+#### November 2023 (preview) release

+### [**.NET (C#)**](#tab/csharp)

+* Document Intelligence **1.0.0-beta.1**

+* **Targets REST API 2023-10-31-preview by default**

+[**Package (NuGet)**](https://www.nuget.org/packages/Azure.AI.DocumentIntelligence/1.0.0-beta.1)

+[**ReadMe**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/documentintelligence/Azure.AI.DocumentIntelligence/README.md)

+[**Samples**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/documentintelligence/Azure.AI.DocumentIntelligence/samples/README.md)

+### [**Java**](#tab/java)

+* Document Intelligence **1.0.0-beta.1**

+* **Targets REST API 2023-10-31-preview by default**

+[**Package (MVN)**](https://repo1.maven.org/maven2/com/azure/azure-ai-documentintelligence/1.0.0-beta.1/)

+[**ReadMe**](https://github.com/Azure/azure-sdk-for-jav#azure-documentintelligence-client-library-for-java)

+[**Samples**](https://github.com/Azure/azure-sdk-for-java/tree/azure-ai-documentintelligence_1.0.0-beta.1/sdk/documentintelligence/azure-ai-documentintelligence/src/samples#examples)

+### [**JavaScript**](#tab/javascript)

+* Document Intelligence **1.0.0-beta.1**

+* **Targets REST API 2023-10-31-preview by default**

+[**Package (npm)**](https://www.npmjs.com/package/@azure-rest/ai-document-intelligence)

+[**ReadMe**](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/documentintelligence/ai-document-intelligence-rest#readme)

+[**Samples**](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/documentintelligence/ai-document-intelligence-rest/samples/v1-beta/typescript)

+### [**Python**](#tab/python)

+* Document Intelligence **1.0.0b1**

+* **Targets REST API 2023-10-31-preview by default**

+[**Package (PyPi)**](https://pypi.org/project/azure-ai-documentintelligence/)

+[**ReadMe**](https://github.com/Azure/azure-sdk-for-python/blob/7c42462ac662522a6fd21b17d2a20f4cd40d0356/sdk/documentintelligence/azure-ai-documentintelligence/README.md)

+[**Samples**](https://github.com/Azure/azure-sdk-for-python/tree/7c42462ac662522a6fd21b17d2a20f4cd40d0356/sdk/documentintelligence/azure-ai-documentintelligence/samples)

+* Form Recognizer **4.1.0 (2023-08-10)**

+* **Targets REST API 2023-07-31 by default**

+* **REST API target 2023-02-28-preview is no longer supported**

+* Form Recognizer **4.1.0 (2023-08-10)**

+* **Targets REST API 2023-07-31 by default**

+* **REST API target 2023-02-28-preview is no longer supported**

+* Form Recognizer **5.0.0 (2023-08-08)**

+* **Targets REST API 2023-07-31 by default**

+* **REST API target 2023-02-28-preview is no longer supported**

+* Form Recognizer **3.3.0 (2023-08-08)**

+* **Targets REST API 2023-07-31 by default**

+* **REST API target 2023-02-28-preview is no longer supported**

+* Form Recognizer **4.1.0-beta.1 (2023-04-13**)

+* Form Recognizer **4.1.0-beta.1 (2023-04-12**)

+* Form Recognizer **4.1.0-beta.1 (2023-04-11**)

+* Form Recognizer **3.3.0b1 (2023-04-13**)

+> The `DocumentAnalysisClient` and `DocumentModelAdministrationClient` now target API v3.0 GA, released 2022-08-31. These clients are no longer supported by APIs 2020-06-30-preview or earlier.

+* Form Recognizer **4.0.0 GA (2022-09-08)**

+* Form Recognizer **4.0.0 GA (2022-09-08)**

+* Form Recognizer **4.0.0 GA (2022-09-08)**

+* Form Recognizer **3.2.0 GA (2022-09-08)**

+* Form Recognizer **4.0.0-beta.5 (2022-08-09)**

+* **Supports REST API 2022-06-30-preview clients**

+* Form Recognizer **4.0.0-beta.6 (2022-08-10)**

+* **Supports REST API 2022-06-30-preview and earlier clients**

+* Form Recognizer **4.0.0-beta.6 (2022-08-09)**

+* **Supports REST API 2022-06-30-preview and earlier clients**

+* Form Recognizer **3.2.0b6 (2022-08-09)**

+* **Supports REST API 2022-06-30-preview and earlier clients**

+* Form Recognizer **4.0.0-beta.4 (2022-06-08)**

+* Form Recognizer **4.0.0-beta.5 (2022-06-07)**

+* Form Recognizer **4.0.0-beta.4 (2022-06-07)**

+* Form Recognizer **3.2.0b5 (2022-06-07**

+)

+ prompt="<prompt>")

+ - You also need your network relay token for real-time avatar synthesis. After deploying your Communication resource, select **Go to resource** to view the endpoint and connection string under **Settings** -> **Keys** tab, and then follow [Access TURN relays](/azure/communication-services/quickstarts/relay-token) to generate the relay token with the endpoint and connection string filled.

+const { v4: uuidv4 } = require('uuid');

+let key = "<your-translator-key>";

+let endpoint = "https://api.cognitive.microsofttranslator.com";

+// location, also known as region.

+// required if you're using a multi-service or regional (not global) resource. It can be found in the Azure portal on the Keys and Endpoint page.

+let location = "<YOUR-RESOURCE-LOCATION>";

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+params.append("from", "en");

+params.append("to", "sw");

+params.append("to", "it");

+ params: params,

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+params.append("to", "en");

+params.append("to", "it");

+ params: params,

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+ params: params,

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+params.append("to", "th");

+params.append("toScript", "latn");

+ params: params,

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+params.append("language", "th");

+params.append("fromScript", "thai");

+params.append("toScript", "latn");

+ params: params,

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+params.append("to", "es");

+params.append("includeSentenceLength", true);

+ params: params,

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+ params: params,

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+params.append("from", "en");

+params.append("to", "es");

+ params: params,

+let params = new URLSearchParams();

+params.append("api-version", "3.0");

+params.append("from", "en");

+params.append("to", "es");

+ params: params,

+A private endpoint is automatically created for a connection if the target resource is an Azure resource listed above. A valid target ID is expected for the private endpoint. A valid target ID for the connection can be the ARM ID of a parent resource. The target ID is also expected in the target of the connection or in `metadata.resourceid`. For more on connections, see [How to add a new connection in Azure AI Studio](connections-add.md).

+- [How to configure a managed network](configure-managed-network.md)

+> [!NOTE]

+> If the blobfuse-proxy is not enabled during the installation of the open source driver, the uninstallation of the open source driver will disrupt existing blobfuse mounts. However, NFS mounts will remain unaffected.

+### Kubenet Cluster Upgrade (Preview)

+You must register the `Microsoft.ContainerService` `AzureOverlayDualStackPreview` feature flag.

+ - If you are going to enable a storage account with Hierarchical Namespace, existing persistent volumes should be remounted with `--use-adls=true` mount option.

+ storageClassName: azureblob-nfs-premium

+ readOnly: false

+ allowVolumeExpansion: true

+ mountOptions:

+ - nconnect=4

+ mountOptions:

+ - nconnect=4

+ volumeHandle: account-name_container-name

+ volumeHandle: account-name_container-name

+ readOnly: false

+ readOnly: false

+ volumeMounts

+ readOnly: false

+ readOnly: false

+> Make sure that the DiskEncryptionSet is located in the same region as your AKS cluster and that the AKS cluster identity has **read** access to the DiskEncryptionSet.

+To assign the AKS cluster identity the Contributor role for the diskencryptionset, execute the following commands:

+```azurecli-interactive

+aksIdentity=$(az aks show -g $RG_NAME -n $CLUSTER_NAME --query "identity.principalId")

+az role assignment create --role "Contributor" --assignee $aksIdentity --scope $diskEncryptionSetId

+```

+ - noresvport

+ - actimeo=30

+ - noresvport

+ - actimeo=30

+- [ig](https://inspektor-gadget.io/docs/latest/ig/): An eBPF-powered open-source framework for debugging and observing Linux and Kubernetes systems. It provides a set of tools (or gadgets) designed to gather relevant information, allowing users to identify the cause of performance issues, crashes, or other anomalies. Notably, its independence from Kubernetes enables users to employ it also for debugging control plane issues.

+ Title: Using Kubelogin with Azure Kubernetes Service (AKS)

+description: Learn about using Kubelogin to enable all of the supported Azure Active Directory authentication methods with Azure Kubernetes Service (AKS).

+# Use Kubelogin with Azure Kubernetes Service (AKS)

+Kubelogin is a client-go credential [plugin][client-go-cred-plugin] that implements Microsoft Entra ID authentication. This plugin provides features that are not available in kubectl.

+Azure Kubernetes Service (AKS) clusters integrated with Microsoft Entra ID, running Kubernetes versions 1.24 and higher, automatically use the `kubelogin` format.

+This article provides an overview of the following authentication methods and examples on how to use them:

+* Device code

+* The Azure CLI

+* Interactive web browser

+* Service principal

+* Managed identity

+* Workflow identity

+## Limitations

+* A maximum of 200 groups are included in the Microsoft Entra ID JSON Web Token (JWT). For more than 200 groups, consider using [Application Roles][entra-id-application-roles].

+* Groups created in Microsoft Entra ID are only included by their ObjectID and not by their display name. `sAMAccountName` is only available for groups synchronized from on-premises Active Directory.

+* On AKS, service principal authentication method only works with managed Microsoft Entra ID, not legacy Azure Active Directory.

+* Device code authentication method doesn't work when Conditional Access policy is configured on a Microsoft Entra tenant. Use web browser interactive authentication instead.

+## Authentication modes

+Most of the interaction with `kubelogin` is specific to the `convert-kubeconfig` subcommand, which uses the input kubeconfig specified in `--kubeconfig` or `KUBECONFIG` environment variable to convert to the final kubeconfig in exec format based on the specified authentication mode.

+### How authentication works

+The authentication modes that `kubelogin` implements are Microsoft Entra ID OAuth 2.0 token grant flows. Throughout `kubelogin` subcommands, you see below common flags. In general, these flags are already set up when you get the kubeconfig from AKS.

+* **--tenant-id**: Microsoft Entra ID tenant ID

+* **--client-id**: The application ID of the public client application. This client app is only used in device code, web browser interactive, and ropc log in modes.

+* **--server-id**: The application ID of the web app, or resource server. The token should be issued to this resource.

+> [!NOTE]

+> With each authentication method, the token isn't cached on the file system.

+## Using device code

+Device code is the default authentication mode in `convert-kubeconfig` subcommand. The `-l devicecode` is optional. This authentication method prompts the device code for user to sign in from a browser session.

+Before `kubelogin` and Exec plugin were introduced, the Azure authentication mode in `kubectl` only supported device code flow. It used an old library that produces the token with `audience` claim that has the `spn:` prefix, which isn't compatible with [AKS-managed Microsoft Entra ID][aks-managed-microsoft-entra-id] using [on-behalf-of][oauth-on-behalf-of] (OBO) flow. When you run the `convert-kubeconfig` subcommand, `kubelogin` removes the `spn:` (prefix in audience claim). If you require using the original functionality, add the `--legacy` argument.

+If you're using `kubeconfig` from legacy Azure AD cluster, `kubelogin` automatically adds the `--legacy` flag.

+In this sign in mode, the access token and refresh token are cached in the `${HOME}/.kube/cache/kubelogin` directory. This path can be overridden specifying the `--token-cache-dir` parameter.

+If your Azure AD integrated cluster uses Kubernetes version 1.24 or earlier, you need to manually convert the kubeconfig format by running the following commands.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+To clean up cached tokens, run the following command.

+```bash

+kubelogin remove-tokens

+```

+> [!NOTE]

+> Device code sign in method doesn't work when Conditional Access policy is configured on Microsoft Entra tenant. Use the [web browser interactive mode][web-browser-interactive-mode] instead.

+## Using the Azure CLI

+Authenticating using the Azure CLI method uses the already signed in context performed by the Azure CLI to get the access token. The token is issued in the same Microsoft Entra tenant as with `az login`.

+`kubelogin` doesn't write the tokens to the token cache file. It's already managed by the Azure CLI.

+> [!NOTE]

+> This authentication method only works with AKS-managed Microsoft Entra ID.

+```bash

+az login

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l azurecli

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+When the Azure CLI's config directory is outside the $`{HOME}` directory, specify the parameter `--azure-config-dir` in `convert-kubeconfig` subcommand. It generates the `kubeconfig` with the environment variable configured. You can achieve the same configuration by setting the environment variable `AZURE_CONFIG_DIR` to this directory while running `kubectl` command.

+## Using an interactive web browser

+Interactive web browser authentication automatically opens a web browser to log in the user. Once authenticated, the browser redirects back to a local web server with the credentials. This authentication method complies with Conditional Access policy.

+When you authenticate using this method, the access token is cached in the `${HOME}/.kube/cache/kubelogin` directory. This path can be overridden by specifying the `--token-cache-dir` parameter.

+The following example shows how to use a bearer token with interactive flow.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l interactive

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+The following example shows how to use Proof-of-Possession (PoP) tokens with interactive flow.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l interactive --pop-enabled --pop-claims "u=/ARM/ID/OF/CLUSTER"

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+## Using a service principal

+This authentication method uses a service principal to sign in. The credential may be provided using an environment variable or command-line argument. The supported credentials are password and pfx client certificate.

+The following are limitations to consider before using this method:

+* This only works with managed Microsoft Entra ID

+* The service principal can be member of a maximum of [200 Microsoft Entra ID groups][microsoft-entra-group-membership].

+The following examples show how to set up a client secret using an environment variable.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l spn

+export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn client id>

+export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<spn secret>

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l spn

+export AZURE_CLIENT_ID=<spn client id>

+export AZURE_CLIENT_SECRET=<spn secret>

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+The following example shows how to set up a client secret in a command-line argument.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l spn --client-id <spn client id> --client-secret <spn client secret>

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+> [!WARNING]

+> This method leaves the secret in the kubeconfig file.

+The following examples show how to set up a client secret using a client certificate.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l spn

+export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn client id>

+export AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE=/path/to/cert.pfx

+export AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE_PASSWORD=<pfx password>

+```

+Run `kubectl get nodes` command to get node information in ps output format.

+```bash

+kubectl get nodes

+```

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l spn

+export AZURE_CLIENT_ID=<spn client id>

+export AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pfx

+export AZURE_CLIENT_CERTIFICATE_PASSWORD=<pfx password>

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+The following example shows how to set up a Proof-of-Possession (PoP) token using a client secret from environment variables.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l spn --pop-enabled --pop-claims "u=/ARM/ID/OF/CLUSTER"

+export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn client id>

+export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<spn secret>

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+## Using a managed identity

+The [managed identity][managed-identity-overview] authentication method should be used for applications to use when connecting to resources that support Microsoft Entra authentication. For example, accessing Azure services such as Azure Virtual Machine, Azure Virtual Machine Scale Sets, Azure Cloud Shell, etc.

+The following example shows how to use the default managed identity.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l msi

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+The following example shows how to use a managed identity with a specific identity.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l msi --client-id <msi-client-id>

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+## Using a workload identity

+This authentication method uses Microsoft Entra ID federated identity credentials to authenticate to Kubernetes clusters with Microsoft Entra ID integration. It works by setting the environment variables:

+* **AZURE_CLIENT_ID**: the Microsoft Entra ID application ID that is federated with workload identity

+* **AZURE_TENANT_ID**: the Microsoft Entra ID tenant ID

+* **AZURE_FEDERATED_TOKEN_FILE**: the file containing signed assertion of workload identity. For example, Kubernetes projected service account (jwt) token

+* **AZURE_AUTHORITY_HOST**: the base URL of a Microsoft Entra ID authority. For example, `https://login.microsoftonline.com/`.

+With [workload identity][workload-identity], it's possible to access Kubernetes clusters from CI/CD system such as GitHub, ArgoCD, etc. without storing Service Principal credentials in those external systems. To configure OIDC federation from GitHub, see the following [example][oidc-federation-github].

+The following example shows how to use a workload identity.

+```bash

+export KUBECONFIG=/path/to/kubeconfig

+kubelogin convert-kubeconfig -l workloadidentity

+```

+Run `kubectl` command to get node information.

+```bash

+kubectl get nodes

+```

+## Using Kubelogin with AKS

+AKS uses a pair of first party Azure AD applications. These application IDs are the same in all environments.

+The AKS Microsoft Entra ID Server application ID used by the server side is: `6dae42f8-4368-4678-94ff-3960e28e3630`. The access token accessing AKS clusters need to be issued for this application. In most of kubelogin authentication modes, `--server-id` is a required parameter with `kubelogin get-token`.

+The AKS Microsoft Entra ID client application ID used by kubelogin to perform public client authentication on behalf of the user is: `80faf920-1908-4b52-b5ef-a8e7bedfc67a`. The client application ID is used as part of device code and web browser interactive authentication methods.

+## Next steps

+* Learn how to integrate AKS with Microsoft Entra ID with our [AKS-managed Microsoft Entra integration][aks-managed-microsoft-entra-integration-guide] how-to guide.

+* To get started with managed identities in AKS, see [Use a managed identity in AKS][use-managed-identity-aks].

+* To get started with workload identities in AKS, see [Use a workload identity in AKS][use-workload-identity-aks].

+<!-- LINKS - internal -->

+[aks-managed-microsoft-entra-id]: managed-azure-ad.md

+[oauth-on-behalf-of]: ../active-directory/develop/v2-oauth2-on-behalf-of-flow.md

+[web-browser-interactive-mode]: #using-an-interactive-web-browser

+[microsoft-entra-group-membership]: /entra/identity/hybrid/connect/how-to-connect-fed-group-claims

+[managed-identity-overview]: /entra/identity/managed-identities-azure-resources/overview

+[workload-identity]: /entra/workload-id/workload-identities-overview

+[entra-id-application-roles]: /entra/external-id/customers/how-to-use-app-roles-customers

+[aks-managed-microsoft-entra-integration-guide]: managed-azure-ad.md

+[use-managed-identity-aks]: use-managed-identity.md

+[use-workload-identity-aks]: workload-identity-overview.md

+<!-- LINKS - external -->

+[client-go-cred-plugin]: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins

+[oidc-federation-github]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure

+* Build and push the images to your ACR using the Azure CLI [`az acr build`][az-acr-build] command.

+ > For this step, there isn't an equivalent Azure PowerShell cmdlet that performs this task.

+ >

+<forward-request http-version="1 | 2or1 | 2" timeout="time in seconds (alternatively, use timeout-ms)" | timeout-ms="time in milliseconds (alternatively, use timeout)" continue-timeout="time in seconds" follow-redirects="false | true" buffer-request-body="false | true" buffer-response="true | false" fail-on-error-status-code="false | true"/>

+| timeout | The amount of time in seconds to wait for the HTTP response headers to be returned by the backend service before a timeout error is raised. Minimum value is 0 seconds. Values greater than 240 seconds may not be honored, because the underlying network infrastructure can drop idle connections after this time. Policy expressions are allowed. You can specify either `timeout` or `timeout-ms` but not both. | No | 300 |

+| timeout-ms | The amount of time in milliseconds to wait for the HTTP response headers to be returned by the backend service before a timeout error is raised. Minimum value is 0 ms. Policy expressions are allowed. You can specify either `timeout` or `timeout-ms` but not both. | No | N/A |

+| continue-timeout | The amount of time in seconds to wait for a `100 Continue` status code to be returned by the backend service before a timeout error is raised. Policy expressions are allowed. | No | N/A |

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+[ARMOverview]: ../../azure-resource-manager/management/overview.md

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+[linuxapp]: ../overview.md#app-service-on-linux

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+[6]: ./media/firewall-integration/firewall-ntprule-monitor.png

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+>

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v3, which is used with Isolated v2 App Service plans.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+> This article is about App Service Environment v3, which is used with Isolated v2 App Service plans.

+> App Service Environment v1 and v2 [will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). After that date, those versions will no longer be supported and any remaining App Service Environment v1 and v2s and the applications running on them will be deleted.

+There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1 or v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v1 or v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+>

+> [Using an App Service Environment v3](using.md)

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

+As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

+7. Select **Next: Monitoring** and set **Boot diagnostics** to **Disable**. Accept the other defaults and then select **Review + create**.

+> [!IMPORTANT]

+> When you use an application gateway in a different resource group than the AKS cluster resource group, the managed identity **_ingressapplicationgateway-{AKSNAME}_** that is created must have **Contributor** and **Reader** roles set in the application gateway resource group.

+# [PowerShell 7.2](#tab/lps72)

+**Limitations**

+> [!NOTE]

+> Currently, PowerShell 7.2 runtime version is supported for both Cloud and Hybrid jobs in all Public regions except Central India, UAE Central, Israel Central, Italy North, Germany North and Gov clouds.

+- For the PowerShell 7.2 runtime version, the module activities aren't extracted for the imported modules. Use [Azure Automation extension for VS code](automation-runbook-authoring.md) to simplify runbook authoring experience.

+- PowerShell 7.x doesn't support workflows. For more information, see [PowerShell workflow](/powershell/scripting/whats-new/differences-from-windows-powershell#powershell-workflow) for more details.

+- PowerShell 7.x currently doesn't support signed runbooks.

+- Source control integration doesn't support PowerShell 7.2. Also, PowerShell 7.2 runbooks in source control get created in Automation account as Runtime 5.1.

+- Az module 8.3.0 is installed by default. The complete list of component modules of selected Az module version is shown once Az version is configured again using Azure portal or API.

+- The imported PowerShell 7.2 module would be validated during job execution. Ensure that all dependencies for the selected module are also imported for successful job execution.

+- Azure runbook doesn't support `Start-Job` with `-credential`.

+- Azure doesn't support all PowerShell input parameters. [Learn more](runbook-input-parameters.md).

+**Known issues**

+- Runbooks taking dependency on internal file paths such as `C:\modules` might fail due to changes in service backend infrastructure. Change runbook code to ensure there are no dependencies on internal file paths and use [Get-ChildItem](/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7.3) to get the required module information.

+- `Get-AzStorageAccount` cmdlet might fail with an error: *The `Get-AzStorageAccount` command was found in the module `Az.Storage`, but the module could not be loaded*.

+- Executing child scripts using `.\child-runbook.ps1` is not supported in this preview.

+ **Workaround**: Use `Start-AutomationRunbook` (internal cmdlet) or `Start-AzAutomationRunbook` (from *Az.Automation* module) to start another runbook from parent runbook.

+- When you use [ExchangeOnlineManagement](/powershell/exchange/exchange-online-powershell?view=exchange-ps&preserve-view=true) module version: 3.0.0 or higher, you can experience errors. To resolve the issue, ensure that you explicitly upload [PowerShellGet](/powershell/module/powershellget/) and [PackageManagement](/powershell/module/packagemanagement/) modules.

+## November 2023

+### General Availability: Azure Automation supports PowerShell 7.2 runbooks

+Azure Automation announces General Availability of PowerShell 7.2 runbooks. This enables you to author runbooks in the long-term supported version of PowerShell using [Azure Automation extension for VS code](how-to/runbook-authoring-extension-for-vscode.md) and execute them on a secure and reliable platform. [Learn more](automation-runbook-types.md).

+## October 2023

+### General Availability: Automation extension for Visual Studio Code

+> [!NOTE]

+> You can add up to 10 user-assigned managed identities to an App Configuration store.

+ Title: Quickstart for using Azure App Configuration with JavaScript apps

+description: In this quickstart, create a Node.js app with Azure App Configuration to centralize storage and management of application settings separate from your code.

+ms.devlang: javascript

+#Customer intent: As a JavaScript developer, I want to manage all my app settings in one place.

+# Quickstart: Create a JavaScript app with Azure App Configuration

+In this quickstart, you'll use Azure App Configuration to centralize storage and management of application settings using the [Azure App Configuration JavaScript provider client library](https://github.com/Azure/AppConfiguration-JavaScriptProvider).

+App Configuration provider for JavaScript is built on top of the [Azure SDK for JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/appconfiguration/app-configuration) and is designed to be easier to use with richer features.

+It enables access to key-values in App Configuration as a `Map` object.

+It offers features like configuration composition from multiple labels, key prefix trimming, automatic resolution of Key Vault references, and many more.

+As an example, this tutorial shows how to use the JavaScript provider in a Node.js app.

+## Prerequisites

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+- [LTS versions of Node.js](https://github.com/nodejs/release#release-schedule). For information about installing Node.js either directly on Windows or using the Windows Subsystem for Linux (WSL), see [Get started with Node.js](/windows/dev-environment/javascript/nodejs-overview)

+## Add key-values

+Add the following key-values to the App Configuration store. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value | Content type |

+|-|-|--|

+| *message* | *Message from Azure App Configuration* | Leave empty |

+| *app.greeting* | *Hello World* | Leave empty |

+| *app.json* | *{"myKey":"myValue"}* | *application/json* |

+## Setting up the Node.js app

+In this tutorial, you'll create a Node.js console app and load data from your App Configuration store.

+1. Create a new directory for the project named *app-configuration-quickstart*.

+ ```console

+ mkdir app-configuration-quickstart

+ ```

+1. Switch to the newly created *app-configuration-quickstart* directory.

+ ```console

+ cd app-configuration-quickstart

+ ```

+1. Install the Azure App Configuration provider by using the `npm install` command.

+ ```console

+ npm install @azure/app-configuration-provider

+ ```

+1. Create a new file called *app.js* in the *app-configuration-quickstart* directory and add the following code:

+ ```javascript

+ const { load } = require("@azure/app-configuration-provider");

+ const connectionString = process.env.AZURE_APPCONFIG_CONNECTION_STRING;

+ async function run() {

+ let settings;

+ // Sample 1: Connect to Azure App Configuration using a connection string and load all key-values with null label.

+ settings = await load(connectionString);

+ // Find the key "message" and print its value.

+ console.log(settings.get("message")); // Output: Message from Azure App Configuration

+ // Find the key "app.json" as an object, and print its property "myKey".

+ const jsonObject = settings.get("app.json");

+ console.log(jsonObject.myKey); // Output: myValue

+ // Sample 2: Load all key-values with null label and trim "app." prefix from all keys.

+ settings = await load(connectionString, {

+ trimKeyPrefixes: ["app."]

+ });

+ // From the keys with trimmed prefixes, find a key with "greeting" and print its value.

+ console.log(settings.get("greeting")); // Output: Hello World

+ // Sample 3: Load all keys starting with "app." prefix and null label.

+ settings = await load(connectionString, {

+ selectors: [{

+ keyFilter: "app.*"

+ }],

+ });

+ // Print true or false indicating whether a setting is loaded.

+ console.log(settings.has("message")); // Output: false

+ console.log(settings.has("app.greeting")); // Output: true

+ console.log(settings.has("app.json")); // Output: true

+ }

+ run().catch(console.error);

+ ```

+## Run the application locally

+1. Set an environment variable named **AZURE_APPCONFIG_CONNECTION_STRING**, and set it to the connection string of your App Configuration store. At the command line, run the following command:

+ ### [Windows command prompt](#tab/windowscommandprompt)

+ To run the app locally using the Windows command prompt, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```cmd

+ setx AZURE_APPCONFIG_CONNECTION_STRING "<app-configuration-store-connection-string>"

+ ```

+ ### [PowerShell](#tab/powershell)

+ If you use Windows PowerShell, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```azurepowershell

+ $Env:AZURE_APPCONFIG_CONNECTION_STRING = "<app-configuration-store-connection-string>"

+ ```

+ ### [macOS](#tab/unix)

+ If you use macOS, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```console

+ export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'

+ ```

+ ### [Linux](#tab/linux)

+ If you use Linux, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```console

+ export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'

+ ```

+1. Print the value of the environment variable to validate that it's set properly with the command below.

+ ### [Windows command prompt](#tab/windowscommandprompt)

+ Using the Windows command prompt, restart the command prompt to allow the change to take effect and run the following command:

+ ```cmd

+ echo %AZURE_APPCONFIG_CONNECTION_STRING%

+ ```

+ ### [PowerShell](#tab/powershell)

+ If you use Windows PowerShell, run the following command:

+ ```azurepowershell

+ $Env:AZURE_APPCONFIG_CONNECTION_STRING

+ ```

+ ### [macOS](#tab/unix)

+ If you use macOS, run the following command:

+ ```console

+ echo "$AZURE_APPCONFIG_CONNECTION_STRING"

+ ```

+ ### [Linux](#tab/linux)

+ If you use Linux, run the following command:

+ ```console

+ echo "$AZURE_APPCONFIG_CONNECTION_STRING"

+ ```

+1. After the environment variable is properly set, run the following command to run the app locally:

+ ```bash

+ node app.js

+ ```

+ You should see the following output:

+ ```Output

+ Message from Azure App Configuration

+ myValue

+ Hello World

+ false

+ true

+ true

+ ```

+## Clean up resources

+## Next steps

+In this quickstart, you created a new App Configuration store and learned how to access key-values using the App Configuration JavaScript provider in a Node.js app.

+For more code samples, visit:

+> [!div class="nextstepaction"]

+> [Azure App Configuration JavaScript provider](https://github.com/Azure/AppConfiguration-JavaScriptProvider/tree/main/examples)

+ Title: Using Azure App Configuration in JavaScript apps with the Azure SDK for JavaScript | Microsoft Docs

+description: This document shows examples of how to use the Azure SDK for JavaScript to access key-values in Azure App Configuration.

+# Create a Node.js app with the Azure SDK for JavaScript

+This document shows examples of how to use the [Azure SDK for JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/appconfiguration/app-configuration) to access key-values in Azure App Configuration.

+>[!TIP]

+> App Configuration offers a JavaScript provider library that is built on top of the JavaScript SDK and is designed to be easier to use with richer features. It enables configuration settings to be used like a Map object, and offers other features like configuration composition from multiple labels, key name trimming, and automatic resolution of Key Vault references. Go to the [JavaScript quickstart](./quickstart-javascript-provider.md) to learn more.

+- An Azure account with an active subscription - [Create one for free](https://azure.microsoft.com/free/)

+## Create a key-value

+1. In this tutorial, you'll create a new directory for the project named *app-configuration-example*.

+ mkdir app-configuration-example

+1. Switch to the newly created *app-configuration-example* directory.

+ cd app-configuration-example

+1. Create a new file called *app-configuration-example.js* in the *app-configuration-example* directory and add the following code:

+ ```javascript

+ const { AppConfigurationClient } = require("@azure/app-configuration");

+ async function run() {

+ console.log("Azure App Configuration - JavaScript example");

+ // Example code goes here

+ }

+ run().catch(console.error);

+ ```

+> [!NOTE]

+> The code snippets in this example will help you get started with the App Configuration client library for JavaScript. For your application, you should also consider handling exceptions according to your needs. To learn more about exception handling, please refer to our [JavaScript SDK documentation](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/appconfiguration/app-configuration).

+## Configure your App Configuration connection string

+1. Set an environment variable named **AZURE_APPCONFIG_CONNECTION_STRING**, and set it to the connection string of your App Configuration store. At the command line, run the following command:

+ ### [Windows command prompt](#tab/windowscommandprompt)

+ To run the app locally using the Windows command prompt, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```cmd

+ setx AZURE_APPCONFIG_CONNECTION_STRING "<app-configuration-store-connection-string>"

+ ```

+ ### [PowerShell](#tab/powershell)

+ If you use Windows PowerShell, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ $Env:AZURE_APPCONFIG_CONNECTION_STRING = "<app-configuration-store-connection-string>"

+ ### [macOS](#tab/unix)

+ If you use macOS, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```console

+ export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'

+ ```

+ ### [Linux](#tab/linux)

+ If you use Linux, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```console

+ export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'

+ ```

+1. Print out the value of the environment variable to validate that it is set properly with the command below.

+ ### [Windows command prompt](#tab/windowscommandprompt)

+ Using the Windows command prompt, restart the command prompt to allow the change to take effect and run the following command:

+ echo %AZURE_APPCONFIG_CONNECTION_STRING%

+ ### [PowerShell](#tab/powershell)

+ If you use Windows PowerShell, run the following command:

+ ```azurepowershell

+ $Env:AZURE_APPCONFIG_CONNECTION_STRING

+ ```

+ ### [macOS](#tab/unix)

+ If you use macOS, run the following command:

+ ```console

+ echo "$AZURE_APPCONFIG_CONNECTION_STRING"

+ ```

+ ### [Linux](#tab/linux)

+ If you use Linux, run the following command:

+ echo "$AZURE_APPCONFIG_CONNECTION_STRING"

+## Code samples

+The sample code snippets in this section show you how to perform common operations with the App Configuration client library for JavaScript. Add these code snippets to the body of `run` function in *app-configuration-example.js* file you created earlier.

+> [!NOTE]

+> The App Configuration client library refers to a key-value object as `ConfigurationSetting`. Therefore, in this article, the **key-values** in App Configuration store will be referred to as **configuration settings**.

+Learn below how to:

+- [Connect to an App Configuration store](#connect-to-an-app-configuration-store)

+- [Get a configuration setting](#get-a-configuration-setting)

+- [Add a configuration setting](#add-a-configuration-setting)

+- [Get a list of configuration settings](#get-a-list-of-configuration-settings)

+- [Lock a configuration setting](#lock-a-configuration-setting)

+- [Unlock a configuration setting](#unlock-a-configuration-setting)

+- [Update a configuration setting](#update-a-configuration-setting)

+- [Delete a configuration setting](#delete-a-configuration-setting)

+### Connect to an App Configuration store

+const connection_string = process.env.AZURE_APPCONFIG_CONNECTION_STRING;

+const client = new AppConfigurationClient(connection_string);

+### Get a configuration setting

+The following code snippet retrieves a configuration setting by `key` name.

+ const retrievedConfigSetting = await client.getConfigurationSetting({

+ key: "TestApp:Settings:Message"

+ });

+ console.log("\nRetrieved configuration setting:");

+ console.log(`Key: ${retrievedConfigSetting.key}, Value: ${retrievedConfigSetting.value}`);

+```

+### Add a configuration setting

+The following code snippet creates a `ConfigurationSetting` object with `key` and `value` fields and invokes the `addConfigurationSetting` method.

+This method will throw an exception if you try to add a configuration setting that already exists in your store. If you want to avoid this exception, the [setConfigurationSetting](#update-a-configuration-setting) method can be used instead.

+```javascript

+ const configSetting = {

+ key:"TestApp:Settings:NewSetting",

+ value:"New setting value"

+ };

+ const addedConfigSetting = await client.addConfigurationSetting(configSetting);

+ console.log("\nAdded configuration setting:");

+ console.log(`Key: ${addedConfigSetting.key}, Value: ${addedConfigSetting.value}`);

+```

+### Get a list of configuration settings

+The following code snippet retrieves a list of configuration settings. The `keyFilter` and `labelFilter` arguments can be provided to filter key-values based on `key` and `label` respectively. For more information on filtering, see how to [query configuration settings](./concept-key-value.md#query-key-values).

+```javascript

+ const filteredSettingsList = client.listConfigurationSettings({

+ keyFilter: "TestApp*"

+ });

+ console.log("\nRetrieved list of configuration settings:");

+ for await (const filteredSetting of filteredSettingsList) {

+ console.log(`Key: ${filteredSetting.key}, Value: ${filteredSetting.value}`);

+ }

+```

+### Lock a configuration setting

+The lock status of a key-value in App Configuration is denoted by the `readOnly` attribute of the `ConfigurationSetting` object. If `readOnly` is `true`, the setting is locked. The `setReadOnly` method can be invoked with `true` as the second argument to lock the configuration setting.

+```javascript

+ const lockedConfigSetting = await client.setReadOnly(addedConfigSetting, true /** readOnly */);

+ console.log(`\nRead-only status for ${lockedConfigSetting.key}: ${lockedConfigSetting.isReadOnly}`);

+```

+### Unlock a configuration setting

+If the `readOnly` attribute of a `ConfigurationSetting` is `false`, the setting is unlocked. The `setReadOnly` method can be invoked with `false` as the second argument to unlock the configuration setting.

+```javascript

+ const unlockedConfigSetting = await client.setReadOnly(lockedConfigSetting, false /** readOnly */);

+ console.log(`\nRead-only status for ${unlockedConfigSetting.key}: ${unlockedConfigSetting.isReadOnly}`);

+```

+### Update a configuration setting

+The `setConfigurationSetting` method can be used to update an existing setting or create a new setting. The following code snippet changes the value of an existing configuration setting.

+```javascript

+ addedConfigSetting.value = "Value has been updated!";

+ const updatedConfigSetting = await client.setConfigurationSetting(addedConfigSetting);

+ console.log("\nUpdated configuration setting:");

+ console.log(`Key: ${updatedConfigSetting.key}, Value: ${updatedConfigSetting.value}`);

+```

+### Delete a configuration setting

+The following code snippet deletes a configuration setting by `key` name.

+```javascript

+ const deletedConfigSetting = await client.deleteConfigurationSetting({

+ key: "TestApp:Settings:NewSetting"

+ });

+ console.log("\nDeleted configuration setting:");

+ console.log(`Key: ${deletedConfigSetting.key}, Value: ${deletedConfigSetting.value}`);

+```

+## Run the app

+In this example, you created a Node.js app that uses the Azure App Configuration client library to retrieve a configuration setting created through the Azure portal, add a new setting, retrieve a list of existing settings, lock and unlock a setting, update a setting, and finally delete a setting.

+At this point, your *app-configuration-example.js* file should have the following code:

+```javascript

+const { AppConfigurationClient } = require("@azure/app-configuration");

+async function run() {

+ console.log("Azure App Configuration - JavaScript example");

+ const connection_string = process.env.AZURE_APPCONFIG_CONNECTION_STRING;

+ const client = new AppConfigurationClient(connection_string);

+ const retrievedConfigSetting = await client.getConfigurationSetting({

+ key: "TestApp:Settings:Message"

+ });

+ console.log("\nRetrieved configuration setting:");

+ console.log(`Key: ${retrievedConfigSetting.key}, Value: ${retrievedConfigSetting.value}`);

+ const configSetting = {

+ key: "TestApp:Settings:NewSetting",

+ value: "New setting value"

+ };

+ const addedConfigSetting = await client.addConfigurationSetting(configSetting);

+ console.log("Added configuration setting:");

+ console.log(`Key: ${addedConfigSetting.key}, Value: ${addedConfigSetting.value}`);

+ const filteredSettingsList = client.listConfigurationSettings({

+ keyFilter: "TestApp*"

+ });

+ console.log("Retrieved list of configuration settings:");

+ for await (const filteredSetting of filteredSettingsList) {

+ console.log(`Key: ${filteredSetting.key}, Value: ${filteredSetting.value}`);

+ }

+ const lockedConfigSetting = await client.setReadOnly(addedConfigSetting, true /** readOnly */);

+ console.log(`Read-only status for ${lockedConfigSetting.key}: ${lockedConfigSetting.isReadOnly}`);

+ const unlockedConfigSetting = await client.setReadOnly(lockedConfigSetting, false /** readOnly */);

+ console.log(`Read-only status for ${unlockedConfigSetting.key}: ${unlockedConfigSetting.isReadOnly}`);

+ addedConfigSetting.value = "Value has been updated!";

+ const updatedConfigSetting = await client.setConfigurationSetting(addedConfigSetting);

+ console.log("Updated configuration setting:");

+ console.log(`Key: ${updatedConfigSetting.key}, Value: ${updatedConfigSetting.value}`);

+ const deletedConfigSetting = await client.deleteConfigurationSetting({

+ key: "TestApp:Settings:NewSetting"

+ });

+ console.log("Deleted configuration setting:");

+ console.log(`Key: ${deletedConfigSetting.key}, Value: ${deletedConfigSetting.value}`);

+run().catch(console.error);

+In your console window, navigate to the directory containing the *app-configuration-example.js* file and execute the following command to run the app:

+```console

+node app.js

+```

+You should see the following output:

+```output

+Azure App Configuration - JavaScript example

+Retrieved configuration setting:

+Key: TestApp:Settings:Message, Value: Data from Azure App Configuration

+Added configuration setting:

+Key: TestApp:Settings:NewSetting, Value: New setting value

+Retrieved list of configuration settings:

+Key: TestApp:Settings:Message, Value: Data from Azure App Configuration

+Key: TestApp:Settings:NewSetting, Value: New setting value

+Read-only status for TestApp:Settings:NewSetting: true

+Read-only status for TestApp:Settings:NewSetting: false

+Updated configuration setting:

+Key: TestApp:Settings:NewSetting, Value: Value has been updated!

+Deleted configuration setting:

+Key: TestApp:Settings:NewSetting, Value: Value has been updated!

+```

+## Clean up resources

+This guide showed you how to use the Azure SDK for JavaScript to access key-values in Azure App Configuration.

+To learn how to use Azure App Configuration with JavaScript apps, go to:

+> [!div class="nextstepaction"]

+> [Create a JavaScript app with Azure App Configuration](./quickstart-javascript-provider.md)

+## Related content

+# SQL Managed Instance enabled by Azure Arc with Active Directory authentication

+Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). SQL Managed Instance enabled by Azure Arc uses an existing on-premises Active Directory (AD) domain for authentication.

+This article describes how to enable SQL Managed Instance enabled by Azure Arc with Active Directory (AD) Authentication. The article demonstrates two possible AD integration modes:

+The following diagram shows how to enable Active Directory authentication for SQL Managed Instance enabled by Azure Arc:

+To facilitate this, Azure Arc-enabled data services introduces a new Kubernetes-native [Custom Resource Definition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) called `Active Directory Connector`. It provides instances running on the same data controller the ability to perform Active Directory authentication.

+To enable Active Directory authentication for SQL Managed Instance enabled by Azure Arc, you need an Active Directory connector where you specify the Active Directory integration deployment mode. The two Active Directory integration modes are:

+## Enable Active Directory authentication

+When you deploy an instance with the intention to enable Active Directory authentication, the deployment needs to reference an Active Directory connector instance to use. Referencing the Active Directory connector in managed instance specification automatically sets up the needed environment in instance container to authenticate with Active Directory.

+## Related content

+* [Deploy SQL Managed Instance enabled by Azure Arc in Active Directory (AD)](deploy-active-directory-sql-managed-instance.md)

+* [Connect to SQL Managed Instance enabled by Azure Arc using Active Directory authentication](connect-active-directory-sql-managed-instance.md)

+# SQL Server enabled by Azure Arc in Active Directory authentication with system-managed keytab - prerequisites

+## Related content

+* [Deploy a SQL Managed Instance enabled by Azure Arc in Active Directory (AD)](deploy-active-directory-sql-managed-instance.md)

+* [Connect to SQL Managed Instance enabled by Azure Arc using Active Directory authentication](connect-active-directory-sql-managed-instance.md)

+As part of each commit that builds up Arc-enabled data services, Microsoft runs automated CI/CD pipelines that perform end-to-end tests. These tests are orchestrated via two containers that are maintained alongside the core-product (Data Controller, SQL Managed Instance enabled by Azure Arc & PostgreSQL server). These containers are:

+## Related content

+## Related content

+- Orchestrate most of the activities for SQL Managed Instance enabled by Azure Arc such as upgrades, scale out etc.

+## Related content

+## Related content

+## Related content

+## Related content

+Already created a Data Controller? [Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+ Title: Configure SQL Managed Instance enabled by Azure Arc

+description: Configure SQL Managed Instance enabled by Azure Arc

+# Configure SQL Managed Instance enabled by Azure Arc

+This article explains how to configure SQL Managed Instance enabled by Azure Arc.

+To update the configuration of an instance with the CLI. Run the following command to see configuration options.

+To update the available memory and cores for an instance use:

+To view the changes made to the instance, you can use the following commands to view the configuration yaml file:

+You can configure certain server configuration settings for SQL Managed Instance enabled by Azure Arc either during or after creation time. This article describes how to configure settings like enabling "Ad Hoc Distributed Queries" or "backup compression default" etc.

+## Related content

+ Title: Encrypt a database with transparent data encryption manually in SQL Managed Instance enabled by Azure Arc

+description: How-to guide to turn on transparent data encryption in an SQL Managed Instance enabled by Azure Arc

+# Encrypt a database with transparent data encryption on SQL Managed Instance enabled by Azure Arc

+This article describes how to enable transparent data encryption on a database created in a SQL Managed Instance enabled by Azure Arc. In this article, the term *managed instance* refers to a deployment of SQL Managed Instance enabled by Azure Arc.

+Before you proceed with this article, you must have a SQL Managed Instance enabled by Azure Arc resource created and connect to it.

+- [Create a SQL Managed Instance enabled by Azure Arc](./create-sql-managed-instance.md)

+- [Connect to SQL Managed Instance enabled by Azure Arc](./connect-managed-instance.md)

+## Related content

+ Title: Turn on transparent data encryption in SQL Managed Instance enabled by Azure Arc (preview)

+description: How-to guide to turn on transparent data encryption in an SQL Managed Instance enabled by Azure Arc (preview)

+# Enable transparent data encryption on SQL Managed Instance enabled by Azure Arc (preview)

+This article describes how to enable and disable transparent data encryption (TDE) at-rest on a SQL Managed Instance enabled by Azure Arc. In this article, the term *managed instance* refers to a deployment of SQL Managed Instance enabled by Azure Arc and enabling/disabling TDE will apply to all databases running on a managed instance.

+Before you proceed with this article, you must have a SQL Managed Instance enabled by Azure Arc resource created and connect to it.

+- [Create a SQL Managed Instance enabled by Azure Arc](./create-sql-managed-instance.md)

+- [Connect to SQL Managed Instance enabled by Azure Arc](./connect-managed-instance.md)

+The following example creates a SQL Managed Instance enabled by Azure Arc with one replica, TDE enabled:

+You can set SQL Managed Instance enabled by Azure Arc TDE in one of two modes:

+## Related content

+ Title: Connect to AD-integrated SQL Managed Instance enabled by Azure Arc

+description: Connect to AD-integrated SQL Managed Instance enabled by Azure Arc

+# Connect to AD-integrated SQL Managed Instance enabled by Azure Arc

+This article describes how to connect to SQL Managed Instance endpoint using Active Directory (AD) authentication. Before you proceed, make sure you have an AD-integrated SQL Managed Instance enabled by Azure Arc deployed already.

+See [Tutorial ΓÇô Deploy AD-integrated SQL Managed Instance](deploy-active-directory-sql-managed-instance.md) to deploy SQL Managed Instance enabled by Azure Arc with Active Directory authentication enabled.

+## Connect to SQL Managed Instance enabled by Azure Arc

+From your domain joined Windows-based client machine or a Linux-based domain aware machine, you can use `sqlcmd` utility, or open [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio (ADS)](/azure-data-studio/download-azure-data-studio) to connect to the instance with AD authentication.

+ Title: Connect to SQL Managed Instance enabled by Azure Arc

+description: Connect to SQL Managed Instance enabled by Azure Arc

+# Connect to SQL Managed Instance enabled by Azure Arc

+This article explains how you can connect to your SQL Managed Instance enabled by Azure Arc.

+## View SQL Managed Instance enabled by Azure Arc

+To view instance and the external endpoints, use the following command:

+## Related content

+- An instance of SQL Managed Instance enabled by Azure Arc.

+## Deploy SQL Managed Instance enabled by Azure Arc

+To connect with Azure Data Studio, see [Connect to SQL Managed Instance enabled by Azure Arc](connect-managed-instance.md).

+- SQL Managed Instance enabled by Azure Arc.

+## Deploy an instance of SQL Managed Instance enabled by Azure Arc

+To connect with Azure Data Studio, see [Connect to SQL Managed Instance enabled by Azure Arc](connect-managed-instance.md).

+## Related content

+## Related content

+## Related information

+[Deploy SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+## Related content

+[Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+## Related content

+## Related content

+## Related content

+ Title: Create SQL Managed Instance enabled by Azure Arc using Azure Data Studio

+description: Create SQL Managed Instance enabled by Azure Arc using Azure Data Studio

+# Create SQL Managed Instance enabled by Azure Arc using Azure Data Studio

+## Steps

+## Connect from Azure Data Studio

+View all the SQL Managed Instances provisioned to this data controller. Use the following command:

+## Related information

+## Related content

+ Title: Create a SQL Server Managed Instance enabled by Azure Arc

+description: Deploy SQL Server Managed Instance enabled by Azure Arc

+# Create a SQL Server Managed Instance enabled by Azure Arc

+## Related content

+- [Connect to SQL Managed Instance enabled by Azure Arc](connect-managed-instance.md)

+ Title: Delete a SQL Server Managed Instance enabled by Azure Arc

+description: Learn how to delete a SQL Server Managed Instance enabled by Azure Arc and optionally, reclaim associated Kubernetes persistent volume claims (PVCs).

+# Delete a SQL Server Managed Instance enabled by Azure Arc

+In this how-to guide, you'll find and then delete a SQL Managed Instance enabled by Azure Arc. Optionally, after deleting managed instances, you can reclaim associated Kubernetes persistent volume claims (PVCs).

+1. Find existing instances:

+## Related content

+Learn more about [Features and Capabilities of SQL Managed Instance enabled by Azure Arc](managed-instance-features.md)

+Already created a Data Controller? [Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+This article explains how to deploy an Active Directory (AD) connector using Azure CLI. The AD connector is a key component to enable Active Directory authentication on SQL Managed Instance enabled by Azure Arc.

+## Related content

+Active Directory (AD) connector is a key component to enable Active Directory authentication on SQL Managed Instance enabled by Azure Arc.

+## Related content

+## Related content

+ Title: Deploy Active Directory integrated SQL Server Managed Instance enabled by Azure Arc using Azure CLI

+description: Explains how to deploy Active Directory integrated SQL Server Managed Instance enabled by Azure Arc using Azure CLI

+# Deploy Active Directory integrated SQL Server Managed Instance enabled by Azure Arc using Azure CLI

+This article explains how to deploy SQL Managed Instance enabled by Azure Arc with Active Directory (AD) authentication using Azure CLI.

+## Deploy and update Active Directory integrated SQL Managed Instance

+#### Create an instance

+To view available options for create command for SQL Managed Instance enabled by Azure Arc, use the following command:

+#### Update an instance

+#### Create an instance

+To view available options for create command for SQL Managed Instance enabled by Azure Arc, use the following command:

+## Delete an instance in directly connected mode

+## Related content

+* [Connect to Active Directory integrated SQL Managed Instance enabled by Azure Arc](connect-active-directory-sql-managed-instance.md).

+ Title: Deploy Active Directory-integrated SQL Server Managed Instance enabled by Azure Arc

+description: Learn how to deploy SQL Server Managed Instance enabled by Azure Arc with Active Directory authentication.

+# Deploy Active Directory-integrated SQL Server Managed Instance enabled by Azure Arc

+To deploy SQL Managed Instance enabled by Azure Arc for Azure Arc Active Directory authentication, update your deployment specification file to reference the Active Directory connector instance to use. Referencing the Active Directory connector in the SQL specification file automatically sets up SQL for Active Directory authentication.

+> In the specification file for both modes, the `admin-login-secret` value in the YAML example provides basic authentication. You can use the parameter value to log in to the managed instance, and then create logins for Active Directory users and groups. For more information, see [Connect to Active Directory-integrated SQL Managed Instance enabled by Azure Arc](connect-active-directory-sql-managed-instance.md).

+## Related content

+- [Connect to Active Directory-integrated SQL Managed Instance enabled by Azure Arc](connect-active-directory-sql-managed-instance.md)

+This article explains how to deploy Active Directory (AD) connector in customer-managed keytab mode. The connector is a key component to enable Active Directory authentication on SQL Managed Instance enabled by Azure Arc.

+## Related content

+* [Connect to AD-integrated SQL Managed Instance enabled by Azure Arc](connect-active-directory-sql-managed-instance.md).

+This article explains how to deploy Active Directory connector in system-managed keytab mode. It is a key component to enable Active Directory authentication on SQL Managed Instance enabled by Azure Arc.

+## Related content

+* [Connect to AD-integrated SQL Managed Instance enabled by Azure Arc](connect-active-directory-sql-managed-instance.md).

+## Related content

+## Related content

+## Related content

+## Related content

+## Related content

+ Title: Limitations of SQL Server Managed Instance enabled by Azure Arc

+description: Limitations of SQL Server Managed Instance enabled by Azure Arc

+# Limitations of SQL Server Managed Instance enabled by Azure Arc

+This article describes limitations of SQL Managed Instance enabled by Azure Arc.

+- Doesn't support restore from one SQL Managed Instance enabled by Azure Arc to another SQL Managed Instance enabled by Azure Arc. The database can only be restored to the same Arc-enabled SQL Managed Instance where the backups were created.

+The roles and responsibilities between Microsoft and its customers differ between Azure PaaS services (Platform As A Service) and Azure hybrid (like SQL Managed Instance enabled by Azure Arc).

+## Related content

+ 3. [Deploy SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+## Related content

+## Related content:

+a SQL Managed Instance enabled by Azure Arc with the [`desiredVersion` property set to `auto`](upgrade-sql-managed-instance-auto.md).

+## Related content

+ Title: Business continuity overview - SQL Managed Instance enabled by Azure Arc

+description: Overview business continuity for SQL Managed Instance enabled by Azure Arc

+# Overview: SQL Managed Instance enabled by Azure Arc business continuity

+This overview describes the set of capabilities that come built-in with SQL Managed Instance enabled by Azure Arc and how you can leverage them to recover from disruptions.

+| High availability | Deploy the Azure Arc enabled SQL Managed Instance in high availability mode to achieve local high availability. This mode automatically recovers from scenarios such as hardware failures, pod/node failures, and etc. The built-in listener service automatically redirects new connections to another replica while Kubernetes attempts to rebuild the failed replica. Learn more about [high-availability in SQL Managed Instance enabled by Azure Arc](.\managed-instance-high-availability.md) |This feature is only available in the Business Critical service tier. <br> For General Purpose service tier, Kubernetes provides basic recoverability from scenarios such as node/pod crashes. |

+|Disaster recovery| Configure disaster recovery by setting up another SQL Managed Instance enabled by Azure Arc in a geographically separate data center to synchronize data from the primary data center. This scenario is useful for recovering from events when an entire data center is down due to disruptions such as power outages or other events. | Available in both General Purpose and Business Critical service tiers|

+## Related content

+[Learn more about configuring high availability in SQL Managed Instance enabled by Azure Arc](.\managed-instance-high-availability.md)

+[Learn more about setting up and configuring disaster recovery in SQL Managed Instance enabled by Azure Arc](.\managed-instance-disaster-recovery.md)

+description: Describes how to configure disaster recovery with a failover group for SQL Managed Instance enabled by Azure Arc with the CLI

+This article explains how to configure disaster recovery for SQL Managed Instance enabled by Azure Arc with the CLI. Before you proceed, review the information and prerequisites in [SQL Managed Instance enabled by Azure Arc - disaster recovery](managed-instance-disaster-recovery.md).

+Once the prerequisites are met, run the below command to set up Azure failover group between the two instances:

+- The instances at both sites are in healthy state and a failover needs to be performed:

+ + the primary SQL Managed Instance enabled by Azure Arc is down/unhealthy/unreachable

+ + the secondary SQL Managed Instance enabled by Azure Arc needs to be force-promoted to primary with potential data loss

+ + when the original primary SQL Managed Instance enabled by Azure Arc comes back online, it will report as `Primary` role and unhealthy state and needs to be forced into a `secondary` role so it can join the failover group and data can be synchronized.

+## Related content

+- [Overview: SQL Managed Instance enabled by Azure Arc business continuity](managed-instance-business-continuity-overview.md)

+ Title: Disaster recovery - SQL Managed Instance enabled by Azure Arc - portal

+description: Describes how to configure disaster recovery for SQL Managed Instance enabled by Azure Arc in the portal

+This article explains how to configure disaster recovery for SQL Managed Instance enabled by Azure Arc with Azure portal. Before you proceed, review the information and prerequisites in [SQL Managed Instance enabled by Azure Arc - disaster recovery](managed-instance-disaster-recovery.md).

+## Related content

+- [Overview: SQL Managed Instance enabled by Azure Arc business continuity](managed-instance-business-continuity-overview.md)

+ Title: Disaster recovery - SQL Managed Instance enabled by Azure Arc

+description: Describes disaster recovery for SQL Managed Instance enabled by Azure Arc

+# SQL Managed Instance enabled by Azure Arc - disaster recovery

+To configure disaster recovery in SQL Managed Instance enabled by Azure Arc, set up Azure failover groups. This article explains failover groups.

+Azure failover groups use the same distributed availability groups technology that is in SQL Server. Because SQL Managed Instance enabled by Azure Arc runs on Kubernetes, there's no Windows failover cluster involved. For more information, see [Distributed availability groups](/sql/database-engine/availability-groups/windows/distributed-availability-groups).

+> - The instances in both geo-primary and geo-secondary sites need to be identical in terms of their compute & capacity, as well as service tiers they are deployed in.

+## Related content

+- [Overview: SQL Managed Instance enabled by Azure Arc business continuity](managed-instance-business-continuity-overview.md)

+ Title: SQL Managed Instance enabled by Azure Arc high availability

+description: Learn how to deploy SQL Server Managed Instance enabled by Azure Arc with high availability.

+# High Availability with SQL Server Managed Instance enabled by Azure Arc

+SQL Managed Instance enabled by Azure Arc is deployed on Kubernetes as a containerized application. It uses Kubernetes constructs such as stateful sets and persistent storage to provide built-in health monitoring, failure detection, and failover mechanisms to maintain service health. For increased reliability, you can also configure SQL Managed Instance enabled by Azure Arc to deploy with extra replicas in a high availability configuration. Monitoring, failure detection, and automatic failover are managed by the Arc data services data controller. Arc-enabled data service provides this service is provided without user intervention. The service sets up the availability group, configures database mirroring endpoints, adds databases to the availability group, and coordinates failover and upgrade. This document explores both types of high availability.

+SQL Managed Instance enabled by Azure Arc provides different levels of high availability depending on whether the SQL managed instance was deployed as a *General Purpose* service tier or *Business Critical* service tier.

+- A SQL Managed Instance enabled by Azure Arc deployed with one replica (default)

+In the Business Critical service tier, in addition to what is natively provided by Kubernetes orchestration, Azure SQL Managed Instance for Azure Arc provides a contained availability group. The contained availability group is built on SQL Server Always On technology. It provides higher levels of availability. SQL Managed Instance enabled by Azure Arc deployed with *Business Critical* service tier can be deployed with either 2 or 3 replicas. These replicas are always kept in sync with each other. With contained availability groups, any pod crashes or node failures are transparent to the application as there is at least one other pod that has the instance that has all the data from the primary and is ready to take on connections.

+SQL Managed Instance enabled by Azure Arc takes this concept of contained availability group and adds Kubernetes operator so these can be deployed and managed at scale.

+- When deployed with multiple replicas, a single availability group named with the same name as the Arc enabled SQL managed instance is created. By default, contained AG has three replicas, including primary. All CRUD operations for the availability group are managed internally, including creating the availability group or joining replicas to the availability group created. Additional availability groups cannot be created in an instance.

+### Deploy SQL Server Managed Instance enabled by Azure Arc with multiple replicas using Azure portal

+### Deploy with multiple replicas using Azure CLI

+When a SQL Managed Instance enabled by Azure Arc is deployed in Business Critical service tier, this enables multiple replicas to be created. The setup and configuration of contained availability groups among those instances is automatically done during provisioning.

+SQL Managed Instance enabled by Azure Arc availability groups has the same limitations as Big Data Cluster availability groups. For more information, see [Deploy SQL Server Big Data Cluster with high availability](/sql/big-data-cluster/deployment-high-availability#known-limitations).

+## Related content

+Learn more about [Features and Capabilities of SQL Managed Instance enabled by Azure Arc](managed-instance-features.md)

+ Title: SQL Managed Instance enabled by Azure Arc Overview

+description: SQL Managed Instance enabled by Azure Arc Overview

+# SQL Managed Instance enabled by Azure Arc Overview

+SQL Managed Instance enabled by Azure Arc is an Azure SQL data service that can be created on the infrastructure of your choice.

+SQL Managed Instance enabled by Azure Arc has near 100% compatibility with the latest SQL Server database engine, and enables existing SQL Server customers to lift and shift their applications to Azure Arc data services with minimal application and database changes while maintaining data sovereignty. At the same time, SQL Managed Instance includes built-in management capabilities that drastically reduce management overhead.

+### SQL Managed Instance enabled by Azure Arc - indirect connected mode

+### SQL Managed Instance enabled by Azure Arc - direct connected mode

+## Related content

+Learn more about [Features and Capabilities of SQL Managed Instance enabled by Azure Arc](managed-instance-features.md)

+Already created a Data Controller? [Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+ Title: Migrate a database from SQL Server to SQL Server Managed Instance enabled by Azure Arc

+description: Migrate database from SQL Server to SQL Server Managed Instance enabled by Azure Arc

+# Migrate: SQL Server to SQL Server Managed Instance enabled by Azure Arc

+Use Azure blob storage for migrating to SQL Managed Instance enabled by Azure Arc.

+## Related content

+[Learn more about Features and Capabilities of SQL Managed Instance enabled by Azure Arc](managed-instance-features.md)

+[Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+## Related content

+To access the logs and monitoring dashboards for SQL Managed Instance enabled by Azure Arc, run the following `azdata` CLI command

+## Related content

+## Related content

+## Related content

+Azure Arc-enabled data services such as SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL server receive updates on a frequent basis including servicing patches and new features similar to the experience in Azure. Updates from the Microsoft Container Registry are provided to you and deployment cadences are set by you in accordance with your policies. This way, on-premises databases can stay up to date while ensuring you maintain control. Because Azure Arc-enabled data services are a subscription service, you will no longer face end-of-support situations for your databases.

+## Related content

+>In addition, deploy [Jumpstart ArcBox for DataOps](https://azurearcjumpstart.com/azure_jumpstart_arcbox/DataOps), an easy to deploy sandbox for all things SQL Managed Instance enabled by Azure Arc. ArcBox is designed to be completely self-contained within a single Azure subscription and resource group, which will make it easy for you to get hands-on with all available Azure Arc-enabled technology with nothing more than an available Azure subscription.

+[Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md) (requires creation of an Azure Arc data controller first)

+ For other ways to create a data controller see the links under [Related content](#related-content).

+ For example, [Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md).

+- You have an Azure subscription that resources such as an Azure Arc data controller, SQL Managed Instance enabled by Azure Arc, or Azure Arc-enabled PostgreSQL server will be projected and billed to.

+1. Create a SQL Managed Instance enabled by Azure Arc and/or an Azure Arc-enabled PostgreSQL server.

+- **Azure subscription ID**: The Azure subscription GUID for where you want to create the data controller resource in Azure. All deployments of SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL are also created in and billed to this subscription.

+- **Azure resource group name**: The name of the resource group where you want to create the data controller resource in Azure. All deployments of SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL are also created in this resource group.

+After you've installed the Azure Arc data controller, you can create and access data services such as SQL Managed Instance enabled by Azure Arc or Azure Arc-enabled PostgreSQL server.

+## Related content

+ Title: Restore a database in SQL Managed Instance enabled by Azure Arc to a previous point-in-time

+description: Explains how to restore a database to a specific point-in-time on SQL Managed Instance enabled by Azure Arc.

+Use the point-in-time restore (PITR) to create a database as a copy of another database from some time in the past that is within the retention period. This article describes how to do a point-in-time restore of a database in SQL Managed Instance enabled by Azure Arc.

+- To a new database on the same SQL Managed Instance enabled by Azure Arc

+You can check the retention setting for a SQL Managed Instance enabled by Azure Arc as follows:

+SQL Managed Instance enabled by Azure Arc has built-in automatic backups feature enabled. Whenever you create or restore a new database, SQL Managed Instance enabled by Azure Arc initiates a full backup immediately and schedules differential and transaction log backups automatically. SQL managed instance stores these backups in the storage class specified during the deployment.

+The default retention period for a new SQL Managed Instance enabled by Azure Arc is seven days, and can be adjusted with values of 0, or 1-35 days. The retention period can be set during deployment of the SQL managed instance by specifying the `--retention-days` property. Backup files older than the configured retention period are automatically deleted.

+ 1. `namespace:` Kubernetes namespace where instance is.

+4. Expand the data controller node, right-click on the instance and select **Manage**. Azure Data Studio launches the SQL managed instance dashboard.

+The Retention period for a SQL Managed Instance enabled by Azure Arc can be reconfigured from their original setting as follows:

+You can disable the built-in automated backups for a specific instance of SQL Managed Instance enabled by Azure Arc by setting the `--retention-days` property to 0, as follows. The below command applies to both ```direct``` and ```indirect``` modes.

+> If you disable Automatic Backups for a SQL Managed Instance enabled by Azure Arc, then any Automatic Backups configured will be deleted and you lose the ability to do a point-in-time restore. You can change the `retention-days` property to re-initiate automatic backups if needed.

+Point-in-time restore to SQL Managed Instance enabled by Azure Arc has the following limitations:

+- You can only restore to the same SQL Managed Instance enabled by Azure Arc from where the backup was taken.

+## Related content

+[Learn more about Features and Capabilities of SQL Managed Instance enabled by Azure Arc](managed-instance-features.md)

+[Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+## Related content

+- SQL Managed Instance enabled by Azure Arc

+- SQL Managed Instance enabled by Azure Arc

+- SQL Managed Instance enabled by Azure Arc

+## Related content

+- Support for configuring and managing Azure Failover groups between two instances using Azure portal. For details, review [Configure failover group - portal](managed-instance-disaster-recovery-portal.md).

+- SQL Managed Instance enabled by Azure Arc

+- SQL Managed Instance enabled by Azure Arc

+ - General Purpose: Customer-managed TDE encryption keys (preview). For information, review [Enable transparent data encryption on SQL Managed Instance enabled by Azure Arc](configure-transparent-data-encryption-sql-managed-instance.md).

+ - Support for customer-managed keytab rotation. For information, review [Rotate SQL Managed Instance enabled by Azure Arc customer-managed keytab](rotate-customer-managed-keytab.md).

+ - Support for `sp_configure` to manage configuration. For information, review [Configure SQL Managed Instance enabled by Azure Arc](configure-managed-instance.md).

+- SQL Managed Instance enabled by Azure Arc

+- SQL Managed Instance enabled by Azure Arc

+ - [Rotate SQL Managed Instance enabled by Azure Arc service-managed credentials (preview)](rotate-sql-managed-instance-credentials.md)

+ - Extended SQL Managed Instance enabled by Azure Arc authentication control plane to PostgreSQL

+General Availability of Business Critical service tier. SQL Managed Instance enabled by Azure Arc instances that have a version greater than or equal to v1.7.0 will be charged through Azure billing meters.

+Preview expected costs for SQL Managed Instance enabled by Azure Arc Business Critical tier when you create new instances.

+Added ability to upgrade instances from Azure Data Studio in the indirect and direct connectivity modes.

+Preview expected costs for SQL Managed Instance enabled by Azure Arc Business Critical tier when you create new instances.

+### SQL Managed Instance enabled by Azure Arc

+Change Data Capture (CDC) is now enabled in SQL Managed Instance enabled by Azure Arc.

+For additional information about service tiers, see [High Availability with SQL Managed Instance enabled by Azure Arc (preview)](managed-instance-high-availability.md).

+- SQL Managed Instance enabled by Azure Arc Business Critical instances can be upgraded from the January release and going forward (preview)

+### SQL Managed Instance enabled by Azure Arc

+- Upgrade instances of SQL Managed Instance enabled by Azure Arc General Purpose in-place

+#### SQL Managed Instance enabled by Azure Arc

+This release announces general availability for SQL Managed Instance enabled by Azure Arc [General Purpose service tier](service-tiers.md) in indirectly connected mode.

+#### SQL Managed Instance enabled by Azure Arc

+- Supports point-in-time restore from an existing database in a SQL Managed Instance enabled by Azure Arc to a new database within the same instance.

+- To set a specific recovery point objective for a SQL Managed Instance enabled by Azure Arc, edit the SQL Managed Instance CRD to set the `recoveryPointObjectiveInSeconds` property. Supported values are from 300 to 600.

+- SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL server are not GB18030 certified.

+- When Azure Arc data controller is deleted from Azure portal, validation is done to block the delete if there any instances deployed on this Arc data controller. Currently, this validation is applied only when the delete is performed from the Overview page of the Azure Arc data controller.

+#### SQL Managed Instance enabled by Azure Arc

+- Portal does not show SQL Managed Instance enabled by Azure Arc resources created in the June release. Delete the SQL Managed Instance resources from the resource group list view. You may need to delete the custom location resource first.

+- Doesn't support restore from one SQL Managed Instance enabled by Azure Arc to another SQL Managed Instance enabled by Azure Arc. The database can only be restored to the same SQL Managed Instance enabled by Azure Arc where the backups were created.

+#### New Azure CLI extension for data controller and SQL Server Managed Instance enabled by Azure Arc

+#### SQL Managed Instance enabled by Azure Arc

+#### SQL Managed Instance enabled by Azure Arc

+- You can now configure a SQL Managed Instance to have a pricing tier (`GeneralPurpose`, `BusinessCritical`), license type (`LicenseIncluded`, `BasePrice` (used for AHB pricing), and `developer`. There will be no charges incurred for using SQL Managed Instance enabled by Azure Arc until the General Availability date (publicly announced as scheduled for July 30, 2021) and until you upgrade to the General Availability version of the service.

+#### SQL Managed Instance enabled by Azure Arc

+- New [Azure CLI extension](/cli/azure/azure-cli-extensions-overview) for SQL Managed Instance enabled by Azure Arc has the same commands as `az sql mi-arc <command>`. All SQL Managed Instance enabled by Azure Arc commands are located at `az sql mi-arc`. All Arc related `azdata` commands will be deprecated and moved to Azure CLI in a future release.

+#### SQL Managed Instance enabled by Azure Arc

+## Related content

+description: This article explains how to rebuild a broken SQL Server Managed Instance enabled by Azure Arc replica. A replica may break due to storage corruption, for example.

+# Reprovision replica - SQL Server Managed Instance enabled by Azure Arc

+This article describes how to provision a new replica to replace an existing replica in SQL Server Managed Instance enabled by Azure Arc.

+When you reprovision a replica, you rebuild a new managed instance replica for a SQL Server Managed Instance enabled by Azure Arc deployment. Use this task to replace a replica that is failing to synchronize, for example, due to corruption of the data on the persistent volumes (PV) for that instance, or due to some recurring SQL issue.

+description: Learn how to buy SQL Server Managed Instance enabled by Azure Arc reserved capacity to save costs.

+# Reserved capacity - SQL Server Managed Instance enabled by Azure Arc

+Save money with SQL Managed Instance enabled by Azure Arc by committing to a reservation for Azure Arc services compared to pay-as-you-go prices. With reserved capacity, you make a commitment for SQL Managed Instance enabled by Azure Arc use for one or three years to get a significant discount on the service fee. To purchase reserved capacity, you need to specify the Azure region, deployment type, performance tier, and term.

+3. Select **Add** and then in the **Purchase Reservations** pane, select **SQL Managed Instance** to purchase a new reservation for SQL Managed Instance enabled by Azure Arc.

+## Related content

+To learn about service tiers for SQL Managed Instance enabled by Azure Arc, see [SQL Managed Instance enabled by Azure Arc service tiers](service-tiers.md).

+When you deploy a SQL Managed Instance enabled by Azure Arc, you can configure the size of the persistent volume (PV) for `data`, `logs`, `datalogs`, and `backups`. The deployment creates these volumes based on the values set by parameters `--volume-size-data`, `--volume-size-logs`, `--volume-size-datalogs`, and `--volume-size-backups`. When these volumes become full, you will need to resize the `PersistentVolumes`. SQL Managed Instance enabled by Azure Arc is deployed as part of a `StatefulSet` for both General Purpose or Business Critical service tiers. Kubernetes supports automatic resizing for persistent volumes but not for volumes attached to `StatefulSet`.

+## Related content

+## Related content

+# Rotate SQL Server Managed Instance enabled by Azure Arc customer-managed keytab

+This article describes how to rotate customer-managed keytabs for SQL Managed Instance enabled by Azure Arc. These keytabs are used to enable Active Directory logins for the managed instance.

+Before you proceed with this article, you must have an active directory connector in customer-managed keytab mode and a SQL Managed Instance enabled by Azure Arc created.

+- [Deploy and connect a SQL Managed Instance enabled by Azure Arc](./deploy-active-directory-sql-managed-instance.md)

+## Related content

+# Rotate SQL Server Managed Instance enabled by Azure Arc service-managed credentials (preview)

+This article describes how to rotate service-managed credentials for SQL Managed Instance enabled by Azure Arc. Arc data services generate various service-managed credentials like certificates and SQL logins used for Monitoring, Backup/Restore, High Availability etc. These credentials are considered custom resource credentials managed by Azure Arc data services.

+Before you proceed with this article, you must have a SQL Managed Instance enabled by Azure Arc resource created.

+- [a SQL Managed Instance enabled by Azure Arc created](./create-sql-managed-instance.md)

+## Related content

+ Title: Rotate user-provided TLS certificate in indirectly connected SQL Server Managed Instance enabled by Azure Arc

+description: Rotate user-provided TLS certificate in indirectly connected SQL Server Managed Instance enabled by Azure Arc

+# Rotate certificate SQL Server Managed Instance enabled by Azure Arc (indirectly connected)

+This article describes how to rotate user-provided Transport Layer Security(TLS) certificate for SQL Managed Instance enabled by Azure Arc in indirectly connected mode using Azure CLI or `kubectl` commands.

+* a SQL Managed Instance enabled by Azure Arc in indirectly connected mode

+## Related content

+## Related content

+ Title: SQL Managed Instance enabled by Azure Arc service tiers

+description: Explains the service tiers available for SQL Managed Instance enabled by Azure Arc deployments.

+# SQL Managed Instance enabled by Azure Arc service tiers

+As part of the family of Azure SQL products, SQL Managed Instance enabled by Azure Arc is available in two [vCore](/azure/azure-sql/database/service-tiers-vcore) service tiers.

+## Related content

+This article describes the support policies and troubleshooting boundaries for Azure Arc-enabled data services. This article specifically explains support for Azure Arc data controller and SQL Managed Instance enabled by Azure Arc.

+Microsoft supports Azure Arc-enabled data services for one year from the date of the release of that specific version. This support applies to the data controller, and any supported data services. For example, this support also applies to SQL Managed Instance enabled by Azure Arc.

+Microsoft supports Azure Arc-enabled data services, including the data controller, and the data services (like SQL Managed Instance enabled by Azure Arc) that we provide. Arc-enabled data services require a Kubernetes distribution deployed in a customer operated environment. Microsoft does not provide support for the Kubernetes distribution. Support for the environment and hardware that hosts Kubernetes is provided by the operator of the environment and hardware.

+## Related content:

+## Related content

+ Title: Troubleshoot configuration - SQL Managed Instance enabled by Azure Arc

+description: Describes how to troubleshoot configuration. Includes steps to provide configuration files for SQL Managed Instance enabled by Azure Arc Azure Arc-enabled data services

+## Related content

+ Title: Troubleshoot connection to failover group - SQL Server Managed Instance enabled by Azure Arc

+# Troubleshoot SQL Server Managed Instance enabled by Azure Arc deployments

+## Connection to SQL Server Managed Instance enabled by Azure Arc failover group

+If one of `synchronizationState` isn't equal to `HEALTHY`, focus on the instance which `synchronizationState` isn't equal to `HEALTHY`". Refer to [Can't connect to SQL Server Managed Instance enabled by Azure Arc](#cant-connect-to-sql-server-managed-instance-enabled-by-azure-arc).

+## Can't connect to SQL Server Managed Instance enabled by Azure Arc

+This section identifies specific steps you can take to troubleshoot connections to SQL Managed Instance enabled by Azure Arc.

+> You can't connect to a SQL Managed Instance enabled by Azure Arc if the instance license type is `DisasterRecovery`.

+## Related content

+Deploying Azure Arc-enabled data services involves deploying an Azure Arc data controller and instances of data services SQL Managed Instance enabled by Azure Arc or Azure Arc-enabled PostgresQL server. Deployment creates several artifacts, such as:

+Before you delete a resource such as SQL Managed Instance enabled by Azure Arc or data controller, ensure you complete the following actions first:

+ - [Delete SQL Managed Instance enabled by Azure Arc](delete-managed-instance.md)

+After deleting any existing instances of SQL Managed Instance enabled by Azure Arc and/or Azure Arc-enabled PostgreSQL server, delete the data controller using one of the appropriate method for connectivity mode.

+## Related content

+description: The article describes how to upgrade an active directory connector for direct or indirect mode connected to SQL Managed Instance enabled by Azure Arc

+Upgrade the data controller before you upgrade any data service. SQL Managed Instance enabled by Azure Arc is an example of a data service.

+You can set the `--desired-version` parameter of the `spec.update.desiredVersion` property of a SQL Managed Instance enabled by Azure Arc to `auto` to ensure that your managed instance will be upgraded after a data controller upgrade, with no interaction from a user. This setting simplifies management, as you don't need to manually upgrade every instance for every release.

+description: Article describes how to upgrade an indirectly connected SQL Managed Instance enabled by Azure Arc using Kubernetes tools

+ To upload logs for SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL servers run the following CLI commands-

+## Related content

+## Related content

+To upload metrics for SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL, run the following CLI commands:

+## Related content

+## Related content

+## Related content

+> At the current time, SQL Managed Instance enabled by Azure Arc is generally available in select regions.

+2. Deploy [SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+## Related content

+This release introduces general availability for SQL Managed Instance enabled by Azure Arc General Purpose and SQL Server enabled by Azure Arc. The following table describes the components in this release.

+After you upload your [metrics, logs](upload-metrics-and-logs-to-azure-monitor.md), or [usage](view-billing-data-in-azure.md), you can view your deployments of SQL Managed Instance enabled by Azure Arc or Azure Arc-enabled PostgreSQL servers in the Azure portal. To view your resource in the [Azure portal](https://portal.azure.com), follow these steps:

+ - [Create a SQL Managed Instance enabled by Azure Arc](create-sql-managed-instance.md)

+After you complete your first [metrics or logs upload to Azure](upload-metrics-and-logs-to-azure-monitor.md) or [usage data upload](view-billing-data-in-azure.md), you can see the Azure Arc data controller and any SQL Managed Instance enabled by Azure Arcs or Azure Arc-enabled PostgreSQL server resources in the [Azure portal](https://portal.azure.com).

+## Related content

+As an extension of the Azure location construct, the *custom locations* feature provides a way for tenant administrators to use their Azure Arc-enabled Kubernetes clusters as target locations for deploying Azure services instances. Examples of Azure offerings that can be deployed on top of custom locations include databases, such as SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL server.

+ The *custom locations* feature provides a way for tenant or cluster administrators to configure their Azure Arc-enabled Kubernetes clusters as target locations for deploying instances of Azure offerings. Examples of Azure offerings that can be deployed on top of custom locations include databases, such as SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL server, or application instances, such as App Services, Functions, Event Grid, Logic Apps, and API Management.

+- SQL Server enabled by Azure Arc

+* Learn about [SQL Server enabled by Azure Arc](/sql/sql-server/azure-arc/overview).

+* A namespace within a Kubernetes cluster to target deployment of SQL Managed Instance enabled by Azure Arc and Azure Arc-enabled PostgreSQL servers.

+Azure Arc VM management (preview) on Azure Stack HCI supports upgrade of an Arc resource bridge on Azure Stack HCI, version 22H2 up until appliance version 1.0.14 and `az arcappliance` CLI extension version 0.2.33. These upgrades can be done through manual upgrade. However, Azure Stack HCI, version 22H2 won't be supported for appliance version 1.0.15 or higher, because it's being deprecated. Customers on Azure Stack HCI, version 22H2 will receive limited support. To use appliance version 1.0.15 or higher, you must transition to Azure Stack HCI, version 23H2 (preview). In version 23H2 (preview), the LCM tool manages upgrades across all components as a "validated recipe" package. For more information, visit the [Arc VM management FAQ page](/azure-stack/hci/manage/azure-arc-vms-faq).

+- Introduced a new [proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) option, `ArcData`, that covers the SQL Server enabled by Azure Arc endpoints. This will enable you to use a private endpoint with Azure Arc-enabled servers with the public endpoints for SQL Server enabled by Azure Arc.

+¹ The proxy bypass value `ArcData` is available starting with Azure Connected Machine agent version 1.36 and Azure Extension for SQL Server version 1.1.2504.99. Earlier versions include the SQL Server enabled by Azure Arc endpoints in the "Arc" proxy bypass value.

+Plan and prepare to onboard your machines to Azure Arc-enabled servers through the installation of the [Azure Connected Machine agent](agent-overview.md) (version 1.34 or higher) to establish a connection to Azure. Windows Server 2012 Extended Security Updates supports Windows Server 2012 and R2 Standard and Datacenter editions. Windows Server 2012 Storage is not supported.

+You must also download both the licensing package and servicing stack update (SSU) for the Azure Arc-enabled server as documented at [KB5031043: Procedure to continue receiving security updates after extended support has ended on October 10, 2023](https://support.microsoft.com/topic/kb5031043-procedure-to-continue-receiving-security-updates-after-extended-support-has-ended-on-october-10-2023-c1a20132-e34c-402d-96ca-1e785ed51d45).

+Ensure that both the licensing package and servicing stack update (SSU) are downloaded for the Azure Arc-enabled server as documented at [KB5031043: Procedure to continue receiving security updates after extended support has ended on October 10, 2023](https://support.microsoft.com/topic/kb5031043-procedure-to-continue-receiving-security-updates-after-extended-support-has-ended-on-october-10-2023-c1a20132-e34c-402d-96ca-1e785ed51d45). Ensure you are following all of the networking prerequisites as recorded at [Prepare to deliver Extended Security Updates for Windows Server 2012](prepare-extended-security-updates.md?tabs=azure-cloud#networking).

+ |Dimension values|The dimension values are based on data from the last 24 hours. Select **Add custom value** to add custom dimension values.|

+1. Specify if the alert rule should trigger one or more [action groups](./action-groups.md) when the alert condition is met. For limits on the actions that can be performed, see [Azure Monitor service limits](../../azure-monitor/service-limits.md).

+1. If the pods are in a running state, but there is no data in Log Analytics or data appears to only send during a certain part of the day, it might be an indication that the daily cap has been met. When this limit is met each day, data stops ingesting into the Log Analytics Workspace and resets at the reset time. For more information, see [Log Analytics Daily Cap](../../azure-monitor/logs/daily-cap.md#determine-your-daily-cap).

+- **Azure Monitor Metrics REST API** - Allows you to access Azure Monitor platform metrics definitions and values. For more information, see [Azure Monitor REST API](/rest/api/monitor/metrics/list). For information on how to use the API, see the [Azure monitoring REST API walkthrough](./rest-api-walkthrough.md).

+> [!NOTE]

+> Moving or renaming an Azure Resource may result in a lost of metric history for that resource.

+> [!NOTE]

+> The export operation is subject to the [Log Analytics Query API limits](../service-limits.md#la-query-api). If your query results exceed the maximum size of data returned by the Query API, the operation exports partial results.

+All dashboards are private when created, and each user can create up to 100 private dashboards. If you publish and [share a dashboard with other users in your organization](azure-portal-dashboard-share-access.md), the shared dashboard is implemented as an Azure resource in your subscription, and doesn't count towards the private dashboard limit.

+ > Please store your SSH private key as a secret in Azure Key Vault using the **PowerShell** or **Azure CLI** experience. Storing your private key via the Azure Key Vault portal experience will interfere with the formatting and result in unsuccessful login. If you did store your private key as a secret using the portal experience and no longer have access to the original private key file, see [Update SSH key](../virtual-machines/extensions/vmaccess-linux.md#update-ssh-key) to update access to your target VM with a new SSH key pair.

+ > Please store your SSH private key as a secret in Azure Key Vault using the **PowerShell** or **Azure CLI** experience. Storing your private key via the Azure Key Vault portal experience will interfere with the formatting and result in unsuccessful login. If you did store your private key as a secret using the portal experience and no longer have access to the original private key file, see [Update SSH key](../virtual-machines/extensions/vmaccess-linux.md#update-ssh-key) to update access to your target VM with a new SSH key pair.

+ > Please store your SSH private key as a secret in Azure Key Vault using the **PowerShell** or **Azure CLI** experience. Storing your private key via the Azure Key Vault portal experience will interfere with the formatting and result in unsuccessful login. If you did store your private key as a secret using the portal experience and no longer have access to the original private key file, see [Update SSH key](../virtual-machines/extensions/vmaccess-linux.md#update-ssh-key) to update access to your target VM with a new SSH key pair.

+ > Please store your SSH private key as a secret in Azure Key Vault using the **PowerShell** or **Azure CLI** experience. Storing your private key via the Azure Key Vault portal experience will interfere with the formatting and result in unsuccessful login. If you did store your private key as a secret using the portal experience and no longer have access to the original private key file, see [Update SSH key](../virtual-machines/extensions/vmaccess-linux.md#update-ssh-key) to update access to your target VM with a new SSH key pair.

+| Compression encodings |gzip, brotli |gzip |gzip, deflate, bzip2, brotli |gzip, deflate, bzip2, brotli |

+- brotli

+When the HTTP request has the header `Accept-Encoding: br`, the CDN responds with an uncompressed response.

+Azure Communication Services Call Automation APIs provide developers the ability to steer and control the Azure Communication Services Telephony, VoIP or WebRTC calls using real-time event triggers to perform actions based on custom business logic specific to their domain. Within the Call Automation APIs developers can use simple AI powered APIs, which can be used to play personalized greeting messages, recognize conversational voice inputs to gather information on contextual questions to drive a more self-service model with customers, use sentiment analysis to improve customer service overall. These content specific APIs are orchestrated through **Azure AI Services** with support for customization of AI models without developers needing to terminate media streams on their services and streaming back to Azure for AI functionality.

+> This integration is supported in limited regions for Azure AI services, for more information about which regions are supported please view the limitations section at the bottom of this document. This integration only supports Multi-service Cognitive Service resource, we recommend if you're creating a new Azure AI Service resource you create a Multi-service Cognitive Service resource or when you're connecting an existing resource confirm that it is a Multi-service Cognitive Service resource.

+- westeurope

+- northeurope

+- southafricanorth

+- canadacentral

+- centralindia

+- eastasia

+- southeastasia

+- australiaeast

+- brazilsouth

+- uaenorth

+- Build interactive interaction workflows to self-serve customers for use cases like order bookings and updates, using Play (Audio URL, Text-to-Speech and SSML) and Recognize (DTMF and Voice) actions.

+| | Play Audio using Text-to-Speech | ✔️ | ✔️ | ✔️ | ✔️ |

+| | Recognize user voice inputs | ✔️ | ✔️ | ✔️ | ✔️ |

+| | Start continuous DTMF recognition | ✔️ | ✔️ | ✔️ | ✔️ |

+| | Stop continuous DTMF recognition | ✔️ | ✔️ | ✔️ | ✔️ |

+| | Send DTMF | ✔️ | ✔️ | ✔️ | ✔️ |

+| | Mute participant | ✔️ | ✔️ | ✔️ | ✔️ |

+**Continuous DTMF recognition**

+When your application needs to be able to receive DTMF tones at any point in the call without the application needing to trigger a specific recognize action. This can be useful in scenarios where an agent is on a call and needs the user to enter in some kind of ID or tracking number. To learn more about how to use this view our [guide](../../how-tos/call-automation/control-mid-call-media-actions.md).

+**Send DTMF**

+When your application needs to send DTMF tones to an external participant, this could be for purposes like dialing out to an external agent and providing the extension number, or something like navigating an external IVR menu.

+**Mute**

+Your application can mute certain users based on your business logic. The user would then need to unmute themselves manually if they want to speak.

+| PlayCanceled | The requested play action has been canceled |

+| RecognizeCanceled | The requested recognize action has been canceled |

+|RecordingStateChanged | Status of recording action has changed from active to inactive or vice versa |

+| ContinuousDtmfRecognitionToneReceived | StartContinuousDtmfRecognition completed successfully and a DTMF tone was received from the participant |

+| ContinuousDtmfRecognitionToneFailed | StartContinuousDtmfRecognition completed but an error occurred while handling a DTMF tone from the participant |

+| ContinuousDtmfRecognitionStopped | Successfully executed StopContinuousRecognition |

+| SendDtmfCompleted | SendDTMF completed successfully and the DTMF tones were sent to the target participant |

+| SendDtmfFailed | An error occurred while sending the DTMF tones |

+You can use the newly announced integration between [Azure Communication Services and Azure AI services](./azure-communication-services-azure-cognitive-services-integration.md) to play personalized responses using Azure [Text-To-Speech](../../../../articles/cognitive-services/Speech-Service/text-to-speech.md). You can use human like prebuilt neural voices out of the box or create custom neural voices that are unique to your product or brand. For more information on supported voices, languages and locales see [Language and voice support for the Speech service](../../../../articles/cognitive-services/Speech-Service/language-support.md).

+> Azure Communication Services currently supports two file formats, MP3 files with ID3V2TAG and WAV files formatted as 16-bit PCM mono channel audio recorded at 16KHz. You can create your own audio files using [Speech synthesis with Audio Content Creation tool](../../../ai-services/Speech-Service/how-to-audio-content-creation.md).

+## Sample architecture for playing audio in call using Text-To-Speech

+This sandbox setup is to help developers start building the application. Once you have established a sender reputation by sending mails, you can request to increase the sending volume limits. Submit a [support request](https://azure.microsoft.com/support/create-ticket/) to raise your desired email sending limit if you require sending a volume of messages exceeding the rate limits. Email quota increase requests are not automatically approved. The reviewing team will consider your overall sender reputation, which includes factors such as your email delivery failure rates, your domain reputation, and reports of spam and abuse when determining approval status.

+> [!NOTE]

+> Email quota increase requests may take up to 72 hours to be evaluated and approved, especially for requests that come in on Friday afernoon.

+The Data Channel can be used in many different scenarios. Two common use case examples are:

+The Data Channel API enables the transmission of binary type messages among call participants. With appropriate serialization in the application, it can deliver various message types for different purposes. There are also other libraries or services providing the messaging functionalities. Each of them has its advantages and disadvantages. You should choose the suitable one for your usage scenario. For example, the Data Channel API offers the advantage of low-latency communication, and simplifies user management as there's no need to maintain a separate participant list. However, the data channel feature doesn't provide message persistence and doesn't guarantee that message won't be lost in an end-to-end manner. If you need the stateful messaging or guaranteed delivery, you may want to consider alternative solutions.

+File sharing represents another common use cases for the Data Channel API. In a peer-to-peer call scenario, the Data Channel connection works on a peer-to-peer basis. This setup offers an efficient method for file transfer, taking full advantage of the direct, peer-to-peer connection to enhance speed and reduce latency.

+In a group call scenario, files can still be shared among participants. However, there are better ways, such as Azure Storage or Azure Files. Additionally, broadcasting the file content to all participants in a call can be achieved by setting an empty participant list. However, it's important to keep in mind that, in addition to bandwidth limitations, there are further restrictions imposed during a group call when broadcasting messages, such as packet rate and back pressure from the receive bitrate.

+Every Data Channel message is associated with a specific channel identified by `channelId`. It's important to clarify that this channelId isn't related to the `id` property in the WebRTC Data Channel. This channelId can be utilized to differentiate various application uses, such as using 1000 for control messages and 1001 for image transfers.

+The channelId is assigned during the creation of a DataChannelSender object, and can be either user-specified or determined by the SDK if left unspecified.

+The valid range of a channelId lies between 1 and 65535. If a channelId 0 is provided, or if no channelId is provided, the SDK assigns an available channelId from within the valid range.

+A `durable` channel means the SDK guarantees a lossless and ordered message delivery. In cases when a message can't be delivered, the SDK will throw an exception. In the Web SDK, the durability of the channel is ensured through a reliable SCTP connection. However, it doesn't imply that message won't be lost in an end-to-end manner. In the context of a group call, it signifies the prevention of message loss between the sender and server. In a peer-to-peer call, it denotes reliable transmission between the sender and remote endpoint.

+The Data Channel API introduces the concept of a session, which adheres to open-close semantics. In the SDK, the session is associated to the sender or the receiver object.

+Upon creating a sender object with a new channelId, the sender object is in open state. If the `close()` API is invoked on the sender object, the session becomes closed and can no longer facilitate message sending. At the same time, the sender object notifies all participants in the call that the session is closed.

+From the receiver's perspective, messages coming from different sessions on the sender's side are directed to distinct receiver objects. If the SDK identifies a new session associated with an existing channelId on the receiver's side, it creates a new receiver object. The SDK doesn't close the older receiver object; such closure takes place 1) when the receiver object receives a closure notification from the sender, or 2) if the session hasn't received any messages from the sender for over two minutes.

+The maximum number of participants in a list is limited to 64. If you want to specify more participants, you'll need to manage participant list on your own. For example, if you want to send a message to 50 participants, you can create two different channels, each with 25 participants in their recipient lists. When calculating the limit, two endpoints with the same participant identifier will be counted as separate entities. As an alternative, you could opt for broadcasting messages. However, certain restrictions apply when broadcasting messages.

+Currently the calling SDK has rate limiting implemented, which prevents users from sending data at a higher speed even if their network allows it. The current bandwidth rate maximums for data channel are:

+- Reliable channel (Durable): 64 kbps

+- Unreliable channel (Lossy): 512 kbps

+- High priority unreliable channel: 200 kbps

+However, when broadcasting messages, the send bitrate limit is dynamic and depends on the receive bitrate. In the current implementation, the send bitrate limit is calculated as the maximum send bitrate minus 80% of the receive bitrate.

+Furthermore, we also enforce a packet rate restriction when sending broadcast messages. The current limit is set at 80 packets per second, where every 1200 bytes in a message is counted as one packet. These measures are in place to prevent flooding when a significant number of participants in a group call are broadcasting messages.

+var tones = new DtmfTone[] { DtmfTone.One, DtmfTone.Two, DtmfTone.Three, DtmfTone.Pound };

+var sendDtmfTonesOptions = new SendDtmfTonesOptions(tones, new PhoneNumberIdentifier(calleePhonenumber))

+{

+ OperationContextΓÇ»=ΓÇ»"dtmfs-to-ivr"

+};

+var sendDtmfAsyncResult = await callAutomationClient.GetCallConnection(callConnectionId)

+ .GetCallMedia()

+        .SendDtmfTonesAsync(sendDtmfTonesOptions);

+SendDtmfTonesOptions options = new SendDtmfTonesOptions(tones, new PhoneNumberIdentifier(c2Target));

+options.setOperationContext("dtmfs-to-ivr");

+ .getCallMediaAsync()

+ .sendDtmfTonesWithResponse(options)

+ .block();

+ContinuousDtmfRecognitionOptions options = new ContinuousDtmfRecognitionOptions(new PhoneNumberIdentifier(c2Target));

+options.setOperationContext("dtmf-reco-on-c2");

+ .getCallMediaAsync()

+ .startContinuousDtmfRecognitionWithResponse(options)

+ .block();

+var continuousDtmfRecognitionOptions = new ContinuousDtmfRecognitionOptions(new PhoneNumberIdentifier(callerPhonenumber))

+{

+    OperationContext = "dtmf-reco-on-c2"

+};

+var startContinuousDtmfRecognitionAsyncResult = await callAutomationClient.GetCallConnection(callConnectionId)

+    .GetCallMedia()

+    .StartContinuousDtmfRecognitionAsync(continuousDtmfRecognitionOptions);

+ContinuousDtmfRecognitionOptions options = new ContinuousDtmfRecognitionOptions(new PhoneNumberIdentifier(c2Target));

+options.setOperationContext("dtmf-reco-on-c2");

+ .getCallMediaAsync()

+ .stopContinuousDtmfRecognitionWithResponse(options)

+ .block();

+if (acsEvent is ContinuousDtmfRecognitionToneReceived continuousDtmfRecognitionToneReceived)

+ logger.LogInformation("Tone detected: sequenceId={sequenceId}, tone={tone}",

+ continuousDtmfRecognitionToneReceived.SequenceId,

+        continuousDtmfRecognitionToneReceived.Tone);

+ if (acsEvent instanceof ContinuousDtmfRecognitionToneReceived) {

+ ContinuousDtmfRecognitionToneReceived event = (ContinuousDtmfRecognitionToneReceived) acsEvent;

+ log.info("Tone detected: sequenceId=" + event.getSequenceId()

+ +ΓÇ»", tone=" + event.getTone().convertToString()

+ +ΓÇ»", context=" + event.getOperationContext());

+if (event.type === "Microsoft.Communication.ContinuousDtmfRecognitionToneReceived") {

+ console.log("Tone detected: sequenceId=%s, tone=%s, context=%s",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» eventData.sequenceId,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» eventData.tone,

+ eventData.operationContext);

+}

+if event.type == "Microsoft.Communication.ContinuousDtmfRecognitionToneReceived":

+ app.logger.info("Tone detected: sequenceId=%s, tone=%s, context=%s",

+ event.data['sequenceId'],

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» event.data['tone'],

+ event.data['operationContext'])

+## Overview

+This document provides information about registering a WhatsApp Business Account with Azure Communication Services. This [video](https://learn.microsoft.com/_themes/docs.theme/master/en-us/_themes/global/video-embed.html?id=04c63978-6f27-4289-93d6-625d8569ee28) demonstrates the process.

+ Title: Use Ledger explorer to visually verify your transactions

+description: Learn to use the Microsoft Azure confidential ledger through Azure portal

+# Quickstart: Upload, view and list ledger data with the Azure ledger explorer

+In this quickstart, learn how to use the [Azure portal](https://portal.azure.com) to list, view and verify the integrity and authenticity of the data stored in your Azure confidential ledger.

+## Prerequisites

+The ledger explorer is accessible through the Azure Portal for your confidential ledger resource. You need to be logged in with an Entra ID user which has a Reader, Contributor or Administrator role assigned to access the ledger explorer. For help managing Entra ID users for your ledger, please see [Manage Microsoft Entra token-based users in Azure confidential ledger](./manage-azure-ad-token-based-users.md).

+## How to use the ledger explorer

+The ledger explorer allows you to a list of all transactions on your ledger with their IDs and contents, filtered by collections. You can click on a transaction row to see more details, such as the transaction ID, the transaction receipt, and the cryptographic proof.

+As the ledger is an append-only, sequential datastore, data fetched sequentially starting from Transaction ID `2.1`, the start of the ledger.

+To use the ledger explorer, follow these steps:

+1) Open the Azure portal and log in as an Entra ID user who has a Reader, Contributor or Administrator role assigned for the confidential ledger resource.

+1) On the Overview page, navigate to the "Ledger explorer (preview)" tab

+### Searching for a transaction

+[CCF Transaction IDs](https://microsoft.github.io/CCF/main/use_apps/verify_tx.html#verifying-transactions) require both a view and a sequence number, separated by a `.`. e.g. `2.15`

+Valid Transaction IDs start at `2.1`. Your transactions will receive a unique sequence number assigned by the system, and will be associated with a view.

+If you have previously recorded the specific Transaction ID of a past transaction, you may enter that Transaction ID in the search box to locate that transaction.

+- Search: You can use the filters and the search box to start your transaction search from any Transaction ID.

+### Creating an entry

+Entries can be created from ledger explorer if you have Administrator or Contributor roles. You can use Ledger explorer to quickly create a new ledger entry by clicking on the `Create` button in the command bar.

+Every entry requires a `Collection ID` along with some content. A default Collection ID `subledger:0` is assigned if you do not specify one.

+You can change the Collection ID using the dropdown, or specify a completely new collection by typing it in the `Collection Id` field.

+

+> [!WARNING]

+> Ledger entries are immutable. Once you have committed a transaction you cannot delete it.

+>

+## How to verify your ledger data

+One of the key features of Azure confidential ledger is that it provides cryptographic evidence that your ledger data has not been tampered with via Transaction Receipts.

+A transaction receipt is a JSON document that contains the metadata of a transaction, such as the transaction ID, cryptographic proofs and certificate information. You can use the transaction receipt to verify that a transaction exists on your ledger and that it has not been modified. To learn more about transaction receipts, please read [Write Transaction Receipts](./write-transaction-receipts.md).

+Ledger explorer performs the verification steps listed in [Verify Azure Confidential Ledger write transaction receipts](./verify-write-transaction-receipts.md) to verify the transaction receipt.

+To begin verifying a transaction:

+1. Click on a transaction in Ledger explorer

+1. Click on the `Proof` tab.

+### 1. Leaf node computation:

+The transaction digest is computed from the `Claims Digest`, `Commit Evidence` and `Write Set Digest`. This transaction digest is inserted as a leaf node into the merkle tree.

+

+This step corresponds to [Leaf Node Computation](./verify-write-transaction-receipts.md#leaf-node-computation) in [Verify Azure Confidential Ledger write transaction receipts](./verify-write-transaction-receipts.md).

+### 2. Root node computation

+The transaction receipt provides a cryptographic proof with the Merkle tree branches that leads to the root of the Merkle tree.

+

+This step corresponds to [Root node Computation](./verify-write-transaction-receipts.md#root-node-computation) in [Verify Azure Confidential Ledger write transaction receipts](./verify-write-transaction-receipts.md)

+### 3. Verify signature

+When this transaction is committed, the primary node signs the Merkle root. To verify that this transaction was committed by your ledger and has not been tampered with, Ledger explorer uses the public key of the signing node and the digital signature to verify that the calculated Merkle root matches the signed value.

+Finally, we check that the signing node is endorsed by the ledger. If the transaction is committed and has not been tampered with, Ledger explorer will indicate that the `Globally Committed Status` is `verified`.

+

+This step corresponds to [Verify signature over root node](./verify-write-transaction-receipts.md#verify-signature-over-root-node) and [Verify signing node certificate endorsement](./verify-write-transaction-receipts.md#verify-signing-node-certificate-endorsement) in [Verify Azure Confidential Ledger write transaction receipts](./verify-write-transaction-receipts.md)

+## Next steps

+Learn more about using the SDK to write to and read from the ledger, and verify write transaction receipts:

+- [Quickstart: Microsoft Azure confidential ledger client library for Python](./quickstart-python.md)

+- [Verify write transaction receipts - Code Walkthrough](./verify-write-transaction-receipts.md#code-walkthrough)

+## Prerequisites

+## Prerequisites

+| Azure Container Registry (ACR) | *Your-ACR-address*, `*.blob.core.windows.net`, `login.microsoft.com` | These FQDNs are required when using Azure Container Apps with ACR and Azure Firewall. |

+ --replica-retry-limit 0 `

+ --replica-retry-limit 0 \

+ --scale-rule-metadata "poolName=$AZP_POOL" "targetPipelinesQueueLength=1" \

+ --scale-rule-metadata "poolName=$AZP_POOL" "targetPipelinesQueueLength=1" `

+# Change Data Capture in Azure Cosmos DB analytical store

+# Get started with change data capture in the analytical store for Azure Cosmos DB

+## Health events and observability

+If previously you were using `IHealthMonitor` or you were leveraging `IChangeFeedObserver.OpenAsync` and `IChangeFeedObserver.CloseAsync`, use the [Notifications API](./change-feed-processor.md#life-cycle-notifications).

+* `IChangeFeedObserver.OpenAsync` can be replaced with `WithLeaseAcquireNotification`.

+* `IChangeFeedObserver.CloseAsync` can be replaced with `WithLeaseReleaseNotification`.

+* `IHealthMonitor.InspectAsync` can be replaced with `WithErrorNotification`.

+# Time travel in Azure Synapse Link for Azure Cosmos DB for NoSQL

+Currently transfer isn't supported for [Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) products. For a workaround, see [Move resources to new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md).

+If you have consistent compute spend, but your use of disparate resources makes reservations infeasible, buying a savings plan gives you the ability to reduce your costs. For example, if you consistently spend at least $X every hour, but your usage comes from different resources and/or different datacenter regions, you likely can't effectively cover these costs with reservations. When you buy a savings plan, your hourly usage, up to your commitment amount, is discounted. For this usage, you no longer charged at the pay-as-you-go rates.

+- [Buy a savings plan](buy-savings-plan.md).

+>- This feature doesn't apply when copy activity is configured to invoke a [stored procedure from a SQL sink](./connector-azure-sql-database.md#invoke-a-stored-procedure-from-a-sql-sink), or use [Upsert](connector-azure-sql-database.md#upsert-data) to write data into a SQL sink.

+- A free trial account.

+- For on-premises SQL servers, you can learn more about [SQL Server enabled by Azure Arc](/sql/sql-server/azure-arc/overview) and how to [install Log Analytics agent on Windows computers without Azure Arc](../azure-monitor/agents/agent-windows.md).

+> If you are the owner of the connector, re-authorizing your environment to make changes is **optional**.

+> If you are trying to take ownership of the connector, you must re-authorize using your access token. This change is irreversible as soon as you select 'Re-authorize'.

+- Learn more about [DevOps security in Defender for Cloud](defender-for-devops-introduction.md).

+| [Deprecation of two DevOps security recommendations](#deprecation-of-two-devops-security-recommendations) | November 30, 2023 | January 2024 |

+## Deprecation of two DevOps security recommendations

+**Announcement date: November 30, 2023**

+**Estimated date for change: January 2024**

+With the general availability of DevOps environment posture management, we're updating our approach to having recommendations displayed in the subassessment format. Previously, we had broad recommendations encompassing multiple findings. Now, we're shifting to individual recommendations for each specific finding. With this change, the two broad recommendations will be deprecated:

+- `Azure DevOps Posture Management findings should be resolved`

+- `GitHub Posture Management findings should be resolved`

+This means instead of a singular recommendation for all discovered misconfigurations, we'll provide distinct recommendations for each issue, such as "Azure DevOps service connections should not grant access to all pipelines". This change aims to enhance clarity and visibility of specific issues.

+For more information, see the [new recommendations](recommendations-reference-devops.md).

+|**Medical** |ASTM<br> HL7 <br> DICOM <br> POCT1 |

+ Title: "Best practices for structuring an Azure Deployment Environments catalog"

+description: "This article provides guidelines for structuring an Azure Deployment Environments catalog for efficient caching."

+#customer intent: As a platform engineer, I want to structure my catalog so that Azure Deployment Environments can find and cache environment definitions efficiently.

+# Best practices for Azure Deployment Environment catalogs

+This article describes the best practice guidelines for structuring an Azure Deployment Environments catalog.

+## Structure the catalog for efficient caching

+As a platform engineer, you should structure your catalog in a way that makes it easier and quicker for Azure Deployment Environments to find and cache environment definitions efficiently. By organizing the repository into a specific structure, you can better target files for caching and improve the overall performance of the deployment process. It's essential for platform engineers to understand these guidelines and structure their repositories accordingly to ensure optimal results.

+When you attach a catalog to a dev center, Deployment Environments scans the catalog for an environment.yaml file. On locating the file, ADE assumes the files in that folder and subfolders form an environment definition. ADE caches only the required files, not the entire repository.

+The following diagram shows the recommended structure for a repo. Each template resides within a single folder.

+## Linked environment definitions

+In a linked environment definitions scenario, multiple .json files can point to a single ARM template. ADE checks linked environment definitions sequentially and retrieves the linked files and environment definitions from the repository. For best performance, these interactions should be minimized.

+## Update environment definitions and sync changes

+Over time, environment definitions need updates. You make those updates in your Git repository, and then you must manually sync the catalog up to update the changes to ADE.

+## Files outside recommended structure

+In the following example, the Azuredeploy.json file is above the environment.yaml file in the folder structure. This structure is not valid Azure Deployment Environments catalogs. Environment definitions cannot reference content outside of the catalog item folder.

+## Related content

+- [Add and configure a catalog from GitHub or Azure DevOps in Azure Deployment Environments](/azure/deployment-environments/how-to-configure-catalog?tabs=DevOpsRepoMSI)

+- [Add and configure an environment definition in Azure Deployment Environments](/azure/deployment-environments/configure-environment-definition)

+description: Learn how to install the Azure CLI extension for Azure Deployment Environments so you can create resources from the command line.

+# Install the Azure CLI extension for Azure Deployment Environments

+In addition to the Azure admin portal and the developer portal, you can use the Azure Deployment Environments CLI extension to create resources. Azure Deployment Environments and Microsoft Dev Box use the same Azure CLI extension, which is called *devcenter*.

+You first need to install the Azure CLI, and then install the devcenter extension.

+1. Install the devcenter extension by using the following command.

+ ``` azurecli

+ az extension add --name devcenter

+ ```

+1. Check that the devcenter extension was installed.

+ ``` azurecli

+ az extension list

+ ```

+If you already have the devcenter extension installed, you can update it.

+To remove the extension, use the following command.

+You might find the following commands useful while you work with the devcenter extension.

+1. Sign in to the Azure CLI with your account.

+ az account set --subscription <subscriptionId>

+1. Set a default resource group so that you don't need to specify the resource group for each command.

+ az configure --defaults group=<resourceGroupName>

+1. Get help for a command.

+For complete command listings, see the [Microsoft Dev Box and Azure Deployment Environments Azure CLI documentation](https://aka.ms/CLI-reference).

+- DNS private resolver inbound endpoint provisioning isn't compatible with [Azure Lighthouse](../lighthouse/overview.md).

+ - To see if Azure Lighthouse is in use, search for **Service providers** in the Azure portal and select **Service provider offers**.

+By default, Event Grid namespaces and entities in them such as Message Queuing Telemetry Transport (MQTT) topic spaces are accessible from internet as long as the request comes with valid authentication (access key) and authorization. With IP firewall, you can restrict it further to only a set of IPv4 addresses or IPv4 address ranges in [CIDR (Classless Inter-Domain Routing)](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation. Only the MQTT clients that fall into the allowed IP range can connect to publish and subscribe. Clients originating from any other IP address are rejected and receive a 403 (Forbidden) response. For more information about network security features supported by Event Grid, see [Network security for Event Grid](network-security.md).

+You can use [private endpoints](../private-link/private-endpoint-overview.md) to allow ingress of events directly from your virtual network to entities in your Event Grid namespaces securely over a [private link](../private-link/private-link-overview.md) without going through the public internet. The private endpoint uses an IP address from the virtual network address space for your namespace. When an MQTT client on a private network connects to the MQTT broker on a private link, the client can publish and subscribe to MQTT messages. For more conceptual information, see [Network security](network-security.md).

+1. Under the MQTT broker section in left rail, navigate to CA certificates menu.

+1. The **Name** for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the autofilled **Address range** values to match your configuration requirements. **You need to create the GatewaySubnet with a /27 or larger** (/26, /25, and so on.). /28 or smaller subnets are not supported for new deployments. If you plan on connecting 16 ExpressRoute circuits to your gateway, you **must** create a gateway subnet of /26 or larger.

+ Title: Azure Firewall best practices for performance

+description: Learn how to configure Azure Firewall to maximize performance

+# Best practices for Azure Firewall performance

+To maximize the [performance](firewall-performance.md) of your Azure Firewall and Firewall policy, itΓÇÖs important to follow best practices. However, certain network behaviors or features can affect the firewallΓÇÖs performance and latency, despite its performance optimization capabilities.

+## Performance issues common causes

+- **Exceeding rule limitations**

+ If you exceed limitations, such as using over 20,000 unique source/destination combinations in rules, it can affect firewall traffic processing and cause latency. Even though this is a soft limit, if you surpass this value it can affect overall firewall performance. For more information, see the [documented limits](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).

+- **High traffic throughput**

+ Azure Firewall Standard supports up to 30 Gbps, while Premium supports up to 100 Gbps. For more information, see the [throughput limitations](firewall-performance.md#performance-data). You can monitor your throughput or data processing in Azure Firewall metrics. For more information, see [Azure Firewall metrics](logs-and-metrics.md#metrics).

+- **High Number of Connections**

+ An excessive number of connections passing through the firewall can lead to SNAT (Source Network Address Translation) port exhaustion.

+- **IDPS Alert + Deny Mode**

+ If you enable IDPS Alert + Deny Mode, the firewall drops packets that match an IDPS signature. This affects performance.

+## Recommendations

+- **Optimize rule configuration and processing**

+ - Organize rules using firewall policy into Rule Collection Groups and Rule Collections, prioritizing them based on their use frequency.

+ - Use [IP Groups](ip-groups.md) or IP prefixes to reduce the number of IP table rules.

+ - Prioritize rules with the highest number of hits.

+ - Ensure that you are within the following [rule limitations](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).

+- **Use or migrate to Azure Firewall Premium**

+ - Azure Firewall Premium uses advanced hardware and offers a higher-performing underlying engine.

+ - Best for heavier workloads and higher traffic volumes.

+ - It also includes built-in accelerated networking software, which can achieve throughput of up to 100 Gbps, unlike the Standard version.

+- **Add multiple public IP addresses to the firewall to prevent SNAT port exhaustion**

+ - To prevent SNAT port exhaustion, consider adding multiple public IP addresses (PIPs) to your firewall. Azure Firewall provides [2,496 SNAT ports per each additional PIP](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).

+ - If you prefer not to add more PIPs, you can add an Azure NAT Gateway to scale SNAT port usage. This provides advanced SNAT port allocation capabilities.

+- **Start with IDPS Alert mode before you enable Alert + Deny mode**

+ - While the *Alert + Deny* mode offers enhanced security by blocking suspicious traffic, it can also introduce more processing overhead. If you disable this mode, you might observe performance improvement, especially in scenarios where the firewall is primarily used for routing and not deep packet inspection.

+ - It's essential to remember that traffic through the firewall is denied by default until you explicitly configure *allow* rules. Therefore, even when IDPS *Alert + Deny* mode is disabled, your network remains protected, and only explicitly permitted traffic is allowed to pass through the firewall. It can be a strategic choice to disable this mode to optimize performance without compromising the core security features provided by the Azure Firewall.

+## Testing and monitoring

+To ensure optimal performance for your Azure Firewall, you should continuously and proactively monitor it. It's crucial to regularly assess the health and key metrics of your firewall to identify potential issues and maintain efficient operation, especially during configuration changes.

+Use the following best practices for testing and monitoring:

+- **Test latency introduced by the firewall**

+ - To assess the latency added by the firewall, measure the latency of your traffic from the source to the destination by temporarily bypassing the firewall. To do this, reconfigure your routes to bypass the firewall. Compare the latency measurements with and without the firewall to understand its effect on traffic.

+- **Measure firewall latency using latency probe metrics**

+ - Use the *latency probe* metric to measure the average latency of the Azure Firewall. This metric provides an indirect metric of the firewallΓÇÖs performance. Remember that intermittent latency spikes are normal.

+- **Measure traffic throughput metric**

+ - Monitor the *traffic throughput* metric to understand how much data passes through the firewall. This helps you gauge the firewallΓÇÖs capacity and its ability to handle the network traffic.

+- **Measure data processed**

+ - Keep track of the *data processed* metric to assess the volume of data processed by the firewall.

+- **Identify rule hits and performance spikes**

+ - Look for spikes in network performance or latency. Correlate rule hit timestamps, such as application rules hit count and network rules hit count, to determine if rule processing is a significant factor contributing to performance or latency issues. By analyzing these patterns, you can identify specific rules or configurations that you might need to optimize.

+- **Add alerts to key metrics**

+ - In addition to regular monitoring, it's crucial to set up alerts for key firewall metrics. This ensures that you're promptly notified when specific metrics surpass predefined thresholds. To configure alerts, see [Azure Firewall logs and metrics](logs-and-metrics.md#alert-on-azure-firewall-metrics) for detailed instructions about setting up effective alerting mechanisms. Proactive alerting enhances your ability to respond swiftly to potential issues and maintain optimal firewall performance.

+## Next steps

+- [Azure Firewall performance](firewall-performance.md)

+| Compression encodings | gzip, brotli | gzip, brotli | gzip, brotli | gzip, brotli | gzip, deflate, bzip2 | gzip, deflate, bzip2, brotli |

+Only resources within the same virtual network have access to the Kafka API. In this quickstart, you access the cluster directly using SSH. To connect other services, networks, or virtual machines to Kafka, you must first create a virtual network and then create the resources within the network. For more information, see the [Connect to Apache Kafka using a virtual network](apache-kafka-connect-vpn-gateway.md) document.

+3. To set an environment variable with Zookeeper host information, use the following command. The command retrieves all Zookeeper hosts, then returns only the first two entries. This is because you want some redundancy in case one host is unreachable.

+description: This quickstart shows how to use Azure PowerShell to create an Apache Spark cluster in Azure HDInsight, and run Spark SQL query.

+If you're using multiple clusters together, you can create a virtual network, and if you're using a Spark cluster you can use the Hive Warehouse Connector. For more information, see [Plan a virtual network for Azure HDInsight](../hdinsight-plan-virtual-network-deployment.md) and [Integrate Apache Spark and Apache Hive with the Hive Warehouse Connector](../interactive-query/apache-hive-warehouse-connector.md).

+- A cluster of different cluster types on HDInsight. In this quickstart, you create a Spark 2.3 cluster.

+|Location| Specify the Azure region, for example 'Central US.' |

+ :::image type="content" source="./media/apache-spark-jupyter-spark-sql-use-powershell/azure-portal-search-hdinsight-cluster.png" alt-text="Screenshot shows the Azure portal search for HDInsight." border="true":::

+ :::image type="content" source="./media/apache-spark-jupyter-spark-sql-use-powershell/azure-portal-open-hdinsight-cluster.png" alt-text="Screenshot shows HDInsight clusters with the cluster that you created." border="true":::

+You can use the `%%configure` magic to configure the notebook to use an external package. In notebooks that use external packages, make sure you call the `%%configure` magic in the first code cell. This ensures that the kernel is configured to use the package before the session starts.

+1. Run sample script actions to copy jar files from primary storage `wasb://mycontainer@mystorageaccount.blob.core.windows.net/libs/*` to cluster local file system `/usr/libs/sparklibs`. The step is needed as linux uses `:` to separate class path list, but HDInsight only support storage paths with scheme like `wasb://`. The remote storage path won't work correctly if you directly add it to class path.

+HDInsight Jupyter Notebook PySpark kernel doesn't support installing Python packages from PyPi or Anaconda package repository directly. If you have `.zip`, `.egg`, or `.py` dependencies, and want to reference them for one Spark session, follow steps:

+1. Run sample script actions to copy `.zip`, `.egg` or `.py` files from primary storage `wasb://mycontainer@mystorageaccount.blob.core.windows.net/libs/*` to cluster local file system `/usr/libs/pylibs`. The step is needed as linux uses `:` to separate search path list, but HDInsight only support storage paths with scheme like `wasb://`. The remote storage path won't work correctly when you use `sys.path.insert`.

+2. In your notebook, run following code in a code cell with PySpark kernel:

+resource helmChart 'Microsoft.iotoperationsorchestrator/targets@2023-10-04-preview' = {

+resource k8sResource 'Microsoft.iotoperationsorchestrator/targets@2023-10-04-preview' = {

+- [Manage access control for managed feature store](how-to-setup-access-control-feature-store.md)

+- [Azure Machine Learning managed feature stores samples repository](https://github.com/Azure/azureml-examples/tree/main/sdk/python/featurestore_sample)

+| **AzureML Compute Operator** | Can create, manage, delete, and access compute resources within a workspace.|

+By default, logs are pulled from the inference server. To see logs from the storage initializer container, use the Azure CLI or Python SDK (see each tab for details). Logs from the storage initializer container provide information on whether code and model data were successfully downloaded to the container. For more information on deployment logs, see [Get container logs](how-to-troubleshoot-online-endpoints.md#get-container-logs).

+## Related content

+* **AMLOnlineEndpointEventLog**: Contains event information regarding the container's life cycle. Currently, we provide information on the following types of events:

+In the studio, you can use the **Monitoring** tab on an online endpoint's page to see high-level activity monitor graphs for the managed online endpoint. To use the monitoring tab, you must select **Enable Application Insight diagnostic and data collection** when you create your endpoint.

+## Related content

+> [!NOTE]

+> When adding a new deployment to an endpoint, you can adjust the traffic balance between deployments on the "Traffic" page. At this point, though, you should keep the default traffic allocation to the deployments (100% traffic to "blue" and 0% traffic to "green").

+## Related content

+| [Content Safety (Text)](./content-safety-text-tool.md) | Use Azure Content Safety to detect harmful content. | Default | [promptflow-tools](https://pypi.org/project/promptflow-contentsafety/) |

+1. To save checkpoints, replace the original `torch.save()` statement to save your checkpoint with Nebula. Please ensure that your checkpoint instance begins with "global_step", such as "global_step500" or "global_step1000":

+ checkpoint = nm.Checkpoint('global_step500')

+ checkpoint.save('<CKPT_NAME>', model)

+ ```python

+ # Managing checkpoints

+ ## List all checkpoints

+ ckpts = nm.list_checkpoints()

+ ## Get Latest checkpoint path

+ latest_ckpt_path = nm.get_latest_checkpoint_path("checkpoint", persisted_storage_path)

+ ```

+Part 1 of this tutorial series showed how to create a feature set specification with custom transformations, enable materialization and perform a backfill. Part 2 showed how to experiment with features in the experimentation and training flows. Part 3 explained recurrent materialization for the `transactions` feature set, and showed how to run a batch inference pipeline on the registered model. Part 4 described how to run batch inference.

+* Make sure you complete the previous tutorials in this series. This tutorial reuses feature store and other resources created in those earlier tutorials.

+### Configure the Azure Machine Learning Spark notebook

+ 1. Select **Configure session** in the top status bar.

+ 2. Select the **Python packages** tab, s

+ 3. Select **Upload Conda file**.

+ 4. Upload the *conda.yml* file that you [uploaded in the first tutorial](./tutorial-get-started-with-feature-store.md#prepare-the-notebook-environment).

+ 5. Optionally, increase the session time-out (idle time) to avoid frequent prerequisite reruns.

+* [Azure Machine Learning feature stores samples repository](https://github.com/Azure/azureml-examples/tree/main/sdk/python/featurestore_sample)

+ 1. In the **Compute** dropdown list in the top nav, select **Serverless Spark Compute** under **Azure Machine Learning Serverless Spark**.

+ 1. Select **Configure session** in the top status bar.

+ 2. Select the **Python packages** tab.

+ 3. Select **Upload conda file**.

+ 4. Select the `azureml-examples/sdk/python/featurestore-sample/project/env/online.yml` file from your local machine.

+ 5. Optionally, increase the session time-out (idle time) to avoid frequent prerequisite reruns.

+* On your user account, the Owner role for the resource group where the feature store is created.

+1. The **Select target directory** panel opens. Select the **Users** directory, then select _your user name_, and finally select **Clone**.

+ 1. Browse to the *env* directory (select **Users** > **your_user_name** > **featurestore_sample** > **project** > **env**), and then select the *conda.yml* file.

+ 1. Select **Serverless Spark Compute** in the top navigation **Compute** dropdown. This operation might take one to two minutes. Wait for a status bar in the top to display **Configure session**.

+ 1. Select **Configure session** in the top status bar.

+ 1. Select **Python packages**.

+ 1. Select **Upload conda files**.

+ 1. Select the `conda.yml` file you downloaded on your local device.

+ 1. (Optional) Increase the session time-out (idle time in minutes) to reduce the serverless spark cluster startup time.

+1. Install the Azure Machine Learning CLI extension.

+ As explained earlier in this tutorial, `MLClient` is used for creating, reading, updating, and deleting a feature store asset. The notebook code cell sample shown here searches for the feature store that you created in an earlier step. Here, you can't reuse the same `ml_client` value that you used earlier in this tutorial, because it's scoped at the resource group level. Proper scoping is a prerequisite for feature store creation.

+#### Set spark.sql.shuffle.partitions in the yaml file according to the feature data size

+ The spark configuration `spark.sql.shuffle.partitions` is an OPTIONAL parameter that can affect the number of parquet files generated (per day) when the feature set is materialized into the offline store. The default value of this parameter is 200. As best practice, avoid generation of many small parquet files. If offline feature retrieval becomes slow after feature set materialization, go to the corresponding folder in the offline store to check whether the issue involves too many small parquet files (per day), and adjust the value of this parameter accordingly.

+ > [!NOTE]

+ > The sample data used in this notebook is small. Therefore, this parameter is set to 1 in the

+ > featureset_asset_offline_enabled.yaml file.

+#### Set spark.sql.shuffle.partitions in the yaml file according to the feature data size

+ The spark configuration `spark.sql.shuffle.partitions` is an OPTIONAL parameter that can affect the number of parquet files generated (per day) when the feature set is materialized into the offline store. The default value of this parameter is 200. As best practice, avoid generation of many small parquet files. If offline feature retrieval becomes slow after feature set materialization, go to the corresponding folder in the offline store to check whether the issue involves too many small parquet files (per day), and adjust the value of this parameter accordingly.

+ > [!NOTE]

+ > The sample data used in this notebook is small. Therefore, this parameter is set to 1 in the

+ > featureset_asset_offline_enabled.yaml file.

+- If a materialization job is pending, or that job is running for a *data interval* that hasn't yet been backfilled, a new job isn't submitted for that *data interval*.

+ 1. In the **Compute** dropdown list in the top nav, select **Serverless Spark Compute**.

+ 1. Download *azureml-examples/sdk/python/featurestore-sample/project/env/online.yml* file to your local machine.

+ 2. In **configure session** in the top nav, select **Python packages**

+ 3. Select **Upload Conda file**

+ 4. Upload the *online.yml* file from your local machine, with the same steps as described in [uploading *conda.yml* file in the first tutorial](./tutorial-get-started-with-feature-store.md#prepare-the-notebook-environment).

+This quickstart uses the Azure Identity library, along with Azure CLI or Azure PowerShell, to authenticate user to Azure Services. Developers can also use Visual Studio or Visual Studi- [OpenSSL](https://www.openssl.org/) on a computer running Windows or Linux.o Code to authenticate their calls. For more information, see [Authenticate the client with Azure Identity client library](/python/api/overview/azure/identity-readme).

+In this quickstart, you created a Managed CCF resource by using the Azure SDK for Java. To learn more about Azure Managed CCF and how to integrate it with your applications, continue on to these articles:

+- The minimum supported version of the Python package is 2.0.0b3.

+Install the Azure confidential ledger management plane client library. The minimum supported version is 2.0.0b3 or later.

+pip install azure-mgmt-confidentialledger==2.0.0b3

+### Initialize a new npm project

+In a terminal or command prompt, create a suitable project folder and initialize an `npm` project. You may skip this step if you have an existing node project.

+```terminal

+cd <work folder>

+npm init -y

+```

+### Install the packages

+npm install --save @azure/identity

+npm install -save @azure/arm-confidentialledger@1.3.0-beta.1

+```

+Install the TypeScript compiler and tools globally

+```terminal

+npm install -g typescript

+The Azure SDK for JavaScript and TypeScript library [azure/arm-confidentialledger](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/confidentialledger/arm-confidentialledger) allows operations on Managed CCF resources, such as creation and deletion, listing the resources associated with a subscription, and viewing the details of a specific resource.

+To run the below samples, please save the code snippets into a file with a `.ts` extension into your project folder and compile it as part of your TypeScript project, or compile the script into JavaScript separately by running:

+```terminal

+tsc <filename.ts>

+```

+The compiled JavaScript file will have the same name but a `*.js` extension. Then run the script in nodeJS:

+```terminal

+node <filename.js>

+```

+The following sample TypeScript code creates and views the properties of a Managed CCF resource.

+```TypeScript

+// Please replace these variables with appropriate values for your project

+const subscriptionId = "0000000-0000-0000-0000-000000000001";

+const ledgerId = "testApp";

+const memberCert0 = "--BEGIN CERTIFICATE--\nMIIBvjCCAUSgAwIBAg...0d71ZtULNWo\n--END CERTIFICATE--";

+const memberCert1 = "--BEGIN CERTIFICATE--\nMIIBwDCCAUagAwIBAgI...2FSyKIC+vY=\n--END CERTIFICATE--";

+async function main() {

+ const client = new ConfidentialLedgerClient(new DefaultAzureCredential(), subscriptionId);

+ const properties = <ManagedCCFProperties> {

+ certificate: memberCert0,

+ certificate: memberCert1,

+ const mccf = <ManagedCCF> {

+ const createResponse = await client.managedCCFOperations.beginCreateAndWait(rgName, ledgerId, mccf);

+ const getResponse = await client.managedCCFOperations.get(rgName, ledgerId);

+ const instancePages = await client.managedCCFOperations.listByResourceGroup(rgName).byPage();

+(async () => {

+ try {

+ await main();

+ } catch(err) {

+ console.error(err);

+ }

+})();

+## Delete the Managed CCF resource

+The following piece of code deletes the Managed CCF resource. Other Managed CCF articles can build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you might wish to leave these resources in place.

+```TypeScript

+import { ConfidentialLedgerClient, ManagedCCFProperties, ManagedCCF, KnownLanguageRuntime, DeploymentType, MemberIdentityCertificate } from "@azure/arm-confidentialledger";

+import { DefaultAzureCredential } from "@azure/identity";

+const subscriptionId = "0000000-0000-0000-0000-000000000001"; // replace

+const rgName = "myResourceGroup";

+const ledgerId = "confidentialbillingapp";

+async function deleteManagedCcfResource() {

+ const client = new ConfidentialLedgerClient(new DefaultAzureCredential(), subscriptionId);

+ console.log("Delete the instance.");

+ await client.managedCCFOperations.beginDeleteAndWait(rgName, ledgerId);

+ console.log("Deleted.");

+}

+(async () => {

+ try {

+ await deleteManagedCcfResource();

+ } catch(err) {

+ console.error(err);

+ }

+})();

+```

+- [How do I connect to a MySQL database that's secured behind a virtual network?](#how-do-i-connect-to-a-mysql-database-thats-secured-behind-a-virtual-network)

+### How do I connect to a MySQL database that's secured behind a virtual network?

+To connect to a MySQL database, you can use several methods based on the tools and environments at your disposal:

+- **Command-line tool access**:

+ - Use the `mysql` command from the app's SSH terminal for basic access.

+- **Desktop tools (for example, MySQL Workbench)**:

+ - **Using SSH tunneling with Azure CLI**:

+ - Create an [SSH session](../../app-service/configure-linux-open-ssh-session.md#open-ssh-session-from-remote-shell) to the web app by using the Azure CLI.

+ - Use the SSH session to tunnel the traffic to MySQL.

+ - **Using site-to-site VPN or Azure VM**:

+ - Your machine must be part of the virtual network.

+ - Consider using:

+ - An Azure VM linked to one of the subnets.

+ - A machine in an on-premises network that has a [site-to-site VPN connection](../../vpn-gateway/vpn-gateway-about-vpngateways.md) to the Azure virtual network.

+- **Azure Cloud Shell integration**:

+ - [Integrate Azure Cloud Shell](../../cloud-shell/private-vnet.md) with the virtual network for direct access.

+> The UserDefinedRouting flag can only be used when creating clusters with `--apiserver-visibility Private` and `--ingress-visibility Private` parameters. Ensure you are using the latest Azure CLI. Clusters deployed with Azure CLI 2.52.0 and older will get deployed with public IPs.

+ Title: Azure Orbital Ground Station - Contact profile resource

+These resources are mutable and don't undergo an authorization process like the spacecraft resources do. One contact profile can be used with many spacecraft resources.

+A whole band, unique in direction and polarity, is called a link. Channels, which are children under links, specify the center frequency, bandwidth, and endpoints. Typically there's only one channel per link, but some applications require multiple channels per link.

+Refer to the example below to understand how to specify an RHCP channel and an LHCP channel if your mission requires dual-polarization on downlink. To find this information about your contact profile, navigate to the contact profile resource overview and click 'JSON view.'

+You can modify or delete the contact profile via the [Azure portal](https://aka.ms/orbital/portal) or [Azure Orbital Ground Station API](/rest/api/orbital/).

+In the Azure portal, navigate to the contact profile resource.

+- To modify minimum viable contact duration, minimum elevation, auto tracking, or events hubs telemetry, click 'Overview' on the left panel then click 'Edit properties.'

+- To edit links and channels, click 'Links' under 'Configurations' on the left panel then click 'Edit link' on the desired link.

+- To edit third-party configurations, click 'Third-Party Configurations' under 'Configurations' on the left panel then click 'Edit' on the desired configuration.

+- To delete a contact profile, click 'Overview' on the left panel then click 'Delete.'

+## Configuring a contact profile for applicable partner ground stations

+After onboarding with a partner ground station network, you receive a name that identifies your configuration file. When [creating your contact profile](contact-profile.md#create-a-contact-profile-resource), add this configuration name to your link in the 'Third-Party Configuration" parameter. This links your contact profile to the partner network.

+ - [KSAT Lite](https://azuremarketplace.microsoft.com/marketplace/apps/kongsbergsatelliteservicesas1657024593438.ksatlite?exp=ubp8&tab=Overview)

+ - [Viasat RTE](https://azuremarketplace.microsoft.com/marketplace/apps/viasatinc1628707641775.viasat-real-time-earth?tab=overview)

+| When did the problem start? | Select the **current date & time**. |

+| Select Ground Stations | Select all desired **Microsoft or partner ground stations** that you are licensed for. If you do not see appropriate partner ground station(s), your subscription must be approved to access those sites by the Azure Orbital Ground Station team. |

+| Do you Accept and Acknowledge the Azure Orbital Supplemental Terms? | Review the terms in the link by hovering over the information icon then select **Yes**. |

+| Description | List your spacecraft's **frequency band(s)**. |

+| File upload | Upload any **pertinent licensing material**, if applicable. |

+|Azure Application Gateway | All public regions | | GA </br> [Azure Application Gateway Private Link](../application-gateway/private-link.md) |

+>| Azure Bot Service (Microsoft.BotService/botServices) | Bot | privatelink.directline.botframework.com | directline.botframework.com |

+>| Azure Bot Service (Microsoft.BotService/botServices) | Token | privatelink.token.botframework.com | token.botframework.com |

+>| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | SqlOnDemand | privatelink.sql.azuresynapse.net | sql.azuresynapse.net |

+>| Azure Data Explorer (Microsoft.Kusto/Clusters) | cluster | privatelink.{regionName}.kusto.windows.net </br> privatelink.blob.core.windows.net </br> privatelink.queue.core.windows.net </br> privatelink.table.core.windows.net | {regionName}.kusto.windows.net </br> blob.core.windows.net </br> queue.core.windows.net </br> table.core.windows.net |

+>| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | feed | privatelink.wvd.microsoft.com | wvd.microsoft.com |

+>| Azure Virtual Desktop (Microsoft.DesktopVirtualization/hostpools) | connection | privatelink.wvd.microsoft.com | wvd.microsoft.com |

+>| Azure Container Registry (Microsoft.ContainerRegistry/registries) | registry | privatelink.azurecr.io </br> {regionName}.data.privatelink.azurecr.io | azurecr.io </br> {regionName}.data.azurecr.io |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Sql | privatelink.documents.azure.com | documents.azure.com |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.com | mongo.cosmos.azure.com |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.com | cassandra.cosmos.azure.com |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.com | gremlin.cosmos.azure.com |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.com | table.cosmos.azure.com |

+>| Azure Event Grid (Microsoft.EventGrid/namespaces) | topic | privatelink.eventgrid.azure.net | eventgrid.azure.net |

+>| Azure Event Grid (Microsoft.EventGrid/partnerNamespaces) | partnernamespace | privatelink.eventgrid.azure.net | eventgrid.azure.net |

+>| Device Update for IoT Hubs (Microsoft.DeviceUpdate/accounts) | DeviceUpdate | privatelink.api.adu.microsoft.com | api.adu.microsoft.com |

+>| Azure IoT Central (Microsoft.IoTCentral/IoTApps) | iotApp | privatelink.azureiotcentral.com | azureiotcentral.com |

+>| Azure Digital Twins (Microsoft.DigitalTwins/digitalTwinsInstances) | API | privatelink.digitaltwins.azure.net | digitaltwins.azure.net |

+>| Microsoft Purview (Microsoft.Purview/accounts) | portal | privatelink.purviewstudio.azure.com | purviewstudio.azure.com |

+>| Azure Managed Grafana (Microsoft.Dashboard/grafana) | grafana | privatelink.grafana.azure.com | grafana.azure.com |

+>| Azure Attestation (Microsoft.Attestation/attestationProviders) | standard | privatelink.attest.azure.net | attest.azure.net |

+>| Azure Managed Disks (Microsoft.Compute/diskAccesses) | disks | privatelink.blob.core.windows.net | privatelink.blob.core.windows.net |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Sql | privatelink.documents.azure.us | documents.azure.us |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.us | mongo.cosmos.azure.us |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Sql | privatelink.documents.azure.cn | documents.azure.cn |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.cn | mongo.cosmos.azure.cn |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.cn | cassandra.cosmos.azure.cn |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.cn | gremlin.cosmos.azure.cn |

+>| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.cn | table.cosmos.azure.cn |

+| Application Gateway | Microsoft.Network/applicationgateways |Frontend IP Configuration name|

+### How to move a VM from regional to zonal configuration

+Before moving a VM from regional to zonal configuration, see [FAQ - Move Azure single instance VM from regional to zonal](../virtual-machines/move-virtual-machines-regional-zonal-faq.md).

+To learn how to move VMs from regional to zonal configuration within same region in the Azure portal, see [Move Azure single instance VMs from regional to zonal configuration](../virtual-machines/move-virtual-machines-regional-zonal-portal.md).

+To learn how to do the same using Azure PowerShell and CLI, see [Move a VM in an availability zone using Azure PowerShell and CLI](../virtual-machines/move-virtual-machines-regional-zonal-powershell.md).

+- **Zonal** model offers uptime [SLA of 99.95%](https://azure.microsoft.com/support/legal/sla/postgresql).

+- **Zone-redundancy** model offers uptime [SLA of 99.99%](https://azure.microsoft.com/support/legal/sla/postgresql).

+1. Where `orchestration_ansible_user` is the user with **admin** privileges, e.g. *root*.

+ RHEL 8.x: sudo dnf info resource-agents

+ RHEL 9.x: sudo dnf info resource-agents-cloud

+ * RHEL 8.8: `resource-agents-4.9.0-40.1`

+ * RHEL 9.0: `resource-agents-cloud-4.10.0-9.6`

+ * RHEL 9.2 and newer: `resource-agents-cloud-4.10.0-34.1`

+Use this article to migrate data plane calls to newer *stable* versions of the [**Search REST API**](/rest/api/searchservice/).

+> API reference docs are now versioned. To get the right information, open a reference page and then apply the version-specific filter located above the table of contents.

+If you added vector support using 2023-10-01-preview, there are no breaking changes, but there's one behavior difference: the `vectorFilterMode` default changed from postfilter to prefilter for [filter expressions](vector-search-filters.md). The default is prefilter for indexes created after 2023-10-01. Indexes created before that date only support postfilter, regardless of how you set the filter mode.

+> Azure portal supports a one-click upgrade path for 2023-07-01-preview indexes. The portal detects that version and provides a **Migrate** button. Before selecting **Migrate**, select **Edit JSON** to review the updated schema first. You should find a schema that conforms to the changes described in this section. Portal migration only handles indexes with one vector field. Indexes with more fields require manual migration.

+ "vectors": [

+ {

+ }

+ ],

+ "tokenizer": "keyword_v2",

+You can use the [**Import and vectorize data wizard**](search-get-started-portal-import-vectors.md), the [2023-10-01-Preview](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2023-10-01-preview&preserve-view=true) REST APIs, or any Azure beta SDK package that's been updated to provide this feature.

+ Title: Ingest Microsoft Defender for Cloud subscription-based alerts to Microsoft Sentinel

+# Ingest Microsoft Defender for Cloud alerts to Microsoft Sentinel

+[Microsoft Defender for Cloud](../defender-for-cloud/index.yml)'s integrated cloud workload protections allow you to detect and quickly respond to threats across hybrid and multicloud workloads.

+This connector allows you to ingest [security alerts from Defender for Cloud](../defender-for-cloud/alerts-reference.md) into Microsoft Sentinel, so you can view, analyze, and respond to Defender alerts, and the incidents they generate, in a broader organizational threat context.

+The new **Tenant-based Microsoft Defender for Cloud connector**, in PREVIEW, allows you to collect Defender for Cloud alerts over your entire tenant, without having to enable each subscription separately. It also leverages [Defender for Cloud's integration with Microsoft Defender XDR](ingest-defender-for-cloud-incidents.md) (formerly Microsoft 365 Defender) to ensure that all of your Defender for Cloud alerts are fully included in any incidents you receive through [Microsoft Defender XDR incident integration](microsoft-365-defender-sentinel-integration.md).

+Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) connector with incident integration allows you to stream all Microsoft 365 Defender incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and they group together, and are enriched by, alerts from Microsoft 365 Defender's component services **Microsoft Defender for Endpoint**, **Microsoft Defender for Identity**, **Microsoft Defender for Office 365**, **Microsoft Defender for Cloud Apps**, and **Microsoft Defender for Cloud**, as well as alerts from other services such as **Microsoft Purview Data Loss Prevention** and **Microsoft Entra ID Protection**.

+ Title: Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration

+description: Learn how using Microsoft Defender for Cloud's integration with Microsoft Defender XDR lets you ingest Microsoft Defender for Cloud incidents through Microsoft Defender XDR. This lets you add Defender for Cloud incidents to your Microsoft Sentinel incidents queue while seamlessly applying Defender XDR's strengths to help investigate all your cloud workload security incidents.

+# Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration

+Microsoft Defender for Cloud is now [integrated with Microsoft Defender XDR](../defender-for-cloud/release-notes.md#defender-for-cloud-is-now-integrated-with-microsoft-365-defender-preview), formerly known as Microsoft 365 Defender. This integration, currently **in Preview**, allows Defender XDR to collect alerts from Defender for Cloud and create Defender XDR incidents from them.

+Thanks to this integration, Microsoft Sentinel customers who have enabled [Defender XDR incident integration](microsoft-365-defender-sentinel-integration.md) will now be able to ingest and synchronize Defender for Cloud incidents, with all their alerts, through Microsoft Defender XDR.

+To support this integration, Microsoft Sentinel has added a new **Tenant-based Microsoft Defender for Cloud (Preview)** connector. This connector will allow Microsoft Sentinel customers to receive Defender for Cloud alerts and incidents across their entire tenants, without having to monitor and maintain the connector's enrollment to all their Defender for Cloud subscriptions.

+This connector can be used to ingest Defender for Cloud alerts, regardless of whether you have Defender XDR incident integration enabled.

+> [!IMPORTANT]

+> The Defender for Cloud integration with Defender XDR, and the Tenant-based Microsoft Defender for Cloud connector, are currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Choose how to use this integration and the new connector

+How you choose to use this integration, and whether you want to ingest complete incidents or just alerts, will depend in large part on what you're already doing with respect to Microsoft Defender XDR incidents.

+- If you're already ingesting Defender XDR incidents, or if you're choosing to start doing so now, you're strongly advised to enable this new tenant-based connector. Your Defender XDR incidents will now include Defender for Cloud-based incidents with fully populated alerts from all Defender for Cloud subscriptions in your tenant.

+ If, in this situation, you remain with the legacy subscription-based Defender for Cloud connector and don't connect the new tenant-based one, you may receive Defender for Cloud incidents that contain empty alerts (in the case of a subscription to which the connector isn't enrolled).

+- If you don't intend to enable [Microsoft Defender XDR incident integration](microsoft-365-defender-sentinel-integration.md), you can still receive Defender for Cloud *alerts*, regardless of which version of the connector you enable. However, the new tenant-based connector still affords you the advantage of not needing the permissions to monitor and maintain your list of Defender for Cloud subscriptions in the connector.

+- If you *have* enabled Defender XDR integration, but you only want to receive Defender for Cloud *alerts* but not *incidents*, you can use [automation rules](create-manage-use-automation-rules.md) to immediately close Defender for Cloud incidents as they arrive.

+ If that's not an adequate solution, or if you still want to collect alerts from Defender for Cloud on a per-subscription basis, you can completely opt-out of the Defender for Cloud integration in the Microsoft Defender XDR portal, and then use the legacy, subscription-based version of the Defender for Cloud connector to receive those alerts.

+## Set up the integration in Microsoft Sentinel

+If you haven't already enabled [incident integration in your Microsoft 365 Defender connector](connect-microsoft-365-defender.md), do so first.

+Then, enable the new **Tenant-based Microsoft Defender for Cloud (Preview)** connector. This connector is available through the **Microsoft Defender for Cloud solution**, version 3.0.0, in the Content Hub. If you have an earlier version of this solution, you can upgrade it in the content hub.

+If you had previously enabled the legacy, subscription-based Defender for Cloud connector (which will be displayed as **Subscription-based Microsoft Defender for Cloud (Legacy)**), then you're advised to disable it to prevent duplication of alerts in your logs.

+If you have any [Scheduled or Microsoft Security analytics rules](detect-threats-built-in.md) that create incidents from Defender for Cloud alerts, you're encouraged to disable these rules, since you'll be receiving ready-made incidents created by&mdash;and synchronized with&mdash;Microsoft 365 Defender.

+If there are specific types of Defender for Cloud alerts for which you don't want to create incidents, you can use automation rules to close these incidents immediately, or you can use the built-in tuning capabilities in the Microsoft 365 Defender portal.

+## Next steps

+In this article, you learned how to use Microsoft Defender for Cloud's integration with Microsoft Defender XDR to ingest incidents and alerts into Microsoft Sentinel.

+Learn more about the Microsoft Defender for Cloud integration with Microsoft Defender XDR.

+- See [Microsoft Defender for Cloud in Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud), and particularly the [Impact to Microsoft Sentinel users](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud#impact-to-microsoft-sentinel-users) section, from the Microsoft Defender XDR documentation.

+- See [Alerts and incidents in Microsoft 365 Defender (Preview)](../defender-for-cloud/concept-integration-365.md) from the Microsoft Defender for Cloud documentation.

+- **Microsoft Defender for Endpoint**

+- **Microsoft Defender for Identity**

+- **Microsoft Defender for Office 365**

+- **Microsoft Defender for Cloud Apps**

+- **Microsoft Defender for Cloud** (Preview)

+- **Microsoft Purview Data Loss Prevention** ([Learn more](/microsoft-365/security/defender/investigate-dlp))

+- **Microsoft Entra ID Protection** ([Learn more](/defender-cloud-apps/aadip-integration))

+- [Take advantage of Microsoft Defender for Cloud integration with Microsoft Defender XDR (Preview)](#take-advantage-of-microsoft-defender-for-cloud-integration-with-microsoft-defender-xdr-preview)

+### Take advantage of Microsoft Defender for Cloud integration with Microsoft Defender XDR (Preview)

+Microsoft Defender for Cloud is now [integrated with Microsoft Defender XDR](../defender-for-cloud/release-notes.md#defender-for-cloud-is-now-integrated-with-microsoft-365-defender-preview), formerly known as Microsoft 365 Defender. This integration, currently **in Preview**, allows Defender XDR to collect alerts from Defender for Cloud and create Defender XDR incidents from them.

+Thanks to this integration, Microsoft Sentinel customers who have enabled [Defender XDR incident integration](microsoft-365-defender-sentinel-integration.md) will now be able to ingest and synchronize Defender for Cloud incidents, with all their alerts, through Microsoft Defender XDR.

+To support this integration, Microsoft has added a new **Tenant-based Microsoft Defender for Cloud (Preview)** connector. This connector will allow Microsoft Sentinel customers to receive Defender for Cloud alerts and incidents across their entire tenants, without having to monitor and maintain the connector's enrollment to all their Defender for Cloud subscriptions.

+This connector can be used to ingest Defender for Cloud alerts, regardless of whether you have Defender XDR incident integration enabled.

+- Learn more about [Microsoft Defender for Cloud integration with Microsoft Defender XDR](../defender-for-cloud/release-notes.md#defender-for-cloud-is-now-integrated-with-microsoft-365-defender-preview).

+- Learn more about [ingesting Defender for Cloud incidents into Microsoft Sentinel](ingest-defender-for-cloud-incidents.md).

+<!--

+- Learn how to [connect the tenant-based Defender for Cloud data connector](connect-defender-for-cloud-tenant.md) (in Preview).

+-->

+Azure Service Bus already spreads the risk of catastrophic failures of individual machines or even complete racks across clusters that span multiple failure domains within a datacenter and it implements transparent failure detection and failover mechanisms such that the service continues to operate within the assured service-levels and typically without noticeable interruptions when such failures occur. A premium namespace can have two or more messaging units and these messaging units are spread across multiple failure domains within a datacenter, supporting an all-active Service Bus cluster model.

+The Service Bus Geo-disaster recovery feature is designed to make it easier to recover from a disaster of this magnitude and abandon a failed Azure region for good and without having to change your application configurations. Abandoning an Azure region typically involves several services and this feature primarily aims at helping to preserve the integrity of the composite application configuration. The feature is globally available for the Service Bus Premium SKU.

+The Geo-Disaster recovery feature ensures that the entire configuration of a namespace (queues, topics, subscriptions, filters) is continuously replicated from a primary namespace to a secondary namespace when paired, and it allows you to initiate a once-only failover move from the primary to the secondary at any time. The failover move re-points the chosen alias name for the namespace to the secondary namespace and then break the pairing. The failover is nearly instantaneous once initiated.

+- The feature enables instant continuity of operations with the same configuration, but **doesn't replicate the messages held in queues or topic subscriptions or dead-letter queues**. To preserve queue semantics, such a replication requires not only the replication of message data, but of every state change in the broker. For most Service Bus namespaces, the required replication traffic would far exceed the application traffic and with high-throughput queues, most messages would still replicate to the secondary while they're already being deleted from the primary, causing excessively wasteful traffic. For high-latency replication routes, which applies to many pairings you would choose for Geo-disaster recovery, it might also be impossible for the replication traffic to sustainably keep up with the application traffic due to latency-induced throttling effects.

+- Pairing a [partitioned namespace](enable-partitions-premium.md) with a non-partitioned namespace isn't supported.

+- if `AutoDeleteOnIdle` is turned on an entity, the entity might not be present in the secondary namespace when the failover occurs.

+A *disaster* is defined as the permanent, or longer-term loss of a Service Bus cluster, Azure region, or datacenter. The region or datacenter might or might not become available again, or might be down for hours or days. Examples of such disasters are fire, flooding, or earthquake. A disaster that becomes permanent might cause the loss of some messages, events, or other data. However, in most cases there should be no data loss and messages can be recovered once the data center comes back up.

+- *Primary/secondary namespace*: The namespaces that correspond to the alias. The primary namespace is "active" and receives messages (it can be an existing or new namespace). The secondary namespace is "passive" and doesn't receive messages. The metadata between both is in sync, so both can seamlessly accept messages without any application code or connection string changes. To ensure that only the active namespace receives messages, you must use the alias.

+ > Failing over activates the secondary namespace and remove the primary namespace from the Geo-Disaster Recovery pairing. Create another namespace to have a new geo-disaster recovery pair.

+If you use the Azure portal to set up the disaster recovery configuration, the portal abstracts this caveat from you.

+- The fact that no data is replicated means that currently active sessions aren't replicated. Additionally, duplicate detection and scheduled messages might not work. New sessions, new scheduled messages, and new duplicates work.

+The Service Bus Premium SKU supports [availability zones](../availability-zones/az-overview.md), providing fault-isolated locations within the same Azure region. Service Bus manages three copies of the messaging store (1 primary and 2 secondary). Service Bus keeps all three copies in sync for data and management operations. If the primary copy fails, one of the secondary copies is promoted to primary with no perceived downtime. If the applications see transient disconnects from Service Bus, the [retry logic](/azure/architecture/best-practices/retry-service-specific#service-bus) in the SDK automatically reconnects to Service Bus.

+When you create a premium tier namespace, the support for availability zones (if available in the selected region) is automatically enabled for the namespace. There's no extra cost for using this feature and you can't disable or enable this feature.

+If you try to create a pairing between a primary namespace with a private endpoint and a secondary namespace without a private endpoint, the pairing fails. The pairing succeeds only if both primary and secondary namespaces have private endpoints. We recommend that you use same configurations on the primary and secondary namespaces and on virtual networks in which private endpoints are created.

+> When you try to pair the primary namespace with a private endpoint and the secondary namespace, the validation process only checks whether a private endpoint exists on the secondary namespace. It doesn't check whether the endpoint works or works after failover. It's your responsibility to ensure that the secondary namespace with private endpoint works as expected after failover.

+If pairing between primary and secondary namespace already exists, private endpoint creation on the primary namespace fails. To resolve, create a private endpoint on the secondary namespace first and then create one for the primary namespace.

+Let's say you have two virtual networks: VNET-1, VNET-2 and these primary and second namespaces: `ServiceBus-Namespace1-Primary`, `ServiceBus-Namespace2-Secondary`. You need to do the following steps:

+- On `ServiceBus-Namespace1-Primary`, create two private endpoints that use subnets from VNET-1 and VNET-2

+- On `ServiceBus-Namespace2-Secondary`, create two private endpoints that use the same subnets from VNET-1 and VNET-2

+**Application-only failover:** Here, the application doesn't exist in VNET-1 but moves to VNET-2. As both private endpoints are configured on both VNET-1 and VNET-2 for both primary and secondary namespaces, the application just works.

+**Service Bus namespace-only failover**: Here again, since both private endpoints are configured on both virtual networks for both primary and secondary namespaces, the application just works.

+| 9.1 CU7<br>9.1.1993.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU6<br>9.1.1851.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU5<br>9.1.1833.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU4<br>9.1.1799.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU3<br>9.1.1653.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU2<br>9.1.1583.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU1<br>9.1.1436.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU7<br>9.1.1740.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU6<br>9.1.1642.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU5<br>9.1.1625.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU4<br>9.1.1592.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU3<br>9.1.1457.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU2<br>9.1.1388.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 |

+| 9.1 CU1<br>9.1.1230.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 |

+If source machine has an Antivirus software active, installation folder should be excluded. So, exclude folder C:\Program Files (x86)\Microsoft Azure Site Recovery\ for smooth replication.

+ Title: Authorize access to blobs using Microsoft Entra ID

+Pricing for inventory is based on the number of blobs and containers that are scanned during the billing period. The [Azure Blob Storage pricing](https://azure.microsoft.com/pricing/details/storage/blobs/) page shows the price per one million objects scanned. For example, if the price to scan one million objects is `$0.003`, your account contains three million objects, and you produce four reports in a month, then your bill would be `4 * 3 * $0.003 = $0.036`.

+- [Blob Inventory FAQ](storage-blob-faq.yml#azure-storage-blob-inventory)

+| [Access tiers (hot, cool, cold, and archive)](access-tiers-overview.md) | &#x2705; | &#x2705; | &#x2705;| &#x2705; |

+ Yes, this scenario is now supported in both [single-forest](storage-files-identity-ad-ds-mount-file-share.md#mount-file-shares-using-custom-domain-names) and [multi-forest](storage-files-identity-multiple-forests.md) environments for SMB Azure file shares. However, Azure Files only supports configuring CNAMEs using the storage account name as a domain prefix. If you don't want to use the storage account name as a prefix, consider using [DFS Namespaces](files-manage-namespaces.md) instead.

+Now that you've enabled and configured identity-based authentication with AD DS, you can [mount a file share](storage-files-identity-ad-ds-mount-file-share.md).

+ Title: Mount SMB Azure file share using AD DS credentials

+description: Learn how to mount an SMB Azure file share using your on-premises Active Directory Domain Services credentials.

+The process described in this article verifies that your SMB file share and access permissions are set up correctly and that you can mount your SMB Azure file share. Remember that share-level role assignment can take some time to take effect.

+Unless you're using [custom domain names](#mount-file-shares-using-custom-domain-names), you should mount Azure file shares using the suffix `file.core.windows.net`, even if you set up a private endpoint for your share.

+Non-domain-joined VMs or VMs that are joined to a different AD domain than the storage account can access Azure file shares if they have unimpeded network connectivity to the domain controllers and provide explicit credentials. The user accessing the file share must have an identity and credentials in the AD domain that the storage account is joined to.

+## Mount file shares using custom domain names

+If you don't want to mount Azure file shares using the suffix `file.core.windows.net`, you can modify the suffix of the storage account name associated with the Azure file share, and then add a canonical name (CNAME) record to route the new suffix to the endpoint of the storage account. The following instructions are for single-forest environments only. To learn how to configure environments that have two or more forests, see [Use Azure Files with multiple Active Directory forests](storage-files-identity-multiple-forests.md).

+> [!NOTE]

+> Azure Files only supports configuring CNAMES using the storage account name as a domain prefix. If you don't want to use the storage account name as a prefix, consider using [DFS namepaces](files-manage-namespaces.md).

+In this example, we have the Active Directory domain *onpremad1.com*, and we have a storage account called *mystorageaccount* which contains SMB Azure file shares. First, we need to modify the SPN suffix of the storage account to map *mystorageaccount.onpremad1.com* to *mystorageaccount.file.core.windows.net*.

+This will allow clients to mount the share with `net use \\mystorageaccount.onpremad1.com` because clients in *onpremad1* will know to search *onpremad1.com* to find the proper resource for that storage account.

+To use this method, complete the following steps:

+1. Make sure you've set up identity-based authentication and synced your AD user account(s) to Microsoft Entra ID.

+2. Modify the SPN of the storage account using the `setspn` tool. You can find `<DomainDnsRoot>` by running the following Active Directory PowerShell command: `(Get-AdDomain).DnsRoot`

+ ```

+ setspn -s cifs/<storage-account-name>.<DomainDnsRoot> <storage-account-name>

+ ```

+3. Add a CNAME entry using Active Directory DNS Manager and follow the steps below for each storage account in the domain that the storage account is joined to. If you're using a private endpoint, add the CNAME entry to map to the private endpoint name.

+ 1. Open Active Directory DNS Manager.

+ 1. Go to your domain (for example, **onpremad1.com**).

+ 1. Go to "Forward Lookup Zones".

+ 1. Select the node named after your domain (for example, **onpremad1.com**) and right-click **New Alias (CNAME)**.

+ 1. For the alias name, enter your storage account name.

+ 1. For the fully qualified domain name (FQDN), enter **`<storage-account-name>`.`<domain-name>`**, such as **mystorageaccount.onpremad1.com**. The hostname part of the FQDN must match the storage account name. Otherwise you'll get an access denied error during the SMB session setup.

+ 1. For the target host FQDN, enter **`<storage-account-name>`.file.core.windows.net**

+ 1. Select **OK**.

+You should now be able to mount the file share using *storageaccount.domainname.com*. You can also mount the file share using the storage account key.

+Unless you're using [custom domain names](storage-files-identity-ad-ds-mount-file-share.md#mount-file-shares-using-custom-domain-names), you should mount Azure file shares using the suffix `file.core.windows.net`, even if you set up a private endpoint for your share.

+The following table lists suggested tool combinations for migrating to SMB Azure file shares.

+1. Within the intersection of source and target, a table cell lists available migration scenarios. Select one to directly link to the migration guide.

+| Network-attached storage (NAS) | <ul><li>[Via Azure File Sync upload](storage-files-migration-nas-hybrid.md)</li><li>[Via DataBox + Azure File Sync](storage-files-migration-nas-hybrid-databox.md)</li></ul> | <ul><li>Via Azure Storage Mover</li><li>[Via DataBox](storage-files-migration-nas-cloud-databox.md)</li><li>[Via RoboCopy to a mounted Azure file share](storage-files-migration-robocopy.md)</li></ul> |

+| Linux (SMB only) | <ul><li>[Azure File Sync and RoboCopy](storage-files-migration-linux-hybrid.md)</li></ul> | <ul><li>Via Azure Storage Mover</li><li>[Via RoboCopy to a mounted Azure file share](storage-files-migration-robocopy.md)</li></ul> |

+* [Quickstart: Create a Stream Analytics job by using the Azure portal](stream-analytics-quick-create-portal.md)

+* [Stream data from confluent cloud Kafka with Azure Stream Analytics](confluent-kafka-input.md)

+* [Stream data from Azure Stream Analytics into confluent cloud](confluent-kafka-output.md)

+> You must upload certificates as secrets to key vault using Azure CLI.

+* [Quickstart: Create a Stream Analytics job by using the Azure portal](stream-analytics-quick-create-portal.md)

+* [Stream data from confluent cloud Kafka with Azure Stream Analytics](confluent-kafka-input.md)

+* [Stream data from Azure Stream Analytics into confluent cloud](confluent-kafka-output.md)

+This quickstart shows you how to create a Stream Analytics job in the Azure portal. In this quickstart, you define a Stream Analytics job that reads real-time streaming data and filters messages with a temperature greater than 27. The Stream Analytics job reads data from IoT Hub, transforms the data, and writes the output data to a container in an Azure blob storage. The input data used in this quickstart is generated by a Raspberry Pi online simulator.

+1. On the device page, select the copy button next to **Primary Connection String**, and save it to a notepad to use later.

+3. Select **Analytics** > **Stream Analytics job** from the results list. If you don't see **Stream Analytics job** in the list, search for **Stream Analytics job** using the search box at the topic, and select it from the search results.

+1. On the **Stream Analytics job** page, select **Inputs** under **Job topology** on the left menu.

+1. On the **Inputs** page, select **Add input** > **IoT Hub**.

+1. On the **Outputs** page, select **Add output** > **Blob storage/ADLS Gen2**.

+1. Return to the job overview page in the Azure portal, and select **Start job**.

+ 1. Under **Select Data Lake Storage Gen 2 / Account Name**, click **Create New** and provide a global unique name, such as **contosolake**.

+ 1. Under **Select Data Lake Storage Gen 2 / File system name**, click **File System** and name it **users**.

+1. OPTION 2 See the [**Prepare a Storage Account**](#prepare-an-existing-storage-account-for-use-with-azure-synapse-analytics) instructions at the bottom of this document.

+> You need to [enable Microsoft Entra authentication](sql-data-warehouse-authentication.md) to authenticate using Microsoft Entra ID.

+* [Manage users, SSH, and check or repair disks on Azure Linux VMs using the 'VMAccess' Extension](./extensions/vmaccess-linux.md)

+There are five disk types of Azure managed disks: Azure Ultra Disks, Premium SSD v2, premium SSD, Standard SSD, and Standard HDD. You can easily switch between Premium SSD, Standard SSD, and Standard HDD based on your performance needs. Premium SSD and Standard SSD are also available with [Zone-redundant storage](disks-redundancy.md#zone-redundant-storage-for-managed-disks). You can't yet switch from or to an Ultra Disk or a Premium SSD v2, you must deploy a new one with a snapshot of an existing disk. See [Migrate to Premium SSD v2 or Ultra Disk](#migrate-to-premium-ssd-v2-or-ultra-disk) for details.

+Currently, you can only migrate an existing disk to either an Ultra Disk or a Premium SSD v2 through snapshots stored on Standard Storage (Incremental Standard HDD Snapshot). Migration with snapshots stored on Premium storage and other options isn't supported.

+To use a Premium SSD v2, you need to determine the regions and zones where it's supported. Not every region and zones support Premium SSD v2. For a list of regions, see [Regional availability](#regional-availability).

+To determine regions, and zones support premium SSD v2, replace `yourSubscriptionId` then run the following command:

+## Limitations

+### Regional availability

+| vmaccessforlinux.microsoft.ostcextensions | [VMAccess for Linux](vmaccess-linux.md#troubleshoot-and-support) |

+ Title: Reset access to an Azure Linux VM

+description: Learn how to manage administrative users and reset access on Linux VMs by using the VMAccess extension and the Azure CLI.

+# VMAccess Extension for Linux

+The VMAccess Extension is used to manage administrative users, configure SSH, and check or repair disks on Azure Linux virtual machines. The extension integrates with Azure Resource Manager templates. It can also be invoked using Azure CLI, Azure PowerShell, the Azure portal, and the Azure Virtual Machines REST API.

+This article describes how to run the VMAccess Extension from the Azure CLI and through an Azure Resource Manager template. This article also provides troubleshooting steps for Linux systems.

+> [!NOTE]

+> If you use the VMAccess extension to reset the password of your VM after you install the Microsoft Entra Login extension, rerun the Microsoft Entra Login extension to re-enable Microsoft Entra Login for your VM.

+## Prerequisites

+### Supported Linux distributions

+| **Linux Distro** | **x64** | **ARM64** |

+|:--|:--:|:--:|

+| Alma Linux | 9.x+ | 9.x+ |

+| CentOS | 7.x+, 8.x+ | 7.x+ |

+| Debian | 10+ | 11.x+ |

+| Flatcar Linux | 3374.2.x+ | 3374.2.x+ |

+| Azure Linux | 2.x | 2.x |

+| openSUSE | 12.3+ | Not Supported |

+| Oracle Linux | 6.4+, 7.x+, 8.x+ | Not Supported |

+| Red Hat Enterprise Linux | 6.7+, 7.x+, 8.x+ | 8.6+, 9.0+ |

+| Rocky Linux | 9.x+ | 9.x+ |

+| SLES | 12.x+, 15.x+ | 15.x SP4+ |

+| Ubuntu | 18.04+, 20.04+, 22.04+ | 20.04+, 22.04+ |

+### Tips

+* VMAccess was designed for regaining access to a VM given that access is lost. Based on this principle, it grants sudo permission to account specified in the username field. If you don't wish a user to gain sudo permissions, log in to the VM and use built-in tools (for example, usermod, chage, etc.) to manage unprivileged users.

+* You can only have one version of the extension applied to a VM. To run a second action, update the existing extension with a new configuration.

+* During a user update, VMAccess alters the `sshd_config` file and takes a backup of it beforehand. To restore the original backed-up SSH configuration, run VMAccess with `restore_backup_ssh` set to `True`.

+## Extension schema

+The VMAccess Extension configuration includes settings for username, passwords, SSH keys, etc. You can store this information in configuration files, specify it on the command line, or include it in an Azure Resource Manager (ARM) template. The following JSON schema contains all the properties available to use in public and protected settings.

+```json

+{

+ "type": "Microsoft.Compute/virtualMachines/extensions",

+ "name": "<name>",

+ "apiVersion": "2023-09-01",

+ "location": "<location>",

+ "dependsOn": [

+ "[concat('Microsoft.Compute/virtualMachines/', <vmName>)]"

+ ],

+ "properties": {

+ "publisher": "Microsoft.OSTCExtensions",

+ "type": "VMAccessForLinux",

+ "typeHandlerVersion": "1.5",

+ "autoUpgradeMinorVersion": true,

+ "settings": {

+ "check_disk": true,

+ "repair_disk": false,

+ "disk_name": "<disk-name>",

+ },

+ "protectedSettings": {

+ "username": "<username>",

+ "password": "<password>",

+ "ssh_key": "<ssh-key>",

+ "reset_ssh": false,

+ "remove_user": "<username>",

+ "expiration": "<expiration>",

+ "remove_prior_keys": false,

+ "restore_backup_ssh": true

+ }

+ }

+}

+```

+### Property values

+| Name | Value / Example | Data Type |

+| - | - | - |

+| apiVersion | 2023-09-01 | date |

+| publisher | Microsoft.OSTCExtensions | string |

+| type | VMAccessForLinux | string |

+| typeHandlerVersion | 1.5 | int |

+### Settings property values

+

+| Name | Data Type | Description |

+| - | - | - |

+| check_disk | boolean | Whether or not to check disk (optional). Only one between `check_disk` and `repair_disk` can be set to true. |

+| repair_disk | boolean | Whether or not to check disk (optional). Only one between `check_disk` and `repair_disk` can be set to true. |

+| disk_name | string | Name of disk to repair (required when `repair_disk` is true). |

+| username | string | The name of the user to manage (required for all actions on a user account). |

+| password | string | The password to set for the user account. |

+| ssh_key | string | The SSH public key to add for the user account. The SSH key can be in `ssh-rsa`, `ssh-ed25519`, or `.pem` format. |

+| reset_ssh | boolean | Whether or not to reset the SSH. If `true`, it replaces the sshd_config file with an internal resource file corresponding to the default SSH config for that distro. |

+| remove_user | string | The name of the user to remove. Can't be used with `reset_ssh`, `restore_backup_ssh`, and `password`. |

+| expiration | string | Expiration to set to for the account, in the form of `yyyy-mm-dd`. Defaults to never. |

+| remove_prior_keys | boolean | Whether or not to remove old SSH keys when adding a new one. Must be used with `ssh_key`. |

+| restore_backup_ssh | boolean | Whether or not to restore the original backed-up sshd_config. |

+## Template deployment

+Azure VM Extensions can be deployed with Azure Resource Manager (ARM) templates. The JSON schema detailed in the previous section can be used in an ARM template to run the VMAccess Extension during the template's deployment. You can find a sample template that includes the VMAccess extension on [GitHub](https://github.com/Azure/azure-quickstart-templates/blob/master/demos/vmaccess-on-ubuntu/azuredeploy.json).

+The JSON configuration for a virtual machine extension must be nested inside the virtual machine resource fragment of the template, specifically `"resources": []` object for the virtual machine template and for a virtual machine scale set under `"virtualMachineProfile":"extensionProfile":{"extensions" :[]` object.

+## Azure CLI deployment

+### Using Azure CLI VM user commands

+The following CLI commands under [az vm user](/cli/azure/vm/user) use the VMAccess Extension. To use these commands, you need to [install the latest Azure CLI](/cli/azure/install-az-cli2) and sign in to an Azure account by using [az login](/cli/azure/reference-index).

+#### Update SSH key

+The following example updates the SSH key for the user `azureUser` on the VM named `myVM`:

+```azurecli-interactive

+az vm user update \

+ --resource-group myResourceGroup \

+ --name myVM \

+ --username azureUser \

+ --ssh-key-value ~/.ssh/id_rsa.pub

+```

+> [!NOTE]

+> The [`az vm user update` command](/cli/azure/vm) appends the new public key text to the `~/.ssh/authorized_keys` file for the admin user on the VM. This command doesn't replace or remove any existing SSH keys. This command doesn't remove prior keys set at deployment time or subsequent updates by using the VMAccess Extension.

+#### Reset password

+The following example resets the password for the user `azureUser` on the VM named `myVM`:

+```azurecli-interactive

+az vm user update \

+ --resource-group myResourceGroup \

+ --name myVM \

+ --username azureUser \

+ --password myNewPassword

+```

+#### Restart SSH

+The following example restarts the SSH daemon and resets the SSH configuration to default values on a VM named `myVM`:

+```azurecli-interactive

+az vm user reset-ssh \

+ --resource-group myResourceGroup \

+ --name myVM

+```

+> [!NOTE]

+> The [`az vm user reset-ssh` command](/cli/azure/vm) replaces the sshd_config file with a default config file from the internal resources directory. This command doesn't restore the original SSH configuration found on the virtual machine.

+#### Create an administrative/sudo user

+The following example creates a user named `myNewUser` with sudo permissions. The account uses an SSH key for authentication on the VM named `myVM`. This method helps you regain access to a VM when current credentials are lost or forgotten. As a best practice, accounts with sudo permissions should be limited.

+```azurecli-interactive

+az vm user update \

+ --resource-group myResourceGroup \

+ --name myVM \

+ --username myNewUser \

+ --ssh-key-value ~/.ssh/id_rsa.pub

+```

+#### Delete a user

+The following example deletes a user named `myNewUser` on the VM named `myVM`:

+```azurecli-interactive

+az vm user delete \

+ --resource-group myResourceGroup \

+ --name myVM \

+ --username myNewUser

+```

+### Using Azure CLI VM/VMSS extension commands

+You can also use the [az vm extension set](/cli/azure/vm/extension#az-vm-extension-set) and [az vmss extension set](/cli/azure/vmss/extension#az-vmss-extension-set) commands to run the VMAccess Extension with the specified configuration.

+```azurecli-interactive

+az vm extension set \

+ --resource-group myResourceGroup \

+ --vm-name myVM \

+ --name VMAccessForLinux \

+ --publisher Microsoft.OSTCExtensions \

+ --version 1.5 \

+ --settings '{"check_disk":true}'

+ --protected-settings '{"username":"user1","password":"userPassword"}'

+```

+The `--settings` and `--protected-settings` parameters also accept JSON file paths. For example, to update the SSH public key of a user, create a JSON file named `update_ssh_key.json` and add settings in the following format. Replace the values within the file with your own information:

+```json

+{

+ "username":"azureuser",

+ "ssh_key":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCZ3S7gGp3rcbKmG2Y4vGZFMuMZCwoUzZNGxxxxxx2XV2x9FfAhy8iGD+lF8UdjFX3t5ebMm6BnnMh8fHwkTRdOt3LDQq8o8ElTBrZaKPxZN2thMZnODs5Hlemb2UX0oRIGRcvWqsd4oJmxsXHNF8UfCZ1ToE4r2SdwTmZv00T2i5faeYnHzxiLPA3Enub7xxxxxxwFArnqad7MO1SY1kLemhX9eFjLWN4mJe56Fu4NiWJkR9APSZQrYeKaqru4KUC68QpVasNJHbuxPSf/PcjF3cjO1+X+4x6L1H5HTPuqUkyZGgDO4ynUHbko4dhlanALcriF7tIfQR9i2r2xOyv5gxJEW/zztGqWma/d4rBoPjnf6tO7rLFHXMt/DVTkAfn5wxxtLDwkn5FMyvThRmex3BDf0gujoI1y6cOWLe9Y5geNX0oj+MXg/W0cXAtzSFocstV1PoVqy883hNoeQZ3mIGB3Q0rIUm5d9MA2bMMt31m1g3Sin6EQ== azureuser@myVM"

+}

+```

+Run the VMAccess Extension through the following command:

+```azurecli-interactive

+az vm extension set \

+ --resource-group myResourceGroup \

+ --vm-name myVM \

+ --name VMAccessForLinux \

+ --publisher Microsoft.OSTCExtensions \

+ --version 1.5 \

+ --protected-settings update_ssh_key.json

+```

+## Azure PowerShell deployment

+Azure PowerShell can be used to deploy the VMAccess Extension to an existing virtual machine or virtual machine scale set. You can deploy the extension to a VM by running:

+```azurepowershell-interactive

+$username = "<username>"

+$sshKey = "<cert-contents>"

+$settings = @{"check_disk" = $true};

+$protectedSettings = @{"username" = $username; "ssh_key" = $sshKey};

+Set-AzVMExtension -ResourceGroupName "<resource-group>" `

+ -VMName "<vm-name>" `

+ -Location "<location>" `

+ -Publisher "Microsoft.OSTCExtensions" `

+ -ExtensionType "VMAccessForLinux" `

+ -Name "VMAccessForLinux" `

+ -TypeHandlerVersion "1.5" `

+ -Settings $settings `

+ -ProtectedSettings $protectedSettings

+```

+You can also provide and modify extension settings by using strings:

+```azurepowershell-interactive

+$username = "<username>"

+$sshKey = "<cert-contents>"

+$settingsString = '{"check_disk":true}';

+$protectedSettingsString = '{"username":"' + $username + '","ssh_key":"' + $sshKey + '"}';

+Set-AzVMExtension -ResourceGroupName "<resource-group>" `

+ -VMName "<vm-name>" `

+ -Location "<location>" `

+ -Publisher "Microsoft.OSTCExtensions" `

+ -ExtensionType "VMAccessForLinux" `

+ -Name "VMAccessForLinux" `

+ -TypeHandlerVersion "1.5" `

+ -SettingString $settingsString `

+ -ProtectedSettingString $protectedSettingsString

+```

+To deploy to a virtual machine scale set, run the following command:

+```azurepowershell-interactive

+$resourceGroupName = "<resource-group>"

+$vmssName = "<vmss-name>"

+$protectedSettings = @{

+ "username" = "azureUser"

+ "password" = "userPassword"

+}

+$publicSettings = @{

+ "repair_disk" = $true

+ "disk_name" = "<disk_name>"

+}

+$vmss = Get-AzVmss `

+ -ResourceGroupName $resourceGroupName `

+ -VMScaleSetName $vmssName

+Add-AzVmssExtension -VirtualMachineScaleSet $vmss `

+ -Name "<extension-name>" `

+ -Publisher "Microsoft.OSTCExtensions" `

+ -Type "VMAccessForLinux" `

+ -TypeHandlerVersion "1.5"" `

+ -AutoUpgradeMinorVersion $true `

+ -Setting $publicSettings `

+ -ProtectedSetting $protectedSettings

+Update-AzVmss `

+ -ResourceGroupName $resourceGroupName `

+ -Name $vmssName `

+ -VirtualMachineScaleSet $vmss

+```

+## Troubleshoot and support

+The VMAccess extension logs exist locally on the VM and are most informative when it comes to troubleshooting.

+| Location | Description |

+| - | - |

+| /var/log/waagent.log | Contains logs from the Linux Agent and shows when an update to the extension occurred. We can check it to ensure the extension ran. |

+| /var/log/azure/Microsoft.OSTCExtensions.VMAccessForLinux/* | The VMAccess Extension produces logs, which can be found here. The directory contains `CommandExecution.log` where you can find each command executed along with its result, along with `extension.log`, which contains individual logs for each execution. |

+| /var/lib/waagent/Microsoft.OSTCExtensions.VMAccessForLinux-\<most recent version\>/config/* | The configuration and binaries for VMAccess VM Extension. |

+|||

+You can also retrieve the execution state of the VMAccess Extension, along with other extensions on a given VM, by running the following command:

+```azurecli-interactive

+az vm extension list --resource-group myResourceGroup --vm-name myVM -o table

+```

+For more help, you can contact the Azure experts at [Azure Community Support](https://azure.microsoft.com/support/forums/). Alternatively, you can file an Azure support incident. Go to [Azure support](https://azure.microsoft.com/support/options/) and select **Get support**. For more information about Azure Support, read the [Azure support plans FAQ](https://azure.microsoft.com/support/faq/).

+## Next steps

+To see the code, current versions, and more documentation, see [VMAccess Linux - GitHub](https://github.com/Azure/azure-linux-extensions/tree/master/VMAccess).

+ If you forgot your password or username see [Reset Access to an Azure VM](./extensions/vmaccess-linux.md)

+ If you forgot your password or username see [Reset Access to an Azure VM](./extensions/vmaccess-linux.md)

+ * **Address Prefix:** 0.0.0.0/0

+For information about working with the legacy gateway SKUs (Basic, Standard, and High Performance), including SKU deprecation, see [Managing legacy gateway SKUs](vpn-gateway-about-skus-legacy.md).

+> If you're working with a legacy gateway SKU (Basic, Standard, and High Performance), see [Managing Legacy gateway SKUs](vpn-gateway-about-skus-legacy.md).

+description: How to work with the old virtual network gateway SKUs; Basic, Standard, and High Performance.

+## SKU deprecation

+The Standard and High Performance SKUs will be deprecated September 30, 2025. The product team will make a migration path available for these SKUs by November 30, 2024. **At this time, there's no action that you need to take**.

+There are no [price](https://azure.microsoft.com/pricing/details/vpn-gateway/) changes if you migrate to Standard (VpnGw1) and High Performance (VpnGw2) gateways. As a benefit, there's a performance improvement after migrating:

+* **Standard** 6.5x

+* **High Performance** 5x

+If you don't migrate your gateway by September 30, 2025, your gateway will be automatically upgraded to AZ gateways: VpnGw1AZ (Standard) or VpnGw2AZ (High Performance).

+Important Dates:

+* **December 1, 2023**: No new gateway creations possible on Standard / High Performance SKUs

+* **November 30, 2024**: Begin migrating gateways to other SKUs

+* **September 30, 2025**: Standard/High Performance SKUs will be retired and gateways will be automatically migrated

+Except for the Basic SKU, you can resize your gateway to a gateway SKU within the same SKU family. For example, if you have a Standard SKU, you can resize to a High Performance SKU. However, you can't resize your VPN gateway between the old SKUs and the new SKU families. For example, you can't go from a Standard SKU to a VpnGw2 SKU, or a Basic SKU to VpnGw1.

+You can resize a gateway for the [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md) using the Azure portal or PowerShell. For PowerShell, use the following command:

+To resize a gateway for the [classic deployment model](../azure-resource-manager/management/deployment-models.md), you must use the Service Management PowerShell cmdlets. Use the following command:

+> [!NOTE]

+> Standard and High Performance SKUs will be deprecated September 30, 2025. While you can choose to change to the new gateway SKUs at any point, there is no requirement to do so at this time. The product team will make a migration path available for these SKUs by November 30, 2024. See [Legacy SKU deprecation](#sku-deprecation) for more information.

+ Title: What's new in Azure VPN Gateway?

+description: Learn what's new with Azure VPN Gateway such as the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes.

+# What's new in Azure VPN Gateway?

+Azure VPN Gateway is updated regularly. Stay up to date with the latest announcements. This article provides you with information about:

+* Recent releases

+* Previews underway with known limitations (if applicable)

+* Known issues

+* Deprecated functionality (if applicable)

+You can also find the latest VPN Gateway updates and subscribe to the RSS feed [here](https://azure.microsoft.com/updates/?category=networking&query=azure%20vpn%20gateway).

+## Recent releases and announcements

+| Type | Area | Name | Description | Date added | Limitations |

+|||||||

+|SKU deprecation | N/A | Standard/High performance VPN gateway SKU | Legacy SKUs (Standard and HighPerformance) will be deprecated on 30 Sep 2025. | Nov 2023 | N/A |

+|Feature | All | [Customer-controlled gateway maintenance](customer-controlled-gateway-maintenance.md) |Customers can schedule maintenance (Guest OS and Service updates) during a time of the day that best suits their business needs. | Nov 2023 (Public preview)| See the [FAQ](vpn-gateway-vpn-faq.md#customer-controlled).

+| Feature | All | [APIPA for VPN Gateway (General availability)](bgp-howto.md#2-create-testvnet1-gateway-with-bgp) | All SKUs of active-active VPN gateways now support multiple custom BGP APIPA addresses for each instance. | Jan 2022 | N/A |

+## Next steps

+* [What is Azure VPN Gateway?](vpn-gateway-about-vpngateways.md)

+* [VPN Gateway FAQ](vpn-gateway-vpn-faq.md)