+The AD FS adapter supports number matching after installing an update. Unpatched versions of Windows Server don't support number matching. Users will continue to see the **Approve**/**Deny** experience and won't see number matching unless these updates are applied.

+In ASP.NET MVC, the **Sign in** button is exposed in `Views\Shared\_LoginPartial.cshtml`. It's displayed only when the user isn't authenticated. That is, it's displayed when the user hasn't yet signed in or has signed out.

+In ASP.NET, Sign in is triggered from the `SignIn()` method on a controller (for instance, [AccountController.cs#L16-L23](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/a2da310539aa613b77da1f9e1c17585311ab22b7/WebApp/Controllers/AccountController.cs#L16-L23)). This method isn't part of the ASP.NET framework (contrary to what happens in ASP.NET Core). It sends an OpenID sign-in challenge after proposing a redirect URI.

+Occurs when a consumer account is used for app registration (Hotmail, Messenger, OneDrive, MSN, Xbox Live, or Microsoft 365).

+The general structure of the naming convention is ΓÇÿPrefix[GroupName]SuffixΓÇÖ. While you can define multiple prefixes and suffixes, you can only have one instance of the [GroupName] in the setting. The prefixes or suffixes can be either fixed strings or user attributes such as \[Department\] that are substituted based on the user who is creating the group. The total allowable number of characters for your prefix and suffix strings including group name is 63 characters.

+## Required Azure AD roles

+To reset a user's redemption status, you'll need one of the following roles:

+- [Guest Inviter](../roles/permissions-reference.md#guest-inviter) (least privileged)

+- [User Administrator](../roles/permissions-reference.md#user-administrator)

+- [Global Administrator](../roles/permissions-reference.md#global-administrator)

+1. Sign in to the [Azure portal](https://portal.azure.com/) using an account that has one of the [required Azure AD roles](#required-azure-ad-roles).

+2. Search for and select **Azure Active Directory**.

+3. Select **Users**.

+4. In the list, select the user's name to open their user profile.

+5. If the user wants to sign in using a different email:

+Allows users to be added to Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).

+|taskDefinitionId | d79d1fcc-16be-490c-a865-f4533b1639ee |

+|argument | Argument contains a name parameter that is the "customTaskExtensionID", and a value parameter that is the ID of the previously created extension that contains information about the Logic App. |

+ "name": "customTaskExtensionID",

+Allows users to be removed from Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).

+Allows users to be removed from every Microsoft 365 and cloud-only security group they're a member of. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).

+While new versions of these workflows are made as soon as you make the updates in the Azure portal, creating a new version of a workflow using the API with Microsoft Graph requires running the createNewVersion method. For a step by step guide for updating either tasks, or execution conditions, see: [Manage Workflow Versions](manage-workflow-tasks.md).

+As you think about your approach to operations, there are a couple levels of administration to consider. The first level places the burden of administration on your Hybrid Identity Administrator(s). Always using the Hybrid Identity Administrator role, might be appropriate for smaller companies. But for larger organizations with help desk personnel and administrators responsible for specific tasks, assigning the role of Hybrid Identity Administrator can be a security risk since it provides those individuals with the ability to manage tasks that are above and beyond what they should be capable of doing.

+Learn more about [Azure AD Connect: ADSyncTools PowerShell Module](reference-connect-adsynctools.md)

+Connect to Azure AD by running the following command: `Connect-MsolService`, and then, enter your Hybrid Identity Administrator credentials.

+2. On the **Connect to Azure AD** page, provide your Hybrid Identity Administrator credentials for Azure AD, and click **Next**.

+2. On the **Connect to Azure AD** page, enter your Hybrid Identity Administratoristrator credentials for Azure AD, and click **Next**.

+2. Provide the Azure Hybrid Identity Administrator credentials.

+AD FS customers may expose password authentication endpoints to the internet to provide authentication services for end users to access SaaS applications such as Microsoft 365. It is possible for a bad actor to attempt logins against your AD FS system to guess an end userΓÇÖs password and get access to application resources. AD FS provides the extranet account lockout functionality to prevent these types of attacks since AD FS in Windows Server 2012 R2. If you are on a lower version, we strongly recommend that you upgrade your AD FS system to Windows Server 2016. <br />

+Additionally, it is possible for a single IP address to attempt multiple logins against multiple users. In these cases, the number of attempts per user may be under the threshold for account lockout protection in AD FS. Azure AD Connect Health now provides the ΓÇ£Risky IP reportΓÇ¥ that detects this condition and notifies administrators. The following are the key benefits for this report:

+- Email notification to alert administrators with customizable email settings

+The failed sign in activity client IP addresses are aggregated through Web Application Proxy servers. Each item in the Risky IP report shows aggregated information about failed AD FS sign-in activities that have exceeded the designated threshold. It provides the following information:

+| Trigger Type | Shows the type of detection time window. The aggregation trigger types are per hour or per day. Helpful in determing between a high frequency brute force attack versus a slow attack where the number of attempts is distributed throughout the day. |

+| IP Address | The single risky IP address that had either bad password or extranet lockout sign-in activities. It can be either IPv4 or an IPv6 address. |

+| Extranet Lock Out Error Count | The count of Extranet Lockout error occurred from the IP address during the detection time window. The Extranet Lockout errors can happen multiple times to certain users. This will only be seen if Extranet Lockout is configured in AD FS (versions 2012R2 or higher). <b>Note</b> We strongly recommend enabling this feature if you allow extranet logins using passwords. |

+| Unique Users Attempted | The count of unique user accounts attempted from the IP address during the detection time window. Differentiates between a single user attack pattern versus multi-user attack pattern. |

+Load balancer aggregate failed sign-in activities and hit the alert threshold. If you are seeing load balancer IP addresses, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server. Configure your load balancer correctly to pass forward client IP address.

+Like generic alert notification settings in Connect Health, it allows you to customize designated notification recipient list about risky IP report from here. You can also notify all Hybrid Identity Administrators while making the change.

+If you are seeing load balancer IP addresses, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server. Configure your load balancer correctly to pass forward client IP address.

+Global Admin or [Security Reader](../../role-based-access-control/built-in-roles.md#security-reader) permission is required. Contact your global admin to get access.

+| You're a Hybrid Identity Administrator in Azure AD. |By default, only Hybrid Identity Administrators or global administrators can install and configure the health agents, access the portal, and do any operations within Azure AD Connect Health. For more information, see [Administering your Azure AD directory](../fundamentals/active-directory-whatis.md). <br /><br /> By using Azure role-based access control (Azure RBAC), you can allow other users in your organization to access Azure AD Connect Health. For more information, see [Azure RBAC for Azure AD Connect Health](how-to-connect-health-operations.md#manage-access-with-azure-rbac). <br /><br />**Important**: Use a work or school account to install the agents. You can't use a Microsoft account. For more information, see [Sign up for Azure as an organization](../fundamentals/sign-up-organization.md). |

+A PowerShell window opens to start the agent registration process. When you're prompted, sign in by using an Azure AD account that has permissions to register the agent. By default, the Hybrid Identity Administrator account has permissions.

+6. Select the check box if you want all Hybrid Identity Administrators to receive email notifications.

+[Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md) for Azure AD Connect Health provides access to users and groups other than Hybrid Identity Administratoristrators. Azure RBAC assigns roles to the intended users and groups, and provides a mechanism to limit the Hybrid Identity Administrators within your directory.

+| Owner |Owners can *manage access* (for example, assign a role to a user or group), *view all information* (for example, view alerts) from the portal, and *change settings* (for example, email notifications) within Azure AD Connect Health. <br>By default, Azure AD Hybrid Identity Administrators are assigned this role, and this cannot be changed. |

+On the **Connect to Azure AD** page, enter a Hybrid Identity Administrator account and password. If you selected **Federation with AD FS** on the previous page, don't sign in with an account that's in a domain you plan to enable for federation.

+1. On the **Connect to Azure AD** screen, you must provide the credentials of a Hybrid Identity Administrator of your Azure AD directory. The recommendation is to use an account in the default onmicrosoft.com domain. This account is only used to create a service account in Azure AD and is not used after the wizard has completed.

+5. On the Connect to Azure AD screen, enter the username and password of a Hybrid Identity Administrator for your Azure AD. Click **Next**.

+13. On the **Connect to Azure AD** screen, you must provide the credentials of a Hybrid Identity Administrator of your Azure AD directory. The recommendation is to use an account in the default onmicrosoft.com domain. This account is only used to create a service account in Azure AD and is not used after the wizard has completed.

+Federating multiple, top-level domains with Azure AD requires some extra configuration that is not required when federating with one top-level domain.

+Looking at the screenshot for the bmfabrikam.com domain you can see the following settings:

+The following customized claim rule implements this logic:

+4. On a machine that has [Azure Active Directory Module for Windows PowerShell](/previous-versions/azure/jj151815(v=azure.100)) installed on it run the following PowerShell: `$cred=Get-Credential`.

+5. Enter the username and password of a Hybrid Identity Administrator for the Azure AD domain you are federating with.

+1. On a machine that has [Azure Active Directory Module for Windows PowerShell](/previous-versions/azure/jj151815(v=azure.100)) installed on it run the following PowerShell: `$cred=Get-Credential`.

+2. Enter the username and password of a Hybrid Identity Administratoristrator for the Azure AD domain you are federating with

+Use the following claim:

+The last number in the regular expression set is how many parent domains there are in your root domain. Here bmcontoso.com is used, so two parent domains are necessary. If three parent domains were to be kept (that is, corp.bmcontoso.com), then the number would have been three. Eventually a range can be indicated, the match will always be made to match the maximum of domains. "{2,3}" will match two to three domains (that is, bmfabrikam.com and corp.bmcontoso.com).

+- If your Hybrid Identity Administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com *must* be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.

+* You must have an Azure AD Global Administrator account or Hybrid Identity Administrator account for the Azure AD tenant you want to integrate with. This account must be a *school or organization account* and can't be a *Microsoft account*.

+Before you begin, ensure that you have the following prerequisite.

+ If you don't already have an agent, you can install it.

+ 1. Install the feature by running either of the following commands.

+- An Azure Hybrid Identity Administrator account for running the PowerShell cmdlets.

+1. Create a cloud-only Hybrid Identity Administrator account or a Hybrid Identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only Hybrid Identity Administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.

+1. Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with the Hybrid Identity Administratoristrator credentials for your tenant.

+1. To download the latest version of the Authentication Agent (version 1.5.193.0 or later), sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with your tenant's Hybrid Identity Administrator credentials.

+Only Hybrid Identity Administrators or Hybrid Identity administrators can install an Authentication Agent (by using Azure AD Connect or standalone) on an on-premises server. Installation adds two new entries to the **Control Panel** > **Programs** > **Programs and Features** list:

+1. Azure AD first requests that a Hybrid Identity Administratoristrator or hybrid identity administrator sign in to Azure AD with their credentials. During sign-in, the Authentication Agent acquires an access token that it can use on behalf of the

+4. Azure AD validates the access token in the registration request and verifies that the request came from a Hybrid Identity Administrator or hybrid identity administrator.

+1. Sign in to the [Azure Active Directory administrative center](https://aad.portal.azure.com) with the Hybrid Identity Administrator or hybrid identity administrator credentials for your tenant.

+- To use the Staged Rollout feature, you need to be a Hybrid Identity Administrator on your tenant.

+4. Run PowerShell as an administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command opens a pane where you can enter your tenant's Hybrid Identity Administratoristrator credentials.

+3. Collect Azure AD Hybrid Identity Administrator password

+For staged rollout, you need to be a Hybrid Identity Administrator on your tenant.

+[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

+The first task addresses determining the organizations business needs. This task can be broad and scope creep can occur if you are not careful. In the beginning, keep it simple but always remember to plan for a design that will accommodate and facilitate change in the future. Regardless of whether it is a simple design or a complex one, Azure Active Directory is the Microsoft Identity platform that supports Microsoft 365, Microsoft Online Services, and cloud aware applications.

+Microsoft has three main integration scenarios: cloud identities, synchronized identities, and federated identities. You should plan on adopting one of these integration strategies. The strategy you choose can vary. Decisions in choosing one may include, what type of user experience you want to provide, do you have an existing infrastructure, and what is the most cost effective.

+* **Cloud identities**: identities that exist solely in the cloud. In the case of Azure AD, they would reside specifically in your Azure AD directory.

+* **Synchronized**: identities that exist on-premises and in the cloud. Using Azure AD Connect, users are either created or joined with existing Azure AD accounts. The userΓÇÖs password hash is synchronized from the on-premises environment to the cloud in what is called a password hash. Remember that if a user is disabled in the on-premises environment, it can take up to three hours for that account status to show up in Azure AD. This behavior is due to the synchronization time interval.

+* **Federated**: identities exist both on-premises and in the cloud. Using Azure AD Connect, users are either created or joined with existing Azure AD accounts.

+| **Cloud identities** |Easier to manage for small organization. <br> Nothing to install on-premises. No extra hardware needed<br>Easily disabled if the user leaves the company |Users will need to sign in when accessing workloads in the cloud <br> Passwords may or may not be the same for cloud and on-premises identities |

+| **Federated** |Users can have single sign-on (SSO) <br>If a user is terminated or leaves, the account can be immediately disabled and access revoked,<br> Supports advanced scenarios that cannot be accomplished with synchronized |More steps to set up and configure <br> Higher maintenance <br> May require extra hardware for the STS infrastructure <br> May require extra hardware to install the federation server. Other software is required if AD FS is used <br> Require extensive setup for SSO <br> Critical point of failure if the federation server is down, users wonΓÇÖt be able to authenticate |

+If you have a third-party IdP or are going to use one to provide federation with Azure AD, you need to be aware of the following supported capabilities:

+This task defines the tools that will be used to synchronize the organizationΓÇÖs on-premises data to the cloud and what topology you should use. Because, most organizations use Active Directory, information on using Azure AD Connect to address the questions above is provided in some detail. For environments that do not have Active Directory, there is information about using FIM 2010 R2 or MIM 2016 to help plan this strategy. However, future releases of Azure AD Connect will support LDAP directories, so depending on your timeline, this information may be able to assist.

+The single forest, single Azure AD topology is the most common and consists of a single Active Directory forest and a single instance of Azure AD. This topology is going to be used in a most scenarios and is the expected topology when using Azure AD Connect Express installation as shown in the figure below.

+The multi-forest single Azure AD topology should be considered if the following items are true:

+* Users have only 1 identity across all forests ΓÇô the uniquely identifying users section below describes this scenario in more detail.

+* All forests are accessible by Azure AD Connect ΓÇô meaning it does not need to be domain joined and can be placed in a DMZ.

+* If there is no mailbox on the user, then any forest may be used to contribute values

+> Objects that exist in both on-premises and in the cloud are ΓÇ£connectedΓÇ¥ via a unique identifier. In the context of Directory Synchronization, this unique identifier is referred to as the SourceAnchor. In the context of Single Sign-On, this identifier is referred to as the ImmutableId. [Design concepts for Azure AD Connect](plan-connect-design-concepts.md#sourceanchor) for more considerations regarding the use of SourceAnchor.

+If the above are not true and you have more than one active account or more than one mailbox, Azure AD Connect will pick one and ignore the other. If you have linked mailboxes but no other account, accounts will not be exported to Azure AD and that user will not be a member of any groups. This behavior is different from how it was in the past with DirSync and is intentional to better support multi-forest scenarios. A multi-forest scenario is shown in the figure below.

+It is recommended to have just a single directory in Azure AD for an organization. However, it is supported if a 1:1 relationship is kept between an Azure AD Connect sync server and an Azure AD directory. For each instance of Azure AD, you need an installation of Azure AD Connect. Also, Azure AD, by design is isolated and users in one instance of Azure AD, will not be able to see users in another instance.

+The following statements must be true:

+* Mutual exclusivity also applies to write-back. Thus, some write-back features are not supported with this topology since it is assumed to be a single on-premises configuration.

+The following items are not supported and should not be chosen as an implementation:

+In this task, you will define the multi-factor authentication strategy to use. Azure AD Multi-Factor Authentication comes in two different versions. One is a cloud-based and the other is on-premises based using the Azure MFA Server. Based on the evaluation you did above you can determine which solution is the correct one for your strategy. Use the table below to determine which design option best fulfills your companyΓÇÖs security requirement:

+Even though you may have settled on a solution for your strategy, you still need to use the evaluation from above. This decision may cause the solution to change. Use the table below to assist you determining this:

+Multi-factor authentication is available by default for Hybrid Identity Administrators who have an Azure Active Directory tenant. However, if you wish to extend multi-factor authentication to all of your users and/or want to your Hybrid Identity Administrators to be able to take advantage features such as the management portal, custom greetings, and reports, then you must purchase and configure Multi-Factor Authentication Provider.

+- **Azure AD Global Administrator account**: used to create the Azure AD Connector account and configure Azure AD. You can view Hybrid Identity Administrator accounts in the Azure portal. See [List Azure AD role assignments](../../active-directory/roles/view-assignments.md).

+Azure AD Connect Health also provides the option to stop data collection of **all** registered services in the tenant. We recommend careful consideration and full acknowledgement of all Hybrid Identity Administrators before taking the action. Once the process begins, Connect Health service will stop receiving, processing, and reporting any data of all your services. Existing data in Connect Health service will be retained for no more than 30 days.

+Includes a public preview of the functionality to export the configuration of an existing Azure AD Connect server into a .JSON file. This file can be used when installing a new Azure AD Connect server to create a copy of the original server.

+This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA wasn't able to enable DSSO.

+This hotfix build fixes an issue in build 1.5.20.0 if you've cloned the **In from AD - Group Join** rule and haven't cloned the **In from AD - Group Common** rule.

+- This hotfix build fixes an issue with build 1.5.18.0 if you've the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.

+> If you've cloned the **In from AD - Group Join** sync rule and haven't cloned the **In from AD - Group Common** sync rule and plan to upgrade, complete the following steps as part of the upgrade:

+- Added support for the mS-DS-ConsistencyGuid feature for group objects. Allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed. For more information, see [Moving groups between forests](how-to-connect-migrate-groups.md).

+- The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you don't have to do anything to enable this feature.

+- Removed the Get-ADSyncRunProfile because it's no longer in use.

+- Added a new cmdlet to remove objects from the connector space the old CSDelete.exe tool is removed, and it's replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.

+- Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account hasn't propagated across all service replicas before attempted use.

+- Fixed a bug in the sync errors compression utility that wasn't handling surrogate characters correctly.

+- Fixed a bug in the auto upgrade that left the server in the scheduler suspended state.

+- We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos hashes. Provides a performance improvement during password synchronization from Azure AD to Azure AD Domain Services.

+- Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the login Windows credentials instead of the admin credentials provided while running ps. As a result of which it wasn't possible to enable DSSO in multiple forest through the Azure AD Connect user interface.

+This rule change may cause deletion of obsolete devices from Azure AD. These device objects aren't used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it's advised to allow the deletions to go through. [How to allow deletes to flow when they exceed the deletion threshold](how-to-connect-sync-feature-prevent-accidental-deletes.md)

+Under certain circumstances, servers that were auto upgraded to version 1.4.18.0 didn't re-enable Self-service password reset and Password Writeback after the upgrade was completed. This auto upgrade release fixes that issue and re-enables Self-service password reset and Password Writeback.

+We fixed a bug in the sync errors compression utility that wasn't handling surrogate characters correctly.

+>With this version of Azure AD Connect some customers may see some or all of their Windows devices disappear from Azure AD. These device identities aren't used by Azure AD during Conditional Access authorization. For more information, see [Understanding Azure AD Connect 1.4.xx.x device disappearnce](/troubleshoot/azure/active-directory/reference-connect-device-disappearance)

+- When adding/editing a sync rule, if there are any attributes used in the rule that are in the connector schema, but not added to the connector, the attributes will automatically be added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next sync cycle.

+- In the Synchronization Manager, a full sync is run on rule creation/edit/deletion. A pop-up will appear on any rule change notifying the user if full import or full sync is going to be run.

+- Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain/OU of the entered group is already filtered out. Group filtering will keep the user from moving forward until the issue is resolved.

+- Limit the number of attributes a customer can select to 100 per object when selecting directory extensions. This limit will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes per object.

+- Improved diagnostics and troubleshooting around group policies that don't allow the ADSync service to start when initially installed.

+> To resolve this issue, you need to import the **AdSync** module and then run the `Set-ADSyncDirSyncConfiguration` PowerShell cmdlet on the Azure AD Connect server. You can use the following steps:

+- Fixed an elevation of privilege vulnerability that exists in Microsoft Azure Active Directory Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information, see [security update](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1000).

+- Added a new agent running as a Windows service. This agent, named ΓÇ£Admin AgentΓÇ¥, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent, see [What is the Azure AD Connect Admin Agent?](whatis-aadc-admin-agent.md).

+This hotfix build allows the user to select a target domain, within the specified forest, for the RegisteredDevices container when enabling device writeback. In the previous versions that contain the new Device Options functionality (1.1.819.0 ΓÇô 1.2.68.0), the RegisteredDevices container location was limited to the forest root and didn't allow child domains. This limitation only manifested itself on new deployments ΓÇô in-place upgrades were unaffected.

+If any build containing the updated Device Options functionality was deployed to a new server and device writeback was enabled, you will need to manually specify the location of the container if you don't want it in the forest root. To do this, you need to disable device writeback and re-enable it which will allow you to specify the container location on the ΓÇ£Writeback forestΓÇ¥ page.

+- Added diagnostics in the Azure AD Connect wizard to investigate and identify Connectivity issues to AD. These same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in the ADConnectivityTools PowerShell module. For more information, see [What is the ADConnectivityTool PowerShell Module?](how-to-connect-adconnectivitytools.md)

+- Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Azure AD Connect is installed. For more information, see [TLS 1.2 enforcement for Azure AD Connect](reference-connect-tls-enforcement.md)

+- Fixed a bug where 'Set-ADSyncRestrictedPermissionsΓÇÖ wasn't called correctly

+- When changing sign in method from Password Hash Sync to AD FS, Password Hash Sync wasn't disabled.

+- Azure AD Connect Wizard: AD FS Claims aren't updated for added domain when converting a managed domain to federated

+>When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so.

+* Changed the **User Sign-in** page option "Password Synchronization" to "Password Hash Synchronization". Azure AD Connect synchronizes password hashes, not passwords, so this aligns with what is actually occurring. For more information, see [Implement password hash synchronization with Azure AD Connect sync](how-to-connect-password-hash-synchronization.md)

+>When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, please make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so.

+* Adding Privacy Settings for the General Data Protection Regulation (GDPR). For more information, see the article [here](reference-connect-user-privacy.md).

+- When setting up Azure AD Connect, the installing administrator can either provide an existing AD DS account, or let Azure AD Connect automatically create the account. The permission changes are automatically applied to the AD DS account that is created by Azure AD Connect during setup. They aren't applied to existing AD DS account provided by the installing administrator.

+> There is a known compatibility issue between Azure AD Connect version 1.1.647.0 and Azure AD Connect Health Agent (for sync) version 3.0.127.0. This issue prevents the Health Agent from sending health data about the Azure AD Connect Synchronization Service (including object synchronization errors and run history data) to Azure AD Health Service. Before manually upgrading your Azure AD Connect deployment to version 1.1.647.0, please verify the current version of Azure AD Connect Health Agent installed on your Azure AD Connect server. You can do so by going to *Control Panel → Add Remove Programs* and look for application *Microsoft Azure AD Connect Health Agent for Sync*. If its version is 3.0.127.0, it's recommended that you wait for the next Azure AD Connect version to be available before upgrade. If the Health Agent version isn't 3.0.127.0, it's fine to proceed with the manual, in-place upgrade. This issue does not affect swing upgrade or customers who are performing new installation of Azure AD Connect.

+ * The issue occurs when you've an existing Azure AD Connect deployment with Password Synchronization **enabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt.

+ * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Azure AD Connect deployment with Password Synchronization enabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt.

+ * The issue occurs when you've an existing Azure AD Connect deployment with Password Synchronization **disabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. When the change is applied, the wizard enables both Pass-through Authentication and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.

+ * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Azure AD Connect deployment with Password Synchronization disabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". When the change is applied, the wizard enables Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.

+* When performing manual in-place upgrade of Azure AD Connect, the customer is required to provide the Global Administrator credentials of the corresponding Azure AD tenant. Previously, upgrade could proceed even though the Global Administrator's credentials belonged to a different Azure AD tenant. While upgrade appears to complete successfully, certain configurations aren't correctly persisted with the upgrade. With this change, the wizard prevents the upgrade from proceeding if the credentials provided don't match the Azure AD tenant.

+* Added logic to simplify the steps required to set up Azure AD Connect with Microsoft Germany Cloud. Previously, you are required to update specific registry keys on the Azure AD Connect server for it to work correctly with Microsoft Germany Cloud, as described in this article. Now, Azure AD Connect can automatically detect if your tenant is in Microsoft Germany Cloud based on the Hybrid Identity Administrator credentials provided during setup.

+* Fixed an issue related to the use of [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. This issue affects customers who have configured *Federation with AD FS* as the user sign-in method. When you execute *Configure Source Anchor* task in the wizard, Azure AD Connect switches to using *ms-DS-ConsistencyGuid as source attribute for immutableId. As part of this change, Azure AD Connect attempts to update the claim rules for ImmutableId in AD FS. However, this step failed because Azure AD Connect didn't have the administrator credentials required to configure AD FS. With this fix, Azure AD Connect now prompts you to enter the administrator credentials for AD FS when you execute the *Configure Source Anchor* task.

+* There is a known issue that is causing Azure AD Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Azure AD Connect. Dbo permissions aren't sufficient.

+* When Azure AD Connect Password Synchronization Agent starts up, it tries to connect to Azure AD well-known endpoint for password synchronization. Upon successful connection, it's redirected to a region-specific endpoint. Previously, the Password Synchronization Agent caches the region-specific endpoint until it's restarted. Now, the agent clears the cache and retries with the well-known endpoint if it encounters connection issue with the region-specific endpoint. This change ensures that password synchronization can failover to a different region-specific endpoint when the cached region-specific endpoint is no longer available.

+ * You've enabled the device writeback feature.

+ * You've enabled the group writeback feature.

+ * You've more than 100,000 objects in the metaverse.

+ * You've enabled the user writeback feature.

+ >The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and after. If you don't want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet on your Azure AD Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).

+ * You've enabled the device writeback feature.

+ * You've enabled the group writeback feature.

+ * You've more than 100,000 objects in the metaverse.

+ * You've enabled the user writeback feature.

+ >The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and after. If you don't want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet on your Azure AD Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).

+* Fixed an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain configured on the existing service connection point object to be changed even if it's still a valid domain. This issue occurs when your Azure AD tenant has more than one verified domains that can be used for configuring the service connection point.

+* Fixed an issue related to the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature where Azure AD Connect does not writeback to on-premises AD ms-DS-ConsistencyGuid attribute. The issue occurs when there are multiple on-premises AD forests added to Azure AD Connect and the *User identities exist across multiple directories option* is selected. When such configuration is used, the resultant synchronization rules don't populate the sourceAnchorBinary attribute in the Metaverse. The sourceAnchorBinary attribute is used as the source attribute for ms-DS-ConsistencyGuid attribute. As a result, writeback to the ms-DSConsistencyGuid attribute does not occur. To fix the issue, following sync rules have been updated to ensure that the sourceAnchorBinary attribute in the Metaverse is always populated:

+* Previously, the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature was available to new deployments only. Now, it's available to existing deployments. More specifically:

+* Previously, the ADFS Certificate Management feature provided by Azure AD Connect can only be used with ADFS farms managed through Azure AD Connect. Now, you can use the feature with ADFS farms that aren't managed using Azure AD Connect.

+* There was an issue with build 443 that causes DirSync in-place upgrade to succeed but run profiles required for directory synchronization aren't created. Healing logic is included in this build of Azure AD Connect. When customer upgrades to this build, Azure AD Connect detects missing run profiles and creates them.

+* To configure OU filtering, you can either use the Azure AD Connect wizard or the Synchronization Service Manager. Previously, if you use the Azure AD Connect wizard to configure OU filtering, new OUs created afterwards are included for directory synchronization. If you don't want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior using Azure AD Connect wizard.

+* Azure AD Connect now automatically enables the use of ConsistencyGuid attribute as the Source Anchor attribute for on-premises AD objects. Further, Azure AD Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it's empty. This feature is applicable to new deployment only. To find out more about this feature, refer to article section [Azure AD Connect: Design concepts - Using ms-DS-ConsistencyGuid as sourceAnchor](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor).

+* Azure AD Connect now supports SQL AOA. You must enable SQL AOA before installing Azure AD Connect. During installation, Azure AD Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Azure AD Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication. When setting up the Availability Group Listener, it's recommended that you set the RegisterAllProvidersIP property to 0. This recommendation is because Azure AD Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of MultiSubNetFailover property.

+* Fixed an issue where the Synchronization Service immediately stops processing a run profile when it's encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run step and continues to process the rest. For example, you've a Delta Import run profile for your AD connector with multiple run steps (one for each on-premises AD domain). The Synchronization Service will run Delta Import with the other AD domains even if one of them has network connectivity issues.

+* On your Azure AD tenant, there is a service configuration which indicates whether Password Synchronization feature is enabled for your tenant or not. Previously, it's easy for the service configuration to be incorrectly configured by Azure AD Connect when you've an active and a staging server. Now, Azure AD Connect will attempt to keep the service configuration consistent with your active Azure AD Connect server only.

+* Previously, if you change the Azure AD Connect sync service account password, the Synchronization Service will not be able start correctly until you've abandoned the encryption key and reinitialized the Azure AD Connect sync service account password. Now, this process is no longer required.

+* Fixed an issue which causes the error ΓÇ£The dimage has an anchor that is different than the imageΓÇ¥ to occur on an Azure AD Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing.

+* Fixed an issue which causes the error ΓÇ£The object located by DN is a phantomΓÇ¥ to occur on an Azure AD Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing.

+* Sometimes, installing Azure AD Connect fails because it's unable to create a local service account whose password meets the level of complexity specified by the organization's password policy.

+* Fixed an issue where join rules aren't reevaluated when an object in the connector space simultaneously becomes out-of-scope for one join rule and become in-scope for another. This can happen if you've two or more join rules whose join conditions are mutually exclusive.

+* Fixed an issue where inbound synchronization rules (from Azure AD), which don't contain join rules, aren't processed if they have lower precedence values than those containing join rules.

+* Changes to sync interval don't take place until after the next sync cycle is complete.

+* Configuration changes to password synchronization and password writeback aren't persisted by Azure AD Connect wizard when server is in staging mode.

+* Updated the Start-ADSyncSyncCycle cmdlet to indicate whether it's able to successfully start a new sync cycle or not.

+* Upgrade from DirSync with a custom filter configuration didn't work as expected.

+* Support for the Hybrid Identity Administrator by using Azure AD Multi-Factor Authentication and Privileged Identity Management in the installation wizard.

+* The on-premises AD accounts aren't recognized by the installation wizard if located in a domain with a different DNS tree than the root domain.

+* When you've a proxy server, authentication to Azure AD might fail during installation, or if an upgrade is canceled on the configuration page.

+* Updating from a previous release of Azure AD Connect with a full SQL Server instance fails if you aren't a SQL Server system administrator (SA).

+* If a previous uninstallation of Azure AD Connect fails to uninstall Azure AD Connect sync cleanly, it's not possible to reinstall.

+* When a group has exceeded the membership limit (by default, the limit's set to 50,000 objects), the group was deleted in Azure Active Directory. With the new behavior, the group is not deleted, an error is thrown, and new membership changes aren't exported.

+If you already have Azure AD Sync installed, there is one additional step you've to take in case you've changed any of the out-of-box synchronization rules. After you've upgraded to the 1.0.470.1023 release, the synchronization rules you've modified are duplicated. For each modified sync rule, do the following:

+1. Locate the sync rule you've modified and take a note of the changes.

+This error appears if the endpoint **https://secure.aadcdn.microsoftonline-p.com** cannot be reached and your Hybrid Identity Administrator has MFA enabled.

+Authentication was successful. Privileged identity management has been enabled and you are currently not a Hybrid Identity Administrator. For more information, see [Privileged Identity Management](../privileged-identity-management/pim-getting-started.md).

+3. Azure AD tenant Hybrid Identity Administrator credentials

+

+1. Run PowerShell as an administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. When prompted, enter your tenant's Hybrid Identity Administrator or hybrid identity administrator credentials.

+1. The next sync cycle will take care of soft-matching the on-premises user to the cloud account because the cloud user is now no longer a Hybrid Identity Administrator.

+- A computer with [Hyper-V](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) installed. It's suggested to do this on either a [Windows 10](/virtualization/hyper-v-on-windows/about/supported-guest-os) or a [Windows Server 2016](/windows-server/virtualization/hyper-v/supported-windows-guest-operating-systems-for-hyper-v-on-windows) computer.

+>If you have never run a script in PowerShell on your host machine you'll need to run `Set-ExecutionPolicy remotesigned` and say yes in PowerShell, prior to running scripts.

+3. You'll be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.

+Now we'll create a TLS/SSL certificate that will be used by AD FS. This is will be a self-signed certificate and is only for testing purposes. Microsoft doesn't recommend using a self-signed certificate in a production environment. Do the following:

+## Create a Hybrid Identity Administrator in Azure AD

+Now that we have an Azure AD tenant, we'll create a Hybrid Identity Administratoristrator account. This account is used to create the Azure AD Connector account during Azure AD Connect installation. The Azure AD Connector account is used to write information to Azure AD. To create the Hybrid Identity Administrator account do the following.

+</br>

+3. Provide a name and username for this user. This will be your Hybrid Identity Administrator for the tenant. You'll also want to change the **Directory role** to **Hybrid Identity Administrator.** You can also show the temporary password. When you're done, select **Create**.</br>

+5. Change the password for the Hybrid Identity Administrator to something that you'll remember.

+Now that we have a tenant and a Hybrid Identity Administrator, we need to add our custom domain so that Azure can verify it. Do the following:

+5. On the custom domain name screen you'll be supplied with either TXT or MX information. This information must be added to the DNS information of the domain registrar under your domain. So you need to go to your domain registrar, enter either the TXT or MX information in the DNS settings for your domain. This will allow Azure to verify your domain. This may take up to 24 hours for Azure to verify it. For more information, see the [add a custom domain](../../active-directory/fundamentals/add-custom-domain.md) documentation.</br>

+6. To ensure that it's verified, click the Verify button.</br>

+Now it's time to download and install Azure AD Connect. Once it has been installed we'll run through the express installation. Do the following:

+12. Enter DC1 in the search box and select it when it's found. Click **Ok**.

+1. On the AD FS server screen, click **Browse** and enter DC1 in the search box and select it when it's found. Click **Ok**. Click **Next**.

+We'll now verify that the users that we had in our on-premises directory have been synchronized and now exist in out Azure AD tenant. Be aware that this may take a few hours to complete. To verify users are synchronized do the following.

+2. Sign-in with a user account that was created in our new tenant. You'll need to sign-in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign-in on-premises.

+## Create a Hybrid Identity Administrator in Azure AD

+Now that we have an Azure AD tenant, we will create a Hybrid Identity Administratoristrator account. This account is used to create the Azure AD Connector account during Azure AD Connect installation. The Azure AD Connector account is used to write information to Azure AD. To create the Hybrid Identity Administrator account do the following.

+</br>

+3. Provide a name and username for this user. This will be your Global Admin for the tenant. You will also want to change the **Directory role** to **Hybrid Identity Administrator.** You can also show the temporary password. When you are done, select **Create**.</br>

+</br>

+4. Once this has completed, open a new web browser and sign-in to myapps.microsoft.com using the new Hybrid Identity Administrator account and the temporary password.

+5. Change the password for the Hybrid Identity Administrator to something that you will remember.

+Now that we have a tenant and a Hybrid Identity Administrator, we need to add our custom domain so that Azure can verify it. Do the following:

+## Create a Hybrid Identity Administrator in Azure AD

+Now that we have an Azure AD tenant, we will create a Hybrid Identity Administratoristrator account. This account is used to create the Azure AD Connector account during Azure AD Connect installation. The Azure AD Connector account is used to write information to Azure AD. To create the Hybrid Identity Administrator account do the following.

+</br>

+3. Provide a name and username for this user. This will be your Hybrid Identity Administrator for the tenant. You will also want to change the **Directory role** to **Hybrid Identity Administrator.** You can also show the temporary password. When you are done, select **Create**.</br>

+</br>

+4. Once this has completed, open a new web browser and sign-in to myapps.microsoft.com using the new Hybrid Identity Administrator account and the temporary password.

+5. Change the password for the Hybrid Identity Administrator to something that you will remember.

+5. On the Connect to Azure AD screen, enter the username and password the Hybrid Identity Administrator for Azure AD. Click **Next**.

+4. Enter the username and password for your Hybrid Identity Administrator or your hybrid identity administrator. This account was created [here](tutorial-federation.md#create-a-hybrid-identity-administrator-in-azure-ad) in the previous tutorial.

+4. Enter the username and password for your Hybrid Identity Administratoristrator or your hybrid identity administrator. This account was created [here](tutorial-federation.md#create-a-hybrid-identity-administrator-in-azure-ad) in the previous tutorial.

+4. Enter the username and password for your Hybrid Identity Administrator or your hybrid identity administrator. This is the account that was created [here](tutorial-federation.md#create-a-hybrid-identity-administrator-in-azure-ad) in the previous tutorial.

+When prompted, please enter your Azure AD Hybrid Identity Administrator credentials. These credentials should be the same credentials entered during Azure AD Connect installation.

+Users can be members of multiple administrative units. For example, you might add users to administrative units by geography and division; Megan Bowen might be in the "Seattle" and "Marketing" administrative units.

+> | [Microsoft Hardware Warranty Administrator](#microsoft-hardware-warranty-administrator) | Create and manage all aspects warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens. | 1501b917-7653-4ff9-a4b5-203eaf33784f |

+> | [Microsoft Hardware Warranty Specialist](#microsoft-hardware-warranty-specialist) | Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens. | 281fe777-fb20-4fbb-b7a3-ccebce5b0d96 |

+> | [Organizational Messages Writer](#organizational-messages-writer) | Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. | 507f53e4-4e52-4077-abd3-d2e1558b6ea2 |

+Users in this role can read and update basic information of users, groups, and service principals.

+> | microsoft.office365.organizationalMessages/allEntities/allProperties/allTasks | Manage all authoring aspects of Microsoft 365 Organizational Messages |

+> | microsoft.office365.organizationalMessages/allEntities/allProperties/read | Read all aspects of Microsoft 365 Organizational Messages |

+> | microsoft.office365.organizationalMessages/allEntities/allProperties/read | Read all aspects of Microsoft 365 Organizational Messages |

+## Microsoft Hardware Warranty Administrator

+Assign the Microsoft Hardware Warranty Administrator role to users who need to do the following tasks:

+- Create new warranty claims for Microsoft manufactured hardware, like Surface and HoloLens

+- Search and read opened or closed warranty claims

+- Search and read warranty claims by serial number

+- Create, read, update, and delete shipping addresses

+- Read shipping status for open warranty claims

+- Create and manage service requests in the Microsoft 365 admin center

+- Read Message center announcements in the Microsoft 365 admin center

+A warranty claim is a request to have the hardware repaired or replaced in accordance with the terms of the warranty. For more information, see [Self-serve your Surface warranty & service requests](/surface/self-serve-warranty-service).

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |

+> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |

+> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

+## Microsoft Hardware Warranty Specialist

+Assign the Microsoft Hardware Warranty Specialist role to users who need to do the following tasks:

+- Create new warranty claims for Microsoft manufactured hardware, like Surface and HoloLens

+- Read warranty claims that they created

+- Read and update existing shipping addresses

+- Read shipping status for open warranty claims they created

+- Create and manage service requests in the Microsoft 365 admin center

+A warranty claim is a request to have the hardware repaired or replaced in accordance with the terms of the warranty. For more information, see [Self-serve your Surface warranty & service requests](/surface/self-serve-warranty-service).

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |

+> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

+## Organizational Messages Writer

+Assign the Organizational Messages Writer role to users who need to do the following tasks:

+- Write, publish, and delete organizational messages using Microsoft 365 admin center or Microsoft Endpoint Manager

+- Manage organizational message delivery options using Microsoft 365 admin center or Microsoft Endpoint Manager

+- Read organizational message delivery results using Microsoft 365 admin center or Microsoft Endpoint Manager

+- View usage reports and most settings in the Microsoft 365 admin center, but can't make changes

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | microsoft.office365.organizationalMessages/allEntities/allProperties/allTasks | Manage all authoring aspects of Microsoft 365 Organizational Messages |

+> | microsoft.office365.usageReports/allEntities/standard/read | Read tenant-level aggregated Office 365 usage reports |

+> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

+- Confluence: 7.0.1 to 7.20.0

+- JIRA Core and Software 6.4 to 9.1.0 or JIRA Service Desk 3.0 to 4.22.1 should installed and configured on Windows 64-bit version.

+* JIRA Core and Software: 6.4 to 9.1.0

+* Jira Core and Software: 6.0 to 9.1.0

+* Confluence: 7.0.1 to 7.20.0.

+* Jira Core and Software: 6.0 to 9.1.0.

+* Confluence: 7.0.1 to 7.20.0.

+* How multi-pod applications can be appropriately distributed across the cluster.

+> **Best practice guidance:**

+When you create your AKS cluster, you can deploy nodes with GPU support or a large number of powerful CPUs. You can use these nodes for large data processing workloads such as machine learning (ML) or artificial intelligence (AI).

+Because this node resource hardware is typically expensive to deploy, limit the workloads that can be scheduled on these nodes. Instead, dedicate some nodes in the cluster to run ingress services and prevent other workloads.

+This support for different nodes is provided by using multiple node pools. An AKS cluster supports one or more node pools.

+When you deploy a pod to an AKS cluster, Kubernetes only schedules pods on nodes whose taint aligns with the toleration. Taints and tolerations work together to ensure that pods are not scheduled onto inappropriate nodes. One or more taints are applied to a node, marking the the node so that it does not accept any pods that do not tolerate the taints.

+For example, assume you added a node pool in your AKS cluster for nodes with GPU support. You define name, such as *gpu*, then a value for scheduling. Setting this value to *NoSchedule* restricts the Kubernetes scheduler from scheduling pods with undefined toleration on the node.

+> **Best practice guidance**

+>

+ hardware:

+ values: highmem

+A node selector is a basic solution for assigning pods to a given node. *Node affinity* provides more flexibility, allowing you to define what happens if the pod can't be matched with a node. You can:

+ values:

+ - highmem

+For example, you have a web application that also uses an Azure Cache for Redis.

+* You use pod anti-affinity rules to request that the Kubernetes scheduler distributes replicas across nodes.

+* You use affinity rules to ensure each web app component is scheduled on the same host as a corresponding cache.

+Inter-pod affinity and anti-affinity provide a more complex deployment than node selectors or node affinity. With the deployment, you logically isolate resources and control how Kubernetes schedules pods on nodes.

+## Performance

+We recommend reducing container logs to warnings (`warn`) to improve for performance. Learn more in our [self-hosted gateway configuration reference](self-hosted-gateway-settings-reference.md).

+- [https://mcr.microsoft.com/windows/servercore:ltsc2022](https://mcr.microsoft.com/product/windows/servercore/about)

+- [https://mcr.microsoft.com/windows/servercore:ltsc2019](https://mcr.microsoft.com/product/windows/servercore/about)

+- [https://mcr.microsoft.com/dotnet/framework/aspnet](https://mcr.microsoft.com/product/dotnet/framework/aspnet/tags):4.8-windowsservercore-ltsc2022

+- [https://mcr.microsoft.com/dotnet/framework/aspnet](https://mcr.microsoft.com/product/dotnet/framework/aspnet/tags):4.8-windowsservercore-ltsc2019

+- [https://mcr.microsoft.com/dotnet/runtime](https://mcr.microsoft.com/product/dotnet/runtime/tags):6.0-nanoserver-ltsc2022

+- [https://mcr.microsoft.com/dotnet/runtime](https://mcr.microsoft.com/product/dotnet/runtime/tags):6.0-nanoserver-1809

+- [https://mcr.microsoft.com/dotnet/aspnet](https://mcr.microsoft.com/product/dotnet/aspnet/tags):6.0-nanoserver-ltsc2022

+- [https://mcr.microsoft.com/dotnet/aspnet](https://mcr.microsoft.com/product/dotnet/aspnet/tags):6.0-nanoserver-1809

+> If you're provisioning a **Private Endpoint** from within another tenant, you will need to utilize the Azure Application Gateway Resource ID and the _Name_ of the Frontend IP configuration as the target sub-resource. For example, if I had a private IP associated to the Application Gateway and the Name listed in Frontend IP configuration of the portal for the private IP is _PrivateFrontendIp_, the target sub-resource value would be: _PrivateFrontendIp_.

+Automated backups can be enabled by including the `--storage-class-backups` argument when creating an Azure Arc-enabled PostgreSQL server. Restore is not supported in the current preview release.

+ - To set the storage class for the backups, indicate the parameter `--storage-class-backups` followed by the name of the storage class. Excluding this parameter disables automated backups

+ - To set the storage class for the data, indicate the parameter `--storage-class-data` followed by the name of the storage class.

+ - To set the storage class for the logs, indicate the parameter `--storage-class-logs` followed by the name of the storage class.

+## Backup and restore

+Enable automated backups. Include the `--storage-class-backups` argument when you create an Azure Arc-enabled PostgreSQL server. Restore has been temporarily removed as we finalize designs and experiences.

+description: This article provides highlights for the latest release, and a history of features introduced in previous releases.

+## November 8, 2022

+### Image tag

+`v1.13.0_2022-11-08`

+For complete release version information, see [Version log](version-log.md#november-8-2022).

+New for this release:

+- Azure Arc data controller

+ - Support database as resource in Azure Arc data resource provider

+- Arc-enabled PostgreSQL server

+ - Add support for automated backups

+- `arcdata` Azure CLI extension

+ - CLI support for automated backups: Setting the `--storage-class-backups` parameter for the create command will enable automated backups

+PostgreSQL is at its best when you use it with extensions.

+For this preview, the following standard [`contrib`](https://www.postgresql.org/docs/14/contrib.html) extensions are already deployed in the containers of your Azure Arc-enabled PostgreSQL server:

+- adminpack

+- amcheck

+- autoinc

+- bloombtree_gin

+- btree_gist

+- citext

+- cube

+- dblink

+- dict_int

+- dict_xsyn

+- earthdistance

+- file_fdw

+- fuzzystrmatch

+- hstore

+- insert_username

+- intagg

+- intarray

+- isn

+- lo

+- ltree

+- moddatetime

+- old_snapshot

+- pageinspect

+- pg_buffercache

+- pg_freespacemap

+- pg_prewarm

+- pg_stat_statements

+- pg_surgery

+- pg_trgm

+- pg_visibility

+- pgcrypto

+- pgrowlocks

+- pgstattuple

+- postgres_fdw

+- refint

+- seg

+- sslinfo

+- tablefunc

+- tcn

+- tsm_system_rows

+- tsm_system_time

+- unaccent

+- xml2

+> While you may bring to your server an extension other than those listed above, in this Preview, it will not be persisted to your system. It means that it will not be available after a restart of the system and you would need to bring it again.

+Connect to your server with the client tool of your choice and run the standard PostgreSQL query:

+Connect to your server with the client tool of your choice and run the standard PostgreSQL query:

+Connect to your server with the client tool of your choice and run the standard PostgreSQL query:

+- **Try it out.** Get started quickly with [Azure Arc Jumpstart](https://github.com/microsoft/azure_arc#azure-arc-enabled-data-services) on Azure Kubernetes Service (AKS), AWS Elastic Kubernetes Service (EKS), Google Cloud Kubernetes Engine (GKE) or in an Azure VM.

+## November 8, 2022

+|Component|Value|

+|--|--|

+|Container images tag |`v1.13.0_2022-11-08`|

+|CRD names and version|`datacontrollers.arcdata.microsoft.com`: v1beta1, v1 through v6<br/>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`kafkas.arcdata.microsoft.com`: v1beta1, v1beta2<br/>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1 through v7<br/>`postgresqls.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3<br/>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1<br/>`failovergroups.sql.arcdata.microsoft.com`: v1beta1, v1beta2, v1 through v2<br/>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1, v1beta2, v1<br/>`sqlmanagedinstancereprovisionreplicatask.tasks.sql.arcdata.microsoft.com`: v1beta1<br/>`telemetrycollectors.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3 *use to be otelcollectors*<br/>`telemetryrouters.arcdata.microsoft.com`: v1beta1, v1beta2<br/>|

+|Azure Resource Manager (ARM) API version|2022-06-15-preview|

+|`arcdata` Azure CLI extension version|1.4.8 ([Download](https://aka.ms/az-cli-arcdata-ext))|

+|Arc-enabled Kubernetes helm chart extension version|1.13.0|

+|Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|<br/>1.7.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.7.0 ([Download](https://aka.ms/ads-azcli-ext))|

+- [Redisson (Java)](cache-best-practices-client-libraries.md#redisson-java)

+## Redisson (Java)

+We _recommend_ you use redisson 3.14.1 or higher. Older versions contain known connection leak issues that cause problems after failovers. Monitor the Redisson changelog for other known issues can affect features used by your application. For more information, see[`CHANGELOG`](https://github.com/redisson/redisson/blob/master/CHANGELOG.md) and the [Redisson FAQ](https://github.com/redisson/redisson/wiki/16.-FAQ).

+Other notes:

+- Redisson defaults to 'read from replica' strategy, unlike some other clients. To change this, modify the 'readMode' config setting.

+- Redisson has a connection pooling strategy with configurable minimum and maximum settings, and the default minimum values are large. The large defaults could contribute to aggressive reconnect behaviors or 'connection storms'. To reduce the risk, consider using fewer connections because you can efficiently pipeline commands, or batches of commands, over a few connections.

+- Redisson has a default idle connection timeout of 10 seconds, which leads to more closing and reopening of connections than ideal.

+Here's a recommended baseline configuration for cluster mode that you can modify as needed:

+```yml

+clusterServersConfig:

+ idleConnectionTimeout: 30000

+ connectTimeout: 15000

+ timeout: 5000

+ retryAttempts: 3

+ retryInterval: 3000

+ failedSlaveReconnectionInterval: 15000

+ failedSlaveCheckInterval: 60000

+ subscriptionsPerConnection: 5

+ clientName: "redisson"

+ loadBalancer: !<org.redisson.connection.balancer.RoundRobinLoadBalancer> {}

+ subscriptionConnectionMinimumIdleSize: 1

+ subscriptionConnectionPoolSize: 50

+ slaveConnectionMinimumIdleSize: 2

+ slaveConnectionPoolSize: 24

+ masterConnectionMinimumIdleSize: 2

+ masterConnectionPoolSize: 24

+ readMode: "MASTER"

+ subscriptionMode: "MASTER"

+ nodeAddresses:

+ - "redis://mycacheaddress:6380"

+ scanInterval: 1000

+ pingConnectionInterval: 60000

+ keepAlive: false

+ tcpNoDelay: true

+```

+Besides the reference documentation, you can find tutorials showing how to get started with Azure Cache for Redis using different languages and cache clients.

+By definition, Azure Functions executions are stateless. If you need to connect your code to services in a more stateful way, consider instead using [Durable Functions](durable/durable-functions-overview.md) or [Azure Logic Apps](../logic-apps/logic-apps-overview.md).

+> [!NOTE]

+> The Azure SQL trigger is only supported on **Premium and Dedicated** plans. Consumption is not supported.

+> [!NOTE]

+> The Azure SQL trigger is only supported on **Premium and Dedicated** plans. Consumption is not supported. Azure SQL input/output bindings are supported for all plans.

+* [Azure Service Bus](functions-bindings-service-bus.md)

+[func init]: functions-core-tools-reference.md#func-init

+|`originalId` | string |false | When the dataset is created through the [conversion service][conversion], the original ID is automatically set to the Azure Maps internal ID. When the [dataset][datasetv20220901] is created from a GeoJSON package, the original ID can be user defined. Maximum length allowed is 1,000 characters.|

+| `abbreviatedName` | string | false | A four-character abbreviated level name, like what would be found on an elevator button. |

+| `abbreviatedName` | string | false | A four-character abbreviated level name, like what would be found on an elevator button.|

+ Title: How to create Azure Maps applications using the JavaScript REST SDK (preview)

+description: How to develop applications that incorporate Azure Maps using the JavaScript SDK Developers Guide.

+# JavaScript/TypeScript REST SDK Developers Guide (preview)

+The Azure Maps JavaScript/TypeScript REST SDK (JavaScript SDK) supports searching using the [Azure Maps search Rest API][search], like searching for an address, fuzzy searching for a point of interest (POI), and searching by coordinates. This article will help you get started building location-aware applications that incorporate the power of Azure Maps.

+> [!NOTE]

+> Azure Maps JavaScript SDK supports the LTS version of Node.js. For more information, seeΓÇ»[Node.js Release Working Group][Node.js Release].

+## Prerequisites

+- [Azure Maps account][Azure Maps account].

+- [Subscription key][Subscription key] or other form of [authentication][authentication].

+- [Node.js][Node.js].

+> [!TIP]

+> You can create an Azure Maps account programmatically, Here's an example using the Azure CLI:

+>

+> ```azurecli

+> az maps account create --kind "Gen2" --account-name "myMapAccountName" --resource-group "<resource group>" --sku "G2"

+> ```

+## Install the search package

+To use Azure Maps JavaScript SDK, you'll need to install the search package. Each of the Azure Maps services including search, routing, rendering and geolocation are each in their own package.

+```powershell

+npm install @azure/maps-search

+```

+Once the package is installed, create a `search.js` file in the `mapsDemo` directory:

+```text

+mapsDemo

+```

+### Azure Maps search service

+| Service Name  | NPM package  | Samples  |

+||-|--|

+| [Search][search readme] | [Azure.Maps.Search][search package] | [search samples][search sample] |

+| [Route][js route readme] | [@azure-rest/maps-route][js route package] | [route samples][js route sample] |

+## Create a Node.js project

+The example below creates a new directory then a Node.js program named _mapsDemo_ using NPM:

+```powershell

+mkdir mapsDemo

+cd mapsDemo

+npm init

+```

+## Create and authenticate a MapsSearchClient

+You'll need a `credential` object for authentication when creating the `MapsSearchClient` object used to access the Azure Maps search APIs. You can use either an Azure Active Directory (Azure AD) credential or an Azure subscription key to authenticate. For more information on authentication, see [Authentication with Azure Maps][authentication].

+> [!TIP]

+> The`MapsSearchClient` is the primary interface for developers using the Azure Maps search library. See [Azure Maps Search client library][JS-SDK] to learn more about the search methods available.

+### Using an Azure AD credential

+You can authenticate with Azure AD using the [Azure Identity library][Identity library]. To use the [DefaultAzureCredential][defaultazurecredential] provider, you'll need to install the `@azure/identity` package:

+```powershell

+npm install @azure/identity

+```

+You'll need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources][Host daemon]. During this process you'll get an Application (client) ID, a Directory (tenant) ID, and a client secret. Copy these values and store them in a secure place. You'll need them in the following steps.

+Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Azure AD application, and the map resourceΓÇÖs client ID as environment variables:

+| Environment Variable | Description |

+|--|--|

+| AZURE_CLIENT_ID | Application (client) ID in your registered application |

+| AZURE_CLIENT_SECRET | The value of the client secret in your registered application |

+| AZURE_TENANT_ID | Directory (tenant) ID in your registered application |

+| MAPS_CLIENT_ID | The client ID in your Azure Map account |

+You can use a `.env` file for these variables. You'll need to install the [dotenv][dotenv] package:

+```powershell

+npm install dotenv

+```

+Next, add a `.env` file in the **mapsDemo** directory and specify these properties:

+```text

+AZURE_CLIENT_ID="<client-id>"

+AZURE_CLIENT_SECRET="<client-secret>"

+AZURE_TENANT_ID="<tenant-id>"

+MAPS_CLIENT_ID="<maps-client-id>"

+```

+Once your environment variables are created, you can access them in your JavaScript code:

+```JavaScript

+const { MapsSearchClient } = require("@azure/maps-search");

+const { DefaultAzureCredential } = require("@azure/identity");

+require("dotenv").config();

+

+const credential = new DefaultAzureCredential();

+const client = new MapsSearchClient(credential, process.env.MAPS_CLIENT_ID);

+```

+### Using a subscription key credential

+You can authenticate with your Azure Maps subscription key. Your subscription key can be found in the **Authentication** section in the Azure Maps account as shown in the following screenshot:

+You need to pass the subscription key to the `AzureKeyCredential` class provided by the [Azure Maps Search client library for JavaScript/TypeScript][JS-SDK]. For security reasons, it's better to specify the key as an environment variable than to include it in your source code.

+You can accomplish this by using a `.env` file to store the subscription key variable. You'll need to install the [dotenv][dotenv] package to retrieve the value:

+```powershell

+npm install dotenv

+```

+Next, add a `.env` file in the **mapsDemo** directory and specify the property:

+```text

+MAPS_SUBSCRIPTION_KEY="<subscription-key>"

+```

+Once your environment variable is created, you can access it in your JavaScript code:

+```JavaScript

+const { MapsSearchClient, AzureKeyCredential } = require("@azure/maps-search");

+require("dotenv").config();

+const credential = new AzureKeyCredential(process.env.MAPS_SUBSCRIPTION_KEY);

+const client = new MapsSearchClient(credential);

+```

+## Fuzzy search an entity

+The following code snippet demonstrates how, in a simple console application, to import the `azure-maps-search` package and perform a fuzzy search on ΓÇ£StarbucksΓÇ¥ near Seattle:

+```JavaScript

+const { MapsSearchClient, AzureKeyCredential } = require("@azure/maps-search");

+require("dotenv").config();

+

+async function main() {

+ // Authenticate with Azure Map Subscription Key

+ const credential = new AzureKeyCredential(process.env.MAPS_SUBSCRIPTION_KEY);

+ const client = new MapsSearchClient(credential);

+

+ // Setup the fuzzy search query

+ const response = await client.fuzzySearch({

+ query: "Starbucks",

+ coordinates: [47.61010, -122.34255],

+ countryCodeFilter: ["US"],

+ });

+

+ // Log the result

+ console.log(`Starbucks search result nearby Seattle:`);

+ response.results.forEach((result) => {

+ console.log(`\

+ * ${result.address.streetNumber} ${result.address.streetName}

+ ${result.address.municipality} ${result.address.countryCode} ${result.address.postalCode}

+ Coordinate: (${result.position[0].toFixed(4)}, ${result.position[1].toFixed(4)})\

+ `);

+}

+

+main().catch((err) => {

+ console.error(err);

+});

+```

+In the above code snippet, you create a `MapsSearchClient` object using your Azure credentials. This is done using your Azure Maps subscription key, however you could use the [Azure AD credential](#using-an-azure-ad-credential) discussed in the previous section. You then pass the search query and options to the `fuzzySearch` method. Search for Starbucks (`query: "Starbucks"`) near Seattle (`coordinates: [47.61010, -122.34255], countryFilter: ["US"]`). For more information, see [FuzzySearchRequest][FuzzySearchRequest] in the [Azure Maps Search client library for JavaScript/TypeScript][JS-SDK].

+The method `fuzzySearch` provided by `MapsSearchClient` will forward the request to Azure Maps REST endpoints. When the results are returned, they're written to the console. For more information, see [SearchAddressResult][SearchAddressResult].

+Run `search.js` with Node.js:

+```powershell

+node search.js

+```

+## Search an Address

+The [searchAddress][searchAddress] method can be used to get the coordinates of an address. Modify the `search.js` from the sample as follows:

+```JavaScript

+const { MapsSearchClient, AzureKeyCredential } = require("@azure/maps-search");

+require("dotenv").config();

+async function main() {

+ const credential = new AzureKeyCredential(process.env.MAPS_SUBSCRIPTION_KEY);

+ const client = new MapsSearchClient(credential);

+ const response = await client.searchAddress(

+ "1912 Pike Pl, Seattle, WA 98101, US"

+ );

+ console.log(`The coordinate is: ${response.results[0].position}`);}

+main().catch((err) => {

+ console.error(err);

+});

+```

+The results returned from `client.searchAddress` are ordered by confidence score and in this example only the first result returned with be displayed to the screen.

+## Batch reverse search

+Azure Maps Search also provides some batch query methods. These methods will return Long Running Operations (LRO) objects. The requests might not return all the results immediately, so you can wait until completion or query the result periodically. The example below demonstrates how to call batched reverse search method:

+```JavaScript

+ const poller = await client.beginReverseSearchAddressBatch([

+ // This is an invalid query

+ { coordinates: [148.858561, 2.294911] },

+ {

+ coordinates: [47.61010, -122.34255],

+ },

+ { coordinates: [47.6155, -122.33817] },

+ options: { radiusInMeters: 5000 },

+ ]);

+```

+In this example, three queries are passed into the _batched reverse search_ request. The first query is invalid, see [Handing failed requests](#handing-failed-requests) for an example showing how to handle the invalid query.

+Use the `getResult` method from the poller to check the current result. You check the status using `getOperationState` to see if the poller is still running. If it is, you can keep calling `poll` until the operation is finished:

+```JavaScript

+ while (poller.getOperationState().status === "running") {

+ const partialResponse = poller.getResult();

+ logResponse(partialResponse)

+ await poller.poll();

+ }

+```

+Alternatively, you can wait until the operation has completed, by using `pollUntilDone()`:

+```JavaScript

+const response = await poller.pollUntilDone();

+logResponse(response)

+```

+A common scenario for LRO is to resume a previous operation later. Do that by serializing the pollerΓÇÖs state with the `toString` method, and rehydrating the state with a new poller using `resumeReverseSearchAddressBatch`:

+```JavaScript

+ const serializedState = poller.toString();

+ const rehydratedPoller = await client.resumeReverseSearchAddressBatch(

+ serializedState

+ );

+ const response = await rehydratedPoller.pollUntilDone();

+ logResponse(response);

+```

+Once you get the response, you can log it:

+```JavaScript

+function logResponse(response) {

+ console.log(

+ `${response.totalSuccessfulRequests}/${response.totalRequests} succeed.`

+ );

+ response.batchItems.forEach((item, idx) => {

+ console.log(`The result for ${idx + 1}th request:`);

+ // Check if the request is failed

+ if (item.response.error) {

+ console.error(item.response.error);

+ } else {

+ item.response.results.forEach((result) => {

+ console.log(result.address.freeformAddress);

+ });

+ }

+ });

+}

+```

+### Handing failed requests

+Handle failed requests by checking for the `error` property in the response batch item. See the `logResponse` function in the completed batch reverse search example below.

+### Completed batch reverse search example

+The complete code for the reverse address batch search example:

+```JavaScript

+const { MapsSearchClient, AzureKeyCredential } = require("@azure/maps-search");

+require("dotenv").config();

+async function main() {

+ const credential = new AzureKeyCredential(process.env.MAPS_SUBSCRIPTION_KEY);

+ const client = new MapsSearchClient(credential);

+ const poller = await client.beginReverseSearchAddressBatch([

+ // This is an invalid query

+ { coordinates: [148.858561, 2.294911] },

+ {

+ coordinates: [47.61010, -122.34255],

+ },

+ { coordinates: [47.6155, -122.33817] },

+ options: { radiusInMeters: 5000 },

+ ]);

+ // Get the partial result and keep polling

+ while (poller.getOperationState().status === "running") {

+ const partialResponse = poller.getResult();

+ logResponse(partialResponse);

+ await poller.poll();

+ }

+ // You can simply wait for the operation is done

+ // const response = await poller.pollUntilDone();

+ // logResponse(response)

+ // Resume the poller

+ const serializedState = poller.toString();

+ const rehydratedPoller = await client.resumeReverseSearchAddressBatch(

+ serializedState

+ );

+ const response = await rehydratedPoller.pollUntilDone();

+ logResponse(response);

+}

+function logResponse(response) {

+ console.log(

+ `${response.totalSuccessfulRequests}/${response.totalRequests} succeed.`

+ );

+ response.batchItems.forEach((item, idx) => {

+ console.log(`The result for ${idx + 1}th request:`);

+ if (item.response.error) {

+ console.error(item.response.error);

+ } else {

+ item.response.results.forEach((result) => {

+ console.log(result.address.freeformAddress);

+ });

+ }

+ });

+}

+main().catch((err) => {

+ console.error(err);

+});

+```

+## Additional information

+- The [Azure Maps Search client library for JavaScript/TypeScript][JS-SDK].

+[JS-SDK]: /javascript/api/overview/azure/maps-search-readme?view=azure-node-preview

+[defaultazurecredential]: https://github.com/Azure/azure-sdk-for-js/tree/@azure/maps-search_1.0.0-beta.1/sdk/identity/identity#defaultazurecredential

+[searchAddress]: /javascript/api/@azure/maps-search/mapssearchclient?view=azure-node-preview#@azure-maps-search-mapssearchclient-searchaddress

+[FuzzySearchRequest]: /javascript/api/@azure/maps-search/fuzzysearchrequest?view=azure-node-preview

+[SearchAddressResult]: /javascript/api/@azure/maps-search/searchaddressresult?view=azure-node-preview

+[search]: /rest/api/maps/search

+[Node.js Release]: https://github.com/nodejs/release#release-schedule

+[Node.js]: https://nodejs.org/en/download/

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[Subscription key]: quick-demo-map-app.md#get-the-primary-key-for-your-account

+[authentication]: azure-maps-authentication.md

+[Identity library]: /javascript/api/overview/azure/identity-readme

+[Host daemon]: /azure/azure-maps/how-to-secure-daemon-app#host-a-daemon-on-non-azure-resources

+[dotenv]: https://github.com/motdotla/dotenv#readme

+[search package]: https://www.npmjs.com/package/@azure/maps-search

+[search readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-search/README.md

+[search sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-search/samples/v1-beta

+[js route readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-route-rest/README.md

+[js route package]: https://www.npmjs.com/package/@azure-rest/maps-route

+[js route sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-route-rest/samples/v1-beta

+| [Route][py route readme] | [azure-maps-route][py route package] | [route samples][py route sample] |

+| [Render][py render readme]| [azure-maps-render][py render package]|[render sample][py render sample] |

+| [Search][js search readme] | [@azure/maps-search][js search package] | [search samples][js search sample] |

+| [Route][js route readme] | [@azure/maps-route][js route package] | [route samples][js route sample] |

+[py route package]: https://pypi.org/project/azure-maps-route

+[py route readme]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/maps/azure-maps-routing/README.md

+[py route sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/maps/azure-maps-routing/samples

+[py render package]: https://pypi.org/project/azure-maps-render

+[py render readme]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/maps/azure-maps-render/README.md

+[py render sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/maps/azure-maps-render/samples

+[js search package]: https://www.npmjs.com/package/@azure/maps-search

+[js route readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-route-rest/README.md

+[js route package]: https://www.npmjs.com/package/@azure-rest/maps-route

+[js route sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-route-rest/samples/v1-beta

+>* The configuration change can take a few minutes to complete before it takes effect. All ama-logs pods in the cluster will restart.

+>* The restart is a rolling restart for all ama-logs pods. It won't restart all of them at the same time.

+A single Azure Monitor workspace can collect data from multiple sources, but there may be circumstances where you require multiple workspaces to address your particular business requirements. Azure Monitor workspace design is similar to [Log Analytics workspace design](../logs/workspace-design.md), and you choose to match that design. Since Azure Monitor workspaces currently only contain Prometheus metrics, and metric data is typically not as sensitive as log data, you may choose to further consolidate your Azure Monitor workspaces for simplicity.

+There are several reasons that you may consider creating additional workspaces including the following.

+## Limitations

+See [Azure Monitor service limits](../service-limits.md#prometheus-metrics) for performance related service limits for Azure Monitor managed service for Prometheus.

+- Private Links aren't supported for Prometheus metrics collection into Azure monitor workspace.

+- Azure monitor workspaces are currently only supported in public clouds.

+See [Azure Monitor service limits](../service-limits.md#prometheus-metrics) for performance related service limits for Azure Monitor workspaces.

+- Private Links aren't supported for data collection into Azure monitor workspace.

+You can also decompile ARM template JSON to Bicep from Visual Studio Code by using the **Decompile into Bicep** command. For more information, see [Visual Studio Code](./visual-studio-code.md#decompile-into-bicep).

+There are many benefits to defining your Azure resources in Bicep including: simpler syntax, modularization, automatic dependency management, type validation and IntelliSense, and an improved authoring experience.

+When migrating existing JSON Azure Resource Manager templates (ARM templates) to Bicep, we recommend following the five-phase workflow:

+The first step in the process is to capture an initial representation of your Azure resources. If necessary, you then decompile the JSON file to an initial Bicep file, which you improve upon by refactoring. When you have a working file, you test and deploy using a process that minimizes the risk of breaking changes to your Azure environment.

+In this article, we summarize this recommended workflow. For detailed guidance, see [Migrate Azure resources and JSON ARM templates to use Bicep](/training/modules/migrate-azure-resources-bicep/).

+1. **If required, convert the JSON representation to Bicep using the _decompile_ command.** [The Bicep tooling includes the `decompile` command to convert templates.](decompile.md) You can invoke the `decompile` command from [Visual Studio Code with the Bicep extension](./visual-studio-code.md#decompile-into-bicep), the [Azure CLI](./bicep-cli.md#decompile), or from the [Bicep CLI](./bicep-cli.md#decompile). The decompilation process is a best-effort process and doesn't guarantee a full mapping from JSON to Bicep. You may need to revise the generated Bicep file to meet your template best practices before using the file to deploy resources.

+1. **Identify and recreate any missing resources.** Not all Azure resource types can be exported through the Azure portal, Azure CLI, or Azure PowerShell. For example, virtual machine extensions such as the DependencyAgentWindows and MMAExtension (Microsoft Monitoring Agent) aren't supported resource types for export. For any resource that wasn't exported, such as virtual machine extensions, you'll need to recreate those resources in your new Bicep file. You can recreate resources using a variety of tools and approaches, including [Azure Resource Explorer](../templates/export-template-portal.md?azure-portal=true), the [Bicep and ARM template reference documentation](/azure/templates/?azure-portal=true), and the [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates?azure-portal=true) site.

+In the _refactor_ phase of migrating your resourced to Bicep, the goal is to improve the quality of your Bicep code. These enhancements may include changes such as adding code comments that align the template with your template standards.

+1. **Review resource API versions.** When you export Azure resources, the exported template may not contain the most recent API version for a resource type. If there are specific properties that you need for future deployments, update the API to the appropriate version. It's good practice to review the API versions for each exported resource.

+1. **Review the linter suggestions in your new Bicep file.** When you use the [Bicep extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep&azure-portal=true) to create Bicep files, the [Bicep linter](linter.md) runs automatically and highlights suggestions and errors in your code. Many of the suggestions and errors include an option to apply a quick fix of the issue. Review these recommendations and adjust your Bicep file.

+1. **Review child and extension resources.** There are several ways to declare [child resources](child-resource-name-type.md) and [extension resources](scope-extension-resources.md) in Bicep, including concatenating the names of your resources, using the `parent` keyword, and using nested resources. Consider reviewing these resources after decompilation and make sure the structure meets your standards. For example, ensure that you don't use string concatenation to create child resource names - you should use the `parent` property or a nested resource. Similarly, subnets can either be referenced as properties of a virtual network, or as a separate resource.

+1. **Prepare a rollback plan.** The ability to recover from a failed deployment is crucial. Create a rollback strategy in the event that any breaking changes are introduced into your environments. Take inventory of the types of resources that are deployed, such as virtual machines, web apps, and databases. Each resource's data plane should be considered as well. Do you have a way to recover a virtual machine and its data? Do you have a way to recover a database after deletion? A well-developed rollback plan will help to keep your downtime to a minimum if any issues arise from a deployment.

+1. **Deploy manually.** If you're going to use the converted template in a pipeline, such as [Azure DevOps](add-template-to-azure-pipelines.md) or [GitHub Actions](deploy-github-actions.md), consider running the deployment from your local machine first. It's preferable to test the template's functionality before incorporating it into your production pipeline. That way, you can respond quickly if there's a problem.

+1. **Run smoke tests.** After your deployment is complete, you should run a series of *smoke tests* to ensure that your application or workload is working properly. For example, test to see if your web app is accessible through normal access channels, such as the public Internet or across a corporate VPN. For databases, attempt to make a database connection and execute a series of queries. With virtual machines, log in to the virtual machine and make sure that all services are up and running.

+- [Decompile into Bicep](#decompile-into-bicep)

+When you right-click a JSON file:

+1. Save the configuration file when you're done.

+### Decompile into Bicep

+This command decompiles an ARM JSON template into a Bicep file, and places it in the same directory as the ARM JSON template. The new file has the same file name with the *.bicep* extension. If a Bicep file with the same file name already exists in the same folder, Visual Studio Code prompts you to overwrite the existing file or create a copy.

+To delete a resource group, you need access to the delete action for the **Microsoft.Resources/subscriptions/resourceGroups** resource.

+- **Images with impending end-of-life (EOL) dates:** We strongly recommended avoiding images with impending Batch support end of life (EOL) dates. These dates can be discovered via the [`ListSupportedImages` API](/rest/api/batchservice/account/listsupportedimages), [PowerShell](/powershell/module/az.batch/get-azbatchsupportedimage), or [Azure CLI](/cli/azure/batch/pool/supported-images). It's your responsibility to periodically refresh your view of the EOL dates pertinent to your pools and migrate your workloads before the EOL date occurs. If you're using a custom image with a specified node agent, ensure that you follow Batch support end-of-life dates for the image for which your custom image is derived or aligned with. An image without a specified `batchSupportEndOfLife` date indicates that such a date has not been determined yet by the Batch service. Absence of a date does not indicate that the respective image will be supported indefinitely. An EOL date may be added or updated in the future at anytime.

+Before you recreate or resize your pool, you should download any node agent logs for debugging purposes if you're experiencing issues with your Batch pool or compute nodes. This process is further discussed in the [Nodes](#nodes) section.

+Any HTTP requests with 5xx level status codes along with a "Connection: close" header in the response requires adjusting your Batch service client behavior. Your Batch service client should observe the recommendation by closing the existing connection, re-resolving DNS for the Batch account service URL, and attempt following requests on a new connection.

+* [Python version 3.7+](https://www.python.org/downloads/)

+> `outputFormat` is also optional. By default, the audio output is set to `riff-24khz-16bit-mono-pcm`. For more information about supported audio output formats, see [Audio output formats](#audio-output-formats).

+ 'outputformat': 'riff-24khz-16bit-mono-pcm',

+ "outputFormat": "riff-24khz-16bit-mono-pcm",

+ "outputFormat": "riff-24khz-16bit-mono-pcm",

+ "outputFormat": "riff-24khz-16bit-mono-pcm",

+> The default audio format is riff-24khz-16bit-mono-pcm.

+## Download the quickstart trained model.

+If you'd like download a Personalizer model that has been trained on 5,000 events from the QuickStart example, you can visit the [Azure-Samples repository](https://github.com/Azure-Samples/cognitive-services-personalizer-samples/tree/master/quickstarts) and download the model zip file, then upload this to your Personalizer instance under the "Setup" -> "Model Import/Export" section.

+## Create a Python application

+ Title: Verify if an application is active in multiple tabs of a browser

+description: Learn how to detect if an application is active in multiple tabs of a browser using the Azure Communication Services Calling SDK for JavaScript

+# How to detect if an application using Azure Communication Services' SDK is active in multiple tabs of a browser

+Based on best practices, your application should not connect to calls from multiple browser tabs simultaneously. Handling multiple calls on multiple tabs of a browser on mobile can cause undefined behavior due to resource allocation for microphone and camera on the device.

+In order to detect if an application is active in multiple tabs of a browser, a developer can use the method `isCallClientActiveInAnotherTab` and the event `isCallClientActiveInAnotherTabChanged` of a `CallClient` instance.

+```javascript

+const callClient = new CallClient();

+// Check if an application is active in multiple tabs of a browser

+const isCallClientActiveInAnotherTab = callClient.feature(SDK.Features.DebugInfo).isCallClientActiveInAnotherTab;

+...

+// Subscribe to the event to listen for changes

+callClient.feature(Features.DebugInfo).on('isCallClientActiveInAnotherTabChanged', () => {

+ // callback();

+});

+...

+// Unsubscribe from the event to stop listening for changes

+callClient.feature(Features.DebugInfo).off('isCallClientActiveInAnotherTabChanged', () => {

+ // callback();

+});

+```

+> Container group deployment to a virtual network is generally available for Linux and Windows containers, in most regions where Azure Container Instances is available. For more details on which regions have virtual network capabilities, see [Regions and resource availability](container-instances-region-availability.md).

+1. If **high availability and low latency reads** are required, use the **NEAREST** read preference mode. This setting directs the read operations to the nearest available region. Note that if the nearest region is the WRITE region, then these operations are directed to that region.

+For applications with a primary read/write region and a secondary region for disaster recovery (DR) scenarios, we recommend setting your collection's read preference to *primary preferred*. A read preference of *primary preferred* is configured to read from the secondary region when the primary region is unavailable.

+### To activate an enrollment account with a .onmicrosoft.com email account

+If you're a new EA account owner with a .onmicrosoft.com email account, you might not have a forwarding email address by default. In that situation, you might not receive the activation email. If this situation applies to you, use the following steps to activate your account ownership.

+1. Sign into the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/AllBillingScopes).

+1. Navigate to **Cost Management + Billing** and select a billing scope.

+1. Select your account.

+1. In the left menu under **Settings**, select **Activate Account**.

+1. On the Activate Account page, select **Yes, I wish to continue** and the select **Activate this account**.

+ :::image type="content" source="./media/direct-ea-administration/activate-account.png" alt-text="Screenshot showing the Activate Account page for onmicrosoft.com accounts." lightbox="./media/direct-ea-administration/activate-account.png" :::

+1. After the activation process completes, copy and paste the following link to your browser. The page will open and create a subscription that's associated with your enrollment.

+ `https://signup.azure.com/signup?offer=MS-AZR-0017P&appId=IbizaCatalogBlade`

+### Error code: ADLSGen2ForbiddenError

+- **Message**: `ADLS Gen2 failed for forbidden: Storage operation % on % get failed with 'Operation returned an invalid status code 'Forbidden'.`

+- **Cause**: There are two possible causes:

+ 1. The integration runtime is blocked by network access in Azure storage account firewall settings.

+ 2. The service principal or managed identity doesnΓÇÖt have enough permission to access the data.

+- **Recommendation**:

+ 1. Check your Azure storage account network settings to see whether the public network access is disabled. If disabled, use a managed virtual network integration runtime and create a private endpoint to access. For more information, see [Managed virtual network](managed-virtual-network-private-endpoint.md) and [Build a copy pipeline using managed VNet and private endpoints](tutorial-copy-data-portal-private.md).

+ 1. If you have enabled selected virtual networks and IP addresses in your Azure storage account network setting:

+ 1. It's possible because some IP address ranges of your integration runtime are not allowed by your storage account firewall settings. Add the Azure integration runtime IP addresses or the self-hosted integration runtime IP address to your storage account firewall. For Azure integration runtime IP addresses, see [Azure Integration Runtime IP addresses](azure-integration-runtime-ip-addresses.md), and to learn how to add IP ranges in the storage account firewall, see [Managing IP network rules](../storage/common/storage-network-security.md#managing-ip-network-rules).

+ 1. If you allow trusted Azure services to access this storage account in the firewall, you must use [managed identity authentication](connector-azure-data-lake-storage.md#managed-identity) in copy activity.

+ For more information about the Azure storage account firewalls settings, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md).

+ 1. If you use service principal or managed identity authentication, grant service principal or managed identity appropriate permissions to do copy. For source, at least the **Storage Blob Data Reader** role. For sink, at least the **Storage Blob Data Contributor** role. For more information, see [Copy and transform data in Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#service-principal-authentication).

+Run `npm run build export <rootFolder> <factoryId> [outputFolder]` to export the ARM template by using the resources of a given folder. This command also runs a validation check prior to generating the ARM template. Here's an example using a resource group named **testResourceGroup**:

+1. Checkpoint key is used to set the checkpoint when data flow is used for changed data capture. You can overwrite it. Data flow activities use a guid value as checkpoint key instead of ΓÇ£pipeline name + activity nameΓÇ¥ so that it can always keep tracking customerΓÇÖs change data capture state even thereΓÇÖs any renaming actions. All existing data flow activity will use the old pattern key for backward compatibility. Checkpoint key option after publishing a new data flow activity with change data capture enabled data flow resource is shown as below.

+1. Any activity outputs are displayed and can be used when defining your dynamic content by selecting them in the **Pipeline expression builder** pane.

+> You can use [SDK](/dotnet/api/microsoft.azure.management.synapse?preserve-view=true&view=azure-dotnet-preview)/ [PowerShell](/powershell/module/az.synapse/?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext&view=azps-9.1.0)/ [REST APIs](/rest/api/synapse/) for the above actions.

+- **Recommendation**: Log in to Azure Cosmos DB account, and manually change container throughput to be auto scale or add a custom activity after mapping data flows to reset the throughput.

+### Error code: DF-CSVWriter-InvalidQuoteSetting

+- **Message**: Job failed while writing data with error: Quote character and escape character cannot be empty if column value contains column delimiter

+- **Cause**: Both quote characters and escape characters are empty when the column value contains column delimiter.

+- **Recommendation**: Set your quote character or escape character.

+### Error code: DF-Dynamics-InvalidNullAlternateKeyColumn

+- **Message**: Any column value of alternate Key can't be NULL.

+- **Cause**: Your alternate key column value can't be null.

+- **Recommendation**: Confirm that your column value of your alternate key is not NULL.

+### Error code: DF-Dynamics-TooMuchAlternateKey

+- **Cause**: One lookup field with more than one alternate key reference is not valid.

+- **Recommendation**: Check your schema mapping and confirm that each lookup field has a single alternate key.

+### Error code: DF-Executor-UnauthorizedStorageAccess

+- **Cause**: You are not permitted to access the storage account either due to missing roles for managed identity/service principal authentication or network firewall settings.

+- **Recommendation**: When using managed identity/service principal authentication,

+ 1. For source: In Storage Explorer, grant the managed identity/service principal at least **Execute** permission for ALL upstream folders and the file system, along with **Read** permission for the files to copy. Alternatively, in Access control (IAM), grant the managed identity/service principal at least the **Storage Blob Data Reader** role.

+ 2. For sink: In Storage Explorer, grant the managed identity/service principal at least **Execute** permission for ALL upstream folders and the file system, along with **Write** permission for the sink folder. Alternatively, in Access control (IAM), grant the managed identity/service principal at least the **Storage Blob Data Contributor** role. <br>

+ Also please ensure that the network firewall settings in the storage account are configured correctly, as turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses.

+### Error code: DF-Executor-UnreachableStorageAccount

+- **Message**: System is not able to resolve the IP address of the host. Please verify that your host name is correct or check if your DNS server is able to resolve the host to an IP address successfully

+- **Cause**: Unable to reach the given storage account.

+- **Recommendation**: Check the name of the storage account and make sure the storage account exists.

+### Error code: DF-SAPODP-DataflowSystemError

+- **Recommendation**: Reconfigure the activity and run it again. If the issue persists, you can contact Microsoft support for further assistance.

+### Error code: DF-SAPODP-DataParsingFailed

+- **Cause**: Mostly you have hidden column settings in your SAP table. When you use SAP mapping data flow to read data from SAP server, it returns all the schema (columns, including hidden ones), but returned data do not contain related values. So, data misalignment happened and led to parse value issue or wrong data value issue.

+- **Recommendation**: There are two recommendations for this issue：

+ 1. Remove hidden settings from the related column(s) through SAP GUI.

+ 2. If you want to keep existed SAP settings unchanged, use hidden feature (manually add DSL property `enableProjection:true` in script) in SAP mapping data flow to filter the hidden column(s) and continue to read data.

+- **Cause**: SAP Table connector has its limitation for big table extraction. SAP Table underlying relies on an RFC which will read all the data from the table into the memory of SAP system, so out of memory (OOM) issue will happen when extracting big tables.

+ Title: Incrementally copy data by using change tracking in the Azure portal

+description: Learn how to create a data factory with a pipeline that loads delta data based on change tracking information from Azure SQL Database and moves it to Azure Blob Storage.

+# Incrementally copy data from Azure SQL Database to Blob Storage by using change tracking in the Azure portal

+In a data integration solution, incrementally loading data after initial data loads is a widely used scenario. The changed data within a period in your source data store can be easily sliced (for example, `LastModifyTime`, `CreationTime`). But in some cases, there's no explicit way to identify the delta data from the last time that you processed the data. You can use the change tracking technology supported by data stores such as Azure SQL Database and SQL Server to identify the delta data.

+This tutorial describes how to use Azure Data Factory with change tracking to incrementally load delta data from Azure SQL Database into Azure Blob Storage. For more information about change tracking, see [Change tracking in SQL Server](/sql/relational-databases/track-changes/about-change-tracking-sql-server).

+## High-level solution

+In this tutorial, you create two pipelines that perform the following operations.

+> This tutorial uses Azure SQL Database as the source data store. You can also use SQL Server.

+1. **Initial loading of historical data**: You create a pipeline with a copy activity that copies the entire data from the source data store (Azure SQL Database) to the destination data store (Azure Blob Storage):

+ 1. Enable change tracking technology in the source database in Azure SQL Database.

+ 2. Get the initial value of `SYS_CHANGE_VERSION` in the database as the baseline to capture changed data.

+ 3. Load full data from the source database into Azure Blob Storage.

+ :::image type="content" source="media/tutorial-incremental-copy-change-tracking-feature-portal/full-load-flow-diagram.png" alt-text="Diagram that shows full loading of data.":::

+1. **Incremental loading of delta data on a schedule**: You create a pipeline with the following activities and run it periodically:

+ 1. Create *two lookup activities* to get the old and new `SYS_CHANGE_VERSION` values from Azure SQL Database.

+ 2. Create *one copy activity* to copy the inserted, updated, or deleted data (the delta data) between the two `SYS_CHANGE_VERSION` values from Azure SQL Database to Azure Blob Storage.

+ You load the delta data by joining the primary keys of changed rows (between two `SYS_CHANGE_VERSION` values) from `sys.change_tracking_tables` with data in the source table, and then move the delta data to the destination.

+ 3. Create *one stored procedure activity* to update the value of `SYS_CHANGE_VERSION` for the next pipeline run.

+ :::image type="content" source="media/tutorial-incremental-copy-change-tracking-feature-portal/incremental-load-flow-diagram.png" alt-text="Diagram that shows incremental loading of data.":::

+## Prerequisites

+* **Azure subscription**. If you don't have one, create a [free account](https://azure.microsoft.com/free/) before you begin.

+* **Azure SQL Database**. You use a database in Azure SQL Database as the *source* data store. If you don't have one, see [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) for steps to create it.

+* **Azure storage account**. You use Blob Storage as the *sink* data store. If you don't have an Azure storage account, see [Create a storage account](../storage/common/storage-account-create.md) for steps to create one. Create a container named *adftutorial*.

+## Create a data source table in Azure SQL Database

+1. Open SQL Server Management Studio, and connect to SQL Database.

+2. In Server Explorer, right-click your database, and then select **New Query**.

+3. Run the following SQL command against your database to create a table named `data_source_table` as the source data store:

+4. Enable change tracking on your database and the source table (`data_source_table`) by running the following SQL query.

+ > - Replace `<your database name>` with the name of the database in Azure SQL Database that has `data_source_table`.

+ > - The changed data is kept for two days in the current example. If you load the changed data for every three days or more, some changed data is not included. You need to either change the value of `CHANGE_RETENTION` to a bigger number or ensure that your period to load the changed data is within two days. For more information, see [Enable change tracking for a database](/sql/relational-databases/track-changes/enable-and-disable-change-tracking-sql-server#enable-change-tracking-for-a-database).

+5. Create a new table and store called `ChangeTracking_version` with a default value by running the following query:

+ > If the data is not changed after you enable change tracking for SQL Database, the value of the change tracking version is `0`.

+6. Run the following query to create a stored procedure in your database. The pipeline invokes this stored procedure to update the change tracking version in the table that you created in the previous step.

+

+## Create a data factory

+1. Open the Microsoft Edge or Google Chrome web browser. Currently, only these browsers support the Data Factory user interface (UI).

+1. In the [Azure portal](https://ms.portal.azure.com/), on the left menu, select **Create a resource**.

+1. Select **Integration** > **Data Factory**.

+ 

+1. On the **New data factory** page, enter **ADFTutorialDataFactory** for the name.

+

+ The name of data factory must be globally unique. If you get an error that says the name that you chose is not available, change the name (for example, to **yournameADFTutorialDataFactory**) and try creating the data factory again. For more information, see [Azure Data Factory naming rules](naming-rules.md).

+

+1. Select the Azure subscription in which you want to create the data factory.

+1. For **Resource Group**, take one of the following steps:

+ - Select **Use existing**, and then select an existing resource group from the dropdown list.

+ - Select **Create new**, and then enter the name of a resource group.

+

+ To learn about resource groups, see [Using resource groups to manage your Azure resources](../azure-resource-manager/management/overview.md).

+1. For **Version**, select **V2**.

+1. For **Region**, select the region for the data factory.

+ The dropdown list displays only locations that are supported. The data stores (for example, Azure Storage and Azure SQL Database) and computes (for example, Azure HDInsight) that a data factory uses can be in other regions.

+1. Select **Next: Git configuration**. Set up the repository by following the instructions in [Configuration method 4: During factory creation](/azure/data-factory/source-control#configuration-method-4-during-factory-creation), or select the **Configure Git later** checkbox.

+ 

+1. Select **Review + create**.

+1. Select **Create**.

+ On the dashboard, the **Deploying Data Factory** tile shows the status.

+ :::image type="content" source="media/tutorial-incremental-copy-change-tracking-feature-portal/deploying-data-factory.png" alt-text="Screenshot of the tile that shows the status of deploying a data factory.":::

+1. After the creation is complete, the **Data Factory** page appears. Select the **Launch studio** tile to open the Azure Data Factory UI on a separate tab.

+## Create linked services

+You create linked services in a data factory to link your data stores and compute services to the data factory. In this section, you create linked services to your Azure storage account and your database in Azure SQL Database.

+### Create an Azure Storage linked service

+To link your storage account to the data factory:

+1. In the Data Factory UI, on the **Manage** tab, under **Connections**, select **Linked services**. Then select **+ New** or the **Create linked service** button.

+ 

+1. In the **New Linked Service** window, select **Azure Blob Storage**, and then select **Continue**.

+1. Enter the following information:

+ 1. For **Name**, enter **AzureStorageLinkedService**.

+ 1. For **Connect via integration runtime**, select the integration runtime.

+ 1. For **Authentication type**, select an authentication method.

+ 1. For **Storage account name**, select your Azure storage account.

+1. Select **Create**.

+### Create an Azure SQL Database linked service

+To link your database to the data factory:

+1. In the Data Factory UI, on the **Manage** tab, under **Connections**, select **Linked services**. Then select **+ New**.

+1. In the **New Linked Service** window, select **Azure SQL Database**, and then select **Continue**.

+1. Enter the following information:

+ 1. For **Name**, enter **AzureSqlDatabaseLinkedService**.

+ 1. For **Server name**, select your server.

+ 1. For **Database name**, select your database.

+ 1. For **Authentication type**, select an authentication method. This tutorial uses SQL authentication for demonstration.

+ 1. For **User name**, enter the name of the user.

+ 1. For **Password**, enter a password for the user. Or, provide the information for **Azure Key Vault - AKV linked service**, **Secret name**, and **Secret version**.

+1. Select **Test connection** to test the connection.

+1. Select **Create** to create the linked service.

+ 

+In this section, you create datasets to represent the data source and data destination, along with the place to store the `SYS_CHANGE_VERSION` values.

+1. In the Data Factory UI, on the **Author** tab, select the plus sign (**+**). Then select **Dataset**, or select the ellipsis for dataset actions.

+

+ 

+1. Select **Azure SQL Database**, and then select **Continue**.

+1. In the **Set Properties** window, take the following steps:

+ 1. For **Name**, enter **SourceDataset**.

+ 1. For **Linked service**, select **AzureSqlDatabaseLinkedService**.

+ 1. For **Table name**, select **dbo.data_source_table**.

+ 1. For **Import schema**, select the **From connection/store** option.

+ 1. Select **OK**.

+ 

+### Create a dataset to represent data copied to the sink data store

+In the following procedure, you create a dataset to represent the data that's copied from the source data store. You created the *adftutorial* container in Azure Blob Storage as part of the prerequisites. Create the container if it doesn't exist, or set it to the name of an existing one. In this tutorial, the output file name is dynamically generated from the expression `@CONCAT('Incremental-', pipeline().RunId, '.txt')`.

+1. In the Data Factory UI, on the **Author** tab, select **+**. Then select **Dataset**, or select the ellipsis for dataset actions.

+ 

+1. Select **Azure Blob Storage**, and then select **Continue**.

+1. Select the format of the data type as **DelimitedText**, and then select **Continue**.

+1. In the **Set properties** window, take the following steps:

+ 1. For **Name**, enter **SinkDataset**.

+ 1. For **Linked service**, select **AzureBlobStorageLinkedService**.

+ 1. For **File path**, enter **adftutorial/incchgtracking**.

+ 1. Select **OK**.

+1. After the dataset appears in the tree view, go to the **Connection** tab and select the **File name** text box. When the **Add dynamic content** option appears, select it.

+

+ 

+1. The **Pipeline expression builder** window appears. Paste `@concat('Incremental-',pipeline().RunId,'.csv')` in the text box.

+1. Select **OK**.

+In the following procedure, you create a dataset for storing the change tracking version. You created the `table_store_ChangeTracking_version` table as part of the prerequisites.

+1. In the Data Factory UI, on the **Author** tab, select **+**, and then select **Dataset**.

+1. Select **Azure SQL Database**, and then select **Continue**.

+1. In the **Set Properties** window, take the following steps:

+ 1. For **Name**, enter **ChangeTrackingDataset**.

+ 1. For **Linked service**, select **AzureSqlDatabaseLinkedService**.

+ 1. For **Table name**, select **dbo.table_store_ChangeTracking_version**.

+ 1. For **Import schema**, select the **From connection/store** option.

+ 1. Select **OK**.

+In the following procedure, you create a pipeline with a copy activity that copies the entire data from the source data store (Azure SQL Database) to the destination data store (Azure Blob Storage):

+1. In the Data Factory UI, on the **Author** tab, select **+**, and then select **Pipeline** > **Pipeline**.

+ 

+1. A new tab appears for configuring the pipeline. The pipeline also appears in the tree view. In the **Properties** window, change the name of the pipeline to **FullCopyPipeline**.

+1. In the **Activities** toolbox, expand **Move & transform**. Take one of the following steps:

+ - Drag the copy activity to the pipeline designer surface.

+ - On the search bar under **Activities**, search for the copy data activity, and then set the name to **FullCopyActivity**.

+1. Switch to the **Source** tab. For **Source Dataset**, select **SourceDataset**.

+1. Switch to the **Sink** tab. For **Sink Dataset**, select **SinkDataset**.

+1. To validate the pipeline definition, select **Validate** on the toolbar. Confirm that there is no validation error. Close the pipeline validation output.

+1. To publish entities (linked services, datasets, and pipelines), select **Publish all**. Wait until you see the **Successfully published** message.

+ :::image type="content" source="./media/tutorial-incremental-copy-change-tracking-feature-portal/publishing-succeeded.png" alt-text="Screenshot of the message that says publishing succeeded.":::

+1. To see notifications, select the **Show Notifications** button.

+1. In the Data Factory UI, on the toolbar for the pipeline, select **Add trigger**, and then select **Trigger now**.

+ 

+1. In the **Pipeline run** window, select **OK**.

+ 

+1. In the Data Factory UI, select the **Monitor** tab. The pipeline run and its status appear in the list. To refresh the list, select **Refresh**. Hover over the pipeline run to get the **Rerun** or **Consumption** option.

+

+ 

+1. To view activity runs associated with the pipeline run, select the pipeline name from the **Pipeline name** column. There's only one activity in the pipeline, so there's only one entry in the list. To switch back to the view of pipeline runs, select the **All pipeline runs** link at the top.

+The *incchgtracking* folder of the *adftutorial* container includes a file named `incremental-<GUID>.csv`.

+

+Run the following query against your database to add a row and update a row:

+In the following procedure, you create a pipeline with activities and run it periodically. When you run the pipeline:

+- The *lookup activities* get the old and new `SYS_CHANGE_VERSION` values from Azure SQL Database and pass them to the copy activity.

+- The *copy activity* copies the inserted, updated, or deleted data between the two `SYS_CHANGE_VERSION` values from Azure SQL Database to Azure Blob Storage.

+- The *stored procedure activity* updates the value of `SYS_CHANGE_VERSION` for the next pipeline run.

+1. In the Data Factory UI, switch to the **Author** tab. Select **+**, and then select **Pipeline** > **Pipeline**.

+

+ 

+2. A new tab appears for configuring the pipeline. The pipeline also appears in the tree view. In the **Properties** window, change the name of the pipeline to **IncrementalCopyPipeline**.

+3. Expand **General** in the **Activities** toolbox. Drag the lookup activity to the pipeline designer surface, or search in the **Search activities** box. Set the name of the activity to **LookupLastChangeTrackingVersionActivity**. This activity gets the change tracking version used in the last copy operation that's stored in the `table_store_ChangeTracking_version` table.

+4. Switch to the **Settings** tab in the **Properties** window. For **Source Dataset**, select **ChangeTrackingDataset**.

+5. Drag the lookup activity from the **Activities** toolbox to the pipeline designer surface. Set the name of the activity to **LookupCurrentChangeTrackingVersionActivity**. This activity gets the current change tracking version.

+6. Switch to the **Settings** tab in the **Properties** window, and then take the following steps:

+ 1. For **Source dataset**, select **SourceDataset**.

+ 2. For **Use query**, select **Query**.

+ 3. For **Query**, enter the following SQL query:

+ 

+7. In the **Activities** toolbox, expand **Move & transform**. Drag the copy data activity to the pipeline designer surface. Set the name of the activity to **IncrementalCopyActivity**. This activity copies the data between the last change tracking version and the current change tracking version to the destination data store.

+8. Switch to the **Source** tab in the **Properties** window, and then take the following steps:

+ 1. For **Source dataset**, select **SourceDataset**.

+ 2. For **Use query**, select **Query**.

+ 3. For **Query**, enter the following SQL query:

+ 

+9. Switch to the **Sink** tab. For **Sink Dataset**, select **SinkDataset**.

+10. Connect both lookup activities to the copy activity one by one. Drag the green button that's attached to the lookup activity to the copy activity.

+11. Drag the stored procedure activity from the **Activities** toolbox to the pipeline designer surface. Set the name of the activity to **StoredProceduretoUpdateChangeTrackingActivity**. This activity updates the change tracking version in the `table_store_ChangeTracking_version` table.

+12. Switch to the **Settings** tab, and then take the following steps:

+ 1. For **Linked service**, select **AzureSqlDatabaseLinkedService**.

+ 4. In the **Stored procedure parameters** section, specify the following values for the parameters:

+ | Name | Type | Value |

+ | - | - | -- |

+ | `CurrentTrackingVersion` | Int64 | `@{activity('LookupCurrentChangeTrackingVersionActivity').output.firstRow.CurrentChangeTrackingVersion}` |

+ | `TableName` | String | `@{activity('LookupLastChangeTrackingVersionActivity').output.firstRow.TableName}` |

+ 

+13. Connect the copy activity to the stored procedure activity. Drag the green button that's attached to the copy activity to the stored procedure activity.

+14. Select **Validate** on the toolbar. Confirm that there are no validation errors. Close the **Pipeline Validation Report** window.

+15. Publish entities (linked services, datasets, and pipelines) to the Data Factory service by selecting the **Publish all** button. Wait until the **Publishing succeeded** message appears.

+ 

+1. Select **Add trigger** on the toolbar for the pipeline, and then select **Trigger now**.

+ 

+1. Select the **Monitor** tab. The pipeline run and its status appear in the list. To refresh the list, select **Refresh**.

+ 

+1. To view activity runs associated with the pipeline run, select the **IncrementalCopyPipeline** link in the **Pipeline name** column. The activity runs appear in a list.

+ 

+The second file appears in the *incchgtracking* folder of the *adftutorial* container.

+

+The file should have only the delta data from your database. The record with `U` is the updated row in the database, and `I` is the one added row.

+The first three columns are changed data from `data_source_table`. The last two columns are the metadata from the table for the change tracking system. The fourth column is the `SYS_CHANGE_VERSION` value for each changed row. The fifth column is the operation: `U` = update, `I` = insert. For details about the change tracking information, see [CHANGETABLE](/sql/relational-databases/system-functions/changetable-transact-sql).

+Advance to the following tutorial to learn about copying only new and changed files, based on `LastModifiedDate`:

+> [!div class="nextstepaction"]

+> [Incrementally copy new and changed files based on LastModifiedDate by using the Copy Data tool](tutorial-incremental-copy-lastmodified-copy-data-tool.md)

+

+Perform the following steps to connect and unlock your disks.

+ > [!NOTE]

+ > Don't format or modify the contents or existing file structure of the disk.

+Perform the following steps to connect and unlock your disks.

+ > [!NOTE]

+ > Don't format or modify the contents or existing file structure of the disk.

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%2520DDoS%2520Protection%2FAlert%2520-%2520DDOS%2520Mitigation%2520started%2520azure%2520monitor%2520alert%2FDDoSMitigationStarted.json)

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%2520DDoS%2520Protection%2FAutomation%2520-%2520DDoS%2520Mitigation%2520Alert%2520Enrichment%2FEnrich-DDoSAlert.json)

+ Title: Get Azure recommendations for your SQL Server migration

+description: Learn how to use the Azure SQL Migration extension in Azure Data Studio to get SKU recommendation when you migrate SQL Server databases to the Azure SQL Managed Instance, SQL Server on Azure Virtual Machines, or Azure SQL Database.

+# Get Azure recommendations to migrate your SQL Server database (preview)

+Learn how to use the unified experience in the [Azure SQL Migration extension for Azure Data Studio](/sql/azure-data-studio/extensions/azure-sql-migration-extension) to assess your database requirements, get right-sized SKU recommendations for Azure resources, and migrate your SQL Server databases to Azure.

+Before you migrate your SQL Server databases to Azure, it's important to assess the databases to identify any potential migration issues. You can remediate anticipated issues, and then confidently migrate your databases to Azure.

+It's equally important to identify the right-sized Azure resource to migrate to so that your database workload performance requirements are met with minimal cost.

+The Azure SQL Migration extension for Azure Data Studio provides both the assessment and SKU recommendations when you're trying to choose the best option to migrate your SQL Server databases to Azure SQL Managed Instance, SQL Server on Azure Virtual Machines, or Azure SQL Database (preview). The extension has an intuitive interface to help you efficiently run the assessment and generate recommendations.

+> Assessment and the Azure recommendation feature in the Azure SQL Migration extension for Azure Data Studio supports source SQL Server instances running on Windows or Linux.

+## Prerequisites

+To get an Azure recommendation for your SQL Server database migration, you must meet the following prerequisites:

+- [Download and install Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/sql/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+- Ensure that the logins that you use to connect the source SQL Server instance are members of the SYSADMIN server role or have CONTROL SERVER permissions.

+The Azure SQL Migration extension first collects performance data from your SQL Server instance. Then, it analyzes the data to generate a recommended SKU for Azure SQL Managed Instance, SQL Server on Azure Virtual Machines, or Azure SQL Database. The SKU recommendation is designed to meet your database performance requirements at the lowest cost in the Azure service.

+The following diagram shows the workflow for data collection and SKU recommendations:

+The following list describes each step in the workflow:

+(1) **Performance data collection**: To start the performance data collection process in the migration wizard, select **Get Azure recommendation** and choose the option to collect performance data. Enter the folder path where the collected data will be saved, and then select **Start**.

+

+When you start the data collection process in the migration wizard, the Azure SQL Migration extension for Azure Data Studio collects data from your SQL Server instance. The data collection includes hardware configuration and aggregated SQL Server-specific performance data from system Dynamic Management Views like CPU utilization, memory utilization, storage size, input/output (I/O), throughput, and I/O latency.

+> [!IMPORTANT]

+>

+> - The data collection process runs for 10 minutes to generate the first recommendation. It's important to start the data collection process when your active database workload reflects usage that's similar to your production scenarios.

+> - After the first recommendation is generated, you can continue to run the data collection process to refine recommendations. This option is especially useful if your usage patterns vary over time.

+(2) **Save generated data files locally**: The performance data is periodically aggregated and written to the local folder that you selected in the migration wizard. You typically see a set of CSV files with the following suffixes in the folder:

+- **_CommonDbLevel_Counters.csv** : Contains static configuration data about the database file layout and metadata.

+- **_CommonInstanceLevel_Counters.csv** : Contains static data about the hardware configuration of the server instance.

+- **_PerformanceAggregated_Counters.csv** : Contains aggregated performance data that's updated frequently.

+(3) **Analyze and recommend SKU**: The SKU recommendation process analyzes the captured common and performance data to recommend the minimum configuration with the least cost that will meet your database's performance requirements. You can also view details about the reason behind the recommendation and the source properties that were analyzed. *For SQL Server on Azure Virtual Machines, the process also includes a recommendation for storage configuration for data files, log files, and tempdb.*

+You can use optional parameters as inputs about the production workload to refine recommendations:

+- **Scale factor**: Scale (*comfort*) factor is used to inflate or deflate a SKU recommendation based on your understanding of the production workload. For example, if you determine that a four-vCore CPU requirement has a scale factor of 150%, the true CPU requirement is six vCores. The default scale factor volume is 100%.

+- **Percentage utilization**: The percentile of data points to be used as performance data is aggregated. The default value is the 95th percentile.

+- **Enable preview features**: Enabling this option includes the latest hardware generations that have improved performance and scalability. Currently, these SKUs are in preview, and they might not be available yet in all regions. This option is enabled by default.

+> [!IMPORTANT]

+> The data collection process terminates if you close Azure Data Studio. The data that was collected up to that point is saved in your folder.

+>

+> If you close Azure Data Studio while data collection is in progress, use one of the following options to restart data collection:

+>

+> - Reopen Azure Data Studio and import the data files that are saved in your local folder. Then, generate a recommendation from the collected data.

+> - Reopen Azure Data Studio and start data collection again by using the migration wizard.

+You can import any existing performance data that you collected earlier by using the Azure SQL Migration extension or by using the [console application in Data Migration Assistant](/sql/dma/dma-sku-recommend-sql-db).

+In the migration wizard, enter the folder path where the performance data files are saved. Then, select **Start** to view the recommendation and related details.

+- Learn how to [migrate databases by using the Azure SQL Migration extension in Azure Data Studio](migration-using-azure-data-studio.md).

+ Title: Migrate databases by using the Azure SQL Migration extension for Azure Data Studio

+description: Learn how to use the Azure SQL Migration extension in Azure Data Studio to migrate databases with Azure Database Migration Service.

+# Migrate databases by using the Azure SQL Migration extension for Azure Data Studio

+Learn how to use the unified experience in [Azure SQL Migration extension for Azure Data Studio](/sql/azure-data-studio/extensions/azure-sql-migration-extension) to assess your database requirements, get right-sized SKU recommendations for Azure resources, and migrate your SQL Server database to Azure.

+The Azure SQL Migration extension for Azure Data Studio offers these key benefits:

+- A responsive UI for an end-to-end migration experience. The extension starts with a migration readiness assessment and SKU recommendation (preview) (based on performance data).

+- An enhanced assessment mechanism that can evaluate SQL Server instances. The extension identifies databases that are ready to migrate to Azure SQL targets.

+ > [!NOTE]

+ > You can use the Azure SQL Migration extension to assess SQL Server databases running on Windows or Linux.

+- An SKU recommendation engine that collects performance data from the on-premises source SQL Server instance and then generates right-sized SKU recommendations based on your Azure SQL target.

+- You can run your migration online (for migrations that require minimal downtime) or offline (for migrations where downtime persists through the migration) depending on your business requirements.

+- You can create and configure a self-hosted integration runtime to use your own compute resources to access the source SQL Server instance and backups in your on-premises environment.

+For information about specific migration scenarios and Azure SQL targets, see the list of tutorials in the following table:

+SQL Server to SQL Server on an Azure virtual machine|[Online](./tutorial-sql-server-to-virtual-machine-online-ads.md) / [Offline](./tutorial-sql-server-to-virtual-machine-offline-ads.md)

+SQL Server to Azure SQL Database (preview)| [Offline](./tutorial-sql-server-azure-sql-database-offline-ads.md)

+> If your target is Azure SQL Database, make sure you deploy the database schema before you begin the migration. You can use tools like the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) for Azure Data Studio.

+The following 16-minute video explains recent updates and features added to the Azure SQL Migration extension for Azure Data Studio, including the new workflow for SQL Server database assessments and SKU recommendations:

+<br />

+> [!VIDEO https://learn-video.azurefd.net/vod/player?show=data-exposed&ep=assess-get-recommendations-migrate-sql-server-to-azure-using-azure-data-studio]

+## Architecture of the Azure SQL Migration extension for Azure Data Studio

+Azure Database Migration Service is a core component of the Azure SQL Migration extension architecture. Database Migration Service provides a reliable migration orchestrator to support database migrations to Azure SQL. You can create an instance of Database Migration Service or use an existing instance by using the Azure SQL Migration extension in Azure Data Studio.

+Database Migration Service uses the Azure Data Factory self-hosted integration runtime to access and upload valid backup files from your on-premises network share or from your Azure storage account.

+The workflow of the migration process is illustrated in the following diagram:

+The following list describes each step in the workflow:

+(1) **Source SQL Server**: An on-premises instance of SQL Server that's in a private cloud or an instance of SQL Server on a virtual machine in a public cloud. SQL Server 2008 and later versions on Windows or Linux are supported.

+(2) **Target Azure SQL**: Supported Azure SQL targets are Azure SQL Managed Instance, SQL Server on Azure Virtual Machines (registered with the SQL infrastructure as a service extension in [full management mode](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management#management-modes)), and Azure SQL Database.

+(3) **Network file share**: A Server Message Block (SMB) network file share where backup files are stored for the databases to be migrated. Azure storage blob containers and Azure storage file share also are supported.

+(4) **Azure Data Studio**: Download and install the [Azure SQL Migration extension for Azure Data Studio](/sql/azure-data-studio/extensions/azure-sql-migration-extension).

+(5) **Azure Database Migration Service**: An Azure service that orchestrates migration pipelines to do data movement activities from an on-premises environment to Azure. Database Migration Service is associated with the Azure Data Factory self-hosted integration runtime and provides the capability to register and monitor the self-hosted integration runtime.

+(6) **Self-hosted integration runtime**: Install a self-hosted integration runtime on a computer that can connect to the source SQL Server instance and to the location of the backup file. Database Migration Service provides the authentication keys and registers the self-hosted integration runtime.

+(7) **Backup files upload to your Azure storage account**: Database Migration Service uses a self-hosted integration runtime to upload valid backup files from the on-premises backup location to your Azure storage account. Data movement activities and pipelines are automatically created in the migration workflow to upload the backup files.

+(8) **Restore backups on target Azure SQL**: Database Migration Service restores backup files from your Azure storage account to the supported target Azure SQL instance.

+> [!NOTE]

+> If your migration target is Azure SQL Database, you don't need backups for this migration. Database migration to Azure SQL Database is considered a logical migration that involves the database's pre-creation and data movement (performed by Database Migration Service).

+> [!IMPORTANT]

+> In online migration mode, Database Migration Service continuously uploads the backup source files to your Azure storage account and restores them to the target until you complete the final step of cutting over to the target.

+>

+> In offline migration mode, Database Migration Service uploads the backup source files to Azure storage and restores them to the target without requiring a cutover.

+### [Azure SQL Database (preview)](#tab/azure-sql-db)

+### Recommendations for using a self-hosted integration runtime for database migrations

+- Install only one instance of a self-hosted integration runtime on any single computer.

+- Associate only one self-hosted integration runtime with one instance of Database Migration Service.

+- The self-hosted integration runtime uses resources (memory and CPU) on the computer it's installed on. Install the self-hosted integration runtime on a computer that's separate from your source SQL Server instance. But the two computers should be in close proximity. Having the self-hosted integration runtime close to the data source reduces the time it takes for the self-hosted integration runtime to connect to the data source.

+- Use the self-hosted integration runtime only when you have your database backups in an on-premises SMB network share. A self-hosted integration runtime isn't required for database migrations if your source database backups are already in the storage blob container.

+- We recommend up to 10 concurrent database migrations per self-hosted integration runtime on a single computer. To increase the number of concurrent database migrations, scale out the self-hosted runtime to up to four nodes or create separate instances of the self-hosted integration runtime on different computers.

+- Configure the self-hosted integration runtime to auto-update and automatically apply any new features, bug fixes, and enhancements that are released. For more information, see [Self-hosted integration runtime auto-update](../data-factory/self-hosted-integration-runtime-auto-update.md).

+## Monitor database migration progress in the Azure portal

+When you migrate databases by using the Azure SQL Migration extension for Azure Data Studio, the migrations are orchestrated by the Database Migration Service instance that you selected in the migration wizard.

+To monitor database migrations in the Azure portal:

+1. In the [Azure portal](https://portal.azure.com/), search for your instance of Database Migration Service by using the resource name.

+

+ :::image type="content" source="media/migration-using-azure-data-studio/search-dms-portal.png" alt-text="Screenshot that shows how to search for a resource name in the Azure portal.":::

+1. In the Database Migration Service instance overview, select **Monitor migrations** to view the details of your database migrations.

+ :::image type="content" source="media/migration-using-azure-data-studio/dms-ads-monitor-portal.png" alt-text="Screenshot that shows how to monitor migrations in the Azure portal.":::

+- Overwriting existing databases by using Database Migration Service in your target instance of Azure SQL Managed Instance or SQL Server on Azure Virtual Machines isn't supported.

+- Configuring high availability and disaster recovery on your target to match source topology isn't supported by Database Migration Service.

+ - Logins

+ - SQL Server Agent jobs

+ - Credentials

+ - SQL Server Integration Services packages

+ - Server roles

+ - Server audit

+- SQL Server 2008 and earlier as target versions aren't supported for migrations to SQL Server on Azure Virtual Machines.

+- If you use SQL Server 2014 or SQL Server 2012, you must store your source database backup files in an Azure storage blob container instead of by using the network share option. Store the backup files as page blobs. Block blobs are supported only in SQL Server 2016 and later versions.

+- You can't use an existing self-hosted integration runtime that was created in Azure Data Factory for database migrations with Database Migration Service. Initially, create the self-hosted integration runtime by using the Azure SQL Migration extension for Azure Data Studio. You can reuse that self-hosted integration runtime in future database migrations.

+- Azure Database Migration Service is free to use with the Azure SQL Migration extension for Azure Data Studio. You can migrate multiple SQL Server databases by using Database Migration Service at no charge.

+- No data movement or data ingress costs are assessed when you migrate your databases from an on-premises environment to Azure. If the source database is moved from another region or from an Azure virtual machine, you might incur [bandwidth charges](https://azure.microsoft.com/pricing/details/bandwidth/) depending on your bandwidth provider and routing scenario.

+- Use a virtual machine or an on-premises server to install Azure Data Studio.

+- A self-hosted integration runtime is required to access database backups from your on-premises network share.

+## Region availability

+For the list of Azure regions that support database migrations by using the Azure SQL Migration extension for Azure Data Studio (powered by Azure Database Migration Service), see [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=database-migration).

+- Learn how to install the [Azure SQL Migration extension for Azure Data Studio](/sql/azure-data-studio/extensions/azure-sql-migration-extension).

+* Create an instance of Azure SQL Database, which you do by following the detail in the article [Create a database in Azure SQL Database in the Azure portal](/azure/azure-sql/database/single-database-create-quickstart).

+For an overview of the Azure Database Migration Service and regional availability, see the article [What is the Azure Database Migration Service](dms-overview.md).

+ Title: "Custom roles for SQL Server to Azure SQL Database (preview) migrations in Azure Data Studio"

+description: Learn how to use custom roles for SQL Server to Azure SQL Database (preview) migrations in Azure Data Studio.

+# Custom roles for SQL Server to Azure SQL Database (preview) migrations in Azure Data Studio

+This article explains how to set up a custom role in Azure for SQL Server database migrations. A custom role will have only the permissions that are required to create and run an instance of Azure Database Migration Service with Azure SQL Database (preview) as a target.

+Use the AssignableScopes section of the role definition JSON string to control where the permissions appear in the **Add role assignment** UI in the Azure portal. To avoid cluttering the UI with extra roles, you might want to define the role at the level of the resource group, or even the level of the resource. The resource that the custom role applies to doesn't perform the actual role assignment.

+ "/subscriptions/<SQLDatabaseSubscription>/resourceGroups/<SQLDatabaseResourceGroup>",

+ "/subscriptions/<DatabaseMigrationServiceSubscription>/resourceGroups/<DatabaseMigrationServiceResourceGroup>"

+You can use either the Azure portal, Azure PowerShell, the Azure CLI, or the Azure REST API to create the roles.

+For more information, see [Create custom roles by using the Azure portal](../role-based-access-control/custom-roles-portal.md) and [Azure custom roles](../role-based-access-control/custom-roles.md).

+## Permissions required to migrate to Azure SQL Database (preview)

+| Permission action | Description |

+| Microsoft.Sql/servers/read | Return the list of SQL database resources or get the properties for the specified SQL database. |

+| Microsoft.Sql/servers/write | Create a SQL database with the specified parameters or update the properties or tags for the specified SQL database. |

+| Microsoft.Sql/servers/databases/read | Get an existing SQL database. |

+| Microsoft.Sql/servers/databases/write | Create a new database or update an existing database. |

+| Microsoft.Sql/servers/databases/delete | Delete an existing SQL database. |

+| Microsoft.DataMigration/locations/operationResults/read | Get the results of a long-running operation related to a 202 Accepted response. |

+| Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read | Retrieve service operation results. |

+| Microsoft.DataMigration/databaseMigrations/write | Create or update a database migration resource. |

+| Microsoft.DataMigration/databaseMigrations/read | Retrieve a database migration resource. |

+| Microsoft.DataMigration/databaseMigrations/delete | Delete a database migration resource. |

+| Microsoft.DataMigration/sqlMigrationServices/write | Create a new service or change the properties of an existing service. |

+| Microsoft.DataMigration/sqlMigrationServices/delete | Delete an existing service. |

+| Microsoft.DataMigration/sqlMigrationServices/read | Retrieve the details of the migration service. |

+| Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action | Retrieve the list of authentication keys. |

+| Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action | Regenerate authentication keys. |

+| Microsoft.DataMigration/sqlMigrationServices/deleteNode/action | Deregister the integration runtime node. |

+| Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action | List the monitoring data for all migrations. |

+| Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read | Retrieve the monitoring data. |

+## Assign a role

+To assign a role to a user or an app ID:

+1. In the Azure portal, go to the resource.

+1. In the left menu, select **Access control (IAM)**, and then scroll to find the custom roles you created.

+1. Select the roles to assign, select the user or app ID, and then save the changes.

+ The user or app ID now appears on the **Role assignments** tab.

+- Review the [migration guidance for your scenario](https://datamigration.microsoft.com/).

+ Title: Supported database migration scenarios

+description: Learn which migration scenarios are currently supported for Azure Database Migration Service and their availability status.

+# Azure Database Migration Service supported scenarios

+Azure Database Migration Service supports a mix of database migration scenarios (source and target pairs) for both offline (one-time) and online (continuous sync) database migrations. New scenarios are added over time to extend Database Migration Service scenario coverage. This article is updated over time to list the migration scenarios that are currently supported by Database Migration Service and their availability status, preview or generally available.

+## Offline vs. online migration

+In Database Migration Service, you can migrate your databases offline or while they're online. In an *offline* migration, application downtime starts when the migration starts. To limit downtime to the time it takes you to cut over to the new environment after the migration, use an *online* migration. We recommend that you test an offline migration to determine whether the downtime is acceptable. If the expected downtime isn't acceptable, do an online migration.

+The status of migration scenarios that are supported by Database Migration Service varies over time. Generally, scenarios are first released in *preview*. In preview, Database Migration Service users can try out migration scenarios directly in the UI. No sign-up is required. Migration scenarios that have a preview release status might not be available in all regions, and they might be revised before final release.

+After preview, the scenario status changes to *general availability* (GA). GA is the final release status. Scenarios that have a status of GA have complete functionality and are accessible to all users.

+## Supported migration scenarios

+The tables in the following sections show the status of specific migration scenarios that are supported in Database Migration Service.

+> If a supported scenario doesn't appear in the UI, contact [Ask Azure Database Migrations](mailto:AskAzureDatabaseMigrations@service.microsoft.com) for information.

+The following table describes the current status of Database Migration Service support for *offline* migrations:

+| **Azure SQL Database** | SQL Server ¹ | Γ£ö | Preview |

+| | Amazon RDS SQL Server | Γ£ö | Preview |

+| **Azure SQL Database Managed Instance** | SQL Server ¹ | Γ£ö | GA |

+| **Azure Database for MySQL - Single Server** | MySQL | Γ£ö | GA |

+| | Azure Database for MySQL ² | Γ£ö | GA |

+| **Azure Database for MySQL - Flexible Server** | MySQL | Γ£ö | GA |

+| | Azure Database for MySQL ² | Γ£ö | GA |

+| **Azure Database for PostgreSQL - Single Server** | PostgreSQL | X |

+| **Azure Database for PostgreSQL - Flexible Server** | PostgreSQL | X |

+| **Azure Database for PostgreSQL - Hyperscale (Citus)** | PostgreSQL | X |

+¹ Offline migrations through the Azure SQL Migration extension for Azure Data Studio are supported for Azure SQL Managed Instance, SQL Server on Azure Virtual Machines, and Azure SQL Database. For more information, see [Migrate databases by using the Azure SQL Migration extension for Azure Data Studio](migration-using-azure-data-studio.md).

+² If your source database is already in an Azure platform as a service (PaaS) like Azure Database for MySQL or Azure Database for PostgreSQL, choose the corresponding engine when you create your migration activity. For example, if you're migrating from Azure Database for MySQL - Single Server to Azure Database for MySQL - Flexible Server, choose MySQL as the source engine when you create your scenario. If you're migrating from Azure Database for PostgreSQL - Single Server to Azure Database for PostgreSQL - Flexible Server, choose PostgreSQL as the source engine when you create your scenario.

+The following table describes the current status of Database Migration Service support for *online* migrations:

+| **Azure SQL Database** | SQL Server ¹| X | |

+| **Azure SQL Database MI** | SQL Server ¹| Γ£ö | GA |

+| **Azure Database for MySQL - Flexible Server** | Azure Database for MySQL - Single Server | Γ£ö | Preview |

+| **Azure Database for PostgreSQL - Single Server** | PostgreSQL | Γ£ö | GA |

+| | Azure Database for PostgreSQL - Single Server ² | Γ£ö | GA |

+| **Azure Database for PostgreSQL - Flexible Server** | PostgreSQL | Γ£ö | GA |

+| | Azure Database for PostgreSQL - Single Server ² | Γ£ö | GA |

+| **Azure Database for PostgreSQL - Hyperscale (Citus)** | PostgreSQL | Γ£ö | GA |

+¹ Online migrations (minimal downtime) through the Azure SQL Migration extension for Azure Data Studio are supported for Azure SQL Managed Instance and SQL Server on Azure Virtual Machines targets. For more information, see [Migrate databases by using the Azure SQL Migration extension for Azure Data Studio](migration-using-azure-data-studio.md).

+² If your source database is already in an Azure PaaS like Azure Database for MySQL or Azure Database for PostgreSQL, choose the corresponding engine when you create your migration activity. For example, if you're migrating from Azure Database for MySQL - Single Server to Azure Database for MySQL - Flexible Server, choose MySQL as the source engine when you create the scenario. If you're migrating from Azure Database for PostgreSQL - Single Server to Azure Database for PostgreSQL - Flexible Server, choose PostgreSQL as the source engine when you create the scenario.

+- Learn more about [Azure Database Migration Service](dms-overview.md) and region availability.

+ Title: "Tutorial: Migrate SQL Server to Azure SQL Database (preview) offline in Azure Data Studio"

+description: Learn how to migrate on-premises SQL Server to Azure SQL Database (preview) offline by using Azure Data Studio and Azure Database Migration Service.

+# Tutorial: Migrate SQL Server to Azure SQL Database (preview) offline in Azure Data Studio

+You can use Azure Database Migration Service and the Azure SQL Migration extension for Azure Data Studio to migrate databases from an on-premises instance of SQL Server to Azure SQL Database (preview) offline and with minimal downtime.

+> [!NOTE]

+> The option to migrate a SQL Server database to Azure SQL Database by using Azure Data Studio currently is in preview. Azure SQL Database migration targets are available only by using the [Azure Data Studio Insiders](/sql/azure-data-studio/download-azure-data-studio#download-the-insiders-build-of-azure-data-studio) version of the Azure SQL Migration extension.

+In this tutorial, learn how to migrate the example AdventureWorks2019 database from an on-premises instance of SQL Server to an instance of Azure SQL Database by using the Azure SQL Migration extension for Azure Data Studio. This tutorial uses offline migration mode, which considers an acceptable downtime during the migration process.

+> - Open the Migrate to Azure SQL wizard in Azure Data Studio

+> - Run an assessment of your source SQL Server databases

+> - Collect performance data from your source SQL Server instance

+> - Get a recommendation of the Azure SQL Database SKU that will work best for your workload

+> - Deploy your on-premises database schema to Azure SQL Database

+> - Create an instance of Azure Database Migration Service

+> - Start your migration and monitor progress to completion

+> Currently, *online* migrations for Azure SQL Database targets aren't available.

+Before you begin the tutorial:

+- [Download and install Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/sql/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+- Have an Azure account that's assigned to one of the following built-in roles:

+ - Contributor for the target instance of Azure SQL Database

+ - Reader role for the Azure resource group that contains the target instance of Azure SQL Database

+ - Owner or Contributor role for the Azure subscription (required if you create a new instance of Azure Database Migration Service)

+

+ As an alternative to using one of these built-in roles, you can [assign a custom role](resource-custom-roles-sql-database-ads.md).

+

+ > [!IMPORTANT]

+ > An Azure account is required only when you configure the migration steps. An Azure account isn't required for the assessment or to view Azure recommendations in the migration wizard in Azure Data Studio.

+- Create a target instance of [Azure SQL Database](/azure/azure/azure-sql/database/single-database-create-quickstart).

+- Make sure that the SQL Server login that connects to the source SQL Server instance is a member of the db_datareader role and that the login for the target SQL Server instance is a member of the db_owner role.

+- Migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio.

+- If you're using Azure Database Migration Service for the first time, make sure that the Microsoft.DataMigration [resource provider is registered in your subscription](quickstart-create-data-migration-service-portal.md#register-the-resource-provider).

+## Open the Migrate to Azure SQL wizard in Azure Data Studio

+To open the Migrate to Azure SQL wizard:

+1. In Azure Data Studio, go to **Connections**. Select and connect to your on-premises instance of SQL Server. You also can connect to SQL Server on an Azure virtual machine.

+1. Right-click the server connection and select **Manage**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/azure-data-studio-manage-panel.png" alt-text="Screenshot that shows a server connection and the Manage option in Azure Data Studio." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/azure-data-studio-manage-panel.png":::

+1. In the server menu under **General**, select **Azure SQL Migration**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/launch-migrate-to-azure-sql-wizard-1.png" alt-text="Screenshot that shows the Azure Data Studio server menu.":::

+1. In the Azure SQL Migration dashboard, select **Migrate to Azure SQL** to open the migration wizard.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/launch-migrate-to-azure-sql-wizard-2.png" alt-text="Screenshot that shows the Migrate to Azure SQL wizard.":::

+1. On the first page of the wizard, start a new session or resume a previously saved session.

+## Run database assessment, collect performance data, and get Azure recommendations

+1. In **Step 1: Databases for assessment** in the Migrate to Azure SQL wizard, select the databases you want to assess. Then, select **Next**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/assessment-database-selection.png" alt-text="Screenshot that shows selecting a database for assessment.":::

+1. In **Step 2: Assessment results and recommendations**, complete the following steps:

+ 1. In **Choose your Azure SQL target**, select **Azure SQL Database (PREVIEW)**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/assessment-target-selection.png" alt-text="Screenshot that shows selecting the Azure SQL Database target.":::

+ 1. Select **View/Select** to view the assessment results.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/assessment.png" alt-text="Screenshot that shows view/select assessment results.":::

+ 1. In the assessment results, select the database, and then review the assessment report to make sure no issues were found.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/assessment-issues-details.png" alt-text="Screenshot that shows assessment report.":::

+ 1. Select **Get Azure recommendation** to open the recommendations pane.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/get-azure-recommendation.png" alt-text="Screenshot that shows Azure recommendations.":::

+ 1. Select **Collect performance data now**. Select a folder on your local computer to store the performance logs, and then select **Start**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/get-azure-recommendation-zoom.png" alt-text="Screenshot that shows performance data collection.":::

+ Azure Data Studio collects performance data until you either stop data collection or you close Azure Data Studio.

+ After 10 minutes, Azure Data Studio indicates that a recommendation is available for Azure SQL Database. After the first recommendation is generated, you can select **Restart data collection** to continue the data collection process and refine the SKU recommendation. An extended assessment is especially helpful if your usage patterns vary over time.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/get-azure-recommendation-collected.png" alt-text="Screenshot that shows performance data collected.":::

+ 1. In the selected **Azure SQL Database (PREVIEW)** target, select **View details** to open the detailed SKU recommendation report:

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/get-azure-recommendation-view-details.png" alt-text="Screenshot that shows the View details link for the target database recommendations.":::

+ 1. In **Review Azure SQL Database Recommendations**, review the recommendation. To save a copy of the recommendation, select **Save recommendation report**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/azure-sku-recommendation-zoom.png" alt-text="Screenshot that shows SKU recommendation details.":::

+1. Select **Close** to close the recommendations pane.

+1. Select **Next** to continue your database migration in the wizard.

+1. In **Step 3: Azure SQL target** in the Migrate to Azure SQL wizard, complete these steps for your target Azure SQL Database instance:

+ 1. Select your Azure account, Azure subscription, the Azure region or location, and the resource group that contains the Azure SQL Database deployment.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/configuration-azure-target-account.png" alt-text="Screenshot that shows Azure account details.":::

+

+ 1. For **Azure SQL Database Server**, select the target Azure SQL Database server (logical server). Enter a username and password for the target database deployment. Then, select **Connect**. Enter the credentials to verify connectivity to the target database.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/configuration-azure-target-database.png" alt-text="Screenshot that shows Azure SQL Database details.":::

+ 1. Next, map the source database and the target database for the migration. For **Target database**, select the Azure SQL Database target. Then, select **Next** to move to the next step in the migration wizard.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/configuration-azure-target-map.png" alt-text="Screenshot that shows source and target mapping.":::

+1. In **Step 4: Migration mode**, select **Offline migration**, and then select **Next**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/migration-mode.png" alt-text="Screenshot that shows offline migrations selection.":::

+1. In **Step 5: Data source configuration**, complete the following steps:

+ 1. Under **Source credentials**, enter the source SQL Server credentials.

+ 1. Under **Select tables**, select the **Edit** pencil icon.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/migration-source-credentials.png" alt-text="Screenshot that shows source SQL Server credentials.":::

+ 1. In **Select tables for \<database-name\>**, select the tables to migrate to the target. The **Has rows** column indicates whether the target table has rows in the target database. You can select one or more tables. Then, select **Update**.

+ You can update the list of selected tables anytime before you start the migration.

+ In the following example, a text filter is applied to select only tables that contain the word **Employee**. Select a list of tables based on your migration needs.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/migration-source-tables.png" alt-text="Screenshot that shows table selection.":::

+1. Review your table selections, and then select **Next** to move to the next step in the migration wizard.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/migration-target-tables.png" alt-text="Screenshot that shows selected tables to migrate.":::

+> If no tables are selected or if a username and password aren't entered, the **Next** button isn't available to select.

+## Create a Database Migration Service instance

+In **Step 6: Azure Database Migration Service** in the Migrate to Azure SQL wizard, create a new instance of Azure Database Migration Service or reuse an existing instance that you created earlier.

+> [!NOTE]

+> If you previously created a Database Migration Service instance by using the Azure portal, you can't reuse the instance in the migration wizard in Azure Data Studio. You can reuse an instance only if you created the instance by using Azure Data Studio.

+### Use an existing instance of Database Migration Service

+To use an existing instance of Database Migration Service:

+1. In **Resource group**, select the resource group that contains an existing instance of Database Migration Service.

+1. In **Azure Database Migration Service**, select an existing instance of Database Migration Service that's in the selected resource group.

+1. Select **Next**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/create-dms.png" alt-text="Screenshot that shows Database Migration Service selection.":::

+### Create a new instance of Database Migration Service

+To create a new instance of Database Migration Service:

+1. In **Resource group**, create a new resource group to contain a new instance of Database Migration Service.

+

+1. Under **Azure Database Migration Service**, select **Create new**.

+1. In **Create Azure Database Migration Service**, enter a name for your Database Migration Service instance, and then select **Create**.

+1. Under **Set up integration runtime**, complete the following steps:

+ 1. Select the **Download and install integration runtime** link to open the download link in a web browser. Download the integration runtime, and then install it on a computer that meets the prerequisites to connect to the source SQL Server instance.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/create-dms-integration-runtime-download.png" alt-text="Screenshot that shows the Download and install integration runtime link.":::

+ When installation is finished, Microsoft Integration Runtime Configuration Manager automatically opens to begin the registration process.

+ 1. In the **Authentication key** table, copy one of the authentication keys that are provided in the wizard and paste it in Azure Data Studio.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/create-dms-integration-runtime-authentication-key.png" alt-text="Screenshot that highlights the authentication key table in the wizard.":::

+ If the authentication key is valid, a green check icon appears in Integration Runtime Configuration Manager. A green check indicates that you can continue to **Register**.

+ After you register the self-hosted integration runtime, close Microsoft Integration Runtime Configuration Manager.

+ > [!NOTE]

+ > For more information about how to use the self-hosted integration runtime, see [Create and configure a self-hosted integration runtime](../data-factory/create-self-hosted-integration-runtime.md).

+1. In **Create Azure Database Migration Service** in Azure Data Studio, select **Test connection** to validate that the newly created Database Migration Service instance is connected to the newly registered self-hosted integration runtime.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/create-dms-integration-runtime-connected.png" alt-text="Screenshot that shows IR connectivity test.":::

+1. Return to the migration wizard in Azure Data Studio.

+## Start the database migration

+In **Step 7: Summary** in the Migrate to Azure SQL wizard, review the configuration you created, and then select **Start migration** to start the database migration.

+## Monitor the database migration

+1. In Azure Data Studio, in the server menu under **General**, select **Azure SQL Migration** to go to the dashboard for your Azure SQL Database migrations.

+ Under **Database migration status**, you can track migrations that are in progress, completed, and failed (if any), or you can view all database migrations.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard.png" alt-text="Screenshot that shows monitor migration dashboard." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard.png":::

+1. Select **Database migrations in progress** to view active migrations.

+ To get more information about a specific migration, select the database name.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-details.png" alt-text="Screenshot that shows database migration details." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-details.png":::

+ Database Migration Service returns the latest known migration status each time migration status refreshes. The following table describes possible statuses:

+ |Preparing for copy| The service is disabling autostats, triggers, and indexes in the target table. |

+ |Copying| Data is being copied from the source database to the target database. |

+ |Copy finished| Data copy is finished. The service is waiting on other tables to finish copying to begin the final steps to return tables to their original schema. |

+ |Rebuilding indexes| The service is rebuilding indexes on target tables. |

+ |Succeeded| All data is copied and the indexes are rebuilt. |

+1. Check the migration details page to view the current status for each database.

+ Here's an example of the AdventureWorks2019 database migration with the status **Creating**:

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-creating.png" alt-text="Screenshot that shows a creating migration status." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-creating.png":::

+1. In the menu bar, select **Refresh** to update the migration status.

+ After migration status is refreshed, the updated status for the example AdventureWorks2019 database migration is **In progress**:

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-in-progress.png" alt-text="Screenshot that shows a migration in progress status." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-in-progress.png":::

+1. Select a database name to open the table view. In this view, you see the current status of the migration, the number of tables that currently are in that status, and a detailed status of each table.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-monitoring-panel-in-progress.png" alt-text="Screenshot that shows monitoring table migration." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-monitoring-panel-in-progress.png":::

+ When all table data is migrated to the Azure SQL Database target, Database Migration Service updates the migration status from **In progress** to **Succeeded**.

+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-monitoring-panel-succeeded.png" alt-text="Screenshot that shows succeeded migration." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-monitoring-panel-succeeded.png":::

+> Database Migration Service optimizes migration by skipping tables with no data (0 rows). Tables that don't have data don't appear in the list, even if you select the tables when you create the migration.

+You've completed the migration to Azure SQL Database. We encourage you to go through a series of post-migration tasks to ensure that everything functions smoothly and efficiently.

+> Be sure to take advantage of the advanced cloud-based features of Azure SQL Database. The features include [built-in high availability](/azure/azure-sql/database/high-availability-sla), [threat detection](/azure/azure-sql/database/azure-defender-for-sql), and [monitoring and tuning your workload](/azure/azure-sql/database/monitor-tune-overview).

+- Complete a quickstart to [create an Azure SQL Database instance](/azure/azure-sql/database/single-database-create-quickstart).

+- Learn more about [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview).

+- Learn how to [connect apps to Azure SQL Database](/azure/azure-sql/database/connect-query-content-reference-guide).

+ Title: "Tutorial: Migrate SQL Server to Azure SQL Managed Instance offline in Azure Data Studio"

+description: Learn how to migrate on-premises SQL Server to Azure SQL Managed Instance offline by using Azure Data Studio and Azure Database Migration Service.

+# Tutorial: Migrate SQL Server to Azure SQL Managed Instance offline in Azure Data Studio

+You can use Azure Database Migration Service and the Azure SQL Migration extension in Azure Data Studio to migrate databases from an on-premises instance of SQL Server to Azure SQL Managed Instance offline and with minimal downtime.

+For database migration methods that might require some manual configuration, see [SQL Server instance migration to Azure SQL Managed Instance](/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide).

+In this tutorial, learn how to migrate the AdventureWorks database from an on-premises instance of SQL Server to an instance of Azure SQL Managed Instance by using Azure Data Studio and Database Migration Service. This tutorial uses offline migration mode, which considers an acceptable downtime during the migration process.

+> - Open the Migrate to Azure SQL wizard in Azure Data Studio

+> - Run an assessment of your source SQL Server databases

+> - Collect performance data from your source SQL Server instance

+> - Get a recommendation of the Azure SQL Managed Instance SKU that will work best for your workload

+> - Specify details of your source SQL Server instance, backup location, and target instance of Azure SQL Managed Instance

+> - Create an instance of Azure Database Migration Service

+> - Start your migration and monitor progress to completion

+This tutorial describes an offline migration from SQL Server to Azure SQL Managed Instance. For an online migration, see [Migrate SQL Server to Azure SQL Managed Instance online in Azure Data Studio](tutorial-sql-server-managed-instance-online-ads.md).

+Before you begin the tutorial:

+- [Download and install Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/sql/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+- Have an Azure account that's assigned to one of the following built-in roles:

+ - Contributor for the target instance of Azure SQL Managed Instance and for the storage account where you upload your database backup files from a Server Message Block (SMB) network share

+ - Reader role for the Azure resource groups that contain the target instance of Azure SQL Managed Instance or your Azure storage account

+ - Owner or Contributor role for the Azure subscription (required if you create a new Database Migration Service instance)

+ As an alternative to using one of these built-in roles, you can [assign a custom role](resource-custom-roles-sql-database-ads.md).

+ > [!IMPORTANT]

+ > An Azure account is required only when you configure the migration steps. An Azure account isn't required for the assessment or to view Azure recommendations in the migration wizard in Azure Data Studio.

+- Create a target instance of [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).

+- Ensure that the logins that you use to connect the source SQL Server instance are members of the SYSADMIN server role or have CONTROL SERVER permission.

+- Provide an SMB network share, Azure storage account file share, or Azure storage account blob container that contains your full database backup files and subsequent transaction log backup files. Database Migration Service uses the backup location during database migration.

+ > [!IMPORTANT]

+ >

+ > - If your database backup files are in an SMB network share, [create an Azure storage account](../storage/common/storage-account-create.md) that Database Migration Service can use to upload database backup files to and to migrate databases. Make sure you create the Azure storage account in the same region where you create your instance of Database Migration Service.

+ > - Database Migration Service doesn't initiate any backups. Instead, the service uses existing backups for the migration. You might already have these backups as part of your disaster recovery plan.

+ > - Make sure you [create backups by using the WITH CHECKSUM option](/sql/relational-databases/backup-restore/enable-or-disable-backup-checksums-during-backup-or-restore-sql-server?preserve-view=true&view=sql-server-2017).

+ > - You can write each backup to either a separate backup file or to multiple backup files. Appending multiple backups such as full and transaction logs into a single backup media isn't supported.

+ > - You can provide compressed backups to reduce the likelihood of experiencing potential issues associated with migrating large backups.

+- Ensure that the service account that's running the source SQL Server instance has read and write permissions on the SMB network share that contains database backup files.

+- If you're migrating a database that's protected by Transparent Data Encryption (TDE), the certificate from the source SQL Server instance must be migrated to your target managed instance before you restore the database. To learn more, see [Migrate a certificate of a TDE-protected database to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/tde-certificate-migrate).

+ > If your database contains sensitive data that's protected by [Always Encrypted](/sql/relational-databases/security/encryption/configure-always-encrypted-using-sql-server-management-studio), the migration process automatically migrates your Always Encrypted keys to your target managed instance.

+- If your database backups are on a network file share, provide a computer on which you can install a [self-hosted integration runtime](../data-factory/create-self-hosted-integration-runtime.md) to access and migrate database backups. The migration wizard gives you the download link and authentication keys to download and install your self-hosted integration runtime.

+ In preparation for the migration, ensure that the computer on which you install the self-hosted integration runtime has the following outbound firewall rules and domain names enabled:

+ | Domain names | Outbound port | Description |

+ | Public cloud: `{datafactory}.{region}.datafactory.azure.net`<br />or `*.frontend.clouddatahub.net` <br /><br /> Azure Government: `{datafactory}.{region}.datafactory.azure.us` <br /><br /> Azure China: `{datafactory}.{region}.datafactory.azure.cn` | 443 | Required by the self-hosted integration runtime to connect to Database Migration Service. <br/><br/>For a newly created data factory in a public cloud, locate the fully qualified domain name (FQDN) from your self-hosted integration runtime key, in the format `{datafactory}.{region}.datafactory.azure.net`. <br /><br /> For an existing data factory, if you don't see the FQDN in your self-hosted integration key, use `*.frontend.clouddatahub.net` instead. |

+ | `*.core.windows.net` | 443 | Used by the self-hosted integration runtime that connects to the Azure storage account to upload database backups from your network share |

+ > If your database backup files are already provided in an Azure storage account, a self-hosted integration runtime isn't required during the migration process.

+- If you use a self-hosted integration runtime, make sure that the computer on which the runtime is installed can connect to the source SQL Server instance and the network file share where backup files are located.

+- Enable outbound port 445 to allow access to the network file share. For more information, see [recommendations for using a self-hosted integration runtime](migration-using-azure-data-studio.md#recommendations-for-using-a-self-hosted-integration-runtime-for-database-migrations).

+- If you're using Database Migration Service for the first time, make sure that the Microsoft.DataMigration resource provider is registered in your subscription. You can complete the steps to [register the resource provider](quickstart-create-data-migration-service-portal.md#register-the-resource-provider).

+## Open the Migrate to Azure SQL wizard in Azure Data Studio

+To open the Migrate to Azure SQL wizard:

+1. In Azure Data Studio, go to **Connections**. Select and connect to your on-premises instance of SQL Server. You also can connect to SQL Server on an Azure virtual machine.

+1. Right-click the server connection and select **Manage**.

+1. In the server menu, under **General**, select **Azure SQL Migration**.

+1. In the Azure SQL Migration dashboard, select **Migrate to Azure SQL** to open the migration wizard.

+1. On the first page of the wizard, start a new session or resume a previously saved session.

+## Run a database assessment, collect performance data, and get Azure recommendations

+1. In **Step 1: Databases for assessment** in the Migrate to Azure SQL wizard, select the databases you want to assess. Then, select **Next**.

+1. In **Step 2: Assessment results and recommendations**, complete the following steps:

+ 1. In **Choose your Azure SQL target**, select **Azure SQL Managed Instance**.

+1. Select **View/Select** to view the assessment results.

+1. In the assessment results, select the database, and then review the assessment report to make sure no issues were found.

+ 1. Select **Get Azure recommendation** to open the recommendations pane.

+ 1. Select **Collect performance data now**. Select a folder on your local computer to store the performance logs, and then select **Start**.

+ Azure Data Studio collects performance data until you either stop data collection or you close Azure Data Studio.

+ After 10 minutes, Azure Data Studio indicates that a recommendation is available for Azure SQL Managed Instance. After the first recommendation is generated, you can select **Restart data collection** to continue the data collection process and refine the SKU recommendation. An extended assessment is especially helpful if your usage patterns vary over time.

+ 1. In the selected **Azure SQL Managed Instance** target, select **View details** to open the detailed SKU recommendation report:

+ 1. In **Review Azure SQL Managed Instance Recommendations**, review the recommendation. To save a copy of the recommendation, select the **Save recommendation report** checkbox.

+1. Select **Close** to close the recommendations pane.

+1. Select **Next** to continue your database migration in the wizard.

+1. In **Step 3: Azure SQL target** in the Migrate to Azure SQL wizard, select your Azure account, Azure subscription, the Azure region or location, and the resource group that contains the target instance of Azure SQL Managed Instance. Then, select **Next**.

+1. In **Step 4: Migration mode**, select **Offline migration**, and then select **Next**.

+ > In offline migration mode, the source SQL Server database shouldn't be used for write activity while database backups are restored on a target instance of Azure SQL Managed Instance. Application downtime needs to be considered until the migration is finished.

+1. In **Step 5: Data source configuration**, select the location of your database backups. Your database backups can be located either on an on-premises network share or in an Azure storage blob container.

+ - For backups that are located on a network share, enter or select the following information:

+ |Name |Description |

+ ||-|

+ |**Source Credentials - Username** |The credential (Windows and SQL authentication) to connect to the source SQL Server instance and validate the backup files. |

+ |**Source Credentials - Password** |The credential (Windows and SQL authentication) to connect to the source SQL Server instance and validate the backup files. |

+ |**Network share location that contains backups** |The network share location that contains the full and transaction log backup files. Any invalid files or backup files in the network share that don't belong to the valid backup set are automatically ignored during the migration process. |

+ |**Windows user account with read access to the network share location** |The Windows credential (username) that has read access to the network share to retrieve the backup files. |

+ |**Password** |The Windows credential (password) that has read access to the network share to retrieve the backup files. |

+ |**Target database name** |You can modify the target database name during the migration process. |

+ |**Storage account details** |The resource group and storage account where backup files are uploaded. You don't need to create a container. Database Migration Service automatically creates a blob container in the specified storage account during the upload process. |

+ - For backups that are stored in an Azure storage blob container, enter or select the following information:

+ |Name |Description |

+ ||-|

+ |**Target database name** |You can modify the target database name during the migration process. |

+ |**Storage account details** |The resource group, storage account, and container where backup files are located.

+ |**Last Backup File** |The file name of the last backup of the database you're migrating.

+ > [!IMPORTANT]

+ > If loopback check functionality is enabled and the source SQL Server instance and file share are on the same computer, the source can't access the file share by using an FQDN. To fix this issue, [disable loopback check functionality](https://support.microsoft.com/help/926642/error-message-when-you-try-to-access-a-server-locally-by-using-its-fqd).

+## Create a Database Migration Service instance

+In **Step 6: Azure Database Migration Service** in the Migrate to Azure SQL wizard, create a new instance of Azure Database Migration Service or reuse an existing instance that you created earlier.

+> [!NOTE]

+> If you previously created a Database Migration Service instance by using the Azure portal, you can't reuse the instance in the migration wizard in Azure Data Studio. You can reuse an instance only if you created the instance by using Azure Data Studio.

+### Use an existing instance of Database Migration Service

+To use an existing instance of Database Migration Service:

+1. In **Resource group**, select the resource group that contains an existing instance of Database Migration Service.

+1. In **Azure Database Migration Service**, select an existing instance of Database Migration Service that's in the selected resource group.

+1. Select **Next**.

+### Create a new instance of Database Migration Service

+To create a new instance of Database Migration Service:

+1. In **Resource group**, create a new resource group to contain a new instance of Database Migration Service.

+

+1. Under **Azure Database Migration Service**, select **Create new**.

+1. In **Create Azure Database Migration Service**, enter a name for your Database Migration Service instance, and then select **Create**.

+1. Under **Set up integration runtime**, complete the following steps:

+ 1. Select the **Download and install integration runtime** link to open the download link in a web browser. Download the integration runtime, and then install it on a computer that meets the prerequisites to connect to the source SQL Server instance.

+ When installation is finished, Microsoft Integration Runtime Configuration Manager automatically opens to begin the registration process.

+ 1. In the **Authentication key** table, copy one of the authentication keys that are provided in the wizard and paste it in Azure Data Studio. If the authentication key is valid, a green check icon appears in Integration Runtime Configuration Manager. A green check indicates that you can continue to **Register**.

+ After you register the self-hosted integration runtime, close Microsoft Integration Runtime Configuration Manager.

+ > [!NOTE]

+ > For more information about how to use the self-hosted integration runtime, see [Create and configure a self-hosted integration runtime](../data-factory/create-self-hosted-integration-runtime.md).

+1. In **Create Azure Database Migration Service** in Azure Data Studio, select **Test connection** to validate that the newly created Database Migration Service instance is connected to the newly registered self-hosted integration runtime.

+ :::image type="content" source="media/tutorial-sql-server-to-managed-instance-offline-ads/test-connection-integration-runtime-complete.png" alt-text="Test connection integration runtime":::

+1. Return to the migration wizard in Azure Data Studio.

+## Start the database migration

+In **Step 7: Summary** in the Migrate to Azure SQL wizard, review the configuration you created, and then select **Start migration** to start the database migration.

+## Monitor the database migration

+1. In Azure Data Studio, in the server menu, under **General**, select **Azure SQL Migration** to go to the dashboard for your Azure SQL migrations.

+ Under **Database migration status**, you can track migrations that are in progress, completed, and failed (if any), or you can view all database migrations.

+1. Select **Database migrations in progress** to view active migrations.

+ To get more information about a specific migration, select the database name.

+ The migration details pane displays the backup files and their corresponding status:

+ | Arrived | The backup file arrived in the source backup location and was validated. |

+ | Uploading | The integration runtime is uploading the backup file to the Azure storage account. |

+ | Uploaded | The backup file was uploaded to the Azure storage account. |

+ | Restoring | The service is restoring the backup file to Azure SQL Managed Instance. |

+ | Restored | The backup file is successfully restored in Azure SQL Managed Instance. |

+ | Canceled | The migration process was canceled. |

+ | Ignored | The backup file was ignored because it doesn't belong to a valid database backup chain. |

+After all database backups are restored on the instance of Azure SQL Managed Instance, an automatic migration cutover is initiated by Database Migration Service to ensure that the migrated database is ready to use. The migration status changes from **In progress** to **Succeeded**.

+> After the migration, the availability of SQL Managed Instance with Business Critical service tier might take significantly longer than the General Purpose tier because three secondary replicas have to be seeded for an Always On High Availability group. The duration of this operation depends on the size of the data. For more information, see [Management operations duration](/azure/azure-sql/managed-instance/management-operations-overview#duration).

+- Complete a quickstart to [migrate a database to SQL Managed Instance by using the T-SQL RESTORE command](/azure/azure-sql/managed-instance/restore-sample-database-quickstart).

+- Learn more about [SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview).

+- Learn how to [connect apps to SQL Managed Instance](/azure/azure-sql/managed-instance/connect-application-instance).

+ Title: "Tutorial: Migrate SQL Server to Azure SQL Managed Instance online by using Azure Data Studio"

+description: Migrate SQL Server to an Azure SQL Managed Instance online by using Azure Data Studio with Azure Database Migration Service

+# Tutorial: Migrate SQL Server to an Azure SQL Managed Instance online by using Azure Data Studio with DMS

+Use the Azure SQL migration extension in Azure Data Studio to migrate database(s) from a SQL Server instance to an [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview) with minimal downtime. For methods that might require some manual effort, see the article [SQL Server instance migration to Azure SQL Managed Instance](/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide).

+> * Launch the *Migrate to Azure SQL* wizard in Azure Data Studio

+> * Create a new Azure Database Migration Service and install the self-hosted integration runtime to access source server and backups

+> * Start and monitor the progress for your migration

+> * Perform the migration cutover when you are ready

+ > - Azure Database Migration Service does not initiate any backups, and instead uses existing backups, which you might already have as part of your disaster recovery plan, for the migration.

+ > - Each backup can be written to either a separate backup file or multiple backup files. However, appending multiple backups (that is, full and t-log) into a single backup media isn't supported.

+* The source SQL Server instance certificate from a database protected by Transparent Data Encryption (TDE) needs to be migrated to the target Azure SQL Managed Instance or SQL Server on Azure virtual machine before you migrate data. To learn more, see [Migrate a certificate of a TDE-protected database to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/tde-certificate-migrate) and [Move a TDE Protected Database to Another SQL Server](/sql/relational-databases/security/encryption/move-a-tde-protected-database-to-another-sql-server).

+ > If your database contains sensitive data that is protected by [Always Encrypted](/sql/relational-databases/security/encryption/configure-always-encrypted-using-sql-server-management-studio), the migration process that uses Azure Data Studio with DMS will automatically migrate your Always Encrypted keys to your target Azure SQL Managed Instance or SQL Server on Azure virtual machine.

+ | Public Cloud: `{datafactory}.{region}.datafactory.azure.net`<br> or `*.frontend.clouddatahub.net` <br> Azure Government: `{datafactory}.{region}.datafactory.azure.us` <br> China: `{datafactory}.{region}.datafactory.azure.cn` | 443 | Required by the self-hosted integration runtime to connect to the Data Migration service. <br>For a newly created data factory in the public cloud, locate the FQDN from your self-hosted integration runtime key, which is in format `{datafactory}.{region}.datafactory.azure.net`. For the old data factory, if you don't see the FQDN in your self-hosted integration key, use *.frontend.clouddatahub.net instead. |

+ > If your database backup files are already provided in an Azure storage account, a self-hosted integration runtime is not required during the migration process.

+* When you're using a self-hosted integration runtime, make sure that the machine where the runtime is installed can connect to the source SQL Server instance and the network file share where backup files are located. Outbound port 445 should be enabled to allow access to the network file share. Also see [recommendations for using a self-hosted integration runtime](migration-using-azure-data-studio.md#recommendations-for-using-a-self-hosted-integration-runtime-for-database-migrations)

+1. Open Azure Data Studio and select the server icon to connect to your on-premises SQL Server (or SQL Server on Azure virtual machine).

+1. On the server's home page, select **Azure SQL Migration** extension.

+ > If your database backups are provided in an on-premises network share, DMS will require you to set up a self-hosted integration runtime in the next step of the wizard. If a self-hosted integration runtime is required to access your source database backups, check the validity of the backup set and upload them to your Azure storage account.<br/> If your database backups are already on an Azure storage blob container, you don't need to set up a self-hosted integration runtime.

+* For backups located on a network share, provide the following details of your source SQL Server, source backup location, target database name, and Azure storage account for the backup files to be uploaded to:

+ Title: "Tutorial: Migrate SQL Server to SQL Server on Azure Virtual Machines offline in Azure Data Studio"

+description: Learn how to migrate on-premises SQL Server to SQL Server on Azure Virtual Machines offline by using Azure Data Studio and Azure Database Migration Service.

+# Tutorial: Migrate SQL Server to SQL Server on Azure Virtual Machines offline in Azure Data Studio

+You can use Azure Database Migration Service and the Azure SQL Migration extension in Azure Data Studio to migrate databases from an on-premises instance of SQL Server to [SQL Server on Azure Virtual Machines (SQL Server 2016 and later)](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview) offline and with minimal downtime.

+For database migration methods that might require some manual configuration, see [SQL Server instance migration to SQL Server on Azure Virtual Machines](/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview).

+In this tutorial, learn how to migrate the example AdventureWorks database from an on-premises instance of SQL Server to an instance of SQL Server on Azure Virtual Machines by using Azure Data Studio and Azure Database Migration Service. This tutorial uses offline migration mode, which considers an acceptable downtime during the migration process.

+> - Open the Migrate to Azure SQL wizard in Azure Data Studio

+> - Run an assessment of your source SQL Server databases

+> - Collect performance data from your source SQL Server instance

+> - Get a recommendation of the SQL Server on Azure Virtual Machines SKU that will work best for your workload

+> - Set the details of your source SQL Server instance, backup location, and target instance of SQL Server on Azure Virtual Machines

+> - Create an instance of Azure Database Migration Service

+> - Start your migration and monitor progress to completion

+This tutorial describes an offline migration from SQL Server to SQL Server on Azure Virtual Machines. For an online migration, see [Migrate SQL Server to SQL Server on Azure Virtual Machines online in Azure Data Studio](tutorial-sql-server-to-virtual-machine-online-ads.md).

+Before you begin the tutorial:

+- [Download and install Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/sql/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+- Have an Azure account that's assigned to one of the following built-in roles:

+ - Contributor for the target instance of SQL Server on Azure Virtual Machines and for the storage account where you upload your database backup files from a Server Message Block (SMB) network share

+ - Reader role for the Azure resource group that contains the target instance of SQL Server on Azure Virtual Machines or for your Azure Storage account

+ - Owner or Contributor role for the Azure subscription

+

+ As an alternative to using one of these built-in roles, you can [assign a custom role](resource-custom-roles-sql-database-ads.md).

+ > [!IMPORTANT]

+ > An Azure account is required only when you configure the migration steps. An Azure account isn't required for the assessment or to view Azure recommendations in the migration wizard in Azure Data Studio.

+- Create a target instance of [SQL Server on Azure Virtual Machines](/azure/azure-sql/virtual-machines/windows/create-sql-vm-portal).

+ > If you have an existing Azure virtual machine, it should be registered with the [SQL IaaS Agent extension in Full management mode](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management#management-modes).

+- Ensure that the logins that you use to connect the source SQL Server instance are members of the SYSADMIN server role or have CONTROL SERVER permission.

+- Provide an SMB network share, Azure storage account file share, or Azure storage account blob container that contains your full database backup files and subsequent transaction log backup files. Database Migration Service uses the backup location during database migration.

+ > [!IMPORTANT]

+ >

+ > - If your database backup files are in an SMB network share, [create an Azure storage account](../storage/common/storage-account-create.md) that Database Migration Service can use to upload database backup files to and to migrate databases. Make sure you create the Azure storage account in the same region where you create your instance of Database Migration Service.

+ > - Database Migration Service doesn't initiate any backups. Instead, the service uses existing backups for the migration. You might already have these backups as part of your disaster recovery plan.

+ > - You can write each backup to either a separate backup file or to multiple backup files. Appending multiple backups such as full and transaction logs into a single backup media isn't supported.

+ > - You can provide compressed backups to reduce the likelihood of experiencing potential issues associated with migrating large backups.

+- Ensure that the service account that's running the source SQL Server instance has read and write permissions on the SMB network share that contains database backup files.

+- If you're migrating a database that's protected by Transparent Data Encryption (TDE), the certificate from the source SQL Server instance must be migrated to SQL Server on Azure Virtual Machines before you migrate data. To learn more, see [Move a TDE-protected database to another SQL Server instance](/sql/relational-databases/security/encryption/move-a-tde-protected-database-to-another-sql-server).

+ > If your database contains sensitive data that's protected by [Always Encrypted](/sql/relational-databases/security/encryption/configure-always-encrypted-using-sql-server-management-studio), the migration process automatically migrates your Always Encrypted keys to your target instance of SQL Server on Azure Virtual Machines.

+- If your database backups are on a network file share, provide a computer on which you can install a [self-hosted integration runtime](../data-factory/create-self-hosted-integration-runtime.md) to access and migrate database backups. The migration wizard gives you the download link and authentication keys to download and install your self-hosted integration runtime.

+ In preparation for the migration, ensure that the computer on which you install the self-hosted integration runtime has the following outbound firewall rules and domain names enabled:

+ | Domain names | Outbound port | Description |

+ | Public cloud: `{datafactory}.{region}.datafactory.azure.net`<br />or `*.frontend.clouddatahub.net` <br /><br /> Azure Government: `{datafactory}.{region}.datafactory.azure.us` <br /><br /> Azure China: `{datafactory}.{region}.datafactory.azure.cn` | 443 | Required by the self-hosted integration runtime to connect to Database Migration Service. <br/><br/>For a newly created data factory in a public cloud, locate the fully qualified domain name (FQDN) from your self-hosted integration runtime key, in the format `{datafactory}.{region}.datafactory.azure.net`. <br /><br /> For an existing data factory, if you don't see the FQDN in your self-hosted integration key, use `*.frontend.clouddatahub.net` instead. |

+ | `*.core.windows.net` | 443 | Used by the self-hosted integration runtime that connects to the Azure storage account to upload database backups from your network share |

+ > If your database backup files are already provided in an Azure storage account, a self-hosted integration runtime isn't required during the migration process.

+- If you use a self-hosted integration runtime, make sure that the computer on which the runtime is installed can connect to the source SQL Server instance and the network file share where backup files are located.

+- Enable outbound port 445 to allow access to the network file share. For more information, see [recommendations for using a self-hosted integration runtime](migration-using-azure-data-studio.md#recommendations-for-using-a-self-hosted-integration-runtime-for-database-migrations).

+- If you're using Azure Database Migration Service for the first time, make sure that the Microsoft.DataMigration [resource provider is registered in your subscription](quickstart-create-data-migration-service-portal.md#register-the-resource-provider).

+## Open the Migrate to Azure SQL wizard in Azure Data Studio

+To open the Migrate to Azure SQL wizard:

+1. In Azure Data Studio, go to **Connections**. Select and connect to your on-premises instance of SQL Server. You also can connect to SQL Server on an Azure virtual machine.

+1. Right-click the server connection and select **Manage**.

+1. In the server menu under **General**, select **Azure SQL Migration**.

+1. In the Azure SQL Migration dashboard, select **Migrate to Azure SQL** to open the migration wizard.

+ :::image type="content" source="media/tutorial-sql-server-to-virtual-machine-online-ads/launch-migrate-to-azure-sql-wizard.png" alt-text="Screenshot that shows how to open the Migrate to Azure SQL wizard.":::

+1. On the first page of the wizard, start a new session or resume a previously saved session.

+## Run a database assessment, collect performance data, and get Azure recommendations

+1. In **Step 1: Databases for assessment** in the Migrate to Azure SQL wizard, select the databases you want to assess. Then, select **Next**.

+1. In **Step 2: Assessment results and recommendations**, complete the following steps:

+ 1. In **Choose your Azure SQL target**, select **SQL Server on Azure Virtual Machine**.

+ :::image type="content" source="media/tutorial-sql-server-to-virtual-machine-offline-ads/assessment-complete-target-selection.png" alt-text="Screenshot that shows an assessment confirmation.":::

+ 1. Select **View/Select** to view the assessment results.

+ 1. In the assessment results, select the database, and then review the assessment report to make sure no issues were found.

+ 1. Select **Get Azure recommendation** to open the recommendations pane.

+ 1. Select **Collect performance data now**. Select a folder on your local computer to store the performance logs, and then select **Start**.

+ Azure Data Studio collects performance data until you either stop data collection or you close Azure Data Studio.

+ After 10 minutes, Azure Data Studio indicates that a recommendation is available for SQL Server on Azure Virtual Machines. After the first recommendation is generated, you can select **Restart data collection** to continue the data collection process and refine the SKU recommendation. An extended assessment is especially helpful if your usage patterns vary over time.

+ 1. In the selected **SQL Server on Azure Virtual Machines** target, select **View details** to open the detailed SKU recommendation report:

+ 1. In **Review SQL Server on Azure Virtual Machines Recommendations**, review the recommendation. To save a copy of the recommendation, select the **Save recommendation report** checkbox.

+1. Select **Close** to close the recommendations pane.

+1. Select **Next** to continue your database migration in the wizard.

+1. In **Step 3: Azure SQL target** in the Migrate to Azure SQL wizard, select your Azure account, Azure subscription, the Azure region or location, and the resource group that contains the target SQL Server to Azure Virtual Machines instance. Then, select **Next**.

+1. In **Step 4: Migration mode**, select **Offline migration**, and then select **Next**.

+ > In offline migration mode, the source SQL Server database shouldn't be used for write activity while database backup files are restored on the target instance of SQL Server to Azure Virtual Machines. Application downtime persists from the start of the migration process until it's finished.

+

+1. In **Step 5: Data source configuration**, select the location of your database backups. Your database backups can be located either on an on-premises network share or in an Azure storage blob container.

+ > If your database backups are provided in an on-premises network share, you must set up a self-hosted integration runtime in the next step of the wizard. A self-hosted integration runtime is required to access your source database backups, check the validity of the backup set, and upload backups to Azure storage account.

+ >

+ > If your database backups are already in an Azure storage blob container, you don't need to set up a self-hosted integration runtime.

+

+ For backups that are located on a network share, enter or select the following information:

+ |Name |Description |

+ |**Source Credentials - Username** |The credential (Windows and SQL authentication) to connect to the source SQL Server instance and validate the backup files. |

+ |**Source Credentials - Password** |The credential (Windows and SQL authentication) to connect to the source SQL Server instance and validate the backup files. |

+ |**Network share location that contains backups** |The network share location that contains the full and transaction log backup files. Any invalid files or backup files in the network share that don't belong to the valid backup set are automatically ignored during the migration process. |

+ |**Target database name** |You can modify the target database name during the migration process. |

+ For backups that are stored in an Azure storage blob container, enter or select the following information:

+ |Name |Description |

+ |**Target database name** |You can modify the target database name during the migration process. |

+ |**Storage account details** |The resource group, storage account, and container where backup files are located.

+ |**Last Backup File** |The file name of the last backup of the database you're migrating.

+ > If loopback check functionality is enabled and the source SQL Server and file share are on the same computer, the source won't be able to access the file share by using the FQDN. To fix this issue, [disable loopback check functionality](https://support.microsoft.com/help/926642/error-message-when-you-try-to-access-a-server-locally-by-using-its-fqd).

+## Create a Database Migration Service instance

+In **Step 6: Azure Database Migration Service** in the Migrate to Azure SQL wizard, create a new instance of Azure Database Migration Service or reuse an existing instance that you created earlier.

+> [!NOTE]

+> If you previously created a Database Migration Service instance by using the Azure portal, you can't reuse the instance in the migration wizard in Azure Data Studio. You can reuse an instance only if you created the instance by using Azure Data Studio.

+### Use an existing instance of Database Migration Service

+To use an existing instance of Database Migration Service:

+1. In **Resource group**, select the resource group that contains an existing instance of Database Migration Service.

+1. In **Azure Database Migration Service**, select an existing instance of Database Migration Service that's in the selected resource group.

+1. Select **Next**.

+### Create a new instance of Database Migration Service

+To create a new instance of Database Migration Service:

+1. In **Resource group**, create a new resource group to contain a new instance of Database Migration Service.

+

+1. Under **Azure Database Migration Service**, select **Create new**.

+1. In **Create Azure Database Migration Service**, enter a name for your Database Migration Service instance, and then select **Create**.

+1. Under **Set up integration runtime**, complete the following steps:

+ 1. Select the **Download and install integration runtime** link to open the download link in a web browser. Download the integration runtime, and then install it on a computer that meets the prerequisites to connect to the source SQL Server instance.

+ When installation is finished, Microsoft Integration Runtime Configuration Manager automatically opens to begin the registration process.

+ 1. In the **Authentication key** table, copy one of the authentication keys that are provided in the wizard and paste it in Azure Data Studio. If the authentication key is valid, a green check icon appears in Integration Runtime Configuration Manager. A green check indicates that you can continue to **Register**.

+ After you register the self-hosted integration runtime, close Microsoft Integration Runtime Configuration Manager.

+ > [!NOTE]

+ > For more information about how to use the self-hosted integration runtime, see [Create and configure a self-hosted integration runtime](../data-factory/create-self-hosted-integration-runtime.md).

+1. In **Create Azure Database Migration Service** in Azure Data Studio, select **Test connection** to validate that the newly created Database Migration Service instance is connected to the newly registered self-hosted integration runtime.

+1. Return to the migration wizard in Azure Data Studio.

+## Start the database migration

+In **Step 7: Summary** in the Migrate to Azure SQL wizard, review the configuration you created, and then select **Start migration** to start the database migration.

+## Monitor the database migration

+1. In Azure Data Studio, in the server menu under **General**, select **Azure SQL Migration** to go to the dashboard for your Azure SQL migrations.

+ Under **Database migration status**, you can track migrations that are in progress, completed, and failed (if any), or you can view all database migrations.

+1. Select **Database migrations in progress** to view active migrations.

+ To get more information about a specific migration, select the database name.

+ The migration details pane displays the backup files and their corresponding status:

+ | Arrived | The backup file arrived in the source backup location and was validated. |

+ | Uploading | The integration runtime is uploading the backup file to Azure storage. |

+ | Uploaded | The backup file has been uploaded to Azure storage. |

+ | Restoring | The service is restoring the backup file to SQL Server on Azure Virtual Machines. |

+ | Restored | The backup file was successfully restored on SQL Server on Azure Virtual Machines. |

+ | Canceled | The migration process was canceled. |

+ | Ignored | The backup file was ignored because it doesn't belong to a valid database backup chain. |

+After all database backups are restored on the instance of SQL Server on Azure Virtual Machines, an automatic migration cutover is initiated by Database Migration Service to ensure that the migrated database is ready to use. The migration status changes from **In progress** to **Succeeded**.

+- Complete a quickstart to [migrate a database to SQL Server on Azure Virtual Machines by using the T-SQL RESTORE command](/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide).

+- Learn more about [SQL Server on Azure Windows Virtual Machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview).

+-Learn how to [connect apps to SQL Server on Azure Virtual Machines](/azure/azure-sql/virtual-machines/windows/ways-to-connect-to-sql).

+* Runtime is installed on the machine using self-hosted integration runtime. The machine will connect to the source SQL Server instance and the network file share where backup files are located. Outbound port 445 should be enabled to allow access to the network file share. Also see [recommendations for using self-hosted integration runtime](migration-using-azure-data-studio.md#recommendations-for-using-a-self-hosted-integration-runtime-for-database-migrations)

+For more information on additional design considerations of a multitenant application, see [Hosting a Multi-Tenant Application on Azure][Hosting a Multi-Tenant Application on Azure] and [Cross-Tenant Communication using Azure Service Bus Sample][Cross-Tenant Communication using Azure Service Bus Sample]. For information on common data architecture patterns of multi-tenant software-as-a-service (SaaS) database applications, see [Design Patterns for Multi-tenant SaaS Applications with Azure SQL Database](/azure/azure-sql/database/saas-tenancy-app-design-patterns).

+## Cross-Tenant Communication using Azure Service Bus Sample

+The [Cross-Tenant Communication using Azure Service Bus Sample][Cross-Tenant Communication using Azure Service Bus Sample] demonstrates a multi-tenanted solution handling cross-tenant communication between a provider and one or more of its customers using Service Bus message queues. The provider comunicates securely with each of its customers, and each customer securely with the provider. To download the complete sample with instructions, see [Cross-Tenant Communication using Azure Service Bus Sample][Cross-Tenant Communication using Azure Service Bus Sample].

+## Azure features for Multitenant Applications

+[Cross-Tenant Communication using Azure Service Bus Sample]: https://github.com/Azure-Samples/Cross-Tenant-Communication-Using-Azure-Service-Bus

+| **[Fastweb](https://www.fastweb.it/grandi-aziende/dati-voce/scheda-prodotto/fast-company/)** | Supported |Supported | Milan |

+| **[Tivit](https://tivit.com/solucoes/public-cloud/)** |Supported |Supported | Sao Paulo2 |

+| **[Fastweb S.p.A](https://www.fastweb.it/grandi-aziende/dati-voce/scheda-prodotto/fast-company/)** | Equinix | Amsterdam |

+| **[Spectrum Enterprise](https://enterprise.spectrum.com/services/internet-networking/wan/cloud-connect.html)** | Equinix | Chicago, Dallas, Los Angeles, New York, Silicon Valley |

+| **[United Information Highway (UIH)](https://www.uih.co.th/en/network-solutions/global-network/cloud-direct-for-microsoft-azure-expressroute)**| Equinix | Singapore |

+Azure Firewall supports both Classic rules and policies, but policies is the recommended configuration. The following table compares policies and classic rules:

+> [!NOTE]

+> Migration capability for Azure Front Door is currently in Public Preview without an SLA and isn't recommended for production environments.

+> [!NOTE]

+> Migration capability for Azure Front Door is currently in Public Preview without an SLA and isn't recommended for production environments.

+ Title: 'Paginate Azure Resource Graph query results using Azure PowerShell'

+description: In this quickstart, you control the volume Azure Resource Graph query output by using pagination in Azure PowerShell.

+# Quickstart: Paginate Azure Resource Graph query results using Azure PowerShell

+By default, Azure Resource Graph returns a maximum of 1000 records for each query. However, you can

+use the *Search-AzGraph* cmdlet's `skipToken` parameter to adjust how many records you return per

+request.

+At the end of this quickstart, you'll be able to customize the output volume returned by your Azure Resource

+Graph queries by using Azure PowerShell.

+## Prerequisites

+If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account

+before you begin.

+## Add the Resource Graph module

+To enable Azure PowerShell to query Azure Resource Graph, the **Az.ResourceGraph** module must be

+added. This module can be used with locally installed PowerShell, with

+[Azure Cloud Shell](https://shell.azure.com), or with the

+[PowerShell Docker image](https://hub.docker.com/_/microsoft-powershell).

+### Base requirements

+The Azure Resource Graph module requires the following software:

+- Azure PowerShell 8.x or higher. If it isn't yet installed, follow

+ [these instructions](/powershell/azure/install-az-ps).

+- PowerShellGet 2.0.1 or higher. If it isn't installed or updated, follow

+ [these instructions](/powershell/scripting/gallery/installing-psget).

+### Install the module

+The Resource Graph module for PowerShell is **Az.ResourceGraph**.

+1. From a PowerShell prompt, run the following command:

+ ```powershell

+ # Install the Resource Graph module from PowerShell Gallery

+ Install-Module -Name Az.ResourceGraph -Scope CurrentUser -Repository PSGallery -Force

+ ```

+1. Validate that the module has been imported and is at least version `0.11.0`:

+ ```powershell

+ # Get a list of commands for the imported Az.ResourceGraph module

+ Get-Command -Module Az.ResourceGraph

+ ```

+## Paginate Azure Resource Graph query results

+With the Azure PowerShell module added to your environment of choice, it's time to try out a simple

+tenant-based Resource Graph query and work with paginating the results. We'll start with an ARG

+query that returns a list of all virtual machines (VMS) across all subscriptions associated with a

+given Azure Active Directory (Azure AD) tenant.

+We'll then configure the query to return five records (VMs) at a time.

+> [!NOTE]

+> This example query is adapted from the work of Microsoft Most Valuable Professional (MVP)

+> [Oliver Mossec](https://github.com/omiossec).

+1. Run the initial Azure Resource Graph query using the `Search-AzGraph` cmdlet:

+ ```powershell

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ # Run Azure Resource Graph query Search-AzGraph -Query "Resources | join kind=leftouter

+ (ResourceContainers | where type=='microsoft.resources/subscriptions' | project subscriptionName

+ = name, subscriptionId) on subscriptionId | where type =~ 'Microsoft.Compute/virtualMachines' |

+ project VMResourceId = id, subscriptionName, resourceGroup, name"

+ ```

+1. Update the query to implement the `skipToken` parameter and return 5 VMs in each batch:

+ ```powershell

+ $kqlQuery = "Resources | join kind=leftouter (ResourceContainers | where

+ type=='microsoft.resources/subscriptions' | project subscriptionName = name,subscriptionId) on

+ subscriptionId | where type =~ 'Microsoft.Compute/virtualMachines' | project VMResourceId = id,

+ subscriptionName, resourceGroup,name"

+ $batchSize = 5

+ $skipResult = 0

+ [System.Collections.Generic.List[string]]$kqlResult

+ while ($true) {

+ if ($skipResult -gt 0) {

+ $graphResult = Search-AzGraph -Query $kqlQuery -First $batchSize -SkipToken $graphResult.SkipToken

+ }

+ else {

+ $graphResult = Search-AzGraph -Query $kqlQuery -First $batchSize

+ }

+ $kqlResult += $graphResult.data

+ if ($graphResult.data.Count -lt $batchSize) {

+ break;

+ }

+ $skipResult += $skipResult + $batchSize

+ }

+ ```

+## Clean up resources

+If you wish to remove the Resource Graph module from your Azure PowerShell environment, you can do

+so by using the following command:

+```powershell

+# Remove the Resource Graph module from the current session

+Remove-Module -Name Az.ResourceGraph

+# Uninstall the Resource Graph module from your computer

+Uninstall-Module -Name Az.ResourceGraph

+```

+## Next steps

+In this quickstart, you learned how to paginate Azure Resource Graph query results by using

+Azure PowerShell. To learn more about the Resource Graph language, review any of the following

+Microsoft Learn resources.

+- [Work with large data sets - Azure Resource Graph](concepts/work-with-data.md)

+- [Az.ResourceGraph PowerShell module reference](/powershell/module/az.resourcegraph)

+- [What is Azure Resource Graph?](overview.md)

+# SMART on FHIR

+Below tutorial describes how to use the proxy to enable SMART on FHIR applications with Azure API for FHIR.

+## Tutorial: SMART on FHIR proxy

+**Prerequisites**

+ :::image type="content" source="media/tutorial-iot-central-smart-meter/smart-meter-build.png" alt-text="Screenshot showing the Azure IoT Central build site with the energy app templates.":::

+## Customize your application

+## Clean up resources

+ :::image type="content" source="media/tutorial-iot-central-solar-panel/solar-panel-build.png" alt-text="Screenshot showing the Azure IoT Central build site with the energy app templates.":::

+Select the sample device, **SP0123456789**. From the **Update Properties** tab, you can update the writable properties of the device and see a visual of the updated values on the dashboard.

+## Customize your application

+## Clean up resources

+ :::image type="content" source="media/tutorial-connected-waste-management/iot-central-government-tab-overview.png" alt-text="Screenshot showing the Azure IoT Central build site with the government app templates.":::

+### Dashboard

+As a builder, you can create and customize views on the dashboard for operators. First, let's explore the dashboard.

+>All data shown in the dashboard is based on simulated device data, which you'll see more of in the next section.

+* **Wide World Waste utility image tile**: The first tile in the dashboard is an image tile of a fictitious waste utility, "Wide World Waste." You can customize the tile and put in your own image, or you can remove it.

+* **Waste bin image tile**: You can use image and content tiles to create a visual representation of the device that's being monitored, along with a description.

+* **Fill level KPI tile**: This tile displays a value reported by a *fill level* sensor in a waste bin. Fill level and other sensors, like *odor meter* or *weight* in a waste bin, can be remotely monitored. An operator can take action, like dispatching a trash collection truck.

+ :::image type="content" source="media/tutorial-connected-waste-management/connected-waste-management-dashboard-bar-chart.png" alt-text="Screenshot of the expanded bar chart on the connected waste management application dashboard." lightbox="media/tutorial-connected-waste-management/connected-waste-management-dashboard-bar-chart.png":::

+* **Field Services**: The dashboard includes a link to how to integrate with Dynamics 365 Field Services from your Azure IoT Central application. For example, you can use Field Services to create tickets for dispatching trash collection services.

+### Customize the dashboard

+You can customize the dashboard by selecting the **Edit** menu. Then you can add new tiles or configure existing ones. Here's what the dashboard looks like in editing mode:

+You can also select **+ New** to create a new dashboard and configure from scratch. You can have multiple dashboards, and you can switch between your dashboards from the dashboard menu.

+A device template in Azure IoT Central defines the capabilities of a device, which can include telemetry, properties, or commands. As a builder, you can define device templates that represent the capabilities of the devices you will connect.

+The connected waste management application comes with a sample template for a connected waste bin device.

+1. In Azure IoT Central, from the left pane of your app, select **Device templates**.

+ :::image type="content" source="media/tutorial-connected-waste-management/connected-waste-management-device-template-connected-bin.png" alt-text="Screenshot of the connected waste management device template." lightbox="media/tutorial-connected-waste-management/connected-waste-management-device-template-connected-bin.png":::

+1. Select **Save**.

+### Add a cloud property

+1. Select **Save**.

+### Views

+The connected waste bin device template comes with predefined views. Explore the views, and update them if you want to. The views define how operators see the device data and input cloud properties.

+### Publish

+If you made any changes, remember to publish the device template.

+### Create a new device template

+To create a new device template, select **+ New**, and follow the steps. You can create a custom device template from scratch, or you can choose a device template from the Azure device catalog.

+In Azure IoT Central, you can create simulated devices to test your device template and application.

+The connected waste management application has two simulated devices associated with the connected waste bin device template.

+ :::image type="content" source="media/tutorial-connected-waste-management/connected-waste-management-devices-bin.png" alt-text="Screenshot of the connected waste management application devices page." lightbox="media/tutorial-connected-waste-management/connected-waste-management-devices-bin.png":::

+Explore the **Device Properties** and **Device Dashboard** tabs.

+You can add new devices by selecting **+ New** on the **Devices** tab.

+The connected waste management application has four sample rules.

+ :::image type="content" source="media/tutorial-connected-waste-management/connected-waste-management-bin-full-alert.png" alt-text="Screenshot of the connected waste management application bin full rule." lightbox="media/tutorial-connected-waste-management/connected-waste-management-bin-full-alert.png":::

+1. The **Bin full alert** checks the following condition: **Fill level is greater than or equal to Bin full alert threshold**.

+ The **Bin full alert threshold** is a cloud property that's defined in the connected waste bin device template.

+Now create an email action.

+1. Select **+ Email**.

+1. For **To**, enter the email address associated with your Azure IoT Central account.

+1. Select **Done** > **Save**.

+>The application sends email each time a condition is met. Disable the rule to stop receiving email from the automated rule.

+In Azure IoT Central, jobs allow you to trigger device or cloud properties updates on multiple devices. You can also use jobs to trigger device commands on multiple devices. Azure IoT Central automates the workflow for you.

+1. From the left pane of Azure IoT Central, select **Jobs**.

+1. Select **+New**, and configure one or more jobs.

+## Customize your application

+1. On the **Commands** tab, you can see the three device commands (**Close valve**, **Open valve**, and **Set valve position**) that are defined in the **Smart Valve** device template.

+ :::image type="content" source="media/tutorial-waterconsumptionmonitoring/water-consumption-monitor-device-1.png" alt-text="Screenshot showing the water consumption monitoring application smart valve device." lightbox="media/tutorial-waterconsumptionmonitoring/water-consumption-monitor-device-1.png":::

+> The views you see on this page are configured using the **Device Template > Views** page.

+ :::image type="content" source="media/tutorial-waterconsumptionmonitoring/water-consumption-monitoring-high-flow-alert.png" alt-text="Screenshot showing the water consumption monitoring application rule." lightbox="media/tutorial-waterconsumptionmonitoring/water-consumption-monitoring-high-flow-alert.png":::

+The suggested next step is to learn about [Water quality monitoring](./tutorial-water-quality-monitoring.md).

+1. Select a simulated device.

+ :::image type="content" source="media/tutorial-waterqualitymonitoring/water-quality-monitor-device.png" alt-text="Screenshot showing a water quality monitoring device." lightbox="media/tutorial-waterqualitymonitoring/water-quality-monitor-device.png":::

+ :::image type="content" source="media/tutorial-waterqualitymonitoring/water-quality-monitoring-high-ph-alert.png" alt-text="Screenshot showing the water quality monitoring dashboard high pH alert rule." lightbox="media/tutorial-waterqualitymonitoring/water-quality-monitoring-high-ph-alert.png":::

+

+ :::image type="content" source="media/create-update-group/device-details-2.png" alt-text="Screenshot of device details view in IoT hub." lightbox="media/create-update-group/device-details-2.png":::

+## View device groups

+Device Update uses groups to organize devices. Device Update automatically sorts devices into groups based on their assigned tags and compatibility properties. Each device belongs to only one group, but groups can have multiple subgroups to sort different device classes.

+1. View the list of groups and the update compliance chart. The update compliance chart shows the count of devices in various states of compliance: **On latest update**, **New updates available**, and **Updates in progress**. [Learn about update compliance](device-update-compliance.md).

+1. You should see a device group that contains the simulated device you set up in this tutorial along with any available updates for the devices in the new group. If there are devices that don't meet the device class requirements of the group, they'll show up in a corresponding invalid group. To deploy the best available update to the new user-defined group from this view, select **Deploy** next to the group.

+For more information about tags and groups, see [Manage device groups](create-update-group.md).

+## Deployment monitoring

+Deployment details give you information on the devices that are part of the deployment as well as their status. As the deployment progresses, devices will move from In progress to Completed or Failed state. If the deployment is Canceled, then all the devices within the deployment will also reflect the Canceled state.

+The devices may move directly to a terminal state i.e. Completed or Failed state, if the deployed update is very small or the network latency is high. These states are set when the service receives the deployment status from the Device Update agent. They cannot be manually changed.

+-

+For more detail about the permissions assigned to each role, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles#lab-assistant)

+ model = mlflow.pyfunc.load_model(model_path)

+| 18881 | Used to connect to the language server to enable IntelliSense for notebooks on a compute instance. |

+- script: pip install -r sdk/python/dev-requirements.txt

+ filePath: 'sdk/python/setup.sh'

+ workingDirectory: 'sdk/python/jobs/single-step/scikit-learn/diabetes'

+| Qatar Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

+| Sweden Central | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |

+| USGov Virginia | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |

+| USGov Arizona | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |

+| USGov Texas | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |

+## November 2022

+- **General availability in Azure US Government regions**

+ The Azure Database for MySQL - Flexible Server is now available in the following Azure regions:

+ - USGov Virginia

+ - USGov Arizona

+ - USGov Texas

+| Brazil South | :heavy_check_mark: (v3 only) | :heavy_check_mark: | :heavy_check_mark: | :x: |

+This article describes how to work with the business glossary in Microsoft Purview. It provides steps to create a business glossary term in the Microsoft Purview Data Catalog. It also shows you how to import and export glossary terms by using .CSV files, and how to delete terms that you no longer need.

+1. On the **Glossary terms** page, select **+ New term**.

+ A pane opens with the **System default** template selected. Choose the template, or templates, that you want to use to create a glossary term, and then select **Continue**.

+ Selecting multiple templates will allow you to use the custom attributes from those templates.

+1. If you selected multiple templates, you can select and deselect templates from the **Term template** dropdown at the top of the page.

+1. Give your new term a name, which must be unique in the catalog.

+1. For **Definition**, add a definition for the term.

+1. For **Status**, select the status for the term. New terms default to **Draft**.

+1. Add **Resources** and **Acronym** information. If the term is part of a hierarchy, you can add parent terms at **Parent** on the **Overview** tab.

+1. Add **Synonyms** and **Related terms** information on the **Related** tab, and then select **Apply**.

+1. Optionally, select the **Contacts** tab to add experts and stewards to your term.

+1. Select **Create** to create your term.

+The Microsoft Purview Data Catalog provides a template .CSV file for you to import terms from the catalog into your glossary. Duplicate terms include both spelling and capitalization, because term names are case-sensitive.

+1. Select the template, or templates, for the terms you want to import, and then select **Continue**.

+ You can select multiple templates and import terms for different templates from a single .csv file.

+1. Download the .csv template and use it to enter the terms that you want to add.

+1. After you finish filling out your .CSV file, select your file to import, and then select **OK**.

+When you're in the glossary, the **Export terms** button is disabled by default. After you select the terms that you want to export, the **Export terms** button is enabled.

+> [!NOTE]

+> Selected terms **don't** need to be from the same term template to be able to export them.

+> | [Lab Assistant](#lab-assistant) | Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. | ce40b423-cede-4313-a93f-9b28290b72e1 |

+> | [Lab Contributor](#lab-contributor) | Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. | 5daaa2af-1fe8-407c-9122-bba179798270 |

+> | [Lab Operator](#lab-operator) | Gives you limited ability to manage existing labs. | a36e6959-b6be-4b12-8e9f-ef4b474d304d |

+> | [Lab Services Contributor](#lab-services-contributor) | Enables you to fully control all Lab Services scenarios in the resource group. | f69b8690-cc87-41d6-b77a-a4bc3c0a966f |

+> | [Lab Services Reader](#lab-services-reader) | Enables you to view, but not change, all lab plans and lab resources. | 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc |

+### Lab Assistant

+Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/read | Get the properties of a lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/read | Get the properties of a user. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/start | Start a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/stop | Stop and deallocate a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/reimage | Reimage a virtual machine to the last published image. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/redeploy | Redeploy a virtual machine to a different compute node. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/locations/usages/read | Get Usage in a location |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1",

+ "properties": {

+ "roleName": "Lab Assistant",

+ "description": "The lab assistant role",

+ "assignableScopes": [

+ "/"

+ ],

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Insights/alertRules/*",

+ "Microsoft.LabServices/labPlans/images/read",

+ "Microsoft.LabServices/labPlans/read",

+ "Microsoft.LabServices/labs/read",

+ "Microsoft.LabServices/labs/schedules/read",

+ "Microsoft.LabServices/labs/users/read",

+ "Microsoft.LabServices/labs/users/invite/action",

+ "Microsoft.LabServices/labs/virtualMachines/read",

+ "Microsoft.LabServices/labs/virtualMachines/start/action",

+ "Microsoft.LabServices/labs/virtualMachines/stop/action",

+ "Microsoft.LabServices/labs/virtualMachines/reimage/action",

+ "Microsoft.LabServices/labs/virtualMachines/redeploy/action",

+ "Microsoft.LabServices/locations/usages/read",

+ "Microsoft.LabServices/skus/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ]

+ }

+}

+```

+### Lab Contributor

+Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/read | Get the properties of a lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/write | Create new or update an existing lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/delete | Delete the lab and all its users, schedules and virtual machines. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/syncGroup/action | Updates the list of users from the Active Directory group assigned to the lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/write | Create new or update an existing schedule. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/delete | Delete the schedule. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/read | Get the properties of a user. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/write | Create new or update an existing user. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/delete | Delete the user. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/start | Start a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/stop | Stop and deallocate a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/reimage | Reimage a virtual machine to the last published image. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/redeploy | Redeploy a virtual machine to a different compute node. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/locations/usages/read | Get Usage in a location |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/createLab/action | Create a new lab from a lab plan. |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270",

+ "properties": {

+ "roleName": "Lab Contributor",

+ "description": "The lab contributor role",

+ "assignableScopes": [

+ "/"

+ ],

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Insights/alertRules/*",

+ "Microsoft.LabServices/labPlans/images/read",

+ "Microsoft.LabServices/labPlans/read",

+ "Microsoft.LabServices/labPlans/saveImage/action",

+ "Microsoft.LabServices/labs/read",

+ "Microsoft.LabServices/labs/write",

+ "Microsoft.LabServices/labs/delete",

+ "Microsoft.LabServices/labs/publish/action",

+ "Microsoft.LabServices/labs/syncGroup/action",

+ "Microsoft.LabServices/labs/schedules/read",

+ "Microsoft.LabServices/labs/schedules/write",

+ "Microsoft.LabServices/labs/schedules/delete",

+ "Microsoft.LabServices/labs/users/read",

+ "Microsoft.LabServices/labs/users/write",

+ "Microsoft.LabServices/labs/users/delete",

+ "Microsoft.LabServices/labs/users/invite/action",

+ "Microsoft.LabServices/labs/virtualMachines/read",

+ "Microsoft.LabServices/labs/virtualMachines/start/action",

+ "Microsoft.LabServices/labs/virtualMachines/stop/action",

+ "Microsoft.LabServices/labs/virtualMachines/reimage/action",

+ "Microsoft.LabServices/labs/virtualMachines/redeploy/action",

+ "Microsoft.LabServices/labs/virtualMachines/resetPassword/action",

+ "Microsoft.LabServices/locations/usages/read",

+ "Microsoft.LabServices/skus/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.LabServices/labPlans/createLab/action"

+ ],

+ "notDataActions": []

+ }

+ ]

+ }

+}

+```

+### Lab Operator

+Gives you limited ability to manage existing labs.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/read | Get the properties of a lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/write | Create new or update an existing schedule. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/delete | Delete the schedule. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/read | Get the properties of a user. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/write | Create new or update an existing user. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/delete | Delete the user. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/start/action | Start a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/locations/usages/read | Get Usage in a location. |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d",

+ "properties": {

+ "roleName": "Lab Operator",

+ "description": "The lab operator role",

+ "assignableScopes": [

+ "/"

+ ],

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Insights/alertRules/*",

+ "Microsoft.LabServices/labPlans/images/read",

+ "Microsoft.LabServices/labPlans/read",

+ "Microsoft.LabServices/labPlans/saveImage/action",

+ "Microsoft.LabServices/labs/publish/action",

+ "Microsoft.LabServices/labs/read",

+ "Microsoft.LabServices/labs/schedules/read",

+ "Microsoft.LabServices/labs/schedules/write",

+ "Microsoft.LabServices/labs/schedules/delete",

+ "Microsoft.LabServices/labs/users/read",

+ "Microsoft.LabServices/labs/users/write",

+ "Microsoft.LabServices/labs/users/delete",

+ "Microsoft.LabServices/labs/users/invite/action",

+ "Microsoft.LabServices/labs/virtualMachines/read",

+ "Microsoft.LabServices/labs/virtualMachines/start/action",

+ "Microsoft.LabServices/labs/virtualMachines/stop/action",

+ "Microsoft.LabServices/labs/virtualMachines/reimage/action",

+ "Microsoft.LabServices/labs/virtualMachines/redeploy/action",

+ "Microsoft.LabServices/labs/virtualMachines/resetPassword/action",

+ "Microsoft.LabServices/locations/usages/read",

+ "Microsoft.LabServices/skus/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ]

+ }

+}

+```

+### Lab Services Contributor

+Enables you to fully control all Lab Services scenarios in the resource group.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/* | Create and manage lab services components. |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/createLab/action | Create a new lab from a lab plan. |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f",

+ "properties": {

+ "roleName": "Lab Services Contributor",

+ "description": "The lab services contributor role",

+ "assignableScopes": [

+ "/"

+ ],

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.LabServices/*",

+ "Microsoft.Insights/alertRules/*",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.LabServices/labPlans/createLab/action"

+ ],

+ "notDataActions": []

+ }

+ ]

+ }

+}

+```

+### Lab Services Reader

+Enables you to view, but not change, all lab plans and lab resources.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/*/read | Read lab services properties. |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc",

+ "properties": {

+ "roleName": "Lab Services Reader",

+ "description": "The lab services reader role",

+ "assignableScopes": [

+ "/"

+ ],

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.LabServices/*/read",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ]

+ }

+}

+```

+It is recommended that whenever possible, IaaS applications leverage Azure Disk Encryption and Encryption at Rest options provided by any consumed Azure services. In some cases, such as irregular encryption requirements or non-Azure based storage, a developer of an IaaS application may need to implement encryption at rest themselves. Developers of IaaS solutions can better integrate with Azure management and customer expectations by leveraging certain Azure components. Specifically, developers should use the Azure Key Vault service to provide secure key storage as well as provide their customers with consistent key management options with that of most Azure platform services. Additionally, custom solutions should use Azure managed service identities to enable service accounts to access encryption keys. For developer information on Azure Key Vault and Managed Service Identities, see their respective SDKs.

+In this quickstart, you'll do the following steps:

+> - This quick start shows you two ways of connecting to Azure Service Bus: **connection string** and **passwordless**. The first option shows you how to use a connection string to connect to a Service Bus namespace. The second option shows you how to use your security principal in Azure Active Directory and the role-based access control (RBAC) to connect to a Service Bus namespace. You don't need to worry about having hard-coded connection string in your code or in a configuration file or in secure storage like Azure Key Vault. If you are new to Azure, you may find the connection string option easier to follow. We recommend using the passwordless option in real-world applications and production environments. For more information, see [Authentication and authorization](service-bus-authentication-and-authorization.md).

+## Launch Visual Studio and sign-in to Azure

+You can authorize access to the service bus namespace using the following steps:

+1. Launch Visual Studio. If you see the **Get started** window, select the **Continue without code** link in the right pane.

+1. Select the **Sign in** button in the top right of Visual Studio.

+ :::image type="content" source="./media/service-bus-dotnet-get-started-with-queues/azure-sign-button-visual-studio.png" alt-text="Screenshot showing the button to sign in to Azure using Visual Studio.":::

+1. Sign-in using the Azure AD account you assigned a role to previously.

+ :::image type="content" source="..//storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-account-small.png" alt-text="Screenshot showing the account selection.":::

+1. In Visual Studio, select **File** -> **New** -> **Project** menu.

+ 1. Select **Console App** from the results list.

+### [Passwordless](#tab/passwordless)

+1. Select **Tools** > **NuGet Package Manager** > **Package Manager Console** from the menu.

+1. Run the following command to install the **Azure.Messaging.ServiceBus** NuGet package.

+ ```powershell

+ Install-Package Azure.Messaging.ServiceBus

+ ```

+1. Run the following command to install the **Azure.Identity** NuGet package.

+ ```powershell

+ Install-Package Azure.Identity

+ ```

+### [Connection String](#tab/connection-string)

+ ### [Passwordless](#tab/passwordless)

+ * Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the `DefaultAzureCredential` object. `DefaultAzureCredential` will automatically discover and use the credentials of your Visual Studio login to authenticate to Azure Service Bus.

+ > [!IMPORTANT]

+ > Update placeholder values (`<NAMESPACE-CONNECTION-STRING>` and `<QUEUE-NAME>`) in the code snippet with names of your Service Bus namespace and queue.

+ using Azure.Identity;

+

+ // name of your Service Bus queue

+ // Set the transport type to AmqpWebSockets so that the ServiceBusClient uses the port 443.

+ // If you use the default AmqpTcp, ensure that ports 5671 and 5672 are open.

+ var clientOptions = new ServiceBusClientOptions

+ //TODO: Replace the "<NAMESPACE-NAME>" and "<QUEUE-NAME>" placeholders.

+ client = new ServiceBusClient(

+ "<NAMESPACE-NAME>.servicebus.windows.net",

+ new DefaultAzureCredential(),

+ clientOptions);

+ ### [Connection string](#tab/connection-string)

+ * Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the connection string.

+ > [!IMPORTANT]

+ > Update placeholder values (`<NAMESPACE-CONNECTION-STRING>` and `<QUEUE-NAME>`) in the code snippet with names of your Service Bus namespace and queue.

+ // set the transport type to AmqpWebSockets so that the ServiceBusClient uses the port 443.

+ // If you use the default AmqpTcp, you will need to make sure that the ports 5671 and 5672 are open

+

+ // TODO: Replace the <NAMESPACE-CONNECTION-STRING> and <QUEUE-NAME> placeholders

+ var clientOptions = new ServiceBusClientOptions()

+ client = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>", clientOptions);

+ > [!IMPORTANT]

+ > In most cases, it will take a minute or two for the role assignment to propagate in Azure. In rare cases, it may take up to **eight minutes**. If you receive authentication errors when you first run your code, wait a few moments and try again.

+### [Passwordless](#tab/passwordless)

+1. Select **QueueReceiver** for **Default project**.

+ :::image type="content" source="media/service-bus-dotnet-get-started-with-queues/package-manager-console.png" alt-text="Screenshot showing QueueReceiver project selected in the Package Manager Console.":::

+1. Run the following command to install the **Azure.Messaging.ServiceBus** NuGet package.

+1. Run the following command to install the **Azure.Identity** NuGet package.

+ ```powershell

+ Install-Package Azure.Identity

+ ```

+### [Connection String](#tab/connection-string)

+1. Run the following command to install the **Azure.Messaging.ServiceBus** NuGet package:

+ ### [Passwordless](#tab/passwordless)

+ using Azure.Identity;

+ ### [Connection string](#tab/connection-string)

+

+ ### [Passwordless](#tab/passwordless)

+ * Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the `DefaultAzureCredential` object. `DefaultAzureCredential` will automatically discover and use the credentials of your Visual Studio login to authenticate to Azure Service Bus.

+ * Invokes the [CreateProcessor](/dotnet/api/azure.messaging.servicebus.servicebusclient.createprocessor) method on the `ServiceBusClient` object to create a [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object for the specified Service Bus queue.

+ * Starts processing messages by invoking the [StartProcessingAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.startprocessingasync) on the `ServiceBusProcessor` object.

+ * When user presses a key to end the processing, invokes the [StopProcessingAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.stopprocessingasync) on the `ServiceBusProcessor` object.

+ > [!IMPORTANT]

+ > Update placeholder values (`<NAMESPACE-NAME>` and `<QUEUE-NAME>`) in the code snippet with names of your Service Bus namespace and queue.

+ // TODO: Replace the <NAMESPACE-NAME> placeholder

+ client = new ServiceBusClient(

+ "<NAMESPACE-NAME>.servicebus.windows.net",

+ new DefaultAzureCredential(),

+ clientOptions);

+ ### [Connection string](#tab/connection-string)

+ * Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the connection string.

+ * Invokes the [CreateProcessor](/dotnet/api/azure.messaging.servicebus.servicebusclient.createprocessor) method on the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object to create a [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object for the specified Service Bus queue.

+ * Starts processing messages by invoking the [StartProcessingAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.startprocessingasync) on the [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object.

+ * When user presses a key to end the processing, invokes the [StopProcessingAsync](/dotnet/api/azure.messaging.servicebus.servicebusprocessor.stopprocessingasync) on the [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) object.

+ // TODO: Replace the <NAMESPACE-CONNECTION-STRING> and <QUEUE-NAME> placeholders

+ client = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>", clientOptions);

+ ### [Passwordless](#tab/passwordless)

+ using Azure.Messaging.ServiceBus;

+ using Azure.Identity;

+ // Set the transport type to AmqpWebSockets so that the ServiceBusClient uses port 443.

+ // TODO: Replace the <NAMESPACE-NAME> and <QUEUE-NAME> placeholders

+ var clientOptions = new ServiceBusClientOptions()

+ client = new ServiceBusClient("<NAMESPACE-NAME>.servicebus.windows.net",

+ new DefaultAzureCredential(), clientOptions);

+

+ ### [Connection string](#tab/connection-string)

+ using System;

+ using System.Threading.Tasks;

+ // Set the transport type to AmqpWebSockets so that the ServiceBusClient uses port 443.

+

+ // TODO: Replace the <NAMESPACE-CONNECTION-STRING> and <QUEUE-NAME> placeholders

+ var clientOptions = new ServiceBusClientOptions()

+ client = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>", clientOptions);

+

+> - This quick start shows you two ways of connecting to Azure Service Bus: **connection string** and **passwordless**. The first option shows you how to use a connection string to connect to a Service Bus namespace. The second option shows you how to use your security principal in Azure Active Directory and the role-based access control (RBAC) to connect to a Service Bus namespace. You don't need to worry about having hard-coded connection string in your code or in a configuration file or in secure storage like Azure Key Vault. If you are new to Azure, you may find the connection string option easier to follow. We recommend using the passwordless option in real-world applications and production environments. For more information, see [Authentication and authorization](service-bus-authentication-and-authorization.md).

+## Launch Visual Studio and sign-in to Azure

+You can authorize access to the service bus namespace using the following steps:

+1. Launch Visual Studio. If you see the **Get started** window, select the **Continue without code** link in the right pane.

+1. Select the **Sign in** button in the top right of Visual Studio.

+ :::image type="content" source="./media/service-bus-dotnet-get-started-with-queues/azure-sign-button-visual-studio.png" alt-text="Screenshot showing the button to sign in to Azure using Visual Studio.":::

+1. Sign-in using the Azure AD account you assigned a role to previously.

+ :::image type="content" source="..//storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-account-small.png" alt-text="Screenshot showing the account selection.":::

+1. In Visual Studio, select **File** -> **New** -> **Project** menu.

+ 1. Select **Console App** from the results list.

+### [Passwordless](#tab/passwordless)

+1. Run the following command to install the **Azure.Messaging.ServiceBus** NuGet package.

+1. Run the following command to install the **Azure.Identity** NuGet package.

+ ```powershell

+ Install-Package Azure.Identity

+ ```

+### [Connection String](#tab/connection-string)

+1. Select **Tools** > **NuGet Package Manager** > **Package Manager Console** from the menu.

+1. Run the following command to install the **Azure.Messaging.ServiceBus** NuGet package:

+ ```Powershell

+ Install-Package Azure.Messaging.ServiceBus

+ ```

+ ## [Passwordless](#tab/passwordless)

+ 1. Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the `DefaultAzureCredential` object. `DefaultAzureCredential` will automatically discover and use the credentials of your Visual Studio login to authenticate to Azure Service Bus.

+ > [!IMPORTANT]

+ > Update placeholder values (`<NAMESPACE-NAME>` and `<TOPIC-NAME>`) in the code snippet with names of your Service Bus namespace and topic.

+ using Azure.Identity;

+ //TODO: Replace the "<NAMESPACE-NAME>" and "<TOPIC-NAME>" placeholders.

+ client = new ServiceBusClient(

+ "<NAMESPACE-NAME>.servicebus.windows.net",

+ new DefaultAzureCredential());

+ ## [Connection String](#tab/connection-string)

+ > [!IMPORTANT]

+ > Update placeholder values (`<NAMESPACE-CONNECTION-STRING>` and `<TOPIC-NAME>`) in the code snippet with actual values you noted down earlier.

+ //TODO: Replace the "<NAMESPACE-CONNECTION-STRING>" and "<TOPIC-NAME>" placeholders.

+ client = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>");

+ > [!IMPORTANT]

+ > In most cases, it will take a minute or two for the role assignment to propagate in Azure. In rare cases, it may take up to **eight minutes**. If you receive authentication errors when you first run your code, wait a few moments and try again.

+ 1. On the **Service Bus Topic** page, In the **Messages** chart in the bottom **Metrics** section, you can see that there are three incoming messages for the topic. If you don't see the value, wait for a few minutes, and refresh the page to see the updated chart.

+### [Passwordless](#tab/passwordless)

+1. Select **SubscriptionReceiver** for **Default project** drop-down list.

+1. Run the following command to install the **Azure.Messaging.ServiceBus** NuGet package.

+ ```powershell

+1. Run the following command to install the **Azure.Identity** NuGet package.

+ ```powershell

+ Install-Package Azure.Identity

+ ```

+### [Connection String](#tab/connection-string)

+1. Run the following command to install the **Azure.Messaging.ServiceBus** NuGet package:

+ ```Powershell

+ ## [Passwordless](#tab/passwordless)

+ using Azure.Identity;

+ Console.WriteLine($"Received: {body} from subscription.");

+ ## [Connection String](#tab/connection-string)

+ // TODO: Replace the <TOPIC-SUBSCRIPTION-NAME> placeholder

+ Console.WriteLine($"Received: {body} from subscription: <TOPIC-SUBSCRIPTION-NAME>");

+ ## [Passwordless](#tab/passwordless)

+ * Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the `DefaultAzureCredential` object. `DefaultAzureCredential` will automatically discover and use the credentials of your Visual Studio login to authenticate to Azure Service Bus.

+ > [!IMPORTANT]

+ > Update placeholder values (`<NAMESPACE-NAME>`, `<TOPIC-NAME>`, `<SUBSCRIPTION-NAME>`) in the code snippet with names of your Service Bus namespace, topic, and subscription.

+ // TODO: Replace the <NAMESPACE-NAME> placeholder

+ client = new ServiceBusClient(

+ "<NAMESPACE-NAME>.servicebus.windows.net",

+ new DefaultAzureCredential());

+ ## [Connection String](#tab/connection-string)

+ > [!IMPORTANT]

+ > Update placeholder values (`<NAMESPACE-CONNECTION-STRING>`, `<TOPIC-NAME>`, `<SUBSCRIPTION-NAME>`) in the code snippet with actual values you noted down earlier.

+ * Creates a [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object using the connection string to the namespace.

+ // TODO: Replace the <NAMESPACE-CONNECTION-STRING> placeholder

+ client = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>">);

+ ## [Passwordless](#tab/passwordless)

+

+ using Azure.Identity;

+ // TODO: Replace the <NAMESPACE-NAME> placeholder

+ client = new ServiceBusClient(

+ "<NAMESPACE-NAME>.servicebus.windows.net",

+ new DefaultAzureCredential());

+ ## [Connection String](#tab/connection-string)

+ // TODO: Replace the <NAMESPACE-CONNECTION-STRING> placeholder

+ client = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>">);

+[Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health/) helps customers view any health events that impact their Subscriptions and Tenants. The Service Issues blade on Service Health shows any ongoing problems in Azure services that are impacting your resources. You can understand when the issue began, and what services and regions are impacted. Previously, the Potential Impact tab on the Service Issues blade was within the details of an incident. It showed any resources under a customer's Subscriptions that may be impacted by an outage, and their resource health signal to help customers evaluate impact.

+18.04 LTS | [9.51](https://support.microsoft.com/en-us/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) |4.15.0-1151-azure </br> 4.15.0-193-generic </br> 5.4.0-1091-azure </br> 5.4.0-126-generic</br>4.15.0-1153-azure </br>4.15.0-194-generic </br>5.4.0-1094-azure </br>5.4.0-128-generic </br>5.4.0-131-generic |

+20.04 LTS | [9.51](https://support.microsoft.com/en-us/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) |5.13.0-1009-azure </br> 5.13.0-1012-azure </br> 5.13.0-1013-azure </br> 5.13.0-1014-azure </br> 5.13.0-1017-azure </br> 5.13.0-1021-azure </br> 5.13.0-1022-azure </br> 5.13.0-1023-azure </br> 5.13.0-1025-azure </br> 5.13.0-1028-azure </br> 5.13.0-1029-azure </br> 5.13.0-1031-azure </br> 5.13.0-21-generic </br> 5.13.0-22-generic </br> 5.13.0-23-generic </br> 5.13.0-25-generic </br> 5.13.0-27-generic </br> 5.13.0-28-generic </br> 5.13.0-30-generic </br> 5.13.0-35-generic </br> 5.13.0-37-generic </br> 5.13.0-39-generic </br> 5.13.0-40-generic </br> 5.13.0-41-generic </br> 5.13.0-44-generic </br> 5.13.0-48-generic </br> 5.13.0-51-generic </br> 5.13.0-52-generic </br> 5.15.0-1007-azure </br> 5.15.0-1008-azure </br> 5.15.0-1013-azure </br> 5.15.0-1014-azure </br> 5.15.0-1017-azure </br> 5.15.0-1019-azure </br> 5.15.0-1020-azure </br> 5.15.0-33-generic </br> 5.15.0-51-generic </br> 5.15.0-43-generic </br> 5.15.0-46-generic </br> 5.15.0-48-generic </br> 5.4.0-1091-azure </br> 5.4.0-126-generic </br> 5.15.0-1021-azure </br> 5.15.0-1022-azure </br> 5.15.0-50-generic </br> 5.15.0-52-generic </br> 5.4.0-1094-azure </br> 5.4.0-128-generic </br> 5.4.0-131-generic |

+Debian 10 | [9.51](https://support.microsoft.com/en-us/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) | 4.19.0-22-amd64 </br> 4.19.0-22-cloud-amd64 </br> 5.10.0-0.deb10.19-amd64 </br> 5.10.0-0.deb10.19-cloud-amd64 |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.51](https://support.microsoft.com/en-us/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.106-azure:5 </br> 4.12.14-16.112-azure |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3) | [9.51](https://support.microsoft.com/en-us/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) | By default, all [stock SUSE 15, SP1, SP2, SP3 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.3.18-150300.38.80-azure |

+ Title: Connect to an app instance for troubleshooting

+description: Learn how to connect to an app instance in Azure Spring Apps for troubleshooting.

+# Connect to an app instance for troubleshooting

+This article describes how to access the shell environment inside your application instances to do advanced troubleshooting.

+Although Azure Spring Apps offers various managed troubleshooting approaches, you may want to do advanced troubleshooting using the shell environment. For example, you may want to accomplish the following troubleshooting tasks:

+- Directly use Java Development Kit (JDK) tools.

+- Diagnose against an appΓÇÖs back-end services for network connection and API call latency for both virtual-network and non-virtual-network instances.

+- Diagnose storage capacity, performance, and CPU/memory issues.

+## Prerequisites

+- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the `spring-cloud` extension, uninstall it to avoid configuration and version mismatches.

+ ```azurecli

+ az extension remove --name spring

+ az extension add --name spring

+ az extension remove --name spring-cloud

+ ```

+- A deployed application in Azure Spring Apps.

+- If you've deployed a custom container, a shell program. The default is `/bin/sh`.

+## Assign an Azure role

+Before connecting to an app instance, you must be granted the role *Azure Spring Apps Connect Role*. Connecting to an app instance requires the data action permission `Microsoft.AppPlatform/Spring/apps/deployments/connect/action`.

+Use the following command to assign the *Azure Spring Apps Connect Role* role:

+```azurecli

+az role assignment create \

+ --role 'Azure Spring Apps Connect Role' \

+ --scope '<service-instance-resource-id>' \

+ --assignee '<your-identity>'

+```

+## Connect to an app instance

+If your app contains only one instance, use the following command to connect to the instance:

+```azurecli

+az spring app connect \

+ --service <your-service-instance> \

+ --resource-group <your-resource-group> \

+ --name <app-name>

+```

+Otherwise, use the following command to specify the instance:

+```azurecli

+az spring app connect \

+ --service <your-service-instance> \

+ --resource-group <your-resource-group> \

+ --name <app-name> \

+ --instance <instance_name>

+```

+Use the following command to specify another deployment of the app:

+```azurecli

+az spring app connect \

+ --service <your-service-instance> \

+ --resource-group <your-resource-group> \

+ --name <app-name> \

+ --deployment green

+```

+By default, Azure Spring Apps launches the app instance with `/bin/sh` bundled in the base image of the container. Use the following command to switch to another bundled shell such as `/bin/bash`:

+```azurecli

+az spring app connect \

+ --service <your-service-instance> \

+ --resource-group <your-resource-group> \

+ --name <app-name> \

+ --shell-cmd /bin/bash

+```

+If your app is deployed with a custom image and shell, you can also use the `--shell-cmd` parameter to specify your shell.

+## Troubleshoot your app instance

+After you connect to an app instance, you can check the status of the heap memory.

+Use the following command to find the Java process ID, which is usually `1`:

+```azurecli

+jps

+```

+The output should look like the following example:

+Then use the following command to run the JDK tool to check the result:

+```azurecli

+jstat -gc 1

+```

+The output should look like the following example:

+## Disconnect from your app instance

+When you're done troubleshooting, use the `exit` command to disconnect from the app instance, or press `Ctrl+d`.

+## Troubleshooting tools

+The following list describes some of the pre-installed tools that you can use for troubleshooting:

+- `lsof` - Lists open files.

+- `top` - Displays system summary information and current utilization.

+- `ps` - Gets a snapshot of the running process.

+- `netstat` - Prints network connections and interface statistics.

+- `nslookup` - Queries internet name servers interactively.

+- `ping` - Tests whether a network host can be reached.

+- `nc` - Reads from and writes to network connections using TCP or UDP.

+- `wget` - Lets you download files and interact with REST APIs.

+- `df` - Displays the amount of available disk space.

+You can also use JDK-bundled tools such as `jps`, `jcmd`, and `jstat`.

+The available tools depend on your service tier and type of app deployment. The following table describes the availability of troubleshooting tools:

+| Tier | Deployment type | Common tools | JDK tools | Notes |

+||--|--||-|

+| Basic / Standard tier | Source code / Jar | Y | Y (for Java workloads only) | |

+| Basic / Standard tier | Custom image | N | N | Up to your installed tool set. |

+| Enterprise Tier | Source code / Artifacts | Y (for full OS stack), N (for base OS stack) | Y (for Java workloads only) | Depends on the OS stack of your builder. |

+| Enterprise Tier | Custom image | N | N | Depends on your installed tool set. |

+## Limitations

+Using the shell environment inside your application instances has the following limitation:

+- Because the app is running as a non-root user, you can't execute some actions requiring root permission. For example, you can't install new tools by using the system package manager `apt / yum`.

+- Because some Linux capabilities are prohibited, tools that require special privileges, such as `tcpdump`, don't work.

+## Next steps

+- [Self-diagnose and solve problems in Azure Spring Apps](./how-to-self-diagnose-solve.md)

+ <td><strong>$2.00</strong></td>

+| Price of high priority data retrieval (per GB) | $0.10 | N/A |

+ - uses: actions/checkout@v3

+ - uses: actions/checkout@v3

+ - uses: actions/checkout@v3

+ - uses: actions/checkout@v3

+ > [!TIP]

+ > - To view an Excel template which can help you to itemize the amount of storage and number of operations required by your workloads, see [Estimating Pricing for Azure Block Blob Deployments](https://azure.github.io/Storage/docs/application-and-user-data/code-samples/estimate-block-blob/).

+ >

+ > You can use that information as input to the Azure pricing calculator.

+ >

+ > - For more information about how to estimate the cost of archiving data that is rarely used, see [Estimate the cost of archiving data](../blobs/archive-cost-estimation.md).

+This article focuses on enabling and configuring Azure Active Directory (Azure AD) for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which are on-premises AD DS identities that are synced to Azure AD. This allows Azure AD users to access Azure file shares using Kerberos authentication. This configuration uses Azure AD to issue the necessary Kerberos tickets to access the file share with the SMB protocol. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs. However, configuring Windows access control lists (ACLs)/directory and file-level permissions for a user or group requires line-of-sight to the on-premises domain controller.

+Once your share-level permissions are in place, you must assign directory/file-level permissions to the user or group. **This requires using a device with line-of-sight to an on-premises AD**. To use Windows File Explorer, the device also needs to be domain-joined.

+There are two options for configuring directory and file-level permissions with Azure AD Kerberos authentication:

+- **Windows File Explorer:** If you choose this option, then the client must be domain-joined to the on-premises AD.

+- **icacls utility:** If you choose this option, then the client doesn't need to be domain-joined, but needs line-of-sight to the on-premises AD.

+To configure directory and file-level permissions through Windows File Explorer, you also need to specify domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or from an on-premises AD-joined client. If you prefer to configure using icacls, this step is not required.

+ Title: Choose a developer tool for building Stream Analytic jobs

+# Choose developer tool for building Stream Analytic jobs

+Beside building your Stream Analytic jobs in the Azure portal, you can use the [Azure Stream Analytics Tools extension for Visual Studio Code](quick-create-visual-studio-code.md) to write, debug and run your streaming query locally for better development experience.

+This table shows what features are supported between Azure portal and Visual Studio Code.

+> Visual Studio Code tools don't support jobs in the China East, China North, Germany Central, and Germany NorthEast regions.

+|Feature |Portal |Visual Studio Code |

+||||

+|Cross platform |Mac</br>Linux</br>Windows |Mac</br>Linux</br>Windows |

+|Script authoring |Yes |Yes |

+|Script Intellisense |Syntax highlighting |Syntax highlighting</br>Code completion</br>Error marker |

+|Define all types of inputs, outputs, and job configurations |Yes |Yes |

+|Source control |No |Yes |

+|CI/CD support |Partial |Yes |

+|Share inputs and outputs across multiple queries |No |Yes |

+|Query testing with a sample file |Yes |Yes |

+|Live data local testing |No |Yes |

+|List jobs and view job entities |Yes |Yes |

+|Export a job to a local project |No |Yes |

+|Submit, start, and stop jobs |Yes |Yes |

+|View job metrics and diagram |Yes |Yes |

+|View job runtime errors |Yes |Yes |

+|Resource logs |Yes |Yes |

+|Custom message properties |Yes |Yes |

+|C# custom code function and Deserializer|Read-only mode|Yes|

+|JavaScript UDF and UDA |Yes |Windows only |

+|Azure Machine Learning |Yes |Yes |

+|Compatibility level |1.0</br>1.1</br>1.2 (default) |1.0</br>1.1</br>1.2 (default) |

+|Built-in ML-based Anomaly Detection functions |Yes |Yes |

+|Built-in GeoSpatial functions |Yes |Yes |

+<!--

+ -->

+<!--

+|CI/CD support |No |No |No | -->

+ Title: Quickstart - Create a Stream Analytics job using Visual Studio Code

+description: This quickstart shows you how to create a Stream Analytics job using the ASA extension for Visual Studio Code.

+# Quickstart: Create a Stream Analytics job using Visual Studio Code

+This quickstart shows you how to create, run and submit an Azure Stream Analytics (ASA) job using the ASA Tools extension for Visual Studio Code in your local machine. You learn to build an ASA job that reads real-time streaming data from IoT Hub and filters events with a temperature greater than 27┬░. The output results are sent to a file in blob storage. The input data used in this quickstart is generated by a Raspberry Pi online simulator.

+> Visual Studio Code tools don't support jobs in the China East, China North, Germany Central, and Germany NorthEast regions.

+* Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/).

+* [Visual Studio Code](https://code.visualstudio.com/).

+1. Open Visual Studio Code (VS Code).

+2. From **Extensions** on the left pane, search for **stream analytics** and select **Install** on the **Azure Stream Analytics Tools** extension.

+3. After it's installed, select the **Azure** icon on the activity bar and sign in to Azure.

+4. Once you're signed in, you can see the subscriptions under your Azure account.

+> [!NOTE]

+> The ASA Tools extension will automatically sign you in every time you open VS Code. If your account has two-factor authentication, we recommend that you use phone authentication rather than using a PIN. To sign out your Azure account, press `Ctrl + Shift + P` and enter `Azure: Sign Out`.

+Before defining the Stream Analytics job, you should prepare the input data. The real-time sensor data is ingested to IoT Hub, which later configured as the job input. To prepare the input data required by the job, follow these steps:

+2. Select **Create a resource > Internet of Things > IoT Hub**.

+3. On the **IoT Hub** page, enter the following information:

+ * **Subscription**, select your Azure subscription.

+ * **Resource group**, select an existing resource group or create a new resource group.

+ * **IoT hub name**, enter a name for your IoT hub.

+ * **Region**, select the region that's closest to you.

+4. Go to **Management** page, for **Pricing and scale tier**, select **F1: Free tier**, if it's still available on your subscription. For more information, see [Azure IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub/).

+

+ :::image type="content" source="./media/quick-create-visual-studio-code/iot-management-page.png" alt-text="Screenshot showing the IoT Hub management page.":::

+

+5. Select **Review + create**. Review your IoT hub information and select **Create**. This process may take a few minutes to deploy your IoT hub.

+6. After your IoT hub is created, select **Go to resource** to navigate to the **IoT Hub** page. '

+7. On the **IoT Hub** page, select **Devices** on the left menu, and then select **\+ Add Device**.

+9. Enter a **Device ID** and select **Save**.

+10. Once the device is created, you should see the device from the **IoT devices** list. Select **Refresh** button on the page if you don't see it.

+11. Select your device from the list. Copy **Primary Connection String** and save it to a notepad to use later.

+1. Open the [Raspberry Pi Azure IoT Online Simulator](https://azure-samples.github.io/raspberry-pi-web-simulator/) in a new browser tab.

+2. In the **Create storage account** pane, enter a storage account name, location, and resource group. Choose the same location and resource group as the IoT hub that you created. Then select **Review** and **Create** to create the storage account.

+ :::image type="content" source="./media/quick-create-visual-studio-code/create-storage-account.png" alt-text="Screenshot showing the Create storage account page.":::

+

+1. In Visual Studio Code, press **Ctrl+Shift+P** and enter **ASA: Create New Project**.

+3. An ASA project is added to your workspace. It consists of three folders: **Inputs**, **Outputs**, and **Functions**. It also has the query script **(*.asaql)**, a **JobConfig.json** file, and an **asaproj.json** configuration file.

+ The **asaproj.json** file contains the inputs, outputs, and job configuration settings for submitting the Stream Analytics job to Azure.

+1. Open **myASAproj.asaql** file and add the following query:

+## Configure job input

+ Or press **Ctrl+Shift+P** to open the command palette and enter **ASA: Add Input**.

+3. Select an ASA script **\*.asaql** and **Azure Subscriptions** from the drop-down menu, and then press **ENTER**.

+4. Under **Inputs** folder, you see an **IoTHub1.json** file is created. Replace settings with following suggested values and keep default values for fields not mentioned here.

+ |Setting|Suggested Value|Description|

+ |-||--|

+ |Name|**Input**|This input name is used for **FROM** statement in the query.|

+ |IotHubNamespace|**spiothub** |Name of your IoT hub. The IoT hub names are automatically detected if you **Select from your subscription**.|

+ |SharedAccessPolicyName|**iothubowner**||

+ :::image type="content" source="./media/quick-create-visual-studio-code/iothub-configuration.png" lightbox="./media/quick-create-visual-studio-code/iothub-configuration.png" alt-text="Screenshot showing the IoT Hub configuration in VS Code.":::

+ <!-- You can use the CodeLens feature to help you enter a string, select from a drop-down list, or change the text directly in the file. The following screenshot shows **Select from your Subscriptions** as an example. The credentials are auto-listed and saved in local credential manager.

+ :::image type="content" source="./media/quick-create-visual-studio-code/select-iot-hub.png" lightbox="./media/quick-create-visual-studio-code/select-iot-hub.png" alt-text="Screenshot showing the selection of your IoT hub in VS Code."::: -->

+5. Select **Preview data** to see if the input data is successfully configured for your job. It will fetch a sample of your IoT Hub and show in the preview window.

+ :::image type="content" source="./media/quick-create-visual-studio-code/preview-live-input.png" lightbox="./media/quick-create-visual-studio-code/preview-live-input.png" alt-text="Screenshot showing the preview of input data in your IoT hub.":::

+## Configure job output

+1. Press **Ctrl+Shift+P** to open the command palette and enter **ASA: Add Output**.

+3. Select the query script using this output.

+4. Enter **BlobStorage1** as output file name.

+5. Edit the settings using the following values. Keep default values for fields not mentioned here.

+ |Name| **Output** | This output name is used for **INTO** statement in the query.|

+ |Storage Account| **spstorageaccount0901** |Choose or enter the name of your storage account. Storage account names are automatically detected if they're created in the same subscription.|

+ |Container|**spcontainer**|Select the existing container that you created in your storage account.|

+

+ <!-- |Path Pattern|output|Enter the name of a file path to be created within the container.| -->

+## Compile the script and submit to Azure

+Script compilation checks syntax and generates the Azure Resource Manager templates for automatic deployment.

+1. Right-click the script and select **ASA: Compile Script**.

+2. After compilation, you see a **Deploy** folder under your project with two Azure Resource Manager templates. These two files are used for automatic deployment.

+ :::image type="content" source="./media/quick-create-visual-studio-code/deployment-templates.png" lightbox="./media/quick-create-visual-studio-code/deployment-templates.png" alt-text="Screenshot showing the generated deployment templates in the project folder.":::

+3. Select **Submit to Azure** in the query editor.

+ :::image type="content" source="./media/quick-create-visual-studio-code/submit-job.png" lightbox="./media/quick-create-visual-studio-code/submit-job.png" alt-text="Screenshot showing the submit job button to submit the Stream Analytics job to Azure.":::

+ Then follow the instructions to complete the process: **Select subscription > Select a job > Create New Job > Enter job name > Choose resource group and region.**

+4. Select **Publish to Azure** and complete. Wait for it to open a new tab **Cloud Job View** showing your job's status.

+

+ :::image type="content" source="./media/quick-create-visual-studio-code/publish-to-azure.png" lightbox="./media/quick-create-visual-studio-code/publish-to-azure.png" alt-text="Screenshot showing the publish to Azure button in VS Code.":::

+1. On the **Cloud Job View** tab, select **Start** to run your job in the cloud. This process may take a few minutes to complete.

+2. If your job starts successfully, the job status is changed to **Running**. You can see a logical diagram showing how your ASA job is running.

+ :::image type="content" source="./media/quick-create-visual-studio-code/job-running-status.png" lightbox="./media/quick-create-visual-studio-code/job-running-status.png" alt-text="Screenshot showing the job running status in VS Code.":::

+3. To view the output results, you can open the blob storage in the Visual Studio Code extension or in the Azure portal.

+When no longer needed, delete the resource group, the Stream Analytics job, and all related resources. Deleting the job avoids billing the streaming units consumed by the job. If you're planning to use the job in future, you can stop it and restart it later when you need. If you aren't going to continue to use this job, delete all resources created by this quickstart by using the following steps:

+To learn more about ASA Tools extension for Visual Studio Code, continue to the following articles:

+ Title: Build a clickstream analyzer using one-click deployment

+description: This quickstart shows you how to get started ASA using a GitHub repository and PowerShell scripts with data generator.

+# Build a clickstream analyzer using one-click deployment

+This quickstart shows how to build a streaming application to analyze a website clickstream using a PowerShell script. It's an easy way to deploy Azure resources with auto-generated data streams and help you explore different stream analytic scenarios.

+You can choose the following scenarios for deployment:

+- Filter clickstream requests

+- Join clickstream with a file

+## Prerequisites

+* Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/).

+* Install [Git](https://git-scm.com/downloads).

+* Azure PowerShell module. See [here](https://learn.microsoft.com/powershell/azure/install-Az-ps) to install or upgrade.

+## Filter clickstream requests

+In this example, you learn to extract `GET` and `POST` requests from a website clickstream and store the output results to an Azure Blob Storage. Here's the architecture for this example:

+

+Sample of a website clickstream:

+```json

+{

+ "EventTime": "2022-09-09 08:58:59 UTC",

+ "UserID": 465,

+ "IP": "145.140.61.170",

+ "Request": {

+ "Method": "GET",

+ "URI": "/https://docsupdatetracker.net/index.html",

+ "Protocol": "HTTP/1.1"

+ },

+ "Response": {

+ "Code": 200,

+ "Bytes": 42682

+ },

+ "Browser": "Chrome"

+}

+```

+This guide is going to use [GitHub repository](https://github.com/Azure/azure-stream-analytics) for demo. Follow these steps to deploy resources:

+1. Open **PowerShell** from the Start menu, clone this GitHub repository to your working directory.

+ ```powershell

+ git clone https://github.com/Azure/azure-stream-analytics.git

+ ```

+2. Go to **BuildApplications** folder.

+ ```powershell

+ cd .\azure-stream-analytics\BuildApplications\

+ ```

+3. Sign in to Azure and enter your Azure credentials in the pop-up browser.

+ ```powershell

+ Connect-AzAccount

+ ```

+4. Replace `$subscriptionId` with your Azure subscription ID and run the following command to deploy Azure resources. This process may take a few minutes to complete.

+ ```powershell

+ .\CreateJob.ps1 -job ClickStream-Filter -eventsPerMinute 11 -subscriptionid $subscriptionId

+ ```

+ * `eventsPerMinute` is the input rate for generated data. In this case, the input source generates 11 events per minute.

+ * You can find your subscription ID in **Azure portal > Subscriptions**.

+5. Once the deployment is completed, it opens your browser automatically, and you can see a resource group named **ClickStream-Filter-rg-\*** in the Azure portal. The resource group contains the following five resources:

+ | Resource Type | Name | Description |

+ | | | -- |

+ | Azure Function | clickstream* | Generate clickstream data |

+ | Event Hubs | clickstream* | Ingest clickstream data for consuming |

+ | Stream Analytics Job | ClickStream-Filter | Define a query to extract `GET` requests from the clickstream input |

+ | Blob Storage | clickstream* | Output destination for the ASA job |

+ | App Service Plan | clickstream* | A necessity for Azure Function |

+6. **Congratulation!** You've deployed a streaming application to extract requests from a website clickstream.

+7. The ASA job **ClickStream-Filter** uses the following query to extract HTTP requests from the clickstream. Select **Test query** in the query editor to preview the output results.

+ ```sql

+ SELECT System.Timestamp Systime, UserId, Request.Method, Response.Code, Browser

+ INTO BlobOutput

+ FROM ClickStream TIMESTAMP BY Timestamp

+ WHERE Request.Method = 'GET' or Request.Method = 'POST'

+ ```

+ 

+8. There are sample codes in the query comments that you can use for other stream analytic scenarios with one stream input.

+ * Count clicks for every hour

+ ```sql

+ select System.Timestamp as Systime, count( * )

+ FROM clickstream

+ TIMESTAMP BY EventTime

+ GROUP BY TumblingWindow(hour, 1)

+ ```

+ * Select distinct user

+ ```sql

+ SELECT *

+ FROM clickstream

+ TIMESTAMP BY Time

+ WHERE ISFIRST(hour, 1) OVER(PARTITION BY userId) = 1

+ ```

+8. All output results are stored as `JSON` file in the Blog Storage. You can find it via: **Blob Storage > Containers > job-output**.

+

+## Clickstream-RefJoin

+If you want to find out the username for the clickstream using a user file in storage, you can join the clickstream with a reference input as following architecture:

+

+Assume you've completed the steps for previous example, run following commands to create a new resource group:

+1. Replace `$subscriptionId` with your Azure subscription ID and run the following command to deploy Azure resources. This process may take a few minutes to complete.

+ ```powershell

+ .\CreateJob.ps1 -job ClickStream-RefJoin -eventsPerMinute 11 -subscriptionid $subscriptionId

+ ```

+2. Once the deployment is completed, it opens your browser automatically, and you can see a resource group named **ClickStream-RefJoin-rg-\*** in the Azure portal. The resource group contains five resources.

+3. The ASA job **ClickStream-RefJoin** uses the following query to join the clickstream with reference sql input.

+ ```sql

+ CREATE TABLE UserInfo(

+ UserId bigint,

+ UserName nvarchar(max),

+ Gender nvarchar(max)

+ );

+ SELECT System.Timestamp Systime, ClickStream.UserId, ClickStream.Response.Code, UserInfo.UserName, UserInfo.Gender

+ INTO BlobOutput

+ FROM ClickStream TIMESTAMP BY EventTime

+ LEFT JOIN UserInfo ON ClickStream.UserId = UserInfo.UserId

+ ```

+4. **Congratulation!** You've deployed a streaming application to join your user file with a website clickstream.

+## Clean up resources

+If you've tried out this project and no longer need the resource group, run this command on PowerShell to delete the resource group.

+```powershell

+Remove-AzResourceGroup -Name $resourceGroup

+```

+If you're planning to use this project in the future, you can skip deleting it, and stop the job for now.

+## Next steps

+To learn about Azure Stream Analytics, continue to the following articles:

+* [Quickstart: Create an Azure Stream Analytics job in VS Code](quick-create-visual-studio-code.md)

+* [Test ASA queries locally against live stream input](visual-studio-code-local-run-live-input.md)

+* [Use Visual Studio Code to view Azure Stream Analytics jobs](visual-studio-code-explore-jobs.md)

+* [Set up CI/CD pipelines by using the npm package](./cicd-overview.md)

+searchScope:

+ - Continuous deployment

+ - CICD

+ - Synapse

+searchScope:

+ - Git integration

+ - CICD

+ - Synapse

+ Title: Monitor Azure Synapse Link for Azure SQL Database through Synapse Studio and Azure Monitor

+description: Learn how to monitor your Azure Synapse Link for Azure SQL Database link connections.

+# Monitor Azure Synapse Link for Azure SQL Database through Synapse Studio and Azure Monitor

+This article provides a guide on how to get started with monitoring your Azure Synapse Link for Azure SQL Database connections. Before you go through this article, you should know how to create and start an Azure Synapse Link for Azure SQL Database link connection from [Get started with Azure Synapse Link for Azure SQL Database](connect-synapse-link-sql-database.md). Once you've created and started your Synapse Link connection, you can monitor your link connection through Synapse Studio or Azure Monitor.

+> [!IMPORTANT]

+> Azure Synapse Link for SQL is currently in preview.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Monitor the status of an Azure Synapse Link for Azure SQL Database connection in Synapse Studio

+You can monitor the status of your Azure Synapse Link connection, see which tables are being initially copied over (*snapshotting*), and see which tables are in continuous replication mode (*replicating*) directly in Synapse Studio. In this section, we'll deep dive link-level monitoring and table-level monitoring:

+### Link-level monitoring

+1. Once your link connection is running in your Azure Synapse workspace, navigate to the **Monitor** hub, and then select **Link connections**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-link-connections-1.png" alt-text="Screenshot that shows how to monitor the status of the Azure Synapse Link connection from the monitor hub.":::

+1. Automatically all your link connections will show up on this page, along with link-level monitoring metrics that summarize a few details of your link connection.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-show-all-link-connections.png" alt-text="Screenshot that shows how to all of the Azure Synapse Link connections under the Link Connections tab." lightbox="../media/connect-synapse-link-sql-database/studio-monitor-show-all-link-connections.png":::

+1. The link-level connection grid contains the following columns:

+ | **Column Name** | **Description** |

+ | | |

+ | Link connection name | Name of the Link Connection |

+ | Source name | The name of the data source where the data is coming from (Azure SQL Database or SQL Server 2022) |

+ | Target name | The name of the destination location where the data is being replicated into (a dedicated SQL Pool) |

+ | Status | **Initial**, **Starting**, **Running**, **Stopping**, **Stopped**, **Pausing**, **Paused**, or **Resuming**. Details of what each status means can be found here: [Azure Synapse Link for Azure SQL Database](sql-database-synapse-link.md)|

+ | Start time | Start date and time for the link connection run (Month, Date, Year, HH:MM:SS AM/PM) |

+ | End time | End date and time for the link connection run (Month, Date, Year, HH:MM:SS AM/PM) |

+ | Landing zone SAS token expire time | Expiration date/time for the SAS token that is used to access the landing zone storage. More details can be found here: [Configure an expiration policy for shared accessed signatures (SAS)](/azure/storage/common/sas-expiration-policy.md?context=/azure/synapse-analytics/context/context) |

+ | Continuous run ID | ID of the link connection run *Helpful when troubleshooting any issues and contacting Microsoft support. |

+1. You need to manually select the **Refresh** button to refresh the list of link connections and their corresponding monitoring details. Autorefresh is currently not supported.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-refresh-link-connections.png" alt-text="Screenshot that shows where to press the Refresh button to refresh the statuses and details of the Azure Synapse Link connections.":::

+### Table-level monitoring

+1. Follow the same steps 1 and 2 above from the link-level monitoring.

+1. Click on the Link connection name of the **link connection** that you want to monitor.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-click-on-link-connection.png" alt-text="Screenshot of clicking on an Azure Synapse Link connection.":::

+1. After clicking on your link connection, you'll see the tables and their corresponding table-level metrics that summarize a few details about the tables that you're replicating over in your link connection.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-show-all-tables.png" alt-text="Screenshot that shows the details of each of the tables under a particular Azure Synapse Link connection." lightbox="../media/connect-synapse-link-sql-database/studio-monitor-show-all-tables.png":::

+1. The table-level connection grid contains the following columns:

+

+ | **Column Name** | **Description** |

+ |||

+ | Source schema/table name | Name of the source table that is being replicated from |

+ | Target schema/table name | Name of the destination table that the source table is being replicated to |

+ | Status | **Waiting**, **Snapshotting**, **Replicating**, **Failed**, **Suspended**. Details of what each status means can be found here: [Azure Synapse Link for Azure SQL Database](sql-database-synapse-link.md) |

+ | Link table ID | ID of the table in the link connection. *Helpful when troubleshooting any issues and contacting Microsoft support. |

+ | Processed rows | Row counts processed by Synapse Link for SQL |

+ | Processed data volume | Data volume in bytes processed by Synapse Link for SQL |

+ | Time of last processed data | Time when last processed change data arrived in the landing zone (Month, Date, Year, HH:MM:SS AM/PM) |

+1. You need to manually select the **Refresh** button to refresh the list of tables in the link connections and their corresponding monitoring details. Autorefresh is currently not supported.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-refresh-tables.png" alt-text="Screenshot that shows where to press the Refresh button to refresh the statuses and details of the tables under a particular Azure Synapse Link connection.":::

+

+## Advanced monitoring with Azure Monitor

+No matter what cloud applications you're using, it's hard to manage and keep track of all the moving pieces. Azure Monitor provides base-level infrastructure metrics, alerts, and logs for most Azure services. Azure diagnostic logs are emitted by a resource and provide rich, frequent data about the operation of that resource. Azure Synapse Analytics can write diagnostic logs in Azure Monitor, to help you understand deep insights about your applications, improve application performance, and more.

+For more information, refer to [How to monitor Synapse Analytics using Azure Monitor](../monitoring/how-to-monitor-using-azure-monitor.md)

+In this section, we'll deep dive into setting up metrics, alerts, and logs in Azure Monitor to ensure that you understand more of the advanced capabilities of monitoring your link connection.

+### Metrics

+The most important type of Monitor data is the metric, which is also called the performance counter. Metrics are emitted by most Azure resources. Azure Monitor provides several ways to configure and consume these metrics for monitoring and troubleshooting.

+Azure Synapse Link emits the following metrics to Azure Monitor:

+

+| **Metric** | **Aggregation types** | **Description** |

+||||

+| Link connection events | Sum | Number of Synapse Link connection events, including start, stop, and failure |

+| Link latency in seconds | Max, Min, Avg | Synapse Link data processing latency in seconds |

+| Link processed data volume (bytes) | Sum | Data volume in bytes processed by Synapse Link |

+| Link processed rows | Sum | Row counts processed by Synapse Link |

+| Link table events | Sum | Number of Synapse Link table events, including snapshot, removal, and failure |

+Now letΓÇÖs step through how we can see these metrics in the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for your **Synapse workspace** that your link connection resides in.

+1. Once you've landed on the overview page for your Synapse Workspace, click on the **Metrics** tab underneath ΓÇ£MonitoringΓÇ¥.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-click-on-metrics.png" alt-text="Screenshot that shows where to go to get to the Metrics tab to create a new metric in the Azure portal.":::

+1. You'll then see a new chart that is automatically generated for you.

+1. Under the **Metric dropdown**, you'll see many different categories of metrics. You want to scroll down to the **INTEGRATION** category, and choose any one of the 5 Link metrics:

+ * Link connection events

+ * Link latency in seconds

+ * Link processed data volume (bytes)

+ * Link processed rows

+ * Link table events

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-select-a-metric.png" alt-text="Screenshot that shows how to select a link metric.":::

+1. After selecting a metric of your choosing, you can see a graph representation of the data below.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-display-of-metric.png" alt-text="Screenshot that shows the graph representation of the link metric that was chosen in the previous step." lightbox="../media/connect-synapse-link-sql-database/monitor-display-of-metric.png":::

+1. A few things that you can adjust on this screen (refer to the letter on the screenshot above to the bullet point letter below):

+ 1. You can add another chart.

+ 2. You can add another metric to the same chart. Then you can click between the metrics and their corresponding graphs.

+ 3. You can customize the aggregation. Some of the metrics only have one aggregation, but others have many. Refer to the chart above for the aggregations available for each metric.

+ 4. You can pick how far back you want the metrics to go. By default, the metrics show the past 24 hours, but you've the ability to customize the time period by clicking on the time.

+

+ 5. You can pin your metrics chart to your dashboard. This functionality makes it easy to look at your specific chart whenever you log in into your Azure portal.

+### Alerts

+Azure Monitor has set up built-in functionality to set up alerts to monitor all your Azure resources efficiently. Alerts allow you to monitor your telemetry and capture signals that indicate that something is happening on the specified resource. Once the signals are captured, an alert rule a defined to see if the signal meets the criteria of the condition. If the conditions are met, an alert is triggered, and notifications are sent through the appropriate channels.

+In this section, we're going to walk through how you can set up alerts for your Azure Synapse Link connection through Azure Synapse Analytics. LetΓÇÖs say, for example, that you're running your link connection and realize that you want to monitor the latency of your link connection. The workload requirements for this scenario require that any link connection with a maximum latency over 900 seconds (or 15 minutes) needs to be alerted to your Engineering team. LetΓÇÖs walk through how we would set up an alert for this example:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for your **Synapse workspace** that your link connection resides in.

+

+1. Once you've landed on the overview page for your Synapse Workspace, click on the **Alerts** tab underneath ΓÇ£MonitoringΓÇ¥.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-click-on-alerts.png" alt-text="Screenshot that shows where to go to get to the Alerts tab to create a new alert in the Azure portal.":::

+1. Click on the dropdown **Create**.

+1. Click on **Alert rule** to add a new alert rule.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-create-an-alert.png" alt-text="Screenshot that shows how to create a new alert.":::

+1. The first step is to define the **scope**. The scope is the target resource that you want to monitor, and in this case, your scope should be Azure Synapse Analytics. The scope should automatically be filled out as current Azure Synapse Analytics workspace that you're creating the alert for.

+1. Second, we need to define the **condition**. The condition defines the logic of when the alert rule should trigger.

+ a. Click **+Add condition**

+

+ b. You can see the 5 link connection **signal names**. For this example, letΓÇÖs choose the **Link latency in seconds** signal.

+

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-select-an-alert.png" alt-text="Screenshot that shows how to select one of the Link signals.":::

+1. Third, we need to configure the alert logic, or when the alert rule should be triggered.

+ 1. Select **Static** for the **Threshold** field

+

+ 1. Enter the following values for **Aggregation type**, **Operator**, and **Unit** fields:

+ * **Aggregation type**: **Maximum**

+ * **Operator**: **Greater than**

+ * **Unit**: **Count**

+ 1. Input a **Threshold value** of **900** (***Note: this value is in seconds***)

+1. You can also configure the **Split by dimensions** value that monitors specific time series and provides context to the fired alert. These additions do have their own separate charge. For this example, we'll leave it blank.

+1. Choose **30 minutes** for **Check every** and **1 hour** for **Lookback period** fields. These fields define how often you want the checks to happen.

+1. The graph in the Preview shows the events based on the alert logic that we defined, along with the estimated cost per month.

+

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-create-an-alert-rule.png" alt-text="Screenshot that shows all of the details, configurations, and preview of the price when creating an alert rule." lightbox="../media/connect-synapse-link-sql-database/monitor-create-an-alert-rule.png":::

+1. Fourth, we now need to set up **Actions**. we'll configure an action group, which is a set of actions that can be applied to an alert rule.

+ a. The **Select action group** option is chosen if you already have an action group that you want to choose. Let's click on **create action group**.

+1. On the **Basic** tab, pick a **Subscription**, **resource group**, and **region**. Then provide appropriate values for the **Action group name** and **Display name**. Then press **Next**.

+1. On the **Notifications** tab, under the Notification type, select **Email/SMS message/Push/Voice**. And give it an appropriate name.

+ a. Check the boxes for **Email** and **SMS**, and then provide the corresponding values. Then press **OK**.

+

+ b. Then press **Next**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-create-action-group.png" alt-text="Screenshot that shows how to create an action group and specify notifications when an alert rule's conditions are met.":::

+1. On the **Actions** tab, letΓÇÖs select an option for **Action type**.

+

+1. In this example, let's use the **Event Hubs** action type, so we'll need to input the **subscription name**, **Event Hub namespace**, and select an **Event Hub name**. Then click on **OK**.

+ a. If you donΓÇÖt have an Event Hub created, refer to the document here to create one: [Configure an expiration policy for shared accessed signatures (SAS)](/azure/event-hubs/event-hub-create.md?context=/azure/synapse-analytics/context/context)

+

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-create-action-group-2.png" alt-text="Screenshot that shows how to create an action group and specify an action type when an alert rule's conditions are met.":::

+1. Click on **Review + Create** to review the settings, and then hit **Create**.

+1. Immediately we're taken back to the **Alerts homepage**. If we click on the **Alert Rules** on the top, we can see our newly created alert.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-display-alert-rules.png" alt-text="Screenshot that shows all of the alert rules that were created, including the one we just created.":::

+This was just one example of how to create an alert rule following an example. You've the ability to create multiple alerts for your Azure Synapse Link connections through Azure Synapse Analytics.

+### Logs

+Azure Monitor Logs is a feature of Azure Monitor that collects and organizes log and performance data from monitored resources. Several features of Azure Monitor store their data in Logs and present this data in various ways to assist you in monitoring the performance and availability of your cloud and hybrid applications and their supporting components. You can analyze Logs data by using a sophisticated query language thatΓÇÖs capable of quickly analyzing millions of records.

+Now letΓÇÖs step through how we can see logs for our Azure Synapse Link connections in the Azure portal:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for your **Synapse workspace** that your link connection resides in.

+1. Once you've landed on the overview page for your Synapse Workspace, click on the **Logs** tab underneath ΓÇ£MonitoringΓÇ¥.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-click-on-logs.png" alt-text="Screenshot that shows where to go to get to the Logs tab to create a new log in the Azure portal.":::

+1. You're immediately greeted with a workspace that is roughly the equivalent of a database in Azure Data Explorer. Tables are structured the same, and both use [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/)

+ a. There is a table called ΓÇ£**SynapseLinkEvent**ΓÇ¥ that stores many different values for each of the link connections. The table and the details are shown on the left-hand side.

+

+ b. You can perform a query in the query pane that retrieves a specific set of records. In this case, we'll type in ΓÇ£**SynapseLinkEvent**ΓÇ¥ in the query pane and then press the blue **Run** button. We can see the link connections that ran in the Results section where you can see details about each of the link connections.

+

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-display-results-of-log-query.png" alt-text="Screenshot that shows the tables, query, and results of the log query that was run." lightbox="../media/connect-synapse-link-sql-database/monitor-display-results-of-log-query.png":::

+## Next steps

+If you're using a database other than an Azure SQL database, see:

+* [Configure Azure Synapse Link for Azure Cosmos DB](../../cosmos-db/configure-synapse-link.md?context=/azure/synapse-analytics/context/context)

+* [Configure Azure Synapse Link for Dataverse](/powerapps/maker/data-platform/azure-synapse-link-synapse?context=/azure/synapse-analytics/context/context)

+* [Get started with Azure Synapse Link for SQL Server 2022](connect-synapse-link-sql-server-2022.md)

+ Title: Monitor Azure Synapse Link for SQL Server 2022 through Synapse Studio and Azure Monitor

+description: Learn how to monitor your Azure Synapse Link for SQL Server 2022 link connections.

+# Monitor Azure Synapse Link for SQL Server 2022 through Synapse Studio and Azure Monitor

+This article provides a guide on how to get started with monitoring your Azure Synapse Link for SQL Server 2022 connections. Before you go through this article, you should know how to create and start an Azure Synapse Link for SQL Server 2022 link connection from [Get started with Azure Synapse Link for SQL Server 2022](connect-synapse-link-sql-server-2022.md). Once you've'created and started your Synapse Link connection, you can monitor your link connection through Synapse Studio or Azure Monitor.

+> [!IMPORTANT]

+> Azure Synapse Link for SQL is currently in preview.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Monitor the status of an Azure Synapse Link for SQL Server 2022 connection in Synapse Studio

+You can monitor the status of your Azure Synapse Link connection, see which tables are being initially copied over (*snapshotting*), and see which tables are in continuous replication mode (*replicating*) directly in Synapse Studio. In this section, we'll deep dive link-level monitoring and table-level monitoring:

+### Link-level monitoring

+1. Once your link connection is running in your Azure Synapse workspace, navigate to the **Monitor** hub, and then select **Link connections**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-link-connections-1.png" alt-text="Screenshot that shows how to monitor the status of the Azure Synapse Link connection from the monitor hub.":::

+1. Automatically all your link connections will show up on this page, along with link-level monitoring metrics that summarize a few details of your link connection.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-show-all-link-connections.png" alt-text="Screenshot that shows how to all of the Azure Synapse Link connections under the Link Connections tab." lightbox="../media/connect-synapse-link-sql-database/studio-monitor-show-all-link-connections.png":::

+1. The link-level connection grid contains the following columns:

+ | **Column Name** | **Description** |

+ |||

+ | Link connection name | Name of the Link Connection |

+ | Source name | The name of the data source where the data is coming from (Azure SQL Database or SQL Server 2022) |

+ | Target name | The name of the destination location where the data is being replicated into (a dedicated SQL Pool) |

+ | Status | **Initial**, **Starting**, **Running**, **Stopping**, **Stopped**, **Pausing**, **Paused**, or **Resuming**. Details of what each status means can be found here: [Azure Synapse Link for SQL Server 2022](sql-server-2022-synapse-link.md) |

+ | Start time | Start date and time for the link connection run (Month, Date, Year, HH:MM:SS AM/PM) |

+ | End time | End date and time for the link connection run (Month, Date, Year, HH:MM:SS AM/PM) |

+ | Landing zone SAS token expire time | Expiration date/time for the SAS token that is used to access the landing zone storage. More details can be found here: [Configure an expiration policy for shared accessed signatures (SAS)](/azure/storage/common/sas-expiration-policy.md?context=/azure/synapse-analytics/context/context) |

+ | Continuous run ID | ID of the link connection run *Helpful when troubleshooting any issues and contacting Microsoft support. |

+1. You need to manually select the **Refresh** button to refresh the list of link connections and their corresponding monitoring details. Autorefresh is currently not supported.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-refresh-link-connections.png" alt-text="Screenshot that shows where to press the Refresh button to refresh the statuses and details of the Azure Synapse Link connections.":::

+### Table-level monitoring

+1. Follow the same steps 1 and 2 above from the link-level monitoring.

+1. Click on the Link connection name of the **link connection** that you want to monitor.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-click-on-link-connection.png" alt-text="Screenshot of clicking on an Azure Synapse Link connection.":::

+1. After clicking on your link connection, you'll see the tables and their corresponding table-level metrics that summarize a few details about the tables that you're replicating over in your link connection.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-show-all-tables.png" alt-text="Screenshot that shows the details of each of the tables under a particular Azure Synapse Link connection." lightbox="../media/connect-synapse-link-sql-database/studio-monitor-show-all-tables.png":::

+1. The table-level connection grid contains the following columns:

+

+ | **Column Name** | **Description** |

+ |||

+ | Source schema/table name | Name of the source table that is being replicated from |

+ | Target schema/table name | Name of the destination table that the source table is being replicated to |

+ | Status | **Waiting**, **Snapshotting**, **Replicating**, **Failed**, **Suspended**. Details of what each status means can be found here: [Azure Synapse Link for SQL Server 2022](sql-server-2022-synapse-link.md) |

+ | Link table ID | ID of the table in the link connection. *Helpful when troubleshooting any issues and contacting Microsoft support. |

+ | Processed rows | Row counts processed by Synapse Link for SQL |

+ | Processed data volume | Data volume in bytes processed by Synapse Link for SQL |

+ | Time of last processed data | Time when last processed change data arrived in the landing zone (Month, Date, Year, HH:MM:SS AM/PM) |

+1. You need to manually select the **Refresh** button to refresh the list of tables in the link connections and their corresponding monitoring details. Autorefresh is currently not supported.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/studio-monitor-refresh-tables.png" alt-text="Screenshot that shows where to press the Refresh button to refresh the statuses and details of the tables under a particular Azure Synapse Link connection.":::

+

+## Advanced monitoring with Azure Monitor

+No matter what cloud applications you're using, it's hard to manage and keep track of all the moving pieces. Azure Monitor provides base-level infrastructure metrics, alerts, and logs for most Azure services. Azure diagnostic logs are emitted by a resource and provide rich, frequent data about the operation of that resource. Azure Synapse Analytics can write diagnostic logs in Azure Monitor, to help you understand deep insights about your applications, improve application performance, and more.

+For more information, refer to [How to monitor Synapse Analytics using Azure Monitor](../monitoring/how-to-monitor-using-azure-monitor.md)

+In this section, we'll deep dive into setting up metrics, alerts, and logs in Azure Monitor to ensure that you understand more of the advanced capabilities of monitoring your link connection.

+### Metrics

+The most important type of Monitor data is the metric, which is also called the performance counter. Metrics are emitted by most Azure resources. Azure Monitor provides several ways to configure and consume these metrics for monitoring and troubleshooting.

+Azure Synapse Link emits the following metrics to Azure Monitor:

+| **Metric** | **Aggregation types** | **Description** |

+||||

+| Link connection events | Sum | Number of Synapse Link connection events, including start, stop, and failure |

+| Link latency in seconds | Max, Min, Avg | Synapse Link data processing latency in seconds |

+| Link processed data volume (bytes) | Sum | Data volume in bytes processed by Synapse Link |

+| Link processed rows | Sum | Row counts processed by Synapse Link |

+| Link table events | Sum | Number of Synapse Link table events, including snapshot, removal, and failure |

+Now letΓÇÖs step through how we can see these metrics in the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for your **Synapse workspace** that your link connection resides in.

+1. Once you've landed on the overview page for your Synapse Workspace, click on the **Metrics** tab underneath ΓÇ£MonitoringΓÇ¥.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-click-on-metrics.png" alt-text="Screenshot that shows where to go to get to the Metrics tab to create a new metric in the Azure portal.":::

+1. You'll then see a new chart that is automatically generated for you.

+1. Under the **Metric dropdown**, you'll see many different categories of metrics. You want to scroll down to the **INTEGRATION** category, and choose any one of the 5 Link metrics:

+ * Link connection events

+ * Link latency in seconds

+ * Link processed data volume (bytes)

+ * Link processed rows

+ * Link table events

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-select-a-metric.png" alt-text="Screenshot that shows how to select a link metric.":::

+1. After selecting a metric of your choosing, you can see a graph representation of the data below.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-display-of-metric.png" alt-text="Screenshot that shows the graph representation of the link metric that was chosen in the previous step." lightbox="../media/connect-synapse-link-sql-database/monitor-display-of-metric.png":::

+1. A few things that you can adjust on this screen (refer to the letter on the screenshot above to the bullet point letter below):

+ 1. You can add another chart.

+ 2. You can add another metric to the same chart. Then you can click between the metrics and their corresponding graphs.

+ 3. You can customize the aggregation. Some of the metrics only have one aggregation, but others have many. Refer to the chart above for the aggregations available for each metric.

+ 4. You can pick how far back you want the metrics to go. By default, the metrics show the past 24 hours, but you've the ability to customize the time period by clicking on the time.

+

+ 5. You can pin your metrics chart to your dashboard. This functionality makes it easy to look at your specific chart whenever you log in into your Azure portal.

+### Alerts

+Azure Monitor has set up built-in functionality to set up alerts to monitor all your Azure resources efficiently. Alerts allow you to monitor your telemetry and capture signals that indicate that something is happening on the specified resource. Once the signals are captured, an alert rule a defined to see if the signal meets the criteria of the condition. If the conditions are met, an alert is triggered, and notifications are sent through the appropriate channels.

+In this section, we're going to walk through how you can set up alerts for your Azure Synapse Link connection through Azure Synapse Analytics. LetΓÇÖs say, for example, that you're running your link connection and realize that you want to monitor the latency of your link connection. The workload requirements for this scenario require that any link connection with a maximum latency over 900 seconds (or 15 minutes) needs to be alerted to your Engineering team. LetΓÇÖs walk through how we would set up an alert for this example:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for your **Synapse workspace** that your link connection resides in.

+

+1. Once you've landed on the overview page for your Synapse Workspace, click on the **Alerts** tab underneath ΓÇ£MonitoringΓÇ¥.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-click-on-alerts.png" alt-text="Screenshot that shows where to go to get to the Alerts tab to create a new alert in the Azure portal.":::

+1. Click on the dropdown **Create**.

+1. Click on **Alert rule** to add a new alert rule.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-create-an-alert.png" alt-text="Screenshot that shows how to create a new alert.":::

+1. The first step is to define the **scope**. The scope is the target resource that you want to monitor, and in this case, your scope should be Azure Synapse Analytics. The scope should automatically be filled out as current Azure Synapse Analytics workspace that you're creating the alert for.

+1. Second, we need to define the **condition**. The condition defines the logic of when the alert rule should trigger.

+ a. Click **+Add condition**

+

+ b. You can see the 5 link connection **signal names**. For this example, letΓÇÖs choose the **Link latency in seconds** signal.

+

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-select-an-alert.png" alt-text="Screenshot that shows how to select one of the Link signals.":::

+1. Third, we need to configure the alert logic, or when the alert rule should be triggered.

+ 1. Select **Static** for the **Threshold** field

+

+ 1. Enter the following values for **Aggregation type**, **Operator**, and **Unit** fields:

+ * **Aggregation type**: **Maximum**

+ * **Operator**: **Greater than**

+ * **Unit**: **Count**

+ 1. Input a **Threshold value** of **900** (***Note: this value is in seconds***)

+1. You can also configure the **Split by dimensions** value that monitors specific time series and provides context to the fired alert. These additions do have their own separate charge. For this example, we'll leave it blank.

+1. Choose **30 minutes** for **Check every** and **1 hour** for **Lookback period** fields. These fields define how often you want the checks to happen.

+1. The graph in the Preview shows the events based on the alert logic that we defined, along with the estimated cost per month.

+

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-create-an-alert-rule.png" alt-text="Screenshot that shows all of the details, configurations, and preview of the price when creating an alert rule." lightbox="../media/connect-synapse-link-sql-database/monitor-create-an-alert-rule.png":::

+1. Fourth, we now need to set up **Actions**. we'll configure an action group, which is a set of actions that can be applied to an alert rule.

+ a. The **Select action group** option is chosen if you already have an action group that you want to choose. Let's click on **create action group**.

+1. On the **Basic** tab, pick a **Subscription**, **resource group**, and **region**. Then provide appropriate values for the **Action group name** and **Display name**. Then press **Next**.

+1. On the **Notifications** tab, under the Notification type, select **Email/SMS message/Push/Voice**. And give it an appropriate name.

+ a. Check the boxes for **Email** and **SMS**, and then provide the corresponding values. Then press **OK**.

+

+ b. Then press **Next**.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-create-action-group.png" alt-text="Screenshot that shows how to create an action group and specify notifications when an alert rule's conditions are met.":::

+1. On the **Actions** tab, letΓÇÖs select an option for **Action type**.

+

+1. In this example, let's use the **Event Hubs** action type, so we'll need to input the **subscription name**, **Event Hub namespace**, and select an **Event Hub name**. Then click on **OK**.

+ a. If you donΓÇÖt have an Event Hub created, refer to the document here to create one: [Configure an expiration policy for shared accessed signatures (SAS)](/azure/event-hubs/event-hub-create.md?context=/azure/synapse-analytics/context/context)

+

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-create-action-group-2.png" alt-text="Screenshot that shows how to create an action group and specify an action type when an alert rule's conditions are met.":::

+1. Click on **Review + Create** to review the settings, and then hit **Create**.

+1. Immediately we're taken back to the **Alerts homepage**. If we click on the **Alert Rules** on the top, we can see our newly created alert.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-display-alert-rules.png" alt-text="Screenshot that shows all of the alert rules that were created, including the one we just created.":::

+This was just one example of how to create an alert rule following an example. You've the ability to create multiple alerts for your Azure Synapse Link connections through Azure Synapse Analytics.

+### Logs

+Azure Monitor Logs is a feature of Azure Monitor that collects and organizes log and performance data from monitored resources. Several features of Azure Monitor store their data in Logs and present this data in various ways to assist you in monitoring the performance and availability of your cloud and hybrid applications and their supporting components. You can analyze Logs data by using a sophisticated query language thatΓÇÖs capable of quickly analyzing millions of records.

+Now letΓÇÖs step through how we can see logs for our Azure Synapse Link connections in the Azure portal:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for your **Synapse workspace** that your link connection resides in.

+1. Once you've landed on the overview page for your Synapse Workspace, click on the **Logs** tab underneath ΓÇ£MonitoringΓÇ¥.

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-click-on-logs.png" alt-text="Screenshot that shows where to go to get to the Logs tab to create a new log in the Azure portal.":::

+1. You're immediately greeted with a workspace that is roughly the equivalent of a database in Azure Data Explorer. Tables are structured the same, and both use [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/)

+ a. There's a table called ΓÇ£**SynapseLinkEvent**ΓÇ¥ that stores many different values for each of the link connections. The table and the details are shown on the left-hand side.

+

+ b. You can perform a query in the query pane that retrieves a specific set of records. In this case, we'll type in ΓÇ£**SynapseLinkEvent**ΓÇ¥ in the query pane and then press the blue **Run** button. We can see the link connections that ran in the Results section where you can see details about each of the link connections.

+

+ :::image type="content" source="../media/connect-synapse-link-sql-database/monitor-display-results-of-log-query.png" alt-text="Screenshot that shows the tables, query, and results of the log query that was run." lightbox="../media/connect-synapse-link-sql-database/monitor-display-results-of-log-query.png":::

+## Next steps

+If you're using a database other than a SQL Server 2022 instance, see:

+* [Configure Azure Synapse Link for Azure Cosmos DB](../../cosmos-db/configure-synapse-link.md?context=/azure/synapse-analytics/context/context)

+* [Configure Azure Synapse Link for Dataverse](/powerapps/maker/data-platform/azure-synapse-link-synapse?context=/azure/synapse-analytics/context/context)

+* [Get started with Azure Synapse Link for Azure SQL Database](connect-synapse-link-sql-database.md)

+* While enabling Azure Synapse Link for SQL on Azure SQL Database or SQL Server, please be aware that the aggressive log truncation feature of Accelerated Database Recovery (ADR) is automatically disabled. This is because Azure Synapse Link for SQL accesses the database transaction log. This behavior is similar to Changed Data Capture (CDC). Active transactions will continue to hold the transaction log truncation until the transaction commits and Azure Synapse Link for SQL catches up, or transaction aborts. This might result in the transaction log filling up more than usual and should be monitored so that the transaction log does not fill.

+ Title: Troubleshooting guide for Azure Synapse Link for Azure SQL Database and Azure Active Directory user impersonation

+description: Learn how to troubleshoot user impersonation issues with Azure Synapse Link for Azure SQL Database and Azure Active Directory

+# Troubleshoot: Azure Synapse Link for Azure SQL Database and Azure Active Directory user impersonation

+This article is a guide to troubleshoot Azure Synapse Link for Azure SQL Database and Azure Active Directory (Azure AD) user impersonation. This article applies only to databases in Azure SQL Database.

+## Symptom

+If you create database using a login connected to Microsoft Azure Active Directory and then try to perform Azure Synapse Link database operations signed in with any SQL Authenticated principal, you will receive error messages due to an impersonation failure. The following sample errors are all a symptom of the same problem.

+| Database Operation | Sample Error |

+|:--|:--|

+| sp_change_feed_enable_db, sp_change_feed_disable_db | `The error/state returned was 33171/1: 'Only active directory users can impersonate other active directory users.'. Use the action and error to determine the cause of the failure and resubmit the request.` |

+| Restore an Azure Synapse Link enabled database | `Non retriable error occurred while restoring backup with index 11 - 22729 Could not remove the metadata. The failure occurred when executing the command 'sp_MSchange_feed_ddl_database_triggers 'drop''. The error/state returned was 33171/1: 'Only active directory users can impersonate other active directory users.'. Use the action and error to determine the cause of the failure and resubmit the request. RESTORE DATABASE successfully processed 0 pages in 0.751 seconds (0.000 MB/sec). `|

+| Restore a blank database and then enable Azure Synapse Link | `The error returned was 33171: 'Only active directory users can impersonate other active directory users.'. Use the action and error to determine the cause of the failure and resubmit the request.` |

+## Resolution

+Sign in to the Azure SQL Database with an Azure AD database principal. It doesn't have to be the same Azure AD account that created the database.

+## See also

+ - [Change data capture limitations](/sql/relational-databases/track-changes/about-change-data-capture-sql-server#limitations)

+## Next steps

+ - [Get started with Azure Synapse Link for Azure SQL Database](../connect-synapse-link-sql-database.md)

+ Title: Troubleshooting guide for Azure Synapse Link for Azure SQL Database after failover of an Azure SQL Database.

+description: Learn how to troubleshoot and configure Azure Synapse Link for Azure SQL Database after failover of an Azure SQL Database.

+# Troubleshoot: Azure Synapse Link for Azure SQL Database after failover of an Azure SQL Database

+This article is a guide to troubleshoot and configure Azure Synapse Link for Azure SQL Database after failover of an Azure SQL Database. This article applies only to databases in Azure SQL Database.

+## Symptom

+For the safety of data, users may choose to set [auto-failover group](/sql/azure-sql/database/failover-group-add-single-database-tutorial) for Azure SQL Database. By setting failover group, users can group multiple geo-replicated databases that can protect a potential data loss. However, when Azure Synapse Link for Azure SQL Database has been started for the table in the Azure SQL Database and the database experiences failover, Synapse Link will be disabled in the backend even though its status is still displayed as running.

+## Resolution

+You must stop Synapse Link manually and configure Synapse Link according to the new primary server's information so that it can continue to work normally.

+1. Launch [Synapse Studio](https://web.azuresynapse.net).

+1. Open the **Integrate** hub.

+1. Select the Synapse Link whose database has failover occurred.

+1. Select the **Stop** button.

+ :::image type="content" source="media/troubleshoot-sql-database-failover/synapse-studio-stop-link-connection.png" alt-text="A screenshot of Synapse Studio. The Integrate hub is open and the Link Connection linkconnection1 is selected. The Stop button is highlighted." lightbox="media/troubleshoot-sql-database-failover/synapse-studio-stop-link-connection.png":::

+1. Open the **Manage** hub. Under **External connections**, select **Linked services**.

+1. In the list of **Linked services**, select the linked service whose database failed over.

+ :::image type="content" source="media/troubleshoot-sql-database-failover/synapse-studio-linked-services.png" alt-text="A screenshot of Synapse Studio. The Manage hub is open. In the list of Linked services, the AzureSqlDatabase1 linked service is highlighted." lightbox="media/troubleshoot-sql-database-failover/synapse-studio-linked-services.png":::

+1. You must reset the linked service connection string based on the new primary server after failover so that Synapse Link can connect to the new primary logical server's database. There are two options:

+ * Use [the auto-failover group read/write listener endpoint](/sql/azure-sql/managed-instance/auto-failover-group-configure-sql-mi#locate-listener-endpoint) and use the Synapse workspace's managed identity (SMI) to connect your Synapse workspace to the source database. Because of Read/Write listener endpoint that automatically maps to the new primary server after failover, so you only need to set it once. If failover occurs later, it will automatically use the fully-qualified domain name (FQDN) of the listener endpoint. Note that you still need to take action on every failover to update the Resource ID and Managed Identity ID for the new primary (see next step).

+ * After each failover, edit the linked service **Connection string** with the **Server name**, **Database name**, and authentication information for the new primary server. You can use a managed identity or SQL Authentication.

+ The authentication account used to connect to the database, whether it be a managed identity or SQL Authenticated login to the Azure SQL Database, must have at least the CONTROL permission inside the database to perform the actions necessary for the linked service. The db_owner permission is similar to CONTROL.

+ To use the auto-failover group read/write listener endpoint:

+ :::image type="content" source="media/troubleshoot-sql-database-failover/synapse-studio-edit-linked-service-system-assigned-managed-identity.png" alt-text="Screenshot of the Azure Synapse Studio Edit linked service dialog. The FQDN of the read/write listener endpoint is entered manually." lightbox="media/troubleshoot-sql-database-failover/synapse-studio-edit-linked-service-system-assigned-managed-identity.png":::

+1. You must refresh the Resource ID and Managed Identity ID after every failover. Open the **Integrate** hub. Select your Synapse Link.

+1. The next step depends on the connection string you chose previously.

+ - If you choose to use the Read/Write listener endpoint for updating linked service connection string, you must update the **SQL logical server resource ID** and **Managed identity ID** corresponding to the new primary server manually.

+ - If you provided the new primary server's connection information, select the **Refresh** button.

+

+ :::image type="content" source="media/troubleshoot-sql-database-failover/synapse-studio-integrate-link-connection-refresh.png" alt-text="A screenshot of the Integrate hub of Synapse Studio. The Refresh button updates the SQL logical server resource ID and the managed identity ID." lightbox="media/troubleshoot-sql-database-failover/synapse-studio-integrate-link-connection-refresh.png":::

+1. Azure Synapse Link for Azure SQL Database currently cannot restart the synchronization from before the failover. Before restarting the Link connection, you must empty the target table in Azure Synapse if data is present. Or, check the option to **Drop and recreate table on target**, as seen in the following screenshot.

+ :::image type="content" source="media/troubleshoot-sql-database-failover/synapse-studio-start-drop-recreate-table-target.png" alt-text="A screenshot of the Integrate hub of Synapse Studio. The Drop and recreate table on target option is highlighted. The Start button is highlighted." lightbox="media/troubleshoot-sql-database-failover/synapse-studio-start-drop-recreate-table-target.png":::

+1. Finally, restart the Azure Synapse Link. On the **Integrate** hub and with the desired Link connection open, select the **Start** button.

+

+## Next steps

+ - [Tutorial: Add an Azure SQL Database to an auto-failover group](/sql/azure-sql/database/failover-group-add-single-database-tutorial)

+ - [Get started with Azure Synapse Link for Azure SQL Database](../connect-synapse-link-sql-database.md)

+| **Azure Synapse Link for SQL** | Azure Synapse Link is in preview for both SQL Server 2022 and Azure SQL Database. The Azure Synapse Link feature provides low- and no-code, near real-time data replication from your SQL-based operational stores into Azure Synapse Analytics. Provide BI reporting on operational data in near real-time, with minimal impact on your operational store. To learn more, read [Announcing the Public Preview of Azure Synapse Link for SQL](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/announcing-the-public-preview-of-azure-synapse-link-for-sql/ba-p/3372986) and [watch our YouTube video](https://www.youtube.com/embed/pgusZy34-Ek). |

+| July 2022 | **Batch mode** | Decide between cost and latency in Azure Synapse Link for SQL by selecting *continuous* or *batch* mode to replicate your data. Batch mode allows you to save even more on costs by only paying for ingestion service during the batch loads instead of it being continuously on. You can select between 20 and 60 minutes for batch processing.|

+To create a nested profile, you add a 'child' profile as an endpoint to a 'parent' profile. Some examples are provided in this article.

+## MinChildEndpoints

+When you add a child profile as an endpoint in the parent profile, the **MinChildEndpoints** parameter is created and assigned a default value of **1**. This parameter determines the minimum number of endpoints that must be available in the child profile for it to be healthy. Below this threshold, the parent profile will consider the entire child profile as unavailable, and direct traffic to the other parent profile endpoints.

+The following parameters are available in the parent profile:

+- **MinChildEndpoints**: The minimum number of healthy child endpoints for the nested profile status to be healthy.

+- **MinChildEndpointsIPv4**: The minimum number of healthy IPv4 child endpoints for the nested profile status to be healthy.

+- **MinChildEndpointsIPv6**: The minimum number of healthy IPv6 child endpoints for the nested profile status to be healthy.

+> [!IMPORTANT]

+> There must be at least one IPv4 and one IPv6 endpoint for any nested MultiValue profile. Always configure values for MinChildEndpointsIPv4 and MinChildEndpointsIPv6 based on your multivalue routing mechanism and do not simply use the default values.<br>

+> The value of **MinChildEndpoints** must be high enough to allow for all endpoint types to be available. An error message is displayed for values that are too low.

+You might be happy with this arrangement. Or you might be concerned that all traffic for West Europe is now going to the test deployment instead of a limited subset traffic. Regardless of the health of the test deployment, you want to fail over to the other regions when the production deployment in West Europe fails.

+In the scenario below, the **MinChildEndpoints** value is set to 2. Below this threshold, the parent profile considers the entire child profile to be unavailable and directs traffic to the other endpoints:

+## Ways to apply an Azure Virtual Desktop license

+Azure Virtual Desktop licensing allows you to apply a license to any Windows or Windows Server virtual machine (VM) that's registered as a session host in a host pool and receives user connections. This license doesn't apply to virtual machines running as file share servers, domain controllers, and so on.

+You can apply an Azure Virtual Desktop license to your VMs with the following methods:

+- You can create a host pool and its session host virtual machines [in the Azure portal](./create-host-pools-azure-marketplace.md). Creating VMs in the Azure portal automatically applies the license.

+- You can create a host pool and its session host virtual machines using the [GitHub Azure Resource Manager template](https://github.com/Azure/RDS-Templates/tree/master/ARM-wvd-templates). Creating VMs with this method automatically applies the license.

+- You can manually apply a license to an existing session host virtual machine. To apply the license this way, first follow the instructions in [Create a host pool with PowerShell or the Azure CLI](./create-host-pools-powershell.md) to create a host pool and associated VMs, then return to this article to learn how to apply the license.

+Before you start, make sure you've [installed and configured the latest version of Azure PowerShell](/powershell/azure/).

+Next, run the following PowerShell cmdlet to apply the Windows license:

+## Known limitations

+If you create a Windows Server VM using the Azure Virtual Desktop host pool creation process, the process might automatically assign it an incorrect license type. To change the license type using PowerShell, follow the instructions in [Convert an existing VM using Azure Hybrid Benefit for Windows Server](../virtual-machines/windows/hybrid-use-benefit-licensing.md#powershell-1).

+> [!IMPORTANT]

+> Per-user access pricing with Azure Virtual Desktop doesn't currently support Citrix DaaS and VMware Horizon Cloud.

+- Scale sets need to have [automatic OS upgrades](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md) enabled in order to use maintenance configurations.

+According to Oracle Support note [Doc ID 2178595.1](https://support.oracle.com/knowledge/JD%20Edwards%20EnterpriseOne/2178595_1.html), JD Edwards EnterpriseOne versions 9.2 and above are supported on **any public cloud offering** that meets their specific `Minimum Technical Requirements` (MTR). You need to create custom images that meet their MTR specifications for OS and software application compatibility.

+> [Create an Oracle database on Azure](oracle-database-quick-create.md)

+You can find detailed documentation on the solution template [here](https://azuremarketplace.microsoft.com/marketplace/apps/oracle.oraclelinux-wls-cluster).

+> [WLS on AKS marketplace solution documentation](https://azuremarketplace.microsoft.com/marketplace/apps/oracle.oraclelinux-wls-cluster)

+| **SAP ABAP Platform 1909, Developer Edition** June 21 2021 | [Create Appliance](https://cal.sap.com/registration?sguid=7bd4548f-a95b-4ee9-910a-08c74b4f6c37&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+|The SAP ABAP Platform on SAP HANA gives you access to SAP ABAP Platform 1909 Developer Edition on SAP HANA. Note that this solution is preconfigured with many additional elements ΓÇô including: SAP ABAP RESTful Application Programming Model, SAP Fiori launchpad, SAP gCTS, SAP ABAP Test Cockpit, and preconfigured frontend / backend connections, etc It also includes all the standard ABAP AS infrastructure: Transaction Management, database operations / persistence, Change and Transport System, SAP Gateway, interoperability with ABAP Development Toolkit and SAP WebIDE, and much more. | [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/7bd4548f-a95b-4ee9-910a-08c74b4f6c37) |

+| **SAP ERP 6.0 EhP 6 for Data Migration to SAP S/4HANA** October 24 2022 | [Create Appliance](https://cal.sap.com/registration?sguid=56825489-df3a-4b6d-999c-329a63ef5e8a&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+|update password of DDIC 100, SAP* 000 .This system can be used as source system for the "direct transfer" data migration scenarios of the SAP S/4HANA Fully-Activated Appliance. It might also be useful as an "open playground" for SP ERP 6.0 EhP6 scenarios, however, the contained business processes and data structures are not documented explicitly. | [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/56825489-df3a-4b6d-999c-329a63ef5e8a) |

+## <a name="ba74712c-4b1f-44c2-9412-de101dbb1ccc"></a>Manually configure the Azure VM extension for SAP solutions

+If you want to use Azure Resource Manager, Terraform or other tools to deploy the VM Extension for SAP, please use the following publisher and extension type:

+For Linux:

+* **Publisher**: Microsoft.AzureCAT.AzureEnhancedMonitoring

+* **Extension Type**: MonitorX64Linux

+* **Version**: 1.*

+For Windows:

+* **Publisher**: Microsoft.AzureCAT.AzureEnhancedMonitoring

+* **Extension Type**: MonitorX64Windows

+* **Version**: 1.*

+If you want to disable automatic updates for the VM extension or want to deploy a spefici version of the extension, you can retrieve the available versions with Azure CLI or Azure PowerShell.

+**Azure PowerShell**

+```powershell

+# Windows

+Get-AzVMExtensionImage -Location westeurope -PublisherName Microsoft.AzureCAT.AzureEnhancedMonitoring -Type MonitorX64Windows

+# Linux

+Get-AzVMExtensionImage -Location westeurope -PublisherName Microsoft.AzureCAT.AzureEnhancedMonitoring -Type MonitorX64Linux

+```

+**Azure CLI**

+```azurecli

+# Windows

+az vm extension image list --location westeurope --publisher Microsoft.AzureCAT.AzureEnhancedMonitoring --name MonitorX64Windows

+# Linux

+az vm extension image list --location westeurope --publisher Microsoft.AzureCAT.AzureEnhancedMonitoring --name MonitorX64Linux

+```

+| **Internet** | The IP address space that's outside the virtual network and reachable by the public internet.<br/><br/>This service tag only applies where the traffic does not hit any other service tag.<br/><br/>The address range includes the [Azure-owned public IP address space](https://www.microsoft.com/download/details.aspx?id=56519). | Both | No | No |

+ * **Tenant**: `https://login.microsoftonline.com/{TenantID}`

+ * **Issuer**: `https://sts.window.net/{TenantID}` For the Issuer value, make sure to include a trailing **/** at the end.

+## Add the bot protection rule set