-If you haven't already done so, [register a web application in Azure Active Directory B2C](tutorial-register-applications.md).

-

-

-3. Application segment URLΓÇÖs (internal and external) need to maintain uniqueness across complex applications.

-To configure (and update) Application Segments for a complex app using the API, you first [create a wildcard application](application-proxy-wildcard.md#create-a-wildcard-application), and then update the application's onPremisesPublishing property to configure the application segments and respective CORS settings.

-> 2 application segment per complex application are supported for [Microsoft Azure AD premium subscription](https://azure.microsoft.com/pricing/details/active-directory). Licence requirement for more than 2 application segments per complex application to be announced soon.

-If successful, this method returns a `204 No Content` response code and does not return anything in the response body.

-## Example

-##### Request

-Here is an example of the request.

-```http

-PATCH https://graph.microsoft.com/beta/applications/{<object-id-of--the-complex-app-under-APP-Registrations}

-Content-type: application/json

-{

- "onPremisesPublishing": {

- "onPremisesApplicationSegments": [

- {

- "externalUrl": "https://home.contoso.net/",

- "internalUrl": "https://home.test.com/",

- "alternateUrl": "",

- "corsConfigurations": []

- },

- {

- "externalUrl": "https://assets.constoso.net/",

- "internalUrl": "https://assets.test.com",

- "alternateUrl": "",

- "corsConfigurations": [

- {

- "resource": "/",

- "allowedOrigins": [

- "https://home.contoso.net/"

- ],

- "allowedHeaders": [

- "*"

- ],

- "allowedMethods": [

- "*"

- ],

- "maxAgeInSeconds": 0

- }

- ]

- }

- ]

- }

-}

-```

-##### Response

-```http

-HTTP/1.1 204 No Content

-```

->Azure AD CBA supports both certificates on-device as well as external storage like security keys on Windows.

-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).

- **Example of** [**Permissions Management Report**](https://microsoft.sharepoint.com/:v:/t/MicrosoftEntraPermissionsManagementAssets/EQWmUsMsdkZEnFVv-M9ZoagBd4B6JUQ2o7zRTupYrfxbGA)

- - To view details about the task, select the down arrow in the table.

- - A **Normal Task** icon displays to the left of the task name if the task is normal (that is, not risky).

- - A **Deleted Task** icon displays to the left of the task name if the task involved deleting data.

- - A **High-Risk Task** icon displays to the left of the task name if the task is high-risk.

-# Pilot cloud sync for an existing synced AD forest

-This tutorial walks you through piloting cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.

-1. Ensure that you're familiar with basics of cloud sync.

-1. Ensure that you're running Azure AD Connect sync version 1.4.32.0 or later and have configured the sync rules as documented.

-1. When piloting, you'll be removing a test OU or group from Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD.

-

- A new link type has been introduced in Azure AD Connect sync, which will prevent the deletion in a piloting scenario.

-1. Ensure that the objects in the pilot scope have ms-ds-consistencyGUID populated so cloud sync hard matches the objects.

-1. This configuration is for advanced scenarios. Ensure that you follow the steps documented in this tutorial precisely.

-Run the following command to download the templates for `Microsoft.Identity.Web`, which we'll make use of in this tutorial.

-```dotnetcli

-dotnet new --install Microsoft.Identity.Web.ProjectTemplates

-```

-Then, run the following command to create the application. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name.

-> [!div class="nextstepaction"]

-To create the app, you need the latest Blazor templates. You can install them for the .NET Core CLI with the following command:

-```dotnetcli

-dotnet new install Microsoft.Identity.Web.ProjectTemplates

-```

-Then run the following command to create the application. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name.

-> [!div class="nextstepaction"]

-* [Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

-Microsoft 365 Groups is the membership service for access across Microsoft 365. They can be created from the Azure portal, or the Microsoft 365 portal. When you create a Microsoft 365 Group, you grant access to a group of resources for collaboration.

-* [Microsoft 365 portal](https://admin.microsoft.com/)

-> [!NOTE]

-> The External Identities collaboration feaure in Azure AD controls permissions. You can increase restrictions in Teams, but restrictions can't be lower than Azure AD settings.

-> [!NOTE]

-> If you enable Azure AD B2B integration, then SharePoint and OneDrive sharing is subject to the Azure AD organizational relationships settings, such as **Members can invite** and **Guests can invite**.

-[What is Conditional Access?](../conditional-access/overview.md)

- * Instead, use the [OAuth2 permission grant model for Microsoft Graph](/graph/api/resources/oauth2permissiongrant)

-* [Use PowerShell to enumerate members of privileged roles](/powershell/module/azuread/get-azureaddirectoryrolemember):

-* [Use OAuth 2.0 scopes](../develop/v2-permissions-and-consent.md) to limit the functionality a service account can access on a resource

- * [Overview of Microsoft Graph permissions](/graph/permissions-reference)

- * [Azure Storage](../../storage/index.yml)

- * [Azure Event Hubs](../../event-hubs/index.yml), or

-* Use [PowerShell](/powershell/module/azuread/get-azureadserviceprincipaloauth2permissiongrant) to [build automation to check and document](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09) scopes for service account

-* Use PowerShell to [review service principal credentials](https://github.com/AzureAD/AzureADAssessment) and confirm validity

- * [what is Azure Key Vault?](../../key-vault/general/basic-concepts.md)

-The free PowerShell sample collects service principal OAuth2 grants and credential information, records them in a comma-separated values (CSV) file, and a Power BI sample dashboard. For more information, see [Microsoft Azure AD Assessment, Assessor Guide](https://github.com/AzureAD/AzureADAssessment).

-* [Monitor sign-ins](../reports-monitoring/concept-sign-ins.md) and resource access by the service account

-# Securing service principals

-An Azure Active Directory (Azure AD) [service principal](../develop/app-objects-and-service-principals.md) is the local representation of an application object in a single tenant or directory. It functions as the identity of the application instance. Service principals define who can access the application, and what resources the application can access. A service principal is created in each tenant where the application is used, and references the globally unique application object. The tenant secures the service principal sign-in and access to resources.

-A multi-tenant application is homed in a single tenant and has instances in other tenants. Most software-as-a-service (SaaS) applications accommodate multi-tenancy. Use service principals to ensure the needed security posture for the application and its users in single-tenant and multi-tenant scenarios.

-An application instance has two properties: the ApplicationID (also known as ClientID) and the ObjectID.

-> It's possible the terms application and service principal are used interchangeably when referring to an application in the context of authentication-related tasks. However, they are two representations of applications in Azure AD.

-The ApplicationID represents the global application and is the same for application instances across tenants. The ObjectID is a unique value for an application object. As with users, groups, and other resources, the ObjectID helps to identify an application instance in Azure AD.

-To learn more, see [Application and service principal relationship](../develop/app-objects-and-service-principals.md).

-You can create an application and its service principal object (ObjectID) in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, the Azure portal, and other tools.

-

-When using service principalsΓÇöclient certificates and client secrets, there are two mechanisms for authentication.

-

-Certificates are more secure, therefore use them, if possible. Unlike client secrets, client certificates can't be embedded in code, accidentally. When possible, use Azure Key Vault for certificate and secrets management to encrypt the following assets with keys protected by hardware security modules:

-For more information on Azure Key Vault and how to use it for certificate and secret management, see

-[About Azure Key Vault](../../key-vault/general/overview.md) and [Assign a Key Vault access policy using the Azure portal](../../key-vault/general/assign-access-policy-portal.md).

-Use the following table to match challenges and mitigations, when using service principals.

-| ChallengesΓÇï| MitigationsΓÇï |

-| Access reviews for service principals assigned to privileged roles| This functionality is in preview, and not widely available |

-| Reviews service principal access| Manual check of resource access control list using the Azure portal |

-| Over-permissioned service principals| When you create automation service accounts or or service principals, provide permissions required for the task. Evaluate service principals to reduce privileges |

-|Identify modifications to service principal credentials or authentication methods |Use the Sensitive Operations Report workbook to mitigate. See also the Tech Community blog post [Azure AD workbook to help you assess Solorigate risk](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718).|

-Run the following commands to find accounts using service principals with Azure CLI or PowerShell.

-Azure CLI:

-`az ad sp list`

-PowerShell:

-`Get-AzureADServicePrincipal -All:$true`

-For more information see [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal).

-To assess the security of your service principals, ensure you evaluate privileges and credential storage.

-Mitigate potential challenges using the following information.

-|Challenges | Mitigations|

-| Detect the user who consented to a multi-tenant app, and detect illicit consent grants to a multi-tenant app | Run the following PowerShell to find multi-tenant apps.<br>`Get-AzureADServicePrincipal -All:$true ? {$_.Tags -eq WindowsAzureActiveDirectoryIntegratedApp"}`<br>Disable user consent. <br>Allow user consent from verified publishers, for selected permissions (recommended) <br> Configure them in the user context. Use their tokens to trigger the service principal.|

-|Tracking who uses the certificate or the secretΓÇï| Monitor the service principal sign-ins using the Azure AD sign-in logs|

-Can't manage service principal sign-in with Conditional Access| Monitor the sign-ins using the Azure AD sign-in logs

-| Contributor is the default Azure role-based access control (RBAC) role|Evaluate needs and apply the role with the least possible permissions|

-## Move from a user account to a service principalΓÇï

-If you're using an Azure user account as a service principal, evaluate if you can move to a [Managed Identity](../../app-service/overview-managed-identity.md?tabs=dotnet) or a service principal. If you can't use a managed identity, provision a service principal with enough permissions and scope to run the required tasks. You can create a service principal by [registering an application](../develop/howto-create-service-principal-portal.md), or with [PowerShell](../develop/howto-authenticate-service-principal-powershell.md).

-When using Microsoft Graph, check the API documentation. See, [Create an Azure service principal](/powershell/azure/create-azure-service-principal-azureps). Ensure the permission type for application is supported.

-## Next steps

-Learn more about service principals:

-[Create a service principal](../develop/howto-create-service-principal-portal.md)

-[Monitor service principal sign-ins](../reports-monitoring/concept-sign-ins.md)

-Learn more about securing service accounts:

-[Introduction to Azure service accounts](service-accounts-introduction-azure.md)

-[Securing managed identities](service-accounts-managed-identities.md)

-[Governing Azure service accounts](service-accounts-governing-azure.md)

-[Introduction to on-premises service accounts](service-accounts-on-premises.md)

-Use Conditional Access to block service principals from untrusted locations. See, [Create a location-based Conditional Access policy](../conditional-access/workload-identity.md#create-a-location-based-conditional-access-policy).

-description: A guide to securing standalone managed service accounts.

-Standalone managed service accounts (sMSAs) are managed domain accounts that you use to help secure one or more services that run on a server. They can't be reused across multiple servers. sMSAs provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate management to other administrators.

-In Active Directory, sMSAs are tied to a specific server that runs a service. You can find these accounts listed in the Active Directory Users and Computers snap-in of the Microsoft Management Console.

-

-Managed service accounts were introduced with Windows Server 2008 R2 Active Directory Schema, and they require at least Windows Server 2008 R2ΓÇï.

-## Benefits of using sMSAs

-sMSAs offer greater security than user accounts that are used as service accounts. At the same time, to help reduce administrative overhead, they:

-* **Set strong passwords**: sMSAs use 240-byte, randomly generated complex passwords. The complexity and length of sMSA passwords minimizes the likelihood of a service getting compromised by brute force or dictionary attacks.

-* **Cycle passwords regularly**: Windows automatically changes the sMSA password every 30 days. Service and domain administrators donΓÇÖt need to schedule password changes or manage the associated downtime.

-* **Simplify SPN management**: Service principal names are automatically updated if the domain functional level is Windows Server 2008 R2. For instance, the service principal name is automatically updated when you:

- * Rename the host computer account.

- * Change the domain name server (DNS) name of the host computer.

- * Add or remove other sam-accountname or dns-hostname parameters by using [PowerShell](/powershell/module/activedirectory/set-adserviceaccount).

-## When to use sMSAs

-sMSAs can simplify management and security tasks. Use sMSAs when you have one or more services deployed to a single server and you can't use a group managed service account (gMSA).

-> Although you can use sMSAs for more than one service, we recommend that each service have its own identity for auditing purposes.

-If the creator of the software canΓÇÖt tell you whether it can use an MSA, you must test your application. To do so, create a test environment and ensure that it can access all required resources. For more information, see [Create and install an sMSA](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting).

-### Assess the security posture of sMSAs

-sMSAs are inherently more secure than standard user accounts, which require ongoing password management. However, it's important to consider sMSAsΓÇÖ scope of access as part of their overall security posture.

-To see how to mitigate potential security issues posed by sMSAs, refer to the following table:

-| sMSA is a member of privileged groups. | <li>Remove the sMSA from elevated privileged groups, such as Domain Admins.<li>Use the *least privileged* model, and grant the sMSA only the rights and permissions it requires to run its services.<li>If you're unsure of the required permissions, consult the service creator. |

-| sMSA has read/write access to sensitive resources. | <li>Audit access to sensitive resources.<li>Archive audit logs to a Security Information and Event Management (SIEM) program, such as Azure Log Analytics or Microsoft Sentinel, for analysis.<li>Remediate resource permissions if an undesirable level of access is detected. |

-| By default, the sMSA password rollover frequency is 30 days. | You can use group policy to tune the duration, depending on enterprise security requirements. To set the password expiration duration, use the following path:<br>*Computer Configuration\Policies\Windows Settings\Security Settings\Security Options*. For domain member, use **Maximum machine account password age**. |

-| | |

-### Challenges with sMSAs

-The challenges associated with sMSAs are as follows:

-| sMSAs can be used on a single server only. | Use a gMSA if you need to use the account across servers. |

-| sMSAs can't be used across domains. | Use a gMSA if you need to use the account across domains. |

-| Not all applications support sMSAs. | Use a gMSA if possible. Otherwise, use a standard user account or a computer account, as recommended by the application creator. |

-| | |

-On any domain controller, run DSA.msc, and then expand the managed service accounts container to view all sMSAs.

-To return only sMSAs in the Active Directory domain, run the following command:

-To manage your sMSAs, you can use the following Active Directory PowerShell cmdlets:

-If an application service supports sMSAs but not gMSAs, and you're currently using a user account or computer account for the security context, [Create and install an sMSA](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting) on the server.

-Ideally, you would move resources to Azure and use Azure Managed Identities or service principals.

-To learn more about securing service accounts, see the following articles:

-* [Introduction to on-premises service accounts](service-accounts-on-premises.md)

-* [Secure computer accounts](service-accounts-computer.md)

-* [Secure user accounts](service-accounts-user-on-premises.md)

-description: A guide to securing user-based service accounts.

-Using on-premises user accounts is the traditional approach to helping secure services that run on Windows. Use these accounts as a last resort when group managed service accounts (gMSAs) and standalone managed service accounts (sMSAs) aren't supported by your service. For information about selecting the best type of account to use, see [Introduction to on-premises service accounts](service-accounts-on-premises.md).

-You might also want to investigate whether you can move your service to use an Azure service account such as a managed identity or a service principal.

-You can create on-premises user accounts to provide a security context for the services and permissions that the accounts require to access local and network resources. On-premises user accounts require manual password management, much like any other Active Directory user account. Service and domain administrators are required to observe strong password management processes to help keep these accounts secure.

-When you create a user account as a service account, use it for a single service only. Name it in a way that makes it clear that it's a service account and which service it's for.

-On-premises user accounts can provide significant benefits. They're the most versatile account type for use with services. User accounts used as service accounts can be controlled by all the policies that govern normal user accounts. But you should use them only if you can't use an MSA. Also evaluate whether a computer account is a better option.

-The challenges associated with the use of on-premises user accounts are summarized in the following table:

-| Password management is a manual process that can lead to weaker security and service downtime.| <li>Make sure that password complexity and password changes are governed by a robust process that ensures regular updates with strong passwords.<li>Coordinate password changes with a password update on the service, which will help reduce service downtime. |

-| Identifying on-premises user accounts that are acting as service accounts can be difficult. | <li>Document and maintain records of service accounts that are deployed in your environment.<li>Track the account name and the resources to which they're assigned access.<li>Consider adding a prefix of "svc-" to all user accounts that are used as service accounts. |

-| | |

-On-premises user accounts are just like any other Active Directory user account. It can be difficult to find such accounts, because no single attribute of a user account identifies it as a service account.

-We recommend that you create an easily identifiable naming convention for any user account that you use as a service account. For example, you might add "svc-" as a prefix and name the service ΓÇ£svc-HRDataConnector.ΓÇ¥

-You can use some of the following criteria to find these service accounts. However, this approach might not find all accounts, such as:

-* Accounts that are trusted for delegation.

-* Accounts with service principal names.

-* Accounts with passwords that are set to never expire.

-To find the on-premises user accounts you've created for services, you can run the following PowerShell commands.

-To find accounts that are trusted for delegation:

-To find accounts that have service principal names:

-To find accounts with passwords that are set to never expire:

-You can also audit access to sensitive resources, and archive audit logs to a security information and event management (SIEM) system. By using systems such as Azure Log Analytics or Microsoft Sentinel, you can search for and analyze and service accounts.

-## Assess the security of on-premises user accounts

-You can assess the security of on-premises user accounts that are being used as service accounts by using the following criteria:

-* What is the password management policy?

-* Is the account a member of any privileged groups?

-* Does the account have read/write permissions to important resources?

-Potential security issues and their mitigations for on-premises user accounts are summarized in the following table:

-| Password management.| <li>Ensure that password complexity and password change are governed by a robust process that includes regular updates and strong password requirements.<li>Coordinate password changes with a password update to minimize service downtime. |

-| The account is a member of privileged groups.| <li>Review group memberships.<li>Remove the account from privileged groups.<li>Grant the account only the rights and permissions it requires to run its service (consult with service vendor). For example, you might be able to deny sign-in locally or deny interactive sign-in. |

-| The account has read/write permissions to sensitive resources.| <li>Audit access to sensitive resources.<li>Archive audit logs to a SIEM (Azure Log Analytics or Microsoft Sentinel) for analysis.<li>Remediate resource permissions if an undesirable level of access is detected. |

-| | |

-## Move to more secure account types

-Microsoft doesn't recommend that you use on-premises user accounts as service accounts. For any service that uses this type of account, assess whether it can instead be configured to use a gMSA or an sMSA.

-Additionally, evaluate whether the service itself could be moved to Azure so that more secure service account types can be used.

-To learn more about securing service accounts, see the following articles:

-* [Introduction to on-premises service accounts](service-accounts-on-premises.md)

-* [Secure computer accounts](service-accounts-computer.md)

-

-|SuccessFactors to Active Directory User Provisioning|FormatDateTime([endDate], ,"M/d/yyyy hh:mm:ss tt"," yyyyMMddHHmmss.fZ ")|On-premises AD string attribute|[Attribute mappings for SAP Success Factors](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)|

-description: Learn how to download, install and run the setup wizard for Azure AD Connect.

-# Getting started with Azure AD Connect using express settings

-Azure AD Connect **Express Settings** is used when you have a single-forest topology and [password hash synchronization](how-to-connect-password-hash-synchronization.md) for authentication. **Express Settings** is the default option and is used for the most commonly deployed scenario. You are only a few short clicks away to extend your on-premises directory to the cloud.

-Before you start installing Azure AD Connect, make sure to [download Azure AD Connect](https://go.microsoft.com/fwlink/?LinkId=615771) and complete the pre-requisite steps in [Azure AD Connect: Hardware and prerequisites](how-to-connect-install-prerequisites.md).

-If express settings does not match your topology, see [related documentation](#related-documentation) for other scenarios.

-1. Sign in as a local administrator to the server you wish to install Azure AD Connect on. You should do this on the server you wish to be the sync server.

-2. Navigate to and double-click **AzureADConnect.msi**.

-3. On the Welcome screen, select the box agreeing to the licensing terms and click **Continue**.

-4. On the Express settings screen, click **Use express settings**.

- 

-5. On the Connect to Azure AD screen, enter the username and password of a Hybrid Identity Administrator for your Azure AD. Click **Next**.

- 

- If you receive an error and have problems with connectivity, then see [Troubleshoot connectivity problems](tshoot-connect-connectivity.md).

-6. On the Connect to AD DS screen, enter the username and password for an enterprise admin account. You can enter the domain part in either NetBios or FQDN format, that is, FABRIKAM\administrator or fabrikam.com\administrator. Click **Next**.

- 

-7. The [**Azure AD sign-in configuration**](plan-connect-user-signin.md#azure-ad-sign-in-configuration) page only shows if you did not complete [verify your domains](../fundamentals/add-custom-domain.md) in the [prerequisites](how-to-connect-install-prerequisites.md).

- 

- If you see this page, then review every domain marked **Not Added** and **Not Verified**. Make sure those domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains.

-8. On the Ready to configure screen, click **Install**.

- * Optionally on the Ready to configure page, you can unselect the **Start the synchronization process as soon as configuration completes** checkbox. You should unselect this checkbox if you want to do additional configuration, such as [filtering](how-to-connect-sync-configure-filtering.md). If you unselect this option, the wizard configures sync but leaves the scheduler disabled. It does not run until you enable it manually by [rerunning the installation wizard](how-to-connect-installation-wizard.md).

- * Leaving the **Start the synchronization process as soon as configuration completes** checkbox enabled will immediately trigger a full synchronization to Azure AD of all users, groups, and contacts.

- * If you have Exchange in your on-premises Active Directory, then you also have an option to enable [**Exchange Hybrid deployment**](/exchange/exchange-hybrid). Enable this option if you plan to have Exchange mailboxes both in the cloud and on-premises at the same time.

- 

-9. When the installation completes, click **Exit**.

-10. After the installation has completed, sign off and sign in again before you use Synchronization Service Manager or Synchronization Rule Editor.

-## Next steps

-Now that you have Azure AD Connect installed you can [verify the installation and assign licenses](how-to-connect-post-installation.md).

-Learn more about these features, which were enabled with the installation: [Automatic upgrade](how-to-connect-install-automatic-upgrade.md), [Prevent accidental deletes](how-to-connect-sync-feature-prevent-accidental-deletes.md), and [Azure AD Connect Health](how-to-connect-health-sync.md).

-Learn more about these common topics: [scheduler and how to trigger sync](how-to-connect-sync-feature-scheduler.md).

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

-## Related documentation

-| Azure AD Connect overview | [Integrate your on-premises directories with Azure Active Directory](whatis-hybrid-identity.md)

-| Install using customized settings | [Custom installation of Azure AD Connect](how-to-connect-install-custom.md) |

-description: This document describes how to move the Azure AD Connect database from the local SQL Server Express server to a remote SQL Server.

-# Move Azure AD Connect database from SQL Server Express to SQL Server

-This document describes how to move the Azure AD Connect database from the local SQL Server Express server to a remote SQL Server. You can use the following procedures below to accomplish this task.

-## About this scenario

-The following is some brief information about this scenario. In this scenario, Azure AD Connect version (1.1.819.0) is installed on a single Windows Server 2016 domain controller. It is using the built-in SQL Server 2012 Express Edition for its database. The database will be moved to a SQL Server 2017 server.

-

-Use the following steps to move the Azure AD Connect database to a remote SQL Server.

-1. On the Azure AD Connect server, go to **Services** and stop the **Microsoft Azure AD Sync** service.

-2. Locate the **%ProgramFiles%\Microsoft Azure AD Sync\Data** folder and copy the **ADSync.mdf** and **ADSync_log.ldf** files to the remote SQL Server.

-3. Restart the **Microsoft Azure AD Sync** service on the Azure AD Connect server.

-4. Un-install Azure AD Connect by going to Control Panel

-5. On the remote SQL server, open SQL Server Management Studio.

-6. On Databases, right-click and select Attach.

-7. On the **Attach Databases** screen, click **Add** and navigate to the ADSync.mdf file. Click **OK**.

- 

-8. Once the database is attached, go back to the Azure AD Connect server and install Azure AD Connect.

-9. Once the MSI installation completes, the Azure AD Connect wizard starts with the Express mode setup. Close the screen by clicking the Exit icon.

- 

-10. Start a new command prompt or PowerShell session. Navigate to folder \<drive>\program files\Microsoft Azure AD Connect. Run command .\AzureADConnect.exe /useexistingdatabase to start the Azure AD Connect wizard in ΓÇ£Use existing databaseΓÇ¥ setup mode.

- 

-11. You are greeted with the Welcome to Azure AD Connect screen. Once you agree to the license terms and privacy notice, click **Continue**.

- 

-12. On the **Install required components** screen, the **Use an existing SQL Server** option is enabled. Specify the name of the SQL server that is hosting the ADSync database. If the SQL engine instance used to host the ADSync database is not the default instance on the SQL server, you must specify the SQL engine instance name. Further, if SQL browsing is not enabled, you must also specify the SQL engine instance port number. For example:

- 

-13. On the **Connect to Azure AD** screen, you must provide the credentials of a Hybrid Identity Administrator of your Azure AD directory. The recommendation is to use an account in the default onmicrosoft.com domain. This account is only used to create a service account in Azure AD and is not used after the wizard has completed.

- 

-

-14. On the **Connect your directories** screen, the existing AD forest configured for directory synchronization is listed with a red cross icon beside it. To synchronize changes from an on-premises AD forest, an AD DS account is required. The Azure AD Connect wizard is unable to retrieve the credentials of the AD DS account stored in the ADSync database because the credentials are encrypted and can only be decrypted by the previous Azure AD Connect server. Click **Change Credentials** to specify the AD DS account for the AD forest.

- 

-

-15. In the pop-up dialog, you can either (i) provide an Enterprise Admin credential and let Azure AD Connect create the AD DS account for you, or (ii) create the AD DS account yourself and provide its credential to Azure AD Connect. Once you have selected an option and provide the necessary credentials, click **OK** to close the pop-up dialog.

- 

-

-16. Once the credentials are provided, the red cross icon is replaced with a green tick icon. Click **Next**.

- 

-

-17. On the **Ready to configure** screen, click **Install**.

- 

-

-18. Once installation completes, the Azure AD Connect server is automatically enabled for Staging Mode. It is recommended that you review the server configuration and pending exports for unexpected changes before disabling Staging Mode.

-## Next steps

-Only Hybrid Identity Administrators or Hybrid Identity administrators can install an Authentication Agent (by using Azure AD Connect or standalone) on an on-premises server. Installation adds two new entries to the **Control Panel** > **Programs** > **Programs and Features** list:

-1. Azure AD first requests that a Hybrid Identity Administratoristrator or hybrid identity administrator sign in to Azure AD with their credentials. During sign-in, the Authentication Agent acquires an access token that it can use on behalf of the

-4. Azure AD validates the access token in the registration request and verifies that the request came from a Hybrid Identity Administrator or hybrid identity administrator.

-You can combine Pass-through Authentication with the [Seamless Single Sign-On](how-to-connect-sso.md) feature. This way, when your users are accessing applications on their corporate machines inside your corporate network, they don't need to type in their passwords to sign in.

-For a list of URLs and IP addresses you need to open in your firewall, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) and [Troubleshooting Azure AD Connect connectivity](tshoot-connect-connectivity.md#troubleshoot-connectivity-issues-in-the-installation-wizard).

-description: Explains how to troubleshoot connectivity issues with Azure AD Connect.

-# Troubleshoot Azure AD connectivity

-This article explains how connectivity between Azure AD Connect and Azure AD works and how to troubleshoot connectivity issues. These issues are most likely to be seen in an environment with a proxy server.

-## Troubleshoot connectivity issues in the installation wizard

-Azure AD Connect uses the MSAL library for authentication. The installation wizard and the sync engine proper require machine.config to be properly configured since these two are .NET applications.

->[!NOTE]

->Azure AD Connect v1.6.xx.x uses the ADAL library. The ADAL library is being deprecated and support will end in June 2022. Microsoft recommends that you upgrade to the latest version of [Azure AD Connect v2](whatis-azure-ad-connect-v2.md).

-In this article, we show how Fabrikam connects to Azure AD through its proxy. The proxy server is named fabrikamproxy and is using port 8080.

-First we need to make sure [**machine.config**](how-to-connect-install-prerequisites.md#connectivity) is correctly configured and **Microsoft Azure AD Sync service** has been restarted once after the machine.config file update.

-

-> In some non-Microsoft blogs, it is documented that changes should be made to miiserver.exe.config instead. However, this file is overwritten on every upgrade so even if it works during initial install, the system stops working on first upgrade. For that reason, the recommendation is to update machine.config instead.

->

->

-Of these URLs, the following table is the absolute bare minimum to be able to connect to Azure AD at all. This list does not include any optional features, such as password writeback, or Azure AD Connect Health. It is documented here to help in troubleshooting for the initial configuration.

-| mscrl.microsoft.com |HTTP/80 |Used to download CRL lists. |

-| \*.verisign.com |HTTP/80 |Used to download CRL lists. |

-| \*.entrust.net |HTTP/80 |Used to download CRL lists for MFA. |

-| \*.management.core.windows.net (Azure Storage)</br>\*.graph.windows.net (Azure AD Graph)|HTTPS/443|Used for the various Azure services|

-| secure.aadcdn.microsoftonline-p.com |HTTPS/443 |Used for MFA. |

-| \*.microsoftonline.com |HTTPS/443 |Used to configure your Azure AD directory and import/export data. |

-| \*.crl3.digicert.com |HTTP/80 |Used to verify certificates. |

-| \*.crl4.digicert.com |HTTP/80 |Used to verify certificates. |

-| \*.ocsp.digicert.com |HTTP/80 |Used to verify certificates. |

-| \*.www.d-trust.net |HTTP/80 |Used to verify certificates. |

-| \*.root-c3-ca2-2009.ocsp.d-trust.net |HTTP/80 |Used to verify certificates. |

-| \*.crl.microsoft.com |HTTP/80 |Used to verify certificates. |

-| \*.oneocsp.microsoft.com |HTTP/80 |Used to verify certificates. |

-| \*.ocsp.msocsp.com |HTTP/80 |Used to verify certificates. |

-The installation wizard is using two different security contexts. On the page **Connect to Azure AD**, it is using the currently signed in user. On the page **Configure**, it is changing to the [account running the service for the sync engine](reference-connect-accounts-permissions.md#adsync-service-account). If there is an issue, it appears most likely already at the **Connect to Azure AD** page in the wizard since the proxy configuration is global.

-The following issues are the most common errors you encounter in the installation wizard.

-### The installation wizard has not been correctly configured

-This error appears when the wizard itself cannot reach the proxy.

-

-* If you see this error, verify the [machine.config](how-to-connect-install-prerequisites.md#connectivity) has been correctly configured.

-* If that looks correct, follow the steps in [Verify proxy connectivity](#verify-proxy-connectivity) to see if the issue is present outside the wizard as well.

-If you use a **Microsoft account** rather than a **school or organization** account, you see a generic error.

-

-### The MFA endpoint cannot be reached

-This error appears if the endpoint `https://secure.aadcdn.microsoftonline-p.com` cannot be reached and your Hybrid Identity Administrator has MFA enabled.

-

-* If you see this error, verify that the endpoint **secure.aadcdn.microsoftonline-p.com** has been added to the proxy.

-### The password cannot be verified

-If the installation wizard is successful in connecting to Azure AD, but the password itself cannot be verified you see this error:

-

-* Is the password a temporary password and must be changed? Is it actually the correct password? Try to sign in to `https://login.microsoftonline.com` (on another computer than the Azure AD Connect server) and verify the account is usable.

-To verify if the Azure AD Connect server has actual connectivity with the Proxy and Internet, use some PowerShell to see if the proxy is allowing web requests or not. In a PowerShell prompt, run `Invoke-WebRequest -Uri https://adminwebservice.microsoftonline.com/ProvisioningService.svc`. (Technically the first call is to `https://login.microsoftonline.com` and this URI works as well, but the other URI is faster to respond.)

-PowerShell uses the configuration in machine.config to contact the proxy. The settings in winhttp/netsh should not impact these cmdlets.

-If the proxy is correctly configured, you should get a success status:

-

-If you receive **Unable to connect to the remote server**, then PowerShell is trying to make a direct call without using the proxy or DNS is not correctly configured. Make sure the **machine.config** file is correctly configured.

-

-If the proxy is not correctly configured, you get an error:

-

-

-| 403 |Forbidden |The proxy has not been opened for the requested URL. Revisit the proxy configuration and make sure the [URLs](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) have been opened. |

-| 407 |Proxy Authentication Required |The proxy server required a sign-in and none was provided. If your proxy server requires authentication, make sure to have this setting configured in the machine.config. Also make sure you are using domain accounts for the user running the wizard and for the service account. |

-When Azure AD Connect sends an export request to Azure AD, Azure AD can take up to 5 minutes to process the request before generating a response. This can happen especially if there are a number of group objects with large group memberships included in the same export request. Ensure the Proxy idle timeout is configured to be greater than 5 minutes. Otherwise, intermittent connectivity issue with Azure AD may be observed on the Azure AD Connect server.

-## The communication pattern between Azure AD Connect and Azure AD

-If you have followed all these preceding steps and still cannot connect, you might at this point start looking at network logs. This section is documenting a normal and successful connectivity pattern. It is also listing common red herrings that can be ignored when you are reading the network logs.

-* There are calls to `https://dc.services.visualstudio.com`. It is not required to have this URL open in the proxy for the installation to succeed and these calls can be ignored.

-* You see that dns resolution lists the actual hosts to be in the DNS name space nsatc.net and other namespaces not under microsoftonline.com. However, there are not any web service requests on the actual server names and you do not have to add these URLs to the proxy.

-* The endpoints adminwebservice and provisioningapi are discovery endpoints and used to find the actual endpoint to use. These endpoints are different depending on your region.

-Here is a dump from an actual proxy log and the installation wizard page from where it was taken (duplicate entries to the same endpoint have been removed). This section can be used as a reference for your own proxy and network logs. The actual endpoints might be different in your environment (in particular those URLs in *italic*).

-| 1/11/2016 8:31 |connect://login.microsoftonline.com:443 |

-**Initial Sync**

-This section covers errors that can be returned from ADAL (the authentication library used by Azure AD Connect) and PowerShell. The error explained should help you in understand your next steps.

-### Invalid Grant

-Invalid username or password. For more information, see [The password cannot be verified](#the-password-cannot-be-verified).

-### Unknown User Type

-Your Azure AD directory cannot be found or resolved. Maybe you try to login with a username in an unverified domain?

-### User Realm Discovery Failed

-Network or proxy configuration issues. The network cannot be reached. See [Troubleshoot connectivity issues in the installation wizard](#troubleshoot-connectivity-issues-in-the-installation-wizard).

-### User Password Expired

-### Authorization Failure

-Failed to authorize user to perform action in Azure AD.

-### Authentication Canceled

-The multi-factor authentication (MFA) challenge was canceled.

-### Connect To MSOnline Failed

-### Azure AD Global Administrator Role Needed

-User was authenticated successfully. However user is not assigned Global Administrator role. This is [how you can assign Global Administrator role](../roles/permissions-reference.md) to the user.

-### Privileged Identity Management Enabled

-Authentication was successful. Privileged identity management has been enabled and you are currently not a Hybrid Identity Administrator. For more information, see [Privileged Identity Management](../privileged-identity-management/pim-getting-started.md).

-### Company Information Unavailable

-Authentication was successful. Could not retrieve company information from Azure AD.

-### Domain Information Unavailable

-Authentication was successful. Could not retrieve domain information from Azure AD.

-### Unspecified Authentication Failure

-Shown as Unexpected error in the installation wizard. Can happen if you try to use a **Microsoft Account** rather than a **school or organization account**.

-## Troubleshooting steps for previous releases.

-With releases starting with build number 1.1.105.0 (released February 2016), the sign-in assistant was retired. This section and the configuration should no longer be required, but is kept as reference.

-For the single-sign in assistant to work, winhttp must be configured. This configuration can be done with [**netsh**](how-to-connect-install-prerequisites.md#connectivity).

-

-### The Sign-in assistant has not been correctly configured

-This error appears when the Sign-in assistant cannot reach the proxy or the proxy is not allowing the request.

-

-* If you see this error, look at the proxy configuration in [netsh](how-to-connect-install-prerequisites.md#connectivity) and verify it is correct.

- 

-* If that looks correct, follow the steps in [Verify proxy connectivity](#verify-proxy-connectivity) to see if the issue is present outside the wizard as well.

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

-description: This topic provides steps for how to troubleshoot issues with object synchronization using the troubleshooting task.

-This article provides steps for troubleshooting issues with object synchronization by using the troubleshooting task. To see how troubleshooting works in Azure Active Directory (Azure AD) Connect, watch [this short video](https://aka.ms/AADCTSVideo).

-For Azure AD Connect deployment with version 1.1.749.0 or higher, use the troubleshooting task in the wizard to troubleshoot object synchronization issues. For earlier versions, please troubleshoot manually as described [here](tshoot-connect-object-not-syncing.md).

-To run the troubleshooting task in the wizard, perform the following steps:

-1. Open a new Windows PowerShell session on your Azure AD Connect server with the Run as Administrator option.

-2. Run `Set-ExecutionPolicy RemoteSigned` or `Set-ExecutionPolicy Unrestricted`.

-3. Start the Azure AD Connect wizard.

-4. Navigate to the Additional Tasks page, select Troubleshoot, and click Next.

-5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.

-6. In the main menu, select Troubleshoot Object Synchronization.

-

-### Troubleshooting Input Parameters

-The following input parameters are needed by the troubleshooting task:

-1. **Object Distinguished Name** ΓÇô This is the distinguished name of the object that needs troubleshooting

-2. **AD Connector Name** ΓÇô This is the name of the AD forest where the above object resides.

-3. Azure AD tenant Hybrid Identity Administrator credentials

-

-1. Detect UPN mismatch if the object is synced to Azure Active Directory

-2. Check if object is filtered due to domain filtering

-3. Check if object is filtered due to OU filtering

-4. Check if object synchronization is blocked due to a linked mailbox

-5. Check if object is dynamic distribution group which is not supposed to be synchronized

-The rest of this section describes specific results that are returned by the task. In each case, the task provides an analysis followed by recommended actions to resolve the issue.

-## Detect UPN mismatch if object is synced to Azure Active Directory

-### UPN Suffix is NOT verified with Azure AD Tenant

-When UserPrincipalName (UPN)/Alternate Login ID suffix is not verified with the Azure AD Tenant, then Azure Active Directory replaces the UPN suffixes with the default domain name "onmicrosoft.com".

-

-### Azure AD Tenant DirSync Feature ΓÇÿSynchronizeUpnForManagedUsersΓÇÖ is disabled

-When the Azure AD Tenant DirSync Feature ΓÇÿSynchronizeUpnForManagedUsersΓÇÖ is disabled, Azure Active Directory does not allow synchronization updates to UserPrincipalName/Alternate Login ID for licensed user accounts with managed authentication.

-

-Object is out of scope due to domain not being configured. In the example below, the object is out of sync scope as the domain that it belongs to is filtered from synchronization.

-

-### Domain is configured to sync but is missing run profiles/run steps

-Object is out of scope as the domain is missing run profiles/run steps. In the example below, the object is out of sync scope as the domain that it belongs to is missing run steps for the Full Import run profile.

-

-The object is out of sync scope due to OU filtering configuration. In the example below, the object belongs to OU=NoSync,DC=bvtadwbackdc,DC=com. This OU is not included in sync scope.</br>

-

-## Linked Mailbox issue

-A linked mailbox is supposed to be associated with an external master account located in another trusted account forest. If there is no such external master account, then Azure AD Connect will not synchronize the user account corresponds to the linked mailbox in the Exchange forest to the Azure AD tenant.</br>

-

-## Dynamic Distribution Group issue

-Due to various differences between on-premises Active Directory and Azure Active Directory, Azure AD Connect does not synchronize dynamic distribution groups to the Azure AD tenant.

-

-## HTML Report

-In addition to analyzing the object, the troubleshooting task also generates an HTML report that has everything known about the object. This HTML report can be shared with support team to do further troubleshooting, if needed.

-

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

-description: Describes the tools used to synchronize and monitor your on-premises environment with Azure AD.

-# What is the Azure AD Connect Admin Agent?

->[!NOTE]

->The Azure AD Connect Admin Agent is no longer part of the Azure AD Connect installation and cannot be used with Azure AD Connect versions 2.1.12.0 and newer.

-The Azure AD Connect Administration Agent is a new component of Azure Active Directory Connect that can be installed on an Azure Active Directory Connect server. It is used to collect specific data from your Active Directory environment that helps a Microsoft support engineer to troubleshoot issues when you open a support case.

->[!NOTE]

->The admin agent is not installed and enabled by default. You must install the agent in order to collect data to assist with support cases.

-The Azure AD Connect Administration Agent waits for specific requests for data from Azure Active Directory. The agent then takes the requested data from the sync environment and sends it to Azure AD, where it is presented to the Microsoft support engineer.

-The information that the Azure AD Connect Administration Agent retrieves from your environment is not stored. The information is only displayed to the Microsoft support engineer to assist them in investigating and troubleshooting the Azure Active Directory Connect related support case.

-The Azure AD Connect Administration Agent is not installed on the Azure AD Connect Server by default.

-## Install the Azure AD Connect Administration Agent on the Azure AD Connect server

-1. Azure AD Connect is installed on the server

-2. Azure AD Connect Health is installed on the server

-

-The Azure AD Connect Administration Agent binaries are placed in the Azure AD Connect server. To install the agent, use the following steps:

-1. Open PowerShell in admin mode

-2. Navigate to the directory where the application is located cd "C:\Program Files\Microsoft Azure Active Directory Connect\Tools"

-3. Run ConfigureAdminAgent.ps1

-When prompted, please enter your Azure AD Hybrid Identity Administrator credentials. These credentials should be the same credentials entered during Azure AD Connect installation.

-After the agent is installed, you'll see the following two new programs in the "Add/Remove Programs" list in the Control Panel of your server:

-

-## What data in my Sync service is shown to the Microsoft service engineer?

-When you open a support case, the Microsoft Support Engineer can see, for a given user:

- - the relevant data in Active Directory

- - the Active Directory connector space in the Azure Active Directory Connect server

- - the Azure Active Directory connector space in the Azure Active Directory Connect server

- - the Metaverse in the Azure Active Directory Connect server.

-The Microsoft Support Engineer cannot change any data in your system and cannot see any passwords.

-## What if I don't want the Microsoft support engineer to access my data?

-Once the agent is installed, if you do not want the Microsoft service engineer to access your data for a support call, you can disable the functionality by modifying the service config file as described below:

-1. Open **C:\Program Files\Microsoft Azure AD Connect Administration Agent\AzureADConnectAdministrationAgentService.exe.config** in notepad.

-2. Disable **UserDataEnabled** setting as shown below. If **UserDataEnabled** setting exists and is set to true, then set it to false. If the setting does not exist, then add the setting as shown below.

-3. Save the config file.

-4. Restart Azure AD Connect Administration Agent service as shown below

-

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)

-$serverServicePrincipalObjectId = $serverServicePrincipal.Id

-$serverServicePrincipalObjectId = $serverServicePrincipal.Id

- `https://<SUBDOMAIN>.benchling.com`

-description: Learn how to provision Azure NetApp Files with Azure Kubernetes Service.

-#Customer intent: As a cluster operator or developer, I want to learn how to use Azure NetApp Files to provision volumes for Kubernetes environments.

-# Integrate Azure NetApp Files with Azure Kubernetes Service

-A persistent volume represents a piece of storage that has been provisioned for use with Kubernetes pods. A persistent volume can be used by one or many pods and can be dynamically or statically provisioned. This article shows you how to create [Azure NetApp Files][anf] volumes to be used by pods in an Azure Kubernetes Service (AKS) cluster.

-[Azure NetApp Files][anf] is an enterprise-class, high-performance, metered file storage service running on Azure. Kubernetes users have two options when it comes to using Azure NetApp Files volumes for Kubernetes workloads:

-* Create Azure NetApp Files volumes **statically**: In this scenario, the creation of volumes is achieved external to AKS; volumes are created using `az`/Azure UI and are then exposed to Kubernetes by the creation of a `PersistentVolume`. Statically created Azure NetApp Files volumes have lots of limitations (for example, inability to be expanded, needing to be over-provisioned, and so on) and are not recommended for most use cases.

-* Create Azure NetApp Files volumes **on-demand**, orchestrating through Kubernetes: This method is the **preferred** mode of operation for creating multiple volumes directly through Kubernetes and is achieved using [Astra Trident](https://docs.netapp.com/us-en/trident/https://docsupdatetracker.net/index.html). Astra Trident is a CSI-compliant dynamic storage orchestrator that helps provision volumes natively through Kubernetes.

-Using a CSI driver to directly consume Azure NetApp Files volumes from AKS workloads is **highly recommended** for most use cases. This requirement is fulfilled using Astra Trident, an open-source dynamic storage orchestrator for Kubernetes. Astra Trident is an enterprise-grade storage orchestrator purpose-built for Kubernetes, fully supported by NetApp. It simplifies access to storage from Kubernetes clusters by automating storage provisioning. You can take advantage of Astra Trident's Container Storage Interface (CSI) driver for Azure NetApp Files to abstract underlying details and create, expand, and snapshot volumes on-demand. Also, using Astra Trident enables you to use [Astra Control Service](https://cloud.netapp.com/astra-control) built on top of Astra Trident to backup, recover, move, and manage the application-data lifecycle of your AKS workloads across clusters within and across Azure regions to meet your business and service continuity needs.

-## Before you begin

-This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

-> [!IMPORTANT]

-> Your AKS cluster must also be [in a region that supports Azure NetApp Files][anf-regions].

-You also need the Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-### Prerequisites

-* Azure NetApp Files is only available [in selected Azure regions][anf-regions].

-* To use dynamic provisioning with Azure NetApp Files, install and configure [Astra Trident](https://docs.netapp.com/us-en/trident/https://docsupdatetracker.net/index.html) version 19.07 or later.

-Register the *Microsoft.NetApp* resource provider:

-```azurecli

-az provider register --namespace Microsoft.NetApp --wait

-```

-> [!NOTE]

-> This can take some time to complete.

-When you create an Azure NetApp account for use with AKS, you can create the account in an existing resource group or create a new one in the same region as the AKS cluster.

-The following example creates an account named *myaccount1* in the *myResourceGroup* resource group and *eastus* region:

-```azurecli

-az netappfiles account create \

- --resource-group myResourceGroup \

- --location eastus \

- --account-name myaccount1

-```

-Create a new capacity pool by using [az netappfiles pool create][az-netappfiles-pool-create]. The following example creates a new capacity pool named *mypool1* with 4 TB in size and *Premium* service level:

-```azurecli

-az netappfiles pool create \

- --resource-group myResourceGroup \

- --location eastus \

- --account-name myaccount1 \

- --pool-name mypool1 \

- --size 4 \

- --service-level Premium

-```

-Create a subnet to [delegate to Azure NetApp Files][anf-delegate-subnet] using [az network vnet subnet create][az-network-vnet-subnet-create]. *This subnet must be in the same virtual network as your AKS cluster.*

-```azurecli

-RESOURCE_GROUP=myResourceGroup

-VNET_NAME=$(az network vnet list --resource-group $RESOURCE_GROUP --query [].name -o tsv)

-VNET_ID=$(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query "id" -o tsv)

-SUBNET_NAME=MyNetAppSubnet

-az network vnet subnet create \

- --resource-group $RESOURCE_GROUP \

- --vnet-name $VNET_NAME \

- --name $SUBNET_NAME \

- --delegations "Microsoft.NetApp/volumes" \

- --address-prefixes 10.0.0.0/28

-```

-Volumes can either be provisioned statically or dynamically. Both options are covered in detail below.

-Create a volume by using [az netappfiles volume create][az-netappfiles-volume-create].

-```azurecli

-RESOURCE_GROUP=myResourceGroup

-LOCATION=eastus

-ANF_ACCOUNT_NAME=myaccount1

-POOL_NAME=mypool1

-SERVICE_LEVEL=Premium

-VNET_NAME=$(az network vnet list --resource-group $RESOURCE_GROUP --query [].name -o tsv)

-VNET_ID=$(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query "id" -o tsv)

-SUBNET_NAME=MyNetAppSubnet

-SUBNET_ID=$(az network vnet subnet show --resource-group $RESOURCE_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME --query "id" -o tsv)

-VOLUME_SIZE_GiB=100 # 100 GiB

-UNIQUE_FILE_PATH="myfilepath2" # Note that file path needs to be unique within all ANF Accounts

-az netappfiles volume create \

- --resource-group $RESOURCE_GROUP \

- --location $LOCATION \

- --account-name $ANF_ACCOUNT_NAME \

- --pool-name $POOL_NAME \

- --name "myvol1" \

- --service-level $SERVICE_LEVEL \

- --vnet $VNET_ID \

- --subnet $SUBNET_ID \

- --usage-threshold $VOLUME_SIZE_GiB \

- --file-path $UNIQUE_FILE_PATH \

- --protocol-types "NFSv3"

-```

-### Create the PersistentVolume

-List the details of your volume using [az netappfiles volume show][az-netappfiles-volume-show]

-```azurecli

-az netappfiles volume show \

- --resource-group $RESOURCE_GROUP \

- --account-name $ANF_ACCOUNT_NAME \

- --pool-name $POOL_NAME \

- --volume-name "myvol1" -o JSON

-```

-```output

-{

- ...

- "creationToken": "myfilepath2",

- ...

- "mountTargets": [

- "ipAddress": "10.0.0.4",

- ],

- ...

-}

-```

-Create a `pv-nfs.yaml` defining a PersistentVolume. Replace `path` with the *creationToken* and `server` with *ipAddress* from the previous command. For example:

-```yaml

-apiVersion: v1

-kind: PersistentVolume

-metadata:

- name: pv-nfs

-spec:

- capacity:

- storage: 100Gi

- accessModes:

- - ReadWriteMany

- mountOptions:

- - vers=3

- nfs:

- server: 10.0.0.4

- path: /myfilepath2

-```

-Update the *server* and *path* to the values of your NFS (Network File System) volume you created in the previous step. Create the PersistentVolume with the [kubectl apply][kubectl-apply] command:

-```console

-kubectl apply -f pv-nfs.yaml

-```

-Verify the *Status* of the PersistentVolume is *Available* using the [kubectl describe][kubectl-describe] command:

-```console

-kubectl describe pv pv-nfs

-```

-### Create the PersistentVolumeClaim

-Create a `pvc-nfs.yaml` defining a PersistentVolume. For example:

-```yaml

-apiVersion: v1

-kind: PersistentVolumeClaim

-metadata:

- name: pvc-nfs

-spec:

- accessModes:

- - ReadWriteMany

- storageClassName: ""

- resources:

- requests:

- storage: 1Gi

-```

-Create the PersistentVolumeClaim with the [kubectl apply][kubectl-apply] command:

-```console

-kubectl apply -f pvc-nfs.yaml

-```

-Verify the *Status* of the PersistentVolumeClaim is *Bound* using the [kubectl describe][kubectl-describe] command:

-```console

-kubectl describe pvc pvc-nfs

-```

-Create a `nginx-nfs.yaml` defining a pod that uses the PersistentVolumeClaim. For example:

-```yaml

-kind: Pod

-apiVersion: v1

-metadata:

- name: nginx-nfs

-spec:

- containers:

- - image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

- name: nginx-nfs

- command:

- - "/bin/sh"

- - "-c"

- - while true; do echo $(date) >> /mnt/azure/outfile; sleep 1; done

- volumeMounts:

- - name: disk01

- mountPath: /mnt/azure

- volumes:

- - name: disk01

- persistentVolumeClaim:

- claimName: pvc-nfs

-```

-Create the pod with the [kubectl apply][kubectl-apply] command:

-```console

-kubectl apply -f nginx-nfs.yaml

-```

-Verify the pod is *Running* using the [kubectl describe][kubectl-describe] command:

-```console

-kubectl describe pod nginx-nfs

-```

-Verify your volume has been mounted in the pod by using [kubectl exec][kubectl-exec] to connect to the pod then `df -h` to check if the volume is mounted.

-```console

-$ kubectl exec -it nginx-nfs -- sh

-```

-```output

-/ # df -h

-Filesystem Size Used Avail Use% Mounted on

-...

-10.0.0.4:/myfilepath2 100T 384K 100T 1% /mnt/azure

-...

-```

-To dynamically provision volumes, you need to install Astra Trident. Astra Trident is NetApp's dynamic storage provisioner that is purpose-built for Kubernetes. Simplify the consumption of storage for Kubernetes applications using Astra Trident's industry-standard [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) drivers. Astra Trident deploys in Kubernetes clusters as pods and provides dynamic storage orchestration services for your Kubernetes workloads.

-You can learn more from the [documentation]https://docs.netapp.com/us-en/trident/https://docsupdatetracker.net/index.html).

-Before proceeding to the next step, you will need to:

-1. **Install Astra Trident**. Trident can be installed using the operator/Helm chart/`tridentctl`. The instructions provided below explain how Astra Trident can be installed using the operator. To learn how the other install methods work, see the [Install Guide](https://docs.netapp.com/us-en/trident/trident-get-started/kubernetes-deploy.html).

-This section walks you through the installation of Astra Trident using the operator. You can also choose to install using one of its other methods:

-* [Helm chart](https://docs.netapp.com/us-en/trident/trident-get-started/kubernetes-deploy-operator.html).

-* [`tridentctl`](https://docs.netapp.com/us-en/trident/trident-get-started/kubernetes-deploy-tridentctl.html).

-See to [Deploying Trident](https://docs.netapp.com/us-en/trident/trident-get-started/kubernetes-deploy.html) to understand how each option works and identify the one that works best for you.

-Download Astra Trident from its [GitHub repository](https://github.com/NetApp/trident/releases). Choose from the desired version and download the installer bundle.

-```console

-#Download Astra Trident

-$ wget https://github.com/NetApp/trident/releases/download/v21.07.1/trident-installer-21.07.1.tar.gz

-$ tar xzvf trident-installer-21.07.1.tar.gz

-```

-Deploy the operator using `deploy/bundle.yaml`.

-```console

-$ kubectl create ns trident

-namespace/trident created

-$ kubectl apply -f trident-installer/deploy/bundle.yaml -n trident

-serviceaccount/trident-operator created

-clusterrole.rbac.authorization.k8s.io/trident-operator created

-clusterrolebinding.rbac.authorization.k8s.io/trident-operator created

-deployment.apps/trident-operator created

-podsecuritypolicy.policy/tridentoperatorpods created

-```

-Create a `TridentOrchestrator` to install Astra Trident.

-```console

-$ kubectl apply -f trident-installer/deploy/crds/tridentorchestrator_cr.yaml

-tridentorchestrator.trident.netapp.io/trident created

-```

-The operator installs by using the parameters provided in the `TridentOrchestrator` spec. You can learn about the configuration parameters and example backends from the extensive [installation](https://docs.netapp.com/us-en/trident/trident-get-started/kubernetes-deploy.html) and [backend guides](https://docs.netapp.com/us-en/trident/trident-use/backends.html).

-Confirm Astra Trident was installed.

-```console

-$ kubectl describe torc trident

-Name: trident

-Namespace:

-Labels: <none>

-Annotations: <none>

-API Version: trident.netapp.io/v1

-Kind: TridentOrchestrator

-...

-Spec:

- Debug: true

- Namespace: trident

-Status:

- Current Installation Params:

- IPv6: false

- Autosupport Hostname:

- Autosupport Image: netapp/trident-autosupport:21.01

- Autosupport Proxy:

- Autosupport Serial Number:

- Debug: true

- Enable Node Prep: false

- Image Pull Secrets:

- Image Registry:

- k8sTimeout: 30

- Kubelet Dir: /var/lib/kubelet

- Log Format: text

- Silence Autosupport: false

- Trident Image: netapp/trident:21.07.1

- Message: Trident installed

- Namespace: trident

- Status: Installed

- Version: v21.07.1

-Events:

- Type Reason Age From Message

- - - - -

- Normal Installing 74s trident-operator.netapp.io Installing Trident

- Normal Installed 67s trident-operator.netapp.io Trident installed

-```

-After Astra Trident is installed, create a backend that points to your Azure NetApp Files subscription.

-```console

-$ kubectl apply -f trident-installer/sample-input/backends-samples/azure-netapp-files/backend-anf.yaml -n trident

-secret/backend-tbc-anf-secret created

-tridentbackendconfig.trident.netapp.io/backend-tbc-anf created

-```

-Before running the command, you need to update `backend-anf.yaml` to include details about the Azure NetApp Files subscription, such as:

-* `subscriptionID` for the Azure subscription with Azure NetApp Files enabled. The

-* `tenantID`, `clientID`, and `clientSecret` from an [App Registration](../active-directory/develop/howto-create-service-principal-portal.md) in Azure Active Directory (AD) with sufficient permissions for the Azure NetApp Files service. The App Registration must carry the `Owner` or `Contributor` role thatΓÇÖs predefined by Azure.

-* Azure location that contains at least one delegated subnet.

-In addition, you can choose to provide a different service level. Azure NetApp Files provides three [service levels](../azure-netapp-files/azure-netapp-files-service-levels.md): Standard, Premium, and Ultra.

-A storage class is used to define how a unit of storage is dynamically created with a persistent volume. To consume Azure NetApp Files volumes, a storage class must be created. Create a file named `anf-storageclass.yaml` and copy in the manifest provided below.

-```yaml

-apiVersion: storage.k8s.io/v1

-kind: StorageClass

-metadata:

- name: azure-netapp-files

-provisioner: csi.trident.netapp.io

-parameters:

- backendType: "azure-netapp-files"

- fsType: "nfs"

-```

-Create the storage class using [kubectl apply][kubectl-apply] command:

-```console

-$ kubectl apply -f anf-storageclass.yaml

-storageclass/azure-netapp-files created

-$ kubectl get sc

-NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE

-azure-netapp-files csi.trident.netapp.io Delete Immediate false 3s

-```

-### Create a PersistentVolumeClaim

-A PersistentVolumeClaim (PVC) is a request for storage by a user. Upon the creation of a PersistentVolumeClaim, Astra Trident automatically creates an Azure NetApp Files volume and makes it available for Kubernetes workloads to consume.

-Create a file named `anf-pvc.yaml` and provide the following manifest. In this example, a 1-TiB volume is created that is *ReadWriteMany*.

-```yaml

-kind: PersistentVolumeClaim

-apiVersion: v1

-metadata:

- name: anf-pvc

-spec:

- accessModes:

- - ReadWriteMany

- resources:

- requests:

- storage: 1Ti

- storageClassName: azure-netapp-files

-```

-Create the persistent volume claim with the [kubectl apply][kubectl-apply] command:

-```console

-$ kubectl apply -f anf-pvc.yaml

-persistentvolumeclaim/anf-pvc created

-$ kubectl get pvc

-kubectl get pvc -n trident

-NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE

-anf-pvc Bound pvc-bffa315d-3f44-4770-86eb-c922f567a075 1Ti RWO azure-netapp-files 62s

-```

-After the PVC is created, a pod can be spun up to access the Azure NetApp Files volume. The manifest below can be used to define an NGINX pod that mounts the Azure NetApp Files volume that was created in the previous step. In this example, the volume is mounted at `/mnt/data`.

-Create a file named `anf-nginx-pod.yaml`, which contains the following manifest:

-```yml

-kind: Pod

-apiVersion: v1

-metadata:

- name: nginx-pod

-spec:

- containers:

- - name: nginx

- image: mcr.microsoft.com/oss/nginx/nginx:latest1.15.5-alpine

- resources:

- requests:

- cpu: 100m

- memory: 128Mi

- limits:

- cpu: 250m

- memory: 256Mi

- volumeMounts:

- - mountPath: "/mnt/data"

- name: volume

- volumes:

- - name: volume

- persistentVolumeClaim:

- claimName: anf-pvc

-```

-Create the pod with the [kubectl apply][kubectl-apply] command:

-```console

-$ kubectl apply -f anf-nginx-pod.yaml

-pod/nginx-pod created

-```

-Kubernetes has now created a pod with the volume mounted and accessible within the `nginx` container at `/mnt/data`. Confirm by checking the event logs for the pod using `kubectl describe`:

-```console

-$ kubectl describe pod nginx-pod

-[...]

-Volumes:

- volume:

- Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)

- ClaimName: anf-pvc

- ReadOnly: false

- default-token-k7952:

- Type: Secret (a volume populated by a Secret)

- SecretName: default-token-k7952

- Optional: false

-[...]

-Events:

- Type Reason Age From Message

- - - - -

- Normal Scheduled 15s default-scheduler Successfully assigned trident/nginx-pod to brameshb-non-root-test

- Normal SuccessfulAttachVolume 15s attachdetach-controller AttachVolume.Attach succeeded for volume "pvc-bffa315d-3f44-4770-86eb-c922f567a075"

- Normal Pulled 12s kubelet Container image "mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine" already present on machine

- Normal Created 11s kubelet Created container nginx

- Normal Started 10s kubelet Started container nginx

-```

-Astra Trident supports many features with Azure NetApp Files, such as:

-* [Expanding volumes](https://docs.netapp.com/us-en/trident/trident-use/vol-expansion.html)

-* [On-demand volume snapshots](https://docs.netapp.com/us-en/trident/trident-use/vol-snapshots.html)

-* [Importing volumes](https://docs.netapp.com/us-en/trident/trident-use/vol-import.html)

-* For more information on Azure NetApp Files, see [What is Azure NetApp Files][anf].

-[aks-nfs]: azure-nfs-volume.md

-[anf-waitlist]: https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR8cq17Xv9yVBtRCSlcD_gdVUNUpUWEpLNERIM1NOVzA5MzczQ0dQR1ZTSS4u

-[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply

-[kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

-[kubectl-exec]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#exec

-[use-tags]: use-tags.md

-[kubenet]: https://kubernetes.netlify.app/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#kubenet

-* Review the [prerequisites](/configure-azure-cni.md#prerequisites) for configuring basic Azure CNI networking in AKS, as the same prerequisites apply to this article.

-* Review the [deployment parameters](/configure-azure-cni.md#deployment-parameters) for configuring basic Azure CNI networking in AKS, as the same parameters apply.

-The [deployment parameters](/configure-azure-cni.md#deployment-parameters) for configuring basic Azure CNI networking in AKS are all valid, with two exceptions:

- --resourcegroup myresourcegroup \

-Once the connector is created, navigate to your [Power Apps](https://make.powerapps.com) or [Power Automate](https://flow.microsoft.com) environment. You will see the API listed under **Data > Custom Connectors**.

-> To call the API from the Power Apps test console, you need to add the `https://flow.microsoft.com` URL as an origin to the [CORS policy](cors-policy.md) in your API Management instance.

-Your certificate must be a wildcard certificate for the selected custom domain name. For example, *internal-contoso.com* would need a certificate covering **.internal-contoso.com*. If the certificate used custom domain suffix contains a Subject Alternate Name (SAN) entry for scm, for example **.scm.internal-contoso.com*, the scm site will also available using the custom domain suffix.

- --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.customerId=${logAnalyticsWorkspaceIdEnc}" \

- --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.sharedKey=${logAnalyticsKeyEnc}"

- --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.customerId=${logAnalyticsWorkspaceIdEnc}" `

- --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.sharedKey=${logAnalyticsKeyEnc}"

-Each slot of an app is configured separately. You can plug up to 100 private endpoints per slot. You can't share a private endpoint between slots.

-monikerRange: 'form-recog-2.1.0'

-# Install and run Form Recognizer v2.1 containers

-**This article applies to:**  **Form Recognizer v2.1**.

-In this article you'll learn how to download, install, and run Form Recognizer containers. Containers enable you to run the Form Recognizer service in your own environment. Containers are great for specific security and data governance requirements. Form Recognizer features are supported by six Form Recognizer feature containersΓÇö**Layout**, **Business Card**,**ID Document**, **Receipt**, **Invoice**, and **Custom** (for Receipt, Business Card and ID Document containers you'll also need the **Read** OCR container).

-> * To use Form Recognizer containers, you must submit an online request, and have it approved. For more information, _see_ [Request approval to run container](#request-approval-to-run-container) below.

-To get started, you'll need an active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).

-You'll also need the following to use Form Recognizer containers:

-| **Computer Vision API resource** | **To process business cards, ID documents, or Receipts, you'll need a Computer Vision resource.** <ul><li>You can access the Recognize Text feature as either an Azure resource (the REST API or SDK) or a **cognitive-services-recognize-text** [container](../../../cognitive-services/Computer-vision/computer-vision-how-to-install-containers.md#get-the-container-image). The usual [billing](#billing) fees apply.</li> <li>If you use the **cognitive-services-recognize-text** container, make sure that your Computer Vision key for the Form Recognizer container is the key specified in the Computer Vision `docker run` or `docker compose` command for the **cognitive-services-recognize-text** container and your billing endpoint is the container's endpoint (for example, `http://localhost:5000`). If you use both the Computer Vision container and Form Recognizer container together on the same host, they can't both be started with the default port of *5000*. </li></ul></br>Pass in both the key and endpoints for your Computer Vision Azure cloud or Cognitive Services container:<ul><li>**{COMPUTER_VISION_KEY}**: one of the two available resource keys.</li><li> **{COMPUTER_VISION_ENDPOINT_URI}**: the endpoint for the resource used to track billing information.</li></ul> |

-|||

-##### Read, Layout, and Prebuilt containers

-| Read 3.2 | `8` cores, 16-GB memory | `8` cores, 24-GB memory|

-| Layout 2.1 | `8` cores, 16-GB memory | `8` cores, 24-GB memory |

-| Business Card 2.1 | `2` cores, 4-GB memory | `4` cores, 4-GB memory |

-| ID Document 2.1 | `1` core, 2-GB memory |`2` cores, 2-GB memory |

-| Invoice 2.1 | `4` cores, 8-GB memory | `8` cores, 8-GB memory |

-| Receipt 2.1 | `4` cores, 8-GB memory | `8` cores, 8-GB memory |

-* The `EULA`, `Billing`, and `Key` values must be specified; otherwise the container won't start.

-In addition to the [prerequisites](#prerequisites), you'll need to do the following to process a custom document:

-#### &bullet; Create a folder to store the following files:

- 1. We'll reference the file path for this folder as **{SHARED_MOUNT_PATH}**.

- 1. Copy the file path in a convenient location, such as *Microsoft Notepad*. You'll need to add it to your **.env** file.

- 1. We'll reference the file path for this folder as **{OUTPUT_MOUNT_PATH}**.

- 1. Copy the file path in a convenient location, such as *Microsoft Notepad*. You'll need to add it to your **.env** file.

-* Gather a set of at least six forms of the same type. You'll use this data to train the model and test a form. You can use a [sample data set](https://go.microsoft.com/fwlink/?linkid=2090451) (download and extract *sample_data.zip*). Download the training files to the **shared** folder you created.

-* If you want to label your data, download the [Form Recognizer Sample Labeling tool for Windows](https://github.com/microsoft/OCR-Form-Tools/releases). The download will import the labeling tool .exe file that you'll use to label the data present on your local file system. You can ignore any warnings that occur during the download process.

- - "5000:5000"

-Queries to the container are billed at the pricing tier of the Azure resource that's used for the `Key`. You'll be billed for each container instance used to process your documents and images. Thus, If you use the business card feature, you'll be billed for the Form Recognizer `BusinessCard` and `Computer Vision Read` container instances. For the invoice feature, you'll be billed for the Form Recognizer `Invoice` and `Layout` container instances. *See*, [Form Recognizer](https://azure.microsoft.com/pricing/details/form-recognizer/) and Computer Vision [Read feature](https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/) container pricing.

-The [**docker-compose up**](https://docs.docker.com/engine/reference/commandline/compose_up/) command will start the container when all three of the following options are provided with valid values:

-| `Key` | The key of the Cognitive Services resource that's used to track billing information.<br/>The value of this option must be set to a key for the provisioned resource that's specified in `Billing`. |

-* **[Prebuilt receipt model](concept-receipt.md#supported-languages-and-locales-v30) ΓÇöadditional language support**:

- * English - United Arab Emirates (en-ae)

- * Dutch - Netherlands (nl-nl)

- * French - Canada (fr-ca)

- * Japanese - Japan (ja-jp)

- * Portuguese - Brazil (pt-br)

- * English - Australia (en-au), Canada (en-ca), Great Britain (en-gb), India (en-in)

- * Portuguese - Brazil (pt-br)

- * Tax items (en-in only)

- * [**prebuilt-invoice**](concept-invoice.md). The TotalVAT and Line/VAT fields will now resolve to the existing fields TotalTax and Line/Tax respectively.

-* **Supervised table labeling and training, empty-value labeling** - In addition to Form Recognizer's [state-of-the-art deep learning automatic table extraction capabilities](https://techcommunity.microsoft.com/t5/azure-ai/enhanced-table-extraction-from-documents-with-form-recognizer/ba-p/2058011), it now enables customers to label and train on tables. This new release includes the ability to label and train on line items/tables (dynamic and fixed) and train a custom model to extract key-value pairs and line items. Once a model is trained, the model will extract line items as part of the JSON output in the documentResults section.

- In addition to labeling tables, you can now label empty values and regions. If some documents in your training set don't have values for certain fields, you can label them so that your model will know to extract values properly from analyzed documents.

-* **Natural reading order, handwriting classification, and page selection** - With this update, you can choose to get the text line outputs in the natural reading order instead of the default left-to-right and top-to-bottom ordering. Use the new readingOrder query parameter and set it to "natural" value for a more human-friendly reading order output. In addition, for Latin languages, Form Recognizer will classify text lines as handwritten style or not and give a confidence score.

- * **New try-it-out feature in the Form Recognizer Sample and Labeling Tool** - Ability to try out prebuilt Invoice, Receipt, and Business Card models and the Layout API using the Form Recognizer Sample Labeling tool. See how your data will be extracted without writing any code.

- "AutomationAccountURL" = "<registrationurl>/<subscription-id>";

- "AutomationAccountURL" = "<registration-url>/<subscription-id>";

-Set-AzVMExtension -ResourceGroupName <VMResourceGroupName> -Location <VMLocation> -VMName <VMName> -Name "HybridWorkerExtension" -Publisher "Microsoft.Azure.Automation.HybridWorker" -ExtensionType HybridWorkerForLinux -TypeHandlerVersion 0.1 -Settings $settings

-New-AzConnectedMachineExtension -ResourceGroupName <VMResourceGroupName> -Location <VMLocation> -MachineName <VMName> -Name "HybridWorkerExtension" -Publisher "Microsoft.Azure.Automation.HybridWorker" -ExtensionType HybridWorkerForLinux -TypeHandlerVersion 0.1 -Setting $settings -NoWait

- - For Linux: you can find the troubleshooter at `/var/lib/waagent/Microsoft.Azure.Automation.HybridWorker.HybridWorkerForLinux/troubleshootLinuxExtension.py`

- - For Windows: the logs are located at `C:\HybridWorkerExtensionLogs`. The tool is at `C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows\<version>\bin\troubleshooter\PullLogs.ps1`.

- - For Linux: the logs are located at `/home/nxautomation/run`. The tool is at `/var/lib/waagent/Microsoft.Azure.Automation.HybridWorker.HybridWorkerForLinux/logcollector.py`.

-Azure Arc resource bridge must be configured for proxy so that it can connect to the Azure services. This configuration is handled automatically. However, proxy configuration of the management machine isn't configured by the Azure Arc resource bridge.

- |**Select an Azure Database Server**| Choose **Azure Cosmos DB for NoSQL** to create a document database that you can query by using a SQL syntax. [Learn more about the Azure Cosmos DB for NoSQL](../cosmos-db/introduction.md). |

-* [Microsoft Power Automate](https://flow.microsoft.com/) (was Microsoft Flow)

-| **Admin experience** |Manage Power Automate environments and data loss prevention (DLP) policies, track licensing: [Admin center](https://admin.flow.microsoft.com) |Manage resource groups, connections, access management, and logging: [Azure portal](https://portal.azure.com) |

-* Learn more about [Power Automate](https://ms.flow.microsoft.com).

-The instrumentation key identifies the resource that you want to associate with your telemetry data. You'll need to copy the instrumentation key and add it to your application's code.

-If you don't run the `az extension add` command, you'll see an error message that states: `az : ERROR: az monitor: 'app-insights' is not in the 'az monitor' command group. See 'az monitor --help'.`

-To send data from Application Insights to certain regions, you'll need to override the default endpoint addresses. Each SDK requires slightly different modifications, all of which are described in this article.

-The current snippet listed here is version 5. The version is encoded in the snippet as `sv:"#"`. The [current version is also available on GitHub](https://go.microsoft.com/fwlink/?linkid=2156318).

-If you currently use the [Application Insights REST API](/rest/api/application-insights/), which is normally accessed via `api.applicationinsights.io`, you'll need to use an endpoint that's local to your region.

-description: Redirect to OpenTelemetry agent

-# Azure Monitor OpenTelemetry-based auto-instrumentation for Java applications (redirect to OpenTelemetry)

-Whether you are deploying on-premises or in the cloud, you can use Microsoft's OpenTelemetry-based Java Auto-Instrumentation agent.

-For more information, see [Azure Monitor OpenTelemetry-based auto-instrumentation for Java applications](opentelemetry-enable.md?tabs=java#enable-azure-monitor-opentelemetry-for-net-nodejs-python-and-java-applications).

-For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

-## Next steps

-description: Azure Monitor seamlessly integrates with your application running on Azure Functions, and allows you to monitor the performance and spot the problems with your apps in no time.

-[Azure Functions](../../azure-functions/functions-overview.md) offers built-in integration with Azure Application Insights to monitor functions. For languages other than .NET and .NETCore additional language-specific workers/extensions are needed to get the full benefits of distributed tracing.

-The required Application Insights instrumentation is built into Azure Functions. The only thing you need is a valid instrumentation key to connect your function app to an Application Insights resource. The instrumentation key should be added to your application settings when your function app resource is created in Azure. If your function app doesn't already have this key, you can set it manually. For more information read more about [monitoring Azure Functions](../../azure-functions/functions-monitoring.md?tabs=cmd).

-For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

-If your applications are written in Java you can view richer data from your functions applications, including requests, dependencies, logs, and metrics. The additional data also lets you see and diagnose end-to-end transactions and see the application map, which aggregates many transactions to show a topological view of how the systems interact, and what the average performance and error rates are.

-The end-to-end diagnostics and the application map provide visibility into one single transaction/request. Together these two features are helpful for finding the root cause of reliability issues and performance bottlenecks on a per request basis.

-Navigate to the functions app Overview pane and go to configurations. Under Application Settings, click "+ New application setting".

-Add the following application settings with below values, then click Save on the upper left. DONE!

-> [!IMPORTANT]

-> This feature will have a cold start implication of 8-9 seconds in the Windows Consumption plan.

-#### Linux Consumption

-### Troubleshooting

-* Sometimes the latest version of the Application Insights Java agent is not

- available in Azure Function - it takes a few months for the latest versions to

- roll out to all regions. In case you need the latest version of Java agent to

- monitor your app in Azure Function to use a specific version of Application

- Insights Java Auto-instrumentation Agent, you can upload the agent manually:

-

- Please follow this [instruction](https://github.com/Azure/azure-functions-java-worker/wiki/Distributed-Tracing-for-Java-Azure-Functions#customize-distribute-agent).

-* Read about [requests and dependencies for Java apps](./opentelemetry-enable.md?tabs=java)

-# Azure Monitor best practices: Analyze and visualize data

-This article is part of the scenario [Recommendations for configuring Azure Monitor](best-practices.md). It describes built-in features in Azure Monitor for analyzing collected data. It also describes options for creating custom visualizations to meet the requirements of different users in your organization. Visualizations like charts and graphs can help you analyze your monitoring data to drill down on issues and identify patterns.

-The following sections describe Azure Monitor features that provide analysis of collected data without any configuration.

-### Overview page

-Most Azure services have an **Overview** page in the Azure portal that includes a **Monitor** section with charts that show recent critical metrics. This information is intended for owners of individual services to quickly assess the performance of the resource. Because this page is based on platform metrics that are collected automatically, configuration isn't required for this feature.

-### Metrics Explorer

-You can use Metrics Explorer to interactively work with metric data and create metric alerts. Typically, you need minimal training to use Metrics Explorer, but you must be familiar with the metrics you want to analyze. Configuration isn't required for this feature after data collection is configured. Platform metrics for Azure resources are automatically available. Guest metrics for virtual machines are available after an Azure Monitor agent is deployed to them. Application metrics are available after Application Insights is configured.

-### Log Analytics

-With Log Analytics, you can create log queries to interactively work with log data and create log query alerts. Some training is required for you to become familiar with the query language, although you can use prebuilt queries for common requirements. You can also add [query packs](logs/query-packs.md) with queries that are unique to your organization. Then if you're familiar with the query language, you can build queries for others in your organization.

-## Workbooks

-[Workbooks](./visualize/workbooks-overview.md) are the visualization platform of choice for Azure. They provide a flexible canvas for data analysis and the creation of rich visual reports. You can use workbooks to tap into multiple data sources from across Azure and combine them into unified interactive experiences. They're especially useful to prepare end-to-end monitoring views across multiple Azure resources.

-Insights use prebuilt workbooks to present you with critical health and performance information for a particular service. You can access a gallery of workbooks on the **Workbooks** tab of the Azure Monitor menu and create custom workbooks to meet the requirements of your different users.

-

-Common scenarios for workbooks:

-## Azure dashboards

-[Azure dashboards](../azure-portal/azure-portal-dashboards.md) are useful in providing a "single pane of glass" over your Azure infrastructure and services. While a workbook provides richer functionality, a dashboard can combine Azure Monitor data with data from other Azure services.

-Here's a video walk-through on how to create dashboards:

-Common scenarios for dashboards:

-For details on how to create a dashboard that includes data from Azure Monitor Logs, see [Create and share dashboards of Log Analytics data](visualize/tutorial-logs-dashboards.md). For details on how to create a dashboard that includes data from Application Insights, see [Create custom key performance indicator (KPI) dashboards using Application Insights](app/tutorial-app-dashboards.md).

-## Grafana

-Grafana has popular plug-ins and dashboard templates for APM tools such as Dynatrace, New Relic, and AppDynamics. You can use these resources to visualize Azure platform data alongside other metrics from higher in the stack collected by other tools. It also has AWS CloudWatch and GCP BigQuery plug-ins for multi-cloud monitoring in a single pane of glass.

-Common scenarios for Grafana:

-## Power BI

-Common scenarios for Power BI:

-## Azure Monitor partners

-## Custom application

-You can build your own custom websites and applications by using metric and log data in Azure Monitor accessed through a REST API. This approach gives you complete flexibility in UI, visualization, interactivity, and features.

-To define alerts and automated actions from Azure Monitor data, see [Alerts and automated actions](best-practices-alerts.md).

- - **Azure CLI**: Minimum version required for Azure CLI is [2.44.1 (link to release notes)](/cli/azure/release-notes-azure-cli#january-11-2023). See [How to update the Azure CLI](/cli/azure/update-azure-cli) for upgrade instructions.

-[Azure availability zones](../../availability-zones/az-overview.md) protect your applications and data from datacenter failures and can provide resilience for Azure Monitor features that rely on a Log Analytics workspace. When a workspace is linked to an availability zone, it remains active and operational even if a specific datacenter is malfunctioning or even down, by relying on the availability of other zones in the region. You donΓÇÖt need to do anything in order to switch to an alternative zone, or even be aware of the incident.

-## Typical latency

-Latency refers to the time that data is created on the monitored system and the time that it becomes available for analysis in Azure Monitor. The typical latency to ingest log data is *between 20 seconds and 3 minutes*. The specific latency for any particular data will vary depending on several factors that are explained in this article.

-Network conditions might negatively affect the latency of this data to reach an Azure Monitor Logs ingestion point.

-Azure data adds more time to become available at an Azure Monitor Logs ingestion point for processing:

-After the data is available at an ingestion point, it takes another 30 to 60 seconds to be available for querying.

-| Record received by Azure Monitor ingestion endpoint | [_TimeReceived](./log-standard-columns.md#_timereceived) | This field isn't optimized for mass processing and shouldn't be used to filter large datasets. |

-[Azure Logic Apps](../../logic-apps/index.yml) and [Power Automate](https://flow.microsoft.com) allow you to create automated workflows using hundreds of actions for various services. The Azure Monitor Logs connector allows you to build workflows that retrieve data from a Log Analytics workspace or an Application Insights application in Azure Monitor. This article describes the actions included with the connector and provides a walkthrough to build a workflow using this data.

- | storage-name | Account | Ingress | Sum | 80% of maximum ingress per alert evaluation period. For example, the limit is 60 Gbps for general-purpose v2 in West US. The threshold is 14,400 Gb per 5-minute evaluation period. |

- | namespaces-name | Event Hubs standard metrics | Incoming bytes | Sum | 80% of maximum ingress per alert evaluation period. For example, the limit is 1 MB/s per unit (TU or PU) and five units used. The threshold is 1,200 MB per 5-minute evaluation period. |

-All data from the table will be exported unless limitations are specified. This list is updated as more tables are added.

-$clusterResourceId = az monitor log-analytics cluster list --resource-group "resource-group-name" --query "[?contains(name, "cluster-name")].[id]" --output tsv

-| How can a user access logs? | On the **Azure Monitor** menu, select **Logs**.<br><br>Select **Logs** from **Log Analytics workspaces**.<br><br>From Azure Monitor [workbooks](../best-practices-analysis.md#workbooks). | Select **Logs** on the menu for the Azure resource. Users will have access to data for that resource.<br><br>Select **Logs** on the **Azure Monitor** menu. Users will have access to data for all resources they have access to.<br><br>Select **Logs** from **Log Analytics workspaces**. Users will have access to data for all resources they have access to.<br><br>From Azure Monitor [workbooks](../best-practices-analysis.md#workbooks). |

-# Monitor health of a Log Analytics workspace in Azure Monitor

-To make the integration easier, we support [Logic Apps](https://azure.microsoft.com/services/logic-apps/) and [Power Automate](https://preview.flow.microsoft.com/connectors/shared_videoindexer-v2/video-indexer-v2/) connectors that are compatible with the Azure Video Indexer API.

-To make the integration even easier, we support [Logic Apps](https://azure.microsoft.com/services/logic-apps/) and [Power Automate](https://preview.flow.microsoft.com/connectors/shared_videoindexer-v2/video-indexer-v2/) connectors that are compatible with our API. You can use the connectors to set up custom workflows to effectively index and extract insights from a large amount of video and audio files, without writing a single line of code. Furthermore, using the connectors for your integration gives you better visibility on the health of your workflow and an easy way to debug it. 

-| On-premises network | Private Cloud vCenter Server | TCP(HTTP) | 80 | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection helps if you use `http://server` instead of `https://server`. |

-| On-premises network | Private Cloud vCenter Server | TCP(HTTPS) | 443 | This port allows you to access vCenter Server from an on-premises network. The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. |

-| On-premises network | HCX Manager | TCP(HTTPS) | 9443 | Hybrid Cloud Manager Virtual Appliance Management Interface for Hybrid Cloud Manager system configuration. |

-| HCX Manager | Interconnect (HCX-IX) | TCP(HTTPS) | 8123 | HCX Bulk Migration Control |

-| HCX Manager | Interconnect (HCX-IX), Network Extension (HCX-NE) | HTTP TCP(HTTPS) | 9443 | Send management instructions to the local HCX Interconnect using the REST API. |

-| Interconnect (HCX-IX)| L2C | TCP(HTTPS) | 443 | Send management instructions from Interconnect to L2C when L2C uses the same path as the Interconnect. |

- var index = 'https://docsupdatetracker.net/index.html';

- if (process.env["HOME"] != null)

- {

- index = path.join(process.env["HOME"], "site", "wwwroot", index);

- }

- public static IActionResult Run([HttpTrigger(AuthorizationLevel.Anonymous)] HttpRequest req, ILogger log)

- string indexFile = "https://docsupdatetracker.net/index.html";

- if (Environment.GetEnvironmentVariable("HOME") != null)

- {

- indexFile = Path.Join(Environment.GetEnvironmentVariable("HOME"), "site", "wwwroot", indexFile);

- }

- var index = 'https://docsupdatetracker.net/index.html';

- if (process.env["HOME"] != null)

- {

- index = path.join(process.env["HOME"], "site", "wwwroot", index);

- }

- public static IActionResult Run([HttpTrigger(AuthorizationLevel.Anonymous)] HttpRequest req, ILogger log)

- string indexFile = "https://docsupdatetracker.net/index.html";

- if (Environment.GetEnvironmentVariable("HOME") != null)

- {

- indexFile = Path.Join(Environment.GetEnvironmentVariable("HOME"), "site", "wwwroot", indexFile);

- }

-Go to the [Power Automate site](https://preview.flow.microsoft.com/), and login. Then click **Create** and **Scheduled flow**.

-description: Learn about Communication Services' architecture.

-# Client and Server Architecture

-This page illustrates typical architectural components and dataflows in various Azure Communication Service scenarios. Relevant components include:

-1. **Client Application.** This website or native application is leveraged by end-users to communicate. Azure Communication Services provides [SDK client libraries](sdk-options.md) for multiple browsers and application platforms. In addition to our core SDKs, [a UI Library](https://aka.ms/acsstorybook) is available to accelerate browser app development.

-1. **Identity Management Service.** This service capability you build to map users and other concepts in your business logic to Azure Communication Services and also to create tokens for those users when required.

-1. **Call Management Service.** This service capability you build to manage and monitor voice and video calls. This service can create calls, invite users, call phone numbers, play audio, listen to DMTF tones and leverage many other call features through the Calling Automation SDK and REST APIs.

-## User access management

-Azure Communication Services clients must present `user access tokens` to access Communication Services resources securely. `User access tokens` should be generated and managed by a trusted service due to the sensitive nature of the token and the connection string or Azure AD authentication secrets necessary to generate them. Failure to properly manage access tokens can result in additional charges due to misuse of resources.

-### Dataflows

-1. The user starts the client application. The design of this application and user authentication scheme is in your control.

-2. The client application contacts your identity management service. The identity management service maintains a mapping between your users and other addressable objects (for example services or bots) to Azure Communication Service identities.

-3. The identity management service creates a user access token for the applicable identity. If no Azure Communication Services identity has been allocated the past, a new identity is created.

-### Resources

-> [!IMPORTANT]

-> For simplicity, we do not show user access management and token distribution in subsequent architecture flows.

-## Calling a user without push notifications

-The simplest voice and video calling scenarios involves a user calling another, in the foreground without push notifications.

-### Dataflows

-1. The accepting user initializes the Call client, allowing them to receive incoming phone calls.

-2. The initiating user needs the Azure Communication Services identity of the person they want to call. A typical experience may have a *friend's list* maintained by the identity management service that collates the user's friends and associated Azure Communication Service identities.

-3. The initiating user initializes their Call client and calls the remote user.

-4. The accepting user is notified of the incoming call through the Calling SDK.

-5. The users communicate with each other using voice and video in a call.

-### Resources

-## Joining a user-created group call

-You may want users to join a call without an explicit invitation. For example you may have a *social space* with an associated call, and users join that call at their leisure. In this first dataflow, we show a call that is initially created by a client.

-### Dataflows

-1. Initiating user initializes their Call client and makes a group call.

-2. The initiating user shares the group call ID with a Call management service.

-3. The Call Management Service shares the call ID with other users. For example, if the application orients around scheduled events, the group call ID might be an attribute of the scheduled event's data model.

-4. Other users join the call using the group call ID.

-5. The users communicate with each other using voice and video in a call.

-## Joining a scheduled Teams call

-Azure Communication Service applications can join Teams calls. This is ideal for many business-to-consumer scenarios, where the consumer is leveraging a custom application and custom identity, while the business-side is using Teams.

-### Dataflows

-1. The Call Management Service creates a group call with [Graph APIs](/graph/api/resources/onlinemeeting?view=graph-rest-1.0&preserve-view=true). Another pattern involves end users creating the group call using [Bookings](https://www.microsoft.com/microsoft-365/business/scheduling-and-booking-app), Outlook, Teams, or another scheduling experience in the Microsoft 365 ecosystem.

-2. The Call Management Service shares the Teams call details with Azure Communication Service clients.

-3. Typically, a Teams user must join the call and allow external users to join through the lobby. However this experience is sensitive to the Teams tenant configuration and specific meeting settings.

-4. Azure Communication Service users initialize their Call client and join the Teams meeting, using the details received in Step 2.

-5. The users communicate with each other using voice and video in a call.

-### Resources

-zone_pivot_groups: acs-js-csharp-java-python

-> Currently, SMS messages can only be sent to received from United States phone numbers. For more information, see [Phone number types](../../concepts/telephony/plan-solution.md).

-To learn more about Microsoft Graph Security, see the [Microsoft Graph Security API overview](/graph/security-concept-overview). If you're new to logic apps, review [What is Azure Logic Apps?](../logic-apps/logic-apps-overview.md). If you're looking for Power Automate or Power Apps, see [What is Power Automate?](https://flow.microsoft.com/) or [What is Power Apps?](https://powerapps.microsoft.com/)

-### Docker installation

-If this is your first time creating a project using Docker, you may get a prompt instructing you to install Docker Desktop. This installation is required for working with containerized apps, as mentioned in the prerequisites, so click **Yes**. You can also download and [install Docker Desktop for Windows from the official Docker site](https://hub.docker.com/editions/community/docker-ce-desktop-windows).

-Visual Studio launches the Docker Desktop for Windows installer. You can follow the installation instructions on this page to set up Docker, which requires a system reboot.

-> [!IMPORTANT]

-> This feature is currently in preview, and some [limitations apply](#preview-limitations). Previews are made available to you on the condition that you agree to the [supplemental terms of use][terms-of-use]. Some aspects of this feature may change prior to general availability (GA).

-## Preview limitations

-* You can't create a scope map in a registry enabled for [anonymous pull access](container-registry-faq.yml#how-do-i-enable-anonymous-pull-access-).

-* **Azure CLI** - Azure CLI commands command examples in this article require Azure CLI version 2.17.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

-1. Under **Repository permissions**, select **Tokens (Preview) > +Add**.

-1. Under **Repository permissions**, select **Tokens (Preview)**, and select a token.

-1. Under **Repository permissions**, select **Scope maps (Preview)**, and select the scope map to update.

-Use the [az acr scope-map list][az-acr-scope-map-list] command, or the **Scope maps (Preview)** screen in the portal, to list all the scope maps configured in a registry. For example:

-To view the details of a token, such as its status and password expiration dates, run the [az acr token show][az-acr-token-show] command, or select the token in the **Tokens (Preview)** screen in the portal. For example:

-Use the [az acr token list][az-acr-token-list] command, or the **Tokens (Preview)** screen in the portal, to list all the tokens configured in a registry. For example:

-If you didn't generate a token password, or you want to generate new passwords, run the [az acr token credential generate][az-acr-token-credential-generate] command.Regenerating new passwords for tokens will take 60 seconds to replicate and be available.

-In the portal, on the **Tokens (preview)** screen, select the token, and under **Scope map**, select a different scope map.

-In the portal, select the token in the **Tokens (Preview)** screen, and select **Disabled** under **Status**.

-In the portal, select the token in the **Tokens (Preview)** screen, and select **Discard**.

-[terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/

-[az-acr-token-credential-generate]: /cli/azure/acr/token/credential/#az_acr_token_credential_generate

-* Learn about enabling [repository-scoped permissions](container-registry-repository-scoped-permissions.md) (preview) in a container registry.

-Azure Cosmos DB insights provides a view of the overall performance, failures, capacity, and operational health of all your Azure Cosmos DB resources in a unified interactive experience. This article will help you understand the benefits of this new monitoring experience, and how you can modify and adapt the experience to fit the unique needs of your organization.

-Before diving into the experience, you should understand how it presents and visualizes information.

-* **At scale perspective** of your Azure Cosmos DB resources across all your subscriptions in a single location, with the ability to selectively scope to only those subscriptions and resources you are interested in evaluating.

-* **Drill down analysis** of a particular Azure Cosmos DB resource to help diagnose issues or perform detailed analysis by category - utilization, failures, capacity, and operations. Selecting any one of those options provides an in-depth view of the relevant Azure Cosmos DB metrics.

-* **Customizable** - This experience is built on top of Azure Monitor workbook templates allowing you to change what metrics are displayed, modify or set thresholds that align with your limits, and then save into a custom workbook. Charts in the workbooks can then be pinned to Azure dashboards.

-This feature does not require you to enable or configure anything, these Azure Cosmos DB metrics are collected by default.

->There is no charge to access this feature and you will only be charged for the Azure Monitor essential features you configure or enable, as described on the [Azure Monitor pricing details](https://azure.microsoft.com/pricing/details/monitor/) page.

-To view the utilization and performance of your storage accounts across all of your subscriptions, perform the following steps.

-2. Search for **Monitor** and select **Monitor**.

- 

-3. Select **Azure Cosmos DB**.

- 

-On **Overview**, the table displays interactive Azure Cosmos DB metrics. You can filter the results based on the options you select from the following drop-down lists:

-* **Subscriptions** - only subscriptions that have an Azure Cosmos DB resource are listed.

-* **Azure Cosmos DB** - You can select all, a subset, or single Azure Cosmos DB resource.

-* **Time Range** - by default, displays the last 4 hours of information based on the corresponding selections made.

-The counter tile under the drop-down lists rolls-up the total number of Azure Cosmos DB resources are in the selected subscriptions. There is conditional color-coding or heatmaps for columns in the workbook that report transaction metrics. The deepest color has the highest value and a lighter color is based on the lowest values.

-Selecting a drop-down arrow next to one of the Azure Cosmos DB resources will reveal a breakdown of the performance metrics at the individual database container level:

-

-Selecting the Azure Cosmos DB resource name highlighted in blue will take you to the default **Overview** for the associated Azure Cosmos DB account.

-Select **Failures** at the top of the page and the **Failures** portion of the workbook template opens. It shows you total requests with the distribution of responses that make up those requests:

-

-| `404 Not Found` | The operation is attempting to act on a resource that no longer exists. For example, the resource may have already been deleted. |

-For a full list of status codes, consult the [Azure Cosmos DB HTTP status code article](/rest/api/cosmos-db/http-status-codes-for-cosmosdb).

-Select **Capacity** at the top of the page and the **Capacity** portion of the workbook template opens. It shows you how many documents you have, your document growth over time, data usage, and the total amount of available storage that you have left. This can be used to help identify potential storage and data utilization issues.

-

-As with the overview workbook, selecting the drop-down next to an Azure Cosmos DB resource in the **Subscription** column will reveal a breakdown by the individual containers that make up the database.

-Select **Operations** at the top of the page and the **Operations** portion of the workbook template opens. It gives you the ability to see your requests broken down by the type of requests made.

-So in the example below you see that `eastus-billingint` is predominantly receiving read requests, but with a small number of upsert and create requests. Whereas `westeurope-billingint` is read-only from a request perspective, at least over the past four hours that the workbook is currently scoped to via its time range parameter.

-

-2. Once you've navigated to your Azure Cosmos DB account, in the Monitoring section select **Insights (preview)** or **Workbooks** to perform further analysis on throughput, requests, storage, availability, latency, system, and account management.

-By default, the **Time Range** field displays data from the **Last 24 hours**. You can modify the time range to display data anywhere from the last 5 minutes to the last seven days. The time range selector also includes a **Custom** mode that allows you to type in the start/end dates to view a custom time frame based on available data for the selected account.

-The **Overview** tab provides the most common metrics for the selected Azure Cosmos DB account including:

-**Total Requests:** This graph provides a view of the total requests for the account broken down by status code. The units at the bottom of the graph are a sum of the total requests for the period.

-**Normalized RU Consumption (max)**: This graph provides the max percentage between 0-100% of Normalized RU Consumption units for the specified period.

-You can pin any one of the metric sections to an [Azure Dashboard](../azure-portal/azure-portal-dashboards.md) by selecting the pushpin icon at the top right of the section.

-

-To export your data into the Excel format, select the down arrow icon to the left of the pushpin icon.

-

-To expand or collapse all drop-down views in the workbook, select the expand icon to the left of the export icon:

-

-Since this experience is built on top of Azure Monitor workbook templates, you have the ability to **Customize** > **Edit** and **Save** a copy of your modified version into a custom workbook.

-

-Workbooks are saved within a resource group, either in the **My Reports** section that's private to you or in the **Shared Reports** section that's accessible to everyone with access to the resource group. After you save the custom workbook, you need to go to the workbook gallery to launch it.

-

-For troubleshooting guidance, refer to the dedicated workbook-based insights [troubleshooting article](../azure-monitor/insights/troubleshoot-workbooks.md).

-* Configure [metric alerts](../azure-monitor/alerts/alerts-metric.md) and [service health notifications](../service-health/alerts-activity-log-service-notifications-portal.md) to set up automated alerting to aid in detecting issues.

-* Learn the scenarios workbooks are designed to support, how to author new and customize existing reports, and more by reviewing [Create interactive reports with Azure Monitor workbooks](../azure-monitor/visualize/workbooks-overview.md).

-description: Learn more about the merge partitions capability in Azure Cosmos DB

-```azurepowershell

-// Add the preview extension

-```azurepowershell

-// API for NoSQL

-```azurepowershell

-// API for MongoDB

- WhatIf = $true

-Invoke-AzCosmosDBMongoDBCollectionMerge @parameters

-#### [Azure CLI](#tab/azure-cli)

-```azurecli

-// Add the preview extension

-az extension add --name cosmosdb-preview

-```

-```azurecli

-// API for NoSQL

-```azurecli

-// API for MongoDB

-¹ Support for these connectors is planned for the future.

-## Subscribe to cost alerts

-### To subscribe to cost alerts

-1. In cost analysis, select a private or shared view you want to subscribe to alerts for or create and save a new chart view.

- - You can include up to 20 recipients. Consider using a distribution list if you have a large audience. To see how the email looks, start by sending it only to yourself. You can update it later.

-PAL allows Microsoft to identify and recognize partners that have Power Platform and Customer Insights customers. Microsoft attributes usage to a partner's organization based on the account's permissions (user role) and scope (tenant, resource, and so on). The attribution is used for Advanced Specializations, such as the [Microsoft Low Code Advanced Specializations](https://partner.microsoft.com/membership/advanced-specialization#tab-content-2), and [Partner Incentives](https://partner.microsoft.com/asset/collection/microsoft-commerce-incentive-resources#/).

-1. Get access accounts from your customer

-2. Link your access account to your partner ID

-3. Attribute your access account to the product resource

-## Get access accounts from your customer

-Before you link your partner ID, your customer must give you access to their Power Platform or Customer Insights resources. They use one of the following options:

-* **Directory account** - Your customer can create a dedicated user account, or a user account to act as a service account, in their own directory, and provide access to the product(s) you're working on in production.

-* **Service principal** - Your customer can add an app or script from your organization in their directory and provide access to the product you're working on in production.

-## Link your access account to your partner ID

-Linking your access account to your partner ID is also called *PAL association*. When you have access to a Production Environment access account, you can use PAL to link the account to your Microsoft partner location ID.

-For directory accounts (user or service), use the graphical web-based Azure portal, PowerShell, or the Azure CLI to link to your Microsoft partner location ID.

-For service principal, use PowerShell or the Azure CLI to provide the link your Microsoft partner location ID. Link the partner ID to each customer resource.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Go to [Link to a partner ID](https://portal.azure.com/#blade/Microsoft_Azure_Billing/managementpartnerblade) in the Azure portal.

-For more information about using PowerShell or the Azure CLI, see [Use PowerShell, CLI, and other tools](#use-powershell-azure-cli-and-other-tools).

-## Attribute your access account to product resource

-To count the usage of a specific resource, the partner user or guest account needs to be attributed to the *resource* for Power Platform or Dynamics Customer Insights. The access account is the one that you received from your customer. It's the same account that was linked through the Partner Admin Link (PAL).

-To ensure success, we strongly recommend that you use Solutions where available to import your deliverables into the customers Production Environment via a Managed Solution. When you use Solutions, the account used to import the Solution becomes the owner of each deliverable inside the Solution. Linking the account to your partner ID ensures all deliverables inside the Solution are associated to your partner ID, automatically handling this step.

-## Use PowerShell, Azure CLI, and other tools

-The following sections cover PowerShell, Azure CLI, and other tools to manage ownership and link partner IDs.

-If your account is approved for payment by check or wire transfer, the instructions for payment can are found on the invoice.

-* If needed, update your billing contact information at the [Azure portal](https://portal.azure.com).

-If your default payment method is credit card, the [Account Administrator](add-change-subscription-administrator.md#whoisaa) can settle the outstanding charges in the Azure portal. If you pay by invoice (check wire transfer), send your payment to the location listed at the bottom of your invoice.

-The easiest and quickest way to get started in data factory with CDC is through the factory level Change Data Capture resource. From the main pipeline designer, click on New under Factory Resources to create a new Change Data Capture. The CDC factory resource will provide a configuration walk-through experience where you will point to your sources and destinations, apply optional transformations, and then click start to begin your data capture. With the CDC resource, you will not beed to design pipelines or data flow activities and the only billing will be 4 cores of General Purpose data flows while your data in being processed. You set a latency which ADF will use to wake-up and look for changed data. That is the only time you will be billed. The top-level CDC resource is also the ADF method of running your processes continuously. Pipelines in ADF are batch only. But the CDC resource can run continuously.

-| Regions: | Central US |

-| Regions: | Central US |

-| Regions: | Central US |

-In our continuing efforts to simplify your Defender for Cloud configuration experience, we moved the configuration for Endpoint protection (Microsoft Defender for Endpoint) component from the **Environment settings** > **Integrations** page to the **Environment settings** > **Defender plans** > **Settings and monitoring** page, where the other components are managed as well. There is no change to the functionality other than the location in the portal.

-| Vulnerability Assessment | View vulnerabilities for running images | AKS | Preview | Preview | Defender profile | Defender for Containers | Commercial clouds |

-| Hardening | Control plane recommendations | ACR, AKS | GA | GA | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

-| [Recommendation to find vulnerabilities in running container images to be released for General Availability (GA)](#recommendation-to-find-vulnerabilities-in-running-container-images-to-be-released-for-general-availability-ga) | February 2023 |

-| [The built-in policy [Preview]: Private endpoint should be configured for Key Vault is set to be deprecated](#the-built-in-policy-preview-private-endpoint-should-be-configured-for-key-vault-is-set-to-be-deprecated) | February 2023 |

-| [Three alerts in Defender for ARM plan are set to be deprecated](#three-alerts-in-defender-for-arm-plan-are-set-to-be-deprecated) | March 2023 |

-| [Alerts automatic export to Log Analytics workspace is set to be deprecated](#alerts-automatic-export-to-log-analytics-workspace-is-set-to-be-deprecated) | March 2023 |

-### Three alerts in Defender for ARM plan are set to be deprecated

-As we continue to improve the quality of our alerts, the following three alerts from the Defender for ARM plan are set to be deprecated:

-In the scenario where an activity from a suspicious IP address is detected, one of the following Defender for ARM plan alert `Azure Resource Manager operation from suspicious IP address` or ' Azure Resource Manager operation from suspicious proxy IP address' will be presented.

-### Alerts automatic export to Log Analytics workspace is set to be deprecated

-### Recommendation to find vulnerabilities in running container images to be released for General Availability (GA)

-**Estimated date for change: February 2023**

-The [Running container images should have vulnerability findings resolved](defender-for-containers-vulnerability-assessment-azure.md#view-vulnerabilities-for-images-running-on-your-aks-clusters) recommendation is currently in preview. While a recommendation is in preview, it doesn't render a resource unhealthy and isn't included in the calculations of your secure score.

-We recommend that you use the recommendation to remediate vulnerabilities in your containers. Remediating the recommendation won't affect your secure score when the recommendation is released as GA. Learn about [recommendation remediation](implement-security-recommendations.md).

-### The built-in policy \[Preview]: Private endpoint should be configured for Key Vault is set to be deprecated

-**Estimated date for change: February 2023**

-The built-in policy [`[Preview]: Private endpoint should be configured for Key Vault`](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) is set to be deprecated and will be replaced with the [`[Preview]: Azure Key Vaults should use private link`](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6abeaec-4d90-4a02-805f-6b26c4d3fbe9) policy.

-The related [policy definition](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f7c1b1214-f927-48bf-8882-84f0af6588b1) will also be replaced by this new policy in all standards displayed in the regulatory compliance dashboard.

-1. Copy and save the URL. You'll use it later.

-1. Copy and save the URL. You'll use it later.

-1. Save the generated token. You'll use the token later.

-1. Save the generated token. You'll use the token later.

-To store the personal access token you generated as a [key vault secret](../key-vault/secrets/about-secrets.md) and copy the secret identifier:

- | **Folder path** | Enter the folder path relative to the clone URI that contains subfolders with your catalog items. </br> This folder path should be the path to the folder that contains the subfolders with the catalog item manifests, and not the path to the folder with the catalog item manifest itself.<br/>*Sample Catalog Example:* /Environments|

- | **Secret identifier**| Enter the [secret identifier](#create-a-personal-access-token) that contains your personal access token for the repository.|

-You can delete a catalog to remove it from the dev center. Any templates in a deleted catalog won't be available to development teams when they deploy new environments. Update the catalog item reference for any existing environments that were created by using the catalog items in the deleted catalog. If the reference isn't updated and the environment is redeployed, the deployment fails.

-description: Learn how to configure a managed identity that will be used to deploy environments in your Azure Deployment Environments Preview dev center.

-The identity that's attached to the dev center should be assigned the Owner role for all the deployment subscriptions and the Reader role for all subscriptions that contain the relevant project. When a user creates or deploys an environment, the service grants appropriate access to the deployment identity that's attached to a project environment type. The deployment identity uses the access to perform deployments on behalf of the user. You can use the managed identity to empower developers to create environments without granting them access to the subscription.

-1. Confirm that the dev center was successfully created by checking your Azure portal notifications. Then, select **Go to resource**.

-You'll need an Azure Key Vault to store the GitHub personal access token (PAT) that is used to grant Azure access to your GitHub repository.

- Fine grained and classic tokens work with Azure Deployment Environments.

-1. Leave this tab open, youΓÇÖll need to come back to the Key Vault later.

-In this quickstart, you'll configure a system-assigned managed identity for your dev center.

-Make sure that the identity has access to the key vault secret that contains the personal access token to access your repository.

-Configure a key vault access policy:

- - On the Permissions tab, under **Secret permissions**, select **Select all**, and then select **Next**.

-In this quickstart, you'll attach a GitHub repository that contains samples created and maintained by the Azure Deployment Environments team.

-To add a catalog to your dev center, you'll first need to gather some information.

-You'll also need the path to the secret you created in the key vault.

- | **Folder path** | Enter the folder path relative to the clone URI that contains subfolders with your catalog items. </br>This folder path should be the path to the folder that contains the subfolders with the catalog item manifests, and not the path to the folder with the catalog item manifest itself.<br/>*Sample Catalog Example:* /Environments|

- | **Secret identifier**| Enter the secret identifier that contains your personal access token for the repository.|

- |**Dev center**|Select a dev center to associate with this project. All settings for the dev center will apply to the project. |

-Before you can create environment types, you must give the managed identity that represents your dev center access to the subscriptions where you'll configure the [project environment types](concept-environments-key-concepts.md#project-environment-types).

-In this quickstart you'll assign the Owner role to the system-assigned managed identity that you configured previously: [Attach a system-assigned managed identity](quickstart-create-and-configure-devcenter.md#attach-a-system-assigned-managed-identity).

-For information about viewing and managing metrics with Azure Monitor, see [Get started with metrics explorer](../azure-monitor/essentials/metrics-getting-started.md). For a full list of API metrics available for Azure Digital Twins, see [Azure Digital Twins API request metrics](how-to-monitor.md#api-request-metrics).

-Here are two sample projects that can simplify dealing with multiple models at once:

-* [Model uploader](https://github.com/Azure/opendigitaltwins-tools/tree/main/ADTTools#uploadmodels): Once you're finished creating, extending, or selecting your models, you need to upload them to your Azure Digital Twins instance to make them available for use in your solution. If you have many models to upload, or if they have many interdependencies that would make ordering individual uploads complicated, you can use this model uploader sample to upload many models at once.

-* [Model deleter](https://github.com/Azure/opendigitaltwins-tools/tree/main/ADTTools#deletemodels): This sample can be used to delete all models in an Azure Digital Twins instance at once. It contains recursive logic to handle model dependencies through the deletion process.

-This section shows what it looks like to create digital twins and relationships from a client application. It contains .NET code examples that use the [DigitalTwins APIs](/rest/api/digital-twins/dataplane/twins), to provide more context on what goes on inside each of these concepts.

-You can also upload multiple models in a single transaction.

-If you're using the [REST APIs](/rest/api/azure-digitaltwins/) or [Azure CLI](/cli/azure/dt), you can also upload multiple models by placing multiple model definitions in a single JSON file to be uploaded together. In this case, the models should be placed in a JSON array within the file, like in the following example:

-On upload, model files are validated by the service.

-* Array indexing is not supported.

-* Subqueries within the ARRAY_CONTAINS() property are not supported.

-* ARRAY_CONTAINS() is not supported on properties of relationships.

- - For example, say `Floor.Contains` is a relationship from Floor to Room and it has a `lift` property with a value of `["operating", "under maintenance", "under construction"]`. Queries like this are not supported: `SELECT Room FROM DIGITALTWINS Floor JOIN Room RELATED Floor.Contains WHERE Floor.$dtId = 'Floor-35' AND ARRAY_CONTAINS(Floor.Contains.lift, "operating")`.

-* ARRAY_CONTAINS() does not search inside nested arrays.

- - For example, say a twin has a `tags` property with a value of `[1, [2,3], 3, 4]`. A search for `2` using the query `SELECT * FROM DIGITALTWINS WHERE ARRAY_CONTAINS(tags, 2)` will return `False`. A search for a value in the top level array, like `1` using the query `SELECT * FROM DIGITALTWINS WHERE ARRAY_CONTAINS(tags, 1)`, will return `True`.

-* ARRAY_CONTAINS() is not supported if the array contains objects.

- - For example, say a twin has a `tags` property with a value of `[Room1, Room2]` where `Room1` and `Room2` are objects. Queries like this are not supported: `SELECT * FROM DIGITALTWINS WHERE ARRAY_CONTAINS(tags, Room2)`.

-A type checking function for determining whether an property has a Boolean value.

-This function is often combined with other predicates if the program processing the query results requires a boolean value, and you want to filter out cases where the property is not a boolean.

-`<property>`, an property to check whether it is a Boolean.

-The following query builds on the above example to select the digital twins that have a boolean `HasTemperature` property, and the value of that property is not `false`.

-`<property>`, a property to determine whether it is defined.

-A type checking function for determining whether an property's value is `null`.

-`<property>`, a property to check whether it is null.

-This function is often combined with other predicates if the program processing the query results requires a number value, and you want to filter out cases where the property is not a number.

-`<property>`, a property to check whether it is a number.

-The following query selects the digital twins that have a numeric `Capacity` property and its value is not equal to 0.

-This function is often combined with other predicates if the program processing the query results requires a JSON object, and you want to filter out cases where the value is not a JSON object.

-`<property>`, a property to check whether it is of an object type.

-The following query selects all of the digital twins where this is an object called `MapObject`, and it does not have a child property `TemperatureReading`.

-* `<twin-collection>`: Specify a twin collection to search when there is more than one (like when a `JOIN` is used).

-* `exact`: Require an exact match. If this parameter is not set, the result set will include twins with models that inherit from the specified model.

-This function is often combined with other predicates if the program processing the query results requires a primitive-typed value, and you want to filter out cases where the property is not primitive.

-`<property>`, a property to check whether it is of a primitive type.

-This function is often combined with other predicates if the program processing the query results requires a string value, and you want to filter out cases where the property is not a string.

-`<property>`, a property to check whether it is a string.

-The following query selects the digital twins that have a string property `Status` property and its value is not equal to `Completed`.

-## Migrate databases to Azure with familiar tools

-Azure Database Migration Service integrates some of the functionality of our existing tools and services. It provides customers with a comprehensive, highly available solution. The service uses the [Data Migration Assistant](/sql/dma/dma-overview) to generate assessment reports that provide recommendations to guide you through the required changes before a migration. It's up to you to perform any remediation required. Azure Database Migration Service performs all the required steps when ready to begin the migration process. Knowing that the process takes advantage of Microsoft's best practices, you can fire and forget your migration projects with peace of mind.

-> [!NOTE]

-> Using Azure Database Migration Service to perform an online migration requires creating an instance based on the Premium pricing tier.

-## Regional availability

-For up-to-date info about the regional availability of Azure Database Migration Service, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=database-migration).

-## Pricing

-For up-to-date info about Azure Database Migration Service pricing, see [Azure Database Migration Service pricing](https://azure.microsoft.com/pricing/details/database-migration/).

-description: Learn to perform an online migration from SQL Server to an Azure SQL Managed Instance by using Azure Database Migration Service.

-> This tutorial uses an older version of the Azure Database Migration Service. For improved functionality and supportability, consider migrating to Azure SQL Managed Instance by using the [Azure SQL migration extension for Azure Data Studio](tutorial-sql-server-managed-instance-online-ads.md).

-> This tutorial uses an older version of the Azure Database Migration Service. For improved functionality and supportability, consider migrating to Azure SQL Database by using the [Azure SQL migration extension for Azure Data Studio](tutorial-sql-server-azure-sql-database-offline-ads.md).

-The following quickstarts are available to help you create a private resolver. These quickstarts walk you through creating a resource group, a virtual network, and Azure DNS Private Resolver. The steps to configure an inbound endpoint, outbound endpoint, and DNS forwarding ruleset are provied:

-* [Learn module: Introduction to Azure DNS](/training/modules/intro-to-azure-dns).

- "DeliveryStatusDetails": "No error.",

- "ReceivedTimestamp": "2020-09-18T00:22:20.2855749Z",

- This sample has been updated to use the latest **Azure.Messaging.EventHubs** library.

- These samples use the old **Microsoft.Azure.EventHubs** library, but you can easily update it to using the latest **Azure.Messaging.EventHubs** library. To move the sample from using the old library to new one, see the [Guide to migrate from Microsoft.Azure.EventHubs to Azure.Messaging.EventHubs](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/eventhub/Azure.Messaging.EventHubs/MigrationGuide.md).

- - [.NET](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/Azure.Messaging.EventHubs/ManagedIdentityWebApp)

- - [Java](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/eventhubs/azure-messaging-eventhubs/src/samples/java/com/azure/messaging/eventhubs)

-

- These samples use the old **Microsoft.Azure.EventHubs** library, but you can easily update it to using the latest **Azure.Messaging.EventHubs** library. To move the sample from using the old library to new one, see the [Guide to migrate from Microsoft.Azure.EventHubs to Azure.Messaging.EventHubs](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/eventhub/Azure.Messaging.EventHubs/MigrationGuide.md).

- This sample has been updated to use the latest **Azure.Messaging.EventHubs** library.

-You can configure the EventHubs shared access authorization rule on an Event Hubs namespace, or an entity (event hub instance or Kafka Topic in an event hub). Configuring a shared access authorization rule on a consumer group is currently not supported, but you can use rules configured on a namespace or entity to secure access to consumer group.

-When using sendRuleNS authorization rule, client applications can send to both eh1 and topic1. When sendRuleT authorization rule is used, it enforces granular access to topic1 only and hence client applications using this rule for access now cannot send to eh1, but only to topic1.

-You'll need to add a reference to `AzureNamedKeyCredential`.

-You'll need to add a reference to `AzureSASCredential`.

-For certain organizational security requirements, you may have to disable local/SAS key authentication completely and rely on the Azure Active Directory (Azure AD) based authentication which is the recommended way to connect with Azure Event Hubs. You can disable local/SAS key authentication at the Event Hubs namespace level using Azure portal or Azure Resource Manager template.

-description: Learn how to use Azure Event Hubs to stream data from Apache Kafka applications without setting up a Kafka cluster on your own.

-# Use Azure Event Hubs to stream data from Apache Kafka applications

-| [BitsInPerSecond](#circuitbandwidth) | Traffic | BitsPerSecond | Average | Bits ingressing Azure per second | Peering Type | No |

-| [BitsOutPerSecond](#circuitbandwidth) | Traffic | BitsPerSecond | Average | Bits egressing Azure per second | Peering Type | No |

-| GlobalReachBitsInPerSecond | Traffic | BitsPerSecond | Average | Bits ingressing Azure per second | PeeredCircuitSKey | No |

-| GlobalReachBitsOutPerSecond | Traffic | BitsPerSecond | Average | Bits egressing Azure per second | PeeredCircuitSKey | No |

-| [Bits received per second](#gwbits) | Performance | BitsPerSecond | Average | Total bits received on ExpressRoute gateway per second | roleInstance | No |

-| [Packets per second](#packets) | Performance | CountPerSecond | Average | Total Packets received on ExpressRoute Gateway per second | roleInstance | No |

-| [Frequency of routes changed](#frequency) | Availability | Count | Total | Frequency of Routes change in ExpressRoute Gateway | roleInstance | No |

-| [Number of VMs in virtual network](#vm) | Availability | Count | Maximum | Number of VMs in the Virtual Network | No Dimensions | No |

-| [BitsInPerSecond](#connectionbandwidth) | Traffic | BitsPerSecond | Average | Bits ingressing Azure per second through ExpressRoute gateway | ConnectionName | No |

-| [BitsOutPerSecond](#connectionbandwidth) | Traffic | BitsPerSecond | Average | Bits egressing Azure per second through ExpressRoute gateway | ConnectionName | No |

-| [BitsInPerSecond](#directin) | Traffic | BitsPerSecond | Average | Bits ingressing Azure per second | Link | No |

-| [BitsOutPerSecond](#directout) | Traffic | BitsPerSecond | Average | Bits egressing Azure per second | Link | No |

-| DroppedInBitsPerSecond | Traffic | BitsPerSecond | Average | Ingress bits of data dropped per second | Link | No |

-| DroppedOutBitsPerSecond | Traffic | BitPerSecond | Average | Egress bits of data dropped per second | Link | No |

-| [AdminState](#admin) | Physical Connectivity | Count | Average | Admin state of the port | Link | No |

-| [LineProtocol](#line) | Physical Connectivity | Count | Average | Line protocol status of the port | Link | No |

-| [RxLightLevel](#rxlight) | Physical Connectivity | Count | Average | Rx Light level in dBm | Link, Lane | No |

-| [TxLightLevel](#txlight) | Physical Connectivity | Count | Average | Tx light level in dBm | Link, Lane | No |

-* [Link a VNet to an ExpressRoute circuit](expressroute-howto-linkvnet-arm.md)

-> Any valuesets that are to be used for validation must be uploaded to the FHIR server.  This includes any Valuesets which are part of the FHIR specification, > as well as any ValueSets defined in Implementation Guides.  Only fully expanded Valuesets which contain a full list of all codes are supported.  Any > ValueSet definitions which reference external sources are not supported

-`$validate` is an operation in Fast Healthcare Interoperability Resources (FHIR&#174;) that allows you to ensure that a FHIR resource conforms to the base resource requirements or a specified profile. This is a valuable operation to ensure that the data in the FHIR server has the expected attributes and values.

-In the [store profiles in the FHIR service](store-profiles-in-fhir.md) article, you walked through the basics of FHIR profiles and storing them. The FHIR service in Azure Health Data Services (hereby called the FHIR service) allows validating resources against profiles to see if the resources conform to the profiles. This article will guide you through how to use `$validate` for validating resources against profiles. For more information about FHIR profiles outside of this article, visit

-[HL7.org](https://www.hl7.org/fhir/profiling.html).

-## Validating resources against the profiles

-FHIR resources can express their conformance to specific profiles. This allows the FHIR service to **validate** given resources against profiles. Validating a resource against a profile means checking if the resource conforms to the profile, including the specifications listed in `Resource.meta.profile` or in an Implementation Guide. There are two ways for you to validate your resource:

-In both cases, you can decide by way of your FHIR service configuration what to do when the resource doesn't conform to your desired profile.

-## Using $validate

-The `$validate` operation checks whether the provided profile is valid, and whether the resource conforms to the specified profile. As mentioned in the [HL7 FHIR specifications](https://www.hl7.org/fhir/resource-operation-validate.html), you can also specify the mode for `$validate`, such as create and update:

-The server will always return an `OperationOutcome` as the validation results.

-## Validate on resource CREATE or resource UPDATE

-You can choose when you'd like to validate your resource, such as on resource `CREATE` or `UPDATE`. By default, the FHIR service is configured to opt out of validation on resource `Create/Update`. To validate on `Create/Update`, you can use the `x-ms-profile-validation` header set to true: `x-ms-profile-validation: true`.

-

-Change directories into the folder where your deployment manifest is saved. If you used one of the VS Code IoT Edge templates, use the `deployment.json` file in the **config** folder of your solution directory and not the `deployment.template.json` file.

-The results of your deployment are printed in the VS Code output. Successful deployments are applied within a few minutes if the target device is running and connected to the internet.

-All IoT Edge devices use certificates to create secure connections between the runtime and any modules running on the device. IoT Edge devices functioning as gateways use these same certificates to connect to their downstream devices, too. For more information about the function of the different certificates on an IoT Edge device, see [Understand how Azure IoT Edge uses certificates](iot-edge-certs.md).

-> The term *root CA* used throughout this article refers to the topmost authority's certificate in the certificate chain for your IoT solution. You do not need to use the certificate root of a syndicated certificate authority, or the root of your organization's certificate authority. In many cases, it is actually an intermediate CA certificate.

-* [Understand how Azure IoT Edge uses certificates](iot-edge-certs.md).

- If you don't have an IoT Edge device set up, you can create one in an Azure virtual machine. Follow the steps in one of the quickstart articles to [Create a virtual Linux device](quickstart-linux.md) or [Create a virtual Windows device](quickstart.md).

- * If your `config.toml` isn't based on the template, open the [template](https://github.com/Azure/iotedge/blob/main/edgelet/contrib/config/linux/template.toml) and use the commented guidance to add configuration sections following the structure of the template.

- * If you have a new IoT Edge installation that hasn't been configured, copy the template to initialize the configuration. Don't use this command if you have an existing configuration. It overwrites the file.

-> * A certificate can be encoded in a binary representation called DER, or a textual representation called PEM. The PEM format is a `--BEGIN CERTIFICATE--` header followed by the base64-encoded DER followed by a `--END CERTIFICATE--` footer.

-> * Because PEM is delineated, it is also possible to construct a PEM that combines both the `CERTIFICATE` and `PRIVATE KEY` sequentially in the same file.

-> * Lastly, the certificate and private key can be encoded together in a binary representation called *PKCS#12*, that is encrypted with an optional password.

-The output of list with correct ownership and permission is similar to the following:

-1. Check the certificate meets [format requirements](#format-requirements).

-1. In the IoT Edge configuration file `config.toml`, find **Trust bundle cert** section. If the section is missing, you can copy it from the configuration template file.

-1. Set `trust_bundle_cert` key to the certificate file location.

-IoT Edge can use existing certificate and private key files to authenticate or attest to Azure, issue new module server certificates, and authenticate to EST servers. To install them:

-1. Copy the PEM file to the IoT Edge device where IoT Edge modules can have access. For example, `/var/aziot/` directory.

-In this scenario, the bootstrap certificate and private key are expected to be long-lived and potentially installed on the device during manufacturing. IoT Edge uses the bootstrap credentials to authenticate to the EST server for the initial request to issue an identity certificate for subsequent requests, as well as for authentication to DPS or IoT Hub.

-You can choose either the **Azure IoT Edge Dev Tool** CLI or the **Azure IoT Edge tools for VS Code** extension as your IoT Edge development tool. Use the tool selector button at the beginning to choose your tool option for this article.

-The IoT Edge extension defaults to the latest stable version of the IoT Edge runtime when it creates your deployment assets. Currently, the latest stable version is version 1.4. If you're developing modules for devices running the 1.1 long-term support version or the earlier 1.0 version, update the IoT Edge runtime version in Visual Studio Code to match.

-In Visual Studio Code, open *deployment.debug.template.json* deployment manifest file. The [deployment manifest](module-deployment-monitoring.md#deployment-manifest) is a JSON document that describes the modules to be configured on the targeted IoT Edge device. Before deployment, you need to update your Azure Container Registry credentials and your module images with the proper `createOptions` values. For more information about createOption values, see [How to configure container create options for IoT Edge modules](how-to-use-create-options.md).

-> You can find your IoT Hub connection string in the Azure portal under Azure IoT Hub > **Security settings** > **Shared access policies**.

-To debug modules on a remote device, you can use Remote SSH debugging in VS Code.

-To enable VS Code remote debugging, install the [Remote Development extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack). For more information about VS Code remote debugging, see [VS Code Remote Development](https://code.visualstudio.com/docs/remote/remote-overview).

-For details on how to use Remote SSH debugging in VS Code, see [Remote Development using SSH](https://code.visualstudio.com/docs/remote/ssh)

-The Docker and Moby engines support SSH connections to containers allowing you to debug in VS Code connected to a remote device. You need to meet the following prerequisites before you can use this feature.

-1. In Visual Studio Code, use the Command Palette (Ctrl+Shift+P) to issue the *Docker Context: Use* command to activate the Docker context pointing to the remote machine. This command causes both VS Code and Docker CLI to use the remote machine context.

-1. In the *.vscode* directory, add a new configuration to **launch.json** by opening the file in VS Code. Select **Add configuration** then choose the matching remote attach template for your module. For example, the following configuration is for .NET Core. Change the value for the *-H* parameter in *PipeArgs* to your device DNS name or IP address.

-1. In VS Code Debug view, select the debug configuration *Remote Debug IoT Edge Module (.NET Core)*.

-1. In VS Code, set breakpoints in your custom module.

- :::image type="content" source="media/how-to-vs-code-develop-module/vs-code-breakpoint.png" alt-text="Screenshot of VS Code attached to a Docker container on a remote device paused at a breakpoint.":::

-In summary, *ContosoIotHub* can trust *EdgeGateway* because *EdgeGateway* presents a valid **IoT Edge device identity certificate** whose thumbprint matches the one registered in IoT Hub.

-| **Linux AMD64** |  |

-| **Linux ARM32** |  |  |

-| **Linux ARM64** |  |  |

-1. Select **View** > **Command Palette** to open the VS Code command palette.

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

-1. In the VS Code explorer, open the .env file.

-1. In the VS Code explorer, open the **deployment.template.json** file in your IoT Edge solution workspace.

-1. Open the VS Code terminal by selecting **View** > **Terminal**.

-3. In the VS Code explorer, right-click the **deployment.template.json** file and select **Build and Push IoT Edge Solution**.

-| **Linux AMD64** |  |

-| **Linux ARM32** |  |  |

-| **Linux ARM64** |  |  |

-1. In Visual Studio Code, select **View** > **Command Palette** to open the VS Code command palette.

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

-1. In the VS Code explorer, open the **.env** file.

-1. In the VS Code explorer, open **modules** > **CSharpModule** > **Program.cs**.

-1. In the VS Code explorer, open the **deployment.template.json** file in your IoT Edge solution workspace.

-1. Open the VS Code integrated terminal by selecting **View** > **Terminal**.

-1. In the VS Code explorer, right-click the **deployment.template.json** file and select **Build and Push IoT Edge Solution**.

-1. In Visual Studio Code, select **View** > **Command Palette** to open the VS Code command palette.

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

-1. In the VS Code explorer, open the .env file.

- The VS Code window loads your new module in the solution workspace, and updates the deployment.template.json file. Now you should see two module folders: classifier and cameraCapture.

-Once the images are in your registry, you can deploy the solution to an IoT Edge device. You can set modules on a device through the IoT Hub, but you can also access your IoT Hub and devices through Visual Studio Code. In this section, you set up access to your IoT Hub then use VS Code to deploy your solution to your IoT Edge device.

-1. Open the VS Code integrated terminal by selecting **View** > **Terminal**.

-3. In the VS Code explorer, right-click the **deployment.template.json** file and select **Build and Push IoT Edge solution**.

-> * Use VS Code and Docker to create a Docker image and publish it to a container registry.

-2. Open the VS Code command palette by selecting **View** > **Command Palette**.

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

-1. In the VS Code explorer, open the .env file.

-1. Open the VS Code integrated terminal by selecting **View** > **Terminal**.

-3. In the VS Code explorer, right-click the **deployment.template.json** file and select **Build and Push IoT Edge Solution**.

-You can use the Azure portal to deploy your Function module to an IoT Edge device like you did in the quickstarts. You can also deploy and monitor modules from within Visual Studio Code. The following sections use the Azure IoT Edge and IoT Hub for VS Code that was listed in the prerequisites. Install the extension now, if you didn't already.

- 

-## Set up VS Code and tools

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

-<!--Alternative steps: Use VS Code Docker tools to view ACR images with tags-->

-| **Linux AMD64** |  | |

-| **Linux ARM32** |  | |

-| **Linux ARM64** |  | |

-1. In Visual Studio Code, select **View** > **Command Palette** to open the VS Code command palette.

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

-If it's your first time creating Java module, it might take several minutes to download the maven packages. When the solution is ready, the VS Code window loads your IoT Edge solution workspace. The solution workspace contains five top-level components:

-1. In the VS Code explorer, open the .env file.

-1. In the VS Code explorer, open **modules** > **JavaModule** > **src** > **main** > **java** > **com** > **edgemodule** > **App.java**.

-8. In the VS Code explorer, open the **deployment.template.json** file in your IoT Edge solution workspace.

-1. Open the VS Code integrated terminal by selecting **View** > **Terminal**.

-3. In the VS Code explorer, right-click the **deployment.template.json** file and select **Build and Push IoT Edge Solution**.

-| **Linux AMD64** |  | |

-| **Linux ARM32** |  | |

-| **Linux ARM64** |  | |

-1. In Visual Studio Code, select **View** > **Integrated Terminal** to open the VS Code integrated terminal.

-3. Select **View** > **Command Palette** to open the VS Code command palette.

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

-1. In the VS Code explorer, open the **.env** file.

-1. In the VS Code explorer, open **modules** > **NodeModule** > **app.js**.

-7. In the VS Code explorer, open the **deployment.template.json** file in your IoT Edge solution workspace.

-1. Open the VS Code integrated terminal by selecting **View** > **Terminal**.

-3. In the VS Code explorer, right-click the **deployment.template.json** file and select **Build and Push IoT Edge Solution**.

-| **Linux AMD64** |  | |

-| **Linux ARM32** |  | |

-| **Linux ARM64** |  | |

-1. In Visual Studio Code, select **View** > **Command Palette** to open the VS Code command palette.

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

-1. In the VS Code explorer, open the **.env** file.

-1. In the VS Code explorer, open **modules** > **PythonModule** > **main.py**.

-8. In the VS Code explorer, open the **deployment.template.json** file in your IoT Edge solution workspace.

-1. Open the VS Code integrated terminal by selecting **View** > **Terminal**.

-3. In the VS Code explorer, right-click the **deployment.template.json** file and select **Build and Push IoT Edge Solution**.

-2. Open the VS Code command palette by selecting **View** > **Command palette**.

- | Select folder | Choose the location on your development machine for VS Code to create the solution files. |

- The VS Code window loads your IoT Edge solution workspace.

-1. In the VS Code explorer, open the .env file.

-1. In the VS Code explorer, open **modules** > **sqlFunction** > **sqlFunction.csproj**.

-1. In the VS Code explorer, right-click the **deployment.template.json** file and select **Build and Push IoT Edge solution**.

-You can set modules on a device through the IoT Hub, but you can also access your IoT Hub and devices through Visual Studio Code. In this section, you set up access to your IoT Hub then use VS Code to deploy your solution to your IoT Edge device.

-The Device Update Module agent can run alongside other system processes and [IoT Edge modules](../iot-edge/iot-edge-modules.md) that connect to your IoT Hub as part of the same logical device. This section describes how to provision the Device Update agent as a module identity.

- * [Image )

-

-* Disconnected devices:

-

-

-This section describes how to provision the Device Update agent as a module identity on

- - For latest agent versions from packages.miscrosoft.com: Update package lists on your device and install the Device Update agent package and its dependencies using:

- - If you are setting up a [MCC for a disconnected device scenario](connected-cache-disconnected-device-update.md), then install the Delivery Optmization Apt plugin:

-1. Install the IoT Identity Service and add the latest version to your IoT device by following instrucions in [Installing the Azure IoT Identity Service](https://azure.github.io/iot-identity-service/installation.html#install-from-packagesmicrosoftcom).

-Get started with the Azure Key Vault certificate client library for Python. Follow the steps below to install the package and try out example code for basic tasks. By using Key Vault to store certificates, you avoid storing certificates in your code, which increases the security of your app.

-This quickstart assumes you are running [Azure CLI](/cli/azure/install-azure-cli) in a Linux terminal window.

-This quickstart is using Azure Identity library with Azure CLI to authenticate user to Azure Services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls, for more information, see [Authenticate the client with Azure Identity client library](/python/api/overview/azure/identity-readme)

-from azure.keyvault.certificates import CertificateClient, CertificatePolicy,CertificateContentType, WellKnownIssuerNames

-In this quickstart, logged in user is used to authenticate to key vault, which is preferred method for local development. For applications deployed to Azure, managed identity should be assigned to App Service or Virtual Machine, for more information, see [Managed Identity Overview](../../active-directory/managed-identities-azure-resources/overview.md).

-In below example, the name of your key vault is expanded to the key vault URI, in the format `https://\<your-key-vault-name\>.vault.azure.net`. This example is using ['DefaultAzureCredential()'](/python/api/azure-identity/azure.identity.defaultazurecredential) class, which allows to use the same code across different environments with different options to provide identity. For more information, see [Default Azure Credential Authentication](/python/api/overview/azure/identity-readme).

-Once you've obtained the client object for the key vault, you can create a certificate using the [begin_create_certificate](/python/api/azure-keyvault-certificates/azure.keyvault.certificates.certificateclient?#begin-create-certificate-certificate-name--policy-kwargs-) method:

-Here, the certificate requires a policy obtained with the [CertificatePolicy.get_default](/python/api/azure-keyvault-certificates/azure.keyvault.certificates.certificatepolicy?#get-default--) method.

-When handling the request, Azure authenticates the caller's identity (the service principal) using the credential object you provided to the client.

-To read a certificate from Key Vault, use the [get_certificate](/python/api/azure-keyvault-certificates/azure.keyvault.certificates.certificateclient?#get-certificate-certificate-name-kwargs-) method:

-You can also verify that the certificate has been set with the Azure CLI command [az keyvault certificate show](/cli/azure/keyvault/certificate?#az-keyvault-certificate-show).

-To delete a certificate, use the [begin_delete_certificate](/python/api/azure-keyvault-certificates/azure.keyvault.certificates.certificateclient?#begin-delete-certificate-certificate-name-kwargs-) method:

-You can verify that the certificate is deleted with the Azure CLI command [az keyvault certificate show](/cli/azure/keyvault/certificate?#az-keyvault-certificate-show).

-Get started with the Azure Key Vault client library for Python. Follow the steps below to install the package and try out example code for basic tasks. By using Key Vault to store cryptographic keys, you avoid storing such keys in your code, which increases the security of your app.

-This quickstart assumes you are running [Azure CLI](/cli/azure/install-azure-cli) in a Linux terminal window.

-This quickstart is using Azure Identity library with Azure CLI to authenticate user to Azure Services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls, for more information, see [Authenticate the client with Azure Identity client library](/python/api/overview/azure/identity-readme).

-Create an access policy for your key vault that grants secret permission to your user account.

-az keyvault set-policy --name <<your-unique-keyvault-name> --upn user@domain.com --secret-permissions delete get list set

-In this quickstart, logged in user is used to authenticate to key vault, which is preferred method for local development. For applications deployed to Azure, managed identity should be assigned to App Service or Virtual Machine, for more information, see [Managed Identity Overview](../../active-directory/managed-identities-azure-resources/overview.md).

-In below example, the name of your key vault is expanded to the key vault URI, in the format `https://\<your-key-vault-name\>.vault.azure.net`. This example is using ['DefaultAzureCredential()'](/python/api/azure-identity/azure.identity.defaultazurecredential) class, which allows to use the same code across different environments with different options to provide identity. For more information, see [Default Azure Credential Authentication](/python/api/overview/azure/identity-readme).

-Once you've obtained the client object for the key vault, you can store a key using the [create_rsa_key](/python/api/azure-keyvault-keys/azure.keyvault.keys.keyclient?#create-rsa-key-name-kwargs-) method:

-You can also use [create_key](/python/api/azure-keyvault-keys/azure.keyvault.keys.keyclient?#create-key-name--key-type-kwargs-) or [create_ec_key](/python/api/azure-keyvault-keys/azure.keyvault.keys.keyclient?#create-ec-key-name-kwargs-).

-When handling the request, Azure authenticates the caller's identity (the service principal) using the credential object you provided to the client.

-To read a key from Key Vault, use the [get_key](/python/api/azure-keyvault-keys/azure.keyvault.keys.keyclient?#get-key-name--version-none-kwargs-) method:

-You can also verify that the key has been set with the Azure CLI command [az keyvault key show](/cli/azure/keyvault/key?#az-keyvault-key-show).

-To delete a key, use the [begin_delete_key](/python/api/azure-keyvault-keys/azure.keyvault.keys.keyclient?#begin-delete-key-name-kwargs-) method:

-You can verify that the key is deleted with the Azure CLI command [az keyvault key show](/cli/azure/keyvault/key?#az-keyvault-key-show).

- If the PowerShell can open your default browser, it will do so and load an Azure sign-in page.

-1. In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on [Use Python virtual environments](/azure/developer/python/configure-local-development-environment?tabs=cmd#use-python-virtual-environments).

-In this quickstart, the logged in user is used to authenticate to key vault, which is the preferred method for local development. For applications deployed to Azure, a managed identity should be assigned to App Service or Virtual Machine, for more information, see [Managed Identity Overview](../../active-directory/managed-identities-azure-resources/overview.md).

-In this example, the name of your key vault is expanded using the value of the "KVUri" variable, in the format: "https://\<your-key-vault-name\>.vault.azure.net". This example is using ['DefaultAzureCredential()'](/python/api/azure-identity/azure.identity.defaultazurecredential) class, which allows to use the same code across different environments with different options to provide identity. For more information, see [Default Azure Credential Authentication](/python/api/overview/azure/identity-readme).

-Once you've obtained the client object for the key vault, you can store a secret using the [set_secret](/python/api/azure-keyvault-secrets/azure.keyvault.secrets.secretclient?#set-secret-name--value-kwargs-) method:

-When handling the request, Azure authenticates the caller's identity (the service principal) using the credential object you provided to the client.

-To read a secret from Key Vault, use the [get_secret](/python/api/azure-keyvault-secrets/azure.keyvault.secrets.secretclient?#get-secret-name--version-none-kwargs-) method:

-You can also retrieve a secret with the Azure CLI command [az keyvault secret show](/cli/azure/keyvault/secret?#az-keyvault-secret-show) or the Azure PowerShell command [Get-AzKeyVaultSecret](/powershell/module/az.keyvault/get-azkeyvaultsecret).

-To delete a secret, use the [begin_delete_secret](/python/api/azure-keyvault-secrets/azure.keyvault.secrets.secretclient?#begin-delete-secret-name-kwargs-) method:

-You can verify that the secret had been removed with the Azure CLI command [az keyvault secret show](/cli/azure/keyvault/secret?#az-keyvault-secret-show) or the Azure PowerShell command [Get-AzKeyVaultSecret](/powershell/module/az.keyvault/get-azkeyvaultsecret).

-* If using an HTTP or HTTPS probe check if the application is healthy and responsive

- * Validate application is functional by directly accessing the applications through the private IP address or instance-level public IP address associated with your backend instance

-* Review the Network Security Groups applied to our backend resources. Ensure that there are no rules of a higher priority than AllowAzureLoadBalancerInBound that will block the health probe

- * You can do this by visiting the Networking blade of your backend VMs or Virtual Machine Scale Sets

- * If you find this NSG issue is the case, move the existing Allow rule or create a new high priority rule to allow AzureLoadBalancer traffic

-* Check your OS. Ensure your VMs are listening on the probe port and review their OS firewall rules to ensure they aren't blocking the probe traffic originating from IP address `168.63.129.16`

- * You can check listening ports by running `netstat -a` from a Windows command prompt or `netstat -l` from a Linux terminal

-* Don't place a firewall NVA VM in the backend pool of the load balancer, use [user-defined routes](../virtual-network/virtual-networks-udr-overview.md#user-defined) to route traffic to backend instances through the firewall

-* Ensure you're using the right protocol, if using HTTP to probe a port listening for a non-HTTP application the probe will fail

-1. Sign in to [Power Automate](https://flow.microsoft.com).

-1. Sign in to [Power Automate](https://flow.microsoft.com).

- * Azure Functions v3 support ends in late 2022. Starting mid-October 2022, new Standard logic app workflows in the Azure portal automatically use Azure Functions v4. Throughout November 2022, existing Standard workflows in the Azure portal are automatically migrating to Azure Functions v4. Unless you deployed your Standard logic apps as NuGet-based projects or pinned your logic apps to a specific bundle version, this upgrade is designed to require no action from you nor have

- a runtime impact. However, if the exceptions apply to you, or for more information about Azure Functions v3 support, see [Azure Logic Apps Standard now supports Azure Functions v4](https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/azure-logic-apps-standard-now-supports-azure-functions-v4/ba-p/3656072).

-To extend and expand your flow's capabilities, you can migrate that flow from [Power Automate](https://flow.microsoft.com) to a Consumption logic app workflow that runs in [multi-tenant Azure Logic Apps](logic-apps-overview.md). You can export your flow as an Azure Resource Manager template for a logic app, deploy that logic app template to an Azure resource group, and then open that logic app in the workflow designer.

-1. Sign in to [Power Automate](https://flow.microsoft.com), and select **My flows**. Find and select your flow. On the toolbar, select the ellipses (**...**) button > **Export** > **Logic Apps template (.json)**.

-description: This article explains difference options for accessing Apache Spark in Azure Machine Learning.

-#Customer intent: As a Full Stack ML Pro, I want to use Apache Spark in Azure Machine Learning.

-The Azure Machine Learning integration with Azure Synapse Analytics (preview) provides easy access to distributed computing, using the Apache Spark framework. This integration offers these Apache Spark computing experiences:

-Azure Machine Learning Managed (Automatic) Spark compute is the easiest way to execute distributed computing tasks in the Azure Machine Learning environment, using the Apache Spark framework. Azure Machine Learning users can use a fully managed, serverless, on-demand Apache Spark compute cluster. Those users can avoid the need to create an Azure Synapse Workspace and an Azure Synapse Spark pool. Users can define the resources, including

-to access the Managed (Automatic) Spark compute in Azure Machine Learning Notebooks, for

-### Some points to consider

-Managed (Automatic) Spark compute works well for most user scenarios that require quick access to distributed computing using Apache Spark. To make an informed decision, however, users should consider the advantages and disadvantages of this approach.

-### Advantages

-### Disadvantages

-

-As of January 2023, the Managed (Automatic) Spark compute doesn't support managed VNet or private endpoint creation to Azure Synapse.

-### Inactivity periods and tear down mechanism

-A Managed (Automatic) Spark compute (**cold start**) resource might need three to five minutes to start the Spark session, when first launched. The automated Managed (Automatic) Spark compute provisioning, backed by Azure Synapse, causes this delay. Once the Managed (Automatic) Spark compute is provisioned, and an Apache Spark session starts, subsequent code executions (**warm start**) won't experience this delay. The Spark session configuration offers an option that defines a session timeout (in minutes). The Spark session will terminate after an inactivity period that exceeds the user-defined timeout. If another Spark session doesn't start in the following 10 minutes, resources provisioned for the Managed (Automatic) Spark compute will be torn down. Once the Managed (Automatic) Spark compute resource tear-down happens, submission of the next job will require a *cold start*. The next visualization shows some session inactivity period and cluster teardown scenarios.

-A Synapse Spark pool created in an Azure Synapse workspace becomes available in the Azure Machine Learning workspace with the Attached Synapse Spark pool. This option may be suitable for the users who want to reuse an existing Azure Synapse Spark pool. Attachment of an Azure Synapse Spark pool to the Azure Machine Learning workspace requires [other steps](./how-to-manage-synapse-spark-pool.md), before the Azure Synapse Spark pool can be used in the Azure Machine Learning for

-While an attached Synapse Spark pool provides access to native Synapse features, the user is responsible for provisioning, attaching, configuring, and managing the Synapse Spark pool.

-The Spark session configuration for an attached Synapse Spark pool also offers an option to define a session timeout (in minutes). The session timeout behavior resembles the description seen in [the previous section](#inactivity-periods-and-tear-down-mechanism), except the associated resources are never torn down after the session timeout.

-You can define three parameter values

-in Azure Machine Learning Spark jobs. You should consider an Azure Machine Learning Apache Spark executor as an equivalent of Azure Spark worker nodes. An example will explain these parameters. Let's say that you have defined number of executors as 6 (equivalent to six worker nodes), executor cores as 4, and executor memory as 28 GB. Your Spark job will then have access to a cluster with 24 cores and 168-GB memory.

-To access data and other resources, a Spark job can either use either user identity passthrough, or a managed identity. This table summarizes the different mechanisms Spark jobs use to access resources.

-[This page](./how-to-submit-spark-jobs.md#ensuring-resource-access-for-spark-jobs) describes Spark job resource access. In a Notebooks session, both the Managed (Automatic) Spark compute and the attached Synapse Spark pool use user identity passthrough for data access during [interactive data wrangling](./interactive-data-wrangling-with-apache-spark-azure-ml.md).

-> - To ensure successful Spark job execution, assign **Contributor** and **Storage Blob Data Contributor** roles, on the Azure storage account used for data input and output, to the identity used for the Spark job.

-> - If an [attached Synapse Spark pool](./how-to-manage-synapse-spark-pool.md) points to a Synapse Spark pool in an Azure Synapse workspace, and that workspace has an associated managed virtual network associated, [configure a managed private endpoint to storage account](../synapse-analytics/security/connect-to-a-secure-storage-account.md), to ensure data access.

-This [quickstart guide](./quickstart-spark-jobs.md) describes how to start using Managed (Automatic) Spark compute to submit your Spark jobs in Azure Machine Learning.

-# Customer intent: As an experienced Python developer, I need to make my data in Azure storage available to my remote compute, to train my machine learning models.

-In this article, learn how to connect to Azure data storage services, with Azure Machine Learning datastores.

-> Azure Machine Learning datastores do **not** create the underlying storage accounts. Instead, they link an **existing** storage account for Azure Machine Learning use. Azure Machine Learning datastores are not required for this. If you have access to the underlying data, you can use storage URIs directly.

- :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/mlflow/create-endpoint.yaml":::

- :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="create_endpoint":::

- :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/mlflow/sklearn-deployment.yaml":::

- :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="create_sklearn_deployment":::

- :::code language="json" source="~/azureml-examples-main/cli/endpoints/online/mlflow/sample-request-sklearn.json":::

-In this article, you learn how to use the [Execute Python Script](algorithm-module-reference/execute-python-script.md) component to add custom logic to Azure Machine Learning designer. In the following how-to, you use the Pandas library to do simple feature engineering.

-You can use the in-built code editor to quickly add simple Python logic. If you want to add more complex code or upload additional Python libraries, you should use the zip file method.

-The default execution environment uses the Anacondas distribution of Python. For a complete list of pre-installed packages, see the [Execute Python Script component reference](algorithm-module-reference/execute-python-script.md) page.

-This article uses the sample dataset, **Automobile price data (Raw)**.

-

-

-1. Take note of which input port you use. The designer assigns the left input port to the variable `dataset1` and the middle input port to `dataset2`.

-Input components are optional since you can generate or import data directly in the **Execute Python Script** component.

-The designer provides an initial entry point script for you to edit and enter your own Python code.

-In this example, you use Pandas to combine two columns found in the automobile dataset, **Price** and **Horsepower**, to create a new column, **Dollars per horsepower**. This column represents how much you pay for each horsepower, which could be a useful feature to decide if a car is a good deal for the money.

-1. Copy and paste the following code into the text box.

- Your pipeline should look the following image:

- The entry point script must contain the function `azureml_main`. There are two function parameters that map to the two input ports for the **Execute Python Script** component.

- The return value must be a Pandas Dataframe. You can return up to two dataframes as component outputs.

-Now, you have a dataset with the new feature **Dollars/HP**, which could be useful in training a car recommender. This is an example of feature extraction and dimensionality reduction.

-Learn how to [import your own data](v1/how-to-designer-import-data.md) in Azure Machine Learning designer.

-In this article, you learn how to transform and save datasets in Azure Machine Learning designer so that you can prepare your own data for machine learning.

-You will use the sample [Adult Census Income Binary Classification](./samples-designer.md) dataset to prepare two datasets: one dataset that includes adult census information from only the United States and another dataset that includes census information from non-US adults.

-In this article, you learn how to:

-1. View results.

-This how-to is a prerequisite for the [how to retrain designer models](how-to-retrain-designer.md) article. In that article, you will learn how to use the transformed datasets to train multiple models with pipeline parameters.

-In this section, you learn how to import the sample dataset and split the data into US and non-US datasets. For more information on how to import your own data into the designer, see [how to import data](v1/how-to-designer-import-data.md).

-Use the following steps to import the sample dataset.

-1. Sign in to <a href="https://ml.azure.com?tabs=jre" target="_blank">ml.azure.com</a>, and select the workspace you want to work with.

-1. To the left of the pipeline canvas is a palette of datasets and components. Select **Datasets**. Then view the **Samples** section.

-In this section, you use the [Split Data component](algorithm-module-reference/split-data.md) to identify and split rows that contain "United-States" in the "native-country" column.

-1. In the component palette to the left of the canvas, expand the **Data Transformation** section and find the **Split Data** component.

-1. Drag the **Split Data** component onto the canvas, and drop the component below the dataset component.

-1. In the component details pane to the right of the canvas, set **Splitting mode** to **Regular Expression**.

- The **Regular expression** mode tests a single column for a value. For more information on the Split Data component, see the related [algorithm component reference page](algorithm-module-reference/split-data.md).

-Now that your pipeline is set up to split the data, you need to specify where to persist the datasets. For this example, use the **Export Data** component to save your dataset to a datastore. For more information on datastores, see [Connect to Azure storage services](how-to-access-data.md)

-1. In the component palette to the left of the canvas, expand the **Data Input and Output** section and find the **Export Data** component.

-1. Select the **Export Data** component that is connected to the *left*-most port of the **Split Data** component.

- The order of the output ports matter for the **Split Data** component. The first output port contains the rows where the regular expression is true. In this case, the first port contains rows for US-based income, and the second port contains rows for non-US based income.

- **Datastore**: Select an existing datastore or select "New datastore" to create one now.

- > This article assumes that you have access to a datastore registered to the current Azure Machine Learning workspace. For instructions on how to setup a datastore, see [Connect to Azure storage services](v1/how-to-connect-data-ui.md#create-datastores).

- If you don't have a datastore, you can create one now. For example purposes, this article will save the datasets to the default blob storage account associated with the workspace. It will save the datasets into the `azureml` container in a new folder called `data`.

-1. In the component details pane to the right of the canvas, set the following options:

-1. Confirm the **Export Data** component connected to the left port of the **Split Data** has the **Path** `/data/us-income`.

-1. Confirm the **Export Data** component connected to the right port has the **Path** `/data/non-us-income`.

-Now that your pipeline is setup to split and export the data, submit a pipeline job.

-1. At the top of the canvas, select **Submit**.

-1. In the **Set up pipeline job** dialog, select **Create new** to create an experiment.

- Experiments logically group together related pipeline jobs. If you run this pipeline in the future, you should use the same experiment for logging and tracking purposes.

-1. Provide a descriptive experiment name like "split-census-data".

-After the pipeline finishes running, you can view your results by navigating to your blob storage in the Azure portal. You can also view the intermediary results of the **Split Data** component to confirm that your data has been split correctly.

-1. In the component details pane to the right of the canvas, select **Outputs + logs**.

-1. Select the visualize icon  next to **Results dataset1**.

-1. Verify that the "native-country" column only contains the value "United-States".

-1. Select the visualize icon  next to **Results dataset2**.

-Skip this section if you want to continue on with part 2 of this how to, [Retrain models with Azure Machine Learning designer](how-to-retrain-designer.md).

-In this article, you learned how to transform a dataset and save it to a registered datastore.

-Continue to the next part of this how-to series with [Retrain models with Azure Machine Learning designer](how-to-retrain-designer.md) to use your transformed datasets and pipeline parameters to train machine learning models.

-|Inqueue | Job is pending for compute resource allocation. Time spent in this stage is mainly depending on the status of your compute cluster or job yield policy for scope job.| If you're using a cluster with enough compute resource, this time should be short. | Check with workspace admin whether to increase the max nodes of the target compute or change the job to another less busy compute. |

-| Finalizing | Job is in post processing after execution complete. Time spent in this stage is mainly for some post processes like: output uploading, metric/logs uploading and resources clean up.| It will be short for command job. However, might be very long for PRS/MPI job because for a distributed job, the finalizing status is from the first node starting finalizing to the last node done finalizing. | Change your step run output mode from upload to mount if you find unexpected long finalizing time, or open support case via Azure portal. |

-Along with the profiling, you can also use the *Output + logs* (on the details page), the Common Runtime enabled monitoring metric for PRS/MPI jobs.

-After reviewing the billing models available, select one appropriate for your use case and complete the following steps:

-Complete the following steps to add identifier in the *Per core* billing model:

- :::image type="content" source="./media/azure-container/billing-identifier-label.png" alt-text="A screenshot of a properly formatted billing identifier label in a deployment.yaml file. The content resembles the sample depoyment.yaml file linked in this article":::

- :::image type="content" source="./media/azure-container/resources.png" alt-text="A screenshot of CPU resource requests in a deployment.yaml file. The content resembles the sample depoyment.yaml file linked in this article.":::

- :::image type="content" source="./media/azure-container/billing-identifier-value.png" alt-text="A screenshot of a properly formatted values.yaml file, showing the global > Azure > billingIdentifier field.":::

-Complete the following steps to add a billing identifier label in the *Per pod* and *Per node* billing model:

-Note that at deployment time, the cluster extensions feature will replace the billing identifier value with the extension type name you provide while setting up plan details.

-You can use [Power Automate](/power-automate/) to automate notifications every time a lead is added to your Azure Storage table. If you don't have an account, you can [sign up for a free account](https://flow.microsoft.com/).

-1. Open the [Power Automate](https://flow.microsoft.com/) webpage. Select **Sign in**. If you don't already have an account, select **Sign up free** to create one.

-1. Go back to [Power Automate](https://flow.microsoft.com/). Find the flow you created to send leads by going to **My Flows** from the Power Automate menu bar. Select the ellipsis next to the flow name to see more options, and select **Edit**.

-It may take some time after finalizing registration until discovered machines appear in the Migration and modernization tool. As VMs are discovered, the **Discovered servers** count rises.

-Investigate the [cloud migration journey](/azure/architecture/cloud-adoption/getting-started/migrate) in the Azure Cloud Adoption Framework.

-* An account on [flow.microsoft.com](https://flow.microsoft.com).

-1. In [Power Automate](https://flow.microsoft.com), select **Create** from the navigation bar on the left.

- | **Auto track configuration** | Select **Disabled**. |

-If you're making any of these changes, we recommend modifying your packet core instance during a maintenance window to minimize the impact on your service. The packet core reinstall will take approximately 45 minutes, but this time may vary between systems. You should allow up to two hours for the process to complete.

-If you're experiencing issues with your deployment, reinstalling the packet core may help return it to a good state. In this how-to guide, you'll learn how to reinstall a packet core instance using the Azure portal.

-Before reinstalling, follow this step to check the packet core instance's installation status.

-1. Under the **Essentials** heading, check the current packet core state under the **Packet core installation state** field. If the status under this field indicates the packet core instance is already running a reinstall process, wait for it to finish before attempting another reinstall.

-1. Azure will now uninstall the packet core instance and redeploy it with the same configuration. This process will take approximately 45 minutes. You can check the progress of the reinstall by selecting the notifications icon and then **More events in the activity log**.

-Through the UI, you can only share data with recipient's Azure sign in email.

-* YouΓÇÖre accessing shared data using ACLs. ACL is not supported for accessing shared data. You can use RBAC instead.

-1. Navigate to the _data source_ in the _Collection_ and select **View Details** to check the status of the scan

-1. Select the **Scan name** to manage the scan

-* [Microsoft Power Automate Template for OneDrive to Azure Storage Replication](https://flow.microsoft.com/galleries/public/templates/2f90b5d3-029b-4e2e-ad37-1c0fe6d187fe/when-a-file-is-uploaded-to-onedrive-copy-it-to-azure-storage-container/)

- ## Use a complex collection for the "many" side of a one-to-many relationship

-Once the index is created and populated, it exists independently of your blob container, but you can re-run indexing operations to refresh your index based on changed documents. Timestamp information on individual blobs is used for change detection. You can opt for either scheduled execution or on-demand indexing as the refresh mechanism.

-An *indexer* is a data-source-aware subservice in Cognitive Search, equipped with internal logic for sampling data, reading metadata data, retrieving data, and serializing data from native formats into JSON documents for subsequent import.

-If you expect that you may need to make updates to your index definition for your production indexes, you should use an alias rather than the index name for requests in your client-side application. Scenarios that require you to create a new index are outlined under these [rebuild conditions](search-howto-reindex.md#rebuild-conditions).

-Leverage the rapid application development environment of Power Apps to create a custom app for your searchable content in Azure Cognitive Search.

-A connector in Power Apps is a data source connection. In this step, you'll create a custom connector to connect to a search index in the cloud.

-1. On the left, expand **Dataverse** > **Custom Connectors**.

-

-1. Give your custom connector a name (for example, *AzureSearchQuery*), and then click **Continue**.

- * In the Host, you will need to enter your search service URL (such as `<yourservicename>.search.windows.net`)

- * For Base URL, simply enter "/"

-1. In the Security Page, set *API Key* as the **Authentication Type**, set both the parameter label and parameter name to *api-key*. For **Parameter location**, select *Header* as shown below.

-1. In the Definitions Page, select **+ New Action** to create an action that will query the index. Enter the value "Query" for the summary and the name of the operation ID. Enter a description like *"Queries the search index"*.

- * For the URL enter a sample query for your search index (`search=*` returns all documents, `$select=` lets you choose fields). The API version is required. Fully specified, a URL might look like this: `https://mydemo.search.windows.net/indexes/hotels-sample-index/docs?search=*&$select=HotelName,Description,Address/City&api-version=2020-06-30`

-1. Click **Import** to auto-fill the Request. Complete setting the parameter metadata by clicking the **...** symbol next to each of the parameters. Click **Back** to return to the Request page after each parameter update.

-1. Switch back to the wizard and return to the **3. Request** step. Scroll down to the Response section. Click **"Add default response"**. This is critical because it will help Power Apps understand the schema of the response.

-1. Paste a sample response. An easy way to capture a sample response is through Search Explorer in the Azure portal. In Search Explorer, you should enter the same query as you did for the request, but add **$top=2** to constrain results to just two documents: : `search=*&$select=HotelName,Description,Address/City&$top=2`.

-1. Click **Import** to add the default response.

-1. Click **Create connector** on the top right to save the definition.

-1. Click **Close** to close the connector.

-When the connector is first created, you need to reopen it from the Custom Connectors list in order to test it. Later, if you make additional updates, you can test from within the wizard.

-You will need a [query API key](search-security-api-keys.md#find-existing-keys) for this task. Each time a connection is created, whether for a test run or inclusion in an app, the connector needs the query API key used for connecting to Azure Cognitive Search.

-1. On the far left, click **Custom Connectors**.

-1. Select **4. Test** to open the test page.

-1. In Test Operation, click **+ New Connection**.

-1. In Operations, click the **Test operation** button. If you are successful you should see a 200 status, and in the body of the response you should see JSON that describes the search results.

-1. Select the type of application. For this tutorial, create a **Blank App** with the **Phone Layout**. The **Power Apps Studio** will appear.

-1. Once in the studio, select the **Data Sources** tab, and click on the new Connector you have just created. In our case, it is called *AzureSearchQuery*. Click **Add a connection**.

- This action will cause the button to update a new collection called *azResult* with the result of the search query, using the text in the *txtQuery* text box as the query term.

-If you are using a free service, remember that you are limited to three indexes, indexers, and data sources. You can delete individual items in the portal to stay under the limit.

-This article explains how to drop and rebuild an Azure Cognitive Search index, the circumstances under which rebuilds are required, and recommendations for mitigating the impact of rebuilds on ongoing query requests. If you frequently have to rebuild your search index, we recommend using [index aliases](search-how-to-alias.md) to make it easier to swap which index your application is pointing to.

-A search index is a collection of physical folders and field-based inverted indexes of your content, distributed in shards across the number of partitions allocated to your search index. In Azure Cognitive Search, you cannot drop and recreate individual fields. If you want to fully rebuild a field, all field storage must be deleted, recreated based on an existing or revised index schema, and then repopulated with data pushed to the index or pulled from external sources.

-It's common to drop and rebuild indexes during development when you are iterating over index design. Most developers work with a small representative sample of their data to facilitate this process.

-## Rebuild conditions

-The following table enumerates the conditions under which a rebuild is required.

-| Condition | Description |

-| Update or delete an analyzer definition in an index | You cannot delete or change an existing analyzer configuration (analyzer, tokenizer, token filter, or char filter) in the index unless you rebuild the entire index. |

-| Delete a field | To physically remove all traces of a field, you have to rebuild the index. When an immediate rebuild is not practical, you can modify application code to disable access to the "deleted" field or use the [$select query parameter](search-query-odata-select.md) to choose which fields are represented in the result set. Physically, the field definition and contents remain in the index until the next rebuild, when you apply a schema that omits the field in question. |

-| Switch tiers | If you require more capacity, there is no in-place upgrade in the Azure portal. A new service must be created, and indexes must be built from scratch on the new service. To help automate this process, you can use the **index-backup-restore** sample code in this [Azure Cognitive Search .NET sample repo](https://github.com/Azure-Samples/azure-search-dotnet-samples). This app will back up your index to a series of JSON files, and then recreate the index in a search service you specify.|

-## Update conditions

-Many other modifications can be made without impacting existing physical structures. Specifically, the following changes do *not* require an index rebuild. For these changes, you can [update an index definition](/rest/api/searchservice/update-index) with your changes.

-1. Determine whether a rebuild is required. If you are just adding fields, or changing some part of the index that is unrelated to fields, you might be able to simply [update the definition](/rest/api/searchservice/update-index) without deleting, recreating, and fully reloading it.

-1. [Drop the existing index](/rest/api/searchservice/delete-index), assuming you are not running new and old indexes side by side.

-When you create the index, physical storage is allocated for each field in the index schema, with an inverted index created for each searchable field. Fields that are not searchable can be used in filters or expressions, but do not have inverted indexes and are not full-text or fuzzy searchable. On an index rebuild, these inverted indexes are deleted and recreated based on the index schema you provide.

-Indexing does not run in the background, but the search service will balance any indexing jobs against ongoing queries. During indexing, you can [monitor query requests](search-monitor-queries.md) in the portal to ensure queries are completing in a timely manner.

-translation.priority.mt:

- - "de-de"

- - "es-es"

- - "fr-fr"

- - "it-it"

- - "ja-jp"

- - "ko-kr"

- - "pt-br"

- - "ru-ru"

- - "zh-cn"

- - "zh-tw"

-When writing an [OData filter expression](query-odata-filter-orderby-syntax.md) to use with Azure Cognitive Search, it is often useful to filter on collection fields. You can achieve this using the `any` and `all` operators.

-Match documents where for all rooms, the `rooms/amenities` field contains "tv" and `rooms/baseRate` is less than 100:

- :::image type="content" source="media/service-configure-firewall/azure-portal-firewall.png" alt-text="Screenshot showing how to configure the IP firewall in the Azure portal" border="true":::

-|Field |How to retrieve |Default value |

-| Supported Azure Functions [runtimes](../azure-functions/supported-languages.md#languages-by-runtime-version)¹ | Node.js 12<br>Node.js 14<br>Node.js 16<br>.NET Core 3.1<br>.NET 6.0<br>.NET 7.0<br>Python 3.8<br>Python 3.9 | All |

-| <ul><li>Triggers are limited to [HTTP](../azure-functions/functions-bindings-http-webhook.md).</li><li>The Azure Functions app must either be in Node.js 12, Node.js 14, Node.js 16, .NET Core 3.1, .NET 6.0, Python 3.8, or Python 3.9.</li><li>Some application settings are managed by the service, therefore the following prefixes are reserved by the runtime:<ul><li>*APPSETTING\_, AZUREBLOBSTORAGE\_, AZUREFILESSTORAGE\_, AZURE_FUNCTION\_, CONTAINER\_, DIAGNOSTICS\_, DOCKER\_, FUNCTIONS\_, IDENTITY\_, MACHINEKEY\_, MAINSITE\_, MSDEPLOY\_, SCMSITE\_, SCM\_, WEBSITES\_, WEBSITE\_, WEBSOCKET\_, AzureWeb*</li></ul></li><li>Some application tags are internally used by the service. Therefore, the following tags are reserved:<ul><li> *AccountId, EnvironmentId, FunctionAppId*.</li></ul></li></ul> | <ul><li>You are responsible to manage the Functions app deployment.</li></ul> |