+ Title: Tutorial to enable Secure Hybrid Access to applications with Azure AD B2C and F5 BIG-IP

+# Tutorial: Secure Hybrid Access to applications with Azure AD B2C and F5 BIG-IP

+For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way forcing a strict path through the BIG-IP.

+Unlocking the strict configuration prevents any further changes via the wizard UI, leaving all BIG-IP objects associated with the published instance of the application open for direct management.

+This is a policy violation due to the BIG-IPΓÇÖs inability to validate the signature of the token issued by Azure AD B2C. The same access log should be able to provide more detail on the issue.

+Exact root cause is still being investigated by F5 engineering, but issue appears related to the AGC not enabling the Auto JWT setting during deployment, thereby preventing the APM from obtaining the current token signing keys.

+You should now see the Key (JWT) field populated with the key ID (KID) of the token signing certificate provided through the OpenID URI metadata.

+// good for prototyping and testing, but this is NOT persisted and it is NOT distributed - do not use in production

+- [Troubleshooting](https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Cache-Troubleshooting)

+- [Troubleshooting](https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Cache-Troubleshooting)

+Even if you want to provide a multitenant tool, you should use a tenant ID or domain name, and **not** `common` or `organizations` with this flow, because the service cannot reliably infer which tenant should be used.

+> [!NOTE]

+> You can't deploy a daemon application to a regular user's device, and a regular user can't access a daemon application. Only a limited set of IT administrators can access devices that have daemon applications running, so a bad actor can't access a client secret or token from device traffic and act on behalf of the daemon application. The daemon application scenario doesn't replace device authentication.

+>

+> Examples of non-daemon applications:

+> - A mobile application that accesses a web service on behalf of an application, but not on behalf of a user.

+> - An IoT device that accesses a web service on behalf of a device, but not on behalf of a user.

+>

+ nodeIntegration: true,

+ contextIsolation: false

+For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value. The values must exactly match the configuration in the [GitHub workflow](https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions#on). For more info, read the [examples](#entity-type-examples).

+### Entity type examples

+#### Branch example

+For a workflow triggered by a push or pull request event on the main branch:

+```yml

+on:

+ push:

+ branches: [ main ]

+ pull_request:

+ branches: [ main ]

+```

+Specify an **Entity type** of **Branch** and a **GitHub branch name** of "main".

+#### Environment example

+For Jobs tied to an environment named "production":

+```yml

+on:

+ push:

+ branches:

+ - main

+jobs:

+ deployment:

+ runs-on: ubuntu-latest

+ environment: production

+ steps:

+ - name: deploy

+ # ...deployment-specific steps

+```

+Specify an **Entity type** of **Environment** and a **GitHub environment name** of "production".

+#### Tag example

+For example, for a workflow triggered by a push to the tag named "v2":

+```yml

+on:

+ push:

+ # Sequence of patterns matched against refs/heads

+ branches:

+ - main

+ - 'mona/octocat'

+ - 'releases/**'

+ # Sequence of patterns matched against refs/tags

+ tags:

+ - v2

+ - v1.*

+```

+Specify an **Entity type** of **Tag** and a **GitHub tag name** of "v2".

+#### Pull request example

+For a workflow triggered by a pull request event, specify an **Entity type** of **Pull request**.

+For an end-to-end example, read [Deploy to App Service using GitHub Actions](/azure/app-service/deploy-github-actions?tabs=openid).

+>This information last updated on January 28th, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Dynamics 365 AI for Market Insights (Preview) | SOCIAL_ENGAGEMENT_APP_USER | c6df1e30-1c9f-427f-907c-3d913474a1c7 | SOCIAL_ENGAGEMENT_APP_USER (339f4def-5ad8-4430-8d12-da5fd4c769a7)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 AI for Market Insights ΓÇô Free (339f4def-5ad8-4430-8d12-da5fd4c769a7)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 Customer Insights Viral | DYN365_CUSTOMER_INSIGHTS_VIRAL | 036c2481-aa8a-47cd-ab43-324f0c157c2d | CDS_CUSTOMER_INSIGHTS_TRIAL (94e5cbf6-d843-4ee8-a2ec-8b15eb52019e)<br/>DYN365_CUSTOMER_INSIGHTS_ENGAGEMENT_INSIGHTS_BASE_TRIAL (e2bdea63-235e-44c6-9f5e-5b0e783f07dd)<br/>DYN365_CUSTOMER_INSIGHTS_VIRAL (ed8e8769-94c5-4132-a3e7-7543b713d51f)<br/>Forms_Pro_Customer_Insights (fe581650-cf61-4a09-8814-4bd77eca9cb5) | Common Data Service for Customer Insights Trial (94e5cbf6-d843-4ee8-a2ec-8b15eb52019e)<br/>Dynamics 365 Customer Insights Engagement Insights Viral (e2bdea63-235e-44c6-9f5e-5b0e783f07dd)<br/>Dynamics 365 Customer Insights Viral Plan (ed8e8769-94c5-4132-a3e7-7543b713d51f)<br/>Microsoft Dynamics 365 Customer Voice for Customer Insights (fe581650-cf61-4a09-8814-4bd77eca9cb5) |

+| Dynamics 365 Customer Service Enterprise Viral Trial | Dynamics_365_Customer_Service_Enterprise_viral_trial | 1e615a51-59db-4807-9957-aa83c3657351 | CUSTOMER_VOICE_DYN365_VIRAL_TRIAL (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>CCIBOTS_PRIVPREV_VIRAL (ce312d15-8fdf-44c0-9974-a25a177125ee)<br/>DYN365_CS_MESSAGING_VIRAL_TRIAL (3bf52bdf-5226-4a97-829e-5cca9b3f3392)<br/>DYN365_CS_ENTERPRISE_VIRAL_TRIAL (94fb67d3-465f-4d1f-a50a-952da079a564)<br/>DYNB365_CSI_VIRAL_TRIAL (33f1466e-63a6-464c-bf6a-d1787928a56a)<br/>DYN365_CS_VOICE_VIRAL_TRIAL (3de81e39-4ce1-47f7-a77f-8473d4eb6d7c)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>POWER_APPS_DYN365_VIRAL_TRIAL (54b37829-818e-4e3c-a08a-3ea66ab9b45d)<br/>POWER_AUTOMATE_DYN365_VIRAL_TRIAL (81d4ecb8-0481-42fb-8868-51536c5aceeb) | Customer Voice for Dynamics 365 vTrial (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>Dynamics 365 AI for Customer Service Virtual Agents Viral (ce312d15-8fdf-44c0-9974-a25a177125ee)<br/>Dynamics 365 Customer Service Digital Messaging vTrial (3bf52bdf-5226-4a97-829e-5cca9b3f3392)<br/>Dynamics 365 Customer Service Enterprise vTrial (94fb67d3-465f-4d1f-a50a-952da079a564)<br/>Dynamics 365 Customer Service Insights vTrial (33f1466e-63a6-464c-bf6a-d1787928a56a)<br/>Dynamics 365 Customer Service Voice vTrial (3de81e39-4ce1-47f7-a77f-8473d4eb6d7c)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power Apps for Dynamics 365 vTrial (54b37829-818e-4e3c-a08a-3ea66ab9b45d)<br/>Power Automate for Dynamics 365 vTrial (81d4ecb8-0481-42fb-8868-51536c5aceeb) |

+| Dynamics 365 Field Service Viral Trial | Dynamics_365_Field_Service_Enterprise_viral_trial | 29fcd665-d8d1-4f34-8eed-3811e3fca7b3 | CUSTOMER_VOICE_DYN365_VIRAL_TRIAL (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>DYN365_FS_ENTERPRISE_VIRAL_TRIAL (20d1455b-72b2-4725-8354-a177845ab77d)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>POWER_APPS_DYN365_VIRAL_TRIAL (54b37829-818e-4e3c-a08a-3ea66ab9b45d)<br/>POWER_AUTOMATE_DYN365_VIRAL_TRIAL (81d4ecb8-0481-42fb-8868-51536c5aceeb) | Customer Voice for Dynamics 365 vTrial (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>Dynamics 365 Field Service Enterprise vTrial (20d1455b-72b2-4725-8354-a177845ab77d)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power Apps for Dynamics 365 vTrial (54b37829-818e-4e3c-a08a-3ea66ab9b45d)<br/>Power Automate for Dynamics 365 vTrial (81d4ecb8-0481-42fb-8868-51536c5aceeb) |

+| Dynamics 365 For Sales Professional | D365_SALES_PRO | be9f9771-1c64-4618-9907-244325141096 | DYN365_SALES_PRO (88d83950-ff78-4e85-aa66-abfc787f8090)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>POWERAPPS_SALES_PRO (6f9f70ce-138d-49f8-bb8b-2e701b7dde75)<br/>FLOW_SALES_PRO (f944d685-f762-4371-806d-a1f48e5bea13)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72) | Dynamics 365 for Sales Professional (88d83950-ff78-4e85-aa66-abfc787f8090)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Power Apps for Sales Pro (6f9f70ce-138d-49f8-bb8b-2e701b7dde75)<br/>Power Automate for Sales Pro (f944d685-f762-4371-806d-a1f48e5bea13)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72) |

+| Dynamics 365 For Sales Professional Trial | D365_SALES_PRO_IW | 9c7bff7a-3715-4da7-88d3-07f57f8d0fb6 | D365_SALES_PRO_IW (73f205fc-6b15-47a5-967e-9e64fdf72d0a)<br/>D365_SALES_PRO_IW_Trial (db39a47e-1f4f-462b-bf5b-2ec471fb7b88) | Dynamics 365 for Sales Professional Trial (73f205fc-6b15-47a5-967e-9e64fdf72d0a)<br/>Dynamics 365 for Sales Professional Trial (db39a47e-1f4f-462b-bf5b-2ec471fb7b88) |

+| Dynamics 365 Marketing Business Edition | DYN365_BUSINESS_MARKETING | 238e2f8d-e429-4035-94db-6926be4ffe7b | DYN365_BUSINESS_Marketing (393a0c96-9ba1-4af0-8975-fa2f853a25ac)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 Marketing (393a0c96-9ba1-4af0-8975-fa2f853a25ac)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 Regulatory Service - Enterprise Edition Trial | DYN365_REGULATORY_SERVICE | 7ed4877c-0863-4f69-9187-245487128d4f | DYN365_REGULATORY_SERVICE (c7657ae3-c0b0-4eed-8c1d-6a7967bd9c65)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Finance and Operations, Enterprise edition - Regulatory Service (c7657ae3-c0b0-4eed-8c1d-6a7967bd9c65)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 Sales Premium Viral Trial | Dynamics_365_Sales_Premium_Viral_Trial | 6ec92958-3cc1-49db-95bd-bc6b3798df71 | CUSTOMER_VOICE_DYN365_VIRAL_TRIAL (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>DYN365_SALES_ENTERPRISE_VIRAL_TRIAL (7f636c80-0961-41b2-94da-9642ccf02de0)<br/>DYN365_SALES_INSIGHTS_VIRAL_TRIAL (456747c0-cf1e-4b0d-940f-703a01b964cc)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>POWER_APPS_DYN365_VIRAL_TRIAL (54b37829-818e-4e3c-a08a-3ea66ab9b45d)<br/>POWER_AUTOMATE_DYN365_VIRAL_TRIAL (81d4ecb8-0481-42fb-8868-51536c5aceeb) | Customer Voice for Dynamics 365 vTrial (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>Dynamics 365 Sales Enterprise vTrial (7f636c80-0961-41b2-94da-9642ccf02de0)<br/>Dynamics 365 Sales Insights vTrial (456747c0-cf1e-4b0d-940f-703a01b964cc)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power Apps for Dynamics 365 vTrial (54b37829-818e-4e3c-a08a-3ea66ab9b45d)<br/>Power Automate for Dynamics 365 vTrial (81d4ecb8-0481-42fb-8868-51536c5aceeb) |

+| Dynamics 365 Talent: Attract | Dynamics_365_Hiring_SKU | e561871f-74fa-4f02-abee-5b0ef54dd36d | DYN365_CDS_DYN_APPS (2d925ad8-2479-4bd8-bb76-5b80f1d48935)<br/>Dynamics_365_Hiring_Free_PLAN (f815ac79-c5dd-4bcc-9b78-d97f7b817d0d)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Common Data Service (2d925ad8-2479-4bd8-bb76-5b80f1d48935)<br/>Dynamics 365 for Talent: Attract (f815ac79-c5dd-4bcc-9b78-d97f7b817d0d)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Microsoft 365 F5 Security + Compliance Add-on | SPE_F5_SECCOMP | 32b47245-eb31-44fc-b945-a8b1576c439f | AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>RMS_S_PREMIUM2 (5689bec4-755d-4753-8b61-40975025187c)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>BPOS_S_DlpAddOn (9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed)<br/>EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>DATA_INVESTIGATIONS (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>ADALLOM_S_STANDALONE (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>WINDEFATP(871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>ATA (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>MICROSOFTENDPOINTDLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>INSIDER_RISK (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>ML_CLASSIFICATION (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>RECORDS_MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>PAM_ENTERPRISE (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f) | Azure Active Directory Premium P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>Azure Information Protection Premium P2 (5689bec4-755d-4753-8b61-40975025187c)<br/>Customer Lockbox (9f431833-0334-42de-a7dc-70aa40db46db)<br/>Data Loss Prevention (9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed)<br/>Exchange Online Archiving (176a09a6-7ec5-4039-ac02-b2791c6ba793)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics ΓÇô Premium (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>Information Protection for Office 365 ΓÇô Premium (efb0351d-3b08-4503-993d-383af8de41e3)<br/> Microsoft 365 Advanced Auditing (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>Microsoft 365 Communication Compliance (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>Microsoft 365 Defender (bf28f719-7844-4079-9c78-c1307898e192)<br/>Microsoft Communications DLP(6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>Microsoft Customer Key (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>Microsoft Data Investigations (46129a58-a698-46f0-aa5b-17f6586297d9)<br/> Microsoft Defender for Cloud Apps (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>Microsoft Defender for Endpoint (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>Microsoft Defender for Identity (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f)<br/>Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>Microsoft Defender for Office 365 (Plan 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>Microsoft Endpoint DLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>Microsoft Information Governance (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>Microsoft Insider Risk Management (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>Microsoft ML-Based Classification (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>Microsoft Records Management (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>Office 365 Advanced eDiscovery (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>Office 365 Privileged Access Management (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>Premium Encryption in Office 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f) |

+| Microsoft Power Apps for Developer | POWERAPPS_DEV | 5b631642-bd26-49fe-bd20-1daaa972ef80 | DYN365_CDS_DEV_VIRAL (d8c638e2-9508-40e3-9877-feb87603837b)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW_DEV_VIRAL (c7ce3f26-564d-4d3a-878d-d8ab868c85fe)<br/>POWERAPPS_DEV_VIRAL (a2729df7-25f8-4e63-984b-8a8484121554) | Common Data Service - DEV VIRAL (d8c638e2-9508-40e3-9877-feb87603837b)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Flow for Developer (c7ce3f26-564d-4d3a-878d-d8ab868c85fe)<br/>PowerApps for Developer (a2729df7-25f8-4e63-984b-8a8484121554) |

+| Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB | CPC_E_2C_8GB_128GB | e2aebe6c-897d-480f-9d62-fff1381581f7 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CPC_2 (3efff3fe-528a-4fc5-b1ba-845802cc764f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB (3efff3fe-528a-4fc5-b1ba-845802cc764f) |

+| Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB (Preview) | CPC_LVL_2 | 461cb62c-6db7-41aa-bf3c-ce78236cdb9e | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CPC_2 (3efff3fe-528a-4fc5-b1ba-845802cc764f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB (3efff3fe-528a-4fc5-b1ba-845802cc764f) |

+| Windows 365 Enterprise 4 vCPU, 16 GB, 256 GB (Preview) | CPC_LVL_3 | bbb4bf6e-3e12-4343-84a1-54d160c00f40 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CPC_E_4C_16GB_256GB (9ecf691d-8b82-46cb-b254-cd061b2c02fb) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Windows 365 Enterprise 4 vCPU, 16 GB, 256 GB (9ecf691d-8b82-46cb-b254-cd061b2c02fb) |

+This article shows you how to assign users and groups to an enterprise application in Azure Active Directory (Azure AD) using PowerShell. When you assign a user to an application, the application appears in the user's [My Apps](https://myapps.microsoft.com/) portal for easy access. If the application exposes roles, you can also assign a specific role to the user.

+When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups.

+Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are not currently supported. For more licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).

+For greater control, certain types of enterprise applications can be configured to require user assignment. See [Manage access to an application](what-is-access-management.md#requiring-user-assignment-for-an-app) for more information on requiring user assignment for an app.

+- An Azure account with an active subscription. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+This article shows you how to configure linked-based single sign-on (SSO) for your application in Azure Active Directory (Azure AD). Linked-based SSO enables Azure AD to provide SSO to an application that is already configured for SSO in another service. The linked option lets you configure the target location when a user selects the application in your organization's My Apps or Microsoft 365 portal.

+- [Manage access to apps](what-is-access-management.md)

+# Tutorial: Configure F5 BIG-IP SSL-VPN for Azure AD SSO

+In this tutorial, learn how to integrate F5ΓÇÖs BIG-IP based Secure socket layer Virtual Private Network (SSL-VPN) with Azure Active Directory (AD) for Secure Hybrid Access (SHA).

+Enabling a BIG-IP SSL-VPN for Azure AD single sign-on (SSO) provides many benefits, including:

+- Improved Zero trust governance through Azure AD pre-authentication and [Conditional Access](/conditional-access/overview)

+- Manage Identities and access from a single control plane, the [Azure portal](https://azure.microsoft.com/features/azure-portal/)

+To learn about all of the benefits, see [Integrate F5 BIG-IP with Azure Active Directory](./f5-aad-integration.md) and [What is single sign-on in Azure Active Directory?](/azure/active-directory/active-directory-appssoaccess-whatis).

+Despite these great value adds, classic VPNs do however remain network orientated, often providing little to zero fine grained access to corporate applications. For this reason, we encourage moving to a more Identity centric approach at achieving Zero Trust [access on a per application basis](/fundamentals/five-steps-to-full-application-integration-with-azure-ad).

+In this scenario, the BIG-IP APM instance of the SSL-VPN service will be configured as a SAML Service Provider (SP) and Azure AD becomes the trusted SAML IDP. SSO from Azure AD is then provided through claims-based authentication to the BIG-IP APM, providing a seamless VPN access experience.

+Familiarizing yourself with [F5 BIG-IP terminology](https://www.f5.com/services/resources/glossary) will also help understand the various components referenced throughout the tutorial.

+Providing an SLO URL ensures a user session is terminated at both ends, the BIG-IP and Azure AD, after the user signs out. BIG-IP APM also provides an [option](https://support.f5.com/csp/article/K12056) for terminating all sessions when calling a specific application URL.

+SP **Name** settings are only required if the entity ID isn't an exact match of the hostname portion of the published URL, or if it isnΓÇÖt in regular hostname-based URL format. Provide the external scheme and hostname of the application being published if entity ID is `urn:ssl-vpn:contosoonline`.

+## Additional resources

+- [The end of passwords, go passwordless](https://www.microsoft.com/security/business/identity/passwordless)

+- [Five steps to full application integration with Azure AD](../fundamentals/five-steps-to-full-application-integration-with-azure-ad.md)

+- [Microsoft Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

+Enabling BIG-IP published services for Azure Active Directory (Azure AD) SSO provides many benefits, including:

+- Improved Zero Trust governance through Azure AD pre-authentication and [Conditional Access](/conditional-access/overview)

+- Identities and access are managed from a single control plane, the [Azure portal](https://azure.microsoft.com/features/azure-portal/)

+- Improved Zero trust governance through Azure AD pre-authentication and [Conditional Access](/conditional-access/overview)

+- Manage identities and access from a single control plane, the [Azure portal](https://azure.microsoft.com/features/azure-portal)

+ * Improved Zero Trust governance through Azure AD pre-authentication and [Conditional Access](/conditional-access/overview)

+ * Manage Identities and access from a single control plane, the [Azure portal](https://portal.azure.com/)

+Enabling BIG-IP published services for Azure Active Directory (Azure AD) SSO provides many benefits, including:

+* Improved Zero Trust governance through Azure AD pre-authentication and [Conditional Access](/conditional-access/overview)

+* Management of identities and access from a single control plane, the [Azure portal](https://azure.microsoft.com/features/azure-portal/)

+* Improved Zero Trust governance through Azure AD pre-authentication and [Conditional Access](/conditional-access/overview)

+* Manage identities and access from a single control plane, the [Azure portal](https://portal.azure.com/)

+* Improved Zero Trust governance through Azure AD pre-authentication and [Conditional Access](/conditional-access/overview)

+ If you configured the application for SP-initiated SAML-based SSO and you change the SSO mode to disabled, it won't stop users from signing in to the application outside the MyApps portal. To achieve this, you need to disable the ability for users to sign in.

+A common challenge for developers is the management of secrets and credentials used to secure communication between different components making up a solution. Managed identities eliminate the need for developers to manage credentials.

+Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens. With [Azure Key Vault](../../key-vault/general/overview.md), developers can use managed identities to access resources. Key Vault stores credentials in a secure manner and gives access to storage accounts.

+The following video shows how you can use managed identities:</br>

+Here are some of the benefits of using managed identities:

+- You don't need to manage credentials. Credentials arenΓÇÖt even accessible to you.

+- You can use managed identities to authenticate to any resource that supports [Azure AD authentication](../authentication/overview-authentication.md), including your own applications.

+- **System-assigned**. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD. The identity is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

+- **User-assigned**. You may also create a managed identity as a standalone Azure resource. You can [create a user-assigned managed identity](how-to-manage-ua-identity-portal.md) and assign it to one or more instances of an Azure service. For user-assigned managed identities, the identity is managed separately from the resources that use it. </br></br>

+The following table shows the differences between the two types of managed identities:

+| Creation | Created as part of an Azure resource (for example, Azure Virtual Machines or Azure App Service). | Created as a stand-alone Azure resource. |

+| Sharing across Azure resources | CanΓÇÖt be shared. <br/> It can only be associated with a single Azure resource. | Can be shared. <br/> The same user-assigned managed identity can be associated with more than one Azure resource. |

+| Common use cases | Workloads that are contained within a single Azure resource. <br/> Workloads for which you need independent identities. <br/> For example, an application that runs on a single virtual machine. | Workloads that run on multiple resources and can share a single identity. <br/> Workloads that need pre-authorization to a secure resource, as part of a provisioning flow. <br/> Workloads where resources are recycled frequently, but permissions should stay consistent. <br/> For example, a workload where multiple virtual machines need to access the same resource. |

+> Regardless of the type of identity chosen, a managed identity is a service principal of a special type that can only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed.

+<br/>

+[](media/overview/when-use-managed-identities.png#lightbox)

+Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of supported Azure services, see [services that support managed identities for Azure resources](./services-support-managed-identities.md).

+- Use role-based access control (RBAC) to [grant permissions](howto-assign-access-portal.md).

+- View the create, read, update, and delete (CRUD) operations in [Azure Activity logs](../../azure-monitor/essentials/activity-log.md).

+- View sign in activity in Azure AD [sign in logs](../reports-monitoring/concept-sign-ins.md).

+- You can [create, read, update, and delete](how-to-manage-ua-identity-portal.md) the identities.

+- View sign in activity in Azure AD [sign in logs](../reports-monitoring/concept-sign-ins.md).

+Operations on managed identities can be performed by using an Azure Resource Manager template, the Azure portal, Azure CLI, PowerShell, and REST APIs.

+* [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing)

+In this article, using the Azure portal, you learn how to perform the following managed identities for Azure resources operations on a virtual machine scale set:

+ Title: 'Tutorial: Azure AD SSO integration with Balsamiq Wireframes'

+description: Learn how to configure single sign-on between Azure Active Directory and Balsamiq Wireframes.

+# Tutorial: Azure AD SSO integration with Balsamiq Wireframes

+In this tutorial, you'll learn how to integrate Balsamiq Wireframes with Azure Active Directory (Azure AD). When you integrate Balsamiq Wireframes with Azure AD, you can:

+* Control in Azure AD who has access to Balsamiq Wireframes.

+* Enable your users to be automatically signed-in to Balsamiq Wireframes with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Balsamiq Wireframes single sign-on (SSO) enabled subscription.

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Balsamiq Wireframes supports **SP and IDP** initiated SSO.

+* Balsamiq Wireframes supports **Just In Time** user provisioning.

+## Add Balsamiq Wireframes from the gallery

+To configure the integration of Balsamiq Wireframes into Azure AD, you need to add Balsamiq Wireframes from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Balsamiq Wireframes** in the search box.

+1. Select **Balsamiq Wireframes** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Balsamiq Wireframes

+Configure and test Azure AD SSO with Balsamiq Wireframes using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Balsamiq Wireframes.

+To configure and test Azure AD SSO with Balsamiq Wireframes, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Balsamiq Wireframes SSO](#configure-balsamiq-wireframes-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Balsamiq Wireframes test user](#create-balsamiq-wireframes-test-user)** - to have a counterpart of B.Simon in Balsamiq Wireframes that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Balsamiq Wireframes** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a URL using the following pattern:

+ `https://balsamiq.cloud/samlsso/<ID>`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://balsamiq.cloud/samlsso/<ID>`

+ c. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://balsamiq.cloud/samlsso/<ID>`

+ d. In the **Relay State** text box, type a URL using the following pattern:

+ `https://balsamiq.cloud/<ID>/projects`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL, Sign-on URL and Relay State. Contact [Balsamiq Wireframes Client support team](mailto:support@balsamiq.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Balsamiq Wireframes application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Balsamiq Wireframes application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+

+ | Name | Source Attribute|

+ | -| |

+ | Email | user.mail |

+ | firstName | user.givenname |

+ | lastName | user.surname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Balsamiq Wireframes** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Balsamiq Wireframes.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Balsamiq Wireframes**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Balsamiq Wireframes SSO

+1. Log in to your Balsamiq Wireframes company site as an administrator.

+1. Go to **Settings** > **Space Settings** and click **Configure SSO** under Single Sign-On Authentication.

+ 

+1. Copy all the required values and paste it in **Basic SAML Configuration** section in the Azure portal and click **Next**.

+ 

+1. In the **Configure IDp** section, perform the following steps:

+ 

+ 1. In the **SAML 2.0 Endpoint(HTTP)** textbox, paste the value of **Login URL**, which you have copied from the Azure portal.

+ 1. In the **Identity Provider Issuer** textbox, paste the value of **Azure AD Identifier**, which you have copied from the Azure portal.

+ 1. Open the downloaded **Federation Metadata XML** file from the Azure portal and **Upload** the file into **Public Certificate** section.

+

+ 1. Click **Next**.

+ > [!Note]

+ > If you have an IdP Metadata file to upload, the fields will be automatically populated.

+1. Verify your SAML configuration, click **Test SAML Login** button and click **Next**.

+ 

+1. After the successful test configuration, click **Turn on SAML SSO Now**.

+ 

+### Create Balsamiq Wireframes test user

+In this section, a user called Britta Simon is created in Balsamiq Wireframes. Balsamiq Wireframes supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Balsamiq Wireframes, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Balsamiq Wireframes Sign on URL where you can initiate the login flow.

+* Go to Balsamiq Wireframes Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Balsamiq Wireframes for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Balsamiq Wireframes tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Balsamiq Wireframes for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Balsamiq Wireframes you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+In many cases, AKS can determine if a node is unhealthy and attempt to repair the issue, but there are cases where AKS either can't repair the issue or can't detect that there is an issue. For example, AKS can't detect issues if a node status is not being reported due to error in network configuration, or has failed to initially register as a healthy node.

+* .NET 4.8 Framework

+Install <a href="https://www.visualstudio.com/downloads/" target="_blank">Visual Studio 2022</a> with the **ASP.NET and web development** and **Azure development** workloads.

+1. In the **Publish** tab, scroll back up to the top and click **Publish**. Once your ASP.NET app is deployed to Azure. Your default browser is launched with the URL to the deployed app.

+Visual Studio lets you explore and manage your new database in Azure easily in the **SQL Server Object Explorer**. The new database already opened its firewall to the App Service app that you created. But to access it from your local computer (such as from Visual Studio), you must open a firewall for your local machine's public IP address. If your internet service provider changes your public IP address, you need to reconfigure the firewall to access the Azure database again.

+1. In the publish page, scroll down to the **Hosting** section.

+1. At the right-hand corner, click **...** > **View Streaming Logs**.

+1. To change the trace levels to output other trace messages, go back to the publish page.

+1. In the **Hosting** section, click **...** > **Open in Azure portal**.

+> [Tutorial: Connect to SQL Database from App Service without secrets using a managed identity](tutorial-connect-msi-sql-database.md)

+Compared to earlier versions of the App Service Environment, there are some differences with App Service Environment v3:

+This article shows you how to create a managed identity for App Service and Azure Functions applications and how to use it to access other resources.

+> [!IMPORTANT]

+> Managed identities for App Service and Azure Functions won't behave as expected if your app is migrated across subscriptions/tenants. The app needs to obtain a new identity, which is done by [disabling](#remove) and re-enabling the feature. Downstream resources also need to have access policies updated to use the new identity.

+# [Azure portal](#tab/portal)

+1. In the left navigation of your app's page, scroll down to the **Settings** group.

+1. Select **Identity**.

+1. Within the **System assigned** tab, switch **Status** to **On**. Click **Save**.

+# [Azure CLI](#tab/cli)

+Run the `az webapp identity assign` command to create a system-assigned identity:

+```azurecli-interactive

+az webapp identity assign --name myApp --resource-group myResourceGroup

+```

+# [Azure PowerShell](#tab/ps)

+#### For App Service

+Run the `Set-AzWebApp -AssignIdentity` command to create a system-assigned identity for App Service:

+```azurepowershell-interactive

+Set-AzWebApp -AssignIdentity $true -Name <app-name> -ResourceGroupName <group-name>

+```

+#### For Functions

+Run the `Update-AzFunctionApp -IdentityType` command to create a system-assigned identity for a function app:

+```azurepowershell-interactive

+Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupName -IdentityType SystemAssigned

+```

+# [ARM template](#tab/arm)

+For example, a web app's template might look like the following JSON:

+--

+# [Azure portal](#tab/portal)

+1. In the left navigation for your app's page, scroll down to the **Settings** group.

+1. Select **Identity**.

+1. Within the **User assigned** tab, click **Add**.

+1. Search for the identity you created earlier and select it. Click **Add**.

+# [Azure CLI](#tab/cli)

+1. Create a user-assigned identity.

+ ```azurepowershell-interactive

+ az identity create --resource-group <group-name> --name <identity-name>

+ ```

+1. Run the `az webapp identity assign` command to assign the identity to the app.

+ ```azurepowershell-interactive

+ az webapp identity assign --resource-group <group-name> --name <app-name> --identities <identity-name>

+ ```

+# [Azure PowerShell](#tab/ps)

+#### For App Service

+Adding a user-assigned identity in App Service is currently not supported.

+#### For Functions

+1. Create a user-assigned identity.

+ ```azurepowershell-interactive

+ Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease

+ $userAssignedIdentity = New-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName <group-name>

+1. Run the `Update-AzFunctionApp -IdentityType UserAssigned -IdentityId` command to assign the identity in Functions:

+ ```azurepowershell-interactive

+ Update-AzFunctionApp -Name <app-name> -ResourceGroupName <group-name> -IdentityType UserAssigned -IdentityId $userAssignedIdentity.Id

+ ```

+# [ARM template](#tab/arm)

+For example, a web app's template might look like the following JSON:

+--

+## Configure target resource

+You may need to configure the target resource to allow access from your app or function. For example, if you [request a token](#connect-to-azure-services-in-app-code) to access Key Vault, you must also add an access policy that includes the managed identity of your app or function. Otherwise, your calls to Key Vault will be rejected, even if you use a valid token. The same is true for Azure SQL Database. To learn more about which resources support Azure Active Directory tokens, see [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication).

+## Connect to Azure services in app code

+With its managed identity, an app can obtain tokens for Azure resources that are protected by Azure Active Directory, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.

+App Service and Azure Functions provide an internally accessible [REST endpoint](#rest-endpoint-reference) for token retrieval. The REST endpoint can be accessed from within the app with a standard HTTP GET, which can be implemented with a generic HTTP client in every language. For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint and simplifies the development experience. Connecting to other Azure services is as simple as adding a credential object to the service-specific client.

+# [HTTP GET](#tab/http)

+A raw HTTP GET request looks like the following example:

+This response is the same as the [response for the Azure AD service-to-service access token request](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md#service-to-service-access-token-response). To access Key Vault, you will then add the value of `access_token` to a client connection with the vault.

+> [!NOTE]

+> When connecting to Azure SQL data sources with [Entity Framework Core](/ef/core/), consider [using Microsoft.Data.SqlClient](/sql/connect/ado-net/sql/azure-active-directory-authentication), which provides special connection strings for managed identity connectivity. For an example, see [Tutorial: Secure Azure SQL Database connection from App Service using a managed identity](tutorial-connect-msi-sql-database.md).

+For .NET apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme?). See the respective documentation headings of the client library for information:

+- [Add Azure Identity client library to your project](/dotnet/api/overview/azure/identity-readme#getting-started)

+- [Access Azure service with a system-assigned identity](/dotnet/api/overview/azure/identity-readme#authenticating-with-defaultazurecredential)

+- [Access Azure service with a user-assigned identity](/dotnet/api/overview/azure/identity-readme#specifying-a-user-assigned-managed-identity-with-the-defaultazurecredential)

+The linked examples use [`DefaultAzureCredential`](/dotnet/api/overview/azure/identity-readme#defaultazurecredential). It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

+For Node.js apps and JavaScript functions, the simplest way to work with a managed identity is through the [Azure Identity client library for JavaScript](/javascript/api/overview/azure/identity-readme?). See the respective documentation headings of the client library for information:

+- [Add Azure Identity client library to your project](/javascript/api/overview/azure/identity-readme#install-the-package)

+- [Access Azure service with a system-assigned identity](/javascript/api/overview/azure/identity-readme#authenticating-with-defaultazurecredential)

+- [Access Azure service with a user-assigned identity](/javascript/api/overview/azure/identity-readme#authenticating-a-user-assigned-managed-identity-with-defaultazurecredential)

+The linked examples use [`DefaultAzureCredential`](/javascript/api/overview/azure/identity-readme#defaultazurecredential). It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

+For more code examples of the Azure Identity client library for JavaScript, see [Azure Identity examples](https://github.com/Azure/azure-sdk-for-js/blob/%40azure/identity_2.0.1/sdk/identity/identity/samples/AzureIdentityExamples.md).

+For Python apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for Python](/python/api/overview/azure/identity-readme). See the respective documentation headings of the client library for information:

+- [Add Azure Identity client library to your project](/python/api/overview/azure/identity-readme#getting-started)

+- [Access Azure service with a system-assigned identity](/python/api/overview/azure/identity-readme#authenticating-with-defaultazurecredential)

+- [Access Azure service with a user-assigned identity](/python/api/overview/azure/identity-readme#authenticating-a-user-assigned-managed-identity-with-defaultazurecredential)

+The linked examples use [`DefaultAzureCredential`](/python/api/overview/azure/identity-readme#defaultazurecredential). It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

+# [Java](#tab/java)

+For Java apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for Java](/java/api/overview/azure/identity-readme). See the respective documentation headings of the client library for information:

+- [Add Azure Identity client library to your project](/java/api/overview/azure/identity-readme#include-the-package)

+- [Access Azure service with a system-assigned identity](/java/api/overview/azure/identity-readme#authenticating-with-defaultazurecredential)

+- [Access Azure service with a user-assigned identity](/java/api/overview/azure/identity-readme#authenticating-a-user-assigned-managed-identity-with-defaultazurecredential)

+The linked examples use [`DefaultAzureCredential`](/azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential). It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

+For more code examples of the Azure Identity client library for Java, see [Azure Identity Examples](https://github.com/Azure/azure-sdk-for-java/wiki/Azure-Identity-Examples).

+Use the following script to retrieve a token from the local endpoint by specifying a resource URI of an Azure service:

+--

+For more information on the REST endpoint, see [REST endpoint reference](#rest-endpoint-reference).

+## <a name="remove"></a>Remove an identity

+When you remove a system-assigned identity, it's deleted from Azure Active Directory. System-assigned identities are also automatically removed from Azure Active Directory when you delete the app resource itself.

+# [Azure portal](#tab/portal)

+1. In the left navigation of your app's page, scroll down to the **Settings** group.

+1. Select **Identity**. Then follow the steps based on the identity type:

+ - **System-assigned identity**: Within the **System assigned** tab, switch **Status** to **Off**. Click **Save**.

+ - **User-assigned identity**: Click the **User assigned** tab, select the checkbox for the identity, and click **Remove**. Click **Yes** to confirm.

+# [Azure CLI](#tab/cli)

+To remove the system-assigned identity:

+```azurecli-interactive

+az webapp identity remove --name <app-name> --resource-group <group-name>

+```

+To remove one or more user-assigned identities:

+```azurecli-interactive

+az webapp identity remove --name <app-name> --resource-group <group-name> --identities <identity-name1>,<identity-name2>,...

+```

+You can also remove the system assigned identity by specifying `[system]` in `--identities`.

+# [Azure PowerShell](#tab/ps)

+#### For App Service

+Run the `Set-AzWebApp -AssignIdentity` command to remove a system-assigned identity for App Service:

+```azurepowershell-interactive

+Set-AzWebApp -AssignIdentity $false -Name <app-name> -ResourceGroupName <group-name>

+```

+#### For Functions

+To remove all identities in Azure PowerShell (Azure Functions only):

+```azurepowershell-interactive

+# Update an existing function app to have IdentityType "None".

+Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupName -IdentityType None

+```

+# [ARM template](#tab/arm)

+To remove all identities in an ARM template:

+--

+## REST endpoint reference

+> [!NOTE]

+> An older version of this endpoint, using the "2017-09-01" API version, used the `secret` header instead of `X-IDENTITY-HEADER` and only accepted the `clientid` property for user-assigned. It also returned the `expires_on` in a timestamp format. `MSI_ENDPOINT` can be used as an alias for `IDENTITY_ENDPOINT`, and `MSI_SECRET` can be used as an alias for `IDENTITY_HEADER`. This version of the protocol is currently required for Linux Consumption hosting plans.

+An app with a managed identity makes this endpoint available by defining two environment variables:

+- IDENTITY_ENDPOINT - the URL to the local token service.

+- IDENTITY_HEADER - a header used to help mitigate server-side request forgery (SSRF) attacks. The value is rotated by the platform.

+The **IDENTITY_ENDPOINT** is a local URL from which your app can request tokens. To get a token for a resource, make an HTTP GET request to this endpoint, including the following parameters:

+> | Parameter name | In | Description |

+> |-|--|--|

+> | resource | Query | The Azure AD resource URI of the resource for which a token should be obtained. This could be one of the [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI. |

+> | api-version | Query | The version of the token API to be used. Use "2019-08-01" or later. |

+> | X-IDENTITY-HEADER | Header | The value of the IDENTITY_HEADER environment variable. This header is used to help mitigate server-side request forgery (SSRF) attacks. |

+> | client_id | Query | (Optional) The client ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `mi_res_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used. |

+> | principal_id | Query | (Optional) The principal ID of the user-assigned identity to be used. `object_id` is an alias that may be used instead. Cannot be used on a request that includes client_id, mi_res_id, or object_id. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used. |

+> | mi_res_id | Query | (Optional) The Azure resource ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `client_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used. |

+> [!IMPORTANT]

+> If you are attempting to obtain tokens for user-assigned identities, you must include one of the optional properties. Otherwise the token service will attempt to obtain a token for a system-assigned identity, which may or may not exist.

+- [Tutorial: Connect to SQL Database from App Service without secrets using a managed identity](tutorial-connect-msi-sql-database.md)

+> [Tutorial: Python (Django) web app with PostgreSQL](/azure/app-service/tutorial-python-postgresql-app)

+> [Configure Python app](/azure/app-service/configure-language-python)

+> [Add user sign-in to a Python web app](/azure/active-directory/develop/quickstart-v2-python-webapp)

+> [Tutorial: Run Python app in custom container](/azure/app-service/tutorial-custom-container)

+# Tutorial: Connect to SQL Database from App Service without secrets using a managed identity

+[App Service](overview.md) provides a highly scalable, self-patching web hosting service in Azure. It also provides a [managed identity](overview-managed-identity.md) for your app, which is a turn-key solution for securing access to [Azure SQL Database](/azure/sql-database/) and other Azure services. Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the connection strings. In this tutorial, you'll add managed identity to the sample web app you built in one of the following tutorials:

+> - .NET Framework 4.8 and above

+> - .NET 6.0 and above

+This article continues where you left off in either one of the following tutorials:

+- [Tutorial: Build an ASP.NET app in Azure with SQL Database](app-service-web-tutorial-dotnet-sqldatabase.md)

+- [Tutorial: Build an ASP.NET Core and SQL Database app in Azure App Service](tutorial-dotnetcore-sqldb-app.md).

+If you haven't already, follow one of the two tutorials first. Alternatively, you can adapt the steps for your own .NET app with SQL Database.

+## 1. Grant database access to Azure AD user

+First, enable Azure Active Directory authentication to SQL Database by assigning an Azure AD user as the admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Azure AD. For more information on allowed Azure AD users, see [Azure AD features and limitations in SQL Database](../azure-sql/database/authentication-aad-overview.md#azure-ad-features-and-limitations).

+## 2. Set up your dev environment

+# [Visual Studio Windows](#tab/windowsclient)

+1. Visual Studio for Windows is integrated with Azure AD authentication. To enable development and debugging in Visual Studio, add your Azure AD user in Visual Studio by selecting **File** > **Account Settings** from the menu, and select **Sign in** or **Add**.

+1. To set the Azure AD user for Azure service authentication, select **Tools** > **Options** from the menu, then select **Azure Service Authentication** > **Account Selection**. Select the Azure AD user you added and select **OK**.

+# [Visual Studio for macOS](#tab/macosclient)

+1. Visual Studio for Mac is *not* integrated with Azure AD authentication. However, the Azure Identity client library that you'll use later can use tokens from Azure CLI. To enable development and debugging in Visual Studio, [install Azure CLI](/cli/azure/install-azure-cli) on your local machine.

+# [Visual Studio Code](#tab/vscode)

+1. Visual Studio Code is integrated with Azure AD authentication through the Azure extension. Install the <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack" target="_blank">Azure Tools</a> extension in Visual Studio Code.

+1. In Visual Studio Code, in the [Activity Bar](https://code.visualstudio.com/docs/getstarted/userinterface), select the **Azure** logo.

+1. In the **App Service** explorer, select **Sign in to Azure...** and follow the instructions.

+# [Azure CLI](#tab/cli)

+1. The Azure Identity client library that you'll use later can use tokens from Azure CLI. To enable command-line based development, [install Azure CLI](/cli/azure/install-azure-cli) on your local machine.

+1. Sign in to Azure with the following command using your Azure AD user:

+ ```azurecli

+ az login --allow-no-subscriptions

+# [Azure PowerShell](#tab/ps)

+1. The Azure Identity client library that you'll use later can use tokens from Azure PowerShell. To enable command-line based development, [install Azure PowerShell](/powershell/azure/install-az-ps) on your local machine.

+1. Sign in to Azure CLI with the following cmdlet using your Azure AD user:

+ ```powershell-interactive

+ Connect-AzAccount

+ ```

+--

+For more information about setting up your dev environment for Azure Active Directory authentication, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/Identity-readme).

+You're now ready to develop and debug your app with the SQL Database as the back end, using Azure AD authentication.

+## 3. Modify your project

+The steps you follow for your project depends on whether you're using [Entity Framework](/ef/ef6/) (default for ASP.NET) or [Entity Framework Core](/ef/core/) (default for ASP.NET Core).

+# [Entity Framework](#tab/ef)

+1. In Visual Studio, open the Package Manager Console and add the NuGet package [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) and update Entity Framework:

+ ```powershell

+ Install-Package Azure.Identity -Version 1.5.0

+ Update-Package EntityFramework

+1. In your DbContext object (in *Models/MyDbContext.cs*), add the following code to the default constructor.

+ var conn = (System.Data.SqlClient.SqlConnection)Database.Connection;

+ var credential = new Azure.Identity.DefaultAzureCredential();

+ var token = credential.GetToken(new Azure.Core.TokenRequestContext(new[] { "https://database.windows.net/.default" }));

+ conn.AccessToken = token.Token;

+ ```

+ This code uses [Azure.Identity.DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to get a useable token for SQL Database from Azure Active Directory and then adds it to the database connection. While you can customize `DefaultAzureCredential`, by default it's already very versatile. When running in App Service, it uses app's system-assigned managed identity. When running locally, it can get a token using the logged-in identity of Visual Studio, Visual Studio Code, Azure CLI, and Azure PowerShell.

+1. In *Web.config*, find the connection string called `MyDbConnection` and replace its `connectionString` value with `"server=tcp:<server-name>.database.windows.net;database=<db-name>;"`. Replace _\<server-name>_ and _\<db-name>_ with your server name and database name. This connection string is used by the default constructor in *Models/MyDbContext.cs*.

+ That's every thing you need to connect to SQL Database. When debugging in Visual Studio, your code uses the Azure AD user you configured in [2. Set up your dev environment](#2-set-up-your-dev-environment). You'll set up SQL Database later to allow connection from the managed identity of your App Service app.

+1. Type `Ctrl+F5` to run the app again. The same CRUD app in your browser is now connecting to the Azure SQL Database directly, using Azure AD authentication. This setup lets you run database migrations from Visual Studio.

+# [Entity Framework Core](#tab/efcore)

+1. In Visual Studio, open the Package Manager Console and add the NuGet package [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient):

+ ```powershell

+ Install-Package Microsoft.Data.SqlClient -Version 4.0.1

+1. In the [ASP.NET Core and SQL Database tutorial](tutorial-dotnetcore-sqldb-app.md), the `MyDbConnection` connection string in *appsettings.json* isn't used at all yet. The local environment and the Azure environment both get connection strings from their respective environment variables in order to keep connection secrets out of the source file. But now with Active Directory authentication, there are no more secrets. In *appsettings.json*, replace the value of the `MyDbConnection` connection string with:

+ ```json

+ "Server=tcp:<server-name>.database.windows.net;Authentication=Active Directory Default; Database=<database-name>;"

+ > The [Active Directory Default](/sql/connect/ado-net/sql/azure-active-directory-authentication#using-active-directory-default-authentication) authentication type can be used both on your local machine and in Azure App Service. The driver attempts to acquire a token from Azure Active Directory using various means. If the app is deployed, it gets a token from the app's managed identity. If the app is running locally, it tries to get a token from Visual Studio, Visual Studio Code, and Azure CLI.

+ >

+ That's everything you need to connect to SQL Database. When debugging in Visual Studio, your code uses the Azure AD user you configured in [2. Set up your dev environment](#2-set-up-your-dev-environment). You'll set up SQL Database later to allow connection from the managed identity of your App Service app. The `DefaultAzureCredential` class caches the token in memory and retrieves it from Azure AD just before expiration. You don't need any custom code to refresh the token.

+## 4. Use managed identity connectivity

+ > The back-end services of managed identities also [maintains a token cache](overview-managed-identity.md#configure-target-resource) that updates the token for a target resource only when it expires. If you make a mistake configuring your SQL Database permissions and try to modify the permissions *after* trying to get a token with your app, you don't actually get a new token with the updated permissions until the cached token expires.

+## 5. Publish your changes

+1. In the publish page, select **Publish**.

+> * Connect an ASP.NET Core app to SQL Database and run [database migrations](/ef/core/managing-schemas/migrations)

+- <a href="https://dotnet.microsoft.com/download/dotnet/6.0" target="_blank">Install the latest .NET 6.0 SDK</a>

+ The sample project contains a basic CRUD (create-read-update-delete) app using ASP.NET Core 6.0 and [Entity Framework Core](/ef/core/).

+1. Run the following commands to install the [EF Core tools](/ef/core/cli/), run [database migrations](/ef/core/managing-schemas/migrations), and start the application.

+builder.Services.AddDbContext<MyDatabaseContext>(options =>

+ options.UseSqlite("Data Source=localdatabase.db"));

+builder.Services.AddDbContext<MyDatabaseContext>(options =>

+ options.UseSqlServer(builder.Configuration.GetConnectionString("MyDbConnection")));

+- Calls `builder.Logging.AddAzureWebAppDiagnostics()` in *Program.cs*.

+> * Connect an ASP.NET Core app to SQL Database and run [database migrations](/ef/core/managing-schemas/migrations)

+> * Stream diagnostic logs from Azure

+> [!div class="nextstepaction"]

+> [Tutorial: Connect to SQL Database from App Service without secrets using a managed identity](tutorial-connect-msi-sql-database.md)

+ * Grant permissions to selected application gateways to access certificates that are stored in your Key Vault.

+- Support for importing existing certificates into your Key Vault. Or use Key Vault APIs to create and manage new certificates with any of the trusted Key Vault partners.

+- Support for automatic renewal of certificates that are stored in your Key Vault.

+Application Gateway currently supports software-validated certificates only. Hardware security module (HSM)-validated certificates arenΓÇÖt supported.

+Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway will automatically rotate the certificate if a newer version is available in your Key Vault. An example of a secret URI without a version is `https://myvault.vault.azure.net/secrets/mysecret/`.

+> Azure Application Gateway currently supports only Key Vault accounts in the same subscription as the Application Gateway resource. Choosing a Key Vault under a different subscription than your Application Gateway will result in a failure.

+For TLS termination, Application Gateway only supports certificates in Personal Information Exchange (PFX) format. You can either import an existing certificate or create a new one in your Key Vault. To avoid any failures, ensure that the certificate's status is set to **Enabled** in Key Vault.

+Define access policies to use the user-assigned managed identity with your Key Vault:

+1. Select the Key Vault that contains your certificate.

+ If you're using the permission model **Azure role-based access control**: Select **Access control (IAM)** and [Add a role assignment](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#assign-a-role-to-a-user-assigned-managed-identity) for the user-assigned managed identity to the Azure Key Vault for the role **Key Vault Secrets User**.

+As of March 15, 2021, Key Vault recognizes Application Gateway as a trusted service by leveraging User Managed Identities for authentication to Azure Key Vault. With the use of service endpoints and enabling the trusted services option for Key Vault's firewall, you can build a secure network boundary in Azure. You can deny access to traffic from all networks (including internet traffic) to Key Vault but still make Key Vault accessible for an Application Gateway resource under your subscription.

+When you're using a restricted Key Vault, use the following steps to configure Application Gateway to use firewalls and virtual networks:

+> [!TIP]

+> The following steps are not required if your Key Vault has a Private Endpoint enabled. The application gateway can access the Key Vault using the private IP address.

+1. In the Azure portal, in your Key Vault, select **Networking**.

+1. On the **Firewalls and virtual networks** tab, select **Selected networks**.

+1. Select **Yes** to allow trusted services to bypass the Key Vault's firewall.

+ 

+> If you deploy the Application Gateway instance via an ARM template by using either the Azure CLI or PowerShell, or via an Azure application deployed from the Azure portal, the SSL certificate is stored in the Key Vault as a Base64-encoded PFX file. You must complete the steps in [Use Azure Key Vault to pass secure parameter value during deployment](../azure-resource-manager/templates/key-vault-parameter.md).

+> The values of `appGatewaySSLCertificateData` and `appGatewaySSLCertificatePassword` are looked up from the Key Vault, as described in [Reference secrets with dynamic ID](../azure-resource-manager/templates/key-vault-parameter.md#reference-secrets-with-dynamic-id). Follow the references backward from `parameters('secretName')` to see how the lookup happens. If the certificate is passwordless, omit the `password` entry.

+For Cert name, type a friendly name for the certificate to be referenced in Key Vault. Choose your Managed identity, Key Vault, and Certificate.

+Application Gateway supports certificates referenced in Key Vault via the Role-based access control permission model. The first few steps to reference the Key Vault must be completed via ARM template, Bicep, CLI, or PowerShell.

+In this example, weΓÇÖll use PowerShell to reference a new Key Vault certificate.

+# Get the secret ID from Key Vault

+# Specify the secret ID from Key Vault

+Under **Choose a certificate** select the certificate named in the previous steps. Once selected, select *Add* (if creating) or *Save* (if editing) to apply the referenced Key Vault certificate to the listener.

+Follow the steps to onboard a machine to Automanage Best Practices using an ARM template.

+* You must have necessary [Role-based access control permissions](./automanage-virtual-machines.md#required-rbac-permissions)

+The following ARM template will onboard your specified machine onto Azure Automanage Best Practices. Details on the ARM template and steps on how to deploy are located in the ARM template deployment [section](#arm-template-deployment).

+ "configurationProfile": "[parameters('configurationProfile')]"

+This ARM template will create a configuration profile assignment for your specified machine.

+1. Save this ARM template as `azuredeploy.json`

+1. Run this ARM template deployment with `az deployment group create --resource-group myResourceGroup --template-file azuredeploy.json`

+1. Provide the values for machineName, and configurationProfileAssignment when prompted

+1. You're ready to deploy

+As with any ARM template, it's possible to factor out the parameters into a separate `azuredeploy.parameters.json` file and use that as an argument when deploying.

+The Automanage policy definition can be found in the Azure portal by the name of [Configure virtual machines to be onboarded to Azure Automanage](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff889cab7-da27-4c41-a3b0-de1f6f87c550). If you click on this link, skip directly to step 8 in [Locate and assign the policy](#locate-and-assign-the-policy) below.

+1. Select the **Automanage** option

+1. Now the list will update to show a built-in policy with a name that starts with *Configure virtual machines to be onboarded to Azure Automanage*

+1. Click on the *Configure virtual machines to be onboarded to Azure Automanage* built-in policy name

+ > The Azure Policy definition is used to set Automanage parameters like the configuration profile. It also sets filters that ensure the policy applies only to the correct VMs.

+1. Click on the **Parameters** tab and set the **Configuration Profile** and the desired **Effect**

+- To assign an Azure role, you must have ```Microsoft.Authorization/roleAssignments/write``` permissions, such as [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles#owner).

+## Assign a role to a user-assigned managed identity

+## Verify role assignment to a user-managed identity

+To verify a role to a user-assigned managed identity of the Automation account, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to your Automation account.

+1. Under **Account Settings**, select **Identity**, **User assigned**.

+1. Click **User assigned identity name**.

+ :::image type="content" source="media/add-user-assigned-identity/user-assigned-main-screen-inline.png" alt-text="Assigning role in user-assigned identity in Azure portal." lightbox="media/add-user-assigned-identity/user-assigned-main-screen-expanded.png":::

+ If the roles are already assigned to the selected user-assigned managed identity, you can see a list of role assignments. This list includes all the role-assignments you have permission to read.

+ :::image type="content" source="media/add-user-assigned-identity/user-assigned-role-assignments-inline.png" alt-text="View role-assignments that you have permission in Azure portal." lightbox="media/add-user-assigned-identity/user-assigned-role-assignments-expanded.png":::

+1. To change the subscription, click the **Subscription** drop-down list and select the appropriate subscription.

+1. Click **Add role assignment (Preview)**

+1. In the drop-down list, select the set of resources that the role assignment applies - **Subscription**, **Resource group**, **Role**, and **Scope**. </br> If you don't have the role assignment, you can view the write permissions for the selected scope as an inline message.

+1. In the **Role** drop-down list, select a role as *Virtual Machine Contributor*.

+1. Click **Save**.

+ :::image type="content" source="media/managed-identity/add-role-assignment-inline.png" alt-text="Add a role assignment in Azure portal." lightbox="media/managed-identity/add-role-assignment-expanded.png":::

+After a few minutes, the managed identity is assigned the role at the selected scope.

+> The tutorial runbooks have not been updated to authenticate using a managed identity. Review the [Using system-assigned identity](enable-managed-identity-for-automation.md#assign-role-to-a-system-assigned-managed-identity) or [Using user-assigned identity](add-user-assigned-identity.md#assign-a-role-to-a-user-assigned-managed-identity) to learn how to grant the managed identity access to resources and configure your runbooks to authenticate using either type of managed identity.

+- To assign an Azure role, you must have ```Microsoft.Authorization/roleAssignments/write``` permissions, such as [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles#owner).

+

+## Assign role to a system-assigned managed identity

+## Verify role assignment to a system-managed identity

+To verify a role to a system-assigned managed identity of the Automation account, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. Go to your Automation account.

+1. Under **Account Settings**, select **Identity**.

+ :::image type="content" source="media/managed-identity/system-assigned-main-screen-inline.png" alt-text="Assigning role in system-assigned identity in Azure portal." lightbox="media/managed-identity/system-assigned-main-screen-expanded.png":::

+1. Under **Permissions**, click **Azure role assignments**.

+ If the roles are already assigned to the selected system-assigned managed identity, you can see a list of role assignments. This list includes all the role-assignments you have permission to read.

+ :::image type="content" source="media/managed-identity/role-assignments-view-inline.png" alt-text="View role-assignments that you have permission in Azure portal." lightbox="media/managed-identity/role-assignments-view-expanded.png":::

+1. To change the subscription, click the **Subscription** drop-down list and select the appropriate subscription.

+1. Click **Add role assignment (Preview)**

+1. In the drop-down list, select the set of resources that the role assignment applies - **Subscription**, **Resource group**, **Role**, and **Scope**. </br> If you don't have the role assignment, you can view the write permissions for the selected scope as an inline message.

+1. In the **Role** drop-down list, select a role as *Virtual Machine Contributor*.

+1. Click **Save**.

+ :::image type="content" source="media/managed-identity/add-role-assignment-inline.png" alt-text="Add a role assignment in Azure portal." lightbox="media/managed-identity/add-role-assignment-expanded.png":::

+After a few minutes, the managed identity is assigned the role at the selected scope.

+### CPU quota limit

+There is a CPU quota limit of 5% while configuring extension-based Linux Hybrid Runbook worker. There is no such limit for Windows Hybrid Runbook Worker.

+You can create a Hybrid Worker Group via the Azure Portal. Currently, creating through the ARM template is not supported.

+The operational data does not leave your environment unless you chooses to export/upload (indirect connected mode) or automatically send (directly connected mode) the data to Azure Monitor/Log Analytics. The data goes into a Log Analytics workspace, which you control.

+| [Multi-factor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | &#x2705; | &#x2705; |

+| [Multi-factor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+- [Azure Government isolation guidelines for Impact Level 5 workloads](../documentation-government-impact-level-5.md)

+ Title: Considerations for naming Azure resources

+description: Guidance on naming Azure resources to prevent accidental spillage of sensitive data.

+recommendations: false

+You shouldn't include sensitive or restricted information in Azure resource names because it may be stored or accessed outside the compliance boundary to facilitate support and troubleshooting. Examples of sensitive information include data subject to:

+Data stored or processed in customer VMs, storage accounts, databases, Azure Import/Export, Azure Cache for Redis, ExpressRoute, Azure Cognitive Search, App Service, API Management, and other Azure services suitable for holding, processing, or transmitting customer data can contain sensitive data. However, metadata for these Azure services isn't permitted to contain sensitive or restricted data. This metadata includes all configuration data entered when creating and maintaining an Azure service, including:

+Azure resource names include information provided by you, or on your behalf, that is used to identify or configure cloud service resources, such as software, systems, or containers. However, it does **not** include customer-created content or metadata inside the resource (for example, database column/table names). Azure resource names include the names you assign to Azure Resource Manager level objects and resources deployed in Azure. Examples include the names of resources such as virtual networks, virtual hard disks, database servers and databases, virtual network interface, network security groups, key vaults, and others.

+> [!NOTE]

+> The above examples are but a subset of the types of resources you can name. This list is not meant to be fully exhaustive and the types of resources could change in the future as new cloud services are added.

+You should avoid names that are sensitive to business or mission functions. This guidance applies to all names that meet the criteria mentioned previously, from the name of the larger resource group to the name of the end resources within it. You should also avoid names that indicate your regulatory requirements, for example:

+- [Criminal Justice Information Services (CJIS)](/azure/compliance/offerings/offering-cjis)

+- [Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)](/azure/compliance/offerings/offering-cnssi-1253)

+- [Internal Revenue Service (IRS) Publication 1075](/azure/compliance/offerings/offering-irs-1075)

+- [Export Administration Regulations (EAR)](/azure/compliance/offerings/offering-ear)

+- [International Traffic in Arms Regulations (ITAR)](/azure/compliance/offerings/offering-itar)

+> [!NOTE]

+> Also consider naming of resource tags when reviewing the **[Resource naming and tagging decision guide](/azure/cloud-adoption-framework/decision-guides/resource-tagging/).**

+You should understand and take into account the resource naming convention to help ensure operational security, as Microsoft personnel could use the full resource ID in the following example scenarios:

+## Next steps

+- [Develop your naming and tagging strategy for Azure resources](/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging)

+- [Resource naming and tagging decision guide](/azure/cloud-adoption-framework/decision-guides/resource-tagging/)

+- [Azure Government compliance](./documentation-government-plan-compliance.md)

+- [Azure Government security](./documentation-government-plan-security.md)

+- [Azure compliance](../compliance/index.yml)

+- [Azure and other Microsoft services compliance offerings](/azure/compliance/offerings/)

+## Services in audit scope

+For a detailed list of Azure, Dynamics 365, Microsoft 365, and Power Platform services in FedRAMP and DoD compliance audit scope, see:

+- [Azure public services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-public-services-by-audit-scope)

+- [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope)

+For additional customer assistance, Microsoft provides **Azure Policy regulatory compliance built-in initiatives**, which map to **compliance domains** and **controls** in key US government standards, including:

+For additional regulatory compliance built-in initiatives that pertain to Azure Government, see [Azure Policy samples](../governance/policy/samples/index.md#regulatory-compliance).

+Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of the controls and compliance domains based on responsibility - customer, Microsoft, or shared. For Microsoft-responsible controls, we provide additional audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each control is associated with one or more Azure Policy definitions. These policies may help you [assess compliance](../governance/policy/how-to/get-compliance-data.md) with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

+- [Azure and other Microsoft services compliance offerings](/azure/compliance/offerings/)

+- [Azure Policy regulatory compliance built-in initiatives](../governance/policy/samples/index.md#regulatory-compliance)

+- [Azure Government isolation guidelines for Impact Level 5 workloads](./documentation-government-impact-level-5.md)

+ Title: Azure Government Identity

+description: Microsoft Azure Government provides the same ways to build applications and manage identities as Azure Public. This article provides planning guidance for identity management in Azure Government.

+recommendations: false

+Before determining the identity approach for your application, you need to know what identity types are available to you. There are three types: On-premises identity, Cloud identity, and Hybrid identity.

+|On-premises identity|Cloud identity|Hybrid identity|

+|On-premises identities belong to on-premises Active Directory environments that most customers use today.|Cloud identities originate, exist only, and are managed in Azure AD.|Hybrid identities originate as on-premises identities, but become hybrid through directory synchronization to Azure AD. After directory synchronization, they exist both on-premises and in the cloud, hence hybrid.|

+> [!NOTE]

+> Hybrid comes with deployment options (synchronized identity, federated identity, and so on) that all rely on directory synchronization and mostly define how identities are authenticated as discussed in [What is hybrid identity with Azure Active Directory?](../active-directory/hybrid/whatis-hybrid-identity.md).

+When building any Azure application, you must first decide on the authentication technology:

+- **Applications using modern authentication** ΓÇô Applications using OAuth, OpenID Connect, and/or other modern authentication protocols supported by Azure AD such as newly developed application built using PaaS technologies (for example, Web Apps, Azure SQL Database, and so on).

+- **Applications using legacy authentication protocols (Kerberos/NTLM)** ΓÇô Applications typically migrated from on-premises (for example, lift-and-shift applications).

+Based on this decision there are different considerations when building and deploying on Azure Government.

+[Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) shows how you can use Azure AD to provide secure sign-in and authorization to your applications. This process is the same for Azure Public and Azure Government once you choose your identity authority.

+Azure Government applications can use Azure AD Government identities, but can you use Azure AD Public identities to authenticate to an application hosted in Azure Government? Yes! Since you can use either identity authority, you need to choose which to use:

+Once decided, the special consideration is where you perform your app registration. If you choose Azure AD Public identities for your Azure Government application, you must register the application in your Azure AD Public tenant. Otherwise, if you perform the app registration in the directory the subscription trusts (Azure Government) the intended set of users can't authenticate.

+> [!NOTE]

+The other consideration is the identity authority URL. You need the correct URL based on your chosen authority:

+|Identity authority|URL|

+|||

+|Azure AD Public|login.microsoftonline.com|

+|Azure AD Government|login.microsoftonline.us|

+Supporting Infrastructure-as-a-Service (IaaS) cloud-based applications dependent on NTLM/Kerberos authentication requires on-premises identity. The aim is to support logins for line-of-business application and other apps that require Windows integrated authentication. Adding Active Directory domain controllers as virtual machines in Azure IaaS is the typical method to support these types of apps, shown in the following figure:

+> [!NOTE]

+> The preceding figure is a simple connectivity example, using site-to-site VPN. Azure ExpressRoute is another and preferred connectivity option.

+The type of domain controller to place in Azure is also a consideration based on application requirements for directory access. If applications require directory write access, deploy a standard domain controller with a writable copy of the Active Directory database. If applications only require directory read access, we recommend deploying a Read-Only Domain Controller (RODC) to Azure instead. Specifically, for RODCs we recommend following the guidance available at [Planning domain controller placement](/windows-server/identity/ad-ds/plan/planning-domain-controller-placement).

+Documentation covering the guidelines for deploying Active Directory Domain Controllers and Active Director Federation Services (ADFS) is available from:

+- [Safely virtualizing Active Directory Domain Services](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100) answers questions such as

+ - Is it safe to virtualize Windows Server Active Directory Domain Controllers?

+ - Why deploy Active Directory to Azure Virtual Machines?

+ - Can you deploy ADFS to Azure Virtual Machines?

+- [Deploying Active Directory Federation Services in Azure](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs) provides guidance on how to deploy ADFS in Azure.

+First, see [Connect to Azure Government using portal](./documentation-government-get-started-connect-with-portal.md) for instructions on accessing Azure Government management portal.

+- Azure subscriptions only trust one directory, therefore subscription administration must be performed by an identity from that directory.

+- Azure Public subscriptions trust directories in Azure AD Public whereas Azure Government subscriptions trust directories in Azure AD Government.

+- If you have both Azure Public and Azure Government subscriptions, separate identities for both are required.

+- Cloud identities - Cloud identities are used to manage both subscriptions.

+- Hybrid and cloud identities - Hybrid identity for one subscription, cloud identity for the other.

+A common scenario, having both Office 365 and Azure subscriptions, is conveyed in the following sections.

+In this scenario, we include administrator identities through directory synchronization to the Public tenant while cloud identities are still used in the government tenant.

+Using hybrid identities for administrative accounts allows the use of smartcards (physical or virtual). Government agencies using Common Access Cards (CACs) or Personal Identity Verification (PIV) cards benefit from this approach. In this scenario, ADFS serves as the identity provider and implements the two-step verification (for example, smart card + PIN).

+In this scenario, hybrid identities are used to administrator subscriptions in both clouds.

+**Why does Office 365 GCC use Azure AD Public?** </br>

+The first Office 365 US Government environment, Government Community Cloud (GCC), was created when Microsoft had a single cloud directory. The Office 365 GCC environment was designed to use Azure AD Public while still adhering to controls and requirements outlined in FedRAMP Moderate, Criminal Justice Information Services (CJIS), Internal Revenue Service (IRS) 1075, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Azure Government, with its Azure AD infrastructure, was created later. By that time, GCC had already secured the necessary compliance authorizations (for example, FedRAMP Moderate and CJIS) to meet Federal, State, and Local government requirements while serving hundreds of thousands of customers. Now, many Office 365 GCC customers have two Azure AD tenants: one from the Azure AD subscription that supports Office 365 GCC and the other from their Azure Government subscription, with identities in both.

+**How do I identify an Azure Government tenant?** </br>

+ - Obtain your tenant name (for example, contoso.onmicrosoft.com) or a domain name registered to your Azure AD tenant (for example, contoso.gov).

+ - Navigate to `https://login.microsoftonline.com/<domainname>/.well-known/openid-configuration`

+ - \<domainname\> can either be the tenant name or domain name you gathered in the previous step.

+ - **An example URL**: `https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration`

+**If IΓÇÖm an Office 365 GCC customer and want to build solutions in Azure Government do I need to have two tenants?** </br>

+Yes, the Azure AD Government tenant is required for your Azure Government subscription administration.

+**If IΓÇÖm an Office 365 GCC customer that has built workloads in Azure Government, where should I authenticate from: Public or Government?** </br>

+See [Choosing your identity authority](#choosing-your-identity-authority) earlier in this article.

+**IΓÇÖm an Office 365 customer and have chosen hybrid identity as my identity model. I also have several Azure subscriptions. Is it possible to use the same Azure AD tenant to handle sign-in for Office 365, applications built in my Azure subscriptions, and/or applications reconfigured to use Azure AD for sign-in?** </br>

+**Can an Azure Government subscription be associated with a directory in Azure AD Public?** </br>

+- [Azure Government developer guide](./documentation-government-developer-guide.md)

+- [Azure Government security](./documentation-government-plan-security.md)

+- [Azure Government compliance](./documentation-government-plan-compliance.md)

+- [Compare Azure Government and global Azure](./compare-azure-government-global-azure.md)

+- [Multi-tenant user management](../active-directory/fundamentals/multi-tenant-user-management-introduction.md)

+- [Azure Active Directory fundamentals documentation](../active-directory/fundamentals/index.yml)

+recommendations: false

+- Client-side encryption that enables customers to manage and store keys on-premises or in another secure location. Client-side encryption is built into the Java and .NET storage client libraries, which can use Azure Key Vault APIs, making the implementation straightforward. You can use Azure Active Directory to provide specific individuals with access to Azure Key Vault secrets.

+The basic encryption available for connectivity to Azure Government supports Transport Layer Security (TLS) 1.2 protocol and X.509 certificates. Federal Information Processing Standard (FIPS) 140 validated cryptographic algorithms are also used for infrastructure network connections between Azure Government datacenters. Windows, Windows Server, and Azure File shares can use SMB 3.0 for encryption between the virtual machine (VM) and the file share. Use client-side encryption to encrypt the data before it's transferred into storage in a client application, and to decrypt the data after it's transferred out of storage.

+- **IaaS VMs:** Use Azure disk encryption. Turn on Storage service encryption to encrypt the VHD files that are used to back up those disks in Azure Storage. This approach only encrypts newly written data. If you create a VM and then enable Storage service encryption on the storage account that holds the VHD file, only the changes will be encrypted, not the original VHD file.

+- **Client-side encryption:** Represents the most secure method for encrypting your data, because it encrypts it before transit, and encrypts the data at rest. However, it does require that you add code to your applications using storage, which you might not want to do. In those cases, you can use HTTPS for your data in transit, and Storage service encryption to encrypt the data at rest. Client-side encryption also involves more load on the client that you have to account for in your scalability plans, especially if you're encrypting and transferring much data.

+- Application code and templates should only contain URI references to the secrets, meaning the actual secrets aren't in code, configuration, or source code repositories. This approach prevents key phishing attacks on internal or external repositories, such as harvest-bots at GitHub.

+The Azure Government multi-tenant cloud platform environment is an Internet standards-based Autonomous System (AS) that is physically isolated and separately administered from the rest of Azure public cloud. As defined by [IETF RFC 4271](https://datatracker.ietf.org/doc/rfc4271/), the AS is composed of a set of switches and routers under a single technical administration, using an interior gateway protocol and common metrics to route packets within the AS. An exterior gateway protocol is used to route packets to other ASs through a single and clearly defined routing policy.

+The isolation of the Azure Government environment is achieved through a series of physical and logical controls that include:

+Within the Azure Government network, internal network system components are isolated from other system components through implementation of separate subnets and access control policies on management interfaces. Azure Government doesn't directly peer with the public internet or with the Microsoft corporate network. Azure Government directly peers to the commercial Microsoft Azure network, which has routing and transport capabilities to the Internet and the Microsoft Corporate network. Azure Government limits its exposed surface area by applying extra protections and communications capabilities of our commercial Azure network. In addition, Azure Government ExpressRoute (ER) uses peering with our customerΓÇÖs networks over non-Internet private circuits to route ER customer ΓÇ£DMZΓÇ¥ networks using specific Border Gateway Protocol (BGP)/AS peering as a trust boundary for application routing and associated policy enforcement.

+All Azure and Azure Government employees in the United States are subject to Microsoft background checks. Personnel with the ability to access customer data for troubleshooting purposes in Azure Government are additionally subject to the verification of US citizenship and extra screening requirements where appropriate.

+We're now screening all our operators at a Tier 3 Investigation (formerly National Agency Check with Law and Credit, NACLC) as defined in Section 5.6.2.2 (Page 77) of the DoD [Cloud Computing SRG](https://public.cyber.mil/dccs/dccs-documents/):

+|||Every two years|- Social Security Number search </br>- Criminal history check (7-yr history) </br>- Office of Foreign Assets Control (OFAC) list </br>- Bureau of Industry and Security (BIS) list </br>- Office of Defense Trade Controls (DDTC) debarred list|

+|US citizenship|Azure Gov|Upon employment|- Verification of US citizenship|

+> Insider threat is characterized as potential for providing back-door connections and cloud service provider (CSP) privileged administrator access to customerΓÇÖs systems and data. Microsoft provides strong **[customer commitments](https://www.microsoft.com/trust-center/privacy/data-access)** regarding who can access customer data and on what terms. Access to customer data by Microsoft operations and support personnel is **denied by default**. Access to customer data isn't needed to operate Azure. Moreover, for most support scenarios involving customer troubleshooting tickets, access to customer data isn't needed.

+- Internal Microsoft controls that prevent access to production systems unless it's authorized through **Just-in-Time (JIT)** privileged access management system, as described in this section.

+- Enforcement of **Customer Lockbox** that puts you in charge of approving insider access in support and troubleshooting scenarios, as described in this section. For most support scenarios, access to your data isn't required.

+Microsoft takes strong measures to protect your data from inappropriate access or use by unauthorized persons. Microsoft engineers (including full-time employees and subprocessors/vendors) [don't have default access](https://www.microsoft.com/trust-center/privacy/data-access) to your data in the cloud. Instead, they're granted access, under management oversight, only when necessary. Using the [restricted access workflow](https://www.youtube.com/watch?v=lwjPGtGGe84&feature=youtu.be&t=25m), access to your data is carefully controlled, logged, and revoked when it's no longer needed. For example, access to your data may be required to resolve troubleshooting requests that you initiated. The access control requirements are [established by the following policy](../security/fundamentals/protection-customer-data.md):

+Microsoft engineers can be granted access to customer data using temporary credentials via **Just-in-Time (JIT)** access. There must be an incident logged in the Azure Incident Management system that describes the reason for access, approval record, what data was accessed, etc. This approach ensures that there's appropriate oversight for all access to customer data and that all JIT actions (consent and access) are logged for audit. Evidence that procedures have been established for granting temporary access for Azure personnel to customer data and applications upon appropriate approval for customer support or incident handling purposes is available from the Azure [SOC 2 Type 2 attestation report](/azure/compliance/offerings/offering-soc-2) produced by an independent third-party auditing firm.

+JIT access works with multifactor authentication that requires Microsoft engineers to use a smartcard to confirm their identity. All access to production systems is performed using Secure Admin Workstations (SAWs) that are consistent with published guidance on [securing privileged access](/security/compass/overview). Use of SAWs for access to production systems is required by Microsoft policy and compliance with this policy is closely monitored. These workstations use a fixed image with all software fully managed ΓÇô only select activities are allowed and users cannot accidentally circumvent the SAW design since they don't have admin privileges on these machines. Access is permitted only with a smartcard and access to each SAW is limited to specific set of users.

+[Customer Lockbox for Azure](../security/fundamentals/customer-lockbox-overview.md) is a service that provides you with the capability to control how a Microsoft engineer accesses your data. As part of the support workflow, a Microsoft engineer may require elevated access to your data. Customer Lockbox puts you in charge of that decision by enabling you to approve/deny such elevated requests. Customer Lockbox is an extension of the JIT workflow and comes with full audit logging enabled. Customer Lockbox capability isn't required for support cases that don't involve access to customer data. For most support scenarios, access to customer data isn't needed and the workflow shouldn't require Customer Lockbox. Microsoft engineers rely heavily on logs to maintain Azure services and provide customer support.

+On each Azure node, there's a Hypervisor that runs directly over the hardware and divides the node into a variable number of Guest virtual machines (VMs), as described in [Compute isolation](./azure-secure-isolation-guidance.md#compute-isolation). Each node also has one special Root VM, which runs the Host OS.

+When a Guest VM (also known as customer VM) crashes, customer data may be contained inside a memory dump file on the Guest VM. **By default, Microsoft engineers don't have access to Guest VMs and can't review crash dumps on Guest VMs without customer's approval.** The same process involving explicit customer authorization is used to control access to Guest VM crash dumps should you request an investigation of your VM crash. As described previously, access is gated by the JIT privileged access management system and Customer Lockbox so that all actions are logged and audited. The primary forcing function for deleting the memory dumps from Guest VMs is the routine process of VM reimaging that typically occurs at least every two months.

+As a customer, you're [always in control of your customer data](https://www.microsoft.com/trust-center/privacy/data-management) in Azure. You can access, extract, and delete your customer data stored in Azure at will. When you terminate your Azure subscription, Microsoft takes the necessary steps to ensure that you continue to own your customer data. A common customer concern upon data deletion or subscription termination is whether another customer or Azure administrator can access their deleted data. For more information on how data deletion, retention, and destruction are implemented in Azure, see our online documentation:

+This section covers essential Azure services that you can use to gain in-depth insight into your provisioned Azure resources and get alerted about suspicious activity, including outside attacks aimed at your applications and data. For a complete list, see the Azure service directory sections for [Management + Governance](https://azure.microsoft.com/services/#management-tools), [Networking](https://azure.microsoft.com/services/#networking), and [Security](https://azure.microsoft.com/services/#security). Moreover, the [Azure Security Benchmark](../security/benchmarks/index.yml) provides security recommendations and implementation details to help you improve your security posture with respect to Azure resources.

+**[Microsoft Defender for Cloud](../defender-for-cloud/index.yml)** (formerly Azure Security Center) provides unified security management and advanced threat protection across hybrid cloud workloads. It's an essential service for you to limit your exposure to threats, protect cloud resources, [respond to incidents](../defender-for-cloud/alerts-overview.md), and improve your regulatory compliance posture.

+- **Application monitoring data:** Data about the performance and functionality of the code you've written, regardless of its platform.

+**[Azure Policy](../governance/policy/overview.md)** enables effective governance of Azure resources by creating, assigning, and managing policies. These policies enforce various rules over provisioned Azure resources to keep them compliant with your specific corporate security and privacy standards. For example, one of the built-in policies for Allowed Locations can be used to restrict available locations for new resources to enforce your geo-compliance requirements. For additional customer assistance, Microsoft provides **Azure Policy regulatory compliance built-in initiatives**, which map to **compliance domains** and **controls** in many US government, global, regional, and industry standards. For more information, see [Azure Policy samples](../governance/policy/samples/index.md#regulatory-compliance). Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of the controls and compliance domains based on responsibility ΓÇô customer, Microsoft, or shared. For Microsoft-responsible controls, we provide additional audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each control is associated with one or more Azure Policy definitions. These policies may help you [assess compliance](../governance/policy/how-to/get-compliance-data.md) with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

+**[Azure Firewall](../firewall/overview.md)** provides a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability that integrates with Azure Monitor for logging and analytics.

+**[Network Watcher](../network-watcher/network-watcher-monitoring-overview.md)** allows you to monitor, diagnose, and gain insights into your Azure Virtual Network performance and health. With network security group flow logs, you can gain deeper understanding of your network traffic patterns and collect data for compliance, auditing, and monitoring of your network security profile. Packet capture allows you to capture traffic to and from your virtual machines to diagnose network anomalies and gather network statistics, including information on network intrusions.

+**[Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md)** provides extensive Distributed Denial of Service (DDoS) mitigation capability to help you protect your Azure resources from attacks. Always-on traffic monitoring provides near real-time detection of a DDoS attack, with automatic mitigation of the attack as soon as it's detected. In combination with Web Application Firewall, DDoS Protection defends against a comprehensive set of network layer attacks, including SQL injection, cross-site scripting attacks, and session hijacks. Azure DDoS Protection is integrated with Azure Monitor for analytics and insight.

+- [Azure Government overview](./documentation-government-welcome.md)

+- [Azure Government compliance](./documentation-government-plan-compliance.md)

+- [Azure and other Microsoft services compliance offerings](/azure/compliance/offerings/)

+- [Compare Azure Government and global Azure](./compare-azure-government-global-azure.md)

+- [Azure guidance for secure isolation](./azure-secure-isolation-guidance.md)

+- [Azure Government isolation guidelines for Impact Level 5 workloads](./documentation-government-impact-level-5.md)

+- [Azure Government DoD overview](./documentation-government-overview-dod.md)

+- [Azure security fundamentals documentation](../security/fundamentals/index.yml)

+- [Azure Policy regulatory compliance built-in initiatives](../governance/policy/samples/index.md#regulatory-compliance)

+Data in Azure Monitor is encrypted with Microsoft-managed keys. You can use your own encryption key to protect the data and saved queries in your workspaces. Customer-managed keys in Azure Monitor gives you greater flexibility to manage access controls to logs. Once configure, new data for linked workspaces is encrypted with your key stored in [Azure Key Vault](../../key-vault/general/overview.md), or [Azure Key Vault Managed "HSM"](../../key-vault/managed-hsm/overview.md).

+Azure Monitor ensures that all data and saved queries are encrypted at rest using Microsoft-managed keys (MMK). You also have the option to encrypt data with your own key in [Azure Key Vault](../../key-vault/general/overview.md), with control over key lifecycle and ability to revoke access to your data at any time. Azure Monitor use of encryption is identical to the way [Azure Storage encryption](../../storage/common/storage-service-encryption.md#about-azure-storage-encryption) operates.

+Customer-managed key is delivered on [dedicated clusters](./logs-dedicated-clusters.md) providing higher protection level and control. Data to dedicated clusters is encrypted twice, once at the service level using Microsoft-managed keys or Customer-managed keys, and once at the infrastructure level, using two different encryption algorithms and two different keys. [double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption) protects against a scenario where one of the encryption algorithms or keys may be compromised. In this case, the additional layer of encryption continues to protect your data. Dedicated cluster also allows you to protect your data with [Lockbox](#customer-lockbox-preview) control.

+Data ingested in the last 14 days or recently used in queries is kept in hot-cache (SSD-backed) for query efficiency. SSD data is encrypted with Microsoft keys regardless customer-managed key configuration, but your control over SSD access adheres to [key revocation](#key-revocation)

+Log Analytics Dedicated Clusters [pricing model](./logs-dedicated-clusters.md#cluster-pricing-model) requires commitment Tier starting at 500 GB per day and can have values of 500, 1000, 2000 or 5000 GB per day.

+Azure Monitor uses managed identity to grant access to your Azure Key Vault. The identity of the Log Analytics cluster is supported at the cluster level. To allow Customer-managed key on multiple workspaces, a new Log Analytics cluster resource performs as an intermediate identity connection between your Key Vault and your Log Analytics workspaces. The cluster storage uses the managed identity that\'s associated with the *Cluster* resource to authenticate to your Azure Key Vault via Azure Active Directory.

+After the Customer-managed key configuration, new ingested data to workspaces linked to your dedicated cluster gets encrypted with your key. You can unlink workspaces from the cluster at any time. New data then gets ingested to cluster storage and encrypted with Microsoft key, while you can query your new and old data seamlessly.

+> Customer-managed key capability is regional. Your Azure Key Vault, cluster and linked workspaces must be in the same region, but they can be in different subscriptions.

+2. Log Analytics cluster resource having managed identity with permissions to Key VaultΓÇöThe identity is propagated to the underlay dedicated cluster storage

+3. Dedicated cluster

+4. Workspaces linked to dedicated cluster

+There are three types of keys involved in Storage data encryption:

+- "**KEK**" - Key Encryption Key (your Customer-managed key)

+- "**AEK**" - Account Encryption Key

+- "**DEK**" - Data Encryption Key

+- The cluster storage has unique encryption key for every Storage Account, which is known as the "AEK".

+- The "AEK" is used to derive "DEKs, which are the keys that are used to encrypt each block of data written to disk.

+- When you configure a key in your Key Vault, and updated the key details in the cluster, the cluster storage performs requests to 'wrap' and 'unwrap' "AEK" for encryption and decryption.

+- Your "KEK" never leaves your Key Vault, and in the case of Managed "HSM", it never leaves the hardware.

+- Azure Storage uses managed identity that's associated with the *Cluster* resource for authentication. It accesses Azure Key Vault via Azure Active Directory.

+1. Linking workspaces

+Customer-managed key configuration isn't supported in Azure portal currently and provisioning can be performed via [PowerShell](/powershell/module/az.operationalinsights/), [CLI](/cli/azure/monitor/log-analytics), or [REST](/rest/api/loganalytics/) requests.

+## Storing encryption key ("KEK")

+Create or use an existing Azure Key Vault in the region that the cluster is planed, and generate or import a key to be used for logs encryption. The Azure Key Vault must be configured as recoverable, to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both *Soft delete* and *Purge protection* should be enabled.

+- [Purge protection](../../key-vault/general/soft-delete-overview.md#purge-protection) guards against force deletion of the secret, vault even after soft delete

+Clusters uses managed identity for data encryption with your Key Vault. Configure identity `type` property to `SystemAssigned` when creating your cluster to allow access to your Key Vault for "wrap" and "unwrap" operations.

+Create Access Policy in Key Vault to grants permissions to your cluster. These permissions are used by the underlay cluster storage. Open your Key Vault in Azure portal and click *Access Policies* then *+ Add Access Policy* to create a policy with these settings:

+- Key permissionsΓÇöselect *Get*, *Wrap Key* and *Unwrap Key*.

+- Select principalΓÇödepending on the identity type used in the cluster (system or user assigned managed identity)

+ - System assigned managed identity - enter the cluster name or cluster principal ID

+ - User assigned managed identity - enter the identity name

+This step updates dedicated cluster storage with the key and version to use for "AEK" wrap and unwrap.

+az account set ΓÇösubscription "cluster-subscription-id"

+az monitor log-analytics cluster update ΓÇöno-wait ΓÇöname "cluster-name" ΓÇöresource-group "resource-group-name" ΓÇökey-name "key-name" ΓÇökey-vault-uri "key-uri" ΓÇökey-version "key-version"

+# Wait for job completion when `ΓÇöno-wait` was used

+$clusterResourceId = az monitor log-analytics cluster list ΓÇöresource-group "resource-group-name" ΓÇöquery "[?contains(name, "cluster-name")].[id]" ΓÇöoutput tsv

+az resource wait ΓÇöcreated ΓÇöids $clusterResourceId ΓÇöinclude-response-body true

+Response to GET request when key update is completed:

+> This step should be performed only after the cluster provisioning. If you link workspaces and ingest data prior to the provisioning, ingested data will be dropped and won't be recoverable.

+You need to have "write" permissions on your workspace and cluster to perform this operation. It include `Microsoft.OperationalInsights/workspaces/write` and `Microsoft.OperationalInsights/clusters/write`.

+> - The recommended way to revoke access to your data is by disabling your key, or deleting Access Policy in your Key Vault.

+The cluster storage will always respect changes in key permissions within an hour or sooner and storage will become unavailable. New data ingested to linked workspaces is dropped and non-recoverable. Data is inaccessible on these workspaces and queries fail. Previously ingested data remains in storage as long as your cluster and your workspaces aren't deleted. Inaccessible data is governed by the data-retention policy and will be purged when retention is reached. Data ingested in the last 14 days and data recently used in queries is also kept in hot-cache (SSD-backed) for query efficiency. The data on SSD gets deleted on key revocation operation and becomes inaccessible. The cluster storage attempts reach your Key Vault to unwrap encryption periodically, and when key is enabled, unwrap succeeds, SSD data is reloaded from storage, data ingestion and query are resumed within 30 minutes.

+- AutorotationΓÇöupdate your cluster with ```"keyVaultProperties"``` but omit ```"keyVersion"``` property, or set it to ```""```. Storage will automatically use the latest versions.

+- Explicit key version updateΓÇöupdate your cluster with key version in ```"keyVersion"``` property. Rotatio of keys require an explicit ```"keyVaultProperties"``` update in cluster, see [Update cluster with Key identifier details](#update-cluster-with-key-identifier-details). If you generate new key version in Key Vault but don't update it in the cluster, the cluster storage will keep using your previous key. If you disable, or delete the old key before updating a new one in the cluster, you will get into [key revocation](#key-revocation) state.

+All your data remains accessible after the key rotation operation. Data always encrypted with the Account Encryption Key ("AEK"), which is encrypted with your new Key Encryption Key ("KEK") version in Key Vault.

+The query language used in Log Analytics is expressive and can contain sensitive information in comments, or in the query syntax. Some organizations require that such information is kept protected under Customer-managed key policy and you need save your queries encrypted with your key. Azure Monitor enables you to store *saved-searches* and *log alerts* queries encrypted with your key in your own Storage Account when connected to your workspace.

+> Log Analytics queries can be saved in various stores depending on the scenario used. Queries remain encrypted with Microsoft key ("MMK") in the following scenarios regardless Customer-managed key configuration: Workbooks in Azure Monitor, Azure dashboards, Azure Logic App, Azure Notebooks and Automation Runbooks.

+When link your own storage (BYOS) to workspace, the service stores *saved-searches* and *log alerts* queries to your Storage Account. With the control on Storage Account and the [encryption-at-rest policy](../../storage/common/customer-managed-keys-overview.md), you can protect *saved-searches* and *log alerts* with Customer-managed key. You will, however, be responsible for the costs associated with that Storage Account.

+* You need to have "write" permissions on your workspace and Storage Account.

+* Make sure to create your Storage Account in the same region as your Log Analytics workspace is located.

+* The *saves searches* in storage is considered as service artifacts and their format may change.

+* Existing *saves searches* are removed from your workspace. Copy and any *saves searches* that you need before the configuration. You can view your *saved-searches* using [PowerShell](/powershell/module/az.operationalinsights/get-azoperationalinsightssavedsearch).

+* Query history isn't supported and you won't be able to see queries that you ran.

+* You can link a single Storage Account to a workspace, which can be used for both *saved-searches* and *log alerts* queries.

+* Pin to dashboard isn't supported.

+Link a Storage Account for *Query* to keep *saved-searches* queries in your Storage Account.

+az account set ΓÇösubscription "workspace-subscription-id"

+az monitor log-analytics workspace linked-storage create ΓÇötype Query ΓÇöresource-group "resource-group-name" ΓÇöworkspace-name "workspace-name" ΓÇöstorage-accounts $storageAccountId

+Link a Storage Account for *Alerts* to keep *log alerts* queries in your Storage Account.

+az account set ΓÇösubscription "workspace-subscription-id"

+az monitor log-analytics workspace linked-storage create ΓÇötype ALerts ΓÇöresource-group "resource-group-name" ΓÇöworkspace-name "workspace-name" ΓÇöstorage-accounts $storageAccountId

+In Azure Monitor, you have this control on data in workspaces linked to your dedicated cluster. The Lockbox control applies to data stored in a dedicated cluster where itΓÇÖs kept isolated in the cluster storage under your Lockbox protected subscription.

+- The max number of cluster per region and subscription is two.

+- The maximum number of workspaces that can be linked to a cluster is 1000.

+- You can link a workspace to your cluster and then unlink it. The number of workspace link operations on particular workspace is limited to two in a period of 30 days.

+ - [Soft Delete](../../key-vault/general/soft-delete-overview.md).

+ - [Purge protection](../../key-vault/general/soft-delete-overview.md#purge-protection) should be turned on to guard against force deletion of the secret, vault even after soft delete.

+ - If you create a cluster and get an errorΓÇö"region-name doesnΓÇÖt support Double Encryption for clusters", you can still create the cluster without Double encryption, by adding `"properties": {"isDoubleEncryptionEnabled": false}` in the REST request body.

+- Behavior per Key Vault availability:

+ - Normal operationΓÇöstorage caches "AEK" for short periods of time and goes back to Key Vault to unwrap periodically.

+ - Key Vault connection errorsΓÇöstorage handles transient errors (timeouts, connection failures, "DNS" issues), by allowing keys to stay in cache for the duration of the availability issue, and it overcomes blips and availability issues. The query and ingestion capabilities continue without interruption.

+- Key Vault access rateΓÇöThe frequency that Azure the cluster storage accesses Key Vault for wrap and unwrap is between 6 to 60 seconds.

+- If you update your cluster while it's at provisioning state, or updating state, the update will fail.

+- If you get conflictΓÇöerror when creating a cluster, you may have deleted your cluster in the last 14 days and itΓÇÖs in a soft-delete state. The cluster name remains reserved during the soft-delete period and you can't create a new cluster with that name. The name is released after the soft-delete period when the cluster is permanently deleted.

+- If you create a cluster and specify the KeyVaultProperties immediately, the operation may fail since the Access Policy can't be defined until system identity is assigned to the cluster.

+- If you fail to deploy your cluster, verify that your Azure Key Vault, cluster and linked workspaces are in the same region. The can be in different subscriptions.

+- If you update your key version in Key Vault and don't update the new key identifier details in the cluster, the cluster will keep using your previous key and your data will become inaccessible. Update new key identifier details in the cluster to resume data ingestion and ability to query data.

+- Some operations are long and can take a while to complete ΓÇö these are cluster create, cluster key update and cluster delete. You can check the operation status by sending GET request to cluster or workspace and observe the response. For example, unlinked workspace won't have the *clusterResourceId* under *features*.

+ - 400 ΓÇö Cluster name is not valid. Cluster name can contain characters a-z, A-Z, 0-9 and length of 3-63.

+ - 400 ΓÇö The body of the request is null or in bad format.

+ - 400 ΓÇö "SKU" name is invalid. Set "SKU" name to capacityReservation.

+ - 400 ΓÇö Capacity was provided but "SKU" is not capacityReservation. Set "SKU" name to capacityReservation.

+ - 400 ΓÇö Missing Capacity in "SKU". Set Capacity value to 500, 1000, 2000 or 5000 GB/day.

+ - 400 ΓÇö Capacity is locked for 30 days. Decreasing capacity is permitted 30 days after update.

+ - 400 ΓÇö No "SKU" was set. Set the "SKU" name to capacityReservation and Capacity value to 500, 1000, 2000 or 5000 GB/day.

+ - 400 ΓÇö Identity is null or empty. Set Identity with systemAssigned type.

+ - 400 ΓÇö KeyVaultProperties are set on creation. Update KeyVaultProperties after cluster creation.

+ - 400 ΓÇö Operation cannot be executed now. Async operation is in a state other than succeeded. Cluster must complete its operation before any update operation is performed.

+ - 400 ΓÇö Cluster is in deleting state. Async operation is in progress . Cluster must complete its operation before any update operation is performed.

+ - 400 ΓÇö KeyVaultProperties is not empty but has a bad format. See [key identifier update](#update-cluster-with-key-identifier-details).

+ - 400 ΓÇö Failed to validate key in Key Vault. Could be due to lack of permissions or when key doesnΓÇÖt exist. Verify that you [set key and Access Policy](#grant-key-vault-permissions) in Key Vault.

+ - 400 ΓÇö Key is not recoverable. Key Vault must be set to Soft-delete and Purge-protection. See [Key Vault documentation](../../key-vault/general/soft-delete-overview.md)

+ - 400 ΓÇö Operation cannot be executed now. Wait for the Async operation to complete and try again.

+ - 400 ΓÇö Cluster is in deleting state. Wait for the Async operation to complete and try again.

+ - 404 ΓÇö Cluster not found, the cluster may have been deleted. If you try to create a cluster with that name and get conflict, the cluster is in soft-delete for 14 days. You can contact support to recover it, or use another name to create a new cluster.

+ - 409 ΓÇö Can't delete a cluster while in provisioning state. Wait for the Async operation to complete and try again.

+ - 404 ΓÇö Workspace not found. The workspace you specified doesnΓÇÖt exist or was deleted.

+ - 409 ΓÇö Workspace link or unlink operation in process.

+ - 400 ΓÇö Cluster not found, the cluster you specified doesnΓÇÖt exist or was deleted. If you try to create a cluster with that name and get conflict, the cluster is in soft-delete for 14 days. You can contact support to recover it.

+ - 404 ΓÇö Workspace not found. The workspace you specified doesnΓÇÖt exist or was deleted.

+ - 409 ΓÇö Workspace link or unlink operation in process.

+The self-installer tries to determine the correct settings and paths for all the files based on the configuration of the user performing the installation (for example, root). If the pre-requisite steps (enable communication with storage and SAP HANA) were run as root, then the installation will copy the private key and `hdbuserstore` to the backup userΓÇÖs location. The steps to enable communication with the storage back-end and SAP HANA can be manually done by a knowledgeable administrator after the installation.

+1. **[Enable communication with storage](#enable-communication-with-storage)** (for more information, see separate section): Select the storage back-end you're using for your deployment.

+ 1. **For Azure NetApp Files (for more information, see separate section)**: Customer must generate the service principal authentication file.

+ 1. **For Azure Large Instance (for more information, see separate section)**: Set up SSH with a

+ private/public key pair. Provide the public key for each node, where the snapshot tools are

+ planned to be executed, to Microsoft Operations for setup on the storage back-end.

+1. **[Enable communication with storage](#enable-communication-with-storage)** (for more information, see separate section): Select the storage back-end you're using for your deployment.

+1. **[Enable communication with database](#enable-communication-with-database)** (for more information, see separate section):

+ Set up an appropriate SAP HANA user with the required privileges to perform the snapshot.

+ 1. This setting can be tested from the command line as follows using these examples:

+ > [!NOTE]

+ > These examples are for non-SSL communication to SAP HANA.

+This section explains how to enable communication with storage. Ensure the storage back-end you're using is correctly selected.

+1. If the subscription isn't correct, use the following command:

+1. Create a service principal using Azure CLI per the following example:

+ Send the output of the `cat /root/.ssh/id_rsa.pub` command to Microsoft Operations

+This section explains how to enable communication with storage. Ensure the storage back-end you're using is correctly selected.

+1. Connect to the SYSTEMDB to create the user.

+1. Create the user.

+1. Grant the user permissions.

+

+ 1. For SAP HANA releases up to version 2.0 SPS 03:

+ ```sql

+ hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, CATALOG READ TO AZACSNAP;

+ ```

+ 1. For SAP HANA releases from version 2.0 SPS 04, SAP added new fine-grained privileges:

+ ```sql

+ hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, CATALOG READ TO AZACSNAP;

+ ```

+1. *OPTIONAL* - Prevent user's password from expiring.

+1. Set up the SAP HANA Secure User Store (change the password).

+ This example uses the `hdbuserstore` command from the Linux shell to set up the SAP HANA Secure User Store.

+1. Check the SAP HANA Secure User Store.

+ specifying `"*"` as the host name, then the server's host name isn't validated.

+SSL communication also requires Key Store and Trust Store files. While it's possible for

+correct key material is being used for the various SAP HANA systems (for the cases where

+- If using multiple SIDs with the same key material, create hard-links into the securityPath

+private key and the `hdbuserstore` to the backup user's location. The steps to enable communication with the storage back-end

+and SAP HANA can be manually done by a knowledgeable administrator after the installation.

+1. Copy the SSH keys for back-end storage for azacsnap from the "root" user (the user running the install). This assumes the "root" user has

+ already configured connectivity to the storage (for more information, see section [Enable communication with storage](#enable-communication-with-storage)).

+3. Copy the SAP HANA connection secure user store for the target user, azacsnap. This

+ assumes the "root" user has already configured the secure user store (for more information, see section "Enable communication with SAP HANA").

+In some cases, it's necessary to install the tools manually, but the recommendation is to use the

+Step 2 will be necessary if "[Enable communication with database](#enable-communication-with-database)" wasn't done before the

+There are some recommended changes to be applied to SAP HANA to ensure protection of the log backups and catalog. By default, the `basepath_logbackup` and `basepath_catalogbackup` will output their files to the `$(DIR_INSTANCE)/backup/log` directory, and it's unlikely this path is on a volume which `azacsnap` is configured to snapshot these files won't be protected with storage snapshots.

+The following `hdbsql` command examples demonstrate setting the log and catalog paths to locations, which are on storage volumes that can be snapshot by `azacsnap`. Be sure to check the values on the command line match the local SAP HANA configuration.

+After making the changes to the log and catalog backup locations, confirm the settings are correct with the following command.

+In this example, the settings that have been set following the example will display as SYSTEM settings.

+recommended to reduce this value to 300 seconds (for example, 5 minutes). Then it's possible to run regular

+backups of these files (for example, every 10 minutes). This is done by adding the log_backups volumes to the OTHER volume section of the

+## Supported Databases, OS and Azure Platforms

+- **Azure Platforms**

+ - Azure Virtual Machine with Azure NetApp Files storage

+ - Azure Large Instance (on BareMetal Infrastructure)

+> [!TIP]

+> If looking for new features, or support for other databases, operating systems and platforms, check out the [Preview](azacsnap-preview.md) page. You can also provide [feedback or suggestions](https://aka.ms/azacsnap-feedback).

+#!/bin/bash

+# Utility to upload-to/list Azure Blob store.

+# If run as snapshot-to-blob.sh will upload a gzipped tarball of the snapshot.

+# If run as list-blobs.sh will list uploaded blobs.

+# e.g. `ln -s snapshot-to-blob.sh list-blobs.sh`

+SAS_KEY_FILE="${HOME}/bin/blob-credentials.saskey"

+SOURCE_DIR="/mnt/saphana1/hana_data_PR1/.snapshot"

+# _START_ AzCopy Settings

+#Overrides where the job plan files (used for progress tracking and resuming) are stored, to avoid filling up a disk.

+export AZCOPY_JOB_PLAN_LOCATION="${HOME}/.azcopy/plans/"

+#Overrides where the log files are stored, to avoid filling up a disk.

+export AZCOPY_LOG_LOCATION="${HOME}/.azcopy/logs/"

+#If set, to anything, on-screen output will include counts of chunks by state

+export AZCOPY_SHOW_PERF_STATES=true

+# _END_ AzCopy Settings

+# Make sure we got some command line args

+if [ "$(basename "$0")" = "snapshot-to-blob.sh" ] && ([ "$1" = "" ] || [ "$2" = "" ]); then

+ echo "Usage: $0 <SNAPSHOT_NAME> <PREFIX>"

+# Make sure we can read the SAS key credential file.

+if [ -r "${SAS_KEY_FILE}" ]; then

+ source "${SAS_KEY_FILE}"

+else

+ echo "Credential file '${SAS_KEY_FILE}' not found, exiting!"

+fi

+# Assign the rest of the Global variables.

+SNAPSHOT_NAME=$1

+PREFIX=$2

+BLOB_STORE="$(echo "${PORTAL_GENERATED_SAS}" | cut -f1 -d'?')"

+BLOB_SAS_KEY="$(echo "${PORTAL_GENERATED_SAS}" | cut -f2 -d'?')"

+ARCHIVE_LOG="logs/$(basename "$0").log"

+DAY_OF_WEEK=$(date "+%u")

+MONTH_OF_YEAR=$(date "+%m")

+ARCHIVE_BLOB_TGZ="${PREFIX}.${DAY_OF_WEEK}.tgz"

+#######################################

+# Write to the log.

+# Globals:

+# None

+# Arguments:

+# LOG_MSG

+#######################################

+write_log(){

+ LOG_MSG=$1

+ date=$(date "+[%d/%h/%Y:%H:%M:%S %z]")

+ echo "$date ${LOG_MSG}" >> "${ARCHIVE_LOG}"

+}

+#######################################

+# Run and Log the command.

+# Globals:

+# None

+# Arguments:

+# CMD_TO_RUN

+#######################################

+run_cmd(){

+ CMD_TO_RUN="${1}"

+ write_log "[RUNCMD] ${CMD_TO_RUN}"

+ bash -c "${CMD_TO_RUN}"

+#######################################

+# Check snapshot exists and then background the upload to Blob store.

+# Globals:

+# SOURCE_DIR

+# SNAPSHOT_NAME

+# ARCHIVE_LOG

+# Arguments:

+# None

+#######################################

+snapshot_to_blob(){

+ # Check SOURCE_DIR and SNAPSHOT_NAME exist

+ if [ ! -d "${SOURCE_DIR}/${SNAPSHOT_NAME}" ]; then

+ echo "${SOURCE_DIR}/${SNAPSHOT_NAME} not found, exiting!" | tee -a "${ARCHIVE_LOG}"

+ # background ourselves so AzAcSnap exits cleanly

+ echo "Backgrounding '$0 $@' to prevent blocking azacsnap"

+ echo "write_logging to ${ARCHIVE_LOG}"

+ {

+ trap '' HUP

+ # the script

+ upload_to_blob

+ list_blob >> "${ARCHIVE_LOG}"

+ } < > 2>&1 &

+}

+#######################################

+# Upload to Blob store.

+# Globals:

+# SOURCE_DIR

+# SNAPSHOT_NAME

+# ARCHIVE_BLOB_TGZ

+# BLOB_STORE

+# BLOB_SAS_KEY

+# ARCHIVE_LOG

+# Arguments:

+# None

+#######################################

+upload_to_blob(){

+ echo "Starting upload of ${SNAPSHOT_NAME} to ${BLOB_STORE}/${ARCHIVE_BLOB_TGZ}" >> "${ARCHIVE_LOG}"

+ run_cmd "azcopy env ; cd ${SOURCE_DIR}/${SNAPSHOT_NAME} && tar zcvf - * | azcopy cp \"${BLOB_STORE}/${ARCHIVE_BLOB_TGZ}?${BLOB_SAS_KEY}\" --from-to PipeBlob && cd -"

+ echo "Completed upload of ${SNAPSHOT_NAME} ${BLOB_STORE}/${ARCHIVE_BLOB_TGZ}" >> "${ARCHIVE_LOG}"

+ echo "Finished ($0 ${SNAPSHOT_NAME} ${PREFIX}) @ $(date "+%d-%h-%Y %H:%M")" >> "${ARCHIVE_LOG}"

+ echo "--" >> "${ARCHIVE_LOG}"

+#######################################

+# List contents of Blob store.

+# Globals:

+# BLOB_STORE

+# BLOB_SAS_KEY

+# Arguments:

+# None

+#######################################

+list_blob(){

+ LOG_MSG="Current list of files stored in ${BLOB_STORE}"

+ write_log "${LOG_MSG}"

+ echo "${LOG_MSG}"

+ run_cmd "azcopy list \"${BLOB_STORE}?${BLOB_SAS_KEY}\" --properties LastModifiedTime "

+}

+# Log when script started.

+write_log "Started ($0 ${SNAPSHOT_NAME} ${PREFIX}) @ $(date "+%d-%h-%Y %H:%M")"

+# Check what this was called as ($0) and run accordingly.

+case "$(basename "$0")" in

+ "snapshot-to-blob.sh" )

+ snapshot_to_blob

+ ;;

+ "list-blobs.sh" )

+ list_blob

+ ;;

+ *)

+ echo "Command '$0' not recognised!"

+ ;;

+esac

+PORTAL_GENERATED_SAS="https://<targetstorageaccount>.blob.core.windows.net/<blob-store>?sp=racwl&st=2021-06-10T21:10:38Z&se=2021-06-11T05:10:38Z&spr=https&sv=2020-02-10&sr=c&sig=<key-material>"

+This article explains how Azure NetApp Files snapshots work. Azure NetApp Files snapshot technology delivers stability, scalability, and faster recoverability, with no impact to performance. It provides the foundation for data protection solutions, including single-file restores, volume restores and clones, cross-region replication, and long-term retention.

+When a snapshot is taken, the pointers to the data blocks are copied, and modifications are written to new data locations. The snapshot pointers continue to point to the original data blocks that the file occupied when the snapshot was taken, giving you a live and a historical view of the data. If you were to create a new snapshot, the current pointers (that is, the ones created after the most recent additions and modifications) are copied to a new snapshot `Snapshot2`. This creates access to three generations of data (the live data, `Snapshot2`, and `Snapshot1`, in order of age) without taking up the volume space that three full copies would require.

+You can restore Azure NetApp Files snapshots to separate, independent volumes (clones). This operation is near-instantaneous, regardless of the volume size and the capacity consumed. The newly created volume is almost immediately available for access, while the actual volume and snapshot data blocks are being copied over. Depending on volume size and capacity, this process can take considerable time during which the parent volume and snapshot cannot be deleted. However, the volume can already be accessed after initial creation, while the copy process is in progress in the background. This capability enables fast volume creation for data recovery or volume cloning for test and development. By nature of the data copy process, storage capacity pool consumption will double when the restore completes, and the new volume will show the full active capacity of the original snapshot. The snapshot used to create the new volume will also be present on the new volume. After this process is completed, the volume will be independent and disassociated from the original volume, and source volumes and snapshot can be managed or removed independently from the new volume.

+If you don't want to restore the entire snapshot to a new volume or copy large files across the network, you can use the [single-file snapshot restore](snapshots-restore-file-single.md) feature to recover individual files directly within a volume from a snapshot, without requiring an external client data copy.

+When a snapshot is deleted, all pointers from that snapshot to existing data blocks will be removed. Only when a data block has no more pointers pointing at it (by the active volume, or other snapshots in the volume), the data block is returned to the volume-free space for future use. Therefore, removing snapshots usually frees up more capacity in a volume than deleting data from the active volume, because data blocks are often captured in previously created snapshots.

+1. Select **Snapshots** from the Volume page to display the snapshot list.

+ Specify the name for the volume that you're creating.

+4. Select **Review+create**. Select **Create**.

+ The new volume to which the snapshot is restored appears in the Volumes page.

+ The snapshot used to create the new volume will also be present on the new volume.

+However, that status code doesn't necessarily mean the operation is asynchronous. An asynchronous operation also returns a value for `provisioningState` that indicates the operation hasn't finished. The value can vary by operation but won't include **Succeeded**, **Failed**, or **Canceled**. Those three values indicate the operation has finished. If no value is returned for `provisioningState`, the operation has finished and succeeded.

+If the request is still running, you receive a status code 202. If the request has completed, your receive a status code 200. The body of the response contains the properties of the storage account that was created.

+* virtualMachines/extensions - Supports an unlimited number of VM extension instances.

+* machines - Supports up to 5,000 instances.

+* machines/extensions - Supports an unlimited number of VM extension instances.

+ "defaultValue": 3

+| [Columnstore indexes](/sql/relational-databases/indexes/columnstore-indexes-overview) | Yes - [Premium tier, Standard tier - S3 and above, General Purpose tier, Business Critical, and Hyperscale tiers](/sql/relational-databases/indexes/columnstore-indexes-overview) |Yes |

+| [Active geo-replication](active-geo-replication-overview.md) | Yes - all service tiers. Public Preview in Hyperscale. | No, see [Auto-failover groups](auto-failover-group-overview.md) as an alternative. |

+| [Auto-failover groups](auto-failover-group-overview.md) | Yes - all service tiers. Public Preview in Hyperscale. | Yes, see [Auto-failover groups](auto-failover-group-overview.md).|

+| Backup retention | Yes. 7 days default, max 35 days. Hyperscale backups are currently limited to a 7 day retention period. | Yes. 7 days default, max 35 days. |

+| [Long-term backup retention - LTR](long-term-retention-overview.md) | Yes, keep automatically taken backups up to 10 years. Long-term retention policies are not yet supported for Hyperscale databases. | Yes, keep automatically taken backups up to 10 years. |

+| [Point in time database restore](/sql/relational-databases/backup-restore/restore-a-sql-server-database-to-a-point-in-time-full-recovery-model) | Yes - all service tiers. See [SQL Database recovery](recovery-using-backups.md#point-in-time-restore) | Yes - see [SQL Database recovery](recovery-using-backups.md#point-in-time-restore) |

+| Backup retention is currently seven days; long-term retention policies aren't yet supported. | Hyperscale has a unique method for managing backups, so a non-Hyperscale database can't be restored as a Hyperscale database, and a Hyperscale database can't be restored as a non-Hyperscale database.<BR/><BR/>For databases migrated to Hyperscale from other Azure SQL Database service tiers, pre-migration backups are kept for the duration of [backup retention](automated-backups-overview.md#backup-retention) period of the source database, including long-term retention policies. Restoring a pre-migration backup within the backup retention period of the database is supported [programmatically](recovery-using-backups.md#programmatic-recovery-using-automated-backups). You can restore these backups to any non-Hyperscale service tier.|

+When availability group replicas are on Azure virtual machines in different Azure regions, then you can connect the Virtual Networks using the recommended [Virtual Network Peering](../../../virtual-network/virtual-network-peering-overview.md) or [Site to Site VPN Gateway](../../../vpn-gateway/vpn-gateway-about-vpngateways.md)

+1. Connect the Virtual Networks in the two Azure regions using one of the following methods:

+

+ [Virtual Network Peering - Connect virtual networks with virtual network peering using the Azure portal](../../../virtual-network/tutorial-connect-virtual-networks-portal.md) (Recommended)

+

+ or

+

+ [Site to Site VPN Gateway - Configure a VNet-to-VNet connection using the Azure portal](../../../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md).

+ - Place [tempdb](/sql/relational-databases/databases/tempdb-database) on the local ephemeral SSD (default `D:\`) drive for most SQL Server workloads that are not part of Failover Cluster Instance (FCI) after choosing the optimal VM size.

+ - For FCI place tempdb on the shared storage.

+ - If the FCI workload is heavily dependent on tempdb disk performance, then as an advanced configuration place tempdb on the local ephemeral SSD (default `D:\`) drive which is not part of FCI storage. This configuration will need custom monitoring and action to ensure the local ephemeral SSD (default `D:\`) drive is available all the time as any failures of this drive will not trigger action from FCI.

+ - Place [tempdb](/sql/relational-databases/databases/tempdb-database) on the local ephemeral SSD (default `D:\`) drive for most SQL Server workloads that are not part of Failover Cluster Instance (FCI) after choosing the optimal VM size.

+ - For FCI place tempdb on the shared storage.

+ - If the FCI workload is heavily dependent on tempdb disk performance, then as an advanced configuration place tempdb on the local ephemeral SSD (default `D:\`) drive which is not part of FCI storage. This configuration will need custom monitoring and action to ensure the local ephemeral SSD (default `D:\`) drive is available all the time as any failures of this drive will not trigger action from FCI.

+# Register Enterprise or Standard self-installed VM in full mode

+# Back up Azure PostgreSQL databases using Azure data protection via REST API

+The Azure Backup service doesn't store the username and password to connect to the PostgreSQL database. Instead, the backup admin needs to seed the *keys* into the key vault. Then the Azure Backup service will access the key vault, read the keys, and access the database. Note the secret identifier of the relevant key. The following example uses bash.

+Backup vault has to connect to the PostgreSQL server, and then access the database via the keys present in the key vault. So, it requires access to PostgreSQL server and the key vault. Access is granted to the Backup vault's Managed Service Identity (MSI).

+You need to grant permissions to back up vault's MSI on the PostgreSQL server and the Azure Key vault, where the keys to the database are stored. [Learn more](./backup-azure-database-postgresql-overview.md#set-of-permissions-needed-for-azure-postgresql-database-backup).

+After you set the relevant permissions to the vault and PostgreSQL database, and configure the vault and policy, prepare the request to configure backup. See the following request body to configure backup for an Azure PostgreSQL database. The Azure Resource Manager ID (ARM ID) of the Azure PostgreSQL database and its details are present in the _datasourceinfo_ section. The policy information is present in the _policyinfo_ section.

+Validate for backup request is a _POST_ operation and the Uniform Resource Identifier (URI) contains `{subscriptionId}`, `{vaultName}`, `{vaultresourceGroupName}` parameters.

+It returns two responses: 202 (Accepted) when another operation is created, and 200 (OK) when that operation completes.

+Once the request is validated, you can submit the same to the [create backup instance API](/rest/api/dataprotection/backup-instances/create-or-update). One of the Azure Backup data protection services protects the Backup instance within the Backup vault. Here, the Azure PostgreSQL database is the backup instance. Use the above-validated request body with minor additions.

+We'll use the [same request body that we used to validate the backup request](#configure-backup) with a unique name.

+_Create backup instance request_ is an [asynchronous operation](../azure-resource-manager/management/async-operations.md). So, this operation creates another operation that needs to be tracked separately.

+It returns two responses: 201 (Created) when backup instance is created and the protection is configured. 200 (OK) when that configuration completes.

+It returns two responses: 202 (Accepted) when another operation is created, and 200 (OK) when that operation completes.

+- [Get started with Azure Data Protection Provider REST API](/rest/api/dataprotection/)

+# Create Azure Data Protection backup policies for Azure PostgreSQL databases using REST API

+description: An overview on Azure Database for PostgreSQL backup

+# About Azure Database for PostgreSQL backup

+#### Set of permissions needed for Azure PostgreSQL database backup

+#### Set of permissions needed for Azure PostgreSQL database restore

+### Access permissions on the Azure PostgreSQL server

+ :::image type="content" source="./media/backup-azure-database-postgresql-overview/set-reader-access-on-azure-postgresql-server-inline.png" alt-text="Screenshot showing the option to set Backup vaultΓÇÖs M S I Reader access on the Azure PostgreSQL server." lightbox="./media/backup-azure-database-postgresql-overview/set-reader-access-on-azure-postgresql-server-expanded.png":::

+### Access permissions on the Azure Key vault (associated with the PostgreSQL server)

+ :::image type="content" source="./media/backup-azure-database-postgresql-overview/grant-permission-to-applications-azure-rbac-inline.png" alt-text="Screenshot showing the option to grant the backup vaultΓÇÖs M S I Key Vault Secrets User access on the key vault." lightbox="./media/backup-azure-database-postgresql-overview/grant-permission-to-applications-azure-rbac-expanded.png":::

+Run the following query in [PG admin](#use-the-pg-admin-tool) tool (replace _username_ with the database user ID):

+## Use the PG admin tool

+ Title: Azure Database for PostgreSQL server support matrix

+description: Provides a summary of support settings and limitations of Azure Database for PostgreSQL server backup.

+# Azure Database for PostgreSQL server support matrix

+You can use [Azure Backup](./backup-overview.md) to protect Azure Database for PostgreSQL server. This article summarizes supported regions, scenarios, and the limitations.

+## Supported regions

+Azure Database for PostgreSQL server backup is available in the following regions:

+East US, East US 2, Central US, South Central US, West US, West US 2, West Central US, Brazil South, Canada Central, North Europe, West Europe, UK South, UK West, Germany West Central, Switzerland North, Switzerland West, East Asia, Southeast Asia, Japan East, Japan West, Korea Central, Korea South, India Central, Australia East, Australia Central, Australia Central 2, UAE North

+## Support scenarios

+|Scenarios | Details |

+|| |

+|Deployments | [Azure Database for PostgreSQL - Single Server](../postgresql/overview.md#azure-database-for-postgresqlsingle-server) |

+|Azure PostgreSQL versions | 9.5, 9.6, 10, 11 |

+## Feature considerations and limitations

+- Recommended limit for the maximum database size is 400 GB.

+- Cross-region backup isn't supported. Therefore, you can't back up an Azure PostgreSQL server to a vault in another region. Similarly, you can only restore a backup to a server within the same region as the vault. However, we support cross-subscription backup and restore.

+- Only the data is recovered during restore; "roles" aren't restored.

+- We recommend you run the solution only on your test environment.

+## Next steps

+- [Back up Azure Database for PostgreSQL server](backup-azure-database-postgresql.md)

+# Troubleshoot PostgreSQL database backup using Azure Backup

+[About Azure Database for PostgreSQL backup](backup-azure-database-postgresql-overview.md)

+description: Learn about Azure Database for PostgreSQL backup with long-term retention

+# Azure Database for PostgreSQL backup with long-term retention

+1. Select or [create](#create-backup-policy) a Backup Policy that defines the backup schedule and the retention duration.

+ >You don't need to back up the databases *azure_maintenance* and *azure_sys*. Additionally, you can't back up a database already backed-up to a Backup vault.

+ :::image type="content" source="./media/backup-azure-database-postgresql/enter-secret-uri-inline.png" alt-text="Screenshot showing how to enter secret U R I." lightbox="./media/backup-azure-database-postgresql/enter-secret-uri-expanded.png":::

+ 1. **Select the key vault**: Use this option if you know the key vault and secret name. With this option, you (backup admin with write access on the key vault) can grant the access permissions on the key vault inline. The key vault and the secret could pre-exist or be created on the go. Ensure that the secret is the PG server connection string in ADO.net format updated with the credentials of the database user that has been granted with the ΓÇÿbackupΓÇÖ privileges on the server. Learn more about how to [create secrets in the key vault](#create-secrets-in-the-key-vault).

+1. When the secret information update is complete, the validation starts after the key vault information has been updated.

+ >[!Note]

+ >

+ >- Here, the backup service validates if it has all the necessary [access permissions](backup-azure-database-postgresql-overview.md#key-vault-based-authentication-model) to read secret details from the key vault and connect to the database.

+ >- If one or more access permissions are found missing, it will display one of the error messages ΓÇô _Role assignment not done or User cannot assign roles_.

+ - **User cannot assign roles**: This message displays when you (the backup admin) donΓÇÖt have the write access on the PostgreSQL server and/or key vault to assign missing permissions as listed under **View details**. Download the assignment template from the action button and have it run by the PostgreSQL and/or key vault admin. ItΓÇÖs an ARM template that helps you assign the necessary permissions on the required resources. Once the template is run successfully, click **Re-validate** on the Configure Backup page.

+ :::image type="content" source="./media/backup-azure-database-postgresql/download-role-assignment-template-inline.png" alt-text="Screenshot showing the option to download role assignment template." lightbox="./media/backup-azure-database-postgresql/download-role-assignment-template-expanded.png":::

+ - **Role assignment not done**: This message displays when you (the backup admin) have the write access on the PostgreSQL server and/or key vault to assign missing permissions as listed under **View details**. Use **Assign missing roles** action button in the top action menu to grant permissions on the PostgreSQL server and/or the key vault inline.

+ :::image type="content" source="./media/backup-azure-database-postgresql/role-assignment-not-done-inline.png" alt-text="Screenshot showing the error about the role assignment not done." lightbox="./media/backup-azure-database-postgresql/role-assignment-not-done-expanded.png":::

+ - PostgreSQL admin will have all the backup and restore permissions on the database by default. Therefore, validations would succeed.

+## Create Backup policy

+1. Define the Backup schedule.

+ Currently, only Weekly backup option is available. However, you can schedule the backups on multiple days of the week.

+1. Define **Retention** settings.

+ You can add one or more retention rules. Each retention rule assumes inputs for specific backups, and data store and retention duration for those backups.

+ >[!Note]

+ >The **default retention rule** is applied in the absence of any other retention rule and has a default value of three months.

+ >

+ >- Retention duration ranges from seven days to 10 years in the **Backup data store**.

+ >- Retention duration ranges from six months to 10 years in the **Archive data store**.

+## Run an on-demand backup

+- [Learn more](manage-azure-database-postgresql.md#stop-protection) about stopping backup for Azure Database for PostgreSQL Server.

+Backup center helps enterprises to [govern, monitor, operate, and analyze backups at scale](backup-center-overview.md). This article summarizes the scenarios that Backup center supports for each workload type.

+| Monitoring | View all jobs | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP High-Performance Analytic Appliance (HANA) in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | Seven days worth of jobs available out of the box. <br> <br> Each filter/drop-down supports a maximum of 1000 items. So, Backup center can be used to monitor a maximum of 1000 subscriptions and 1000 vaults across tenants. |

+| Monitoring | View all backup instances | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | Same as previous |

+| Monitoring | View all backup policies | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | Same as previous |

+| Monitoring | View all vaults | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | Same as previous |

+| Monitoring | View Azure Monitor alerts at scale | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | Refer [Alerts](./backup-azure-monitoring-built-in-monitor.md#azure-monitor-alerts-for-azure-backup-preview) documentation |

+| Monitoring | View Azure Backup metrics and write metric alert rules | Azure VM <br><br>SQL in Azure VM <br><br> SAP HANA in Azure VM<br><br>Azure Files | You can view metrics for all Recovery Services vaults for a region and subscription simultaneously. Viewing metrics for a larger scope in the Azure portal isnΓÇÖt currently supported. The same limits are also applicable to configure metric alert rules. For more information, see [View metrics in the Azure portal](metrics-overview.md#view-metrics-in-the-azure-portal).|

+| Actions | Configure backup | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | See support matrices for [Azure VM backup](./backup-support-matrix-iaas.md) and [Azure Database for PostgreSQL Server backup](backup-azure-database-postgresql-support-matrix.md) |

+| Actions | Restore Backup Instance | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | See support matrices for [Azure VM backup](./backup-support-matrix-iaas.md) and [Azure Database for PostgreSQL Server backup](backup-azure-database-postgresql-support-matrix.md) |

+| Actions | Create vault | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | Refer to support matrices for [Recovery Services vault](./backup-support-matrix.md#vault-support) |

+| Actions | Create backup policy | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | See support matrices for [Recovery Services vault](./backup-support-matrix.md#vault-support) |

+| Actions | Execute on-demand backup for a backup instance | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | See support matrices for [Azure VM backup](./backup-support-matrix-iaas.md) and [Azure Database for PostgreSQL Server backup](backup-azure-database-postgresql-support-matrix.md) |

+| Actions | Stop backup for a backup instance | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | See support matrices for [Azure VM backup](./backup-support-matrix-iaas.md) and [Azure Database for PostgreSQL Server backup](backup-azure-database-postgresql-support-matrix.md) |

+| Actions | Execute cross-region restore job from Backup center | Azure Virtual Machine <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM | See the [cross-region restore](./backup-create-rs-vault.md#set-cross-region-restore) documentation. |

+| Insights | View Backup Reports | Azure Virtual Machine <br><br> SQL in Azure Virtual Machine <br><br> SAP HANA in Azure Virtual Machine <br><br> Azure Files <br><br> System Center Data Protection Manager <br><br> Azure Backup Agent (MARS) <br><br> Azure Backup Server (MABS) | See [supported scenarios for Backup Reports](./configure-reports.md#supported-scenarios). |

+| Governance | View and assign built-in and custom Azure Policies under category _Backup_. | N/A | N/A |

+| Governance | View datasources not configured for backup | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server | N/A |

+* [Review the support matrix for Azure Database for PostgreSQL Server backup](backup-azure-database-postgresql-support-matrix.md)

+# Back up Azure PostgreSQL databases using Azure CLI

+For informgreSQL databases supported scenarios and limitations, see the [support matrix](backup-azure-database-postgresql-support-matrix.md).

+Backup vault is a storage entity in Azure. This stores the backup data for new workloads that Azure Backup supports. For example, Azure Database for PostgreSQL servers, blobs in a storage account, and Azure Disks. Backup vaults help to organize your backup data, while minimizing management overhead. Backup vaults are based on the Azure Resource Manager model of Azure, which provides enhanced capabilities to help secure backup data.

+ - Default tagging criteria (a default 'tag' for all the scheduled backups. This tag links the backups to the retention rule)

+ - Default tagging criteria (a default 'tag' for all the scheduled backups. This tag links the backups to the retention rule)

+The policy template consists of a trigger (which decides what triggers the backup) and a lifecycle (which decides when to delete/copy/move the backup). In Azure PostgreSQL database backup, the default value for trigger is a scheduled Weekly trigger (one backup every seven days) and to retain each backup for three months.

+The following example creates a new *tag* along with the criteria, the first successful backup of the month. The tag has the same name as the corresponding retention rule to be applied.

+The Azure Backup service doesn't store the username and password to connect to the PostgreSQL database. Instead, the backup admin needs to seed the *keys* into the key vault. Then the Backup service will access the key vault, read the keys, and then access the database. Note the secret identifier of the relevant key.

+Backup vault has to connect to the PostgreSQL server, and then access the database via the keys present in the key vault. Therefore, it requires access to the PostgreSQL server and the key vault. Access is granted to the Backup vault's Managed Service Identity (MSI).

+See the [permissions](./backup-azure-database-postgresql-overview.md#set-of-permissions-needed-for-azure-postgresql-database-backup) you should grant to the Backup vault's Managed Service Identity (MSI) on the PostgreSQL server and Azure Key vault that stores keys to the database.

+# Back up Azure PostgreSQL databases using Azure PowerShell

+For information on the Azure PostgreSQL databases supported scenarios and limitations, see the [support matrix](backup-azure-database-postgresql-support-matrix.md).

+# Manage Azure Database for PostgreSQL server

+## Stop protection

+There are three ways to stop protecting an Azure Database for PostgreSQL server.

+### Stop protection and retain data

+1. Go to **Backup center** and select **Azure Database for PostgreSQL server**.

+1. Select **Stop Backup**.

+### Stop protection and delete data

+1. Go to **Backup center** and select **Azure Database for PostgreSQL server**.

+1. Click **Stop Backup**.

+## Resume protection

+Follow these steps:

+1. Go to **Backup center** and select **Azure Database for PostgreSQL server**.

+1. Select **Resume Backup**.

+# Restore Azure Database for PostgreSQL backups

+ :::image type="content" source="./media/restore-azure-database-postgresql/assign-vault-msi-permission-to-access-storage-account-containers-azure-portal-inline.png" alt-text="Screenshot showing the process to assign Backup vault M S I the permission to access the storage account containers using the Azure portal." lightbox="./media/restore-azure-database-postgresql/assign-vault-msi-permission-to-access-storage-account-containers-azure-portal-expanded.png":::

+ :::image type="content" source="./media/restore-azure-database-postgresql/select-application-type-for-id-inline.png" alt-text="Screenshot showing the process to get the Application I D of the vault MSI." lightbox="./media/restore-azure-database-postgresql/select-application-type-for-id-expanded.png":::

+ :::image type="content" source="./media/restore-azure-database-postgresql/copy-vault-id-inline.png" alt-text="Screenshot showing the process to copy the Application I D of the vault." lightbox="./media/restore-azure-database-postgresql/copy-vault-id-expanded.png":::

+# Restore Azure PostgreSQL databases using Azure CLI

+Being a PaaS database, the Original Location Recovery (OLR) option to restore by replacing the existing database (from where the backups were taken) isn't supported. You can restore from a recovery point to create a new database in the same Azure PostgreSQL server or in any other PostgreSQL server. This is called Alternate-Location Recovery (ALR) that helps to keep both - the source database and the restored (new) database.

+Backup vault uses managed identity to access other Azure resources. To restore from backup, Backup vaultΓÇÖs managed identity requires a set of permissions on the Azure PostgreSQL server to which the database should be restored.

+To list all backup instances within a vault, use [az dataprotection backup-instance list](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list) command. Then fetch the relevant instance using the [az dataprotection backup-instance show](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_show) command. Alternatively, for _at-scale_ scenarios, you can list backup instances across vaults and subscriptions using the [az dataprotection backup-instance list-from-resourcegraph](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list_from_resourcegraph) command.

+Construct the Azure Resource Manager ID (ARM ID) of the new PostgreSQL database. You need to create this with the [target PostgreSQL server to which permissions were assigned](#set-up-permissions). Also, construct the required PostgreSQL database name. For example, a PostgreSQL database can be named **emprestored21** under a target PostgreSQL server **targetossserver** in resource group **targetrg** with a different subscription.

+1. Modify the source datastore

+1. Add other parameters to specify the rehydration priority

+1. Specify the duration for which the rehydrated recovery point should be retained in the vault data store

+1. Restore as a database from this recovery point

+Use the following command to prepare the request for all the previous-mentioned operations, at once.

+Fetch the Uniform Resource Identifier (URI) of the container, within the storage account [to which permissions were assigned](#set-up-permissions). For example, a container named **testcontainerrestore** under a storage account **testossstorageaccount** with a different subscription.

+For archive-based recovery point, in the following script:

+- Modify the source datastore.

+- Add the rehydration priority and the retention duration, in days, of the rehydrated recovery point.

+To validate if the JSON file will succeed to create new resources, use the [az dataprotection backup-instance validate-for-restore](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_validate_for_restore) command.

+Use the [az dataprotection backup-instance restore trigger](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_trigger) command to trigger the restore operation with the previously prepared request.

+You can also use _Az.ResourceGraph_ to track jobs across all Backup vaults. Use the [az dataprotection job list-from-resourcegraph](/cli/azure/dataprotection/job#az_dataprotection_job_list_from_resourcegraph) command to get the relevant job that is across all Backup vaults.

+- [Overview of Azure PostgreSQL backup](backup-azure-database-postgresql-overview.md)

+# Restore Azure PostgreSQL databases using Azure PowerShell

+Backup vault uses managed identity to access other Azure resources. To restore from backup, Backup vaultΓÇÖs managed identity requires a set of permissions on the Azure PostgreSQL server to which the database should be restored.

+There are various restore options for a PostgreSQL database. You can restore the recovery point as another database or restore as files. The recovery point can be on archive tier as well.

+Use the following command to prepare the request for all the previous-mentioned operations, at once.

+You can also use *Az.ResourceGraph* to track jobs across all Backup vaults. Use the [Search-AzDataProtectionJobInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionjobinazgraph?view=azps-5.7.0&preserve-view=true) command to get the relevant job, which is across all backup vault.

+# Restore Azure PostgreSQL databases using Azure data protection REST API

+It returns two responses: 202 (Accepted) when another operation is created. Then 200 (OK) when that operation completes.

+It returns two responses: 202 (Accepted) when another operation is created. Then 200 (OK) when that operation completes.

+ Title: Tutorial - Back up Azure Database for PostgreSQL server

+description: Learn about how to back up Azure Database for PostgreSQL server to an Azure Backup Vault.

+# Back up Azure Database for PostgreSQL server

+This tutorial shows you how to back up Azure Database for PostgreSQL server running on an Azure VM to an Azure Backup Recovery Services vault. In this article, you learn how to:

+> [!div class="checklist"]

+>

+> - Create a Backup vault.

+> - Create a Backup Policy.

+> - Prepare the databases.

+> - Configure backup on the database.

+> - Run an on-demand backup.

+## Before you start

+Before you back up your Azure Database for PostgreSQL server:

+- Identify or create a Backup Vault in the same region where you want to back up the Azure Database for PostgreSQL server instance.

+- Check that Azure Database for PostgreSQL server is named in accordance with naming guidelines for Azure Backup.

+- [Create secrets in the key vault](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault).

+- [Allow access permissions for the relevant key vault](backup-azure-database-postgresql-overview.md#access-permissions-on-the-azure-key-vault-associated-with-the-postgresql-server).

+- [Provide database user's backup privileges on the database](backup-azure-database-postgresql-overview.md#database-users-backup-privileges-on-the-database).

+- [Allow access permissions for PostgreSQL server](backup-azure-database-postgresql-overview.md#access-permissions-on-the-azure-postgresql-server).

+## Create a Backup vault

+A Backup vault is a storage entity in Azure that holds backup data for various newer workloads that Azure Backup supports, such as Azure Database for PostgreSQL servers and Azure Disks. Backup vaults make it easy to organize your backup data, while minimizing management overhead. Backup vaults are based on the Azure Resource Manager model of Azure, which provides enhanced capabilities to help secure backup data.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Type **Backup center** in the search box.

+1. Under **Services**, select **Backup center**.

+1. On the **Backup center** page, select **Vault**.

+ :::image type="content" source="./media/backup-managed-disks/backup-center.png" alt-text="Screenshot showing to select Vault in Backup center.":::

+1. In the **Initiate: Create Vault** screen, select **Backup vault**, and **Proceed**.

+ :::image type="content" source="./media/backup-managed-disks/initiate-create-vault.png" alt-text="Screenshot showing to select Initiate: Create vault.":::

+1. On the **Basics** tab, provide subscription, resource group, backup vault name, region, and backup storage redundancy.

+ Continue by selecting **Review + create**. Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).

+ :::image type="content" source="./media/backup-managed-disks/review-and-create.png" alt-text="Screenshot showing to select Review and create vault.":::

+## Create Backup Policy

+You can create a Backup policy on the go during the configure backup flow. Alternatively, go to **Backup center** -> **Backup policies** -> **Add**.

+1. Enter a name for the new policy.

+ :::image type="content" source="./media/backup-azure-database-postgresql/enter-name-for-new-policy-inline.png" alt-text="Screenshot showing the process to enter a name for the new policy." lightbox="./media/backup-azure-database-postgresql/enter-name-for-new-policy-expanded.png":::

+1. Define the Backup schedule.

+ Currently, only Weekly backup option is available. However, you can schedule the backups on multiple days of the week.

+1. Define **Retention** settings.

+ You can add one or more retention rules. Each retention rule assumes inputs for specific backups, and data store and retention duration for those backups.

+1. To store your backups in one of the two data stores (or tiers), choose **Backup data store** (standard tier) or **Archive data store** (in preview).

+1. Choose **On-expiry** to move the backup to archive data store upon its expiry in the backup data store.

+ >[!Note]

+ >The **default retention rule** is applied in the absence of any other retention rule and has a default value of three months.

+ >

+ >- Retention duration ranges from seven days to 10 years in the **Backup data store**.

+ >- Retention duration ranges from six months to 10 years in the **Archive data store**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/choose-option-to-move-backup-to-archive-data-store-inline.png" alt-text="Screenshot showing to choose On-expiry to move the backup to archive data store upon its expiry." lightbox="./media/backup-azure-database-postgresql/choose-option-to-move-backup-to-archive-data-store-expanded.png":::

+>[!Note]

+>The retention rules are evaluated in a pre-determined order of priority. The priority is the highest for the yearly rule, followed by the monthly, and then the weekly rule. Default retention settings are applied when no other rules qualify. For example, the same recovery point may be the first successful backup taken every week as well as the first successful backup taken every month. However, as the monthly rule priority is higher than that of the weekly rule, the retention corresponding to the first successful backup taken every month applies.

+## Prepare the database

+To prepare the database, follow these steps:

+1. [Create secrets in the key vault](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault).

+1. [Grant privileges to database users using PowerShell scripts](backup-azure-database-postgresql.md#run-powershell-script-to-grant-privileges-to-database-users).

+## Configure backup on the database

+You can configure backup on multiple databases across multiple Azure PostgreSQL servers. To configure backup on the Azure PostgreSQL databases using Azure Backup, follow these steps:

+1. Go to **Backup vault** -> **+Backup**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/adding-backup-inline.png" alt-text="Screenshot showing the option to add a backup." lightbox="./media/backup-azure-database-postgresql/adding-backup-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/adding-backup-details-inline.png" alt-text="Screenshot showing the option to add backup information." lightbox="./media/backup-azure-database-postgresql/adding-backup-details-expanded.png":::

+ Alternatively, you can navigate to this page from the [Backup center](./backup-center-overview.md).

+1. Select or [create](#create-backup-policy) a Backup Policy that defines the backup schedule and the retention duration.

+ :::image type="content" source="./media/backup-azure-database-postgresql/create-or-add-backup-policy-inline.png" alt-text="Screenshot showing the option to add a backup policy." lightbox="./media/backup-azure-database-postgresql/create-or-add-backup-policy-expanded.png":::

+1. **Select Azure PostgreSQL databases to back up**: Choose one of the Azure PostgreSQL servers across subscriptions if they're in the same region as that of the vault. Expand the arrow to see the list of databases within a server.

+ >[!Note]

+ >You don't need to back up the databases *azure_maintenance* and *azure_sys*. Additionally, you can't back up a database already backed-up to a Backup vault.

+ :::image type="content" source="./media/backup-azure-database-postgresql/select-azure-postgresql-databases-to-back-up-inline.png" alt-text="Screenshot showing the option to select an Azure PostgreSQL database." lightbox="./media/backup-azure-database-postgresql/select-azure-postgresql-databases-to-back-up-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/choose-an-azure-postgresql-server-inline.png" alt-text="Screenshot showing how to choose an Azure PostgreSQL server." lightbox="./media/backup-azure-database-postgresql/choose-an-azure-postgresql-server-expanded.png":::

+1. **Assign Azure key vault** that stores the credentials to connect to the selected database. To assign the key vault at the individual row level, click **Select a key vault and secret**. You can also assign the key vault by multi-selecting the rows and click Assign key vault in the top menu of the grid.

+ :::image type="content" source="./media/backup-azure-database-postgresql/assign-azure-key-vault-inline.png" alt-text="Screenshot showing how to assign Azure key vault." lightbox="./media/backup-azure-database-postgresql/assign-azure-key-vault-expanded.png":::

+1. To specify the secret information, use one of the following options:

+ 1. **Enter secret URI**: Use this option if the secret URI is shared/known to you. You can copy the **secret URI from the Key vault** -> **Secrets (select a secret)** -> **Secret Identifier**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/enter-secret-uri-inline.png" alt-text="Screenshot showing how to enter secret U R I." lightbox="./media/backup-azure-database-postgresql/enter-secret-uri-expanded.png":::

+ However, with this option, Azure Backup gets no visibility about the key vault youΓÇÖve referenced. Therefore, access permissions on the key vault canΓÇÖt be granted inline. The backup admin along with the Postgres and/or key vault admin need to ensure that the backup vaultΓÇÖs [access on the key vault is granted manually](backup-azure-database-postgresql-overview.md#access-permissions-on-the-azure-key-vault-associated-with-the-postgresql-server) outside the configure backup flow for the backup operation to succeed.

+ 1. **Select the key vault**: Use this option if you know the key vault and secret name. With this option, you (backup admin with write access on the key vault) can grant the access permissions on the key vault inline. The key vault and the secret could pre-exist or be created on the go. Ensure that the secret is the PG server connection string in ADO.net format updated with the credentials of the database user that has been granted with the _backup_ privileges on the server. Learn more about how to [create secrets in the key vault](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault).

+ :::image type="content" source="./media/backup-azure-database-postgresql/assign-secret-store-inline.png" alt-text="Screenshot showing how to assign secret store." lightbox="./media/backup-azure-database-postgresql/assign-secret-store-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/select-secret-from-azure-key-vault-inline.png" alt-text="Screenshot showing the selection of secret from Azure Key Vault." lightbox="./media/backup-azure-database-postgresql/select-secret-from-azure-key-vault-expanded.png":::

+1. When the secret information update is complete, the validation starts after the key vault information has been updated.

+ >[!Note]

+ >

+ >- Here, the backup service validates if it has all the necessary [access permissions](backup-azure-database-postgresql-overview.md#key-vault-based-authentication-model) to read secret details from the key vault and connect to the database.

+ >- If one or more access permissions are found missing, it'll display one of the error messages ΓÇô _Role assignment not done or User cannot assign roles_.

+ :::image type="content" source="./media/backup-azure-database-postgresql/validation-of-secret-inline.png" alt-text="Screenshot showing the validation of secret." lightbox="./media/backup-azure-database-postgresql/validation-of-secret-expanded.png":::

+ - **User cannot assign roles**: This message displays when you (the backup admin) donΓÇÖt have the write access on the PostgreSQL server and/or key vault to assign missing permissions as listed under **View details**. Download the assignment template from the action button and have it run by the PostgreSQL and/or key vault admin. ItΓÇÖs an ARM template that helps you assign the necessary permissions on the required resources. Once the template is run successfully, click **Re-validate** on the Configure Backup page.

+ :::image type="content" source="./media/backup-azure-database-postgresql/download-role-assignment-template-inline.png" alt-text="Screenshot showing the option to download role assignment template." lightbox="./media/backup-azure-database-postgresql/download-role-assignment-template-expanded.png":::

+ - **Role assignment not done**: This message displays when you (the backup admin) have the write access on the PostgreSQL server and/or key vault to assign missing permissions as listed under **View details**. Use **Assign missing roles** action button in the top action menu to grant permissions on the PostgreSQL server and/or the key vault inline.

+ :::image type="content" source="./media/backup-azure-database-postgresql/role-assignment-not-done-inline.png" alt-text="Screenshot showing the error about the role assignment not done." lightbox="./media/backup-azure-database-postgresql/role-assignment-not-done-expanded.png":::

+1. Select **Assign missing roles** in the top menu and assign roles. Once the process starts, the [missing access permissions](backup-azure-database-postgresql-overview.md#azure-backup-authentication-with-the-postgresql-server) on the KV and/or PG server are granted to the backup vault. You can define the scope at which the access permissions should be granted. When the action is complete, re-validation starts.

+ :::image type="content" source="./media/backup-azure-database-postgresql/assign-missing-roles-inline.png" alt-text="Screenshot showing the option to assign missing roles." lightbox="./media/backup-azure-database-postgresql/assign-missing-roles-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/define-scope-of-access-permission-inline.png" alt-text="Screenshot showing to define the scope of access permission." lightbox="./media/backup-azure-database-postgresql/define-scope-of-access-permission-expanded.png":::

+ - Backup vault accesses secrets the key vault and runs a test connection to the database to validate if the credentials have been entered correctly. The privileges of the database user are also checked to see [if the Database user has backup-related permissions on the database](backup-azure-database-postgresql-overview.md#database-users-backup-privileges-on-the-database).

+ - PostgreSQL admin will have all the backup and restore permissions on the database by default. Therefore, validations would succeed.

+

+ - A low-privileged user may not have backup/restore permissions on the database. Therefore, the validations would fail. A PowerShell script is dynamically generated (one per record/selected database). [Run the PowerShell script to grant these privileges to the database user on the database](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault). Alternatively, you can assign these privileges using PG admin or PSQL tool.

+ :::image type="content" source="./media/backup-azure-database-postgresql/backup-vault-accesses-secrets-inline.png" alt-text="Screenshot showing the backup vault access secrets from the key vault." lightbox="./media/backup-azure-database-postgresql/backup-vault-accesses-secrets-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/run-test-connection.png" alt-text="Screenshot showing the process to start test connection.":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/user-credentials-to-run-test-connection-inline.png" alt-text="Screenshot showing how to provide user credentials to run the test." lightbox="./media/backup-azure-database-postgresql/user-credentials-to-run-test-connection-expanded.png":::

+1. Keep the records with backup readiness as Success to proceed to last step of submitting the operation.

+ :::image type="content" source="./media/backup-azure-database-postgresql/backup-readiness-as-success-inline.png" alt-text="Screenshot showing the backup readiness is successful." lightbox="./media/backup-azure-database-postgresql/backup-readiness-as-success-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/review-backup-configuration-details-inline.png" alt-text="Screenshot showing the backup configuration review page." lightbox="./media/backup-azure-database-postgresql/review-backup-configuration-details-expanded.png":::

+1. Submit the configure backup operation and track the progress under **Backup instances**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/submit-configure-backup-operation-inline.png" alt-text="Screenshot showing the backup configuration submission and tracking progress." lightbox="./media/backup-azure-database-postgresql/submit-configure-backup-operation-expanded.png":::

+## Run an on-demand backup

+To trigger an on-demand backup (that's not in the schedule specified in the policy), follow these steps:

+1. Go to **Backup instances** -> **Backup Now**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/navigate-to-retention-rules-inline.png" alt-text="Screenshot showing the option to navigate to the list of retention rules that were defined in the associated Backup policy." lightbox="./media/backup-azure-database-postgresql/navigate-to-retention-rules-expanded.png":::

+1. Choose retention rules from the list that were defined in the associated Backup policy.

+ :::image type="content" source="./media/backup-azure-database-postgresql/choose-retention-rules-inline.png" alt-text="Screenshot showing the option to choose retention rules that were defined in the associated Backup policy." lightbox="./media/backup-azure-database-postgresql/choose-retention-rules-expanded.png":::

+## Next steps

+In this tutorial, you used the Azure portal to:

+> [!div class="checklist"]

+>

+> - Create a Backup vault.

+> - Create a Backup Policy.

+> - Prepare the databases.

+> - Configure backup on the database.

+> - Run an on-demand backup.

+Continue to the how-to article to Azure Database for PostgreSQL.

+> [!div class="nextstepaction"]

+> [Restore Azure Database for PostgreSQL server](restore-azure-database-postgresql.md)

+- January 2022

+ - [Back up Azure Database for PostgreSQL is now generally available](#back-up-azure-database-for-postgresql-is-now-generally-available)

+## Back up Azure Database for PostgreSQL is now generally available

+Azure Backup and Azure Database services together help you to build an enterprise-class backup solution for Azure PostgreSQL (is now generally available). You can meet your data protection and compliance needs with a customer-controlled backup policy that enables retention of backups for up to 10 years.

+With this, you've granular control to manage the backup and restore operations at the individual database level. Likewise, you can restore across PostgreSQL versions or to blob storage with ease. Besides using the Azure portal to perform the PostgreSQL database protection operations, you can also use the PowerShell, CLI, and REST API clients.

+For more information, see [Azure Database for PostgreSQL backup](backup-azure-database-postgresql-overview.md).

+description: Learn how to use speaker recognition from the Speech SDK to answer the question, "Who is speaking?". In this quickstart, you learn about common design patterns for working with speaker verification and identification, which both use voice biometry to identify unique voices.

+# Get started with speaker recognition

+## Install GStreamer

+Choose a platform for installation instructions.

+Android | Java | [1.18.3](https://gstreamer.freedesktop.org/data/pkg/android/1.18.3/)

+Linux | C++, C#, Java, Python, Go | [Supported Linux distributions and target architectures](~/articles/cognitive-services/speech-service/speech-sdk.md)

+Windows (excluding UWP) | C++, C#, Java, Python | [1.18.3](https://gstreamer.freedesktop.org/data/pkg/windows/1.18.3/msvc/gstreamer-1.0-msvc-x86_64-1.18.3.msi)

+For more information about building libgstreamer_android.so, see [GStreamer configuration by programming language](#gstreamer-configuration).

+For more information, see [Android installation instructions](https://gstreamer.freedesktop.org/documentation/installing/for-android-development.html?gi-language=c).

+Make sure that packages of the same platform (x64 or x86) are installed. For example, if you installed the x64 package for Python, you need to install the x64 GStreamer package. The following instructions are for the x64 packages.

+1. Create the folder c:\gstreamer.

+1. Download the [installer](https://gstreamer.freedesktop.org/data/pkg/windows/1.18.3/msvc/gstreamer-1.0-msvc-x86_64-1.18.3.msi).

+1. Copy the installer to c:\gstreamer.

+1. Run the following command in PowerShell:

+1. Add the system variables GST_PLUGIN_PATH with the value C:\gstreamer\1.0\msvc_x86_64\lib\gstreamer-1.0.

+1. Add the system variables GSTREAMER_ROOT_X86_64 with the value C:\gstreamer\1.0\msvc_x86_64.

+1. Add another entry in the path variable as C:\gstreamer\1.0\msvc_x86_64\bin.

+1. Reboot the machine.

+For more information about GStreamer, see [Windows installation instructions](https://gstreamer.freedesktop.org/documentation/installing/on-windows.html?gi-language=c).

+> GStreamer configuration requirements vary by programming language. For more information, choose your programming language at the top of this page. The contents of this section will be updated.

+| What data is stored in Azure? | Enrollment audio is stored in the service until the voice profile is [deleted](./get-started-speaker-recognition.md#delete-voice-profile-enrollments). Recognition audio samples aren't retained or stored. |

+>[Use managed identities to acquire an access token](../../../app-service/overview-managed-identity.md?tabs=dotnet#configure-target-resource)

+Azure Communication Services Chat can help you add real-time text communication to your cross-platform applications. This page summarizes key Chat concepts and capabilities. See the [Communication Services Chat Software Development Kit (SDK) Overview](./sdk-features.md) for lists of SDKs, languages, platforms, and detailed feature support.

+The Chat APIs provide an **auto-scaling** service for persistently storied text and data communication. Other key features include:

+- **Custom Identity and Addressing** - Azure Communication Services provides generic [identities](../identity-model.md) that are used to address communication endpoints. Clients use these identities to authenticate to the Azure service and communicate with each other in `chat threads` you control.

+- **Encryption** - Chat SDKs encrypt traffic and prevents tampering on the wire.

+- **Microsoft Teams Meetings** - Chat SDKs can [join Teams meetings](../../quickstarts/chat/meeting-interop.md) and communicate with Teams chat messages.

+- **Real-time Notifications** - Chat SDKs use efficient persistent connectivity (WebSockets) to receive real-time notifications such as when a remote user is typing. When apps are running in the background, built-in functionality is available to [fire pop-up notifications](../notifications.md) ("toasts") to inform end users of new threads and messages.

+**Service & Bot Extensibility** - REST APIs and server SDKs allow services to send and receive messages. Bots can be added easily with [Azure Bot Framework integration](../../quickstarts/chat/quickstart-botframework-integration.md).

+- Chat threads have between zero to 250 users as participants who can send messages to it.

+- A user can be a part an unlimited number of chat threads.

+- Only thread participants can send or receive messages, add participants, or remove participants.

+Azure stores chat messages until explicitly deleted. Chat thread participants can use `ListMessages` to view message history for a particular thread. Users that are removed from a chat thread will be able to view previous message history but cannot send or receive new messages. To learn more about data being stored by Communication Services, refer to the [data residency and privacy page](../privacy.md).

+ - **Client app:** The client application connects to your trusted service and receives the access tokens that are used by users to connect directly to Communication Services. Once your trusted service has created the chat thread and added users as participants, they can use the client app to connect to the chat thread and send messages. Use real-time notifications feature, which we will discuss below, in your client app to subscribe to message & thread updates from other participants.

+As part of message history, Chat shares user-generated messages as well as system-generated messages. System messages are generated when a chat thread is updated and identify when a participant was added or removed or when the chat thread topic was updated. When you call `List Messages` or `Get Messages` on a chat thread, the result will contain both kind of messages in chronological order.

+For user-generated messages, the message type can be set in `SendMessageOptions` when sending a message to chat thread. If no value is provided, Communication Services will default to `text` type. Setting this value is important when sending HTML. When `html` is specified, Communication Services will sanitize the content to ensure that it's rendered safely on client devices.

+One way to achieve this is by having your trusted service act as a participant of a chat thread. Let's say you want to enable language translation. This service will be responsible for listening to the messages being exchanged by other participants [1], calling Cognitive APIs to translate the content to desired language[2,3] and sending the translated result as a message in the chat thread[4].

+## Customers with US Azure Billing Addresses

+|USA (includes PR) |Toll-Free |GA |GA |GA |GA* |

+|USA (includes PR) |Local | | |GA |GA* |

+|USA |Short-Codes |Public Preview |Public Preview* | | |

+## Customers with UK Azure Billing Addresses

+|UK |Toll-Free | | |Public Preview |Public Preview* |

+|UK |Local | | |Public Preview |Public Preview* |

+|USA (includes PR) |Toll-Free |GA |GA |Public Preview |Public Preview* |

+|USA (includes PR) |Local | | |Public Preview |Public Preview* |

+## Customers with Ireland Azure Billing Addresses

+|USA (includes PR) |Toll-Free |GA |GA |GA |GA* |

+|USA (includes PR) |Local | | |GA |GA* |

+## Customers with Denmark Azure Billing Addresses

+|Number|Type |Send SMS | Receive SMS |Make Calls |Receive Calls|

+|:|:|:|:|:|:|

+|Denmark |Toll-Free | | |Public Preview |Public Preview* |

+|Denmark |Local | | |Public Preview |Public Preview* |

+***

+\* Available through Azure Bot Framework and Dynamics only

+In this quickstart, you learned about Subscription Eligibility and Number Capabilities for Communication Services.

+The following documents may be interesting to you:

+- [Learn more about Telephony](../telephony/telephony-concept.md)

+- Get a Telephony capable [phone number](../../quickstarts/telephony/get-phone-number.md)

+Azure Communication Services allows for adding voice/video calling and screen sharing to your applications. You can embed the experience into your applications using JavaScript, Objective-C (Apple), Java (Android), or .NET SDKs. Refer to our [full list of available SDKs](./sdk-options.md).

+Calling and screen-sharing services are charged on a per minute per participant basis at $0.004 per participant per minute for group calls. Azure Communication Services doesn't charge for data egress. To understand the various call flows that are possible, refer to [this page](./call-flows.md).

+Alice made a group call with her colleagues, Bob, and Charlie. Alice and Bob used the JS SDKs, Charlie iOS SDKs.

+- Two participants x 60 minutes x $0.004 per participant per minute = $0.48 [both video and audio are charged at the same rate]

+- One participant x 43 minutes x $0.004 per participant per minute = $0.172 [both video and audio are charged at the same rate]

+### Pricing example: Outbound Call from app using JS SDK to a PSTN (Public Switched Telephony Network) number

+- One participant on the VoIP leg (Alice) from App to Communication Services servers x 10 minutes x $0.004 per participant leg per minute = $0.04

+- One participant on the PSTN outbound leg (Bob) from Communication Services servers to a US telephone number x 10 minutes x $0.013 per participant leg per minute = $0.13.

+> USA mixed rate to `+1-425` is $0.013. Refer to the following link for details: https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

+- One participant on the VoIP leg (Alice) from App to Communication Services servers x 10 minutes x $0.004 per participant leg per minute = $0.04

+- One participant on the Communication Services direct routing outbound leg (Bob) from Communication Services servers to an SBC x 10 minutes x $0.004 per participant leg per minute = $0.04.

+- Two participants on the VoIP leg (Alice and Bob) from App to Communication Services servers x 20 minutes x $0.004 per participant leg per minute = $0.16

+- One participant on the PSTN outbound leg (Charlie) from Communication Services servers to US Telephone number x 10 minutes x $0.013 per participant leg per minute = $0.13

+- One Participant (Bob) connected to Teams lobby x 1 minute x $0.004 per participant per minute (lobby charged at regular rate of meetings) = $0.004

+- One participant (Bob) x 29 minutes x $0.004 per participant per minute = $0.116 [both video and audio are charged at the same rate]

+- One participant (Alice) x 30 minutes x $0.000 per participant per minute = $0.0*.

+- One participant (Bob) x three chat messages x $0.0008 = $0.0024.

+- One participant (Alice) x five chat messages x $0.000 = $0.0*.

+*Alice's participation is covered by her Teams license. Your Azure invoice will show the minutes and chat messages that Teams users had with Communication Services Users for your convenience, but those minutes and messages originating from the Teams client won't be charged.

+- After five minutes, Bob adds Charlie to the call. Charlie has his camera turned off for 10 minutes. Then turns his camera on for the rest of the call.

+- After another five minutes, both Bob and Charlie leave the call

+- One Participant (Alice) called the phone number associated with Teams user Bob using Teams Calling plan x 25 minutes deducted from Bob's tenant Teams minute pool

+- One participant (Bob) x 30 minutes x $0.004 per participant per minute = $0.12 [both video and audio are charged at the same rate]

+- One participant (Charlie) x 25 minutes x $0.000 per participant per minute = $0.0*.

+Azure Communication Services allows customers to record PSTN, WebRTC, Conference, SIP Interface calls. Currently Call Recording supports mixed audio+video MP4 and mixed audio-only MP3/WAV output formats. Call Recording SDKs are available for Java and C#. Refer to [this page to learn more](../quickstarts/voice-video-calling/call-recording-sample.md).

+- You'll be charged the length of the meeting. (Length of the meeting is the timeline between user starts a recording and either explicitly stops or when there's no one left in a meeting).

+- You'll be charged the length of the recording.

+With Communication Services you can enhance your application with the ability to send and receive chat messages between two or more users. Chat SDKs are available for JavaScript, .NET, Python, and Java. Refer to [this page to learn about SDKs](./sdk-options.md)

+Geeta starts a chat thread with Emily to share an update and sends five messages. The chat lasts 10 minutes. Geeta and Emily send another 15 messages each.

+## SMS (Short Messaging Service) and Telephony

+Please refer to the following links for details on SMS and Telephony pricing

+- [SMS Pricing Details](./sms-pricing.md)

+- [PSTN Pricing Details](./pstn-pricing.md)

+Get started with ACS

+- [Send an SMS](../quickstarts/sms/send.md)

+- [Add Voice calling to your app](../quickstarts/voice-video-calling/getting-started-with-calling.md)

+ Title: Pricing for PSTN

+description: Learn about Communication Services' Telephony Pricing Model.

+# Telephony (PSTN) Pricing

+> [!IMPORTANT]

+> Number Retention and Portability: Phone numbers that are assigned to you during any preview program may need to be returned to Microsoft if you do not meet regulatory requirements before General Availability. During private preview and public preview, telephone numbers are not eligible for porting. [Details on offers in Public Preview / GA](../concepts/numbers/sub-eligibility-number-capability.md)

+Numbers are billed on a per month basis, and pricing differs based on the type of a number and the source (country) of the number. Once a number is purchased, Customers can make / receive calls using that number and are billed on a per minute basis. PSTN call pricing is based on the type of number and location in which a call is terminated (destination), with few scenarios having rates based on origination location.

+In most cases, customers with Azure subscriptions locations that match the country of the Number offer will be able to buy the Number. However, US and UK numbers may be purchased by customers with Azure subscription locations in other countries. Please see here for details on [in-country and cross-country purchases](../concepts/numbers/sub-eligibility-number-capability.md).

+All prices shown below are in USD.

+## United States Telephony Offers

+### Phone Number Leasing Charges

+|Number type |Monthly fee |

+|--|--|

+|Geographic |USD 1.00/mo |

+|Toll-Free |USD 2.00/mo |

+### Usage Charges

+|Number type |To make calls* |To receive calls|

+|--|--||

+|Geographic |Starting at USD 0.0130/min |USD 0.0085/min |

+|Toll-free |Starting at USD 0.0130/min | USD 0.0220/min |

+\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

+## United Kingdom Telephony Offers

+### Phone Number Leasing Charges

+|Number type |Monthly fee |

+|--|--|

+|Geographic |USD 1.00/mo |

+|Toll-Free |USD 2.00/mo |

+### Usage Charges

+|Number type |To make calls* |To receive calls|

+|--|--||

+|Geographic |Starting at USD 0.0150/min |USD 0.0090/min |

+|Toll-free |Starting at USD 0.0150/min |Starting at USD 0.0290/min |

+\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

+## Denmark Telephony Offers

+### Phone Number Leasing Charges

+|Number type |Monthly fee |

+|--|--|

+|Geographic |USD 0.82/mo |

+|Toll-Free |USD 25.00/mo |

+### Usage Charges

+|Number type |To make calls* |To receive calls|

+|--|--||

+|Geographic |Starting at USD 0.0190/min |USD 0.0100/min |

+|Toll-free |Starting at USD 0.0190/min |Starting at USD 0.0343/min |

+\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

+***

+Note: Pricing for all countries is subject to change as pricing is market-based and depends on third-party suppliers of telephony services. Additionally, pricing may include requisite taxes and fees.

+***

+## Next steps

+In this quickstart, you learned how Telephony (PSTN) Offers are priced for Azure Communication Services.

+The following documents may be interesting to you:

+- [Learn more about Telephony](../concepts/telephony/telephony-concept.md)

+- Get a Telephony capable [phone number](../quickstarts/telephony/get-phone-number.md)

+- [Phone number types in Azure Communication Services](../concepts/telephony/plan-solution.md)

+- [How jobs are matched to workers](matching-concepts.md)

+- [Exception Policies](exception-policy.md)

+ Title: Exception Policy

+description: Learn about the Azure Communication Services Job Router Exception Policy.

+zone_pivot_groups: acs-js-csharp

+# Exception Policy

+An Exception Policy is a set of rules that defines what actions to execute when a condition is triggered. You can save these policies inside Job Router and the attach them to one or more Queues.

+## Triggers

+The following triggers can be used to drive actions:

+**Queue Length -** Fires when the length of the queue exceeds a specified threshold while adding the job to the queue.

+**Wait Time -** Fires when the job has been waiting in the queue for the specified threshold.

+When these triggers are fired, they'll execute one or more actions and send an [Exception Triggered Event][exception_triggered_event] via [Event Grid][subscribe_events].

+## Actions

+**Cancel -** Cancels the job and removes it from the queue.

+**Reclassify -** Reapplies the specified Classification Policy with modified labels to the job.

+**Manual Reclassify -** Modifies the queue, priority, and worker selectors to the job.

+## Examples

+In the following example, we configure an Exception Policy that will cancel a job before it joins a queue with a length greater than 100.

+```csharp

+await client.SetExceptionPolicyAsync(

+ id: "policy-1",

+ name: "My Exception Policy",

+ rules: new List<ExceptionRule>

+ {

+ new ExceptionRule(

+ id: "rule-1",

+ trigger: new QueueLengthExceptionTrigger(threshold: 100),

+ actions: new List<ExceptionAction>

+ {

+ new CancelExceptionAction("cancel-action")

+ })

+ });

+```

+```typescript

+await client.upsertExceptionPolicy({

+ id: "policy-1",

+ name: "My Exception Policy",

+ exceptionRules: [

+ {

+ id: "rule-1",

+ trigger: { kind: "queue-length", threshold: 100 },

+ actions: [

+ { kind: "cancel", id: "cancel-action" }

+ ]

+ }

+ ]

+ });

+```

+In the following example, we configure an Exception Policy with rules that will:

+- Set the job priority to 10 after it has been waiting in the queue for 1 minute.

+- Move the job to `queue-2` after it has been waiting for 5 minutes.

+```csharp

+await client.SetExceptionPolicyAsync(

+ id: "policy-1",

+ name: "My Exception Policy",

+ rules: new List<ExceptionRule>

+ {

+ new ExceptionRule(

+ id: "rule-1",

+ trigger: new WaitTimeExceptionTrigger(TimeSpan.FromMinutes(1)),

+ actions: new List<ExceptionAction>

+ {

+ new ManualReclassifyExceptionAction(id: "action1", priority: 10)

+ }),

+ new ExceptionRule(

+ id: "rule-2",

+ trigger: new WaitTimeExceptionTrigger(TimeSpan.FromMinutes(5)),

+ actions: new List<ExceptionAction>

+ {

+ new ManualReclassifyExceptionAction(id: "action2", queueId: "queue-2")

+ })

+ });

+```

+```typescript

+await client.upsertExceptionPolicy({

+ id: "policy-1",

+ name: "My Exception Policy",

+ exceptionRules: [

+ {

+ id: "rule-1",

+ trigger: { kind: "wait-time", threshold: "00:01:00" },

+ actions: [

+ { kind: "manual-reclassify", id: "action1", priority: 10 }

+ ]

+ },

+ {

+ id: "rule-2",

+ trigger: { kind: "wait-time", threshold: "00:05:00" },

+ actions: [

+ { kind: "manual-reclassify", id: "action2", queueId: "queue-2" }

+ ]

+ }

+ ]

+ });

+```

+<!-- LINKS -->

+[subscribe_events]: ../../how-tos/router-sdk/subscribe-events.md

+[exception_triggered_event]: ../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterjobexceptiontriggered

+ prioritizationRule: new ExpressionRule("If(job.Urgent = true, 10, 5)")

+Azure Communication Services APIs are organized into eight areas. Most areas have fully open-sourced SDKs programmed against published REST APIs that you can use directly over the Internet. The Calling SDK uses proprietary network interfaces and is closed-source.

+In the tables below we summarize these areas and availability of REST APIs and SDK libraries. We note if APIs and SDKs are intended for end-user clients or trusted service environments. APIs such as SMS should not be directly accessed by end-user devices in low trust environments.

+Development of Calling and Chat applications can be accelerated by the [Azure Communication Services UI library](./ui-library/ui-library-overview.md). The customizable UI library provides open-source UI components for Web and mobile apps, and a Microsoft Teams theme.

+Communication Services APIs are documented alongside other [Azure REST APIs in docs.microsoft.com](/rest/api/azure/). This documentation will tell you how to structure your HTTP messages and offers guidance for using [Postman](../tutorials/postman-tutorial.md). REST interface documentation is also published in Swagger format on [GitHub](https://github.com/Azure/azure-rest-api-specs).

+ Title: Media Streaming and Composition

+description: Introduces the Media Streaming and Composition

+# Media Streaming and Composition

+Azure Communication Services Media Streaming and Composition enables you to build dynamic voice and video calling experiences at large scales, suitable for interactive streaming, virtual events, and broadcast scenarios. In a common video calling scenario, each participant is uploading several media streams captured from:

+- Cameras

+- Microphones

+- Applications (screen sharing)

+These media streams are typically arrayed in a grid and broadcast to call participants. Media Streaming and Composition allows you to extend and enhance this experience:

+- Connect devices and services using streaming protocols such as [RTMP](https://datatracker.ietf.org/doc/html/rfc7016) or [SRT](https://datatracker.ietf.org/doc/html/draft-sharabayko-srt)

+- Compose media streams into complex scenes

+RTMP & SRT connectivity can be used for both input and output. Using RTMP/SRT input, a videography studio that emits RTMP/SRT can join an Azure Communication Services call. RTMP/SRT output allows you to stream media from Azure Communication Services into [Azure Media Services](https://docs.microsoft.com/azure/media-services/latest/concepts-overview), YouTube Live, and many other broadcasting channels. The ability to attach industry standard RTMP/SRT emitters and to output content to RTMP/SRT subscribers for broadcasting transforms a small group call into a virtual event that reaches millions of people in real time.

+Media Composition REST APIs (and open-source SDKs) allow you to command the Azure service to cloud compose these media streams. For example, a **presenter layout** can be used to compose a speaker and a translator together in a classic picture-in-picture style. Media Composition allows for all clients and services connected to the media data plane to enjoy a particular dynamic layout without local processing or application complexity.

+ In the diagram below, three endpoints are participating actively in a group call and uploading media. Two users, one of which is using Microsoft Teams, are composed using a *presenter layout.* The third endpoint is a television studio that emits RTMP into the call. The Azure Calling client and Teams client will receive the composed media stream instead of a typical grid. Additionally, Azure Media Services is shown here subscribing to the call's RTMP channel and broadcasting content externally.

+This functionality is activated through REST APIs and open-source SDKs. Below is an example of the JSON encoded configuration of a presenter layout for the above scenario:

+```

+{

+ layout: {

+ type: ΓÇÿpresenterΓÇÖ,

+ presenter: {

+ supportPosition: ΓÇÿrightΓÇÖ,

+ primarySource: ΓÇÿ1ΓÇÖ, // source id

+ }

+ },

+ sources: [

+ { id: ΓÇÿ1ΓÇÖ }, { id: ΓÇÿ2ΓÇÖ }

+ ]

+}

+```

+The presenter layout is one of several layouts available through the media composition capability:

+- **Grid** - This is the typical video calling layout, where all media sources are shown on a grid with similar sizes. You can use the grid layout to specify grid positions and size.

+- **Presentation.** Similar to the grid layout but media sources can have different sizes, allowing for emphasis.

+- **Presenter** - This layout overlays two sources on top of each other.

+- **Weather Person** - This layout overlays two sources, but in real-time Azure will remove the background behind people.

+<!-To try out media composition, check out following content:-->

+<!- [Quick Start - Applying Media Composition to a video call](../../quickstarts/media-composition/get-started-media-composition.md) -->

+<!- [Tutorial - Media Composition Layouts](../../quickstarts/media-composition/media-composition-layouts.md) -->

+Azure Communication Services are cloud-based services with REST APIs and client library SDKs available to help you integrate communication into your applications. You can add communication to your applications without being an expert in underlying technologies such as media encoding or telephony. Azure Communication Service is available in multiple [Azure geographies](concepts/privacy.md) and Azure for government.

+- [Voice and Video Calling](concepts/voice-video-calling/calling-sdk-features.md)

+- [Rich Text Chat](concepts/chat/concepts.md)

+- [SMS](concepts/sms/concepts.md)

+You can connect custom client apps, custom services, and the publicly switched telephony network (PSTN) to your communications experience. You can acquire [phone numbers](./concepts/telephony/plan-solution.md) directly through Azure Communication Services REST APIs, SDKs, or the Azure portal; and use these numbers for SMS or calling applications. Azure Communication Services [direct routing](./concepts/telephony/plan-solution.md) allows you to use SIP and session border controllers to connect your own PSTN carriers and bring your own phone numbers.

+In addition to REST APIs, [Azure Communication Services client libraries](./concepts/sdk-options.md) are available for various platforms and languages, including Web browsers (JavaScript), iOS (Swift), Java (Android), Windows (.NET). A [UI library](https://aka.ms/acsstorybook) can accelerate development for Web, iOS, and Android apps. Azure Communication Services is identity agnostic and you control how end users are identified and authenticated.

+- **Business to Consumer (B2C).** Employees and services engage external customers using voice, video, and text chat in browser and native apps. An organization can send and receive SMS messages, or [operate an interactive voice response system (IVR)](https://github.com/microsoft/botframework-telephony/blob/main/EnableTelephony.md) using a phone number you acquire through Azure. [Integration with Microsoft Teams](./quickstarts/voice-video-calling/get-started-teams-interop.md) can be used to connect consumers to Teams meetings hosted by employees; ideal for remote healthcare, banking, and product support scenarios where employees might already be familiar with Teams.

+- **Consumer to Consumer (C2C).** Build engaging consumer-to-consumer interaction with voice, video, and rich text chat. Any type of user interface can be built on Azure Communication Services SDKs, or use complete application samples and an open-source UI toolkit to help you get started quickly.

+description: Understand when to use Azure Container Apps and how it compares to other container options including Azure Container Instances, Azure App Service, Azure Functions, and Azure Kubernetes Service.

+[Add an identity](../app-service/overview-managed-identity.md?tabs=ps%2Cdotnet) to the function app:

+ Title: 'Quickstart: Cassandra API with CQLSH - Azure Cosmos DB'

+description: This quickstart shows how to use the Azure Cosmos DB's Apache Cassandra API to create a profile application using CQLSH.

+# Quickstart: Build a Cassandra app with CQLSH and Azure Cosmos DB

+> [!div class="op_single_selector"]

+> * [.NET](manage-data-dotnet.md)

+> * [.NET Core](manage-data-dotnet-core.md)

+> * [Java v3](manage-data-java.md)

+> * [Java v4](manage-data-java-v4-sdk.md)

+> * [Node.js](manage-data-nodejs.md)

+> * [Python](manage-data-python.md)

+> * [Golang](manage-data-go.md)

+In this quickstart, you create an Azure Cosmos DB Cassandra API account, and use CQLSH to create a Cassandra database and container. Azure Cosmos DB is a multi-model database service that lets you quickly create and query document, table, key-value, and graph databases with global distribution and horizontal scale capabilities.

+## Prerequisites

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](https://azure.microsoft.com/try/cosmosdb/) without an Azure subscription.

+## Create a database account

+Before you can create a document database, you need to create a Cassandra account with Azure Cosmos DB.

+## Install standalone CQLSH tool

+Refer to [CQL shell](cassandra-support.md#cql-shell) on steps on how to launch a standalone cqlsh tool.

+## Update your connection string

+Now go back to the Azure portal to get your connection string information and copy it into the app. The connection string details enable your app to communicate with your hosted database.

+1. In your Azure Cosmos DB account in the [Azure portal](https://portal.azure.com/), select **Connection String**.

+ :::image type="content" source="./media/manage-data-java/copy-username-connection-string-azure-portal.png" alt-text="View and copy a username from the Azure portal, Connection String page":::

+2. Use the :::image type="icon" source="./media/manage-data-java/copy-button-azure-portal.png"::: button on the right side of the screen to copy the USERNAME and PASSWORD value.

+3. In your terminal, set the SSL variables:

+ ```bash

+ # Export the SSL variables:

+ export SSL_VERSION=TLSv1_2

+ export SSL_VALIDATE=false

+ ```

+4. Connect to Azure Cosmos DB API for Cassandra:

+ - Paste the USERNAME and PASSWORD value into the command.

+ ```sql

+ cqlsh <USERNAME>.cassandra.cosmos.azure.com 10350 -u <USERNAME> -p <PASSWORD> --ssl --protocol-version=4

+ ```

+## CQL commands to create and run an app

+- Create keyspace

+```sql

+CREATE KEYSPACE IF NOT EXISTS uprofile

+WITH REPLICATION = { 'class' : 'NetworkTopologyStrategy', 'datacenter1' : 1 };

+```

+- Create a table

+```sql

+CREATE TABLE IF NOT EXISTS uprofile.user (user_id int PRIMARY KEY, user_name text, user_bcity text);

+```

+- Insert a row into user table

+```sql

+INSERT INTO uprofile.user (user_id, user_name, user_bcity) VALUES (101,'johnjoe','New York')

+```

+You can also insert data using the COPY command.

+```sql

+COPY uprofile.user(user_id, user_name, user_bcity) FROM '/path to file/fileName.csv'

+WITH DELIMITER = ',' ;

+```

+- Query the user table

+```sql

+SELECT * FROM uprofile.users;

+```

+In the Azure portal, open **Data Explorer** to query, modify, and work with this new data.

+ :::image type="content" source="./media/manage-data-java/view-data-explorer-java-app.png" alt-text="View the data in Data Explorer - Azure Cosmos DB":::

+## Review SLAs in the Azure portal

+## Clean up resources

+## Next steps

+In this quickstart, you learned how to create an Azure Cosmos DB account with Cassandra API using CQLSH that creates a Cassandra database and container. You can now import additional data into your Azure Cosmos DB account.

+> [!div class="nextstepaction"]

+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)

+ "organizations:ListAccounts",

+ "iam:ListRoles",

+ "ce:*",

+ "cur:DescribeReportDefinitions"

+4. On the **Security** tab, add the user account under which the Integration Runtime Host Service (DIAHostService) is running, with read access to the certificate.

+5. The HTTP connector loads only trusted certificates. If you're using a self-signed or nonintegrated CA-issued certificate, to enable trust, the certificate must also be installed in one of the following stores:

+ - Trusted People

+ - Third-Party Root Certification Authorities

+ - Trusted Root Certification Authorities

+* Build the rest of your data flow logic by using mapping data flows [transformations](concepts-data-flow-overview.md).

+* Build the rest of your data flow logic by using mapping data flows [transformations](concepts-data-flow-overview.md).

+You can also schedule SSIS packages by using Azure Data Factory. For step-by-step instructions, see [Azure Data Factory event trigger](how-to-create-event-trigger.md).

+ [:::image type="content" source="media/self-hosted-integration-runtime-automation-scripts/script-2-run-result.png#lightbox" alt-text="script 2 run result](media/self-hosted-integration-runtime-automation-scripts/script-2-run-result.png)":::

+ :::image type="content" source="media/solution-template-copy-files-multiple-containers/copy-files-multiple-containers-image-1.png" alt-text="Create a new connection to the source":::

+ :::image type="content" source="media/solution-template-copy-files-multiple-containers/copy-files-multiple-containers-image-2.png" alt-text="Create a new connection to the destination":::

+ :::image type="content" source="media/solution-template-copy-files-multiple-containers/copy-files-multiple-containers-image-3.png" alt-text="Use this template":::

+ :::image type="content" source="media/solution-template-copy-files-multiple-containers/copy-files-multiple-containers-image-4.png" alt-text="Show the pipeline":::

+ :::image type="content" source="media/solution-template-copy-files-multiple-containers/copy-files-multiple-containers-image-5.png" alt-text="Run the pipeline":::

+ :::image type="content" source="media/solution-template-copy-files-multiple-containers/copy-files-multiple-containers-image-6.png" alt-text="Review the result":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/historical-migration-s3-azure-1.png" alt-text="Screenshot that shows the Migrate historical data from AWS S3 to Azure Data Lake Storage Gen2 template.":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/historical-migration-s3-azure-2.png" alt-text="Screenshot that highlights the Use this template button.":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/historical-migration-s3-azure-3.png" alt-text="Screenshot that shows the two pipelines and three datasets that were created by using the template.":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/historical-migration-s3-azure-4.png" alt-text="Screenshot that shows where to select Debug and enter the parameters before you select Finish.":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/historical-migration-s3-azure-5.png" alt-text="Screenshot that shows the returned results.":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/delta-migration-s3-azure-1.png" alt-text="Create a new connection":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/delta-migration-s3-azure-2.png" alt-text="Use this template":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/delta-migration-s3-azure-3.png" alt-text="Review the pipeline":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/delta-migration-s3-azure-4.png" alt-text="Click **Debug**":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/delta-migration-s3-azure-5.png" alt-text="Review the result":::

+ :::image type="content" source="media/solution-template-migration-s3-azure/delta-migration-s3-azure-6.png" alt-text="Screenshot that shows the results from the control table after you run the query.":::

+|**2.**|Certificates|Alerts related to signing chain certificates aren't removed from the portal even after uploading new signing chain certificates.| |

+|**17.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. This is also required for Event Grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|

+## Next steps

+

+|**15.**|Certificates|Alerts related to signing chain certificates aren't removed from the portal even after uploading new signing chain certificates.| |

+|**16.**|Compute + Kubernetes |Compute/Kubernetes does not support NTLM web proxy. ||

+|**17.**|Internet Explorer|If enhanced security features are enabled, you may not be able to access local web UI pages. | Disable enhanced security, and restart your browser.|

+|**18.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. This is also required for Event Grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|

+|**19.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources are not deleted from the Kubernetes cluster. |To allow the deletion of resources when they're deleted from the git repository, set `--sync-garbage-collection` in Arc OperatorParams. For more information, see [Delete a configuration](../azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md#additional-parameters). |

+|**20.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. That ensures the writes are written to the disk.| |

+|**21.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that do not exist on the network.| |

+|**22.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it is not possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create 1 VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available 1 GPU. |

+|**23.**|Custom script VM extension |There is a known issue in the Windows VMs that were created in an earlier release and the device was updated to 2103. <br> If you add a custom script extension on these VMs, the Windows VM Guest Agent (Version 2.7.41491.901 only) gets stuck in the update causing the extension deployment to time out. | To work around this issue: <ol><li> Connect to the Windows VM using remote desktop protocol (RDP). </li><li> Make sure that the `waappagent.exe` is running on the machine: `Get-Process WaAppAgent`. </li><li> If the `waappagent.exe` is not running, restart the `rdagent` service: `Get-Service RdAgent` \| `Restart-Service`. Wait for 5 minutes.</li><li> While the `waappagent.exe` is running, kill the `WindowsAzureGuest.exe` process. </li><li>After you kill the process, the process starts running again with the newer version.</li><li>Verify that the Windows VM Guest Agent version is 2.7.41491.971 using this command: `Get-Process WindowsAzureGuestAgent` \| `fl ProductVersion`.</li><li>[Set up custom script extension on Windows VM](azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md). </li><ol> |

+|**24.**|GPU VMs |Prior to this release, GPU VM lifecycle was not managed in the update flow. Hence, when updating to 2103 release, GPU VMs are not stopped automatically during the update. You will need to manually stop the GPU VMs using a `stop-stayProvisioned` flag before you update your device. For more information, see [Suspend or shut down the VM](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#suspend-or-shut-down-the-vm).<br> All the GPU VMs that are kept running before the update, are started after the update. In these instances, the workloads running on the VMs aren't terminated gracefully. And the VMs could potentially end up in an undesirable state after the update. <br>All the GPU VMs that are stopped via the `stop-stayProvisioned` before the update, are automatically started after the update. <br>If you stop the GPU VMs via the Azure portal, you'll need to manually start the VM after the device update.| If running GPU VMs with Kubernetes, stop the GPU VMs right before the update. <br>When the GPU VMs are stopped, Kubernetes will take over the GPUs that were used originally by VMs. <br>The longer the GPU VMs are in stopped state, higher the chances that Kubernetes will take over the GPUs. |

+|**25.**|Multi-Process Service (MPS) |When the device software and the Kubernetes cluster are updated, the MPS setting is not retained for the workloads. |[Re-enable MPS](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface) and redeploy the workloads that were using MPS. |

+description: Learn about Azure CLI scripts. With these samples, you can create a virtual machine and then start, stop, and delete it in Azure Lab Services.

+This article includes sample bash scripts built for Azure CLI for Azure Lab Services.

+| [Create and verify a virtual machine (VM)](#create-and-verify-availability-of-a-vm) | Creates a Windows VM with minimal configuration. |

+| [Start a VM](#start-a-vm) | Starts a VM. |

+| [Stop and delete a VM](#stop-and-delete-a-vm) | Stops and deletes a VM. |

+## Prerequisites

+All of these scripts have the following prerequisite:

+- **A lab**. The script requires you to have an existing lab.

+## Create and verify availability of a VM

+This Azure CLI script creates a virtual machine in a lab.

+The VM created based on a marketplace image with SSH authentication.

+The script then verifies that the VM is available for use.

+This script uses the following commands:

+| Command | Notes |

+|||

+| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

+| [az lab vm create](/cli/azure/lab/vm#az_lab_vm_create) | Creates a VM in a lab. |

+| [az lab vm show](/cli/azure/lab/vm#az_lab_vm_show) | Displays the status of the VM in a lab. |

+## Start a VM

+This Azure CLI script starts a virtual machine in a lab.

+This script uses the following commands:

+| Command | Notes |

+|||

+| [az lab vm start](/cli/azure/lab/vm#az_lab_vm_start) | Starts a VM in a lab. This operation can take a while to complete. |

+## Stop and delete a VM

+This Azure CLI script stops and deletes a virtual machine in a lab.

+This script uses the following commands:

+| Command | Notes |

+|||

+| [az lab vm stop](/cli/azure/lab/vm#az_lab_vm_stop) | Stops a VM in a lab. This operation can take a while to complete. |

+| [az lab vm delete](/cli/azure/lab/vm#az_lab_vm_delete) | Deletes a VM in a lab. This operation can take a while to complete. |

+## Clean up deployment

+Run the following command to remove the resource group, VM, and all related resources.

+```azurecli

+az group delete --name $resourceGroupName

+```

+| **[T-Mobile](https://www.t-mobile.com/business/solutions/networking/cloud-networking )** |Supported |Supported |Chicago, Silicon Valley, Washington DC |

+Register-AzProviderFeature -FeatureName AFWEnableNetworkRuleNameLogging -ProviderNamespace Microsoft.Network

+Register-AzResourceProvider -ProviderNamespace Microsoft.Network

+Register-AzResourceProvider -ProviderNamespace Microsoft.Network

+- **TLS Inspection** - decrypts outbound traffic, processes the data, then encrypts the data and sends it to the destination.

+The template deploys a complete testing environment for Azure Firewall Premium enabled with IDPS, TLS Inspection, URL Filtering, and Web Categories:

+- a new Azure Firewall Premium and Firewall Policy with predefined settings to allow easy validation of its core capabilities (IDPS, TLS Inspection, URL Filtering, and Web Categories)

+- deploys all dependencies including Key Vault and a Managed Identity. In a production environment, these resources may already be created and not needed in the same template.

+- generates self-signed Root CA and deploys it on the generated Key Vault

+Now you can test IDPS, TLS Inspection, Web filtering, and Web categories.

+To test IDPS, you should deploy your own internal test Web server with an appropriate server certificate. This test includes sending malicious traffic to a Web server, so it isn't advisable to do this to a public Web server. For more information about Azure Firewall Premium certificate requirements, see [Azure Firewall Premium certificates](premium-certificates.md).

+1. Edit the firewall policy application rules and add a new rule called `AllowURL` to the `AllowWeb` rule collection. Configure the target URL `www.nytimes.com/section/world`, Source IP address **\***, Destination type **URL**, select **TLS Inspection**, and protocols **http, https**.

+4. Under **Rules** for **Name** type *AllowSports*, **Source** *\**, **Protocol** *http, https*, select **TLS Inspection**, **Destination Type** select *Web categories*, **Destination** select *Sports*.

+- Migrate an existing standard firewall (with classic rules) to Azure Firewall Premium with a Premium policy

+> [!IMPORTANT]

+> Upgrading a Standard Firewall deployed in Southeast Asia with Availability Zones is not currently supported.

+Performance is a consideration when migrating from the standard SKU. IDPS and TLS inspection are compute intensive operations. The premium SKU uses a more powerful VM SKU, which scales to a maximum throughput of 30 Gbps comparable with the standard SKU. The 30-Gbps throughput is supported when configured with IDPS in alert mode. Use of IDPS in deny mode and TLS inspection increases CPU consumption. Degradation in max throughput might occur.

+The firewall throughput might be lower than 30 Gbps when youΓÇÖve one or more signatures set to **Alert and Deny** or application rules with **TLS inspection** enabled. Microsoft recommends customers perform full-scale testing in their Azure deployment to ensure the firewall service performance meets your expectations.

+Given a standard firewall policy ID, the script transforms it to a Premium Azure firewall policy. The script first connects to your Azure account, pulls the policy, transforms/adds various parameters, and then uploads a new Premium policy. The new premium policy is named `<previous_policy_name>_premium`. If it's a child policy transformation, a link to the parent policy will remain.

+If you use Azure Firewall Standard SKU with firewall policy, you can use the Allocate/Deallocate method to migrate your Firewall SKU to Premium. This migration approach is supported on both VNet Hub and Secure Hub Firewalls. When you migrate a Secure Hub deployment, it will preserve the firewall public IP address.

+If you require further protection, then you can enable [Azure DDoS Protection Standard](../ddos-protection/ddos-protection-overview.md) on the VNet where your back-ends are deployed. DDoS Protection Standard customers receive additional benefits including cost protection, SLA guarantee, and access to experts from the DDoS Rapid Response Team for immediate help during an attack.

+ Title: Move from IoT Central to a PaaS solution | Microsoft Docs

+description: How do I move between aPaaS and PaaS solution approaches?

+# How do I move between aPaaS and PaaS solutions?

+When you begin your IoT journey, start with Azure IoT Central. IoT Central is the Microsoft application platform as a service (aPaaS) IoT offering. IoT Central is the fastest and easiest way to get started using Azure IoT. However, if you require a high level of customization, you can move from IoT Central and go lower in the stack with the Azure IoT platform as a service (PaaS) services. Use the *IoT Central migrator tool* to migrate devices seamlessly from IoT Central to a custom PaaS solution that uses the Device Provisioning Service (DPS) and IoT Hub service.

+## Move devices with the IoT Central migrator tool

+Use the migrator tool to move devices with no downtime from IoT Central to your own DPS instance. In a PaaS solution, you link a DPS instance to your IoT hub. The migrator tool disconnects devices from IoT Central and connects them to your PaaS solution. From this point forward, new devices are created in your IoT hub. Old device registrations remain in IoT Central so that you can fall back to IoT Central just if something goes wrong.

+Download the [migrator tool from GitHub](https://github.com/Azure/iotc-migrator).

+## Minimize disruption

+To minimize disruption, you can migrate your devices in phases. The migrator tool uses device groups to move devices from IoT Central to your IoT hub. Divide your device fleet into device groups such as devices in Texas, devices in New York, and devices in the rest of the US. Then migrate each device group independently.

+Minimize business impact by following these steps:

+- Create the PaaS solution and run it in parallel with the IoT Central application.

+- Set up continuous data export in IoT Central application and appropriate routes to the PaaS solution IoT hub. Transform both data channels and store the data into the same data lake.

+- Migrate the devices in phases and verify at each phase. If something doesn't go as planned, fail the devices back to IoT Central.

+- When you've migrated all the devices to the PaaS solution and fully exported your data from IoT Central, you can remove the devices from the IoT Central solution.

+After the migration, devices aren't automatically deleted from the IoT Central application so that you can fail them back from your PaaS solution. These devices continue to be billed as IoT Central charges for all provisioned devices in the application. When you remove these devices from the IoT Central application, they're no longer be billed. Eventually, remove the IoT Central application.

+## Firmware best practices

+So that you can seamlessly migrate devices from your IoT Central applications to PaaS solution, follow these guidelines:

+- The device must be an IoT Plug and Play device that uses a [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/dtdlv2.md) model. IoT Central requires all devices to have a DTDL model. This simplifies the interoperability between an IoT PaaS solution and IoT Central.

+- The device must follow the [IoT Central data formats for telemetry, property, and commands](concepts-telemetry-properties-commands.md).

+- IoT Central uses the DPS to provision the devices. The PaaS solution must also use DPS to provision the devices.

+- The updateable DPS pattern ensures that the device can move seamlessly between IoT Central applications and the PaaS solution without any downtime.

+## Move existing data out of IoT Central

+You can configure IoT Central to continuously export telemetry and property values. Export destinations are data stores such as Azure Data Lake, Event Hubs, and Webhooks. You can export device templates using either the IoT Central UI or the REST API. The REST API lets you export the users in an IoT Central application.

+## Next steps

+Now that you've learned about moving from aPaaS to PaaS solutions, a suggested next step is to explore the [IoT Central migrator tool](https://github.com/Azure/iotc-migrator).

+ Title: Extend IoT Central | Microsoft Docs

+description: How do I extend IoT Central if it's missing something I need?

+# How do I extend IoT Central if it's missing something I need?

+Use the following extension points to expand the built-in functionality of IoT Central:

+- Process your IoT data in other services or applications by using the IoT Central data export capabilities.

+- Trigger business flows and activities by using IoT Central rules.

+- Interact with IoT Central programmatically by using the IoT Central REST APIs.

+## Export data

+To extend IoT Central's built-in rules and analytics capabilities, use the data export capability to continuously stream data from your devices to other services for processing. The data export capability enables extension scenarios such as:

+- Enrich, and transform your IoT data to generate advanced visualizations that provide insights.

+- Extract business metrics and use artificial intelligence and machine learning to derive business insights from your IoT data.

+- Monitoring and diagnostics for millions of connected IoT devices.

+- Combine your IoT data with other business data to build dashboards and reports.

+To learn more, see [IoT Central data integration guide](overview-iot-central-solution-builder.md).

+## Rules

+You can create rules in IoT Central that trigger actions when specified conditions are met. Conditions are evaluated based on data from your connected IoT devices. Actions include sending messages to other cloud services or calling a webhook endpoint. Rules enable extension scenarios such as:

+- Notifying operators in other systems.

+- Starting business processes or flows.

+- Monitoring alerts on a custom dashboard.

+To learn more, see [Configure rules](howto-configure-rules.md).

+## REST API

+The *data plane* REST API lets you manage entities in your IoT Central application programmatically. Entities include devices, users, and roles. The preview data plane REST API lets you query the data from your connected devices and manage a wider selection of entities such as jobs and data exports.

+The *control plane* REST API lets you create and manage IoT Central applications.

+The REST APIs enable extension scenarios such as:

+- Programmatic management of your IoT Central applications.

+- Tight integration with other applications.

+To learn more, see [Manage an IoT Central application with the REST API](/learn/modules/manage-iot-central-apps-with-rest-api/).

+## Next steps

+Now that you've learned about the IoT Central extensibility points, the suggested next step is to review the [IoT Central data integration guide](overview-iot-central-solution-builder.md).

+A device template is a blueprint that defines the characteristics and behaviors of a type of device that connects to an Azure IoT Central application.

+ :::image type="content" source="media/howto-set-up-template/infer-model-3.png" alt-text="Screenshot that shows how to rename the autogenerated device template.":::

+Telemetry is a stream of values sent from the device, typically from a sensor. For example, a sensor might report the ambient temperature as shown in the following screenshot:

+For example, a device can use a writable property to let an operator set the target temperature as shown in the following screenshot:

+You can call device commands from IoT Central. Commands optionally pass parameters to the device and receive a response from the device. For example, you can call a command to reboot a device in 10 seconds as shown in the following screenshot:

+Use customizations when you need to modify an imported component or add IoT Central-specific features to a capability. For example, you can change the display name and units of a property as shown in the following screenshot:

+|Color | IoT Central-specific option. |

+|Min value | Set minimum value - IoT Central-specific option. |

+|Max value | Set maximum value - IoT Central-specific option. |

+|Decimal places | IoT Central-specific option. |

+|Initial value | Commands only IoT Central-specific value - default parameter value. |

+ Title: Azure IoT Central application management guide

+description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions. This guide describes how to manage your IoT Central application. Application management includes users, organization, and security.

+# IoT Central application management guide

+IoT Central application administration includes the following tasks:

+- Manage users and roles in the application.

+- Create and manage organizations.

+- Manage security such as device authentication.

+- Configure application settings.

+- Upgrade applications.

+- Export and share applications.

+- Monitor application health.

+To manage which users see which devices in your IoT Central application, use an _organization_ hierarchy. You define an organization in your application.

+The user's role in application determines their permissions over the devices they can see.

+Devices that connect to your IoT Central application typically use X.509 certificates or shared access signatures (SAS) as credentials. The administrator manages the group certificates or keys that these device credentials are derived from.

+To learn how to monitor your IoT Edge fleet remotely using Azure Monitor and built-in metrics integration, see [Collect and transport metrics](../../iot-edge/how-to-collect-and-transport-metrics.md).

+ Title: Take a tour of the Azure IoT Central API | Microsoft Docs

+description: Become familiar with the key areas of the Azure IoT Central REST API. Use the API to create, manage, and use your IoT solution from client applications.

+# Take a tour of the Azure IoT Central API

+This article introduces you to Azure IoT Central REST API. Use the API to create client applications that can create, manage, and use an IoT Central application and its connected devices. The extensibility surface enabled by the IoT Central REST API lets you integrate IoT insights and device management capabilities into your existing dashboards and business applications.

+The REST API operations are grouped into the:

+- *Data plane* operations that let you work with resources inside IoT Central applications. Data plane operations let you automate tasks that can also be completed using the IoT Central UI. Currently, there are [generally available](/rest/api/iotcentral/1.0dataplane/api-tokens) and [preview](/rest/api/iotcentral/1.1-previewdataplane/api-tokens) versions of the data plane API.

+- *Control plane* operations that let you work with the Azure resources associated with IoT Central applications. Control plane operations let you automate tasks that can also be completed in the Azure portal.

+## Data plane operations

+Version 1.0 of the data plane API lets you manage the following resources in your IoT Central application:

+- API tokens

+- Device templates

+- Devices

+- Roles

+- Users

+The devices API also lets you [query telemetry and property values from your devices](howto-query-with-rest-api.md).

+To get started with the data plane APIs, see [Explore the IoT Central APIs](/learn/modules/manage-iot-central-apps-with-rest-api/).

+## Control plane operations

+Version 2021-06-01 of the control plane API lets you manage the IoT Central applications in your Azure subscription. To learn more, see the [Control plane overview](/rest/api/iotcentral/2021-06-01controlplane/apps).

+## Next steps

+Now that you have an overview of Azure IoT Central and are familiar with the capabilities of the IoT Central REST API, the suggested next step is to complete the [Explore the IoT Central APIs](/learn/modules/manage-iot-central-apps-with-rest-api/) Learn module.

+ Title: Azure IoT Central device connectivity guide | Microsoft Docs

+description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions. This guide describes how to connect IoT devices to your IoT Central application. After a device connects, it uses telemetry to send streaming data and properties to report device state. Iot Central can set device state using writable properties and call commands on a device. This article outlines best practices for device connectivity.

+# IoT Central device connectivity guide

+An IoT Central application lets you monitor and manage millions of devices throughout their life cycle. This guide is for device developers who implement the code to run on devices that connect to IoT Central.

+Devices interact with an IoT Central application by using the following primitives:

+An IoT Edge device connects directly to IoT Central. An IoT Edge device can send its own telemetry, report its properties, and respond to writable property updates and commands. IoT Edge modules process data locally on the IoT Edge device. An IoT Edge device can also act as an intermediary for other devices known as downstream devices. Scenarios that use IoT Edge devices include:

+The connection between a device and your IoT Central application is secured by using either [shared access signatures](./concepts-get-connected.md#sas-group-enrollment) or industry-standard [X.509 certificates](./concepts-get-connected.md#x509-group-enrollment).

+## Connectivity patterns

+Device developers typically use one of the device SDKs to implement devices that connect to an IoT Central application. Some scenarios, such as for devices that can't connect to the internet, also require a gateway. To learn more about the device connectivity options available to device developers, see:

+- [Get connected to Azure IoT Central](concepts-get-connected.md)

+- [Connect Azure IoT Edge devices to an Azure IoT Central application](concepts-iot-edge.md)

+A solution design must take into account the required device connectivity pattern. These patterns fall in to two broad categories. Both categories include devices sending telemetry to your IoT Central application:

+### Persistent connections

+Persistent connections are required your solution needs *command and control* capabilities. In command and control scenarios, the IoT Central application sends commands to devices to control their behavior in near real time. Persistent connections maintain a network connection to the cloud and reconnect whenever there's a disruption. Use either the MQTT or the AMQP protocol for persistent device connections to IoT Central.

+The following options support persistent device connections:

+- Use the IoT device SDKs to connect devices and send telemetry:

+ The device SDKs enable both the MQTT and AMQP protocols for creating persistent connections to IoT Central. To learn more, see [Get connected to Azure IoT Central](concepts-get-connected.md).

+- Connect devices over a local network to an IoT Edge device that forwards telemetry to IoT Central:

+ An IoT Edge device can make a persistent connection to IoT Central. For devices that can't connect to the internet or that require network isolation, use an IoT Edge device as a local gateway. The gateway forwards device telemetry to IoT Central. This option enables command and control of the downstream devices connected to the IoT Edge device.

+ To learn more, see [Connect Azure IoT Edge devices to an Azure IoT Central application](concepts-iot-edge.md).

+- Use IoT Central Device Bridge to connect devices that use a custom protocol:

+ Some devices use a protocol or encoding, such as LWM2M or COAP, that IoT Central doesn't currently support. IoT Central Device Bridge acts as a translator that forwards telemetry to IoT Central. Because the bridge maintains a persistent connection, this option enables command and control of the devices connected to the bridge.

+ To learn more, see the [Azure IoT Central Device Bridge](https://github.com/Azure/iotc-device-bridge) GitHub repository.

+### Ephemeral connections

+Ephemeral connections are brief connections for devices to send telemetry to your IoT Central application. After a device sends the telemetry, it drops the connection. The device reconnects when it has more telemetry to send. Ephemeral connections aren't suitable for command and control scenarios.

+The following options support ephemeral device connections:

+- Connect devices and send telemetry by using HTTP:

+ IoT Central supports device clients that use the HTTP API to send telemetry. To learn more, see the [Send Device Event](/rest/api/iothub/device/send-device-event) API documentation.

+ > [!NOTE]

+ > Use DPS to provision and register your device with IoT Central before you use the HTTP API to send telemetry.

+- Use IoT Central Device Bridge in stateless mode to connect devices:

+

+ Deploy IoT Central Device Bridge as an Azure Function. The function accepts incoming telemetry data as HTTP requests and forwards it to IoT Central. IoT Central Device Bridge integrates with DPS and automatically handles device provisioning for you.

+ To learn more, see [Azure IoT Central Device Bridge](https://github.com/Azure/iotc-device-bridge) GitHub repository.

+- Use IoT Central Device Bridge in stateless mode to connect external clouds:

+

+ Use Azure IoT Central Device Bridge to forward messages to IoT Central from other IoT clouds, such as SigFox, Particle, and The Things Network.

+ To learn more, see [Azure IoT Central Device Bridge](https://github.com/Azure/iotc-device-bridge) GitHub repository.

+### Data transformation and custom computation on ingress

+Some scenarios require device telemetry augmented with data from external systems or stores. Augmenting telemetry before it reaches IoT Central enables features such as dashboards and rules to use the augmented data.

+Some scenarios require you to transform telemetry before it reaches IoT Central. For example, transforming telemetry from legacy formats.

+The following options are available for custom transformations or computations before IoT Central ingests the telemetry:

+- Use IoT Edge:

+

+ Use custom modules in IoT Edge for custom transformations and computations. Use IoT Edge when your devices use the Azure IoT device SDKs.

+- Use IoT Central Device Bridge:

+

+ Use IoT Central Device Bridge adapters for custom transformations and computations.

+To learn more, see [Transform data for IoT Central](howto-transform-data.md).

+To learn more, see [Edit an existing device template](howto-edit-device-template.md).

+A device model is defined by using the [DTDL](https://github.com/Azure/opendigitaltwins-dtdl) modeling language. This language lets you define:

+- Multi-component model. A more complex model that includes two or more components. These components include a single root component, and one or more nested components. For an example, see the [Temperature Controller](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/samples/TemperatureController.json) model.

+## Best practices

+These recommendations show how to implement devices to take advantage of the built-in disaster recovery and automatic scaling in IoT Central.

+The following steps show the high-level flow when a device connects to IoT Central:

+1. Use DPS to provision the device and get a device connection string.

+1. Use the connection string to connect IoT Central's internal IoT Hub endpoint. Send data to and receive data from your IoT Central application.

+1. If the device gets connection failures, then depending on the error type, either retry the connection or reprovision the device.

+### Use DPS to provision the device

+To provision a device with DPS, use the scope ID, credentials, and device ID from your IoT Central application. To learn more about the credential types, see [X.509 group enrollment](concepts-get-connected.md#x509-group-enrollment) and [SAS group enrollment](concepts-get-connected.md#sas-group-enrollment). To learn more about device IDs, see [Device registration](concepts-get-connected.md#device-registration).

+On success, DPS returns a connection string the device can use to connect to your IoT Central application. To troubleshoot provisioning errors, see [Check the provisioning status of your device](troubleshoot-connection.md#check-the-provisioning-status-of-your-device).

+The device can cache the connection string to use for later connections. However, the device must be prepared to [handle connection failures](#handle-connection-failures).

+### Handle connection failures

+For scaling or disaster recovery purposes, IoT Central may update its underlying IoT hub. To maintain connectivity, your device code should handle specific connection errors by establishing a connection to the new IoT Hub endpoint.

+If the device gets any of the following errors when it connects, it should reprovision the device with DPS to get a new connection string. These errors mean the connection string is no longer valid:

+- Unreachable IoT Hub endpoint.

+- Expired security token.

+- Device disabled in IoT Hub.

+If the device gets any of the following errors when it connects, it should use a back-off strategy to retry the connection. These errors mean the connection string is still valid, but transient conditions are stopping the device from connecting:

+- Operator blocked device.

+- Internal error 500 from the service.

+To learn more about device error codes, see [Troubleshooting device connections](troubleshoot-connection.md).

+### Test failover capabilities

+The Azure CLI lets you test the failover capabilities of your device code. The CLI command works by temporarily switching a device registration to a different internal IoT hub. To verify the device failover worked, check that the device still sends telemetry and responds to commands.

+To run the failover test for your device, run the following command:

+```azurecli

+az iot central device manual-failover \

+ --app-id {Application ID of your IoT Central application} \

+ --device-id {Device ID of the device you're testing} \

+ --ttl-minutes {How to wait before moving the device back to it's original IoT hub}

+```

+> [!TIP]

+> To find the **Application ID**, navigate to **Administration > Your application** in your IoT Central application.

+If the command succeeds, you see output that looks like the following:

+```output

+Command group 'iot central device' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

+{

+ "hubIdentifier": "6bd4...bafa",

+ "message": "Success! This device is now being failed over. You can check your device'ΓÇÖ's status using 'iot central device registration-info' command. The device will revert to its original hub at Tue, 18 May 2021 11:03:45 GMT. You can choose to failback earlier using device-manual-failback command. Learn more: https://aka.ms/iotc-device-test"

+}

+```

+To learn more about the CLI command, see [az iot central device manual-failover](/cli/azure/iot/central/device#az_iot_central_device_manual_failover).

+You can now check that telemetry from the device still reaches your IoT Central application.

+> [!TIP]

+> To see sample device code that handles failovers in various programing languages, see [IoT Central high availability clients](/samples/azure-samples/iot-central-high-availability-clients/iotc-high-availability-clients/).

+To learn more about using IoT Central, the suggested next steps are to try the quickstarts, beginning with [Create an Azure IoT Central application](./quick-deploy-iot-central.md).

+ Title: Azure IoT Central device management guide

+description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions. This guide describes how to manage the IoT devices connected to your IoT Central application.

+# IoT Central device management guide

+An IoT Central application lets you monitor and manage millions of devices throughout their life cycle.

+IoT Central lets you complete device management tasks such as:

+- Monitor and manage the devices connected to the application.

+- Troubleshoot and remediate issues with devices.

+- Provision new devices.

+To monitor devices, use the custom device views defined by a solution builder. These views can show device telemetry and property values. An example is the **Overview** view shown in the previous screenshot.

+For more detailed information, use device groups and the built-in analytics features. To learn more, see [How to use analytics to analyze device data](howto-create-analytics.md).

+To manage individual devices, use device views to set device and cloud properties, and call device commands. Examples include the **Manage device** and **Commands** views in the previous screenshot.

+To manage devices in bulk, create and schedule jobs. Jobs can update properties and run commands on multiple devices. To learn more, see [Create and run a job in your Azure IoT Central application](howto-manage-devices-in-bulk.md).

+If your IoT Central application uses *organizations*, an administrator controls which devices you have access to.

+The [troubleshooting guide](troubleshoot-connection.md) helps you to diagnose and remediate common issues. You can use the **Devices** page to block devices that appear to be malfunctioning until the problem is resolved.

+You can add and remove devices in your IoT Central application either individually or in bulk. To learn more, see:

+- [Manage individual devices in your Azure IoT Central application](howto-manage-devices-individually.md).

+- [Manage devices in bulk in your Azure IoT Central application](howto-manage-devices-in-bulk.md).

+Create personal dashboards in an IoT Central application that contain links to the resources you use most often. To learn more, see [Manage dashboards](howto-manage-dashboards.md).

+ Title: Azure IoT Central data integration guide | Microsoft Docs

+description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions. This guide describes how to integrate your IoT Central application with other services to extend its capabilities.

+# IoT Central data integration guide

+Azure IoT Central is an application platform that:

+- Includes rich functionality such as device monitoring and management at scale.

+- Provides many built-in features that help you to reduce the burden and cost of developing an IoT solution.

+- Has extensibility and integration points that let you use its features and capabilities in your wider solution.

+A typical IoT solution:

+- Enables IoT devices to connect to your solution and send it data.

+- Manages and secures the connected devices and their data.

+- Extracts business value from your device data.

+- Is composed of multiple services and applications.

+When you use IoT Central to create an IoT solution, tasks include:

+- Configure data transformations to make it easier to extract business value from your data.

+- Configure dashboards and views in the IoT Central web UI.

+- Use the built-in rules and analytics tools to derive business insights from the connected devices.

+- Use the data export, rules capabilities, and APIs to integrate IoT Central with other services and applications.

+## Transform data at ingress

+Devices may send complex telemetry that needs to be simplified before it's used in IoT Central or exported. In some scenarios, you need to normalize the telemetry from different devices so that you can display and process the telemetry consistently. To learn more, see [Map telemetry on ingress to IoT Central](howto-map-data.md).

+## Extract business value

+IoT Central provides a rich platform to help you extract business value from your IoT data. IoT Central has many built-in features that you can use to gain insights and take action on your IoT data. However, some IoT solution scenarios need more specialized business processes outside of IoT Central to extract value from your IoT data.

+Built-in features of IoT Central you can use to extract business value include:

+- Configure dashboards and views:

+ An IoT Central application can have one or more dashboards that operators use to view and interact with the application. You can customize the default dashboard and create specialized dashboards:

+ - To view some examples of customized dashboards, see [Industry focused templates](../retail/tutorial-in-store-analytics-create-app.md).

+

+ - To learn more about dashboards, see [Create and manage multiple dashboards](howto-manage-dashboards.md) and [Configure the application dashboard](howto-manage-dashboards.md).

+

+ - When a device connects to an IoT Central, the device is associated with a device template for the device type. A device template has customizable views that an operator uses to manage individual devices. You can create and customize the available views for each device type. To learn more, see [Add views](howto-set-up-template.md#views).

+- Use built-in rules and analytics:

+ You can add rules to an IoT Central application that run customizable actions. Rules evaluate conditions, based on data coming from a device, to determine when to run an action. To learn more about rules, see:

+

+ - [Tutorial: Create a rule and set up notifications in your Azure IoT Central application](tutorial-create-telemetry-rules.md)

+ - [Configure rules](howto-configure-rules.md)

+

+ IoT Central has built-in analytics capabilities that an operator can use to analyze the data flowing from the connected devices. To learn more, see [How to use analytics to analyze device data](howto-create-analytics.md).

+Scenarios that process IoT data outside of IoT Central to extract business value include:

+- Compute, enrich, and transform:

+

+ IoT Central lets you capture, transform, manage, and visualize IoT data. Sometimes, it's useful to enrich or transform you IoT data using external data sources. You can then feed the enriched data back into IoT Central.

+ For example, use the IoT Central continuous data export feature to trigger an Azure function. The function enriches captured device telemetry and pushes the enriched data back into IoT Central while preserving timestamps.

+- Extract business metrics and use artificial intelligence (AI) and machine learning (ML):

+

+ Use IoT data to calculate common business metrics such as *overall equipment effectiveness* (OEE) and *overall process effectiveness* (OPE). You can also use IoT data to enrich your existing AI and ML assets. For example, IoT Central can help to capture the data you need to build, train, and deploy your models.

+ Use the IoT Central continuous data export feature to publish captured IoT data into an Azure data lake. Then use a connected to Azure Databricks workspace to compute OEE and OPE. Pipe the same data to Azure ML or Azure Synapse to use their machine learning capabilities.

+- Streaming computation, monitoring, and diagnostics

+ IoT Central provides a scalable and reliable infrastructure to capture streaming data from millions of connected devices. Sometimes, you need to run stream computations over the hot or warm data paths to meet business requirements. You can also merge IoT data with data in external stores such as Azure Data explorer to provide enhanced diagnostics.

+- Analyze and visualize IoT data alongside business data

+ IoT Central provides feature-rich dashboards and visualizations. However, business-specific reports may require you to merge IoT data with existing business data sourced from external systems. Use the IoT Central integration features to extract IoT data from IoT Central. Then merge the IoT data with existing business data to deliver a centralized solution for analyzing and visualizing you business processes.

+ For example, use the IoT Central continuous data export feature to continuously ingest your IoT data into an Azure Synapse store. Then use Azure Data Factory to bring data from external systems into the Azure Synapse store. Use the Azure Synapse store with Power BI to generate your business reports.

+To learn more, see [Transform data for IoT Central](howto-transform-data.md). For a complete, end-to-end sample, see the [IoT Central Compute](https://github.com/iot-for-all/iot-central-compute) GitHub repository.

+You can use the data export and rules capabilities in IoT Central to integrate with other service. To learn more, see:

+## Integrate with companion applications

+IoT Central provides rich operator dashboards and visualizations. However, some IoT solutions must integrate with existing applications, or require new companion applications to expand their capabilities. To integrate with other applications, use IoT Central extensibility points such as the REST API and the continuous data export feature.

+You use data plane REST APIs to access the entities in and the capabilities of your IoT Central application. For example, managing devices, device templates, users, and roles. The IoT Central REST API operations are *data plane* operations. To learn more, see [How to use the IoT Central REST API to manage users and roles](howto-manage-users-roles-with-rest-api.md).

+[Quickly deploy a new IoT Central application](quick-deploy-iot-central.md) and then customize it to your specific requirements. Application templates in Azure IoT Central are a tool to help you kickstart your IoT solution development. You can use app templates for everything from getting a feel for what is possible, to fully customizing your application to resell to your customers.

+Start with a generic _application template_ or with one of the industry-focused application templates:

+- [Retail](../retail/tutorial-in-store-analytics-create-app.md)

+- [Energy](../energy/tutorial-smart-meter-app.md)

+- [Government](../government/tutorial-connected-waste-management.md)

+- [Healthcare](../healthcare/tutorial-continuous-patient-monitoring.md).

+The smart meters not only enable automated billing, but also advanced metering use cases such as real-time readings and bi-directional communication. The smart meter app template enables utilities and partners to monitor smart meters status and data, define alarms and notifications. It provides sample commands, such as disconnect meter and update software. The meter data can be set up to egress to other business applications and to develop custom solutions.

+App's key functionalities:

+- Meter sample device model

+- Meter info and live status

+- Meter readings such as energy, power, and voltages

+- Meter command samples

+- Built-in visualization and dashboards

+- Extensibility for custom solution development

+When you build an IoT solution, Azure IoT Central simplifies the build process and helps to reduce the burden and costs of IoT management, operations, and development. With IoT Central, you can easily connect, monitor, and manage your Internet of Things (IoT) assets at scale. After you connect your smart meters to IoT Central, the app template uses built-in features such as device models, commands, and dashboards. The app template also uses the IoT Central storage for warm path scenarios such as near real-time meter data monitoring, analytics, rules, and visualization.

+After you deploy the application template, it comes with sample smart meter device, device model, and a dashboard.

+Adatum is a fictitious energy company, who monitors and manages smart meters. On the smart meter monitoring dashboard, you see smart meter properties, data, and sample commands. It enables operators and support teams to proactively perform the following activities before it turns into support incidents:

+* Review the latest meter info and its installed [location](../core/howto-use-location-data.md) on the map.

+* Proactively check the meter network and connection status.

+* Monitor Min and Max voltage readings for network health.

+* Review the energy, power, and voltage trends to catch any anomalous patterns.

+* Track the total energy consumption for planning and billing purposes.

+* Command and control operations such as reconnect meter and update firmware version. In the template, the command buttons show the possible functionalities and don't send real commands.

+1. From the left pane, open the **Administration** tab.

+1. Select **Application settings** and then the **Delete** button.

+# Tutorial: Deploy and walk through the solar panel monitoring app template

+The solar panel monitoring app enables utilities and partners to monitor solar panels, such as their energy generation and connection status in near real time. It can send notifications based on defined threshold criteria. It provides sample commands, such as update firmware and other properties. The solar panel data can be set up to egress to other business applications and to develop custom solutions.

+App's key functionalities:

+- Solar panel sample device model

+- Solar Panel info and live status

+- Solar energy generation and other readings

+- Command and control samples

+- Built-in visualization and dashboards

+- Extensibility for custom solution development

+Solar panels are one of the significant sources of renewable energy. Typically, a solar panel uses a gateway to connect to an IoT Central application. You might need to build IoT Central device bridge to connect devices, which can't be connected directly. The IoT Central device bridge is an open-source solution and you can find the complete details [here](../core/howto-build-iotc-device-bridge.md).

+When you build an IoT solution, Azure IoT Central simplifies the build process and helps to reduce the burden and costs of IoT management, operations, and development. With IoT Central, you can easily connect, monitor, and manage your Internet of Things (IoT) assets at scale. After you connect your solar panels to IoT Central, the app template uses built-in features such as device models, commands, and dashboards. The app template also uses the IoT Central storage for warm path scenarios such as near real-time meter data monitoring, analytics, rules, and visualization.

+Connected Waste Management app is an IoT Central app template to help you kickstart your IoT solution development to enable smart cities to remotely monitor to maximize efficient waste collection.

+Try to customize the following features:

+Traditional water consumption tracking relies on water operators manually reading water consumption meters at the meter sites. More cities are replacing traditional meters with advanced smart meters enabling remote monitoring of consumption and remotely controlling valves to control water flow. Water consumption monitoring coupled with digital feedback message to the citizen can increase awareness and reduce water consumption.

+The water consumption monitoring app is an IoT Central app template to help you kickstart your IoT solution development to enable water utilities and cities to remotely monitor and control water flow to reduce consumption.

+When you build an IoT solution, Azure IoT Central simplifies the build process and helps to reduce the burden and costs of IoT management, operations, and development. You can brand, customize, and integrate your solution with third-party services.

+As an administrator, you can change several settings to customize the user experience in your application.

+description: This tutorial shows you how to deploy and use the water quality monitoring application template for IoT Central.

+Traditional water quality monitoring relies on manual sampling techniques and field laboratory analysis, which is time consuming and costly. By remotely monitoring water quality in real-time, water quality issues can be managed before citizens are affected. Moreover, with advanced analytics, water utilities, and environmental agencies can act on early warnings on potential water quality issues and plan on water treatment in advance.

+The water quality monitoring app is an IoT Central app template to help you kickstart your IoT solution development and enable water utilities to digitally monitor water quality in smart cities.

+Use the IoT Central *water quality monitoring* application template and the guidance in this article to develop an end-to-end water quality monitoring solution.

+When you build an IoT solution, Azure IoT Central simplifies the build process and helps to reduce the burden and costs of IoT management, operations, and development. You can brand, customize, and integrate your solution with third-party services.

+1. To add a new cloud property, select **+ Add Cloud Property**. In Azure IoT Central, you can add a property that is relevant to a device but that doesn't come from the device. One example of such a property is an alert threshold specific to installation area, asset information, or maintenance information.

+In the healthcare IoT space, Continuous Patient Monitoring is one of the key enablers of reducing the risk of readmissions, managing chronic diseases more effectively, and improving patient outcomes. Continuous Patient Monitoring can be split into two major categories:

+1. **In-patient monitoring**: Using medical wearables and other devices in the hospital, care teams can monitor patient vital signs and medical conditions without having to send a nurse to check up on a patient multiple times a day. Care teams can understand the moment that a patient needs critical attention through notifications and prioritizes their time effectively.

+1. **Remote patient monitoring**: By using medical wearables and patient reported outcomes (PROs) to monitor patients outside of the hospital, the risk of readmission can be lowered. Data from chronic disease patients and rehabilitation patients can be collected to ensure that patients are adhering to care plans and that alerts of patient deterioration can be surfaced to care teams before they become critical.

+This application template can be used to build solutions for both categories of Continuous Patient Monitoring. The benefits include:

+- Seamlessly connect different kinds of medical wearables to an IoT Central instance.

+- Monitor and manage the devices to ensure they remain healthy.

+- Create custom rules around device data to trigger appropriate alerts.

+- Export your patient health data to the Azure API for FHIR, a compliant data store.

+- Export the aggregated insights into existing or new business applications.

+For many retailers, environmental conditions within their stores are a key differentiator from their competitors. Retailers want to maintain pleasant conditions within their stores for the benefit of their customers.

+You can use the IoT Central in-store analytics condition monitoring application template to build an end-to-end solution. The application template lets you digitally connect to and monitor a retail store environment using of different kinds of sensor devices. These sensor devices generate telemetry that you can convert into business insights to help the retailer reduce operating costs and create a great experience for their customers.

+Use the application template to:

+- Connect different kinds of IoT sensors to an IoT Central application instance.

+- Monitor and manage the health of the sensor network and any gateway devices in the environment.

+- Create custom rules around the environmental conditions within a store to trigger alerts for store managers.

+- Transform the environmental conditions within your store into insights that the retail store team can use to improve the customer experience.

+- Export the aggregated insights into existing or new business applications to provide useful and timely information to retail staff.

+The application template comes with a set of device templates and uses a set of simulated devices to populate the dashboard.

+Global logistics spending is expected to reach $10.6 trillion in 2020. Transportation of goods accounts for most of this spending and shipping providers are under intense competitive pressure and constraints.

+You can use IoT sensors to collect and monitor ambient conditions such as temperature, humidity, tilt, shock, light, and the location of a shipment. You can combine telemetry gathered from IoT sensors and devices with other data sources such as weather and traffic information in cloud-based business intelligence systems.

+The benefits of a connected logistics solution include:

+- Shipment monitoring with real-time tracing and tracking.

+- Shipment integrity with real-time ambient condition monitoring.

+- Security from theft, loss, or damage of shipments.

+- Geo-fencing, route optimization, fleet management, and vehicle analytics.

+- Forecasting for predictable departure and arrival of shipments.

+As manufacturers and retailers establish worldwide presences, their supply chains branch out and become more complex. Consumers now expect large selections of products to be available, and for those goods to arrive within one or two days of purchase. Distribution centers must adapt to these trends while overcoming existing inefficiencies.

+Today, reliance on manual labor means that picking and packing accounts for 55-65% of distribution center costs. Manual picking and packing are also typically slower than automated systems, and rapidly fluctuating staffing needs make it even harder to meet shipping volumes. This seasonal fluctuation results in high staff turnover and increase the likelihood of costly errors.

+Solutions based on IoT enabled cameras can deliver transformational benefits by enabling a digital feedback loop. Data from across the distribution center leads to actionable insights that, in turn, results in better data.

+The benefits of a digital distribution center include:

+- Cameras monitor goods as they arrive and move through the conveyor system.

+- Automatic identification of faulty goods.

+- Efficient order tracking.

+- Reduced costs, improved productivity, and optimized usage.

+1. Set of IoT sensors sending telemetry data to a gateway device.

+2. Gateway devices sending telemetry and aggregated insights to IoT Central.

+3. Data is routed to the desired Azure service for manipulation.

+4. Azure services like ASA or Azure Functions can be used to reformat data streams and send to the desired storage accounts.

+5. Processed data is stored in hot storage for near real-time actions or cold storage for more insight enhancements that is based on ML or batch analysis.

+6. Logic Apps can be used to power various business workflows in end-user business applications.

+Azure IoT Central is a solution development platform that simplifies IoT device and Azure IoT Edge gateway connectivity, configuration, and management. The platform significantly reduces the burden and costs of IoT device management, operations, and related developments. Customers and partners can build an end-to-end enterprise solutions to achieve a digital feedback loop in distribution centers.

+In this dashboard, you'll see one gateway and one camera acting as an IoT device. Gateway is providing telemetry about packages such as valid, invalid, unidentified, and size along with associated device twin properties. All downstream commands are executed at IoT devices, such as a camera. This dashboard is pre-configured to showcase the critical distribution center device operations activity.

+The dashboard is logically organized to show the device management capabilities of the Azure IoT gateway and IoT device. You can:

+* Complete gateway command and control tasks.

+* Manage all the cameras in the solution.

+Click on the Device templates tab, and you'll see the gateway capability model. A capability model is structured around two different interfaces **Camera** and **Digital Distribution Gateway**

+**Too many invalid packages alert** - This rule is triggered when the camera detects a high number of invalid packages flowing through the conveyor system.

+**Large package** - This rule will trigger if the camera detects huge package that can't be inspected for the quality.

+Inventory is the stock of goods a retailer holds. Inventory management is critical to ensure the right product is in the right place at the right time. A retailer must balance the costs of storing too much inventory against the costs of not having sufficient items in stock to meet demand.

+IoT data generated from radio-frequency identification (RFID) tags, beacons, and cameras provide opportunities to improve inventory management processes. You can combine telemetry gathered from IoT sensors and devices with other data sources such as weather and traffic information in cloud-based business intelligence systems.

+The benefits of smart inventory management include:

+- Reducing the risk of items being out of stock and ensuring the desired customer service level.

+- In-depth analysis and insights into inventory accuracy in near real time.

+- Tools to help decide on the right amount of inventory to hold to meet customer orders.

+This application template focuses on device connectivity, and the configuration and management of RFID and Bluetooth low energy (BLE) reader devices.

+1. Set of IoT sensors sending telemetry data to a gateway device.

+2. Gateway devices sending telemetry and aggregated insights to IoT Central.

+3. Data is routed to the desired Azure service for manipulation.

+4. Azure services like ASA or Azure Functions can be used to reformat data streams and send to the desired storage accounts.

+5. Processed data is stored in hot storage for near real-time actions or cold storage for additional insight enhancements that is based on ML or batch analysis.

+6. Logic Apps can be used to power various business workflows in end-user business applications.

+### RFID and BLE readers

+BLE reader also known as Access Points (AP) are similar to RFID reader. It's used to detect nearby Bluetooth signals and relay its message to local Azure IoT Edge or cloud using JSON-RPC 2.0 over MQTT.

+Azure IoT Central is a solution development platform that simplifies IoT device connectivity, configuration, and management. The platform significantly reduces the burden and costs of IoT device management, operations, and related developments. Customers and partners can build an end-to-end enterprise solutions to achieve a digital feedback loop in inventory management.

+### Business insights and actions using data egress

+IoT Central platform provides rich extensibility options through Continuous Data Export (CDE) and APIs. Business insights based on telemetry data processing or raw telemetry are typically exported to a preferred line-of-business application. It can be achieved using webhook, service bus, event hub, or blob storage to build, train, and deploy machine learning models and further enrich insights.

+* No specific pre-requisites required to deploy this app.

+* Recommended to have Azure subscription, but you can even try without it.

+ :::image type="content" source="media/tutorial-iot-central-smart-inventory-management/iotc-retail-home-page.png" alt-text="Screenshot showing how to create an app from the smart inventory management application template":::

+After successfully deploying the app template, your default dashboard is a smart inventory management operator focused portal. Northwind Trader is a fictitious smart inventory provider managing warehouse with Bluetooth low energy (BLE) and retail store with Radio-frequency identification (RFID). In this dashboard, you'll see two different gateways providing telemetry about inventory along with associated commands, jobs, and actions that you can perform.

+The dashboard is logically divided between two different gateway device management operations:

+* The warehouse is deployed with a fixed BLE gateway and BLE tags on pallets to track and trace inventory at a larger facility.

+* Retail store is implemented with a fixed RFID gateway and RFID tags at individual an item level to track and trace the stock in a store outlet.

+* View the gateway [location](../core/howto-use-location-data.md), status and related details.

+ :::image type="content" source="media/tutorial-iot-central-smart-inventory-management/smart-inventory-management-dashboard-1.png" alt-text="Screenshot showing the top half of the smart inventory management dashboard.":::

+* You can easily track the total number of gateways, active, and unknown tags.

+* You can perform device management operations such as update firmware, disable sensor, enable sensor, update sensor threshold, update telemetry intervals and update device service contracts.

+* Gateway devices can perform on-demand inventory management with a complete or incremental scan.

+ :::image type="content" source="media/tutorial-iot-central-smart-inventory-management/smart-inventory-management-dashboard-2.png" alt-text="Screenshot showing the bottom half of the smart inventory management dashboard.":::

+Click on the Device templates tab, and you'll see the gateway capability model. A capability model is structured around two different interfaces **Gateway Telemetry and Property** and **Gateway Commands**

+**Gateway Telemetry and Property** - This interface represents all the telemetry related to sensors, location, device info, and device twin property capability such as gateway thresholds and update intervals.

+**Unknown tags**: It's critical to track every RFID and BLE tags associated with an asset. If the gateway is detecting too many unknown tags, it's an indication of synchronization challenges with tag sourcing applications.

+In the increasingly competitive retail landscape, retailers constantly face pressure to close the gap between demand and fulfillment. A new trend that has emerged to address the growing consumer demand is to house inventory near the end customers and the stores they visit.

+The IoT Central micro-fulfillment center application template enables you to monitor and manage all aspects of your fully automated fulfillment centers. The template includes a set of simulated condition monitoring sensors and robotic carriers to accelerate the solution development process. These sensor devices capture meaningful signals that can be converted into business insights allowing retailers to reduce their operating costs and create experiences for their customers.

+The application template enables you to:

+- Seamlessly connect different kinds of IoT sensors such as robots or condition monitoring sensors to an IoT Central application instance.

+- Monitor and manage the health of the sensor network, and any gateway devices in the environment.

+- Create custom rules around the environmental conditions within a fulfillment center to trigger appropriate alerts.

+- Transform the environmental conditions within your fulfillment center into insights that the retail warehouse team can use.

+- Export the aggregated insights into existing or new business applications for the benefit of the retail staff members.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the navigation bar and then select the **Retail** tab:

+ :::image type="content" source="media/tutorial-micro-fulfillment-center-app/iotc-retail-homepage-mfc.png" alt-text="Screenshot showing how to create an app.":::

+* See device telemetry, such as the number of picks, the number of orders processed, and properties, such as the structure system status.

+* View the floor plan and location of the robotic carriers within the fulfillment structure.

+* Trigger commands, such as resetting the control system, updating the carrier's firmware, and reconfiguring the network.

+ :::image type="content" source="media/tutorial-micro-fulfillment-center-app/mfc-dashboard-1.png" alt-text="Screenshot of the top half of the Northwind Traders micro-fulfillment center dashboard.":::

+* See an example of the dashboard that an operator can use to monitor conditions within the fulfillment center.

+* Monitor the health of the payloads that are running on the gateway device within the fulfillment center.

+If you select the device templates tab, you see that there are two different device types that are part of the template:

+* **Robotic Carrier**: This device template represents the definition for a functioning robotic carrier that has been deployed in the fulfillment structure, and is performing appropriate storage and retrieval operations. If you select the template, you see that the robot is sending device data, such as temperature and axis position, and properties like the robotic carrier status.

+* **Structure Condition Monitoring**: This device template represents a device collection that allows you to monitor environment condition, as well as the gateway device hosting various edge workloads to power your fulfillment center. The device sends telemetry data, such as the temperature, the number of picks, and the number of orders. It also sends information about the state and health of the compute workloads running in your environment.

+| `edgeAgent_metadata` | `edge_agent_version`, `experimental_features`, `host_information` | Type: gauge<br> General metadata about the device. The value is always 0, information is encoded in the tags. Note `experimental_features` and `host_information` are json objects. `host_information` looks like ```{"OperatingSystemType": "linux", "Architecture": "x86_64", "Version": "1.2.7", "Provisioning": {"Type": "dps.tpm", "DynamicReprovisioning": false, "AlwaysReprovisionOnStartup": false}, "ServerVersion": "20.10.11+azure-3", "KernelVersion": "5.11.0-1027-azure", "OperatingSystem": "Ubuntu 20.04.4 LTS", "NumCpus": 2, "Virtualized": "yes"}```. Note `ServerVersion` is the Docker version and `Version` is the IoT Edge security daemon version. |

+# Add custom metrics

+# Collect and transport metrics

+# Get notified about issues using alerts

+Enhance your monitoring solution with [metrics from custom modules](how-to-add-custom-metrics.md).

+IoT Edge supports X64, ARM32, and ARM64 Linux devices. Microsoft provides official installation packages for Ubuntu and Raspberry Pi OS Stretch operating systems.

+# Explore curated visualizations

+Customize your monitoring solution with [alert rules](how-to-create-alerts.md) and [metrics from custom modules](how-to-add-custom-metrics.md).

+description: Azure IoT Edge setup instructions for Ubuntu LTS Virtual Machines

+This article lists the steps to deploy an Ubuntu 18.04 LTS virtual machine with the Azure IoT Edge runtime installed and configured using a pre-supplied device connection string. The deployment is accomplished using a [cloud-init](../virtual-machines/linux/using-cloud-init.md) based [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) maintained in the [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/master) project repository.

+This article lists the steps to deploy an Ubuntu 20.04 LTS virtual machine with the Azure IoT Edge runtime installed and configured using a pre-supplied device connection string. The deployment is accomplished using a [cloud-init](../virtual-machines/linux/using-cloud-init.md) based [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) maintained in the [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.2) project repository.

+On first boot, the virtual machine [installs the latest version of the Azure IoT Edge runtime via cloud-init](https://github.com/Azure/iotedge-vm-deploy/blob/master/cloud-init.txt). It also sets a supplied connection string before the runtime starts, allowing you to easily configure and connect the IoT Edge device without the need to start an SSH or remote desktop session.

+ :::moniker range=">=iotedge-2020-11"

+ :::moniker range="iotedge-2018-06"

+ > [](./media/how-to-install-iot-edge-ubuntuvm/iotedge-vm-deploy.png)

+ :::moniker-end

+ :::moniker range=">=iotedge-2020-11"

+ > [](./media/how-to-install-iot-edge-ubuntuvm/iotedge-vm-deploy-ubuntu2004.png)

+ :::moniker-end

+ | Field | Description |

+ | | -- |

+ | **Subscription** | The active Azure subscription to deploy the virtual machine into. |

+ | **Resource group** | An existing or newly created Resource Group to contain the virtual machine and it's associated resources. |

+ | **Region** | The [geographic region](https://azure.microsoft.com/global-infrastructure/locations/) to deploy the virtual machine into, this value defaults to the location of the selected Resource Group. |

+ | **DNS Label Prefix** | A required value of your choosing that is used to prefix the hostname of the virtual machine. |

+ | **Admin Username** | A username, which will be provided root privileges on deployment. |

+ | **Device Connection String** | A [device connection string](./how-to-provision-single-device-linux-symmetric.md#view-registered-devices-and-retrieve-provisioning-information) for a device that was created within your intended [IoT Hub](../iot-hub/about-iot-hub.md). |

+ | **VM Size** | The [size](../cloud-services/cloud-services-sizes-specs.md) of the virtual machine to be deployed. |

+ | **Ubuntu OS Version** | The version of the Ubuntu OS to be installed on the base virtual machine. |

+ | **Authentication Type** | Choose **sshPublicKey** or **password** depending on your preference. |

+ | **Admin Password or Key** | The value of the SSH Public Key or the value of the password depending on the choice of Authentication Type. |

+ When all fields have been filled in, click the button at the bottom to move to `Next : Review + create` where you can review the terms and click **Create** to begin the deployment.

+ :::moniker range=">=iotedge-2020-11"

+If you'd like to open up ports to access the VM through SSH or other inbound connections, refer to the Azure Virtual Machines documentation on [opening up ports and endpoints to a Linux VM](../virtual-machines/linux/nsg-quickstart.md)

+1. Download a disk image file to use for your VM and save it locally. For example, [Ubuntu Server 20.04](http://releases.ubuntu.com/20.04/). For information about supported operating systems for IoT Edge devices, see [Azure IoT Edge supported systems](./support.md).

+<!-- Device requirements H3 and content -->

+<!-- Device requirements prerequisites H3 and content -->

+ > [!NOTE]

+ > For instructions to get the latest repository configuration from Microsoft see the preliminary steps to [Install IoT Edge](how-to-provision-single-device-linux-symmetric.md#install-iot-edge).

+1. Update apt.

+1. Uninstall the previous version of IoT Edge, leaving your configuration files in place.

+1. Install the most recent version of IoT Edge, along with the IoT identity service.

+1. Import your old config.yaml file into its new format, and apply the configuration info.

+| Ubuntu Server 20.04 |  | |  |

+| Ubuntu Server 18.04 |  | |  |

+| Ubuntu Server 20.04 |  | |  |

+| Ubuntu Server 18.04 |  | |  |

+| [Ubuntu 18.04 ¹](https://wiki.ubuntu.com/BionicBeaver/ReleaseNotes) | |  | |

+| [Ubuntu 20.04 ¹](https://wiki.ubuntu.com/FocalFossa/ReleaseNotes) | |  | |

+¹ Installation packages are made available on the [Azure IoT Edge releases](https://github.com/Azure/azure-iotedge/releases). See the installation steps in [Offline or specific version installation](how-to-provision-single-device-linux-symmetric.md#offline-or-specific-version-installation-optional).

+| **1.2** | 1.2.0<br>1.2.1<br>1.2.3<br>1.2.4<br>1.2.5<br><br>1.2.7 | 1.2.0<br>1.2.1<br>1.2.3<br>1.2.4<br>1.2.5<br>1.2.6<br>1.2.7 | 1.2.0<br>1.2.1<br>1.2.3<br>1.2.4<br>1.2.5<br> |

+# Integrating Key Vault with Integrated Certificate Authorities

+Azure Key Vault has a trusted partnership with the following Certificate Authorities:

+- [DigiCert](https://www.digicert.com/)

+- [GlobalSign](https://www.globalsign.com/en)

+Azure Key Vault users can generate DigiCert/GlobalSign certificates directly from their key vaults. Key Vault's partnership ensures end-to-end certificate lifecycle management for certificates issued by DigiCert.

+#### DigiCert

+- Account ID

+- Account Password

+#### GlobalSign

+Make sure you have the following information from your Global Sign account:

+- Account ID

+- Account Password

+- First Name of Administrator

+- Last Name of Administrator

+- E-mail of Administrator

+- Phone Number of Administrator

+### Azure portal (DigiCert)

+### Azure portal (GlobalSign)

+1. To add DigiCert certificate authority, go to the key vault you want to add it to.

+2. On the Key Vault property page, select **Certificates**.

+3. Select the **Certificate Authorities** tab:

+4. Select **Add**:

+5. Under **Create a certificate authority**, enter these values:

+ - **Name**: An identifiable issuer name. For example, **GlobalSignCA**.

+ - **Provider**: **GlobalSign**.

+ - **Account ID**: Your GlobalSign account ID.

+ - **Account Password**: Your GlobalSign account password.

+ - **First Name of Administrator**: The first name of administrator of the Global Sign account.

+ - **Last Name of Administrator**: The last name of administrator of the Global Sign account.

+ - **E-mail of Administrator**: The email of administrator of the Global Sign account.

+ - **Phone number of Administrator**: The phone number of administrator of the Global Sign account.

+1. Select **Create**.

+

+GlobalSignCA is now in the certificate authority list.

+| 2 | Associating a NAT gateway to the subnet | Dynamic, explicit | Yes | Best |

+

+After the workspace is provisioned, you can also automate many Machine Learning Studio (classic) tasks using the [PowerShell Module for Machine Learning Studio (classic)](/previous-versions/azure/machine-learning/classic/powershell-module).

+<!--Link references-->

+> Configuring Data-in replication for zone-redundant high availability servers is not supported.

+Configuring Data-in replication for zone-redundant high availability servers isn't supported. On servers were HA is enabled, the stored procedures for replication `mysql.az_replication_*` won't be available. You can't use HA servers as source server when you use binary log files position-based replication.

+Modifying the parameter `replicate_wild_ignore_table` used to create replication filter for tables, is currently not supported for Azure Database for MySQL -Flexible server.

+- Binary log files on the source server shouldn't be purged before the replica applies those changes. If the source is Azure Database for MySQL refer how to configure binlog_expire_logs_seconds for [Flexible server](./concepts-server-parameters.md#binlog_expire_logs_seconds) or [Single server](../concepts-server-parameters.md#binlog_expire_logs_seconds)

+- In case of private access ensure that the source server name can be resolved and is accessible from the VNet where the Azure Database for MySQL instance is running.For more details see, [Name resolution for resources in Azure virtual networks](../../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md)

+# Azure Database for MySQL - Flexible Server

+Azure Database for MySQL Flexible Server is a fully managed production-ready database service designed for more granular control and flexibility over database management functions and configuration settings. The flexible server architecture allows users to opt for high availability within single availability zone and across multiple availability zones. Flexible servers provide better cost optimization controls with the ability to stop/start server and burstable compute tier, ideal for workloads that donΓÇÖt need full-compute capacity continuously. Flexible Server also supports reserved instances allowing you to save up to 63% cost, ideal for production workloads with predictable compute capacity requirements. The service supports community version of MySQL 5.7 and 8.0. The service is generally available today in wide variety of [Azure regions](overview.md#azure-regions).

+- Ease of deployments, simplified scaling, and low database management overhead for functions like backups, high availability, security, and monitoring

+- Production workloads with same-zone, zone-redundant high availability and managed maintenance windows

+- Enterprise grade security, compliance, and privacy

+Azure Database for MySQL Flexible Server allows configuring high availability with automatic failover. The high availability solution is designed to ensure that committed data is never lost due to failures, and improve overall uptime for your application. When high availability is configured, flexible server automatically provisions and manages a standby replica. There are two high availability-architectural models:

+The flexible server service is available in three SKU tiers: Burstable, General Purpose, and Memory Optimized. The Burstable tier is best suited for low-cost development and low concurrency workloads that don't need full-compute capacity continuously. The General Purpose and Memory Optimized are better suited for production workloads requiring high concurrency, scale, and predictable performance. You can build your first app on a small database for a few dollars a month, and then seamlessly adjust the scale to meet the needs of your solution. The storage scaling is online and supports storage autogrowth. Flexible Server enables you to provision additional IOPS up to 20 K IOPs above the complimentary IOPS limit independent of storage. Using this feature, you can increase or decrease the number of IOPS provisioned based on your workload requirements at any time. Dynamic scalability enables your database to transparently respond to rapidly changing resource requirements. You only pay for the resources you consume.

+The flexible server service allows you to stop and start server on-demand to optimize cost. The compute tier billing is stopped immediately when the server is stopped. This can allow you to have significant cost savings during development, testing and for time-bound predictable production workloads. The server remains in stopped state for 30 days unless restarted sooner.

+## Enterprise grade security, compliance, and privacy

+Flexible Server allows full-private access to the servers using [Azure virtual network](../../virtual-network/virtual-networks-overview.md) (VNet) integration. Servers in Azure virtual network can only be reached and connected through private IP addresses. With VNet integration, public access is denied and servers canΓÇÖt be reached using public endpoints.

+In addition, you can use and integrate with community monitoring tools like [Percona Monitoring and Management with your MySQL Flexible Server](https://techcommunity.microsoft.com/t5/azure-database-for-mysql/monitor-azure-database-for-mysql-using-percona-monitoring-and/ba-p/2568545).

+* Using Azure Data Migration Service when network bandwidth between source and Azure is good (for example: High-speed ExpressRoute). Learn more with step-by-step instructions - [Migrate MySQL to Azure Database for MySQL offline using DMS - Azure Database Migration Service](../../dms/tutorial-mysql-azure-mysql-offline-portal.md)

+* Use mydumper/myloader to take advantage of compression settings to efficiently move data over low speed networks (such as public internet). Learn more with step-by-step instructions [Migrate large databases to Azure Database for MySQL using mydumper/myloader](../../mysql/concepts-migrate-mydumper-myloader.md)

+Use data-in replication with mydumper/myloader consistent backup/restore for initial seeding. Learn more with step-by-step instructions - [Tutorial: Minimal Downtime Migration of Azure Database for MySQL ΓÇô Single Server to Azure Database for MySQL ΓÇô Flexible Server](../../mysql/howto-migrate-single-flexible-minimum-downtime.md)

+To migrate from Azure Database for MySQL - Single Server to Flexible Server in five easy steps, refer to [this blog](https://techcommunity.microsoft.com/t5/azure-database-for-mysql/migrate-from-azure-database-for-mysql-single-server-to-flexible/ba-p/2674057).

+| China East 2 | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |

+| China North 2 | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |

+Now that you've read an introduction to Azure Database for MySQL - Single-Server deployment mode, you're ready to:

+# What's new in Azure Database for MySQL - Flexible Server?

+This release of Azure Database for MySQL - Flexible Server includes the following updates.

+ Operations on servers that are in a [Stop](concept-servers.md#stopstart-an-azure-database-for-mysql-flexible-server) state are disabled and show as inactive in the Azure portal. Operations that aren't supported on stopped servers include changing the pricing tier, number of vCores, storage size or IOPS, backup retention day, server tag, the server password, server parameters, storage autogrow, GEO backup, HA, and user identity.

+- **Availability in three additional Azure regions**

+ The public preview of Azure Database for MySQL - Flexible Server is now available in the following Azure regions:

+ - China East 2

+ - China North 2

+ When you're using ARM templates for provisioning or configuration changes for HA enabled servers, if a single deployment is made to enable/disable HA and along with other server properties like backup redundancy, storage etc. then deployment would fail. You can mitigate it by submitting the deployment request separately for to enable\disable and configuration changes. You wouldnΓÇÖt have issue with Portal or Azure CLI as these are request already separated.

+ A dedicated Backup and Restore blade is now available in the Azure portal. This blade lists the backups available within the serverΓÇÖs retention period, effectively providing you with single pane view for managing a serverΓÇÖs backups and consequent restores. You can use this blade to

+ 1) View the completion timestamps for all available full backups within the serverΓÇÖs retention period

+ With the fastest restore point option, you can restore a Flexible Server instance in the fastest time possible on a given day within the serverΓÇÖs retention period. This restore operation will simply restore the full snapshot backup without requiring restore or recovery of logs. With fastest restore point, customers will see three options while performing point in time restores from Azure portal viz latest restore point, custom restore point and fastest restore point. [Learn more](concepts-backup-restore.md#point-in-time-restore)

+ The service now allows you to recover a deleted MySQL flexible server resource within five days from the time of server deletion. For a detailed guide on how to restore a deleted server, [refer documented steps](../flexible-server/how-to-restore-dropped-server.md). To protect server resources post deployment from accidental deletion or unexpected changes, we recommend administrators to leverage [management locks](../../azure-resource-manager/management/lock-resources.md).

+ On servers where we have HA and Geo-redundant backup option enabled, we found a rare issue encountered by a race condition, which blocks the restart of the standby server to finish. As a result of this issue, when you fail over the HA enabled Azure database for MySQL - Flexible server MySQL Instance may get stuck in restarting state for a long time. The fix will be deployed to the production in the next deployment cycle.

+ When creating Read replica, you have an option to select the Availability Zones location of your choice. An Availability Zone is a high availability offering that protects your applications and data from datacenter failures. Availability Zones are unique physical locations within an Azure region. [Learn more](../flexible-server/concepts-read-replicas.md).

+ You wonΓÇÖt be able to create new or maintain existing read replicas on the Burstable tier server. In the interest of providing a good query and development experience for Burstable SKU tiers, the support for creating and maintaining read replica for servers in the Burstable pricing tier will be discontinued.

+ If you have an existing Azure Database for MySQL - Flexible Server with read replica enabled, youΓÇÖll have to scale up your server to either General Purpose or Memory Optimized pricing tiers or delete the read replica within 60 days. After the 60-day period, while you can continue to use the primary server for your read-write operations, replication to read replica servers will be stopped. For newly created servers, read replica option will be available only for the General Purpose and Memory Optimized pricing tiers.

+ Azure Database for MySQL Flexible Server now gives you the ability to Stop the server for up to 30 days when not in use and Start the server within this time when youΓÇÖre ready to resume your development. This enables you to develop at your own pace and save development costs on the database servers by paying for the resources only when they are in use. This is important for dev-test workloads and when youΓÇÖre only using the server for part of the day. When you stop the server, all active connections will be dropped. When the server is in the Stopped state, the server's compute isnΓÇÖt billed. However, storage continues to be billed as the server's storage remains to ensure that data files are available when the server is started again. [Learn more](concept-servers.md#stopstart-an-azure-database-for-mysql-flexible-server)

+ - [innodb_log_file_size](https://dev.mysql.com/doc/refman/8.0/en/innodb-parameters.html#sysvar_innodb_log_file_size) can now be configured to any of these values: 256 MB, 512 MB, 1 GB, or 2 GB. Because it's a static parameter, it will require a server restart. If youΓÇÖve changed the parameter innodb_log_file_size from default, check if the value of "show global status like 'innodb_buffer_pool_pages_dirty'" stays at 0 for 30 seconds to avoid restart delay. See [Server parameters in Azure Database for MySQL](./concepts-server-parameters.md) to learn more.

+ - US West 3

+ - North Central US

+ - When a primary Azure region is down, one canΓÇÖt create geo-redundant servers in its geo-paired region as storage canΓÇÖt be provisioned in the primary Azure region. One must wait for the primary region to be up to provision geo-redundant servers in the geo-paired region.

+ - After successfully scaling Compute in the Compute+Storage blade, IOPS are reset to the SKU default. Customers can work around the issue by rescaling IOPs in the Compute+Storage blade to desired value (previously set) post the compute deployment and consequent IOPS reset.

+ Azure Database for MySQL - Flexible Server now offers zone-redundant high availability in two additional regions: UK South and Japan East. [Learn more](overview.md#azure-regions).

+ - SSL\TLS 1.2 is enforced and canΓÇÖt be disabled. (No workarounds)

+ The performance of Azure Database for MySQL ΓÇô Flexible Server degrades with private access-virtual network isolation (No workaround).

+> [!NOTE]

+> Currently, outbound connections from Azure Database for PostgreSQL via foreign data wrapper extensions such as postgres_fdw are not supported, except for connections to other Azure Database for PostgreSQL servers in the same Azure region.

+## Private DNS zone group

+If you choose to integrate your private endpoint with a private DNS zone, a private DNS zone group is also created. The DNS zone group is a strong association between the private DNS zone and the private endpoint that helps auto-updating the private DNS zone when there is an update on the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated.

+Previously, the DNS records for the private endpoint were created via scripting (retrieving certain information about the private endpoint and then adding it on the DNS zone). With the DNS zone group, there is no need to write any additional CLI/Powershell lines for every DNS zone. Also, when you delete the private endpoint, all the DNS records within the DNS zone group will be deleted as well.

+A common scenario for DNS zone group is in a hub-and-spoke topology, where it allows the private DNS zones to be created only once in the hub and allows the spokes to register to it, rather than creating differents zones in each spoke.

+> [!NOTE]

+> Each DNS zone group can support up to 5 DNS zones.

+> [!NOTE]

+> Adding multiple DNS zone groups to a single Private Endpoint is not supported.

+ - Review the **tactics and techniques** in your analytics rule details. The Fusion ML algorithm uses [MITRE ATT&CK](https://attack.mitre.org/) information for detecting multi-stage attacks, and the tactics and techniques you label the analytics rules with will show up in the resulting incidents. Fusion calculations may be affected if incoming alerts are missing tactic information.

+ Check the "Number of Messages Received" and "Number of Messages Deleted" widgets in the queue dashboard. If there are no notifications under messages deleted," then check health messages. It's possible that some permissions are missing. Check your IAM configurations.

+For more information, see [Monitor the health of your data connectors](monitor-data-connector-health.md).

+ Title: Create a codeless connector for Microsoft Sentinel

+description: Learn how to create a codeless connector in Microsoft Sentinel using the Codeless Connector Platform (CCP).

+# Create a codeless connector for Microsoft Sentinel (Public preview)

+> [!IMPORTANT]

+> The Codeless Connector Platform (CCP) is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+The Codeless Connector Platform (CCP) provides partners, advanced users, and developers with the ability to create custom connectors, connect them, and ingest data to Microsoft Sentinel. Connectors created via the CCP can be deployed via API, an ARM template, or as a solution in the Microsoft Sentinel [content hub](sentinel-solutions.md).

+Connectors created using CCP are fully SaaS, without any requirements for service installations, and also include [health monitoring](monitor-data-connector-health.md) and full support from Microsoft Sentinel.

+Create your data connector by defining a JSON configuration file, with settings for how the data connector page in Microsoft Sentinel looks and works and polling settings that define how the connection works between Microsoft Sentinel and your data source.

+**Use the following steps to create your CCP connector and connect to your data source from Microsoft Sentinel**:

+> [!div class="checklist"]

+> * Configure the connector's user interface

+> * Configure the connector's polling settings

+> * Deploy your connector to your Microsoft Sentinel workspace

+> * Connect Microsoft Sentinel to your data source and start ingesting data

+This article describes the syntax used in the CCP JSON configuration file and procedures for deploying your connector via API, an ARM template, or a Microsoft Sentinel solution.

+## Prerequisites

+Before building a connector, we recommend that you learn and understand how your data source behaves and exactly how Microsoft Sentinel will need to connect.

+For example, you'll need to understand the types of authentication, pagination, and API endpoints that are required for successful connections.

+## Create a connector JSON configuration file

+To create your custom, CCP connector, create a JSON file with the following basic syntax:

+```json

+{

+ "kind": "<name>",

+ "properties": {

+ "connectorUiConfig": {...

+ },

+ "pollingConfig": {...

+ }

+ }

+}

+```

+Fill in each of the following area with additional properties that define how your connector connects Microsoft Sentinel to your data source, and is displayed in the Azure portal:

+- `connectorUiConfig`. Defines the visual elements and text displayed on the data connector page in Microsoft Sentinel. For more information, see [Configure your connector's user interface](#configure-your-connectors-user-interface).

+- `pollingConfig`. Defines how Microsoft Sentinel collects data from your data source. For more information, see [Configure your connector's polling settings](#configure-your-connectors-polling-settings).

+## Configure your connector's user interface

+This section describes the configuration for how the user interface on the data connector page appears in Microsoft Sentinel.

+Use the [properties supported](#ui-props) for the `connectorUiConfig` area of the [JSON configuration file](#create-a-connector-json-configuration-file) to configure the user interface displayed for your data connector in the Azure portal.

+The following image shows a sample data connector page, highlighted with numbers that correspond to configurable areas of the user interface:

+1. **Title**. The title displayed for your data connector.

+1. **Icon**. The icon displayed for your data connector.

+1. **Status**. Describes whether or not your data connector is connected to Microsoft Sentinel.

+1. **Data charts**. Displays relevant queries and the amount of ingested data in the last two weeks.

+1. **Instructions tab**. Includes a **Prerequisites** section, with a list of minimal validations before the user can enable the connector, and an **Instructions**, with a list of instructions to guide the user in enabling the connector. This section can include text, buttons, forms, tables, and other common widgets to simplify the process.

+1. **Next steps tab**. Includes useful information for understanding how to find data in the event logs, such as sample queries.

+<a name="ui-props"></a>The `connectorUiConfig` section of the configuration file includes the following properties:

+|Name |Type |Description |

+||||

+|**id** | GUID | A distinct ID for the connector. |

+|**title** | String |Title displayed in the data connector page. |

+|**publisher** | String | Your company name. |

+|**descriptionMarkdown** | String, in markdown | A description for the connector. |

+|**additionalRequirementBanner** | String, in markdown | Text for the **Prerequisites** section of the **Instructions** tab. |

+| **graphQueriesTableName** | String | Defines the name of the Log Analytics table from which data for your queries is pulled. <br><br>The table name can be any string, but must end in `_CL`. For example: `TableName_CL`

+|**graphQueries** | [GraphQuery[]](#graphquery) | Queries that present data ingestion over the last two weeks in the **Data charts** pane.<br><br>Provide either one query for all of the data connector's data types, or a different query for each data type. |

+|**sampleQueries** | [SampleQuery[]](#samplequery) | Sample queries for the customer to understand how to find the data in the event log, to be displayed in the **Next steps** tab. |

+|**dataTypes** | [DataTypes[]](#datatypes) | A list of all data types for your connector, and a query to fetch the time of the last event for each data type. |

+|**connectivityCriteria** | [ConnectivityCriteria[]](#connectivitycriteria) |An object that defines how to verify if the connector is correctly defined. |

+|**availability** | `{`<br>` status: Number,`<br>` isPreview: Boolean`<br>`}` | One of the following values: <br><br>- **1**: Connector is generally available to customers. <br>- **isPreview**: Indicates that the connector is not yet generally available. |

+|**permissions** | [RequiredConnectorPermissions[]](#requiredconnectorpermissions) | Lists the permissions required to enable or disable the connector. |

+|**instructionsSteps** | [InstructionStep[]](#instructionstep) | An array of widget parts that explain how to install the connector, displayed on the **Instructions** tab. |

+|**metadata** | [Metadata](#metadata) | ARM template metadata, for deploying the connector as an ARM template. |

+| | | |

+### GraphQuery

+Defines a query that presents data ingestion over the last two weeks in the **Data charts** pane.

+Provide either one query for all of the data connector's data types, or a different query for each data type.

+|Name |Type |Description |

+||||

+|**metricName** | String | A meaningful name for your graph. <br><br>Example: `Total data received` |

+|**legend** | String | The string that appears in the legend to the right of the chart, including a variable reference.<br><br>Example: `{{graphQueriesTableName}}` |

+|**baseQuery** | String | The query that filters for relevant events, including a variable reference. <br><br>Example: `TableName | where ProviderName == ΓÇ£myproviderΓÇ¥` or `{{graphQueriesTableName}}` |

+| | | |

+### SampleQuery

+|Name |Type |Description |

+||||

+| **Description** | String | A meaningful description for the sample query.<br><br>Example: `Top 10 vulnerabilities detected` |

+| **Query** | String | Sample query used to fetch the data type's data. <br><br>Example: `{{graphQueriesTableName}}\n | sort by TimeGenerated\n | take 10` |

+| | | |

+### DataTypes

+|Name |Type |Description |

+||||

+| **dataTypeName** | String | A meaningful description for the`lastDataReceivedQuery` query, including support for a variable. <br><br>Example: `{{graphQueriesTableName}}` |

+| **lastDataReceivedQuery** | String | A query that returns one row, and indicates the last time data was received, or no data if there is no relevant data. <br><br>Example: `{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)`

+| | | |

+### ConnectivityCriteria

+|Name |Type |Description |

+||||

+| **type** | ENUM | Always define this value as `SentinelKindsV2`. |

+| **value** | deprecated |N/A |

+| | | |

+### Availability

+|Name |Type |Description |

+||||

+| **status** | Boolean | Determines whether or not the data connector is available in your workspace. <br><br>Example: `1`|

+| **isPreview** | Boolean |Determines whether the data connector is supported as Preview or not. <br><br>Example: `false` |

+| | | |

+### RequiredConnectorPermissions

+|Name |Type |Description |

+||||

+| **tenant** | ENUM | Defines the required permissions, as one or more of the following values: `GlobalAdmin`, `SecurityAdmin`, `SecurityReader`, `InformationProtection` <br><br>Example: The **tenant** value displays displays in Microsoft Sentinel as: **Tenant Permissions: Requires `Global Administrator` or `Security Administrator` on the workspace's tenant**|

+| **licenses** | ENUM | Defines the required licenses, as one of the following values: `OfficeIRM`,`OfficeATP`, `Office365`, `AadP1P2`, `Mcas`, `Aatp`, `Mdatp`, `Mtp`, `IoT` <br><br>Example: The **licenses** value displays in Microsoft Sentinel as: **License: Required Azure AD Premium P2**|

+| **customs** | String | Describes any custom permissions required for your data connection, in the following syntax: <br>`{`<br>` name:string,`<br>` description:string`<br>`}` <br><br>Example: The **customs** value displays in Microsoft Sentinel as: **Subscription: Contributor permissions to the subscription of your IoT Hub.** |

+| **resourceProvider** | [ResourceProviderPermissions](#resourceproviderpermissions) | Describes any prerequisites for your Azure resource. <br><br>Example: The **resourceProvider** value displays in Microsoft Sentinel as: <br>**Workspace: write permission is required.**<br>**Keys: read permissions to shared keys for the workspace are required.**|

+| | | |

+#### ResourceProviderPermissions

+|Name |Type |Description |

+||||

+| **provider** | ENUM | Describes the resource provider, with one of the following values: <br>- `Microsoft.OperationalInsights/workspaces` <br>- `Microsoft.OperationalInsights/solutions`<br>- `Microsoft.OperationalInsights/workspaces/datasources`<br>- `microsoft.aadiam/diagnosticSettings`<br>- `Microsoft.OperationalInsights/workspaces/sharedKeys`<br>- `Microsoft.Authorization/policyAssignments` |

+| **providerDisplayName** | String | A query that should return one row, indicating the last time that data was received, or no data if there is no relevant data. |

+| **permissionsDisplayText** | String | Display text for *Read*, *Write*, or *Read and Write* permissions. |

+| **requiredPermissions** | [RequiredPermissionSet](#requiredpermissionset) | Describes the minimum permissions required for the connector as one of the following values: `read`, `write`, `delete`, `action` |

+| **Scope** | ENUM | Describes the scope of the data connector, as one of the following values: `Subscription`, `ResourceGroup`, `Workspace` |

+| | | |

+### RequiredPermissionSet

+|Name |Type |Description |

+||||

+|**read** | boolean | Determines whether *read* permissions are required. |

+| **write** | boolean | Determines whether *write* permissions are required. |

+| **delete** | boolean | Determines whether *delete* permissions are required. |

+| **action** | boolean | Determines whether *action* permissions are required. |

+| | | |

+### Metadata

+This section provides metadata used when you're [deploying your data connector as an ARM template](#deploy-your-connector-in-microsoft-sentinel-and-start-ingesting-data).

+|Name |Type |Description |

+||||

+| **id** | String | Defines a GUID for your ARM template. |

+| **kind** | String | Defines the kind of ARM template you're creating. Always use `dataConnector`. |

+| **source** | String |Describes your data source, using the following syntax: <br>`{`<br>` kind:string`<br>` name:string`<br>`}`|

+| **author** | String | Describes the data connector author, using the following syntax: <br>`{`<br>` name:string`<br>`}`|

+| **support** | String | Describe the support provided for the data connector using the following syntax: <br> `{`<br>` "tier": string,`<br>` "name": string,`<br>`"email": string,`<br> `"link": string`<br>` }`|

+| | | |

+### Instructions

+This section provides parameters that define the set of instructions that appear on your data connector page in Microsoft Sentinel.

+|Name |Type |Description |

+||||

+| **title** | String | Optional. Defines a title for your instructions. |

+| **description** | String | Optional. Defines a meaningful description for your instructions. |

+| **innerSteps** | [InstructionStep](#instructionstep) | Optional. Defines an array of inner instruction steps. |

+| **bottomBorder** | Boolean | When `true`, adds a bottom border to the instructions area on the connector page in Microsoft Sentinel |

+| **isComingSoon** | Boolean | When `true`, adds a **Coming soon** title on the connector page in Microsoft Sentinel |

+| | | |

+#### CopyableLabel

+Shows a field with a button on the right to copy the field value. For example:

+**Sample code**:

+```json

+Implementation:

+instructions: [

+ new CopyableLabelInstructionModel({

+ fillWith: [ΓÇ£MicrosoftAwsAccountΓÇ¥],

+ label: ΓÇ£Microsoft Account IDΓÇ¥,

+ }),

+ new CopyableLabelInstructionModel({

+ fillWith: [ΓÇ£workspaceIdΓÇ¥],

+ label: ΓÇ£External ID (WorkspaceId)ΓÇ¥,

+ }),

+ ]

+```

+**Parameters**: `CopyableLabelInstructionParameters`

+|Name |Type |Description |

+||||

+|**fillWith** | ENUM | Optional. Array of environment variables used to populate a placeholder. Separate multiple placeholders with commas. For example: `{0},{1}` <br><br>Supported values: `workspaceId`, `workspaceName`, `primaryKey`, `MicrosoftAwsAccount`, `subscriptionId` |

+|**label** | String | Defines the text for the label above a text box. |

+|**value** | String | Defines the value to present in the text box, supports placeholders. |

+|**rows** | Rows | Optional. Defines the rows in the user interface area. By default, set to **1**. |

+|**wideLabel** |Boolean | Optional. Determines a wide label for long strings. By default, set to `false`. |

+| | | |

+#### InfoMessage

+Defines an inline information message. For example:

+In contrast, the following image shows a *non*-inline information message:

+**Sample code**:

+```json

+instructions: [

+ new InfoMessageInstructionModel({

+ text:”Microsoft Defender for Endpoint… “,

+ visible: true,

+ inline: true,

+ }),

+ new InfoMessageInstructionModel({

+ text:”In order to export… “,

+ visible: true,

+ inline: false,

+ }),

+ ]

+```

+**Parameters**: `InfoMessageInstructionModelParameters`

+|Name |Type |Description |

+||||

+|**text** | String | Define the text to display in the message. |

+|**visible** | Boolean | Determines whether the message is displayed. |

+|**inline** | Boolean | Determines how the information message is displayed. <br><br>- `true`: (Recommended) Shows the information message embedded in the instructions. <br>- `false`: Adds a blue background. |

+| | | |

+#### LinkInstructionModel

+Displays a link to other pages in the Azure portal, as a button or a link. For example:

+**Sample code**:

+```json

+new LinkInstructionModel({linkType: ΓÇ£OpenPolicyAssignmentΓÇ¥, policyDefinitionGuid: <GUID>, assignMode = ΓÇ£PolicyΓÇ¥})

+new LinkInstructionModel({ linkType: LinkType.OpenAzureActivityLog } )

+```

+**Parameters**: `InfoMessageInstructionModelParameters`

+|Name |Type |Description |

+||||

+|**linkType** | ENUM | Determines the link type, as one of the following values: <br><br>`InstallAgentOnWindowsVirtualMachine`<br>`InstallAgentOnWindowsNonAzure`<br> `InstallAgentOnLinuxVirtualMachine`<br> `InstallAgentOnLinuxNonAzure`<br>`OpenSyslogSettings`<br>`OpenCustomLogsSettings`<br>`OpenWaf`<br> `OpenAzureFirewall` `OpenMicrosoftAzureMonitoring` <br> `OpenFrontDoors` <br>`OpenCdnProfile` <br>`AutomaticDeploymentCEF` <br> `OpenAzureInformationProtection` <br> `OpenAzureActivityLog` <br> `OpenIotPricingModel` <br> `OpenPolicyAssignment` <br> `OpenAllAssignmentsBlade` <br> `OpenCreateDataCollectionRule` |

+|**policyDefinitionGuid** | String | Optional. For policy-based connectors, defines the GUID of the built-in policy definition. |

+|**assignMode** | ENUM | Optional. For policy-based connectors, defines the assign mode, as one of the following values: `Initiative`, `Policy` |

+|**dataCollectionRuleType** | ENUM | Optional. For DCR-based connectors, defines the type of data collection rule type as one of the following: `SecurityEvent`, `ForwardEvent` |

+| | | |

+To define an inline link using markdown, use the following example as a guide:

+```markdown

+<value>Follow the instructions found on article [Connect Microsoft Sentinel to your threat intelligence platform]({0}). Once the application is created you will need to record the Tenant ID, Client ID and Client Secret.</value>

+```

+The code sample listed above shows an inline link that looks like the following image:

+To define a link as an ARM template, use the following example as a guide:

+```markdown

+ <value>1. Click the **Deploy to Azure** button below.

+[]({1})

+```

+The code sample listed above shows a link button that looks like the following image:

+ΓÇâ:::image type="content" source="media/create-codeless-connector/sample-markdown-link-button.png" alt-text="Screenshot of the link button created by the earlier sample markdown.":::

+#### InstructionStep

+Displays a group of instructions, as an expandable accordion or non-expandable, separate from the main instructions section.

+For example:

+**Parameters**: `InstructionStepsGroupModelParameters`

+|Name |Type |Description |

+||||

+|**title** | String | Defines the title for the instruction step. |

+|**instructionSteps** | [InstructionStep[]](#instructionstep) | Optional. Defines an array of inner instruction steps. |

+|**canCollapseAllSections** | Boolean | Optional. Determines whether the section is a collapsible accordion or not. |

+|**noFxPadding** | Boolean | Optional. If `true`, reduces the height padding to save space. |

+|**expanded** | Boolean | Optional. If `true`, shows as expanded by default. |

+| | | |

+## Configure your connector's polling settings

+This section describes the configuration for how data is polled from your data source for a codeless data connector.

+The following code shows the syntax of the `pollingConfig` section of the [CCP configuration](#create-a-connector-json-configuration-file) file.

+```rest

+"pollingConfig": {

+ auth": {

+ "authType": <string>,

+ },

+ "request": {…

+ },

+ "response": {…

+ },

+ "paging": {…

+ }

+ }

+```

+The `pollingConfig` section includes the following properties:

+|Name |Type |Description |

+||||

+|**id** | String | Mandatory. Defines a unique identifier for a rule or configuration entry, using one of the following values: <br><br>- A GUID (recommended) <br>- A document ID, if the data source resides in a Cosmos DB |

+|**auth** | String | Describes the authentication properties for polling the data. For more information, see [auth configuration](#auth-configuration). |

+|<a name="authtype"></a>**auth.authType** | String | Mandatory. Defines the type of authentication, nested inside the `auth` object, as one of the following values: `Basic`, `APIKey`, `Session` |

+|**request** | Nested JSON | Mandatory. Describes the request payload for polling the data, such as the API endpoint. For more information, see [request configuration](#request-configuration). |

+|**response** | Nested JSON | Mandatory. Describes the response object and nested message returned from the API when polling the data. For more information, see [response configuration](#response-configuration). |

+|**paging** | Nested JSON. | Optional. Describes the pagination payload when polling the data. For more information, see [paging configuration](#paging-configuration). |

+| | | |

+For more information, see [Sample pollingConfig code](#sample-pollingconfig-code).

+### auth configuration

+The `auth` section of the [pollingConfig](#configure-your-connectors-polling-settings) configuration includes the following parameters, depending on the type defined in the [authType](#authtype) element:

+#### APIKey authType parameters

+|Name |Type |Description |

+||||

+|**APIKeyName** |String | Optional. Defines the name of your API key, as one of the following values: <br><br>- `XAuthToken` <br>- `Authorization` |

+|**IsAPIKeyInPostPayload** |Boolean | Determines where your API key is defined. <br><br>True: API key is defined in the POST request payload <br>False: API key is defined in the header |

+|**APIKeyIdentifier** | String | Optional. Defines the name of the identifier for the API key. <br><br>For example, where the authorization is defined as `"Authorization": "token <secret>"`, this parameter is defined as: `{APIKeyIdentifier: ΓÇ£tokenΓÇ¥})` |

+| | | |

+#### Session authType parameters

+|Name |Type |Description |

+||||

+|**QueryParameters** | String | Optional. A list of query parameters, in the serialized `dictionary<string, string>` format: <br><br>`{'<attr_name>': '<val>', '<attr_name>': '<val>'... }` |

+|**IsPostPayloadJson** | Boolean | Optional. Determines whether the query parameters are in JSON format. |

+|**Headers** | String. | Optional. Defines the header used when calling the endpoint to get the session ID, and when calling the endpoint API. <br><br> Define the string in the serialized `dictionary<string, string>` format: `{'<attr_name>': '<val>', '<attr_name>': '<val>'... }` |

+|**SessionTimeoutInMinutes** | String | Optional. Defines a session timeout, in minutes. |

+|**SessionIdName** | String | Optional. Defines an ID name for the session. |

+|**SessionLoginRequestUri** | String | Optional. Defines a session login request URI. |

+| | | |

+### request configuration

+The `request` section of the [pollingConfig](#configure-your-connectors-polling-settings) configuration includes the following parameters:

+|Name |Type |Description |

+||||

+|**apiEndpoint** | String | Mandatory. Defines the endpoint to pull data from. |

+|**httpMethod** |String | Mandatory. Defines the API method: `GET` or `POST` |

+|**queryTimeFormat** | String, or *UnixTimestamp* or *UnixTimestampInMills* | Mandatory. Defines the format used to define the query time. <br><br>This value can be a string, or in *UnixTimestamp* or *UnixTimestampInMills* format to indicate the query start and end time in the UnixTimestamp. |

+|**startTimeAttributeName** | String | Optional. Defines the name of the attribute that defines the query start time. |

+|**endTimeAttributeName** | String | Optional. Defines the name of the attribute that defines the query end time. |

+|**queryTimeIntervalAttributeName** | String. | Optional. Defines the name of the attribute that defines the query time interval. |

+|**queryTimeIntervalDelimiter** | String | Optional. Defines the query time interval delimiter. |

+|**queryWindowInMin** | String | Optional. Defines the available query window, in minutes. <br><br>Minimum value: `5` |

+|**queryParameters** | String | Optional. Defines the parameters passed in the query in the [`eventsJsonPaths`](#eventsjsonpaths) path. <br><br>Define the string in the serialized `dictionary<string, string>` format: `{'<attr_name>': '<val>', '<attr_name>': '<val>'... }` |

+|**queryParametersTemplate** | String object | Optional. Defines the query parameters template to use when passing query parameters in advanced scenarios. <br><br>For example: `"queryParametersTemplate": "{'cid': 1234567, 'cmd': 'reporting', 'format': 'siem', 'data': { 'from': '{_QueryWindowStartTime}', 'to': '{_QueryWindowEndTime}'}, '{_APIKeyName}': '{_APIKey}'}"` |

+|**isPostPayloadJson** | Boolean | Optional. Determines whether the POST payload is in JSON format. |

+|**rateLimitQPS** | Double | Optional. Defines the number of calls or queries allowed in a second. |

+|**timeoutInSeconds** | Integer | Optional. Defines the request timeout, in seconds. |

+|**retryCount** | Integer | Optional. Defines the number of request retries to try if needed. |

+|**headers** | String | Optional. Defines the request header value, in the serialized `dictionary<string, string>` format: `{'<attr_name>': '<val>', '<attr_name>': '<val>'... }` |

+| | | |

+### response configuration

+The `response` section of the [pollingConfig](#configure-your-connectors-polling-settings) configuration includes the following parameters:

+|Name |Type |Description |

+||||

+| <a name="eventsjsonpaths"></a> **eventsJsonPaths** | List of strings | Mandatory. Defines the path to the message in the response JSON. <br><br>A JSON path expression specifies a path to an element, or a set of elements, in a JSON structure |

+| **successStatusJsonPath** | String | Optional. Defines the path to the success message in the response JSON. |

+| **successStatusValue** | String | Optional. Defines the path to the success message value in the response JSON |

+| **isGzipCompressed** | Boolean | Optional. Determines whether the response is compressed in a gzip file. |

+| | | |

+The following code shows an example of the [eventsJsonPaths](#eventsjsonpaths) value for a top-level message:

+```json

+"eventsJsonPaths": [

+ "$"

+ ]

+```

+### paging configuration

+The `paging` section of the [pollingConfig](#configure-your-connectors-polling-settings) configuration includes the following parameters:

+|Name |Type |Description |

+||||

+| **pagingType** | String | Mandatory. Determines the paging type to use in results, as one of the following values: `None`, `LinkHeader`, `NextPageToken`, `NextPageUrl`, `Offset` |

+| **linkHeaderTokenJsonPath** | String | Optional. Defines the JSON path to link header in the response JSON, if the `LinkHeader` isn't defined in the response header. |

+| **nextPageTokenJsonPath** | String | Optional. Defines the path to a next page token JSON. |

+| **hasNextFlagJsonPath** |String | Optional. Defines the path to the `HasNextPage` flag attribute. |

+| **nextPageTokenResponseHeader** | String | Optional. Defines the *next page* token header name in the response. |

+| **nextPageParaName** | String | Optional. Determines the *next page* name in the request. |

+| **nextPageRequestHeader** | String | Optional. Determines the *next page* header name in the request. |

+| **nextPageUrl** | String | Optional. Determines the *next page* URL, if it's different from the initial request URL. |

+| **nextPageUrlQueryParameters** | String | Optional. Determines the *next page* URL's query parameters if it's different from the initial request's URL. <br><br>Define the string in the serialized `dictionary<string, object>` format: `{'<attr_name>': <val>, '<attr_name>': <val>... }` |

+| **offsetParaName** | String | Optional. Defines the name of the offset parameter. |

+| **pageSizeParaName** | String | Optional. Defines the name of the page size parameter. |

+| **PageSize** | Integer | Defines the paging size. |

+| | | |

+### Sample pollingConfig code

+The following code shows an example of the `pollingConfig` section of the [CCP configuration](#create-a-connector-json-configuration-file) file:

+```rest

+"pollingConfig": {

+ "auth": {

+ "authType": "APIKey",

+ "APIKeyIdentifier": "token",

+ "APIKeyName": "Authorization"

+ },

+ "request": {

+ "apiEndpoint": "https://api.github.com/../{{placeHolder1}}/audit-log",

+ "rateLimitQPS": 50,

+ "queryWindowInMin": 15,

+ "httpMethod": "Get",

+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",

+ "retryCount": 2,

+ "timeoutInSeconds": 60,

+ "headers": {

+ "Accept": "application/json",

+ "User-Agent": "Scuba"

+ },

+ "queryParameters": {

+ "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}"

+ }

+ },

+ "paging": {

+ "pagingType": "LinkHeader",

+ "pageSizeParaName": "per_page"

+ },

+ "response": {

+ "eventsJsonPaths": [

+ "$"

+ ]

+ }

+}

+```

+## Add placeholders to your connector's JSON configuration file

+You may want to create a JSON configuration file template, with placeholders parameters, to reuse across multiple connectors, or even to create a connector with data that you don't currently have.

+To create placeholder parameters, define an additional array named `userRequestPlaceHoldersInput` in the [Instructions](#instructions) section of your [CCP JSON configuration](#create-a-connector-json-configuration-file) file, using the following syntax:

+```json

+"instructions": [

+ {

+ "parameters": {

+ "enable": "true",

+ "userRequestPlaceHoldersInput": [

+ {

+ "displayText": "Organization Name",

+ "requestObjectKey": "apiEndpoint",

+ "placeHolderName": "{{placeHolder1}}"

+ }

+ ]

+ },

+ "type": "APIKey"

+ }

+ ]

+```

+The `userRequestPlaceHoldersInput` parameter includes the following attributes:

+|Name |Type |Description |

+||||

+|**DisplayText** | String | Defines the text box display value, which is displayed to the user when connecting. |

+|**RequestObjectKey** |String | Defines the ID used to identify where in the request section of the API call to replace the placeholder value with a user value. <br><br>If you don't use this attribute, use the `PollingKeyPaths` attribute instead. |

+|**PollingKeyPaths** |String |Defines an array of [JsonPath](https://www.npmjs.com/package/JSONPath) objects that directs the API call to anywhere in the template, to replace a placeholder value with a user value.<br><br>**Example**: `"pollingKeyPaths":["$.request.queryParameters.test1"]` <br><br>If you don't use this attribute, use the `RequestObjectKey` attribute instead. |

+|**PlaceHolderName** |String |Defines the name of the placeholder parameter in the JSON template file. This can be any unique value, such as `{{placeHolder}}`. |

+| | |

+## Deploy your connector in Microsoft Sentinel and start ingesting data

+After creating your [JSON configuration file](#create-a-connector-json-configuration-file), including both the [user interface](#configure-your-connectors-user-interface) and [polling](#configure-your-connectors-polling-settings) configuration, deploy your connector in your Microsoft Sentinel workspace.

+1. Use one of the following options to deploy your data connector.

+ > [!TIP]

+ > The advantage of deploying via an Azure Resource Manager (ARM) template is that several values are built-in to the template, and you don't need to define them manually in an API call.

+ >

+ # [Deploy via ARM template](#tab/deploy-via-arm-template)

+ Use a JSON configuration file to create an ARM template to use when deploying your connector. To ensure that your data connector gets deployed to the correct workspace, make sure to either define the workspace for the ARM template to deploy when creating your JSON file, or select the workspace when deploying the ARM template.

+ 1. Prepare an [ARM template JSON file](/azure/templates/microsoft.securityinsights/dataconnectors) for your connector. For example, see the following ARM template JSON files:

+ - Data connector in the [Slack solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SlackAudit/Data%20Connectors/SlackNativePollerConnector/azuredeploy_Slack_native_poller_connector.json)

+ - [Atlassian Jira Audit data connector](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AtlassianJiraAudit/JiraNativePollerConnector/azuredeploy_Jira_native_poller_connector.json)

+ 1. In the Azure portal, search for **Deploy a custom template**.

+ 1. On the **Custom deployment** page, select **Build your own template in the editor** > **Load file**. Browse to and select your local ARM template, and then save your changes.

+ 1. Select your subscription and resource group, and then enter the Log Analytics workspace where you want to deploy your custom connector.

+ 1. Select **Review + create** to deploy your custom connector to Microsoft Sentinel.

+ 1. In Microsoft Sentinel, go to the **Data connectors** page, search for your new connector. Configure it to start ingesting data.

+ For more information, see [Deploy a local template](/azure/azure-resource-manager/templates/deployment-tutorial-local-template?tabs=azure-powershell) in the Azure Resource Manager documentation.

+ # [Deploy via API](#tab/deploy-via-api)

+ 1. Authenticate to the Azure API. For more information, see [Getting started with REST](/rest/api/azure/).

+ 1. Invoke an `UPSERT` API call to Microsoft Sentinel to deploy your new connector. Your data connector is deployed to your Microsoft Sentinel workspace, and is available on the **Data connectors** page.

+

+1. Configure your data connector to connect your data source and start ingesting data into Microsoft Sentinel. You can connect to your data source either via the portal, as with out-of-the-box data connectors, or via API.

+ When you use the Azure portal to connect, user data is sent automatically. When you connect via API, you'll need to send the relevant authentication parameters in the API call.

+ # [Connect via the Azure portal](#tab/connect-via-the-azure-portal)

+ In your Microsoft Sentinel data connector page, follow the instructions you've provided to connect to your data connector.

+ The data connector page in Microsoft Sentinel is controlled by the [InstructionStep](#instructionstep) configuration in the `connectorUiConfig` element of the [CCP JSON configuration](#create-a-connector-json-configuration-file) file. If you have issues with the user interface connection, make sure that you have the correct configuration for your authentication type.

+ # [Connect via API](#tab/connect-via-api)

+ Use the `CONNECT` endpoint to send a PUT method and pass the JSON configuration directly in the body of the message. For more information, see [auth configuration](#auth-configuration).

+ Use the following API attributes, depending on the [authType](#authtype) defined. For each `authType` parameter, all listed attributes are mandatory and are string values.

+ |authType |Attributes |

+ |||

+ |**Basic** | Define: <br>- `kind` as `Basic` <br>- `userName` as your username, in quotes <br>- `password` as your password, in quotes |

+ |**APIKey** |Define: <br>- `kind` as `APIKey` <br>- `APIKey` as your full API key string, in quotes|

+ | | |

+ If you're using a [template configuration file with placeholder data](#add-placeholders-to-your-connectors-json-configuration-file), send the data together with the `placeHolderValue` attributes that hold the user data. For example:

+ ```rest

+ "requestConfigUserInputValues": [

+ {

+ "displayText": "<A display name>",

+ "placeHolderName": "<A placeholder name>",

+ "placeHolderValue": "<A value for the placeholder>",

+ "pollingKeyPaths": "<Array of items to use in place of the placeHolderName>"

+ }

+ ]

+ ```

+

+1. In Microsoft Sentinel, go to the **Logs** page and verify that you see the logs from your data source flowing in to your workspace.

+If you don't see data flowing into Microsoft Sentinel, check your data source documentation and troubleshooting resources, check the configuration details, and check the connectivity. For more information, see [Monitor the health of your data connectors](monitor-data-connector-health.md).

+### Disconnect your connector

+If you no longer need your connector's data, disconnect the connector to stop the data flow.

+Use one of the following methods:

+- **Azure portal**: In your Microsoft Sentinel data connector page, select **Disconnect**.

+- **API**: Use the DISCONNECT API to send a PUT call with an empty body to the following URL:

+ ```rest

+ https://management.azure.com /subscriptions/{{SUB}}/resourceGroups/{{RG}}/providers/Microsoft.OperationalInsights/workspaces/{{WS-NAME}}/providers/Microsoft.SecurityInsights/dataConnectors/{{Connector_Id}}/disconnect?api-version=2021-03-01-preview

+ ```

+## Next steps

+If you haven't yet, share your new codeless data connector with the Microsoft Sentinel community! Create a solution for your data connector and share it in the Microsoft Sentinel Marketplace.

+For more information, see [About Microsoft Sentinel solutions](sentinel-solutions.md).

+| **[Codeless Connector Platform (CCP)](#connect-with-the-codeless-connector-platform)** <br>Best for less technical audiences to create SaaS connectors using a configuration file instead of advanced development. | Supports all capabilities available with the code. | Yes | Low; simple, codeless development

+|**[Azure Functions](#connect-with-azure-functions)** <br>Best for high-volume cloud sources, and for unique collection requirements | Supports all capabilities available with the code. | Yes | High; requires programming knowledge |

+## Connect with the Codeless Connector Platform

+The Codeless Connector Platform (CCP) provides a configuration file that can be used by both customers and partners, and then deployed to your own workspace, or as a solution to Microsoft Sentinel's solution's gallery.

+Connectors created using the CCP are fully SaaS, without any requirements for service installations, and also include health monitoring and full support from Microsoft Sentinel.

+For more information, see [Create a codeless connector for Microsoft Sentinel](create-codeless-connector.md).

+

+## Microsoft Project

+| Connector attribute | Description |

+| | |

+| **Data ingestion method** | **Azure service-to-service integration: <br>[API-based connections](connect-azure-windows-microsoft-services.md#api-based-connections)** |

+| **License prerequisites/<br>Cost information** | Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.<br>Other charges may apply |

+| **Log Analytics table(s)** | ProjectActivity |

+| **Supported by** | Microsoft |

+| | |

+

+## Microsoft Power BI

+| Connector attribute | Description |

+| | |

+| **Data ingestion method** | **Azure service-to-service integration: <br>[API-based connections](connect-azure-windows-microsoft-services.md#api-based-connections)** |

+| **License prerequisites/<br>Cost information** | Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.<br>Other charges may apply |

+| **Log Analytics table(s)** | PowerBIActivity |

+| **Supported by** | Microsoft |

+| | |

+- [Threat intelligence integration in Microsoft Sentinel](threat-intelligence-integration.md)

+- In the **Tactics and techniques** field, you can choose from among categories of attacks by which to classify the rule. These are based on the tactics and techniques of the [MITRE ATT&CK](https://attack.mitre.org/) framework.

+ [Incidents](investigate-cases.md) created from alerts that are detected by rules mapped to MITRE ATT&CK tactics and techniques automatically inherit the rule's mapping.

+1. To begin an investigation, select a specific incident. On the right, you can see detailed information for the incident including its severity, summary of the number of entities involved, the raw events that triggered this incident, the incidentΓÇÖs unique ID, and any mapped MITRE ATT&CK tactics or techniques.

+- [Amazon Web Services (CloudTrail and S3)](connect-aws.md)

+- [Support for MITRE ATT&CK techniques (Public preview)](#support-for-mitre-attck-techniques-public-preview)

+- [Codeless data connectors (Public preview)](#codeless-data-connectors-public-preview)

+### Support for MITRE ATT&CK techniques (Public preview)

+In addition to supporting MITRE ATT&CK tactics, your entire Microsoft Sentinel user flow now also supports MITRE ATT&CK techniques.

+When creating or editing [analytics rules](detect-threats-custom.md), map the rule to one or more specific tactics *and* techniques. When searching for rules on the **Analytics** page, filter by tactic and technique to narrow your search results.

+Check for mapped tactics and techniques throughout Microsoft Sentinel, in:

+- **[Incidents](investigate-cases.md)**. Incidents created from alerts that are detected by rules mapped to MITRE ATT&CK tactics and techniques automatically inherit the rule's tactic and technique mapping.

+- **[Bookmarks](bookmarks.md)**. Bookmarks that capture results from hunting queries mapped to MITRE ATT&CK tactics and techniques automatically inherit the query's mapping.

+#### MITRE ATT&CK framework version upgrade

+We also upgraded the MITRE ATT&CK support throughout Microsoft Sentinel to use the MITRE ATT&CK framework *version 9*. This update includes support for the following new tactics:

+**Replacing the deprecated *PreAttack* tactic**:

+- [Reconnaissance](https://attack.mitre.org/versions/v9/tactics/TA0043/)

+- [Resource Development](https://attack.mitre.org/versions/v9/tactics/TA0042/)

+**Industrial Control System (ICS) tactics**:

+- [Impair Process Control](https://collaborate.mitre.org/attackics/index.php/Impair_Process_Control)

+- [Inhibit Response Function](https://collaborate.mitre.org/attackics/index.php/Inhibit_Response_Function)

+### Codeless data connectors (Public preview)

+Partners, advanced users, and developers can now use the new Codeless Connector Platform (CCP) to create custom connectors, connect their data sources, and ingest data to Microsoft Sentinel.

+The Codeless Connector Platform (CCP) provides support for new data connectors via ARM templates, API, or via a solution in the Microsoft Sentinel [content hub](sentinel-solutions.md).

+Connectors created using CCP are fully SaaS, without any requirements for service installations, and also include [health monitoring](monitor-data-connector-health.md) and full support from Microsoft Sentinel.

+For more information, see [Create a codeless connector for Microsoft Sentinel](create-codeless-connector.md).

+- [Use multiple Microsoft Sentinel workspaces](extend-sentinel-across-workspaces-tenants.md#the-need-to-use-multiple-microsoft-sentinel-workspaces)

+- Grouping Kusto Query Language operators / commands by category for easy navigation.

+- Listing the possible tasks a user would perform with Kusto Query Language in Microsoft Sentinel. Each task includes operators used, sample queries, and use cases.

+- [IoT OT Threat Monitoring with Defender for IoT solution](#iot-ot-threat-monitoring-with-defender-for-iot-solution-public-preview)

+- [Continuous Threat Monitoring for GitHub solution](#ingest-github-logs-into-your-microsoft-sentinel-workspace-public-preview)

+### Apache Log4j Vulnerability Detection solution

+Remote code execution vulnerabilities related to Apache Log4j were disclosed on 9 December 2021. The vulnerability allows for unauthenticated remote code execution, and it's triggered when a specially crafted string, provided by the attacker through a variety of different input vectors, is parsed and processed by the Log4j 2 vulnerable component.

+The [Apache Log4J Vulnerability Detection](sentinel-solutions-catalog.md#domain-solutions) solution was added to the Microsoft Sentinel content hub to help customers monitor, detect, and investigate signals related to the exploitation of this vulnerability, using Microsoft Sentinel.

+For more information, see the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/) and [Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions](sentinel-solutions-deploy.md).

+Remote code execution vulnerabilities related to Apache Log4j were disclosed on 9 December 2021. The vulnerability allows for unauthenticated remote code execution, and it's triggered when a specially crafted string, provided by the attacker through a variety of different input vectors, is parsed and processed by the Log4j 2 vulnerable component.

+- [Fine-tuning recommendations for your analytics rules (Public preview)](#get-fine-tuning-recommendations-for-your-analytics-rules-public-preview)

+- [Continuous deployment from your content repositories (Public preview)](#enable-continuous-deployment-from-your-content-repositories-public-preview)

+- [Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel](#deploy-and-monitor-azure-key-vault-honeytokens-with-microsoft-sentinel)

+Searching for incidents using the advanced search functionality is now generally available.

+You can now stream event logs from Windows Servers connected to your Microsoft Sentinel workspace using Windows Event Collection / Windows Event Forwarding (WEC / WEF), thanks to this new data connector. The connector uses the new Azure Monitor Agent (AMA), which provides a number of advantages over the legacy Log Analytics agent (also known as the MMA):

+- **Scalability:** If you've enabled Windows Event Collection (WEC), you can install the Azure Monitor Agent (AMA) on the WEC machine to collect logs from many servers with a single connection point.

+- **Speed:** The AMA can send data at an improved rate of 5 K EPS, allowing for faster data refresh.

+- **Coverage:** WEC / WEF enables the collection of Windows Event logs from legacy (on-premises and physical) servers and also from high-usage or sensitive machines, such as domain controllers, where installing an agent is undesired.

+We recommend using this connector with the [Microsoft Sentinel Information Model (ASIM)](normalization.md) parsers installed to ensure full support for data normalization.

+We're evolving our free trial experience to include the following updates:

+- **New Log Analytics workspaces** can ingest up to 10 GB / day of log data for the first 31-days at no cost. New workspaces include workspaces that are less than three days old.

+ Both Log Analytics data ingestion and Microsoft Sentinel charges are waived during the 31-day trial period. This free trial is subject to a 20-workspace limit per Azure tenant.

+> During your free trial, find resources for cost management, training, and more on the **News & guides > Free trial** tab in Microsoft Sentinel. This tab also displays details about the dates of your free trial, and how many days you've left until it expires.

+- [Learn about Microsoft Sentinel solutions](sentinel-solutions.md)

+- [Understand threat intelligence integrations](threat-intelligence-integration.md)

+- **Security big data analytics**, using cost-optimized, fully managed Azure Synapse Apache Spark compute pool.

+To support this integration, we added the ability to create and launch an Azure Synapse workspace directly from Microsoft Sentinel. We also added new, sample notebooks to guide you through configuring the Azure Synapse environment, setting up a continuous data export pipeline from Log Analytics into Azure Data Lake Storage, and then hunting on that data at scale.

+### Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel

+The new **Microsoft Sentinel Deception** solution helps you watch for malicious activity in your key vaults by helping you to deploy decoy keys and secrets, called *honeytokens*, to selected Azure key vaults.

+Once deployed, any access or operation with the honeytoken keys and secrets generate incidents that you can investigate in Microsoft Sentinel.

+The **Microsoft Sentinel Deception** solution includes a workbook to help you deploy the honeytokens, either at scale or one at a time, watchlists to track the honeytokens created, and analytics rules to generate incidents as needed.

+For more information, see [Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel (Public preview)](monitor-key-vault-honeytokens.md).

+- [Template versioning for your scheduled analytics rules (Public preview)](#manage-template-versions-for-your-scheduled-analytics-rules-public-preview)

+The new version of the Windows Security Events connector, based on the Azure Monitor Agent, is now generally available. For more information, see [Connect to Windows servers to collect security events](connect-windows-security-events.md?tabs=AMA).

+- If a template is updated, you'll be notified and you can choose to update your rules to the new version of their templates, or leave them as they are.

+Azure Sentinel now provides the ability to enhance your data connector health monitoring with a new *SentinelHealth* table. The *SentinelHealth* table is created after you [turn on the Azure Sentinel health feature](monitor-data-connector-health.md#turn-on-microsoft-sentinel-health-for-your-workspace) in your Azure Sentinel workspace, at the first success or failure health event generated.

+As we continue to add more and more built-in data connectors for Azure Sentinel, we reorganized our data connector documentation to reflect this scaling.

+For most data connectors, we replaced full articles that describe an individual connector with a series of generic procedures and a full reference of all currently supported connectors.

+You'll only see the storage types that you actually have defined resources for.

+Incidents are generated for alerts that are possibly associated with Ransomware activities, when they occur during a specific time-frame, and are associated with the Execution and Defense Evasion stages of an attack. You can use the alerts listed in the incident to analyze the techniques possibly used by attackers to compromise a host / device and to evade detection.

+In response to multiple requests from customers and our support teams, we added a series of best practice guidance to our documentation.

+1. On the **Analytics** page, select the **Rule templates** tab.

+ 1. Select the **Rule type** filter, then the drop-down list that appears below.

+ 1. If necessary, select the top of the drop-down list to retract it, then select **OK**.

+- **Tactics and techniques** are the MITRE ATT&CK framework tactics and techniques covered by the anomaly.

+1. Choose a rule template that is not already labeled **IN USE**. Select the **Create rule** button to open the rule creation wizard.

+1. On the **Analytics** page, check that the **Active rules** tab is selected.

+1. Select the **Tables** tab on the left pane of the **Logs** page.

+1. Select **Run**.

+1. Right-click anywhere on the row of the rule, or left-click the ellipsis (...) at the end of the row, then select **Duplicate**.

+1. The new copy of the rule will have the suffix " - Customized" in the rule name. To actually customize this rule, select this rule and select **Edit**.

+ You can preview the results of your changes in the **Results preview pane**. Select an **Anomaly ID** in the results preview to see why the ML model identifies that anomaly.

+1. Enable the customized rule to generate results. Some of your changes may require the rule to run again, so you must wait for it to finish and come back to check the results on the logs page. The customized anomaly rule runs in **Flighting** (testing) mode by default. The original rule continues to run in **Production** mode by default.

+ If you are satisfied with the results for the customized rule, you can go back to the **Active rules** tab, select on the customized rule, select the **Edit** button and on the **General** tab switch it from **Flighting** to **Production**. The original rule will automatically change to **Flighting** since you can't have two versions of the same rule in production at the same time.

+The first step is to enable a **system-assigned managed identity** for the Function, following that [procedure](/azure/app-service/overview-managed-identity?toc=%2Fazure%2Fazure-functions%2Ftoc.json&tabs=ps%2Cportal).

+Currently, you can choose from the following database templates in Azure Synapse Studio to start creating your lake database:

+3. Optionally, use the newly created 'DataExplorationDB' database to create a login for a user in DataExplorationDB that will access external data:

+## December 2021 update

+The following updates are new to Azure Synapse Analytics this month.

+### Apache Spark for Synapse

+* Accelerate Spark workloads with NVIDIA GPU acceleration [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--16536080) [article](./spark/apache-spark-rapids-gpu.md)

+* Mount remote storage to a Synapse Spark pool [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--1823990543) [article](./spark/synapse-file-mount-api.md)

+* Natively read & write data in ADLS with Pandas [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-663522290) [article](./spark/tutorial-use-pandas-spark-pool.md)

+* Dynamic allocation of executors for Spark [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--1143932173) [article](./spark/apache-spark-autoscale.md)

+### Machine Learning

+* The Synapse Machine Learning library [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--463873803) [article](https://microsoft.github.io/SynapseML/docs/about/)

+* Getting started with state-of-the-art pre-built intelligent models [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-2023639030) [article](./machine-learning/tutorial-form-recognizer-use-mmlspark.md)

+* Building responsible AI systems with the Synapse ML library [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-914346508) [article](https://microsoft.github.io/SynapseML/docs/features/responsible_ai/Model%20Interpretation%20on%20Spark/)

+* PREDICT is now GA for Synapse Dedicated SQL pools [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1594404878) [article](./machine-learning/tutorial-sql-pool-model-scoring-wizard.md)

+* Simple & scalable scoring with PREDICT and MLFlow for Apache Spark for Synapse [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--213049585) [article](./machine-learning/tutorial-score-model-predict-spark-pool.md)

+* Retail AI solutions [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--2020504048) [article](./machine-learning/quickstart-industry-ai-solutions.md)

+### Security

+* User-Assigned managed identities now supported in Synapse Pipelines in preview [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--1340445678) [article](../data-factory/credentials.md?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext&tabs=data-factory)

+* Browse ADLS Gen2 folders in an Azure Synapse Analytics workspace in preview [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1147067155) [article](how-to-access-container-with-access-control-lists.md)

+### Data Integration

+* Pipeline Fail activity [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1827125525) [article](../data-factory/control-flow-fail-activity.md)

+* Mapping Data Flow gets new native connectors [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-717833003) [article](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/mapping-data-flow-gets-new-native-connectors/ba-p/2866754)

+* Additional notebook export formats: HTML, Python, and LaTeX [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-december-2021-update/ba-p/3042904#REF3)

+* Three new chart types in notebook view: box plot, histogram, and pivot table [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-december-2021-update/ba-p/3042904#REF4)

+* Reconnect to lost notebook session [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-december-2021-update/ba-p/3042904#REF5)

+### Integrate

+* Synapse Link for Dataverse [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1397891373) [article](/powerapps/maker/data-platform/azure-synapse-link-synapse)

+* Custom partitions for Synapse link for Azure Cosmos DB in preview [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--409563090) [article](../cosmos-db/custom-partitioning-analytical-store.md)

+* Map data tool (Public Preview), a no-code guided ETL experience [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-december-2021-update/ba-p/3042904#REF7) [article](./database-designer/overview-map-data.md)

+* Quick reuse of spark cluster [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-december-2021-update/ba-p/3042904#REF7) [article](../data-factory/concepts-integration-runtime-performance.md#time-to-live)

+* External Call transformation [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-december-2021-update/ba-p/3042904#REF9) [article](../data-factory/data-flow-external-call.md)

+* Flowlets (Public Preview) [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-december-2021-update/ba-p/3042904#REF10) [article](../data-factory/concepts-data-flow-flowlet.md)

+This article lists updates to Azure Synapse Analytics that are published in Jan 2022. Each update links to the Azure Synapse Analytics blog and an article that provides more information. For previous months releases, check out [Azure Synapse Analytics - updates archive](whats-new-archive.md).

+## Jan 2022 update

+You can now use four new database templates in Azure Synapse. [Learn more about Automotive, Genomics, Manufacturing, and Pharmaceuticals templates from the blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/four-additional-azure-synapse-database-templates-now-available/ba-p/3058044) or the [database templates article](./database-designer/overview-database-templates.md). These templates are currently in public preview and are available within the Synapse Studio gallery.

+Improvements to the Synapse Machine Learning library v0.9.5 (previously called MMLSpark). This release simplifies the creation of massively scalable machine learning pipelines with Apache Spark. To learn more, [read the blog post about the new capabilities in this release](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_3) or see the [full release notes](https://microsoft.github.io/SynapseML/)

+* The Azure Synapse Analytics security overview - A whitepaper that covers the five layers of security. The security layers include authentication, access control, data protection, network security, and threat protection. [Understand each security feature in detailed](./guidance/security-white-paper-introduction.md) to implement an industry-standard security baseline and protect your data on the cloud.

+* TLS 1.2 is now required for newly created Synapse Workspaces. To learn more, see how [TLS 1.2 provides enhanced security using this article](./security/connectivity-settings.md) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_6). Login attempts to a newly created Synapse workspace from connections using a TLS versions lower than 1.2 will fail.

+* Data quality validation rules using Assert transformation - You can now easily add data quality, data validation, and schema validation to your Synapse ETL jobs by leveraging Assert transformation in Synapse data flows. To learn more, see the [Assert transformation in mapping data flow article](/data-factory/data-flow-assert.md) or [the blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_8).

+* Native data flow connector for Dynamics - Synapse data flows can now read and write data directly to Dynamics through the new data flow Dynamics connector. Learn more on how to [Create data sets in data flows to read, transform, aggregate, join, etc. using this article](../data-factory/connector-dynamics-crm-office-365.md) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_9). You can then write the data back into Dynamics using the built-in Synapse Spark compute.

+* IntelliSense and auto-complete added to pipeline expressions - IntelliSense makes creating expressions, editing them easy. To learn more, see how to [check your expression syntax, find functions, and add code to your pipelines.](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/intellisense-support-in-expression-builder-for-more-productive/ba-p/3041459)

+### Synapse SQL

+* COPY schema discovery for complex data ingestion. To learn more, see the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_12) or [how Github leveraged this functionality in Introducing Automatic Schema Discovery with auto table creation for complex datatypes](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/introducing-automatic-schema-discovery-with-auto-table-creation/ba-p/3068927).

+* Serverless SQL pools now support the HASHBYTES function. HASHBYTES is a T-SQL function which hashes values. Learn how to use [hash values in distributing data using this article](/sql/t-sql/functions/hashbytes-transact-sql) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_13).

+As explained in [How Traffic Manager Works](../traffic-manager/traffic-manager-how-it-works.md), Traffic Manager works at the Domain Name System (DNS) level. It sends DNS responses to direct clients to the appropriate service endpoint. Clients then connect to the service endpoint directly, not through Traffic Manager.

+Therefore, Traffic Manager doesnΓÇÖt provide an endpoint or IP address for clients to connect to. If you want static IP address for your service, that must be configured at the service, not in Traffic Manager.

+As explained in [How Traffic Manager Works](../traffic-manager/traffic-manager-how-it-works.md), a Traffic Manager endpoint can be any internet facing service hosted inside or outside of Azure. Hence, Traffic Manager can route traffic that originates from the public internet to a set of endpoints that are also internet facing. If you have endpoints that are inside a private network (for example, an internal version of [Azure Load Balancer](../load-balancer/components.md#frontend-ip-configurations)) or have users making DNS requests from such internal networks, then you canΓÇÖt use Traffic Manager to route this traffic.

+As explained in [How Traffic Manager Works](../traffic-manager/traffic-manager-how-it-works.md), Traffic Manager works at the DNS level. It uses DNS responses to direct clients to the appropriate service endpoint. Clients connect to the service endpoint directly, not through Traffic Manager. Therefore, Traffic Manager doesnΓÇÖt see the HTTP traffic between the client and the server.

+Additionally, the source IP address of the DNS query received by Traffic Manager belongs to the recursive DNS service, not the client. Therefore, Traffic Manager has no way to track individual clients and canΓÇÖt implement 'sticky' sessions. This limitation is common to all DNS-based traffic management systems and isnΓÇÖt specific to Traffic Manager.

+As explained in [How Traffic Manager Works](../traffic-manager/traffic-manager-how-it-works.md), Traffic Manager works at the DNS level. It uses DNS responses to direct clients to the appropriate service endpoint. Clients then connect to the service endpoint directly, not through Traffic Manager. Traffic Manager doesnΓÇÖt see HTTP traffic between client and server. Therefore, any HTTP error you see must be coming from your application. For the client to connect to the application, all DNS resolution steps are complete. That includes any interaction that Traffic Manager has on the application traffic flow.

+The HTTP host header sent from the client's browser is the most common source of problems. Make sure that the application is configured to accept the correct host header for the domain name youΓÇÖre using. For endpoints using the Azure App Service, see [configuring a custom domain name for a web app in Azure App Service using Traffic Manager](../app-service/configure-domain-traffic-manager.md).

+As explained in [How Traffic Manager Works](../traffic-manager/traffic-manager-how-it-works.md), Traffic Manager works at the DNS level. Since clients connect to your service endpoints directly, thereΓÇÖs no performance impact incurred when using Traffic Manager once the connection is established.

+Yes, in addition to the source IP address of the DNS query it receives (which usually is the IP address of the DNS resolver), when performing lookups for Geographic, Performance, and Subnet routing methods, traffic manager also considers the client subnet address if itΓÇÖs included in the query by the resolver making the request on behalf of the end user.

+When a DNS query lands on Traffic Manager, it sets a value in the response called time-to-live (TTL). This value, whose unit is in seconds, indicates to DNS resolvers downstream on how long to cache this response. While DNS resolvers arenΓÇÖt guaranteed to cache this result, caching it enables them to respond to any subsequent queries off the cache instead of going to Traffic Manager DNS servers. This impacts the responses as follows:

+- a higher TTL also means that your data doesnΓÇÖt reflect the latest health information that Traffic Manager has obtained through its probing agents.

+You can set, at a per profile level, the DNS TTL to be as low as 0 seconds and as high as 2,147,483,647 seconds (the maximum range compliant with [RFC-1035](https://www.ietf.org/rfc/rfc1035.txt )). A TTL of 0 means that downstream DNS resolvers donΓÇÖt cache query responses and all queries are expected to reach the Traffic Manager DNS servers for resolution.

+### When I delete a Traffic Manager profile, what is the amount of time before the name of the profile is available for reuse?

+It can take up to 2 hours for the name to become available after a Traffic Manger profile is deleted.

+The key difference between these two popular routing methods is that in Performance routing method your primary goal is to send traffic to the endpoint that can provide the lowest latency to the caller, whereas, in Geographic routing the primary goal is to enforce a geo fence for your callers so that you can deliberately route them to a specific endpoint. The overlap happens since thereΓÇÖs a correlation between geographical closeness and lower latency, although this isnΓÇÖt always true. There might be an endpoint in a different geography that can provide a better latency experience for the caller and in that case Performance routing will send the user to that endpoint but Geographic routing will always send them to the endpoint youΓÇÖve mapped for their geographic region. To further make it clear, consider the following example - with Geographic routing you can make uncommon mappings such as send all traffic from Asia to endpoints in the US and all US traffic to endpoints in Asia. In that case, Geographic routing will deliberately do exactly what you have configured it to do and performance optimization isnΓÇÖt a consideration.

+The country/region hierarchy that is used by Traffic Manager can be found [here](traffic-manager-geographic-regions.md). While this page is kept up to date with any changes, you can also programmatically retrieve the same information by using the [Azure Traffic Manager REST API](/rest/api/trafficmanager/).

+No, Traffic Manager canΓÇÖt guarantee that the geographic region we infer from the source IP address of a DNS query will always correspond to the user's location due to the following reasons:

+- First, as described in the previous FAQ, the source IP we see is that of a DNS resolver doing the lookup on behalf of the user. While the geographic location of the DNS resolver is a good proxy for the geographic location of the user, it can also be different depending upon the footprint of the DNS resolver service and the specific DNS resolver service a customer has chosen to use.

+As an example, a customer located in Malaysia could specify in their device's settings use a DNS resolver service whose DNS server in Singapore might get picked to handle the query resolutions for that user/device. In that case, Traffic Manager can only see the resolver's IP that corresponds to the Singapore location. Also, see the earlier FAQ regarding client subnet address support on this page.

+- Second, Traffic Manager uses an internal map to do the IP address to geographic region translation. While this map is validated and updated on an ongoing basis to increase its accuracy and account for the evolving nature of the internet, thereΓÇÖs still the possibility that our information isnΓÇÖt an exact representation of the geographic location of all the IP addresses.

+### Does an endpoint need to be physically located in the same region as the one itΓÇÖs configured with for geographic routing?

+### Can I assign geographic regions to endpoints in a profile that isnΓÇÖt configured to do geographic routing?

+Yes, if the routing method of a profile isnΓÇÖt geographic, you can use the [Azure Traffic Manager REST API](/rest/api/trafficmanager/) to assign geographic regions to endpoints in that profile. In the case of non-geographic routing type profiles, this configuration is ignored. If you change such a profile to geographic routing type at a later time, Traffic Manager can use those mappings.

+A region can be assigned to only one endpoint within a profile if itΓÇÖs using the geographic routing method. If that endpoint isnΓÇÖt a nested type with a child profile attached to it, if that endpoint going unhealthy, Traffic Manager continues to send traffic to it since the alternative of not sending any traffic isn't any better. Traffic Manager doesnΓÇÖt fail over to another endpoint, even when the region assigned is a "parent" of the region assigned to the endpoint that went unhealthy (for example, if an endpoint that has region Spain goes unhealthy, we donΓÇÖt fail over to another endpoint that has the region Europe assigned to it). This is done to ensure that Traffic Manager respects the geographic boundaries that a customer has setup in their profile. To get the benefit of failing over to another endpoint when an endpoint goes unhealthy, itΓÇÖs recommended that geographic regions be assigned to nested profiles with multiple endpoints within it instead of individual endpoints. In this way, if an endpoint in the nested child profile fails, traffic can fail over to another endpoint inside the same nested child profile.

+Yes, only API version 2017-03-01 and newer supports the Geographic routing type. Any older API versions canΓÇÖt be used to created profiles of Geographic routing type or assign geographic regions to endpoints. If an older API version is used to retrieve profiles from an Azure subscription, any profile of Geographic routing type isnΓÇÖt returned. In addition, when using older API versions, any profile returned that has endpoints with a geographic region assignment, doesnΓÇÖt have its geographic region assignment shown.

+Subnet routing allows you to differentiate the experience you deliver for specific sets of users identified by the source IP of their DNS requests IP address. An example would be showing different content if users are connecting to a website from your corporate HQ. Another would be restricting users from certain ISPs to only access endpoints that support only IPv4 connections if those ISPs have subpar performance when IPv6 is used.

+End-user devices typically use a DNS resolver to do the DNS lookup on their behalf. The outgoing IP of such resolvers is what Traffic Manager sees as the source IP. In addition, Subnet routing method also looks to see if thereΓÇÖs EDNS0 Extended Client Subnet (ECS) information that was passed with the request. If ECS information is present, that is the address used to determine the routing. In the absence of ECS information, the source IP of the query is used for routing purposes.

+- You canΓÇÖt have overlap of address ranges since each IP needs to be mapped to only a single endpoint

+- The start address canΓÇÖt be more than the end address

+In a profile with Subnet routing, if you have an endpoint with no subnets mapped to it, any request that doesnΓÇÖt match with other endpoints will be directed to here. ItΓÇÖs highly recommended that you have such a fallback endpoint in your profile since Traffic Manager will return an NXDOMAIN response if a request comes in and it isnΓÇÖt mapped to any endpoints or if itΓÇÖs mapped to an endpoint but that endpoint is unhealthy.

+In a profile with Subnet routing, if you have an endpoint with that is disabled, Traffic Manager will behave as if that endpoint and the subnet mappings it has doesnΓÇÖt exist. If a query that would have matched with its IP address mapping is received and the endpoint is disabled, Traffic Manager will return a fallback endpoint (one with no mappings) or if such an endpoint isnΓÇÖt present, will return an NXDOMAIN response.

+MultiValue routing returns multiple healthy endpoints in a single query response. The main advantage of this is that, if an endpoint is unhealthy, the client has more options to retry without making another DNS call (which might return the same value from an upstream cache). This is applicable for availability-sensitive applications that want to minimize the downtime.

+We canΓÇÖt guarantee that the same set of endpoints will be returned in each query. This is also affected by the fact that some of the endpoints might go unhealthy at which point they wonΓÇÖt be included in the response

+When you use performance routing method, Traffic Manager picks the best Azure region for your end user to connect to by inspecting the source IP and EDNS Client Subnet (if passed in) and checking it against the network latency intelligence the service maintains. Real User Measurements enhances this for your end-user base by having their experience contribute to this latency table in addition to ensuring that this table adequately spans the end-user networks from where your end users connect to Azure. This leads to an increased accuracy in the routing of your end user.

+Real User Measurements measures and reports on only the latency to reach Azure regions. If youΓÇÖre using performance-based routing with endpoints hosted in non-Azure regions, you can still benefit from this feature by having increased latency information about the representative Azure region you had selected to be associated with this endpoint.

+Yes, Real User Measurements is designed to ingest data collected through different type of end-user clients. This FAQ will be updated as new types of client applications get supported.

+When Real User Measurements is used with the measurement JavaScript provided, each page rendering results in six measurements being taken. These are then reported back to the Traffic Manager service. You are charged for this feature based on the number of measurements reported to Traffic Manager service. For example, if the user navigates away from your webpage while the measurements are being taken but before it was reported, those measurements arenΓÇÖt considered for billing purposes.

+No, thereΓÇÖs no programmed delay before the script is invoked.

+No, each time itΓÇÖs invoked, the Real User Measurements script measures a set of six Azure regions as determined by the service. This set changes between different invocations and when a large number of such invocations happen, the measurement coverage spans across different Azure regions.

+The measurement JavaScript is embedded within your webpage and you are in complete control over when to start and stop using it. As long as the Traffic Manager service receives a request for a list of Azure regions to be measured, a set of regions is returned.

+Since the measurement logic is run from your client application, you are in full control of what happens including seeing the latency measurements. Traffic Manager doesnΓÇÖt report an aggregate view of the measurements received under the key linked to your subscription.

+When you embed the measurement script to a web page, it will be possible for others to see the script and your Real User Measurements (RUM) key. But itΓÇÖs important to know that this key is different from your subscription ID and is generated by Traffic Manager to be used only for this purpose. Knowing your RUM key wonΓÇÖt compromise your Azure account safety.

+While itΓÇÖs possible for others to use your key to send wrong information to Azure, a few wrong measurements wonΓÇÖt change the routing since itΓÇÖs taken into account along with all the other measurements we receive. If you need to change your keys, you can regenerate the key at which point the old key becomes discarded.

+No, it doesn't need to use Traffic Manager. The routing side of Traffic Manager operates separately from the Real User Measurement part and although itΓÇÖs a great idea to have them both in the same web property, they don't need to be.

+As mentioned in the previous answer, the server-side components of Real User Measurements are owned and managed by Azure. This means your Azure bandwidth usage wonΓÇÖt increase because you use Real User Measurements. This doesnΓÇÖt include any bandwidth usage outside of what Azure charges. We minimize the bandwidth used by downloading only a single pixel image to measurement the latency to an Azure region.

+- The Azure regions to which theyΓÇÖre getting routed to.

+Traffic View gives you the overall view of the traffic your Traffic Manager profiles receive. In particular, it can be used to understand where your user base connects from and equally importantly what their average latency experience is. You can then use this information to find areas in which you need to focus, for example, by expanding your Azure footprint to a region that can serve those users with lower latency. Another insight you can derive from using Traffic View is to see the patterns of traffic to different regions, which in turn can help you make decisions on increasing or decreasing invent in those regions.

+Traffic View creates its output by processing the data from the seven days preceding the day before when itΓÇÖs viewed by you. This is a moving window and the latest data will be used each time you visit.

+When you use external endpoints hosted outside Azure regions in a Traffic Manager profile, you can choose to have it mapped to an Azure region, which is a proxy for its latency characteristics (this is in fact needed if you use performance routing method). If it has this Azure region mapping, that Azure region's latency metrics will be used when creating the Traffic View output. If no Azure region is specified, the latency information will be empty in the data for those external endpoints.

+Traffic View pricing is based on the number of data points used to create the output. Currently, the only data type supported is the queries your profile receives. In addition, youΓÇÖre only billed for the processing that was done when you have Traffic View enabled. This means that, if you enable Traffic View for some time period in a month and turn it off during other times, only the data points processed while you had the feature enabled count towards your bill.

+Using endpoints from multiple subscriptions isnΓÇÖt possible with Azure Web Apps. Azure Web Apps requires that any custom domain name used with Web Apps is only used within a single subscription. It isnΓÇÖt possible to use Web Apps from multiple subscriptions with the same domain name.

+For other endpoint types, itΓÇÖs possible to use Traffic Manager with endpoints from more than one subscription. In Resource Manager, endpoints from any subscription can be added to Traffic Manager, as long as the person configuring the Traffic Manager profile has read access to the endpoint. These permissions can be granted using [Azure role-based access control (Azure RBAC role)](../role-based-access-control/role-assignments-portal.md). Endpoints from other subscriptions can be added using [Azure PowerShell](/powershell/module/az.trafficmanager/new-aztrafficmanagerendpoint) or the [Azure CLI](/cli/azure/network/traffic-manager/endpoint#az_network_traffic_manager_endpoint_create).

+Traffic Manager doesnΓÇÖt currently provide IPv6-addressable name servers. However, Traffic Manager can still be used by IPv6 clients connecting to IPv6 endpoints. A client doesnΓÇÖt make DNS request directly to Traffic Manager. Instead, the client uses a recursive DNS service. An IPv6-only client sends requests to the recursive DNS service via IPv6. Then the recursive service should be able to contact the Traffic Manager name servers using IPv4.

+Typically, Traffic Manager is used to direct traffic to applications deployed in different regions. However, it can also be used where an application has more than one deployment in the same region. The Traffic Manager Azure endpoints donΓÇÖt permit more than one Web App endpoint from the same Azure region to be added to the same Traffic Manager profile.

+Traffic Manager is a single, global service. It isnΓÇÖt regional. The choice of resource group location makes no difference to Traffic Manager profiles deployed in that resource group.

+Azure Resource Manager requires all resource groups to specify a location, which determines the default location for resources deployed in that resource group. When you create a Traffic Manager profile, itΓÇÖs created in a resource group. All Traffic Manager profiles use **global** as their location, overriding the resource group default.

+Traffic manager canΓÇÖt provide any certificate validation, including:

+* Server-side certificates arenΓÇÖt validated

+* SNI server-side certificates arenΓÇÖt validated

+* Client certificates arenΓÇÖt supported

+Traffic Manager allows you to use IPv4 or IPv6 addresses to specify endpoints. There are a few restrictions, which are listed below:

+- Addresses that correspond to reserved private IP address spaces arenΓÇÖt allowed. These addresses include those called out in RFC 1918, RFC 6890, RFC 5737, RFC 3068, RFC 2544 and RFC 5771

+No, Traffic Manager doesnΓÇÖt allow you to mix endpoint addressing types within a profile, except for the case of a profile with MultiValue routing type where you can mix IPv4 and IPv6 addressing types

+Yes, you can with the exception that a profile of type MultiValue canΓÇÖt be a parent profile in a nested profile set.

+### I stopped a web application endpoint in my Traffic Manager profile but IΓÇÖm not receiving any traffic even after I restarted it. How can I fix this?

+### Can I use Traffic Manager even if my application doesnΓÇÖt have support for HTTP or HTTPS?

+When TCP monitoring is used, Traffic Manager starts a three-way TCP handshake by sending a SYN request to endpoint at the specified port. It then waits for an SYN-ACK response from the endpoint for a period of time (specified in the timeout settings).

+- If an SYN-ACK response is received within the timeout period specified in the monitoring settings, then that endpoint is considered healthy. A FIN or FIN-ACK is the expected response from the Traffic Manager when it regularly terminates a socket.

+- If an SYN-ACK response is received after the specified timeout, the Traffic Manager will respond with an RST to reset the connection.

+- you can specify how long to wait before a health check request times out (minimum time-out value is 5 sec).

+- you can specify the time-to-live (TTL) for the DNS response to be as low as 0. Doing so means that DNS resolvers canΓÇÖt cache the response and each new query gets a response that incorporates the most up-to-date health information that the Traffic Manager has.

+Traffic Manager allows you to specify custom headers in the HTTP(S) health checks it initiates to your endpoints. If you want to specify a custom header, you can do that at the profile level (applicable to all endpoints) or specify it at the endpoint level. If a header is defined at both levels, then the one specified at the endpoint level will override the profile level 1.

+One of the metrics provided by Traffic Manager is the health status of endpoints in a profile. You can see this as an aggregate of all endpoints inside a profile (for example, 75% of your endpoints are healthy), or, at a per endpoint level. Traffic Manager metrics are exposed through Azure Monitor and you can use its [alerting capabilities](../azure-monitor/alerts/alerts-metric.md) to get notifications when thereΓÇÖs a change in the health status of your endpoint. For more information, see [Traffic Manager metrics and alerts](traffic-manager-metrics-alerts.md).

+Nested Traffic Manager profiles can be configured using both the Azure Resource Manager and the classic Azure REST APIs, Azure PowerShell cmdlets and cross-platform Azure CLI commands. TheyΓÇÖre also supported via the new Azure portal.

+You can nest profiles up to 10 levels deep. 'Loops' arenΓÇÖt permitted.

+ThereΓÇÖs no negative pricing impact of using nested profiles.

+* Endpoint health checks: ThereΓÇÖs no charge for a child profile when configured as an endpoint in a parent profile. Monitoring of the endpoints in the child profile is billed in the usual way.

+No. ThereΓÇÖs no performance impact incurred when using nested profiles.

+The Traffic Manager name servers traverse the profile hierarchy internally when processing each DNS query. A DNS query to a parent profile can receive a DNS response with an endpoint from a child profile. A single CNAME record is used whether youΓÇÖre using a single profile or nested profiles. ThereΓÇÖs no need to create a CNAME record for each profile in the hierarchy.

+| Disabled. The child profile has been disabled. |Stopped |The parent endpoint state is Stopped, not Disabled. The Disabled state is reserved for indicating that youΓÇÖve disabled the endpoint in the parent profile. |

+* [I stopped a web application endpoint in my Traffic Manager profile but I'm not receiving any traffic even after I restarted it. How can I fix this?](./traffic-manager-faqs.md#i-stopped-a-web-application-endpoint-in-my-traffic-manager-profile-but-im-not-receiving-any-traffic-even-after-i-restarted-it-how-can-i-fix-this)

+* [Can I use Traffic Manager even if my application doesn't have support for HTTP or HTTPS?](./traffic-manager-faqs.md#can-i-use-traffic-manager-even-if-my-application-doesnt-have-support-for-http-or-https)

+* [Does an endpoint need to be physically located in the same region as the one it's configured with for geographic routing?](./traffic-manager-faqs.md#does-an-endpoint-need-to-be-physically-located-in-the-same-region-as-the-one-its-configured-with-for-geographic-routing)

+* [Can I assign geographic regions to endpoints in a profile that isn't configured to do geographic routing?](./traffic-manager-faqs.md#can-i-assign-geographic-regions-to-endpoints-in-a-profile-that-isnt-configured-to-do-geographic-routing)

+ Title: Migrate automatically from Azure Virtual Desktop (classic) - Azure

+# Migrate automatically from Azure Virtual Desktop (classic)

+The migration module tool lets you migrate your organization from Azure Virtual Desktop (classic) to Azure Virtual Desktop automatically. This article will show you how to use the tool.

+ Install-Module -Name Microsoft.RdInfra.RDPowershell.Migration -AllowClobber

+>You can only create 500 application groups for each Azure Active Directory tenant. We added this limit because of service limitations for retrieving feeds for our users. This limit doesn't apply to app groups created in Azure Virtual Desktop (classic).

+This script creates a virtual machine scale set and attaches and prepares data disks.

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+This script uses the commands outlined in the following table:

+This script creates a virtual machine scale set that uses a custom VM image as the source for the VM instances.

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+This script uses the commands outlined in the following table:

+| [az group create](/cli/azure/ad/group#az-ad-group-create) | Creates a resource group in which all resources are stored. |

+| [az vm create](/cli/azure/vm#az-vm-create) | Creates an Azure virtual machine. |

+| [az sig create](/cli/azure/sig#az-sig-create) | Creates a shared image gallery. |

+| [az sig image-definition create](/cli/azure/sig/image-definition#az-sig-image-definition-create) | Creates a gallery image definition. |

+| [az sig image-version create](/cli/azure/sig/image-version#az-sig-image-version-create) | Create a new image version. |

+This script creates an Azure virtual machine scale set with an Ubuntu operating system and related networking resources including a load balancer. After running the script, you can access the VM instances over SSH.

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+This script uses the commands outlined in the following table:

+This script creates a virtual machine scale set running Ubuntu and uses host-based metrics to automatically scale as CPU load changes.

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+This script uses the commands outlined in the following table:

+This script creates a virtual machine scale set running Ubuntu and uses the Custom Script Extension to install a basic web application. After running the script, you can access the web app through a web browser.

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+This script uses the commands outlined in the following table:

+This script creates a virtual machine scale set running Ubuntu in a single Availability Zone. After running the script, you can access the virtual machine over RDP.

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+This script uses the commands outlined in the following table:

+This script creates a virtual machine scale set running Ubuntu across multiple Availability Zones. After running the script, you can access the virtual machine over RDP.

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+Managed boot diagnostics can be enabled through the Azure portal, CLI and ARM Templates.

+SQL Server proportional fill mechanism distributes reads and writes to all datafiles evenly provided all SQL Server data files are the same size and have the same freespace. SAP on SQL Server will deliver the best performance when reads and writes are distributed evenly across all available datafiles. If a database has too few datafiles or datafiles with very different sizes the best method to correct this is an R3load export and import. An R3load export and import involves downtime and should only be done if there is an obvious performance problem that needs to be resolved

+If the datafiles are only moderately different sizes, increase all datafiles to the same size and SQL Server will rebalance data over time.

+SQL Server will automatically grow datafiles evenly if traceflag 1117 is set or if SQL Server 2016 or higher is used

+- January 30, 2022: Adding context about SQL Server proprotional fill and expectations that SQL server data files should be the same size and should have the same free space in [SQL Server Azure Virtual Machines DBMS deployment for SAP NetWeaver](./dbms_guide_sqlserver.md)

+ Title: SAP Information Lifecycle Management with Microsoft Azure Blob Storage | Microsoft Docs

+description: SAP Information Lifecycle Management with Microsoft Azure Blob Storage

+documentationcenter: ''

+editor: ''

+tags: azure-resource-manager

+keywords: ''

+ vm-linux

+# SAP Information Lifecycle Management (ILM) with Microsoft Azure Blob Storage

+SAP Information Lifecycle Management (ILM) provides a broad range of capabilities for managing data

+volumes, Retention Management as well as the decommissioning of legacy systems, while balancing the

+total cost of ownership, risk, and legal compliance. SAP ILM Store (a component of ILM) would enable

+storing of these archive files and attachments from SAP system into Microsoft Azure Blob storage, thus

+enabling cloud storage.

+

+## How to

+This document covers creation and configuration of Azure blob storage account to be used with SAP

+ILM. This account will be used to store archive data from S/4HANA System.

+The steps to be followed to create a storage account are:

+1. Register a new application with your subscription.

+2. Create a Blob storage account.

+3. Create a new custom role or use an existing (build-In or custom) role.

+4. Assign the role to application to allow access to the storage account.

+> [!NOTE]

+> Steps 2, 3 and 4 can either be done manually or by using the Microsoft Quickstart template.

+### QuickStart template approach:

+This is an automated approach to create the Azure account. You can find the template in the [Azure Quickstart Templates library](https://azure.microsoft.com/resources/templates/sap-ilm-store/).

+### Manual configuration approach:

+Azure blob storage account can be configured manually.

+The steps to be followed are:

+1. Register a new application

+The details are available at [Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app)

+ > [!NOTE]

+ > Make sure that Client secret is added as per the section Add Credentials ΓÇô Add a Client Secret

+1. Create a Blob Storage account

+Refer steps in the page [Create a storage account](/azure/storage/common/storage-account-create?tabs=azure-portal)

+Ensure "Enable secure transfer" is set.

+It is recommended to set the following property values:

+ * Enable blob public access = false

+ * Minimum TLS Version = 1.2

+ * Enable storage account key access = false

+1. Maintain IAM for the account

+In the Access Control (IAM) setting, go to "Role Assignments" and add "Role assignment" for

+the App created with the role of "Storage Blob Data Contributor". In the App dialog, choose

+"User, group or Service Principal" for "Assign Access to" field.

+ > [!NOTE]

+ > Ensure no other user has access to this storage account apart from the registered application.

+During the process of the account setup and configuration, it is recommended to refer to [Security recommendations for Blob Storage](/azure/storage/blobs/security-recommendations)

+With the completion of this setup, we are ready to use this blob storage account with SAP ILM

+to store archive files from S/4 HANA System.

+## Next steps

+* [SAP ILM on the SAP help portal](https://help.sap.com/doc/c3b6eda797634474b7a3aac5a48e84d5/1610%20001/en-US/frameset.htm)

+| **PowerPlatformInfra** | This tag represents the IP addresses used by the infrastructure to host Power Platform services. | Outbound | Yes | No |