profile** name that you want to modify, and then click the Traffic Manager profile in the results that are displayed.

-3. In the **Traffic Manager profile** blade, in the **Settings** section, click **Endpoints**.

-4. Click the endpoint that you want to disable.

-5. In the **Endpoint** blade, change the endpoint status to **Disabled**, and then click **Save**.

-1. From a browser, sign in to the [Azure portal](https://portal.azure.com).

-2. In the portalΓÇÖs search bar, search for the **Traffic Manager profile** name that you want to modify, and then click the Traffic Manager profile in the results that are displayed.

-3. In the **Traffic Manager profile** blade, in the **Settings** section, click **Endpoints**.

-4. Click the endpoint that you want to enable.

-5. In the **Endpoint** blade, change the endpoint status to **Enabled**, and then click **Save**.

-1. From a browser, sign in to the [Azure portal](https://portal.azure.com).

-2. In the portalΓÇÖs search bar, search for the **Traffic Manager profile** name that you want to modify, and then click the Traffic Manager profile in the results that are displayed.

-3. In the **Traffic Manager profile** blade, in the **Settings** section, click **Endpoints**.

-4. Click the endpoint that you want to delete.

-5. In the **Endpoint** blade, click **Delete**

-1. Create a Log Analytics workspace, if you haven't already. Next, get the workspace ID and primary key by following the instructions in [Use Log Analytics for the diagnostics feature](diagnostics-log-analytics.md#before-you-get-started).

-| Pen | X | | X (as touch) | X\* | | |

-[Connection quality](connection-latency.md) is essential for good user experiences, so it's important to be able to monitor connections for potential issues and troubleshoot problems as they arise. Azure Virtual Desktop offers tools like [Log Analytics](diagnostics-log-analytics.md) that can help you monitor your deployment's connection health. This article will show you how to configure your diagnostic settings to let you collect connection quality data and query data for specific parameters.

-To start collecting connection quality data, youΓÇÖll need to [set up a Log Analytics workspace](diagnostics-log-analytics.md).

-## Before you get started

-Before you can use Log Analytics, you'll need to create a workspace. To do that, follow the instructions in one of the following two articles:

-After you've created your workspace, follow the instructions in [Connect Windows computers to Azure Monitor](../azure-monitor/agents/agent-windows.md#workspace-id-and-key) to get the following information:

-You'll need this information later in the setup process.

-Make sure to review permission management for Azure Monitor to enable data access for those who monitor and maintain your Azure Virtual Desktop environment. For more information, see [Get started with roles, permissions, and security with Azure Monitor](../azure-monitor/roles-permissions-security.md).

-description: How to enable GPU-accelerated rendering and encoding in Azure Virtual Desktop.

-# Configure graphics processing unit (GPU) acceleration for Azure Virtual Desktop

->[!IMPORTANT]

->This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without Azure Resource Manager objects, see [this article](./virtual-desktop-fall-2019/configure-vm-gpu-2019.md).

-Azure Virtual Desktop supports GPU-accelerated rendering and encoding for improved app performance and scalability. GPU acceleration is particularly crucial for graphics-intensive apps and is supported in the following operating systems:

-* Windows 10 version 1511 or newer

-* Windows Server 2016 or newer

->[!NOTE]

-> Multi-session versions of Windows are not specifically listed, however each GPU in NV-series Azure virtual machine comes with a GRID license that supports 25 concurrent users. For more information, see [NV-series](../virtual-machines/nv-series.md).

-Follow the instructions in this article to create a GPU optimized Azure virtual machine, add it to your host pool, and configure it to use GPU acceleration for rendering and encoding. This article assumes you have already [created a host pool](./create-host-pools-azure-marketplace.md) and an [application group](./manage-app-groups.md).

-## Select an appropriate GPU-optimized Azure virtual machine size

-Select one of Azure's [NV-series](../virtual-machines/nv-series.md), [NVv3-series](../virtual-machines/nvv3-series.md), [NVv4-series](../virtual-machines/nvv4-series.md), [NVadsA10 v5-series](../virtual-machines/nva10v5-series.md), or [NCasT4_v3-series](../virtual-machines/nct4-v3-series.md) VM sizes to use as a session host. These are tailored for app and desktop virtualization and enable most apps and the Windows user interface to be GPU accelerated. The right choice for your host pool depends on a number of factors, including your particular app workloads, desired quality of user experience, and cost. In general, larger and more capable GPUs offer a better user experience at a given user density, while smaller and fractional-GPU sizes allow more fine-grained control over cost and quality. Note that NV-series VMs are planned to be retired. For more information, see [NV retirement](../virtual-machines/nv-series-retirement.md).

->[!NOTE]

->Azure's NC, NCv2, NCv3, ND, and NDv2 series VMs are generally not appropriate for Azure Virtual Desktop session hosts. These VMs are tailored for specialized, high-performance compute or machine learning tools, such as those built with NVIDIA CUDA. They do not support GPU acceleration for most apps or the Windows user interface.

-To take advantage of the GPU capabilities of Azure N-series VMs in Azure Virtual Desktop, you must install the appropriate graphics drivers. Follow the instructions at [Supported operating systems and drivers](../virtual-machines/sizes-gpu.md#supported-operating-systems-and-drivers) to install drivers. Only drivers distributed by Azure are supported.

-* For Azure NV-series, NVv3-series or NCasT4_v3-series VMs, only NVIDIA GRID drivers, and not NVIDIA CUDA drivers, support GPU acceleration for most apps and the Windows user interface. If you choose to install drivers manually, be sure to install GRID drivers. If you choose to install drivers using the Azure VM extension, GRID drivers will automatically be installed for these VM sizes.

-* For Azure NVv4-series VMs, install the AMD drivers provided by Azure. You may install them automatically using the Azure VM extension, or you may install them manually.

-After driver installation, a VM restart is required. Use the verification steps in the above instructions to confirm that graphics drivers were successfully installed.

-By default, apps and desktops running on Windows Server are rendered with the CPU and do not leverage available GPUs for rendering. Configure Group Policy for the session host to enable GPU-accelerated rendering:

-1. Connect to the desktop of the VM using an account with local administrator privileges.

-2. Open the Start menu and type "gpedit.msc" to open the Group Policy Editor.

-3. Navigate the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Remote Session Environment**.

-4. Select policy **Use hardware graphics adapters for all Remote Desktop Services sessions** and set this policy to **Enabled** to enable GPU rendering in the remote session.

-Remote Desktop encodes all graphics rendered by apps and desktops (whether rendered with GPU or with CPU) for transmission to Remote Desktop clients. When part of the screen is frequently updated, this part of the screen is encoded with a video codec (H.264/AVC). By default, Remote Desktop does not leverage available GPUs for this encoding. Configure Group Policy for the session host to enable GPU-accelerated frame encoding. Continuing the steps above:

->[!NOTE]

->GPU-accelerated frame encoding is not available in NVv4-series VMs.

-1. Select policy **Configure H.264/AVC hardware encoding for Remote Desktop connections** and set this policy to **Enabled** to enable hardware encoding for AVC/H.264 in the remote session.

- >[!NOTE]

- >In Windows Server 2016, set option **Prefer AVC Hardware Encoding** to **Always attempt**.

-2. Now that the group policies have been edited, force a group policy update. Open the Command Prompt and type:

- ```cmd

- gpupdate.exe /force

- ```

-3. Sign out from the Remote Desktop session.

-## Configure fullscreen video encoding

->[!NOTE]

->Fullscreen video encoding can be enabled even without a GPU present.

-If you often use applications that produce a high-frame rate content, such as 3D modeling, CAD/CAM and video applications, you may choose to enable a fullscreen video encoding for a remote session. Fullscreen video profile provides a higher frame rate and better user experience for such applications at expense of network bandwidth and both session host and client resources. It is recommended to use GPU-accelerated frame encoding for a full-screen video encoding. Configure Group Policy for the session host to enable fullscreen video encoding. Continuing the steps above:

-1. Select policy **Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections** and set this policy to **Enabled** to force H.264/AVC 444 codec in the remote session.

-2. Now that the group policies have been edited, force a group policy update. Open the Command Prompt and type:

- ```cmd

- gpupdate.exe /force

- ```

-3. Sign out from the Remote Desktop session.

-To verify that apps are using the GPU for rendering, try any of the following:

-* For Azure VMs with a NVIDIA GPU, use the `nvidia-smi` utility as described in [Verify driver installation](../virtual-machines/windows/n-series-driver-setup.md#verify-driver-installation) to check for GPU utilization when running your apps.

-* On supported operating system versions, you can use the Task Manager to check for GPU utilization. Select the GPU in the "Performance" tab to see whether apps are utilizing the GPU.

-1. Connect to the desktop of the VM using Azure Virtual Desktop client.

-2. Launch the Event Viewer and navigate to the following node: **Applications and Services Logs** > **Microsoft** > **Windows** > **RemoteDesktopServices-RdpCoreCDV** > **Operational**

-3. To determine if GPU-accelerated encoding is used, look for event ID 170. If you see "AVC hardware encoder enabled: 1" then GPU encoding is used.

-> If you're connecting to your session host outside of Azure Virtual Desktop for testing GPU acceleration, the logs will instead be stored in **Applications and Services Logs** > **Microsoft** > **Windows** > **RemoteDesktopServices-RdpCoreTs** > **Operational** in Event Viewer.

-## Verify fullscreen video encoding

-To verify that Remote Desktop is using fullscreen video encoding:

-1. Connect to the desktop of the VM using Azure Virtual Desktop client.

-2. Launch the Event Viewer and navigate to the following node: **Applications and Services Logs** > **Microsoft** > **Windows** > **RemoteDesktopServices-RdpCoreCDV** > **Operational**

-3. To determine if fullscreen video encoding is used, look for event ID 162. If you see "AVC Available: 1 Initial Profile: 2048" then AVC 444 is used.

-> If you're connecting to your session host outside of Azure Virtual Desktop for testing GPU acceleration, the logs will instead be stored in **Applications and Services Logs** > **Microsoft** > **Windows** > **RemoteDesktopServices-RdpCoreTs** > **Operational** in Event Viewer.

-These instructions should have you up and running with GPU acceleration on one session host (one VM). Some additional considerations for enabling GPU acceleration across a larger host pool:

-* Consider using a [VM extension](../virtual-machines/extensions/overview.md) to simplify driver installation and updates across a number of VMs. Use the [NVIDIA GPU Driver Extension](../virtual-machines/extensions/hpccompute-gpu-windows.md) for VMs with NVIDIA GPUs, and use the [AMD GPU Driver Extension](../virtual-machines/extensions/hpccompute-amd-gpu-windows.md) for VMs with AMD GPUs.

-* Consider using Active Directory Group Policy to simplify group policy configuration across a number of VMs. For information about deploying Group Policy in the Active Directory domain, see [Working with Group Policy Objects](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).

-| `*.prod.warm.ingest.monitor.core.windows.net` | 443 | Agent traffic | AzureMonitor |

-| `*.prod.warm.ingest.monitor.core.usgovcloudapi.net` | 443 | Agent traffic | AzureMonitor |

-The following table lists whether the Windows Desktop client, Azure Virtual Desktop Store app or macOS client supports specific features for Teams on Azure Virtual Desktop. Other clients are not supported.

-| Noise suppression | 1.2.3316 and later | 10.8.1 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version |

-The web client supports Input Method Editor (IME) in the remote session. Before you can use the IME, you must install the language pack for the keyboard you want to use in the remote session must be installed on your session host by your admin. To learn more about setting up language packs in the remote session, see [Add language packs to a Windows 10 multi-session image](../language-packs.md).

-An [Azure Automation Run As account](../../automation/manage-runas-account.md) provides authentication for managing resources in Azure with Azure cmdlets. When you create a Run As account, it creates a new service principal user in Azure Active Directory and assigns the Contributor role to the service principal user at the subscription level. An Azure Run As account is a great way to authenticate securely with certificates and a service principal name without needing to store a username and password in a credential object. To learn more about Run As account authentication, see [Limit Run As account permissions](../../automation/manage-runas-account.md#limit-run-as-account-permissions).

-| Insider | 1.2.4582 | [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233) *(most common)*<br />[Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144)<br />[Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368) |

-Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369), [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139456), [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139370)

-Depending on the workloads' Linux distro and version needs, both the [CentOS-HPC VM images](#centos-hpc-vm-images) and [Ubuntu-HPC VM images](#ubuntu-hpc-vm-images) in the Marketplace are the easiest way to get started with HPC and AI workloads on Azure.

-Currently only the [Ubuntu-HPC VM images](#ubuntu-hpc-vm-images) and [CentOS-HPC VM images](#centos-hpc-vm-images) version 7.9 come preconfigured with the NVIDIA GPU drivers and GPU compute software stack (CUDA, NCCL).

-For SR-IOV enabled [RDMA capable VMs](sizes-hpc.md#rdma-capable-instances), [Ubuntu-HPC VM images](#ubuntu-hpc-vm-images) and CentOS-HPC VM images version 7.6 and later are suitable. These VM images come preconfigured with the Mellanox OFED drivers for RDMA and commonly used MPI libraries and scientific computing packages. Refer to the [VM size support matrix](#vm-sizes-supported-by-the-hpc-vm-images).

-> Among the CentOS-HPC VM images, currently only the version 7.9 VM image additionally comes preconfigured with the NVIDIA GPU drivers and GPU compute software stack (CUDA, NCCL). CentOS 7 is currently the only supported CentOS version, which will continue to receive community security patches and bug fix updates until June 2024. Therefore, we are not releasing any new CentOS HPC images to Azure marketplace. You can still use our CentOS HPC version 7.9 images, but it is suggested to consider moving to our AlmaLinux HPC images alternatives in Azure marketplace, which have the same set of drivers installed as Ubuntu/CentOS.

-#### Ubuntu-HPC VM images

-For SR-IOV enabled [RDMA capable VMs](sizes-hpc.md#rdma-capable-instances), Ubuntu-HPC VM images versions 18.04 and 20.04 are suitable. These VM images come preconfigured with the Mellanox OFED drivers for RDMA, NVIDIA GPU drivers, GPU compute software stack (CUDA, NCCL), and commonly used MPI libraries and scientific computing packages. Refer to the [VM size support matrix](#vm-sizes-supported-by-the-hpc-vm-images).

- ```output

- "publisher": "Microsoft-DSVM",

- "offer": "Ubuntu-HPC",

- ```