-## User phone number management (beta)

-> In the current beta version, this API works only if the phone number is stored with a space between the country code and the phone number. The Azure AD B2C service doesn't currently add this space by default.

-## Self-service password reset email address (beta)

-## Software OATH token authentication method (beta)

-## User flow

-## Custom policies

-## Policy keys

-Deleted items can only be restored if they were deleted within the last 30 days.

- 1. Install the ECMA Connector host and provisioning agent on a Windows Server, using the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#download-install-and-configure-the-azure-ad-connect-provisioning-agent-package) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#download-install-and-configure-the-azure-ad-connect-provisioning-agent-package) articles.

- 1. Specify the management agent XML file that was exported from MIM Sync earlier. Continue with the configuration and schema-mapping instructions from the section "Create a connector" in either the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#create-a-generic-sql-connector) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#configure-a-generic-ldap-connector) articles.

-For more information about the native application flow, see [Native apps in Azure Active Directory](../azuread-dev/native-app.md).

-1. If a unique user is found with a Conditional Access policy that requires multifactor authentication (MFA), and the [certificate authentication binding rule](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy) satisfies MFA, then Azure AD signs the user in immediately. If the certificate satisfies only a single factor, then it requests the user for a second factor to complete Azure AD Multi-Factor Authentication.

-| FIDO2 security keys*| Yes | Yes | Yes |

-Combined registration adheres to both multifactor authentication and SSPR policies, if both are enabled for your tenant. These policies control whether a user is interrupted for registration during sign-in and which methods are available for registration. If only an SSPR policy is enabled, then users will be able to skip the registration interruption and complete it at a later time.

-| Password expiry duration (Maximum password age) |<ul><li>Default value: **90** days.</li><li>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure Active Directory Module for Windows PowerShell.</li></ul> |

-When a phone number is set for SMS-sign, it's also then available for use with [Azure AD Multi-Factor Authentication][tutorial-azure-mfa] and [self-service password reset][tutorial-sspr].

-[azure-ad-pricing]: https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing

-> This configuration option uses HRD policy. For more information, see [homeRealmDiscoveryPolicy resource type](/graph/api/resources/homeRealmDiscoveryPolicy?view=graph-rest-1.0).

-### Convert users from per-user MFA to Conditional Access based MFA

-* The Azure AD lockout duration must be set longer than the AD DS reset account lockout counter after duration. The Azure AD duration is set in seconds, while the AD duration is set in minutes.

-

-1. Identify a domain-joined host server running Windows Server 2016 or greater with minimum of 4 GB RAM and .NET 4.7.1+ runtime

-2. If there is a firewall between your servers and Azure AD, configure the following items:

- - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products you may already have these URLs unblocked.

-1. Sign in to the domain joined server. If you are using the [Basic A D and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1.

-2. Sign in to the Azure portal using cloud-only global admin credentials.

-3. On the left, select **Azure Active Directory**, click **Azure AD Connect**, and in the center select **Manage cloud sync**.

- 

-4. Click **Download agent**.

-5. Run the Azure AD Connect provisioning agent.

-6. On the splash screen, **Accept** the licensing terms and click **Install**.

- 

-7. Once this operation completes, the configuration wizard will launch. Sign in with your Azure AD global administrator account. Note that if you have IE enhanced security enabled this will block the sign-in. If this is the case, close the installation, disable IE enhanced security in Server Manager, and click the **AAD Connect Provisioning Agent Wizard** to restart the installation.

-8. On the **Connect Active Directory** screen, click **Add directory** and then sign in with your Active Directory domain administrator account. NOTE: The domain administrator account should not have password change requirements. If the password expires or changes, you will need to re-configure the agent with the new credentials. This operation will add your on-premises directory. Click **Next**.

- 

-9. On the **Configuration complete** screen, click **Confirm**. This operation will register and restart the agent.

-10. Once this operation completes you should see a notice: **Your agent configuration was successfully verified.** You can click **Exit**.</br>

-</br>

-11. If you still see the initial splash screen, click **Close**.

-To verify the agent is being seen by Azure follow these steps:

-2. On the left, select **Azure Active Directory**, click **Azure AD Connect** and in the center select **Manage cloud sync**.</br>

-</br>

-3. On the **Azure AD Connect cloud sync** screen click **Review all agents**.

-</br>

-4. On the **On-premises provisioning agents screen** you will see the agents you have installed. Verify that the agent in question is there and is marked **active**.

-</br>

-To verify that the agent is running follow these steps:

-1. Log on to the server with an administrator account

-2. Open **Services** by either navigating to it or by going to Start/Run/Services.msc.

-3. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are present and the status is **Running**.

-

- Use the following steps to configure provisioning

-1. Sign in to the Azure AD portal.

-2. Click **Azure Active Directory**

-3. Click **Azure AD Connect**

-4. Select **Manage cloud sync**

-

-5. Click **New Configuration**

-

-7. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and click **Save**.

-

-1. The configuration status should now be **Healthy**.

-

-You will now verify that the users that you had in your on-premises directory have been synchronized and now exist in your Azure AD tenant. Be aware that this may take a few hours to complete. To verify users are synchronized do the following.

-4. Verify that you see the new users in your tenant</br>

-2. Sign in with a user account that was created in your tenant. You will need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.</br>

- </br>

-You have now successfully configured a hybrid identity environment using Azure AD Connect cloud sync.

- | **additionalProperties:** | List of additional properties. Valid options are "sam_account_name", "dns_domain_and_sam_account_name", "netbios_domain_and_sam_account_name", "emit_as_roles" |

- In additionalProperties only one of "sam_account_name", "dns_domain_and_sam_account_name", "netbios_domain_and_sam_account_name" are required. If more than one is present, the first is used and any others ignored.

-It's highly recommended to configure your code to use a configuration file in your environment to set the log level as it will enable your code to change the MSAL logging level without needing to rebuild or restart the application. This is critical for diagnostic purposes, enabling us to quickly gather the required logs from the application that is currently deployed and in production. Verbose logging can be costly so it's best to use the *Information* level by default and enable verbose logging when an issue is encountered. [See JSON configuration provider](https://docs.microsoft.com/aspnet/core/fundamentals/configuration#json-configuration-provider) for an example on how to load data from a configuration file without restarting the application.

-When you acquire an access token using the Microsoft Authentication Library for .NET (MSAL.NET), the token is cached. When the application needs a token, it should first call the `AcquireTokenSilent` method to verify if an acceptable token is in the cache. In many cases, it's possible to acquire another token with more scopes based on a token in the cache. It's also possible to refresh a token when it's getting close to expiration (as the token cache also contains a refresh token).

-If you use `app.AddDistributedTokenCache`, the token cache is an adapter against the .NET `IDistributedCache` implementation. So you can choose between a SQL Server cache, a Redis cache, an Azure Cosmos DB cache, or any other cache implementing the [IDistributedCache](/dotnet/api/microsoft.extensions.caching.distributed.idistributedcache?view=dotnet-plat-ext-6.0) interface.

-[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)

-[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)

-Learn how to [setup a test environment](test-setup-environment.md).

-1. Create a new file named *auth.js* under the *router* folder and add the following code there:

-List of settings that can be configured to sync in recent Windows versions. These can be found in Windows 10 under **Settings** > **Accounts** > **Sync your settings** or **Settings** > **Accounts** > **Windows backup** > **Remember my preferences** on Windows 11.

-Learn more about [how to manage inactive user accounts in Azure AD](https://learn.microsoft.com/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts).

-2. Create a review to remove inactive external guests. Admins define inactive as period of days. They disable and later delete guests that donΓÇÖt sign in to the tenant within that time frame. By default, this doesn't affect recently created users. [Learn more about how to identify inactive accounts](https://learn.microsoft.com/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts#how-to-detect-inactive-user-accounts).

-1. Create a [dynamic group](https://learn.microsoft.com/azure/active-directory/enterprise-users/groups-create-rule) for the guest users you want to review. For example,

-2. To [create an Access Review](https://learn.microsoft.com/azure/active-directory/governance/create-access-review)

-1. Create a [dynamic group](https://learn.microsoft.com/azure/active-directory/enterprise-users/groups-create-rule) for the guest users you want to review. For example,

-2. To [create an access review](https://learn.microsoft.com/azure/active-directory/governance/create-access-review) for the dynamic group, navigate to **Azure Active Directory > Identity Governance > Access Reviews**.

->This information last updated on October 28th, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

-| Windows 365 Business 2 vCPU, 4 GB, 64 GB | CPC_B_2C_4RAM_64GB | 42e6818f-8966-444b-b7ac-0027c83fa8b5 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>(CPC_B_2C_4RAM_64GB (a790cd6e-a153-4461-83c7-e127037830b6) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Business 2 vCPU, 4 GB, 64 GB (a790cd6e-a153-4461-83c7-e127037830b6) |

-| Windows 365 Business 4 vCPU, 16 GB, 128 GB (with Windows Hybrid Benefit) | CPC_B_4C_16RAM_128GB_WHB | 439ac253-bfbc-49c7-acc0-6b951407b5ef | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CPC_B_4C_16RAM_128GB (1d4f75d3-a19b-49aa-88cb-f1ea1690b550) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Business 4 vCPU, 16 GB, 128 GB (1d4f75d3-a19b-49aa-88cb-f1ea1690b550) |

-| Windows 365 Enterprise 2 vCPU, 4 GB, 64 GB | CPC_E_2C_4GB_64GB | 7bb14422-3b90-4389-a7be-f1b745fc037f | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CPC_E_2C_4GB_64GB (23a25099-1b2f-4e07-84bd-b84606109438) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Enterprise 2 vCPU, 4 GB, 64 GB (23a25099-1b2f-4e07-84bd-b84606109438) |

-| Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB | CPC_E_2C_8GB_128GB | e2aebe6c-897d-480f-9d62-fff1381581f7 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CPC_2 (3efff3fe-528a-4fc5-b1ba-845802cc764f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB (3efff3fe-528a-4fc5-b1ba-845802cc764f) |

-| Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB (Preview) | CPC_LVL_2 | 461cb62c-6db7-41aa-bf3c-ce78236cdb9e | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CPC_2 (3efff3fe-528a-4fc5-b1ba-845802cc764f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB (3efff3fe-528a-4fc5-b1ba-845802cc764f) |

-| Windows 365 Enterprise 4 vCPU, 16 GB, 256 GB (Preview) | CPC_LVL_3 | bbb4bf6e-3e12-4343-84a1-54d160c00f40 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CPC_E_4C_16GB_256GB (9ecf691d-8b82-46cb-b254-cd061b2c02fb) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Enterprise 4 vCPU, 16 GB, 256 GB (9ecf691d-8b82-46cb-b254-cd061b2c02fb) |

-With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities.

-

-

-

-

-

-Azure AD supports external identity providers like Facebook, Microsoft accounts, Google, or enterprise identity providers. You can set up federation with identity providers so your external users can sign in with their existing social or enterprise accounts instead of creating a new account just for your application. Learn more about [identity providers for External Identities](identity-providers.md).

-

-[here.](https://learn.microsoft.com/azure/active-directory/fundamentals/secure-external-access-resources)

-applications.](https://learn.microsoft.com/azure/active-directory/external-identities/hybrid-cloud-to-on-premises)

-Once the local accounts have their user.mail attributes populated with the external identity/email that they're mapped to, admins can [convert the local accounts to Azure AD B2B by inviting the local account.](https://learn.microsoft.com/azure/active-directory/external-identities/invite-internal-users)

-To create a full user profile for an employee identity, organizations often merge information from multiple HR systems, databases, and other user data stores. MIM provides a rich set of [connectors](https://learn.microsoft.com/microsoft-identity-manager/supported-management-agents) and integration solutions interoperating with heterogeneous platforms both on-premises and in the cloud.

-3. When an external user from a partner organization is created in Azure AD using B2B, MIM can automatically provision them [into AD DS](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario) and give those guests access to [on-premises Windows-Integrated Authentication or Kerberos-based applications](https://learn.microsoft.com/azure/active-directory/external-identities/hybrid-cloud-to-on-premises). Alternatively, customers can user [PowerShell scripts](https://github.com/Azure-Samples/B2B-to-AD-Sync) to automate the creation of guest accounts on-premises.

-| 1 |Users, groups| AD DS| Azure AD| [Azure AD Connect Cloud Sync](https://learn.microsoft.com/azure/active-directory/cloud-sync/what-is-cloud-sync) |

-| 2 |Users, groups, devices| AD DS| Azure AD| [Azure AD Connect Sync](https://learn.microsoft.com/azure/active-directory/hybrid/whatis-azure-ad-connect) |

-[Learn more about Azure AD Lifecycle Workflows](https://learn.microsoft.com/azure/active-directory/governance/what-are-lifecycle-workflows)

-A new tenant provides the ability to have a separate set of administrators. Organizations can choose to use corporate identities through [Azure AD B2B collaboration](../external-identities/what-is-b2b.md). Similarly, organizations can implement [Azure Lighthouse](../../lighthouse/overview.md) for cross-tenant management of Azure resources so that non-production Azure subscriptions can be managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Intune or Microsoft Endpoint Manager. For Managed Service Providers (MSPs), [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide) is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

-**Microsoft 365 Lighthouse** - [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide) is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

-1. Under rules, select the **Property**, **Operator**, and give it a **value**. The following picture gives an example of a rule being set up for a sales department. For a full list of user properties supported by Lifecycle Workflows, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)

-To delete a workflow using API via Microsoft Graph, see: [Delete workflow (lifecycle workflow)](/graph/api/identitygovernance-workflow-delete?view=graph-rest-beta).

- - The [New-MgUser](/powershell/module/microsoft.graph.users/new-mguser?view=graph-powershell-1.0#examples) cmdlet

- 8. Next, you will configure the scope. The scope determines which users this workflow will run against. In this case, it will be on all users in the Sales department. On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**. For a full list of supported user properties, see: [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)

- 8. Next, you will configure the scope. The scope determines which users this workflow will run against. In this case, it will be on all users in the Marketing department. On the configure scope screen, under **Rule** add the following and then select **Next: Review tasks**. For a full list of supported user properties, see: [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)

-> For a full list of user properties supported by Lifecycle Workflows, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)

-Azure Active Directory (Azure AD) can provide a user's group membership information in tokens for use within applications. This feature supports two main patterns:

-1. Select **Add a group claim**.

-1. Use the options to select which groups should be included in the token.

- | `additionalProperties` | List of additional properties. Valid options are `"sam_account_name"`, `"dns_domain_and_sam_account_name"`, `"netbios_domain_and_sam_account_name"`, and `"emit_as_roles"`. |

-> The group writeback functionality is currently in Public Preview as we are collecting customer feedback and telemetry. Please refer to [the limitations](https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-group-writeback-v2#understand-limitations-of-public-preview) before you enable this functionality.

-You can also view the writeback state via Microsoft Graph. For more information, see [Get group](/graph/api/group-get?tabs=http&view=graph-rest-beta).

-To see the default behavior in your environment for newly created groups, use the [directorySetting](/graph/api/resources/directorysetting?view=graph-rest-beta) resource type in Microsoft Graph.

-To verify if Active Directory has been prepared for Exchange, see [Prepare Active Directory and domains for Exchange Server](/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019#how-do-you-know-this-worked).

-An optional prerequisite is Exchange Server 2016 CU15 or later. You need it only for configuring cloud groups with an Exchange hybrid. For more information, seeΓÇ»[Configure Microsoft 365 Groups with on-premises Exchange hybrid](/exchange/hybrid-deployment/set-up-microsoft-365-groups#prerequisites). If you haven't [prepared Active Directory for Exchange](/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019), mail-related attributes of groups won't be written back.

- * Azure AD Connect support all mainstream supported SQL Server versions up to SQL Server 2019. Please refer to the [SQL Server lifecycle article](https://learn.microsoft.com/lifecycle/products/?products=sql-server) to verify the support status of your SQL Server version. Azure SQL Database *isn't supported* as a database. This includes both Azure SQL Database and Azure SQL Managed Instance.

-Your organization may use [MAM app protection policies](https://learn.microsoft.com/mem/intune/apps/app-protection-policy) to protect corporate data in apps on end users' devices.

-IT admins should [issue a selective wipe](https://learn.microsoft.com/mem/intune/apps/apps-selective-wipe) to impacted users following UPN changes. This will force impacted end users to reauthenticate and reenroll with their new UPNs.

-* The application is using [incremental and dynamic consent](../azuread-dev/azure-ad-endpoint-comparison.md#incremental-and-dynamic-consent) to request further permissions after consent was initially granted. Incremental and dynamic consent is often used when optional features of an application require permissions beyond those required for baseline functionality.

-Understand the SP initiated flow by following the steps mentioned in [Datawiza and Azure AD authentication architecture](https://learn.microsoft.com/azure/active-directory/manage-apps/datawiza-with-azure-ad#datawiza-with-azure-ad-authentication-architecture).

- - See, [Quickstart: Create a new tenant in Azure Active Directory.](https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant)

- - See, [Azure AD Connect sync: Understand and customize synchronization](https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis).

- - See, [Azure AD built-in roles, all roles](https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#all-roles).

-portal](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa).

- For more information on the SAML response, see [Single Sign-on SAML protocol](../develop/single-sign-on-saml-protocol.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json).

-SQL DB requires unique Azure AD display names. With this, the Azure AD accounts such as users, groups and Service Principals (applications), and VM names enabled for managed identity must be uniquely defined in AAD regarding their display names. SQL DB checks the Azure AD display name during T-SQL creation of such users and if it is not unique, the command fails requesting to provide a unique Azure AD display name for a given account.

-This section shows how to get an access token using the VM's system-assigned managed identity and use it to call Azure SQL. Azure SQL natively supports Azure AD authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. You use the **access token** method of creating a connection to SQL. This is part of Azure SQL's integration with Azure AD, and is different from supplying credentials on the connection string.

-Here's a .NET code example of opening a connection to SQL using an access token. The code must run on the VM to be able to access the VM's system-assigned managed identity's endpoint. **.NET Framework 4.6** or higher or **.NET Core 2.2** or higher is required to use the access token method. Replace the values of AZURE-SQL-SERVERNAME and DATABASE accordingly. Note the resource ID for Azure SQL is `https://database.windows.net/`.

-using System.Net;

-using System.IO;

-using System.Data.SqlClient;

-using System.Web.Script.Serialization;

-//

-// Get an access token for SQL.

-//

-HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://database.windows.net/");

-request.Headers["Metadata"] = "true";

-request.Method = "GET";

-string accessToken = null;

- // Call managed identities for Azure resources endpoint.

- HttpWebResponse response = (HttpWebResponse)request.GetResponse();

- // Pipe response Stream to a StreamReader and extract access token.

- StreamReader streamResponse = new StreamReader(response.GetResponseStream());

- string stringResponse = streamResponse.ReadToEnd();

- JavaScriptSerializer j = new JavaScriptSerializer();

- Dictionary<string, string> list = (Dictionary<string, string>) j.Deserialize(stringResponse, typeof(Dictionary<string, string>));

- accessToken = list["access_token"];

-}

-catch (Exception e)

-{

- string errorText = String.Format("{0} \n\n{1}", e.Message, e.InnerException != null ? e.InnerException.Message : "Acquire token failed");

-}

-// Open a connection to the server using the access token.

-if (accessToken != null) {

- string connectionString = "Data Source=<AZURE-SQL-SERVERNAME>; Initial Catalog=<DATABASE>;";

- SqlConnection conn = new SqlConnection(connectionString);

- conn.AccessToken = accessToken;

- conn.Open();

-}

- $SqlConnection.ConnectionString = "Data Source = <AZURE-SQL-SERVERNAME>; Initial Catalog = <DATABASE>"

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-* [Azure Virtual Desktop](https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-azure-active-directory-join)

-| Password <br>and<br>Single-factor one-time password hardware (from an OTP manufacturer) <br>and<br>(Hybrid Azure AD joined with software TPM <br>or <br> Azure AD joined with software TPM <br>or<br> [Compliant managed device](https://learn.microsoft.com/mem/intune/protect/device-compliance-get-started))| Memorized secret <br>and<br>Single-factor one-time password hardware<br> and<br>Single-factor cryptographic software |

-When onboarding users you can remove the need for error prone manual onboarding steps by using Verified ID with A10TIX account onboarding. Verified IDs can be used to digitally onboard employees, students, citizens, or others to securely access resources and services. For example, rather than an employee needing to go to a central office to activate an employee badge, they can use a Verified ID to verify their identity to activate a badge that is delivered to them remotely. Rather than a citizen receiving a code they must redeem to access governmental services, they can use a Verified ID to prove their identity and gain access. Learn more about [account onboarding](https://learn.microsoft.com/azure/active-directory/verifiable-credentials/plan-verification-solution#account-onboarding).

-Verifiable Credentials can be used to onboard employees, students, citizens, or others to access services. For example, rather than an employee needing to go to a central office to activate an employee badge, they can use a verifiable credential to verify their identity to activate a badge that is delivered to them remotely. Rather than a citizen receiving a code they must redeem to access governmental services, they can use a VC to prove their identity and gain access. Learn more about [account onboarding](https://learn.microsoft.com/azure/active-directory/verifiable-credentials/plan-verification-solution#account-onboarding).

-Learn more about [account onboarding](https://learn.microsoft.com/azure/active-directory/verifiable-credentials/plan-verification-solution#account-onboarding).

-Automatically completed upgrades are functionally the same as manual upgrades. The timing of upgrades is determined by the selected channel.

-If youΓÇÖre using Planned Maintenance and Auto-Upgrade, your upgrade will start during your specified maintenance window. For more information on Planned Maintenance, see [Use Planned Maintenance to schedule maintenance windows for your Azure Kubernetes Service (AKS) cluster][planned-maintenance].

-> An Azure Disks can only be mounted with *Access mode* type *ReadWriteOnce*, which makes it available to one node in AKS. If you need to share a persistent volume across multiple nodes, use [Azure Files][azure-files-pvc].

->For most production and development workloads, use Premium SSD.

-Since Azure Disks are mounted as *ReadWriteOnce*, they're only available to a single node. For storage volumes that can be accessed by pods on multiple nodes simultaneously, use Azure Files.

-Use *Azure Files* to mount a Server Message Block (SMB) version 3.1.1 share or Network File System (NFS) version 4.1 share backed by an Azure storage accounts to pods. Files let you share data across multiple nodes and pods and can use:

-1. Select the bottom-most deployment in the list. The **Deployment name** will match the publisher ID of the offer. It will contain the string **ibm**.

- * **cmdToConnectToCluster**

-

-Γöé Γöé Γö£ΓöÇ openlibertyapplication.yaml

-In the *aks* directory, we placed two deployment files. *db-secret.xml* is used to create [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) with DB connection credentials. The file *openlibertyapplication.yaml* is used to deploy the application image.

-

-# If you are running with Open Liberty

-# If you are running with WebSphere Liberty

- Paste the value of **cmdToConnectToCluster** into a bash shell.

- kubectl apply -f openlibertyapplication.yaml

- NAME READY STATUS RESTARTS AGE

- javaee-cafe-cluster-67cdc95bc-2j2gr 1/1 Running 0 29s

- javaee-cafe-cluster-67cdc95bc-fgtt8 1/1 Running 0 29s

- javaee-cafe-cluster-67cdc95bc-h47qm 1/1 Running 0 29s

- 1. Get endpoint of the deployed service

- kubectl get service

- 1. Go to `http://EXTERNAL-IP` to test the application.

-

-az aks nodepool upgrade \

- --node-image-only \

-Your AKS cluster has regular maintenance performed on it automatically. By default, this work can happen at any time. Planned Maintenance allows you to schedule weekly maintenance windows that will update your control plane as well as your kube-system Pods on a VMSS instance and minimize workload impact. Once scheduled, all your maintenance will occur during the window you selected. You can schedule one or more weekly windows on your cluster by specifying a day or time range on a specific day. Maintenance Windows are configured using the Azure CLI.

-When using Planned Maintenance, the following restrictions apply:

-To allow maintenance any time during a day, omit the *start-hour* parameter. For example, the following command sets the maintenance window for the full day every Monday:

-AKS accepts both integer values and a percentage value for max surge. An integer such as "5" indicates five extra nodes to surge. A value of "50%" indicates a surge value of half the current node count in the pool. Max surge percent values can be a minimum of 1% and a maximum of 100%. A percent value is rounded up to the nearest node count. If the max surge value is higher than the current node count at the time of upgrade, the current node count is used for the max surge value.

-> The feature described in this article, pod security policy (preview), will be deprecated starting with Kubernetes version 1.21, and it will be removed in version 1.25. AKS will mark the pod security policy as Deprecated with the AKS API on 04-01-2023. You can migrate pod security policy to pod security admission controller before the deprecation deadline.

-> + if they are different loggers, both of them will be used (multiplexing logs).

-> + if they are the same loggers with different settings, the single API logger (more granular level) will override the one for all APIs.

-+ - Learn about visualizing data from Application Insights using [Azure Managed Grafana](visualize-using-managed-grafana-dashboard.md)

-Your application can acquire a token to call a Web API hosted in your App Service or Function app on behalf of itself (not on behalf of a user). This scenario is useful for non-interactive daemon applications that perform tasks without a logged in user. It uses the standard OAuth 2.0 [client credentials](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md) grant.

-You can now [request an access token using the client ID and client secret](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#first-case-access-token-request-with-a-shared-secret) by setting the `resource` parameter to the **Application ID URI** of the target app. The resulting access token can then be presented to the target app using the standard [OAuth 2.0 Authorization header](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#use-the-access-token-to-access-the-secured-resource), and App Service Authentication / Authorization will validate and use the token as usual to now indicate that the caller (an application in this case, not a user) is authenticated.

-1. Similar to the previous scenario (before any roles were added), you can now [request an access token](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#first-case-access-token-request-with-a-shared-secret) for the same target `resource`, and the access token will include a `roles` claim containing the App Roles that were authorized for the client application.

-This response is the same as the [response for the Azure AD service-to-service access token request](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#service-to-service-access-token-response). To access Key Vault, you will then add the value of `access_token` to a client connection with the vault.

- --admin-user $DB_USERNAME \

- --admin-password $DB_PASSWORD \

-## Create an Azure Postgres DB

-1. Create an Azure Postgres Database server. The server is created with an administrator account, but it won't be used because we'll use the Azure Active Directory (Azure AD) admin account to perform administrative tasks.

-## Connect Postgres Database with identity connectivity

-Next, connect your app to a Postgres Database with a system-assigned managed identity using Service Connector.

-If an error originates from the backend servers, then it's passed along unmodified back to the caller. A custom error page isn't displayed. Application gateway can display a custom error page when a request can't reach the backend.

-You may reference either internal or external images/CSS for this HTML file. For externally referenced resources, use absolute URLs that are publicly accessible. Be aware of the HTML file size when using internal images (Base64-encoded inline image) or CSS. Relative links with files in the same location are currently not supported.

-After you specify an error page, the application gateway downloads it from the defined location and saves it to the local application gateway cache. Then, that HTML page is served by the application gateway, whereas the externally referenced resources are fetched directly by the client. To modify an existing custom error page, you must point to a different blob location in the application gateway configuration. The application gateway doesn't periodically check the blob location to fetch new versions.

-1. The key, endpoint URL, and subscription ID for your Form Recognizer resource. You can find these values on the resource's **Overview** tab in the [Azure portal](https://ms.portal.azure.com/#home).

-Azure provides a set of libraries, called Azure Active Directory Authentication Libraries, to simplify the process of acquiring an Azure AD token. Azure builds these libraries for multiple languages. For more information, see the [documentation](../active-directory/azuread-dev/active-directory-authentication-libraries.md).

-and PostgreSQL server (preview) services are currently available.

-* Create [custom locations](./kubernetes/custom-locations.md) on top of your [Azure Arc-enabled Kubernetes](./kubernetes/overview.md) clusters, using them as target locations for deploying Azure services instances. Deploy your Azure service cluster extensions for [Azure Arc-enabled Data Services](./dat).

-* Access and security through Azure RBAC and subscriptions

-* Learn about [Azure Arc-enabled VMware vSphere](vmware-vsphere/overview.md) and [Azure Arc-enabled Azure Stack HCI](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines)

-* Learn about [Azure Arc-enabled System Center Virtual Machine Manager](system-center-virtual-machine-manager/overview.md)

-* Experience Azure Arc-enabled services by exploring the [Jumpstart proof of concept](https://azurearcjumpstart.io/azure_arc_jumpstart/).

-For any issues encountered with the Azure Arc resource bridge, you can collect logs for further investigation. To collect the logs, use the Azure CLI [`az arcappliance logs`](/cli/azure/arcappliance/logs) command. This command needs to be run from the client machine from which you've deployed the Azure Arc resource bridge.

-The `az arcappliance logs` command requires SSH to the Azure Arc resource bridge VM. The SSH key is saved to the client machine where the deployment of the appliance was performed from. To use a different client machine to run the Azure CLI command, you need to make sure the following files are copied to the new client machine:

-To run the `az arcappliance logs` command, the path to the kubeconfig must be provided. The kubeconfig is generated after successful completion of the `az arcappliance deploy` command and is placed in the same directory as the CLI command in ./kubeconfig or as specified in `--outfile` (if the parameter was passed).

-If `az arcappliance deploy` was not completed, then the kubeconfig file may exist but may be empty or missing data, so it can't be used for logs collection. In this case, the Appliance VM IP address can be used to collect logs instead. The Appliance VM IP is assigned when the `az arcappliance deploy` command is run, after Control Plane Endpoint reconciliation. For example, if the message displayed in the command window reads "Appliance IP is 10.97.176.27", the command to use for logs collection would be:

-az arcappliance logs hci --out-dir c:\logs --ip 10.97.176.27

-```

-To view the logs, run the following command:

-```azurecli

-az arcappliance logs <provider> --kubeconfig <path to kubeconfig>

-```

-To save the logs to a destination folder, run the following command:

-```azurecli

-az arcappliance logs <provider> --kubeconfig <path to kubeconfig> --out-dir <path to specified output directory>

-If you run `az arcappliance` CLI commands for Arc Resource Bridge via remote PowerShell, you may experience various problems. For instance, you might see an [EOF error when using the `logs` command](#logs-command-fails-with-eof-error), or an [authentication handshake failure error when trying to install the resource bridge on an Azure Stack HCI cluster](#authentication-handshake-failure).

-### `logs` command fails with EOF error

-When running the `az arcappliance logs` Azure CLI command, you may see an error: `Appliance logs command failed with error: EOF when reading a line.` This may occur in scenarios similar to the following:

-```azurecli

-az arcappliance logs hci --kubeconfig .\kubeconfig --out-dir c:\temp --ip 192.168.200.127

-+ CategoryInfo : NotSpecified: (WARNING: Comman...s/CLI_refstatus:String) [], RemoteException

-+ FullyQualifiedErrorId : NativeCommandError

-Please enter cloudservice FQDN/IP: Appliance logs command failed with error: EOF when reading a line[v-Host1]: PS C:\Users\AzureStackAdminD\Documents> az arcappliance logs hci --kubeconfig .\kubeconfig --out-dir c:\temp --ip 192.168.200.127

-+ CategoryInfo : NotSpecified: (WARNING: Comman...s/CLI_refstatus:String) [], RemoteException

-+ FullyQualifiedErrorId : NativeCommandError

-Please enter cloudservice FQDN/IP: Appliance logs command failed with error: EOF when reading a line

-```

-The `az arcappliance logs` CLI command runs in interactive mode, meaning that it prompts the user for parameters. If the command is run in a scenario where it can't prompt the user for parameters, this error will occur. This is especially common when trying to use remote PowerShell to run the command.

-To avoid this error, use Remote Desktop Protocol (RDP) or a console session to sign directly in to the node and locally run the `logs` command (or any `az arcappliance` command). Remote PowerShell is not currently supported by Azure Arc resource bridge.

-You can also avoid this error by pre-populating the values that the `logs` command prompts for, thus avoiding the prompt. The example below provides these values into a variable which is then passed to the `logs` command. Be sure to replace `$loginValues` with your cloudservice IP address and the full path to your token credentials.

-```azurecli

-$loginValues="192.168.200.2

-C:\kvatoken.tok"

-$user_in = ""

-foreach ($val in $loginValues) { $user_in = $user_in + $val + "`n" }

-$user_in | az arcappliance logs hci --kubeconfig C:\Users\AzureStackAdminD\.kube\config

-```

-Make sure the URLs listed below are added to your allowlist.

-|Guest Notification service| 443 | `https://guestnotificationservice.azure.com`| Appliance VM IP and Control Plane IP need outbound connection. | Used to connect on-prem resources to Azure.|

-|SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Host machine, Appliance VM IP and Control Plane IP need outbound connection. | Used when downloading product catalog, product bits, and OS images from SFS. |

-|Resource bridge (appliance) image download| 80 | `*.dl.delivery.mp.microsoft.com`| Host machine, Appliance VM IP and Control Plane IP need outbound connection. | Download the Arc Resource Bridge OS images. |

-Azure Arc resource bridge is a Kubernetes management cluster that is deployed in an appliance VM directly on the on-premises infrastructure. While trying to deploy Azure Arc resource bridge, a "KVA timeout error" may appear if there is a networking problem that doesn't allow communication of the Arc Resource Bridge appliance VM to the host, DNS, network or internet. This error is typically displayed for the following reasons:

-To resolve this error, ensure that all IP addresses assigned to the Arc Resource Bridge appliance VM can be resolved by DNS and have access to the internet, and that the host can successfully route to the IP addresses.

-|RedisJSON | No | Yes (preview) | Yes (preview) |

-> [!NOTE]

-> In the current preview, Azure SQL bindings are only supported by [C# class library functions](functions-dotnet-class-library.md), [JavaScript functions](functions-reference-node.md), and [Python functions](functions-reference-python.md).

-<!### Use these pivots when we get other non-C# languages added. ###

-

->

-In [C# class libraries](functions-dotnet-class-library.md), use the [Sql](https://github.com/Azure/azure-functions-sql-extension/blob/main/src/SqlAttribute.cs) attribute, which has the following properties:

-<!### Use these pivots when we get other non-C# languages added. ###

-In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the `@Sql` annotation on parameters whose value would come from Azure SQL. This annotation supports the following elements:

-| **connectionStringSetting** | The name of an app setting that contains the connection string for the database against which the query or stored procedure is being executed. This value isn't the actual connection string and must instead resolve to an environment variable name. |

-| **commandType** | A [CommandType](/dotnet/api/system.data.commandtype) value, which is [Text](/dotnet/api/system.data.commandtype#fields) for a query and [StoredProcedure](/dotnet/api/system.data.commandtype#fields) for a stored procedure. |

-| **parameters** | Zero or more parameter values passed to the command during execution as a single string. Must follow the format `@param1=param1,@param2=param2`. Neither the parameter name nor the parameter value can contain a comma (`,`) or an equals sign (`=`). |

-The attribute's constructor takes the SQL command text, the command type, parameters, and the connection string setting name. The command can be a Transact-SQL (T-SQL) query with the command type `System.Data.CommandType.Text` or stored procedure name with the command type `System.Data.CommandType.StoredProcedure`. The connection string setting name corresponds to the application setting (in `local.settings.json` for local development) that contains the [connection string](/dotnet/api/microsoft.data.sqlclient.sqlconnection.connectionstring?view=sqlclient-dotnet-core-3.1&preserve-view=true#Microsoft_Data_SqlClient_SqlConnection_ConnectionString) to the Azure SQL or SQL Server instance.

-> [!NOTE]

-> In the current preview, Azure SQL bindings are only supported by [C# class library functions](functions-dotnet-class-library.md), [JavaScript functions](functions-reference-node.md), and [Python functions](functions-reference-python.md).

-The following example shows a SQL input binding in a function.json file and a JavaScript function that adds records to a table, using data provided in an HTTP POST request as a JSON body.

-The following example shows a SQL input binding in a function.json file and a JavaScript function that adds records to a database in two different tables (`dbo.ToDo` and `dbo.RequestLog`), using data provided in an HTTP POST request as a JSON body and multiple output bindings.

-The following example shows a SQL input binding in a function.json file and a Python function that adds records to a table, using data provided in an HTTP POST request as a JSON body.

-The following example shows a SQL input binding in a function.json file and a Python function that adds records to a database in two different tables (`dbo.ToDo` and `dbo.RequestLog`), using data provided in an HTTP POST request as a JSON body and multiple output bindings.

-<!### Use these pivots when we get other non-C# languages added. ###

-

->

-In [C# class libraries](functions-dotnet-class-library.md), use the [Sql](https://github.com/Azure/azure-functions-sql-extension/blob/main/src/SqlAttribute.cs) attribute, which has the following properties:

-<!### Use these pivots when we get other non-C# languages added. ###

-In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the `@Sql` annotation on parameters whose value would come from Azure SQL. This annotation supports the following elements:

-| **commandText** | Required. The Transact-SQL query command or name of the stored procedure executed by the binding. |

-| **connectionStringSetting** | The name of an app setting that contains the connection string for the database to which data is being written. This isn't the actual connection string and must instead resolve to an environment variable.|

-The `CommandText` property is the name of the table where the data is to be stored. The connection string setting name corresponds to the application setting that contains the [connection string](/dotnet/api/microsoft.data.sqlclient.sqlconnection.connectionstring?view=sqlclient-dotnet-core-3.1&preserve-view=true#Microsoft_Data_SqlClient_SqlConnection_ConnectionString) to the Azure SQL or SQL Server instance.

-The output bindings uses the T-SQL [MERGE](/sql/t-sql/statements/merge-transact-sql) statement which requires [SELECT](/sql/t-sql/statements/merge-transact-sql#permissions) permissions on the target database.

-This set of articles explains how to work with [Azure SQL](/azure/azure-sql/index) bindings in Azure Functions. Azure Functions supports input and output bindings for the Azure SQL and SQL Server products.

-# [Preview Bundle v3.x](#tab/extensionv3)

-You can add the preview extension bundle by adding or replacing the following code in your `host.json` file:

-```json

-{

- "version": "2.0",

- "extensionBundle": {

- "id": "Microsoft.Azure.Functions.ExtensionBundle.Preview",

- "version": "[3.*, 4.0.0)"

- }

-}

-```

-Python support isn't available with the SQL bindings extension in the v3 version of the functions runtime.

-> [!NOTE]

-> In the current preview, Azure SQL bindings are only supported by [C# class library functions](functions-dotnet-class-library.md), [JavaScript functions](functions-reference-node.md), and [Python functions](functions-reference-python.md).

-Azure SQL bindings for Azure Functions have a required property for connection string on both [input](./functions-bindings-azure-sql-input.md) and [output](./functions-bindings-azure-sql-output.md) bindings. SQL bindings passes the connection string to the Microsoft.Data.SqlClient library and supports the connection string as defined in the [SqlClient ConnectionString documentation](/dotnet/api/microsoft.data.sqlclient.sqlconnection.connectionstring?view=sqlclient-dotnet-core-3.1&preserve-view=true). Notable keywords include:

-> The retry policy support in the runtime for triggers other than Timer, Kafka, and Event Hubs is being removed after this feature becomes generally available (GA). Preview retry policy support for all triggers other than Timer and Event Hubs will be removed in October 2022. For more information, see the [Retries section below](#retries).

-# [Azure portal](#tab/portal)

-In the Azure portal, in your function app, choose **Configuration** and on the **Function runtime settings** tab turn **Runtime scale monitoring** to **On**.

-# [Azure CLI](#tab/azure-cli)

-Use the following Azure CLI command to enable runtime scale monitoring:

-```azurecli-interactive

-az resource update -g <RESOURCE_GROUP> -n <FUNCTION_APP_NAME>/config/web --set properties.functionsRuntimeScaleMonitoringEnabled=1 --resource-type Microsoft.Web/sites

-```

-When running locally the Azure Functions runtime defaults to using PowerShell Core 6. To instead use PowerShell 7 when running locally, you need to add the setting `"FUNCTIONS_WORKER_RUNTIME_VERSION" : "~7"` to the `Values` array in the local.setting.json file in the project root. When running locally on PowerShell 7, your local.settings.json file looks like the following example:

- "FUNCTIONS_WORKER_RUNTIME_VERSION" : "~7"

-Your function app must be running on version 3.x to be able to upgrade from PowerShell Core 6 to PowerShell 7. To learn how to do this, see [View and update the current runtime version](set-runtime-version.md#view-and-update-the-current-runtime-version).

- :::image type="content" source="media/functions-reference-powershell/change-powershell-version-portal.png" alt-text="Choose the PowerShell version used by the function app":::

-Replace `<SUBSCRIPTION_ID>`, `<RESOURCE_GROUP>`, and `<FUNCTION_APP>` with the ID of your Azure subscription, the name of your resource group and function app, respectively. Also, replace `<VERSION>` with either `~6` or `~7`. You can verify the updated value of the `powerShellVersion` setting in `Properties` of the returned hash table.

-| `OkObjectResult` | `OkObjectResult` | `HttpResonseData` | `HttpResonseData` |

-Communications among various components (for example, Azure Resource Manager to and from CRP, CRP to and from FC, FC to and from Hypervisor Agent) all operate on different communication channels with different identities and different permissions sets. This design follows common least-privilege models to ensure that a compromise of any single layer will prevent more actions. Separate communications channels ensure that communications can't bypass any layer in the chain. Figure 6 illustrates how the MC and MP securely communicate within the Azure cloud for Hypervisor interaction initiated by a userΓÇÖs [OAuth 2.0 authentication to Azure Active Directory](../active-directory/azuread-dev/v1-protocols-oauth-code.md).

-Maps Creator provides three core

-<!-* [Wayfinding service][wayfinding-preview] (preview). Use the [wayfinding API][wayfind] to generate a path between two points within a facility. Use the [routeset API][routeset] to create the data that the wayfinding service needs to generate paths.

->

-<!--[wayfinding-preview]: creator-indoor-maps.md# -->

-At a high level, facility ontology divides the dataset into feature classes. All feature classes share a common set of properties, such as `ID` and `Geometry`. In addition to the common property set, each feature class defines a set of properties. Each property is defined by its data type and constraints. Some feature classes have properties that are dependent on other feature classes. Dependant properties evaluate to the `ID` of another feature class.

-| Property | Type | Required | Description |

-|--|--|-|--|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-|`isOpenArea` | boolean (Default value is `null`.) |false | Represents whether the unit is an open area. If set to `true`, [structures](#structure) don't surround the unit boundary, and a navigating agent can enter the `unit` without the need of an [`opening`](#opening). By default, units are surrounded by physical barriers and are open only where an opening feature is placed on the boundary of the unit. If walls are needed in an open area unit, they can be represented as a [`lineElement`](#lineelement) or [`areaElement`](#areaelement) with an `isObstruction` property equal to `true`.|

-|`navigableBy` | enum ["pedestrian", "wheelchair", "machine", "bicycle", "automobile", "hiredAuto", "bus", "railcar", "emergency", "ferry", "boat"] | false |Indicates the types of navigating agents that can traverse the unit. If unspecified, the unit is assumed to be traversable by any navigating agent. |

-|`isRoutable` | boolean (Default value is `null`.) | false | Determines if the unit is part of the routing graph. If set to `true`, the unit can be used as source/destination or intermediate node in the routing experience. |

-|`routeThroughBehavior` | enum ["disallowed", "allowed", "preferred"] | false | Determines if navigating through the unit is allowed. If unspecified, it inherits its value from the category feature referred to in the `categoryId` property. If specified, it overrides the value given in its category feature." |

-|`nonPublic` | boolean| false | If `true`, the unit is navigable only by privileged users. Default value is `false`. |

-| `levelId` | [level.Id](#level) | true | The ID of a level feature. |

-|`occupants` | array of [directoryInfo.Id](#directoryinfo) | false | The IDs of [directoryInfo](#directoryinfo) features. Used to represent one or many occupants in the feature. |

-|`addressId` | [directoryInfo.Id](#directoryinfo) | true | The ID of a [directoryInfo](#directoryinfo) feature. Used to represent the address of the feature.|

-|`addressRoomNumber` | [directoryInfo.Id](#directoryinfo) | true | Room/Unit/Apartment/Suite number of the unit.|

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000. |

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000.|

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000. |

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-| Property | Type | Required | Description |

-|--|--|-|--|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-|`isOpenArea` | boolean (Default value is `null`.) |false | Represents whether the unit is an open area. If set to `true`, [structures](#structure) don't surround the unit boundary, and a navigating agent can enter the `unit` without the need of an [`opening`](#opening). By default, units are surrounded by physical barriers and are open only where an opening feature is placed on the boundary of the unit. If walls are needed in an open area unit, they can be represented as a [`lineElement`](#lineelement) or [`areaElement`](#areaelement) with an `isObstruction` property equal to `true`.|

-|`isRoutable` | boolean (Default value is `null`.) | false | Determines if the unit is part of the routing graph. If set to `true`, the unit can be used as source/destination or intermediate node in the routing experience. |

-| `levelId` | [level.Id](#level) | true | The ID of a level feature. |

-|`occupants` | array of [directoryInfo.Id](#directoryinfo) | false | The IDs of [directoryInfo](#directoryinfo) features. Used to represent one or many occupants in the feature. |

-|`addressId` | [directoryInfo.Id](#directoryinfo) | true | The ID of a [directoryInfo](#directoryinfo) feature. Used to represent the address of the feature.|

-|`addressRoomNumber` | [directoryInfo.Id](#directoryinfo) | true | Room/Unit/Apartment/Suite number of the unit.|

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.|

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000.|

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000.|

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-The `structure` feature class defines a physical and non-overlapping area that cannot be navigated through. Can be a wall, column, and so on.

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-| `levelId` | [level.Id](#level) | true | The ID of a [`level`](#level) feature. |

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000. |

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000. |

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000.|

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-The `zone` feature class defines a virtual area, like a WiFi zone or emergency assembly area. Zones can be used as destinations but are not meant for through traffic.

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-| `setId` | string | true |Required for zone features that represent multi-level zones. The `setId` is the unique ID for a zone that spans multiple levels. The `setId` enables a zone with varying coverage on different floors to be represented with different geometry on different levels. The `setId` can be any string and is case-sensitive. It is recommended that the `setId` is a GUID. Maximum length allowed is 1000.|

-| `levelId` | [level.Id](#level) | true | The ID of a [`level`](#level) feature. |

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.|

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000.|

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000. |

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-| `ordinal` | integer | true | The level number. Used by the [`verticalPenetration`](#verticalpenetration) feature to determine the relative order of the floors to help with travel direction. The general practice is to start with 0 for the ground floor. Add +1 for every floor upwards, and -1 for every floor going down. It can be modeled with any numbers, as long as the higher physical floors are represented by higher ordinal values. |

-| `abbreviatedName` | string | false | A four-character abbreviated level name, like what would be found on an elevator button. Maximum length allowed is 1000.|

-| `heightAboveFacilityAnchor` | double | false | Vertical distance of the level's floor above [`facility.anchorHeightAboveSeaLevel`](#facility), in meters. |

-| `verticalExtent` | double | false | Vertical extent of the level, in meters. If not provided, defaults to [`facility.defaultLevelVerticalExtent`](#facility).|

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.|

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000.|

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000.|

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-|`occupants` | array of [directoryInfo.Id](#directoryinfo) | false | The IDs of [directoryInfo](#directoryinfo) features. Used to represent one or many occupants in the feature. |

-|`addressId` | [directoryInfo.Id](#directoryinfo) | true | The ID of a [directoryInfo](#directoryinfo) feature. Used to represent the address of the feature.|

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000. |

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000. |

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000.|

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorHeightAboveSeaLevel` | double | false | Height of anchor point above sea level, in meters. Sea level is defined by EGM 2008.|

-|`defaultLevelVerticalExtent` | double| false | Default value for vertical extent of levels, in meters.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-| `setId` | string | true | Vertical penetration features must be used in sets to connect multiple levels. Vertical penetration features in the same set are considered to be the same. The `setId` can be any string, and is case-sensitive. Using a GUID as a `setId` is recommended. Maximum length allowed is 1000.|

-| `levelId` | [level.Id](#level) | true | The ID of a level feature. |

-|`direction` | string enum [ "both", "lowToHigh", "highToLow", "closed" ]| false | Travel direction allowed on this feature. The ordinal attribute on the [`level`](#level) feature is used to determine the low and high order.|

-|`navigableBy` | enum ["pedestrian", "wheelchair", "machine", "bicycle", "automobile", "hiredAuto", "bus", "railcar", "emergency", "ferry", "boat"] | false |Indicates the types of navigating agents that can traverse the unit. If unspecified, the unit is traversable by any navigating agent. |

-|`nonPublic` | boolean| false | If `true`, the unit is navigable only by privileged users. Default value is `false`. |

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.|

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000.|

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000. |

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-| `setId` | string | true | Vertical penetration features must be used in sets to connect multiple levels. Vertical penetration features in the same set are connected. The `setId` can be any string, and is case-sensitive. Using a GUID as a `setId` is recommended. Maximum length allowed is 1000. |

-| `levelId` | [level.Id](#level) | true | The ID of a level feature. |

-|`direction` | string enum [ "both", "lowToHigh", "highToLow", "closed" ]| false | Travel direction allowed on this feature. The ordinal attribute on the [`level`](#level) feature is used to determine the low and high order.|

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.|

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000.|

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000. |

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` |[category.Id](#category) |true | The ID of a category feature.|

-| `levelId` | [level.Id](#level) | true | The ID of a level feature. |

-|`navigableBy` | enum ["pedestrian", "wheelchair", "machine", "bicycle", "automobile", "hiredAuto", "bus", "railcar", "emergency", "ferry", "boat"] | false |Indicates the types of navigating agents that can traverse the unit. If unspecified, the unit is traversable by any navigating agent. |

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) y that represents the feature as a point. Can be used to position the label of the feature.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` |[category.Id](#category) |true | The ID of a category feature.|

-| `levelId` | [level.Id](#level) | true | The ID of a level feature. |

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) y that represents the feature as a point. Can be used to position the label of the feature.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`streetAddress` |string |false |Street address part of the address. Maximum length allowed is 1000. |

-|`unit` |string |false |Unit number part of the address. Maximum length allowed is 1000. |

-|`locality`| string| false |The locality of the address. For example: city, municipality, village. Maximum length allowed is 1000.|

-|`adminDivisions`| string| false |Administrative division part of the address, from smallest to largest (County, State, Country). For example: ["King", "Washington", "USA" ] or ["West Godavari", "Andhra Pradesh", "IND" ]. Maximum length allowed is 1000.|

-|`postalCode`| string | false |Postal code part of the address. Maximum length allowed is 1000.|

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.|

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000. |

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000. |

-|`phoneNumber` | string | false | Phone number. Maximum length allowed is 1000. |

-|`website` | string | false | Website URL. Maximum length allowed is 1000. |

-|`hoursOfOperation` | string | false | Hours of operation as text, following the [Open Street Map specification](https://wiki.openstreetmap.org/wiki/Key:opening_hours/specification). Maximum length allowed is 1000. |

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` |[category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-| `unitId` | string | true | The ID of a [`unit`](#unit) feature containing this feature. Maximum length allowed is 1000.|

-| `isObstruction` | boolean (Default value is `null`.) | false | If `true`, this feature represents an obstruction to be avoided while routing through the containing unit feature. |

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.|

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000. |

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` |[category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-| `unitId` | string | true | The ID of a [`unit`](#unit) feature containing this feature. Maximum length allowed is 1000. |

-| `isObstruction` | boolean (Default value is `null`.)| false | If `true`, this feature represents an obstruction to be avoided while routing through the containing unit feature. |

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000. |

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000. |

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000. |

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`obstructionArea` | [Polygon](/rest/api/maps/v2/wfs/get-features#featuregeojson)| false | A simplified geometry (when the line geometry is complicated) of the feature that is to be avoided during routing. Requires `isObstruction` set to true.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the feature with another feature in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`categoryId` |[category.Id](#category) |true | The ID of a [`category`](#category) feature.|

-| `unitId` | string | true | The ID of a [`unit`](#unit) feature containing this feature. Maximum length allowed is 1000. |

-| `isObstruction` | boolean | false | If `true`, this feature represents an obstruction to be avoided while routing through the containing unit feature. |

-|`obstructionArea` | geometry: ["Polygon","MultiPolygon" ]| false | A simplified geometry (when the line geometry is complicated) of the feature that is to be avoided during routing. Requires `isObstruction` set to true.|

-|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000. |

-|`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000.|

-|`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000.|

-|`anchorPoint` | [Point](/rest/api/maps/v2/wfs/get-features#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/v2/wfs/get-features#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The category's original ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the category with another category in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`name` | string | true | Name of the category. Suggested to use "." to represent hierarchy of categories. For example: "room.conference", "room.privateoffice". Maximum length allowed is 1000. |

-|`isRoutable` | boolean (Default value is `null`.) | false | Determines if a feature should be part of the routing graph. If set to `true`, the unit can be used as source/destination or intermediate node in the routing experience. |

-| Property | Type | Required | Description |

-|--||-|-|

-|`originalId` | string |false | The category's original ID derived from client data. Maximum length allowed is 1000.|

-|`externalId` | string |false | An ID used by the client to associate the category with another category in a different dataset, such as in an internal database. Maximum length allowed is 1000.|

-|`name` | string | true | Name of the category. Suggested to use "." to represent hierarchy of categories. For example: "room.conference", "room.privateoffice". Maximum length allowed is 1000. |

-### Custom styling (Preview)

-The [Azure Maps Web SDK](./index.yml) includes the Indoor Maps module. This module offers extended functionalities to the Azure Maps *Map Control* library. The Indoor Maps module renders indoor maps created in Creator. It integrates widgets, such as *floor picker*, that help users to visualize the different floors.

-| Country/Region | Infrared satellite tiles | Minute forecast, Radar tiles | Severe weather alerts | Other* |

-||::|:-:|::|::|

-| Anguilla | Γ£ô | | | Γ£ô |

-| Antarctica | Γ£ô | | | Γ£ô |

-| Antigua & Barbuda | Γ£ô | | | Γ£ô |

-| Argentina | Γ£ô | | | Γ£ô |

-| Aruba | Γ£ô | | | Γ£ô |

-| Bahamas | Γ£ô | | | Γ£ô |

-| Barbados | Γ£ô | | | Γ£ô |

-| Belize | Γ£ô | | | Γ£ô |

-| Bermuda | Γ£ô | | | Γ£ô |

-| Bolivia | Γ£ô | | | Γ£ô |

-| Bonaire | Γ£ô | | | Γ£ô |

-| Brazil | Γ£ô | | Γ£ô | Γ£ô |

-| British Virgin Islands | Γ£ô | | | Γ£ô |

-| Canada | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Cayman Islands | Γ£ô | | | Γ£ô |

-| Chile | Γ£ô | | | Γ£ô |

-| Colombia | Γ£ô | | | Γ£ô |

-| Costa Rica | Γ£ô | | | Γ£ô |

-| Cuba | Γ£ô | | | Γ£ô |

-| Curaçao | ✓ | | | ✓ |

-| Dominica | Γ£ô | | | Γ£ô |

-| Dominican Republic | Γ£ô | | | Γ£ô |

-| Ecuador | Γ£ô | | | Γ£ô |

-| El Salvador | Γ£ô | | | Γ£ô |

-| Falkland Islands | Γ£ô | | | Γ£ô |

-| French Guiana | Γ£ô | | | Γ£ô |

-| Greenland | Γ£ô | | | Γ£ô |

-| Grenada | Γ£ô | | | Γ£ô |

-| Guadeloupe | Γ£ô | | | Γ£ô |

-| Guatemala | Γ£ô | | | Γ£ô |

-| Guyana | Γ£ô | | | Γ£ô |

-| Haiti | Γ£ô | | | Γ£ô |

-| Honduras | Γ£ô | | | Γ£ô |

-| Jamaica | Γ£ô | | | Γ£ô |

-| Martinique | Γ£ô | | | Γ£ô |

-| Mexico | Γ£ô | | | Γ£ô |

-| Montserrat | Γ£ô | | | Γ£ô |

-| Nicaragua | Γ£ô | | | Γ£ô |

-| Panama | Γ£ô | | | Γ£ô |

-| Paraguay | Γ£ô | | | Γ£ô |

-| Peru | Γ£ô | | | Γ£ô |

-| Puerto Rico | Γ£ô | | Γ£ô | Γ£ô |

-| Saint Barthélemy | ✓ | | | ✓ |

-| Saint Kitts & Nevis | Γ£ô | | | Γ£ô |

-| Saint Lucia | Γ£ô | | | Γ£ô |

-| Saint Martin | Γ£ô | | | Γ£ô |

-| Saint Pierre & Miquelon | Γ£ô | | | Γ£ô |

-| Saint Vincent & the Grenadines | Γ£ô | | | Γ£ô |

-| Sint Eustatius | Γ£ô | | | Γ£ô |

-| Sint Maarten | Γ£ô | | | Γ£ô |

-| South Georgia & South Sandwich Islands | Γ£ô | | | Γ£ô |

-| Suriname | Γ£ô | | | Γ£ô |

-| Trinidad & Tobago | Γ£ô | | | Γ£ô |

-| Turks & Caicos Islands | Γ£ô | | | Γ£ô |

-| U.S. Outlying Islands | Γ£ô | | | Γ£ô |

-| U.S. Virgin Islands | Γ£ô | | Γ£ô | Γ£ô |

-| United States | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Uruguay | Γ£ô | | | Γ£ô |

-| Venezuela | Γ£ô | | | Γ£ô |

-| Country/Region | Infrared satellite tiles | Minute forecast, Radar tiles | Severe weather alerts | Other* |

-|--|::|:-:|::|::|

-| Afghanistan | Γ£ô | | | Γ£ô |

-| American Samoa | Γ£ô | | Γ£ô | Γ£ô |

-| Australia | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Bangladesh | Γ£ô | | | Γ£ô |

-| Bhutan | Γ£ô | | | Γ£ô |

-| British Indian Ocean Territory | Γ£ô | | | Γ£ô |

-| Brunei | Γ£ô | | | Γ£ô |

-| Cambodia | Γ£ô | | | Γ£ô |

-| China | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Christmas Island | Γ£ô | | | Γ£ô |

-| Cocos (Keeling) Islands | Γ£ô | | | Γ£ô |

-| Cook Islands | Γ£ô | | | Γ£ô |

-| Fiji | Γ£ô | | | Γ£ô |

-| French Polynesia | Γ£ô | | | Γ£ô |

-| Guam | Γ£ô | | Γ£ô | Γ£ô |

-| Heard Island & McDonald Islands | Γ£ô | | | Γ£ô |

-| Hong Kong SAR | Γ£ô | | | Γ£ô |

-| India | Γ£ô | | | Γ£ô |

-| Indonesia | Γ£ô | | | Γ£ô |

-| Japan | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Kazakhstan | Γ£ô | | | Γ£ô |

-| Kiribati | Γ£ô | | | Γ£ô |

-| Korea | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Kyrgyzstan | Γ£ô | | | Γ£ô |

-| Laos | Γ£ô | | | Γ£ô |

-| Macao SAR | Γ£ô | | | Γ£ô |

-| Malaysia | Γ£ô | | | Γ£ô |

-| Maldives | Γ£ô | | | Γ£ô |

-| Marshall Islands | Γ£ô | | Γ£ô | Γ£ô |

-| Micronesia | Γ£ô | | Γ£ô | Γ£ô |

-| Mongolia | Γ£ô | | | Γ£ô |

-| Myanmar | Γ£ô | | | Γ£ô |

-| Nauru | Γ£ô | | | Γ£ô |

-| Nepal | Γ£ô | | | Γ£ô |

-| New Caledonia | Γ£ô | | | Γ£ô |

-| New Zealand | Γ£ô | | Γ£ô | Γ£ô |

-| Niue | Γ£ô | | | Γ£ô |

-| Norfolk Island | Γ£ô | | | Γ£ô |

-| North Korea | Γ£ô | | | Γ£ô |

-| Northern Mariana Islands | Γ£ô | | Γ£ô | Γ£ô |

-| Pakistan | Γ£ô | | | Γ£ô |

-| Palau | Γ£ô | | Γ£ô | Γ£ô |

-| Papua New Guinea | Γ£ô | | | Γ£ô |

-| Philippines | Γ£ô | | Γ£ô | Γ£ô |

-| Pitcairn Islands | Γ£ô | | | Γ£ô |

-| Samoa | Γ£ô | | | Γ£ô |

-| Singapore | Γ£ô | | | Γ£ô |

-| Solomon Islands | Γ£ô | | | Γ£ô |

-| Sri Lanka | Γ£ô | | | Γ£ô |

-| Taiwan | Γ£ô | | | Γ£ô |

-| Tajikistan | Γ£ô | | | Γ£ô |

-| Thailand | Γ£ô | | | Γ£ô |

-| Timor-Leste | Γ£ô | | | Γ£ô |

-| Tokelau | Γ£ô | | | Γ£ô |

-| Tonga | Γ£ô | | | Γ£ô |

-| Turkmenistan | Γ£ô | | | Γ£ô |

-| Tuvalu | Γ£ô | | | Γ£ô |

-| Uzbekistan | Γ£ô | | | Γ£ô |

-| Vanuatu | Γ£ô | | | Γ£ô |

-| Vietnam | Γ£ô | | | Γ£ô |

-| Wallis & Futuna | Γ£ô | | | Γ£ô |

-| Country/Region | Infrared satellite tiles | Minute forecast, Radar tiles | Severe weather alerts | Other* |

-|-|::|:-:|::|::|

-| Albania | Γ£ô | | | Γ£ô |

-| Andorra | Γ£ô | | Γ£ô | Γ£ô |

-| Armenia | Γ£ô | | | Γ£ô |

-| Austria | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Azerbaijan | Γ£ô | | | Γ£ô |

-| Belarus | Γ£ô | | | Γ£ô |

-| Belgium | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Bosnia & Herzegovina | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Bulgaria | Γ£ô | | Γ£ô | Γ£ô |

-| Croatia | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Cyprus | Γ£ô | | Γ£ô | Γ£ô |

-| Czechia | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Denmark | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Estonia | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Faroe Islands | Γ£ô | | | Γ£ô |

-| Finland | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| France | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Georgia | Γ£ô | | | Γ£ô |

-| Germany | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Gibraltar | Γ£ô | Γ£ô | | Γ£ô |

-| Greece | Γ£ô | | Γ£ô | Γ£ô |

-| Guernsey | Γ£ô | | | Γ£ô |

-| Hungary | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Iceland | Γ£ô | | Γ£ô | Γ£ô |

-| Ireland | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Isle of Man | Γ£ô | | | Γ£ô |

-| Italy | Γ£ô | | Γ£ô | Γ£ô |

-| Jan Mayen | Γ£ô | | | Γ£ô |

-| Jersey | Γ£ô | | | Γ£ô |

-| Kosovo | Γ£ô | | Γ£ô | Γ£ô |

-| Latvia | Γ£ô | | Γ£ô | Γ£ô |

-| Liechtenstein | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Lithuania | Γ£ô | | Γ£ô | Γ£ô |

-| Luxembourg | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| North Macedonia | Γ£ô | | Γ£ô | Γ£ô |

-| Malta | Γ£ô | | Γ£ô | Γ£ô |

-| Moldova | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Monaco | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Montenegro | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Netherlands | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Norway | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Poland | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Portugal | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Romania | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Russia | Γ£ô | | Γ£ô | Γ£ô |

-| San Marino | Γ£ô | | Γ£ô | Γ£ô |

-| Serbia | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Slovakia | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Slovenia | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Spain | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Svalbard | Γ£ô | | | Γ£ô |

-| Sweden | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Switzerland | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Turkey | Γ£ô | | | Γ£ô |

-| Ukraine | Γ£ô | | | Γ£ô |

-| United Kingdom | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

-| Vatican City | Γ£ô | | Γ£ô | Γ£ô |

-| Country/Region | Infrared satellite tiles | Minute forecast, Radar tiles | Severe weather alerts | Other* |

-|-|::|:-:|::|::|

-| Algeria | Γ£ô | | | Γ£ô |

-| Angola | Γ£ô | | | Γ£ô |

-| Bahrain | Γ£ô | | | Γ£ô |

-| Benin | Γ£ô | | | Γ£ô |

-| Botswana | Γ£ô | | | Γ£ô |

-| Bouvet Island | Γ£ô | | | Γ£ô |

-| Burkina Faso | Γ£ô | | | Γ£ô |

-| Burundi | Γ£ô | | | Γ£ô |

-| Cameroon | Γ£ô | | | Γ£ô |

-| Cape Verde | Γ£ô | | | Γ£ô |

-| Central African Republic | Γ£ô | | | Γ£ô |

-| Chad | Γ£ô | | | Γ£ô |

-| Comoros | Γ£ô | | | Γ£ô |

-| Congo (DRC) | Γ£ô | | | Γ£ô |

-| C├┤te d'Ivoire | Γ£ô | | | Γ£ô |

-| Djibouti | Γ£ô | | | Γ£ô |

-| Egypt | Γ£ô | | | Γ£ô |

-| Equatorial Guinea | Γ£ô | | | Γ£ô |

-| Eritrea | Γ£ô | | | Γ£ô |

-| eSwatini | Γ£ô | | | Γ£ô |

-| Ethiopia | Γ£ô | | | Γ£ô |

-| French Southern Territories | Γ£ô | | | Γ£ô |

-| Gabon | Γ£ô | | | Γ£ô |

-| Gambia | Γ£ô | | | Γ£ô |

-| Ghana | Γ£ô | | | Γ£ô |

-| Guinea | Γ£ô | | | Γ£ô |

-| Guinea-Bissau | Γ£ô | | | Γ£ô |

-| Iran | Γ£ô | | | Γ£ô |

-| Iraq | Γ£ô | | | Γ£ô |

-| Israel | Γ£ô | | Γ£ô | Γ£ô |

-| Jordan | Γ£ô | | | Γ£ô |

-| Kenya | Γ£ô | | | Γ£ô |

-| Kuwait | Γ£ô | | | Γ£ô |

-| Lebanon | Γ£ô | | | Γ£ô |

-| Lesotho | Γ£ô | | | Γ£ô |

-| Liberia | Γ£ô | | | Γ£ô |

-| Libya | Γ£ô | | | Γ£ô |

-| Madagascar | Γ£ô | | | Γ£ô |

-| Malawi | Γ£ô | | | Γ£ô |

-| Mali | Γ£ô | | | Γ£ô |

-| Mauritania | Γ£ô | | | Γ£ô |

-| Mauritius | Γ£ô | | | Γ£ô |

-| Mayotte | Γ£ô | | | Γ£ô |

-| Morocco | Γ£ô | | | Γ£ô |

-| Mozambique | Γ£ô | | | Γ£ô |

-| Namibia | Γ£ô | | | Γ£ô |

-| Niger | Γ£ô | | | Γ£ô |

-| Nigeria | Γ£ô | | | Γ£ô |

-| Oman | Γ£ô | | | Γ£ô |

-| Palestinian Authority | Γ£ô | | | Γ£ô |

-| Qatar | Γ£ô | | | Γ£ô |

-| Réunion | ✓ | | | ✓ |

-| Rwanda | Γ£ô | | | Γ£ô |

-| Saint Helena, Ascension, Tristan da Cunha | Γ£ô | | | Γ£ô |

-| São Tomé & Príncipe | ✓ | | | ✓ |

-| Saudi Arabia | Γ£ô | | | Γ£ô |

-| Senegal | Γ£ô | | | Γ£ô |

-| Seychelles | Γ£ô | | | Γ£ô |

-| Sierra Leone | Γ£ô | | | Γ£ô |

-| Somalia | Γ£ô | | | Γ£ô |

-| South Africa | Γ£ô | | | Γ£ô |

-| South Sudan | Γ£ô | | | Γ£ô |

-| Sudan | Γ£ô | | | Γ£ô |

-| Syria | Γ£ô | | | Γ£ô |

-| Tanzania | Γ£ô | | | Γ£ô |

-| Togo | Γ£ô | | | Γ£ô |

-| Tunisia | Γ£ô | | | Γ£ô |

-| Uganda | Γ£ô | | | Γ£ô |

-| United Arab Emirates | Γ£ô | | | Γ£ô |

-| Yemen | Γ£ô | | | Γ£ô |

-| Zambia | Γ£ô | | | Γ£ô |

-| Zimbabwe | Γ£ô | | | Γ£ô |

-| | Azure Monitor Metrics¹ | X | | X |

-| | Azure Monitor Metrics¹ | X | | | X |

- | Any role that includes the action *Microsoft.Resources/deployments/** | <ul><li>Subscription and/or</li><li>Resource group and/or </li></ul> | To deploy Azure Resource Manager templates |

-1. Check that the `ApplicationInsightsAgent_EXTENSION_VERSION` app setting is set to a value of `~2`.

-1. Select **Change details**.

-az resource create --resource-group divyaj-test --namespace microsoft.monitor --resource-type accounts --name testmac0929 --location westus2 --properties {}

-This guide walks you through migrating from using Azure diagnostic settings storage retention to using [Azure Storage lifecycle management](../../storage/blobs/lifecycle-management-policy-configure.md?tabs=azure-portal) for retention.

- Register for the [**configurable network features**](configure-network-features.md) to create volumes with standard network features. You can create new volumes choosing *Standard* or *Basic* network features in supported regions. In regions where the Standard network features aren't supported, the volume defaults to using the Basic network features.

-## Register the feature

-Follow the registration steps if you're using the feature for the first time.

-1. Register the feature by running the following commands:

- ```azurepowershell-interactive

- Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSDNAppliance

- Register-AzProviderFeature -ProviderNamespace Microsoft.Network -FeatureName AllowPoliciesOnBareMetal

- ```

-2. Check the status of the feature registration:

- > [!NOTE]

- > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to `Registered`. Wait until the status is `Registered` before continuing.

- ```azurepowershell-interactive

- Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSDNAppliance

- Get-AzProviderFeature -ProviderNamespace Microsoft.Network -FeatureName AllowPoliciesOnBareMetal

- ```

-You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.

-> The reverse resync operation overwrites any newer data (than the most common snapshot) in the source volume with the updated destination volume data. The UI warns you about the potential for data loss. You will be prompted to confirm the resync action before the operation starts.

- Standard network features now includes Global VNet peering. You must still [register the feature](configure-network-features.md#register-the-feature) before using it.

-| Will my device still power on? | The various backend services that allow the DK and Audio Accessory to fully function will be shut down upon retirement, rending the DK and Audio Accessory effectively unusable. The SoMs, such as the camera and Audio Accessory, will no longer be identified by the DK after retirement and thus effectively unusable. |

- "audiences": [

- "https://management.core.windows.net/",

- "https://management.azure.com/"

- ],

-The following example creates one storage account for each name provided in the `storageNames` parameter.

-The next example iterates over an array to define a property. It creates two subnets within a virtual network.

-To iterate over elements in a dictionary object, use the [items function](bicep-functions-object.md#items), which converts the object to an array. Use the `value` property to get properties on the objects.

-To deploy a template spec, you need **read** access to `Microsoft.Resources/templateSpecs` and `Microsoft.Resources/templateSpecs/versions`. You also need **write** access to any resources deployed by the template spec, and access to `Microsoft.Resources/deployments/*`.

-After you've created the template spec, users with **read** access to the template spec can deploy it. For information about granting access, see [Tutorial: Grant a group access to Azure resources using Azure PowerShell](../../role-based-access-control/tutorial-role-assignments-group-powershell.md).

-Don't use the concat function to create a resource ID. The following example **fails**.

-# How to Configure a custom domain for Azure SignalR Service

-description: How to secure outbound traffic through Shared Private Endpoints to avoid traffic go to public network

-# Secure Azure SignalR outbound traffic through Shared Private Endpoints

-Currently, there is an overlap between features offered by the [Azure Video Indexer APIs](https://api-portal.videoindexer.ai/) and the [Media Services v3 APIs](https://github.com/Azure/azure-rest-api-specs/blob/master/specification/mediaservices/resource-manager/Microsoft.Media/stable/2018-07-01/Encoding.json). The following table offers the current guideline for understanding the differences and similarities.

-description: This article discusses Azure Video Indexer compliance, privacy and security.

-# Compliance, Privacy and Security

-As an important reminder, you must comply with all applicable laws in your use of Azure Video Indexer, and you may not use Azure Video Indexer or any Azure service in a manner that violates the rights of others, or that may be harmful to others.

-Before uploading any video/image to Azure Video Indexer, You must have all the proper rights to use the video/image, including, where required by law, all the necessary consents from individuals (if any) in the video/image, for the use, processing, and storage of their data in Azure Video Indexer and Azure. Some jurisdictions may impose special legal requirements for the collection, online processing and storage of certain categories of data, such as biometric data. Before using Azure Video Indexer and Azure for the processing and storage of any data subject to special legal requirements, You must ensure compliance with any such legal requirements that may apply to You.

-To learn about compliance, privacy and security in Azure Video Indexer please visit the Microsoft [Trust Center](https://www.microsoft.com/TrustCenter/CloudServices/Azure/default.aspx). For Microsoft's privacy obligations, data handling and retention practices, including how to delete your data, please review Microsoft's [Privacy Statement](https://privacy.microsoft.com/PrivacyStatement), the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products?rtc=1) ("OST") and [Data Processing Addendum](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67) ("DPA"). By using Azure Video Indexer, you agree to be bound by the OST, DPA and the Privacy Statement.

-## Next steps

-[Azure Video Indexer overview](video-indexer-overview.md)

-## Compliance, Privacy and Security

-> [!Important]

-> Before you continue with Azure Video Indexer, read [Compliance, privacy and security](compliance-privacy-security.md).

-# Platform updates for Azure VMware Solution

-## July 8, 2022

-HCX cloud manager in Azure VMware Solution can now be accessible over a public IP address. You can pair HCX sites and create a service mesh from on-premises to Azure VMware Solution private cloud using Public IP.

-HCX with public IP is especially useful in cases where On-premises sites are not connected to Azure via Express Route or VPN. HCX service mesh appliances can be configured with public IPs to avoid lower tunnel MTUs due to double encapsulation if a VPN is used for on-premises to cloud connections.

-For more information, please see [Enable HCX over the internet](./enable-hcx-access-over-internet.md)

-## July 7, 2022

-All new Azure VMware Solution private clouds are now deployed with VMware vCenter Server version 7.0 Update 3c and ESXi version 7.0 Update 3c.

-Any existing private clouds will be upgraded to those versions. For more information, please see [VMware ESXi 7.0 Update 3c Release Notes](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html) and [VMware vCenter Server 7.0 Update 3c Release Notes](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3c-release-notes.html).

-You'll receive a notification through Azure Service Health that includes the timeline of the upgrade. You can reschedule an upgrade as needed. This notification also provides details on the upgraded component, its effect on workloads, private cloud access, and other Azure services.

-## June 7, 2022

-## May 23, 2022

-All new Azure VMware Solution private clouds in regions (Germany West Central, Australia East, Central US and UK West), are now deployed with VMware vCenter Server version 7.0 Update 3c and ESXi version 7.0 Update 3c.

-Any existing private clouds in the previously mentioned regions will be upgraded to those versions. For more information, please see [VMware ESXi 7.0 Update 3c Release Notes](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html) and [VMware vCenter Server 7.0 Update 3c Release Notes](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3c-release-notes.html).

-You'll receive a notification through Azure Service Health that includes the timeline of the upgrade. You can reschedule an upgrade as needed. This notification also provides details on the upgraded component, its effect on workloads, private cloud access, and other Azure services.

-## May 9, 2022

-All new Azure VMware Solution private clouds in regions (France Central, Brazil South, Japan West, Australia Southeast, Canada East, East Asia, and Southeast Asia), are now deployed with VMware vCenter Server version 7.0 Update 3c and ESXi version 7.0 Update 3c.

-Any existing private clouds in the previously mentioned regions will be upgraded to those versions. For more information, please see [VMware ESXi 7.0 Update 3c Release Notes](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html) and [VMware vCenter Server 7.0 Update 3c Release Notes](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3c-release-notes.html).

-You'll receive a notification through Azure Service Health that includes the timeline of the upgrade. You can reschedule an upgrade as needed. This notification also provides details on the upgraded component, its effect on workloads, private cloud access, and other Azure services.

-## February 18, 2022

-## December 22, 2021

-Azure VMware Solution (AVS) has completed maintenance activities to address critical vulnerabilities in Apache Log4j.

-The fixes documented in the VMware security advisory [VMSA-2021-0028.6](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) to address CVE-2021-44228 and CVE-2021-45046 have been applied to these AVS managed VMware products: vCenter Server, NSX-T Data Center, SRM and HCX.

-We strongly encourage customers to apply the fixes to on-premises HCX connector appliances.

-

-We also recommend customers to review the security advisory and apply the fixes for other affected VMware products or workloads.

-

-If you need any assistance or have questions, please [contact us](https://portal.azure.com/#home).

-## December 12, 2021

-VMware has announced a security advisory [VMSA-2021-0028](https://www.vmware.com/security/advisories/VMSA-2021-0028.html), addressing a critical vulnerability in Apache Log4j identified by CVE-2021-44228.

-Azure VMware Solution is actively monitoring this issue. We are addressing this issue by applying VMware recommended workarounds or patches for AVS managed VMware components as they become available.

-Please note that you may experience intermittent connectivity to these components when we apply a fix.

-We strongly recommend that you read the advisory and patch or apply the recommended workarounds for any additional VMware products that you may have deployed in Azure VMware Solution.

-If you need any assistance or have questions, please [contact us](https://portal.azure.com).

-## November 23, 2021

-## September 21, 2021

-Per VMware security advisory [VMSA-2021-0020](https://www.vmware.com/security/advisories/VMSA-2021-0020.html), multiple vulnerabilities in the VMware vCenter Server have been reported to VMware.

-

-To address the vulnerabilities (CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012,CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020) reported in VMware security advisory [VMSA-2021-0020](https://www.vmware.com/security/advisories/VMSA-2021-0020.html), vCenter Server has been updated to 6.7 Update 3o in all Azure VMware Solution private clouds. All new Azure VMware Solution private clouds are deployed with vCenter Server version 6.7 Update 3o.

-

-For more information, see [VMware vCenter Server 6.7 Update 3o Release Notes](https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html)

-

-No further action is required.

-## September 10, 2021

-All new Azure VMware Solution private clouds are now deployed with ESXi version ESXi670-202103001 (Build number: 17700523).

-ESXi hosts in existing private clouds have been patched to this version.

-For more information on this ESXi version, see [VMware ESXi 6.7, Patch Release ESXi670-202103001](https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202103001.html).

-## July 23, 2021

-## May 25, 2021

-Per VMware security advisory [VMSA-2021-0010](https://www.vmware.com/security/advisories/VMSA-2021-0010.html), multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5) have been reported to VMware.

-To address the vulnerabilities ([CVE-2021-21985](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985) and [CVE-2021-21986](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21986)) reported in VMware security advisory [VMSA-2021-0010](https://www.vmware.com/security/advisories/VMSA-2021-0010.html), vCenter Server has been updated in all Azure VMware Solution private clouds.

-No further action is required.

-## May 21, 2021

-

-Azure VMware Solution service will do maintenance work through May 23, 2021, to apply important updates to the vCenter Server in your private cloud. You'll receive a notification through Azure Service Health that includes the timeline of the maintenance for your private cloud.

-

-During this time, VMware vCenter Server will be unavailable and you won't be able to manage VMs (stop, start, create, or delete). It's recommended that, during this time, you don't plan any other activities like scaling up private cloud, creating new networks, and so on, in your private cloud.

-

-There is no impact to workloads running in your private cloud.

-## April 26, 2021

-## March 24, 2021

-All new Azure VMware Solution private clouds are deployed with VMware vCenter Server version 6.7U3l and NSX-T Data Center version 3.1.1. Any existing private clouds will be updated and upgraded **through June 2021** to the releases mentioned above.

-You'll receive an email with the planned maintenance date and time. You can reschedule an upgrade. The email also provides details on the upgraded component, its effect on workloads, private cloud access, and other Azure services. An hour before the upgrade, you'll receive a notification and then again when it finishes.

-## March 15, 2021

-For more information on this vCenter version, see [VMware vCenter Server 6.7 Update 3l Release Notes](https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3l-release-notes.html).

-## March 4, 2021

->[!NOTE]

->This is non-disruptive and should not impact Azure VMware Services or workloads. During maintenance, various VMware alerts, such as _Lost network connectivity on DVPorts_ and _Lost uplink redundancy on DVPorts_, appear in vCenter Server and clear automatically as the maintenance progresses.

- `az network vnet subnet update --vnet-name <vnetname> -n <subnetname> --resource-group <resourcegroup> --disable-private-endpoint-network-policies`

- - Use [**nodeManagement**](private-connectivity.md) private endpoint with Batch accounts, which provides private access to Batch node management service from the virtual network. This is the preferred method.

-1. Specify the remaining required settings, including the **Node size**, **Target dedicated nodes**, and **Target Spot/low-priority nodes**, as well as any desired optional settings.

-> If the private endpoint deployment failed due to invalid groupId "nodeManagement", please check if the region is in the supported list, and you've already opted in with [Simplified compute node communication](simplified-compute-node-communication.md). Choose the right region and opt in your Batch account, then retry the deployment.

-In a pool without public IP addresses, your virtual machines won't be able to access the public internet unless you configure your network setup appropriately, such as by using [virtual network NAT](../virtual-network/nat-gateway/nat-overview.md). Note that NAT only allows outbound access to the internet from the virtual machines in the virtual network. Batch-created compute nodes won't be publicly accessible, since they don't have public IP addresses associated.

-Another way to provide outbound connectivity is to use a user-defined route (UDR). This lets you route traffic to a proxy machine that has public internet access, for example [Azure Firewall](../firewall/overview.md).

-For existing pools that use the [previous preview version of Azure Batch No Public IP pool](batch-pool-no-public-ip-address.md), it's only possible to migrate pools created in a [virtual network](batch-virtual-network.md). To migrate the pool, follow the [opt-in process for simplified node communication](simplified-compute-node-communication.md):

-1. Opt in to use simplified node communication.

-1. Optionally, you can check the box next to **Add my own test script** and select test scripts to upload. Each training generates 100 sample audio files automatically, to help you test the model with a default script. You can also provide your own test script with up to 100 utterances. The generated audio files are a combination of the automatic test scripts and custom test scripts. For more information, see [test script requirements](#test-script-requirements).

-1. Optionally, you can add up to 10 custom speaking styles. Select **Add a custom style** and enter a custom style name of your choice. Select style samples as training data.

-| `style` | Specifies the speaking style. Speaking styles are voice specific. | Required if adjusting the speaking style for a neural voice. If you're using `mstts:express-as`, the style must be provided. If an invalid value is provided, this element is ignored. |

-For a list of supported styles per neural voice, see [supported voice styles and roles](language-support.md?tabs=stt-tts#voice-styles-and-roles).

-The MathML entities are not supported by XML syntax, so you must use the their corresponding [unicode characters](https://www.w3.org/2003/entities/2007/htmlmathml.json) to represent the entities, for example, the entity `&copy;` should be represented by its unicode characters `&#x00A9;`, otherwise an error will occur.

-1. In the [Azure portal](https://ms.portal.azure.com/), select **All services**.

-* Text data that has [been uploaded](design-schema.md#data-preparation) to your storage account.

-# Move projects and question answer sources

-> This article deals with the process to move projects and knowledge bases from one Language resource to another.

-You may want to create a copy of your project for several reasons:

-* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Azure Active Directory ID, Subscription, and language resource name you selected when you created the resource.

-Exporting a project allows you to move or back up all the sources question answer sources that are contained within a single project.

-1. Select the language resource you want to move a project from.

-1. On the **Projects** page, you have the options to export in two formats, Excel or TSV. This will determine the contents of the file. The file itself will be exported as a .zip containing all of your knowledge bases.

-1. Select the language resource, which will be the destination for your previously exported project.

-1. On the **Projects** page, select **Import** and choose the format used when you selected export. Then browse to the local .zip file containing your exported project. Enter a name for your newly imported project and select **Done**.

-## Export question and answers

-1. Select the language resource you want to move an individual question answer source from.

-1. Select the project that contains the question and answer source you wish to export.

-1. Select the language resource, which will be the destination for your previously exported question and answer source.

-1. Select the project where you want to import a question and answer source.

-**Test** the question answer source by selecting the **Test** option from the toolbar in the **Edit knowledge base** page which will launch the test panel. Learn how to [test your knowledge base](../../../qnamaker/How-To/test-knowledge-base.md).

-**Deploy** the knowledge base and create a chat bot. Learn how to [deploy your knowledge base](../../../qnamaker/Quickstarts/create-publish-knowledge-base.md#publish-the-knowledge-base).

-There is no way to move chat logs with projects or knowledge bases. If diagnostic logs are enabled, chat logs are stored in the associated Azure Monitor resource.

-| Requests per second per deployment | 10 |

-# Context and Actions

-## Table of Contents

-* [Context](#context) Information about the current user or state of the system

-* [Actions](#actions) A list of options to choose from

-* [Features](#features) Attributes describing the Context and Actions

-* [Feature Engineering](#feature-engineering) Tips for constructing impactful features

-* [Namespaces](#namespaces) Grouping Features

-* [Examples](#json-examples) Examples of Context and Action features in JSON format

-* Information about the state of the system.

-In some cases, you might not want events to be trained on by default, i.e., you only want to train events when a specific condition is met. For example, The personalized part of your webpage is below the fold (users have to scroll before interacting with the personalized content). In this case you will render the entire page, but only want an event to be trained on when the user scrolls and has a chance to interact with the personalized content. For these cases, you should [Defer Event Activation](concept-active-inactive-events.md) to avoid assigning default reward (and training) events which the end user did not have a chance to interact with.

-### Context Features

-### Action Features

-* Features for a certain action ID may be available one day, but later on become unavailable.

-### How feature types affects the Machine Learning in Personalizer

-* **Strings**: For string types, every key-value (feature name, feature value) combination is treated as a One-Hot feature (e.g. category:"Produce" and category:"Meat" would internally be represented as different features in the machine learning model.

-* **Arrays** ONLY numeric arrays are supported.

-## Feature Engineering

-* Use categorical and string types for features that are not a magnitude.

-### Improve feature sets

-Artificial Intelligence and ready-to-run Cognitive Services can be a very powerful addition to Personalizer.

-* You can run a movie file via [Video Indexer](https://azure.microsoft.com/services/media-services/video-indexer/) to extract scene elements, text, sentiment, and many other attributes. These attributes can then be made more dense to reflect characteristics that the original item metadata didn't have.

-* Information in text can be augmented by extracting entities, sentiment, expanding entities with Bing knowledge graph, etc.

-### Use Embeddings as Features

-Optionally, features can be organized using namespaces (relevant for both context and action features). Namespaces can be used to group features by topic, by source, or any other grouping that makes sense in your application. You determine if namespaces are used and what they should be. Namespaces organize features into distinct sets, and disambiguate features with similar names. You can think of namespaces as a 'prefix' that is added to feature names. Namespaces should not be nested.

-## JSON Examples

-JSON objects can include nested JSON objects and simple property/values. An array can be included only if the array items are numbers.

-JSON objects can include nested JSON objects and simple property/values. An array can be included only if the array items are numbers.

-In the following JSON, `user`, `environment`, `device`, and `activity` are namespaces.

-Prices for Azure Communication Services are generally based on a pay-as-you-go model. The prices in the following examples are for illustrative purposes and may not reflect the latest Azure pricing.

-**Total cost for the VoIP + escalation call**: $0.16 + $0.13 = $.29

-With Communication Services you can enhance your application with the ability to send and receive chat messages between two or more users. Chat SDKs are available for JavaScript, .NET, Python, and Java. Refer to [this page to learn about SDKs](./sdk-options.md)

-The SMS usage price is a per-message segment charge based on the destination of the message. The carrier surcharge is calculated based on the destination of the message for sent messages and based on the sender of the message for received messages. Please refer to the [SMS Pricing Page](./sms-pricing.md) for pricing details.

-Please refer to the following links for details on Telephony pricing

-Supported in General Availability, to set up inbound calling for Dynamics 365 OC with direct routing or Voice Calling (PSTN) follow [these instructions](/dynamics365/customer-service/voice-channel-inbound-calling)

-**Inbound calling with Power Virtual Agents**

-*Coming soon*

-[Available in private preview](../voice-video-calling/call-automation.md)

-Customers participating in Azure Bot Framework Telephony Channel preview can find the [instructions here](/azure/bot-service/bot-service-channel-connect-telephony)

-Toll-free numbers are 10-digit telephone numbers with distinct area codes that can be called from any phone number free of charge. For example, `+1 (800) XXX-XXXX` is a toll-free number in the North America region. These phone numbers are generally used for customer service purposes. Azure Communication Services offers toll-free numbers in the United states. These numbers can be used to place phone calls and to send SMS messages. Toll-free numbers cannot be used by people and can only be assigned to applications.

-**For more details about call destinations and pricing, refer to the [pricing page](../pricing.md).

-## Access your server call ID

-When troubleshooting issues with the Call Automation SDK, like call recording and call management problems, you'll need to collect the Server Call ID. This ID can be collected using the ```getServerCallId``` method.

-#### JavaScript

-```

-callAgent.on('callsUpdated', (e: { added: Call[]; removed: Call[] }): void => {

- e.added.forEach((addedCall) => {

- addedCall.on('stateChanged', (): void => {

- if (addedCall.state === 'Connected') {

- addedCall.info.getServerCallId().then(result => {

- dispatch(setServerCallId(result));

- }).catch(err => {

- console.log(err);

- });

- }

- });

- });

-});

-```

-zone_pivot_groups: acs-plat-android-web

-description: Provides a quick start for playing audio to participants as part of a call.

-zone_pivot_groups: acs-csharp-java

-# Quickstart: Play action

-> [!IMPORTANT]

-> Functionality described on this document is currently in private preview. Private preview includes access to SDKs and documentation for testing purposes that are not yet available publicly.

-> Apply to become an early adopter by filling out the form for [preview access to Azure Communication Services](https://aka.ms/ACS-EarlyAdopter).

-This quickstart will help you get started with playing audio files to participants by using the play action provided through Azure Communication Services Call Automation SDK.

-## Clean up resources

-If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).

-## Next steps

-description: Provides a quick start for recognizing user input from participants on a call.

-zone_pivot_groups: acs-csharp-java

-# Quickstart: Recognize action

-> [!IMPORTANT]

-> Functionality described on this document is currently in private preview. Private preview includes access to SDKs and documentation for testing purposes that are not yet available publicly.

-> Apply to become an early adopter by filling out the form for [preview access to Azure Communication Services](https://aka.ms/ACS-EarlyAdopter).

-This quickstart will help you get started with recognizing DTMF input provided by participants through Azure Communication Services Call Automation SDK.

-## Event codes

-|Status|Code|Subcode|Message|

-|-|--|--|--|

-|RecognizeCompleted|200|8531|Action completed, max digits received.|

-|RecognizeCompleted|200|8514|Action completed as stop tone was detected.|

-|RecognizeCompleted|400|8508|Action failed, the operation was canceled.|

-|RecognizeFailed|400|8510|Action failed, initial silence timeout reached|

-|RecognizeFailed|400|8532|Action failed, inter-digit silence timeout reached.|

-|RecognizeFailed|500|8511|Action failed, encountered failure while trying to play the prompt.|

-|RecognizeFailed|500|8512|Unknown internal server error.|

-## Clean up resources

-If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).

-## Next Steps

-Your application can acquire a token to call a Web API hosted in your container app on behalf of itself (not on behalf of a user). This scenario is useful for non-interactive daemon applications that perform tasks without a logged in user. It uses the standard OAuth 2.0 [client credentials](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md) grant.

-You can now [request an access token using the client ID and client secret](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#first-case-access-token-request-with-a-shared-secret) by setting the `resource` parameter to the **Application ID URI** of the target app. The resulting access token can then be presented to the target app using the standard [OAuth 2.0 Authorization header](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#use-the-access-token-to-access-the-secured-resource), and Container Apps Authentication / Authorization will validate and use the token as usual to now indicate that the caller (an application in this case, not a user) is authenticated.

-1. Similar to the previous scenario (before any roles were added), you can now [request an access token](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#first-case-access-token-request-with-a-shared-secret) for the same target `resource`, and the access token will include a `roles` claim containing the App Roles that were authorized for the client application.

- --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME> \

- --sdk-auth

- --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME> `

- --sdk-auth

-The return value from this command is a JSON payload, which includes the service principal's `tenantId`, `clientId`, and `clientSecret`.

- --service-principal-client-id <CLIENT_ID> \

- --service-principal-client-secret <CLIENT_SECRET> \

- --service-principal-tenant-id <TENANT_ID> \

- --service-principal-client-id <CLIENT_ID> `

- --service-principal-client-secret <CLIENT_SECRET> `

- --service-principal-tenant-id <TENANT_ID> `

-This response is the same as the [response for the Azure AD service-to-service access token request](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#service-to-service-access-token-response). To access Key Vault, you'll then add the value of `access_token` to a client connection with the vault.

-Next, declare a variable to hold the VNET name.

-This is achieved by translating the leaf properties of the operational data into the analytical store with distinct columns based on the data type of values in the property. The leaf property names are extended with data types as a suffix in the analytical store schema such that they can be queries without ambiguity.

-In the full fidelity schema representation, each datatype of each property will generate a column for that datatype. Each of them count as one of the 1000 maximum properties.

-The leaf property `streetNo` within the nested object `address` will be represented in the analytical store schema as a column `address.object.streetNo.int32`. The datatype is added as a suffix to the column. This way, if another document is added to the transactional store where the value of leaf property `streetNo` is "123" (note it's a string), the schema of the analytical store automatically evolves without altering the type of a previously written column. A new column added to the analytical store as `address.object.streetNo.string` where this value of "123" is stored.

-##### Data type to suffix map for full fidelity schema

-Here's a map of all the property data types and their suffix representations in the analytical store in full fidelity schema representation:

-the MongoDB `_id` field is fundamental to every collection in MongoDB and originally has a hexadecimal representation. As you can see in the table above, `Full Fidelity Schema` will preserve its characteristics, creating a challenge for its visualization in Azure Synapse Analytics. For correct visualization, you must convert the `_id` datatype as below:

-###### Spark

-###### SQL

- ```

-## Measuing change feed request unit consumption

-#### Criteria 1

-#### Criteria 2

-Next, find the total number of physical partitions. This metric is the distinct number of **PhysicalPartitionIds** in the **PhysicalPartitionThroughput** chart we saw in Criteria 1. In our example, we have five physical partitions.

-Based on criteria 1 and 2, our container can potentially benefit from merging partitions.

-description: Presents a Python code sample you can use to connect to and query using Azure Cosmos DB's API for MongoDB.

-# Quickstart: Get started using Azure Cosmos DB for MongoDB and Python

-> [!div class="op_single_selector"]

-> * [.NET](create-mongodb-dotnet.md)

-> * [Python](quickstart-python.md)

-> * [Java](quickstart-java.md)

-> * [Node.js](create-mongodb-nodejs.md)

-> * [Golang](quickstart-go.md)

->

-This [quickstart](https://github.com/Azure-Samples/azure-cosmos-db-mongodb-python-getting-started) demonstrates how to:

-1. Create an [Azure Cosmos DB for MongoDB account](introduction.md)

-2. Connect to your account using PyMongo

-3. Create a sample database and collection

-4. Perform CRUD operations in the sample collection

-## Prerequisites to run the sample app

-* [Python](https://www.python.org/downloads/) 3.9+ (It's best to run the [sample code](https://github.com/Azure-Samples/azure-cosmos-db-mongodb-python-getting-started) described in this article with this recommended version. Although it may work on older versions of Python 3.)

-* [PyMongo](https://pypi.org/project/pymongo/) installed on your machine

-<a id="create-account"></a>

-## Create a database account

-## Learn the object model

-Before you continue building the application, let's look into the hierarchy of resources in the API for MongoDB and the object model that's used to create and access these resources. The API for MongoDB creates resources in the following order:

-* Azure Cosmos DB for MongoDB account

-* Databases

-* Collections

-* Documents

-## Get the code

-Download the sample Python code [from the repository](https://github.com/Azure-Samples/azure-cosmos-db-mongodb-python-getting-started) or use git clone:

-```shell

-git clone https://github.com/Azure-Samples/azure-cosmos-db-mongodb-python-getting-started

-```

-## Retrieve your connection string

-When running the sample code, you have to enter your API for MongoDB account's connection string. Use the following steps to find it:

-1. In the [Azure portal](https://portal.azure.com/), select your Azure Cosmos DB account.

-2. In the left navigation select **Connection String**, and then select **Read-write Keys**. You'll use the copy buttons on the right side of the screen to copy the primary connection string.

-> [!WARNING]

-> Never check passwords or other sensitive data into source code.

-## Run the code

-```shell

-python run.py

-```

-## Understand how it works

-### Connecting

-The following code prompts the user for the connection string. It's never a good idea to have your connection string in code since it enables anyone with it to read or write to your database.

-```python

-CONNECTION_STRING = getpass.getpass(prompt='Enter your primary connection string: ') # Prompts user for connection string

-```

-The following code creates a client connection to your API for MongoDB and tests to make sure it's valid.

-```python

-client = pymongo.MongoClient(CONNECTION_STRING)

-try:

- client.server_info() # validate connection string

-except pymongo.errors.ServerSelectionTimeoutError:

- raise TimeoutError("Invalid API for MongoDB connection string or timed out when attempting to connect")

-```

-### Resource creation

-The following code creates the sample database and collection that will be used to perform CRUD operations. When creating resources programmatically, it's recommended to use the API for MongoDB extension commands (as shown here) because these commands have the ability to set the resource throughput (RU/s) and configure sharding.

-Implicitly creating resources will work but will default to recommended values for throughput and will not be sharded.

-```python

-# Database with 400 RU throughput that can be shared across the DB's collections

-db.command({'customAction': "CreateDatabase", 'offerThroughput': 400})

-```

-```python

- # Creates a unsharded collection that uses the DB s shared throughput

-db.command({'customAction': "CreateCollection", 'collection': UNSHARDED_COLLECTION_NAME})

-```

-### Writing a document

-The following inserts a sample document we will continue to use throughout the sample. We get its unique _id field value so that we can query it in subsequent operations.

-```python

-"""Insert a sample document and return the contents of its _id field"""

-document_id = collection.insert_one({SAMPLE_FIELD_NAME: randint(50, 500)}).inserted_id

-### Reading/Updating a document

-The following queries, updates, and again queries for the document that we previously inserted.

-```python

-print("Found a document with _id {}: {}".format(document_id, collection.find_one({"_id": document_id})))

-collection.update_one({"_id": document_id}, {"$set":{SAMPLE_FIELD_NAME: "Updated!"}})

-print("Updated document with _id {}: {}".format(document_id, collection.find_one({"_id": document_id})))

-### Deleting a document

-Lastly, we delete the document we created from the collection.

-```python

-"""Delete the document containing document_id from the collection"""

-collection.delete_one({"_id": document_id})

-In this quickstart, you've learned how to create an API for MongoDB account, create a database and a collection with code, and perform CRUD operations.

-Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.

-* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

-* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-capacity-planner.md)

-> [Import MongoDB data into Azure Cosmos DB](../../dms/tutorial-mongodb-cosmos-db.md?toc=%2fazure%2fcosmos-db%2ftoc.json%253ftoc%253d%2fazure%2fcosmos-db%2ftoc.json)

-* `Microsoft.Azure.Documents.Document`

-* `Microsoft.Azure.Documents.Resource`

-The Microsoft.Azure.Documents.UriFactory class has been replaced by the fluent design.

-The SDK v3 now defaults to Direct + TCP connection modes compared to the previous v2 SDK, which defaulted to Gateway + HTTPS connections modes. This change provides enhanced performance and scalability.

-`FeedOptions.MaxDegreeOfParallelism` has been renamed to `QueryRequestOptions.MaxConcurrency` and default value and associated behavior remains the same, operations run client side during parallel query execution will be executed serially with no-parallelism.

-`FeedOptions.EnableCrossPartitionQuery` has been removed and the default behavior in SDK 3.0 is that cross-partition queries will be executed without the need to enable the property specifically.

-`FeedOptions.PopulateQueryMetrics` is enabled by default with the results being present in the `FeedResponse.Diagnostics` property of the response.

-`FeedOptions.RequestContinuation` has now been promoted to the query methods themselves.

-The following properties have been removed:

-* `FeedOptions.DisableRUPerMinuteUsage`

-* `FeedOptions.EnableCrossPartitionQuery`

-* `FeedOptions.JsonSerializerSettings`

-* `FeedOptions.PartitionKeyRangeId`

-* `FeedOptions.PopulateQueryMetrics`

-Some settings in `ConnectionPolicy` have been renamed or replaced:

-Increase your RU/s to: `10,000 * P * 2 ^ (ROUNDUP(LOG_2 (S/(10,000 * P)))`. This gives the closest RU/s to the desired value that will ensure all partitions are split evenly.

-For example, suppose we have five physical partitions, 50,000 RU/s and want to scale to 150,000 RU/s. We should first set: `10,000 * 5 * 2 ^ (ROUND(LOG_2(150,000/(10,000 * 5)))` = 200,000 RU/s, and then lower to 150,000 RU/s.

- :::image type="content" source="./media/database-security/regenerate-secondary-key.png" alt-text="Screenshot of the Azure portal showing how to regenerate the secondary key" border="true":::

- :::image type="content" source="./media/database-security/regenerate-primary-key.png" alt-text="Screenshot of the Azure portal showing how to regenerate the primary key" border="true":::

- :::image type="content" source="./media/database-security/regenerate-primary-key.png" alt-text="Screenshot of the Azure portal showing how to regenerate the primary key" border="true":::

- :::image type="content" source="./media/database-security/regenerate-secondary-key.png" alt-text="Screenshot of the Azure portal showing how to regenerate the secondary key" border="true":::

-For information and sample code to configure RBAC for the Azure Cosmso DB for MongoDB, see [Configure role-based access control for your Azure Cosmso DB for MongoDB](mongodb/how-to-setup-rbac.md).

-> [!NOTE]

-> Serverless containers up to 1 TB are currently in preview with Azure Cosmos DB. To try the new feature, register the *"Azure Cosmos DB Serverless 1 TB Container Preview"* [preview feature in your Azure subscription](../azure-resource-manager/management/preview-features.md).

-description: Try Azure Cosmos DB free of charge. No sign-up or credit card required. It's easy to test your apps, deploy, and run small workloads free for 30 days. Upgrade your account at any time during your trial.

-[Try Azure Cosmos DB](https://aka.ms/trycosmosdb) makes it easy to try out Azure Cosmos DB for free before you commit. There's no credit card required to get started. Your account is free for 30 days. After expiration, a new sandbox account can be created. You can extend beyond 30 days for 24 hours. You can upgrade your active Try Azure Cosmos DB account at any time during the 30 day trial period. If you're using the API for NoSQL, migrate your Try Azure Cosmos DB data to your upgraded account.

-## Try Azure Cosmos DB limits

-| Duration of the trial | 30 days (a new trial can be requested after expiration) After expiration, the information stored is deleted. Prior to expiration you can upgrade your account and migrate the information stored. |

-| Maximum containers per subscription (API for NoSQL, Gremlin, Table) | 1 |

-| Maximum containers per subscription (API for MongoDB) | 3 |

-Try Azure Cosmos DB supports global distribution in only the Central US, North Europe, and Southeast Asia regions. Azure support tickets can't be created for Try Azure Cosmos DB accounts. However, support is provided for subscribers with existing support plans.

-* [API for NoSQL Quickstart](nosql/quickstart-portal.md#create-container-database)

-* [API for PostgreSQL Quickstart](postgresql/quickstart-create-portal.md)

-* [API for MongoDB Quickstart](mongodb/quickstart-python.md#learn-the-object-model)

-You can also get started with one of the learning resources in Data Explorer.

-1. Select the option to upgrade your current account in the Dashboard page or from the [Try Azure Cosmos DB](https://aka.ms/trycosmosdb) page.

- :::image type="content" source="media/try-free/upgrade-account.png" lightbox="media/try-free/upgrade-account.png" alt-text="Confirmation page for the account upgrade experience.":::

-1. Select **Sign up for Azure Account** & create an Azure Cosmos DB account.

-You can migrate your database from Try Azure Cosmos DB to your new Azure account if you're utilizing the API for NoSQL after you've signed up for an Azure account. Here are the steps to migrate.

-### Create an Azure Cosmos DB account

-Navigate back to the **Upgrade** page and select **Next** to move on to the third step and move your data.

-> You can have up to one free tier Azure Cosmos DB account per Azure subscription and must opt-in when creating the account. If you do not see the option to apply the free tier discount, this means another account in the subscription has already been enabled with free tier.

-## Migrate your Try Azure Cosmos DB data

-If you're using the API for NoSQL, you can migrate your Try Azure Cosmos DB data to your upgraded account. HereΓÇÖs how to migrate your Try Azure Cosmos DB database to your new Azure Cosmos DB API for NoSQL account.

-### Prerequisites

-* Must be using the Azure Cosmos DB API for NoSQL.

-* Must have an active Try Azure Cosmos DB account and Azure account.

-* Must have an Azure Cosmos DB account using the API for NoSQL in your Azure subscription.

-### Migrate your data

-1. Locate your **Primary Connection string** for the Azure Cosmos DB account you created for your data.

- 1. Go to your Azure Cosmos DB Account in the Azure portal.

- 1. Find the connection string of your new Azure Cosmos DB account within the **Keys** page of your new account.

- :::image type="content" source="media/try-free/migrate-data.png" lightbox="media/try-free/migrate-data.png" alt-text="Screenshot of the Keys page for an Azure Cosmos DB account.":::

-1. Insert the connection string of the new Azure Cosmos DB account in the **Upgrade your account** page.

-1. Provide your email address to be notified by email once the migration has been completed.

-1. Go to the [Try AzureAzure Cosmos DB](https://aka.ms/trycosmosdb) page.

-1. Select Delete my account.

- :::image type="content" source="media/try-free/upgrade-account.png" lightbox="media/try-free/upgrade-account.png" alt-text="Confirmation page for the account upgrade experience.":::

- * [Get started with Azure Cosmos DB for MongoDB](mongodb/quickstart-python.md#learn-the-object-model)

- - App Domain: `localhost.com`

- - Redirect URL: `https://www.localhost.com`

-## Service account for Self-hosted integration runtime

-The default log on service account of Self-hosted integration runtime is **NT SERVICE\DIAHostService**. You can see it in **Services -> Integration Runtime Service -> Properties -> Log on**.

-### Credential Sync

- A component of Integration Runtime has become unresponsive and restarts automatically. Component name: Integration Runtime (Self-hosted).

-When your self-hosted integration runtime is recovered from crash, you can either recover credential from the one you backup before or edit linked service and let the credential be pushed to self-hosted integration runtime again. Otherwise, the pipeline doesn't work due to the lack of credential when running via self-hosted integration runtime.

- * [Adding activities](#adding-activities)

- * [Iteration & conditionals container view](#iteration-and-conditionals-container-view)

- * [Simplified default monitoring view](#simplified-default-monitoring-view)

-#### Adding activities to the canvas

-> [!NOTE]

-> This experience is now available in the default ADF settings.

-You now have the option to add an activity using the Add button in the bottom right corner of an activity in the pipeline editor canvas. Clicking the button will open a drop-down list of all activities that you can add.

-Select an activity by using the search box or scrolling through the listed activities. The selected activity will be added to the canvas and automatically linked with the previous activity on success.

-#### Iteration and conditionals container view

-> [!NOTE]

-> This experience is now available in the default ADF settings.

-You can now view the activities contained iteration and conditional activities.

-##### Adding Activities

-You have two options to add activities to your iteration and conditional activities.

-1. Use the + button in your container to add an activity.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-12.png" alt-text="Screenshot of new activity container with the add button highlighted on the left side of the center of the screen.":::

-

- Clicking this button will bring up a drop-down list of all activities that you can add.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-13.png" alt-text="Screenshot of a drop-down list in the activity container with all the activities listed.":::

-

- Select an activity by using the search box or scrolling through the listed activities. The selected activity will be added to the canvas inside of the container.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-14.png" alt-text="Screenshot of the container with three activities in the center of the container.":::

-> [!NOTE]

-> If your container includes more than 5 activities, only the first 4 will be shown in the container preview.

-2. Use the edit button in your container to see everything within the container. You can use the canvas to edit or add to your pipeline.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-15.png" alt-text="Screenshot of the container with the edit button highlighted on the right side of a box in the center of the screen.":::

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-16.png" alt-text="Screenshot of the inside of the container with three activities linked together.":::

-

- Add additional activities by dragging new activities to the canvas or click the add button on the right-most activity to bring up a drop-down list of all activities.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-17.png" alt-text="Screenshot of the Add activity button in the bottom left corner of the right-most activity.":::

-

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-18.png" alt-text="Screenshot of the drop-down list of activities in the right-most activity.":::

-

- Select an activity by using the search box or scrolling through the listed activities. The selected activity will be added to the canvas inside of the container.

-##### Adjusting activity size

-Your containerized activities can be viewed in two sizes. In the expanded size, you will be able to see all the activities in the container.

-To save space on your canvas, you can also collapse the containerized view using the **Minimize** arrows found in the top right corner of the activity.

-This will shrink the activity size and hide the nested activities.

-If you have multiple container activities, you can save time by collapsing or expanding all activities at once by right clicking on the canvas. This will bring up the option to hide all nested activities.

-Click **Hide nested activities** to collapse all containerized activities. To expand all the activities, click **Show nested activities**, found in the same list of canvas options.

-### Monitoring experimental view

-UI (user interfaces) changes have been made to the monitoring page. These changes were made to simplify and streamline your monitoring experience.

-The monitoring experience remains the same as detailed [here](monitor-visually.md), except for items detailed below.

-#### Error message relocation to Status column

-Error messages have now been relocated to the **Status** column. This will allow you to easily view errors when you see a **Failed** pipeline run.

-Find the error icon in the pipeline monitoring page and in the pipeline **Output** tab after debugging your pipeline.

-This article explains and demonstrates the Azure Data Factory pricing model with detailed examples. You can also refer to the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/calculator/) for more specific scenarios and to estimate your future costs to use the service.

-This article applies to the **Azure Stack Edge 2207** release, which maps to software version number **2.2.2037.5375**. This software can be applied to your device if you're running at least Azure Stack Edge 2106 (2.2.1636.3457) software.

-The 2207 release has the following features and enhancements:

-This article applies to the **Azure Stack Edge 2209** release, which maps to software version **2.2.2088.5593**. This software can be applied to your device if you're running at least **Azure Stack Edge 2207** (2.2.2307.5375).

-# [Model 642GT](#tab/sku-a)

-| 1 | Model 642GT | 21.0 |

-| 3 | Model 642GT install handling, 4-post (without bezel and with inner rails attached) | 20.4 |

-| 5 | Model 642GT install handling, 2-post (without bezel and with inner rails attached) | 20.4 |

-| 7 | Model 642GT install handling without bezel | 19.8 |

-| 4 | 4-post in box | 6.28 |

-| 7 | 2-post in box | 3.08 |

- The alerts page shows the more details of the alerts and provides a **Take action** link with recommendations of how to mitigate the threat.

- > Adaptive application controls calculates events once every twelve hours. The "activity start time" shown in the alerts page is the time that adaptive application controls created the alert, **not** the time that the suspicious process was active.

-1. As a user with the role **Subscription Contributor**, from the toolbar on the alerts page, select **Create sample alerts**.

-1. In the Azure portal, navigate to the Defender for Cloud's alerts page.

-1. In the Azure portal, navigate to the Defender for Cloud's alerts page.

-1. Navigate to the Alerts page.

-1. Select **Create sample alerts**.

-> A live tile on [Microsoft Defender for Cloud's overview dashboard](overview-page.md) tracks the status of active threats to all your resources including databases. Select the tile to launch the Defender for Cloud alerts page and get an overview of active threats detected on your databases.

-1. From the email, select the **View the full alert** link to launch the Azure portal and show the alerts page, which provides an overview of active threats detected on the database.

-The alerts appear in Key Vault's **Security** page, the Workload protections, and Defender for Cloud's alerts page.

-1. On Defender for Cloud's alerts page, use the **Add filter** button to filter by alert name to the alert name **Security incident detected on multiple resources**.

- :::image type="content" source="media/incidents/locating-incidents.png" alt-text="Locating the incidents on the alerts page in Microsoft Defender for Cloud.":::

- :::image type="content" source="media/incidents/incidents-list.png" alt-text="List of incidents on the alerts page in Microsoft Defender for Cloud.":::

-| Add/assign initiatives (including) regulatory compliance standards) | - | - | - | Γ£ö | Γ£ö |

-| OS Packages | **Supported** <br> ΓÇó Alpine Linux 3.12-3.15 <br> ΓÇó Red Hat Enterprise Linux 6, 7, 8 <br> ΓÇó CentOS 6, 7 <br> ΓÇó Oracle Linux 6, 7, 8 <br> ΓÇó Amazon Linux 1, 2 <br> ΓÇó openSUSE Leap 42, 15 <br> ΓÇó SUSE Enterprise Linux 11, 12, 15 <br> ΓÇó Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye <br> ΓÇó Ubuntu 10.10-22.04 <br> ΓÇó FreeBSD 11.1-13.1 <br> ΓÇó Fedora 32, 33, 34, 35|

-1. For a locally-managed sensor, version 22.1.3 or higher, continue with [Upload a diagnostics log for support](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support-public-preview).

-### Clearing sensor data to factory default

-In cases where the sensor needs to be relocated or erased, the sensor can be reset to factory default data.

-> [!NOTE]

-> Network settings such as IP/DNS/GATEWAY will not be changed by clearing system data.

-**To clear system data**:

-1. Sign in to the sensor as the **cyberx** user.

-1. Select **Support** > **Clear system data**, and confirm that you do want to reset the sensor to factory default data.

- :::image type="content" source="media/how-to-troubleshoot-the-sensor-and-on-premises-management-console/warning-screenshot.png" alt-text="Screenshot of warning message.":::

-All allowlists, policies, and configuration settings are cleared, and the sensor is restarted.

-**Cause**: A retry request was received when the migration wasn't in a state allowing retrying.

-> [!NOTE]

-> Azure SQL Database targets are only available using the [Azure Data Studio Insiders](/sql/azure-data-studio/download-azure-data-studio#download-the-insiders-build-of-azure-data-studio) version of the Azure SQL Migration extension.

-description: This article shows how to send Auth0 events received by Azure Event Grid to Azure Monitor's Application Insights.

-# Send Auth0 events to Azure Monitor's Application Insights

-This article shows how to send Auth0 events received by Azure Event Grid to Azure Monitor's Application Insights.

- > You can use steps in the article to handle events from other event sources too. For a generic example of sending Event Grid events to Azure Blob Storage or Azure Monitor's Application Insights, see [this example on GitHub](https://github.com/awkwardindustries/azure-monitor-handler).

-Contact the Event Grid team at [askgrid@microsoft.com](mailto:askgrid@microsoft.com?subject=Interested&nbsp;to&nbsp;onboard&nbsp;as&nbsp;an&nbsp;Event&nbsp;Grid&nbsp;partner) communicating your interest in becoming a partner. We'll have a conversation with you providing detailed information on Partner EventsΓÇÖ use cases, personas, onboarding process, functionality, pricing, and more.

-1. Contact the Event Grid team at [askgrid@microsoft.com](mailto:askgrid@microsoft.com?subject=Interested&nbsp;to&nbsp;onboard&nbsp;as&nbsp;an&nbsp;Event&nbsp;Grid&nbsp;partner) communicating your interest in becoming a partner. Once you contact us, we'll guide you through the onboarding process and help your service get an entry card on our [Azure Event Grid gallery](https://portal.azure.com/#create/Microsoft.EventGridPartnerTopic) so that your service can be found on the Azure portal.

-|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aks.ms/appservice-vnet-service-endpoint](https://aks.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

-|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aks.ms/appservice-vnet-service-endpoint](https://aks.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

-|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aks.ms/appservice-vnet-service-endpoint](https://aks.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

-|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aks.ms/appservice-vnet-service-endpoint](https://aks.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

-|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aks.ms/appservice-vnet-service-endpoint](https://aks.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

- Install-Module -Name Az.ResourceGraph

-> See [Manage app and resource access using Azure Active Directory groups](../../active-directory/fundamentals/active-directory-manage-groups.md), to learn more about AAD security groups. For more information on how OAuth tokens work, see [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../../active-directory/azuread-dev/v1-protocols-oauth-code.md).

-> [!NOTE]

-> Spark 3.1.2 (HDI 5.0) doesnΓÇÖt support IO Cache.

-For example like when you use [authorization code flow](../../active-directory/azuread-dev/v1-protocols-oauth-code.md), accessing a FHIR server goes through the following four steps:

-1. The client sends a request to the `/authorize` endpoint of Azure AD. Azure AD will redirect the client to a sign-in page where the user will authenticate using appropriate credentials (for example username and password or two-factor authentication). See details on [obtaining an authorization code](../../active-directory/azuread-dev/v1-protocols-oauth-code.md#request-an-authorization-code). Upon successful authentication, an *authorization code* is returned to the client. Azure AD will only allow this authorization code to be returned to a registered reply URL configured in the client application registration.

-1. The client application exchanges the authorization code for an *access token* at the `/token` endpoint of Azure AD. When you request a token, the client application may have to provide a client secret (the applications password). See details on [obtaining an access token](../../active-directory/azuread-dev/v1-protocols-oauth-code.md#use-the-authorization-code-to-request-an-access-token).

-Azure AD has two different versions of the OAuth 2.0 endpoints, which are referred to as `v1.0` and `v2.0`. Both of these versions are OAuth 2.0 endpoints and the `v1.0` and `v2.0` designations refer to differences in how Azure AD implements that standard.

-When using a FHIR server, you can use either the `v1.0` or the `v2.0` endpoints. The choice may depend on the authentication libraries you're using in your client application.

-The pertinent sections of the Azure AD documentation are:

-* `v1.0` endpoint:

- * [Authorization code flow](../../active-directory/azuread-dev/v1-protocols-oauth-code.md).

- * [Client credentials flow](../../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md).

-* `v2.0` endpoint:

- * [Authorization code flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md).

- * [Client credentials flow](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).

-1. **Confidential clients**, also known as web apps in Azure AD. Confidential clients are applications that use [authorization code flow](../../active-directory/azuread-dev/v1-protocols-oauth-code.md) to obtain a token on behalf of a signed in user presenting valid credentials. They're called confidential clients because they're able to hold a secret and will present this secret to Azure AD when exchanging the authentication code for a token. Since confidential clients are able to authenticate themselves using the client secret, they're trusted more than public clients and can have longer lived tokens and be granted a refresh token. Read the details on how to [register a confidential client](register-confidential-azure-ad-client-app.md). Note it's important to register the reply URL at which the client will be receiving the authorization code.

-1. Service clients. These clients obtain tokens on behalf of themselves (not on behalf of a user) using the [client credentials flow](../../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md). They typically represent applications that access the FHIR server in a non-interactive way. An example would be an ingestion process. When using a service client, it isn't necessary to start the process of getting a token with a call to the `/authorize` endpoint. A service client can go straight to the `/token` endpoint and present client ID and client secret to obtain a token. Read the details on how to [register a service client](register-service-azure-ad-client-app.md)

-Using [authorization code flow](../../active-directory/azuread-dev/v1-protocols-oauth-code.md) as an example, accessing a FHIR server goes through the four steps below:

-1. The client sends a request to the `/authorize` endpoint of Azure AD. Azure AD will redirect the client to a sign-in page where the user will authenticate using appropriate credentials (for example username and password or two-factor authentication). See details on [obtaining an authorization code](../../active-directory/azuread-dev/v1-protocols-oauth-code.md#request-an-authorization-code). Upon successful authentication, an *authorization code* is returned to the client. Azure AD will only allow this authorization code to be returned to a registered reply URL configured in the client application registration (see below).

-1. The client application exchanges the authorization code for an *access token* at the `/token` endpoint of Azure AD. When requesting a token, the client application may have to provide a client secret (the applications password). See details on [obtaining an access token](../../active-directory/azuread-dev/v1-protocols-oauth-code.md#use-the-authorization-code-to-request-an-access-token).

-Azure AD has two different versions of the OAuth 2.0 endpoints, which are referred to as `v1.0` and `v2.0`. Both of these versions are OAuth 2.0 endpoints and the `v1.0` and `v2.0` designations refer to differences in how Azure AD implements that standard.

-When using a FHIR server, you can use either the `v1.0` or the `v2.0` endpoints. The choice may depend on the authentication libraries you're using in your client application.

-The pertinent sections of the Azure AD documentation are:

-* `v1.0` endpoint:

- * [Authorization code flow](../../active-directory/azuread-dev/v1-protocols-oauth-code.md).

- * [Client credentials flow](../../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md).

-* `v2.0` endpoint:

- * [Authorization code flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md).

- * [Client credentials flow](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).

-description: In this tutorial, you'll learn how to enable device data routing from IoT Hub into the FHIR service through MedTech service.

-MedTech service may be used with devices created and managed through Azure IoT Hub for enhanced workflows and ease of use.

-This tutorial provides the steps to connect and route device data from IoT Hub to your MedTech service.

-Below is a diagram of the IoT device message flow from IoT Hub into MedTech service:

-## Create a managed identity for IoT Hub

-For this tutorial, we'll be using an IoT Hub with a [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to provide access from the IoT Hub to the MedTech service device message event hub.

-For more information about how to create a system-assigned managed identity with your IoT Hub, see [IoT Hub support for managed identities](../../iot-hub/iot-hub-managed-identity.md#system-assigned-managed-identity).

-For more information on Azure role-based access control, see [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).

-## Connect IoT Hub with the MedTech service

-Azure IoT Hub supports a feature called [message routing](../../iot-hub/iot-hub-devguide-messages-d2c.md). Message routing provides the capability to send device data to various Azure services (for example: event hub, Storage Accounts, and Service Buses). MedTech service uses this feature to allow an IoT Hub to connect and send device messages to the MedTech service device message event hub endpoint.

-Follow these directions to grant access to the IoT Hub system-assigned managed identity to your MedTech service device message event hub and set up message routing: [Configure message routing with managed identities](../../iot-hub/iot-hub-managed-identity.md#egress-connectivity-from-iot-hub-to-other-azure-resources).

-## Send device message to IoT Hub

-> [!TIP]

-> [Visual Studio Code with the Azure IoT Hub extension](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools) is a recommended method for sending IoT device messages to your IoT Hub for testing and troubleshooting.

-Use your device (real or simulated) to send the sample heart rate message shown below to the IoT Hub.

-This message will get routed to MedTech service, where the message will be transformed into a FHIR Observation resource and stored into FHIR service.

-> [!IMPORTANT]

-> To avoid device spoofing in device-to-cloud messages, Azure IoT Hub enriches all messages with additional properties. To learn more about these properties, see [Anti-spoofing properties](../../iot-hub/iot-hub-devguide-messages-construct.md#anti-spoofing-properties).

->

-> To learn about IoT Hub device message enrichment and IotJsonPathContentTemplate mappings usage with the MedTech service device mapping, see [How to use IotJsonPathContentTemplate mappings](how-to-use-iot-jsonpath-content-mappings.md).

-**Sample IoT device message to send to IoT Hub**

-```json

-{

- "HeartRate": 80,

- "RespiratoryRate": 12,

- "HeartRateVariability": 64,

- "BodyTemperature": 99.08839032397609,

- "BloodPressure": {

- "Systolic": 23,

- "Diastolic": 34

- },

- "Activity": "walking"

-}

-```

-> [!IMPORTANT]

-> Make sure to send the device message that conforms to the [Device mappings](how-to-use-device-mappings.md) and [FHIR destinations mappings](how-to-use-fhir-mappings.md) configured with your MedTech service.

-## View device data in FHIR service

-You can view the FHIR Observation resource(s) created by the MedTech service on the FHIR service using Postman. For information, see [Access the FHIR service using Postman](./../fhir/use-postman.md), and make a `GET` request to `https://your-fhir-server-url/Observation?code=http://loinc.org|8867-4` to view Observation FHIR resources with heart rate value submitted in the above sample message.

-> Ensure that your user has appropriate access to FHIR service data plane. Use [Azure role-based access control (Azure RBAC)](../azure-api-for-fhir/configure-azure-rbac.md) to assign required data plane roles.

-In this tutorial, you set up an Azure IoT Hub to route device data to MedTech service.

-To learn about the different stages of data flow within MedTech service, see

->[!div class="nextstepaction"]

->[MedTech service data flow](iot-data-flow.md)

-FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

-# Device mappings overview

-## How to configure device mappings

-

-> [!Note]

-> If you change your URL, your old URL can be taken by another Azure IoT Central customer. If that happens, it is no longer available for you to use. When you change your URL, the old URL no longer works, and you need to notify your users about the new URL to use.

-> [!Note]

-> To delete an application, you must also have permissions to delete resources in the Azure subscription you chose when you created the application. To learn more, see [Assign Azure roles to manage access to your Azure subscription resources](../../role-based-access-control/role-assignments-portal.md).

-In the following screenshot, the conditions check when the temperature is greater than 70&deg; F and the humidity is less than 10. When any of these statements are true, the rule evaluates to true and triggers an action.

-> Currently only Telemetry Conditions are supported.

- :::image type="content" source="media/howto-configure-rules/webhook-create.png" alt-text="Screenshot that shows the webhook creation screen.":::

- :::image type="content" source="media/howto-create-custom-analytics/data-export-1.png" alt-text="Screenshot showing data export destination.":::

- :::image type="content" source="media/howto-create-custom-analytics/data-export-2.png" alt-text="Screenshot showing data export definition.":::

-| Region | Your nearest region |

-The examples and screenshots in this article use the **United States** region. Choose a location close to you and make sure you create all your resources in the same region.

-| OS | Windows |

-| Hosting Plan | Consumption Plan |

-| Location | East US |

-1. From the Sendgrid Dashboard Settings on the left menu, select **API Keys**.

-1. Click **Create API Key.**

-1. Click **Create & View**.

- :::image type="content" source="media/howto-create-custom-rules/sendgrid-api-keys.png" alt-text="Screenshot of the Create SendGrid API key.":::

-Afterwards, you will be given an API key. Save this string for later use.

-Your Event Hubs namespace looks like the following screenshot:

-1. In the Azure portal, navigate to the **App Service** instance in the **DetectStoppedDevices** resource group.

-1. Select **+** to create a new function.

-1. Select **HTTP Trigger**.

-1. Select **Add**.

- :::image type="content" source="media/howto-create-custom-rules/add-function.png" alt-text="Image of the Default HTTP trigger function":::

-The portal creates a default function called **HttpTrigger1**:

- You may see an error message until you save the new code.

-1. Click **OK.**

- :::image type="content" source="media/howto-create-custom-rules/add-key.png" alt-text="Screenshot of Add Sangrid Key.":::

-1. Select **Integrate**.

-1. Choose **Add Output** under **HTTP ($return)**.

-1. Choose **+ New Output**.

-1. For Binding Type, then choose **SendGrid**.

-1. For SendGrid API Key Setting Type, click New.

-| Message parameter name | Choose your name |

-| To address | Choose the name of your To Address |

-| From address | Choose the name of your From Address |

-| Message subject | Enter your subject header |

-| Message text | Enter the message from your integration |

-1. Select **OK**.

- :::image type="content" source="media/howto-create-custom-rules/add-output.png" alt-text="Screenshot of Add SandGrid Output.":::

-To test the function in the portal, first choose **Logs** at the bottom of the code editor. Then choose **Test** to the right of the code editor. Use the following JSON as the **Request body**:

- :::image type="content" source="media/howto-create-custom-rules/stream-analytics.png" alt-text="Screenshot of Stream Analytics.":::

-## Configure export in IoT Central

- | Enrichments | Enter desired key / Value of how you want the exported data to be organized |

- :::image type="content" source="media/howto-create-custom-rules/cde-configuration.png" alt-text="Screenshot of the Data Export.":::

-Then select the permissions for the role:

- :::image type="content" source="media/howto-create-private-endpoint/private-dns-integrationΓÇï.png" alt-text="Screenshot from Azure portal that shows private D N S integration.":::

-

-

-

-

-

- :::image type="content" source="media/howto-customize-ui/upload-custom-text.png" alt-text="Screenshot showing how to upload custom text file.":::

- :::image type="content" source="media/howto-customize-ui/updated-ui-text.png" alt-text="Screenshot that shows updated text in the U I.":::

-1. Select **+ New job**.

-1. Choose **Cloud property**, **Property**, **Command**, **Change device template**, or **Change edge deployment manifest** as the **Job type**:

- To configure a **Property** job, select a property and set its new value. A property job can set multiple properties. To configure a **Command** job, choose the command to run. To configure a **Change device template** job, select the device template to assign to the devices in the device group. To configure a **Change edge deployment manifest** job, select the IoT Edge deployment manifest to assign to the IoT Edge devices in the device group.

-1. Select **Next** to move to the **Delivery Options** page. The **Delivery Options** page lets you set the delivery options for this job: **Batches** and **Cancellation threshold**.

- :::image type="content" source="media/howto-manage-devices-in-bulk/job-wizard-schedule-review.png" alt-text="Screenshot of scheduled job wizard review page":::

-1. In the job wizard, you can choose to not schedule a job, and run it immediately. The following screenshot shows a job without a schedule that's ready to run immediately. Select **Run** to run the job:

- When the job is complete, you can select **Results log** to download a CSV file of your job details, including the devices and their status values. This information can be useful for troubleshooting.

- :::image type="content" source="media/howto-manage-devices-in-bulk/download-details.png" alt-text="Screenshot that shows device status":::

-To copy an existing job, select an executed job. Select **Copy** on the job results page or jobs details page:

-A copy of the job configuration opens for you to edit, and **Copy** is appended to the job name.

-You can rerun a job that has failed devices. Select **Rerun on failed**:

-To register a large number of devices to your application, you can bulk import devices from a CSV file. You can find an example CSV file in the [Azure Samples repository](https://github.com/Azure-Samples/iot-central-docs-samples/tree/main/bulk-upload-devices). The CSV file should include the following column headers:

- :::image type="content" source="media/howto-manage-devices-in-bulk/bulk-import-1.png" alt-text="Screenshot showing import action settings.":::

- :::image type="content" source="media/howto-manage-devices-in-bulk/bulk-import-2.png" alt-text="Screenshot showing import success.":::

- 

-1. In the right-hand pane of the **Devices** page, you see a list of devices accessible to your organization created from that device template. Choose an individual device to see the device details page for that device:

- :::image type="content" source="media/howto-manage-devices-individually/device-list.png" alt-text="Screenshot showing device list.":::

- :::image type="content" source="media/howto-manage-devices-individually/change-device-organization.png" alt-text="Screenshot that shows how to move a device to a new organization.":::

-1. On the left panel, choose **All devices**:

- :::image type="content" source="media/howto-manage-devices-individually/unassociated-devices-1.png" alt-text="Screenshot showing unassigned devices.":::

-1. Use the filter on the grid to determine if the value in the **Device Template** column is **Unassigned** for any of your devices.

-1. Select the devices you want to assign to a template.

- :::image type="content" source="media/howto-manage-devices-individually/unassociated-devices-2.png" alt-text="Screenshot showing how to assign a device.":::

-

- :::image type="content" source="media/howto-manage-users-roles/manage-users.png" alt-text="Screenshot of manage users page in IoT Central." lightbox="media/howto-manage-users-roles/manage-users.png":::

- :::image type="content" source="media/howto-manage-users-roles/add-user.png" alt-text="Screenshot to add a user and select a role." lightbox="media/howto-manage-users-roles/add-user.png":::

- :::image type="content" source="media/howto-map-data/manage-device.png" alt-text="Screenshot that shows the **Map data** menu item.":::

- :::image type="content" source="media/howto-map-data/raw-data.png" alt-text="Screenshot that shows the **Add alias** option on the **Raw data** view.":::

-1. Select **Accounts in this organizational directory only (iot-partners only - Single tenant)**.

- :::image type="content" source="media/howto-migrate-to-iot-hub/azure-active-directry-app.png" alt-text="Screenshot that shows the Azure Active Directory application in the Azure portal.":::

- :::image type="content" source="media/howto-migrate-to-iot-hub/destination-devices.png" alt-text="Screenshot of IoT Hub in the Azure portal that shows the provisioned devices.":::

- :::image type="content" source="media/howto-migrate-to-iot-hub/destination-metrics.png" alt-text="Screenshot of IoT Hub in the Azure portal that shows telemetry metrics for the migrated devices.":::

-You want to use an IoT Edge module to transform the data and convert the temperature value from `Celsius` to `Fahrenheit` before sending it to IoT Central:

-When a device connects to the provisioning service, the service prioritizes more specific enrollment entries over less specific enrollment entries. That is, if an individual enrollment for the device exists, the provisioning service applies that entry. If there is no individual enrollment for the device and an enrollment group for the first intermediate certificate in the device's certificate chain exists, the service applies that entry, and so on, down the chain to the root. The service applies the first applicable entry that it finds, such that:

-This mechanism and the hierarchical structure of certificate chains provides powerful flexibility in how you can control access for individual devices as well as for groups of devices. For example, imagine five devices with the following certificate chains:

-Initially, you can create a single enabled group enrollment entry for the root certificate to enable access for all five devices. If certificate B later becomes compromised, you can create a disabled enrollment group entry for certificate B to prevent *Device 4* and *Device 5* from enrolling. If still later *Device 3* becomes compromised, you can create a disabled individual enrollment entry for its certificate. This revokes access for *Device 3*, but still allows *Device 1* and *Device 2* to enroll.

-## Choose regions that support availability zones

-description: This article describes the policies available for Azure Lab Services.

-# WhatΓÇÖs new with Azure Policy for Lab Services?

-Azure Policy helps you manage and prevent IT issues by applying policy definitions that enforce rules and effects for your resource. Azure Lab Services has added four built-in Azure policies. This article summarizes the new policies available in the August 2022 Update for Azure Lab Services.

-1. Lab Services should enable all options for auto shutdown

-1. Lab Services should not allow template virtual machines for labs

-1. Lab Services should require non-admin user for labs

-1. Lab Services should restrict allowed virtual machine SKU sizes

-For a full list of built-in policies, including policies for Lab Services, see [Azure Policy built-in policy definitions](../governance/policy/samples/built-in-policies.md#lab-services).

-## Lab Services should enable all options for auto shutdown

-This policy enforces that all [shutdown options](how-to-configure-auto-shutdown-lab-plans.md) are enabled while creating the lab. During policy assignment, lab administrators can choose the following effects.

-|--|--|

-|**Audit**|Labs will show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when all shutdown options are not enabled for a lab. |

-|**Deny**|Lab creation will fail if all shutdown options are not enabled. |

-## Lab Services should not allow template virtual machines for labs

-This policy can be used to restrict [customization of lab templates](tutorial-setup-lab.md). When you create a new lab, you can select to *Create a template virtual machine* or *Use virtual machine image without customization*. If this policy is enabled, only *Use virtual machine image without customization* is allowed. During policy assignment, lab administrators can choose the following effects.

-|--|--|

-|**Audit**|Labs will show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when a template virtual machine is used for a lab.|

-|**Deny**|Lab creation to fail if ΓÇ£create a template virtual machineΓÇ¥ option is used for a lab.|

-## Lab Services requires non-admin user for labs

-This policy is used to enforce using non-admin accounts while creating a lab. With the August 2022 Update, you can choose to add a non-admin account to the VM image. This new feature allows you to keep separate credentials for VM admin and non-admin users. For more information to create a lab with a non-admin user, see [Tutorial: Create and publish a lab](tutorial-setup-lab.md#create-a-lab), which shows how to give a student non-administrator account rather than default administrator account on the ΓÇ£Virtual machine credentialsΓÇ¥ page of the new lab wizard.

-During the policy assignment, the lab administrator can choose the following effects.

-|--|--|

-|**Audit**|Labs show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when non-admin accounts are not used while creating the lab.|

-|**Deny**|Lab creation will fail if ΓÇ£Give lab users a non-admin account on their virtual machinesΓÇ¥ is not checked while creating a lab.|

-## Lab Services should restrict allowed virtual machine SKU sizes

-This policy is used to enforce which SKUs can be used while creating the lab. For example, a lab administrator might want to prevent educators from creating labs with GPU SKUs since they are not needed for any classes being taught. This policy would allow lab administrators to enforce which SKUs can be used while creating the lab.

-During the policy assignment, the Lab Administrator can choose the following effects.

-|--|--|

-|**Audit**|Labs show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when a non-allowed SKU is used while creating the lab.|

-|**Deny**|Lab creation will fail if SKU chosen while creating a lab is not allowed as per the policy assignment.|

-In addition to the new built-in policies described above, you can create and apply custom policies. This technique is helpful in situations where none of the built-in policies apply or where you need more granularity.

-See the following articles:

-* **Chain** - A Gateway Load Balancer can be referenced by a Standard Public Load Balancer frontend or a Standard Public IP configuration on a virtual machine. The addition of advanced networking capabilities in a specific sequence is known as service chaining. As a result, this reference is called a chain.

-These resources are ephemeral and exist only for the duration of the load test run. If you restrict access to your virtual network, you need to [configure your virtual network](#configure-your-virtual-network) to enable communication between these Azure Load Testing and the injected VMs.

-### Creating or updating the load test fails with `Subnet ID passed is invalid`

-To configure a load test in a virtual network, you must have sufficient permissions for managing virtual networks. You require the [Network Contributor](/azure/role-based-access-control/built-in-roles#network-contributor) role, or a parent of this role, on the virtual network. See [Check access for a user to Azure resources](/azure/role-based-access-control/check-access) to verify your permissions.

-### Starting the load test fails with `Test cannot be started`

-To start a load test, you must have sufficient permissions to deploy Azure Load Testing to the virtual network. You require the [Network Contributor](/azure/role-based-access-control/built-in-roles#network-contributor) role, or a parent of this role, on the virtual network. See [Check access for a user to Azure resources](/azure/role-based-access-control/check-access) to verify your permissions.

-If you're using the [Azure Load Testing REST API](/rest/api/loadtesting/) to start a load test, check that you're using a valid subnet ID. The subnet must be in the same Azure region as your Azure Load Testing resource.

-### The load test is stuck in `Provisioning` state and then goes to `Failed`

-1. Verify that your subscription is registered with `Microsoft.Batch`.

- Run the following Azure CLI command to verify the status. The result should be `Registered`.

- az provider show --namespace Microsoft.Batch --query registrationState

-1. Verify that Microsoft Batch node management and the Azure Load Testing IPs can make inbound connections to the test engine VMs.

- 1. Enable [Network Watcher](/azure/network-watcher/network-watcher-monitoring-overview) for the virtual network region.

- ```azurecli

- az network watcher configure \

- --resource-group NetworkWatcherRG \

- --locations eastus \

- --enabled

- ```

- 1. Create a temporary VM with a Public IP in the subnet you're using for the Azure Load Testing service. You'll only use this VM to diagnose the network connectivity and delete it afterwards. The VM can be of any type.

- ```azurecli

- az vm create \

- --resource-group myResourceGroup \

- --name myVm \

- --image UbuntuLTS \

- --generate-ssh-keys \

- --subnet mySubnet

- ```

- 1. Test the inbound connectivity to the temporary VM from the `BatchNodeManagement` service tag.

- 1. In the [Azure portal](https://portal.azure.com), go to **Network Watcher**.

- 1. On the left pane, select **NSG Diagnostic**.

- 1. Enter the details of the VM you created in the previous step.

- 1. Select **Service Tag** for the **Source type**, and then select **BatchNodeManagement** for the **Service tag**.

- 1. The **Destination IP address** is the IP address of the VM you created in previous step.

- 1. For **Destination port**, you have to validate two ports: *29876* and *29877*. Enter one value at a time and move to the next step.

- 1. Press **Check** to verify that the network security group isn't blocking traffic.

- :::image type="content" source="media/how-to-test-private-endpoint/test-network-security-group-connectivity.png" alt-text="Screenshot that shows the NSG Diagnostic page to test network connectivity.":::

- If the traffic status is **Denied**, [configure your virtual network](#configure-your-virtual-network) to allow traffic for the **BatchNodeManagement** service tag.

- 1. Test the inbound connectivity to the temporary VM from the `AzureLoadTestingInstanceManagement` service tag.

- 1. In the [Azure portal](https://portal.azure.com), go to **Network Watcher**.

- 1. On the left pane, select **NSG Diagnostic**.

- 1. Enter the details of the VM you created in the previous step.

- 1. Select **Service Tag** for the **Source type**, and then select **AzureLoadTestingInstanceManagement** for the **Service tag**.

- 1. The **Destination IP address** is the IP address of the VM you created in previous step.

- 1. For **Destination port**, enter *8080*.

- 1. Press **Check** to verify that the network security group isn't blocking traffic.

- If the traffic status is **Denied**, [configure your virtual network](#configure-your-virtual-network) to allow traffic for the **AzureLoadTestingInstanceManagement** service tag.

- 1. Delete the temporary VM you created earlier.

-### The test executes and results in a 100% error rate

-Possible cause: there are connectivity issues between the subnet in which you deployed Azure Load Testing and the subnet in which the application endpoint is hosted.

-1. You might deploy a temporary VM in the subnet used by Azure Load Testing and then use the [curl](https://curl.se/) tool to test connectivity to the application endpoint. Verify that there are no firewall or NSG rules that are blocking traffic.

-1. Verify the [Azure Load Testing results file](./how-to-export-test-results.md) for error response messages:

- |Response message | Action |

- |||

- | **Non http response code java.net.unknownhostexception** | Possible cause is a DNS resolution issue. If youΓÇÖre using Azure Private DNS, verify that the DNS is set up correctly for the subnet in which Azure Load Testing instances are injected, and for the application subnet. |

- | **Non http response code SocketTimeout** | Possible cause is when thereΓÇÖs a firewall blocking connections from the subnet in which Azure Load Testing instances are injected to your application subnet. |

-¹ To request an increase beyond this limit, contact Azure Support. Default limits vary by offer category type.

-² To request an increase beyond this limit, contact Azure Support. Default limits vary by offer category type.

- | **Claims** | Yes | String | The claim types and values that your workflow accepts from inbound calls. Here are the available claim types: <br><br>- **Issuer** <br>- **Audience** <br>- **Subject** <br>- **JWT ID** (JSON Web Token identifier) <br><br>Requirements: <br><br>- At a minimum, the **Claims** list must include the **Issuer** claim, which has a value that starts with `https://sts.windows.net/` or `https://login.microsoftonline.com/` as the Azure AD issuer ID. <br>- Each claim must be a single string value, not an array of values. For example, you can have a claim with **Role** as the type and **Developer** as the value. You can't have a claim that has **Role** as the type and the values set to **Developer** and **Program Manager**. <br>- The claim value is limited to a [maximum number of characters](logic-apps-limits-and-config.md#authentication-limits). <br><br>For more information about these claim types, review [Claims in Azure AD security tokens](../active-directory/azuread-dev/v1-authentication-scenarios.md#claims-in-azure-ad-security-tokens). You can also specify your own claim type and value. |

- At a minimum, the `claims` array must include the Issuer claim type where you set the claim's `name` property to `iss` and set the `value` to start with `https://sts.windows.net/` or `https://login.microsoftonline.com/` as the Azure AD issuer ID. For more information about these claim types, review [Claims in Azure AD security tokens](../active-directory/azuread-dev/v1-authentication-scenarios.md#claims-in-azure-ad-security-tokens). You can also specify your own claim type and value.

-# Make data-driven policies and influence decision-making (preview)

-* To save on costs, **[create a schedule (preview)](how-to-create-manage-compute-instance.md#schedule-automatic-start-and-stop-preview)** to automatically start and stop the compute instance.

-# Counterfactuals analysis and what-if (preview)

-# Understand your datasets (preview)

-# Assess errors in machine learning models (preview)

-# Model performance and fairness (preview)

-Machine learning operation (MLOPs) automates the process of building machine learning models and taking the model to production. This is a complex process. It usually requires collaboration from different teams with different skills. A well-defined machine learning pipeline can abstract this complex process into a multiple steps workflow, mapping each step to a specific task such that each team can work independently.

-When you create a [compute instance](concept-compute-instance.md), the VM stays on so it is available for your work. [Set up a schedule](how-to-create-manage-compute-instance.md#schedule-automatic-start-and-stop-preview) to automatically start and stop the compute instance (preview) to save cost when you aren't planning to use it.

-# Assess AI systems by using the Responsible AI dashboard (preview)

-# What is Responsible AI (preview)?

-Install them with the following code:

-* [Create a schedule](#schedule-automatic-start-and-stop-preview) to automatically start and stop the compute instance (preview)

- * Add schedule (preview). Schedule times for the compute instance to automatically start and/or shutdown. See [schedule details](#schedule-automatic-start-and-stop-preview) below.

-## Schedule automatic start and stop (preview)

-You can [create a schedule](#schedule-automatic-start-and-stop-preview) for the compute instance to automatically start and stop based on a time and day of week.

-* [Submit a training job](v1/how-to-set-up-training-targets.md)

-# Customize the compute instance with a script (preview)

-> [!IMPORTANT]

-> Setup scripts are currently in public preview.

-> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-As an administrator, you can write a customization script to be used to provision all compute instances in the workspace according to your requirements.

- file_system=""

-> If you are using Machine Learning pipelines, like for instance [Scikit-Learn pipelines](https://scikit-learn.org/stable/modules/generated/sklearn.pipeline.Pipeline.html), use the `autolog` functionality of that flavor for logging models. Models are automatically logged when the `fit()` method is called on the pipeline object. The notebook [Training and tracking an XGBoost classifier with MLflow](https://github.com/Azure/azureml-examples/blob/main/v1/notebooks/using-mlflow/train-with-mlflow/xgboost_classification_mlflow.ipynb) demostrates how to log a model with preprocessing using pipelines.

-> * `infer_signature` is a convenient method to try to infer the signature directly from inputs and outpus.