+1. Open your browser and go to the OpenID Connect metadata URL for the tenant. Find the `issuer` object and record its value. It should look similar to `https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0`.

+This article describes how to handle an OAuth2 custom error with Azure Active Directory B2C (Azure AD B2C). Use this technical profile if something logic goes wrong within your policy. The technical profile returns error to your OAuth2 or OpenId Connect relying party application. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/technical-profiles/oauth2-error) of the OAuth2 custom error technical profile.

+You can call the OAuth2 error technical profile from a [user journey](userjourneys.md), or [sub journey](subjourneys.md) (type of `transfer`). Set the [orchestration step](userjourneys.md#orchestrationsteps) type to `SendClaims` with a reference to your OAuth2 error technical profile.

+### Configure the user flow

+To configure the session behavior in your user flow, follow these steps:

+### Configure the custom policy

+To configure the session behavior in your custom policy, follow these steps:

+1. Open the relying party (RP) file, for example *SignUpOrSignin.xml*

+1. If it doesn't already exist, add the following `<UserJourneyBehaviors>` element to the `<RelyingParty>` element. It must be located immediately after `<DefaultUserJourney ReferenceId="UserJourney Id"/>`.

+ ```xml

+ <UserJourneyBehaviors>

+ <SingleSignOn Scope="Application" />

+ <SessionExpiryType>Absolute</SessionExpiryType>

+ <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>

+ </UserJourneyBehaviors>

+ ```

+

+ After you add the user journey behavior elements, the `RelyingParty` element should look like the following example:

+

+ ```xml

+ <RelyingParty>

+ <DefaultUserJourney ReferenceId="SignUpOrSignIn" />

+ <UserJourneyBehaviors>

+ <SingleSignOn Scope="Application" />

+ <SessionExpiryType>Absolute</SessionExpiryType>

+ <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>

+ </UserJourneyBehaviors>

+ <TechnicalProfile Id="PolicyProfile">

+ <DisplayName>PolicyProfile</DisplayName>

+ <Protocol Name="OpenIdConnect" />

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="displayName" />

+ <OutputClaim ClaimTypeReferenceId="givenName" />

+ ...

+ </OutputClaims>

+ <SubjectNamingInfo ClaimType="sub" />

+ </TechnicalProfile>

+ </RelyingParty>

+ ```

+

+1. Change the value of the `Scope` attribute to one of the possible value: `Suppressed`, `Tenant`, `Application`, or `Policy`. For more information, check out the [RelyingParty](relyingparty.md) reference article.

+1. Set the `SessionExpiryType` element to `Rolling` or `Absolute`. For more information, check out the [RelyingParty](relyingparty.md) reference article.

+1. Set the `SessionExpiryInSeconds` element to a numeric value between 900 seconds (15 minutes) and 86,400 seconds(24 hours). For more information, check out the [RelyingParty](relyingparty.md) reference article.

+1. In the Azure ADDS management VM, access the DNS console and manually delete DNS records for the domain controllers from the deleted replica set.

+| Authorization System | CIEM supports AWS accounts, Azure Subscriptions, GCP projects as the Authorization systems |

+| Authorization System Type | Any system which provides the authorizations by assigning the permissions to the identities, resources. CIEM supports AWS, Azure, GCP as the Authorization System Types |

+| Data Collector | Virtual entity which stores the data collection configuration |

+| ED | Enterprise directory |

+| JEP | Just Enough Permissions |

+- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md).

+## Prerequisites

+- To enable the CloudKnox **Feature highlights** tile in the Azure AD portal, [select this link to run the script in your browser](https://aka.ms/ciem-prod).

+- To use the CloudKnox public preview, we encourage you to fill out a consent form that provides other terms and conditions for the public preview product. To open the form, select [CloudKnox Permissions Management Public Preview: Terms and Conditions](https://aka.ms/ciem-terms).

+- To enable the CloudKnox **Feature highlights** tile in the Azure AD portal, [select this link to run the script in your browser](https://aka.ms/ciem-prod).

+- To use the CloudKnox public preview, we encourage you to fill out a consent form that provides other terms and conditions for the public preview product. To open the form, select [CloudKnox Permissions Management Public Preview: Terms and Conditions](https://aka.ms/ciem-terms).

+## View a training video on enabling CloudKnox

+To view a video on how to enable CloudKnox in your Azure AD tenant, select

+[Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).

+## How to onboard an Azure subscription

+To enable CloudKnox in your organization:

+- You must have an Azure AD tenant. If you don't already have one, [create a free account](https://azure.microsoft.com/free/).

+- You must be eligible for or have an active assignment to the global administrator role as a user in that tenant.

+- To enable the CloudKnox **Feature highlights** tile in the Azure AD portal, [select this link to run the script in your browser](https://aka.ms/ciem-prod).

+- To use the CloudKnox public preview, we encourage you to fill out a consent form that provides other terms and conditions for the public preview product. To open the form, select [CloudKnox Permissions Management Public Preview: Terms and Conditions](https://aka.ms/ciem-terms).

+## View a training video on enabling CloudKnox

+To view a video on how to enable CloudKnox in your Azure AD tenant, select

+[Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).

+## How to enable CloudKnox on your Azure AD tenant

+## Prerequisites

+- To enable the CloudKnox **Feature highlights** tile in the Azure AD portal, [select this link to run the script in your browser](https://aka.ms/ciem-prod).

+- To use the CloudKnox public preview, we encourage you to fill out a consent form that provides other terms and conditions for the public preview product. To open the form, select [CloudKnox Permissions Management Public Preview: Terms and Conditions](https://aka.ms/ciem-terms).

+ Title: CloudKnox Permissions Management training videos

+description: CloudKnox Permissions Management training videos.

+# CloudKnox Permissions Management training videos

+To view step-by-step training videos on how to use CloudKnox Permissions Management (CloudKnox) features, select a link below.

+## Enable CloudKnox in your Azure Active Directory (Azure AD) tenant

+To view a video on how to enable CloudKnox in your Azure AD tenant, select

+[Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).

+<!## Privilege on demand (POD) work flows

+- View a step-by-step video on [how to create group-based permissions](https://vimeo.com/462797947/d041de9157).>

+# Conditional Access: Resilience defaults

+During an outage, not all conditions can be evaluated in real time by the Backup Authentication Service to determine whether a Conditional Access policy should apply. Conditional Access resilience defaults are a new session control that lets admins decide between:

+- Whether to block authentications during an outage whenever a policy condition canΓÇÖt be evaluated in real-time.

+- Allow policies to be evaluated using data collected at the beginning of the userΓÇÖs session.

+When resilience defaults are disabled, the Backup Authentication Service won't use data collected at the beginning of the session to evaluate conditions. During an outage, if a policy condition canΓÇÖt be evaluated in real-time, access will be denied.

+It isn't possible to conduct a dry run using the Backup Authentication Service or simulate the result of a policy with resilience defaults enabled or disabled at this time. Azure AD will conduct monthly exercises using the Backup Authentication Service. The sign-in logs will display if the Backup Authentication Service was used to issue the access token.

+> <button>Make this change for me</button>

+For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker.

+> <button>Make this change for me</button>

+Scenarios that required **implicit flow** can now use **Auth code flow** to reduce the risk of compromise associated with implicit grant flow misuse. If you configured your application registration to get Access tokens using implicit flow, but don't actively use it, we recommend you turn off the setting to protect from misuse.

+Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license. For more information on how to get an Azure AD subscription, see the [Azure AD product page](https://azure.microsoft.com/services/active-directory).

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Browse to **Azure Active Directory** > **Devices** > **Enterprise State Roaming**.

+For a Windows 10 or newer device to use the Enterprise State Roaming service, the device must authenticate using an Azure AD identity. For devices that are joined to Azure AD, the userΓÇÖs primary sign-in identity is their Azure AD identity, so no other configuration is required. For devices that use on-premises Active Directory, the IT admin must [Configure hybrid Azure Active Directory joined devices](./hybrid-azuread-join-plan.md).

+Enterprise State Roaming data is hosted in one or more [Azure regions](https://azure.microsoft.com/regions/) that best align with the country/region value set in the Azure Active Directory instance. Enterprise State Roaming data is partitioned based on three major geographic regions: North America, EMEA, and APAC. Enterprise State Roaming data for the tenant is locally located with the geographical region, and isn't replicated across regions. For example:

+The country/region value is set as part of the Azure AD directory creation process and canΓÇÖt be modified later. If you need more details on your data storage location, file a ticket with [Azure support](https://azure.microsoft.com/support/options/).

+Data synced to the Microsoft cloud using Enterprise State Roaming is retained until it's manually deleted or until the data is determined to be stale.

+Explicit deletion is when an administrator deletes a user, directory, or requests explicitly that data is to be deleted.

+Data that hasn't been accessed for one year (ΓÇ£the retention periodΓÇ¥) will be treated as stale and may be deleted from the Microsoft cloud. The retention period is subject to change but won't be less than 90 days. The stale data may be a specific set of Windows/application settings or all settings for a user. For example:

+* If no devices access a particular settings collection like language, then that collection becomes stale after the retention period and may be deleted.

+* If a user has turned off settings sync on all their devices, then none of the settings data will be accessed. All the settings data for that user will become stale and may be deleted after the retention period.

+* If the Azure AD directory admin turns off Enterprise State Roaming for the entire directory, then all users in that directory will stop syncing settings. All settings data for all users will become stale and may be deleted after the retention period.

+The data retention policy isn't configurable. Once the data is permanently deleted, it isn't recoverable. However, The settings data is deleted only from the Microsoft cloud, not from the end-user device. If any device later reconnects to the Enterprise State Roaming service, the settings are again synced and stored in the Microsoft cloud.

+Use these Group Policy and mobile device management (MDM) settings only on corporate-owned devices because these policies are applied to the userΓÇÖs entire device. Applying an MDM policy to disable settings sync for a personal, user-owned device will negatively impact the use of that device. Additionally, other user accounts on the device will also be affected by the policy.

+## Group Policy settings

+The Group Policy settings apply to Windows 10 or newer devices that are joined to an Active Directory domain. The table also includes legacy settings that would appear to manage sync settings. Legacy settings that don't work for Enterprise State Roaming for Windows 10 or newer are noted with ΓÇÿDo not useΓÇÖ in the description.

+These settings are located in Group Policy under: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings**.

+- **Separation of corporate and consumer data** ΓÇô Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.

+- **Enhanced security** ΓÇô Data is automatically encrypted before leaving the userΓÇÖs Windows 10 or newer device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.

+- **Better management and monitoring** ΓÇô Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.

+| [Enable Enterprise State Roaming in Azure Active Directory](enterprise-state-roaming-enable.md) | Enterprise State Roaming is available to any organization with a Premium Azure Active Directory (Azure AD) subscription. |

+| [Settings and data roaming FAQ](enterprise-state-roaming-faqs.yml) | This article answers some questions IT administrators might have about settings and app data sync. |

+| [Group policy and MDM settings for settings sync](enterprise-state-roaming-group-policy-settings.md) | Windows 10 or newer provides Group Policy and mobile device management (MDM) policy settings to limit settings sync. |

+| [Windows 10 roaming settings reference](enterprise-state-roaming-windows-settings-reference.md) | A list of settings that will be roamed and/or backed-up in Windows 10 or newer. |

+| [Troubleshooting](enterprise-state-roaming-troubleshooting.md) | This article goes through some basic steps for troubleshooting, and contains a list of known issues. |

+**Potential issue**: If your device is configured to require Multi-Factor Authentication on the Azure Active Directory portal, you may fail to sync settings while signing in to a Windows 10 or newer device using a password. This type of Multi-Factor Authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 or newer devices with their Windows Hello for Business PIN or by completing Multi-Factor Authentication while accessing other Azure services like Microsoft 365.

+**Potential issue**: Sync can fail if the admin configures the Active Directory Federation Services Multi-Factor Authentication Conditional Access policy and the access token on the device expires. Ensure that you sign in and sign out using the Windows Hello for Business PIN or complete Multi-Factor Authentication while accessing other Azure services like Microsoft 365.

+ Title: Windows roaming settings reference - Azure Active Directory

+description: Settings that will be roamed or backed up in Windows with ESR

+# Windows roaming settings reference

+## Windows Settings details

+List of settings that can be configured to sync in recent Windows versions. These can be found in Windows 10 under **Settings** > **Accounts** > **Sync your settings** or **Settings** > **Accounts** > **Windows backup** > **Remember my preferences** on Windows 11.

+| Settings | Windows 10 (21H1 or newer) |

+| | |

+| Keyboard: turn on toggle keys (off by default) | sync |

+| Date, Time, and Region: country/region | sync |

+| Date, Time, and Region: region format (locale) | sync |

+| Language: language profile | sync |

+| Language: list of keyboards | sync |

+| Wi-Fi: Wi-Fi profiles (only WPA) | sync |

+## Browser settings

+For more information on the Sync behavior for the new Microsoft Edge, see the article [Microsoft Edge Sync](/deployedge/microsoft-edge-enterprise-sync).

+1. Labels are synchronized to Azure AD with the Execute-AzureAdLabelSync cmdlet in the Security & Compliance PowerShell module. It can take up to 24 hours after synchronization for the label to be available to Azure AD.

+1. The [sensitivity label scope](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide#label-scopes&preserve-view=true) must be configured for Groups & Sites.

+3. The current signed-in user has sufficient privileges to assign labels. The user must be either a Global Administrator, Group Administrator, or the group owner.

+4. The current signed-in user must be within the scope of the [sensitivity label publishing policy](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide#what-label-policies-can-do&preserve-view=true)

+In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers. Reviewers will see the message in the email they receive that prompts them to complete the review. To learn more about using this feature, see step 14 of the [Create a single-stage review](../governance/create-access-review.md#create-a-single-stage-access-review) section.

+### View status of multi-stage review (preview)

+To see the status and stage of a multi-stage access review:

+1. Select the multi-stage review you want to check the status of or see what stage it's in.

+

+1. Click **Results** on the left nav menu under **Current**.

+1. Once you are on the results page, under **Status** it will tell you which stage the multi-stage review is in. The next stage of the review won't become active until the duration specified during the access review setup has passed.

+1. If a decision has been made, but the review duration for this stage has not expired yet, you can select **Stop current stage** button on the results page. This will trigger the next stage of review.

+

+## Create a single-stage access review

+### Scope

+ > [!NOTE]

+ > Selecting multiple groups or applications results in the creation of multiple access reviews. For example, if you select five groups to review, the result is five separate access reviews.

+### Next: Reviews

+

+1. You can create a single-stage or multi-stage review (preview). For a single stage review continue here. To create a multi-stage access review (preview), follow the steps in [Create a multi-stage access review (preview)](#create-a-multi-stage-access-review-preview)

+1. In the **Specify reviewers** section, in the **Select reviewers** box, select either one or more people to make decisions in the access reviews. You can choose from:

+### Next: Settings

+### Next: Review + Create

+## Create a multi-stage access review (preview)

+A multi-stage review allows the administrator to define two or three sets of reviewers to complete a review one after another. In a single-stage review, all reviewers make a decision within the same period and the last reviewer to make a decision "wins". In a multi-stage review, two or three independent sets of reviewers make a decision within their own stage, and the next stage doesn't happen until a decision is made in the previous stage. Multi-stage reviews can be used to reduce the burden on later-stage reviewers, allow for escalation of reviewers, or have independent groups of reviewers agree on decisions.

+1. After you have selected the resource and scope of your review, move on to the **Reviews** tab.

+1. Click the checkbox next to **(Preview) Multi-stage review**.

+1. Under **First stage review**, select the reviewers from the dropdown menu next to **Select reviewers**.

+1. If you select **Group owner(s)** or **Managers of Users**, you have the option to add a fallback reviewer. To add a fallback, click **Select fallback reviewers** and add the users you want to be fallback reviewers.

+

+ 

+1. Add the duration for the first stage. To add the duration, enter a number in the field next to **Stage duration (in days)**. This is the number of days you wish for the first stage to be open to the first stage reviewers to make decisions.

+

+1. Under **Second stage review**, select the reviewers from the dropdown menu next to **Select reviewers**. These reviewers will be asked to review after the duration of the first stage review ends.

+1. Add any fallback reviewers if necessary.

+1. Add the duration for the second stage.

+

+1. By default, you will see two stages when you create a multi-stage review. However, you can add up to three stages. If you want to add a third stage, click **+ Add a stage** and complete the required fields.

+1. You can decide to allow 2nd and 3rd stage reviewers to the see decisions made in the previous stage(s).If you want to allow them to see the decisions made prior, click the box next to **Show previous stage(s) decisions to later stage reviewers** under **Reveal review results**. Leave the box unchecked to disable this setting if youΓÇÖd like your reviewers to review independently.

+ 

+1. The duration of each recurrence will be set to the sum of the duration day(s) you specified in each stage.

+1. Specify the **Review recurrence**, the **Start date**, and **End date** for the review. The recurrence type must be at least as long as the total duration of the recurrence (i.e., the max duration for a weekly review recurrence is 7 days).

+1. To specify which reviewees will continue from stage to stage, select one or multiple of the following options next to **Specify reviewees to go to next stage** :

+ 

+ 1. **Approved reviewees** - Only reviewees that were approved move on to the next stage(s).

+ 1. **Denied reviewees** - Only reviewees that were denied move on to the next stage(s).

+ 1. **Not reviewed reviewees** - Only reviewees that haven't been reviewed will move on to the next stage(s).

+ 1. **Reviewees marked as "Don't Know"** - Only reviewees marked as "Don't know" move on to the next stage(s).

+ 1. **All**: everyone moves on to the next stage if youΓÇÖd like all stages of reviewers to make a decision.

+1. Continue on to the **settings tab** and finish the rest of the settings and create the review. Follow the instructions in [Next: Settings](#next-settings).

+Azure Active Directory (Azure AD) simplifies how enterprises manage access to groups and applications in Azure AD and other Microsoft Online Services with a feature called Azure AD access reviews. This article will go over how a designated reviewer performs an access review for members of a group or users with access to an application. If you would like to review access to an access package read [Review access of an access package in Azure AD entitlement management](entitlement-management-access-reviews-review-access.md)

+## Perform access review using My Access

+You can review access to groups and applications via My Access, an end-user friendly portal for granting, approving, and reviewing access needs.

+### Use email to navigate to My Access

+1. Look for an email from Microsoft asking you to review access. You can see an example email message below:

+1. Click the **Start review** link to open the access review.git pu

+### Navigate directly to My Access

+1. Sign in to the My Access at https://myaccess.microsoft.com/

+## Review access for one or more users

+Once that it opens, you will see the list of users in scope for the access review.

+> [!NOTE]

+> If the request is to review your own access, the page will look different. For more information, see [Review access for yourself to groups or applications](review-your-access.md).

+### Manually review access for one or more users

+1. Select one or more users by clicking the circle next to their names.

+1. Select **Approve** or **Deny** on the bar above.

+ - If you are unsure if a user should continue to have access or not, you can click **Don't know**. The user gets to keep their access and your choice is recorded in the audit logs. It is important that you keep in mind that any information you provide will be available to other reviewers. They can read your comments and take them into account when they review the request.

+1. The administrator of the access review may require that you supply a reason in the **Reason** box for your decision. Even when a reason is not required. You can still provide a reason for your decision and the information that you include will be available to other approvers for review.

+1. Click **Submit**.

+ > [!IMPORTANT]

+### Review access based on recommendations

+1. Or to accept recommendations for all unreviewed users, make sure that no users are selected and click on the **Accept recommendations** button on the top bar.

+> [!NOTE]

+> When you accept recommendations previous decisions will not be changed.

+### Review access for one or more users in a multi-stage access review (preview)

+If multi-stage access reviews have been enabled by the administrator, there will be 2 or 3 total stages of review. Each stage of review will have a specified reviewer.

+You will review access either manually or accept the recommendations based on sign-in activity for the stage you are assigned as the reviewer.

+If you are the 2nd stage or 3rd stage reviewer, you will also see the decisions made by the reviewers in the prior stage(s) if the administrator enabled this setting when creating the access review. The decision made by a 2nd or 3rd stage reviewer will overwrite the previous stage. So, the decision the 2nd stage reviewer makes will overwrite the first stage, and the 3rd stage reviewer's decision will overwrite the second stage.

+ 

+Approve or deny access as outlined in [Review access for one or more users](#review-access-for-one-or-more-users).

+> [!NOTE]

+> The next stage of the review won't become active until the duration specified during the access review setup has passed. If the administrator believes a stage is done but the review duration for this stage has not expired yet, they can use the **Stop current stage** button in the overview of the access review in the Azure AD portal. This will close the active stage and start the next stage.

+## If no action is taken on access review

+When the access review is setup, the administrator has the option to use advanced settings to determine what will happen in the event a reviewer doesn't respond to an access review request.

+The administrator can set up the review so that if reviewers do not respond at the end of the review period, all unreviewed users can have an automatic decision made on their access. This includes the loss of access to the group or application under review.

+**Application:** BIG-IP published service to be protected by Azure AD SHA.

+**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes.

+| 3| Azure AD pre-authenticates user and applies any enforced Conditional Access policies |

+* An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certs while testing

+There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template. With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.

+Initiate the **Easy Button** configuration to set up a SAML Service Provider (SP) and Azure AD as an Identity Provider (IdP) for your application.

+1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.

+2. Review the list of configuration steps and select **Next**

+3. Follow the sequence of steps required to publish your application.

+ 

+The **Configuration Properties** tab creates a new application config and SSO object. Consider **Azure Service Account Details** section to be the client application you registered in your Azure AD tenant earlier. These settings allow a BIG-IP to programmatically register a SAML application directly in your tenant, along with the properties you would normally configure manually. Easy Button does this for every BIG-IP APM service being enabled for SHA.

+Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.

+1. Enter **Host**. This is usually the FQDN that will be used for the applications external URL

+1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing.

+**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes.

+**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing Kerberos-based SSO to the backend application.

+| 1| User connects to application endpoint (BIG-IP) |

+| 2| BIG-IP APM access policy redirects user to Azure AD (SAML IdP) |

+| 3| Azure AD pre-authenticates user and applies any enforced Conditional Access policies |

+* An [SSL Web certificate](./f5-bigip-deployment-guide.md) for publishing services over HTTPS, or use default BIG-IP certs while testing

+There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template. With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.

+Initiate the **Easy Button** configuration to set up a SAML Service Provider (SP) and Azure AD as an Identity Provider (IdP) for your application.

+1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.

+ 

+2. Review the list of configuration steps and select **Next**

+ 

+3. Follow the sequence of steps required to publish your application.

+ 

+The **Configuration Properties** tab creates a new application config and SSO object. Consider **Azure Service Account Details** section to be the client application you registered in your Azure AD tenant earlier. These settings allow a BIG-IP to programmatically register a SAML application directly in your tenant, along with the properties you would normally configure manually. Easy Button does this for every BIG-IP APM service being enabled for SHA.

+Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.

+1. Enter **Host**. This is usually the FQDN that will be used for the applications external URL

+1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing.

+**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes.

+**HR system:** LDAP based employee database acting as source of truth for fine grained application permissions.

+| 1| User connects to application endpoint (BIG-IP) |

+| 2| BIG-IP APM access policy redirects user to Azure AD (SAML IdP) |

+| 3| Azure AD pre-authenticates user and applies any enforced Conditional Access policies |

+| 4| User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token |

+| 5| BIG-IP requests additional attributes from LDAP based HR system |

+| 6| BIG-IP injects Azure AD and HR system attributes as headers in request to application |

+- An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certs while testing

+There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template. With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.

+Initiate the **Easy Button** configuration to set up a SAML Service Provider (SP) and Azure AD as an Identity Provider (IdP) for your application.

+1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.

+2. Review the list of configuration steps and select **Next**

+3. Follow the sequence of steps required to publish your application.

+ 

+The **Configuration Properties** tab creates a new application config and SSO object. Consider **Azure Service Account Details** section to be the client application you registered in your Azure AD tenant earlier. These settings allow a BIG-IP to programmatically register a SAML application directly in your tenant, along with the properties you would normally configure manually. Easy Button does this for every BIG-IP APM service being enabled for SHA.

+Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.

+1. Enter **Host**. This is usually the FQDN that will be used for the applications external URL

+The optional **Security Settings** specify whether Azure AD should encrypt issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides additional assurance that the content tokens canΓÇÖt be intercepted, and personal or corporate data be compromised.

+1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing.

+**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes.

+**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the Oracle application.

+| 4| User is redirected back to BIG-IP (SAML SP) and SSO is performed using issued SAML token |

+| 5| BIG-IP performs LDAP query for users Unique ID (UID) attribute |

+* An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certs while testing

+1. Enter **Host**. This is usually the FQDN that will be used for the applications external URL

+ 

+1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing.

+**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes.

+**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the Oracle service.

+* An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certs while testing

+The **Configuration Properties** tab creates a new application config and SSO object. Consider **Azure Service Account Details** section to be the client application you registered in your Azure AD tenant earlier. These settings allow a BIG-IP to programmatically register a SAML application directly in your tenant, along with the properties you would normally configure manually. Easy Button does this for every BIG-IP APM service being enabled for SHA.

+Some of these are global settings can be re-used for publishing more applications, further reducing deployment time and effort.

+1. Enter **Host**. This is usually the FQDN that will be used for the applications external URL

+ 

+ 

+>[!NOTE]

+>This feature has no correlation to Azure AD but is another source of attributes.

+1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing.

+- For large data sets (> 250 000 records), you should use the reporting API to download the data.

+> | microsoft.directory/accessReviews/allProperties/allTasks | (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD |

+> | microsoft.directory/accessReviews/allProperties/read | (Deprecated) Read all properties of access reviews |

+> | microsoft.directory/accessReviews/allProperties/allTasks | (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD |

+ Title: 'Tutorial: Azure AD SSO integration with Conviso Platform SSO'

+description: Learn how to configure single sign-on between Azure Active Directory and Conviso Platform SSO.

+# Tutorial: Azure AD SSO integration with Conviso Platform SSO

+In this tutorial, you'll learn how to integrate Conviso Platform SSO with Azure Active Directory (Azure AD). When you integrate Conviso Platform SSO with Azure AD, you can:

+* Control in Azure AD who has access to Conviso Platform SSO.

+* Enable your users to be automatically signed-in to Conviso Platform SSO with their Azure AD accounts.

+* Conviso Platform SSO single sign-on (SSO) enabled subscription.

+* Conviso Platform SSO supports **IDP** initiated SSO.

+## Adding Conviso Platform SSO from the gallery

+To configure the integration of Conviso Platform SSO into Azure AD, you need to add Conviso Platform SSO from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **Conviso Platform SSO** in the search box.

+1. Select **Conviso Platform SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Conviso Platform SSO

+Configure and test Azure AD SSO with Conviso Platform SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Conviso Platform SSO.

+To configure and test Azure AD SSO with Conviso Platform SSO, perform the following steps:

+1. **[Configure Conviso Platform SSO SSO](#configure-conviso-platform-sso-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Conviso Platform SSO test user](#create-conviso-platform-sso-test-user)** - to have a counterpart of B.Simon in Conviso Platform SSO that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **Conviso Platform SSO** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+1. On the **Set up Conviso Platform SSO** section, copy the appropriate URL(s) based on your requirement.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Conviso Platform SSO.

+1. In the applications list, select **Conviso Platform SSO**.

+## Configure Conviso Platform SSO SSO

+To configure single sign-on on **Conviso Platform SSO** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Conviso Platform SSO support team](mailto:sre@convisoappsec.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Conviso Platform SSO test user

+In this section, you create a user called Britta Simon in Conviso Platform SSO. Work with [Conviso Platform SSO support team](mailto:sre@convisoappsec.com) to add the users in the Conviso Platform SSO platform. Users must be created and activated before you use single sign-on.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Conviso Platform SSO for which you set up the SSO

+* You can use Microsoft My Apps. When you click the Conviso Platform SSO tile in the My Apps, you should be automatically signed in to the Conviso Platform SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+Once you configure Conviso Platform SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure Active Directory integration with Atlassian Cloud'

+ > URL should fit `https://<INSTANCE>.atlassian.net` pattern.

+Contact [BullseyeTDP support](mailto:hello@bullseyetdp.com) in order to obtain a SCIM Token.

+1. Under the **Admin Credentials** section, input your BullseyeTDP Tenant URL as `https://scim.bullseyeengagement.com/scim` and corresponding Secret Token. Click **Test Connection** to ensure Azure AD can connect to BullseyeTDP. If the connection fails, ensure your BullseyeTDP account has Admin permissions and try again.

+ Title: 'Tutorial: Azure AD SSO integration with Datasite'

+# Tutorial: Azure AD SSO integration with Datasite

+1. On the **Basic SAML Configuration** section, perform the following steps:

+

+ a. In the **Reply URL** text box, type the URL:

+ `https://auth.datasite.com/sp/ACS.saml2`

+

+ b. In the **Sign-on URL** text box, type the URL:

+In this section, you create a user called B.Simon in Datasite. Work with [Datasite support team](mailto:service@datasite.com) to add the users in the Datasite platform. Users must be created and activated before you use single sign-on.

+Once you configure Datasite you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ a. In the **Identifier** text box, type the URL:

+ `https://<OrgChartNowServer>.orgchartnow.com/saml/sso_metadata?entityID=<Your_Azure_AD_Entity_ID>`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://<OrgChartServer>.orgchartnow.com/saml/sso_acs?entityID=<Your_Azure_AD_Entity_ID>`

+ `https://<OrgChartServer>.orgchartnow.com/saml/sso_acs?entityID=<Your_Azure_AD_Entity_ID>`

+To configure single sign-on in OrgChart Now, follow the steps enumerated in the [SSO Configuration article](https://help.orgchartnow.com/en/topics/sso-configuration.html#configuring-sso-41334) on OrgChart Now's Help site.

+To enable Azure AD users to log in to OrgChart Now, they must be set up as a user in OrgChart Now, or **Auto-Provisioning** must be enabled in the [SSO Configuration](https://help.orgchartnow.com/en/topics/sso-configuration.html#configuring-sso-41334) panel.

+If you do not wish to enable auto-provisioning at this time, you can manually add a user to OrgChart Now for SSO testing purposes. To do so, follow the steps enumerated in the [Creating a New User](https://help.orgchartnow.com/en/account-settings/manage-users.html#UUID-a921b00b-a5a2-3099-8fe5-d0f28f5a50b9_bridgehead-idm4532421481724832584395125038) section of the [Account Settings: Manage Users](https://help.orgchartnow.com/en/account-settings/manage-users.html) article.

+ Title: 'Tutorial: Azure AD SSO integration with ShipHazmat'

+# Tutorial: Azure AD SSO integration with ShipHazmat

+* ShipHazmat supports **IDP** initiated SSO.

+* ShipHazmat supports **Just In Time** user provisioning.

+## Add ShipHazmat from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for ShipHazmat

+To configure and test Azure AD SSO with ShipHazmat, perform the following steps:

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+ 1. **[Create ShipHazmat test user](#create-shiphazmat-test-user)** - to have a counterpart of B.Simon in ShipHazmat that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **ShipHazmat** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a value using the following pattern:

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the ShipHazmat for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the ShipHazmat tile in the My Apps, you should be automatically signed in to the ShipHazmat for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure ShipHazmat you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with SKYSITE'

+# Tutorial: Azure AD SSO integration with SKYSITE

+* SKYSITE supports **IDP** initiated SSO.

+* SKYSITE supports **Just In Time** user provisioning.

+## Add SKYSITE from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for SKYSITE

+To configure and test Azure AD SSO with SKYSITE, perform the following steps:

+1. In the Azure portal, on the **SKYSITE** application integration page, click on **Properties tab** and perform the following step:

+ 

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+ 

+## Configure SKYSITE SSO

+1. Click on **Settings** on the top right side of page and then navigate to **Account setting**.

+ 

+1. Switch to **Single sign on (SSO)** tab, perform the following steps:

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the SKYSITE for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the SKYSITE tile in the My Apps, you should be automatically signed in to the SKYSITE for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure SKYSITE you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Configure TAP App Security for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to TAP App Security.

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: affd297c-2b6f-4dc2-b4c3-d29458cf4b1b

+ms.devlang: na

+# Tutorial: Configure TAP App Security for automatic user provisioning

+This tutorial describes the steps you need to perform in both TAP App Security and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [TAP App Security](https://tapappsecurity.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities supported

+> [!div class="checklist"]

+> * Create users in TAP App Security.

+> * Remove users in TAP App Security when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and TAP App Security.

+> * [Single sign-on](tap-app-security-tutorial.md) to TAP App Security.

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in TAP App Security with Admin permissions.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and TAP App Security](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure TAP App Security to support provisioning with Azure AD

+Contact [TAP App Security support](mailto:support@tapappsecurity.com) in order to obtain a SCIM Token.

+## Step 3. Add TAP App Security from the Azure AD application gallery

+Add TAP App Security from the Azure AD application gallery to start managing provisioning to TAP App Security. If you have previously setup TAP App Security for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* When assigning users and groups to TAP App Security, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles.

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+## Step 5. Configure automatic user provisioning to TAP App Security

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TAP App Security based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for TAP App Security in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **TAP App Security**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your TAP App Security Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to TAP App Security. If the connection fails, ensure your TAP App Security account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to TAP App Security**.

+1. Review the user attributes that are synchronized from Azure AD to TAP App Security in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in TAP App Security for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the TAP App Security API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by TAP App Security|

+ |||||

+ |userName|String|&check;|&check;

+ |active|Boolean||&check;

+ |phoneNumbers[type eq "mobile"].value|String||

+ |displayName|String||&check;

+ |title|String||&check;

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for TAP App Security, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to TAP App Security by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you are ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Azure AD SSO integration with Textline'

+# Tutorial: Azure AD SSO integration with Textline

+* Textline supports **IDP** initiated SSO.

+* Textline supports **Just In Time** user provisioning.

+## Add Textline from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+To configure and test Azure AD SSO with Textline, perform the following steps:

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+ 1. **[Create Textline test user](#create-textline-test-user)** - to have a counterpart of B.Simon in Textline that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **Textline** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Textline for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Textline tile in the My Apps, you should be automatically signed in to the Textline for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Textline you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with The Funding Portal'

+# Tutorial: Azure AD SSO integration with The Funding Portal

+* The Funding Portal supports **SP** initiated SSO.

+## Add The Funding Portal from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for The Funding Portal

+To configure and test Azure AD SSO with The Funding Portal, perform the following steps:

+1. In the Azure portal, on **The Funding Portal** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<subdomain>.regenteducation.net/`

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [The Funding Portal Client support team](mailto:info@regenteducation.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to The Funding Portal Sign-on URL where you can initiate the login flow.

+* Go to The Funding Portal Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the The Funding Portal tile in the My Apps, this will redirect to The Funding Portal Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure The Funding Portal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+See a [video walkthrough](https://www.youtube.com/watch?v=8jqjHjQo-3c) going over the setup of the Azure AD Verifiable Credential service.

+### Set access policies for the Verifiable Credentials Admin user

+### Set access policies for the Verifiable Credentials Issuer and Request services

+ :::image type="content" source="media/verifiable-credentials-configure-tenant/request-service-key-vault-access-policy.png" alt-text="Screenshot that demonstrates how to add an access policy for the Verifiable Credential Issuer Service." :::

+The access policies for the Verifiable Credentials Issuer service should be added automatically. If the **Verifiable Credential Issuer Service** doesn't appear in the list of access policies, take the following steps to manually add access policies to the service.

+1. Select **+ Add Access Policy** to add permission to the service principal of the **Verifiable Credential Issuer Service**.

+1. In **Add access policy**:

+ 1. For **Key permissions**, select **Get** and **Sign**.

+ 1. For **Select principal**, select **Verifiable Credential Issuer Service**.

+ 1. Select **Add**.

+ :::image type="content" source="media/verifiable-credentials-configure-tenant/issuer-service-key-vault-access-policy.png" alt-text="Screenshot that demonstrates how to add an access policy for the Verifiable Credential Request Service." :::

+

+ 1. **Domain**: Enter a domain that's added to a service endpoint in your decentralized identity (DID) document. The domain is what binds your DID to something tangible that the user might know about your business. Microsoft Authenticator and other digital wallets use this information to validate that your DID is linked to your domain. If the wallet can verify the DID, it displays a verified symbol. If the wallet can't verify the DID, it informs the user that the credential was issued by an organization it couldn't validate.

+- [Learn how to verify Azure AD Verifiable Credentials](verifiable-credentials-configure-verifier.md).

+To diagnose and debug autoscaler events, logs and status can be retrieved from the cluster autoscaler.

+AKS provides SLA guarantees as an optional feature with [Uptime SLA][uptime-sla].

+ Title: Add-ons, extensions, and other integrations with Azure Kubernetes Service

+description: Learn about the add-ons, extensions, and open-source integrations you can use with Azure Kubernetes Service.

+# Add-ons, extensions, and other integrations with Azure Kubernetes Service

+Azure Kubernetes Service (AKS) provides additional, supported functionality for your cluster using add-ons and extensions. There are also many more integrations provided by open-source projects and third parties that are commonly used with AKS. These open-source and third-party integrations are not covered by the [AKS support policy][aks-support-policy].

+## Add-ons

+Add-ons provide extra capabilities for your AKS cluster and their installation and configuration is managed Azure. Use `az aks addon` to manage all add-ons for your cluster.

+The below table shows the available add-ons.

+| Name | Description | More details |

+||||

+| http_application_routing | Configure ingress with automatic public DNS name creation for your AKS cluster. | [HTTP application routing add-on on Azure Kubernetes Service (AKS)][http-app-routing] |

+| monitoring | Use Container Insights monitoring with your AKS cluster. | [Container insights overview][container-insights] |

+| virtual-node | Use virtual nodes with your AKS cluster. | [Use virtual nodes][virtual-nodes] |

+| azure-policy | Use Azure Policy for AKS, which enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | [Understand Azure Policy for Kubernetes clusters][azure-policy-aks] |

+| ingress-appgw | Use Application Gateway Ingress Controller with your AKS cluster. | [What is Application Gateway Ingress Controller?][agic] |

+| open-service-mesh | Use Open Service Mesh with your AKS cluster. | [Open Service Mesh AKS add-on][osm] |

+| azure-keyvault-secrets-provider | Use Azure Keyvault Secrets Provider addon.| [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster][keyvault-secret-provider] |

+## Extensions

+Cluster extensions build on top of certain Helm charts and provide an Azure Resource Manager-driven experience for installation and lifecycle management of different Azure capabilities on top of your Kubernetes cluster. For more details on the specific cluster extensions for AKS, see [Deploy and manage cluster extensions for Azure Kubernetes Service (AKS)][cluster-extensions]. For more details on the currently available cluster extensions, see [Currently available extensions][cluster-extensions-current].

+## Difference between extensions and add-ons

+Both extensions and add-ons are supported ways to add functionality to your AKS cluster. When you install an add-on, the functionality is added as part of the AKS resource provider in the Azure API. When you install an extension, the functionality is added as part of a separate resource provider in the Azure API.

+## Open source and third-party integrations

+You can install many open source and third-party integrations on your AKS cluster, but these open-source and third-party integrations are not covered by the [AKS support policy][aks-support-policy].

+The below table shows a few examples of open-source and third-party integrations.

+| Name | Description | More details |

+||||

+| [Helm][helm] | An open-source packaging tool that helps you install and manage the lifecycle of Kubernetes applications. | [Quickstart: Develop on Azure Kubernetes Service (AKS) with Helm][helm-qs] |

+| [Prometheus][prometheus] | An open source monitoring and alerting toolkit. | [Container insights with metrics in Prometheus format][prometheus-az-monitor], [Prometheus Helm chart][prometheus-helm-chart] |

+| [Grafana][grafana] | An open-source dashboard for observability. | [Deploy Grafana on Kubernetes][grafana-install] |

+| [Couchbase][couchdb] | A distributed NoSQL cloud database. | [Install Couchbase and the Operator on AKS][couchdb-install] |

+| [OpenFaaS][open-faas]| An open-source framework for building serverless functions by using containers. | [Use OpenFaaS with AKS][open-faas-aks] |

+| [Apache Spark][apache-spark] | An open source, fast engine for large-scale data processing. | [Run an Apache Spark job with AKS][spark-job] |

+| [Istio][istio] | An open-source service mesh. | [Istio Installation Guides][istio-install] |

+| [Linkerd][linkerd] | An open-source service mesh. | [Linkerd Getting Started][linkerd-install] |

+| [Consul][consul] | An open source, identity-based networking solution. | [Getting Started with Consul Service Mesh for Kubernetes][consul-install] |

+[http-app-routing]: http-application-routing.md

+[container-insights]: ../azure-monitor/containers/container-insights-overview.md

+[virtual-nodes]: virtual-nodes.md

+[azure-policy-aks]: ../governance/policy/concepts/policy-for-kubernetes.md#install-azure-policy-add-on-for-aks

+[agic]: ../application-gateway/ingress-controller-overview.md

+[osm]: open-service-mesh-about.md

+[keyvault-secret-provider]: csi-secrets-store-driver.md

+[cluster-extensions]: cluster-extensions.md?tabs=azure-cli

+[cluster-extensions-current]: cluster-extensions.md?tabs=azure-cli#currently-available-extensions

+[aks-support-policy]: support-policies.md

+[helm]: https://helm.sh

+[helm-qs]: quickstart-helm.md

+[prometheus]: https://prometheus.io/

+[prometheus-helm-chart]: https://github.com/prometheus-community/helm-charts#usage

+[prometheus-az-monitor]: /monitor-aks.md#container-insights

+[istio]: https://istio.io/

+[istio-install]: https://istio.io/latest/docs/setup/install/

+[linkerd]: https://linkerd.io/

+[linkerd-install]: https://linkerd.io/getting-started/

+[consul]: https://www.consul.io/

+[consul-install]: https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy

+[grafana]: https://grafana.com/

+[grafana-install]: https://grafana.com/docs/grafana/latest/installation/kubernetes/

+[couchdb]: https://www.couchbase.com/

+[couchdb-install]: https://docs.couchbase.com/operator/current/tutorial-aks.html

+[open-faas]: https://www.openfaas.com/

+[open-faas-aks]: openfaas.md

+[apache-spark]: https://spark.apache.org/

+[spark-job]: spark-job.md

+[azure-ml-overview]: ../machine-learning/how-to-attach-arc-kubernetes.md

+[dapr-overview]: ./dapr.md

+[gitops-overview]: ../azure-arc/kubernetes/conceptual-gitops-flux2.md

+AKS supports upgrading the images on a node so you're up to date with the newest OS and runtime updates. AKS regularly provides new images with the latest updates, so it's beneficial to upgrade your node's images regularly for the latest AKS features. Linux node images are updated weekly, and Windows node images updated monthly. Although customers will be notified of image upgrades via the AKS release notes, it might take up to a week for updates to be rolled out in all regions. This article shows you how to upgrade AKS cluster node images and how to update node pool images without upgrading the version of Kubernetes.

+| buffer-response="false &#124; true" | Affects processing of chunked responses. When set to "false", each chunk received from the backend is immediately returned to the caller. When set to "true", chunks are buffered (8KB, unless end of stream is detected) and only then returned to the caller.<br/><br/>Set to "false" with backends such as those implementing [server-sent events (SSE)](how-to-server-sent-events.md) that require content to be returned or streamed immediately to the caller. | No | true |

+1. Update the first 3 lines of the following Azure CLI script to match your environment and run it.

+ ```azurecli

+4. Click **API Permissions**. You should see the permissions granted by the Azure CLI script in step 1.

+ Title: Configure API for server-sent events in Azure API Management

+description: How to configure an API for server-sent events (SSE) in Azure API Management

+# Configure API for server-sent events

+This article provides guidelines for configuring an API in API Management that implements server-sent events (SSE). SSE is based on the HTML5 `EventSource` standard for streaming (pushing) data automatically to a client over HTTP after a client has established a connection.

+> [!TIP]

+> API Management also provides native support for [WebSocket APIs](websocket-api.md), which keep a single, persistent, bidrectional connection open between a client and server.

+## Prerequisites

+- An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md).

+- An API that implements SSE. [Import and publish](import-and-publish.md) the API to your API Management instance using one of the supported import methods.

+## Guidelines for SSE

+Follow these guidelines when using API Management to reach a backend API that implements SSE.

+* **Choose service tier for long-running HTTP connections** - SSE relies on a long-running HTTP connection. Long-running connections are supported in the dedicated API Management tiers, but not in the Consumption tier.

+* **Keep idle connections alive** - If a connection between client and backend could be idle for 4 minutes or longer, implement a mechanism to keep the connection alive. For example, enable a TCP keepalive signal at the backend of the connection, or send traffic from the client side at least once per 4 minutes.

+ This configuration is needed to override the idle session timeout of 4 minutes that is enforced by the Azure Load Balancer, which is used in the API Management infrastructure.

+* **Relay events immediately to clients** - Turn off response buffering on the [`forward-request` policy](api-management-advanced-policies.md#ForwardRequest) so that events are immediately relayed to the clients. For example:

+ ```xml

+ <forward-request timeout="120" fail-on-error-status-code="true" buffer-response="false"/>

+ ```

+* **Avoid other policies that buffer responses** - Certain policies such as [`validate-content`](validation-policies.md#validate-content) can also buffer response content and shouldn't be used with APIs that implement SSE.

+* **Disable response caching** - To ensure that notifications to the client are timely, verify that [response caching](api-management-howto-cache.md) isn't enabled. For more information, see [API Management caching policies](api-management-caching-policies.md).

+* **Test API under load** - Follow general practices to test your API under load to detect performance or configuration issues before going into production.

+## Next steps

+* Learn more about [configuring policies](/api-management-howto-policies.md) in API Management.

+* Learn about API Management [capacity](api-management-capacity.md).

+> [!NOTE]

+> Ensure ports 80 and 445 are open when using Azure Files with VNET integration.

+>

+> [!NOTE]

+> When VNET integration is used, ensure the following ports are open:

+> * Azure Files: 80 and 445.

+> * Azure Blobs: 80 and 443.

+>

+## Summary

+```azurecli

+> * Using NAT gateway with App Service is dependent on virtual network integration, and therefore **Standard**, **Premium**, **PremiumV2** or **PremiumV3** App Service plan is required.

+> * When using NAT gateway together with App Service, all traffic to Azure Storage must be using private endpoint or service endpoint.

+> * NAT gateway cannot be used together with App Service Environment v1 or v2.

+* Configure regional virtual network integration with your app as described in [Integrate your app with an Azure virtual network](../overview-vnet-integration.md)

+* Ensure [Route All](../overview-vnet-integration.md#routes) is enabled for your virtual network integration so the Internet bound traffic will be affected by routes in your virtual network.

+* Provision a NAT gateway with a public IP and associate it with the virtual network integration subnet.

+1. Go to the **Networking** UI in the App Service portal and select virtaul network integration in the Outbound Traffic section. Ensure that your app is integrated with a subnet and **Route All** has been enabled.

+1. In the **Subnet** tab, select the subnet used for virtual network integration.

+If you prefer using CLI to configure your environment, these are the important commands. As a prerequisite, you should create an app with virtual network integration configured.

+Ensure **Route All** is configured for your virtual network integration:

+Associate the NAT gateway with the virtual network integration subnet:

+For more information on virtual network integration, see [Virtual network integration documentation](../overview-vnet-integration.md).

+Change to the directory that contains the sample code and run the [az webapp up](/cli/azure/webapp#az-webapp-up) command. **Replace** `<app-name>` with a globally unique name.

+```azurecli

+<li>You can optionally include the argument <code>--location &lt;location-name&gt;</code> where <code>&lt;location-name&gt;</code> is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the <a href="/cli/azure/appservice#az-appservice-list-locations"><code>az account list-locations</code></a> command.</li>

+```azurecli

+```azurecli

+Change to the directory that contains the sample code and run the [az webapp up](/cli/azure/webapp#az-webapp-up) command. In the following example, replace <app_name> with a unique app name. Static content is indicated by the `--html` flag.

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+> The first two commands, `resourceID` and `workspaceID`, are variables to be used in the [az monitor diagnostic-settings create](/cli/azure/monitor/diagnostic-settings#az-monitor-diagnostic-settings-create) command. See [Create diagnostic settings using Azure CLI](../azure-monitor/essentials/diagnostic-settings.md#create-using-azure-cli) for more information on this command.

+```azurecli

+```azurecli

+ :::image type="content" source="media/application-gateway-diagnostics/diagnostics2.png" alt-text="Screenshot of storage account endpoints" lightbox="media/application-gateway-diagnostics/diagnostics2.png":::

+ :::image type="content" source="media/application-gateway-diagnostics/diagnostics1.png" alt-text="Screenshot of app gateway properties" lightbox="media/application-gateway-diagnostics/diagnostics1.png":::

+ > An incorrect configuration of the route table could result in asymmetrical routing in Application Gateway v2. Ensure that all management/control plane traffic is sent directly to the Internet and not through a virtual appliance. Logging, metrics, and CRL checks could also be affected.

+> User-assigned managed identities are supported for Azure jobs only.

+- For an overview of Azure Automation account security, see [Automation account authentication overview](automation-security-overview.md).

+> Start/Stop VMs during off-hours (v1) will be deprecated soon and the date will be announced once V2 moves to general availability (GA).

+- Creating an Azure Arc data controller in direct connectivity mode involves the following steps:

+ 1. Create an Azure Arc-enabled data services extension.

+ 1. Create a custom location.

+ 1. Create the data controller.

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+In the Business Critical service tier, in addition to what is natively provided by Kubernetes orchestration, Azure SQL Managed Instance for Azure Arc provides a contained availability group. The contained availability group is built on SQL Server Always On technology. It provides higher levels of availability. Azure Arc-enabled SQL managed instance deployed with *Business Critical* service tier can be deployed with either 2 or 3 replicas. These replicas are always kept in sync with each other. With contained availability groups, any pod crashes or node failures are transparent to the application as there is at least one other pod that has the instance that has all the data from the primary and is ready to take on connections.

+ Determine the pod that hosts the primary replica. Connect to the managed instance and run:

+ The query returns the pod that hosts the primary replica.

+> As a best practice, you should delete the Kubernetes service created above by running this command:

+```azurecli

+```azurecli

+## February 2022

+This release is published February 25, 2022.

+### Image tag

+`v1.4.0_2022-02-25`

+For complete release version information, see [Version log](version-log.md).

+### SQL Managed Instance

+- Support for readable secondary replicas:

+ - To set readable secondary replicas use `--readable-secondaries` when you create or update an Arc-enabled SQL Managed Instance deployment.

+ - Set `--readable secondaries` to any value between 0 and the number of replicas minus 1.

+ - `--readable-secondaries` only applies to Business Critical tier.

+- Automatic backups are taken on the primary instance in a Business Critical service tier when there are multiple replicas. When a failover happens, backups move to the new primary.

+- RWX capable storage class is required for backups, for both General Purpose and Business Critical service tiers.

+- Billing support when using multiple read replicas.

+For additional information about service tiers, see [High Availability with Azure Arc-enabled SQL Managed Instance (preview)](managed-instance-high-availability.md).

+### User experience improvements

+The following improvements are available in [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).

+- Azure Arc and Azure CLI extensions now generally available.

+- Changed edit commands for SQL Managed Instance for Azure Arc dashboard to use `update`, reflecting Azure CLI changes. This works in indirect or direct mode.

+- Data controller deployment wizard step for connectivity mode is now earlier in the process.

+- Removed an extra backups field in SQL MI deployment wizard.

+### Image tag

+`v1.3.0_2022-01-27`

+For complete release version information, see [Version log](version-log.md).

+### February 25, 2022

+|Component |Value |

+|--||

+|Container images tag |`v1.4.0_2022-02-25`

+|CRD names and versions |`datacontrollers.arcdata.microsoft.com`: v1beta1, v1, v2, v3</br>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2</br>`kafkas.arcdata.microsoft.com`: v1beta1</br>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2</br>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1, v2, v3, v4</br>`postgresqls.arcdata.microsoft.com`: v1beta1, v1beta2</br>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1</br>`dags.sql.arcdata.microsoft.com`: v1beta1, v2beta2</br>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1|

+|ARM API version|2021-11-01|

+|`arcdata` Azure CLI extension version| 1.2.1|

+|Arc enabled Kubernetes helm chart extension version|1.1.18791000|

+|Arc Data extension for Azure Data Studio|1.0|

+The Azure Monitor agent supports Azure service tags (both AzureMonitor and AzureResourceManager tags are required). It supports connecting via **direct proxies, Log Analytics gateway, and private links** as described below.

+### Log Analytics gateway configuration

+1. Follow the instructions above to configure proxy settings on the agent and provide the IP address and port number corresponding to the gateway server. If you have deployed multiple gateway servers behind a load balancer, the agent proxy configuration is the virtual IP address of the load balancer instead.

+2. Add the **configuration endpoint URL** to fetch data collection rules to the allow list for the gateway

+ `Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com`

+ `Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com`

+ (If using private links on the agent, you must also add the [dce endpoints](../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint))

+3. Add the **data ingestion endpoint URL** to the allow list for the gateway

+ `Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com`

+3. Restart the **OMS Gateway** service to apply the changes

+ `Stop-Service -Name <gateway-name>`

+ `Start-Service -Name <gateway-name>`

+> [!IMPORTANT]

+> This article describes collecting file based text logs using the Log Analytics agent. It should not be confused with the [custom logs API](../logs/custom-logs-overview.md) which allows you to send data to Azure Monitor Logs using a REST API.

+ "enableAutomaticUpgrade":true

+sample.Sum = 42.3;

+To register telemetry processors that need parameters in ASP.NET Core, create a custom class implementing **ITelemetryProcessorFactory**. Call the constructor with the desired parameters in the **Create** method and then use **AddSingleton<ITelemetryProcessorFactory, MyTelemetryProcessorFactory>()**.

+### AppExceptions

+ "Flow_Type": "Bluefield",

+armclient PUT /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/microsoft.insights/components/MyResourceName/CurrentBillingFeatures?api-version=2018-05-01-preview "{'CurrentBillingFeatures':['Basic'],'DataVolumeCap':{'Cap':100,'WarningThreshold':80,'ResetTime':12}}"

+In addition to using activity log alerts, you can also configure email or webhook notifications to get notified for scale actions via the notifications tab on the autoscale setting.

+- **Standard DCR**. Used with different workflows that send data to Azure Monitor. Workflows currently supported are [Azure Monitor agent](../agents/azure-monitor-agent-overview.md) and [custom logs (preview)](../logs/custom-logs-overview.md).

+- **Workspace transformation DCR)**. Used with a Log Analytics workspace to apply [ingestion-time transformations (preview)](../logs/ingestion-time-transformations.md) to workflows that don't currently support DCRs.

+A rule gets created and stored in the region you specify, and is backed up to the [paired-region](../../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) within the same geography. The service is deployed to all three [availability zones](../../availability-zones/az-overview.md#availability-zones) within the region, making it a **zone-redundant service** which further adds to high availability.

+## Supported regions

+Data collection rules are stored regionally, and are available in all public regions where Log Analytics is supported, as well as the Azure Government and China clouds. Air-gapped clouds are not yet supported.

+| extension | VM extension-based data source, used exclusively by Log Analytics solutions and Azure services ([View agent supported services and solutions](../agents/azure-monitor-agent-overview.md#supported-services-and-features)) |

+Consider the following input with [dynamic data](/azure/data-explorer/kusto/query/scalar-data-types/dynamic):

+In order to access the properties in *AdditionalContext*, define it as dynamic-typed column in the input stream:

+ "type": "dynamic"

+Use the [parse_json function](/azure/data-explorer/kusto/query/parsejsonfunction) to handle [dynamic literals](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals).

+For example, the following queries provide the same functionality:

+```

+## microsoft.aadiam/azureADMetrics

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|ThrottledRequests|No|ThrottledRequests|Count|Average|azureADMetrics type metric|No Dimensions|

+|BackendDuration|Yes|Duration of Backend Requests|Milliseconds|Average|Duration of Backend Requests in milliseconds|Location, Hostname|

+|Capacity|Yes|Capacity|Percent|Average|Utilization metric for ApiManagement service|Location|

+|Duration|Yes|Overall Duration of Gateway Requests|Milliseconds|Average|Overall Duration of Gateway Requests in milliseconds|Location, Hostname|

+|GatewayHttpServerRequestsMilliSecondsMax|Yes|Max time of requests|Milliseconds|Maximum|The max time of requests|Pod, httpStatusCode, outcome, httpMethod|

+|GatewayHttpServerRequestsMilliSecondsSum|Yes|Total time of requests|Milliseconds|Total|The total time of requests|Pod, httpStatusCode, outcome, httpMethod|

+|GatewayHttpServerRequestsSecondsCount|Yes|Request count|Count|Total|The number of requests|Pod, httpStatusCode, outcome, httpMethod|

+|GatewayJvmGcLiveDataSizeBytes|Yes|jvm.gc.live.data.size|Bytes|Average|Size of old generation memory pool after a full GC|Pod|

+|GatewayJvmGcMaxDataSizeBytes|Yes|jvm.gc.max.data.size|Bytes|Maximum|Max size of old generation memory pool|Pod|

+|GatewayJvmGcMemoryAllocatedBytesTotal|Yes|jvm.gc.memory.allocated|Bytes|Maximum|Incremented for an increase in the size of the young generation memory pool after one GC to before the next|Pod|

+|GatewayJvmGcMemoryPromotedBytesTotal|Yes|jvm.gc.memory.promoted|Bytes|Maximum|Count of positive increases in the size of the old generation memory pool before GC to after GC|Pod|

+|GatewayJvmGcPauseSecondsCount|Yes|jvm.gc.pause.total.count|Count|Total|GC Pause Count|Pod|

+|GatewayJvmGcPauseSecondsMax|Yes|jvm.gc.pause.max.time|Seconds|Maximum|GC Pause Max Time|Pod|

+|GatewayJvmGcPauseSecondsSum|Yes|jvm.gc.pause.total.time|Seconds|Total|GC Pause Total Time|Pod|

+|GatewayJvmMemoryCommittedBytes|Yes|jvm.memory.committed|Bytes|Average|Memory assigned to JVM in bytes|Pod|

+|GatewayJvmMemoryUsedBytes|Yes|jvm.memory.used|Bytes|Average|Memory Used in bytes|Pod|

+|GatewayProcessCpuUsage|Yes|process.cpu.usage|Percent|Average|The recent CPU usage for the JVM process|Pod|

+|GatewayRatelimitThrottledCount|Yes|Throttled requests count|Count|Total|The count of the throttled requests|Pod|

+|GatewaySystemCpuUsage|Yes|system.cpu.usage|Percent|Average|The recent CPU usage for the whole system|Pod|

+|PodNetworkIn|Yes|App Network In|Bytes|Average|Cumulative count of bytes received in the app|Deployment, AppName, Pod|

+|PodNetworkOut|Yes|App Network Out|Bytes|Average|Cumulative count of bytes sent from the app|Deployment, AppName, Pod|

+## Microsoft.BotService/botServices

+|RequestLatency|Yes|Requests Latencies|Milliseconds|Average|How long it takes to get request response|Operation, Authentication, Protocol, ResourceId, Region|

+|RequestsTraffic|Yes|Requests Traffic|Count|Average|Number of requests within a given period of time|Operation, Authentication, Protocol, ResourceId, Region, StatusCode, StatusCodeClass, StatusText|

+|CharactersTrained|Yes|Characters Trained (Deprecated)|Count|Total|Total number of characters trained.|ApiName, OperationName, Region|

+|CharactersTranslated|Yes|Characters Translated (Deprecated)|Count|Total|Total number of characters in incoming text request.|ApiName, OperationName, Region|

+|MatchedRewards|Yes|Matched Rewards|Count|Total| Number of Matched Rewards.|Mode, RunId|

+|ProcessedCharacters|Yes|Processed Characters|Count|Total|Number of Characters.|ApiName, FeatureName, UsageChannel, Region|

+|SpeechSessionDuration|Yes|Speech Session Duration|Seconds|Total|Total duration of speech session in seconds.|ApiName, OperationName, Region|

+|TotalTransactions|Yes|Total Transactions|Count|Total|Total number of transactions.|No Dimensions|

+## Microsoft.Compute/virtualMachineScaleSets

+|RunDuration|Yes|Run Duration|Milliseconds|Total|Run Duration in milliseconds|No Dimensions|

+|SuccessfulPullCount|Yes|Successful Pull Count|Count|Average|Number of successful image pulls|No Dimensions|

+|SuccessfulPushCount|Yes|Successful Push Count|Count|Average|Number of successful image pushes|No Dimensions|

+|TotalPullCount|Yes|Total Pull Count|Count|Average|Number of image pulls in total|No Dimensions|

+|TotalPushCount|Yes|Total Push Count|Count|Average|Number of image pushes in total|No Dimensions|

+|d2c.telemetry.egress.dropped|Yes|Routing: telemetry messages dropped|Count|Total|The number of times messages were dropped by IoT Hub routing due to dead endpoints. This value does not count messages delivered to fallback route as dropped messages are not delivered there.|No Dimensions|

+|d2c.telemetry.egress.orphaned|Yes|Routing: telemetry messages orphaned|Count|Total|The number of times messages were orphaned by IoT Hub routing because they didn't match any routing rules (including the fallback rule).|No Dimensions|

+|d2c.endpoints.latency.builtIn.events|Yes|Routing: message latency for messages/events|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into the built-in endpoint (messages/events).|No Dimensions|

+|d2c.endpoints.latency.eventHubs|Yes|Routing: message latency for Event Hub|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and message ingress into an Event Hub endpoint.|No Dimensions|

+|d2c.endpoints.latency.serviceBusQueues|Yes|Routing: message latency for Service Bus Queue|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a Service Bus queue endpoint.|No Dimensions|

+|d2c.endpoints.latency.serviceBusTopics|Yes|Routing: message latency for Service Bus Topic|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a Service Bus topic endpoint.|No Dimensions|

+|d2c.endpoints.latency.storage|Yes|Routing: message latency for storage|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a storage endpoint.|No Dimensions|

+|d2c.telemetry.egress.dropped|Yes|Routing: telemetry messages dropped|Count|Total|The number of times messages were dropped by IoT Hub routing due to dead endpoints. This value does not count messages delivered to fallback route as dropped messages are not delivered there.|No Dimensions|

+|d2c.telemetry.egress.orphaned|Yes|Routing: telemetry messages orphaned|Count|Total|The number of times messages were orphaned by IoT Hub routing because they didn't match any routing rules (including the fallback rule).|No Dimensions|

+|EventGridLatency|Yes|Event Grid latency|Milliseconds|Average|The average latency (milliseconds) from when the Iot Hub event was generated to when the event was published to Event Grid. This number is an average between all event types. Use the EventType dimension to see latency of a specific type of event.|EventType|

+|RoutingDeliveryLatency|Yes|Routing Delivery Latency (preview)|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into an endpoint. You can use the EndpointName and EndpointType dimensions to understand the latency to your different endpoints.|EndpointType, EndpointName, RoutingSource|

+## Microsoft.DocumentDB/databaseAccounts

+|MongoRequestsCount|No|(deprecated) Mongo Request Rate|CountPerSecond|Average|Mongo request Count per second|DatabaseName, CollectionName, Region, ErrorCode|

+|MongoRequestsDelete|No|(deprecated) Mongo Delete Request Rate|CountPerSecond|Average|Mongo Delete request per second|DatabaseName, CollectionName, Region, ErrorCode|

+|MongoRequestsInsert|No|(deprecated) Mongo Insert Request Rate|CountPerSecond|Average|Mongo Insert count per second|DatabaseName, CollectionName, Region, ErrorCode|

+|MongoRequestsQuery|No|(deprecated) Mongo Query Request Rate|CountPerSecond|Average|Mongo Query request per second|DatabaseName, CollectionName, Region, ErrorCode|

+|MongoRequestsUpdate|No|(deprecated) Mongo Update Request Rate|CountPerSecond|Average|Mongo Update request per second|DatabaseName, CollectionName, Region, ErrorCode|

+|ActiveConnections|No|ActiveConnections|Count|Maximum|Total Active Connections for Microsoft.EventHub.|No Dimensions|

+|ConnectionsClosed|No|Connections Closed.|Count|Maximum|Connections Closed for Microsoft.EventHub.|No Dimensions|

+|ConnectionsOpened|No|Connections Opened.|Count|Maximum|Connections Opened for Microsoft.EventHub.|No Dimensions|

+|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|No Dimensions|

+|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|No Dimensions|

+|SuccessfulRequests|No|Successful Requests|Count|Total|Successful Requests for Microsoft.EventHub.|No Dimensions|

+|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.EventHub.|No Dimensions|

+|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.EventHub.|No Dimensions|

+|ActiveConnections|No|ActiveConnections|Count|Maximum|Total Active Connections for Microsoft.EventHub.|No Dimensions|

+|ConnectionsClosed|No|Connections Closed.|Count|Maximum|Connections Closed for Microsoft.EventHub.|EntityName|

+|ConnectionsOpened|No|Connections Opened.|Count|Maximum|Connections Opened for Microsoft.EventHub.|EntityName|

+|NamespaceCpuUsage|No|CPU|Percent|Maximum|CPU usage metric for Premium SKU namespaces.|No Dimensions|

+|NamespaceMemoryUsage|No|Memory Usage|Percent|Maximum|Memory usage metric for Premium SKU namespaces.|No Dimensions|

+|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|EntityName, |

+|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|EntityName, |

+|SuccessfulRequests|No|Successful Requests|Count|Total|Successful Requests for Microsoft.EventHub.|EntityName, |

+|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.EventHub.|EntityName, |

+|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.EventHub.|EntityName, |

+## Microsoft.KeyVault/managedHSMs

+|Availability|No|Overall Vault Availability|Percent|Average|Vault requests availability|ActivityType, ActivityName, StatusCode, StatusCodeClass|

+|ServiceApiResult|Yes|Total Service Api Results|Count|Count|Gets the available metrics for a Managed HSM pool|ActivityType, ActivityName, StatusCode, StatusCodeClass|

+|ServiceApiLatency|Yes|Overall Service Api Latency|Milliseconds|Average|Overall latency of service api requests|ActivityType, ActivityName, StatusCode, StatusCodeClass|

+|ContinuousExportNumOfRecordsExported|Yes|Continuous export - num of exported records|Count|Total|Number of records exported, fired for every storage artifact written during the export operation|ContinuousExportName, Database|

+|StreamingIngestResults|Yes|Streaming Ingest Result|Count|Count|Streaming ingest result|Result|

+|TotalNumberOfExtents|Yes|Total number of extents|Count|Average|Total number of data extents|No Dimensions|

+## Microsoft.Logic/integrationServiceEnvironments

+|ActionThrottledEvents|Yes|Action Throttled Events|Count|Total|Number of workflow action throttled events..|No Dimensions|

+|RunFailurePercentage|Yes|Run Failure Percentage|Percent|Total|Percentage of workflow runs failed.|No Dimensions|

+|RunStartThrottledEvents|Yes|Run Start Throttled Events|Count|Total|Number of workflow run start throttled events.|No Dimensions|

+|RunThrottledEvents|Yes|Run Throttled Events|Count|Total|Number of workflow action or trigger throttled events.|No Dimensions|

+|TriggerThrottledEvents|Yes|Trigger Throttled Events|Count|Total|Number of workflow trigger throttled events.|No Dimensions|

+## Microsoft.Logic/workflows

+## Microsoft.Network/applicationGateways

+|ExpressRouteGatewayCountOfRoutesAdvertisedToPeer|Yes|Count Of Routes Advertised to Peer|Count|Maximum|Count Of Routes Advertised To Peer by ExpressRouteGateway|roleInstance|

+|ExpressRouteGatewayCountOfRoutesLearnedFromPeer|Yes|Count Of Routes Learned from Peer|Count|Maximum|Count Of Routes Learned From Peer by ExpressRouteGateway|roleInstance|

+|ExpressRouteGatewayFrequencyOfRoutesChanged|No|Frequency of Routes change|Count|Total|Frequency of Routes change in ExpressRoute Gateway|roleInstance|

+|ExpressRouteGatewayNumberOfVmInVnet|No|Number of VMs in the Virtual Network|Count|Maximum|Number of VMs in the Virtual Network|No Dimensions|

+|AllocatedSnatPorts|No|Allocated SNAT Ports|Count|Average|Total number of SNAT ports allocated within time period|FrontendIPAddress, BackendIPAddress, ProtocolType, |

+|UsedSnatPorts|No|Used SNAT Ports|Count|Average|Total number of SNAT ports used within time period|FrontendIPAddress, BackendIPAddress, ProtocolType, |

+## Microsoft.Network/p2sVpnGateways

+|P2SBandwidth|Yes|Gateway P2S Bandwidth|BytesPerSecond|Average|Average point-to-site bandwidth of a gateway in bytes per second|Instance|

+|PEBytesIn|Yes|Bytes In|Count|Total|Total number of Bytes Out|No Dimensions|

+|PLSBytesIn|Yes|Bytes In|Count|Total|Total number of Bytes Out|PrivateLinkServiceId|

+## Microsoft.Network/virtualNetworkGateways

+|AverageBandwidth|Yes|Gateway S2S Bandwidth|BytesPerSecond|Average|Average site-to-site bandwidth of a gateway in bytes per second|Instance|

+|ExpressRouteGatewayCountOfRoutesAdvertisedToPeer|Yes|Count Of Routes Advertised to Peer|Count|Maximum|Count Of Routes Advertised To Peer by ExpressRouteGateway|roleInstance|

+|ExpressRouteGatewayCountOfRoutesLearnedFromPeer|Yes|Count Of Routes Learned from Peer|Count|Maximum|Count Of Routes Learned From Peer by ExpressRouteGateway|roleInstance|

+|ExpressRouteGatewayFrequencyOfRoutesChanged|No|Frequency of Routes change|Count|Total|Frequency of Routes change in ExpressRoute Gateway|roleInstance|

+|ExpressRouteGatewayNumberOfVmInVnet|No|Number of VMs in the Virtual Network|Count|Maximum|Number of VMs in the Virtual Network|No Dimensions|

+|P2SBandwidth|Yes|Gateway P2S Bandwidth|BytesPerSecond|Average|Average point-to-site bandwidth of a gateway in bytes per second|Instance|

+|P2SConnectionCount|Yes|P2S Connection Count|Count|Maximum|Point-to-site connection count of a gateway|Protocol, Instance|

+|TunnelNatedBytes|No|Tunnel NATed Bytes|Bytes|Total|Number of bytes that were NATed on a tunnel by a NAT rule |NatRule, ConnectionName, RemoteIP, Instance|

+|TunnelNatFlowCount|No|Tunnel NAT Flows|Count|Total|Number of NAT flows on a tunnel by flow type and NAT rule|NatRule, ConnectionName, RemoteIP, FlowType, Instance|

+|TunnelNatPacketDrop|No|Tunnel NAT Packet Drops|Count|Total|Number of NATed packets on a tunnel that dropped by drop type and NAT rule|NatRule, ConnectionName, RemoteIP, DropType, Instance|

+## Microsoft.Network/vpnGateways

+|AverageBandwidth|Yes|Gateway S2S Bandwidth|BytesPerSecond|Average|Average site-to-site bandwidth of a gateway in bytes per second|Instance|

+|TunnelNatedBytes|No|Tunnel NATed Bytes|Bytes|Total|Number of bytes that were NATed on a tunnel by a NAT rule |NatRule, ConnectionName, RemoteIP, Instance|

+|TunnelNatFlowCount|No|Tunnel NAT Flows|Count|Total|Number of NAT flows on a tunnel by flow type and NAT rule|NatRule, ConnectionName, RemoteIP, FlowType, Instance|

+|TunnelNatPacketDrop|No|Tunnel NAT Packet Drops|Count|Total|Number of NATed packets on a tunnel that dropped by drop type and NAT rule|NatRule, ConnectionName, RemoteIP, DropType, Instance|

+|incoming.scheduled|Yes|Scheduled Push Notifications Sent|Count|Total|Scheduled Push Notifications Sent|No Dimensions|

+## Microsoft.Purview/accounts

+|ScanBillingUnits|Yes|Scan Billing Units|Count|Total|Indicates the scan billing units.|ResourceId|

+|ScanCancelled|Yes|Scan Cancelled|Count|Total|Indicates the number of scans cancelled.|ResourceId|

+|ScanCompleted|Yes|Scan Completed|Count|Total|Indicates the number of scans completed successfully.|ResourceId|

+|ScanFailed|Yes|Scan Failed|Count|Total|Indicates the number of scans failed.|ResourceId|

+|ScanTimeTaken|Yes|Scan time taken|Seconds|Total|Indicates the total scan time in seconds.|ResourceId|

+|ListenerConnections-ClientError|No|ListenerConnections-ClientError|Count|Total|ClientError on ListenerConnections for Microsoft.Relay.|EntityName, |

+|ListenerConnections-ServerError|No|ListenerConnections-ServerError|Count|Total|ServerError on ListenerConnections for Microsoft.Relay.|EntityName, |

+|ListenerConnections-Success|No|ListenerConnections-Success|Count|Total|Successful ListenerConnections for Microsoft.Relay.|EntityName, |

+|SenderConnections-ClientError|No|SenderConnections-ClientError|Count|Total|ClientError on SenderConnections for Microsoft.Relay.|EntityName, |

+|SenderConnections-ServerError|No|SenderConnections-ServerError|Count|Total|ServerError on SenderConnections for Microsoft.Relay.|EntityName, |

+|SenderConnections-Success|No|SenderConnections-Success|Count|Total|Successful SenderConnections for Microsoft.Relay.|EntityName, |

+|AbandonMessage|Yes|Abandoned Messages|Count|Total|Abandoned Messages|EntityName|

+|CompleteMessage|Yes|Completed Messages|Count|Total|Completed Messages|EntityName|

+|CPUXNS|No|CPU (Deprecated)|Percent|Maximum|Service bus premium namespace CPU usage metric. This metric is depricated. Please use the CPU metric (NamespaceCpuUsage) instead.|No Dimensions|

+|NamespaceCpuUsage|No|CPU|Percent|Maximum|CPU usage metric for Premium SKU namespaces.|No Dimensions|

+|NamespaceMemoryUsage|No|Memory Usage|Percent|Maximum|Memory usage metric for Premium SKU namespaces.|No Dimensions|

+|PendingCheckpointOperationCount|No|Pending Checkpoint Operations Count.|Count|Total|Pending Checkpoint Operations Count.|No Dimensions|

+|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.ServiceBus.|EntityName, |

+|ServerSendLatency|Yes|Server Send Latency.|Milliseconds|Average|Server Send Latency.|EntityName|

+|SuccessfulRequests|No|Successful Requests|Count|Total|Total successful requests for a namespace|EntityName, |

+|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.ServiceBus.|EntityName, MessagingErrorSubCode|

+|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.ServiceBus.|EntityName, |

+|WSXNS|No|Memory Usage (Deprecated)|Percent|Maximum|Service bus premium namespace memory usage metric. This metric is deprecated. Please use the Memory Usage (NamespaceMemoryUsage) metric instead.|No Dimensions|

+|ConnectionQuotaUtilization|Yes|Connection Quota Utilization|Percent|Maximum|The percentage of connection connected relative to connection quota.|No Dimensions|

+|InboundTraffic|Yes|Inbound Traffic|Bytes|Total|The inbound traffic of service|No Dimensions|

+|OutboundTraffic|Yes|Outbound Traffic|Bytes|Total|The outbound traffic of service|No Dimensions|

+|TotalConnectionCount|Yes|Connection Count|Count|Maximum|The amount of user connection.|No Dimensions|

+|app_cpu_billed|Yes|App CPU billed|Count|Total|App CPU billed. Applies to serverless databases.|No Dimensions|

+|app_cpu_percent|Yes|App CPU percentage|Percent|Average|App CPU percentage. Applies to serverless databases.|No Dimensions|

+|app_memory_percent|Yes|App memory percentage|Percent|Average|App memory percentage. Applies to serverless databases.|No Dimensions|

+|SuccessE2ELatency|Yes|Success E2E Latency|Milliseconds|Average|The average end-to-end latency of successful requests made to a storage service or the specified API operation, in milliseconds. This value includes the required processing time within Azure Storage to read the request, send the response, and receive acknowledgment of the response.|GeoType, ApiName, Authentication|

+|SuccessServerLatency|Yes|Success Server Latency|Milliseconds|Average|The average time used to process a successful request by Azure Storage. This value does not include the network latency specified in SuccessE2ELatency.|GeoType, ApiName, Authentication|

+|ClientLatency|Yes|Average Client Latency|Milliseconds|Average|Average latency of client file operations to the Cache.|No Dimensions|

+|StorageTargetLatency|Yes|StorageTarget Latency|Milliseconds|Average|The average round trip latency of all the file operations the Cache sends to a partricular StorageTarget.|StorageTarget|

+## Microsoft.Synapse/workspaces/kustoPools

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|BatchBlobCount|Yes|Batch Blob Count|Count|Average|Number of data sources in an aggregated batch for ingestion.|Database|

+|BatchDuration|Yes|Batch Duration|Seconds|Average|The duration of the aggregation phase in the ingestion flow.|Database|

+|BatchesProcessed|Yes|Batches Processed|Count|Total|Number of batches aggregated for ingestion. Batching Type: whether the batch reached batching time, data size or number of files limit set by batching policy|Database, SealReason|

+|BatchSize|Yes|Batch Size|Bytes|Average|Uncompressed expected data size in an aggregated batch for ingestion.|Database|

+|BlobsDropped|Yes|Blobs Dropped|Count|Total|Number of blobs permanently rejected by a component.|Database, ComponentType, ComponentName|

+|BlobsProcessed|Yes|Blobs Processed|Count|Total|Number of blobs processed by a component.|Database, ComponentType, ComponentName|

+|BlobsReceived|Yes|Blobs Received|Count|Total|Number of blobs received from input stream by a component.|Database, ComponentType, ComponentName|

+|CacheUtilization|Yes|Cache utilization|Percent|Average|Utilization level in the cluster scope|No Dimensions|

+|ContinuousExportMaxLatenessMinutes|Yes|Continuous Export Max Lateness|Count|Maximum|The lateness (in minutes) reported by the continuous export jobs in the cluster|No Dimensions|

+|ContinuousExportNumOfRecordsExported|Yes|Continuous export - num of exported records|Count|Total|Number of records exported, fired for every storage artifact written during the export operation|ContinuousExportName, Database|

+|ContinuousExportPendingCount|Yes|Continuous Export Pending Count|Count|Maximum|The number of pending continuous export jobs ready for execution|No Dimensions|

+|ContinuousExportResult|Yes|Continuous Export Result|Count|Count|Indicates whether Continuous Export succeeded or failed|ContinuousExportName, Result, Database|

+|CPU|Yes|CPU|Percent|Average|CPU utilization level|No Dimensions|

+|DiscoveryLatency|Yes|Discovery Latency|Seconds|Average|Reported by data connections (if exist). Time in seconds from when a message is enqueued or event is created until it is discovered by data connection. This time is not included in the Azure Data Explorer total ingestion duration.|ComponentType, ComponentName|

+|EventsDropped|Yes|Events Dropped|Count|Total|Number of events dropped permanently by data connection. An Ingestion result metric with a failure reason will be sent.|ComponentType, ComponentName|

+|EventsProcessed|Yes|Events Processed|Count|Total|Number of events processed by the cluster|ComponentType, ComponentName|

+|EventsProcessedForEventHubs|Yes|Events Processed (for Event/IoT Hubs)|Count|Total|Number of events processed by the cluster when ingesting from Event/IoT Hub|EventStatus|

+|EventsReceived|Yes|Events Received|Count|Total|Number of events received by data connection.|ComponentType, ComponentName|

+|ExportUtilization|Yes|Export Utilization|Percent|Maximum|Export utilization|No Dimensions|

+|IngestionLatencyInSeconds|Yes|Ingestion Latency|Seconds|Average|Latency of data ingested, from the time the data was received in the cluster until it's ready for query. The ingestion latency period depends on the ingestion scenario.|No Dimensions|

+|IngestionResult|Yes|Ingestion result|Count|Total|Total number of sources that either failed or succeeded to be ingested. Splitting the metric by status, you can get detailed information about the status of the ingestion operations.|IngestionResultDetails, FailureKind|

+|IngestionUtilization|Yes|Ingestion utilization|Percent|Average|Ratio of used ingestion slots in the cluster|No Dimensions|

+|IngestionVolumeInMB|Yes|Ingestion Volume|Bytes|Total|Overall volume of ingested data to the cluster|Database|

+|InstanceCount|Yes|Instance Count|Count|Average|Total instance count|No Dimensions|

+|KeepAlive|Yes|Keep alive|Count|Average|Sanity check indicates the cluster responds to queries|No Dimensions|

+|MaterializedViewAgeMinutes|Yes|Materialized View Age|Count|Average|The materialized view age in minutes|Database, MaterializedViewName|

+|MaterializedViewDataLoss|Yes|Materialized View Data Loss|Count|Maximum|Indicates potential data loss in materialized view|Database, MaterializedViewName, Kind|

+|MaterializedViewExtentsRebuild|Yes|Materialized View Extents Rebuild|Count|Average|Number of extents rebuild|Database, MaterializedViewName|

+|MaterializedViewHealth|Yes|Materialized View Health|Count|Average|The health of the materialized view (1 for healthy, 0 for non-healthy)|Database, MaterializedViewName|

+|MaterializedViewRecordsInDelta|Yes|Materialized View Records In Delta|Count|Average|The number of records in the non-materialized part of the view|Database, MaterializedViewName|

+|MaterializedViewResult|Yes|Materialized View Result|Count|Average|The result of the materialization process|Database, MaterializedViewName, Result|

+|QueryDuration|Yes|Query duration|Milliseconds|Average|Queries' duration in seconds|QueryStatus|

+|QueryResult|No|Query Result|Count|Count|Total number of queries.|QueryStatus|

+|QueueLength|Yes|Queue Length|Count|Average|Number of pending messages in a component's queue.|ComponentType|

+|QueueOldestMessage|Yes|Queue Oldest Message|Count|Average|Time in seconds from when the oldest message in queue was inserted.|ComponentType|

+|ReceivedDataSizeBytes|Yes|Received Data Size Bytes|Bytes|Average|Size of data received by data connection. This is the size of the data stream, or of raw data size if provided.|ComponentType, ComponentName|

+|StageLatency|Yes|Stage Latency|Seconds|Average|Cumulative time from when a message is discovered until it is received by the reporting component for processing (discovery time is set when message is enqueued for ingestion queue, or when discovered by data connection).|Database, ComponentType|

+|SteamingIngestRequestRate|Yes|Streaming Ingest Request Rate|Count|RateRequestsPerSecond|Streaming ingest request rate (requests per second)|No Dimensions|

+|StreamingIngestDataRate|Yes|Streaming Ingest Data Rate|Count|Average|Streaming ingest data rate (MB per second)|No Dimensions|

+|StreamingIngestDuration|Yes|Streaming Ingest Duration|Milliseconds|Average|Streaming ingest duration in milliseconds|No Dimensions|

+|StreamingIngestResults|Yes|Streaming Ingest Result|Count|Count|Streaming ingest result|Result|

+|TotalNumberOfConcurrentQueries|Yes|Total number of concurrent queries|Count|Maximum|Total number of concurrent queries|No Dimensions|

+|TotalNumberOfExtents|Yes|Total number of extents|Count|Total|Total number of data extents|No Dimensions|

+|TotalNumberOfThrottledCommands|Yes|Total number of throttled commands|Count|Total|Total number of throttled commands|CommandType|

+|TotalNumberOfThrottledQueries|Yes|Total number of throttled queries|Count|Maximum|Total number of throttled queries|No Dimensions|

+|ApiConnectionRequests|Yes|Requests|Count|Total|API Connection Requests|HttpStatusCode, ClientIPAddress|

+|AppConnections|Yes|Connections|Count|Average|The number of bound sockets existing in the sandbox (w3wp.exe and its child processes). A bound socket is created by calling bind()/connect() APIs and remains until said socket is closed with CloseHandle()/closesocket().|Instance|

+|AverageMemoryWorkingSet|Yes|Average memory working set|Bytes|Average|The average amount of memory used by the app, in megabytes (MiB).|Instance|

+|AverageResponseTime|Yes|Average Response Time (deprecated)|Seconds|Average|The average time taken for the app to serve requests, in seconds.|Instance|

+|BytesReceived|Yes|Data In|Bytes|Total|The amount of incoming bandwidth consumed by the app, in MiB.|Instance|

+|BytesSent|Yes|Data Out|Bytes|Total|The amount of outgoing bandwidth consumed by the app, in MiB.|Instance|

+|CpuTime|Yes|CPU Time|Seconds|Total|The amount of CPU consumed by the app, in seconds. For more information about this metric. Please see: https://aka.ms/website-monitor-cpu-time-vs-cpu-percentage (CPU time vs CPU percentage).|Instance|

+|CurrentAssemblies|Yes|Current Assemblies|Count|Average|The current number of Assemblies loaded across all AppDomains in this application.|Instance|

+|FileSystemUsage|Yes|File System Usage|Bytes|Average|Percentage of filesystem quota consumed by the app.|No Dimensions|

+|FunctionExecutionCount|Yes|Function Execution Count|Count|Total|Function Execution Count|Instance|

+|FunctionExecutionUnits|Yes|Function Execution Units|Count|Total|Function Execution Units|Instance|

+|Gen0Collections|Yes|Gen 0 Garbage Collections|Count|Total|The number of times the generation 0 objects are garbage collected since the start of the app process. Higher generation GCs include all lower generation GCs.|Instance|

+|Gen1Collections|Yes|Gen 1 Garbage Collections|Count|Total|The number of times the generation 1 objects are garbage collected since the start of the app process. Higher generation GCs include all lower generation GCs.|Instance|

+|Gen2Collections|Yes|Gen 2 Garbage Collections|Count|Total|The number of times the generation 2 objects are garbage collected since the start of the app process.|Instance|

+|Handles|Yes|Handle Count|Count|Average|The total number of handles currently open by the app process.|Instance|

+|HealthCheckStatus|Yes|Health check status|Count|Average|Health check status|Instance|

+|Http101|Yes|Http 101|Count|Total|The count of requests resulting in an HTTP status code 101.|Instance|

+|Http2xx|Yes|Http 2xx|Count|Total|The count of requests resulting in an HTTP status code = 200 but < 300.|Instance|

+|Http3xx|Yes|Http 3xx|Count|Total|The count of requests resulting in an HTTP status code = 300 but < 400.|Instance|

+|Http401|Yes|Http 401|Count|Total|The count of requests resulting in HTTP 401 status code.|Instance|

+|Http403|Yes|Http 403|Count|Total|The count of requests resulting in HTTP 403 status code.|Instance|

+|Http404|Yes|Http 404|Count|Total|The count of requests resulting in HTTP 404 status code.|Instance|

+|Http406|Yes|Http 406|Count|Total|The count of requests resulting in HTTP 406 status code.|Instance|

+|Http4xx|Yes|Http 4xx|Count|Total|The count of requests resulting in an HTTP status code = 400 but < 500.|Instance|

+|Http5xx|Yes|Http Server Errors|Count|Total|The count of requests resulting in an HTTP status code = 500 but < 600.|Instance|

+|HttpResponseTime|Yes|Response Time|Seconds|Average|The time taken for the app to serve requests, in seconds.|Instance|

+|IoOtherBytesPerSecond|Yes|IO Other Bytes Per Second|BytesPerSecond|Total|The rate at which the app process is issuing bytes to I/O operations that don't involve data, such as control operations.|Instance|

+|IoOtherOperationsPerSecond|Yes|IO Other Operations Per Second|BytesPerSecond|Total|The rate at which the app process is issuing I/O operations that aren't read or write operations.|Instance|

+|IoReadBytesPerSecond|Yes|IO Read Bytes Per Second|BytesPerSecond|Total|The rate at which the app process is reading bytes from I/O operations.|Instance|

+|IoReadOperationsPerSecond|Yes|IO Read Operations Per Second|BytesPerSecond|Total|The rate at which the app process is issuing read I/O operations.|Instance|

+|IoWriteBytesPerSecond|Yes|IO Write Bytes Per Second|BytesPerSecond|Total|The rate at which the app process is writing bytes to I/O operations.|Instance|

+|IoWriteOperationsPerSecond|Yes|IO Write Operations Per Second|BytesPerSecond|Total|The rate at which the app process is issuing write I/O operations.|Instance|

+|MemoryWorkingSet|Yes|Memory working set|Bytes|Average|The current amount of memory used by the app, in MiB.|Instance|

+|PrivateBytes|Yes|Private Bytes|Bytes|Average|Private Bytes is the current size, in bytes, of memory that the app process has allocated that can't be shared with other processes.|Instance|

+|Requests|Yes|Requests|Count|Total|The total number of requests regardless of their resulting HTTP status code.|Instance|

+|RequestsInApplicationQueue|Yes|Requests In Application Queue|Count|Average|The number of requests in the application request queue.|Instance|

+|ScmCpuTime|Yes|ScmCpuTime|Seconds|Total|ScmCpuTime|Instance|

+|ScmPrivateBytes|Yes|ScmPrivateBytes|Bytes|Average|ScmPrivateBytes|Instance|

+|Threads|Yes|Thread Count|Count|Average|The number of threads currently active in the app process.|Instance|

+|TotalAppDomains|Yes|Total App Domains|Count|Average|The current number of AppDomains loaded in this application.|Instance|

+|TotalAppDomainsUnloaded|Yes|Total App Domains Unloaded|Count|Average|The total number of AppDomains unloaded since the start of the application.|Instance|

+|CpuTime|Yes|CPU Time|Seconds|Total|The amount of CPU consumed by the app, in seconds. For more information about this metric. Please see: https://aka.ms/website-monitor-cpu-time-vs-cpu-percentage (CPU time vs CPU percentage).|Instance|

+|ScmCpuTime|Yes|ScmCpuTime|Seconds|Total|ScmCpuTime|Instance|

+|ScmPrivateBytes|Yes|ScmPrivateBytes|Bytes|Average|ScmPrivateBytes|Instance|

+|CdnPercentageOf4XX|Yes|CdnPercentageOf4XX|Percent|Total|CdnPercentageOf4XX|Instance|

+|CdnPercentageOf5XX|Yes|CdnPercentageOf5XX|Percent|Total|CdnPercentageOf5XX|Instance|

+|CdnRequestCount|Yes|CdnRequestCount|Count|Total|CdnRequestCount|Instance|

+|CdnResponseSize|Yes|CdnResponseSize|Bytes|Total|CdnResponseSize|Instance|

+|CdnTotalLatency|Yes|CdnTotalLatency|Seconds|Total|CdnTotalLatency|Instance|

+## Microsoft.AAD/domainServices

+|DscNodeStatus|Dsc Node Status|No|

+|JobLogs|Job Logs|No|

+|JobStreams|Job Streams|No|

+|cloud-controller-manager|Kubernetes Cloud Controller Manager|Yes|

+|guard|Kubernetes Guard|No|

+|AirflowDagProcessingLogs|Airflow dag processing logs|Yes|

+|AirflowSchedulerLogs|Airflow scheduler logs|Yes|

+|AirflowTaskLogs|Airflow task execution logs|Yes|

+|AirflowWebLogs|Airflow web logs|Yes|

+|AirflowWorkerLogs|Airflow worker logs|Yes|

+## Microsoft.DocumentDB/databaseAccounts

+|ApplicationMetricsLogs|Application Metrics Logs|Yes|

+|RuntimeAuditLogs|Runtime Audit Logs|Yes|

+## Microsoft.Insights/AutoscaleSettings

+## Microsoft.KeyVault/managedHSMs

+|AuditEvent|Audit Logs|No|

+## Microsoft.Logic/integrationAccounts

+## Microsoft.Logic/workflows

+## Microsoft.Network/applicationGateways

+## Microsoft.Network/bastionHosts

+## Microsoft.Network/p2sVpnGateways

+## Microsoft.Network/virtualNetworkGateways

+## Microsoft.Network/vpnGateways

+|Audit|Audit Logs|No|

+## Microsoft.Purview/accounts

+|ScanStatusLogEvent|ScanStatus|Yes|

+|VNetAndIPFilteringLogs|VNet/IP Filtering Connection Logs|No|

+|AllLogs|Azure Web PubSub Service Logs.|Yes|

+## Microsoft.Synapse/workspaces/kustoPools

+|Category|Category Display Name|Costs To Export|

+||||

+|Command|Command|Yes|

+|FailedIngestion|Failed ingest operations|Yes|

+|IngestionBatching|Ingestion batching|Yes|

+|Query|Query|Yes|

+|SucceededIngestion|Successful ingest operations|Yes|

+|TableDetails|Table details|Yes|

+|TableUsageStatistics|Table usage statistics|Yes|

+## microsoft.web/hostingenvironments

+## microsoft.web/sites

+> [!IMPORTANT]

+> This feature has been deprecated as the Log Analytics agent is being replaced with the Azure Monitor agent and solutions in Azure Monitor are being replaced with insights. You can continue to use it if you already have it configured, but it's being removed from regions where it is not already being used. The feature will longer be supported after August 31, 2024.

+# Optional name of a field that includes the timestamp for the data. If the time field is not specified, Azure Monitor assumes the time is the message ingestion time

+| Microsoft.Cache/redis | [listKeys](/rest/api/redis/redis/list-keys) |

+| Microsoft.Cache/redis | [listKeys](/rest/api/redis/redis/list-keys) |

+| [Azure AD service principal](authentication-aad-service-principal.md) | September 2021 | Azure Active Directory (Azure AD) supports user creation in Azure SQL Database on behalf of Azure AD applications (service principals).|

+| [Audit management operations](../database/auditing-overview.md#auditing-of-microsoft-support-operations) | March 2021 | Azure SQL audit capabilities enable you to audit operations done by Microsoft support engineers when they need to access your SQL assets during a support request, enabling more transparency in your workforce. |

+### February 2022

+| **Free Azure SQL Database** | Try Azure SQL Database for free using the Azure free account. To learn more, review [Try SQL Database for free](free-sql-db-free-account-how-to-deploy.md).|

+|||

+### 2021

+| **Azure AD-only authentication** | Restricting authentication to your Azure SQL Database only to Azure Active Directory users is now generally available. To learn more, see [Azure AD-only authentication](../database/authentication-azure-ad-only-authentication.md). |

+|**Split what's new** | The previously combined **What's new** article has been split by product - [What's new in SQL Database](doc-changes-updates-release-notes-whats-new.md) and [What's new in SQL Managed Instance](../managed-instance/doc-changes-updates-release-notes-whats-new.md), making it easier to identify what features are currently in preview, generally available, and significant documentation changes. Additionally, the [Known Issues in SQL Managed Instance](../managed-instance/doc-changes-updates-known-issues.md) content has moved to its own page. |

+| **Maintenance window** | The maintenance window feature allows you to configure a maintenance schedule for your Azure SQL Database, currently in preview. To learn more, see [maintenance window](maintenance-window.md).|

+| **SQL insights** | SQL insights is a comprehensive solution for monitoring any product in the Azure SQL family. SQL insights uses dynamic management views to expose the data you need to monitor health, diagnose problems, and tune performance. To learn more, see [SQL insights](../../azure-monitor/insights/sql-insights-overview.md). |

+ Title: Free SQL Database with Azure free account

+description: Guidance on how to deploy an Azure SQL Database for free using an Azure free account.

+# Try Azure SQL Database free with Azure free account

+Azure SQL Database is an intelligent, scalable, relational database service built for the cloud. SQL Database is a fully managed platform as a service (PaaS) database engine that handles most database management functions such as upgrading, patching, backups, and monitoring without user involvement.

+Using an Azure free account, you can try Azure SQL Database for **free for 12 months** with the following **monthly limit**:

+- **1 S0 database with 10 database transaction units and 250 GB storage**

+This article shows you how to create and use an Azure SQL Database for free using an [Azure free account](https://azure.microsoft.com/free/).

+## Prerequisites

+To try Azure SQL Database for free, you need:

+- An Azure free account. If you don't have one, [create a free account](https://azure.microsoft.com/free/) before you begin.

+## Create a database

+This article uses the Azure portal to create a SQL Database with public access. Alternatively, you can create a SQL Database using [PowerShell, the Azure CLI](./single-database-create-quickstart.md) or an [ARM template](./single-database-create-arm-template-quickstart.md).

+To create your database, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com/) with your Azure free account.

+1. Search for and select **SQL databases**:

+

+ :::image type="content" source="./media/free-sql-db-free-account-how-to-deploy/search-sql-database.png" alt-text="Screenshot that shows how to search and select SQL database.":::

+ Alternatively, you can search for and navigate to **Free Services**, and then select the **Azure SQL Database** tile from the list:

+

+ :::image type="content" source="media/free-sql-db-free-account-how-to-deploy/free-services-sql-database.png" alt-text="Screenshot that shows a list of all free services on the Azure portal.":::

+1. Select **Create**.

+1. On the **Basics** tab of the **Create SQL Database** form, under **Project details**, select the free trial Azure **Subscription**.

+1. For **Resource group**, select **Create new**, enter *myResourceGroup*, and select **OK**.

+1. For **Database name**, enter *mySampleDatabase*.

+1. For **Server**, select **Create new**, and fill out the **New server** form with the following values:

+ - **Server name**: Enter *mysqlserver*, and add some characters for uniqueness. We can't provide an exact server name to use because server names must be globally unique for all servers in Azure, not just unique within a subscription. So enter something like mysqlserver12345, and the portal lets you know if it's available or not.

+ - **Server admin login**: Enter *azureuser*.

+ - **Password**: Enter a password that meets complexity requirements, and enter it again in the **Confirm password** field.

+ - **Location**: Select a location from the dropdown list.

+ Select **OK**.

+1. Leave **Want to use SQL elastic pool** set to **No**.

+1. Under **Compute + storage**, select **Configure database**.

+1. For the free trial, under **Service Tier** select **Standard (For workloads with typical performance requirements)**. Set **DTUs** to **10** and **Data max size (GB)** to **250**, and then select **Apply**.

+ :::image type="content" source="media/free-sql-db-free-account-how-to-deploy/configure-database.png" alt-text="Screenshot that shows selecting database service tier.":::

+1. Leave **Backup storage redundancy** set to **Geo-redundant backup storage**

+1. Select **Next: Networking** at the bottom of the page.

+ :::image type="content" source="./media/free-sql-db-free-account-how-to-deploy/create-database-basics-tab.png" alt-text="New SQL database - Basic tab":::

+1. On the **Networking** tab, for **Connectivity method**, select **Public endpoint**.

+1. For **Firewall rules**, set **Allow Azure services and resources to access this server** set to **Yes** and set **Add current client IP address** to **Yes**.

+1. Leave **Connection policy** set to **Default**.

+1. For **Encrypted Connections**, leave **Minimum TLS version** set to **TLS 1.2**.

+1. Select **Next: Security** at the bottom of the page.

+ :::image type="content" source="./media/free-sql-db-free-account-how-to-deploy/create-database-networking-tab.png" alt-text="Networking tab":::

+1. Leave the values unchanged on **Security** tab.

+ :::image type="content" source="./media/free-sql-db-free-account-how-to-deploy/create-database-security-tab.png" alt-text="Security tab":::

+1. Select **Next: Additional settings** at the bottom of the page.

+1. On the **Additional settings** tab, in the **Data source** section, for **Use existing data**, select **Sample**. This creates an AdventureWorksLT sample database so there are some tables and data to query and experiment with, as opposed to an empty blank database.

+1. Select **Review + create** at the bottom of the page.

+ :::image type="content" source="./media/free-sql-db-free-account-how-to-deploy/create-database-additional-settings-tab.png" alt-text="Additional settings":::

+1. On the **Review + create** page, after reviewing, select **Create**.

+

+ > [!IMPORTANT]

+ > While creating the SQL Database from your Azure free account, you will still see an **Estimated cost per month** in the **Compute + Storage : Cost Summary** blade and **Review + Create** tab. But, as long as you are using your Azure free account, and your free service usage is within monthly limits, you won't be charged for the service. To view usage information, review [**Monitor and track free services usage**](#monitor-and-track-service-usage) later in this article.

+

+## Query the database

+Once your database is created, you can use the **Query editor (preview)** in the Azure portal to connect to the database and query data.

+1. In the portal, search for and select **SQL databases**, and then select your database from the list.

+1. On the page for your database, select **Query editor (preview)** in the navigation menu.

+1. Enter your server admin login information, and select **OK**.

+ :::image type="content" source="./media/single-database-create-quickstart/query-editor-login.png" alt-text="Sign in to Query editor":::

+1. Enter the following query in the **Query editor** pane.

+ ```sql

+ SELECT TOP 20 pc.Name as CategoryName, p.name as ProductName

+ FROM SalesLT.ProductCategory pc

+ JOIN SalesLT.Product p

+ ON pc.productcategoryid = p.productcategoryid;

+ ```

+1. Select **Run**, and then review the query results in the **Results** pane.

+ :::image type="content" source="./media/single-database-create-quickstart/query-editor-results.png" alt-text="Query editor results":::

+1. Close the **Query editor** page, and select **OK** when prompted to discard your unsaved edits.

+## Monitor and track service usage

+You are not charged for the Azure SQL Database included with your Azure free account unless you exceed the free service limit. To remain within the limit, use the Azure portal to track and monitor your free services usage.

+To track usage, follow these steps:

+1. In the Azure portal, search for **Subscriptions** and select the free trial subscription.

+1. On the **Overview** page, scroll down to see the tile **Top free services by usage**, and then select **View all free services**.

+ :::image type="content" source="media/free-sql-db-free-account-how-to-deploy/free-services-usage-overview.png" alt-text="Screenshot that shows the Free Trial subscription overview page and highlights View all free services.":::

+1. Locate the meters related to **Azure SQL Database** to track usage.

+ :::image type="content" source="media/free-sql-db-free-account-how-to-deploy/free-services-tracking.png" alt-text="Screenshot that shows the View and track usage information blade on Azure portal for all free services.":::

+The following table describes the values on the track usage page:

+| **Value**| **Description**|

+| - | - |

+|**Meter** | Identifies the unit of measure for the service being consumed. For example, the meter for Azure SQL Database is *SQL Database, Single Standard, S0 DTUs*, which tracks the number of S0 databases used per day, and has a monthly limit of 1. |

+| **Usage/limit** | The usage of the meter for the current month, and the limit for the meter.

+| **Status**| The current status of your usage of the service defined by the meter. The possible values for status are: </br> **Not in use**: You haven't used the meter or the usage for the meter hasn't reached the billing system. </br> **Exceeded on \<Date\>**: You've exceeded the limit for the meter on \<Date\>. </br> **Unlikely to Exceed**: You're unlikely to exceed the limit for the meter. </br>**Exceeds on \<Date\>**: You're likely to exceed the limit for the meter on \<Date\>. |

+| | |

+>[!IMPORTANT]

+> - With an Azure free account, you also get $200 in credit to use in 30 days. During this time, any usage of the service beyond the free monthly amount is deducted from this credit.

+> - At the end of your first 30 days or after you spend your $200 credit (whichever comes first), you'll only pay for what you use beyond the free monthly amount of services. To keep getting free services after 30 days, move to pay-as-you-go pricing. If you don't move to pay as you go, you can't purchase Azure services beyond your $200 credit and eventually your account and services will be disabled.

+> - For more information, see [**Azure free account FAQ**](https://azure.microsoft.com/free/free-account-faq/).

+## Clean up resources

+When you're finished using these resources, you can delete the resource group you created, which will also delete the server and single database within it.

+To delete **myResourceGroup** and all its resources using the Azure portal:

+1. In the portal, search for and select **Resource groups**, and then select **myResourceGroup** from the list.

+1. On the resource group page, select **Delete resource group**.

+1. Under **Type the resource group name**, enter *myResourceGroup*, and then select **Delete**.

+## Next steps

+[Connect and query](connect-query-content-reference-guide.md) your database using different tools and languages:

+> [!div class="nextstepaction"]

+> [Connect and query using SQL Server Management Studio](connect-query-ssms.md)

+>

+> [Connect and query using Azure Data Studio](/sql/azure-data-studio/quickstart-sql-database?toc=/azure/sql-database/toc.json)

+ az functionapp create --resource-group WebPubSubFunction --consumption-plan-location <REGION> --runtime node --runtime-version 14 --functions-version 3 --name <FUNCIONAPP_NAME> --storage-account <STORAGE_NAME>

+ > [!NOTE]

+ > If you're running the function version other than v3.0, please check [Azure Functions runtime versions documentation](../azure-functions/functions-versions.md#languages) to set `--runtime` parameter to supported value.

+ az functionapp create --resource-group WebPubSubFunction --consumption-plan-location <REGION> --runtime node --runtime-version 14 --functions-version 3 --name <FUNCIONAPP_NAME> --storage-account <STORAGE_NAME>

+ > [!NOTE]

+ > If you're running the function version other than v3.0, please check [Azure Functions runtime versions documentation](../azure-functions/functions-versions.md#languages) to set `--runtime` parameter to supported value.

+**Step 1**

+**Step 2**

+* Check if there are duplicate mount points present.

+Identify the failed to freeze mount points from the extension log file. <br>

+For example: /boot, /usr/sap in the below sample output.

+```

+ 2017-11-02 11:22:56 Thawing: /boot

+ 2017-11-02 11:22:56 Failed to FITHAW: /boot

+ 2017-11-02 11:22:56 Thawing: /sapshare

+ 2017-11-02 11:22:56 Thawing: /usr/sap

+ 2017-11-02 11:22:56 Failed to FITHAW: /usr/sap

+```

+On the Linux VM execute 'mount' command and check if the failed mount points have multiple entries. If yes, remove the old entries or rename the mount path and retry the backup operation.

+ * **Ingress Traffic from public internet:** The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet. Note that the source can be either the Internet or a set of public IP addresses that you specify.

+ $fileShareConfig = New-Object -TypeName "Microsoft.Azure.Commands.Batch.Models.PSAzureFileShareConfiguration" -ArgumentList @("<Storage-Account-name>", "https://<Storage-Account-name>.file.core.windows.net/batchfileshare1", "S", "Storage-Account-key")

+ New-AzBatchPool -Id "<Pool-Name>" -VirtualMachineSize "STANDARD_D2_V2" -VirtualMachineConfiguration $configuration -TargetDedicatedComputeNodes 1 -MountConfiguration @($mountConfig) -BatchContext $context

+- See [Microsoft SMB protocol and CIFS protocol overview](/windows/desktop/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) to learn more about CIFS.

+ Title: Test your IoT Plug and Play device with Azure CLI

+description: A guide on how to test IoT Plug and Play device with the Azure CLI in preparation for certification.

+# How to test IoT Plug and Play devices

+The IoT Plug and Play device certification program includes tools to check that a device meets the IoT Plug and Play certification requirements. The tools also help organizations to drive awareness of the availability of their IoT Plug and Play devices. These certified devices are tailored for IoT solutions and help to reduce time to market.

+This article shows you how to:

+- Install the Azure IoT command-line tool extension for the Azure CLI

+- Run the IoT Plug and Play tests to validate your device application while in-development phase

+> [!Note]

+> A full walk through the certification process can be found in the [Azure Certified Device certification tutorial](tutorial-00-selecting-your-certification.md).

+## Prepare your device

+The application code that runs on your IoT Plug and Play must:

+- Connect to Azure IoT Hub using the [Device Provisioning Service (DPS)](../iot-dps/about-iot-dps.md).

+- Follow the [IoT Plug an Play conventions](../iot-develop/concepts-developer-guide-device.md) to implement of telemetry, properties, and commands.

+The application is software that's installed separately from the operating system or is bundled with the operating system in a firmware image that's flashed to the device.

+Prior to certifying your device through the certification process for IoT Plug and Play, you will want to validate that the device implementation matches the telemetry, properties and commands defined in the [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl) device model locally prior to submitting to the [Azure IoT Public Model Repository](../iot-develop/concepts-model-repository.md).

+To meet the certification requirements, your device must:

+- Connects to Azure IoT Hub using the [DPS](../iot-dps/about-iot-dps.md).

+- Implement of telemetry, properties, or commands following the IoT Plug and Play convention.

+- Describe the device interactions with a [DTDL v2](https://aka.ms/dtdl) model.

+- Send the model ID during [DPS registration](../iot-develop/concepts-developer-guide-device.md#dps-payload) in the DPS provisioning payload.

+- Announce the model ID during the [MQTT connection](../iot-develop/concepts-developer-guide-device.md#model-id-announcement).

+## Test with the Azure IoT Extension CLI

+The [Azure IoT CLI extension](/cli/azure/ext/azure-iot/iot/product?view=azure-cli-latest) lets you validate that the device implementation matches the model before you submit the device for certification through the Azure Certified Device portal.

+The following steps show you how to prepare for and run the certification tests using the CLI:

+### Install the Azure IoT extension for the Azure CLI

+Install the [Azure CLI](/cli/azure/install-azure-cli) and review the installation instructions to set up the [Azure CLI](/cli/azure/iot?view=azure-cli-latest) in your environment.

+To install the Azure IoT Extension, run the following command:

+```azurecli

+az extension add --name azure-iot

+```

+To learn more, see [Azure CLI for Azure IoT](https://docs.microsoft.com/cli/azure/iot/product?view=azure-cli-latest).

+### Create a new product test

+The following command creates a test using DPS with a symmetric key attestation method:

+- Creates a new product to test, and generates a test configuration. The output displays the DPS information that the device must use for provisioning: the primary key, device ID, and ID Scope.

+- Specifies the folder with the DTDL files describing your model.

+```azurecli

+az iot product test create --badge-type Pnp --at SymmetricKey --device-type FinishedProduct --models {local folder name}

+```

+The JSON output from the command contains the `primaryKey`, `registrationId`, and `scopeID` to use when you connect your device.

+Expected output:

+```json

+"deviceType": "FinishedProduct",

+"id": "d45d53d9-656d-4be7-9bbf-140bc87e98dc",

+"provisioningConfiguration": {

+ "symmetricKeyEnrollmentInformation": {

+ "primaryKey":"Ci/Ghpqp0n4m8FD5PTicr6dEikIfM3AtVWzAhObU7yc=",

+ "registrationId": "d45d53d9-656d-4be7-9bbf-140bc87e98dc",

+ "scopeId": "0ne000FFA42"

+ }

+}

+```

+### Connect your device

+Use the DPS information output by the previous command to connect your device to the test IoT Hub instance.

+### Manage and configure the product tests

+When the device is connected and ready to interact with the IoT hub, generate a product test configuration file. To create the file:

+- Use the test `id` from the output of the previous command.

+- Use the `--wait` parameter to get the test case.

+```azurecli

+az iot product test task create --type GenerateTestCases --test-id [YourTestId] --wait

+```

+Expected output:

+```json

+{

+ "deviceTestId": "d45d53d9-656d-4be7-9bbf-140bc87e98dc",

+ "error": null,

+ "id": "526da38e-91fc-4e20-a761-4f04b392c42b",

+ "resultLink": "/deviceTests/d45d53d9-656d-4be7-9bbf-140bc87e98dc/TestCases",

+ "status": "Completed",

+ "type": "GenerateTestCases"

+}

+```

+You can use the `az iot product test case update` command to modify the test configuration file.

+### Run the tests

+After you generate the test configuration, the next step is to run the tests. Use the same `devicetestId` from the previous commands as parameter to run the tests. Check the test results to make sure that all tests have a status `Passed`.

+```azurecli

+az iot product test task create --type QueueTestRun --test-id [YourTestId] --wait

+```

+Example test run output

+```json

+ "validationTasks": [

+ {

+ "componentName": "Default component",

+ "endTime": "2020-08-25T05:18:49.5224772+00:00",

+ "interfaceId": "dtmi:com:example:TemperatureController;1",

+ "logs": [

+ {

+ "message": "Waiting for telemetry from the device",

+ "time": "2020-08-25T05:18:37.3862586+00:00"

+ },

+ {

+ "message": "Validating PnP properties",

+ "time": "2020-08-25T05:18:37.3875168+00:00"

+ },

+ {

+ "message": "Validating PnP commands",

+ "time": "2020-08-25T05:18:37.3894343+00:00"

+ },

+ {

+ "message": "{\"propertyName\":\"serialNumber\",\"expectedSchemaType\":null,\"actualSchemaType\":null,\"message\":\"Property is successfully validated\",\"passed\":true,\"time\":\"2020-08-25T05:18:37.4205985+00:00\"}",

+ "time": "2020-08-25T05:18:37.4205985+00:00"

+ },

+ {

+ "message": "PnP interface properties validation passed",

+ "time": "2020-08-25T05:18:37.4206964+00:00"

+ },

+```

+## Test using the Azure Certified Device portal

+The following steps show you how to use the [Azure Certified Device portal](https://certify.azure.com) to onboard, register product details, submit a getting started guide, and run the certification tests.

+### Onboarding

+To use the [certification portal](https://certify.azure.com), you must use an Azure Active Directory from your work or school tenant.

+To publish the models to the Azure IoT Public Model Repository, your account must be a member of the [Microsoft Partner Network](https://partner.microsoft.com). The system checks that the Microsoft Partner Network ID exists and the account is fully vetted before publishing to the device catalog.

+### Company profile

+You can manage your company profile from the left navigation menu. The company profile includes the company URL, email address, and company logo. The program agreement must be accepted on this page before you run any certification operations.

+The company profile information is used in the device description showcased in the device catalog.

+### Create new project

+To certify a device, you must first create a new project.

+Navigate to the [certification portal](https://certify.azure.com). On the **Projects** page, select *+ Create new project*. Then enter a name for the project, the device name, and select a device class.

+The product information you provide during the certification process falls into four categories:

+- Device information. Collects information about the device such as its name, description, certifications, and operating system.

+- The **Get started** guide. You must submit the guide as a PDF document to be approved by the system administrator before publishing the device.

+- Marketing details. Provide customer-ready marketing information for your device. The marketing information includes as description, a photo, and distributors.

+- Additional industry certifications. This optional section lets you provide additional information about any other certifications the device has got.

+### Connect and test

+The connect and test step checks that your device meets the IoT Plug and Play certification requirements.

+There are three steps to be completed:

+1. Connect and discover interfaces. The device must connect to the Azure IoT certification service through DPS. Choose the authentication method (X.509 certificate, symmetric keys, or trusted platform module) to use and update the device application with the DPS information.

+1. Review interfaces. Review the interface and make sure each one has payload inputs that make sense for testing.

+1. Test. The system tests each device model to check that the telemetry, properties, and commands described in the model follow the IoT Plug and Play conventions. When the test is complete, select the **view logs** link to see the telemetry from the device and the raw data sent to IoT Hub device twin properties.

+### Submit and publish

+The final required stage is to submit the project for review. This step notifies an Azure Certified Device team member to review your project for completeness, including the device and marketing details, and the get started guide. A team member may contact you at the company email address previously provided with questions or edit requests before approval.

+If your device requires further manual validation as part of certification, you'll receive a notice at this time.

+When a device is certified, you can choose to publish your product details to the Azure Certified Device Catalog using the **Publish to catalog** feature in the product summary page.

+## Next steps

+Now the device submission is completed, you can contact the device certification team at [iotcert@microsoft.com](mailto:iotcert@microsoft.com) to continue to the next steps, which include Microsoft Partner Network membership validation and a review of the getting started guides. When all the requirements are satisfied, you can choose to have your device included in the [Certified for Azure IoT device catalog](https://devicecatalog.azure.com).

+ Title: "Translator: sovereign clouds"

+description: Using Translator in sovereign clouds

+# Translator in sovereign (national) clouds

+ Azure sovereign clouds are isolated in-country platforms with independent authentication, storage, and compliance requirements. Sovereign clouds are often used within geographical boundaries where there's a strict data residency requirement. Translator is currently deployed in the following sovereign clouds:

+|Cloud | Region identifier |

+||--|

+| [Azure US Government](../../azure-government/documentation-government-welcome.md)|<ul><li>`usgovarizona` (US Gov Arizona)</li><li>`usgovvirginia` (US Gov Virginia)</li></ul>|

+| [Azure China 21 Vianet](/azure/china/overview-operations) |<ul><li>`chinaeast2` (East China 2)</li><li>`chinanorth` (China North)</li></ul>|

+## Azure portal endpoints

+The following table lists the base URLs for Azure sovereign cloud endpoints:

+| Sovereign cloud | Azure portal endpoint |

+| | -- |

+| Azure portal for US Government | `https://portal.azure.us` |

+| Azure portal China operated by 21 Vianet | `https://portal.azure.cn` |

+## Translator: sovereign clouds

+### [Azure US Government](#tab/us)

+ The Azure Government cloud is available to US government customers and their partners. US federal, state, local, tribal governments and their partners have access to the Azure Government cloud dedicated instance. Cloud operations are controlled by screened US citizens.

+| Azure US Government | Availability and support |

+|--|--|

+|Azure portal | <ul><li>[Azure Government Portal](https://portal.azure.us/)</li></ul>|

+| Available regions</br></br>The region-identifier is a required header when using Translator for the government cloud. | <ul><li>`usgovarizona` </li><li> `usgovvirginia`</li></ul>|

+|Available pricing tiers|<ul><li>Free (F0) and Standard (S0). See [Translator pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator/)</li></ul>|

+|Supported Features | <ul><li>Text Translation</li><li>Document Translation</li><li>Custom Translation</li></ul>|

+|Supported Languages| <ul><li>[Translator language support](language-support.md)</li></ul>|

+<!-- markdownlint-disable MD036 -->

+### Endpoint

+#### Azure portal

+Base URL:

+```http

+https://portal.azure.us

+```

+#### Authorization token

+Replace the `<region-identifier>` parameter with the sovereign cloud identifier:

+|Cloud | Region identifier |

+||--|

+| Azure US Government|<ul><li>`usgovarizona` (US Gov Arizona)</li><li>`usgovvirginia` (US Gov Virginia)</li></ul>|

+| Azure China 21 Vianet|<ul><li>`chinaeast2` (East China 2)</li><li>`chinanorth` (China North)</li></ul>|

+```http

+https://<region-identifier>.api.cognitive.microsoft.us/sts/v1.0/issueToken

+```

+#### Text translation

+```http

+https://api.cognitive.microsofttranslator.us/

+```

+#### Document Translation custom endpoint

+Replace the `<your-custom-domain>` parameter with your [custom domain endpoint](document-translation/get-started-with-document-translation.md#what-is-the-custom-domain-endpoint).

+```http

+https://<your-custom-domain>.cognitiveservices.azure.us/

+```

+#### Custom Translator portal

+```http

+https://portal.customtranslator.azure.us/

+```

+### Example API translation request

+Translate a single sentence from English to Simplified Chinese.

+**Request**

+```curl

+curl -X POST "https://api.cognitive.microsofttranslator.us/translate?api-version=3.0?&from=en&to=zh-Hans" -H "Ocp-Apim-Subscription-Key: <subscription key>" -H "Ocp-Apim-Subscription-Region: chinanorth" -H "Content-Type: application/json; charset=UTF-8" -d "[{'Text':'你好, 你叫什么名字？'}]"

+```

+**Response body**

+```JSON

+[

+ {

+ "translations":[

+ {"text": "Hello, what is your name?", "to": "en"}

+ ]

+ }

+]

+```

+> [!div class="nextstepaction"]

+> [Azure Government: Translator text reference](reference/rest-api-guide.md)

+### [Azure China 21 Vianet](#tab/china)

+The Azure China cloud is a physical and logical network-isolated instance of cloud services located in China. In order to apply for an Azure China account, you need a Chinese legal entity, Internet Content provider (ICP) license, and physical presence within China.

+|Azure China 21 Vianet | Availability and support |

+|||

+|Azure portal |<ul><li>[Azure China 21 Vianet Portal](https://portal.azure.cn/)</li></ul>|

+|Regions <br></br>The region-identifier is a required header when using a multi-service resource. | <ul><li>`chinanorth` </li><li> `chinaeast2`</li></ul>|

+|Supported Feature|<ul><li>[Text Translation](https://docs.azure.cn/cognitive-services/translator/reference/v3-0-reference)</li></ul>|

+|Supported Languages|<ul><li>[Translator language support.](https://docs.azure.cn/cognitive-services/translator/language-support)</li></ul>|

+<!-- markdownlint-disable MD036 -->

+<!-- markdownlint-disable MD024 -->

+### Endpoint

+Base URL

+#### Azure portal

+```http

+https://portal.azure.cn

+```

+#### Authorization token

+Replace the `<region-identifier>` parameter with the sovereign cloud identifier:

+```http

+https://<region-identifier>.api.cognitive.azure.cn/sts/v1.0/issueToken

+```

+#### Text translation

+```http

+https://api.translator.azure.cn/translate

+```

+### Example API translation request

+Translate a single sentence from English to Simplified Chinese.

+**Request**

+```curl

+curl -X POST "https://api.translator.azure.cn/translate?api-version=3.0&from=en&to=zh-Hans" -H "Ocp-Apim-Subscription-Key: <client-secret>" -H "Content-Type: application/json; charset=UTF-8" -d "[{'Text': 'Hello, what is your name?'}]"

+```

+**Response body**

+```JSON

+[

+ {

+ "translations":[

+ {"text": "你好, 你叫什么名字？", "to": "zh-Hans"}

+ ]

+ }

+]

+```

+> [!div class="nextstepaction"]

+> [Azure China: Translator Text reference](https://docs.azure.cn/cognitive-services/translator/reference/v3-0-reference)

+## Next step

+> [!div class="nextstepaction"]

+> [Learn more about Translator](index.yml)

+ Title: Azure Communication Services BYOS overview

+description: Learn about the Azure Communication Services BYOS.

+# Bring your own storage (BYOS) overview

+In many applications end-users may want to store their Call Recording files long-term. Some of the common scenarios are compliance, quality assurance, assessment, post call analysis, training, and coaching. Now with the BYOS (bring your own storage) being available, end-users will have an option to store their files long term and manage the files in a way they need. The end user will be responsible for legal regulations about storing the data. BYOS simplifies downloading of the files from Azure Communication Services (ACS) and minimizes the number of support request if customer was unable to download recording in 48 hours. Data will be transferred securely from Microsoft Azure blob storage to a customer Azure blob storage.

+Here are a few examples:

+- Contact Center Recording

+- Compliance Recording Scenario

+- Healthcare Virtual Visits Scenario

+- Conference/meeting recordings and so on

+BYOS can be easily integrated into any application regardless of the programming language. When creating a call recording resource in Azure Portal, enable the BYOS option and provide the sas-url to the storage. This simple experience allows developers to meet their needs, scale, and avoid investing time and resources into designing and maintaining a custom solution.

+## Feature highlights

+- HIPAA complaint

+## Next steps

+- TBD

+description: Automate tasks for SQL databases on premises or in the cloud using Azure Logic Apps.

+# Connect to a SQL database from Azure Logic Apps

+* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+ Title: Connect to Twilio with Azure Logic Apps

+description: Automate tasks and workflows that manage global SMS, MMS, and IP messages through your Twilio account using Azure Logic Apps.

+# Connect to Twilio from Azure Logic Apps

+* An Azure account and subscription. If you don't have an Azure subscription,

+[sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Learn about the impact that Google security and privacy policies have on Google connectors, such as Gmail, in Azure Logic Apps.

+description: Improve your app's threat protection, detection, and response with Microsoft Graph Security & Azure Logic Apps.

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Wait to run the next action in logic app workflows by using the Delay or Delay Until actions in Azure Logic Apps.

+* An Azure account and subscription. If you don't have a subscription, you can [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Send outbound HTTP or HTTPS requests to service endpoints from Azure Logic Apps.

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+ Title: Receive and respond to HTTPS requests

+description: Handle inbound HTTPS calls from external services using Azure Logic Apps.

+* An Azure account and subscription. If you don't have a subscription, you can [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Create and run recurring tasks that handle contiguous data by using sliding windows in Azure Logic Apps.

+* An Azure account and subscription. If you don't have a subscription, you can [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Automate workflows that trigger, pause, and resume based on events at a service endpoint by using Azure Logic Apps.

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An Azure account and subscription. If you don't have an Azure subscription,

+[sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+The supported payment methods for Microsoft Azure are credit cards and check/wire transfer. To get approved to pay by check/wire transfer, see [Pay for your Azure subscription by check or wire transfer](pay-by-invoice.md).

+- If you want to a delete credit card, see [Delete an Azure billing payment method](delete-azure-payment-method.md).

+You can create only one data catalog per organization (Azure Active Directory domain). Therefore, if the owner or co-owner of an Azure subscription who belongs to this Azure Active Directory domain has already created a catalog, then you can't create a catalog again even if you have multiple Azure subscriptions. To test whether a data catalog has been created by a user in your Azure Active Directory domain, go to the [Azure Data Catalog home page](http://azuredatacatalog.com) and verify whether you see the catalog. If a catalog has already been created for you, skip the following procedure and go to the next section.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-create.png" alt-text="Data catalog resource type with the Create button selected.":::

+1. Specify a **name** for the data catalog, the **subscription** you want to use, the **location** for the catalog, and the **pricing tier**. Then select **Create**.

+1. Go to the [Azure Data Catalog home page](http://azuredatacatalog.com) and select **Publish Data**.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-publish-data.png" alt-text="On the data catalog homepage, the Publish Data button is selected.":::

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-marketing-landing-page.png" alt-text="The data catalog service page, with the blue get started button at the bottom.":::

+1. Go to the **Settings** page.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-create-azure-data-catalog.png" alt-text="The data catalog settings page, with several expandable options.":::

+1. Expand **Pricing** and verify your Azure Data Catalog **edition** (Free or Standard).

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-create-catalog-select-edition.png" alt-text="The pricing option expanded with the free edition selected.":::

+1. If you choose *Standard* edition as your pricing tier, you can expand **Security Groups** and enable authorizing Active Directory security groups to access Data Catalog and enable automatic adjustment of billing.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-standard-security-groups.png" alt-text="The security groups option expanded with the option to enable authorizing shown.":::

+1. Expand **Catalog Users** and select **Add** to add users for the data catalog. You're automatically added to this group.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-add-catalog-user.png" alt-text="Catalog users expanded and the add button highlighted.":::

+1. If you choose *Standard* edition as your pricing tier, you can expand **Glossary Administrators** and select **Add** to add glossary administrator users. You're automatically added to this group.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-standard-glossary-admin.png" alt-text="Glossary Administrators expanded and the add button highlighted.":::

+1. Expand **Catalog Administrators** and select **Add** to add other administrators for the data catalog. You're automatically added to this group.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-add-catalog-admins.png" alt-text="Catalog Administrators expanded and the add button highlighted.":::

+1. Expand **Portal Title** and add extra text that will be displayed in the portal title.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-portal-title.png" alt-text="Portal title expanded, showing the text box where optional text can be added.":::

+1. Once you complete the **Settings** page, next navigate to the **Publish** page.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-created.png" alt-text="Data Catalog home page, with the Publish tab selected in the top menu.":::

+1. Select **All services** and then select **Data Catalog**.

+ :::image type="content" source="media/data-catalog-get-started/data-catalog-browse-azure-portal.png" alt-text="The left Azure portal menu is open, with 'all services' selected. In the services menu, Data Catalog is selected.":::

+ You'll see the data catalog you created in the list. If you don't, check your subscription, resource group, location, and tag filters at the top of the search.

+1. Select the catalog that you created. You'll see the **Data Catalog** page in the portal, showing details for your Data Catalog.

+1. You can view properties of the data catalog and update them. For example, you can select **Pricing tier** and change the edition.

+To register a data source, follow these steps:

+You can include a snapshot preview of the data in each table and view that is registered, using the Data Catalog data-source registration tool. If you choose to include previews during registration, the registration tool includes up to 20 records from each table and view. This snapshot is then copied to the catalog along with the structural and descriptive metadata.

+Registering a data source makes it discoverable in Data Catalog when you use the metadata and optional preview extracted during registration. If the data source needs to be updated in the catalog (for example, if the schema of an object has changed, tables originally excluded should be included, or you want to update the data that's included in the previews), the data source registration tool can be rerun.

+Because it copies structural and descriptive metadata from a data source to the catalog service, registering the data source in Data Catalog makes the data easier to discover and understand. After you've registered the data source, you can annotate, manage, and discover it by using the Data Catalog portal.

+> [!Important]

+> Due to the sunset of Google AdWords API by **April 27, 2022**, the service has upgraded to the new Google Ads API. Please refer this [document](connector-troubleshoot-google-adwords.md#migrate-to-the-new-version-of-google-ads-api) for detailed migration steps and recommendations. Please make sure the migration to be done before **April 27, 2022**.

+| connectionProperties | A group of properties that defines how to connect to Google AdWords. | Yes |

+| ***Under `connectionProperties`:*** | | |

+| loginCustomerID | The customer ID of the Google AdWords manager account through which you want to fetch report data of specific customer.| No |

+ "connectionProperties": {

+ "clientCustomerID": "<clientCustomerID>",

+ "loginCustomerID": "<loginCustomerID>",

+ "developerToken": {

+ "type": "SecureString",

+ "value": "<developerToken>"

+ },

+ "authenticationType": "ServiceAuthentication",

+ "refreshToken": {

+ "type": "SecureString",

+ "value": "<refreshToken>"

+ },

+ "clientId": {

+ "type": "SecureString",

+ "value": "<clientId>"

+ },

+ "clientSecret": {

+ "type": "SecureString",

+ "value": "<clientSecret>"

+ },

+ "email": "<email>",

+ "keyFilePath": "<keyFilePath>",

+ "trustedCertPath": "<trustedCertPath>",

+ "useSystemTrustStore": true,

+ }

+ Title: Troubleshoot the Google AdWords connector

+description: Learn how to troubleshoot issues with the Google AdWords connector in Azure Data Factory and Azure Synapse Analytics.

+# Troubleshoot the Google AdWords connector in Azure Data Factory and Azure Synapse

+This article provides suggestions to troubleshoot common problems with the Google AdWords connector in Azure Data Factory and Azure Synapse.

+## Migrate to the new version of Google Ads API

+- **Symptoms**

+ You see a hint on the Google AdWords linked service configuration page. It reminds you to upgrade your linked service to a newer version before the legacy API is deprecated by Google.

+- **Cause**

+ Due to the sunset of Google AdWords API by **April 27, 2022**, you are recommended to migrate your existing linked service to the new version of Google Ads API before the date. Starting **April 27, 2022**, connection will start to fail because of the deprecation of Google AdWords API (see this [link](https://ads-developers.googleblog.com/2021/04/upgrade-to-google-ads-api-from-adwords.html)). Migration steps:

+

+ 1. Open your Google AdWords connector linked service configuration page.

+ 2. Edit the linked service and choose the new API version (select **Google Ads**).

+

+ :::image type="content" source="media/connector-troubleshoot-guide/update-google-adwords-linked-service.png" alt-text="Screenshot of updating the linked service configuration for Google AdWords.":::

+ 3. Apply the changes.

+- **Known issues and recommendations**

+ 1. The new Google Ads API doesn't provide a migration plan for below reports/tables:

+ a. AD_CUSTOMIZERS_FEED_ITEM_REPORT

+ b. CAMPAIGN_GROUP_PERFORMANCE_REPORT

+ c. CAMPAIGN_NEGATIVE_KEYWORDS_PERFORMANCE_REPORT

+ d. CAMPAIGN_NEGATIVE_LOCATIONS_REPORT

+ e. CAMPAIGN_NEGATIVE_PLACEMENTS_PERFORMANCE_REPORT

+ f. CREATIVE_CONVERSION_REPORT

+ g. CRITERIA_PERFORMANCE_REPORT

+ h. FINAL_URL_REPORT

+ i. KEYWORDLESS_CATEGORY_REPORT

+ j. MARKETPLACE_PERFORMANCE_REPORT

+ k. TOP_CONTENT_PERFORMANCE_REPORT

+ 2. The syntax for Google Ads query language is similar to AWQL from the AdWords API, but not identical. You can refer this [document](https://developers.google.com/google-ads/api/docs/migration/querying) for more details.

+## Next steps

+For more troubleshooting help, try these resources:

+- [Connector troubleshooting guide](connector-troubleshoot-guide.md)

+- [Data Factory blog](https://azure.microsoft.com/blog/tag/azure-data-factory/)

+- [Data Factory feature requests](/answers/topics/azure-data-factory.html)

+- [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory)

+- [Microsoft Q&A page](/answers/topics/azure-data-factory.html)

+- [Stack Overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)

+- [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)

+# Build large-scale data copy pipelines with metadata-driven approach in copy data tool

+ > If you select tabular data store, you will have chance to further select either full load or delta load in the next page. If you select storage store, you can further select full load only in the next page. Incrementally loading new files only from storage store is currently not supported.

+| TopLevelPipelineName | The name of top layer pipeline. |

+> [!IMPORTANT]

+> If you are using this feature in Azure Synapse Analytics, please ensure that your subscription is also registered with Data Factory resource provider, or otherwise you will get an error stating that _the creation of an "Event Subscription" failed_.

+- When authoring in the data factory (in the development environment for instance), the Azure account signed in needs to have the above permission

+- When publishing through [CI/CD](continuous-integration-delivery.md), the account used to publish the ARM template into the testing or production factory needs to have the above permission.

+> [!IMPORTANT]

+> If you are using this feature in Azure Synapse Analytics, please ensure that your subscription is also registered with Data Factory resource provider, or otherwise you will get an error stating that _the creation of an "Event Subscription" failed_.

+Specifically,

+- When authoring in the data factory (in the development environment for instance), the Azure account signed in needs to have the above permission

+- When publishing through [CI/CD](continuous-integration-delivery.md), the account used to publish the ARM template into the testing or production factory needs to have the above permission.

+- Azure SQL Database

+- Azure SQL Managed Instance - (public preview)

+> Because Azure SQL Managed Instance native Private Endpoint in public preview, you can access it from managed Virtual Network using Private Linked Service and Load Balancer. Please see [How to access SQL Managed Instance from Data Factory Managed VNET using Private Endpoint](tutorial-managed-virtual-network-sql-managed-instance.md).

+ SELECT count(1) changecount FROM cdc.fn_cdc_get_net_changes_dbo_customers(@from_lsn, @to_lsn, 'all')

+ SELECT * FROM cdc.fn_cdc_get_net_changes_dbo_customers(@from_lsn, @to_lsn, 'all')

+ SELECT count(1) changecount FROM cdc.fn_cdc_get_net_changes_dbo_customers(@from_lsn, @to_lsn, ''all'')')

+ SELECT * FROM cdc.fn_cdc_get_net_changes_dbo_customers(@from_lsn, @to_lsn, ''all'')')

+ > [!NOTE]

+ > If you need to connect to your device from an outside network, see [Enable device access from outside network](azure-stack-edge-gpu-manage-access-power-connectivity-mode.md#enable-device-access-from-outside-network) for additional network settings.

+> * Enable device access via remote PowerShell over HTTP

+> * Enable device access from outside network

+## Enable device access from outside network

+To be able to connect to your Azure Stack Edge device from an outside network, make sure the network for your laptop and the network for the device meet the following requirements.

+| Traffic direction | Out-of-network requirements |

+|--|--|

+| Outbound to laptop |On the network for the Azure Stack Edge device:<ul><li>Configure the correct gateways on the device to enable traffic to reach the laptopΓÇÖs network.</li><li>If you configure multiple gateways on the device, ensure that traffic can reach your laptop's network on all gateways.<br>A device ideally tries to use the network interface card (NIC) with the lowest route metric. However, there's no clear way for an Azure Stack Edge device to identify the NIC with the lowest metric. So it's best to make your laptop network reachable on all configured gateways.</li></ul>|

+|Inbound to device |On the network for your laptop:<ul><li>Configure a clear network route from the laptop to the network for the device, possibly through defined gateways.</li></ul>|

+> [!NOTE]

+> Diagnostic tests for Azure Stack Edge return a warning if all gateways don't have internet connectivity. For diagnostics information, see [Run diagnostics](azure-stack-edge-gpu-troubleshoot.md#run-diagnostics).

+<!--ORIGINAL PRESENTATION: If a user needs to be able to connect to the Azure Stack Edge appliance from an outside network, you'll need this network configuration:

+- **In-bound traffic:** For in-bound traffic from the customer's laptop (in network A) to the appliance (in network B), network A should have a clear route to network B, possibly through defined gateways.

+- **Outbound traffic:** For outbound traffic from the appliance to the customer's laptop (network B to network A):

+ - Configure the correct gateways on the appliance so that traffic can reach network A.

+ - If you configure multiple gateways on the appliance, ensure that traffic can reach network B on all gateways.

+ An appliance ideally tries to use the network interface card (NIC) with the lowest route metric. However, there's no clear way for an Azure Stack Edge appliance to identify the NIC with the lowest metric. So it's best to make network A reachable on all configured gateways.

+ > [!NOTE]

+ > Diagnostic tests for Azure Stack Edge return a warning if all gateways don't have internet connectivity. For diagnostics information, see [Run diagnostics](azure-stack-edge-gpu-troubleshoot.md#run-diagnostics). Terminology creep: This is the first reference to internet connectivity.-->

+To create your Azure Stack Edge / Data Box Gateway, IoT Hub, and Azure Storage resource, you need permissions as a contributor or higher at a resource group level. You also need the corresponding resource providers to be registered. For any operations that involve activation key and credentials, permissions to the Microsoft Graph API are also required. These requirements are described in the following sections.

+ > - We recommend that you do not switch the local IP address of the network interface from static to DCHP, unless you have another IP address to connect to the device. If using one network interface and you switch to DHCP, there would be no way to determine the DHCP address. If you want to change to a DHCP address, wait until after the device has registered with the service, and then change. You can then view the IPs of all the adapters in the **Device properties** in the Azure portal for your service.

+ > - If you need to connect to your device from an outside network, see [Enable device access from outside network](azure-stack-edge-gpu-manage-access-power-connectivity-mode.md#enable-device-access-from-outside-network) for additional network settings.

+ > [!NOTE]

+ > If you need to connect to your device from an outside network, see [Enable device access from outside network](azure-stack-edge-gpu-manage-access-power-connectivity-mode.md#enable-device-access-from-outside-network) for additional network settings.

+ > We recommend that you do not switch the local IP address of the network interface from static to DCHP, unless you have another IP address to connect to the device. If using one network interface and you switch to DHCP, there would be no way to determine the DHCP address. If you want to change to a DHCP address, wait until after the device has activated with the service, and then change. You can then view the IPs of all the adapters in the **Device properties** in the Azure portal for your service.

+The vocabulary of an Azure Digital Twins solution is defined using [models](concepts-models.md), which describe the types of entities that exist in your environment. An *ontology* is a set of models for a given domain, like building structures, IoT systems, smart cities, energy grids, web content, and more.

+Sometimes, when your solution is tied to a particular industry, it can be easier and more effective to start with a set of models for that industry that already exist, instead of authoring your own model set from scratch. This article explains more about using pre-existing industry ontologies for your Azure Digital Twins scenarios, including strategies for using the ontologies that are available today.

+Here are some other benefits to using industry-standard DTDL ontologies as schemas for your twin graphs:

+* Harmonization of software components, documentation, query libraries, and more

+* Reduced investment in conceptual modeling and system development

+* Easier data interoperability on a semantic level

+* Best practice reuse, rather than starting from scratch

+1. **Source SQL Server**: SQL Server instance on-premises, private cloud, or any public cloud virtual machine. All versions of SQL Server 2008 and above are supported.

+- When migrating to SQL Server on Azure Virtual Machines, SQL Server 2014 and below are not supported.

+Use the Azure SQL Migration extension in Azure Data Studio to migrate the databases from a SQL Server instance to a [SQL Server on Azure Virtual Machine (SQL Server 2016 and above)](../azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md) with minimal downtime. For methods that may require some manual effort, see the article [SQL Server instance migration to SQL Server on Azure Virtual Machine](../azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview.md).

+Use the Azure SQL Migration extension in Azure Data Studio to migrate the databases from a SQL Server instance to a [SQL Server on Azure Virtual Machine (SQL Server 2016 and above)](../azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md) with minimal downtime. For methods that may require some manual effort, see the article [SQL Server instance migration to SQL Server on Azure Virtual Machine](../azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview.md).

+These network-related prerequisites need to be set up before you can use your cache:

+* Access from the subnet to additional Microsoft Azure infrastructure services, including NTP servers and the Azure Queue Storage service.

+When creating this subnet, be careful that its security settings allow access to the necessary infrastructure services mentioned later in this section. You can restrict outbound internet connectivity, but make sure that there are exceptions for the items documented here.

+### Azure Queue Storage access

+The cache must be able to securely access the [Azure Queue Storage service](../storage/queues/storage-queues-introduction.md) from inside its dedicated subnet. Azure HPC Cache uses the queues service when communicating configuration and state information.

+If the cache can't access the queue service, you might see a CacheConnectivityError message when creating the cache.

+There are two ways to provide access:

+* Create an Azure Storage service endpoint in your cache subnet.

+ Read [Add a virtual network subnet](../virtual-network/virtual-network-manage-subnet.md#add-a-subnet) for instructions to add the **Microsoft.Storage** service endpoint.

+* Individually configure access to the Azure storage queue service domain in your network security group or other firewalls.

+ Add rules to permit access on these ports:

+ * TCP port 443 for secure traffic to any host in the domain queue.core.windows.net (`*.queue.core.windows.net`).

+ * TCP port 80 - used for verification of the server-side certificate. This is sometimes referred to as certificate revocation list (CRL) checking and online certificate status protocol (OCSP) communications. All of *.queue.core.windows.net uses the same certificate, and thus the same CRL/OCSP servers. The hostname is stored in the server-side SSL certificate.

+ Refer to the security rule tips in [NTP access](#ntp-access) for more information.

+ This command lists the CRL and OSCP servers that need to be permitted access. These servers must be resolvable by DNS and reachable on port 80 from the cache subnet.

+ ```bash

+ openssl s_client -connect azure.queue.core.windows.net:443 2>&1 < | sed -n '/--BEGIN/,/--END/p' | openssl x509 -noout -text -in /dev/stdin |egrep -i crl\|ocsp|grep URI

+ ```

+ The output looks something like this, and can change if the SSL certificate updates:

+ ```bash

+ OCSP - URI:http://ocsp.msocsp.com

+ CRL - URI:http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20RSA%20TLS%20CA%2002.crl

+ CRL - URI:http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20RSA%20TLS%20CA%2002.crl

+ ```

+You can check the subnet's connectivity by using this command from a test VM inside the subnet:

+```bash

+openssl s_client -connect azure.queue.core.windows.net:443 -status 2>&1 < |grep "OCSP Response Status"

+```

+A successful connection gives this response:

+```bash

+OCSP Response Status: successful (0x0)

+```

+description: Add logic apps, integration accounts, custom connectors, and managed connectors to your integration service environment (ISE).

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Restrict creating and using API connections in Azure Logic Apps.

+* An Azure account and subscription. If you don't have a subscription, [create a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Design your strategy to protect data, recover quickly from disruptive events, restore resources required by critical business functions, and maintain business continuity for Azure Logic Apps.

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Learn about accessing Azure virtual networks (VNETs) from Azure Logic Apps using an integration service environment (ISE).

+description: Learn how to set up a single public outbound IP address for integration service environments (ISEs) in Azure Logic Apps.

+description: Create an integration service environment (ISE) to access Azure virtual networks (VNETs) using the Azure Logic Apps REST API.

+* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). Both the managed identity and the target Azure resource where you need access must use the same Azure subscription.

+description: View and create queries in Azure Monitor logs for Azure Logic Apps.

+* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Links to topics about how to create, use, share, and certify custom connectors in Azure Logic Apps.

+description: Create and manage your own encryption keys to secure data at rest for integration service environments (ISEs) in Azure Logic Apps.

+* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Migrate flows from Power Automate to Azure Logic Apps by exporting as Azure Resource Manager templates.

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Handle stored procedures that time out when using the SQL connector in Azure Logic Apps.

+description: How to work around throttling problems or 'HTTP 429 Too many requests' errors in Azure Logic Apps.

+ For example, suppose that your logic app gets tables from a SQL Server database and then gets the rows from each table. Based on the number of rows that you have to process, you can use multiple connections and multiple **For each** loops to divide the total number of rows into smaller sets for processing. This scenario uses two **For each** loops to split the total number of rows in half. The first **For each** loop uses an expression that gets the first half. The other **For each** loop uses a different expression that gets the second half, for example:<br><br>

+ * Expression 1: The `take()` function gets the front of a collection. For more information, see the [**`take()`** function](workflow-definition-language-functions-reference.md#take).

+ `@take(collection-or-array-name, div(length(collection-or-array-name), 2))`

+ * Expression 2: The `skip()` function removes the front of a collection and returns all the other items. For more information, see the [**`skip()`** function](workflow-definition-language-functions-reference.md#skip).

+ `@skip(collection-or-array-name, div(length(collection-or-array-name), 2))`

+* An Azure subscription. If you don't have a subscription, [create a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+description: Check network health and manage logic apps, connections, custom connectors, and integration accounts in your integration service environment (ISE) for Azure Logic Apps.

+description: Learn how to create and run code snippets by using inline code actions for automated tasks and workflows that you create with Azure Logic Apps.

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+See examples of regression and automated machine learning for predictions in these Python notebooks: [Sales Forecasting](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-orange-juice-sales/auto-ml-forecasting-orange-juice-sales.ipynb), [Demand Forecasting](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb), and [Forecasting GitHub's Daily Active Users](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-github-dau/auto-ml-forecasting-github-dau.ipynb).

+* [Memory](#memory-quota)

+This issue happens when the size of the model is larger than the available disk space and the model is not able to be downloaded. Try a SKU with more disk space.

+* Try a [Managed online endpoints SKU list](reference-managed-online-endpoints-vm-sku-list.md) with more disk space

+* Try reducing image and model size

+#### Memory quota

+This issue happens when the memory footprint of the model is larger than the available memory. Try a [Managed online endpoints SKU list](reference-managed-online-endpoints-vm-sku-list.md) with more memory.<br>

+- ISV to ensure the SaaS private plan is using the correct tenant ID for the customer - [How to find your Azure Active Directory tenant ID](../active-directory/fundamentals/active-directory-how-to-find-tenant.md). For VMs use the [Azure Subscription ID. (video guide)](../media-services/latest/setup-azure-subscription-how-to.md?tabs=portal)

+- ISV to ask the customer to find the Private Plan in Azure Marketplace: [Private plans in Azure Marketplace](/marketplace/private-plans)

+- Customer to ensure marketplace is enabled - [Azure Marketplace](../cost-management-billing/manage/ea-azure-marketplace.md) ΓÇô if it is not, the user has to contact their Azure Administrator to enable marketplace, for more information regarding Azure Marketplace, see [Azure Marketplace](../cost-management-billing/manage/ea-azure-marketplace.md).

+- (Customer) If the offer is still not visible, itΓÇÖs possible that the customer has Private Marketplace enabled - Customer to Ask the Azure Administrator to enable the specific Private Plan in Private Marketplace: [Create and manage Private Azure Marketplace collections in the Azure portal](/marketplace/create-manage-private-azure-marketplace-new)

+ - (Customer) The Azure Administrator must follow the instructions in [Azure EA portal administration](../cost-management-billing/manage/ea-portal-administration.md), and discuss with their Microsoft Representative the steps to enable billing for Marketplace

+- [Create an Azure Support Request](../azure-portal/supportability/how-to-create-azure-support-request.md)

+4. Select the Platform for your VM, either **Windows Server** (allow port 5986 for Windows) or **Linux** (allow port 22 for Linux). Your platform choice affects the remaining options.

+This example shows a PowerShell call to the API (allow port 22 during VM creation):

+This code sample shows a PowerShell call to the API (allow port 5986 during VM creation):

+| <center>**1. Product Marketing**<br><img src="medi)</ul> | Create product messaging, positioning, promotion, pricing<br>Partner Center (PC) → Offer Creation |

+- Visit the links above for each API as needed.

+After you have an Azure AD access token, call methods in the Partner Center submission API. To create or update submissions, you typically call multiple methods in the Partner Center submission API in a specific order. For information about each scenario and the syntax of each method, see the [Ingestion API](https://ingestionapi-swagger.azureedge.net/#/) Swagger.

+| RHEL 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.4, 7.0, 6.x | Y | Y | Y |

+| Cent OS 8.1, 8.0, 7.7, 7.6, 7.5, 7.4, 6.x | Y | Y | Y |

+## Create a non-admin user

+az postgres flexible-server connect --help

+* Maximum connections per node

+ * 300 for 0-3 vCores

+ * 500 for 4-15 vCores

+ * 1000 for 16+ vCores

+The connection limits above are for *user* connections (`max_connections` minus

+`superuser_reserved_connections`). We reserve extra connections for

+administration and recovery.

+The limits apply to both worker nodes and the coordinator node. Attempts to

+connect beyond these limits will fail with an error.

+| Azure Key Vault (Microsoft.KeyVault/vaults) / vault | privatelink.vaultcore.azure.net | vault.azure.net <br> vaultcore.azure.net |

+| Azure Cognitive Search | Microsoft.Search/searchServices | search service |

+ Title: How to view, edit, and delete assets

+This article discusses how you can view your assets and their relevant details. It also describes how you can edit and delete assets from your catalog.

+You can discover your assets in the Azure Purview data catalog by either:

+- [Browsing the data catalog](how-to-browse-catalog.md)

+- [Searching the data catalog](how-to-search-catalog.md)

+- **Overview** - An asset's basic details like description, classification, hierarchy, and glossary terms.

+- **Properties** - The technical metadata and relationships discovered in the data source.

+- **Related** - This tab lets you navigate through the technical hierarchy of assets that are related to the current asset you are viewing.

+### Remove Trailing Slash

+Remove the trailing slash from higher level assets for Azure Blob, ADLS Gen1,and ADLS Gen2

+Applies to: Azure Blob, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2

+Asset types: "azure_blob_container", "azure_blob_service", "azure_storage_account", "azure_datalake_gen2_service", "azure_datalake_gen2_filesystem", "azure_datalake_gen1_account"

+Before: `https://myaccount.core.windows.net/`

+After: `https://myaccount.core.windows.net`

+ Title: Asset certification in the Azure Purview data catalog

+description: How to certify assets in the Azure Purview data catalog

+# Asset certification in the Azure Purview data catalog

+As an Azure Purview data catalog grows in size, it becomes important for data consumers to understand what assets they can trust. Data consumers must know if an asset meet their organization's quality standards and can be regarded as reliable. Azure Purview allows data stewards to manually endorse assets to indicate that they're ready to use across an organization or business unit. This article describes how data stewards can certify assets and data consumers can view certification labels.

+## How to certify an asset

+To certify an asset, you must be a **data curator** for the collection containing the asset.

+1. Navigate to the [asset details](catalog-asset-details.md) of the desired asset. Select **Edit**.

+ :::image type="content" source="media/how-to-certify-assets/edit-asset.png" alt-text="Edit an asset from the asset details page" border="true":::

+1. Toggle the **Certified** field to **Yes**.

+ :::image type="content" source="media/how-to-certify-assets/toggle-certification-on.png" alt-text="Toggle an asset to be certified" border="true":::

+1. Save your changes. The asset will now have a "Certified" label next to the asset name.

+

+ :::image type="content" source="media/how-to-certify-assets/view-certified-asset.png" alt-text="An asset with a certified label" border="true":::

+> [!NOTE]

+> PowerBI assets can only be [certified in a PowerBI workspace](https://docs.microsoft.com/power-bi/collaborate-share/service-endorse-content). PowerBI endorsement labels are displayed in Azure Purview's search and browse experiences.

+### Certify assets in bulk

+You can use the Azure Purview [bulk edit experience](how-to-bulk-edit-assets.md) to certify multiple assets at once.

+1. After searching or browsing the data catalog, select checkbox next to the assets you wish to certify.

+ :::image type="content" source="media/how-to-certify-assets/bulk-edit-select.png" alt-text="Select assets to bulk certify" border="true":::

+1. Select **View selected**.

+1. Select **Bulk edit**

+ :::image type="content" source="media/how-to-certify-assets/bulk-edit-open.png" alt-text="Open the bulk edit experience" border="true":::

+1. Choose attribute **Certified**, operation **Replace with**, and new value **Yes**.

+ :::image type="content" source="media/how-to-certify-assets/bulk-edit-certify.png" alt-text="Apply certification labels to all selected assets" border="true":::

+1. Select **Apply**

+All assets selected will have the "Certified" label.

+## Viewing certification labels in Search

+When search or browsing the data catalog, you'll see a certification label on any asset that is certified. Certified assets will also be boosted in search results to help data consumers discover them easily.

+## Next steps

+Discover your assets in the Azure Purview data catalog by either:

+- [Browsing the data catalog](how-to-browse-catalog.md)

+- [Searching the data catalog](how-to-search-catalog.md)

+The supported SQL Server versions are 2005 and above. SQL Server Express LocalDB is not supported.

+ ts.Complete();

+ ts.Complete();

+> If using Windows OS image with Hyper-V role enabled, ie. the VM will be configured for nested virtualization, the Available Memory Metric will not be available, since the dynamic memory driver within the VM will be in a stopped state.

+> If using Windows OS image with Hyper-V role enabled, ie. the VM will be configured for nested virtualization, the Available Memory Metric will not be available, since the dynamic memory driver within the VM will be in a stopped state.

+**To write to managed disk, use [PowerShell Az.RecoveryServices module 2.0.0](https://www.powershellgallery.com/packages/Az.RecoveryServices/2.0.0-preview) onwards.** It only requires creation of a log storage account. It is recommended to use a standard account type and LRS redundancy since it is used to store only temporary logs. Ensure that the storage account is created in the same Azure region as the vault.

+

+

+- Your Azure subscription has an [associated payment method](/marketplace/azure-marketplace-overview#purchasing-requirements). Azure credits or free MSDN subscriptions aren't supported.

+- Your organization allows acquiring any Azure Marketplace software application listed in [Purchase policy management](/marketplace/azure-purchasing-invoicing#purchase-policy-management).

+Set-AzDiagnosticSetting -ResourceId <storage-service-resource-id> -EventHubAuthorizationRuleId <event-hub-namespace-and-key-name> -Enabled $true -Category <operations-to-log>

+Set-AzDiagnosticSetting -ResourceId <storage-service-resource-id> -WorkspaceId <log-analytics-workspace-resource-id> -Enabled $true -Category <operations-to-log>

+az monitor diagnostic-settings create --name <setting-name> --event-hub <event-hub-name> --event-hub-rule <event-hub-namespace-and-key-name> --resource <storage-account-resource-id> --logs '[{"category": <operations>, "enabled": true}]'

+az monitor diagnostic-settings create --name <setting-name> --workspace <log-analytics-workspace-resource-id> --resource <storage-account-resource-id> --logs '[{"category": <category name>, "enabled": true}]'

+description: Learn about limitations and known issues of Network File System (NFS) 3.0 protocol support for Azure Blob Storage.

+# Known issues with Network File System (NFS) 3.0 protocol support for Azure Blob Storage

+This article describes limitations and known issues of Network File System (NFS) 3.0 protocol support for Azure Blob Storage.

+To see how each Blob Storage feature is supported in accounts that have NFS 3.0 support enabled, see [Blob Storage feature support for Azure Storage accounts](storage-feature-support-in-storage-accounts.md).

+- [Network File System (NFS) 3.0 protocol support for Azure Blob Storage](network-file-system-protocol-support.md)

+This article provides guidance on how to mount a container in Azure Blob Storage from a Linux-based Azure virtual machine (VM) or a Linux system that runs on-premises by using the Network File System (NFS) 3.0 protocol. To learn more about NFS 3.0 protocol support in Blob Storage, see [Network File System (NFS) 3.0 protocol support for Azure Blob Storage](network-file-system-protocol-support.md).

+- [Network File System (NFS) 3.0 protocol support for Azure Blob Storage](network-file-system-protocol-support.md)

+- [Known issues with Network File System (NFS) 3.0 protocol support for Azure Blob Storage](network-file-system-protocol-known-issues.md)

+Blob storage now supports the Network File System (NFS) 3.0 protocol. This article contains recommendations that help you to optimize the performance of your storage requests. To learn more about NFS 3.0 support for Azure Blob Storage, see [Network File System (NFS) 3.0 protocol support for Azure Blob storage](network-file-system-protocol-support.md).

+- To learn more about NFS 3.0 support for Azure Blob Storage, see [Network File System (NFS) 3.0 protocol support for Azure Blob storage](network-file-system-protocol-support.md).

+ Title: Network File System 3.0 support for Azure Blob Storage

+# Network File System (NFS) 3.0 protocol support for Azure Blob Storage

+ Title: Host keys for SFTP support for Azure Blob Storage (preview) | Microsoft Docs

+Blob storage now supports the SSH File Transfer Protocol (SFTP). This support provides the ability to securely connect to Blob Storage accounts via an SFTP endpoint, allowing you to leverage SFTP for file access, file transfer, as well as file management. For more information, see [SSH File Transfer Protocol (SFTP) support for Azure Blob Storage](secure-file-transfer-protocol-support.md).

+- [SSH File Transfer Protocol (SFTP) support for Azure Blob Storage](secure-file-transfer-protocol-support.md)

+description: Learn about limitations and known issues of SSH File Transfer Protocol (SFTP) support for Azure Blob Storage.

+# Known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage (preview)

+This article describes limitations and known issues of SFTP support for Azure Blob Storage.

+- [SSH File Transfer Protocol (SFTP) support for Azure Blob Storage](secure-file-transfer-protocol-support.md)

+To learn more about SFTP support for Azure Blob Storage, see [SSH File Transfer Protocol (SFTP) in Azure Blob Storage](secure-file-transfer-protocol-support.md).

+- [SSH File Transfer Protocol (SFTP) support for Azure Blob Storage](secure-file-transfer-protocol-support.md)

+- [Known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage](secure-file-transfer-protocol-known-issues.md)

+ Title: SFTP support for Azure Blob Storage (preview) | Microsoft Docs

+# SSH File Transfer Protocol (SFTP) support for Azure Blob Storage (preview)

+Now, with SFTP support for Azure Blob Storage, you can enable an SFTP endpoint for Blob Storage accounts with a single setting. Then you can set up local user identities for authentication to transfer data securely without the need to do any additional work.

+This article describes SFTP support for Azure Blob Storage. To learn how to enable SFTP for your storage account, see [Connect to Azure Blob Storage by using the SSH File Transfer Protocol (SFTP) (preview)](secure-file-transfer-protocol-support-how-to.md).

+SFTP support for Azure Blob Storage currently limits its cryptographic algorithm support based on security considerations. We strongly recommend that customers utilize Microsoft Security Development Lifecycle (SDL) approved algorithms to securely access their data. More details can be found [here](/security/sdl/cryptographic-recommendations)

+> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure Active Directory tenant are currently only supported through PowerShell, CLI and REST APIs. Such rules cannot be configured through the Azure portal, though they may be viewed in the portal.

+ > Presently, only virtual networks belonging to the same Azure Active Directory tenant are shown for selection during rule creation. To grant access to a subnet in a virtual network belonging to another tenant, please use , PowerShell, CLI or REST APIs.

+Set-AzDiagnosticSetting -ResourceId <storage-service-resource-id> -EventHubAuthorizationRuleId <event-hub-namespace-and-key-name> -Enabled $true -Category <operations-to-log>

+Set-AzDiagnosticSetting -ResourceId <storage-service-resource-id> -WorkspaceId <log-analytics-workspace-resource-id> -Enabled $true -Category <operations-to-log>

+az monitor diagnostic-settings create --name <setting-name> --event-hub <event-hub-name> --event-hub-rule <event-hub-namespace-and-key-name> --resource <storage-account-resource-id> --logs '[{"category": <operations>, "enabled": true}]'

+az monitor diagnostic-settings create --name <setting-name> --workspace <log-analytics-workspace-resource-id> --resource <storage-account-resource-id> --logs '[{"category": <category name>, "enabled": true}]'

+#### Solution 4 ΓÇö Use REST API-based tools like Storage Explorer/PowerShell

+Set-AzDiagnosticSetting -ResourceId <storage-service-resource-id> -EventHubAuthorizationRuleId <event-hub-namespace-and-key-name> -Enabled $true -Category <operations-to-log>

+Set-AzDiagnosticSetting -ResourceId <storage-service-resource-id> -WorkspaceId <log-analytics-workspace-resource-id> -Enabled $true -Category <operations-to-log>

+az monitor diagnostic-settings create --name <setting-name> --event-hub <event-hub-name> --event-hub-rule <event-hub-namespace-and-key-name> --resource <storage-account-resource-id> --logs '[{"category": <operations>, "enabled": true}]'

+az monitor diagnostic-settings create --name <setting-name> --workspace <log-analytics-workspace-resource-id> --resource <storage-account-resource-id> --logs '[{"category": <category name>, "enabled": true}]'

+Set-AzDiagnosticSetting -ResourceId <storage-service-resource-id> -EventHubAuthorizationRuleId <event-hub-namespace-and-key-name> -Enabled $true -Category <operations-to-log>

+Set-AzDiagnosticSetting -ResourceId <storage-service-resource-id> -WorkspaceId <log-analytics-workspace-resource-id> -Enabled $true -Category <operations-to-log>

+az monitor diagnostic-settings create --name <setting-name> --storage-account <storage-account-name> --resource <storage-service-resource-id> --resource-group <resource-group> --logs '[{"category": <operations>, "enabled": true}]'

+az monitor diagnostic-settings create --name <setting-name> --event-hub <event-hub-name> --event-hub-rule <event-hub-namespace-and-key-name> --resource <storage-account-resource-id> --logs '[{"category": <operations>, "enabled": true}]'

+az monitor diagnostic-settings create --name <setting-name> --workspace <log-analytics-workspace-resource-id> --resource <storage-account-resource-id> --logs '[{"category": <category name>, "enabled": true}]'

+5. Create an Azure Automation Runbook Module for StorSimple 8000 Series device management. On the Windows PowerShell window, type the following commands:

+ - Azure PowerShell. [Download Azure PowerShell](/powershell/azure/).

+ $"MERGE INTO [device_updated] AS old " +

+For Azure SQL, `INSTEAD OF` [DML triggers](/sql/relational-databases/triggers/dml-triggers?view=azuresqldb-current&preserve-view=true) can be used to intercept the INSERT commands issued by ASA and replace them with UPDATE or MERGE:

+```SQL

+CREATE TRIGGER tr_devices_updated_upsert ON device_updated INSTEAD OF INSERT

+AS

+BEGIN

+ MERGE device_updated AS old

+ USING inserted AS new

+ ON new.DeviceId = old.DeviceId

+ WHEN MATCHED THEN

+ UPDATE SET

+ old.Value += new.Value,

+ old.Timestamp = new.Timestamp

+ WHEN NOT MATCHED THEN

+ INSERT (DeviceId, Value, Timestamp)

+ VALUES (new.DeviceId, new.Value, new.Timestamp);

+END;

+```

+* [Quickstart: Create a Stream Analytics job by using the Azure portal](stream-analytics-quick-create-portal.md)

+For Windows, use PowerShell:

+- UNIQUE constraint is only supported when NOT ENFORCED is used.

+After creating the tables for your dedicated SQL pool, the next step is to load data into the table. For a loading tutorial, see [Loading data to dedicated SQL pool](load-data-wideworldimportersdw.md).

+# Traffic Manager subnet override using Azure PowerShell

+- Learn more about terms used in this article at our [autoscale glossary](autoscale-glossary.md).

+- View our [autoscale FAQ](autoscale-faq.yml) to answer commonly asked questions.

+ Title: Azure Virtual Desktop autoscale (preview) glossary - Azure

+description: A glossary of terms and concepts for the Azure Virtual Desktop autoscale (preview) feature.

+# Autoscale (preview) glossary

+This article is a list of definitions for key terms and concepts related to the autoscale (preview) feature for Azure Virtual Desktop.

+## Autoscale

+The autoscale feature is Azure Virtual DesktopΓÇÖs native scaling service that turns VMs on and off based on the number of sessions on the session hosts in the host pool and which phase of the [scaling plan](#scaling-plan) [schedule](#schedule) the workday is in.

+## Scaling tool

+Azure Virtual DesktopΓÇÖs scaling tool uses Azure Automation and Azure Logic Apps to scale the VMs in a host pool based on how many user sessions per CPU core there are during peak and off-peak hours.

+## Scaling plan

+A scaling plan is an Azure Virtual Desktop Azure Resource Manager object that defines the schedules for scaling session hosts in a host pool. You can assign one scaling plan to multiple host pools. Each host pool can only have one scaling plan assigned to it.

+## Schedule

+Schedules are sub-resources of [scaling plans](#scaling-plan) that specify the start time, capacity threshold, minimum percentage of hosts, load-balancing algorithm, and other configuration settings for the different phases of the day.

+## Ramp up

+The ramp-up phase of a [scaling plan](#scaling-plan) [schedule](#schedule) is usually at the beginning of the work day, when users start to sign in and start their sessions. In this phase, the number of [active user sessions](#active-user-session) usually increases at a rapid pace without reaching the maximum number of active sessions for the day yet.

+## Peak

+The peak phase of a [scaling plan](#scaling-plan) [schedule](#schedule) is when your host pool reaches the maximum number of [active user sessions](#active-user-session) for the day. In this phase, the number of active sessions usually holds steady until the peak phase ends. New active user sessions can be established during this phase, but usually at a slower rate than the ramp-up phase.

+## Ramp down

+The ramp-down phase of a [scaling plan](#scaling-plan) [schedule](#schedule) is usually at the end of the work day, when users start to sign out and end their sessions for the evening. In this phase, the number of [active user sessions](#active-user-session) usually decreases rapidly.

+## Off-peak

+The off-peak phase of the [scaling plan](#scaling-plan) [schedule](#schedule) is when the host pool usually reaches the minimum number of [active user sessions](#active-user-session) for the day. During this phase, there aren't usually many active users, but you can keep a small amount of resources on to accommodate users who work after the peak and ramp-down phases.

+## Available session host

+Available session hosts are session hosts that have passed all Azure Virtual Desktop agent health checks and have VM objects that are powered on, making them available for users to start their user sessions on.

+## Capacity threshold

+The capacity threshold is the percentage of a [host pool's capacity](#available-host-pool-capacity) that, when reached, triggers a [scaling action](#scaling-action) to happen.

+For example:

+- If the [used host pool capacity](#used-host-pool-capacity) is below the capacity threshold and the autoscale feature can turn off virtual machines (VMs) without going over the capacity threshold, then the feature will turn the VMs off.

+- If the used host pool capacity goes over the capacity threshold, then the autoscale feature will turn more VMs on until the used host pool capacity goes below the capacity threshold.

+## Available host pool capacity

+Available host pool capacity is how many user sessions a host pool can host based on the number of [available session hosts](#available-session-host). The available host pool capacity is the host pool's maximum session limit multiplied by the number of [available session hosts](#available-session-host) in the host pool.

+In other words:

+Host pool maximum session limit × number of available session hosts = available host pool capacity.

+## Used host pool capacity

+The used host pool capacity is the amount of [host pool capacity](#available-host-pool-capacity) that's currently taken up by active and disconnected user sessions.

+In other words:

+The number of [active](#active-user-session) and [disconnected user sessions](#disconnected-user-session) ├╖ [the host pool capacity](#available-host-pool-capacity) = used host pool capacity.

+## Scaling action

+Scaling actions are when [the autoscale feature](#autoscale) turns VMs on or off.

+## Minimum percentage of hosts

+The minimum percentage of hosts is the lowest percentage of all session hosts in the host pool that must be turned on for each phase of the [scaling plan](#scaling-plan) [schedule](#schedule).

+## Active user session

+A user session is considered "active" when the user signs in and connects to their remote app or desktop resource.

+## Disconnected user session

+A disconnected user session is an inactive session that the user hasn't signed out of yet. When a user closes the remote session window without signing out, the session becomes disconnected. When a user reconnects to their remote resources, they'll be redirected to their disconnected session on the session host they were working on. At this point, the disconnected session becomes an [active session](#active-user-session) again.

+## Force logoff

+A force logoff, or forced sign-out, is when the service ends an [active user session](#active-user-session) or a [disconnected user session](#disconnected-user-session) without the user's consent.

+## Exclusion tag

+An exclusion tag is a property of a [scaling plan](#scaling-plan) that's a tag name you can apply to VMs that you want to exclude from [scaling actions](#scaling-action). [The autoscale feature](#autoscale) only performs scaling actions on VMs without tag names that match the exclusion tag.

+## Next steps

+- For more information about the autoscale feature, see the [autoscale feature document](autoscale-scaling-plan.md).

+- For more information about the scaling script, see the [scaling script document](set-up-scaling-script.md).

+- Learn how to troubleshoot your scaling plan at [Enable diagnostics for your scaling plan](autoscale-diagnostics.md).

+- Learn more about terms used in this article at our [autoscale glossary](autoscale-glossary.md).

+- View our [autoscale FAQ](autoscale-faq.yml) to answer commonly asked questions.

+If you'd like to learn more about terms used in this article, check out our [autoscale glossary](autoscale-glossary.md). You can also look at our [autoscale FAQ](autoscale-faq.yml) if you have additional questions.

+Use this article to resolve errors and issues when using PowerShell with Azure Virtual Desktop. For more information on Remote Desktop Services PowerShell, see [Azure Virtual Desktop PowerShell](/powershell/windows-virtual-desktop/overview).

+ Title: What's new in Azure Monitor for Azure Virtual Desktop?

+description: New features and product updates in Azure Monitor for Azure Virtual Desktop.

+# What's new in Azure Monitor for Azure Virtual Desktop?

+PowerShell: `Set-AzVmssVM -ResourceGroupName {resourceGroupName} -VMScaleSetName {vmScaleSetName} -InstanceId {instanceId} -Reimage` (for more information, see the [PowerShell documentation](/powershell/module/az.compute/set-azvmssvm))

+PowerShell: `Get-AzVmssVM -ResourceGroupName {resourceGroupName} -VMScaleSetName {vmScaleSetName}` (for more information, see the [PowerShell documentation](/powershell/module/az.compute/get-azvmssvm))

+Some database workloads like SQL Server require high memory, storage, and I/O bandwidth, but not a high core count. Many database workloads are not CPU-intensive. Azure offers certain VM sizes where you can constrain the VM vCPU count to reduce the cost of software licensing, while maintaining the same memory, storage, and I/O bandwidth.

+The licensing fees charged for SQL Server are constrained to the new vCPU count, and other products should be charged based on the new vCPU count. This results in a 50% to 75% increase in the ratio of the VM specs to active (billable) vCPUs. These new VM sizes allow customer workloads to use the same memory, storage, and I/O bandwidth while optimizing their software licensing cost. At this time, the compute cost, which includes OS licensing, remains the same one as the original size. For more information, see [Azure VM sizes for more cost-effective database workloads](https://azure.microsoft.com/blog/announcing-new-azure-vm-sizes-for-more-cost-effective-database-workloads/).

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not Supported <br>

+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not Supported <br>

+**Q: Can the ephemeral OS disk be created using PowerShell or CLI?**

+## Azure PowerShell deployment

+Azure PowerShell can be used to enable backup on a virtual machine. Once the backup is configured, first scheduled backup job will install the Vm snapshot extension on the VM.

+## Azure PowerShell deployment

+Azure PowerShell can be used to enable backup on a virtual machine. Once the backup is configured, first scheduled backup job will install the Vm snapshot extension on the VM.

+1-year and 3-year RI offerings for the VMs are no longer available; however, regular PAYGO offer can still be transacted until the official decommission date. After August 31, 2022, any remaining H-series VM subscriptions in the preceding list will be set to a deallocated state. They'll stop working and no longer incur billing charges. If you need RI, please refer to our migration documents to find the suitable VM offerings that have RI available. You can either exchange/refund your existing reservations. If you choose not to, after the hardware is deprecated you wonΓÇÖt be getting the reservation benefit but still be paying for it.

+The VHDX format is not supported in Azure, only **fixed VHD**. You can convert the disk to fixed VHD format using Hyper-V Manager or the PowerShell [convert-vhd](/powershell/module/hyper-v/convert-vhd) cmdlet. An example is as following.

+Before using the Azure CLI or Azure PowerShell, you must first connect to your Azure subscription. You do so by [Signing in with Azure CLI](/cli/azure/authenticate-azure-cli), [Signing in with Azure PowerShell](/powershell/azure/authenticate-azureps), or supplying your credentials to the Azure portal when prompted.

+ Title: Create and encrypt a Linux VM with Azure PowerShell

+description: In this quickstart, you learn how to use Azure PowerShell to create and encrypt a Linux virtual machine

+> You cannot use the portal to deploy a VM from an image in another azure tenant. To create a VM from an image shared between tenants, you must use the Azure CLI or [PowerShell](../windows/share-images-across-tenants.md).

+# NVadsA10 v5-series (Preview)

+Managed images are helpful in development and test environments where you need a consistent baseline VM. A managed image resource can be created from a generalized virtual machine (VM) that is stored as either a managed disk or an unmanaged disk in a storage account. The image can then be used to create multiple VMs. For information on how managed images are billed, see [Managed Disks pricing](https://azure.microsoft.com/pricing/details/managed-disks/).

+## Create a managed image from a VM using the portal

+1. Go to the [Azure portal](https://portal.azure.com). Search for and select **Virtual machines**.

+3. In the **Virtual machine** page for the VM, on the upper menu, select **Capture**. The **Create an image** page appears.

+4. For **Share image to Azure compute gallery**, select **No, capture only a managed image.**

+5. For **Resource Group**, you can either create the image in the same resource group as the VM or select another resource group in your subscription.

+4. For **Name**, either accept the pre-populated name or type your own name for the image.

+7. 7. If you want the ability to use the image in any [availability zone](../../availability-zones/az-overview.md), select **On** for **Zone resiliency**.

+## Create a managed image of a VM using PowerShell

+## Create a managed image from a snapshot using PowerShell

+## Create a managed image from a VM that uses a storage account

+- Learn more about using an [Azure Compute Gallery](../shared-image-galleries.md) (formerly known as Shared Image Gallery)

+Before using the Azure CLI or Azure PowerShell, you must first connect to your Azure subscription. You do so by [Signing in with Azure CLI](/cli/azure/authenticate-azure-cli), [Signing in with Azure PowerShell](/powershell/azure/authenticate-azureps), or supplying your credentials to the Azure portal when prompted.

+When using PowerShell to encrypt a new disk for Windows VMs, a new sequence version should be specified. The sequence version has to be unique. The script below generates a GUID for the sequence version. In some cases, a newly added data disk might be encrypted automatically by the Azure Disk Encryption extension. Auto encryption usually occurs when the VM reboots after the new disk comes online. This is typically caused because "All" was specified for the volume type when disk encryption previously ran on the VM. If auto encryption occurs on a newly added data disk, we recommend running the Set-AzVmDiskEncryptionExtension cmdlet again with new sequence version. If your new data disk is auto encrypted and you do not wish to be encrypted, decrypt all drives first then re-encrypt with a new sequence version specifying OS for the volume type.

+## Use PowerShell to move a VM

+| Windows 10 - Build 2009, 2004, 1909 <br/><br/>Windows 10 Enterprise multi-session - Build 2009, 2004, 1909 <br/><br/>Windows Server 2016 (version 1607)<br/><br/>Windows Server 2019 (version 1909) | [21.Q2-1](https://download.microsoft.com/download/4/e/-Azure-NVv4-Driver-21Q2-1.exe) (.exe) |

+az vm run-command show --name "myRunCommand" --vm-name "myVM" --resource-group "myRG" --instance-view

+Set-AzVMRunCommand -ResourceGroupName "myRG" -VMName "myVM" -RunCommandName "RunCommandName" ΓÇôSourceScript "Write-Host Hello World!"

+Get-AzVMRunCommand -ResourceGroupName "myRG" -VMName "myVM"

+Get-AzVMRunCommand -ResourceGroupName "myRG" -VMName "myVM" -RunCommandName "RunCommandName" -Status

+Remove-AzVMRunCommand -ResourceGroupName "myRG" -VMName "myVM" -RunCommandName "RunCommandName"

+> You cannot use the portal to deploy a VM from an image in another azure tenant. To create a VM from an image shared between tenants, you must use the [Azure CLI](../linux/share-images-across-tenants.md) or PowerShell.

+When you connect to Azure services from your private network, the recommended approach is to use [Private Link](../../private-link/private-link-overview.md).

+Private Link lets you access services in Azure from your private network without the use of a public IP address. Connecting to these services over the internet aren't necessary and are handled over the Azure backbone network. For example, when you access Azure Storage, you can use a private endpoint to ensure your connection is fully private.

+#### NAT and VM with an instance-level public IP

+*Figure: Virtual Network NAT and VM with an instance level public IP*

+| Inbound | VM with instance-level public IP |

+#### NAT and VM with a standard public load balancer

+*Figure: Virtual Network NAT and VM with a standard public load balancer*

+| Inbound | Standard public load balancer |

+#### NAT and VM with an instance-level public IP and a standard public load balancer

+*Figure: Virtual Network NAT and VM with an instance-level public IP and a standard public load balancer*

+| Inbound | VM with instance-level public IP and a standard public load balancer |

+NAT gateway can be attached to up to 16 public IP addresses. Each NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. Review the following section for details and the [troubleshooting article](./troubleshoot-nat.md) for specific problem resolution guidance.

+NAT gateway SNATs the private IP address and source port of a virtual machine (or other compute resource) to a static public IP address before going outbound to the internet from a virtual network.

+The following example flows explain the basic concept of SNAT and how it works with NAT gateway.

+When NAT gateway is configured with public IP address 65.52.1.1, the source IPs are SNAT'd into NAT gateway's public IP address as shown below:

+The source IP address and port of each flow is SNAT'd to the public IP address 65.52.1.1 (source tuple after SNAT) and to a different port for each new connection going to the same destination endpoint. The act of NAT gateway replacing all of the source ports and IPs with the public IP and port before connecting to the internet is known as *IP masquerading* or *port masquerading*. Multiple private sources are masqueraded behind a public IP.

+Azure provides ~64,000 SNAT ports per public IP address. For each public IP address attached to NAT gateway, the entire inventory of ports provided by those IPs is made available to any virtual machine instance within a subnet that is also attached to NAT gateway. NAT gateway selects a port at random out of the available inventory of ports for a virtual machine to use. Each time a new connection is made to the same destination endpoint over the internet, a new source port is used. As mentioned in the [Performance](#performance) section, NAT gateway supports up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet. NAT gateway will continue to select a new source port at random to go to the same destination endpoint until no more SNAT ports are available for use. If NAT gateway doesn't find any available SNAT ports, only then will it reuse a SNAT port. A port can be reused so long as it's going to a different destination endpoint.

+A NAT gateway will translate flow 4 to a source port that may have been recently used for a different destination endpoint. See [Scale NAT](#scale-nat) for more discussion on correctly sizing your IP address provisioning.

+- NAT gateway selects source ports at random for outbound traffic flow whereas Load Balancer selects ports sequentially.

+- NAT gateway doesn't reuse a SNAT port until no other SNAT ports are available to make new connections, whereas Load Balancer looks to select the lowest available SNAT port in sequential order.

+Any IP configuration of a virtual machine can create outbound flows on-demand as needed. Pre-allocation of SNAT ports to each virtual machine isn't required.

+After a SNAT port is released, it's available for use by any VM on subnets configured with NAT. On-demand allocation allows dynamic and divergent workloads on subnets to use SNAT ports as needed. As long as SNAT ports are available, SNAT flows will succeed. SNAT port hot spots benefit from a larger inventory. SNAT ports aren't left unused for VMs not actively needing them.

+SNAT maps private addresses to one or more public IP addresses, rewriting the source address and source port in the process. A single NAT gateway can scale up to 16 IP addresses. If a public IP prefix is provided, each IP address within the prefix provides SNAT port inventory. Adding more public IP addresses increases the available inventory of SNAT ports. TCP and UDP are separate SNAT port inventories and are unrelated to NAT gateway.

+NAT gateway opportunistically reuses source (SNAT) ports. When you scale your workload, assume that each flow requires a new SNAT port, and then scale the total number of available IP addresses for outbound traffic. Carefully consider the scale you're designing for, and then allocate IP addresses quantities accordingly.

+TCP timers determine the amount of time a connection is held between two endpoints before it's terminated and the port is available for reuse. Depending on the type of packet sent by either endpoint, a specific type of timer will be triggered.

+| TCP RST | Occurs when the private side of NAT sends an RST (reset) packet in an attempt to communicate on the TCP connection. If the RST packet isn't received by the public side of NAT, or the RST packet is returned to the private endpoint, the connection will time out and close. The public side of NAT doesn't generate TCP RST packets or any other traffic. | 10 seconds |

+After a SNAT port is no longer in use, it's available for reuse to the same destination IP address and port after 5 seconds.

+#### Timer considerations

+Design recommendations for configuring timers:

+- In an idle connection scenario, NAT gateway holds onto SNAT ports until the connection idle times out. Because long idle timeout timers can unnecessarily increase the likelihood of SNAT port exhaustion, it isn't recommended to increase the idle timeout duration to longer than the default time of 4 minutes. If a flow never goes idle, then it will not be impacted by the idle timer.

+- Basic load balancers and basic public IP addresses aren't compatible with NAT. Use standard SKU load balancers and public IPs instead.

+

+

+ - To upgrade a basic public IP address too standard, see [Upgrade a public IP address](../ip-services/public-ip-upgrade-portal.md)

+- Learn how to [troubleshoot NAT gateway](troubleshoot-nat.md).

+| Metric | Description | Recommended aggregation | Dimensions |

+Resource health isn't supported.

+description: Overview of Virtual Network NAT features, resources, architecture, and implementation. Learn how Virtual Network NAT works and how to use NAT gateway resources in Azure.

+Virtual Network NAT is a fully managed and highly resilient Network Address Translation (NAT) service. Virtual Network NAT simplifies outbound Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses the Virtual Network NAT's static public IP addresses.

+## Virtual Network NAT benefits

+With NAT, individual VMs (or other compute resources) don't need public IP addresses and can remain fully private. Resources without a public IP address can still reach external sources outside the virtual network. You can associate a public IP prefix to ensure that a contiguous set of IPs will be used for outbound. Destination firewall rules can be configured based on this predictable IP list.

+NAT is a fully managed and distributed service. It doesn't depend on any individual compute instances such as VMs or a single physical gateway device. NAT uses software defined networking making it highly resilient.

+NAT can be associated to a subnet and can be used by all compute resources in that subnet. Further, all subnets in a virtual network can use the same resource. When associated to a public IP prefix, it automatically scales to the number of IP addresses needed for outbound.

+NAT won't affect the network bandwidth of your compute resources since it's a software defined networking service. Learn more about [NAT gateway's performance](nat-gateway-resource.md#performance).

+## Virtual Network NAT basics

+NAT can be created in a specific availability zone and has redundancy built in within the specified zone. NAT is non-zonal by default. When you create [availability zones](../../availability-zones/az-overview.md) scenarios, NAT can be isolated in a specific zone. This deployment is called a zonal deployment.

+NAT is fully scaled out from the start. There's no ramp up or scale-out operation required. Azure manages the operation of NAT for you. NAT always has multiple fault domains and can sustain multiple failures without service outage.

+* Outbound connectivity can be defined for each subnet with NAT. Multiple subnets within the same virtual network can have different NATs. Or multiple subnets within the same virtual network can use the same NAT. A subnet is configured by specifying which NAT gateway resource to use. All outbound traffic for the subnet is processed by NAT automatically without any customer configuration. NAT takes precedence over other outbound scenarios and replaces the default Internet destination of a subnet.

+* NAT supports TCP and UDP protocols only. ICMP isn't supported.

+* NAT is compatible with standard SKU public IP addresses or public IP prefix resources or a combination of both. You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT will groom all traffic to the range of IP addresses of the prefix. Basic resources, such as basic load balancer or basic public IPs aren't compatible with NAT. Basic resources must be placed on a subnet not associated to a NAT Gateway. Basic load balancer and basic public IP can be upgraded to standard to work with NAT gateway.

+

+* To upgrade a basic load balancer to standard, see [Upgrade a public Azure Load Balancer](../../load-balancer/upgrade-basic-standard.md)

+* To upgrade a basic public IP to standard, see [Upgrade a public IP address](../ip-services/public-ip-upgrade-portal.md)

+* NAT is the recommended method for outbound connectivity. A NAT gateway doesn't have the same limitations of SNAT port exhaustion as does [default outbound access](../ip-services/default-outbound-access.md) and [outbound rules of a load balancer](../../load-balancer/outbound-rules.md).

+ * To migrate outbound access to a NAT gateway from default outbound access or from load balancer outbound rules, see [Migrate outbound access to Azure Virtual Network NAT](./tutorial-migrate-outbound-nat.md)

+* NAT canΓÇÖt be associated to an IPv6 public IP address or IPv6 public IP prefix. It can be associated to a dual stack subnet.

+* NAT allows flows to be created from the virtual network to the services outside your virtual network. Return traffic from the Internet is only allowed in response to an active flow. Services outside your virtual network canΓÇÖt initiate an inbound connection through NAT gateway.

+* NAT canΓÇÖt span multiple virtual networks.

+* Multiple NATs canΓÇÖt be attached to a single subnet.

+* NAT canΓÇÖt be deployed in a [gateway subnet](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub)

+* The private side of NAT (virtual machine instances or other compute resources) sends TCP reset packets for attempts to communicate on a TCP connection that doesn't exist. One example is connections that have reached idle timeout. The next packet received will return a TCP reset to the private IP address to signal and force connection closure. The public side of NAT doesn't generate TCP reset packets or any other traffic. Only traffic produced by the customer's virtual network is emitted.

+For pricing details, see [Virtual network pricing](https://azure.microsoft.com/pricing/details/virtual-network). NAT data path is at least 99.9% available.

+[Virtual Network NAT gateway](./nat-overview.md#virtual-network-nat-basics) supports IPv4 UDP and TCP protocols. ICMP is not supported and is expected to fail.