-1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [http://certauth.login.microsoftonline.com](http://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](/azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [http://certauth.login.microsoftonline.us](http://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs.

-### Enable Azure AD CBA using Microsoft Graph API

-1. Follow the steps to [consent to the _Policy.ReadWrite.AuthenticationMethod_ delegated permission](/graph/graph-explorer/graph-explorer-features.md#consent-to-permissions).

- GET https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMetHodConfigurations/X509Certificate

-This document discusses how to enable passwordless authentication to on-premises resources for environments with both *Azure Active Directory (Azure AD)-joined* and *hybrid Azure AD-joined* Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys.

- - For more information about the available Azure AD hybrid authentication options, see the following articles:

- - [Choose the right authentication method for your Azure AD hybrid identity solution](../hybrid/choose-ad-authn.md)

- - [Select which installation type to use for Azure AD Connect](../hybrid/how-to-connect-install-select-installation.md)

-For Azure AD joined devices the best experience is on Windows 10 version 1903 or higher.

-`aud` | `https://login.microsoftonline.com/{tenantId}/v2.0` | The "aud" (audience) claim identifies the recipients that the JWT is intended for (here Azure AD) See [RFC 7519, Section 4.1.3](https://tools.ietf.org/html/rfc7519#section-4.1.3). In this case, that recipient is the login server (login.microsoftonline.com).

- "aud": "https: //login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/token",

-Clients use access tokens to access a protected resource. An access token can be used only for a specific combination of user, client, and resource. Access tokens cannot be revoked and are valid until their expiry. A malicious actor that has obtained an access token can use it for extent of its lifetime. Adjusting the lifetime of an access token is a trade-off between improving system performance and increasing the amount of time that the client retains access after the userΓÇÖs account is disabled. Improved system performance is achieved by reducing the number of times a client needs to acquire a fresh access token.

-ID tokens are passed to websites and native clients. ID tokens contain profile information about a user. An ID token is bound to a specific combination of user and client. ID tokens are considered valid until their expiry. Usually, a web application matches a userΓÇÖs session lifetime in the application to the lifetime of the ID token issued for the user. You can adjust the lifetime of an ID token to control how often the web application expires the application session, and how often it requires the user to be re-authenticated with the Microsoft identity platform (either silently or interactively).

-> Existing tokenΓÇÖs lifetime will not be changed. After they expire, a new token will be issued based on the default value.

-Refresh and session token configuration are affected by the following properties and their respectively set values. After the retirement of refresh and session token configuration on January 30, 2021, Azure AD will only honor the default values described below. If you decide not to use [Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to manage sign-in frequency, your refresh and session tokens will be set to the default configuration on that date and youΓÇÖll no longer be able to change their lifetimes.

-A tokenΓÇÖs validity is evaluated at the time the token is used. The policy with the highest priority on the application that is being accessed takes effect.

-| **Join()** | Creates a new value by joining two attributes. Optionally, you can use a separator between the two attributes. |

- > The **Users may join devices to Azure AD** setting is applicable only to Azure AD join on Windows 10 or newer. This setting doesn't apply to hybrid Azure AD joined devices, [Azure AD joined VMs in Azure](./howto-vm-sign-in-azure-ad-windows.md#enabling-azure-ad-login-in-for-windows-vm-in-azure), or Azure AD joined devices that use [Windows Autopilot self-deployment mode](/mem/autopilot/self-deploying) because these methods work in a userless context.

- > The **Require Multi-Factor Authentication to register or join devices with Azure AD** setting applies to devices that are either Azure AD joined (with some exceptions) or Azure AD registered. This setting doesn't apply to hybrid Azure AD joined devices, [Azure AD joined VMs in Azure](./howto-vm-sign-in-azure-ad-windows.md#enabling-azure-ad-login-in-for-windows-vm-in-azure), or Azure AD joined devices that use [Windows Autopilot self-deployment mode](/mem/autopilot/self-deploying).

-## Enabling Azure AD login in for Windows VM in Azure

-To use Azure AD login in for Windows VM in Azure, you need to first enable Azure AD login option for your Windows VM and then you need to configure Azure role assignments for users who are authorized to login in to the VM.

->- We now recommend that the partner set the audience of the SAML or WS-Fed based IdP to a tenanted audience. Refer to the [SAML 2.0](#required-saml-20-attributes-and-claims) and [WS-Fed](#required-ws-fed-attributes-and-claims) required attributes and claims sections below.

-|Audience |`https://login.microsoftonline.com/<tenant ID>/` (Recommended tenanted audience.) Replace `<tenant ID>` with the tenant ID of the Azure AD tenant you're setting up federation with.<br><br>`urn:federation:MicrosoftOnline` (This value will be deprecated.) |

-|Audience |`https://login.microsoftonline.com/<tenant ID>/` (Recommended tenanted audience.) Replace `<tenant ID>` with the tenant ID of the Azure AD tenant you're federating with.<br><br>`urn:federation:MicrosoftOnline` (This value will be deprecated.) |

-[Moula](https://moula.com.au/pay/merchants), [Surveypal](https://www.surveypal.com/app), [Kbot365](https://www.konverso.ai/virtual-assistant-digital-workplace/), [TackleBox](https://tacklebox.in/), [Powell Teams](https://powell-software.com/en/powell-teams-en/), [Talentsoft Assistant](https://msteams.talent-soft.com/), [ASC Recording Insights](https://teams.asc-recording.app/product), [GO1](https://www.go1.com/), [B-Engaged](https://b-engaged.se/), [Competella Contact Center Workgroup](http://www.competella.com/), [Asite](http://www.asite.com/), [ImageSoft Identity](https://identity.imagesoftinc.com/), [My IBISWorld](https://identity.imagesoftinc.com/), [insuite](../saas-apps/insuite-tutorial.md), [Change Process Management](../saas-apps/change-process-management-tutorial.md), [Cyara CX Assurance Platform](../saas-apps/cyara-cx-assurance-platform-tutorial.md), [Smart Global Governance](../saas-apps/smart-global-governance-tutorial.md), [Prezi](../saas-apps/prezi-tutorial.md), [Mapbox](../saas-apps/mapbox-tutorial.md), [Datava Enterprise Service Platform](../saas-apps/datava-enterprise-service-platform-tutorial.md), [Whimsical](../saas-apps/whimsical-tutorial.md), [Trelica](../saas-apps/trelica-tutorial.md), [EasySSO for Confluence](../saas-apps/easysso-for-confluence-tutorial.md), [EasySSO for BitBucket](../saas-apps/easysso-for-bitbucket-tutorial.md), [EasySSO for Bamboo](../saas-apps/easysso-for-bamboo-tutorial.md), [Torii](../saas-apps/torii-tutorial.md), [Axiad Cloud](../saas-apps/axiad-cloud-tutorial.md), [Humanage](../saas-apps/humanage-tutorial.md), [ColorTokens ZTNA](../saas-apps/colortokens-ztna-tutorial.md), [CCH Tagetik](../saas-apps/cch-tagetik-tutorial.md), [ShareVault](../saas-apps/sharevault-tutorial.md), [Vyond](../saas-apps/vyond-tutorial.md), [TextExpander](../saas-apps/textexpander-tutorial.md), [Anyone Home CRM](../saas-apps/anyone-home-crm-tutorial.md), [askSpoke](../saas-apps/askspoke-tutorial.md), [ice Contact Center](../saas-apps/ice-contact-center-tutorial.md)

-Before using the Azure Monitor workbooks, you must configure Azure AD to send a copy of its audit logs to Azure Monitor.

-**Prerequisite role**: Global Admin

-1. If there isn't already a setting, click **Add diagnostic setting**. Use the instructions in the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md#send-logs-to-azure-monitor)

-to send the Azure AD audit log to the Azure Monitor workspace.

-## Next steps:

-Managed identities for Azure resources eliminate the need to manage credentials in code. You can use them to get an Azure Active Directory (Azure AD) token your applications can use when you access resources that support Azure AD authentication. Azure manages the identity so you don't have to.

-There are two types of managed identities: system-assigned and user-assigned. The main difference between them is that system-assigned managed identities have their lifecycle linked to the resource where they're used. User-assigned managed identities can be used on multiple resources. To learn more about managed identities, see [What are managed identities for Azure resources?](overview.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) by using an account associated with the Azure subscription to create the user-assigned managed identity.

-To list or read a user-assigned managed identity, your account needs the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) or [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.

-1. Sign in to the [Azure portal](https://portal.azure.com) by using an account associated with the Azure subscription to list the user-assigned managed identities.

-1. Sign in to the [Azure portal](https://portal.azure.com) by using an account associated with the Azure subscription to delete a user-assigned managed identity.

-1. Sign in to the [Azure portal](https://portal.azure.com) by using an account associated with the Azure subscription to list the user-assigned managed identities.

-As with the Azure portal and scripting, Resource Manager templates provide the ability to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based. You can:

-For information on how to assign a user-assigned managed identity to an Azure VM by using a Resource Manager template, see [Configure managed identities for Azure resources on an Azure VM using a template](qs-configure-template-windows-vm.md).

-| Sharing across Azure resources | Cannot be shared. <br/> It can only be associated with a single Azure resource. | Can be shared. <br/> The same user-assigned managed identity can be associated with more than one Azure resource. |

-3. Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate.

-This article provides various code and script examples for token acquisition, as well as guidance on important topics such as handling token expiration and HTTP errors.

-A client application can request managed identities for Azure resources [app-only access token](../develop/developer-glossary.md#access-token) for accessing a given resource. The token is [based on the managed identities for Azure resources service principal](overview.md#managed-identity-types). As such, there is no need for the client to register itself to obtain an access token under its own service principal. The token is suitable for use as a bearer token in

-The fundamental interface for acquiring an access token is based on REST, making it accessible to any client application running on the VM that can make HTTP REST calls. This is similar to the Azure AD programming model, except the client uses an endpoint on the virtual machine (vs an Azure AD endpoint).

-| `Metadata` | An HTTP request header field, required by managed identities for Azure resources as a mitigation against Server Side Request Forgery (SSRF) attack. This value must be set to "true", in all lower case. |

-| `access_token` | The requested access token. When calling a secured REST API, the token is embedded in the `Authorization` request header field as a "bearer" token, allowing the API to authenticate the caller. |

-For .NET applications and functions, the simplest way to work with managed identities for Azure resources is through the Microsoft.Azure.Services.AppAuthentication package. This library will also allow you to test your code locally on your development machine, using your user account from Visual Studio, the [Azure CLI](/cli/azure), or Active Directory Integrated Authentication. For more on local development options with this library, see the [Microsoft.Azure.Services.AppAuthentication reference](/dotnet/api/overview/azure/service-to-service-authentication). This section shows you how to get started with the library in your code.

-Example on how to parse the access token from the response:

-Example on how to parse the access token from the response:

-While the managed identities for Azure resources subsystem does cache tokens, we also recommend to implement token caching in your code. As a result, you should prepare for scenarios where the resource indicates that the token is expired.

-The managed identities for Azure resources endpoint signals errors via the status code field of the HTTP response message header, as either 4xx or 5xx errors:

-| 4xx Error in request. | One or more of the request parameters was incorrect. | Do not retry. Examine the error details for more information. 4xx errors are design-time errors.|

-| 5xx Transient error from service. | The managed identities for Azure resources subsystem or Azure Active Directory returned a transient error. | It is safe to retry after waiting for at least 1 second. If you retry too quickly or too often, IMDS and/or Azure AD may return a rate limit error (429).|

-| 400 Bad Request | invalid_resource | AADSTS50001: The application named *\<URI\>* was not found in the tenant named *\<TENANT-ID\>*. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\ | (Linux only) |

-| | unauthorized_client | The client is not authorized to request an access token using this method. | Caused by a request on a VM that doesn't have managed identities for Azure resources configured correctly. See [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md) if you need assistance with VM configuration. |

-| | unsupported_response_type | The authorization server does not support obtaining an access token using this method. | |

-| 500 Internal server error | unknown | Failed to retrieve token from the Active directory. For details see logs in *\<file path\>* | Verify that managed identities for Azure resources is enabled on the VM. See [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md) if you need assistance with VM configuration.<br><br>Also verify that your HTTP GET request URI is formatted correctly, particularly the resource URI specified in the query string. See the "Sample request" in the preceding REST section for an example, or [Azure services that support Azure AD authentication](./services-support-managed-identities.md) for a list of services and their respective resource IDs.

-It is recommended to retry if you receive a 404, 429, or 5xx error code (see [Error handling](#error-handling) above).

-See [Azure services that support Azure AD authentication](./services-support-managed-identities.md) for a list of resources that support Azure AD and have been tested with managed identities for Azure resources, and their respective resource IDs.

-description: A tutorial that shows you how to use a Linux VM system-assigned managed identity to access Azure Storage, using a SAS credential instead of a storage account access key.

-A Service SAS provides the ability to grant limited access to objects in a storage account, for a limited time and a specific service (in our case, the blob service), without exposing an account access key. You can use a SAS credential as usual when doing storage operations, for example when using the Storage SDK. For this tutorial, we demonstrate uploading and downloading a blob using Azure Storage CLI. You will learn how to:

-If you don't already have one, you will now create a storage account. You can also skip this step and grant your VM system-assigned managed identity access to the keys of an existing storage account.

-1. Click the **+/Create new service** button found on the upper left-hand corner of the Azure portal.

-2. Click **Storage**, then **Storage Account**, and a new "Create storage account" panel will display.

-3. Enter a **Name** for the storage account, which you will use later.

-6. Click **Create**.

-Later we will upload and download a file to the new storage account. Because files require blob storage, we need to create a blob container in which to store the file.

-2. Click the **Containers** link in the left panel, under "Blob service."

-3. Click **+ Container** on the top of the page, and a "New container" panel slides out.

-4. Give the container a name, select an access level, then click **OK**. The name you specified will be used later in the tutorial.

-Azure Storage natively supports Azure AD authentication, so you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Grant access by assigning the [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.

-For the remainder of the tutorial, we will work from the VM we created earlier.

-To complete these steps, you will need an SSH client. If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/install-win10). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).

-1. In the Azure portal, navigate to **Virtual Machines**, go to your Linux virtual machine, then from the **Overview** page click **Connect** at the top. Copy the string to connect to your VM.

-3. Next, you will be prompted to enter in your **Password** you added when creating the **Linux VM**. You should then be successfully signed in.

-For this request we'll use the follow HTTP request parameters to create the SAS credential:

-Create a sample blob file to upload to your blob storage container. On a Linux VM, you can do this with the following command.

-Next, authenticate with the CLI `az storage` command using the SAS credential, and upload the file to the blob container. For this step, you will need to [install the latest Azure CLI](/cli/azure/install-azure-cli) on your VM, if you haven't already.

-1. Click the **+ Create a resource** button found on the upper left-hand corner of the Azure portal.

-2. Click **Storage**, then **Storage account - blob, file, table, queue**.

-6. Click **Create**.

-2. Under **Blob Service**, click **Containers**.

-3. Click **+ Container** on the top of the page.

-4. Under **New container**, enter a name for the container and under **Public access level** keep the default value .

-7. In the **Upload blob** pane, under **Files**, click the folder icon and browse to the file **hello_world.txt** on your local machine, select the file, then click **Upload**.

-1. Click **Access control (IAM)**.

-1. Click **Add** > **Add role assignment** to open the Add role assignment page.

-Azure Storage natively supports Azure AD authentication, so it can directly accept access tokens obtained using a managed identity. This is part of Azure Storage's integration with Azure AD, and is different from supplying credentials on the connection string.

-Here's a .NET code example of opening a connection to Azure Storage using an access token and then reading the contents of the file you created earlier. This code must run on the VM to be able to access the VM's managed identity endpoint. .NET Framework 4.6 or higher is required to use the access token method. Replace the value of `<URI to blob file>` accordingly. You can obtain this value by navigating to file you created and uploaded to blob storage and copying the **URL** under **Properties** the **Overview** page.

-In this tutorial, you learned how enable a Windows VM's system-assigned identity to access Azure Storage. To learn more about Azure Storage see:

-This tutorial shows you how to use a system-assigned managed identity for a Windows virtual machine (VM) to access an Azure Data Lake Store. Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert credentials into your code. You learn how to:

-In your Data Lake Store, create a new folder and grant your VM's system-assigned identity permission to read, write, and execute files in that folder:

-1. In the Azure portal, click **Data Lake Store** in the left-hand navigation.

-2. Click the Data Lake Store you want to use for this tutorial.

-3. Click **Data Explorer** in the command bar.

-4. The root folder of the Data Lake Store is selected. Click **Access** in the command bar.

-5. Click **Add**. In the **Select** field, enter the name of your VM, for example **DevTestVM**. Click to select your VM from the search results, then click **Select**.

-6. Click **Select Permissions**. Select **Read** and **Execute**, add to **This folder**, and add as **An access permission only**. Click **Ok**. The permission should be added successfully.

-8. For this tutorial, create a new folder. Click **New Folder** in the command bar, and give the new folder a name, for example **TestFolder**. Click **Ok**.

-9. Click on the folder you created, then click **Access** in the command bar.

-10. Similar to step 5, click **Add**, in the **Select** field enter the name of your VM, select it and click **Select**.

-11. Similar to step 6, click **Select Permissions**, select **Read**, **Write**, and **Execute**, add to **This folder**, and add as **An access permission entry and a default permission entry**. Click **Ok**. The permission should be added successfully.

-Azure Data Lake Store natively supports Azure AD authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. To authenticate to the Data Lake Store filesystem you send an access token issued by Azure AD to your Data Lake Store filesystem endpoint, in an Authorization header in the format "Bearer <ACCESS_TOKEN_VALUE>". To learn more about Data Lake Store support for Azure AD authentication, read [Authentication with Data Lake Store using Azure Active Directory](../../data-lake-store/data-lakes-store-authentication-using-azure-active-directory.md)

-1. In the portal, navigate to **Virtual Machines**, go to your Windows VM, and in the **Overview** click **Connect**.

-3. Now that you have created a **Remote Desktop Connection** with the virtual machine, open **PowerShell** in the remote session.

-5. Using PowerShell's `Invoke-WebRequest', make a request to your Data Lake Store's REST endpoint to list the folders in the root folder. This is a simple way to check everything is configured correctly. It is important the string "Bearer" in the Authorization header has a capital "B". You can find the name of your Data Lake Store in the **Overview** section of the Data Lake Store blade in the Azure portal.

- If you inspect the value of `$HdfsRedirectResponse` it should look like the following response:

-In this tutorial, you learned how to use a system-assigned managed identity for a Windows virtual machine to access an Azure Data Lake Store. To learn more about Azure Data Lake Store see:

-This tutorial shows you how a Windows virtual machine (VM) can use a system-assigned managed identity to access [Azure Key Vault](../../key-vault/general/overview.md). Serving as a bootstrap, Key Vault makes it possible for your client application to then use a secret to access resources not secured by Azure Active Directory (AD). Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without including authentication information in your code.

-This section shows how to grant your VM access to a secret stored in a Key Vault. Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication.  However, not all Azure services support Azure AD authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the VM's managed identity to access Key Vault to retrieve the credentials.

-1. Fill out all required information making sure that you choose the subscription and resource group where you created the virtual machine that you are using for this tutorial.

-Next, add a secret to the Key Vault, so you can retrieve it later using code running in your VM. In this tutorial, we are using PowerShell but the same concepts apply to any code executing in this virtual machine.

-1. Select **Secrets**, and click **Add**.

-1. In the **Create a secret** screen from **Upload options** leave **Manual** selected.

-1. Click **Create** to create the secret.

-The managed identity used by the virtual machine needs to be granted access to read the secret that we will store in the Key Vault.

-1. In the **Add access policy** section under **Configure from template (optional)** choose **Secret Management** from the pull-down menu.

-1. In the portal, navigate to **Virtual Machines** and go to your Windows virtual machine and in the **Overview**, click **Connect**.

-3. Now that you have created a **Remote Desktop Connection** with the virtual machine, open PowerShell in the remote session.  

-Alternatively you may also do this via [PowerShell or the CLI](../../azure-resource-manager/management/delete-resource-group.md)

-In this tutorial, you learned how to use a Windows VM system-assigned managed identity to access Azure Key Vault. To learn more about Azure Key Vault see:

-* Import of all roles will fail if any of the custom roles is either "agent" or "end-user". To avoid this, ensure that none of the roles being imported has the above display names.

-# Add Azure Dedicated Host to an Azure Kubernetes Service (AKS) cluster

-* Control over maintenance events initiated by the Azure platform. While the majority of maintenance events have little to no impact on your virtual machines, there are some sensitive workloads where each second of pause can have an impact. With dedicated hosts, you can opt in to a maintenance window to reduce the impact to your service.

-* An existing agentpool cannot be converted from non-ADH to ADH or ADH to non-ADH.

-* It is not supported to update agentpool from host group A to host group B.

-Span across multiple availability zones. In this case, you are required to have a host group in each of the zones you wish to use.

-Span across multiple fault domains which are mapped to physical racks.

-In this example, we will use [az vm host group create](/cli/azure/vm/host/group#az_vm_host_group_create?view=azure-cli-latest&preserve-view=true) to create a host group using both availability zones and fault domains.

-## Add a Dedicated Host Nodepool to an existing AKS cluster

-## Remove a Dedicated Host Nodepool from an AKS cluster

- A tool called [Creator](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/master/src/APIM_ARMTemplate/README.md#Creator) in the resource kit can help automate the creation of API templates based on an Open API Specification file. Additionally, developers can supply API Management policies for an API in XML format.

-* For customers who are already using API Management, another challenge is to extract existing configurations into Resource Manager templates. For those customers, a tool called [Extractor](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/master/src/APIM_ARMTemplate/README.md#extractor) in the resource kit can help generate templates by extracting configurations from their API Management instances.

-* To learn more about the self-hosted gateway, see [Azure API Management self-hosted gateway overview](self-hosted-gateway-overview.md).

- --server <server-name>

-# Configure listener-specific SSL policies on Application Gateway through portal (Preview)

-To set up a listener-specific SSL policy, you'll need to first go to the **SSL settings (Preview)** tab in the Portal and create a new SSL profile. When you create an SSL profile, you'll see two tabs: **Client Authentication** and **SSL Policy**. The **SSL Policy** tab is to configure a listener-specific SSL policy. The **Client Authentication** tab is where to upload a client certificate(s) for mutual authentication - for more information, check out [Configuring a mutual authentication](./mutual-authentication-portal.md).

-2. Select **SSL settings (Preview)** from the left-side menu.

-> [Manage web traffic with an application gateway using the Azure CLI](./tutorial-manage-web-traffic-cli.md)

-# Overview of mutual authentication with Application Gateway (Preview)

-With mutual authentication, there are additional server variables that you can use to pass information about the client certificate to the backend servers behind the Application Gateway. For more information about which server variables are available and how to use them, check out [server variables](./rewrite-http-headers-url.md#mutual-authentication-server-variables-preview).

-# Configure mutual authentication with Application Gateway through portal (Preview)

-To configure an existing Application Gateway with mutual authentication, you'll need to first go to the **SSL settings (Preview)** tab in the Portal and create a new SSL profile. When you create an SSL profile, you'll see two tabs: **Client Authentication** and **SSL Policy**. The **Client Authentication** tab is where you'll upload your client certificate(s). The **SSL Policy** tab is to configure a listener specific SSL policy - for more information, check out [Configuring a listener specific SSL policy](./application-gateway-configure-listener-specific-ssl-policy.md).

-2. Select **SSL settings (Preview)** from the left-side menu.

-1. Navigate to your Application Gateway and go to the **SSL settings (Preview)** tab in the left-hand menu.

-# Configure mutual authentication with Application Gateway through PowerShell (Preview)

-# Troubleshooting mutual authentication errors in Application Gateway (Preview)

-We'll go through different scenarios that you might run into and how to troubleshoot those scenarios. We'll then address error codes and explain likely causes for certain error codes you might be seeing with mutual authentication.

-### Mutual authentication server variables (Preview)

-# Build your training data set for a custom model

-> [Learn about accuracy and confidence with custom models](../concept-accuracy-confidence.md)

-|Agent-based (V1) |Installed after the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md) reporting to an Azure Monitor [Log Analytics workspace](../azure-monitor/logs/design-logs-deployment.md) is completed.|

-|Extension-based (V2) |Installed using the [Hybrid Runbook Worker VM extension](./extension-based-hybrid-runbook-worker-install.md), without any dependency on the Log Analytics agent reporting to an Azure Monitor Log Analytics workspace. This is the recommended platform.|

-az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --profile-name <profile name> --auto-upload-logs true --auto-upload-metrics true --custom-location <name of custom location>

-az arcdata dc create --name arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --profile-name azure-arc-aks-premium-storage --auto-upload-logs true --auto-upload-metrics true --custom-location mycustomlocation

-kubectl get datacontrollers --name arc

-[Create an Azure SQL managed instance on Azure Arc](create-sql-managed-instance.md)

-az sql mi-arc create --name <name> --resource-group <group> --location <Azure location> ΓÇôsubscription <subscription> --custom-location <custom-location>

-az sql mi-arc create --name sqldemo --resource-group rg --location uswest2 ΓÇôsubscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --custom-location private-location

-description: "This article provides a conceptual overview of Custom Locations capability of Azure Arc"

-# What is a Custom location?

-As an extension of the Azure location construct, *Custom Locations* provides a reference as deployment target which administrators can setup, and user can point to, when creating an Azure resource. It abstracts the backend infrastructure details from application developers, database admin users, or other users in the organization. Since Custom Locations is an Azure Resource Manager resource that supports [Role based Access Control](../../role-based-access-control/overview.md) (RBAC), an administrator or operator can determine which users have access to create resource instances on:

-They are represented by a custom location by assigning RBAC permissions to users within your organization on the custom location.

-For example, a cluster operator can create a custom location **Contoso-Michigan-Healthcare-App** representing a namespace on a Kubernetes cluster in your organization's Michigan Data Center and assign permissions to application developers on this custom location to deploy healthcare related web applications without the developer having to know details of the namespace and Kubernetes cluster where the application would be deployed on.

-On Arc-enabled Kubernetes clusters, Custom Locations represents an abstraction of a namespace within the Azure Arc-enabled Kubernetes cluster. Custom Locations creates the granular [RoleBindings and ClusterRoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) necessary for other Azure services to access the cluster. These other Azure services require cluster access to manage resources you want to deploy on your clusters.

-When an administrator enables the Custom Locations feature on the cluster, a ClusterRoleBinding is created on the cluster, authorizing the Azure AD application used by the Custom Locations Resource Provider (RP). Once authorized, Custom Locations RP can create ClusterRoleBindings or RoleBindings needed by other Azure RPs to create custom resources on this cluster. The cluster extensions installed on the cluster determines the list of RPs to authorize.

-1. The RP fetches the `kubeconfig` file associated with the Azure Arc-enabled Kubernetes cluster, on which the Custom Location exists.

- * Custom Location is referenced as `extendedLocation` in the original PUT request.

-1. Azure Arc-enabled Data Services RP uses the `kubeconfig` to communicate with the cluster to create a custom resource of the Azure Arc-enabled Data Services type on the namespace mapped to the Custom Location.

- * The Azure Arc-enabled Data Services operator was deployed via cluster extension creation before the Custom Location existed.

-* Use our quickstart to [connect a Kubernetes cluster to Azure Arc](../kubernetes/quickstart-connect-cluster.md). Then [Create a custom location](../kubernetes/custom-locations.md) on your Azure Arc-enabled Kubernetes cluster.

-After initial deployment of the Azure Connected Machine agent for Windows or Linux, you may need to reconfigure the agent, upgrade it, or remove it from the computer. You can easily manage these routine maintenance tasks manually or through automation, which reduces both operational error and expenses.

-## Before uninstalling agent

-Before removing the Connected Machine agent from your Azure Arc-enabled server, consider the following to avoid unexpected issues or costs added to your Azure bill:

-* If you have deployed Azure VM extensions to an enabled server, and you remove the Connected Machine agent or you delete the resource representing the Azure Arc-enabled server in the resource group, those extensions continue to run and perform their normal operation.

-* If you delete the resource representing the Azure Arc-enabled server in your resource group, but you don't uninstall the VM extensions, when you re-register the machine, you won't be able to manage the installed VM extensions.

-For servers or machines you no longer want to manage with Azure Arc-enabled servers, it is necessary to follow these steps to successfully stop managing it:

-1. Remove the VM extensions from the machine or server. Steps are provided below.

-2. Disconnect the machine from Azure Arc using one of the following methods:

- * Running `azcmagent disconnect` command on the machine or server.

- * From the selected registered Azure Arc-enabled server in the Azure portal by selecting **Delete** from the top bar.

- * Using the [Azure CLI](../../azure-resource-manager/management/delete-resource-group.md?tabs=azure-cli#delete-resource) or [Azure PowerShell](../../azure-resource-manager/management/delete-resource-group.md?tabs=azure-powershell#delete-resource). For the`ResourceType` parameter use `Microsoft.HybridCompute/machines`.

-3. [Uninstall the agent](#remove-the-agent) from the machine or server following the steps below.

-## Renaming a machine

-When you change the name of the Linux or Windows machine connected to Azure Arc-enabled servers, the new name is not recognized automatically because the resource name in Azure is immutable. As with other Azure resources, you have to delete the resource and re-create it in order to use the new name.

-For Azure Arc-enabled servers, before you rename the machine, it is necessary to remove the VM extensions before proceeding.

-> While installed extensions continue to run and perform their normal operation after this procedure is complete, you won't be able to manage them. If you attempt to redeploy the extensions on the machine, you may experience unpredictable behavior.

-> [!WARNING]

-> We recommend you avoid renaming the machine's computer name and only perform this procedure if absolutely necessary.

-1. Audit the VM extensions installed on the machine and note their configuration, using the [Azure CLI](manage-vm-extensions-cli.md#list-extensions-installed) or using [Azure PowerShell](manage-vm-extensions-powershell.md#list-extensions-installed).

-2. Remove VM extensions installed from the [Azure portal](manage-vm-extensions-portal.md#remove-extensions), using the [Azure CLI](manage-vm-extensions-cli.md#remove-extensions), or using [Azure PowerShell](manage-vm-extensions-powershell.md#remove-extensions).

-3. Use the **azcmagent** tool with the [Disconnect](manage-agent.md#disconnect) parameter to disconnect the machine from Azure Arc and delete the machine resource from Azure. Disconnecting the machine from Azure Arc-enabled servers does not remove the Connected Machine agent, and you do not need to remove the agent as part of this process. You can run azcmagent manually while logged on interactively, or automate using the same service principal you used to onboard multiple agents, or with a Microsoft identity platform [access token](../../active-directory/develop/access-tokens.md). If you did not use a service principal to register the machine with Azure Arc-enabled servers, see the following [article](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale) to create a service principal.

-4. Rename the machines computer name.

-5. Re-register the Connected Machine agent with Azure Arc-enabled servers. Run the `azcmagent` tool with the [Connect](manage-agent.md#connect) parameter complete this step.

-6. Redeploy the VM extensions that were originally deployed to the machine from Azure Arc-enabled servers. If you deployed the Azure Monitor for VMs (insights) agent or the Log Analytics agent using an Azure Policy definition, the agents are redeployed after the next [evaluation cycle](../../governance/policy/how-to/get-compliance-data.md#evaluation-triggers).

-The Azure Connected Machine agent is updated regularly to address bug fixes, stability enhancements, and new functionality. [Azure Advisor](../../advisor/advisor-overview.md) identifies resources that are not using the latest version of machine agent and recommends that you upgrade to the latest version. It will notify you when you select the Azure Arc-enabled server by presenting a banner on the **Overview** page or when you access Advisor through the Azure portal.

-| Windows | Manually<br> Windows Update |

-| Ubuntu | [Apt](https://help.ubuntu.com/lts/serverguide/apt.html) |

-Update package for the Connected Machine agent for Windows is available from:

-* [Windows agent Windows Installer package](https://aka.ms/AzureConnectedMachineAgent) from the Microsoft Download Center.

-The agent can be upgraded following various methods to support your software update management process. Outside of obtaining from Microsoft Update, you can download and run manually from the Command Prompt, from a script or other automation solution, or from the UI wizard by executing `AzureConnectedMachine.msi`.

-> [!NOTE]

-> * To upgrade the agent, you must have *Administrator* permissions.

-> * To upgrade manually, you must first download and copy the Installer package to a folder on the target server, or from a shared network folder.

-If you are unfamiliar with the command-line options for Windows Installer packages, review [Msiexec standard command-line options](/windows/win32/msi/standard-installer-command-line-options) and [Msiexec command-line options](/windows/win32/msi/command-line-options).

-#### To upgrade using the Setup Wizard

-2. Execute **AzureConnectedMachineAgent.msi** to start the Setup Wizard.

-2. To upgrade the agent silently and create a setup log file in the `C:\Support\Logs` folder, run the following command.

- msiexec.exe /i AzureConnectedMachineAgent.msi /qn /l*v "C:\Support\Logs\Azcmagentupgradesetup.log"

-#### Upgrade Ubuntu

-#### Upgrade Red Hat/CentOS/Amazon Linux

-Actions of the [yum](https://access.redhat.com/articles/yum-cheat-sheet) command, such as installation and removal of packages, are logged in the `/var/log/yum.log` log file.

-#### Upgrade SUSE Linux Enterprise

-## About the Azcmagent tool

-The Azcmagent tool (Azcmagent.exe) is used to configure the Azure Connected Machine agent during installation, or modify the initial configuration of the agent after installation. Azcmagent.exe provides command-line parameters to customize the agent and view its status:

-* **connect** - To connect the machine to Azure Arc

-* **disconnect** - To disconnect the machine from Azure Arc

-* **show** - View agent status and its configuration properties (Resource Group name, Subscription ID, version, etc.), which can help when troubleshooting an issue with the agent. Include the `-j` parameter to output the results in JSON format.

-* **config** - View and change settings to enable features and control agent behavior

-* **logs** - Creates a .zip file in the current directory containing logs to assist you while troubleshooting.

-* **version** - Shows the Connected Machine agent version.

-* **-useStderr** - Directs error and verbose output to stderr. Include the `-json` parameter to output the results in JSON format.

-* **-h or --help** - Shows available command-line parameters

- For example, to see detailed help for the **Connect** parameter, type `azcmagent connect -h`.

-* **-v or --verbose** - Enable verbose logging

-You can perform a **Connect** and **Disconnect** manually while logged on interactively, or automate using the same service principal you used to onboard multiple agents or with a Microsoft identity platform [access token](../../active-directory/develop/access-tokens.md). If you did not use a service principal to register the machine with Azure Arc-enabled servers, see the following [article](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale) to create a service principal.

->[!NOTE]

->You must have *Administrator* permissions on Windows or *root* access permissions on Linux machines to run **azcmagent**.

-### Connect

-This parameter specifies a resource in Azure Resource Manager representing the machine is created in Azure. The resource is in the subscription and resource group specified, and data about the machine is stored in the Azure region specified by the `--location` setting. The default resource name is the hostname of the machine if not specified.

-A certificate corresponding to the system-assigned identity of the machine is then downloaded and stored locally. Once this step is completed, the Azure Connected Machine Metadata Service and guest configuration agent service begins synchronizing with Azure Arc-enabled servers.

-To connect using a service principal, run the following command:

-`azcmagent connect --service-principal-id <serviceprincipalAppID> --service-principal-secret <serviceprincipalPassword> --tenant-id <tenantID> --subscription-id <subscriptionID> --resource-group <ResourceGroupName> --location <resourceLocation>`

-To connect using an access token, run the following command:

-`azcmagent connect --access-token <> --subscription-id <subscriptionID> --resource-group <ResourceGroupName> --location <resourceLocation>`

-To connect with your elevated logged-on credentials (interactive), run the following command:

-`azcmagent connect --tenant-id <TenantID> --subscription-id <subscriptionID> --resource-group <ResourceGroupName> --location <resourceLocation>`

-### Disconnect

-This parameter specifies a resource in Azure Resource Manager representing the machine is deleted in Azure. It does not remove the agent from the machine, you uninstall the agent separately. After the machine is disconnected, if you want to re-register it with Azure Arc-enabled servers, use `azcmagent connect` so a new resource is created for it in Azure.

-> [!NOTE]

-> If you have deployed one or more of the Azure VM extensions to your Azure Arc-enabled server and you delete its registration in Azure, the extensions are still installed. It is important to understand that depending on the extension installed, it is actively performing its function. Machines that are intended to be retired or no longer managed by Azure Arc-enabled servers should first have the extensions removed before removing its registration from Azure.

-To disconnect using a service principal, run the following command:

-`azcmagent disconnect --service-principal-id <serviceprincipalAppID> --service-principal-secret <serviceprincipalPassword> --tenant-id <tenantID>`

-To disconnect using an access token, run the following command:

-`azcmagent disconnect --access-token <accessToken>`

-To disconnect with your elevated logged-on credentials (interactive), run the following command:

-`azcmagent disconnect`

-### Config

-This parameter allows you to view and configure settings that control agent behavior.

-To view a list of all the configuration properties and their values, run the following command:

-`azcmagent config list`

-To get the value for a particular configuration property, run the following command:

-`azcmagent config get <propertyName>`

-To change a configuration property, run the following command:

-`azcmagent config set <propertyName> <propertyValue>`

-To clear a configuration property's value, run the following command:

-`azcmagent config clear <propertyName>`

-## Remove the agent

-Perform one of the following methods to uninstall the Windows or Linux Connected Machine agent from the machine. Removing the agent does not unregister the machine with Azure Arc-enabled servers or remove the Azure VM extensions installed. For servers or machines you no longer want to manage with Azure Arc-enabled servers, it is necessary to follow these steps to successfully stop managing it:

-1. Remove VM extensions installed from the [Azure portal](manage-vm-extensions-portal.md#remove-extensions), using the [Azure CLI](manage-vm-extensions-cli.md#remove-extensions), or using [Azure PowerShell](manage-vm-extensions-powershell.md#remove-extensions) that you don't want to remain on the machine.

-1. Unregister the machine by running `azcmagent disconnect` to delete the Azure Arc-enabled servers resource in Azure. If that fails, you can delete the resource manually in Azure. Otherwise, if the resource was deleted in Azure, you'll need to run `azcmagent disconnect --force-local-only` on the server to remove the local configuration.

-### Windows agent

-### Linux agent

-> To uninstall the agent, you must have *root* access permissions or with an account that has elevated rights using Sudo.

-## Unregister machine

-If you are planning to stop managing the machine with supporting services in Azure, perform the following steps to unregister the machine with Azure Arc-enabled servers. You can perform these steps either before or after you have removed the Connected Machine agent from the machine.

-1. Open Azure Arc-enabled servers by going to the [Azure portal](https://aka.ms/hybridmachineportal).

-2. Select the machine in the list, select the ellipsis (**...**), and then select **Delete**.

-> Azure Arc-enabled servers does not support using proxy servers that require authentication, TLS (HTTPS) connections, or a [Log Analytics gateway](../../azure-monitor/agents/gateway.md) as a proxy for the Connected Machine agent.

-### Universal proxy configuration

-Universal proxy configuration is available starting with version 1.13 of the Azure Connected Machine agent and is the preferred way of configuring proxy server settings.

-Microsoft recommends using the agent configuration property instead of the system environment variable.

-On Linux, the Azure Connected Machine agent first checks the `proxy.url` agent configuration property (starting with agent version 1.13), and then the `HTTPS_PROXY` environment variable set for the himds, GC_Ext, and GCArcService daemons. There is an included script that will configure systemd's default proxy settings for the Azure Connected Machine agent and all other services on the machine to use a specified proxy server.

-### Migrating from environment variables to universal proxy configuration

-If you are already using environment variables to configure the proxy server for the Azure Connected Machine agent and want to migrate to the universal proxy configuration based on local agent settings, follow these steps:

-* When you have finished testing, see [Remove Azure Arc-enabled servers agent](manage-agent.md#remove-the-agent).

-## Step 2: Review access rights

-List role assignments for the Azure Arc-enabled servers resource, using [Azure PowerShell](../../role-based-access-control/role-assignments-list-powershell.md#list-role-assignments-for-a-resource) and with other PowerShell code, you can export the results to CSV or another format.

-If you're using a managed identity for an application or process running on an Azure Arc-enabled server, you need to make sure the Azure VM has a managed identity assigned. To view the role assignment for a managed identity, you can use the Azure PowerShell `Get-AzADServicePrincipal` cmdlet. For more information, see [List role assignments for a managed identity](../../role-based-access-control/role-assignments-list-powershell.md#list-role-assignments-for-a-managed-identity).

-## Step 3: Disconnect from Azure Arc and uninstall agent

-Delete the resource ID of the Azure Arc-enabled server in Azure using one of the following methods:

- * Running `azcmagent disconnect` command on the machine or server.

- * From the selected registered Azure Arc-enabled server in the Azure portal by selecting **Delete** from the top bar.

- * Using the [Azure CLI](../../azure-resource-manager/management/delete-resource-group.md?tabs=azure-cli#delete-resource) or [Azure PowerShell](../../azure-resource-manager/management/delete-resource-group.md?tabs=azure-powershell#delete-resource). For the`ResourceType` parameter use `Microsoft.HybridCompute/machines`.

-Then, remove the Azure Arc-enabled servers Windows or Linux agent following the [Remove agent](manage-agent.md#remove-the-agent) steps.

-| AZCM0067 | The agent is already connected to Azure | Follow the steps in [disconnect the agent](manage-agent.md#unregister-machine) first, then try again. |

-<a name="footnote1"></a>¹If this GPO is enabled and applies to machines with the Connected Machine agent, it deletes the user profile associated with the built-in account specified for the *himds* service. As a result, it also deletes the authentication certificate used to communicate with the service that is cached in the local certificate store for 30 days. Before the 30-day limit, an attempt is made to renew the certificate. To resolve this issue, follow the steps to [unregister the machine](manage-agent.md#unregister-machine) and then re-register it with the service running `azcmagent connect`.

-Function apps in the same region can be assigned to the same Consumption plan. There's no downside or impact to having multiple apps running in the same Consumption plan. Assigning multiple apps to the same Consumption plan has no impact on resilience, scalability, or reliability of each app.

-> When using the [Consumption plan](./functions-scale.md), we recommend you always put each app in its own plan, since apps are scaled independently anyway.

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) y that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) y that represents the feature as a point. Can be used to position the label of the feature.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-|`obstructionArea` | [Polygon](/rest/api/maps/wfs/get-feature#featuregeojson)| false | A simplified geometry (when the line geometry is complicated) of the feature that is to be avoided during routing. Requires `isObstruction` set to true.|

-|`anchorPoint` | [Point](/rest/api/maps/wfs/get-feature#featuregeojson) | false | [GeoJSON Point geometry](/rest/api/maps/wfs/get-feature#featuregeojson) that represents the feature as a point. Can be used to position the label of the feature.|

-You can use the [Web Feature Service (WFS) API](/rest/api/maps/v2/wfs) to query datasets. WFS follows the [Open Geospatial Consortium API Features](http://docs.opengeospatial.org/DRAFTS/17-069r1.html). You can use the WFS API to query features within the dataset itself. For example, you can use WFS to find all mid-size meeting rooms of a specific facility and floor level.

-* WFS API (Web Feature service). You can use the [WFS API](/rest/api/maps/v2/wfs) to query datasets. WFS follows the [Open Geospatial Consortium API Features](http://docs.opengeospatial.org/DRAFTS/17-069r1.html). The WFS API is helpful for querying features within a dataset. For example, you can use WFS to find all mid-size meeting rooms of a specific facility and floor level.

-See [WFS](/rest/api/maps/wfs) for information on the Creator Web Feature Service REST API.

-The following tables show gap analyses for the log types that are currently collected by each agent. This will be updated as support for AMA grows towards parity with the Log Analytics agent. For a general comparison of Azure Monitor agents, see [Overview of Azure Monitor agents](../agents/azure-monitor-agent-overview.md).

-| **DNS logs** | No | Yes |

-## How to use Application Insights

-There are several ways to get started with Application Insights. Begin with whatever works best for you, and you can add others later.

-### Prerequisites

-### Get started

-To use Application Insights at run time, you can instrument your web app on the server. This approach is ideal for apps that are already deployed, because it avoids any updates to the app code.

-See the following articles for details and instructions:

-You can also add Application Insights to your app code at development time. This approach lets you customize and add to telemetry collection.

-See the following articles for details and instructions:

-For all supported languages, platforms, and frameworks, see [Supported languages](./platforms.md).

-### Monitor

-After you set up Application Insights, monitor your app.

-### Detect and diagnose

-When you receive an alert or discover a problem:

-### Measure, learn, and build

-## Next steps

-Alternatively, you can subscribe to this page as a RSS feed by adding https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/ip-addresses.md.atom to your favorite RSS/ATOM reader to get notified of the latest changes.

-20.40.124.240/28

-20.40.125.80/28

-191.233.26.128/28

-191.233.26.64/28

-20.40.129.112/28

-20.40.129.128/28

-20.40.129.144/28

-20.40.129.48/28

-20.40.129.64/28

-20.40.129.80/28

-52.229.216.64/28

-52.229.216.80/28

-52.158.28.80/28

-52.158.28.96/28

-52.158.28.112/28

-52.140.232.176/28

-52.140.232.192/28

-51.144.56.112/28

-51.144.56.128/28

-51.144.56.144/28

-51.144.56.160/28

-51.144.56.176/28

-51.105.9.144/28

-51.105.9.160/28

-20.40.104.112/28

-20.40.104.128/28

-20.40.104.144/28

-52.139.250.112/28

-52.139.250.128/28

-52.139.250.144/28

-40.91.82.64/28

-40.91.82.80/28

-40.91.82.96/28

-40.91.82.112/28

-40.91.82.128/28

-13.86.97.240/28

-13.86.98.48/28

-13.86.98.0/28

-13.86.98.16/28

-13.86.98.64/28

-23.100.224.32/28

-23.100.224.48/28

-23.100.224.64/28

-23.100.224.80/28

-23.100.224.96/28

-23.100.224.112/28

-23.100.225.0/28

-20.45.5.176/28

-20.45.5.192/28

-20.45.5.208/28

-20.45.5.224/28

-20.45.5.240/28

-20.42.35.64/28

-20.42.35.80/28

-20.42.35.96/28

-20.42.35.112/28

-20.42.35.128/28

-| `\Processor(_Total)\% Processor Time` | default metrics | Difference in [system wide CPU load tick counters](https://oshi.github.io/oshi/apidocs/oshi/hardware/CentralProcessor.html#getProcessorCpuLoadTicks())(Only User and System) divided by the number of [logical processors count](https://oshi.github.io/oshi/apidocs/oshi/hardware/CentralProcessor.html#getLogicalProcessors()) in a given interval of time | no |

-The IPs used by Application Insights Snapshot Debugger are included in the Azure Monitor service tag. For more information, see [Service Tags documentation](../../virtual-network/service-tags-overview.md).

-The Activity log is a [platform log](./platform-logs-overview.md) in Azure that provides insight into subscription-level events. Activity log includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity sign in the Azure portal or retrieve entries with PowerShell and CLI. This article provides details on viewing the Activity log and sending it to different destinations.

-* [Create diagnostic setting to send Activity logs to other destinations](./diagnostic-settings.md)

-The **\_BilledSize** column specifies the size in bytes of data that will be billed to your Azure account if **\_IsBillable** is true.

-# Log Analytics workspace data export in Azure Monitor (preview)

-In all pricing tiers, an event's data size is calculated from a string representation of the properties that are stored in Log Analytics for this event, regardless of whether the data is sent from an agent or added during the ingestion process. This includes any [custom fields](custom-fields.md) that are added as data is collected and then stored in Log Analytics. Several properties common to all data types, including some [Log Analytics Standard Properties](./log-standard-columns.md), are excluded in the calculation of the event size. This includes `_ResourceId`, `_SubscriptionId`, `_ItemId`, `_IsBillable`, `_BilledSize` and `Type`. All other properties stored in Log Analytics are included in the calculation of the event size. Some data types are free from data ingestion charges altogether, for example the [AzureActivity](/azure/azure-monitor/reference/tables/azureactivity), [Heartbeat](/azure/azure-monitor/reference/tables/heartbeat), [Usage](/azure/azure-monitor/reference/tables/usage) and [Operation](/azure/azure-monitor/reference/tables/operation) types. Some solutions have more solution-specific policies about free data ingestion, for instance [Azure Migrate](https://azure.microsoft.com/pricing/details/azure-migrate/) makes dependency visualization data free for the first 180-days of a Server Assessment. To determine whether an event was excluded from billing for data ingestion, you can use the [_IsBillable](log-standard-columns.md#_isbillable) property as shown [below]Fdata-volume-for-specific-events). Usage is reported in GB (10^9 bytes).

-```kuso

-> | vaults / accessPolicies | No |

- :::image type="content" alt-text="Shared private endpoint overview." source="media\howto-shared-private-endpoints\shared-private-endpoint-overview.png" :::

-## Shared Private Link Resources Management APIs

-Private endpoints of secured resources that are created through Azure SignalR Service APIs are referred to as *shared private link resources*. This is because you're "sharing" access to a resource, such as an Azure Function, that has been integrated with the [Azure Private Link service](https://azure.microsoft.com/services/private-link/). These private endpoints are created inside Azure SignalR Service execution environment and are not directly visible to you.

-At this moment, you can use Management REST API to create or delete *shared private link resources*. In the remainder of this article, we will use [Azure CLI](/cli/azure/) to demonstrate the REST API calls.

-The rest of the examples show how the _contoso-signalr_ service can be configured so that its upstream calls to function go through a private endpoint rather than public network.

-If you are using the CLI, you can poll for the status by manually querying the `Azure-AsyncOperationHeader` value,

-```donetcli

-### Step 2a: Approve the private endpoint connection for the function

-> [!NOTE]

-> In this section, you use the Azure portal to walk through the approval flow for a private endpoint to Azure Function. Alternately, you could use the [REST API](/rest/api/appservice/web-apps/approve-or-reject-private-endpoint-connection) that's available via the App Service provider.

-It takes minutes for the approval to be propagated to Azure SignalR Service. To confirm that the shared private link resource has been updated after approval, you can also obtain the "Connection state" by using the GET API.

-+ [What are private endpoints?](../private-link/private-endpoint-overview.md)

-ADR is currently available for Azure SQL Database, Azure SQL Managed Instance, databases in Azure Synapse Analytics, and SQL Server on Azure VMs starting with SQL Server 2019.

-> ADR is enabled by default in Azure SQL Database and Azure SQL Managed Instance and disabling ADR for either product is not supported.

- The process remains the same as before with the addition of reconstructing sLog and copying log records for non-versioned operations.

- Redo from sLog (oldest uncommitted transaction up to last checkpoint). Redo is a fast operation as it only needs to process a few records from the sLog.

- The Undo phase with ADR completes almost instantaneously by using sLog to undo non-versioned operations and Persisted Version Store (PVS) with Logical Revert to perform row level version-based Undo.

- sLog is a secondary in-memory log stream that stores log records for non-versioned operations (such as metadata cache invalidation, lock acquisitions, and so on). The sLog is:

-## Accelerated Database Recovery Patterns

-description: Manage and scale multiple databases in Azure SQL Database - hundreds and thousands - using elastic pools. One price for resources you can distribute where needed.

-Azure SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases that have varying and unpredictable usage demands. The databases in an elastic pool are on a single server and share a set number of resources at a set price. Elastic pools in Azure SQL Database enable SaaS developers to optimize the price performance for a group of databases within a prescribed budget while delivering performance elasticity for each database.

-## What are SQL elastic pools

-SaaS developers build applications on top of large scale data-tiers consisting of multiple databases. A common application pattern is to provision a single database for each customer. But different customers often have varying and unpredictable usage patterns, and it's difficult to predict the resource requirements of each individual database user. Traditionally, you had two options:

-Elastic pools solve this problem by ensuring that databases get the performance resources they need when they need it. They provide a simple resource allocation mechanism within a predictable budget. To learn more about design patterns for SaaS applications using elastic pools, see [Design Patterns for Multi-tenant SaaS Applications with Azure SQL Database](saas-tenancy-app-design-patterns.md).

-> There is no per-database charge for elastic pools. You are billed for each hour a pool exists at the highest eDTU or vCores, regardless of usage or whether the pool was active for less than an hour.

-Elastic pools enable the developer to purchase resources for a pool shared by multiple databases to accommodate unpredictable periods of usage by individual databases. You can configure resources for the pool based either on the [DTU-based purchasing model](service-tiers-dtu.md) or the [vCore-based purchasing model](service-tiers-vcore.md). The resource requirement for a pool is determined by the aggregate utilization of its databases. The amount of resources available to the pool is controlled by the developer budget. The developer simply adds databases to the pool, optionally sets the minimum and maximum resources for the databases (either minimum and maximum DTUs or minimum or maximum vCores depending on your choice of resourcing model), and then sets the resources of the pool based on their budget. A developer can use pools to seamlessly grow their service from a lean startup to a mature business at ever-increasing scale.

-Within the pool, individual databases are given the flexibility to auto-scale within set parameters. Under heavy load, a database can consume more resources to meet demand. Databases under light loads consume less, and databases under no load consume no resources. Provisioning resources for the entire pool rather than for single databases simplifies your management tasks. Plus, you have a predictable budget for the pool. Additional resources can be added to an existing pool with minimum downtime. Similarly, if extra resources are no longer needed they can be removed from an existing pool at any point in time. And you can add or remove databases from the pool. If a database is predictably under-utilizing resources, move it out.

-> When moving databases into or out of an elastic pool, there is no downtime except for a brief period of time (on the order of seconds) at the end of the operation when database connections are dropped.

-## When should you consider a SQL Database elastic pool

-Pools are well suited for a large number of databases with specific utilization patterns. For a given database, this pattern is characterized by low average utilization with relatively infrequent utilization spikes. Conversely, multiple databases with persistent medium-high utilization should not be placed in the same elastic pool.

-The more databases you can add to a pool the greater your savings become. Depending on your application utilization pattern, it's possible to see savings with as few as two S3 databases.

-The following sections help you understand how to assess if your specific collection of databases can benefit from being in a pool. The examples use Standard pools but the same principles also apply to Basic and Premium pools.

-### Assessing database utilization patterns

-The following figure shows an example of a database that spends much time idle, but also periodically spikes with activity. This is a utilization pattern that is suited for a pool:

- 

-The chart illustrates DTU usage over a 1 hour time period from 12:00 to 1:00 where each data point has 1 minute granularity. At 12:10 DB1 peaks up to 90 DTUs, but its overall average usage is less than five DTUs. An S3 compute size is required to run this workload in a single database, but this leaves most of the resources unused during periods of low activity.

-A pool allows these unused DTUs to be shared across multiple databases, and so reduces the DTUs needed and overall cost.

-Building on the previous example, suppose there are additional databases with similar utilization patterns as DB1. In the next two figures below, the utilization of four databases and 20 databases are layered onto the same graph to illustrate the non-overlapping nature of their utilization over time using the DTU-based purchasing model:

- 

- 

-The aggregate DTU utilization across all 20 databases is illustrated by the black line in the preceding figure. This shows that the aggregate DTU utilization never exceeds 100 DTUs, and indicates that the 20 databases can share 100 eDTUs over this time period. This results in a 20x reduction in DTUs and a 13x price reduction compared to placing each of the databases in S3 compute sizes for single databases.

-This example is ideal for the following reasons:

-In the DTU purchasing model, the price of a pool is a function of the pool eDTUs. While the eDTU unit price for a pool is 1.5x greater than the DTU unit price for a single database, **pool eDTUs can be shared by many databases and fewer total eDTUs are needed**. These distinctions in pricing and eDTU sharing are the basis of the price savings potential that pools can provide.

-## How do I choose the correct pool size

-The best size for a pool depends on the aggregate resources needed for all databases in the pool. This involves determining the following:

-1. Estimate the eDTUs or vCores needed for the pool as follows:

-2. Estimate the total storage space needed for the pool by adding the data size needed for all the databases in the pool. For the DTU purchasing model, then determine the eDTU pool size that provides this amount of storage.

-3. For the DTU-based purchasing model, take the larger of the eDTU estimates from Step 1 and Step 2. For the vCore-based purchasing model, take the vCore estimate from Step 1.

-4. See the [SQL Database pricing page](https://azure.microsoft.com/pricing/details/sql-database/) and find the smallest pool size that is greater than the estimate from Step 3.

-5. Compare the pool price from Step 4 to the price of using the appropriate compute sizes for single databases.

-> If the number of databases in a pool approaches the maximum supported, make sure to consider [Resource management in dense elastic pools](elastic-pool-resource-management.md).

-### Per database properties

-You can optionally set "per database" properties to modify resource consumption patterns in elastic pools. For more information, see resource limits documentation for [DTU](resource-limits-dtu-elastic-pools.md#database-properties-for-pooled-databases) and [vCore](resource-limits-vcore-elastic-pools.md#database-properties-for-pooled-databases) elastic pools.

-## Using other SQL Database features with elastic pools

-With a pool, management tasks are simplified by running scripts in **[elastic jobs](elastic-jobs-overview.md)**. An elastic job eliminates most of tedium associated with large numbers of databases.

-For more information about other database tools for working with multiple databases, see [Scaling out with Azure SQL Database](elastic-scale-introduction.md).

-Pooled databases generally support the same [business continuity features](business-continuity-high-availability-disaster-recover-hadr-overview.md) that are available to single databases.

- Point-in-time restore uses automatic database backups to recover a database in a pool to a specific point in time. See [Point-In-Time Restore](recovery-using-backups.md#point-in-time-restore)

- Geo-restore provides the default recovery option when a database is unavailable because of an incident in the region where the database is hosted. See [Restore an Azure SQL Database or failover to a secondary](disaster-recovery-guidance.md)

- For applications that have more aggressive recovery requirements than geo-restore can offer, configure [Active geo-replication](active-geo-replication-overview.md) or an [auto-failover group](auto-failover-group-overview.md).

-## Creating a new SQL Database elastic pool using the Azure portal

-2. Select **Create** to open the **Select SQL deployment option** pane. To view more information about elastic pools, on the **Databases** tile, select **Show details**.

-3. On the **Databases** tile, in the **Resource type** dropdown, select **Elastic pool**, and then select **Create**.

- 

-The pool's service tier determines the features available to the elastics in the pool, and the maximum amount of resources available to each database. For details, see Resource limits for elastic pools in the [DTU model](resource-limits-dtu-elastic-pools.md#elastic-pool-storage-sizes-and-compute-sizes). For vCore-based resource limits for elastic pools, see [vCore-based resource limits - elastic pools](resource-limits-vcore-elastic-pools.md).

-To configure the resources and pricing of the pool, click **Configure pool**. Then select a service tier, add databases to the pool, and configure the resource limits for the pool and its databases.

-When you have completed configuring the pool, you can click 'Apply', name the pool, and click 'OK' to create the pool.

-You can use the built-in [performance monitoring](./performance-guidance.md) and [alerting tools](./alerts-insights-configure-portal.md), combined with performance ratings. Additionally, SQL Database can [emit metrics and resource logs](./metrics-diagnostic-telemetry-logging-streaming-export-configure.md?tabs=azure-portal) for easier monitoring.

- SnelStart used elastic pools with Azure SQL Database to rapidly expand its business services at a rate of 1,000 new Azure SQL databases per month.

- Umbraco uses elastic pools with Azure SQL Database to quickly provision and scale services for thousands of tenants in the cloud.

- Daxko/CSI uses elastic pools with Azure SQL Database to accelerate its development cycle and to enhance its customer services and performance.

-## Gateway maintenance for Azure SQL Database

-The Business Critical service tier model is based on a cluster of database engine processes. This architectural model relies on a fact that there is always a quorum of available database engine nodes and has minimal performance impact on your workload even during maintenance activities.

-Premium availability is enabled in the Business Critical service tier and is designed for intensive workloads that cannot tolerate reduced availability due to the ongoing maintenance operations.

-In addition, the Business Critical cluster has built-in [Read Scale-Out](read-scale-out.md) capability that provides free-of charge built-in read-only replica that can be used to run read-only queries (for example reports) that should not affect performance of your primary workload.

-| **Read-only replicas** |1 built-in, included in price <br> 0 - 4 using [geo-replication](active-geo-replication-overview.md) |1 built-in, included in price <br> 0 - 1 using [auto-failover groups](auto-failover-group-overview.md#best-practices-for-sql-managed-instance) |

-| **Pricing/Billing** |[vCore, reserved storage, and backup storage](https://azure.microsoft.com/pricing/details/sql-database/single/) are charged. <br/>IOPS is not charged. |[vCore, reserved storage, and backup storage](https://azure.microsoft.com/pricing/details/sql-database/managed/) is charged. <br/>IOPS is not charged. |

-| **Read-only replicas** | 0 built-in </br> 0 - 4 using [geo-replication](active-geo-replication-overview.md) | 0 built-in </br> 0 - 1 using [auto-failover groups](auto-failover-group-overview.md#best-practices-for-sql-managed-instance) |

-| **Pricing/Billing** | [vCore, reserved storage, and backup storage](https://azure.microsoft.com/pricing/details/sql-database/single/) are charged. <br/>IOPS is not charged.| [vCore, reserved storage, and backup storage](https://azure.microsoft.com/pricing/details/sql-database/managed/) is charged. <br/>IOPS is not charged. |

-| UK South | Yes | |

-Follow the instructions in the [Create your first Windows VM in the Azure portal](../virtual-machines/windows/quick-create-portal.md) tutorial. You'll create the VM in the virtual network, which you created in the previous step. Start with a gallery image of Windows Server 2019 Datacenter to run the Azure Backup Server.

-The table summarizes the maximum number of protected workloads for each Azure Backup Server VM size. The information is based on internal performance and scale tests with canonical values for the workload size and churn. The actual workload size can be larger but should be accommodated by the disks attached to the Azure Backup Server VM.

-| Maximum protected workloads | Average workload size | Average workload churn (daily) | Minimum storage IOPS | Recommended disk type/size | Recommended VM size |

-|-|--|--||--||

-| 20 | 100 GB | Net 5% churn | 2,000 | Standard HDD (8 TB or above size per disk) | A4V2 |

-| 40 | 150 GB | Net 10% churn | 4,500 | Premium SSD* (1 TB or above size per disk) | DS3_V2 |

-| 60 | 200 GB | Net 10% churn | 10,500 | Premium SSD* (8 TB or above size per disk) | DS3_V2 |

-*To get the required IOPs, use minimum recommended- or higher-size disks. Smaller-size disks offer lower IOPs.

- When you use your own SQL Server instance, make sure you add builtin\Administrators to the sysadmin role to the master database's sysadmin role.

-Now that you've covered how to set up Azure Backup Server for Azure VMware Solution, you may want to learn about:

- :::image type="content" alt-text="Shared private endpoint overview." source="media\howto-secure-shared-private-endpoints\shared-private-endpoint-overview.png" border="false" :::

-## Shared Private Link Resources Management APIs

-Private endpoints of secured resources that are created through Azure Web PubSub Service APIs are referred to as *shared private link resources*. This is because you're "sharing" access to a resource, such as an Azure Function, that has been integrated with the [Azure Private Link service](https://azure.microsoft.com/services/private-link/). These private endpoints are created inside Azure Web PubSub Service execution environment and are not directly visible to you.

-At this moment, you can use Management REST API to create or delete *shared private link resources*. In the remainder of this article, we will use [Azure CLI](/cli/azure/) to demonstrate the REST API calls.

-If you are using the CLI, you can poll for the status by manually querying the `Azure-AsyncOperationHeader` value,

-```donetcli

-### Step 2a: Approve the private endpoint connection for the function

-> [!NOTE]

-> In this section, you use the Azure portal to walk through the approval flow for a private endpoint to Azure Function. Alternately, you could use the [REST API](/rest/api/appservice/web-apps/approve-or-reject-private-endpoint-connection) that's available via the App Service provider.

-It takes minutes for the approval to be propagated to Azure Web PubSub Service. To confirm that the shared private link resource has been updated after approval, you can also obtain the "Connection state" by using the GET API.

-+ [What are private endpoints?](../private-link/private-endpoint-overview.md)

-| userChainIdentifier | Address of the user that was created on the blockchain network. In Ethereum, this address is the userΓÇÖs **on chain** address. |

-| userChainIdentifier | Address of the user that was created on the blockchain network. In Ethereum, this address is the userΓÇÖs **on chain** address. |

-5. Select the Event Grid from Blockchain WorkbenchΓÇÖs resource group.

-1. Browse to the Service Bus within the WorkbenchΓÇÖs resource group.

-* The geo-filtering feature uses country/region codes to define the countries/regions from which a request is allowed or blocked for a secured directory. **Azure CDN from Verizon** and **Azure CDN from Akamai** profiles use ISO 3166-1 alpha-2 country codes to define the countries from which a request will be allowed or blocked for a secured directory.

- * Install and configure [Azure Powershell](/powershell/azure/), and then use the following command:

- * Install and configure [Azure Powershell](/powershell/azure/), and then use the following command:

-1. After the deployment step, add an **Azure Powershell** step, set its **Display name** property to "Azure Deployment: Enable RDP Extension" (or another suitable name), and select your appropriate Azure subscription.

-While subentities can have many phrase lists as features that help detect the entity, each subentity has only one model as a feature. In this [pizza app](/Azure/pizza_luis_bot/blob/master/CognitiveModels/MicrosoftPizza.json), those models are primarily lists.

-

-[Learn more about example utterances](/how-to/entities.md)

-zone_pivot_groups: keyword-quickstart

-zone_pivot_groups: programming-languages-set-twenty-five

-description: Learn how to use the Speech SDK to convert speech to text, including object construction, supported audio input formats, and configuration options for speech recognition.

-> [See the quickstart samples on GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/quickstart)

-* The Azure region the endpoint is associated with.

-Version 1.3.0 of the Speech SDK introduces an API to select the audio input. This article describes how to obtain the IDs of the audio devices connected to a system. These IDs can then be used in the Speech SDK. You configure the audio device through the `AudioConfig` object:

-> Logging is available since Speech SDK version 1.4.0 in all supported Speech SDK programming languages, with the exception of JavaScript.

-> [!IMPORTANT]

-> The Speech service has replaced the Bing Speech API and Translator Speech. For migration instructions, see the _Migration_ section.

-After you have a Microsoft account, go to the [Azure sign-up page](https://azure.microsoft.com/free/ai/) and select **Start free**. Create a new Azure account by using a Microsoft account. Here's a video of [how to sign up for an Azure free account](https://www.youtube.com/watch?v=GWT2R1C_uUU).

-> [!NOTE]

-> When you sign up for a free Azure account, it comes with $200 in service credit that you can apply toward a paid Speech service subscription, valid for up to 30 days. Your Azure services are disabled when your credit runs out or expires at the end of the 30 days. To continue using Azure services, you must upgrade your account. For more information, see [Upgrade your Azure free account](../../cost-management-billing/manage/upgrade-azure-subscription.md).

->

-> The Speech service has two service tiers, free (f0) and subscription (s0), which have different limitations and benefits. If you use the free, low-volume Speech service tier, you can keep this free subscription even after your free trial or service credit expires. For more information, see [Cognitive Services pricing - Speech service](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/).

-> [!div class="nextstepaction"]

-> * [Get started with speech-to-text](./get-started-speech-to-text.md)

-> * [Get started with text-to-speech](get-started-text-to-speech.md)

-> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure Active Directory tenant are currently only supported through Powershell, CLI and REST APIs. Such rules cannot be configured through the Azure portal, though they may be viewed in the portal.

- > Presently, only virtual networks belonging to the same Azure Active Directory tenant are shown for selection during rule creation. To grant access to a subnet in a virtual network belonging to another tenant, please use Powershell, CLI or REST APIs.

-When a BYOI user joins a Teams meeting, they're treated as an anonymous external user, similar to users that join a Teams meeting anonymously using the Teams web application. The ability for BYOI users to join Teams meetings as anonymous users is controlled by the existing "allow anonymous meeting join" configuration. This same configuration also controls the existing Teams anonymous meeting join. This setting can be updated in the [Teams admin center](https://admin.teams.microsoft.com/meetings/settings) or with the Teams PowerShell cmdlet [Set-CsTeamsMeetingConfiguration](/powershell/module/skype/set-csteamsmeetingconfiguration).

-## Azure Pipelines

-Azure Pipelines scaling allows your container app to scale in or out depending on the number of jobs in the Azure DevOps agent pool. With Azure Pipelines, your app can scale to zero, but you need [at least one agent registered in the pool schedule additional agents](https://keda.sh/blog/2021-05-27-azure-pipelines-scaler/). For more information regarding this scaler, see [KEDA Azure Pipelines scaler](https://keda.sh/docs/2.4/scalers/azure-pipelines/).

-The following example shows how to create a memory scaling rule.

-```json

-{

- ...

- "resources": {

- ...

- "properties": {

- ...

- "template": {

- ...

- "scale": {

- "minReplicas": "0",

- "maxReplicas": "10",

- "rules": [{

- "name": "azdo-agent-scaler",

- "custom": {

- "type": "azure-pipelines",

- "metadata": {

- "poolID": "<pool id>",

- "targetPipelinesQueueLength": "1"

- },

- "auth": [

- {

- "secretRef": "<secret reference pat>",

- "triggerParameter": "personalAccessToken"

- },

- {

- "secretRef": "<secret reference Azure DevOps url>",

- "triggerParameter": "organizationURL"

- }

- ]

- }

- }]

- }

- }

- }

- }

-}

-```

-In this example, the container app scales when at least one job is waiting in the pool queue.

-* [Demo](https://resources.linkurio.us/demo)

-* [Cosmos DB - Gremlin API Pricing](../how-pricing-works.md)

-

-

-

-1. Search for **Azure Cosmos DB** principal and select it (to make it easier to find, you can also search by principal ID: `a232010e-820c-4083-83bb-3ace5fc29d0b` for any Azure region except Azure Government regions where the principal ID is `57506a73-e302-42a9-b869-6f12d9ec29e9`). If the **Azure Cosmos DB** principal isn't in the list, you might need to re-register the **Microsoft.DocumentDB** resource provider as described in the [Register the resource provider](#register-resource-provider) section of this article.

-#Sign into Azure Powershell with your account

-Azure Government billing billing owners can opt in to receive invoices by email. However, they can't allow others to get invoices by email.

-Azure Government billing billing owners can opt in to receive invoices by email. However, they can't allow others to get invoices by email.

-Each of these perspectives is valuable, and Data Catalog uses a crowdsourcing approach to metadata that allows each one to be captured and used to provide a complete picture of registered data sources. Using the Data Catalog portal, each user can add and edit their own annotations, while being able to view annotations provided by other users.

-| Tags (glossary tags) |Tags can be supplied at the data asset and attribute / column levels. Glossary tags are centrally-defined glossary terms that can be used to categorize data assets or attributes using a common business taxonomy. For more information see [How to set up the Business Glossary for Governed Tagging](data-catalog-how-to-business-glossary.md) |

-| Experts |Experts can be supplied at the data asset level. Experts identify users or groups with expert perspectives on the data and can serve as points of contact for users who discover the registered data sources and have questions that are not answered by the existing annotations. |

-| Request access |Request access information can be supplied at the data asset level. This information is for users who discover a data source that they do not yet have permissions to access. Users can enter the email address of the user or group who grants access, the URL of the process or tool that users need to gain access, or can enter the process itself as text. |

-When selecting multiple data assets in the Data Catalog portal, users can annotate all selected assets in a single operation. Annotations will apply to all selected assets, making it easy to select and provide a consistent description and sets of tags and experts for related data assets.

->

->

-When selecting multiple tables and views, only columns that all selected data assets have in common will be displayed in the Data Catalog portal. This allows users to provide tags and descriptions for all columns with the same name for all selected assets.

-<!-- In [How to discover data sources](data-catalog-how-to-discover.md), you learn about **Azure Data Catalog's** extensive search capabilities including searching for data assets that have a profile. See [How to include a data profile when registering a data source](#howto). -->

->

-<a name="howto"></a>

-

->

-

-> [!NOTE]

-> For Azure-SSIS IR in Azure Synapse, user-assigned managed identity is not supported.

-To encrypt the sensitive data from the JSON payload on an on-premises self-hosted integration runtime, run **New-AzDataFactoryV2LinkedServiceEncryptedCredential**, and pass on the JSON payload. This cmdlet ensures the credentials are encrypted using DPAPI and stored on the self-hosted integration runtime node locally. It can be run from any machine provided the **Remote access** option is enabled on the targeted self-hosted integration runtime, and Powershell 7.0 or higher is used to execute it. The output payload containing the encrypted reference to the credential can be redirected to another JSON file (in this case 'encryptedLinkedService.json').

-This article describes how to reconfigure an existing Azure-SSIS integration runtime. To create an Azure-SSIS integration runtime (IR) in Azure Data Factory, see [Create an Azure-SSIS integration runtime](create-azure-ssis-integration-runtime.md).

-## Data Factory UI

-On the **Connections** pane of **Manage** hub, switch to the **Integration runtimes** page and select **Refresh**.

-> You can use Powershell to easily get the endpoint Urls for various clouds by executing ΓÇ£Get-AzEnvironment | Format-ListΓÇ¥, which will return a list of endpoints for each cloud environment.

-> You can use Powershell to easily get the endpoint Urls for various clouds by executing ΓÇ£Get-AzEnvironment | Format-ListΓÇ¥, which will return a list of endpoints for each cloud environment.

-> The JSON editor in Azure Portal for authoring & deploying ADF v1 pipelines will be turned OFF on 31st July 2019. After 31st July 2019, you can continue to use [ADF v1 Powershell cmdlets](/powershell/module/az.datafactory/), [ADF v1 .Net SDK](/dotnet/api/microsoft.azure.management.datafactories.models), [ADF v1 REST APIs](/rest/api/datafactory/) to author & deploy your ADF v1 pipelines.

- - Choose cables that are compatible with the [Mellanox MCX314A-BCCT](https://store.mellanox.com/products/mellanox-mcx314a-bcct-connectx-3-pro-en-network-interface-card-40-56gbe-dual-port-qsfp-pcie3-0-x8-8gt-s-rohs-r6.html) network interface.

-| Cables required | 4 grounded 120 V / 10 A power cords (NEMA 5-15) included <br> Device supports up to 240 V power and has C-13 power receptacles <br> Use network cables compatible with [Mellanox MCX314A-BCCT](https://store.mellanox.com/products/mellanox-mcx314a-bcct-connectx-3-pro-en-network-interface-card-40-56gbe-dual-port-qsfp-pcie3-0-x8-8gt-s-rohs-r6.html) |

-## Register the resource provider

-Register the Microsoft.DataMigration resource provider before you create your first instance of the Database Migration Service.

-1. In the Azure portal, search for and select **Subscriptions**.

- 

-2. Select the subscription in which you want to create the instance of Azure Database Migration Service, and then select **Resource providers**.

- 

-3. Search for migration, and then select **Register** for **Microsoft.DataMigration**.

- 

-## Create an instance of the service

-1. In the Azure portal menu or on the **Home** page, select **Create a resource**. Search for and select **Azure Database Migration Service**.

- 

-2. On the **Azure Database Migration Service** screen, select **Create**.

- 

-3. On the **Create Migration Service** basics screen:

- - Select the subscription.

- - Create a new resource group or choose an existing one.

- - Specify a name for the instance of the Azure Database Migration Service.

- - Select the location in which you want to create the instance of Azure Database Migration Service.

- - Choose **Azure** as the service mode.

- - Select a pricing tier. For more information on costs and pricing tiers, see the [pricing page](https://aka.ms/dms-pricing).

-

- 

- - Select Next: Networking.

-4. On the **Create Migration Service** networking screen:

- - Select an existing virtual network or create a new one. The virtual network provides Azure Database Migration Service with access to the source database and target environment. For more information about how to create a virtual network in the Azure portal, see the article [Create a virtual network using the Azure portal](../virtual-network/quick-create-portal.md).

- 

- - Select **Review + Create** to create the service.

-

- - After a few moments, your instance of Azure Database Migration service is created and ready to use:

- 

-| **[RETN](https://retn.net/services/cloud-connect/)** | Equinix | Amsterdam |

-description: In this quickstart, you use Azure Blueprints to create, define, and deploy artifacts using the Azure CLI.

-# Quickstart: Define and Assign an Azure blueprint with Azure CLI

-Learning how to create and assign blueprints enables the definition of common patterns to develop

-reusable and rapidly deployable configurations based on Azure Resource Manager templates (ARM

-templates), policy, security, and more. In this tutorial, you learn to use Azure Blueprints to do

-some of the common tasks related to creating, publishing, and assigning a blueprint within your

-organization, such as:

-## Add the Blueprint extension

-To enable Azure CLI to manage blueprint definitions and assignments, the extension must be added.

-This extension works wherever Azure CLI can be used, including

-[bash on Windows 10](/windows/wsl/install-win10), [Cloud Shell](https://shell.azure.com) (both

-standalone and inside the portal), the [Azure CLI Docker

-image](https://hub.docker.com/_/microsoft-azure-cli), or locally installed.

-1. Check that the latest Azure CLI is installed (at least **2.0.76**). If it isn't yet installed,

- follow

- [these instructions](/cli/azure/install-azure-cli-windows).

-1. In your Azure CLI environment of choice, import it with the following command:

- # Check the extension list (note that you may have other extensions installed)

-available resources. We'll create a blueprint named 'MyBlueprint' to configure role and policy

-assignments for the subscription. Then we'll add a resource group, an ARM template, and a role

-> When using Azure CLI, the _blueprint_ object is created first. For each _artifact_ to be added

-> that has parameters, the parameters need to be defined in advance on the initial _blueprint_.

-1. Create the initial _blueprint_ object. The **parameters** parameter takes a JSON file that

- includes all of the blueprint level parameters. The parameters are set during assignment and used

- by the artifacts added in later steps.

- - JSON file - blueprintparms.json

- > Use the filename _blueprint.json_ when importing your blueprint definitions.

- > This file name is used when calling

- > [az blueprint import](/cli/azure/blueprint#az_blueprint_import).

- management group, use parameter **managementgroup**. To specify the subscription, use parameter

- **subscription**.

-1. Add role assignment at subscription. In the following example, the principal identities granted

- the specified role are configured to a parameter that is set during blueprint assignment. This

- example uses the _Contributor_ built-in role with a GUID of

- `b24988ac-6180-42a0-ab88-20f7382dd24c`.

-1. Add policy assignment at subscription. This example uses the _Apply tag and its default value to

- resource groups_ built-in policy with a GUID of `49c88fc8-6fd1-46fd-a676-f12d1d3a4c71`.

- - JSON file - artifacts\policyTags.json

- > When using `az blueprint` on a Mac, replace `\` with `/` for parameter values that include

- > the path. In this case, the value for **parameters** becomes `artifacts/policyTags.json`.

-1. Add another policy assignment for Storage tag (reusing _storageAccountType_ parameter) at

- subscription. This additional policy assignment artifact demonstrates that a parameter defined on

- the blueprint is usable by more than one artifact. In the example, the **storageAccountType** is

- used to set a tag on the resource group. This value provides information about the storage

- account that is created in the next step. This example uses the _Apply tag and its default value

- to resource groups_ built-in policy with a GUID of `49c88fc8-6fd1-46fd-a676-f12d1d3a4c71`.

- - JSON file - artifacts\policyStorageTags.json

- > When using `az blueprint` on a Mac, replace `\` with `/` for parameter values that include

- > the path. In this case, the value for **parameters** becomes `artifacts/policyStorageTags.json`.

-1. Add template under resource group. The **template** parameter for an ARM template includes the

- normal JSON components of the template. The template also reuses the **storageAccountType**,

- **tagName**, and **tagValue** blueprint parameters by passing each to the template. The blueprint

- parameters are available to the template by using parameter **parameters** and inside the

- template JSON that key-value pair is used to inject the value. The blueprint and template

- parameter names could be the same.

- - JSON ARM template file - artifacts\templateStorage.json

- - JSON ARM template parameter file - artifacts\templateStorageParams.json

- > When using `az blueprint` on a Mac, replace `\` with `/` for parameter values that include

- > the path. In this case, the value for **template** becomes `artifacts/templateStorage.json`

- > and **parameters** becomes `artifacts/templateStorageParams.json`.

-1. Add role assignment under resource group. Similar to the previous role assignment entry, the

- example below uses the definition identifier for the **Owner** role and provides it a different

- parameter from the blueprint. This example uses the _Owner_ built-in role with a GUID of

- `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`.

-Now that the artifacts have been added to the blueprint, it's time to publish it. Publishing makes

-it available to assign to a subscription.

-The value for `{BlueprintVersion}` is a string of letters, numbers, and hyphens (no spaces or other

-special characters) with a max length of 20 characters. Use something unique and informational such

-as **v20200605-135541**.

-Once a blueprint is published using the Azure CLI, it's assignable to a subscription. Assign the

-blueprint you created to one of the subscriptions under your management group hierarchy. If the

-blueprint is saved to a subscription, it can only be assigned to that subscription. The

-**blueprint-name** parameter specifies the blueprint to assign. To provide name, location, identity,

-lock, and blueprint parameters, use the matching Azure CLI parameters on the

-`az blueprint assignment create` command or provide them in the **parameters** JSON file.

-1. Run the blueprint deployment by assigning it to a subscription. As the **contributors** and

- **owners** parameters require an array of objectIds of the principals to be granted the role

- assignment, use

- [Azure Active Directory Graph API](/graph/migrate-azure-ad-graph-planning-checklist)

- for gathering the objectIds for use in the **parameters** for your own users, groups, or

- service principals.

- - JSON file - blueprintAssignment.json

- [user-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

- In this case, the **identity-type** parameter is set to _UserAssigned_ and the

- **user-assigned-identities** parameter specifies the identity. Replace `{userIdentity}` with

- The **user-assigned managed identity** can be in any subscription and resource group the user

- assigning the blueprint has permissions to.

- > Azure Blueprints doesn't manage the user-assigned managed identity. Users are responsible for

- > assigning sufficient roles and permissions or the blueprint assignment will fail.

-### Unassign a blueprint

-You can remove a blueprint from a subscription. Removal is often done when the artifact resources

-are no longer needed. When a blueprint is removed, the artifacts assigned as part of that blueprint

-are left behind. To remove a blueprint assignment, use the `az blueprint assignment delete`

-command:

-In this quickstart, you've created, assigned, and removed a blueprint with Azure CLI. To learn more

-about Azure Blueprints, continue to the blueprint lifecycle article.

-When you learn how to create and assign blueprints, you can define common patterns to develop

-reusable and rapidly deployable configurations based on Azure Resource Manager templates (ARM

-templates), policy, security, and more. In this tutorial, you learn to use Azure Blueprints to do

-some of the common tasks related to creating, publishing, and assigning a blueprint within your

-organization. These tasks include:

-available resources. In this example, create a new blueprint named **MyBlueprint** to configure role

-and policy assignments for the subscription. Then add a new resource group, and create a Resource

-Manager template and role assignment on the new resource group.

-1. Select **Blueprint definitions** from the page on the left and select the **+ Create blueprint**

- button at the top of the page.

- Or, select **Create** from the **Getting started** page to go straight to creating a blueprint.

- :::image type="content" source="./media/create-blueprint-portal/create-blueprint-button.png" alt-text="Screenshot of the 'Create blueprint' button on the Blueprint definitions page." border="false":::

-1. Provide a **Blueprint name** such as **MyBlueprint**. (Use up to 48 letters and numbers,

- but no spaces or special characters). Leave **Blueprint description** blank

-1. In the **Definition location** box, select the ellipsis on the right, select the

- [management group](../management-groups/overview.md) or subscription where you want to save the

- blueprint, and choose **Select**.

-1. Verify that the information is correct. The **Blueprint name** and **Definition location** fields

- can't be changed later. Then select **Next : Artifacts** at the bottom of the page or the

- **Artifacts** tab at the top of the page.

- 1. Select the **+ Add artifact** row under **Subscription**. The **Add artifact** window opens on

- 1. Select **Role assignment** for **Artifact type**.

- 1. Under **Role**, select **Contributor**. Leave the **Add user, app or group** box with the

- > creation is a _static parameter_. If the parameter is assigned during blueprint assignment,

- > it's a _dynamic parameter_. For more information, see

- > [Blueprint parameters](./concepts/parameters.md).

- 1. Select the **+ Add artifact** row under the role assignment artifact.

- 1. Select **Policy assignment** for **Artifact type**.

-1. The window to provide parameters to the artifact as part of the blueprint definition opens and

- allows setting the parameters for all assignments (static parameters) based on this blueprint

- instead of during assignment (dynamic parameters). This example uses dynamic parameters during

- blueprint assignment, so leave the defaults and select **Cancel**.

- 1. Select the **+ Add artifact** row under **Subscription**.

- 1. Select **Resource group** for **Artifact type**.

- 1. Leave the **Artifact display name**, **Resource Group Name**, and **Location** boxes blank,

- but make sure that the check box is checked for each parameter property to make them dynamic

- parameters.

- 1. Select the **+ Add artifact** row under the **ResourceGroup** entry.

- 1. Select **Azure Resource Manager template** for **Artifact type**, set **Artifact display

- 1. On the **Template** tab in the editor box, paste the following ARM template. After you paste

- the template, select the **Parameters** tab and note that the template parameters

- **storageAccountType** and **location** were detected. Each parameter was automatically

- detected and populated, but configured as a dynamic parameter.

- > HTML. When you're pointing to a URL on GitHub, ensure that you have selected **RAW** to get

- > the pure JSON file and not the one wrapped with HTML for display on GitHub. An error occurs

- > if the imported template is not purely JSON.

- 1. Clear the **storageAccountType** check box and note that the dropdown list contains only

- values included in the ARM template under **allowedValues**. Select the box to set it back to

- a dynamic parameter.

-1. Your completed blueprint should look similar to the following. Notice that each artifact has

- **_x_ out of _y_ parameters populated** in the **Parameters** column. The dynamic parameters are

- set during each assignment of the blueprint.

-1. Now that all planned artifacts have been added, select **Save Draft** at the bottom of the page.

-1. In the list of blueprints, select and hold (or right-click) the one that you previously created

- and select **Edit blueprint**.

-1. In **Blueprint description**, provide some information about the blueprint and the artifacts that

- compose it. In this case, enter something like: **This blueprint sets tag policy and role

- assignment on the subscription, creates a ResourceGroup, and deploys a resource template and role

- assignment to that ResourceGroup.**

-1. Select **Next : Artifacts** at the bottom of the page or the **Artifacts** tab at the top of the

- page.

- 1. Select the **+ Add artifact** row directly under the **ResourceGroup** entry.

- 1. Select **Role assignment** for **Artifact type**.

- 1. Under **Role**, select **Owner**, and clear the check box under the **Add user, app or group**

- box.

- 1. Search for and select a user, app, or group to add. This artifact uses a static parameter set

- the same in every assignment of this blueprint.

-1. Your completed blueprint should look similar to the following. Notice that the newly added role

- assignment shows **1 out of 1 parameters populated**. That means it's a static parameter.

-Now that all the planned artifacts have been added to the blueprint, it's time to publish it.

-Publishing makes the blueprint available to be assigned to a subscription.

-1. In the list of blueprints, select and hold (or right-click) the one you previously created and

- select **Publish blueprint**.

- length of 20 characters), such as **v1**. Optionally, enter text in **Change notes**, such as

- **First publish**.

-After a blueprint has been published, it can be assigned to a subscription. Assign the blueprint

-that you created to one of the subscriptions under your management group hierarchy. If the blueprint

-is saved to a subscription, it can only be assigned to that subscription.

-1. In the list of blueprints, select and hold (or right-click) the one that you previously created

- (or select the ellipsis) and select **Assign blueprint**.

- subscriptions that you want to deploy this blueprint to.

- 1. Provide a **Display name** for the new subscription.

- 1. Select the available **Offer** from the dropdown list.

- 1. Use the ellipsis to select the [management group](../management-groups/overview.md) that the

- subscription will be a child of.

- > An assignment is created for each subscription that you select. You can make changes to a

- > single subscription assignment at a later time without forcing changes on the remainder of the

- > selected subscriptions.

-1. In **Location**, select a region for the managed identity and subscription deployment object to

- be created in. Azure Blueprints uses this managed identity to deploy all artifacts in the assigned

- blueprint. To learn more, see

- [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).

-1. Leave the **Blueprint definition version** dropdown list selection of **Published** versions on

- the **v1** entry. (The default is the most recently published version.)

- :::image type="content" source="./media/create-blueprint-portal/assignment-locking-mi.png" alt-text="Screenshot of the Locking assignment and managed identity options for the blueprint assignment." border="false":::

-1. For the subscription level role assignment **[User group or application name] : Contributor**,

- search for and select a user, app, or group.

-1. For the subscription level policy assignment, set **Tag Name** to **CostCenter** and the **Tag

- Value** to **ContosoIT**.

-1. For **ResourceGroup**, provide a **Name** of **StorageAccount** and a **Location** of **East US

- 2** from the dropdown list.

- > For each artifact that you added under the resource group during blueprint definition, that

- > artifact is indented to align with the resource group or object that you'll deploy it with.

- > Artifacts that either don't take parameters or have no parameters to be defined at assignment

- > are listed only for contextual information.

-1. On the ARM template **StorageAccount**, select **Standard_GRS** for the **storageAccountType**

- parameter.

-When a blueprint has been assigned to one or more subscriptions, two things happen:

-Now that the blueprint has been assigned to a subscription, verify the progress of the deployment:

-1. In the list of blueprints, select and hold (or right-click) the one that you previously assigned

- and select **View assignment details**.

- :::image type="content" source="./media/create-blueprint-portal/view-assignment-details.png" alt-text="Screenshot of the blueprint assignment context menu with the 'View assignment details' option selected." border="false":::

-1. On the **Blueprint assignment** page, validate that all artifacts were successfully deployed and

- that there were no errors during the deployment. If errors occurred, see

- [Troubleshooting blueprints](./troubleshoot/general.md) for steps to determine what went wrong.

-If you no longer need a blueprint assignment, remove it from a subscription. The blueprint might

-have been replaced by a newer blueprint with updated patterns, policies, and designs. When a

-blueprint is removed, the artifacts assigned as part of that blueprint are left behind. To remove a

-blueprint assignment, follow these steps:

-1. In the list of blueprints, select the blueprint that you want to unassign. Then select the

- **Unassign blueprint** button at the top of the page.

-1. Read the confirmation message and then select **OK**.

-1. Right-click the blueprint that you want to delete, and select **Delete blueprint**. Then select

- **Yes** in the confirmation dialog box.

-> Deleting a blueprint in this method also deletes all published versions of the selected blueprint.

-> To delete a single version, open the blueprint, select the **Published versions** tab, select the

-> version that you want to delete, and then select **Delete This Version**. Also, you can't delete a

-> blueprint until you've deleted all blueprint assignment of that blueprint definition.

-In this quickstart, you've created, assigned, and removed a blueprint with Azure portal. To learn

-description: In this quickstart, you use Azure Blueprints to create, define, and deploy artifacts using the PowerShell.

-# Quickstart: Define and Assign an Azure blueprint with PowerShell

-Learning how to create and assign blueprints enables the definition of common patterns to develop

-reusable and rapidly deployable configurations based on Azure Resource Manager templates (ARM

-templates), policy, security, and more. In this tutorial, you learn to use Azure Blueprints to do

-some of the common tasks related to creating, publishing, and assigning a blueprint within your

-organization, such as:

- [Add the Az.Blueprint module](./how-to/manage-assignments-ps.md#add-the-azblueprint-module) to

- install and validate the **Az.Blueprint** module from the PowerShell Gallery.

-available resources. We'll create a blueprint named 'MyBlueprint' to configure role and policy

-assignments for the subscription. Then we'll add a resource group, an ARM template, and a role

-> When using PowerShell, the _blueprint_ object is created first. For each _artifact_ to be added

-> that has parameters, the parameters need to be defined in advance on the initial _blueprint_.

-1. Create the initial _blueprint_ object. The **BlueprintFile** parameter takes a JSON file that

- includes properties about the blueprint, any resource groups to create, and all of the blueprint

- level parameters. The parameters are set during assignment and used by the artifacts added in

- later steps.

- - JSON file - blueprint.json

- > Use the filename _blueprint.json_ when creating your blueprint definitions programmatically.

- > This file name is used when calling

- > [Import-AzBlueprintWithArtifact](/powershell/module/az.blueprint/import-azblueprintwithartifact).

- management group, use parameter **ManagementGroupId**. To specify the subscription, use

- parameter **SubscriptionId**.

-1. Add role assignment at subscription. The **ArtifactFile** defines the _kind_ of artifact, the

- properties align to the role definition identifier, and the principal identities are passed as an

- array of values. In the following example, the principal identities granted the specified role

- are configured to a parameter that is set during blueprint assignment. This example uses the

- _Contributor_ built-in role with a GUID of `b24988ac-6180-42a0-ab88-20f7382dd24c`.

- - JSON file - \artifacts\roleContributor.json

-1. Add policy assignment at subscription. The **ArtifactFile** defines the _kind_ of artifact, the

- properties that align to a policy or initiative definition, and configures the policy assignment

- to use the defined blueprint parameters to configure during blueprint assignment. This example

- uses the _Apply tag and its default value to resource groups_ built-in policy with a GUID of

- `49c88fc8-6fd1-46fd-a676-f12d1d3a4c71`.

- - JSON file - \artifacts\policyTags.json

-1. Add another policy assignment for Storage tag (reusing _storageAccountType_ parameter) at

- subscription. This additional policy assignment artifact demonstrates that a parameter defined on

- the blueprint is usable by more than one artifact. In the example, the **storageAccountType** is

- used to set a tag on the resource group. This value provides information about the storage

- account that is created in the next step. This example uses the _Apply tag and its default value

- to resource groups_ built-in policy with a GUID of `49c88fc8-6fd1-46fd-a676-f12d1d3a4c71`.

- - JSON file - \artifacts\policyStorageTags.json

-1. Add template under resource group. The **TemplateFile** for an ARM template includes the normal

- JSON component of the template. The template also reuses the **storageAccountType**, **tagName**,

- and **tagValue** blueprint parameters by passing each to the template. The blueprint parameters

- are available to the template by using parameter **TemplateParameterFile** and inside the

- template JSON that key-value pair is used to inject the value. The blueprint and template

- parameter names could be the same.

- - JSON ARM template file - \artifacts\templateStorage.json

- - JSON ARM template parameter file - \artifacts\templateStorageParams.json

-1. Add role assignment under resource group. Similar to the previous role assignment entry, the

- example below uses the definition identifier for the **Owner** role and provides it a different

- parameter from the blueprint. This example uses the _Owner_ built-in role with a GUID of

- `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`.

- - JSON file - \artifacts\roleOwner.json

-Now that the artifacts have been added to the blueprint, it's time to publish it. Publishing makes

-it available to assign to a subscription.

-The value for `{BlueprintVersion}` is a string of letters, numbers, and hyphens (no spaces or other

-special characters) with a max length of 20 characters. Use something unique and informational such

-as **v20180622-135541**.

-Once a blueprint is published using PowerShell, it's assignable to a subscription. Assign the

-blueprint you created to one of the subscriptions under your management group hierarchy. If the

-blueprint is saved to a subscription, it can only be assigned to that subscription. The

-**Blueprint** parameter specifies the blueprint to assign. To provide name, location, identity,

-lock, and blueprint parameters, use the matching PowerShell parameters on the

-`New-AzBlueprintAssignment` cmdlet or provide them in the **AssignmentFile** parameter JSON file.

-1. Run the blueprint deployment by assigning it to a subscription. As the **contributors** and

- **owners** parameters require an array of objectIds of the principals to be granted the role

- assignment, use

- [Azure Active Directory Graph API](/graph/migrate-azure-ad-graph-planning-checklist)

- for gathering the objectIds for use in the **AssignmentFile** for your own users, groups, or

- service principals.

- - JSON file - blueprintAssignment.json

- [user-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

- In this case, the **identity** portion of the JSON assignment file changes as follows. Replace

- `{tenantId}`, `{subscriptionId}`, `{yourRG}`, and `{userIdentity}` with your tenantId,

- subscriptionId, resource group name, and the name of your user-assigned managed identity,

- respectively.

- The **user-assigned managed identity** can be in any subscription and resource group the user

- assigning the blueprint has permissions to.

- > Azure Blueprints doesn't manage the user-assigned managed identity. Users are responsible for

- > assigning sufficient roles and permissions or the blueprint assignment will fail.

-### Unassign a blueprint

-You can remove a blueprint from a subscription. Removal is often done when the artifact resources

-are no longer needed. When a blueprint is removed, the artifacts assigned as part of that blueprint

-are left behind. To remove a blueprint assignment, use the `Remove-AzBlueprintAssignment` cmdlet:

-In this quickstart, you've created, assigned, and removed a blueprint with PowerShell. To learn more

-about Azure Blueprints, continue to the blueprint lifecycle article.

-description: In this quickstart, you use Azure Blueprints to create, define, and deploy artifacts using the REST API.

-Learning how to create and assign blueprints enables the definition of common patterns to develop

-reusable and rapidly deployable configurations based on Azure Resource Manager templates (ARM

-templates), policy, security, and more. In this tutorial, you learn to use Azure Blueprints to do

-some of the common tasks related to creating, publishing, and assigning a blueprint within your

-organization, such as:

-## Getting started with REST API

-If you're unfamiliar with REST API, start by reviewing [Azure REST API Reference](/rest/api/azure/)

-to get a general understanding of REST API, specifically request URI and request body. This article

-uses these concepts to provide directions for working with Azure Blueprints and assumes a working

-knowledge of them. Tools such as [ARMClient](https://github.com/projectkudu/ARMClient) and others

-may handle authorization automatically and are recommended for beginners.

-instructions. Following is a sample header for authenticating with Azure. Generate an authentication

-header, sometimes called a **Bearer token**, and provide the REST API URI to connect to with any

-parameters or a **Request Body**:

-Replace `{subscriptionId}` in the **$restUri** variable above to get information about your

-subscription. The $response variable holds the result of the `Invoke-RestMethod` cmdlet, which can

-be parsed with cmdlets such as

-[ConvertFrom-Json](/powershell/module/microsoft.powershell.utility/convertfrom-json). If the REST

-API service endpoint expects a **Request Body**, provide a JSON formatted variable to the `-Body`

-parameter of `Invoke-RestMethod`.

-available resources. We'll create a blueprint named 'MyBlueprint' to configure role and policy

-assignments for the subscription. Then we'll add a resource group, an ARM template, and a role

-> When using the REST API, the _blueprint_ object is created first. For each _artifact_ to be added

-> that has parameters, the parameters need to be defined in advance on the initial _blueprint_.

-In each REST API URI, there are variables that are used that you need to replace with your own

-values:

-> Blueprints may also be created at the subscription level. To see an example, see

-1. Create the initial _blueprint_ object. The **Request Body** includes properties about the

- blueprint, any resource groups to create, and all of the blueprint level parameters. The

- parameters are set during assignment and used by the artifacts added in later steps.

-1. Add role assignment at subscription. The **Request Body** defines the _kind_ of artifact, the

- properties align to the role definition identifier, and the principal identities are passed as an

- array of values. In the following example, the principal identities granted the specified role

- are configured to a parameter that is set during blueprint assignment. This example uses the

- _Contributor_ built-in role with a GUID of `b24988ac-6180-42a0-ab88-20f7382dd24c`.

-1. Add policy assignment at subscription. The **Request Body** defines the _kind_ of artifact, the

- properties that align to a policy or initiative definition, and configures the policy assignment

- to use the defined blueprint parameters to configure during blueprint assignment. This example

- uses the _Apply tag and its default value to resource groups_ built-in policy with a GUID of

- `49c88fc8-6fd1-46fd-a676-f12d1d3a4c71`.

-1. Add another policy assignment for Storage tag (reusing _storageAccountType_ parameter) at

- subscription. This additional policy assignment artifact demonstrates that a parameter defined on

- the blueprint is usable by more than one artifact. In the example, the **storageAccountType** is

- used to set a tag on the resource group. This value provides information about the storage

- account that is created in the next step. This example uses the _Apply tag and its default value

- to resource groups_ built-in policy with a GUID of `49c88fc8-6fd1-46fd-a676-f12d1d3a4c71`.

-1. Add template under resource group. The **Request Body** for an ARM template includes the normal

- JSON component of the template and defines the target resource group with

- **properties.resourceGroup**. The template also reuses the **storageAccountType**, **tagName**,

- and **tagValue** blueprint parameters by passing each to the template. The blueprint parameters

- are available to the template by defining **properties.parameters** and inside the template JSON

- that key-value pair is used to inject the value. The blueprint and template parameter names could

- be the same, but were made different to illustrate how each passes from the blueprint to the

- template artifact.

-1. Add role assignment under resource group. Similar to the previous role assignment entry, the

- example below uses the definition identifier for the **Owner** role and provides it a different

- parameter from the blueprint. This example uses the _Owner_ built-in role with a GUID of

- `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`.

-Now that the artifacts have been added to the blueprint, it's time to publish it. Publishing makes

-it available to assign to a subscription.

-The value for `{BlueprintVersion}` is a string of letters, numbers, and hyphens (no spaces or other

-special characters) with a max length of 20 characters. Use something unique and informational such

-as **v20180622-135541**.

-Once a blueprint is published using REST API, it's assignable to a subscription. Assign the

-blueprint you created to one of the subscriptions under your management group hierarchy. If the

-blueprint is saved to a subscription, it can only be assigned to that subscription. The **Request

-Body** specifies the blueprint to assign, provides name and location to any resource groups in the

-blueprint definition, and provides all parameters defined on the blueprint and used by one or more

-attached artifacts.

-In each REST API URI, there are variables that are used that you need to replace with your own

-values:

-1. Provide the Azure Blueprints service principal the **Owner** role on the target subscription. The

- AppId is static (`f71766dc-90d9-4b7d-bd9d-4499c4331c3f`), but the service principal ID varies by

- tenant. Details can be requested for your tenant using the following REST API. It uses

- [Azure Active Directory Graph API](/graph/migrate-azure-ad-graph-planning-checklist),

- which has different authorization.

-1. Run the blueprint deployment by assigning it to a subscription. As the **contributors** and

- **owners** parameters require an array of objectIds of the principals to be granted the role

- assignment, use

- [Azure Active Directory Graph API](/graph/migrate-azure-ad-graph-planning-checklist)

- for gathering the objectIds for use in the **Request Body** for your own users, groups, or

- service principals.

- In this case, the **identity** portion of the request body changes as follows. Replace

- The **user-assigned managed identity** can be in any subscription and resource group the user

- assigning the blueprint has permissions to.

- > Azure Blueprints doesn't manage the user-assigned managed identity. Users are responsible for

- > assigning sufficient roles and permissions or the blueprint assignment will fail.

-You can remove a blueprint from a subscription. Removal is often done when the artifact resources

-are no longer needed. When a blueprint is removed, the artifacts assigned as part of that blueprint

-are left behind. To remove a blueprint assignment, use the following REST API operation:

-In this quickstart, you've created, assigned, and removed a blueprint with REST API. To learn more

-> [GitHub Commit History](https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/ism-protected/control-mapping.md).

-> [GitHub Commit History](https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/iso27001-ase-sql-workload/control-mapping.md).

-> [GitHub Commit History](https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/iso27001-shared/control-mapping.md).

-> [GitHub Commit History](https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/medi).

-> [GitHub Commit History](https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/pci-dss-3.2.1/control-mapping.md).

-> [GitHub Commit History](https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/swift-2020/control-mapping.md).

-(see [examples](/virtual-machines/extensions/dsc-template.md)),

-[extension for the guest configuration feature](/virtual-machines/extensions/guest-configuration.md).

-Run the following script in the Azure Cloud Shell. Replace the `clustername` value with a unique name for your cluster before you run the script. The cluster name can contain only lowercase letters and numbers:

-# Create a service principal to use when authenticating from IoT Central

-SP_JSON=$(az ad sp create-for-rbac --skip-assignment --name $clustername)

- --principal-id $(jq -r .appId <<< $SP_JSON) \

- --principal-assignment-name $clustername \

-echo "Azure Data Explorer URL: $(az kusto cluster show --name $clustername --resource-group $resourcegroup --query uri -o tsv)"

-echo "Client ID: $(jq -r .appId <<< $SP_JSON)"

-echo "Tenant ID: $(jq -r .tenant <<< $SP_JSON)"

-echo "Client secret: $(jq -r .password <<< $SP_JSON)"

-Make a note of the **Azure Data Explorer URL**, **Client ID**, **Tenant ID**, and **Client secret**. You use these values later in the quickstart.

-1. In **Client ID**, enter the **Client ID** you made a note of previously.

-1. In **Tenant ID**, enter the **Tenant ID** you made a note of previously.

-1. In **Client secret**, enter the **Client secret** you made a note of previously.

-zone_pivot_groups: iot-develop-stm-toolset

-# - id: iot-develop-stm-toolset

-# Title: IoT Devices

-# prompt: Choose a build environment

- ::: image type="content" source="media/quickstart-devkit-stm-b-l4s5i/stm-b-l4s5i.png" alt-text="Locate key components on the STM DevKit board":::

-3. Run the following commands after replacing the following sample parameter values with your own: **Provider, Name, Version, Properties, Handler, Installed Criteria, Files**. See [Import schema and API information](import-schema.md) for details on what values you can use. In particular, be aware that the same exact set of compatibility properties cannot be used with more than one Provider and Name combination.

-Now that the networking side of things is handled, lets create a SQL Server Database. We are going to create a [single database](../azure-sql/database/single-database-create-quickstart.md?tabs=azure-portal) as it is the quickest deployment option for Azure SQL Database. For other deployment options, create an [elastic pool](../azure-sql/database/elastic-pool-overview.md#creating-a-new-sql-database-elastic-pool-using-the-azure-portal), [managed instance](../azure-sql/managed-instance/instance-create-quickstart.md), or [SQL virtual machine](../azure-sql/virtual-machines/windows/sql-vm-create-portal-quickstart.md).

-In cases where a multi-tenant architecture is required, Azure Lighthouse can help centralize and streamline management operations. By using Azure Lighthouse, users in one managing tenant can perform [cross-tenant management functions](cross-tenant-management-experience.md) in a centralized, scalable manner.

-* IP address

-When preallocating your backend pool with an IP address range which you plan to later create virtual machines and virtual machine scale sets, configure your backend pool by IP address and VNET ID combination.

-All backend pool management is done directly on the backend pool object as highlighted in the examples below.

-Create new backend pool:

-$resourceGroup = "myResourceGroup"

-$loadBalancerName = "myLoadBalancer"

-$backendPoolName = "myBackendPool"

-$vnetName = "myVnet"

-$location = "eastus"

-$nicName = "myNic"

-$backendPool = New-AzLoadBalancerBackendAddressPool -ResourceGroupName $resourceGroup -LoadBalancerName $loadBalancerName -Name $backendPoolName  

-$virtualNetwork = 

-Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup 

- 

-$ip1 = New-AzLoadBalancerBackendAddressConfig -IpAddress "10.0.0.5" -Name "TestVNetRef" -VirtualNetwork $virtualNetwork  

-Get-AzLoadBalancerBackendAddressPool -ResourceGroupName $resourceGroup -LoadBalancerName $loadBalancerName -Name $backendPoolName 

-$nic =

-New-AzNetworkInterface -ResourceGroupName $resourceGroup -Location $location -Name $nicName -PrivateIpAddress 10.0.0.4 -Subnet $virtualNetwork.Subnets[0]

-$vmname = "myVM1"

-$vmsize = "Standard_DS1_v2"

-$pubname = "MicrosoftWindowsServer"

-$nicname = "myNic"

-$off = "WindowsServer"

-$sku = "2019-Datacenter"

-$resourceGroup = "myResourceGroup"

-$location = "eastus"

-$nic =

-Get-AzNetworkInterface -Name $nicname -ResourceGroupName $resourceGroup

-$vmConfig =

-New-AzVMConfig -VMName $vmname -VMSize $vmsize | Set-AzVMOperatingSystem -Windows -ComputerName $vmname -Credential $cred | Set-AzVMSourceImage -PublisherName $pubname -Offer $off -Skus $sku -Version latest | Add-AzVMNetworkInterface -Id $nic.Id

-$vm1 = New-AzVM -ResourceGroupName $resourceGroup -Zone 1 -Location $location -VM $vmConfig

- * A Load Balancer with IP-based Backend Pool cannot function as a Private Link service

- * ACI containers are not currently supported by IP based LBs

- * Load Balancers or services such as Application Gateway cannot be placed in the backend pool of the load balancer

- * Inbound NAT Rules cannot be specified by IP address

- * You can configure IP-based and NIC-based backend pools for the same load balancer however, you cannot create a single backend pool that mixes backed addresses targeted by NIC and IP addresses within the same pool.

-Review the [REST API](/rest/api/load-balancer/loadbalancerbackendaddresspools/createorupdate) for IP based backendpool management.

-Floating IP can be configured on a Load Balancer rule via the Azure Portal, REST API, CLI, PowerShell, or other client. In addition to the rule configuration, you must also configure your virtual machine's Guest OS in order to leverage Floating IP.

-description: Reference guide to expression functions for Azure Logic Apps and Power Automate

-# Reference guide to expression functions for Azure Logic Apps and Power Automate

-For workflow definitions in [Azure Logic Apps](../logic-apps/logic-apps-overview.md) and [Power Automate](/power-automate/getting-started), some [expressions](../logic-apps/logic-apps-workflow-definition-language.md#expressions) get their values from runtime actions that might not yet exist when your workflow starts running. To reference these values or process the values in these expressions, you can use *expression functions* provided by the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md).

-> and expressions in Power Automate, see [Use expressions in conditions](/power-automate/use-expressions-in-conditions).

-| Return a string in lowercase format. | toLower('<*text*>') <p>For example: toLower('Hello') | "hello" |

-| 1. Get the *parameterName*'s value by using the nested `parameters()` function. </br>2. Perform work with the result by passing that value to *functionName*. | "\@<*functionName*>(parameters('<*parameterName*>'))" |

-| 1. Get the result from the nested inner function *functionName*. </br>2. Pass the result to the outer function *functionName2*. | "\@<*functionName2*>(<*functionName*>(<*item*>))" |

-| 1. Get the result from *functionName*. </br>2. Given that the result is an object with property *propertyName*, get that property's value. | "\@<*functionName*>(<*item*>).<*propertyName*>" |

-Azure Logic Apps automatically or implicitly converts between some data types, so you don't have to manually perform these conversions. For example, if you use non-string values where strings are expected as inputs, Logic Apps automatically converts the non-string values into strings.

-Logic Apps automatically or implicitly performs base64 encoding or decoding, so you don't have to manually perform these conversions by using the corresponding functions:

-> If you manually add any of these functions while using the workflow designer, either directly to a trigger

-Return an action's output at runtime. and is shorthand for `actions('<actionName>').outputs`. See [actions()](#actions). The `actionOutputs()` function resolves to `outputs()` in the Logic App Designer, so consider using [outputs()](#outputs), rather than `actionOutputs()`. Although both functions work the same way, `outputs()` is preferred.

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-And returns this result: `"2018-03-15T10:00:00.0000000Z"

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-Return the first non-null value from one or more parameters.

-Empty strings, empty arrays, and empty objects are not null.

-| <*first-non-null-item*> | Any | The first item or value that is not null. If all parameters are null, this function returns null. |

-| <*text1text2...*> | String | The string created from the combined input strings. <p><p>**Note**: The length of the result must not exceed 104,857,600 characters. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*quotient-result*> | Integer or Float | The result from dividing the first number by the second number. If either the dividend or divisor has Float type, the result has Float type. <p><p>**Note**: To convert the float result to an integer, try [creating and calling a function in Azure](../logic-apps/logic-apps-azure-functions.md) from your logic app. |

-This function is not case-sensitive.

-formatDateTime('<timestamp>', '<format>'?)

-| | -- | - | -- |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| | - | -- |

-| <*reformatted-timestamp*> | String | The updated timestamp in the specified format |

-*Example*

-This example converts a timestamp to the specified format:

-formatDateTime('03/15/2018 12:00:00', 'yyyy-MM-ddTHH:mm:ss')

-```

-And returns this result: `"2018-03-15T12:00:00"`

-| <*locale*> | No | String | The locale to use as supported by `number.ToString(<format>, <locale>)`. If not specified, the default value is `en-us`. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-This function is not case-sensitive,

-| <*index-value*>| Integer | The starting position or index value for the specified substring. <p>If the string is not found, return the number -1. |

-| <*JSON-result*> | JSON native type, object, or array | The JSON native type value, object, or array of objects from the input string or XML. <p><p>- If you pass in XML that has a single child element in the root element, the function returns a single JSON object for that child element. <p> - If you pass in XML that has multiple child elements in the root element, the function returns an array that contains JSON objects for those child elements. <p>- If the string is null, the function returns an empty object. |

-| <*char1*><*delimiter*><*char2*><*delimiter*>... | String | The resulting string created from all the items in the specified array. <p><p>**Note**: The length of the result must not exceed 104,857,600 characters. |

-Return the starting position or index value for the last occurrence of a substring. This function is not case-sensitive, and indexes start with the number 0.

-```json

-```json

-```json

-```json

-```json

-```json

-Check whether at least one expression is true.

-Return true when at least one expression is true,

-or return false when all are false.

-```json

-Return an action's outputs at runtime. Use this function, rather than `actionOutputs()`, which resolves to `outputs()` in the Logic App Designer. Although both functions work the same way, `outputs()` is preferred.

-| <*count*> | Yes | Integer | The number of integers in the array. The `count` parameter value must be a positive integer that doesn't exceed 100,000. <p><p>**Note**: The sum of the `startIndex` and `count` values must not exceed 2,147,483,647. |

-| <*updated-text*> | String | The updated string after replacing the substring <p>If the substring is not found, return the original string. |

-This example removes one item, the number 0,

-from the front of the specified array:

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-Check whether a string starts with a specific substring. Return true when the substring is found, or return false when not found. This function is not case-sensitive.

-| <*value*> | Yes | Any | The value to convert. If this value is null or evaluates to null, the value is converted to an empty string (`""`) value. <p><p>For example, if you assign a string variable to a non-existent property, which you can access with the `?` operator, the null value is converted to an empty string. However, comparing a null value isn't the same as comparing an empty string. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. |

-| <*property*> | No | String | The name for the workflow property whose value you want <p><p>By default, a workflow object has these properties: `name`, `type`, `id`, `location`, `run`, and `tags`. <p><p>- The `run` property value is a JSON object that includes these properties: `name`, `type`, and `id`. <p><p>- The `tags` property is a JSON object that includes [tags that are associated with your logic app in Azure Logic Apps or flow in Power Automate](../azure-resource-manager/management/tag-resources.md) and the values for those tags. For more information about tags in Azure resources, review [Tag resources, resource groups, and subscriptions for logical organization in Azure](../azure-resource-manager/management/tag-resources.md). <p><p>**Note**: By default, a logic app has no tags, but a Power Automate flow has the `flowDisplayName` and `environmentName` tags. |

-| <*value*> | Yes | String | The string with the JSON object to convert <p>The JSON object must have only one root property, which can't be an array. <br>Use the backslash character (\\) as an escape character for the double quotation mark ("). |

-| [<*xml-node1*>, <*xml-node2*>, ...] </br>-or- </br>[<*value1*>, <*value2*>, ...] | Array | An array with XML nodes or values that match the specified XPath expression |

-These expressions use either XPath expression, `/*[name()="file"]/*[name()="location"]` or `/*[local-name()="file" and namespace-uri()="https://contoso.com"]/*[local-name()="location"]`, to find nodes that match the `<location></location>` node. These examples show the syntax that you use in either the Logic App Designer or in the expression editor:

-> However, if you're work in the Logic App Designer or expression editor, you don't need to escape the

-Learn about the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md)

-|Object detection, instance segmentation| `min_size`<br>`max_size`<br>`box_score_thresh`<br>`nms_iou_thresh`<br>`box_detections_per_img` | 600<br>1333<br>0.3<br>0.5<br>100 |

-After you have an Azure AD access token, you can call methods in the Partner Center submission API. To create or update submissions, you typically call multiple methods in the Partner Center submission API in a specific order. For information about each scenario and the syntax of each method, see the Ingestion API swagger.

-https://apidocs.microsoft.com/services/partneringestion/

-## Compliance, Privacy and Security

-As an important reminder, you must comply with all applicable laws in your use of Azure Media Services, and you may not use Media Services or any Azure service in a manner that violates the rights of others, or that may be harmful to others.

-Before uploading any video/image to Media Services, You must have all the proper rights to use the video/image, including, where required by law, all the necessary consents from individuals (if any) in the video/image, for the use, processing, and storage of their data in Media Services and Azure. Some jurisdictions may impose special legal requirements for the collection, online processing and storage of certain categories of data, such as biometric data. Before using Media Services and Azure for the processing and storage of any data subject to special legal requirements, You must ensure compliance with any such legal requirements that may apply to You.

-To learn about compliance, privacy and security in Media Services please visit the Microsoft [Trust Center](https://www.microsoft.com/trust-center/?rtc=1). For Microsoft's privacy obligations, data handling and retention practices, including how to delete your data, please review Microsoft's [Privacy Statement](https://privacy.microsoft.com/PrivacyStatement), the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products?rtc=1) ("OST") and [Data Processing Addendum](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67) ("DPA"). By using Media Services, you agree to be bound by the OST, DPA and the Privacy Statement.

-## Next steps

-[Learn about fundamental concepts](concepts-overview.md)

-View and manage Query Store using the following views and functions. Anyone in the [select privilege public role](howto-create-users.md#to-create-more-admin-users-in-azure-database-for-mysql) can use these views to see the data in Query Store. These views are only available in the **mysql** database.

-

-# Create databases and users in Azure Database for MySQL

-This article describes how to create users in Azure Database for MySQL.

-## To create a database with a non-admin user in Azure Database for MySQL

- If you're not sure how to connect, see [connect and query data for Single Server](./connect-workbench.md) or [connect and query data for Flexible Server](./flexible-server/connect-workbench.md).

-4. Verify the grants in the database:

-5. Sign in to the server, specifying the designated database and using the new user name and password. This example shows the mysql command line. When you use this command, you'll be prompted for the user's password. Use your own server name, database name, and user name.

-### [Single Server](#tab/single-server)

- ```azurecli-interactive

- mysql --host mydemoserver.mysql.database.azure.com --database testdb --user db_user@mydemoserver -p

- ```

-### [Flexible Server](#tab/flexible-server)

- ```azurecli-interactive

- mysql --host mydemoserver.mysql.database.azure.com --database testdb --user db_user -p

- ```

-## To create more admin users in Azure Database for MySQL

-1. Get the connection information and admin user name.

- To connect to your database server, you need the full server name and admin sign-in credentials. You can easily find the server name and sign-in information on the server **Overview** page or on the **Properties** page in the Azure portal.

-2. Use the admin account and password to connect to your database server. Use your preferred client tool, such as MySQL Workbench, mysql.exe, or HeidiSQL.

- If you're not sure how to connect, see [Use MySQL Workbench to connect and query data](./connect-workbench.md).

-3. Edit and run the following SQL code. Replace the placeholder value `new_master_user` with your new user name. This syntax grants the listed privileges on all the database schemas (*.*) to the user (`new_master_user` in this example).

- FLUSH PRIVILEGES;

- ```

-4. Verify the grants:

- ```sql

- USE sys;

- SHOW GRANTS FOR 'new_master_user'@'%';

-## azure_superuser

-Open the firewall for the IP addresses of the new users' machines to enable them to connect:

-* [Create and manage firewall rules on Single Server](howto-manage-firewall-using-portal.md)

-* [Create and manage firewall rules on Flexible Server](flexible-server/how-to-connect-tls-ssl.md)

-IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.Now along with the NSG rules evaluation, the Azure Virtual Network Manager rules will also be evaluated.

-> [!IMPORTANT]

-> Planned maintenance notifications are currently available in preview in all regions **except** West Central US

-## PostgreSQL version 9.6

-| East US 2 | :heavy_check_mark: | :x: | :heavy_check_mark: |

-| Southeast Asia | :heavy_check_mark: | :x: | :x: |

-description: Use this quickstart to learn how to create a Private Endpoint using Azure CLI.

-#Customer intent: As someone with a basic network background, but is new to Azure, I want to create an Azure private endpoint

-# Quickstart: Create a Private Endpoint using Azure CLI

-Get started with Azure Private Link by using a Private Endpoint to connect securely to an Azure web app.

-In this quickstart, you'll create a private endpoint for an Azure web app and deploy a virtual machine to test the private connection.

-Private endpoints can be created for different kinds of Azure services, such as Azure SQL and Azure Storage.

-* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

-* An Azure Web App with a **PremiumV2-tier** or higher app service plan deployed in your Azure subscription.

- * For more information and an example, see [Quickstart: Create an ASP.NET Core web app in Azure](../app-service/quickstart-dotnetcore.md).

- * For a detailed tutorial on creating a web app and an endpoint, see [Tutorial: Connect to a web app using an Azure Private Endpoint](tutorial-private-endpoint-webapp-portal.md).

-* Sign in to the Azure portal and check that your subscription is active by running `az login`.

-* Check your version of the Azure CLI in a terminal or command window by running `az --version`. For the latest version, see the [latest release notes](/cli/azure/release-notes-azure-cli?tabs=azure-cli).

- * If you don't have the latest version, update your installation by following the [installation guide for your operating system or platform](/cli/azure/install-azure-cli).

-## Create a resource group

-An Azure resource group is a logical container into which Azure resources are deployed and managed.

-Create a resource group with [az group create](/cli/azure/group#az_group_create):

-* Named **CreatePrivateEndpointQS-rg**.

-* In the **eastus** location.

-```azurecli-interactive

-az group create \

- --name CreatePrivateEndpointQS-rg \

- --location eastus

-```

-## Create a virtual network and bastion host

-In this section, you'll create a virtual network, subnet, and bastion host.

-The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.

-Create a virtual network with [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create)

-* Named **myVNet**.

-* Address prefix of **10.0.0.0/16**.

-* Subnet named **myBackendSubnet**.

-* Subnet prefix of **10.0.0.0/24**.

-* In the **CreatePrivateEndpointQS-rg** resource group.

-* Location of **eastus**.

-az network vnet create \

- --resource-group CreatePrivateEndpointQS-rg\

- --location eastus \

- --name myVNet \

- --address-prefixes 10.0.0.0/16 \

- --subnet-name myBackendSubnet \

- --subnet-prefixes 10.0.0.0/24

-Update the subnet to disable private endpoint network policies for the private endpoint with [az network vnet subnet update](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_update):

-```azurecli-interactive

-az network vnet subnet update \

- --name myBackendSubnet \

- --resource-group CreatePrivateEndpointQS-rg \

- --vnet-name myVNet \

- --disable-private-endpoint-network-policies true

-```

-Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create a public ip address for the bastion host:

-* Create a standard zone redundant public IP address named **myBastionIP**.

-* In **CreatePrivateEndpointQS-rg**.

-```azurecli-interactive

-az network public-ip create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name myBastionIP \

- --sku Standard

-```

-Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) to create a bastion subnet:

-* Named **AzureBastionSubnet**.

-* Address prefix of **10.0.1.0/24**.

-* In virtual network **myVNet**.

-* In resource group **CreatePrivateEndpointQS-rg**.

-```azurecli-interactive

-az network vnet subnet create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name AzureBastionSubnet \

- --vnet-name myVNet \

- --address-prefixes 10.0.1.0/24

-```

-Use [az network bastion create](/cli/azure/network/bastion#az_network_bastion_create) to create a bastion host:

-* Named **myBastionHost**.

-* In **CreatePrivateEndpointQS-rg**.

-* Associated with public IP **myBastionIP**.

-* Associated with virtual network **myVNet**.

-* In **eastus** location.

-```azurecli-interactive

-az network bastion create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name myBastionHost \

- --public-ip-address myBastionIP \

- --vnet-name myVNet \

- --location eastus

-```

-## Create test virtual machine

-In this section, you'll create a virtual machine that will be used to test the private endpoint.

-Create a VM withΓÇ»[az vm create](/cli/azure/vm#az_vm_create). When prompted, provide a password to be used as the credentials for the VM:

-* Named **myVM**.

-* In **CreatePrivateEndpointQS-rg**.

-* In network **myVNet**.

-* In subnet **myBackendSubnet**.

-* Server image **Win2019Datacenter**.

-```azurecli-interactive

-az vm create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name myVM \

- --image Win2019Datacenter \

- --public-ip-address "" \

- --vnet-name myVNet \

- --subnet myBackendSubnet \

- --admin-username azureuser

-```

-## Create private endpoint

-In this section, you'll create the private endpoint.

-Use [az webapp list](/cli/azure/webapp#az_webapp_list) to place the resource ID of the Web app you previously created into a shell variable.

-Use [az network private-endpoint create](/cli/azure/network/private-endpoint#az_network_private_endpoint_create) to create the endpoint and connection:

-* Named **myPrivateEndpoint**.

-* In resource group **CreatePrivateEndpointQS-rg**.

-* In virtual network **myVNet**.

-* In subnet **myBackendSubnet**.

-* Connection named **myConnection**.

-* Your webapp **\<webapp-resource-group-name>**.

-```azurecli-interactive

-id=$(az webapp list \

- --resource-group <webapp-resource-group-name> \

- --query '[].[id]' \

- --output tsv)

-az network private-endpoint create \

- --name myPrivateEndpoint \

- --resource-group CreatePrivateEndpointQS-rg \

- --vnet-name myVNet --subnet myBackendSubnet \

- --private-connection-resource-id $id \

- --group-id sites \

- --connection-name myConnection

-```

-In this section, you'll create and configure the private DNS zone using [az network private-dns zone create](/cli/azure/network/private-dns/zone#az_network_private_dns_zone_create).

-You'll use [az network private-dns link vnet create](/cli/azure/network/private-dns/link/vnet#az_network_private_dns_link_vnet_create) to create the virtual network link to the dns zone.

-You'll create a dns zone group with [az network private-endpoint dns-zone-group create](/cli/azure/network/private-endpoint/dns-zone-group#az_network_private_endpoint_dns_zone_group_create).

-* Zone named **privatelink.azurewebsites.net**

-* In virtual network **myVNet**.

-* In resource group **CreatePrivateEndpointQS-rg**.

-* DNS link named **myDNSLink**.

-* Associated with **myPrivateEndpoint**.

-* Zone group named **MyZoneGroup**.

-```azurecli-interactive

-az network private-dns zone create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name "privatelink.azurewebsites.net"

-az network private-dns link vnet create \

- --zone-name "privatelink.azurewebsites.net" \

- --name MyDNSLink \

- --virtual-network myVNet \

- --registration-enabled false

-az network private-endpoint dns-zone-group create \

- --resource-group CreatePrivateEndpointQS-rg \

- --endpoint-name myPrivateEndpoint \

- --name MyZoneGroup \

- --private-dns-zone "privatelink.azurewebsites.net" \

- --zone-name webapp

-```

-## Test connectivity to private endpoint

-In this section, you'll use the virtual machine you created in the previous step to connect to the SQL server across the private endpoint.

-1. Sign in to the [Azure portal](https://portal.azure.com)

-2. Select **Resource groups** in the left-hand navigation pane.

-3. Select **CreatePrivateEndpointQS-rg**.

-4. Select **myVM**.

-5. On the overview page for **myVM**, select **Connect** then **Bastion**.

-6. Select the blue **Use Bastion** button.

-7. Enter the username and password that you entered during the virtual machine creation.

-8. Open Windows PowerShell on the server after you connect.

-9. Enter `nslookup <your-webapp-name>.azurewebsites.net`. Replace **\<your-webapp-name>** with the name of the web app you created in the previous steps. You'll receive a message similar to what is displayed below:

- A private IP address of **10.0.0.5** is returned for the web app name. This address is in the subnet of the virtual network you created previously.

-10. In the bastion connection to **myVM**, open Internet Explorer.

-11. Enter the url of your web app, **https://\<your-webapp-name>.azurewebsites.net**.

-12. You'll receive the default web app page if your application hasn't been deployed:

- :::image type="content" source="./media/create-private-endpoint-portal/web-app-default-page.png" alt-text="Default web app page." border="true":::

-13. Close the connection to **myVM**.

-When you're done using the private endpoint and the VM, use [az group delete](/cli/azure/group#az_group_delete) to remove the resource group and all the resources it has:

-## Next steps

-In this quickstart, you created a:

-* Virtual network and bastion host.

-* Virtual machine.

-* Private endpoint for an Azure Web App.

-You used the virtual machine to test connectivity securely to the web app across the private endpoint.

-For more information on the services that support a private endpoint, see:

-> [Private Link availability](private-link-overview.md#availability)

-description: Use this quickstart to learn how to create a Private Endpoint using the Azure portal.

-#Customer intent: As someone with a basic network background, but is new to Azure, I want to create a private endpoint on a SQL server so that I can securely connect to it.

-# Quickstart: Create a Private Endpoint using the Azure portal

-Get started with Azure Private Link by using a Private Endpoint to connect securely to an Azure web app.

-In this quickstart, you'll create a private endpoint for an Azure web app and deploy a virtual machine to test the private connection.

-Private endpoints can be created for different kinds of Azure services, such as Azure SQL and Azure Storage.

-* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

-* An Azure Web App with a **PremiumV2-tier** or higher app service plan deployed in your Azure subscription.

- * For more information and an example, see [Quickstart: Create an ASP.NET Core web app in Azure](../app-service/quickstart-dotnetcore.md).

- * For a detailed tutorial on creating a web app and an endpoint, see [Tutorial: Connect to a web app using an Azure Private Endpoint](tutorial-private-endpoint-webapp-portal.md).

-## Sign in to Azure

-Sign in to the Azure portal at https://portal.azure.com.

-In this section, you'll create a virtual network, subnet, and bastion host.

-The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.

-1. On the upper-left side of the screen, select **Create a resource > Networking > Virtual network** or search for **Virtual network** in the search box.

-2. In **Create virtual network**, enter or select this information in the **Basics** tab:

- | **Setting** | **Value** |

- ||--|

- | **Project Details** | |

- | Subscription | Select your Azure subscription |

- | Resource Group | Select **CreatePrivateEndpointQS-rg** |

- | **Instance details** | |

- | Name | Enter **myVNet** |

-3. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

-4. In the **IP Addresses** tab, enter this information:

- | Setting | Value |

- |--|-|

- | IPv4 address space | Enter **10.1.0.0/16** |

-5. Under **Subnet name**, select the word **default**.

-6. In **Edit subnet**, enter this information:

- | Setting | Value |

- |--|-|

- | Subnet name | Enter **mySubnet** |

- | Subnet address range | Enter **10.1.0.0/24** |

-7. Select **Save**.

-8. Select the **Security** tab.

-9. Under **BastionHost**, select **Enable**. Enter this information:

- | Bastion name | Enter **myBastionHost** |

- | AzureBastionSubnet address space | Enter **10.1.1.0/24** |

- | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

-8. Select the **Review + create** tab or select the **Review + create** button.

-9. Select **Create**.

-## Create a virtual machine

-In this section, you'll create a virtual machine that will be used to test the private endpoint.

-1. On the upper-left side of the portal, select **Create a resource** > **Compute** > **Virtual machine** or search for **Virtual machine** in the search box.

-2. In **Create a virtual machine**, type or select the values in the **Basics** tab:

- | Setting | Value |

- |--|-|

- | **Project Details** | |

- | Subscription | Select your Azure subscription |

- | Resource Group | Select **CreatePrivateEndpointQS-rg** |

- | **Instance details** | |

- | Virtual machine name | Enter **myVM** |

- | Availability Options | Select **No infrastructure redundancy required** |

- | Image | Select **Windows Server 2019 Datacenter - Gen1** |

- | Azure Spot instance | Select **No** |

- | Size | Choose VM size or take default setting |

- | **Administrator account** | |

- | Username | Enter a username |

- | Password | Enter a password |

- | Confirm password | Reenter password |

-3. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

-4. In the Networking tab, select or enter:

- |-|-|

- | **Network interface** | |

- | Virtual network | **myVNet** |

- | Subnet | **mySubnet** |

- | NIC network security group | **Basic**|

-5. Select **Review + create**.

-6. Review the settings, and then select **Create**.

-## Create a Private Endpoint

-In this section, you'll create a Private Endpoint for the web app you created in the prerequisites section.

-1. On the upper-left side of the screen in the portal, select **Create a resource** > **Networking** > **Private Link**, or in the search box enter **Private Link**.

-2. Select **Create**.

-3. In **Private Link Center**, select **Private endpoints** in the left-hand menu.

-4. In **Private endpoints**, select **+ Add**.

-5. In the **Basics** tab of **Create a private endpoint**, enter, or select this information:

- | **Project details** | |

- | Resource group | Select **CreatePrivateEndpointQS-rg**. You created this resource group in the previous section.|

- | **Instance details** | |

-6. Select the **Resource** tab or the **Next: Resource** button at the bottom of the page.

-7. In **Resource**, enter or select this information:

- | Resource | Select **\<your-web-app-name>**. </br> Select the name of the web app you created in the prerequisites. |

-8. Select the **Configuration** tab or the **Next: Configuration** button at the bottom of the screen.

-9. In **Configuration**, enter or select this information:

- | **Private DNS integration** | |

- | Integrate with private DNS zone | Leave the default of **Yes**. |

- | Private DNS zones | Leave the default of **(New) privatelink.azurewebsites.net**.

-13. Select **Review + create**.

-14. Select **Create**.

-## Test connectivity to private endpoint

-In this section, you'll use the virtual machine you created in the previous step to connect to the web app across the private endpoint.

-1. Select **Resource groups** in the left-hand navigation pane.

-2. Select **CreatePrivateEndpointQS-rg**.

-3. Select **myVM**.

-4. On the overview page for **myVM**, select **Connect** then **Bastion**.

-5. Select the blue **Use Bastion** button.

-6. Enter the username and password that you entered during the virtual machine creation.

-7. Open Windows PowerShell on the server after you connect.

-8. Enter `nslookup <your-webapp-name>.azurewebsites.net`. Replace **\<your-webapp-name>** with the name of the web app you created in the previous steps. You'll receive a message similar to what is displayed below:

- A private IP address of **10.1.0.5** is returned for the web app name. This address is in the subnet of the virtual network you created previously.

-11. In the bastion connection to **myVM**, open Internet Explorer.

-12. Enter the url of your web app, **https://\<your-webapp-name>.azurewebsites.net**.

-13. You'll receive the default web app page if your application hasn't been deployed:

- :::image type="content" source="./media/create-private-endpoint-portal/web-app-default-page.png" alt-text="Default web app page." border="true":::

-18. Close the connection to **myVM**.

-If you're not going to continue to use this application, delete the virtual network, virtual machine, and web app with the following steps:

-1. From the left-hand menu, select **Resource groups**.

-2. Select **CreatePrivateEndpointQS-rg**.

-3. Select **Delete resource group**.

-4. Enter **CreatePrivateEndpointQS-rg** in **TYPE THE RESOURCE GROUP NAME**.

-5. Select **Delete**.

-## Next steps

-In this quickstart, you created a:

-* Virtual network and bastion host.

-* Virtual machine.

-* Private endpoint for an Azure Web App.

-You used the virtual machine to test connectivity securely to the web app across the private endpoint.

-For more information on the services that support a private endpoint, see:

-> [Private Link availability](private-link-overview.md#availability)

-description: Use this quickstart to learn how to create a Private Endpoint using Azure PowerShell.

-#Customer intent: As someone with a basic network background, but is new to Azure, I want to create an Azure private endpoint

-# Quickstart: Create an Azure Private Endpoint using Azure PowerShell

-Get started with Azure Private Link by using a Private Endpoint to connect securely to an Azure web app.

-In this quickstart, you'll create a private endpoint for an Azure web app and deploy a virtual machine to test the private connection.

-Private endpoints can be created for different kinds of Azure services, such as Azure SQL and Azure Storage.

-* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

-* An Azure Web App with a **PremiumV2-tier** or higher app service plan deployed in your Azure subscription.

- * For more information and an example, see [Quickstart: Create an ASP.NET Core web app in Azure](../app-service/quickstart-dotnetcore.md).

- * For a detailed tutorial on creating a web app and an endpoint, see [Tutorial: Connect to a web app using an Azure Private Endpoint](tutorial-private-endpoint-webapp-portal.md).

-If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

-An Azure resource group is a logical container into which Azure resources are deployed and managed.

-In this section, you'll create a virtual network, subnet, and bastion host.

-The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.

-Create a virtual network and bastion host with:

-* [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork)

-* [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress)

-* [New-AzBastion](/powershell/module/az.network/new-azbastion)

-```azurepowershell-interactive

-## Create backend subnet config. ##

-$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24

-## Create Azure Bastion subnet. ##

-$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24

-## Create the virtual network. ##

-$parameters1 = @{

- Name = 'MyVNet'

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Location = 'eastus'

- AddressPrefix = '10.0.0.0/16'

- Subnet = $subnetConfig, $bastsubnetConfig

-}

-$vnet = New-AzVirtualNetwork @parameters1

-## Create public IP address for bastion host. ##

-$parameters2 = @{

- Name = 'myBastionIP'

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Location = 'eastus'

- Sku = 'Standard'

- AllocationMethod = 'Static'

-}

-$publicip = New-AzPublicIpAddress @parameters2

-## Create bastion host ##

-$parameters3 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Name = 'myBastion'

- PublicIpAddress = $publicip

- VirtualNetwork = $vnet

-}

-New-AzBastion @parameters3

-```

-## Create test virtual machine

-In this section, you'll create a virtual machine that will be used to test the private endpoint.

-Create the virtual machine with:

- * [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential)

- * [New-AzNetworkInterface](/powershell/module/az.network/new-aznetworkinterface)

- * [New-AzVM](/powershell/module/az.compute/new-azvm)

- * [New-AzVMConfig](/powershell/module/az.compute/new-azvmconfig)

- * [Set-AzVMOperatingSystem](/powershell/module/az.compute/set-azvmoperatingsystem)

- * [Set-AzVMSourceImage](/powershell/module/az.compute/set-azvmsourceimage)

- * [Add-AzVMNetworkInterface](/powershell/module/az.compute/add-azvmnetworkinterface)

-```azurepowershell-interactive

-## Set credentials for server admin and password. ##

-$cred = Get-Credential

-## Command to get virtual network configuration. ##

-$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg

-## Command to create network interface for VM ##

-$parameters1 = @{

- Name = 'myNicVM'

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Location = 'eastus'

- Subnet = $vnet.Subnets[0]

-}

-$nicVM = New-AzNetworkInterface @parameters1

-## Create a virtual machine configuration.##

-$parameters2 = @{

- VMName = 'myVM'

- VMSize = 'Standard_DS1_v2'

-}

-$parameters3 = @{

- ComputerName = 'myVM'

- Credential = $cred

-}

-$parameters4 = @{

- PublisherName = 'MicrosoftWindowsServer'

- Offer = 'WindowsServer'

- Skus = '2019-Datacenter'

- Version = 'latest'

-}

-$vmConfig =

-New-AzVMConfig @parameters2 | Set-AzVMOperatingSystem -Windows @parameters3 | Set-AzVMSourceImage @parameters4 | Add-AzVMNetworkInterface -Id $nicVM.Id

-## Create the virtual machine ##

-New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig

-```

-## Create private endpoint

-In this section, you'll create the private endpoint and connection using:

-* [New-AzPrivateLinkServiceConnection](/powershell/module/az.network/New-AzPrivateLinkServiceConnection)

-* [New-AzPrivateEndpoint](/powershell/module/az.network/new-azprivateendpoint)

-```azurepowershell-interactive

-## Place web app into variable. Replace <webapp-resource-group-name> with the resource group of your webapp. ##

-## Replace <your-webapp-name> with your webapp name ##

-$webapp = Get-AzWebApp -ResourceGroupName <webapp-resource-group-name> -Name <your-webapp-name>

-## Create private endpoint connection. ##

-$parameters1 = @{

- Name = 'myConnection'

- PrivateLinkServiceId = $webapp.ID

- GroupID = 'sites'

-}

-$privateEndpointConnection = New-AzPrivateLinkServiceConnection @parameters1

-## Place virtual network into variable. ##

-$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

-## Disable private endpoint network policy ##

-$vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled"

-$vnet | Set-AzVirtualNetwork

-## Create private endpoint

-$parameters2 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Name = 'myPrivateEndpoint'

- Location = 'eastus'

- Subnet = $vnet.Subnets[0]

- PrivateLinkServiceConnection = $privateEndpointConnection

-}

-New-AzPrivateEndpoint @parameters2

-```

-In this section you'll create and configure the private DNS zone using:

-* [New-AzPrivateDnsZone](/powershell/module/az.privatedns/new-azprivatednszone)

-* [New-AzPrivateDnsVirtualNetworkLink](/powershell/module/az.privatedns/new-azprivatednsvirtualnetworklink)

-* [New-AzPrivateDnsZoneConfig](/powershell/module/az.network/new-azprivatednszoneconfig)

-* [New-AzPrivateDnsZoneGroup](/powershell/module/az.network/new-azprivatednszonegroup)

-```azurepowershell-interactive

-## Place virtual network into variable. ##

-$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

-## Create private dns zone. ##

-$parameters1 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Name = 'privatelink.azurewebsites.net'

-}

-$zone = New-AzPrivateDnsZone @parameters1

-## Create dns network link. ##

-$parameters2 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- ZoneName = 'privatelink.azurewebsites.net'

- Name = 'myLink'

- VirtualNetworkId = $vnet.Id

-}

-$link = New-AzPrivateDnsVirtualNetworkLink @parameters2

-## Create DNS configuration ##

-$parameters3 = @{

- Name = 'privatelink.azurewebsites.net'

- PrivateDnsZoneId = $zone.ResourceId

-}

-$config = New-AzPrivateDnsZoneConfig @parameters3

-## Create DNS zone group. ##

-$parameters4 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- PrivateEndpointName = 'myPrivateEndpoint'

- Name = 'myZoneGroup'

- PrivateDnsZoneConfig = $config

-}

-New-AzPrivateDnsZoneGroup @parameters4

-```

-## Test connectivity to private endpoint

-In this section, you'll use the virtual machine you created in the previous step to connect to the SQL server across the private endpoint.

-1. Sign in to the [Azure portal](https://portal.azure.com)

-2. Select **Resource groups** in the left-hand navigation pane.

-3. Select **CreatePrivateEndpointQS-rg**.

-4. Select **myVM**.

-5. On the overview page for **myVM**, select **Connect** then **Bastion**.

-6. Select the blue **Use Bastion** button.

-7. Enter the username and password that you entered during the virtual machine creation.

-8. Open Windows PowerShell on the server after you connect.

-9. Enter `nslookup <your-webapp-name>.azurewebsites.net`. Replace **\<your-webapp-name>** with the name of the web app you created in the previous steps. You'll receive a message similar to what is displayed below:

- A private IP address of **10.0.0.5** is returned for the web app name. This address is in the subnet of the virtual network you created previously.

-10. In the bastion connection to **myVM**, open Internet Explorer.

-11. Enter the url of your web app, **https://\<your-webapp-name>.azurewebsites.net**.

-12. You'll receive the default web app page if your application hasn't been deployed:

- :::image type="content" source="./media/create-private-endpoint-portal/web-app-default-page.png" alt-text="Default web app page." border="true":::

-13. Close the connection to **myVM**.

-When you're done using the private endpoint and the VM, use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) to remove the resource group and all the resources it has:

-## Next steps

-In this quickstart, you created a:

-* Virtual network and bastion host.

-* Virtual machine.

-* Private endpoint for an Azure Web App.

-You used the virtual machine to test connectivity securely to the web app across the private endpoint.

-For more information on the services that support a private endpoint, see:

-> [Private Link availability](private-link-overview.md#availability)

-description: In this quickstart, you use an Azure Resource Manager template (ARM template) to create a private endpoint.

-In this quickstart, you use an Azure Resource Manager template (ARM template) to create a private endpoint.

-You can also complete this quickstart by using the [Azure portal](create-private-endpoint-portal.md), [Azure PowerShell](create-private-endpoint-powershell.md), or the [Azure CLI](create-private-endpoint-cli.md).

-If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.sql%2Fprivate-endpoint-sql%2Fazuredeploy.json)

-You need an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/private-endpoint-sql/).

-Multiple Azure resources are defined in the template:

-Here's how to deploy the ARM template to Azure:

-1. To sign in to Azure and open the template, select **Deploy to Azure**. The template creates the private endpoint, the instance of SQL Database, the network infrastructure, and a virtual machine to validate.

- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.sql%2Fprivate-endpoint-sql%2Fazuredeploy.json)

-2. Select or create your resource group.

-3. Type the SQL Administrator sign-in and password.

-4. Type the virtual machine administrator username and password.

-5. Read the terms and conditions statement. If you agree, select **I agree to the terms and conditions stated above** > **Purchase**. The deployment can take 20 minutes or longer to complete.

-Connect to the VM _myVm{uniqueid}_ from the internet as follows:

-2. Select **Connect**. **Connect to virtual machine** opens.

-3. Select **Download RDP File**. Azure creates a Remote Desktop Protocol (_.rdp_) file and downloads it to your computer.

-4. Open the downloaded .rdp file.

- a. If prompted, select **Connect**.

- b. Enter the username and password you specified when you created the VM.

- > You might need to select **More choices** > **Use a different account**, to specify the credentials you entered when you created the VM.

-5. Select **OK**.

-6. You might receive a certificate warning during the sign-in process. If you receive a certificate warning, select **Yes** or **Continue**.

-7. After the VM desktop appears, minimize it to go back to your local desktop.

-Here's how to connect to the SQL Database server from the VM by using the private endpoint.

-1. In the Remote Desktop of _myVM{uniqueid}_, open PowerShell.

-2. Enter the following: nslookup sqlserver{uniqueid}.database.windows.net.ΓÇ»

- You'll receive a message similar to this:

-3. Install SQL Server Management Studio.

-4. InΓÇ»**Connect to server**, enter or select this information:

- - **Server type**: Select **Database Engine**.

- - **Server name**: Select **sqlserver{uniqueid}.database.windows.net**.

- - **Username**: Enter a username provided during creation.

- - **Password**: Enter a password provided during creation.

- - **Remember password**: SelectΓÇ»**Yes**.

-5. Select **Connect**.

-6. From the menu on the left, go to **Databases**.

-7. Optionally, you can create or query information from _sample-db_.

-8. Close the Remote Desktop connection to _myVm{uniqueid}_.

-When you no longer need the resources that you created with the private endpoint, delete the resource group. This removes the private endpoint and all the related resources.

-To delete the resource group, call the `Remove-AzResourceGroup` cmdlet:

-For more information on the services that support a private endpoint, see:

-> [Private Link availability](private-link-overview.md#availability)

-description: Learn about Azure Private Endpoint

-# Customer intent: As someone with a basic network background, but is new to Azure, I want to understand the capabilities of Azure private endpoints so that I can securely connect to my Azure PaaS services within the virtual network.

-# What is Azure Private Endpoint?

-A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network.

-* Your own service using a [Private Link Service](private-link-service-overview.md).

-## Private Endpoint properties

- A Private Endpoint specifies the following properties:

-|Subnet | The subnet to deploy and where the private IP address is assigned. For subnet requirements, see the limitations section in this article. |

-|Private Link Resource | The private link resource to connect using resource ID or alias, from the list of available types. A unique network identifier will be generated for all traffic sent to this resource. |

-|Target subresource | The subresource to connect. Each private link resource type has different options to select based on preference. |

-|Connection approval method | Automatic or manual. Depending on Azure role based access control permissions, your private endpoint can be approved automatically. If you try to connect to a private link resource without Azure role-based access control, use the manual method to allow the owner of the resource to approve the connection. |

-|Request Message | You can specify a message for requested connections to be approved manually. This message can be used to identify a specific request. |

-|Connection status | A read-only property that specifies if the private endpoint is active. Only private endpoints in an approved state can be used to send traffic. More states available: <br>-**Approved**: Connection was automatically or manually approved and is ready to be used.</br><br>-**Pending**: Connection was created manually and is pending approval by the private link resource owner.</br><br>-**Rejected**: Connection was rejected by the private link resource owner.</br><br>-**Disconnected**: Connection was removed by the private link resource owner. The private endpoint becomes informative and should be deleted for cleanup. </br>|

-Some key details about private endpoints:

- - Virtual Network

- - On premises using [VPN](https://azure.microsoft.com/services/vpn-gateway/) or [Express Route](https://azure.microsoft.com/services/expressroute/)

- - Services powered by Private Link

-## Private link resource

-A private link resource is the destination target of a given private endpoint.

-The table below lists the available resources that support a private endpoint:

-| Private link resource name | Resource type | Subresources |

-| **Azure App Configuration** | Microsoft.Appconfiguration/configurationStores | configurationStores |

-| **Azure Automation** | Microsoft.Automation/automationAccounts | Webhook, DSCAndHybridWorker |

-| **Azure Cosmos DB** | Microsoft.AzureCosmosDB/databaseAccounts | Sql, MongoDB, Cassandra, Gremlin, Table |

-| **Azure Batch** | Microsoft.Batch/batchAccounts | batch account |

-| **Azure Cache for Redis** | Microsoft.Cache/Redis | redisCache |

-| **Azure Cache for Redis Enterprise** | Microsoft.Cache/redisEnterprise | redisEnterprise |

-| **Cognitive Services** | Microsoft.CognitiveServices/accounts | account |

-| **Azure Managed Disks** | Microsoft.Compute/diskAccesses | managed disk |

-| **Azure Container Registry** | Microsoft.ContainerRegistry/registries | registry |

-| **Azure Kubernetes Service - Kubernetes API** | Microsoft.ContainerService/managedClusters | management |

-| **Azure Data Factory** | Microsoft.DataFactory/factories | data factory |

-| **Azure Database for MariaDB** | Microsoft.DBforMariaDB/servers | mariadbServer |

-| **Azure Database for MySQL** | Microsoft.DBforMySQL/servers | mysqlServer |

-| **Azure Database for PostgreSQL - Single server** | Microsoft.DBforPostgreSQL/servers | postgresqlServer |

-| **Azure IoT Hub** | Microsoft.Devices/IotHubs | iotHub |

-| **Microsoft Digital Twins** | Microsoft.DigitalTwins/digitalTwinsInstances | digitaltwinsinstance |

-| **Azure Event Grid** | Microsoft.EventGrid/domains | domain |

-| **Azure Event Grid** | Microsoft.EventGrid/topics | Event grid topic |

-| **Azure Event Hub** | Microsoft.EventHub/namespaces | namespace |

-| **Azure HDInsight** | Microsoft.HDInsight/clusters | cluster |

-| **Azure API for FHIR** | Microsoft.HealthcareApis/services | service |

-| **Azure Keyvault HSM** | Microsoft.Keyvault/managedHSMs | HSM |

-| **Azure Key Vault** | Microsoft.KeyVault/vaults | vault |

-| **Azure Machine Learning** | Microsoft.MachineLearningServices/workspaces | amlworkspace |

-| **Azure Migrate** | Microsoft.Migrate/assessmentProjects | project |

-| **Application Gateway** | Microsoft.Network/applicationgateways | application gateway |

-| **Private Link Service** (Your own service) | Microsoft.Network/privateLinkServices | empty |

-| **Power BI** | Microsoft.PowerBI/privateLinkServicesForPowerBI | Power BI |

-| **Azure Purview** | Microsoft.Purview/accounts | account |

-| **Azure Purview** | Microsoft.Purview/accounts | portal |

-| **Azure Backup** | Microsoft.RecoveryServices/vaults | vault |

-| **Azure Relay** | Microsoft.Relay/namespaces | namespace |

-| **Microsoft Search** | Microsoft.Search/searchServices | search service |

-| **Azure Service Bus** | Microsoft.ServiceBus/namespaces | namespace |

-| **SignalR** | Microsoft.SignalRService/SignalR | signalr |

-| **SignalR** | Microsoft.SignalRService/webPubSub | webpubsub |

-| **Azure SQL Database** | Microsoft.Sql/servers | Sql Server (sqlServer) |

-| **Azure SQL Managed Instance** | Microsoft.Sql/managedInstances | Sql Managed Instance (managedInstance) |

-| **Azure Storage** | Microsoft.Storage/storageAccounts | Blob (blob, blob_secondary)<BR> Table (table, table_secondary)<BR> Queue (queue, queue_secondary)<BR> File (file, file_secondary)<BR> Web (web, web_secondary) |

-| **Azure File Sync** | Microsoft.StorageSync/storageSyncServices | File Sync Service |

-| **Azure Synapse** | Microsoft.Synapse/privateLinkHubs | synapse |

-| **Azure Synapse Analytics** | Microsoft.Synapse/workspaces | Sql, SqlOnDemand, Dev |

-| **Azure App Service** | Microsoft.Web/hostingEnvironments | hosting environment |

-| **Azure App Service** | Microsoft.Web/sites | sites |

-| **Azure App Service** | Microsoft.Web/staticSites | staticSite |

-When using private endpoints, traffic is secured to a private link resource. The platform does an access control to validate network connections reaching only the specified private link resource. To access more resources within the same Azure service, extra private endpoints are required.

-You can completely lock down your workloads from accessing public endpoints to connect to a supported Azure service. This control provides an extra network security layer to your resources. The security provides protection that prevents access to other resources hosted on the same Azure service.

-## Access to a private link resource using approval workflow

-You can connect to a private link resource using the following connection approval methods:

-

-The private link resource owner can do the following actions over a private endpoint connection:

-> Only a private endpoint in an approved state can send traffic to a given private link resource.

-### Connect with alias

-An alias is a unique moniker that is generated when the service owner creates the private link service behind a standard load balancer. Service owners can share this alias with their consumers offline.

-Consumers can request a connection to private link service using either the resource URI or the alias. If you want to connect using the alias, you must create a private endpoint using the manual connection approval method. For using manual connection approval method, set manual request parameter to true during private endpoint create flow. For more information, see [New-AzPrivateEndpoint](/powershell/module/az.network/new-azprivateendpoint) and [az network private-endpoint create](/cli/azure/network/private-endpoint#az_network_private_endpoint_create). Note that this manual request can be auto approved if the consumer subscription is allowlisted on the provider side. To learn more, navigate to [controlling service access](./private-link-service-overview.md#control-service-access).

-The DNS settings used for connections to a private link resource are important. Ensure your DNS settings are correct when you use the fully qualified domain name (FQDN) for the connection. The settings must resolve to the private IP address of the private endpoint. Existing Azure services might already have a DNS configuration to use when connecting over a public endpoint. This configuration must be overwritten to connect using your private endpoint.

-The network interface associated with the private endpoint contains the information required to configure your DNS. The information includes the FQDN and private IP address for a private link resource.

-For complete detailed information about recommendations to configure DNS for private endpoints, see [Private Endpoint DNS configuration](private-endpoint-dns.md).

-The following table includes a list of known limitations when using private endpoints:

-| Traffic destined to a private endpoint using a user-defined route may be asymmetric. | Return traffic from a private endpoint bypasses a Network Virtual Appliance (NVA) and attempts to return to the source VM. | Source Network Address Translation (SNAT) is used to ensure symmetric routing. For all traffic destined to a private endpoint using a UDR, it's recommended to use SNAT for traffic at the NVA. |

-> NSG and UDR support for private endpoints are in public preview on select regions. For more information, see [Public preview of Private Link UDR Support](https://azure.microsoft.com/updates/public-preview-of-private-link-udr-support/) and [Public preview of Private Link Network Security Group Support](https://azure.microsoft.com/updates/public-preview-of-private-link-network-security-group-support/).

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-## Public preview limitations

-### NSG

-| Obtain effective routes and security rules won't be available on a private endpoint network interface. | You aren't able to navigate to the network interface to see relevant information on the effective routes and security rules. | Q4CY21 |

-| NSG flow logs not supported. | NSG flow logs won't work for inbound traffic destined for a private endpoint. | No information at this time. |

-| Intermittent drops with ZRS storage accounts. | Customers using ZRS storage account may see periodic intermittent drops even with allow NSG applied on storage private endpoint subnet. | September |

-| Intermittent drops with Azure Key Vault. | Customers using Azure Key Vault may see periodic intermittent drops even with allow NSG applied on Azure Key Vault private endpoint subnet. | September |

-| Limit on number of address prefixes per NSG. | Having more than 500 address prefixes in NSG in a single rule isn't supported. | September |

-| AllowVirtualNetworkAccess flag | Customers setting VNet peering on their VNet (VNet A) with **AllowVirtualNetworkAccess** flag set to false on the peering link to another VNet (VNet B) can't use the **VirtualNetwork** tag to deny traffic from VNet B accessing private endpoint resources. They'll need to explicitly place a block for VNet BΓÇÖs address prefix to deny traffic to the private endpoint. | September |

-| Dual port NSG rules unsupported. | If multiple port ranges are used with NSG rules, only the first port range is honored for allow rules and deny rules. Rules with multiple port ranges are defaulted to deny all instead of specific ports. </br> **For more information, see rule example below.** | September |

-| Priority | Source port | Destination port | Action | Effective action |

-| 10 | 10-12, 13-14 | 120-130, 140-150 | Deny | Traffic from all source ports will be denied to all dest ports since there are multiple source and destination port ranges. |

-**Table: Example dual port rule.**

-### UDR

-| Source Network Address Translation (SNAT) is recommended always. | Because of the variable nature of the private endpoint data-plane, it's recommended to SNAT traffic destined to a private endpoint to ensure return traffic is honored. | No information at this time. |

->

->

-|I just need to find assets, I don't want to edit anything|Data Reader|

-|I need to edit information about assets, assign classifications, associate them with glossary entries, and so on.|Data Curator|

-|I need to edit the glossary or set up new classification definitions|Data Curator|

-|I need to view Insights to understand the governance posture of my data estate|Data Curator|

-|My application's Service Principal needs to push data to Azure Purview|Data Curator|

-|I need to set up scans via the Azure Purview Studio|Data Curator on the collection **or** Data Curator **And** Data Source Administrator where the source is registered|

-|I need to enable a Service Principal or group to set up and monitor scans in Azure Purview without allowing them to access the catalog's information |Data Source Admin|

-|I need to put users into roles in Azure Purview | Collection Admin |

-Each Data Map capacity unit supports 25 operations/second and 10 GB of metadata storage. The Data Map is billed on an hourly basis. You are billed for the maximum Data Map capacity unit needed within the hour. At times, you may need more operations/second within the hour, and this will increase the number of capacity units needed within that hour. At other times, your operations/second usage may be low, but you may still need a large volume of metadata storage. The metadata storage is what determines how many capacity units you need within the hour.

-| Azure Stream Analytics | Yes | Yes\*\* | - |

-| Azure Data Factory | Yes | Yes | - |

-| Virtual Machines | Yes | Yes | - |

-| Virtual Machine Scale Set | Yes | Yes | - |

-| App Service | Yes | Yes\*\* | - |

-| Automation | Yes | Yes\*\* | - |

-| Azure Functions | Yes | Yes\*\* | - |

-| Azure portal | Yes | Yes\*\* | - |

-| Azure-managed applications | Yes | Yes\*\* | - |

-| Azure SQL Database | Yes | Yes, RSA 3072-bit | Yes |

-| Blob Storage | Yes | Yes | Yes |

-| Premium Blob Storage | Yes | Yes | Yes |

-| Disk Storage | Yes | Yes | - |

-| Ultra Disk Storage | Yes | Yes | - |

-| Managed Disk Storage | Yes | Yes | - |

-| File Storage | Yes | Yes | - |

-| File Premium Storage | Yes | Yes | - |

-| File Sync | Yes | Yes | - |

-| Queue Storage | Yes | Yes | Yes |

-## SDKS

-The IP firewall rules are applied at the Service Bus namespace level. Therefore, the rules apply to all connections from clients using any supported protocol. Any connection attempt from an IP address that does not match an allowed IP rule on the Service Bus namespace is rejected as unauthorized. The response does not mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

- - **All networks** (default). This option enables public access from all networks using an access key. If you select the **All networks** option, the event hub accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

-When adding virtual network or firewalls rules, set the value of `defaultAction` to `Deny`.

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "servicebusNamespaceName": {

- "type": "string",

- "metadata": {

- "description": "Name of the Service Bus namespace"

- },

- "location": {

- "type": "string",

- "metadata": {

- "description": "Location for Namespace"

- }

- }

- },

- "variables": {

- "namespaceNetworkRuleSetName": "[concat(parameters('servicebusNamespaceName'), concat('/', 'default'))]",

- {

- "apiVersion": "2018-01-01-preview",

- "name": "[parameters('servicebusNamespaceName')]",

- "type": "Microsoft.ServiceBus/namespaces",

- "location": "[parameters('location')]",

- "sku": {

- "name": "Premium",

- "tier": "Premium"

- },

- "properties": { }

- },

- {

- "apiVersion": "2018-01-01-preview",

- "name": "[variables('namespaceNetworkRuleSetName')]",

- "type": "Microsoft.ServiceBus/namespaces/networkrulesets",

- "dependsOn": [

- "[concat('Microsoft.ServiceBus/namespaces/', parameters('servicebusNamespaceName'))]"

- ],

- "properties": {

- "virtualNetworkRules": [<YOUR EXISTING VIRTUAL NETWORK RULES>],

- "ipRules":

- [

- {

- "ipMask":"10.1.1.1",

- "action":"Allow"

- {

- "ipMask":"11.0.0.0/24",

- "action":"Allow"

- ],

- "trustedServiceAccessEnabled": false,

- "defaultAction": "Deny"

- }

- ],

- "outputs": { }

- }

-Any immediate IP route between the compartments, including those carrying HTTPS over TCP/IP, carries the risk of exploitation of vulnerabilities from the network layer on up. Messaging services provide completely insulated communication paths, where messages are even written to disk as they transition between parties. Workloads in two distinct virtual networks that are both bound to the same Service Bus instance can communicate efficiently and reliably via messages, while the respective network isolation boundary integrity is preserved.

-Binding a Service Bus namespace to a virtual network is a two-step process. You first need to create a **Virtual Network service endpoint** on a Virtual Network subnet and enable it for **Microsoft.ServiceBus** as explained in the [service endpoint overview][vnet-sep]. Once you have added the service endpoint, you bind the Service Bus namespace to it with a **virtual network rule**.

-The virtual network rule is an association of the Service Bus namespace with a virtual network subnet. While the rule exists, all workloads bound to the subnet are granted access to the Service Bus namespace. Service Bus itself never establishes outbound connections, does not need to gain access, and is therefore never granted access to your subnet by enabling this rule.

- - **All networks** (default). This option enables public access from all networks using an access key. If you select the **All networks** option, the event hub accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

-When adding virtual network or firewalls rules, set the value of `defaultAction` to `Deny`.

- "ipRules":[<YOUR EXISTING IP RULES>],

- "trustedServiceAccessEnabled": false,

- "defaultAction": "Deny"

-You can use a shared access signature (SAS) to delegate access to resources in your Azure Storage account. A SAS token includes the targeted resource, the permissions granted, and the interval over which access is permitted. Best practices recommend that you limit the interval for a SAS in case it is compromised. By setting a SAS expiration policy for your storage accounts, you can provide a recommended upper expiration limit when a user creates a SAS.

-A SAS expiration policy does not prevent a user from creating a SAS with an expiration that exceeds the limit recommended by the policy. When a user creates a SAS that violates the policy, they'll see a warning, together with the recommended maximum interval. If you have configured a diagnostic setting for logging with Azure Monitor, then Azure Storage writes to a property in the logs whenever a user creates a SAS that expires after the recommended interval.

-When you create a SAS expiration policy on a storage account, the policy applies to each type of SAS that you can create on that storage account, including a service SAS, user delegation SAS, or account SAS.

-* If the query is fully partitioned, and a new file is created for each output partition.