+Example: If you're using a Salesforce Sandbox, you might need to append another suffix to all your user names before synchronizing them.

+The CDate function returns a UTC DateTime from a string. DateTime isn't a native attribute type but it can be used within date functions such as [FormatDateTime](#formatdatetime) and [DateAdd](#dateadd).

+Returns the first source value that isn't NULL. If all arguments are NULL and defaultValue is present, the defaultValue will be returned. If all arguments are NULL and defaultValue isn't present, Coalesce returns NULL.

+Example: You wish to flow the mail attribute if it is present. If it isn't, you wish to flow the value of userPrincipalName instead.

+When passing a date string as input, use [CDate](#cdate) function to wrap the datetime string. To get system time in UTC, use the [Now](#now) function.

+When passing a date string as input, use [CDate](#cdate) function to wrap the datetime string. To get system time in UTC, use the [Now](#now) function.

+| **dateTimeStyles** | Optional | String | Use this parameter to specify the formatting options that customize string parsing for some date and time parsing methods. For supported values, see [DateTimeStyles doc](/dotnet/api/system.globalization.datetimestyles). If left empty, the default value used is DateTimeStyles.RoundtripKind, DateTimeStyles.AllowLeadingWhite, DateTimeStyles.AllowTrailingWhite |

+The above expression first evaluates the [Switch](#switch) function. If the *prefix* attribute doesn't have any of the values listed within the *Switch* function, then *Switch* will return an empty string and the attribute *personalTitle* will not be included in the provisioning flow to on-premises Active Directory.

+* The IIF function currently doesn't support AND and OR logical operators.

+Returns True if the attribute isn't present.

+Returns True if the attribute isn't present or is an empty string.

+If the expression evaluates to a string that isn't Null and isn't empty, then the IsPresent function returns true. The inverse of this function is named IsNullOrEmpty.

+`Item([proxyAddresses], 1)` returns the first item in the multi-valued attribute. Index 0 shouldn't be used.

+| **length** |Required |Integer |Length of the substring. If length ends outside the **source** string, function will return substring from **start** index until end of **source** string. |

+* If the *wordSeparators* parameter isn't specified, then PCase internally invokes the .NET function [ToTitleCase](/dotnet/api/system.globalization.textinfo.totitlecase) to convert the *source* string to proper case. The .NET function *ToTitleCase* supports a comprehensive set of the [Unicode character categories](https://www.unicode.org/reports/tr44/#General_Category_Values) as word separators.

+Let's say you're sourcing the attributes *firstName* and *lastName* from SAP SuccessFactors and in HR both these attributes are in upper-case. Using the PCase function, you can convert the name to proper case as shown below.

+| `PCase([firstName])` | *firstName* = "PABLO GONSALVES (SECOND)" | "Pablo Gonsalves (Second)" | As the *wordSeparators* parameter isn't specified, the *PCase* function uses the default word separators character set. |

+| `PCase(Join(" ",[firstName],[lastName]))` | *firstName* = GREGORY, *lastName* = "JAMES" | "Gregory James" | You can nest the Join function within PCase. As the *wordSeparators* parameter isn't specified, the *PCase* function uses the default word separators character set. |

+RandomString(Length, MinimumNumbers, MinimumSpecialCharacters, MinimumCapital, MinimumLowerCase, CharactersToAvoid)

+Let's say you want to always generate login ID in the format `<username>@contoso.com`. There is a source attribute called **UserID** and you want that value to be used for the `<username>` portion of the login ID.

+Let's say you have a source attribute `telephoneNumber` that has components `country code` and `phone number` separated by a space character. For example, `+91 9998887777`

+Let's say your source system has an attribute AddressLineData with two components street number and street name. As part of a recent move, let's say the street number of the address changed, and you want to update only the street number portion of the address line.

+Here is another example where the domain suffix from a UPN is replaced with an empty string to generate login ID without domain suffix.

+Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory. The first unique value found will be the one returned. If all of the values already exist in the target, the entry will get escrowed, and the reason gets logged in the audit logs. There is no upper bound to the number of arguments that can be provided.

+ - The LDAP search that *SelectUniqueValue* function performs in on-premises Active Directory doesn't escape special characters like diacritics. If you pass a string like "Jéssica Smith" that contains a special character, you will encounter processing errors. Nest the [NormalizeDiacritics](#normalizediacritics) function as shown in the example below to normalize special characters.

+Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application. This function is required to convert the appRoleAssignments object into a single role name string. The best practice is to ensure only one appRoleAssignment is assigned to one user at a time. This function isn't supported in scenarios where users have multiple app role assignments.

+When **source** value matches a **key**, returns **value** for that **key**. If **source** value doesn't match any keys, returns **defaultValue**. **Key** and **value** parameters must always come in pairs. The function always expects an even number of parameters. The function shouldn't be used for referential attributes such as manager.

+> [!CAUTION]

+> For the **source** parameter, do not use the nested functions IsPresent, IsNull or IsNullOrEmpty. Instead use a literal empty string as one of the key values.

+> Example: `Switch([statusFlag], "Default Value", "true", "1", "", "0")`. In this example, if the **source** attribute `statusFlag` is empty, the Switch function will return the value 0.

+If you would like to set existing values in the target system to lower case, [update the schema for your target application](./customize-application-attributes.md#editing-the-list-of-supported-attributes) and set the property caseExact to 'true' for the attribute that you're interested in.

+| **culture** |Optional |String |The format for the culture name based on RFC 4646 is *languagecode2-country/regioncode2*, where *languagecode2* is the two-letter language code and *country/regioncode2* is the two-letter subculture code. Examples include ja-JP for Japanese (Japan) and en-US for English (United States). In cases where a two-letter language code isn't available, a three-letter code derived from ISO 639-2 is used.|

+If you would like to set existing values in the target system to upper case, [update the schema for your target application](./customize-application-attributes.md#editing-the-list-of-supported-attributes) and set the property caseExact to 'true' for the attribute that you're interested in.

+| **culture** |Optional |String |The format for the culture name based on RFC 4646 is *languagecode2-country/regioncode2*, where *languagecode2* is the two-letter language code and *country/regioncode2* is the two-letter subculture code. Examples include ja-JP for Japanese (Japan) and en-US for English (United States). In cases where a two-letter language code isn't available, a three-letter code derived from ISO 639-2 is used.|

+If string contains less than number words, or string doesn't contain any words identified by delimiters, an empty string is returned.

+- [Require a password change for users that are high-risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-policy-in-conditional-access)

+- [Require MFA for users with medium or high sign in risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#sign-in-risk-policy-in-conditional-access)

+- [OAuth 2.0 authorization code flow on the Microsoft identity platform](v2-oauth2-auth-code-flow.md)

+- [OpenID Connect on the Microsoft identity platform](v2-protocols-oidc.md)

+- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.

+- For information about the required format of JWTs created by external identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format).

+- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.

+*issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+- *Issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+- *issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+- For information about the required format of JWTs created by external identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format).

+ Title: Create an access review of Privileged Access Groups - Azure AD (preview)

+description: Learn how to create an access review of Privileged Access Groups in Azure Active Directory.

+editor: markwahl-msft

+ na

+

+# Create an access review of Privileged Access Groups in Azure AD (preview)

+This article describes how to create one or more access reviews for Privileged Access Groups, which will include the active members of the group as well as the eligible members. Reviews can be performed on both active members of the group, who are active at the time the review is created, and the eligible members of the group.

+## Prerequisites

+- Azure AD Premium P2.

+- Only Global administrators and Privileged Role administrators can create reviews on Privileged Access Groups. For more information, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md).

+For more information, see [License requirements](access-reviews-overview.md#license-requirements).

+## Create a Privileged Access Group access review

+### Scope

+1. Sign in to the Azure portal and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.

+2. On the left menu, select **Access reviews**.

+3. Select **New access review** to create a new access review.

+ 

+4. In the **Select what to review** box, select **Teams + Groups**.

+ 

+5. Select **Teams + Groups** and then select **Select Teams + groups** under **Review Scope**. A list of groups to choose from appears on the right.

+ 

+> [!NOTE]

+> When a Privileged Access Group (PAG) is selected, the users under review for the group will include all eligible users and active users in that group.

+6. Now you can select a scope for the review. Your options are:

+ - **Guest users only**: This option limits the access review to only the Azure AD B2B guest users in your directory.

+ - **Everyone**: This option scopes the access review to all user objects associated with the resource.

+7. If you are conducting group membership review, you can create access reviews for only the inactive users in the group. In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review will focus on inactive users only, those who have not signed in either interactively or non-interactively to the tenant. Then, specify **Days inactive** with a number of days inactive up to 730 days (two years). Users in the group inactive for the specified number of days will be the only users in the review.

+> [!NOTE]

+> Recently created users are not affected when configuring the inactivity time. The Access Review will check if a user has been created in the time frame configured and disregard users who havenΓÇÖt existed for at least that amount of time. For example, if you set the inactivity time as 90 days and a guest user was created or invited less than 90 days ago, the guest user will not be in scope of the Access Review. This ensures that a user can sign in at least once before being removed.

+8. Select **Next: Reviews**.

+After you have reached this step, you may follow the instructions outlined under **Next: Reviews** in the [Create an access review of groups or applications](create-access-review.md#next-reviews) article to complete your access review.

+> [!NOTE]

+> Review of Privileged Access Groups will only assign active owner(s) as the reviewers. Eligible owners are not included. At least one fallback reviewer is required for a Privileged Access Groups review. If there are no active owner(s) when the review begins, the fallback reviewer(s) will be assigned to the review.

+## Next steps

+- [Create an access review of groups or applications](create-access-review.md)

+- [Approve activation requests for privileged access group members and owners (preview)](../privileged-identity-management/groups-approval-workflow.md)

+ >[!IMPORTANT]

+ > For Privileged Access Groups (Preview), you must select **Group owner(s)**. It is mandatory to assign at least one fallback reviewer to the review. The review will only assign active owner(s) as the reviewer(s). Eligible owners are not included. If there are no active owners when the review begins, the fallback reviewer(s) will be assigned to the review.

+- [Complete an access review of groups or applications](complete-access-review.md)

+- [Create an access review of Privileged Access Groups (preview)](create-access-review-privileged-access-groups.md)

+1. If you selected **Manager** as the first approver, select **Add fallback to select one, or more users or groups in your directory to be a fallback approver. Fallback approvers receive the request if entitlement management can't find the manager for the user requesting access.

+1. If you selected **Choose specific approvers**, select **Add approvers** to choose one, or more, users or groups in your directory to be approvers.

+ Requests can only be forwarded to alternate approvers a day after the request duration reaches half-life, and the decision of the main approver(s) has to time out after at least four days. If the request time-out is less or equal than three, there isn't enough time to forward the request to alternate approver(s). In this example, the duration of the request is 14 days. So, the request duration reaches half-life at day 7. So the request can't be forwarded earlier than day 8. Also, requests can't be forwarded on the last day of the request duration. So in the example, the latest the request can be forwarded is day 13.

+In order to make sure users are getting access to the right access packages, you can require requestors to answer custom text field or Multiple Choice questions at the time of request. There's a limit of 20 questions per policy and a limit of 25 answers for Multiple Choice questions. The questions will then be shown to approvers to help them make a decision.

+1. Select the **Answer format** in which you would like requestors to answer. Answer formats include: *short text*, *Multiple Choice*, and *long text*.

+1. If selecting Multiple Choice, select on the **Edit and localize** button to configure the answer options.

+ 1. If you would like to add your own localization for the Multiple Choice options, select the **Optional language code** for the language in which you want to localize a specific option.

+ 1. Once you've added all of the localizations needed for each Multiple Choice option, select **Save**.

+1. If you would like to include a syntax check for text answers to questions, you can also specify a custom regex pattern.

+ :::image type="content" source="media/entitlement-management-access-package-approval-policy/add-regex-localization.png" alt-text="Screenshot of the add regex localization policy." lightbox="media/entitlement-management-access-package-approval-policy/add-regex-localization.png":::

+ Title: How to use the BypassDirSyncOverrides feature of an Azure AD tenant

+description: Describes how to use bypassdirsyncoverrides tenant feature to restore synchronization of Mobile and OtherMobile attributes from on-premises Active Directory.

+# How to use the BypassDirSyncOverrides feature of an Azure AD tenant.

+This article describes the _BypassDirsyncOverrides_ΓÇ» feature and how to restore synchronization of Mobile and otherMobile attributes from Azure AD to on-premises Active Directory.

+Generally, synchronized users cannot be changed from Azure or Microsoft 365 admin portals, neither through PowerShell using AzureAD or MSOnline modules. The exception to this is the Azure AD user’s attributes called _MobilePhone_ and _AlternateMobilePhones_. These attributes are synchronized from on-premises Active Directory attributes mobile and otherMobile, respectively, but end users can update their own phone number in _MobilePhone_ attribute in Azure AD through their profile page. Admins can also update synchronized user’s _MobilePhone_ and _AlternateMobilePhones_ values in Azure AD using MSOnline PowerShell module.

+Giving users and admins the ability to update phone numbers directly in Azure AD enables enterprises to reduce the administrative overhead of managing userΓÇÖs phone numbers in local Active Directory as these can change more frequently.

+The caveat however, is that once a synchronized user's _MobilePhone_ or _AlternateMobilePhones_ number is updated via admin portal or PowerShell, the synchronization API will no longer honor updates to these attributes when they originate from on-premises Active Directory. This is commonly known as a _“DirSyncOverrides”_ feature. Administrators will notice this behavior when updates to Mobile or otherMobile attributes in Active Directory, do not update the correspondent user’s MobilePhone or AlternateMobilePhones in Azure AD accordingly, even though, the object is successfully synchronized through Azure AD Connect's engine.

+## Identifying users with different Mobile and otherMobile values

+You can export a list of users with different Mobile and otherMobile values between Active Directory and Azure Active Directory using _‘Compare-ADSyncToolsDirSyncOverrides’_ from _ADSyncTools_ PowerShell module. This will allow you to determine the users and respective values that are different between on-premises Active Directory and Azure Active Directory. This is important to know because enabling the _BypassDirSyncOverrides_ feature will overwrite all the different values in Azure Active Directory with the value coming from on-premises Active Directory.

+### Using Compare-ADSyncToolsDirSyncOverrides

+As a prerequisite you need to be running Azure AD Connect version 2 or later and install the latest ADSyncTools module from PowerShell Gallery with the following command:

+```powershell

+Install-Module ADSyncTools

+```

+To compare all the synchronized userΓÇÖs Mobile and OtherMobile values, run the following command:

+```powershell

+Compare-ADSyncToolsDirSyncOverrides -Credential $(Get-Credential)

+```

+>[!NOTE]

+> The target API used by this feature does not handle authentication user interactions. MFA or conditional policies will block authentication. When prompted to enter credentials, please use a Global Administrator account that doesn't have MFA enabled or any conditional access policy applied. As a last resort, please create a temporary Global Administrator user account without MFA or Conditional Access that can be deleted after completing the desired operations using the BypassDirSyncOverridees feature.

+This function will export a CSV file with a list of users where Mobile or OtherMobile values in on-premises Active Directory are different than the respective MobilePhone or AlternateMobilePhones in Azure AD.

+At this stage you can use this data to reset the values of the on-premises Active Directory _Mobile_ and _otherMobile_ properties to the values that are present in Azure Active Directory. This way you can capture the most updated phone numbers from Azure AD and persist this data in on-premises Active Directory, before enabling _BypassDirSyncOverrides_ feature. To do this, import the data from the resulting CSV file and then use the _'Set-ADSyncToolsDirSyncOverrides'_ from _ADSyncTools_ module to persist the value in on-premises Active Directory.

+For example, to import data from the CSV file and extract the values in Azure AD for a given UserPrincipalName, use the following command:

+```powershell

+$upn = '<UserPrincipalName>'

+$user = Import-Csv 'ADSyncTools-DirSyncOverrides_yyyyMMMdd-HHmmss.csv' |

+where UserPrincipalName -eq $upn |

+select UserPrincipalName,*InAAD

+Set-ADSyncToolsDirSyncOverridesUser -Identity $upn -MobileInAD $user.MobileInAAD

+```

+## Enabling BypassDirSyncOverrides feature

+By default, _BypassDirSyncOverrides_ feature is turned off. Enabling _BypassDirSyncOverrides_ allows your tenant to bypass any changes made in _MobilePhone_ or _AlternateMobilePhones_ by users or admins directly in Azure AD and always honor the values present in on-premises Active Directory _Mobile_ or _OtherMobile_.

+If you do not wish to have end users updating their own mobile phone number or there is no requirement to have admins updating mobile or alternative mobile phone numbers using PowerShell, you should leave the feature _BypassDirsyncOverrides_ enabled on the tenant.

+With this feature turned on, even if an end user or admin updates either _MobilePhone_ or _AlternateMobilePhones_ in Azure Active Directory, the values synchronized from on-premises Active Directory will persist upon the next sync cycle. This means that any updates to these values only persist when the update is performed in on-premises Active Directory and then synchronized to Azure Active Directory.

+### Enable the _BypassDirSyncOverrides_ feature:

+To enable BypassDirSyncOverrides  feature use the MSOnline PowerShell module.

+```powershell

+Set-MsolDirSyncFeature -Feature BypassdirSyncOverrides -Enable $true

+```

+Once the feature is enabled, start a full synchronization cycle in Azure AD Connect using the following command:

+```powershell

+Start-ADSyncSyncCycle -PolicyType Initial

+```

+[!NOTE] Only objects with a different _MobilePhone_ or _AlternateMobilePhones_ value from on-premises Active Directory will be updated.

+### Verify the status of the _BypassDirSyncOverrides_ feature:

+```powershell

+Get-MsolDirSyncFeatures -Feature BypassdirSyncOverrides

+```

+## Disabling _BypassDirSyncOverrides_ feature

+If you desire to restore the ability to update mobile phone numbers from the portal or PowerShell, you can disable _BypassDirSyncOverrides_ feature using the following Microsoft Online PowerShell module command:

+```powershell

+Set-MsolDirSyncFeature -Feature BypassdirSyncOverrides -Enable $false

+```

+When this feature is turned off, anytime a user or admin updates the _MobilePhone_ or _AlternateMobilePhones_ directly in Azure AD, a _DirSyncOverrides_ is created which prevents any future updates to these attributes coming from on-premises Active Directory. From this point on, a user or admin can only manage these attributes from Azure AD as any new updates from on-premises _Mobile_ or _OtherMobile_ will be dismissed.

+## Managing mobile phone numbers in Azure AD and on-premises Active Directory

+To manage the userΓÇÖs phone numbers, an admin can use the following set of functions from _ADSyncTools_ module to read, write and clear the values in either Azure AD or on-premises Active Directory.

+### Get _Mobile_ and _OtherMobile_ properties from on-premises Active Directory:

+```powershell

+Get-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -FromAD

+```

+### Get _MobilePhone_ and _AlternateMobilePhones_ properties from Azure AD:

+```powershell

+Get-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -FromAzureAD

+```

+### Set _MobilePhone_ and _AlternateMobilePhones_ properties in Azure AD:

+```powershell

+Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD '999888777' -OtherMobileInAD '0987654','1234567'

+```

+### Set _Mobile_ and _otherMobile_ properties in on-premises Active Directory:

+```powershell

+Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD '999888777' -AlternateMobilePhonesInAAD '0987654','1234567'

+```

+### Clear _MobilePhone_ and _AlternateMobilePhones_ properties in Azure AD:

+```powershell

+Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD -OtherMobileInAD

+```

+### Clear _Mobile_ and _otherMobile_ properties in on-premises Active Directory:

+```powershell

+Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD -AlternateMobilePhonesInAAD

+```

+## Next Steps

+Learn more about [Azure AD Connect: ADSyncTools PowerShell Module](reference-connect-adsynctools.md)

+## 2.1.18.0

+### Release status:

+10/5/2022: Released for download

+### Bug fixes

+ - we fixed a bug where upgrade from version 1.6 to version 2.1 got stuck in a loop due to IsMemberOfLocalGroup enumeration.

+ - we fixed a bug where the Azure AD Connect Configuration Wizard was sending incorrect credentials (username format) while validating if Enterprise Admin.

+ Title: Azure AD Identity Protection risk-based access policies

+description: Identifying risk-based Conditional Access policies

+# Risk-based access policies

+Access control policies can be applied to protect organizations when a sign-in or user is detected to be at risk. Such policies are called **risk-based policies**.

+Azure AD Conditional Access offers two risk conditions: **Sign-in risk** and **User risk**. Organizations can create risk-based Conditional Access policies by configuring these two risk conditions and choosing an access control method. During each sign-in, Identity Protection sends the detected risk levels to Conditional Access, and the risk-based policies will apply if the policy conditions are satisfied.

+

+For example, as shown in the diagram below, if organizations have a sign-in risk policy that requires multifactor authentication when the sign-in risk level is medium or high, their users must complete multifactor authentication when their sign-in risk is medium or high.

+

+The example above also demonstrates a main benefit of a risk-based policy: **automatic risk remediation**. When a user successfully completes the required access control, like a secure password change, their risk is remediated. That sign-in session and user account won't be at risk, and no action is needed from the administrator.

+Allowing users to self-remediate using this process will significantly reduce the risk investigation and remediation burden on the administrators while protecting your organizations from security compromises. More information about risk remediation can be found in the article, [Remediate risks and unblock users](howto-identity-protection-remediate-unblock.md).

+## Sign-in risk-based Conditional Access policy

+During each sign-in, Identity Protection analyzes hundreds of signals in real-time and calculates a sign-in risk level that represents the probability that the given authentication request isn't authorized. This risk level then gets sent to Conditional Access, where the organization's configured policies are evaluated. Administrators can configure sign-in risk-based Conditional Access policies to enforce access controls based on sign-in risk, including requirements such as:

+If risks are detected on a sign-in, users can perform the required access control such as multifactor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.

+

+> [!NOTE]

+> Users must have previously registered for Azure AD multifactor authentication before triggering the sign-in risk policy.

+## User risk-based Conditional Access policy

+Identity Protection analyzes signals about user accounts and calculates a risk score based on the probability that the user has been compromised. If a user has risky sign-in behavior, or their credentials have been leaked, Identity Protection will use these signals to calculate the user risk level. Administrators can configure user risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as:

+- Block access

+- Allow access but require a secure password change using [Azure AD self-service password reset](../authentication/howto-sspr-deployment.md).

+A secure password change will remediate the user risk and close the risky user event to prevent unnecessary noise for administrators.

+## Identity Protection policies

+While Identity Protection also offers a user interface for creating user risk policy and sign-in risk policy, we highly recommend that you [use Azure AD Conditional Access to create risk-based policies](howto-identity-protection-configure-risk-policies.md) for the following benefits:

+- Rich set of conditions to control access: Conditional Access offers a rich set of conditions such as applications and locations for configuration. The risk conditions can be used in combination with other conditions to create policies that best enforce your organizational requirements.

+- Multiple risk-based policies can be put in place to target different user groups or apply different access control for different risk levels.

+- Conditional Access policies can be created through Microsoft Graph API and can be tested first in report-only mode.

+- Manage all access policies in one place in Conditional Access.

+If you already have Identity Protection risk policies set up, we encourage you to [migrate them to Conditional Access](howto-identity-protection-configure-risk-policies.md#migrate-risk-policies-from-identity-protection-to-conditional-access).

+## Azure AD MFA registration policy

+Identity Protection can help organizations roll out Azure AD multifactor authentication (MFA) using a policy requiring registration at sign-in. Enabling this policy is a great way to ensure new users in your organization have registered for MFA on their first day. Multifactor authentication is one of the self-remediation methods for risk events within Identity Protection. Self-remediation allows your users to take action on their own to reduce helpdesk call volume.

+More information about Azure AD multifactor authentication can be found in the article, [How it works: Azure AD multifactor authentication](../authentication/concept-mfa-howitworks.md).

+- [Enable Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md)

+- [Enable Azure AD multifactor authentication registration policy](howto-identity-protection-configure-mfa-policy.md)

+Identity Protection categorizes risk into three tiers: low, medium, and high. When configuring [Identity protection policies](./concept-identity-protection-policies.md), you can also configure it to trigger upon **No risk** level. No Risk means there's no active indication that the user's identity has been compromised.

+* Require users to register for Azure AD multifactor authentication (MFA)

+1. Complete the guided steps to register for Azure AD multifactor authentication and complete your sign-in.

+# How To: Configure the Azure AD multifactor authentication registration policy

+Azure Active Directory (Azure AD) Identity Protection helps you manage the roll-out of Azure AD multifactor authentication (MFA) registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you're signing in to.

+## What is the Azure AD multifactor authentication registration policy?

+Azure AD multifactor authentication provides a means to verify who you are using more than just a username and password. It provides a second layer of security to user sign-ins. In order for users to be able to respond to MFA prompts, they must first register for Azure AD multifactor authentication.

+We recommend that you require Azure AD multifactor authentication for user sign-ins because it:

+For more information on Azure AD multifactor authentication, see [What is Azure AD multifactor authentication?](../authentication/howto-mfa-getstarted.md)

+- [Enable Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md)

+As we learned in the previous article, [Risk-based access policies](concept-identity-protection-policies.md), there are two types of risk policies in Azure Active Directory (Azure AD) Conditional Access you can set up to automate the response to risks and allow users to self-remediate when risk is detected:

+

+Organizations must decide the level of risk they want to require access control on balancing user experience and security posture.

+Choosing to apply access control on a **High** risk level reduces the number of times a policy is triggered and minimizes the impact to users. However, it excludes **Low** and **Medium** risks from the policy, which may not block an attacker from exploiting a compromised identity. Selecting a **Low** risk level to require access control introduces more user interrupts.

+Organizations can choose to block access when risk is detected. Blocking sometimes stops legitimate users from doing what they need to. A better solution is to allow self-remediation using Azure AD multifactor authentication (MFA) and secure self-service password reset (SSPR).

+### Microsoft's recommendation

+Microsoft recommends the below risk policy configurations to protect your organization:

+- User risk policy

+ - Require a secure password reset when user risk level is **High**. Azure AD MFA is required before the user can create a new password with SSPR to remediate their risk.

+- Sign-in risk policy

+ - Require Azure AD MFA when sign-in risk level is **Medium** or **High**, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.

+Requiring access control when risk level is low will introduce more user interrupts. Choosing to block access rather than allowing self-remediation options, like secure password reset and multifactor authentication, will impact your users and administrators. Weigh these choices when configuring your policies.

+## Exclusions

+Policies allow for excluding users such as your [emergency access or break-glass administrator accounts](../roles/security-emergency-access.md). Organizations may need to exclude other accounts from specific policies based on the way the accounts are used. Exclusions should be reviewed regularly to see if they're still applicable.

+## Enable policies

+Organizations can choose to deploy risk-based policies in Conditional Access using the steps outlined below or using the [Conditional Access templates (Preview)](../conditional-access/concept-conditional-access-policy-common.md#conditional-access-templates-preview).

+### User risk policy in Conditional Access

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ 1. Under **Configure user risk levels needed for policy to be enforced**, select **High**. ([This guidance is based on Microsoft recommendations and may be different for each organization](#choosing-acceptable-risk-levels))

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+After confirming your settings using [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+### Sign-in risk policy in Conditional Access

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Under **Conditions** > **Sign-in risk**, set **Configure** to **Yes**. Under **Select the sign-in risk level this policy will apply to**. ([This guidance is based on Microsoft recommendations and may be different for each organization](#choosing-acceptable-risk-levels))

+ 1. Select **Grant access**, **Require multifactor authentication**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+After confirming your settings using [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+## Migrate risk policies from Identity Protection to Conditional Access

+While Identity Protection also provides two risk policies with limited conditions, we highly recommend setting up risk-based policies in Conditional Access for the following benefits:

+ - Enhanced diagnostic data

+ - Report-only mode integration

+ - Graph API support

+ - Use more Conditional Access attributes like sign-in frequency in the policy

+If you already have risk policies enabled in Identity Protection, we highly recommend that you migrate them to Conditional Access:

+

+### Migrating to Conditional Access

+1. **Create an equivalent** [user risk-based](#user-risk-policy-in-conditional-access) and [sign-in risk-based ](#sign-in-risk-policy-in-conditional-access) policy in Conditional Access in report-only mode. You can create a policy with the steps above or using [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md#common-conditional-access-policies) based on Microsoft's recommendations and your organizational requirements.

+ 1. Ensure that the new Conditional Access risk policy works as expected by testing it in [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md).

+1. **Enable** the new Conditional Access risk policy. You can choose to have both policies running side-by-side to confirm the new policies are working as expected before turning off the Identity Protection risk policies.

+ 1. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**.

+ 1. Select this new policy to edit it.

+ 1. Set **Enable policy** to **On** to enable the policy

+1. **Disable** the old risk policies in Identity Protection.

+ 1. Browse to **Azure Active Directory** > **Identity Protection** > Select the **User risk** or **Sign-in risk** policy.

+ 1. Set **Enforce policy** to **Off**

+1. Create other risk policies if needed in [Conditional Access](../conditional-access/concept-conditional-access-policy-common.md).

+- [Enable Azure AD multifactor authentication registration policy](howto-identity-protection-configure-mfa-policy.md)

+- [Require reauthentication every time](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time)

+If you allow users to self-remediate, with Azure AD multifactor authentication (MFA) and self-service password reset (SSPR) in your risk policies, they can unblock themselves when risk is detected. These detections are then considered closed. Users must have previously registered for Azure AD MFA and SSPR for use when risk is detected.

+- A test account that isn't yet registered for Azure AD multifactor authentication.

+- Azure AD multifactor authentication enabled.

+- [Create an access review of Privileged Access Groups (preview)](../governance/create-access-review-privileged-access-groups.md)

+As an IT administrator, you need to understand trends in identity risks and gaps in your policy implementations, to ensure you're best protecting your organizations from identity compromise. The identity protection risk analysis workbook helps you analyze the state of risk in your organization.

+- **[Enable risky sign-in policies](../identity-protection/concept-identity-protection-policies.md#sign-in-risk-based-conditional-access-policy)** - To prompt for multi-factor authentication (MFA) on medium risk or above. Enabling the policy reduces the proportion of active real-time risk detections by allowing legitimate users to self-remediate the risk detections with MFA.

+- **[Enable a risky user policy](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-policy-in-conditional-access)** - To enable users to securely remediate their accounts when they're high risk. Enabling the policy reduces the number of active at-risk users in your organization by returning the userΓÇÖs credentials to a safe state.

+- To add existing users, groups, or devices:

+ - Privileged Role Administrator or Global Administrator

+- To create new groups:

+ - Groups Administrator (scoped to the administrative unit or entire directory) or Global Administrator

+- Manage all aspects of Entra Permissions Management, when the service is present

+## OIDC Issuer

+> Enable or disable OIDC Issuer changes the current service account token issuer to a new value, which can cause down time and restarts the API server. If the application pods using a service token remain in a failed state after you enable or disable the OIDC Issuer, we recommend you manually restart the pods.

+### Prerequisites

+* The Azure CLI version 2.42.0 or higher. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+* AKS version 1.22 and higher. If your cluster is running version 1.21 and the OIDC Issuer preview is enabled, we recommend you upgrade the cluster to the minimum required version supported.

+### Rotate the OIDC key

+To rotate the OIDC key, perform the following command. Replace the default values for the cluster name and the resource group name.

+```azurecli-interactive

+az aks oidc-issuer rotate-signing-keys -n myAKSCluster -g myResourceGroup

+```

+> [!Important]

+> Once you rotate the key, the old key (key1) expires after 24 hours. This means that both the old key (key1) and the new key (key2) are valid within the 24-hour period. If you want to invalidate the old key (key1) immediately, you need to rotate the OIDC key twice. Then key2 and key3 are valid, and key1 is invalid.

+- Learn how to [upgrade the node images](node-image-upgrade.md) in your cluster.

+[enable-oidc-issuer]: cluster-configuration.md#oidc-issuer

+You must have registered the `Microsoft.ContainerService` and `Microsoft.KubernetesConfiguration` providers on your subscription using the `az provider register` command:

+az provider register --namespace Microsoft.KubernetesConfiguration --wait

+ >

+ > To ensure you're searching for Kubernetes applications, include the term `KubernetesApps` in your search.

+* The Azure CLI version 2.28.0 and higher.

+* The aks-preview extension 0.5.29 or higher.

+* If using ARM or the Azure REST API, the AKS API version must be 2021-05-01 or higher.

+* Azure Private Link service is supported on Standard Azure Load Balancer only. Basic Azure Load Balancer isn't supported.

+* To use a custom DNS server, add the Azure public IP address 168.63.129.16 as the upstream DNS server in the custom DNS server. For more information about the Azure IP address, see [What is IP address 168.63.129.16?][virtual-networks-168.63.129.16]

+### Default basic networking

+Where `--enable-private-cluster` is a mandatory flag for a private cluster.

+## Use custom domains

+If you want to configure custom domains that can only be resolved internally, see [Use custom domains][use-custom-domains] for more information.

+## Configure Private DNS Zone

+2. Select the private DNS zone.

+## Limitations

+* Deleting or modifying the private endpoint in the customer subnet will cause the cluster to stop functioning.

+[use-custom-domains]: coredns-custom.md#use-custom-domains

+By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit *deny all* exists at the end of the list. To learn more about access restrictions, go to the [access restrictions overview](./overview-access-restrictions.md).

+|`WEBSITE_HEALTHCHECK_MAXUNHEALTHYWORKERPERCENT` | 1 - 100 | By default, no more than half of the instances will be excluded from the load balancer at one time to avoid overwhelming the remaining healthy instances. For example, if an App Service Plan is scaled to four instances and three are unhealthy, two will be excluded. The other two instances (one healthy and one unhealthy) will continue to receive requests. In the worst-case scenario where all instances are unhealthy, none will be excluded. <br /> To override this behavior, set app setting to a value between `0` and `100`. A higher value means more unhealthy instances will be removed (default value is `50`). |

+* When **Route All** is enabled, the source address for your outbound public traffic from your app is still one of the IP addresses that are listed in your app properties. If you route your traffic through a firewall or a NAT gateway, the source IP address will then originate from this service.

+ - Update scope to include Windows apps

+ - Update scope to include Windows apps

+- **App Service Environment apps should not be reachable over public internet**

+ - Modify policy definition to remove check on API version

+You can do that by passing a custom name resolver during configuration. You include placeholders in trigger or binding attribute constructor parameters, and your resolver code provides the actual values to be used in place of those placeholders. You identify placeholders by surrounding them with percent (%) signs, as shown here:

+There's a default resolver that takes effect if you don't provide a custom one. The default gets values from app settings or environment variables.

+Starting in .NET Core 3.1, the [`ConfigurationManager`](/dotnet/api/system.configuration.configurationmanager) you use requires the [System.Configuration.ConfigurationManager NuGet package](https://www.nuget.org/packages/System.Configuration.ConfigurationManager). The sample requires the following `using` statement:

+```cs

+using System.Configuration;

+```

+Your `NameResolver` class gets the queue name from app settings, as shown here:

+ In this guide, you'll learn how to add Form Recognizer to your applications and workflows using a programming language SDK of your choice or the REST API. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key text and structure elements from documents. We recommend that you use the free service as you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+Choose from the following Form Recognizer models to analyze and extract data and values from forms and documents:

+> * The [prebuilt-invoice](../concept-invoice.md) model extracts key fields and line items from sales invoices in various formats and quality including phone-captured images, scanned documents, and digital PDFs.

+> * The [prebuilt-idDocument](../concept-id-document.md) model extracts key information from US drivers licenses, international passport biographical pages, US state IDs, social security cards, and permanent resident (green) cards.

+> * With the release of API versions 2022-06-30-preview and later, custom template models will add support for [cross page tabular fields (tables)](../concept-custom-template.md#tabular-fields).

+> * With the release of API versions 2022-06-30-preview and later, custom neural models will support [tabular fields (tables)](../concept-custom-template.md#tabular-fields) and models trained with API version 2022-08-31, or later will accept tabular field labels.

+Curl on provided ODS endpoint.

+| OpenShift 4.10.32 | v1.23.5 | v1.11.0_2022-09-13 | 16.0.312.4243 | postgres 12.3 (Ubuntu 12.3-1)|

+To disconnect using a service principal, run the command below. Be sure to specify a service principal that has the required roles for disconnecting servers; this will not be the same service principal that was used to onboard the server:

+ --template-uri "https://raw.githubusercontent.com/Azure-Samples/azure-event-grid-viewer/main/azuredeploy.json" \

+ -TemplateUri "https://raw.githubusercontent.com/Azure-Samples/azure-event-grid-viewer/main/azuredeploy.json" `

+For more information, see the [StackExchange.Redis](https://github.com/StackExchange/StackExchange.Redis) documentation on GitHub. For more usage scenarios, see the [StackExchange.Redis.Tests](https://github.com/StackExchange/StackExchange.Redis/tree/main/tests) unit tests.

+## Cancellation tokens

+A function can accept a [CancellationToken](/dotnet/api/system.threading.cancellationtoken) parameter, which enables the operating system to notify your code when the function is about to be terminated. You can use this notification to make sure the function doesn't terminate unexpectedly in a way that leaves data in an inconsistent state.

+Cancellation tokens are supported in .NET functions when running in an isolated process. The following example shows how to use a cancellation token in a function:

+## ReadyToRun

+You can compile your function app as [ReadyToRun binaries](/dotnet/core/deploying/ready-to-run). ReadyToRun is a form of ahead-of-time compilation that can improve startup performance to help reduce the impact of [cold-start](event-driven-scaling.md#cold-start) when running in a [Consumption plan](consumption-plan.md).

+ReadyToRun is available in .NET 3.1, .NET 6 (both in-process and isolated process), and .NET 7, and it requires [version 3.0 or later](functions-versions.md) of the Azure Functions runtime.

+To compile your project as ReadyToRun, update your project file by adding the `<PublishReadyToRun>` and `<RuntimeIdentifier>` elements. The following is the configuration for publishing to a Windows 32-bit function app.

+```xml

+<PropertyGroup>

+ <TargetFramework>net6.0</TargetFramework>

+ <AzureFunctionsVersion>v4</AzureFunctionsVersion>

+ <RuntimeIdentifier>win-x86</RuntimeIdentifier>

+ <PublishReadyToRun>true</PublishReadyToRun>

+</PropertyGroup>

+```

+| .NET versions | .NET Core 3.1<br/>.NET 6.0 | .NET 6.0<br/>.NET 7.0 (Preview)<br/>.NET Framework 4.8 (GA) |

+| Cancellation tokens | [Supported](functions-dotnet-class-library.md#cancellation-tokens) | [Supported](#cancellation-tokens) |

+| ReadyToRun | [Supported](functions-dotnet-class-library.md#readytorun) | [Supported](#readytorun) |

+|FUNCTIONS\_EXTENSION\_VERSION|`~4`|

+The following major runtime version values are supported:

+| Value | Runtime target | Comment |

+| | -- | |

+| `~4` | 4.x | Recommended |

+| `~3` | 3.x | Support ends December 13, 2022 |

+| `~2` | 2.x | No longer supported |

+| `~1` | 1.x | Supported |

+Requires that [FUNCTIONS\_EXTENSION\_VERSION](#functions_extension_version) be set to `~3`.

+The value for this setting indicates an extra index URL for custom packages for Python apps, to use in addition to the `--index-url`. Use this setting when you need to run a remote build using custom dependencies that are found in an extra package index. Should follow the same rules as --index-url.

+## App Service site settings

+Some configurations must be maintained at the App Service level as site settings, such as language versions. These settings are usually set in the portal, by using REST APIs, or by using Azure CLI or Azure PowerShell. The following are site settings that could be required, depending on your runtime language, OS, and versions:

+### linuxFxVersion

+For function apps running on Linux, `linuxFxVersion` indicates the language and version for the language-specific worker process. This information is used, along with [`FUNCTIONS_EXTENSION_VERSION`](#functions_extension_version), to determine which specific Linux container image is installed to run your function app. This setting can be set to a pre-defined value or a custom image URI.

+This value is set for you when you create your Linux function app. You may need to set it for ARM template and Bicep deployments and in certain upgrade scenarios.

+#### Valid linuxFxVersion values

+You can use the following Azure CLI command to see a table of current `linuxFxVersion` values, by supported Functions runtime version:

+```azurecli-interactive

+az functionapp list-runtimes --os linux --query "[].{stack:join(' ', [runtime, version]), LinuxFxVersion:linux_fx_version, SupportedFunctionsVersions:to_string(supported_functions_versions[])}" --output table

+```

+The previous command requires you to upgrade to version 2.40 of the Azure CLI.

+#### Custom images

+When you create and maintain your own custom linux container for your function app, the `linuxFxVersion` value is also in the format `DOCKER|<IMAGE_URI>`, as in the following example:

+```

+linuxFxVersion = "DOCKER|contoso.com/azurefunctionsimage:v1.0.0"

+```

+For more information, see [Create a function on Linux using a custom container](functions-create-function-linux-custom-image.md).

+### netFrameworkVersion

+Sets the specific version of .NET for C# functions. For more information, see [Migrating from 3.x to 4.x](functions-versions.md#migrating-from-3x-to-4x).

+### powerShellVersion

+Sets the specific version of PowerShell on which your functions run. For more information, see [Changing the PowerShell version](functions-reference-powershell.md#changing-the-powershell-version).

+When running locally, you instead use the [`FUNCTIONS_WORKER_RUNTIME_VERSION`](functions-reference-powershell.md#running-local-on-a-specific-version) setting in the local.settings.json file.

+When you set the `isSessionsEnabled` property or attribute on [the trigger](functions-bindings-service-bus-trigger.md) to `true`, the `sessionHandlerOptions` is honored. When you set the `isSessionsEnabled` property or attribute on [the trigger](functions-bindings-service-bus-trigger.md) to `false`, the `messageHandlerOptions` is honored.

+The `clientRetryOptions` settings only apply to interactions with the Service Bus service. They don't affect retries of function executions. For more information, see [Retries](functions-bindings-error-pages.md#retries).

+After you see the `HttpExample` endpoint written to the output, navigate to `http://localhost:7071/api/HttpExample?name=Functions`. The browser must display a "hello" message that echoes back `Functions`, the value supplied to the `name` query parameter.

+1. If you haven't already signed in to Docker, do so with the [`docker login`](https://docs.docker.com/engine/reference/commandline/login/) command, replacing `<docker_id>` with your Docker Hub account ID. This command prompts you for your username and password. A "sign in Succeeded" message confirms that you're signed in.

+1. After you've signed in, push the image to Docker Hub by using the [`docker push`](https://docs.docker.com/engine/reference/commandline/push/) command, again replace the `<docker_id>` with your Docker Hub account ID.

+ The [`az login`](/cli/azure/reference-index#az-login) command signs you into your Azure account.

+ The [`az group create`](/cli/azure/group#az-group-create) command creates a resource group. In the above command, replace `<REGION>` with a region near you, using an available region code returned from the [az account list-locations](/cli/azure/account#az-account-list-locations) command.

+ The [`New-AzResourceGroup`](/powershell/module/az.resources/new-azresourcegroup) command creates a resource group. You generally create your resource group and resources in a region near you, using an available region returned from the [`Get-AzLocation`](/powershell/module/az.resources/get-azlocation) cmdlet.

+ The [`az storage account create`](/cli/azure/storage/account#az-storage-account-create) command creates the storage account.

+ The [`New-AzStorageAccount`](/powershell/module/az.storage/new-azstorageaccount) cmdlet creates the storage account.

+ The command also creates an associated Azure Application Insights instance in the same resource group, with which you can monitor your function app and view logs. For more information, see [Monitor Azure Functions](functions-monitoring.md). The instance incurs no costs until you activate it.

+ In the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command, the *deployment-container-image-name* parameter specifies the image to use for the function app. You can use the [az functionapp config container show](/cli/azure/functionapp/config/container#az-functionapp-config-container-show) command to view information about the image used for deployment. You can also use the [`az functionapp config container set`](/cli/azure/functionapp/config/container#az-functionapp-config-container-set) command to deploy from a different image.

+ The connection string for the storage account is returned by using the [`az storage account show-connection-string`](/cli/azure/storage/account) command.

+ The key returned by the [`Get-AzStorageAccountKey`](/powershell/module/az.storage/get-azstorageaccountkey) cmdlet is used to construct the connection string for the storage account.

+ The [`az functionapp config appsettings set`](/cli/azure/functionapp/config/appsettings#az-functionapp-config-ppsettings-set) command creates the setting.

+ The [`Update-AzFunctionAppSetting`](/powershell/module/az.functions/update-azfunctionappsetting) cmdlet creates the setting.

+ The [`az functionapp deployment container config`](/cli/azure/functionapp/deployment/container#az-functionapp-deployment-container-config) command enables continuous deployment and returns the deployment webhook URL. You can retrieve this URL at any later time by using the [`az functionapp deployment container show-cd-url`](/cli/azure/functionapp/deployment/container#az-functionapp-deployment-container-show-cd-url) command.

+ The `DOCKER_ENABLE_CI` application setting controls whether continuous deployment is enabled from the container repository. The [`Get-AzWebAppContainerContinuousDeploymentUrl`](/powershell/module/az.websites/get-azwebappcontainercontinuousdeploymenturl) cmdlet returns the URL of the deployment webhook.

+You can compile your function app as [ReadyToRun binaries](/dotnet/core/deploying/ready-to-run). ReadyToRun is a form of ahead-of-time compilation that can improve startup performance to help reduce the impact of [cold-start](event-driven-scaling.md#cold-start) when running in a [Consumption plan](consumption-plan.md).

+ReadyToRun is available in .NET 3.1 and .NET 6 (in-proc and isolated) and .NET 7 and requires [version 3.0 or 4.0 of the Azure Functions runtime](functions-versions.md).

+ <TargetFramework>net6.0</TargetFramework>

+ <AzureFunctionsVersion>v4</AzureFunctionsVersion>

+> Starting in .NET 6, support for Composite ReadyToRun compilation has been added. Check out [ReadyToRun Cross platform and architecture restrictions](/dotnet/core/deploying/ready-to-run).

+| 4.x (recommended) | PowerShell 7.2 (recommended) <br/>PowerShell 7 | .NET 6 |

+| 3.x | PowerShell 7 | .NET Core 3.1 |

+The simplest way to upgrade to v4.x is to set the `FUNCTIONS_EXTENSION_VERSION` application setting to `~4` on your function app in Azure. You must follow a [different procedure](#migrate-using-slots) on a site with slots.

+# [Windows](#tab/windows/azure-cli)

+When running on Windows, you also need to enable .NET 6.0, which is required by version 4.x of the runtime.

+.NET 6 is required for function apps in any language running on Windows.

+# [Windows](#tab/windows/azure-powershell)

+When running on Windows, you also need to enable .NET 6.0, which is required by version 4.x of the runtime.

+.NET 6 is required for function apps in any language running on Windows.

+# [Linux](#tab/linux/azure-cli)

+When running .NET apps on Linux, you also need to update the `linuxFxVersion` site setting for .NET 6.0.

+```azurecli

+az functionapp config set --name <APP_NAME> --resource-group <RESOURCE_GROUP_NAME> --linux-fx-version "DOTNET|6.0"

+```

+# [Linux](#tab/linux/azure-powershell)

+When running .NET apps on Linux, you also need to update the `linuxFxVersion` site setting. Unfortunately, Azure PowerShell can't be used to set the `linuxFxVersion` at this time. Use the Azure CLI instead.

+In this example, replace `<APP_NAME>` with the name of your function app and `<RESOURCE_GROUP_NAME>` with the name of the resource group.

+1. Version 4.x of the Functions runtime requires .NET 6 in Windows. On Linux, .NET apps must also upgrade to .NET 6. Use the following command so that the runtime can run on .NET 6:

+ # [Windows](#tab/windows)

+ When running on Windows, you also need to enable .NET 6.0, which is required by version 4.x of the runtime.

+ az functionapp config set --net-framework-version v6.0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME>

+ .NET 6 is required for function apps in any language running on Windows.

+ # [Linux](#tab/linux/azure-cli)

+ When running .NET functions on Linux, you also need to update the `linuxFxVersion` site setting for .NET 6.0.

+ ```azurecli

+ az functionapp config set --name <APP_NAME> --resource-group <RESOURCE_GROUP_NAME> --linux-fx-version "DOTNET|6.0"

+ ```

+

+ In this example, replace `<APP_NAME>` with the name of your function app and `<RESOURCE_GROUP_NAME>` with the name of the resource group.

+1. Version 4.x of the Functions runtime requires .NET 6 in Windows. On Linux, .NET apps must also upgrade to .NET 6. Use the following command so that the runtime can run on .NET 6:

+ # [Windows](#tab/windows)

+ When running on Windows, you also need to enable .NET 6.0, which is required by version 4.x of the runtime.

+ az functionapp config set --net-framework-version v6.0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME>

+ .NET 6 is required for function apps in any language running on Windows.

+ # [Linux](#tab/linux/azure-cli)

+ When running .NET functions on Linux, you also need to update the `linuxFxVersion` site setting for .NET 6.0.

+ ```azurecli

+ az functionapp config set --name <APP_NAME> --resource-group <RESOURCE_GROUP_NAME> --linux-fx-version "DOTNET|6.0"

+ ```

+

+ In this example, replace `<APP_NAME>` with the name of your function app and `<RESOURCE_GROUP_NAME>` with the name of the resource group.

+Using the Azure CLI, view the current runtime version with the [`az functionapp config appsettings list`](/cli/azure/functionapp/config/appsettings) command.

+Choose **Try it** in the previous code example to run the command in [Azure Cloud Shell](../cloud-shell/overview.md). You can also run the [Azure CLI locally](/cli/azure/install-azure-cli) to execute this command. When running locally, you must first run [`az login`](/cli/azure/reference-index#az-login) to sign in.

+## <a name="manual-version-updates-on-linux"></a>Pin to a specific version on Linux

+To pin a Linux function app to a specific host version, you set a version-specific base image URL in the [`linuxFxVersion` site setting][`linuxFxVersion`] in the format `DOCKER|<PINNED_VERSION_IMAGE_URI>`.

+> [!IMPORTANT]

+> Pinned function apps on Linux don't receive regular security and host functionality updates. Unless recommended by a support professional, use the [`FUNCTIONS_EXTENSION_VERSION`](functions-app-settings.md#functions_extension_version) setting and a standard [`linuxFxVersion`] value for your language and version, such as `Python|3.9`. For valid values, see the [`linuxFxVersion` reference article][`linuxFxVersion`].

+>

+> For apps running in a Consumption plan, setting [`linuxFxVersion`] to a specific image may also increase cold start times. This is because pinning to a specific image prevents Functions from using some cold start optimizations.

+The following table provides an example of [`linuxFxVersion`] values required to pin a Node.js 18 function app to a specific runtime version of 4.11.2:

+| [Hosting plan](functions-scale.md) | [`linuxFxVersion` value][`linuxFxVersion`] |

+| | |

+| Consumption | `DOCKER\|mcr.microsoft.com/azure-functions/mesh:4.11.2-node18` |

+| Premium/Dedicated | `DOCKER\|mcr.microsoft.com/azure-functions/node:4.11.2-node18-appservice` |

+When needed, a support professional can provide you with a valid base image URI for your application.

+Use the following Azure CLI commands to view and set the [`linuxFxVersion`]. You can't currently set [`linuxFxVersion`] in the portal or by using Azure PowerShell.

+In this code, replace `<function_app>` with the name of your function app. Also replace `<my_resource_group>` with the name of the resource group for your function app. The current value of [`linuxFxVersion`] is returned.

+To update the [`linuxFxVersion`] setting in the function app, use the [az functionapp config set](/cli/azure/functionapp/config) command.

+Replace `<FUNCTION_APP>` with the name of your function app. Also replace `<RESOURCE_GROUP>` with the name of the resource group for your function app. Finally, replace `<LINUX_FX_VERSION>` with the value of a specific image provided to you by a support professional.

+You can run this command from the [Azure Cloud Shell](../cloud-shell/overview.md) by choosing **Try it** in the preceding code sample. You can also use the [Azure CLI locally](/cli/azure/install-azure-cli) to execute this command after executing [`az login`](/cli/azure/reference-index#az-login) to sign in.

+[`linuxFxVersion`]: functions-app-settings.md#linuxfxversion

+### System.IO.FileNotFoundException after 2.8.44 upgrade

+2.8.44 version of auto instrumentation upgrades Application Insights SDK to 2.20.0. Application Insights SDK has an indirect reference to `System.Runtime.CompilerServices.Unsafe.dll` through `System.Diagnostics.DiagnosticSource.dll`. If application has [binding redirect](https://learn.microsoft.com/dotnet/framework/configure-apps/file-schema/runtime/bindingredirect-element) for `System.Runtime.CompilerServices.Unsafe.dll` and if this library is not present in application folder it may throw `System.IO.FileNotFoundException`.

+To resolve this issue, remove the binding redirect entry for `System.Runtime.CompilerServices.Unsafe.dll` from web.config file. If the application wanted to use `System.Runtime.CompilerServices.Unsafe.dll` then set the binding redirect as below.

+```

+<dependentAssembly>

+ <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />

+ <bindingRedirect oldVersion="0.0.0.0-4.0.4.1" newVersion="4.0.4.1" />

+</dependentAssembly>

+```

+As a temporary workaround, you could set the app setting, ApplicationInsightsAgent_EXTENSION_VERSION to a value of 2.8.37. This will trigger App Service to use the old Application Insights extension. Please note that temporary mitigations should only be used as an interim.

+| time-generated-field | The name of a field in the data that contains the timestamp of the data item. If you specify a field, its contents are used for **TimeGenerated**. If you don't specify this field, the default for **TimeGenerated** is the time that the message is ingested. The contents of the message field should follow the ISO 8601 format YYYY-MM-DDThh:mm:ssZ. The Time Generated value cannot be older than 2 days before received time or the time that the message is ingested will be used.|

+ // If charset=utf-8 is part of the content-type header, the API call may return forbidden.

+ Title: Retirement of Azure Percept DK

+description: Information about the retirement of the Azure Percept DK.

+# Retirement of Azure Percept DK

+The [Azure Percept](https://azure.microsoft.com/products/azure-percept/) public preview will be evolving to support new edge device platforms and developer experiences. As part of this evolution the Azure Percept DK and Audio Accessory and associated supporting Azure services for the Percept DK will be retired March 30, 2023.

+Effective March 30, 2023, the Azure Percept DK and Audio Accessory will no longer be supported by any Azure services including Azure Percept Studio, OS updates, containers updates, view web stream, and Custom Vision integration. Microsoft will no longer provide customer success support and any associated supporting services

+1. Select **Access policies**.

+ :::image type="content" source="./media/key-vault-access/enable-template.png" alt-text="Screenshot of the key vault's access policies that enable Azure Resource Manager for template deployment.":::

+Assign the **Contributor** role to the **Appliance Resource Provider** user at the key vault scope. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+The **Appliance Resource Provider** is a service principal in your Azure Active Directory's tenant. From the Azure portal, you can see if it's registered by going to **Azure Active Directory** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it's not found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider.

+ "apiVersion": "2022-02-01-preview",

+- To learn more about key vault security, see [Azure Key Vault security](../../key-vault/general/security-features.md) and [Authentication in Azure Key Vault](../../key-vault/general/authentication.md).

+The **Appliance Resource Provider** is a service principal in your Azure Active Directory's tenant. From the Azure portal, you can see if it's registered by going to **Azure Active Directory** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it's not found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider.

+## Artifact files

+If you plan to download artifact files, beware of the following:

+

+This article shows you how to view and edit the Azure Video Indexer insights of a video.

+4. Select which insights you want to view. For example, faces, keywords, sentiments. You can see the faces of people and the time ranges each face appears in and the % of the time it's shown.

+ The **Timeline** tab shows transcripts with timelines and other information that you can choose from the **View** drop-down.

+ > [!div class="mx-imgBorder"]

+ > :::image type="content" source="./media/video-indexer-view-edit/timeline.png" alt-text="Screenshot that shows how to select the Insights." lightbox="./media/video-indexer-view-edit/timeline.png":::

+ For more information, see [Insights output](video-indexer-output-json-v2.md).

+## Considerations

+- [!INCLUDE [insights](./includes/insights.md)]

+- If you plan to download artifact files, beware of the following:

+ Title: Configure customer-managed key encryption at rest in Azure VMware Solution

+description: Learn how to encrypt data in Azure VMware Solution with customer-managed keys using Azure Key Vault.

+# Configure customer-managed key encryption at rest in Azure VMware Solution

+This article illustrates how to encrypt VMware vSAN Key Encryption Keys (KEKs) with customer-managed keys (CMKs) managed by customer-owned Azure Key Vault.

+When CMK encryptions are enabled on your Azure VMware Solution private cloud, Azure VMware Solution uses the CMK from your key vault to encrypt the vSAN KEKs. Each ESXi host that participates in the vSAN cluster uses randomly generated Disk Encryption Keys (DEKs) that ESXi uses to encrypt disk data at rest. vSAN encrypts all DEKs with a KEK provided by Azure VMware Solution key management system (KMS). Azure VMware Solution private cloud and Azure Key Vault don't need to be in the same subscription.

+When managing your own encryption keys, you can do the following actions:

+- Control Azure access to vSAN keys.

+- Centrally manage the lifecycle of CMKs.

+- Revoke Azure from accessing the KEK.

+The Customer-managed keys (CMKs) feature supports the following key types. See the following key types, shown by key type and key size.

+- RSA: 2048, 3072, 4096

+- RSA-HSM: 2048, 3072, 4096

+## Topology

+The following diagram shows how Azure VMware Solution uses Azure Active Directory (Azure AD) and a key vault to deliver the customer-managed key.

+## Prerequisites

+Before you begin to enable customer-managed key (CMK) functionality, ensure the following listed requirements are met:

+- You'll need an Azure Key Vault to use CMK functionality. If you don't have an Azure Key Vault, you can create one using [Quickstart: Create a key vault using the Azure portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal).

+- If you enabled restricted access to key vault, you'll need to allow Microsoft Trusted Services to bypass the Azure Key Vault firewall. Go to [Configure Azure Key Vault networking settings](https://docs.microsoft.com/azure/key-vault/general/how-to-azure-key-vault-network-security?tabs=azure-portal) to learn more.

+ >[!NOTE]

+ >After firewall rules are in effect, users can only perform Key Vault [data plane](https://docs.microsoft.com/azure/key-vault/general/security-features#privileged-access) operations when their requests originate from allowed VMs or IPv4 address ranges. This also applies to accessing key vault from the Azure portal. This also affects the key vault Picker by Azure VMware Solution. Users may be able to see a list of key vaults, but not list keys, if firewall rules prevent their client machine or user does not have list permission in key vault.

+- Enable **System Assigned identity** on your Azure VMware Solution private cloud if you didn't enable it during software-defined data center (SDDC) provisioning.

+ # [Portal](#tab/azure-portal)

+

+ Use the following steps to enable System Assigned identity:

+ 1. Sign in to Azure portal.

+ 2. Navigate to **Azure VMware Solution** and locate your SDDC.

+ 3. From the left navigation, open **Manage** and select **Identity**.

+ 4. In **System Assigned**, check **Enable** and select **Save**.

+ 1. **System Assigned identity** should now be enabled.

+ Once System Assigned identity is enabled, you'll see the tab for **Object ID**. Make note of the Object ID for use later.

+ # [Azure CLI](#tab/azure-cli)

+ Get the private cloud resource ID and save it to a variable. You'll need this value in the next step to update resource with system assigned identity.

+

+ ```azurecli-interactive

+ privateCloudId=$(az vmware private-cloud show --name $privateCloudName --resource-group $resourceGroupName --query id | tr -d '"')

+ ```

+

+ To configure the system-assigned identity on Azure VMware Solution private cloud with Azure CLI, call [az-resource-update](https://docs.microsoft.com/cli/azure/resource?view=azure-cli-latest#az-resource-update) and provide the variable for the private cloud resource ID that you previously retrieved.

+

+ ```azurecli-interactive

+ az resource update --ids $privateCloudId --set identity.type=SystemAssigned --api-version "2021-12-01"

+ ```

+- Configure the key vault access policy to grant permissions to the managed identity. It will be used to authorize access to the key vault.

+

+ # [Portal](#tab/azure-portal)

+ 1. Sign in to Azure portal.

+ 1. Navigate to **Key vaults** and locate the key vault you want to use.

+ 1. From the left navigation, underΓÇ»**Settings**, selectΓÇ»**Access policies**.

+ 1. InΓÇ»**Access policies**, selectΓÇ»**Add Access Policy**.

+ 1. From the Key Permissions drop-down, check **Select all**, **Unwrap Key**, and **Wrap Key**.

+ 1. Under Select principal, select **None selected**. A new **Principal** window with a search box will open.

+ 1. In the search box, paste the **Object ID** from the previous step, or search the private cloud name you want to use. Choose **Select** when you're done.

+ 1. Select **ADD**.

+ 1. Verify the new policy appears under the current policy's Application section.

+ 1. Select **Save** to commit changes.

+ # [Azure CLI](#tab/azure-cli)

+ Get the principal ID for the system-assigned managed identity and save it to a variable. You'll need this value in the next step to create the key vault access policy.

+

+ ```azurecli-interactive

+ principalId=$(az vmware private-cloud show --name $privateCloudName --resource-group $resourceGroupName --query identity.principalId | tr -d '"')

+ ```

+

+ To configure the key vault access policy with Azure CLI, call [az keyvault set-policy](https://docs.microsoft.com/cli/azure/keyvault#az-keyvault-set-policy) and provide the variable for the principal ID that you previously retrieved for the managed identity.

+ ```azurecli-interactive

+ az keyvault set-policy --name $keyVault --resource-group $resourceGroupName --object-id $principalId --key-permissions get unwrapKey wrapKey

+ ```

+ Learn more about how to [Assign an Azure Key Vault access policy](https://docs.microsoft.com/azure/key-vault/general/assign-access-policy?tabs=azure-portal).

+## Customer-managed key version lifecycle

+You can change the customer-managed key (CMK) by creating a new version of the key. The creation of a new version won't interrupt the virtual machine (VM) workflow.

+In Azure VMware Solution, CMK key version rotation will depend on the key selection setting you've chosen during CMK setup.

+**Key selection setting 1**

+A customer enables CMK encryption without supplying a specific key version for CMK. Azure VMware Solution selects the latest key version for CMK from the customer's key vault to encrypt the vSAN Key Encryption Keys (KEKs). Azure VMware Solution tracks the CMK for version rotation. When a new version of the CMK key in Azure Key Vault is created, it's captured by Azure VMware Solution automatically to encrypt vSAN KEKs.

+>[!NOTE]

+>Azure VMware Solution can take up to ten minutes to detect a new auto-rotated key version.

+**Key selection setting 2**

+A customer can enable CMK encryption for a specified CMK key version to supply the full key version URI under the **Enter Key from URI** option. When the customer's current key expires, they'll need to extend the CMK key expiration or disable CMK.

+## Enable CMK with system-assigned identity

+System-assigned identity is restricted to one per resource and is tied to the lifecycle of the resource. You can grant permissions to the managed identity on Azure resource. The managed identity is authenticated with Azure AD, so you don't have to store any credentials in code.

+>[!IMPORTANT]

+> Ensure that key vault is in the same region as the Azure VMware Solution private cloud.

+# [Portal](#tab/azure-portal)

+Navigate to your **Azure Key Vault** and provide access to the SDDC on Azure Key Vault using the Principal ID captured in the **Enable MSI** tab.

+1. From your Azure VMware Solution private cloud, under **Manage**, select **Encryption**, then select **Customer-managed keys (CMK)**.

+1. CMK provides two options for **Key Selection** from Azure Key Vault.

+

+ **Option 1**

+ 1. Under **Encryption key**, choose the **select from Key Vault** button.

+ 1. Select the encryption type, then the **Select Key Vault and key** option.

+ 1. Select the **Key Vault and key** from the drop-down, then choose **Select**.

+

+ **Option 2**

+ 1. Under **Encryption key**, choose the **Enter key from URI** button.

+ 1. Enter a specific Key URI in the **Key URI** box.

+ > [!IMPORTANT]

+ > If you want to select a specific key version instead of the automatically selected latest version, you'll need to specify the key URI with key version. This will affect the CMK key version life cycle.

+1. Select **Save** to grant access to the resource.

+# [Azure CLI](#tab/azure-cli)

+To configure customer-managed keys for an Azure VMware Solution private cloud with automatic updating of the key version, call [az vmware private-cloud add-cmk-encryption](https://docs.microsoft.com/cli/azure/vmware/private-cloud?view=azure-cli-latest#az-vmware-private-cloud-add-cmk-encryption). Get the key vault URL and save it to a variable. You'll need this value in the next step to enable CMK.

+

+```azurecli-interactive

+keyVaultUrl =$(az keyvault show --name <keyvault_name> --resource-group <resource_group_name> --query properties.vaultUri --output tsv)

+```

+Option 1 and 2 below demonstrate the difference between not providing a specific key version and providing one.

+**Option 1**

+This example shows the customer not providing a specific key version.

+

+```azurecli-interactive

+az vmware private-cloud add-cmk-encryption --private-cloud <private_cloud_name> --resource-group <resource_group_name> --enc-kv-url $keyVaultUrl --enc-kv-key-name <keyvault_key_name>

+```

+**Option 2**

+Supply key version as argument to use customer-managed keys with a specific key version, same as mentioned above in Azure portal option 2. The following example shows the customer providing a specific key version.

+

+```azurecli-interactive

+az vmware private-cloud add-cmk-encryption --private-cloud <private_cloud_name> --resource-group <resource_group_name> --enc-kv-url $keyVaultUrl --enc-kv-key-name --enc-kv-key-version <keyvault_key_keyVersion>

+```

+## Change from customer-managed key to Microsoft managed key

+When a customer wants to change from a customer-managed key (CMK) to a Microsoft managed key (MMK), it won't interrupt VM workload. To make the change from CMK to MMK, use the following steps.

+1. Select **Encryption**, located under **Manage** from your Azure VMware Solution private cloud.

+2. Select **Microsoft-managed keys (MMK)**.

+3. Select **Save**.

+

+## Limitations

+The Azure Key Vault must be configured as recoverable.

+- Configure Azure Key Vault with the **Soft Delete** option.

+- Turn on **Purge Protection** to guard against force deletion of the secret vault, even after soft delete.

+Updating CMK settings won't work if the key is expired or the Azure VMware Solution access key has been revoked.

+## Troubleshooting and best practices

+**Accidental deletion of a key**

+If you accidentally delete your key in the Azure Key Vault, private cloud won't be able to perform some cluster modification operations. To avoid this scenario, we recommend that you keep soft deletes enabled on key vault. This option ensures that, if a key is deleted, it can be recovered within a 90-day period as part of the default soft-delete retention. If you are within the 90-day period, you can restore the key in order to resolve the issue.

+**Restore key vault permission**

+If you have a private cloud that lost access to the customer managed key, check if Managed System Identity (MSI) requires permissions in key vault. The error notification returned from Azure may not correctly indicate MSI requiring permissions in key vault as the root cause. Remember, the required permissions are: get, wrapKey, and unwrapKey. See step 4 in [Prerequisites](#prerequisites).

+**Fix expired key**

+If you aren't using the auto-rotate function and the Customer Managed Key has expired in key vault, you can change the expiration date on key.

+**Restore key vault access**

+Ensure Managed System Identity (MSI) is used for providing private cloud access to key vault.

+**Deletion of MSI**

+If you accidentally delete the Managed System Identity (MSI) associated with private cloud, you'll need to disable CMK, then follow the steps to enable CMK from start.

+## Next steps

+Learn about [Azure Key Vault backup and restore](https://docs.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli)

+Learn about [Azure Key Vault recovery](https://docs.microsoft.com/azure/key-vault/general/key-vault-recovery?tabs=azure-portal#list-recover-or-purge-a-soft-deleted-key-vault)

+4. Complete the DHCP configuration by [providing DHCP ranges on the logical segments](tutorial-nsx-t-network-segment.md#use-azure-portal-to-add-an-nsx-t-data-center-segment) and then select **OK**.

+- **Segments** - Create segments that display in NSX-T Manager and vCenter Server. For more information, see [Add an NSX-T Data Center segment using the Azure portal](tutorial-nsx-t-network-segment.md#use-azure-portal-to-add-an-nsx-t-data-center-segment).

+ Title: Deploy vSAN stretched clusters (Preview)

+# Deploy vSAN stretched clusters (Preview)

+The following diagram depicts a vSAN cluster stretched across two AZs.

+ - Despite various layers of redundancy built into the fabric, if an inter-AZ failure results in the partitioning of the secondary site, vSphere HA starts powering off the workload VMs on the secondary site.

+

+ The following diagram shows the secondary site partitioning scenario.

+ - If the secondary site partitioning progressed into the failure of the primary site instead, or resulted in a complete partitioning, vSphere HA would attempt to restart the workload VMs on the secondary site. If vSphere HA attempted to restart the workload VMs on the secondary site, it would put the workload VMs in an unsteady state.

+

+ The following diagram shows the preferred site failure or complete partitioning scenario.

+It should be noted that these types of failures, although rare, fall outside the scope of the protection offered by a stretched cluster private cloud. Because of those types of rare failures, a stretched cluster solution should be regarded as a multi-AZ high availability solution reliant upon vSphere HA. It's important you understand that a stretched cluster solution isn't meant to replace a comprehensive multi-region Disaster Recovery strategy that can be employed to ensure application availability. The reason is because a Disaster Recovery solution typically has separate management and control planes in separate Azure regions. Azure VMware Solution stretched clusters have a single management and control plane stretched across two availability zones within the same Azure region. For example, one vCenter Server, one NSX-T Manager cluster, one NSX-T Data Center Edge VM pair.

+Currently, Azure VMware Solution stretched clusters is in the (preview) phase. While in the (preview) phase, you must contact Microsoft to request and qualify for support.

+### What kind of SLA does Azure VMware Solution provide with the stretched clusters (preview) release?

+- Preview and recent GA features for standard private cloud environments aren't supported in a stretched cluster environment.

+vSAN stretched clusters operate within a 5-milliseconds round trip time (RTT) and 10 Gb/s or greater bandwidth between the AZs that host the workload VMs. The Azure VMware Solution stretched cluster deployment follows that guiding principle. Consider that information when deploying applications (with SFTT of dual site mirroring, which uses synchronous writes) that have stringent latency requirements.

+No. While in (preview), customers won't see a charge for the witness node and the inter-AZ traffic. The witness node is entirely service managed, and Azure VMware Solution provides the required lifecycle management of the witness node. As the entire solution is service managed, the customer only needs to identify the appropriate SPBM policy to set for the workload virtual machines. The rest is managed by Microsoft.

+After deploying Azure VMware Solution, you can configure an NSX-T Data Center network segment from NSX-T Manager or the Azure portal. Once configured, the segments are visible in Azure VMware Solution, NSX-T Manager, and vCenter Server. NSX-T Data Center comes pre-provisioned by default with an NSX-T Data Center Tier-0 gateway in **Active/Active** mode and a default NSX-T Data Center Tier-1 gateway in **Active/Standby** mode. These gateways let you connect the segments (logical switches) and provide East-West and North-South connectivity.

+>The Azure portal presents a simplified view of NSX-T Data Center operations a VMware administrator needs regularly and targeted at users not familiar with NSX-T Manager.

+## Use Azure portal to add an NSX-T Data Center segment

+The virtual machines (VMs) created in vCenter Server are placed onto the network segments created in NSX-T Data Center and are visible in vCenter Server.

+ :::image type="content" source="media/nsxt/nsxt-new-segment-overview-2.png" alt-text="Screenshot showing the confirmation and status of the new network segment is present in NSX-T Data Center.":::

+In this tutorial, you created an NSX-T Data Center network segment to use for VMs in vCenter Server.

+* Maximum of 13 bare metal nodes.

+Azure Cloud Shell runs on **Common Base Linux - Mariner** (CBL-Mariner),

+Microsoft's Linux distribution for cloud-infrastructure-edge products and services.

+Microsoft internally compiles all the packages included in the **CBL-Mariner** repository to help

+guard against supply chain attacks. Tooling has been updated to reflect the new base image

+CBL-Mariner. You can get a full list of installed package versions using the following command:

+`tdnf list installed`. If these changes affected your Cloud Shell environment, please contact

+Azuresupport or create an issue in the

+[Cloud Shell repository](https://github.com/Azure/CloudShell/issues).

+With the [Speech SDK](speech-sdk.md) you can add phrases individually and then run speech recognition.

+With the [Speech SDK](speech-sdk.md) you can add phrases individually and then run speech recognition.

+With the [Speech SDK](speech-sdk.md) you can add phrases individually and then run speech recognition.

+With the [Speech SDK](speech-sdk.md) you can add phrases individually and then run speech recognition.

+With the [Speech SDK](speech-sdk.md) you can add phrases individually and then run speech recognition.

+std::string GetEnvironmentVariable(const char* name);

+ auto value = GetEnvironmentVariable("ENVIRONMENT_VARIABLE_KEY");

+std::string GetEnvironmentVariable(const char* name)

+> [!NOTE]

+> For container apps in internal Container Apps environments, [additional configuration](./networking.md#dns) is required to use custom domains with VNET-scope ingress.

+> [Authentication in Azure Container Apps](authentication.md)

+ Title: Set up HTTPS or TCP ingress in Azure Container Apps

+# Set up HTTPS or TCP ingress in Azure Container Apps

+Azure Container Apps allows you to expose your container app to the public web, to your VNET, or to other container apps within your environment by enabling ingress. When you enable ingress, you don't need to create an Azure Load Balancer, public IP address, or any other Azure resources to enable incoming HTTPS requests.

+Each container app can be configured with different ingress settings. For example, you can have one container app that is exposed to the public web and another that is only accessible from within your Container Apps environment.

+## Ingress types

+Azure Container Apps supports two types of ingress: HTTPS and TCP.

+### HTTPS

+With HTTPS ingress enabled, your container app features the following characteristics:

+- Endpoints always expose ports 80 (for HTTP) and 443 (for HTTPS)

+ - By default, HTTP requests to port 80 are automatically redirected to HTTPS on 443

+- The container app is accessed via its fully qualified domain name (FQDN)

+- Request timeout is 240 seconds

+### <a name="tcp"></a>TCP (preview)

+TCP ingress is useful for exposing container apps that use a TCP-based protocol other than HTTP or HTTPS.

+> [!NOTE]

+> TCP ingress is in public preview and is only supported in Container Apps environments that use a [custom VNET](vnet-custom.md).

+>

+> To enable TCP ingress, use ARM or Bicep (API version `2022-06-01-preview` or above), or the Azure CLI.

+With TCP ingress enabled, your container app features the following characteristics:

+- The container app is accessed via its fully qualified domain name (FQDN) and exposed port number

+- Other container apps in the same environment can also access a TCP ingress-enabled container app by using its name (defined by the `name` property in the Container Apps resource) and exposed port number

+ "transport": "auto"

+| `external` | Whether your ingress-enabled app is accessible outside its Container Apps environment. |`true` for visibility from internet or VNET, depending on app environment endpoint configured, `false` for visibility within app environment only. (default) | Yes |

+| `exposedPort` | (TCP ingress only) The port used to access the app. If `external` is `true`, the value must be unique in the Container Apps environment and cannot be `80` or `443`. | A port number from `1` to `65535`. | No |

+| `transport` | The transport type. | `http` for HTTP/1, `http2` for HTTP/2, `auto` to automatically detect HTTP/1 or HTTP/2 (default), `tcp` for TCP. | No |

+> To disable ingress for your application, omit the `ingress` configuration property entirely.

+For HTTP ingress, traffic is routed to individual applications based on the FQDN in the host header.

+For TCP ingress, traffic is routed to individual applications based on the FQDN and its *exposed* port number. Other container apps in the same environment can also access a TCP ingress-enabled container app by using its name (defined by the container app's `name` property) and its *exposedPort* number.

+For applications with external ingress visibility, the following conditions apply:

+- An internal Container Apps environment has a single private IP address for applications. For container apps in internal environments, you must configure [DNS](./networking.md#dns) for VNET-scope ingress.

+- An external Container Apps environment or Container Apps environment that is not in a VNET has a single public IP address for applications.

+## Next steps

+- [TCP traffic](#tcp): Scaling based on the number of concurrent TCP requests to your revision.

+## TCP

+With a TCP scaling rule, you have control over the threshold that determines when to scale out.

+| Scale property | Description | Default value | Min value | Max value |

+||||||

+| `concurrentRequests`| When the number of requests exceeds this value, then another replica is added. Replicas will continue to be added up to the `maxReplicas` amount as the number of concurrent requests increase. | 10 | 1 | n/a |

+In the following example, the container app scales out up to five replicas and can scale down to zero. The scaling threshold is set to 100 concurrent requests per second.

+```json

+{

+ ...

+ "resources": {

+ ...

+ "properties": {

+ ...

+ "template": {

+ ...

+ "scale": {

+ "minReplicas": 0,

+ "maxReplicas": 5,

+ "rules": [{

+ "name": "tcp-rule",

+ "tcp": {

+ "metadata": {

+ "concurrentRequests": "100"

+ }

+ }

+ }]

+ }

+ }

+ }

+ }

+}

+```

+> You can use an existing virtual network, but a dedicated subnet with a CIDR range of `/23` or larger is required for use with Container Apps.

+- To use VNET-scope ingress, you must set up [DNS](./networking.md#dns).

+> Network address prefixes requires a CIDR range of `/23` or larger (`/23`, `/22` etc.).

+> You can use an existing virtual network, but a dedicated subnet with a CIDR range of `/23` or larger is required for use with Container Apps.

+description: Get started creating and managing a geo-replicated Azure container registry, which enables the registry to serve multiple regions with multi-primary regional replicas. Geo-replication is a feature of the Premium service tier.

+Companies that want a local presence, or a hot backup, choose to run services from multiple Azure regions. As a best practice, placing a container registry in each region where images are run allows network-close operations, enabling fast, reliable image layer transfers. Geo-replication enables an Azure container registry to function as a single registry, serving multiple regions with multi-primary regional registries.

+>* Enabling the soft delete policy with AZ through ARM template leaves the registry stuck in the `creation` state. If you see this error, please delete and recreate the registry disabling either soft delete policy or Geo-replication on the registry.

+ * Not all artifacts, or none, are transferred. Confirm spelling of artifacts in export run, and name of blob in export and import runs. Confirm you're transferring a maximum of 50 artifacts.

+ * To create ACR Transfer resources such as `exportPipelines`,` importPipelines`, and `pipelineRuns`, the user must have at least Contributor access on the ACR subscription. Otherwise, they'll see authorization to perform the transfer denied or scope is invalid errors.

+ * If you see errors regarding foreign layers or attempts to resolve mcr.microsoft.com when attempting to pull an image in a physically isolated environment, your image manifest likely has non-distributable layers. Due to the nature of a physically isolated environment, these images will often fail to pull. You can confirm that this is the case by checking the image manifest for any references to external registries. If so, you'll need to push the non-distributable layers to your public cloud ACR prior to deploying an export pipeline-run for that image. For guidance on how to do this, see [How do I push non-distributable layers to a registry?](./container-registry-faq.yml#how-do-i-push-non-distributable-layers-to-a-registry-)

+|[CosmosBackupOperator](../role-based-access-control/built-in-roles.md#cosmosbackupoperator)| Can submit a restore request in the Azure portal for a periodic backup enabled database or a container. Can modify the backup interval and retention in the Azure portal. Cannot access any data or use Data Explorer. |

+| [CosmosRestoreOperator](../role-based-access-control/built-in-roles.md#cosmosrestoreoperator) | Can perform a restore action for an Azure Cosmos DB account with continuous backup mode.|

+|[Cosmos DB Operator](../role-based-access-control/built-in-roles.md#cosmos-db-operator)|Can provision Azure Cosmos DB accounts, databases, and containers. Cannot access any data or use Data Explorer.|

+| ID | Unique ID of the object to be copied. |

+- [Quickstart: Create a data factory using the Copy Data tool](quickstart-hello-world-copy-data-tool.md)

+- [Tutorial: Copy data in Azure using the Copy Data tool](tutorial-copy-data-tool.md)

+- [Tutorial: Copy on-premises data to Azure using the Copy Data tool](tutorial-hybrid-copy-data-tool.md)

+To start the Copy Data tool, click the **Ingest** tile on the home page of the Data Factory or Synapse Studio UI.

+- [Quickstart: Create a data factory using the Copy Data tool](quickstart-hello-world-copy-data-tool.md)

+- [Tutorial: Copy data in Azure using the Copy Data tool](tutorial-copy-data-tool.md)

+- [Tutorial: Copy on-premises data to Azure using the Copy Data tool](tutorial-hybrid-copy-data-tool.md)

+- [Copy Data tool in the Azure portal](quickstart-hello-world-copy-data-tool.md)

+ Title: Create an Azure Data Factory

+description: Learn how to create a data factory using UI from the Azure portal.

+# Quickstart: Create a data factory by using the Azure portal

+This quickstart describes how to use either the [Azure Data Factory Studio](https://adf.azure.com) or the [Azure portal UI](https://portal.azure.com) to create a data factory.

+> [!NOTE]

+> If you are new to Azure Data Factory, see [Introduction to Azure Data Factory](introduction.md) before trying this quickstart.

+## Prerequisites

+### Azure subscription

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Azure roles

+To learn about the Azure role requirements to create a data factory, refer to [Azure Roles requirements](quickstart-create-data-factory-dot-net.md?#azure-roles).

+## Create a data factory

+A simple creation experience provided in the Azure Data Factory Studio to enable users to create a data factory within seconds. More advanced creation options are available in Azure portal.

+### Simple creation in the Azure Data Factory Studio

+1. Launch **Microsoft Edge** or **Google Chrome** web browser. Currently, Data Factory UI is supported only in Microsoft Edge and Google Chrome web browsers.

+1. Go to the [Azure Data Factory Studio](https://adf.azure.com) and choose the **Create a new data factory** radio button.

+1. You can use the default values to create directly, or enter a unique name and choose a preferred location and subscription to use when creating the new data factory.

+

+ :::image type="content" source="media/quickstart-create-data-factory/create-with-azure-data-factory-studio.png" alt-text="Shows a screenshot of the Azure Data Factory Studio page to create a new data factory.":::

+1. After creation, you can directly enter the homepage of the Azure Data Factory Studio.

+ :::image type="content" source="media/quickstart-create-data-factory/azure-data-factory-studio-home-page.png" alt-text="Shows a screenshot of the Azure Data Factory Studio home page.":::

+### Advanced creation in the Azure portal

+1. Launch **Microsoft Edge** or **Google Chrome** web browser. Currently, Data Factory UI is supported only in Microsoft Edge and Google Chrome web browsers.

+1. Go to the [Azure portal data factories page](https://portal.azure.com).

+1. After landing on the data factories page of the Azure portal, click **Create**.

+ :::image type="content" source="media/quickstart-create-data-factory/data-factory-create-from-portal.png" alt-text="Shows a screenshot of the Azure portal data factories Create button.":::

+1. For **Resource Group**, take one of the following steps:

+ 1. Select an existing resource group from the drop-down list.

+ 1. Select **Create new**, and enter the name of a new resource group.

+

+ To learn about resource groups, see [Use resource groups to manage your Azure resources](../azure-resource-manager/management/overview.md).

+1. For **Region**, select the location for the data factory.

+ The list shows only locations that Data Factory supports, and where your Azure Data Factory meta data will be stored. The associated data stores (like Azure Storage and Azure SQL Database) and computes (like Azure HDInsight) that Data Factory uses can run in other regions.

+

+1. For **Name**, enter **ADFTutorialDataFactory**.

+

+ The name of the Azure data factory must be *globally unique*. If you see the following error, change the name of the data factory (for example, **&lt;yourname&gt;ADFTutorialDataFactory**) and try creating again. For naming rules for Data Factory artifacts, see the [Data Factory - naming rules](naming-rules.md) article.

+ :::image type="content" source="./media/doc-common-process/name-not-available-error.png" alt-text="New data factory error message for duplicate name.":::

+1. For **Version**, select **V2**.

+1. Select **Next: Git configuration**, and then select **Configure Git later** check box.

+1. Select **Review + create**, and select **Create** after the validation is passed. After the creation is complete, select **Go to resource** to navigate to the **Data Factory** page.

+1. Select **Open** on the **Open Azure Data Factory Studio** tile to start the Azure Data Factory user interface (UI) application on a separate browser tab.

+

+ :::image type="content" source="./media/doc-common-process/data-factory-home-page.png" alt-text="Home page for the Azure Data Factory, with the Open Azure Data Factory Studio tile highlighted.":::

+

+ > [!NOTE]

+ > If you see that the web browser is stuck at "Authorizing", clear the **Block third-party cookies and site data** check box. Or keep it selected, create an exception for **login.microsoftonline.com**, and then try to open the app again.

+## Next steps

+Learn how to use Azure Data Factory to copy data from one location to another with the [Hello World - How to copy data](tutorial-copy-data-portal.md) tutorial.

+Lean how to create a data flow with Azure Data Factory[data-flow-create.md].

+ Title: Get started to try out your first data factory pipeline

+description: Get started with your first data factory demo to copy data from one blob storage to another.

+ms.devlang: bicep

+# Quickstart: Get started with Azure Data Factory

+> [!div class="op_single_selector" title1="Select the version of Data Factory service you are using:"]

+> * [Version 1](v1/data-factory-copy-data-from-azure-blob-storage-to-sql-database.md)

+> * [Current version](quickstart-create-data-factory-rest-api.md)

+Welcome to Azure Data Factory! This getting started article will let you create your first data factory and pipeline within 5 minutes. The ARM template below will create and configure everything you need to try it out. Then you only need to navigate to your demo data factory and make one more click to trigger the pipeline, which moves some sample data from one Azure blob storage to another.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+## Video introduction

+Select the button below to try it out!

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.datafactory%2Fdata-factory-get-started%2Fazuredeploy.json)

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE583aX]

+## Try your first demo with one click

+In your first demo scenario you will use the [Copy activity](copy-activity-overview.md) in a data factory to copy an Azure blob named moviesDB2.csv from an input folder on an Azure Blob Storage to an output folder. In a real world scenario this copy operation could be between any of the many supported data sources and sinks available in the service. It could also involve transformations in the data.

+Try it now with one click! After clicking the button below, the following objects will be created in Azure:

+- A data factory account

+- A pipeline within the data factory with one copy activity

+- An Azure blob storage with [moviesDB2.csv](https://raw.githubusercontent.com/kromerm/adfdataflowdocs/master/sampledata/moviesDB2.csv) uploaded into an input folder as source

+- A linked service to connect the data factory to the Azure blob storage

+## Step 1: Click the button to start

+Select the button below to try it out! (If you clicked the one above already, you don't need to do it again.)

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.datafactory%2Fdata-factory-get-started%2Fazuredeploy.json)

+You will be redirected to the configuration page shown in the image below to deploy the template. Here, you only need to create a **new resource group**. (You can leave all the other values with their defaults.) Then click **Review + create** and click **Create** to deploy the resources.

+All of the resources referenced above will be created in the new resource group, so you can easily clean them up after trying the demo.

+## Step 2: Review deployed resources

+1. Select **Go to resource group** after your deployment is complete.

+ :::image type="content" source="media/quickstart-get-started/deployment-complete.png" alt-text="A screenshot of the deployment complete page in the Azure portal after successfully deploying the template.":::

+1. In the resource group, you will see the new data factory, Azure blob storage account, and managed identity that were created by the deployment.

+ :::image type="content" source="media/quickstart-get-started/resource-group-contents.png" alt-text="A screenshot of the contents of the resource group created for the demo.":::

+1. Select the data factory in the resource group to view it. Then select the **Open Azure Data Factory Studio** button to continue.

+ :::image type="content" source="media/quickstart-get-started/open-data-factory-studio.png" alt-text="A screenshot of the Azure portal on the newly created data factory page, highlighting the location of the Open Azure Data Factory Studio button.":::

+1. Select on the **Author** tab <img src="media/quickstart-get-started/author-button.png" alt="Author tab"/> and then the **Pipeline** created by the template. Then check the source data by selecting **Open**.

+ :::image type="content" source="media/quickstart-get-started/view-pipeline.png" alt-text="Screenshot of the Azure Data Factory Studio showing the pipeline created by the template.":::

+1. In the source dataset that you will see, select **Browse**, and note the moviesDB2.csv file, which has been uploaded into the input folder already.

+ :::image type="content" source="media/quickstart-get-started/source-dataset-browse.png" alt-text="Screenshot of the source dataset highlighting the Browse button where the user can see the input file created for the demo.":::

+ :::image type="content" source="media/quickstart-get-started/input-contents.png" alt-text="Screenshot of the contents of the input folder showing the moviesDB2.csv file used in the demo.":::

+## Step 3: Trigger the demo pipeline to run

+1. Select **Add Trigger**, and then **Trigger Now**.

+ :::image type="content" source="media/quickstart-get-started/trigger-now.png" alt-text="Screenshot of the Trigger Now button for the pipeline in the demo.":::

+1. In the right pane under **Pipeline run**, select **OK**.

+## Monitor the pipeline

+1. Select the **Monitor** tab <img src="media/quickstart-get-started/monitor-button.png" alt="Monitor tab"/>.

+1. You can see an overview of your pipeline runs in the Monitor tab, such as run start time, status, etc.

+

+ :::image type="content" source="media/quickstart-get-started/monitor-overview.png" alt-text="Screenshot of the data factory monitoring tab.":::

+1. In this quickstart, the pipeline has only one activity type: Copy. Click on the pipeline name and you can see the details of the copy activity's run results.

+ :::image type="content" source="media/quickstart-get-started/copy-activity-run-results.png" alt-text="Screenshot of the run results of a copy activity in the data factorying monitoring tab.":::

+1. Click on details, and the detailed copy process is displayed. From the results, data read and written size are the same, and 1 file was read and written, which also proves all the data has been successfully copied to the destination.

+ :::image type="content" source="media/quickstart-get-started/copy-activity-detailed-run-results.png" alt-text="Screenshot of the detailed copy activity run results.":::

+## Clean up resources

+You can clean up all the resources you created in this quickstart in either of two ways. You can [delete the entire Azure resource group](../azure-resource-manager/management/delete-resource-group.md), which includes all the resources created in it. Or if you want to keep some resources intact, browse to the resource group and delete only the specific resources you want, keeping the others. For example, if you are using this template to create a data factory for use in another tutorial, you can delete the other resources but keep only the data factory.

+## Next steps

+In this quickstart, you created an Azure Data Factory containing a pipeline with a copy activity. To learn more about Azure Data Factory, continue on to the article and Learn module below.

+- [Hello World - How to copy data](quickstart-hello-world-copy-data-tool.md)

+- [Learn module: Introduction to Azure Data Factory](/learn/modules/intro-to-azure-data-factory/)

+ Title: Copy data by using the copy data tool

+description: Create an Azure Data Factory and then use the copy data tool to copy data from one location in Azure Blob storage to another location.

+# Quickstart: Use the copy data tool in the Azure Data Factory Studio to copy data

+In this quick start, you will use the Copy Data tool to create a pipeline that copies data from the source folder in Azure Blob storage to target folder.

+## Prerequisites

+### Azure subscription

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Prepare source data in Azure Blob Storage

+Select the button below to try it out!

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.datafactory%2Fdata-factory-copy-data-tool%2Fazuredeploy.json)

+You will be redirected to the configuration page shown in the image below to deploy the template. Here, you only need to create a **new resource group**. (You can leave all the other values with their defaults.) Then click **Review + create** and click **Create** to deploy the resources.

+> [!NOTE]

+> The user deploying the template needs to assign a role to a managed identity. This requires permissions that can be granted through the Owner, User Access Administrator or Managed Identity Operator roles.

+A new blob storage account will be created in the new resource group, and the moviesDB2.csv file will be stored in a folder called **input** in the blob storage.

+### Create a data factory

+You can use your existing data factory or create a new one as described in [Quickstart: Create a data factory by using the Azure portal](quickstart-create-data-factory.md).

+

+## Use the copy data tool to copy data

+The steps below will walk you through how to easily copy data with the copy data tool in Azure Data Factory.

+### Step 1: Start the copy data Tool

+1. On the home page of Azure Data Factory, select the **Ingest** tile to start the Copy Data tool.

+ :::image type="content" source="./media/doc-common-process/get-started-page.png" alt-text="Screenshot that shows the Azure Data Factory home page.":::

+1. On the **Properties** page of the Copy Data tool, choose **Built-in copy task** under **Task type**, then select **Next**.

+ :::image type="content" source="./media/quickstart-hello-world-copy-data-tool/copy-data-tool-properties-page.png" alt-text="Screenshot that shows the Properties page.":::

+### Step 2: Complete source configuration

+1. Click **+ Create new connection** to add a connection.

+1. Select the linked service type that you want to create for the source connection. In this tutorial, we use **Azure Blob Storage**. Select it from the gallery, and then select **Continue**.

+

+ :::image type="content" source="./media/quickstart-hello-world-copy-data-tool/select-blob-source.png" alt-text="Screenshot that shows the Select Blob dialog.":::

+1. On the **New connection (Azure Blob Storage)** page, specify a name for your connection. Select your Azure subscription from the **Azure subscription** list and your storage account from the **Storage account name** list, test connection, and then select **Create**.

+ :::image type="content" source="./media/quickstart-hello-world-copy-data-tool/configure-blob-storage.png" alt-text="Screenshot that shows where to configure the Azure Blob storage account.":::

+1. Select the newly created connection in the **Connection** block.

+1. In the **File or folder** section, select **Browse** to navigate to the **adftutorial/input** folder, select the **emp.txt** file, and then click **OK**.

+1. Select the **Binary copy** checkbox to copy file as-is, and then select **Next**.

+ :::image type="content" source="./media/quickstart-hello-world-copy-data-tool/source-data-store.png" alt-text="Screenshot that shows the Source data store page.":::

+### Step 3: Complete destination configuration

+1. Select the **AzureBlobStorage** connection that you created in the **Connection** block.

+1. In the **Folder path** section, enter **adftutorial/output** for the folder path.

+ :::image type="content" source="./media/quickstart-hello-world-copy-data-tool/destination-data-store.png" alt-text="Screenshot that shows the Destination data store page.":::

+1. Leave other settings as default and then select **Next**.

+### Step 4: Review all settings and deployment

+1. On the **Settings** page, specify a name for the pipeline and its description, then select **Next** to use other default configurations.

+ :::image type="content" source="./media/quickstart-hello-world-copy-data-tool/settings.png" alt-text="Screenshot that shows the settings page.":::

+1. On the **Summary** page, review all settings, and select **Next**.

+1. On the **Deployment complete** page, select **Monitor** to monitor the pipeline that you created.

+ :::image type="content" source="./media/quickstart-hello-world-copy-data-tool/deployment-page.png" alt-text="Screenshot that shows the Deployment complete page.":::

+### Step 5: Monitor the running results

+1. The application switches to the **Monitor** tab. You see the status of the pipeline on this tab. Select **Refresh** to refresh the list. Click the link under **Pipeline name** to view activity run details or rerun the pipeline.

+

+ :::image type="content" source="./media/quickstart-hello-world-copy-data-tool/refresh-pipeline.png" alt-text="Screenshot that shows the refresh pipeline button.":::

+1. On the Activity runs page, select the **Details** link (eyeglasses icon) under the **Activity name** column for more details about copy operation. For details about the properties, see [Copy Activity overview](copy-activity-overview.md).

+## Next steps

+The pipeline in this sample copies data from one location to another location in Azure Blob storage. To learn about using Data Factory in more scenarios, go through the [tutorials](tutorial-copy-data-portal.md).

+ Title: A summary of introductory training modules

+description: Get started learning about Azure Data Factory fast with our introductory training modules.

+# Introductory training modules for Azure Data Factory

+Azure Data Factory provides a number of training modules to help you master the basics, as well as more in-depth modules to give you mastery over some of the deeper capabilities of the service. Below we provide links and descriptions of our introductory modules to get you started fast! You can also [view the entire catalog](/training/browse/?filter-products=factory&products=azure-data-factory) of available data factory training, including more advanced modules.

+## Introduction to Azure Data Factory

+This is the best place to start if you are completely new to the product.

+[Visit this module now.](/training/modules/intro-to-azure-data-factory)

+## Integrate data with Azure Data Factory or Azure Synapse Pipeline

+This module helps you master the basic functionality of the service and learn how to use the integration runtime to access on-premises resources within your own network.

+[Visit this module now.](/training/modules/data-integration-azure-data-factory)

+## Petabyte scale ingestion with Azure Data Factory or Azure Synapse Pipeline

+This module introduces you to the details of Azure Data Factory's ingestion methods and demonstrates how you can ingest large volumes of data even at petabyte scale using the service.

+[Visit this module now.](/training/modules/petabyte-scale-ingestion-azure-data-factory)

+## Next steps

+- [Quickstart: Get started with Azure Data Factory](quickstart-get-started.md)

+- [Quickstart: Create data factory using UI](quickstart-create-data-factory-portal.md)

+- [Quickstart: Copy data tool](quickstart-hello-world-copy-data-tool.md)

+- [Quickstart: Create data factory - ARM template](quickstart-create-data-factory-resource-manager-template.md)

+- [Quickstart: Create data flow](data-flow-create.md)

+- [All Learn modules for Azure Data Factory](/training/browse/?filter-products=fact&products=azure-data-factory)

+1. Expand the menu at the top left and select **Create a resource**. Then select > **Integration** > **Data Factory**:

+ :::image type="content" source="./media/tutorial-control-flow-portal/create-resource.png" alt-text="Shows a screenshot of the &quot;Create a resource&quot; button in the Azure portal.":::

+ :::image type="content" source="./media/tutorial-control-flow-portal/new-azure-data-factory-menu.png" alt-text="Shows a screenshot of the Data Factory selection in the &quot;New&quot; pane.":::

+1. In the **New data factory** page, enter **ADFTutorialDataFactory** for the **name**.

+1. Select your Azure **subscription** in which you want to create the data factory.

+1. For the **Resource Group**, do one of the following steps:

+1. Select **V2** for the **version**.

+1. Select the **location** for the data factory. Only locations that are supported are displayed in the drop-down list. The data stores (Azure Storage, Azure SQL Database, etc.) and computes (HDInsight, etc.) used by data factory can be in other regions.

+1. Select **Pin to dashboard**.

+1. Click **Create**.

+1. After the creation is complete, you see the **Data Factory** page as shown in the image.

+ :::image type="content" source="./media/tutorial-control-flow-portal/data-factory-home-page.png" alt-text="Shows a screenshot of the data factory home page.":::

+1. Click **Open Azure Data Factory Studio** tile to launch the Azure Data Factory user interface (UI) in a separate tab.

+ :::image type="content" source="media/tutorial-data-flow/orchestrate.png" alt-text="Shows a screenshot of the data factory home page with the Orchestrate tile highlighted.":::

+1. In the properties window for the pipeline, switch to the **Parameters** tab, and use the **New** button to add the following three parameters of type String: sourceBlobContainer, sinkBlobContainer, and receiver.

+ :::image type="content" source="./media/tutorial-control-flow-portal/pipeline-parameters.png" alt-text="Shows a screenshot of the New pipeline menu.":::

+1. In the **Activities** toolbox, search for **Copy** and drag-drop the **Copy** activity to the pipeline designer surface.

+ :::image type="content" source="./media/tutorial-control-flow-portal/drag-drop-copy-activity.png" alt-text="Shows a screenshot demonstrating how to drag and drop the copy activity onto the pipeline designer.":::

+1. Select the **Copy** activity you dragged onto the pipeline designer surface. In the **Properties** window for the **Copy** activity at the bottom, switch to the **Source** tab, and click **+ New**. You create a source dataset for the copy activity in this step.

+ :::image type="content" source="./media/tutorial-control-flow-portal/new-source-dataset-button.png" alt-text="Screenshot that shows how to create a source dataset for the copy activity.":::

+1. In the **New Dataset** window, select the **Azure** tab at the top, and then choose **Azure Blob Storage**, and select **Continue**.

+ :::image type="content" source="./media/tutorial-control-flow-portal/select-azure-blob-storage.png" alt-text="Shows a screenshot of the select Azure Blob Storage button.":::

+1. In the **Select format** window, choose **DelimitedText** and select **Continue**.

+ :::image type="content" source="media/tutorial-control-flow-portal/select-format.png" alt-text="Shows a screenshot of the &quot;Select Format&quot; window with the DelimitedText format highlighted.":::

+1. You see a new **tab** titled **Set properties**. Change the name of the dataset to **SourceBlobDataset**. Select the **Linked Service** dropdown, and choose **+New** to create a new linked service to your source dataset.

+ :::image type="content" source="./media/tutorial-control-flow-portal/create-new-linked-service.png" alt-text="Shows a screenshot of the &quot;Set properties&quot; window for the dataset, with the &quot;+New&quot; button highlighted under the &quot;Linked service&quot; dropdown.**":::

+1. You will see the **New linked service** window where you can fill out the required properties for the linked service.

+ :::image type="content" source="./media/tutorial-control-flow-portal/new-linked-service-window.png" alt-text="Shows a screenshot fo the dataset connection window with the new linked service button highlighted.":::

+1. In the **New Linked Service** window, complete the following steps:

+ 1. Select your Azure storage account for the **Storage account name**.

+ 1. Click **Create**.

+1. On the **Set properties** window that appears next, select **Open this dataset** to enter a parameterized value for the file name.

+ :::image type="content" source="media/tutorial-control-flow-portal/dataset-set-properties.png" alt-text="Shows a screenshot of the dataset &quot;Set properties&quot; window with the &quot;Open this dataset&quot; link highlighted.":::

+1. Enter `@pipeline().parameters.sourceBlobContainer` for the folder and `emp.txt` for the file name.

+ :::image type="content" source="./media/tutorial-control-flow-portal/source-dataset-settings.png" alt-text="Shows a screenshot of the source dataset settings.":::

+1. Switch back to the **pipeline** tab (or click the pipeline in the treeview on the left), and select the **Copy** activity on the designer. Confirm that your new dataset is selected for **Source Dataset**.

+ :::image type="content" source="./media/tutorial-control-flow-portal/pipeline-source-dataset-selected.png" alt-text="Shows a screenshot of the source dataset.":::

+1. In the properties window, switch to the **Sink** tab, and click **+ New** for **Sink Dataset**. You create a sink dataset for the copy activity in this step similar to the way you created the source dataset.

+ :::image type="content" source="./media/tutorial-control-flow-portal/new-sink-dataset-button.png" alt-text="Shows a screenshot of the new sink dataset button":::

+1. In the **New Dataset** window, select **Azure Blob Storage**, and click **Continue**, and then select **DelimitedText** again on the **Select format** window and click **Continue** again.

+1. In the **Set properties** page for the dataset, enter **SinkBlobDataset** for **Name**, and select **AzureStorageLinkedService** for **LinkedService**.

+1. Expand the Advanced section of the properties page and select **Open this dataset**.

+

+1. On the dataset **Connection** tab, edit the **File path**. Enter `@pipeline().parameters.sinkBlobContainer` for the folder, and `@concat(pipeline().RunId, '.txt')` for the file name. The expression uses the ID of the current pipeline run for the file name. For the supported list of system variables and expressions, see [System variables](control-flow-system-variables.md) and [Expression language](control-flow-expression-language-functions.md).

+ :::image type="content" source="./media/tutorial-control-flow-portal/sink-dataset-settings.png" alt-text="Shows a screenshot of the Sink dataset settings.":::

+1. Switch back to the **pipeline** tab at the top. Search for **Web** in the search box, and drag-drop a **Web** activity to the pipeline designer surface. Set the name of the activity to **SendSuccessEmailActivity**. The Web Activity allows a call to any REST endpoint. For more information about the activity, see [Web Activity](control-flow-web-activity.md). This pipeline uses a Web Activity to call the Logic Apps email workflow.

+ :::image type="content" source="./media/tutorial-control-flow-portal/success-web-activity-general.png" alt-text="Shows a screenshot demonstrating how to drag and drop the first Web activity.":::

+1. Switch to the **Settings** tab from the **General** tab, and do the following steps:

+ 1. Select **POST** for **Method**.

+ 1. Click **+ Add header** link in the **Headers** section.

+ 1. Add a header **Content-Type** and set it to **application/json**.

+ 1. Specify the following JSON for **Body**.

+ :::image type="content" source="./media/tutorial-control-flow-portal/web-activity1-settings.png" alt-text="Shows a screenshot of the settings for the first Web activity.":::

+1. Connect the **Copy** activity to the **Web** activity by dragging the green checkbox button next to the Copy activity and dropping on the Web activity.

+ :::image type="content" source="./media/tutorial-control-flow-portal/connect-copy-web-activity1.png" alt-text="Shows a screenshot demonstrating how to connect the Copy activity with the first Web activity.":::

+1. Drag-drop another **Web** activity from the Activities toolbox to the pipeline designer surface, and set the **name** to **SendFailureEmailActivity**.

+ :::image type="content" source="./media/tutorial-control-flow-portal/web-activity2-name.png" alt-text="Shows a screenshot of the name of the second Web activity.":::

+1. Switch to the **Settings** tab, and do the following steps:

+ 1. Select **POST** for **Method**.

+ 1. Click **+ Add header** link in the **Headers** section.

+ 1. Add a header **Content-Type** and set it to **application/json**.

+ 1. Specify the following JSON for **Body**.

+ :::image type="content" source="./media/tutorial-control-flow-portal/web-activity2-settings.png" alt-text="Shows a screenshot of the settings for the second Web activity.":::

+1. Select the red **X** button on the right side of the **Copy** activity in the pipeline designer and drag and drop it onto the **SendFailureEmailActivity** you just created.

+1. To validate the pipeline, click **Validate** button on the toolbar. Close the **Pipeline Validation Output** window by clicking the **>>** button.

+ :::image type="content" source="./media/tutorial-control-flow-portal/validate-pipeline.png" alt-text="Shows a screenshot of the Validate pipeline button.":::

+1. To publish the entities (datasets, pipelines, etc.) to Data Factory service, select **Publish All**. Wait until you see the **Successfully published** message.

+ :::image type="content" source="./media/tutorial-control-flow-portal/publish-button.png" alt-text="Shows a screenshot of the Publish button in the data factory portal.":::

+ :::image type="content" source="./media/tutorial-control-flow-portal/trigger-now-menu.png" alt-text="Shows a screenshot of the Trigger Now button.":::

+1. In the **Pipeline Run** window, do the following steps:

+ 1. Enter **adftutorial/adfv2branch/output** for the **sinkBlobContainer** parameter.

+ 1. Enter an **email address** of the **receiver**.

+ 1. Click **Finish**

+1. To **view activity runs** associated with this pipeline run, click the first link in the **Actions** column. You can switch back to the previous view by clicking **Pipelines** at the top. Use the **Refresh** button to refresh the list.

+1. To **trigger** a pipeline run, click **Trigger** on the toolbar, and click **Trigger Now**.

+1. In the **Pipeline Run** window, do the following steps:

+ 1. Enter **adftutorial/dummy/output** for the **sinkBlobContainer** parameter.

+1. Click **Error** link for the pipeline run to see details about the error.

+1. To **view activity runs** associated with this pipeline run, click the first link in the **Actions** column. Use the **Refresh** button to refresh the list. Notice that the Copy activity in the pipeline failed. The Web activity succeeded to send the failure email to the specified receiver.

+1. Click **Error** link in the **Actions** column to see details about the error.

+ :::image type="content" source="./media/doc-common-process/new-azure-data-factory-menu.png" alt-text="Screenshot that shows the data factory selection in the New pane.":::

+* **Image**: Windows 10 Pro, Version 21H2 - Gen2

+First, [create an Azure IoT Hub instance](../iot-hub/iot-hub-create-through-portal.md). For this article, you can create an instance in the **F1: Free** tier (if you're using the Azure portal to create the hub, that option is on the **Management** tab of setup).

+After you've created the Azure IoT Hub instance, select **IoT Edge** from the instance's left navigation menu, and select **Add IoT Edge Device**.

+Once your device is created, copy either the **Primary Connection String** or **Secondary Connection String** value. You'll need this value in the next section when you set up the edge device.

+#### Create Ubuntu VM with IoT Edge

+Use the [ARM Template to deploy IoT Edge enabled VM](https://github.com/Azure/iotedge-vm-deploy/tree/1.4) to deploy an Ubuntu virtual machine with IoT Edge. You can use the **Deploy to Azure** button to set the template options through the Azure portal. Fill in the values for the VM, keeping in mind these specifics:

+* Remember the value you use for the **Dns Label Prefix**, as you'll use it to identify the device later.

+* For **VM Size**, enter *Standard_B1ms*.

+* For **Device Connection String**, enter the *primary connection string* you collected in the previous section while [setting up the IoT Edge device](#set-up-iot-edge-device).

+When you're finished setting up the values, select **Review + create**. This will create the new VM, which you can find in the Azure portal under a resource name with the prefix *vm-* (the exact name is generated randomly).

+Once the installation completes, connect to the new gateway VM.

+Run the following command on the VM to verify the status of your IoT Edge installation:

+sudo iotedge check

+> [!NOTE]

+> You may see one error in the output related to IoT Edge Hub:

+>

+> **× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error**

+>

+> **Could not check current state of edgeHub container**

+>

+> This error is expected on a newly provisioned device because the IoT Edge Hub module isn't yet running. After the next step of installing the OPC Publisher module, this error will disappear.

+#### Install OPC Publisher module

+Next, install the OPC Publisher module on your gateway device. You'll complete the first part of this section on your main working device (not the gateway device), and you'll provide information about the gateway device where the module should be installed.

+Follow the installation steps documented in the [OPC Publisher GitHub Repo](https://github.com/Azure/Industrial-IoT/blob/main/docs/modules/publisher.md) to install the module on your gateway device VM. Here are some things to keep in mind during this process:

+* You'll be asked to connect to your IoT Hub and select the device where the module should be installed. You should see the **Dns label prefix** you created for the IoT Edge device earlier, and be able to select it as the gateway device.

+* In the step for [specifying container create options](https://github.com/Azure/Industrial-IoT/blob/main/docs/modules/publisher.md#specifying-container-create-options-in-the-azure-portal), add the following json:

+ ```JSON

+ {

+ "Hostname": "opcpublisher",

+ "Cmd": [

+ "--pf=/appdata/publishednodes.json",

+ "--aa"

+ ],

+ "HostConfig": {

+ "Binds": [

+ "/iiotedge:/appdata"

+ ]

+ }

+ ```

+* On the **Routes** tab for the module creation, create a route with the value _FROM /* INTO $upstream_.

+ :::image type="content" source="media/how-to-ingest-opcua-data/set-route.png" alt-text="Screenshot of the Azure portal creating the route for the device module.":::

+Follow the rest of the prompts to create the module.

+Finally, go to the `/iiotedge` directory on your gateway device, and create a *publishednodes.json* file. Use the following example file body to create your own similar file. Update the `EndpointUrl` value to match the connection address with the public IP value that you created while [installing the OPC UA simulation software](#install-opc-ua-simulation-software). Then, update the IDs in the file as needed to match the `NodeId` values that you [gathered earlier from the OPC Server](#install-opc-ua-simulation-software).

+Then, run the following command on the gateway device:

+To monitor the messages flowing into Azure IoT hub, you can run the following command for the Azure CLI on your main development machine:

+> [!NOTE]

+> Azure SQL Database targets are only available using the [Azure Data Studio Insiders](/sql/azure-data-studio/download-azure-data-studio#download-the-insiders-build-of-azure-data-studio) version of the Azure SQL Migration extension.

+The following Azure PowerShell script finds unhealthy DNS records in Azure DNS public zones.

+ 1. Install Pre requisites Az PowerShell modules (https://learn.microsoft.com/powershell/azure/install-az-ps?view=azps-5.7.0)

+ 2. Sign in to your Azure Account using Login-AzAccount or Connect-AzAccount.

+ 3. From an elevated PowerShell prompt, navigate to folder where the script is saved and run the following command:

+ Replace subscription id with the subscription id of interest.

+ Replace ZoneName with the actual zone name.

+$context = Get-AzAccessToken;

+if ($context.Token -eq $null) {

+ Write-host -ForegroundColor Yellow "Please sign in to your Azure Account using Login-AzAccount or Connect-AzAccount before running the script."

+| [Get-AzDnsZone](/powershell/module/az.dns/get-azdnszone) | Gets an Azure public DNS zone. |

+> Event Hubs dedicated clusters require at least 8 Capacity Units(CUs) to enable availability zones. Clusters with self-serve scaling does not support availability zones yet. Availability zone support is only available in [Azure regions with availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones).

+> Availability zone support is only available in [Azure regions with availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones).

+### Virtual network (Vnet) Peering

+FastPath will send traffic directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway. This feature is available for both IPv4 and IPv6 connectivity.

+**FastPath support for vnet peering is only available for ExpressRoute Direct connections.**

+> [!NOTE]

+> * FastPath Vnet peering connectivity is not supported for Azure Dedicated Host workloads.

+## User Defined Routes (UDRs)

+FastPath will honor UDRs configured on the GatewaySubnet and send traffic directly to an Azure Firewall or third party NVA.

+**FastPath support for UDRs is only available for ExpressRoute Direct connections**

+> [!NOTE]

+> * FastPath UDR connectivity is not supported for Azure Dedicated Host workloads.

+> * FastPath UDR connectivity is not supported for IPv6 workloads.

+To enroll in the preview, send an email to **exrpm@microsoft.com**, providing the following information:

+* Azure Subscription ID

+* Virtual Network (VNet) Resource ID

+* ExpressRoute Circuit Resource ID

+**FastPath support for virtual network peering and UDRs is only available for ExpressRoute Direct connections**.

+> * Virtual network peering and UDR support is enabled by default for all new FastPath connections

+> * To enable virtual network peering and UDR support for FastPath connections configured before 9/19/2022, disable and enable FastPath on the target connection.

+| **Tokyo2** | [AT TOKYO](https://www.attokyo.com/) | 2 | Japan East | Supported | AT TOKYO, China Unicom Global, Colt, Equinix, Fibrenoire, IX Reach, Megaport, PCCW Global Limited, Tokai Communications |

+| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** |Supported |Supported | Amsterdam, Amsterdam2, Atlanta, Berlin, Bogota, Canberra2, Chicago, Dallas, Dubai2, Dublin, Frankfurt, Frankfurt2, Geneva, Hong Kong SAR, Hong Kong2, London, London2, Los Angeles*, Los Angeles2, Melbourne, Miami, Milan, New York, Osaka, Paris, Paris2, Quebec City, Rio de Janeiro, Sao Paulo, Seattle, Seoul, Silicon Valley, Singapore, Singapore2, Stockholm, Sydney, Tokyo, Tokyo2, Toronto, Washington DC, Zurich</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Please create new circuits in Los Angeles2.* |

+> [!TIP]

+> Policy Analytics has a dependency on both Log Analytics and Azure Firewall resource specific logging. Verify the Firewall is configured appropriately or follow the previous instructions. Be aware that logs take 60 minutes to appear after enabling them for the first time. This is because logs are aggregated in the backend every hour. You can check logs are configured appropriately by running a log analytics query on the resource specific tables such as **AZFWNetworkRuleAggregation**, **AZFWApplicationRuleAggregation**, and **AZFWNatRuleAggregation**.

+ Title: Tutorial - Configure HTTPS on a custom domain for Azure Front Door (classic) | Microsoft Docs

+description: In this tutorial, you learn how to enable and disable HTTPS on your Azure Front Door (classic) configuration for a custom domain.

+#Customer intent: As a website owner, I want to enable HTTPS on the custom domain in my Front Door (classic) so that my users can use my custom domain to access their content securely.

+# Tutorial: Configure HTTPS on a Front Door (classic) custom domain

+This tutorial shows how to enable the HTTPS protocol for a custom domain that's associated with your Front Door (classic) under the frontend hosts section. By using the HTTPS protocol on your custom domain (for example, https:\//www.contoso.com), you ensure that your sensitive data is delivered securely via TLS/SSL encryption when it's sent across the internet. When your web browser is connected to a web site via HTTPS, it validates the web site's security certificate and verifies it's issued by a legitimate certificate authority. This process provides security and protects your web applications from attacks.

+> * This action requires you to have Global Administrator permissions in Azure AD. The registration only needs to be performed **once per Azure AD tenant**.

+> * Azure Front Door (classic) has a different *Application Id* than Azure Front Door Standard/Premium tier.

+* Have a functioning Azure Front Door profile. Refer to [Create a Front Door - CLI](../create-front-door-cli.md) to learn how to create one.

+ Title: 'Connect Azure Front Door Premium to a Storage Account origin with Private Link - Azure CLI'

+description: Learn how to connect your Azure Front Door Premium to a Storage Account privately - Azure CLI.

+# Connect Azure Front Door Premium to a Storage Account origin with Private Link with Azure CLI

+This article will guide you through how to configure Azure Front Door Premium tier to connect to your Storage Account privately using the Azure Private Link service with Azure CLI.

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* Have a functioning Azure Front Door Premium profile, an endpoint and an origin group. For more information on how to create an Azure Front Door profile, see [Create a Front Door - CLI](../create-front-door-cli.md).

+* Have a functioning Storage Account that is also private. Refer this [doc](../../storage/common/storage-private-endpoints.md) to learn how to do the same.

+> [!NOTE]

+> Private endpoints requires your Storage Account to meet certain requirements. For more information, see [Using Private Endpoints for Azure Storage](../../storage/common/storage-private-endpoints.md).

+## Enable Private Link to a Storage Account in Azure Front Door Premium

+

+Run [az afd origin create](/cli/azure/afd/origin#az-afd-origin-create) to create a new Azure Front Door origin. Enter the following settings to configure the Storage Account you want Azure Front Door Premium to connect with privately. Notice the `private-link-location` must be in one of the [available regions](../private-link.md#region-availability) and the `private-link-sub-resource-type` must be **blob**.

+```azurecli-interactive

+az afd origin create --enabled-state Enabled \

+ --resource-group myRGFD \

+ --origin-group-name og1 \

+ --origin-name mystorageorigin \

+ --profile-name contosoAFD \

+ --host-name mystorage.blob.core.windows.net \

+ --origin-host-header mystorage.blob.core.windows.net \

+ --http-port 80 \

+ --https-port 443 \

+ --priority 1 \

+ --weight 500 \

+ --enable-private-link true \

+ --private-link-location EastUS \

+ --private-link-request-message 'AFD storage origin Private Link request.' \

+ --private-link-resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Storage/storageAccounts/mystorage \

+ --private-link-sub-resource-type blob

+```

+## Approve Azure Front Door Premium private endpoint connection from Azure Storage

+1. Run [az network private-endpoint-connection list](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-list) to list the private endpoint connections for your storage account. Make note of the `Resource ID` of the private endpoint connection available in the first line of the output.

+ ```azurecli-interactive

+ az network private-endpoint-connection list --name mystorage --resource-group myRGFD --type Microsoft.Storage/storageAccounts

+ ```

+1. Run [az network private-endpoint-connection approve](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-approve) to approve the private endpoint connection

+ ```azurecli-interactive

+ az network private-endpoint-connection approve --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Storage/storageAccounts/mystorage/privateEndpointConnections/mystorage.00000000-0000-0000-0000-000000000000

+ ```

+1. Once approved, it will take a few minutes for the connection to fully establish. You can now access your storage account from Azure Front Door Premium. Direct access to the storage account from the public internet gets disabled after private endpoint gets enabled.

+## Next steps

+Learn about [Private Link service with storage account](../../storage/common/storage-private-endpoints.md).

+ Title: 'Connect Azure Front Door Premium to an App Service origin with Private Link - Azure CLI'

+description: Learn how to connect your Azure Front Door Premium to a webapp privately using Azure CLI.

+# Connect Azure Front Door Premium to an App Service origin with Private Link using Azure CLI

+This article will guide you through how to configure Azure Front Door Premium tier to connect to your App service privately using the Azure Private Link service with Azure CLI.

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* Have a functioning Azure Front Door Premium profile, an endpoint and an origin group. For more information on how to create an Azure Front Door profile, see [Create a Front Door - CLI](../create-front-door-cli.md).

+* Have a functioning Web App that is also private. Refer this [doc](../../private-link/create-private-link-service-cli.md) to learn how to do the same.

+> [!NOTE]

+> Private endpoints requires your App Service plan or function hosting plan to meet some requirements. For more information, see [Using Private Endpoints for Azure Web App](../../app-service/networking/private-endpoint.md).

+## Enable Private Link to an App Service in Azure Front Door Premium

+

+Run [az afd origin create](/cli/azure/afd/origin#az-afd-origin-create) to create a new Azure Front Door origin. Enter the following settings to configure the App service you want Azure Front Door Premium to connect with privately. Notice the `private-link-location` must be in one of the [available regions](../private-link.md#region-availability) and the `private-link-sub-resource-type` must be **sites**.

+```azurecli-interactive

+az afd origin create --enabled-state Enabled \

+ --resource-group myRGFD \

+ --origin-group-name og1 \

+ --origin-name pvtwebapp \

+ --profile-name contosoAFD \

+ --host-name example.contoso.com \

+ --origin-host-header example.contoso.com \

+ --http-port 80 \

+ --https-port 443 \

+ --priority 1 \

+ --weight 500 \

+ --enable-private-link true \

+ --private-link-location EastUS \

+ --private-link-request-message 'AFD app service origin Private Link request.' \

+ --private-link-resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1/appServices\

+ --private-link-sub-resource-type sites

+```

+## Approve Azure Front Door Premium private endpoint connection from App Service

+1. Run [az network private-endpoint-connection list](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-list) to list the private endpoint connections for your web app. Note down the `Resource ID` of the private endpoint connection available in the first line of the output.

+ ```azurecli-interactive

+ az network private-endpoint-connection list --name webapp1 --resource-group myRGFD --type Microsoft.Web/sites

+ ```

+1. Run [az network private-endpoint-connection approve](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-approve) to approve the private endpoint connection

+ ```azurecli-interactive

+ az network private-endpoint-connection approve --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRGFD/providers/Microsoft.Web/sites/webapp1/privateEndpointConnections/00000000-0000-0000-0000-000000000000

+ ```

+1. Once approved, it will take a few minutes for the connection to fully establish. You can now access your app service from Azure Front Door Premium. Direct access to the App Service from the public internet gets disabled after private endpoint gets enabled.

+## Next steps

+Learn about [Private Link service with App service](../../app-service/networking/private-endpoint.md).

+> [!NOTE]

+ | Origin Type | App services |

+When you create the cache, make sure you select the type and size that will support the number of storage targets you need.

+The number of supported storage targets depends on the cache type and the cache capacity. Cache capacity is a combination of throughput capacity (in GB/s) and storage capacity (in TB).

+ For example, if you choose 2 GB/second throughput and don't choose the largest cache storage size (12 TB), your cache supports a maximum of 10 storage targets.

+ * All read-only high-throughput caches (which have preconfigured cache storage sizes) can support up to 20 storage targets.

+Read [Choose cache type and capacity](hpc-cache-create.md#choose-cache-type-and-capacity) to learn more about throughput and cache size settings.

+ Client reads and client writes are both cached. Files in the cache are assumed to be newer than files on the back-end storage system. Cached files are only automatically checked against the files on back-end storage every eight hours. Modified files in the cache are written to the back-end storage system after they have been in the cache for an hour with no other changes.

+## Choose cache type and capacity

+<!-- referenced from GUI - update aka.ms/hpc-cache-iops link if you change this header text - also check for cross-reference from add storage article -->

+On the **Cache** page, specify the type and size of cache to create. These values determine your cache's capabilities, including:

+* How quickly the cache can service client requests

+* How much data the cache can hold

+* Whether or not the cache supports read/write caching mode

+* How many storage targets it can have

+* The cache's cost

+First, choose the type of cache you want. Options include:

+* **Read-write standard caching** - A flexible, general-purpose cache

+* **Read-only caching** - A high-throughput cache designed to minimize latency for file access

+Read more about these cache type options below in [Choose the cache type for your needs](#choose-the-cache-type-for-your-needs).

+Second, select the cache's capacity. Cache capacity is a combination of two values:

+* **Maximum throughput** - The data transfer rate for the cache, in GB/second

+* **Cache size** - The amount of storage allocated for cached data, in TB

+

+Throughput and cache size also affect how many storage targets are supported for a particular cache. If you want to use more than 10 storage targets with your cache, you must choose the highest available cache storage size value available for your throughput size, or choose the high-throughput read-only configuration. Learn more in [Add storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets).

+When you choose your cache capacity, you might notice that some cache types have one fixed cache size, and others let you select from multiple cache size options for each throughput value. This is because they use different styles of cache infrastructure.

+* Standard caches - Cache type **Read-write caching**

+* High-throughput caches - Cache type **Read-only caching**

+ The high-throughput read-only caches are preconfigured with only one cache size option per throughput value. They're designed to optimize file read access only.

+

+| Attribute | Standard cache | Read-only high-throughput cache |

+| Cache type |"Read-write standard caching"| "Read-only caching"|

+| Compatible storage target types | Azure Blob, on-premises NFS storage, NFS-enabled blob | on-premises NFS storage <br/>NFS-enabled blob storage is in preview for this combination |

+This article describes how to enable [Azure Peering Service](/articles/peering-service/about.md) on a Direct peering by using the Azure portal.

+For frequently asked questions, see the [Peering Service FAQ](service-faqs.yml).

+This article describes how to enable [Azure Peering Service](/articles/peering-service/about.md) on a Direct peering by using PowerShell cmdlets and the Azure Resource Manager deployment model.

+Using X.509 certificates as an attestation mechanism is the recommended way to scale production and simplify device provisioning. Typically, X.509 certificates are arranged in a certificate chain of trust. Starting with a self-signed or trusted root certificate, each certificate in the chain signs the next lower certificate. This pattern creates a delegated chain of trust from the root certificate down through each intermediate certificate to the final "leaf" certificate installed on a device.

+You create two X.509 identity certificates and place them on the device. When you create a new device identity in IoT Hub, you provide thumbprints from both certificates. When the device authenticates to IoT Hub, it presents one certificate and IoT Hub verifies that the certificate matches its thumbprint. The X.509 keys on the device should be stored in a Hardware Security Module (HSM). For example, PKCS#11 modules, ATECC, dTPM, etc.

+This authentication method is more secure than symmetric keys and supports group enrollments which provides a simplified management experience for a high number of devices. This authentication method is recommended for production scenarios.

+Using TPM attestation is a method for device provisioning that uses authentication features in both software and hardware. Each TPM chip uses a unique endorsement key to verify its authenticity.

+### Symmetric keys attestation

+Symmetric key attestation is a simple approach to authenticating a device. This attestation method represents a "Hello world" experience for developers who are new to device provisioning, or don't have strict security requirements.

+When you create a new device identity in IoT Hub, the service creates two keys. You place one of the keys on the device, and it presents the key to IoT Hub when authenticating.

+This authentication method is faster to get started but not as secure. Device provisioning using a TPM or X.509 certificates is more secure and should be used for solutions with more stringent security requirements.

+If you are a device manufacturer then refer to guidance on [integrating a TPM into the manufacturing process](../iot-dps/concepts-device-oem-security-practices.md#integrating-a-tpm-into-the-manufacturing-process).

+<!-- 1.1 -->

+<!-- end 1.1 -->

+<!-- iotedge-1.4 -->

+> [!NOTE]

+> This article previously used the `tpm_device_provision` tool from the IoT C SDK to generate provisioning info. If you relied on that tool previously, then be aware the steps below generate a different registration ID for the same public endorsement key. If you need to recreate the registration ID as before then refer to how the C SDK's [tpm_device_provision tool](https://github.com/Azure/azure-iot-sdk-c/tree/main/provisioning_client/tools/tpm_device_provision) generates it. Be sure the registration ID for the individual enrollment in DPS matches the regisration ID the IoT Edge device is configured to use.

+In this section, you use the TPM2 software tools to retrieve the endorsement key for your TPM and then generate a unique registration ID. This section corresponds with [Step 3: Device has firmware and software installed](../iot-dps/concepts-device-oem-security-practices.md#step-3-device-has-firmware-and-software-installed) in the process for [integrating a TPM into the manufacturing process](../iot-dps/concepts-device-oem-security-practices.md#integrating-a-tpm-into-the-manufacturing-process).

+### Install the TPM2 Tools

+Sign in to your device, and install the `tpm2-tools` package.

+# [Ubuntu / Debian / Raspberry Pi OS](#tab/ubuntu+debian+rpios)

+ ```bash

+ sudo apt-get install tpm2-tools

+ ```

+# [Red Hat Enterprise Linux](#tab/rhel)

+ ```bash

+ sudo yum install tpm2-tools

+ ```

+Run the following script to read the endorsement key, creating one if it does not already exist.

+ ```bash

+ #!/bin/sh

+ if [ "$USER" != "root" ]; then

+ SUDO="sudo "

+ fi

+ $SUDO tpm2_readpublic -Q -c 0x81010001 -o ek.pub 2>

+ if [ $? -gt 0 ]; then

+ # Create the endorsement key (EK)

+ $SUDO tpm2_createek -c 0x81010001 -G rsa -u ek.pub

+ # Create the storage root key (SRK)

+ $SUDO tpm2_createprimary -Q -C o -c srk.ctx >

+ # make the SRK persistent

+ $SUDO tpm2_evictcontrol -c srk.ctx 0x81000001 >

+ # open transient handle space for the TPM

+ $SUDO tpm2_flushcontext -t >

+ fi

+ printf "Gathering the registration information...\n\nRegistration Id:\n%s\n\nEndorsement Key:\n%s\n" $(sha256sum -b ek.pub | cut -d' ' -f1 | sed -e 's/[^[:alnum:]]//g') $(base64 -w0 ek.pub)

+ $SUDO rm ek.pub srk.ctx 2>

+ ```

+The output window displays the device's **Endorsement key** and a unique **Registration ID**. Copy these values for use later when you create an individual enrollment for your device in the device provisioning service.

+<!-- end iotedge-1.4 -->

+> [!TIP]

+> If you don't want to use the TPM2 software tools to retrieve the information, you need to find another way to obtain the provisioning information. The endorsement key, which is unique to each TPM chip, is obtained from the TPM chip manufacturer associated with it. You can derive a unique registration ID for your TPM device. For example, as shown above you can create an SHA-256 hash of the endorsement key.

+> [!TIP]

+> If your device has a Hardware Security Module (HSM) such as a TPM 2.0, then we recommend storing the X.509 keys securely in the HSM. Learn more about how to implement the zero-touch provisioning at scale described in [this blueprint](https://azure.microsoft.com/blog/the-blueprint-to-securely-solve-the-elusive-zerotouch-provisioning-of-iot-devices-at-scale) with the [iotedge-tpm2cloud](https://aka.ms/iotedge-tpm2cloud) sample.

+Objects in Key Vault can be retrived by specifying a version or by omitting version to get latest version of the object. Performing operations on objects requires providing version to use specific version of the object.

+Schools typically approach content filtering by installing third-party software that performs content filtering on each computer. Azure Lab Services does not support network-level filtering.

+- [Manage costs for labs](cost-management-guide.md)

+>[!Important]

+>On September 30, 2025, Basic Load Balancer will be retired. For more information, see the [official announcement(https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/)]. If you are currently using Basic Load Balancer, make sure to upgrade to Standard Load Balancer prior to the retirement date. This article will help guide you through the upgrade process.

+>[!Important]

+>On September 30, 2025, Basic Load Balancer will be retired. For more information, see the [official announcement(https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/)]. If you are currently using Basic Load Balancer, make sure to upgrade to Standard Load Balancer prior to the retirement date. See [Upgrading from Basic Load Balancer - Guidance](load-balancer-basic-upgrade-guidance.md) for upgrade guidance.

+>[!Important]

+>On September 30, 2025, Basic Load Balancer will be retired. For more information, see the [official announcement(https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/)]. If you are currently using Basic Load Balancer, make sure to upgrade to Standard Load Balancer prior to the retirement date. See [Upgrading from Basic Load Balancer - Guidance](load-balancer-basic-upgrade-guidance.md) for upgrade guidance.

+>[!Important]

+>On September 30, 2025, Basic Load Balancer will be retired. For more information, see the [official announcement(https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/)]. If you are currently using Basic Load Balancer, make sure to upgrade to Standard Load Balancer prior to the retirement date. See [Upgrading from Basic Load Balancer - Guidance](load-balancer-basic-upgrade-guidance.md) for upgrade guidance.

+>[!Important]

+>On September 30, 2025, Basic Load Balancer will be retired. For more information, see the [official announcement(https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/)]. If you are currently using Basic Load Balancer, make sure to upgrade to Standard Load Balancer prior to the retirement date. See [Upgrading from Basic Load Balancer - Guidance](load-balancer-basic-upgrade-guidance.md) for upgrade guidance.

+>[!Important]

+>On September 30, 2025, Basic Load Balancer will be retired. For more information, see the [official announcement(https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/)]. If you are currently using Basic Load Balancer, make sure to upgrade to Standard Load Balancer prior to the retirement date. See [Upgrading from Basic Load Balancer - Guidance](load-balancer-basic-upgrade-guidance.md) for upgrade guidance.

+ >

+ > The Azure gateway resource, which you create later, and your logic app resource must use the same Azure subscription, although these resources can exist in different resource groups.

+ * Your logic app resource and the Azure gateway resource, which you create after you install the gateway, must use the same Azure subscription. However, these resources can exist in different Azure resource groups.

+| **No-code deployment** | Supported ([MLflow](how-to-deploy-mlflow-models-online-endpoints.md) and [Triton](how-to-deploy-with-triton.md) models) | Supported ([MLflow](how-to-deploy-mlflow-models-online-endpoints.md) and [Triton](how-to-deploy-with-triton.md) models) |

+| Supported DSVM editions | Windows 2019, Linux (SQL Server 2019) |

+For more detailed info about creating Azure Data Lake Storage service credentials, see [Authentication with Azure Data Lake Storage Gen1](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). After the credentials for Blob storage or Azure Data Lake Storage are entered in the core-site.xml file, you can reference the data stored in those sources through the URI prefix of wasb:// or adl://.

+| Supported DSVM editions | Windows Server 2019<br>Linux |

+| Supported DSVM editions | Linux |

+| Supported DSVM editions | Windows Server 2019<br>Linux |

+| Version(s) supported | 1.9.0 (Linux, Windows 2019) |

+| Supported DSVM editions | Windows Server 2019<br>Linux |

+| Supported DSVM editions | Windows Server 2019<br>Linux |

+| Supported DSVM versions | Windows 2019, Linux |

+| Supported DSVM editions | Windows Server 2019, Linux |

+| Tool | Windows 2019 Server DSVM | Linux DSVM | Usage notes |

+This quickstart will show you how to create an Ubuntu Data Science Virtual Machine using Bicep. Data Science Virtual Machines are cloud-based virtual machines preloaded with a suite of data science and machine learning frameworks and tools. When deployed on GPU-powered compute resources, all tools and libraries are configured to use the GPU.

+* [Microsoft.Compute/virtualMachines](/azure/templates/microsoft.compute/virtualmachines): Create a cloud-based virtual machine. In this template, the virtual machine is configured as a Data Science Virtual Machine running Ubuntu.

+This quickstart will show you how to create an Ubuntu Data Science Virtual Machine using an Azure Resource Manager template (ARM template). Data Science Virtual Machines are cloud-based virtual machines preloaded with a suite of data science and machine learning frameworks and tools. When deployed on GPU-powered compute resources, all tools and libraries are configured to use the GPU.

+* [Microsoft.Compute/virtualMachines](/azure/templates/microsoft.compute/virtualmachines): Create a cloud-based virtual machine. In this template, the virtual machine is configured as a Data Science Virtual Machine running Ubuntu.

+> [!IMPORTANT]

+> Items marked (preview) in this article are currently in public preview.

+> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+Get up and running with the Ubuntu 20.04 Data Science Virtual Machine and Azure DSVM for PyTorch (preview).

+To create an Ubuntu 20.04 Data Science Virtual Machine or an Azure DSVM for PyTorch, you must have an Azure subscription. [Try Azure for free](https://azure.com/free).

+Here are the steps to create an instance of the Ubuntu 20.04 Data Science Virtual Machine or the Azure DSVM for PyTorch:

+1. Find the virtual machine listing by typing in "data science virtual machine" and selecting "Data Science Virtual Machine- Ubuntu 20.04" or "Azure DSVM for PyTorch (preview)"

+If you configured your VM with SSH authentication, you can log on using the account credentials that you created in the **Basics** section of step 3 for the text shell interface. On Windows, you can download an SSH client tool like [PuTTY](https://www.putty.org). If you prefer a graphical desktop (X Window System), you can use X11 forwarding on PuTTY.

+> This walkthrough was created by using a D2 v2-size Linux DSVM. You can use a DSVM this size to complete the procedures that are demonstrated in this walkthrough.

+> [!IMPORTANT]

+> Items marked (preview) in this article are currently in public preview.

+> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+| Tool | Windows Server 2019 DSVM | Ubuntu 20.04 DSVM | Azure DSVM for PyTorch (preview) | Usage notes |

+| Tool | Windows Server 2019 DSVM | Ubuntu 20.04 DSVM | Azure DSVM for PyTorch (preview) | Usage notes |

+| Tool | Windows Server 2019 DSVM | Ubuntu 20.04 DSVM | Azure DSVM for PyTorch (preview) | Usage notes |

+**Ubuntu 20.04 DSVM, Azure DSVM for PyTorch (preview) and Windows Server 2019 DSVM** have the following Jupyter Kernels:-</br>

+**Ubuntu 20.04 DSVM, Azure DSVM for PyTorch (preview) and Windows Server 2019 DSVM** have the following conda environments:-</br>

+| Tool | Windows Server 2019 DSVM | Ubuntu 20.04 DSVM | Azure DSVM for PyTorch (preview) | Usage notes |

+| Tool | Windows Server 2019 DSVM | Ubuntu 20.04 DSVM | Azure DSVM for PyTorch (preview) | Usage notes |

+ Title: How to upgrade your Data Science Virtual Machine to Ubuntu 20.04

+description: Learn how to upgrade from CentOS and Ubuntu 18.04 to the latest Ubuntu 20.04 Data Science Virtual Machine.

+# Upgrade your Data Science Virtual Machine to Ubuntu 20.04

+If you have a Data Science Virtual Machine running an older release such as Ubuntu 18.04 or CentOS, you should migrate your DSVM to Ubuntu 20.04. Migrating will ensure that you get the latest operating system patches, drivers, preinstalled software, and library versions. This document tells you how to migrate from either older versions of Ubuntu or from CentOS.

+- In-place migration, also called "same server" migration. This migration upgrades the existing VM without creating a new virtual machine. In-place migration is the easier way to migrate from Ubuntu 18.04 to Ubuntu 20.04.

+- Side-by-side migration, also called "inter-server" migration. This migration transfers data from the existing virtual machine to a newly created VM. Side-by-side migration is the way to migrate from Centos to Ubuntu 20.04. You may prefer side-by-side migration for upgrading between Ubuntu versions if you feel your old install has become needlessly cluttered.

+And you should see that you're running Ubuntu 20.04.

+- [What tools are included on the Azure Data Science Virtual Machine?](./tools-included.md)

+## Known Issues

+Dealing with very low scores, or higher loss values:

+For certain datasets, regardless of the NLP task, the scores produced may be very low, sometimes even zero. This would be accompanied by higher loss values implying that the neural network failed to converge. This can happen more frequently on certain GPU SKUs.

+While such cases are uncommon, they're possible and the best way to handle it is to leverage hyperparameter tuning and provide a wider range of values, especially for hyperparameters like learning rates. Until our hyperparameter tuning capability is available in production we recommend users, who face such issues, to leverage the NC6 or ND6 compute clusters, where we've found training outcomes to be fairly stable.

+* Lower your compute cluster cost with low priority VMs

+ ## Lower your compute cluster cost with low priority VMs

+Using Azure Low Priority Virtual Machines allows you to take advantage of Azure's unused capacity at a significant cost savings. At any point in time when Azure needs the capacity back, the Azure infrastructure will evict Azure Low Priority Virtual Machines. Therefore, Azure Low Priority Virtual Machines are great for workloads that can handle interruptions. The amount of available capacity can vary based on size, region, time of day, and more. When deploying Azure Low Priority Virtual Machines, Azure will allocate the VMs if there's capacity available, but there's no SLA for these VMs. An Azure Low Priority Virtual Machine offers no high availability guarantees. At any point in time when Azure needs the capacity back, the Azure infrastructure will evict Azure Low Priority Virtual Machines

+Triton is multi-framework, open-source software that is optimized for inference. It supports popular machine learning frameworks like TensorFlow, ONNX Runtime, PyTorch, NVIDIA TensorRT, and more. It can be used for your CPU or GPU workloads. No-code deployment for Triton models is supported in both [managed online endpoints and Kubernetes online endpoints](concept-endpoints.md#managed-online-endpoints-vs-kubernetes-online-endpoints).

+The information in this article is based on the [online-endpoints-triton.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/online/triton/single-model/online-endpoints-triton.ipynb) notebook contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste files, clone the repo, and then change directories to the `sdk/endpoints/online/triton/single-model/` directory in the repo:

+cd azureml-examples/sdk/python/endpoints/online/triton/single-model/

+* An Azure Machine Learning workspace. If you don't have one, use the steps in [Manage Azure Machine Learning workspaces in the portal, or with the Python SDK](how-to-manage-workspace.md) to create one.

+Azure Machine Learning studio provides the ability to test endpoints with JSON. However, serialized JSON is not currently included for this example.

+To test an endpoint using Azure Machine Learning studio, click `Test` from the Endpoint page.

+The example code in this article train a TensorFlow model to classify handwritten digits, using a deep neural network (DNN); register the model; and deploy it to an online endpoint.

+- Run the code in this article using either an Azure Machine Learning compute instance or your own Jupyter notebook.

+If you prefer to use a browser to sign in and authenticate, you should uncomment the following code and use it instead.

+1. Look for your workspace name in the upper-right corner of the Azure Machine Learning studio toolbar.

+In the following example script, we provision a Linux [`compute cluster`](/azure/machine-learning/how-to-create-attach-compute-cluster?tabs=python). You can see the [`Azure Machine Learning pricing`](https://azure.microsoft.com/pricing/details/machine-learning/) page for the full list of VM sizes and prices. Since we need a GPU cluster for this example, let's pick a *STANDARD_NC6* model and create an AzureML compute.

+- An input layer with 28 * 28 = 784 neurons. Each neuron represents an image pixel.

+- Two hidden layers. The first hidden layer has 300 neurons and the second hidden layer has 100 neurons.

+- The inputs for this command include the data location, batch size, number of neurons in the first and second layer, and learning rate. Notice that we've passed in the web path directly as an input.

+It's now time to submit the job to run in AzureML. This time, you'll use `create_or_update` on `ml_client.jobs`.

+- **Scaling**: The cluster attempts to scale up if it requires more nodes to execute the run than are currently available.

+As a first step to deploying your model, you need to create your online endpoint. The endpoint name must be unique in the entire Azure region. For this article, you'll create a unique name using a universally unique identifier (UUID).

+After you've created the endpoint, you can deploy the model with the entry script. An endpoint can have multiple deployments. Using rules, the endpoint can then direct traffic to these deployments.

+- deploys the best version of the model that you registered earlier;

+- scores the model, using the `core.py` file; and

+- uses the same curated environment (that you declared earlier) to perform inferencing.

+ Title: Upgrade steps for Azure Container Instances web services to managed online endpoints

+Azure Machine Learning supports accessing data from Azure Blob storage, Azure Files, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure SQL Database, and Azure Database for PostgreSQL. If you're using unsupported storage, we recommend that you move your data to supported Azure storage solutions by using [Azure Data Factory and these steps](../../data-factory/quickstart-hello-world-copy-data-tool.md). Moving data to supported storage can help you save data egress costs during machine learning experiments.

+> [!IMPORTANT]

+> If you plan to publish a Kubernetes application-based offer, ensure your offer is categorized correctly and discoverable by customers by adding the term `KubernetesApps` to your description.

+[Cluster extensions][cluster-extensions] enable an Azure Resource Manager driven experience for your application. The following limitations apply when setting the cluster extension type name value:

+- If you're not setting up either of these or you've finished, it's time to [Review and publish your offer](review-publish-offer.md).

+<!-- LINKS -->

+[cluster-extensions]: ../aks/cluster-extensions.md

+- Working knowledge of [Azure Resource Manager (ARM) templates][arm-template-overview]

+> [!NOTE]

+> If your account doesn't have permission to create a service principal, `az ad sp create` will return an error message containing "Insufficient privileges to complete the operation". Contact your Azure Active Directory admin to create a service principal.

+Next, create a role assignment to grant the service principal the ability to pull from your registry using the values you obtained earlier:

+> [!NOTE]

+> If your account doesn't have permission to create a service principal, `New-AzADServicePrincipal` will return an error message containing "Insufficient privileges to complete the operation". Contact your Azure Active Directory admin to create a service principal.

+ :::image type="content" source="./media/azure-container/image-references.png" alt-text="A screenshot of a properly formatted deployment.yaml file is shown. The parameterized image references are shown, resembling the content in the sample deployment.yaml file linked in this article.":::

+

+ :::image type="content" source="./media/azure-container/billing-identifier.png" alt-text="A screenshot of a properly formatted values.yaml file is shown. The images are using digests. The content resembles the sample values.yaml file linked in this article.":::

+ :::image type="content" source="./media/azure-container/billing-identifier-label.png" alt-text="A screenshot of a properly formatted billing identifier label in a deployment.yaml file. The content resembles the sample depoyment.yaml file linked in this article":::

+ :::image type="content" source="./media/azure-container/resources.png" alt-text="A screenshot of CPU resource requests in a deployment.yaml file. The content resembles the sample depoyment.yaml file linked in this article.":::

+ :::image type="content" source="./media/azure-container/billing-identifier-value.png" alt-text="A screenshot of a properly formatted values.yaml file, showing the global > azure > billingIdentifier field.":::

+[azure-voting-app]: https://github.com/Azure-Samples/kubernetes-offer-samples/tree/main/samples/k8s-offer-azure-vote/azure-vote

+Use this method if you're new to Partner Center and are not enrolled in the Microsoft Cloud Partner Program. Complete the steps in this section to create a new Partner Center account and publisher profile.

+As part of the commercial marketplace registration process, you need to agree to the terms and conditions in the [Microsoft Publisher Agreement](/legal/marketplace/msft-publisher-agreement). If youΓÇÖre new to Microsoft Cloud Partner Program, you also need to agree to the terms and conditions in the Microsoft Cloud Partner Program Agreement.

+*What if I'm already enrolled in the Microsoft Cloud Partner Program?*

+ > You must have an **account admin** or a **global admin** role to sign in to Microsoft Cloud Partner Program.

+1. Have a valid [Microsoft Cloud Partner Program account](/partner-center/mpn-create-a-partner-center-account).

+1. Have a valid [Microsoft Cloud Partner Program account](/partner-center/mpn-create-a-partner-center-account).

+- If you're new to Partner Center, and have never enrolled in the Microsoft Cloud Partner Program, see [Create an account using the Partner Center enrollment page](/azure/marketplace/partner-center-portal/create-account#create-an-account-using-the-partner-center-enrollment-page).

+- If you're already enrolled in the Microsoft Cloud Partner Program, [create an account directly from Partner Center using existing Microsoft Partner Center enrollments](#create-an-account-using-an-existing-partner-center-enrollment).

+The Microsoft commercial marketplace is a catalog of solutions from our independent software vendor (ISV) partners. As an ISV member of the Microsoft Cloud Partner Program, you can create, publish, and manage your commercial marketplace offers in Partner Center. Your solutions are listed together with our Microsoft solutions, connecting you to businesses, organizations, and government agencies around the world.

+> For some primary products, you must have a Gold or Silver Microsoft competency in your solution area. For more information, see [Microsoft Cloud Partner Program Competencies](https://partner.microsoft.com/membership/competencies).

+To publish a Managed Service offer, you must have earned a Gold or Silver Microsoft Competency in Cloud Platform. This competency demonstrates your expertise to customers. For more information, see [Microsoft Cloud Partner Program Competencies](https://partner.microsoft.com/membership/competencies).

+For more information about managing roles and permissions in other areas of Partner Center, such as Azure Active Directory (AD), Cloud Solution Provider (CSP), Control Panel Vendor (CPV), Guest users, or Microsoft Cloud Partner Program, see [Assign users roles and permissions in Partner Center](/partner-center/permissions-overview).

+ Title: 'Tutorial: Delete network functions on Azure Stack Edge'

+description: In this tutorial, learn how to delete a network function as a managed application.

+# Tutorial: Delete network functions on Azure Stack Edge

+In this tutorial, you learn how to delete Azure Network Function Manager - Network Function and Azure Network Function Manager - Device using the Azure portal.

+## Delete network function

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to the **Azure Network Manager - Devices** resource in which you have deployed a network function and select **Network Function**.

+ 

+1. Select **Delete** Network Function.

+ 

+ > [!NOTE]

+ > Incase you encounter following error while deleting the network function.

+ > *Failed to delete resource. Error: The client 'user@mail.com' with object id 'xxxx-9999-xxxx-9999-xxxx' has permission to perform action 'Microsoft.HybridNetwork/networkFunctions/delete' on scope 'mrg-ResourceGroup/providers/Microsoft.HybridNetwork/networkFunctions/NetworkFunction01'; however, the access is denied because of the deny assignment with name 'System deny assignment created by managed application /subscriptions/xxxx-0000-xxxx-0000-xxxx/resourceGroups/ResourceGroup/providers/Microsoft.Solutions/applications/managedApplication01' and Id 'xxxxxxxxxxxxxxxxxxxxxx' at scope '/subscriptions/xxxx-0000-xxxx-0000-xxxx/resourceGroups/mrg-ResourceGroup and refer **Step 4**.*

+ > 

+

+1. Navigate to search box within the **Azure portal** and search for the **Managed Application** which was seen as an exception in **Step 3**.

+ 

+1. Select **Delete** Managed Application

+ 

+## Delete network function manager - device

+ > [!IMPORTANT]

+ > Ensure that all the Network Function deployed within the Azure Network Function Manager is deleted before proceeding to the next step.

+ >

+1. Navigate to the **Azure Network Manager - Devices** resource in which you have deleted a network function and select **Delete** Azure Network Function Manager - Device

+ 

+### Does Network Function Manager support move of resources?

+Network Function Manager supports moving resources across resource groups and subscriptions in the same region. Moving network function resources cross-region is not supported due to dependencies on other regional resources.

+az network watcher packet-capture create --resource-group {resourceGroupName} --vm {vmName} --name packetCaptureName --storage-account {storageAccountName} --filters "[{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"20\"},{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"80\"},{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"443\"},{\"protocol\":\"UDP\"}]"

+ "remoteIpAddress": "1.1.1.1-255.255.255.255",

+ "remoteIpAddress": "1.1.1.1-255.255.255.255",

+ "remoteIpAddress": "1.1.1.1-255.255.255.255",

+ Title: Azure Notification Hubs cross-region disaster recovery

+description: Learn about cross-region disaster recovery options in Azure Notification Hubs.

+# Cross-region disaster recovery (preview)

+> [!NOTE]

+> The ability to edit your cross region disaster recovery options is available in preview. If you are interested in using this feature, contact your customer success manager at Microsoft, or create an Azure support ticket which will be triaged by the support team.

+[Azure Notification Hubs](notification-hubs-push-notification-overview.md) provides an easy-to-use and scaled-out push engine that enables you to send notifications to any platform (iOS, Android, Windows, etc.) from any back-end (cloud or on-premises). This article describes the cross-region disaster recovery configuration options currently available.

+Cross-region disaster recovery provides *metadata* disaster recovery coverage. This is supported in paired and flexible region recovery

+options. Each Azure region is paired with another region within the same geography. All Notification Hubs tiers support [Azure paired regions](/azure/availability-zones/cross-region-replication-azure#azure-cross-region-replication-pairings-for-all-geographies)

+(where available) or a flexible recovery region option that enables you to choose from a list of supported regions.

+## Enable cross region disaster recovery

+Cross-region disaster recovery options can be modified at any time.

+### Use existing namespace

+Use the Azure portal to edit an existing namespace:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **All services** on the left menu.

+3. Select **Notification Hub Namespaces** in the **Internet of Things** section.

+4. On the **Notification Hub Namespaces** page, select the namespace for which you want to modify the disaster recovery settings.

+5. On the **Notification Hub Namespace** page for your namespace, you can see the current disaster recovery setting in the **Essentials** section.

+6. In the following example, paired recovery region is enabled. To modify your disaster recovery region selection, select the **(edit)** link next to the current selection.

+ :::image type="content" source="media/cross-region-recovery/cedr1.png" alt-text="Azure portal namespace":::

+7. On the **Edit Disaster** recovery pop-up screen, you can change your selections. Save your changes.

+ :::image type="content" source="media/cross-region-recovery/cedr2.png" alt-text="Azure portal edit recovery":::

+### Use new namespace

+To create a new namespace with disaster recovery, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **All services** on the left menu.

+3. Select **Notification Hubs** in the **Mobile** section.

+4. Select the star icon next to the service name to add the service to the **FAVORITES** section on the left menu. After you add **Notification Hubs** to **FAVORITES**, select it on the left menu.

+ :::image type="content" source="media/cross-region-recovery/cedr3.png" alt-text="Azure portal favorites":::

+5. On the **Notification Hubs** page, select **Create** on the toolbar.

+ :::image type="content" source="media/cross-region-recovery/cedr4.png" alt-text="Create notification hub":::

+6. In the **Basics** tab on the **Notification Hub** page, perform the following steps:

+ 1. In **Subscription**, select the name of the Azure subscription you want to use, and then select an existing resource group, or create a

+ new one.

+ 1. Enter a unique name for the new namespace in **Namespace Details**.

+ 1. A namespace contains one or more notification hubs, so type a name for the hub in **Notification Hub Details**. Or, select an existing

+ namespace from the drop-down.

+ 1. Select a value from the **Location** drop-down list box. This value specifies the location in which you want to create the hub.

+ 1. Choose your **Disaster recovery** option ΓÇô None, Paired recovery region or Flexible recovery region. If you choose **Paired recovery region**, the failover region is displayed.

+ :::image type="content" source="media/cross-region-recovery/cedr5.png" alt-text="Notification hub properties":::

+ 1. If you select **Flexible recovery region**, use the drop-down to choose from a list of recovery regions.

+ :::image type="content" source="media/cross-region-recovery/cedr6.png" alt-text="Select region":::

+ 1. Select **Create**.

+### Add resiliency

+Paired and flexible region recovery only backs up metadata. You must implement a solution to repopulate the registration data into your new

+hub post-recovery:

+1. Create a secondary notification hub in a different datacenter. We recommend creating one from the beginning, to shield you from a disaster recovery event that might affect your management capabilities. You can also create one at the time of the disaster recovery event.

+2. Keep the secondary notification hub in sync with the primary notification hub using one of the following options:

+ - Use an app backend that simultaneously creates and updates installations in both notification hubs. Installations allow you to specify your own unique device identifier, making it more suitable for the replication scenario. For more information, [see this sample](https://github.com/Azure/azure-notificationhubs-dotnet/tree/main/Samples/RedundantHubSample).

+ - Use an app backend that gets a regular dump of registrations from the primary notification hub as a backup. It can then perform a bulk insert into the secondary notification hub.

+The secondary notification hub might end up with expired installations/registrations. When the push is made to an expired handle, Notification Hubs automatically cleans the associated installation/registration record based on the response received from the PNS server. To clean expired records from a secondary notification hub, add custom logic that processes feedback from each send. Then, expire installation/registration in the secondary notification hub.

+If you don't have a backend, when the app starts on target devices, they perform a new registration in the secondary notification hub. Eventually the secondary notification hub will have all the active devices registered.

+There will be a time period when devices with unopened apps won't receive notifications.

+## Next steps

+- [Azure Notification Hubs](notification-hubs-push-notification-overview.md)

+ Title: Workflow HTTP connector

+description: This article describes how to use HTTP connector in Purview workflows

+# Workflows HTTP connector

+You can use [workflows](concept-workflow.md) to automate some business processes through Microsoft Purview. HTTP connector allows Purview workflows to integrate with external applications. HTTP connectors use Representational State Transfer (REST) architecture, which allows Microsoft Purview workflows to interact directly with third party applications by using web requests.

+HTTP connector is available in all workflow templates.

+>[!NOTE]

+> To create or edit a workflow, you need the [workflow admin role](catalog-permissions.md) in Microsoft Purview. You can also contact the workflow admin in your collection, or reach out to your collection administrator, for permissions.

+1. To add a HTTP connector, click on the **+** icon in the template where you want to add and select HTTP connector.

+ :::image type="content" source="./media/how-to-use-workflow-http-connector/add-http-connector.png" alt-text="Screenshot of how to add HTTP connector.":::

+1. Once you select HTTP connector, you will see the following parameters:

+ 1. Host - Request URL you want to call when this connector is executed.

+ 1. Method - Select one of the following methods. GET, PUT, PATCH, POST and DELETE. These correspond to create, read, update and delete operations.

+ 1. Path - Optionally you can enter request URL Path. You can use dynamic content for this parameter.

+ 1. Headers - Optionally, you can enter HTTP headers. HTTP headers let the client and the server pass additional information with an HTTP request or response

+ 1. Queries - Optionally, you can pass queries.

+ 1. Body - Optionally, you can pass HTTP body while invoking the URL

+ 1. Authentication - HTTP connector is integrated with Purview credentials. Depending on the URL you may invoke the endpoint with None (no authentication) or you can use credentials to create a basic authentication. To learn more about credentials see the [Microsoft Purview credentials article](manage-credentials.md).

+ :::image type="content" source="./media/how-to-use-workflow-http-connector/add-http-properties.png" alt-text="Screenshot of how to add HTTP connector properties.":::

+1. By default, secure settings are turned on for HTTP connectors. To turn OFF secure inputs and outputs select the ellipsis icon (**...**) to go to settings.

+ :::image type="content" source="./media/how-to-use-workflow-http-connector/add-http-settings.png" alt-text="Screenshot of how to add HTTP connector settings.":::

+1. You will be now presented with the settings for HTTP connector and you can turn secure inputs and outputs OFF.

+ :::image type="content" source="./media/how-to-use-workflow-http-connector/add-http-secure.png" alt-text="Screenshot of how to add HTTP connector secure input and outputs.":::

+## Next steps

+For more information about workflows, see these articles:

+- [Workflows in Microsoft Purview](concept-workflow.md)

+- [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)

+- [Manage workflow requests and approvals](how-to-workflow-manage-requests-approvals.md)

+> A managed event hub is created automatically when your *Microsoft Purview* account is created. See, [Microsoft Purview account creation](create-catalog-portal.md). You can publish messages to Event Hubs Kafka topic, ATLAS_HOOK. Microsoft Purview will receive it, process it and notify Kafka topic ATLAS_ENTITIES of entity changes. This quickstart uses the new **Azure.Messaging.EventHubs** library.

+## Publish messages to Microsoft Purview

+Let's create a .NET Core console application that sends events to Microsoft Purview via Event Hubs Kafka topic, **ATLAS_HOOK**.

+ You can get the Event Hubs namespace associated with the Microsoft Purview account by looking at the Atlas kafka endpoint primary/secondary connection strings. These can be found in **Properties** tab of your account.

+ The event hub name for sending messages to Microsoft Purview is **ATLAS_HOOK**.

+3. Replace the `Main` method with the following `async Main` method and add an `async ProduceMessage` to push messages into Microsoft Purview. See the comments in the code for details.

+## Receive Microsoft Purview messages

+Next learn how to write a .NET Core console application that receives messages from event hubs using an event processor. The event processor manages persistent checkpoints and parallel receptions from event hubs. This simplifies the process of receiving events. You need to use the ATLAS_ENTITIES event hub to receive messages from Microsoft Purview.

+ You can get event hub namespace associated with your Microsoft Purview account by looking at your Atlas kafka endpoint primary/secondary connection strings. This can be found in the **Properties** tab of your Microsoft Purview account.

+ Use **ATLAS_ENTITIES** as the event hub name when sending messages to Microsoft Purview.

+### An example of a Message received from Microsoft Purview

+## Data Estate Insights

+An area of the Microsoft Purview governance portal that provides up-to-date reports and actionable insights about the data estate.

+A role that provides read-only access to Data Estate Insights reports. Insight readers must have at least data reader role access to a collection to view reports about that specific collection.

+## Physical asset

+An asset that represents a physical data object. Physical assets are different from business assets because they represent real data. For example, a database is a physical asset.

+### Access policy pre-requisites on Azure Storage accounts

+### Configure the Microsoft Purview account for policies

+### Register the data source in Microsoft Purview for Data Use Management

+The Azure Storage resource needs to be registered first with Microsoft Purview before you can create access policies.

+To register your resource, follow the **Prerequisites** and **Register** sections of this guide:

+- [Register and scan Azure Data Lake Storage (ADLS) Gen2 - Microsoft Purview](register-scan-adls-gen2.md#prerequisites)

+After you've registered the data source, you'll need to enable Data Use Management. This is a pre-requisite before you can create policies on the data source. Data Use Management can impact the security of your data, as it delegates to certain Microsoft Purview roles managing access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md)

+Once your data source has the **Data Use Management** option set to **Enabled**, it will look like this screenshot:

+

+### Create a policy

+To create an access policy for Azure Data Lake Storage Gen2, follow these guides:

+* [Data owner policy on a single storage account](./how-to-policies-data-owner-storage.md#create-and-publish-a-data-owner-policy) - This guide will allow you to provision access on a single Azure Storage account in your subscription.

+* [Data owner policy covering all sources in a subscription or resource group](./how-to-policies-data-owner-resource-group.md) - This guide will allow you to provision access on all enabled data sources in a resource group, or across an Azure subscription. The pre-requisite is that the subscription or resource group is registered with the Data use management option enabled.

+## Next steps

+Follow the below guides to learn more about Microsoft Purview and your data.

+- [Data owner policies in Microsoft Purview](concept-policies-data-owner.md)

+### Access policy pre-requisites on Azure Storage accounts

+### Configure the Microsoft Purview account for policies

+### Register the data source in Microsoft Purview for Data Use Management

+The Azure Storage resource needs to be registered first with Microsoft Purview before you can create access policies.

+To register your resource, follow the **Prerequisites** and **Register** sections of this guide:

+- [Register and scan Azure Storage Blob - Microsoft Purview](register-scan-azure-blob-storage-source.md#prerequisites)

+After you've registered the data source, you'll need to enable Data Use Management. This is a pre-requisite before you can create policies on the data source. Data Use Management can impact the security of your data, as it delegates to certain Microsoft Purview roles managing access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md)

+Once your data source has the **Data Use Management** option set to **Enabled**, it will look like this screenshot:

+

+### Create a policy

+To create an access policy for Azure Blob Storage, follow these guides:

+* [Data owner policy on a single storage account](./how-to-policies-data-owner-storage.md#create-and-publish-a-data-owner-policy) - This guide will allow you to provision access on a single Azure Storage account in your subscription.

+* [Data owner policy covering all sources in a subscription or resource group](./how-to-policies-data-owner-resource-group.md) - This guide will allow you to provision access on all enabled data sources in a resource group, or across an Azure subscription. The pre-requisite is that the subscription or resource group is registered with the Data use management option enabled.

+## Next steps

+Follow the below guides to learn more about Microsoft Purview and your data.

+- [Data owner policies in Microsoft Purview](concept-policies-data-owner.md)

+- [Data Estate Insights in Microsoft Purview](concept-insights.md)

+- [Data Sharing in Microsoft Purview](concept-data-share.md)

+- [Lineage in Microsoft Purview](catalog-lineage-user-guide.md)

+- [Search Data Catalog](how-to-search-catalog.md)

+### Access policy pre-requisites on Azure SQL Database

+### Configure the Microsoft Purview account for policies

+### Register the data source and enable Data use management

+The Azure SQL Database resource needs to be registered first with Microsoft Purview before you can create access policies.

+To register your resources, follow the **Prerequisites** and **Register** sections of this guide:

+[Register Azure SQL Database](./register-scan-azure-sql-database.md#prerequisites)

+After you've registered the data source, you'll need to enable Data Use Management. This is a pre-requisite before you can create policies on the data source. Data Use Management can impact the security of your data, as it delegates to certain Microsoft Purview roles managing access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md)

+Once your data source has the **Data Use Management** option *Enabled*, it will look like this screenshot.

+

+### Create a policy

+* [Data owner policy on a single Azure SQL Database account](./how-to-policies-data-owner-azure-sql-db.md#create-and-publish-a-data-owner-policy) - This guide will allow you to provision access on a single Azure SQL Database account in your subscription.

+* [Data owner policy covering all sources in a subscription or resource group](./how-to-policies-data-owner-resource-group.md) - This guide will allow you to provision access on all enabled data sources in a resource group, or across an Azure subscription. The pre-requisite is that the subscription or resource group is registered with the Data use management option enabled.

+Follow the below guides to learn more about Microsoft Purview and your data.

+- [Data owner policies in Microsoft Purview](concept-policies-data-owner.md)

+description: Learn how to create and manage search objects in a .NET application using C# and the Azure.Search.Documents (v11) client library.

+The client library doesn't provide [service management operations](/rest/api/searchmanagement/), such as creating and scaling search services and managing API keys. If you need to manage your search resources from a .NET application, use the [Microsoft.Azure.Management.Search](/dotnet/api/overview/azure/search/management) library in the Azure SDK for .NET.

+If you have been using the previous version of the .NET SDK and you'd like to upgrade to the current generally available version, see [Upgrade to Azure Cognitive Search .NET SDK version 11](search-dotnet-sdk-migration-version-11.md).

+Azure SDK for .NET conforms to [.NET Standard 2.0](/dotnet/standard/net-standard#net-implementation-support).

+In the early stages of development, you might want to include a [`DeleteIndex`](/dotnet/api/azure.search.documents.indexes.searchindexclient.deleteindex) statement to delete a work-in-progress index so that you can recreate it with an updated definition. Sample code for Azure Cognitive Search often includes a deletion step so that you can rerun the sample.

+Exactly one field in your index must serve as the document key (`IsKey = true`). It must be a string, and it must uniquely identify each document. It's also required to have `IsHidden = true`, which means it can't be visible in search results.

+The `JsonIgnore` attribute on this property tells the `FieldBuilder` to not serialize it to the index as a field. This is a great way to create client-side calculated properties you can use as helpers in your application. In this case, the `SmokingAllowed` property reflects whether any `Room` in the `Rooms` collection allows smoking. If all are false, it indicates that the entire hotel doesn't allow smoking.

+The next step is query execution. Running the search is done using the `SearchClient.Search` method. For each query, pass the search text to use as a string (or `"*"` if there's no search text), plus the search options created earlier. We also specify `Hotel` as the type parameter for `SearchClient.Search`, which tells the SDK to deserialize documents in the search results into objects of type `Hotel`.

+Let's take a closer look at each of the queries in turn. Here's the code to execute the first query:

+In the third query, find the top two hotels that have been most recently renovated, and show the hotel name and last renovation date. Here's the code:

+This section concludes this introduction to the .NET SDK, but don't stop here. The next section suggests other resources for learning more about programming with Azure Cognitive Search.

+* [Azure SQL Database](https://azure.microsoft.com/services/sql-database/)

+* [Visual Studio](https://visualstudio.microsoft.com/downloads/)

+* [Create](search-create-service-portal.md) or [find an existing search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices)

+> [!NOTE]

+ :::image type="content" source="media/search-indexer-tutorial/indexer-new-sqldb.png" alt-text="Screenshot of the Create SQL Database page in Azure portal." border="true":::

+1. Select **Review + create** to deploy the new server and database. Wait for the server and database to deploy. Go to the resource.

+1. On the navigate pane, select **Getting started** and then select **Configure** to allow access.

+1. Under Public access, click **Selected networks**.

+1. Under Firewall rules, add your client IPv4 address. This is the portal client.

+1. Under Exception, select **Allow Azure services and resources to access this server**.

+1. Save your changes and then close the Networking page.

+1. On the navigation pane, select **Query editor (preview)** and enter the user name and password of server admin.

+ You'll probably get an access denied error. Copy the client IP address from the error message. Return to the firewall rules page to add a rule that allows access from your client.

+1. In Query editor, select **Open query** and navigate to the location of *hotels.sql* file on your local computer.

+1. Select the file and select **Open**. The script should look similar to the following screenshot:

+ :::image type="content" source="media/search-indexer-tutorial/sql-script.png" alt-text="Screenshot of SQL script in a Query Editor window." border="true":::

+1. Select **Run** to execute the query. In the Results pane, you should see a query succeeded message, for three rows.

+You'll need this connection string in the next exercise, setting up your environment.

+ :::image type="content" source="media/search-get-started-rest/get-url-key.png" alt-text="Screenshot of Azure portal pages showing the HTTP endpoint and access key location for a search service." border="false":::

+1. For `SearchServiceEndPoint`, if the full URL on the service overview page is "https://my-demo-service.search.windows.net", then the value to provide is the entire URL.

+ "SearchServiceEndPoint": "<placeholder-search-full-url>",

+1. Replace the user password in the SQL connection string to a valid password. While the database and user names will copy over, the password must be entered manually.

+* **hotel.cs**, containing a schema that defines the index

+* **Program.cs**, containing functions for creating and managing structures in your service

+The data source object is configured with settings that are specific to Azure SQL Database resources, including [partial or incremental indexing](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md#CaptureChangedRows) for using the built-in [change detection features](/sql/relational-databases/track-changes/about-change-tracking-sql-server) of Azure SQL. The source demo hotels database in Azure SQL has a "soft delete" column named **IsDeleted**. When this column is set to true in the database, the indexer removes the corresponding document from the Azure Cognitive Search index.

+ :::image type="content" source="media/search-indexer-tutorial/console-output.png" alt-text="Screenshot showing the console output for the program." border="true":::

+* Search service connection information that you provide is the full URL. If you entered just the service name, operations stop at index creation, with a failure to connect error.

+* Database connection information in **appsettings.json**. It should be the ADO.NET connection string obtained from the portal, modified to include a username and password that are valid for your database. The user account must have permission to retrieve data. Your local client IP address must be allowed inbound access through the firewall.

+* Resource limits. Recall that the Free tier has limits of three indexes, indexers, and data sources. A service at the maximum limit can't create new objects.

+ :::image type="content" source="media/search-indexer-tutorial/tiles-portal.png" alt-text="Screenshot of the indexer and data source tiles in the Azure portal search service page." border="true":::

+1. On the Indexes tab, select the hotels index. On the hotels page, **Search explorer** is the first tab.

+1. Select **Search** to issue an empty query.

+ :::image type="content" source="media/search-indexer-tutorial/portal-search.png" alt-text="Screenshot of a Search Explorer query for the target index." border="true":::

+1. Next, enter a search string: `search=river&$count=true`.

+1. Lastly, enter a search string that limits the JSON output to fields of interest: `search=river&$count=true&$select=hotelId, baseRate, description`.

+ Repositories content needs to be stored as [ARM templates](/azure/azure-resource-manager/templates/overview). The repositories deployment doesn't validate the content except to confirm it's in the correct JSON format.

+Smart deployments are enabled by default on newly created connections. If you prefer all source control content to be deployed every time a deployment is triggered, regardless of whether that content was modified or not, you can modify your workflow to disable smart deployments. For more information, see [Customize the workflow or pipeline](ci-cd-custom-deploy.md#customize-the-workflow-or-pipeline).

+A number of customization options are available to consider when deploying content with Microsoft Sentinel repositories.

+#### Customize the workflow or pipeline

+You may want to customize the workflow or pipeline in one of the following ways:

+- turn off smart deployments

+These customizations are defined in a .yml file specific to your workflow or pipeline. For more details on how to implement, see [Customize repository deployments](ci-cd-custom-deploy.md#customize-the-workflow-or-pipeline)

+#### Customize the deployment

+Once the workflow or pipeline is triggered, the deployment supports the following scenarios:

+- prioritize content to be deployed before the rest of the repo content

+- exclude content from deployment

+- specify ARM template parameter files

+These options are available through a feature of the PowerShell deployment script called from the workflow or pipeline. For more details on how to implement these customizations, see [Customize repository deployments](ci-cd-custom-deploy.md#customize-your-connection-configuration).

+- [Sentinel CICD sample repository](https://github.com/SentinelCICD/RepositoriesSampleContent)

+ Title: Customize repository deployments

+description: This article describes how to customize repository deployments for the repositories feature in Microsoft Sentinel.

+#Customer intent: As a SOC collaborator or MSSP analyst, I want to know how to optimize my source control repositories for continuous integration and continuous delivery (CI/CD). Specifically as an MSSP content manager, I want to know how to deploy one solution to many customer workspaces and still be able to tailor custom content for their environments.

+# Customize repository deployments (Public Preview)

+There are two primary ways to customize the deployment of your repository content to Microsoft Sentinel workspaces. Each method uses different files and syntax, so consider these examples to get you started.

+- Modify the GitHub workflow or DevOps pipeline to customize deployment options such as your connection's deployment trigger, deployment path or usage of smart deployments.

+- Utilize the newly introduced configuration file to control the prioritized order of your content deployments, choose to *exclude* specific content files from those deployments, or map parameter files to specific content files.

+> [!IMPORTANT]

+>

+> The Microsoft Sentinel **Repositories** feature is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Prerequisites and scope

+Microsoft Sentinel currently supports connections to GitHub and Azure DevOps repositories. Before connecting your Microsoft Sentinel workspace to your source control repository, make sure that you have:

+- An **Owner** role in the resource group that contains your Microsoft Sentinel workspace *or* a combination of **User Access Administrator** and **Sentinel Contributor** roles to create the connection

+- Contributor access to your GitHub or Azure DevOps repository

+- Actions enabled for GitHub and Pipelines enabled for Azure DevOps

+- Ensure custom content files you want to deploy to your workspaces are in relevant [Azure Resource Manager (ARM) templates](../azure-resource-manager/templates/index.yml).

+For more information, see [Validate your content](ci-cd-custom-content.md#validate-your-content)

+## Customize the workflow or pipeline

+The default workflow only deploys content that has been modified since the last deployment based on commits to the repository. But you may want to turn off smart deployments or perform other customizations. For example, you can configure different deployment triggers, or deploy content exclusively from a specific root folder.

+Select one of the following tabs depending on your connection type:

+# [GitHub](#tab/github)

+**To customize your GitHub deployment workflow**:

+1. In GitHub, go to your repository and find your workflow in the *.github/workflows* directory.

+ The workflow file is the YML file starting with *sentinel-deploy-xxxxx.yml*. Open that file and the workflow name is shown in the first line and has the following default naming convention: `Deploy Content to <workspace-name> [<deployment-id>]`.

+ For example: `name: Deploy Content to repositories-demo [xxxxx-dk5d-3s94-4829-9xvnc7391v83a]`

+1. Select the pencil button at the top-right of the page to open the file for editing, and then modify the deployment as follows:

+ - **To modify the deployment trigger**, update the `on` section in the code, which describes the event that triggers the workflow to run.

+ By default, this configuration is set to `on: push`, which means that the workflow is triggered at any push to the connected branch, including both modifications to existing content and additions of new content to the repository. For example:

+ ```yml

+ on:

+ push:

+ branches: [ main ]

+ paths:

+ - `**`

+ - `!.github/workflows/**` # this filter prevents other workflow changes from triggering this workflow

+ - `.github/workflows/sentinel-deploy-<deployment-id>.yml`

+ ```

+ You may want to change these settings, for example, to schedule the workflow to run periodically, or to combine different workflow events together.

+ For more information, see the [GitHub documentation](https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#configuring-workflow-events) on configuring workflow events.

+ - **To disable smart deployments**:

+ The smart deployments behavior is separate from the deployment trigger discussed above. Navigate to the `jobs` section of your workflow. Switch the `smartDeployment` default value from `true` to `false`. This will turn off the smart deployments functionality and all future deployments for this connection will redeploy all the repository's relevant content files to the connected workspace(s) once this change is committed.

+ - **To modify the deployment path**:

+ In the default configuration shown above for the `on` section, the wildcards (`**`) in the first line in the `paths` section indicate that the entire branch is in the path for the deployment triggers.

+ This default configuration means that a deployment workflow is triggered anytime that content is pushed to any part of the branch.

+ Later on in the file, the `jobs` section includes the following default configuration: `directory: '${{ github.workspace }}'`. This line indicates that the entire GitHub branch is in the path for the content deployment, without filtering for any folder paths.

+ To deploy content from a specific folder path only, add it to both the `paths` and the `directory` configuration. For example, to deploy content only from a root folder named `SentinelContent`, update your code as follows:

+ ```yml

+ paths:

+ - `SentinelContent/**`

+ - `!.github/workflows/**` # this filter prevents other workflow changes from triggering this workflow

+ - `.github/workflows/sentinel-deploy-<deployment-id>.yml`

+ ...

+ directory: '${{ github.workspace }}/SentinelContent'

+ ```

+For more information, see the [GitHub documentation](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpaths) on GitHub Actions and editing GitHub workflows.

+# [Azure DevOps](#tab/azure-devops)

+**To customize your Azure DevOps deployment pipeline**:

+1. In Azure DevOps, go to your repository and find your pipeline definition file in the *.sentinel* directory.

+ The pipeline name is shown in the first line of the pipeline file, and has the following default naming convention: `Deploy Content to <workspace-name> [<deployment-id>]`.

+ For example: `name: Deploy Content to repositories-demo [xxxxx-dk5d-3s94-4829-9xvnc7391v83a]`

+1. Select the pencil button at the top-right of the page to open the file for editing, and then modify the deployment as follows:

+ - **To modify the deployment trigger**, update the `trigger` section in the code, which describes the event that triggers the workflow to run.

+ By default, this configuration is set to detect any push to the connected branch, including both modifications to existing content and additions of new content to the repository.

+ Modify this trigger to any available Azure DevOps Triggers, such as a scheduling trigger or a pull request triggers. For more information, see the [Azure DevOps trigger documentation](/azure/devops/pipelines/yaml-schema).

+ - **To disable smart deployments**:

+ The smart deployments behavior is separate from the deployment trigger discussed above. Navigate to the `ScriptArguments` section of your pipeline. Switch the `smartDeployment` default value from `true` to `false`. This will turn off the smart deployments functionality and all future deployments for this connection will redeploy all the repository's relevant content files to the connected workspace(s) once this change is committed.

+ - **To modify the deployment path**:

+ The default configuration for the `trigger` section has the following code, which indicates that the `main` branch is in the path for the deployment triggers:

+ ```yml

+ trigger:

+ branches:

+ include:

+ - main

+ ```

+ This default configuration means that a deployment pipeline is triggered anytime that content is pushed to any part of the `main` branch.

+ To deploy content from a specific folder path only, add the folder name to the `include` section, for the trigger, and the `steps` section, for the deployment path, below as needed.

+ For example, to deploy content only from a root folder named `SentinelContent` in your `main` branch, add `include` and `workingDirectory` settings to your code as follows:

+ ```yml

+ paths:

+ exclude:

+ - .sentinel/*

+ include:

+ - .sentinel/sentinel-deploy-39d8ekc8-397-5963-49g8-5k63k5953829.yml

+ - SentinelContent

+ ....

+ steps:

+ - task: AzurePowerShell@5

+ inputs:

+ azureSubscription: `Sentinel_Deploy_ServiceConnection_0000000000000000`

+ workingDirectory: `SentinelContent`

+ ```

+For more information, see the [Azure DevOps documentation](/azure/devops/pipelines/yaml-schema) on the Azure DevOps YAML schema.

+> [!IMPORTANT]

+> In both GitHub and Azure DevOps, make sure that you keep the trigger path and deployment path directories consistent.

+>

+## Customize your connection configuration

+The deployment script for repositories supports the usage of a deployment configuration file for each repository branch as of July 2022. The configuration JSON file helps you map parameter files to relevant content files, prioritize specific content in deployments, and exclude specific content from deployments.

+1. Create the file *sentinel-deployment.config* at the root of your repository. Adding, deleting, or modifying this configuration file will cause a full deployment of all the content in the repository according to the updated configuration.

+ :::image type="content" source="media/ci-cd-custom-deploy/deployment-config.png" alt-text="Screenshot of a repository root directory. The RepositoriesSampleContent is shown with the location of the sentinel-deployment.config file." lightbox="media/ci-cd-custom-deploy/deployment-config.png":::

+1. Include JSON structured content in three optional sections, `"prioritizedcontentfiles":`, `"excludecontentfiles":`, and `"parameterfilemappings":`. If no sections are included or the .config file is omitted, the deployment process will still run. Invalid or unrecognized sections will be ignored.

+Here's an example of the entire contents of a valid *sentinel-deployment.config* file. This sample can also be found at the [Sentinel CICD repositories sample](https://github.com/SentinelCICD/RepositoriesSampleContent).

+```json

+{

+ "prioritizedcontentfiles": [

+ "parsers/Sample/ASimAuthenticationAWSCloudTrail.json",

+ "workbooks/sample/TrendMicroDeepSecurityAttackActivity_ARM.json",

+ "Playbooks/PaloAlto-PAN-OS/PaloAltoCustomConnector/azuredeploy.json"

+ ],

+ "excludecontentfiles": [

+ "Detections/Sample/PaloAlto-PortScanning.json",

+ "parameters"

+ ],

+ "parameterfilemappings": {

+ "879001c8-2181-4374-be7d-72e5dc69bd2b": {

+ "Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/azuredeploy.json": "parameters/samples/parameter-file-1.json"

+ },

+ "9af71571-7181-4cef-992e-ef3f61506b4e": {

+ "Playbooks/Enrich-SentinelIncident-GreyNoiseCommunity-IP/azuredeploy.json": "path/to/any-parameter-file.json"

+ }

+ },

+ "DummySection": "This shouldn't impact deployment"

+}

+```

+> [!NOTE]

+> Don't use the backslash "\\" character in any of the content paths. Use the forward slash "/" instead.

+>

+- **To prioritize content files**:

+

+ As the amount of content in your repository grows, deployment times may increase. Add time sensitive content to this section to prioritize its deployment when a trigger occurs.

+

+ Add full path names to the `"prioritizedcontentfiles":` section. Wildcard matching is not supported at this time.

+- **To exclude content files**, modify the `"excludecontentfiles":` section with full path names of individual .json deployment files.

+- **To map parameters**:

+ The deployment script will accept three methods to map parameters. The precedence is determined for each included .json deployment file in your repository as follows:

+

+ :::image type="content" source="media/ci-cd-custom-deploy/deploy-parameter-file-precedence.svg" alt-text="A diagram showing the precedence of parameter file mappings.":::

+ 1. Is there a mapping in the sentinel-deployment.config?

+ 1. Is there a workspace parameter file?

+ 1. Is there a default parameter file?

+Modifying the mapped parameter file listed in the sentinel-deployment.config will trigger the deployment of its paired content file. Adding or modifying a *.parameters-\<workspaceID\>.json* file or *.parameters.json* file triggers a deployment of that corresponding content file along with the newly modified parameters, unless a higher precedence parameter mappings is in place. Other content files won't be deployed if the smart deployments feature is still enabled.

+## Next steps

+A sample repository is available with demonstrating the deployment config file and all three parameter mapping methods.

+For more information, see:

+- [Sentinel CICD repositories sample](https://github.com/SentinelCICD/RepositoriesSampleContent)

+- [Create Resource Manager parameter file](/../../azure/azure-resource-manager/templates/parameter-files.md)

+- [Parameters in ARM templates](/../../azure/azure-resource-manager/templates/parameters.md)

+**Create your connection**:

+1. Make sure that you're signed into your source control app with the credentials you want to use for your connection. If you're currently signed in using different credentials, sign out first.

+ - For all other content types, selecting a content type in the **Create a new connection** pane deploys only that content to Microsoft Sentinel. Content of other types isn't deployed.

+ You're automatically authorized to Azure DevOps using your current Azure credentials. To ensure valid connectivity, [verify that you've authorized to the same Azure DevOps organization](https://aex.dev.azure.com/) that you're connecting to from Microsoft Sentinel or use an InPrivate browser window to create your connection.

+ - For all other content types, selecting a content type in the **Create a new connection** pane deploys only that content to Microsoft Sentinel. Content of other types isn't deployed.

+The default workflow only deploys content that has been modified since the last deployment based on commits to the repository. But you may want to turn off smart deployments or perform other customizations. For example, you can configure different deployment triggers, or deploy content exclusively from a specific root folder. To learn more about how this is done visit [customize repository deployments](ci-cd-custom-deploy.md).

+When you successfully create a connection to your source control repository, your content is deployed to Sentinel. We recommend that you edit content stored in a connected repository *only* in the repository, and not in Microsoft Sentinel. For example, to make changes to your analytics rules, do so directly in GitHub or Azure DevOps.

+If you edit the content in Microsoft Sentinel instead, make sure to export it to your source control repository to prevent your changes from being overwritten the next time the repository content is deployed to your workspace.

+After you've removed your connection, content that was previously deployed via the connection remains in your Microsoft Sentinel workspace. Content added to the repository after removing the connection isn't deployed.

+- [Customize repository deployments](ci-cd-custom-deploy.md)

+- [Microsoft Sentinel data connectors](connect-data-sources.md)

+3. To copy the data, use the [Copy data tool](../data-factory/quickstart-hello-world-copy-data-tool.md). Alternatively, you can use method such as PowerShell, Azure portal, a .NET SDK, and so on.

+* Use the [built-in threat intelligence analytics rule templates](understand-threat-intelligence.md#detect-threats-with-threat-indicator-analytics) to generate security alerts and incidents by using your imported threat intelligence.

+ Title: Threat intelligence integration in Microsoft Sentinel

+> If you have multiple workspaces in the same tenant, such as for [Managed Security Service Providers (MSSPs)](mssp-protect-intellectual-property.md), it may be more cost effective to connect threat indicators only to the centralized workspace.

+ Title: Understand threat intelligence in Microsoft Sentinel

+Microsoft Sentinel is a cloud native Security Information and Event Management (SIEM) solution with the ability to quickly pull threat intelligence from numerous sources.

+Cyber threat intelligence (CTI) is information describing existing or potential threats to systems and users. This intelligence takes many forms, from written reports detailing a particular threat actor's motivations, infrastructure, and techniques, to specific observations of IP addresses, domains, file hashes, and other artifacts associated with known cyber threats. CTI is used by organizations to provide essential context to unusual activity, so security personnel can quickly take action to protect their people, information, and assets. CTI can be sourced from many places, such as open-source data feeds, threat intelligence-sharing communities, commercial intelligence feeds, and local intelligence gathered in the course of security investigations within an organization.

+For SIEM solutions like Microsoft Sentinel, the most common forms of CTI are threat indicators, also known as Indicators of Compromise (IoC) or Indicators of Attack (IoA). Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called *tactical threat intelligence* because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.

+Threat Intelligence also provides useful context within other Microsoft Sentinel experiences such as **Hunting** and **Notebooks**. For more information, see [Jupyter Notebooks in Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/using-threat-intelligence-in-your-jupyter-notebooks/ba-p/860239) and [Tutorial: Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel](notebook-get-started.md).

+Microsoft enriches IP and domain indicators with extra GeoLocation and WhoIs data, providing more context for investigations where the selected indicator of compromise (IOC) is found.

+You can view GeoLocation and WhoIs data on the **Threat Intelligence** pane for each of those types of threat indicator you've imported into Microsoft Sentinel.

+For example, use GeoLocation data to find details like *Organization* or *Country* for an IP indicator, and WhoIs data to find data like *Registrar* and *Record creation* data from a domain indicator.

+## Detect threats with threat indicator analytics

+The most important use case for threat indicators in SIEM solutions like Microsoft Sentinel is to power analytics rules for threat detection. These indicator-based rules compare raw events from your data sources against your threat indicators to detect security threats in your organization. In Microsoft Sentinel **Analytics**, you create analytics rules that run on a schedule and generate security alerts. The rules are driven by queries, along with configurations that determine how often the rule should run, what kind of query results should generate security alerts and incidents, and optionally trigger an automated response.

+While you can always create new analytics rules from scratch, Microsoft Sentinel provides a set of built-in rule templates, created by Microsoft security engineers, to leverage your threat indicators. These built-in rule templates are based on the type of threat indicators (domain, email, file hash, IP address, or URL) and data source events you want to match. Each template lists the required sources needed for the rule to function, so you can see at a glance if you have the necessary events already imported in Microsoft Sentinel.

+By default, when these built-in rules are triggered, an alert will be created. In Microsoft Sentinel, the alerts generated from analytics rules also generate security incidents which can be found in **Incidents** under **Threat Management** on the Microsoft Sentinel menu. Incidents are what your security operations teams will triage and investigate to determine the appropriate response actions. You can find detailed information in this [Tutorial: Investigate incidents with Microsoft Sentinel](./investigate-cases.md).

+For more details on using threat indicators in your analytics rules, see [Use threat intelligence to detect threats](use-threat-indicators-in-analytics-rules.md).

+- [Investigate incidents](./investigate-cases.md) in Microsoft Sentinel.

+ Title: Use matching analytics to detect threats

+description: This article explains how to detect threats with Microsoft generated threat intelligence in Microsoft Sentinel.

+# Use matching analytics to detect threats

+Take advantage of threat intelligence produced by Microsoft to generate high fidelity alerts and incidents with the **Microsoft Threat Intelligence Analytics** rule. This rule will match Common Event Format (CEF) logs, Syslog data or Windows DNS events with domain, IP and URL threat indicators.

+> [!IMPORTANT]

+> Matching analytics is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+## Prerequisites

+One or more of the following data sources must be connected:

+- Common Event Format (CEF)

+- DNS (Preview)

+- Syslog

+## Configure the matching analytics rule

+Matching analytics is configured when you enable the **Microsoft Threat Intelligence Analytics** rule.

+1. Click the **Analytics** menu from the **Configuration** section.

+1. Select the **Rule templates** menu tab.

+1. In the search window type *threat intelligence*.

+1. Select the **Microsoft Threat Intelligence Analytics** rule template.

+1. Click **Create rule**. The rule details are read only, and the default status of the rule is enabled.

+1. Click **Review** > **Create**.

+Alerts are grouped on a per-observable basis. For example, all alerts generated in a 24-hour time period that match the `contoso.com` domain are grouped into a single incident with the appropriate severity.

+## Data sources and indicators

+Microsoft Threat Intelligence Analytics matches your logs with domain, IP and URL indicators in the following way:

+- **CEF** logs ingested into the Log Analytics **CommonSecurityLog** table will match URL and domain indicators if populated in the `RequestURL` field, and IPv4 indicators in the `DestinationIP` field.

+- Windows **DNS** logs where event `SubType == "LookupQuery"` ingested into the **DnsEvents** table will match domain indicators populated in the `Name` field, and IPv4 indicators in the `IPAddresses` field.

+- **Syslog** events where `Facility == "cron"` ingested into the **Syslog** table will match domain and IPv4 indicators directly from the `SyslogMessage` field.

+## Triage an incident generated by matching analytics

+If Microsoft's analytics finds a match, any alerts generated are grouped into incidents.

+Use the following steps to triage through the incidents generated by the **Microsoft Threat Intelligence Analytics** rule:

+1. In the Microsoft Sentinel workspace where you've enabled the **Microsoft Threat Intelligence Analytics** rule, select **Incidents** and search for **Microsoft Threat Intelligence Analytics**.

+ Any incidents found are shown in the grid.

+1. Select **View full details** to view entities and other details about the incident, such as specific alerts.

+ For example:

+ :::image type="content" source="media/work-with-threat-indicators/matching-analytics.png" alt-text="Screenshot of incident generated by matching analytics with details pane.":::

+When a match is found, the indicator is also published to the Log Analytics **ThreatIntelligenceIndicators**, and displayed in the **Threat Intelligence** page. For any indicators published from this rule, the source is defined as **Microsoft Threat Intelligence Analytics**.

+For example, in the **ThreatIntelligenceIndicators** log:

+In the **Threat Intelligence** page:

+## Get additional context from Microsoft Defender Threat Intelligence

+Part of the Microsoft Threat Intelligence available through matching analytics is sourced from Microsoft Defender Threat Intelligence (MDTI). Along with high fidelity alerts and incidents, MDTI indicators include the link to a reference article in their community portal.

+For more information, see the [MDTI portal](https://ti.defender.microsoft.com).

+## Next steps

+In this article, you learned how to connect threat intelligence produced by Microsoft to generate alerts and incidents. For more information about threat intelligence in Microsoft Sentinel, see the following articles:

+- [Work with threat indicators in Microsoft Sentinel](work-with-threat-indicators.md).

+- Connect Microsoft Sentinel to [STIX/TAXII threat intelligence feeds](./connect-threat-intelligence-taxii.md).

+- [Connect threat intelligence platforms](./connect-threat-intelligence-tip.md) to Microsoft Sentinel.

+- See which [TIP platforms, TAXII feeds, and enrichments](threat-intelligence-integration.md) can be readily integrated with Microsoft Sentinel.

+ Title: Use threat indicators in analytics rules

+description: This article explains how to generate alerts and incidents with threat intelligence indicators in Microsoft Sentinel.

+# Use threat indicators in analytics rules

+Power your analytics rules with your threat indicators to automatically generate alerts based on the threat intelligence you've integrated.

+## Prerequisites

+- Threat indicators. These can be from threat intelligence feeds, threat intelligence platforms, bulk import from a flat file, or manual input.

+- Data sources. Events from your data connectors must be flowing to your Sentinel workspace.

+- An analytics rule of the format, "*TI map*..." that can map the threat indicators you have with the events you've ingested.

+## Configure a rule to generate security alerts

+Below is an example of how to enable and configure a rule to generate security alerts using the threat indicators you've imported into Microsoft Sentinel. For this example, use the rule template called **TI map IP entity to AzureActivity**. This rule will match any IP address-type threat indicator with all your Azure Activity events. When a match is found, an **alert** will be generated along with a corresponding **incident** for investigation by your security operations team. This particular analytics rule requires the **Azure Activity** data connector (to import your Azure subscription-level events), and one or both of the **Threat Intelligence** data connectors (to import threat indicators). This rule will also trigger from imported indicators or manually created ones.

+1. From the [Azure portal](https://portal.azure.com/), navigate to the **Microsoft Sentinel** service.

+1. Choose the **workspace** to which you imported threat indicators using the **Threat Intelligence** data connectors and Azure activity data using the **Azure Activity** data connector.

+1. Select **Analytics** from the **Configuration** section of the Microsoft Sentinel menu.

+1. Select the **Rule templates** tab to see the list of available analytics rule templates.

+1. Find the rule titled **TI map IP entity to AzureActivity** and ensure you have connected all the required data sources as shown below.

+ :::image type="content" source="media/work-with-threat-indicators/threat-intel-required-data-sources.png" alt-text="Screenshot of required data sources for the TI map IP entity to AzureActivity analytics rule.":::

+1. Select the **TI map IP entity to AzureActivity** rule and then select **Create rule** to open a rule configuration wizard. Configure the settings in the wizard and then select **Next: Set rule logic >**.

+ :::image type="content" source="media/work-with-threat-indicators/threat-intel-create-analytics-rule.png" alt-text="Screenshot of the create analytics rule configuration wizard.":::

+1. The rule logic portion of the wizard has been pre-populated with the following items:

+ - The query that will be used in the rule.

+ - Entity mappings, which tell Microsoft Sentinel how to recognize entities like Accounts, IP addresses, and URLs, so that **incidents** and **investigations** understand how to work with the data in any security alerts generated by this rule.

+ - The schedule to run this rule.

+ - The number of query results needed before a security alert is generated.

+ The default settings in the template are:

+ - Run once an hour.

+ - Match any IP address threat indicators from the **ThreatIntelligenceIndicator** table with any IP address found in the last one hour of events from the **AzureActivity** table.

+ - Generate a security alert if the query results are greater than zero, meaning if any matches are found.

+

+ - The rule is enabled.

+ You can leave the default settings or change them to meet your requirements, and you can define incident-generation settings on the **Incident settings** tab. For more information, see [Create custom analytics rules to detect threats](detect-threats-custom.md). When you are finished, select the **Automated response** tab.

+1. Configure any automation youΓÇÖd like to trigger when a security alert is generated from this analytics rule. Automation in Microsoft Sentinel is done using combinations of **automation rules** and **playbooks** powered by Azure Logic Apps. To learn more, see this [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](./tutorial-respond-threats-playbook.md). When finished, select the **Next: Review >** button to continue.

+1. When you see the message that the rule validation has passed, select the **Create** button and you are finished.

+You can find your enabled rules in the **Active rules** tab of the **Analytics** section of Microsoft Sentinel. You can edit, enable, disable, duplicate, or delete the active rule from there. The new rule runs immediately upon activation, and from then on will run on its defined schedule.

+According to the default settings, each time the rule runs on its schedule, any results found will generate a security alert. Security alerts in Microsoft Sentinel can be viewed in the **Logs** section of Microsoft Sentinel, in the **SecurityAlert** table under the **Microsoft Sentinel** group.

+In Microsoft Sentinel, the alerts generated from analytics rules also generate security incidents, which can be found in **Incidents** under **Threat Management** on the Microsoft Sentinel menu. Incidents are what your security operations teams will triage and investigate to determine the appropriate response actions. You can find detailed information in this [Tutorial: Investigate incidents with Microsoft Sentinel](./investigate-cases.md).

+Since analytic rules constrain lookups beyond 14 days, Microsoft Sentinel refreshes indicators every 12 days to make sure they are available for matching purposes through the analytic rules.

+## Next steps

+In this article, you learned how to use threat intelligence indicators to detect threats. For more about threat intelligence in Microsoft Sentinel, see the following articles:

+- [Work with threat indicators in Microsoft Sentinel](work-with-threat-indicators.md).

+- Connect Microsoft Sentinel to [STIX/TAXII threat intelligence feeds](./connect-threat-intelligence-taxii.md).

+- [Connect threat intelligence platforms](./connect-threat-intelligence-tip.md) to Microsoft Sentinel.

+- See which [TIP platforms, TAXII feeds, and enrichments](threat-intelligence-integration.md) can be readily integrated with Microsoft Sentinel.

+For more information, see [Detect threats using matching analytics (Public preview)](use-matching-analytics-to-detect-threats.md).

+ Title: Work with threat indicators in Microsoft Sentinel

+description: This article explains how to view, create, manage, and visualize threat intelligence indicators in Microsoft Sentinel.

+Advanced Messaging Queuing Protocol (AMQP) is the only protocol supported for .NET Standard, Java, JavaScript, Python, and Go clients. For [.NET Framework clients](service-bus-amqp-dotnet.md), you can use Service Bus Messaging Protocol (SBMP) or AMQP. When you use the AMQP protocol, message transfers and settlements are pipelined and asynchronous. We recommend that you use the asynchronous programming model API variants.

+

+> [!div class="nextstepaction"]

+> [Define a migration job](job-definition-create.md)

+To configure cross-tenant customer-managed keys for a new storage account in PowerShell, first install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage/4.4.2-preview), version 4.4.2-preview.

+Next, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Provide the key vault URI and key name from the customer's key vault.

+Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

+```azurepowershell

+$accountName = "<storage-account>"

+$kvUri = "<key-vault-uri>"

+$keyName = "<keyName>"

+$multiTenantAppId = "<multi-tenant-app-id>"

+Set-AzStorageAccount -ResourceGroupName $rgName `

+ -Name $accountName `

+ -KeyvaultEncryption `

+ -UserAssignedIdentityId $userIdentity.Id `

+ -IdentityType SystemAssignedUserAssigned `

+ -KeyName $keyName `

+ -KeyVaultUri $kvUri `

+ -KeyVaultUserAssignedIdentityId $userIdentity.Id `

+ -KeyVaultFederatedClientId $multiTenantAppId

+```

+Next, call [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Provide the key vault URI and key name from the customer's key vault.

+Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

+$kvUri = "<key-vault-uri>"

+ -KeyVaultUri $kvUri `

+> [!CAUTION]

+> By design, access to a storage account from trusted services takes the highest precedence over other network access restrictions. For this reason, if you set **Public network access** to **Disabled** after previously setting it to **Enabled from selected virtual networks and IP addresses**, any [resource instances](#grant-access-from-azure-resource-instances) and [exceptions](#manage-exceptions) you had previously configured, including [Allow Azure services on the trusted services list to access this storage account](#grant-access-to-trusted-azure-services), will remain in effect. As a result, those resources and services may still have access to the storage account after setting **Public network access** to **Disabled**.

+> For updating the existing service endpoints to access a storage account in another region, perform an [update subnet](/cli/azure/network/vnet/subnet?view=azure-cli-latest#az-network-vnet-subnet-update&preserve-view=true) operation on the subnet after registering the subscription with the `AllowGlobalTagsForStorage` feature. Similarly, to go back to the old configuration, perform an [update subnet](/cli/azure/network/vnet/subnet?view=azure-cli-latest#az-network-vnet-subnet-update&preserve-view=true) operation after deregistering the subscription with the `AllowGlobalTagsForStorage` feature.

+| Maximum concurrent handles per file, directory, and share root | 2,000 handles | 2,000 handles |

+* [Create a new Synapse workspace](https://portal.azure.com/#create/Microsoft.Synapse) to get Azure Synapse Link for SQL. The current tutorial is to create Synapse link for SQL in public network. The assumption is that you have checked "Disable Managed virtual network" and "Allow connections from all IP address" when creating Synapse workspace. If you want to configure Synapse link for Azure SQL Database with network security, please also refer to [Configure Synapse link for Azure SQL Database with network security](connect-synapse-link-sql-database-vnet.md).

+* [Get or set a managed identity for an Azure SQL Database logical server or managed instance](/sql/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity.md#get-or-set-a-managed-identity-for-a-logical-server-or-managed-instance)

+ 1. For most data sets, the default ADX partitioning is enough.

+ 1. Data partitioning is beneficial in a very specific set of scenarios, and shouldn't be applied otherwise:

+ 1. Improving query latency in big data sets where most queries filter on a high cardinality string column, e.g. a time-series ID.

+ 1. When ingesting out-of-order data, e.g. when events from the past may be ingested days or weeks after their generation in the origin.

+ 1. For more information, check [ADX Data Partitioning Policy](/azure/data-explorer/kusto/management/partitioningpolicy).

+## September 2022

+Here's what changed in September 2022:

+### Single sign-on and passwordless authentication now in public preview

+The ability to enable an Azure Active Directory (AD)-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys) is now in public preview. This feature is available for Windows 10, Windows, 11 and Windows Server 2022 session hosts with the September Cumulative Update Preview installed. The single sign-on experience is currently compatible with the Windows Desktop and web clients. For more information, see [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-public-preview-of-sso-and-passwordless-authentication/ba-p/3638244).

+### Connection graphics data logs for Azure Virtual Desktop now in public preview

+The ability to collect graphics data for your Azure Virtual Desktop connections through Azure Log Analytics is now in public preview. This data can help administrators understand factors across the server, client, and network that contribute to slow or choppy experiences for a user. For more information, see [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop/collect-and-query-graphics-data-for-azure-virtual-desktop/m-p/3638565).

+### Multimedia redirection enhancements now in public preview

+An upgraded version of multimedia redirection (MMR) for Azure Virtual Desktop is now in public preview. We've made various improvements to this version, including more supported websites, remote app browser support, and enhancements to media controls for better clarity and one-click tracing. Learn more at [Use multimedia redirection on Azure Virtual Desktop (preview)](multimedia-redirection.md) and [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop/new-multimedia-redirection-upgrades-on-azure-virtual-desktop-are/m-p/3639520).

+### Grouping costs by Azure Virtual Desktop host pool now in public preview

+Microsoft Cost Management has a new feature in public preview that lets you group Azure Virtual Desktop costs with Azure tags by using the cm-resource-parent tag key. Cost grouping makes it easier to understand and manage costs by host pool. Learn more at [Tag Azure Virtual Desktop resources to manage costs](tag-virtual-desktop-resources.md) and [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/group-costs-by-host-pool-with-cost-management-now-in-public/ba-p/3638285).

+### Azure portal updates

+We've made the following updates to the Azure portal:

+- Improved search, filtering, and performance.

+- Added Windows Server 2022 images to the image selection list.

+- Added "Preferred group type" to the "Basics" tab in the host pool creation process.

+- Enabled custom images for trusted launch VMs.

+- New selectable cards, including the following:

+ - Unavailable machines.

+ - User session.

+- Removed the "Advanced" tab for the process to add a VM to the host pool.

+- Removed the storage blob image option from the host pool creation and adding VM processes.

+- Bug fixes.

+- Made the following improvements to the "getting started" setup process:

+ - Unchecked link Azure template.

+ - Removed validation on existing domain admins.

+We've updated the public preview version of the Azure Files integration with Azure AD Kerberos for hybrid identities so that it's now simpler to deploy and manage. The update should give users using FSLogix user profiles on Azure AD-joined session host an overall better experience. For more information, see [the Azure Files blog post](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-leverage-azure-active-directory-kerberos-with/ba-p/3612111).

+In the Windows Insider build of Windows 11 22H2, you can now enable a preview version of the Azure AD-based single sign-on experience. This Windows Insider build also supports passwordless authentication with Windows Hello and security devices like FIDO2 keys. For more information, see [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop/insider-preview-single-sign-on-and-passwordless-authentication/m-p/3608842).

+- Currently this feature is only available in the North Central US, West Central US, West US, East US 2, and North Europe regions.

+> [!NOTE]

+> Note that zonal configuration for a load balancer works differently from NAT gateway. The load balancer's availability zone selection is synonymous with its frontend IP configuration's zone selection. For public load balancers, if the public IP in the Load balancer's frontend is zone redundant then the load balancer is also zone-redundant. If the public IP in the load balancer's frontend is zonal, then the load balancer will also be designated to the same zone.

+|3|Virtual hub router upgrade: More than 100 Spoke VNets connected to the Virtual hub.|If there are more than 100 spoke VNets connected to the virtual hub, then the virtual hub router can't be upgraded.|September 2022|The Virtual WAN team is working on removing this limitation of 100 spoke VNets connected to the virtual hub during the router upgrade.|

+> * Every Dynamic NAT rule can be assigned to a single connection.

+Some of the built-in DRS rules are disabled by default because they've been replaced by newer rules in the Microsoft Threat Intelligence Collection. For example, rule ID 942440, *SQL Comment Sequence Detected.*, has been disabled, and replaced by the Microsoft Threat Intelligence Collection rule 99031002. The replaced rule reduces the risk of false positive detections from legitimate requests.

+## Prerequisites

+Before you begin to set up a rate limit policy, set up your Azure CLI environment and create a Front Door profile.

+### Set up your Azure CLI environment

+The Azure CLI provides a set of commands that use the [Azure Resource Manager](../../azure-resource-manager/management/overview.md) model for managing your Azure resources.

+You can install the [Azure CLI](/cli/azure/install-azure-cli) on your local machine and use it in any shell session. Here you sign in with your Azure credentials and install the Azure CLI extension for Front Door Standard/Premium.

+#### Connect to Azure with an interactive dialog for sign-in

+Sign in to Azure by running the following command:

+```azurecli

+az login

+```

+#### Install the Front Door extension for the Azure CLI

+Install the `front-door` extension to work with the Front Door WAF from the Azure CLI:

+```azurecli

+az extension add --name front-door

+```

+You use the `az afd` commands to work with Front Door Standard/Premium resources, and you use the `az network front-door waf-policy` commands to work with WAF resources.

+### Create a resource group

+Use the [az group create](/cli/azure/group#az-group-create) command to create a new resource group for your Front Door profile and WAF policy. Update the resource group name and location for your own requirements:

+```azurecli

+resourceGroupName='FrontDoorRateLimit'

+az group create \

+ --name $resourceGroupName \

+ --location westus

+```

+## Create a Front Door profile

+Use the [az afd profile create](/cli/azure/afd/profile#az-afd-profile-create) command to create a new Front Door profile.

+In this example, you create a Front Door standard profile named *MyFrontDoorProfile*:

+```azurecli

+frontDoorProfileName='MyFrontDoorProfile'

+az afd profile create \

+ --profile-name $frontDoorProfileName \

+ --resource-group $resourceGroupName \

+ --sku Standard_AzureFrontDoor

+```

+### Create a Front Door endpoint

+Use the [az afd endpoint create](/cli/azure/afd/endpoint#az-afd-endpoint-create) command to add an endpoint to your Front Door profile.

+Front Door endpoints must have globally unique names, so update the value of the `frontDoorEndpointName` variable to something unique.

+```azurecli

+frontDoorEndpointName='<unique-front-door-endpoint-name>'

+az afd endpoint create \

+ --endpoint-name $frontDoorEndpointName \

+ --profile-name $frontDoorProfileName \

+ --resource-group $resourceGroupName \

+```

+## Create a WAF policy

+Use the [az network front-door waf-policy create](/cli/azure/network/front-door/waf-policy#az-network-front-door-waf-policy-create) command to create a WAF policy:

+```azurecli

+wafPolicyName='MyWafPolicy'

+az network front-door waf-policy create \

+ --name $wafPolicyName \

+ --resource-group $resourceGroupName \

+ --sku Standard_AzureFrontDoor

+```

+## Prepare to add a custom rate limit rule

+Use the [az network front-door waf-policy rule create](/cli/azure/network/front-door/waf-policy/rule#az-network-front-door-waf-policy-rule-create) command to create a custom rate limit rule. The following example sets the limit to 1000 requests per minute.

+Rate limit rules must contain a match condition, which you create in the next step. So, in this command, you include the `--defer` argument, which tells the Azure CLI not to submit the rule to Azure just yet.

+```azurecli

+az network front-door waf-policy rule create \

+ --name rateLimitRule \

+ --policy-name $wafPolicyName \

+ --resource-group $resourceGroupName \

+ --rule-type RateLimitRule \

+ --rate-limit-duration 1 \

+ --rate-limit-threshold 1000 \

+ --action Block \

+ --priority 1 \

+ --defer

+```

+When any client IP address sends more than 1000 requests within one minute, the WAF blocks subsequent requests until the next minute starts.

+## Add a match condition

+Use the [az network front-door waf-policy rule match-condition add](/cli/azure/network/front-door/waf-policy/rule/match-condition#az-network-front-door-waf-policy-rule-match-condition-add) command to add a match condition to your custom rule. The match condition identifies requests that should have the rate limit applied.

+The following example matches requests where the *RequestUri* variable contains the string */promo*:

+```azurecli

+az network front-door waf-policy rule match-condition add \

+ --match-variable RequestUri \

+ --operator Contains \

+ --values '/promo' \

+ --name rateLimitRule \

+ --policy-name $wafPolicyName \

+ --resource-group $resourceGroupName

+```

+When you submit this command, the Azure CLI creates the rate limit rule and match condition together.

+## Configure a security policy to associate your Front Door profile with your WAF policy

+Use the [az afd security-policy create](/cli/azure/afd/security-policy#az-afd-security-policy-create) command to create a security policy for your Front Door profile. A security policy associates your WAF policy with domains that you want to be protected by the WAF rule.

+In this example, you associate the endpoint's default hostname with your WAF policy:

+```azurecli

+securityPolicyName='MySecurityPolicy'

+wafPolicyResourceId=$(az network front-door waf-policy show --name $wafPolicyName --resource-group $resourceGroupName --query id --output tsv)

+frontDoorEndpointResourceId=$(az afd endpoint show --endpoint-name $frontDoorEndpointName --profile-name $frontDoorProfileName --resource-group $resourceGroupName --query id --output tsv)

+az afd security-policy create \

+ --security-policy-name $securityPolicyName \

+ --profile-name $frontDoorProfileName \

+ --resource-group $resourceGroupName \

+ --domains $frontDoorEndpointResourceId \

+ --waf-policy $wafPolicyResourceId

+```

+The preceding code looks up the Azure resource identifiers for the WAF policy and Front Door endpoint so that it can associate them with your security policy.