+ Title: Assign, update, list, or remove custom security attributes for a user (Preview) - Azure Active Directory

+description: Assign, update, list, or remove custom security attributes for a user in Azure Active Directory.

+# Assign, update, list, or remove custom security attributes for a user (Preview)

+[Custom security attributes](../fundamentals/custom-security-attributes-overview.md) in Azure Active Directory (Azure AD), part of Microsoft Entra, are business-specific attributes (key-value pairs) that you can define and assign to Azure AD objects. For example, you can assign custom security attribute to filter your employees or to help determine who gets access to resources. This article describes how to assign, update, list, or remove custom security attributes for Azure AD.

+1. Select **Add filter** to open the Add filter pane.

+1. Select **Custom security attributes**.

+## Remove custom security attribute assignments from a user

+1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).

+1. Select **Azure Active Directory** > **Users**.

+1. Find and select the user that has the custom security attribute assignments you want to remove.

+1. In the Manage section, select **Custom security attributes (preview)**.

+1. Add check marks next to all the custom security attribute assignments you want to remove.

+1. Select **Remove assignment**.

+## PowerShell

+To manage custom security attribute assignments for users in your Azure AD organization, you can use PowerShell. The following commands can be used to manage assignments.

+Use the [Get-AzureADMSUser](/powershell/module/azuread/get-azureadmsuser) command to get the custom security attribute assignments for a user.

+```powershell

+$user1 = Get-AzureADMSUser -Id dbb22700-a7de-4372-ae78-0098ee60e55e -Select CustomSecurityAttributes

+$user1.CustomSecurityAttributes

+## Microsoft Graph API

+To manage custom security attribute assignments for users in your Azure AD organization, you can use the Microsoft Graph API. The following API calls can be made to manage assignments. For more information, see [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).

+#### Get the custom security attribute assignments for a user

+Use the [Get user](/graph/api/user-get?view=graph-rest-beta&preserve-view=true) API to get the custom security attribute assignments for a user.

+```http

+GET https://graph.microsoft.com/beta/users/{id}?$select=customSecurityAttributes

+```

+If there are no custom security attributes assigned to the user or if the calling principal does not have access, the response will look like:

+```http

+{

+ "customSecurityAttributes": null

+}

+```

+#### List all users with a custom security attribute assignment that equals a value

+Use the [List users](/graph/api/user-list?view=graph-rest-beta&preserve-view=true) API to list all users with a custom security attribute assignment that equals a value. The following example retrieves users with a custom security attribute named `AppCountry` with a value that equals `Canada`. The filter value is case sensitive. You must add `ConsistencyLevel=eventual` in the request or the header. You must also include `$count=true` to ensure the request is routed correctly.

+- Attribute set: `Marketing`

+- Attribute: `AppCountry`

+- Filter: AppCountry eq 'Canada'

+```http

+GET https://graph.microsoft.com/beta/users?$count=true&$select=id,displayName,customSecurityAttributes&$filter=customSecurityAttributes/Marketing/AppCountry eq 'Canada'

+ConsistencyLevel: eventual

+```

+#### List all users with a custom security attribute assignment that starts with a value

+Use the [List users](/graph/api/user-list?view=graph-rest-beta&preserve-view=true) API to list all users with a custom security attribute assignment that starts with a value. The following example retrieves users with a custom security attribute named `EmployeeId` with a value that starts with `GS`. The filter value is case sensitive. You must add `ConsistencyLevel=eventual` in the request or the header. You must also include `$count=true` to ensure the request is routed correctly.

+- Attribute set: `Marketing`

+- Attribute: `EmployeeId`

+- Filter: EmployeeId startsWith 'GS'

+```http

+GET https://graph.microsoft.com/beta/users?$count=true&$select=id,displayName,customSecurityAttributes&$filter=startsWith(customSecurityAttributes/Marketing/EmployeeId,'GS')

+ConsistencyLevel: eventual

+```

+#### List all users with a custom security attribute assignment that does not equal a value

+Use the [List users](/graph/api/user-list?view=graph-rest-beta&preserve-view=true) API to list all users with a custom security attribute assignment that does not equal a value. The following example retrieves users with a custom security attribute named `AppCountry` with a value that does not equal `Canada`. The filter value is case sensitive. You must add `ConsistencyLevel=eventual` in the request or the header. You must also include `$count=true` to ensure the request is routed correctly.

+- Attribute set: `Marketing`

+- Attribute: `AppCountry`

+- Filter: AppCountry ne 'Canada'

+```http

+GET https://graph.microsoft.com/beta/users?$count=true&$select=id,displayName,customSecurityAttributes&$filter=customSecurityAttributes/Marketing/AppCountry ne 'Canada'

+ConsistencyLevel: eventual

+```

+- [Assign, update, list, or remove custom security attributes for an application](../manage-apps/custom-security-attributes-apps.md)

+- To learn more about how Microsoft Azure controls resource access, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+|Account Administrator|This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|

+|Service Administrator|This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|

+|Owner|This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|

+- [Assign, update, list, or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md)

+- [Assign, update, list, or remove custom security attributes for an application](../manage-apps/custom-security-attributes-apps.md)

+- [Assign, update, list, or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md)

+- [Assign, update, list, or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md)

+Add and assign custom security attributes to users or enterprise applications. For more information, see [Add or deactivate custom security attributes in Azure AD](custom-security-attributes-add.md), [Assign, update, list, or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md), or [Assign, update, list, or remove custom security attributes for an application](../manage-apps/custom-security-attributes-apps.md).

+## Symptom - Request_UnsupportedQuery error

+When you try to call Microsoft Graph APIs for custom security attributes, you see a message similar to the following:

+```

+Bad Request - 400

+Request_UnsupportedQuery

+Unsupported or invalid query filter clause specified for property '<AttributeSet>_<Attribute>' of resource 'CustomSecurityAttributeValue'.

+```

+**Cause**

+The request isn't formatted correctly.

+**Solution**

+If required, add `ConsistencyLevel=eventual` in the request or the header. You might also need to include `$count=true` to ensure the request is routed correctly. For more information, see [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).

+

+* The account owner who created the subscription will be assigned the Service Administrator and Account Administrator roles. (The Azure EA Portal assigns Azure Service Manager (ASM) or "classic" roles to manage subscriptions. To learn more, see [Azure Resource Manager vs. classic deployment](../../azure-resource-manager/management/deployment-models.md).)

+To learn more, visit [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+* [Best practices](secure-with-azure-ad-best-practices.md)

+ Title: Assign, update, list, or remove custom security attributes for an application (Preview) - Azure Active Directory

+description: Assign, update, list, or remove custom security attributes for an application that has been registered with your Azure Active Directory (Azure AD) tenant.

+# Assign, update, list, or remove custom security attributes for an application (Preview)

+[Custom security attributes](../fundamentals/custom-security-attributes-overview.md) in Azure Active Directory (Azure AD) are business-specific attributes (key-value pairs) that you can define and assign to Azure AD objects. For example, you can assign custom security attribute to filter your applications or to help determine who gets access. This article describes how to assign, update, list, or remove custom security attributes for Azure AD enterprise applications.

+## Remove custom security attribute assignments from applications

+1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).

+1. Select **Azure Active Directory** > **Enterprise applications**.

+1. Find and select the application that has the custom security attribute assignments you want to remove.

+1. In the Manage section, select **Custom security attributes (preview)**.

+1. Add check marks next to all the custom security attribute assignments you want to remove.

+1. Select **Remove assignment**.

+## PowerShell

+To manage custom security attribute assignments for applications in your Azure AD organization, you can use PowerShell. The following commands can be used to manage assignments.

+Use the [Get-AzureADMSServicePrincipal](/powershell/module/azuread/get-azureadmsserviceprincipal) command to get the custom security attribute assignments for an application (service principal).

+```powershell

+Get-AzureADMSServicePrincipal -Select CustomSecurityAttributes

+Get-AzureADMSServicePrincipal -Id 7d194b0c-bf17-40ff-9f7f-4b671de8dc20 -Select "CustomSecurityAttributes, Id"

+## Microsoft Graph API

+To manage custom security attribute assignments for applications in your Azure AD organization, you can use the Microsoft Graph API. The following API calls can be made to manage assignments.

+For other similar Microsoft Graph API examples for users, see [Assign, update, list, or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md#microsoft-graph-api) and [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).

+#### Get the custom security attribute assignments for an application (service principal)

+Use the [Get servicePrincipal](/graph/api/serviceprincipal-get?view=graph-rest-beta&preserve-view=true) API to get the custom security attribute assignments for an application (service principal).

+```http

+GET https://graph.microsoft.com/beta/servicePrincipals/{id}?$select=customSecurityAttributes

+```

+If there are no custom security attributes assigned to the application or if the calling principal does not have access, the response will look like:

+```http

+{

+ "customSecurityAttributes": null

+}

+```

+- [Assign, update, list, or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md)

+For more information about the classic subscription administrator roles, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+When we say separate role-based access control system. it means there is a different data store where role definitions and role assignments are stored. Similarly, there is a different policy decision point where access checks happen. For more information, see [Roles for Microsoft 365 services in Azure AD](m365-workload-docs.md) and [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+Consider the example where the Contoso company has hired people across geographies to manage and reset passwords for employees in its Azure AD organization. Instead of asking a Privileged Role Administrator or Global Administrator to assign the Helpdesk Administrator role to each person individually, they can create a Contoso_Helpdesk_Administrators group and assign the role to the group. When people join the group, they're assigned the role indirectly. Your existing governance workflow can then take care of the approval process and auditing of the group's membership to ensure that only legitimate users are members of the group and are thus assigned the Helpdesk Administrator role.

+If a group is assigned a role, any IT administrator who can manage group membership could also indirectly manage the membership of that role. For example, assume that a group named Contoso_User_Administrators is assigned the User Administrator role. An Exchange administrator who can modify group membership could add themselves to the Contoso_User_Administrators group and in that way become a User Administrator. As you can see, an administrator could elevate their privilege in a way you didn't intend.

+- Group nesting isn't supported. A group can't be added as a member of a role-assignable group.

+If you don't want members of the group to have standing access to a role, you can use [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) to make a group eligible for a role assignment. Each member of the group is then eligible to activate the role assignment for a fixed time duration.

+The following scenarios aren't supported:

+- Azure Information Protection Portal (the classic portal) doesn't recognize role membership via group yet. You can [migrate to the unified sensitivity labeling platform](/azure/information-protection/configure-policy-migrate-labels) and then use the Microsoft Purview compliance center to use group assignments to manage roles.

+Using this feature requires an Azure AD Premium P1 license. The Privileged Identity Management for just-in-time role activation requires an Azure AD Premium P2 license. To find the right license for your requirements, see [Comparing generally available features of the Free and Premium editions](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+Users with this role have all permissions in the Azure Information Protection service. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. This role does not grant any permissions in Identity Protection, Privileged Identity Management, Monitor Microsoft 365 Service Health, Microsoft 365 Defender portal, or Microsoft Purview compliance portal.

+[Identity Protection](../identity-protection/overview-identity-protection.md) | All permissions of the Security Reader role<br>Perform all Identity Protection operations except for resetting passwords

+| [Identity Protection](../identity-protection/overview-identity-protection.md) | All permissions of the Security Reader role<br>Perform all Identity Protection operations except for configuring or changing risk-based policies, resetting passwords, and configuring alert e-mails. |

+[Identity Protection](../identity-protection/overview-identity-protection.md) | Read all security reports and settings information for security features<br><ul><li>Anti-spam<li>Encryption<li>Data loss prevention<li>Anti-malware<li>Advanced threat protection<li>Anti-phishing<li>Mail flow rules

+> [!IMPORTANT]

+>

+> **Standard tier** is currently not available in Azure API 2023-01-01 due to a [critical bug](https://github.com/Azure/AKS/issues/3481). To enable the Uptime SLA feature in your cluster, you'll use the existing **Paid tier** and the `--uptime-sla` parameter.

+>

+> Alternatively, you can select the **Standard tier** or **Free tier** on Azure portal when creating or updating an AKS cluster.

+## Uptime SLA terms and conditions

+The Uptime SLA feature is included in the Paid tier and is enabled per cluster. For more information on pricing, see the [AKS pricing details](https://azure.microsoft.com/pricing/details/kubernetes-service/).

+## Create a new cluster in the Free tier or Paid tier

+> [!IMPORTANT]

+> `--tier standard` and `--tier free` are currently unavailable in Azure CLI 2.46.0 due to a [critical bug](https://github.com/Azure/AKS/issues/3481). To enable the Uptime SLA feature, use the commands below.

+# Create a new AKS cluster in the Paid tier

+# Sample output for --no-uptime-sla

+# Sample output for --uptime-sla

+ "name": "Base",

+This process takes several minutes to complete. When finished, the following example JSON snippet shows the Paid tier for the SKU, indicating your cluster is enabled with Uptime SLA.

+ "name": "Base",

+> - **Contains an external endpoint or an externally resolvable FQDN**, the application gateway routes the request to the backend server by using its frontend public IP address. If the subnet contains [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md), the application gateway will route the request to the service via its private IP address. DNS resolution is based on a private DNS zone or custom DNS server, if configured, or it uses the default Azure-provided DNS. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage App Configuration resources. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+|Lookups|Azure Monitor provides various ways to enrich data, including:<br>- [Data collection rules](../essentials/data-collection-rule-overview.md), which let you send data from multiple sources to a Log Analytics workspace, and perform calculations and transformations before ingesting the data.<br>- KQL operators, such as the [join operator](/azure/data-explorer/kusto/query/joinoperator), which combines data from different tables, and the [externaldata operator](/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuremonitor), which returns data from external storage.<br>- Integration with services, such as [Azure Machine Learning](../../machine-learning/overview-what-is-azure-machine-learning.md) or [Azure Event Hubs](../../event-hubs/event-hubs-about.md), to apply advanced machine learning and stream in additional data.|

+- Take the [Analyze logs in Azure Monitor with KQL training module](/training/modules/analyze-logs-with-kql/).

+This article is not a complete list of partners. The number keeps expanding and maintaining this list is no longer scalable. As such, we are not accepting new requests to be added to this list. Any GitHub changes opened will be closed without action. We suggest you use your favorite search engine to locate other appropropriate partners.

+Dynatrace partners with Microsoft to help the worldΓÇÖs largest organizations tame hybrid, multicloud complexity and accelerate digital transformation. Beyond the integrations built by Dynatrace that enable monitoring of specific Azure services and the ability to purchase the Dynatrace Software Intelligence Platform through the [Microsoft Azure Marketplace](https://www.dynatrace.com/news/press-release/dynatrace-expands-strategic-collaboration-with-microsoft/), Dynatrace also deeply integrates with Microsoft Azure as a native solution. Azure Native Dynatrace Service provides all the unique capabilities of the [Dynatrace Software Intelligence Platform on Microsoft Azure with native integration into the Azure Portal](https://www.dynatrace.com/news/press-release/dynatrace-platform-available-on-microsoft-azure/). The Dynatrace Software Intelligence Platform provides several purpose-built [integrations for monitoring Microsoft Azure](https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-cloud-platforms/microsoft-azure-services) resources and services. Some examples include:

+- VM Extension for Azure Virtual Machines

+- Extension for Azure App services for Windows, Linux and containers

+- VM Extension for Azure Virtual Machine Scale Set (VMSS)

+- Azure Site-Extension on Azure Functions

+- Monitoring of Azure Kubernetes Service

+- Dynatrace OpenTelemetry Instrumentation of Azure Functions

+- Azure Spring Apps integration

+- Dynatrace Azure Monitor Integration

+Dynatrace SaaS is hosted on Microsoft Azure and available in several Azure regions. For an overview of the currently supported Azure regions please see the [Dynatrace documentation](https://www.dynatrace.com/support/help/how-to-use-dynatrace/data-privacy-and-security/data-security/data-security-controls#data-storage).

+Furthermore, Dynatrace is also available as a native solution integrated into Microsoft Azure. The [Azure Native Dynatrace Service](https://www.dynatrace.com/news/blog/using-dynatrace-on-microsoft-azure/) is available via the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/dynatrace.dynatrace_portal_integration?tab=Overview&exp=ubp8)

+The Azure Native Dynatrace Service gives Microsoft Azure customers a seamless experience for Dynatrace automatic and intelligent observability and runtime application security in and from Azure. The benefits of this native integration include:

+- Integrated onboarding: You can provision Dynatrace and manage the integration through the Azure Marketplace and Portal. The seamless onboarding experience sets up Dynatrace automatically.

+- Single sign-on: You can easily enable SSO through Azure Active Directory.

+- Metrics and logs: You can enable the collection of metrics and logs for Virtual Machine (VM) and App Services resources by installing Dynatrace OneAgent on those resources. Furthermore, you can activate the sending of Azure [subscription activity logs](./essentials/activity-log-schema.md) and [resource logs](./essentials/resource-logs-categories.md) to Dynatrace.

+- OneAgent deployment: You can install or uninstall Dynatrace OneAgents on single or multiple virtual machines and Azure App Services directly from your Azure Portal.

+- Manage Dynatrace within Azure portal: Within your Azure Portal, you can verify which resources are sending Azure metrics and logs to Dynatrace and make instant changes as needed.

+- Deeper Azure CLI integration: You can easily manage Dynatrace resources from the Azure CLI to further extend deployments of those resources with ARM templates or other third-party IAAC platforms, such as Terraform.

+- Azure Monitor metrics collection: The collection of Azure Monitor metrics from your Azure subscription can be activated with one click with no need for configuration or hosting of infrastructure/components. This includes Azure services such as App Services & Functions, Azure Databases, Azure Load Balancers, Azure Storage, and many more (see the complete list of services). Monitoring with the Azure Native Dynatrace Service is set up in the background and activated from the Azure console in a second.

+For more information and documentation on the native integration of Dynatrace in Azure, see our [documentation](https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-cloud-platforms/microsoft-azure-services/azure-platform/azure-native-integration) or directly have a look at the [Azure marketplace listing](https://azuremarketplace.microsoft.com/marketplace/apps/dynatrace.dynatrace_portal_integration?tab=Overview&exp=ubp8)

+LogicMonitor is a SaaS-based performance monitoring platform for complex IT infrastructure. With coverage for thousands of technologies, LogicMonitor provides granular visibility into infrastructure and application performance.

+- Configure your Azure resources to send logs to Logz.ioΓÇöa fully managed setup with no infrastructure for customers to set up and operate

+## Create the config file in Visual Studio Code

+The available experimental features include:

+- **extensibility**: Allows Bicep to use a provider model to deploy non-ARM resources. Currently, we only support a Kubernetes provider.

+- **paramsFiles**: Allows for the use of a Bicep-style parameters file with a terser syntax than the JSON equivalent parameters file. Currently, you also need a special build of Bicep to enable this feature, so is it inaccessible to most users. See [Parameters - first release](https://github.com/Azure/bicep/issues/9567).

+- **sourceMapping**: Enables basic source mapping to map an error location returned in the ARM template layer back to the relevant location in the Bicep file.

+- **resourceTypedParamsAndOutputs**: Enables the type for a parameter or output to be of type resource to make it easier to pass resource references between modules. This feature is only partially implemented. See [Simplifying resource referencing](https://github.com/azure/bicep/issues/2245).

+- **symbolicNameCodegen**: Allows the ARM template layer to use a new schema to represent resources as an object dictionary rather than an array of objects. This feature improves the semantic equivalent of the Bicep and ARM templates, resulting in more reliable code generation. Enabling this feature has no effect on the Bicep layer's functionality.

+- **userDefinedTypes**: Allows you to define your own custom types for parameters. See [User-defined types in Bicep](https://aka.ms/bicepCustomTypes).

+## Clean up resources

+If you want to clean up and remove a Cognitive Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.

+* [Portal](../../cognitive-services-apis-create-account.md#clean-up-resources)

+* [Azure CLI](../../cognitive-services-apis-create-account-cli.md#clean-up-resources)

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Key-phrase-extraction&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+## Clean up resources

+If you want to clean up and remove a Cognitive Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.

+* [Portal](../../cognitive-services-apis-create-account.md#clean-up-resources)

+* [Azure CLI](../../cognitive-services-apis-create-account-cli.md#clean-up-resources)

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Language-detection&Page=quickstart&Section=Clean-up-resources" target="_target" target="_target">I ran into an issue</a>

+## Clean up resources

+If you want to clean up and remove a Cognitive Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.

+* [Portal](../../cognitive-services-apis-create-account.md#clean-up-resources)

+* [Azure CLI](../../cognitive-services-apis-create-account-cli.md#clean-up-resources)

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=JAVA&Pillar=Language&Product=Named-entity-recognition&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+## Clean up resources

+If you want to clean up and remove a Cognitive Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.

+* [Portal](../../cognitive-services-apis-create-account.md#clean-up-resources)

+* [Azure CLI](../../cognitive-services-apis-create-account-cli.md#clean-up-resources)

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=PYTHON&Pillar=Language&Product=Personally-identifying-info&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+## Clean up resources

+If you want to clean up and remove a Cognitive Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.

+* [Portal](../../cognitive-services-apis-create-account.md#clean-up-resources)

+* [Azure CLI](../../cognitive-services-apis-create-account-cli.md#clean-up-resources)

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Summarization&Page=quickstart&Section=Clean-up-resources" target="_target" target="_target">I ran into an issue</a>

+## Clean up resources

+If you want to clean up and remove a Cognitive Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.

+* [Portal](../../cognitive-services-apis-create-account.md#clean-up-resources)

+* [Azure CLI](../../cognitive-services-apis-create-account-cli.md#clean-up-resources)

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CSHARP&Pillar=Language&Product=Text-analytics-for-health&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+Familiarize yourself with the Azure user roles relevant to Azure Communications Gateway by reading [Azure roles, Azure AD roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md).

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | Managed connector (Azure-hosted) and built-in connector, which is [service provider based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). The built-in version differs in the following ways: <br><br>- The built-in version connects directly to your Azure Storage account requiring only a connection string. <br><br>- The built-in version can directly access Azure virtual networks. <br><br>For more information, review the following documentation: <br><br>- [Azure Blob Storage managed connector reference](/connectors/azureblobconnector) <br>- [Azure Blob built-in connector reference](/azure/logic-apps/connectors/built-in/reference/azureblob/) <br>- [Built-in connectors in Azure Logic Apps](built-in.md) |

+- The logic app workflow from where you want to access your Azure Storage account. To start your workflow with an Azure Blob trigger, you need a blank workflow. To use an Azure Blob action, start your workflow with any trigger.

+A Consumption logic app workflow can use only the Azure Blob Storage managed connector. However, a Standard logic app workflow can use the Azure Blob Storage managed connector and the Azure blob built-in connector. Although both connector versions provide only one Blob trigger, the trigger name differs as follows, based on whether you're working with a Consumption or Standard workflow:

+1. In your workflow where you want to add the Blob action, follow one of these steps:

+ - To add an action under the last step, select **New step**.

+ - To add an action between steps, move your pointer use over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.

+1. In the action information box, provide the necessary information.

+1. In your workflow where you want to add the Blob action, follow one of these steps:

+ - To add an action under the last step, select the plus sign (**+**), and then select **Add an action**.

+ - To add an action between steps, select the plus sign (**+**) between those steps, and then select **Add an action**.

+1. In your workflow where you want to add the Blob action, follow one of these steps:

+ - To add an action under the last step, select the plus sign (**+**), and then select **Add an action**.

+ - To add an action between steps, select the plus sign (**+**) between those steps, and then select **Add an action**.

+1. In the action information box, provide the necessary information.

+ >

+ * To add an action between steps, move your pointer over the connecting arrow so that the plus sign (**+**) appears. Select the plus sign, and then select **Add an action**.

+ --name my-app-credentials \

+

+> You can scale compute on [cluster read replicas](concepts-read-replicas.md) independent of its primary cluster's compute.

+When a subscription no longer has a valid billing account owner, Azure sends an email to other Billing account owners, Service Administrators (if any), Co-Administrators (if any), and Subscription Owners informing them of the situation and provides them with a link to accept billing ownership of the subscription. Any one of the users can select the link to accept billing ownership. For more information about billing roles, see [Billing Roles](understand-mca-roles.md) and [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+Select **Scan History** in the vulnerability assessment pane to view a history of all scans previously run on this database.

+Select **Scan History** in the vulnerability assessment pane to view a history of all scans previously run on this database.

+- Learn more about [storing vulnerability assessment scan results in a storage account accessible behind firewalls and VNets](/azure/azure-sql/database/sql-database-vulnerability-assessment-storage).

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service hybrid](/azure/aks/hybrid/aks-hybrid-options-overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service hybrid](/azure/aks/hybrid/aks-hybrid-options-overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service hybrid](/azure/aks/hybrid/aks-hybrid-options-overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service hybrid](/azure/aks/hybrid/aks-hybrid-options-overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+- Review the [platforms that support Defender for Cloud](security-center-os-coverage.md).

+ Title: Overview of Azure Event Hubs Dedicated tier

+description: This article provides an overview of Dedicated Azure Event Hubs, which offers single-tenant deployments of event hubs.

+Event Hubs Dedicated clusters are designed to meet the needs of most demanding mission-critical event streaming workloads. These clusters provide a high-performance, low-latency, scalable, and reliable event streaming service for your event streaming applications that are based on AMQP(Event Hubs SDK) or Apache Kafka APIs.

+> The Dedicated tier isn't available in all regions. Try to create a Dedicated cluster in the Azure portal and see supported regions in the **Location** drop-down list on the **Create Event Hubs Cluster** page.

+The Dedicated tier of Event Hubs offers several benefits to customers who need run mission-critical workloads at enterprise-level capacity.

+Event Hubs Dedicated clusters minimize the latency jitter and ensure consistent performance with guaranteed capacity.

+The Dedicated cluster offers self-serve scaling capabilities that allow you to adjust the capacity of the cluster according to dynamic loads and to facilitate business operations. You can scale out during spikes in usage and scale in when the usage is low.

+Therefore, to determine the necessary number of CUs, you should carry out your anticipated event streaming workload on an Event Hubs Dedicated cluster while observing the cluster's resource utilization. For more information, see [When to scale my Dedicated cluster](#when-to-scale-my-dedicated-cluster).

+As a Dedicated cluster user, you can determine the type of cluster by examining the availability of the capacity scaling feature in the portal. If this capability is present, you're using a self-serve scalable cluster. Conversely, if it isn't available, you're utilizing a legacy Dedicated cluster. Alternatively you can look for the [Azure Resource Manager properties](/azure/templates/microsoft.eventhub/clusters?pivots=deployment-language-arm-template) related to Dedicated clusters.

+Event Hubs Self-serve scalable clusters are based on new infrastructure and allow users to easily scale the number of capacity units allocated to each cluster. By creating a Dedicated cluster through the Event Hubs portal or ARM templates, you gain access to a self-service scalable cluster. To learn how to scale your Dedicated cluster, see [Scale Event Hubs Dedicated clusters](event-hubs-dedicated-cluster-create-portal.md).

+> Self-serve scalable Dedicated clusters currently don't support [availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones). If you need to use AZ with your Dedicated cluster, then you need to explicitly create a Legacy Dedicated cluster.

+Event Hubs Dedicated clusters created prior to the availability of self-serve scalable clusters are referred to as legacy clusters.

+To use these legacy clusters, direct creation through the Azure portal or ARM templates isn't possible and you must instead [submit a support request](event-hubs-Dedicated-cluster-create-portal.md#submit-a-support-request) to create one.

+The Event Hubs Dedicated offering is billed at a fixed monthly price, with a **minimum of 4 hours of usage**. The Dedicated tier offers all the features of the premium plan, but with enterprise-scale capacity and limits for customers with demanding workloads.

+Event Hubs Dedicated tier is generally available (GA). The self-serve experience to create an Event Hubs cluster through the [Azure portal](event-hubs-dedicated-cluster-create-portal.md) is currently in Preview. You can also request for the cluster to be created by contacting the [Event Hubs team](mailto:askeventhubs@microsoft.com).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [**Owner**](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage Event Hubs namespaces. For more information, see [**Azure roles, Azure AD roles, and classic subscription administrator roles**](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+ * [Azure roles, Azure AD roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles)

+Azure Machine Learning workspaces are MLflow-compatible, which means you can use MLflow to track runs, metrics, parameters, and artifacts with your Azure Machine Learning workspaces. By using MLflow for tracking, you don't need to change your training routines to work with Azure Machine Learning or inject any cloud-specific syntax, which is one of the main advantages of the approach.

+In this article, you will learn how to use MLflow for tracking your experiments and runs in Azure Machine Learning workspaces.

+> [!NOTE]

+> If you want to track experiments running on Azure Databricks or Azure Synapse Analytics, see the dedicated articles [Track Azure Databricks ML experiments with MLflow and Azure Machine Learning](how-to-use-mlflow-azure-databricks.md) or [Track Azure Synapse Analytics ML experiments with MLflow and Azure Machine Learning](how-to-use-mlflow-azure-synapse.md).

+## Configuring the experiment

+MLflow organizes the information in experiments and runs (in Azure Machine Learning, runs are called __Jobs__). By default, runs are logged to an experiment named __Default__ that is automatically created for you. You can configure the experiment where tracking is happening.

+# [Working interactively](#tab/interactive)

+When training interactively, such as in a Jupyter Notebook, use MLflow command `mlflow.set_experiment()`. For example, the following code snippet demonstrates configuring the experiment, and then logging during a job:

+```python

+experiment_name = 'hello-world-example'

+mlflow.set_experiment(experiment_name)

+```

+# [Working with jobs](#tab/jobs)

+When submitting jobs using Azure Machine Learning CLI or SDK, you can set the experiment name using the property `experiment_name` of the job. You don't have to configure it on your training script.

+## Configure the run

+Azure Machine Learning any training job in what MLflow calls a run. Use runs to capture all the processing that your job performs.

+# [Working interactively](#tab/interactive)

+When working interactively, MLflow starts tracking your training routine as soon as you try to log information that requires an active run. For instance, when you log a metric, log a parameter, or when you start a training cycle when Mlflow's autologging functionality is enabled. However, it is usually helpful to start the run explicitly, specially if you want to capture the total time of your experiment in the field __Duration__. To start the run explicitly, use `mlflow.start_run()`.

+Regardless if you started the run manually or not, you will eventually need to stop the run to inform MLflow that your experiment run has finished and marks its status as __Completed__. To do that, all `mlflow.end_run()`. We strongly recommend starting runs manually so you don't forget to end them when working on notebooks.

+```python

+mlflow.start_run()

+# Your code

+mlflow.end_run()

+To help you avoid forgetting to end the run, it is usually helpful to use the context manager paradigm:

+```python

+with mlflow.start_run() as run:

+ # Your code

+```

+When you start a new run with `mlflow.start_run()`, it may be interesting to indicate the parameter `run_name` which will then translate to the name of the run in Azure Machine Learning user interface and help you identify the run quicker:

+```python

+with mlflow.start_run(run_name="hello-world-example") as run:

+ # Your code

+# [Working with jobs](#tab/jobs)

+Azure Machine Learning jobs allow you to submit long running training or inference routines as isolated and reproducible executions.

+### Creating a training routine

+When working with jobs, you typically place all your training logic inside of a folder, for instance `src`. Place all the files you need in that folder. Particularly, one of them will be a Python file with your training code entry point. The following example shows a `hello_world.py` example:

+The previous code example doesn't uses `mlflow.start_run()` but if used you can expect MLflow to reuse the current active run so there is no need to remove those lines if migrating to Azure Machine Learning.

+### Adding tracking to your routine

+Use MLflow SDK to track any metric, parameter, artifacts, or models. For detailed examples about how to log each, see [Log metrics, parameters and files with MLflow](how-to-log-view-metrics.md).

+### Ensure your job's environment has MLflow installed

+All Azure Machine Learning environments already have MLflow installed for you, so no action is required if you are using a curated environment. If you want to use a custom environment:

+1. Create a `conda.yml` file with the dependencies you need:

+ :::code language="yaml" source="~/azureml-examples-main//sdk/python/using-mlflow/deploy/environment/conda.yml" highlight="7-8" range="1-12":::

+

+1. Reference the environment in the job you are using.

+### Configuring the job's name

+Use the parameter `display_name` of Azure Machine Learning jobs to configure the name of the run. The following example shows how:

+1. Use the `display_name` property to configure the job.

+ # [Azure CLI](#tab/cli)

+ To submit the job, create a YAML file with your job definition in a `job.yml` file. This file should be created outside the `src` directory.

+ :::code language="yaml" source="~/azureml-examples-main/cli/jobs/basics/hello-world-org.yml" highlight="8" range="1-9":::

+ # [Python SDK](#tab/python)

+ ```python

+ from azure.ai.ml import command, Environment

+ command_job = command(

+ code="src",

+ command="echo "hello world",

+ environment=Environment(image="library/python:latest"),

+ compute="cpu-cluster",

+ display_name="hello-world-example"

+ )

+ ```

+2. Ensure you are not using `mlflow.start_run(run_name="")` inside of your training routine.

+### Submitting the job

+1. First, let's connect to Azure Machine Learning workspace where we are going to work on.

+ # [Azure CLI](#tab/cli)

+

+ ```azurecli

+ az account set --subscription <subscription>

+ az configure --defaults workspace=<workspace> group=<resource-group> location=<location>

+ ```

+

+ # [Python SDK](#tab/python)

+

+ The workspace is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. In this section, we'll connect to the workspace in which you'll perform deployment tasks.

+

+ 1. Import the required libraries:

+

+ ```python

+ from azure.ai.ml import MLClient

+ from azure.identity import DefaultAzureCredential

+ ```

+

+ 2. Configure workspace details and get a handle to the workspace:

+

+ ```python

+ subscription_id = "<subscription>"

+ resource_group = "<resource-group>"

+ workspace = "<workspace>"

+

+ ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)

+ ```

+1. Submit the job

+ # [Azure CLI](#tab/cli)

+ Use the Azure Machine Learning CLI [to submit your job](how-to-train-model.md). Jobs using MLflow and running on Azure Machine Learning will automatically log any tracking information to the workspace. Open your terminal and use the following to submit the job.

+ ```azurecli

+ az ml job create -f job.yml --web

+ ```

+ # [Python SDK](#tab/python)

+ Use the Python SDK [to submit your job](how-to-train-model.md). Jobs using MLflow and running on Azure Machine Learning will automatically log any tracking information to the workspace.

+ ```python

+ returned_job = ml_client.jobs.create_or_update(command_job)

+ returned_job.studio_url

+ ```

+1. You can monitor the job process in Azure Machine Learning studio.

+## Autologging

+You can [log metrics, parameters and files with MLflow](how-to-log-view-metrics.md) manually. However, you can also rely on MLflow automatic logging capability. Each machine learning framework supported by MLflow decides what to track automatically for you.

+To enable [automatic logging](https://mlflow.org/docs/latest/tracking.html#automatic-logging) insert the following code before your training code:

+```python

+mlflow.autolog()

+```

+## View metrics and artifacts in your workspace

+The metrics and artifacts from MLflow logging are tracked in your workspace. To view them anytime, navigate to your workspace and find the experiment by name in your workspace in [Azure Machine Learning studio](https://ml.azure.com).

+Select the logged metrics to render charts on the right side. You can customize the charts by applying smoothing, changing the color, or plotting multiple metrics on a single graph. You can also resize and rearrange the layout as you wish. Once you have created your desired view, you can save it for future use and share it with your teammates using a direct link.

+Retrieve run metric using MLflow SDK, use [mlflow.get_run()](https://mlflow.org/docs/latest/python_api/mlflow.html#mlflow.get_run).

+```Python

+from mlflow.tracking import MlflowClient

+client = MlflowClient()

+run = MlflowClient().get_run("<RUN_ID>")

+metrics = run.data.metrics

+tags = run.data.tags

+params = run.data.params

+print(metrics,tags,params)

+```

+To view the artifacts of a run, you can use [MlFlowClient.list_artifacts()](https://mlflow.org/docs/latest/python_api/mlflow.tracking.html#mlflow.tracking.MlflowClient.list_artifacts)

+```Python

+client.list_artifacts(run_id)

+```

+To download an artifact to the current directory, you can use [MLFlowClient.download_artifacts()](https://www.mlflow.org/docs/latest/python_api/mlflow.tracking.html#mlflow.tracking.MlflowClient.download_artifacts)

+```Python

+client.download_artifacts(run_id, "helloworld.txt", ".")

+```

+For more details about how to retrieve information from experiments and runs in Azure Machine Learning using MLflow view [Query & compare experiments and runs with MLflow](how-to-track-experiments-mlflow.md).

+## Example notebooks

+If you are looking for examples about how to use MLflow in Jupyter notebooks, please see our example's repository [Using MLflow (Jupyter Notebooks)](https://github.com/Azure/azureml-examples/tree/main/sdk/python/using-mlflow).

+* [Deploy MLflow models](how-to-deploy-mlflow-models.md).

+|[Pegatron](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/pegatron1671697317455.pegatron_5g?exp=ubp8&tab=Overview)||||[NTT](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/nttgermanyagcokg1596708630215.ntt_ex_germany_p5g_001?exp=ubp8) |

+|[Accenture](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/accenture1628868945076.acn-soln-area-15-5g-cloud-box-quality-inspection?exp=ubp8)||||[Tech Mahindra](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/techm.private_5g_network?exp=ubp8&tab=Overview) |

+||||| [Accenture](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/accenture1628868945076.acn-soln-area-6-5g-edge?exp=ubp8) |

+||||| Avanade |

+- [BT Group](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/britishtelecommunicationsplc1603355038257.0005_5g_private_network_bt_global-mpn1687281-preview?tab=Overview&flightCodes=bbaba195c14644e4aa5b4c7b6627ac7b)

+- Elisa

+- Tampnet

+| BICS | Airspan |

+- [Sensing Feeling](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/sensingfeelinglimited1671143541932.001?exp=ubp8)

+|**Subscription permissions** | Ensure that you have *Owner* access on the subscription that contains the resources you want to move.<br/><br/> *Why do I need Owner access?* The first time you add a resource for a specific source and destination pair in an Azure subscription, Resource Mover creates a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types), formerly known as the Managed Service Identity (MSI). This identity is trusted by the subscription. Before you can create the identity and assign it the required roles (*Contributor* and *User access administrator* in the source subscription), the account you use to add resources needs *Owner* permissions in the subscription. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles).|

+1. Assign the `Project` attribute with a value of `Cascade` to the user. For more information, see [Assign, update, list, or remove custom security attributes for a user](../active-directory/enterprise-users/users-custom-security-attributes.md).

+ Title: "Azure roles, Azure AD roles, and classic subscription administrator roles"

+description: Describes the different roles in Azure - Azure roles, and Azure Active Directory (Azure AD) roles, and classic subscription administrator roles

+# Azure roles, Azure AD roles, and classic subscription administrator roles

+If you're new to Azure, you may find it a little challenging to understand all the different roles in Azure. This article helps explain the following roles and when you would use each:

+- Classic subscription administrator roles

+The following diagram is a high-level view of how the Azure roles, Azure AD roles, and classic subscription administrator roles are related.

+[Azure RBAC](overview.md) is an authorization system built on [Azure Resource Manager](../azure-resource-manager/management/overview.md) that provides fine-grained access management to Azure resources, such as compute and storage. Azure RBAC includes over 70 built-in roles. There are four fundamental Azure roles. The first three apply to all resource types:

+| [Contributor](built-in-roles.md#contributor) | <ul><li>Create and manage all of types of Azure resources</li><li>Create a new tenant in Azure Active Directory</li><li>Can't grant access to others</li></ul> | Applies to all resource types. |

+Only the Azure portal and the Azure Resource Manager APIs support Azure RBAC. Users, groups, and applications that are assigned Azure roles can't use the [Azure classic deployment model APIs](../azure-resource-manager/management/deployment-models.md).

+In the Azure portal, role assignments using Azure RBAC appear on the **Access control (IAM)** page. This page can be found throughout the portal, such as management groups, subscriptions, resource groups, and various resources.

+When you click the **Roles** tab, you'll see the list of built-in and custom roles.

+[Azure AD roles](../active-directory/roles/custom-overview.md) are used to manage Azure AD resources in a directory such as create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains. The following table describes a few of the more important Azure AD roles.

+In the Azure portal, you can see the list of Azure AD roles on the **Roles and administrators** page. For a list of all the Azure AD roles, see [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md).

+By default, Azure roles and Azure AD roles don't span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the **Access management for Azure resources** switch in the Azure portal, the Global Administrator will be granted the [User Access Administrator](built-in-roles.md#user-access-administrator) role (an Azure role) on all subscriptions for a particular tenant. The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription. For more information, see [Elevate access to manage all Azure subscriptions and management groups](elevate-access-global-admin.md).

+Several Azure AD roles span Azure AD and Microsoft 365, such as the Global Administrator and User Administrator roles. For example, if you're a member of the Global Administrator role, you have global administrator capabilities in Azure AD and Microsoft 365, such as making changes to Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator doesn't have access to Azure resources.

+## Classic subscription administrator roles

+Account Administrator, Service Administrator, and Co-Administrator are the three classic subscription administrator roles in Azure. Classic subscription administrators have full access to the Azure subscription. They can manage resources using the Azure portal, Azure Resource Manager APIs, and the classic deployment model APIs. The account that is used to sign up for Azure is automatically set as both the Account Administrator and Service Administrator. Then, additional Co-Administrators can be added. The Service Administrator and the Co-Administrators have the equivalent access of users who have been assigned the Owner role (an Azure role) at the subscription scope. The following table describes the differences between these three classic subscription administrative roles.

+| Classic subscription administrator | Limit | Permissions | Notes |

+| | | | |

+| Account Administrator | 1 per Azure account | <ul><li>Can access the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and manage billing</li><li>Manage billing for all subscriptions in the account</li><li>Create new subscriptions</li><li>Cancel subscriptions</li><li>Change the billing for a subscription</li><li>Change the Service Administrator</li><li>Can't cancel subscriptions unless they have the Service Administrator or subscription Owner role</li></ul> | Conceptually, the billing owner of the subscription. |

+| Service Administrator | 1 per Azure subscription | <ul><li>Manage services in the [Azure portal](https://portal.azure.com)</li><li>Cancel the subscription</li><li>Assign users to the Co-Administrator role</li></ul> | By default, for a new subscription, the Account Administrator is also the Service Administrator.<br>The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.<br>The Service Administrator has full access to the Azure portal. |

+| Co-Administrator | 200 per subscription | <ul><li>Same access privileges as the Service Administrator, but canΓÇÖt change the association of subscriptions to Azure AD directories</li><li>Assign users to the Co-Administrator role, but can't change the Service Administrator</li></ul> | The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. |

+In the Azure portal, you can manage Co-Administrators or view the Service Administrator by using the **Classic administrators** tab.

+In the Azure portal, you can view or change the Service Administrator or view the Account Administrator on the properties page of your subscription.

+For more information, see [Azure classic subscription administrators](classic-administrators.md).

+### Azure account and Azure subscriptions

+An Azure account is used to establish a billing relationship. An Azure account is a user identity, one or more Azure subscriptions, and an associated set of Azure resources. The person who creates the account is the Account Administrator for all subscriptions created in that account. That person is also the default Service Administrator for the subscription.

+Azure subscriptions help you organize access to Azure resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by office, department, project, and so on. Every service belongs to a subscription, and the subscription ID may be required for programmatic operations.

+Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated with, open **Subscriptions** in the Azure portal and then select a subscription to see the directory.

+Accounts and subscriptions are managed in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).

+- [Assign Azure roles using the Azure portal](role-assignments-portal.md)

+- [Assign Azure AD roles to users](../active-directory/roles/manage-roles-portal.md)

+- [Roles for Microsoft 365 services in Azure Active Directory](../active-directory/roles/m365-workload-docs.md)

+You're unable to assign a role at management group scope.

+You're unable to assign a role in the Azure portal on **Access control (IAM)** because the **Add** > **Add role assignment** option is disabled or because you get the following permissions error:

+You're currently signed in with a user that doesn't have permission to assign roles at the selected scope.

+Check that you're currently signed in with a user that is assigned a role that has the `Microsoft.Authorization/roleAssignments/write` permission such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator) at the scope you're trying to assign the role.

+You're using a service principal to assign roles with Azure CLI and you get the following error:

+It's likely Azure CLI is attempting to look up the assignee identity in Azure AD and the service principal can't read Azure AD by default.

+The second way to resolve this error is to create the role assignment by using the `--assignee-object-id` parameter instead of `--assignee`. By using `--assignee-object-id`, Azure CLI will skip the Azure AD lookup. You'll need to get the object ID of the user, group, or application that you want to assign the role to. For more information, see [Assign Azure roles using Azure CLI](role-assignments-cli.md#assign-a-role-for-a-new-service-principal-at-a-resource-group-scope).

+If you're creating a new user or service principal using the REST API or ARM template, set the `principalType` property when creating the role assignment using the [Role Assignments - Create](/rest/api/authorization/role-assignments/create) API.

+If you're creating a new user or service principal using Azure PowerShell, set the `ObjectType` parameter to `User` or `ServicePrincipal` when creating the role assignment using [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment). The same underlying API version restrictions of Solution 1 still apply. For more information, see [Assign Azure roles using Azure PowerShell](role-assignments-powershell.md).

+If you're creating a new group, wait a few minutes before creating the role assignment.

+The role assignment `name` isn't unique, and it's viewed as an update.

+In PowerShell, if you try to remove the role assignments using the object ID and role definition name, and more than one role assignment matches your parameters, you'll get the error message: `The provided information does not map to a role assignment`. The following output shows an example of the error message:

+Removing the last Owner role assignment for a subscription isn't supported to avoid orphaning the subscription.

+You're allowed to remove the last Owner (or User Access Administrator) role assignment at subscription scope, if you're a Global Administrator for the tenant or a classic administrator (Service Administrator or Co-Administrator) for the subscription. In this case, there's no constraint for deletion. However, if the call comes from some other principal, then you won't be able to remove the last Owner role assignment at subscription scope.

+### Symptom - Role assignment isn't moved after moving a resource

+If you move a resource that has an Azure role assigned directly to the resource (or a child resource), the role assignment isn't moved and becomes orphaned.

+After you move a resource, you must re-create the role assignment. Eventually, the orphaned role assignment will be automatically removed, but it's a best practice to remove the role assignment before moving the resource. For information about how to move resources, see [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md).

+You recently added or updated a role assignment, but the changes aren't being detected. You might see the message `Status: 401 (Unauthorized)`.

+If you're using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you're making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.

+If you're add or remove a role assignment at management group scope and the role has `DataActions`, the access on the data plane might not be updated for several hours. This applies only to management group scope and the data plane.

+The [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment) command indicates that the role assignment wasn't removed. However, if you wait 5-10 minutes and run [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment) again, the output indicates the role assignment was removed.

+You're unable to update an existing custom role.

+You're currently signed in with a user that doesn't have permission to update custom roles.

+Check that you're currently signed in with a user that is assigned a role that has the `Microsoft.Authorization/roleDefinition/write` permission such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator).

+This error usually indicates that you don't have permissions to one or more of the [assignable scopes](role-definitions.md#assignablescopes) in the custom role.

+You're unable to delete a custom role and get the following error message:

+You're trying to create a custom role with data actions and a management group as assignable scope. Custom roles with `DataActions` can't be assigned at the management group scope.

+You're currently signed in with a user that doesn't have write permission to the resource at the selected scope.

+Check that you're currently signed in with a user that is assigned a role that has write permission to the resource at the selected scope. For example, to manage virtual machines in a resource group, you should have the [Virtual Machine Contributor](built-in-roles.md#virtual-machine-contributor) role on the resource group (or parent scope). For a list of the permissions for each built-in role, see [Azure built-in roles](built-in-roles.md).

+You're currently signed in with a user that doesn't have permission to the create support requests.

+Check that you're currently signed in with a user that is assigned a role that has the `Microsoft.Support/supportTickets/write` permission, such as [Support Request Contributor](built-in-roles.md#support-request-contributor).

+Web apps are complicated by the presence of a few different resources that interplay. Here's a typical resource group with a couple of websites:

+Some features of [Azure Functions](../azure-functions/functions-overview.md) require write access. For example, if a user is assigned the [Reader](built-in-roles.md#reader) role, they won't be able to view the functions within a function app. The portal displays **(No access)**.

+When you transfer an Azure subscription to a different Azure AD directory, all role assignments are **permanently** deleted from the source Azure AD directory and aren't migrated to the target Azure AD directory.

+If you're an Azure AD Global Administrator and you don't have access to a subscription after it was transferred between directories, use the **Access management for Azure resources** toggle to temporarily [elevate your access](elevate-access-global-admin.md) to get access to the subscription.

+### Symptom - Deleting a guest assigned the Co-Administrator role doesn't the remove role assignment

+Consider the following scenario:

+- Invite a guest user from an external tenant and then assign them the classic Co-Administrator role.

+- Later, you delete the guest user from your tenant without removing the role assignment.

+- The guest user signs in to the Azure portal and switches to your tenant.

+The guest user still has the Co-Administrator role assignment.

+**Solution**

+Don't use the classic subscription administrator roles. Microsoft recommends that you manage access to Azure resources using Azure RBAC. For more information, see [Assign Azure roles using the Azure portal](role-assignments-portal.md) and [Assign Azure roles to external guest users using the Azure portal](role-assignments-external-users.md).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [**Owner**](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage Service Bus namespaces. For more information, see [**Azure roles, Azure AD roles, and classic subscription administrator roles**](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create storage accounts and manage account configuration. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create storage accounts and manage account configuration. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access blob data with the account key. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+For more information, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md) and [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+To view or read an account's access keys, the user must either be a Service Administrator, or must be assigned an Azure role that includes the **Microsoft.Storage/storageAccounts/listkeys/action**. Some Azure built-in roles that include this action are the **Owner**, **Contributor**, and **Storage Account Key Operator Service Role** roles. For more information about the Service Administrator role, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). For detailed information about built-in roles for Azure Storage, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage).

+To rotate an account's access keys, the user must either be a Service Administrator, or must be assigned an Azure role that includes the **Microsoft.Storage/storageAccounts/regeneratekey/action**. Some Azure built-in roles that include this action are the **Owner**, **Contributor**, and **Storage Account Key Operator Service Role** roles. For more information about the Service Administrator role, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). For detailed information about Azure built-in roles for Azure Storage, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage).

+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+ user_friendly_names yes # To create ΓÇÿmpathnΓÇÖ names for multipath devices

+ path_grouping_policy multibus # To place all the paths in one priority group

+ path_selector "round-robin 0" # To use round robin algorithm to determine path for next I/O operation

+ failback immediate # For immediate failback to highest priority path group with active paths

+ no_path_retry 1 # To disable I/O queueing after retrying once when all paths are down

+ device {

+ vendor "MSFT"

+ product "Virtual HD"

+ }

+Add-WindowsFeature -Name 'Multipath-IO'

+<?xml version="1.0" encoding="utf-8"?>

+ <Target>

+ <Iqn>Volume 1 Storage Target Iqn</Iqn>

+ <Hostname>Volume 1 Storage Target Portal Hostname</Hostname>

+ <Port>Volume 1 Storage Target Portal Port</Port>

+ <NumSessions>Number of sessions</NumSessions>

+ <EnableMultipath>true</EnableMultipath>

+ </Target>

+ <Target>

+ <Iqn>Volume 2 Storage Target Iqn</Iqn>

+ <Hostname>Volume 2 Storage Target Portal Hostname</Hostname>

+ <Port>Volume 2 Storage Target Portal Port</Port>

+ <NumSessions>Number of sessions</NumSessions>

+ <EnableMultipath>true</EnableMultipath>

+ </Target>

+ [string] $TargetConfigPath

+$TargetConfig = New-Object XML

+foreach ($Target in $TargetConfig.Targets.Target)

+ $TargetIqn = $Target.Iqn

+ $TargetHostname = $Target.Hostname

+ $TargetPort = $Target.Port

+ $NumSessions = $Target.NumSessions

+ $succeeded = 1

+ iscsicli AddTarget $TargetIqn * $TargetHostname $TargetPort * 0 * * * * * * * * * 0

+ while ($succeeded -le $NumSessions)

+ {

+ Write-Host "Logging session ${succeeded}/${NumSessions} into ${TargetIqn}"

+ $LoginOptions = '*'

+ if ($Target.EnableMultipath)

+ {

+ Write-Host "Enabled Multipath"

+ $LoginOptions = '0x00000002'

+ }

+ # PersistentLoginTarget will not establish login to the target until after the system is rebooted.

+ # Use LoginTarget if the target is needed before rebooting. Using just LoginTarget will not persist the

+ # session(s).

+ iscsicli PersistentLoginTarget $TargetIqn t $TargetHostname $TargetPort Root\ISCSIPRT\0000_0 -1 * $LoginOptions * * * * * * * * * 0

+ #iscsicli LoginTarget $TargetIqn t $TargetHostname $TargetPort Root\ISCSIPRT\0000_0 -1 * $LoginOptions * * * * * * * * * 0

+ if ($LASTEXITCODE -eq 0)

+ {

+ $succeeded += 1

+ }

+ Start-Sleep -s 1

+ Write-Host ""

+ }

+For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+> The classic subscription administrator roles **Service Administrator** and **Co-Administrator** include the equivalent of the Azure Resource Manager [`Owner`](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access queue data with the account key. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

+For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+Before submitting a Support request, please review this list to see if the issue that you're experiencing is already known and being addressed.

+|Issue |Status |Synapse Component|

+||||

+|[Queries using Azure AD authentication fails after 1 hour](#queries-using-azure-ad-authentication-fails-after-1-hour)|Has Workaround|Azure Synapse Serverless SQL Pool|

+|[Query failures from Serverless SQL to Cosmos DB analytical store](#query-failures-from-serverless-sql-pool-to-azure-cosmos-db-analytical-store)|Has Workaround|Azure Synapse Serverless SQL pool|

+|[Query failures while reading Cosmos Data using OPENROWSET](#query-failures-while-reading-cosmos-data-using-openrowset)|Has Workaround|Azure Synapse Serverless SQL Pool|

+|[Queries failing with Data Exfiltration Error](#queries-failing-with-data-exfiltration-error)|Has Workaround|Azure Synapse Dedicated SQL Pool|

+|[Blob storage linked service with User Assigned Managed Identity (UAMI) is not getting listed](#blob-storage-linked-service-with-user-assigned-managed-identity-uami-is-not-getting-listed)|Has Workaround|Azure Synapse Workspace|

+|[Failed to delete Synapse workspace & Unable to delete virtual network](#failed-to-delete-synapse-workspace--unable-to-delete-virtual-network)|Has Workaround|Azure Synapse Workspace|

+### Queries using Azure AD authentication fails after 1 hour

+SQL connections using Azure AD authentication that remain active for more than 1 hour will start to fail. This includes querying storage using Azure AD pass-through authentication and statements that interact with Azure AD, like CREATE EXTERNAL PROVIDER. This affects every tool that keeps connections active, like query editor in SSMS and ADS. Tools that open new connection to execute queries aren't affected, like Synapse Studio.

+**Workaround**: The engineering team is currently aware of this behavior and working on a fix. <br>

+Following steps can be followed to work around the problem.

+1) It's recommended switching to Service Principal, Managed Identity or Shared Access Signature instead of using user identity for long running queries.

+2) Restarting client (SSMS/ADS) acquires new token to establish the connection.

+## Remove DisableRegistryTools

+If you've performed all four steps but the agent still doesn't work, that may be because the DisableRegistryTools registry key is enabled in one of the following locations:

+- HKU:\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1

+- HKU:\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1

+- HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1

+This registry key prevents the agent from installing the side-by-side stack, which results in an installMSIException error. This error leads to the session hosts being stuck in an unavailable state.

+To resolve this issue, you'll need to remove the key:

+1. Remove the DisableRegistryTools key from the three previously listed locations.

+1. Uninstall and remove the affected side-by-side stack installation from the **Apps & Features** folder.

+1. Remove the affected side-by-side stack's registry keys.

+1. Restart your VM.

+1. Start the agent and let it auto-install the side-by-side stack.

+ --force-deletion none