+ "surname":"Smith",

+While you can use pre-made [custom policy starter pack](/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#custom-policy-starter-pack), it's important for you understand how custom policy is built from scratch. In this how-to guide series, you'll learn what you need to understand for you to customize the behavior of your user experience by using custom policies. At the end of this how-to guide series, you should be able to read and understand existing custom policies or write your own from scratch.

+- [Write your first Azure Active Directory B2C custom policy - Hello World!](custom-policies-series-hello-world.md)

+- [src/pages/Hello.jsx](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/1-call-api-obo/SPA/src/pages/Home.jsx) - Demonstrate how to call a protected resource with OAuth2 bearer token.

+|{Settings:DfpEnvironment}| The ID of the DFP environment.|Environment ID is a global unique identifier of the DFP environment that you sends the data to. Your custom policy should invoke the API endpoint including the `x-ms-dfpenvid=<your-env-id>` in the query string parameter.|

+> [!IMPORTANT]

+> Authenticator app (TOTP) provides stronger security than SMS/Phone multi-factor authentication. To set this up please read our instructions for [enabling multi-factor authentication in Azure Active Directory B2C](multi-factor-authentication.md).

+- [Manage your Azure Active Directory B2C tenant](tenant-management-manage-administrator.md)

+- [Manage your Azure Active Directory B2C tenant](tenant-management-manage-administrator.md)

+### Two users in the source tenant matched with the same user in the target tenant

+When two users in the source tenant have the same mail, and they both need to be created in the target tenant, one user will be created in the target and linked to the two users in the source. Please ensure that the mail attribute is not shared among users in the source tenant. In addition, please ensure that the mail of the user in the source tenant is from a verified domain. The external user will not be created successfully if the mail is from an unverified domain.

+For independent software vendors: The Microsoft Azure Active Directory Application Gallery Terms & Conditions, excluding Sections 2ΓÇô4, apply to this Partner-Driven Integrations Catalog (the ΓÇ£Integrations CatalogΓÇ¥). References to the ΓÇ£GalleryΓÇ¥ shall be read as the ΓÇ£Integrations CatalogΓÇ¥ and references to an ΓÇ£AppΓÇ¥ shall be read as ΓÇ£IntegrationΓÇ¥.

+1. [Integrate your SCIM endpoint](#integrate-your-scim-endpoint-with-the-azure-ad-provisioning-service) with the Azure AD Provisioning Service. Azure AD supports several third-party applications that implement SCIM 2.0. If you use one of these apps, then you can quickly automate both provisioning and deprovisioning of users and groups.

+1. Check if the attributes are already defined in the **core** user schema or **enterprise** user schema. If not, you must define an extension to the user schema that covers the missing attributes. See example for an extension to the user to allow provisioning a user `tag`.

+1. Map SCIM attributes to the user attributes in Azure AD. If one of the attributes you've defined in your SCIM endpoint doesn't have a clear counterpart on the Azure AD user schema, guide the tenant administrator to extend their schema, or use an extension attribute as shown in the example for the `tags` property.

+|Query users or groups|[Section 3.4.2](https://tools.ietf.org/html/rfc7644#section-3.4.2). By default, users are retrieved with their `id` and queried with their `username` and `externalId`, and groups are queried with `displayName`.|

+|Support the /Schemas endpoint|[Section 7](https://tools.ietf.org/html/rfc7643#page-30) The schema discovery endpoint is used to discover more attributes.|

+> To understand how and when the Azure AD user provisioning service emits the operations described in the example, see the section [Provisioning cycles: Initial and incremental](how-provisioning-works.md#provisioning-cycles-initial-and-incremental) in [How provisioning works](how-provisioning-works.md).

+All services must be configured to use the following cipher suites, in the exact order specified in the example. If you only have an RSA certificate, installed the ECDSA cipher suites don't have any effect. </br>

+> * Support the OAuth authorization code grant or a long lived token as described in the example (Required)

+| .NET Client, Windows Store, UWP, Xamarin iOS and Android |ADAL .NET v3 |[NuGet](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) |[GitHub](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet) | [Desktop app](../develop/quickstart-v2-windows-desktop.md) | |

+To compute the assertion, you can use one of the many JWT libraries in the language of your choice - [MSAL supports this using `.WithCertificate()`](msal-net-client-assertions.md). The information is carried by the token in its **Header**, **Claims**, and **Signature**.

+`exp` | 1601519414 | The "exp" (expiration time) claim identifies the expiration time on or after which the JWT **must not** be accepted for processing. See [RFC 7519, Section 4.1.4](https://tools.ietf.org/html/rfc7519#section-4.1.4). This allows the assertion to be used until then, so keep it short - 5-10 minutes after `nbf` at most. Azure AD does not place restrictions on the `exp` time currently.

+`iss` | {ClientID} | The "iss" (issuer) claim identifies the principal that issued the JWT, in this case your client application. Use the GUID application ID.

+`jti` | (a Guid) | The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value **must** be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" value is a case-sensitive string. [RFC 7519, Section 4.1.7](https://tools.ietf.org/html/rfc7519#section-4.1.7)

+`nbf` | 1601519114 | The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. [RFC 7519, Section 4.1.5](https://tools.ietf.org/html/rfc7519#section-4.1.5). Using the current time is appropriate.

+In the **App registrations** tab for the client application:

+Client assertions can be used anywhere a client secret would be used. For example, in the [authorization code flow](v2-oauth2-auth-code-flow.md), you can pass in a `client_secret` to prove that the request is coming from your app. You can replace this with `client_assertion` and `client_assertion_type` parameters.

+|`client_assertion`| `JWT` |This is the JWT created above. |

+Knowing about OAuth or OpenID Connect (OIDC) at the protocol level is not required to use the Microsoft identity platform. However, you will encounter protocol terms and concepts as you use the identity platform to add authentication to your apps. As you work with the Azure portal, our documentation, and authentication libraries, knowing some fundamentals can assist your integration and overall experience.

+Four parties are usually involved in an OAuth 2.0 and OpenID Connect authentication and authorization exchange. These exchanges are often called *authentication flows* or *auth flows*.

+* **Authorization server** - The identity platform is the authorization server. Also called an *identity provider* or *IdP*, it securely handles the end-user's information, their access, and the trust relationships between the parties in the auth flow. The authorization server issues the security tokens your apps and APIs use for granting, denying, or revoking access to resources (authorization) after the user has signed in (authenticated).

+* **Resource owner** - The resource owner in an auth flow is usually the application user, or *end-user* in OAuth terminology. The end-user "owns" the protected resource (their data) which your app accesses on their behalf. The resource owner can grant or deny your app (the client) access to the resources they own. For example, your app might call an external system's API to get a user's email address from their profile on that system. Their profile data is a resource the end-user owns on the external system, and the end-user can consent to or deny your app's request to access their data.

+The parties in an authentication flow use **bearer tokens** to assure, verify, and authenticate a principal (user, host, or service) and to grant or deny access to protected resources (authorization). Bearer tokens in the identity platform are formatted as [JSON Web Tokens](https://tools.ietf.org/html/rfc7519) (JWT).

+Three types of bearer tokens are used by the identity platform as *security tokens*:

+* [Refresh tokens](refresh-tokens.md) - The client uses a refresh token, or *RT*, to request new access and ID tokens from the authorization server. Your code should treat refresh tokens and their string content as sensitive data because they're intended for use only by authorization server.

+Your client app needs a way to trust the security tokens issued to it by the identity platform. The first step in establishing trust is by [registering your app](quickstart-register-app.md). When you register your app, the identity platform automatically assigns it some values, while others you configure based on the application's type.

+* **Application (client) ID** - Also called *application ID* and *client ID*, this value is assigned to your app by the identity platform. The client ID uniquely identifies your app in the identity platform and is included in the security tokens the platform issues.

+The identity platform offers authentication and authorization services using standards-compliant implementations of OAuth 2.0 and OpenID Connect (OIDC) 1.0. Standards-compliant authorization servers like the identity platform provide a set of HTTP endpoints for use by the parties in an auth flow to execute the flow.

+The endpoint URIs for your app are generated automatically when you register or configure your app. The endpoints you use in your app's code depend on the application's type and the identities (account types) it should support.

+**We strongly advise against crafting your own library or raw HTTP calls to execute authentication flows.** A [Microsoft Authentication Library](reference-v2-libraries.md) is safer and much easier. However, if your scenario prevents you from using our libraries or you'd just like to learn more about the identity platform's implementation, we have protocol reference:

+Certain web APIs such as the Azure Resource Manager API (`https://management.core.windows.net/`) expect a trailing forward slash (`/`) in the audience claim (`aud`) of the access token. In this case, pass the scope as `https://management.core.windows.net//user_impersonation`, including the double forward slash (`//`).

+Application source code should first try to get a token silently from the cache. If the method call returns a "UI required" error or exception, try acquiring a token by other means.

+For confidential client applications (web app, web API, or a daemon application like a Windows service), you can;

+In this quickstart, you'll register a web API with the Microsoft identity platform and expose it to client apps by adding a scope. By registering your web API and exposing it through scopes, you can provide permissions-based access to its resources to authorized users and client apps that access your API.

+With the web API registered, you can add scopes to the API's code so it can provide granular permission to consumers.

+If you have successfully added both example scopes described in the previous sections, they'll appear in the **Expose an API** pane of your web API's app registration, similar to the following image:

+In the next article in this series, you configure a client app's registration with access to your web API and the scopes you defined by following the steps in this article.

+Once a client app registration is granted permission to access your web API, the client can be issued an OAuth 2.0 access token by the identity platform. When the client calls the web API, it presents an access token whose scope (`scp`) claim is set to the permissions you've specified in the client's app registration.

+You can expose additional scopes later as necessary. Consider that your web API can expose multiple scopes associated with several operations. Your resource can control access to the web API at runtime by evaluating the scope (`scp`) claims in the OAuth 2.0 access token it receives.

+In this tutorial, you'll build a native Windows Desktop .NET (XAML) app that signs in users and gets an access token to call the Microsoft Graph API.

+When you've completed the guide, your application will able to call a protected API that uses personal accounts (including outlook.com, live.com, and others). The application will also use work and school accounts from any company or organization that uses Azure Active Directory (Azure AD).

+>

+> - Create a _Windows Presentation Foundation (WPF)_ project in Visual Studio

+> - Install the Microsoft Authentication Library (MSAL) for .NET

+> - Register the application in the Azure portal

+> - Add code to support user sign-in and sign-out

+> - Add code to call Microsoft Graph API

+> - Test the app

+- [.NET Framework 4.8](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net48)

+- [Visual Studio 2019](https://visualstudio.microsoft.com/vs/)

+| Library | Description |

+| - | - |

+| [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client) | Microsoft Authentication Library (MSAL.NET) |

+In this section you'll create a new project to demonstrate how to integrate a Windows Desktop .NET application (XAML) with _Sign-In with Microsoft_ so that the application can query web APIs that require a token.

+The application that you'll create displays a button that'll call the Microsoft Graph API, an area to display the results, and a sign-out button.

+Create the application using the following steps:

+1. Open Visual Studio

+1. On the start window, select **Create a new project**.

+1. In the **All language** dropdown, select **C#**.

+1. Search for and choose the **WPF App (.NET Framework)** template, and then select Next.

+1. In the **Project name** box, enter a name like _Win-App-calling-MsGraph_.

+1. Choose a **Location** for the project or accept the default option.

+1. In the **Framework**, select **.NET framework 4.8**.

+1. Select **Create**.

+ ```powershell

+ Install-Package Microsoft.Identity.Client -Pre

+ ```

+Use the following steps to register your application:

+1. Follow the instructions to download and automatically configure your new application.

+To register and configure your application, follow these steps:

+1. Open the _App.xaml.cs_ file, and then add the reference for MSAL to the class:

+ ```csharp

+ using Microsoft.Identity.Client;

+ ```

+ <!-- Workaround for Docs conversion bug -->

+2. Update the app class to the following:

+ ```csharp

+ public partial class App : Application

+ {

+ static App()

+ {

+ _clientApp = PublicClientApplicationBuilder.Create(ClientId)

+ .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)

+ .WithDefaultRedirectUri()

+ .Build();

+ }

+ // Below are the clientId (Application Id) of your app registration and the tenant information.

+ // You have to replace:

+ // - the content of ClientID with the Application Id for your app registration

+ // - the content of Tenant by the information about the accounts allowed to sign-in in your application:

+ // - For Work or School account in your org, use your tenant ID, or domain

+ // - for any Work or School accounts, use `organizations`

+ // - for any Work or School accounts, or Microsoft personal account, use `common`

+ // - for Microsoft Personal account, use consumers

+ private static string ClientId = "Enter_the_Application_Id_here";

+ private static string Tenant = "common";

+ private static IPublicClientApplication _clientApp ;

+ public static IPublicClientApplication PublicClientApp { get { return _clientApp; } }

+ }

+ ```

+A _MainWindow.xaml_ file is automatically be created as a part of your project template. Open this file, and then replace your application's _\<Grid>_ node with the following code:

+1. In the _MainWindow.xaml.cs_ file, add the reference for MSAL to the class:

+ ```csharp

+ using Microsoft.Identity.Client;

+ ```

+2. Replace the `MainWindow` class code with the following code:

+ ```csharp

+ public partial class MainWindow : Window

+ {

+ //Set the API Endpoint to Graph 'me' endpoint

+ string graphAPIEndpoint = "https://graph.microsoft.com/v1.0/me";

+ //Set the scope for API call to user.read

+ string[] scopes = new string[] { "user.read" };

+ public MainWindow()

+ {

+ InitializeComponent();

+ }

+ /// <summary>

+ /// Call AcquireToken - to acquire a token requiring user to sign-in

+ /// </summary>

+ private async void CallGraphButton_Click(object sender, RoutedEventArgs e)

+ {

+ AuthenticationResult authResult = null;

+ var app = App.PublicClientApp;

+ ResultText.Text = string.Empty;

+ TokenInfoText.Text = string.Empty;

+ var accounts = await app.GetAccountsAsync();

+ var firstAccount = accounts.FirstOrDefault();

+ try

+ {

+ authResult = await app.AcquireTokenSilent(scopes, firstAccount)

+ .ExecuteAsync();

+ }

+ catch (MsalUiRequiredException ex)

+ {

+ // A MsalUiRequiredException happened on AcquireTokenSilent.

+ // This indicates you need to call AcquireTokenInteractive to acquire a token

+ System.Diagnostics.Debug.WriteLine($"MsalUiRequiredException: {ex.Message}");

+ try

+ {

+ authResult = await app.AcquireTokenInteractive(scopes)

+ .WithAccount(accounts.FirstOrDefault())

+ .WithPrompt(Prompt.SelectAccount)

+ .ExecuteAsync();

+ }

+ catch (MsalException msalex)

+ {

+ ResultText.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";

+ }

+ }

+ catch (Exception ex)

+ {

+ ResultText.Text = $"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}";

+ return;

+ }

+ if (authResult != null)

+ {

+ ResultText.Text = await GetHttpContentWithToken(graphAPIEndpoint, authResult.AccessToken);

+ DisplayBasicTokenInfo(authResult);

+ this.SignOutButton.Visibility = Visibility.Visible;

+ }

+ }

+ }

+ ```

+Calling the `AcquireTokenInteractive` method results in a window that prompts users to sign in. Applications usually require users to sign in interactively the first time they need to access a protected resource. They might also need to sign in when a silent operation to acquire a token fails (for example, when a userΓÇÖs password is expired).

+Eventually, the `AcquireTokenSilent` method may fail. Reasons for failure might be that the user has either signed out or changed their password on another device. When MSAL detects that the issue can be resolved by requiring an interactive action, it fires an `MsalUiRequiredException` exception. Your application can handle this exception in two ways:

+- It can make a call against `AcquireTokenInteractive` immediately. This call results in prompting the user to sign in. This pattern is used in online applications where there's no available offline content for the user. The sample generated by this setup follows this pattern, which can be seen in action the first time you execute the sample.

+- Because no user has used the application, `PublicClientApp.Users.FirstOrDefault()` contains a null value, and an `MsalUiRequiredException` exception is thrown.

+- The code in the sample then handles the exception by calling `AcquireTokenInteractive`, which results in prompting the user to sign in.

+- It can instead present a visual indication to users that an interactive sign-in is required, so that they can select the right time to sign in. Or the application can retry `AcquireTokenSilent` later. This pattern is frequently used when users can use other application functionality without disruption. For example, when offline content is available in the application. In this case, users can decide when they want to sign in to either access the protected resource or refresh the outdated information. Alternatively, the application can decide to retry `AcquireTokenSilent` when the network is restored after having been temporarily unavailable.

+In this sample application, you use the `GetHttpContentWithToken` method to make an HTTP `GET` request against a protected resource that requires a token and then return the content to the caller. This method adds the acquired token in the HTTP Authorization header. For this sample, the resource is the Microsoft Graph API _me_ endpoint, which displays the user's profile information.

+The `SignOutButton_Click` method removes users from the MSAL user cache, which effectively tells MSAL to forget the current user so that a future request to acquire a token succeeds only if it's made to be interactive.

+To display basic information about the token, add the following method to your _MainWindow.xaml.cs_ file:

+In addition to the access token that's used to call the Microsoft Graph API, after the user signs in, MSAL also obtains an ID token. This token contains a small subset of information that's pertinent to users. The `DisplayBasicTokenInfo` method displays the basic information that's contained in the token. For example, it displays the user's display name and ID, as well as the token expiration date and the string representing the access token itself. You can select the _Call Microsoft Graph API_ button multiple times and see that the same token was reused for subsequent requests. You can also see the expiration date being extended when MSAL decides it's time to renew the token.

+> [!div class="nextstepaction"]

+ Title: B2B direct connect Azure AD overview

+The default cross-tenant access settings apply to all external Azure AD organizations, except organizations for which you've configured individual settings. Initially, Azure AD blocks all inbound and outbound B2B direct connect capabilities by default for all external Azure AD tenants. You can change these default settings, but typically you can leave them as-is and enable B2B direct connect access with individual organizations.

+You can configure organization-specific settings by adding the organization and modifying the cross-tenant access settings. These settings then take precedence over the default settings for this organization.

+Starting from the example above, Contoso could also choose to allow only the Fabrikam Marketing group to collaborate with Contoso's users through B2B direct connect. In this case, Contoso needs to obtain the Marketing group's object ID from Fabrikam. Then, instead of allowing inbound access to all Fabrikam's users, they'll configure their Fabrikam-specific access settings as follows:

+In the resource organization, the Teams shared channel owner can search within Teams for users from an external organization and add them to the shared channel. After they're added, the B2B direct connect users can access the shared channel from within their home instance of Teams, where they collaborate using features such as chat, calls, file-sharing, and app-sharing. For details, see [Overview of teams and channels in Microsoft Teams](/microsoftteams/teams-channels-overview). For details about the resources, files, and applications that are available to the B2B direct connect user via the Teams shared channel refer to [Chat, teams, channels, & apps in Microsoft Teams](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page).

+B2B collaboration and B2B direct connect are two different approaches to sharing with users outside of your organization. You can find a [feature-to-feature comparison](external-identities-overview.md#comparing-external-identities-feature-sets) in the External Identities overview, where we discuss some key differences in how users are managed, and how they access resources.

+# Customer intent: As a tenant administrator, I want to make sure that my users can authenticate themselves with one-time passcode.

+Guest user nicole@firstupconsultants.com is invited to Fabrikam, which doesn't have Google federation set up. Nicole doesn't have a Microsoft account. They'll receive a one-time passcode for authentication.

+6. Select **Save**.

+No, the global rollout of the change to enable email one-time passcode by default doesn't include enabling SharePoint and OneDrive integration with Azure AD B2B by default.To learn how to enable or disable the integration of SharePoint and OneDrive with Azure AD B2B for secure collaboration, see [SharePoint and OneDrive Integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration).

+Learn about [Identity Providers for External Identities](identity-providers.md), and how to reset [redemption status for a guest user](reset-redemption-status.md).

+ Title: Azure AD B2B collaboration overview

+A simple invitation and redemption process lets partners use their own credentials to access your company's resources. You can also enable self-service sign-up user flows to let external users sign up for apps or resources themselves. Once the external user has redeemed their invitation or completed sign-up, they're represented in your directory as a [user object](user-properties.md). The user type for these B2B collaboration users is typically set to "guest" and their user principal name contains the #EXT# identifier.

+You can [enable integration with SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration) to share files, folders, list items, document libraries, and sites with people outside your organization, while using Azure B2B for authentication and management. The users you share resources with are typically guest users in your directory, and permissions and groups work the same for these guests as they do for internal users. When enabling integration with SharePoint and OneDrive, you also enable the [email one-time passcode](one-time-passcode.md) feature in Azure AD B2B to serve as a fallback authentication method.

+- [Invitation email](invitation-email-elements.md)

+- [B2B direct connect](b2b-direct-connect-overview.md)

+Lifecycle Workflows introduce a history feature based on summaries and details. These history summaries allow you to quickly get information about for who a workflow ran, and whether or not this run was successful. This is valuable because the large set of information given by audit logs might become too numerous to be efficiently used. To make a large set of information processed easier to read, Lifecycle Workflows provide summaries for quick use. You can view these history summaries in three ways:

+- **Users summary**: Shows a summary of users processed by a workflow. Successfully, failed, and total ran information for each specific user is shown.

+Summaries allow you to quickly gain details about how a workflow ran for itself, or users, without going into further details in logs. For a step by step guide on getting this information, see [Check the status of a workflow (Preview)](check-status-workflow.md).

+Separating processing of the workflow from the tasks is important because, in a workflow, processing a user certain tasks could be successful, while others could fail. Whether or not a task runs after a failed task in a workflow depends on parameters such as enabling continue On Error, and their placement within the workflow. For more information, see [Common task parameters (preview)](lifecycle-workflow-tasks.md#common-task-parameters-preview).

+Software as a service (SaaS) and line of business (LoB) applications often rely on UPNs to find users and store user profile information, including roles. Applications potentially affected by UPN changes use just-in-time (JIT) provisioning to create a user profile when users initially sign in to the app.

+* Provisioning a role or permission profile for a user in Docusign can be accomplished by using an expression in your attribute mappings using the [switch](../app-provisioning/functions-for-customizing-application-data.md#switch) and [singleAppRoleAssignment](../app-provisioning/functions-for-customizing-application-data.md#singleapproleassignment) functions. For example, the expression below will provision the ID "8032066" when a user has the "DS Admin" role assigned in Azure AD. It will not provision any permission profile if the user isn't assigned a role on the Azure AD side. The ID can be retrieved from the DocuSign [portal](https://support.docusign.com/).

+ > The value is not real. Update the value with the actual Sign-On URL. Contact [SpringCM Client support team](https://support.docusign.com/s/) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+You can set up the AKS to ACR integration using the Azure CLI or Azure PowerShell. The AKS to ACR integration assigns the [**AcrPull** role][acr-pull] to the [Azure Active Directory (Azure AD) **managed identity**][aad-identity] associated with the agent pool in your AKS cluster. For more information on AKS managed identities, see [Summary of managed identities][summary-msi].

+> There is a latency issue with Azure Active Directory groups when attaching ACR. If the AcrPull role is granted to an Azure AD group and the kubelet identity is added to the group to complete the RBAC configuration, there may be a delay before the RBAC group takes effect. If you are running automation that requires the RBAC configuration to be complete, we recommended you use the [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Azure AD group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Azure AD group before a token is generated by kubelet, which avoids the latency issue.

+Accessing a private AKS cluster requires that you connect to that cluster either from the cluster virtual network, from a peered network, or via a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a *jumpbox* within the cluster virtual network, or creating a private endpoint inside of another virtual network. Alternatively, you can use `command invoke` to access private clusters without having to configure a VPN or Express Route. Using `command invoke` allows you to remotely invoke commands like `kubectl` and `helm` on your private cluster through the Azure API without directly connecting to the cluster. Permissions for using `command invoke` are controlled through the `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` actions.

+In AKS, the VM image for your cluster's nodes is based on Ubuntu Linux, [Mariner Linux](use-mariner.md), or Windows Server 2019. When you create an AKS cluster or scale out the number of nodes, the Azure platform automatically creates and configures the requested number of VMs. Agent nodes are billed as standard VMs, so any VM size discounts (including [Azure reservations][reservation-discounts]) are automatically applied.

+AKS nodes are Azure virtual machines (VMs) that you manage and maintain.

+* Linux nodes run optimized versions of Ubuntu or Mariner.

+ # Patch the Persistent Volume in case ReclaimPolicy is Delete

+ # Patch the Persistent Volume in case ReclaimPolicy is Delete

+ * Prepare a local machine with Unix-like operating system installed (for example, Ubuntu, Mariner, macOS, Windows Subsystem for Linux).

+You can use the [`az network vnet subnet list`][az-network-vnet-subnet-list] Azure CLI command or the [`Get-AzVirtualNetworkSubnetConfig`][get-azvirtualnetworksubnetconfig] PowerShell cmdlet to get the subnets in your virtual network.

+[az-network-vnet-subnet-list]: /cli/azure/network/vnet/subnet#az-network-vnet-subnet-list

+[get-azvirtualnetworksubnetconfig]: /powershell/module/az.network/get-azvirtualnetworksubnetconfig

+description: Learn how to terminate a long running operation on an Azure Kubernetes Service cluster at the node pool or cluster level.

+description: Learn how to use Azure AD in Azure Kubernetes Service (AKS)

+In an AKS cluster, your Kubernetes nodes run as Azure virtual machines (VMs). These Linux-based VMs use an Ubuntu or Mariner image, with the OS configured to automatically check for updates every day. If security or kernel updates are available, they are automatically downloaded and installed.

+ Title: Use a static IP with a load balancer in Azure Kubernetes Service (AKS)

+When you create a load balancer resource in an Azure Kubernetes Service (AKS) cluster, the public IP address assigned to it is only valid for the lifespan of that resource. If you delete the Kubernetes service, the associated load balancer and IP address are also deleted. If you want to assign a specific IP address or retain an IP address for redeployed Kubernetes services, you can create and use a static public IP address.

+* This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

+* You need the Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* This article covers using a *Standard* SKU IP with a *Standard* SKU load balancer. For more information, see [IP address types and allocation methods in Azure][ip-sku].

+1. Use the `az aks show`[az-aks-show] command to get the node resource group name of your AKS cluster, which follows this format: `MC_<resource group name>_<AKS cluster name>_<region>`.

+ ```azurecli-interactive

+ az aks show \

+ --resource-group myResourceGroup \

+ --name myAKSCluster

+ --query nodeResourceGroup

+ --output tsv

+ ```

+2. Use the [`az network public ip create`][az-network-public-ip-create] command to create a static public IP address. The following example creates a static IP resource named *myAKSPublicIP* in the *MC_myResourceGroup_myAKSCluster_eastus* node resource group.

+ ```azurecli-interactive

+ az network public-ip create \

+ --resource-group MC_myResourceGroup_myAKSCluster_eastus \

+ --name myAKSPublicIP \

+ --sku Standard \

+ --allocation-method static

+ ```

+ > [!NOTE]

+ > If you're using a *Basic* SKU load balancer in your AKS cluster, use *Basic* for the `--sku` parameter when defining a public IP. Only *Basic* SKU IPs work with the *Basic* SKU load balancer and only *Standard* SKU IPs work with *Standard* SKU load balancers.

+3. After you create the static public IP address, use the [`az network public-ip list`][az-network-public-ip-list] command to get the IP address. Specify the name of the node resource group and public IP address you created, and query for the *ipAddress*.

+ ```azurecli-interactive

+ az network public-ip show --resource-group MC_myResourceGroup_myAKSCluster_eastus --name myAKSPublicIP --query ipAddress --output tsv

+ ```

+1. Before creating a service, use the [`az role assignment create`][az-role-assignment-create] command to ensure the cluster identity used by the AKS cluster has delegated permissions to the node resource group.

+ ```azurecli-interactive

+ az role assignment create \

+ --assignee <Client ID> \

+ --role "Network Contributor" \

+ --scope /subscriptions/<subscription id>/resourceGroups/<MC_myResourceGroup_myAKSCluster_eastus>

+ ```

+ > [!IMPORTANT]

+ > If you customized your outbound IP, make sure your cluster identity has permissions to both the outbound public IP and the inbound public IP.

+2. Create a file named `load-balancer-service.yaml` and copy in the contents of the following YAML file, providing your own public IP address created in the previous step and the node resource group name.

+ ```yaml

+ apiVersion: v1

+ kind: Service

+ metadata:

+ annotations:

+ service.beta.kubernetes.io/azure-load-balancer-resource-group: MC_myResourceGroup_myAKSCluster_eastus

+ name: azure-load-balancer

+ spec:

+ loadBalancerIP: 40.121.183.52

+ type: LoadBalancer

+ ports:

+ - port: 80

+ selector:

+ app: azure-load-balancer

+ ```

+3. Use the `kubectl apply` command to create the service and deployment.

+```console

+kubectl apply -f load-balancer-service.yaml

+## Apply a DNS label to the service

+If your service uses a dynamic or static public IP address, you can use the `service.beta.kubernetes.io/azure-dns-label-name` service annotation to set a public-facing DNS label. This publishes a fully qualified domain name (FQDN) for your service using Azure's public DNS servers and top-level domain. The annotation value must be unique within the Azure location, so it's recommended to use a sufficiently qualified label. Azure automatically appends a default suffix in the location you selected, such as `<location>.cloudapp.azure.com`, to the name you provide, creating the FQDN.

+ service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel

+To see the DNS label for your load balancer, run the following command:

+kubectl describe service azure-load-balancer

+The DNS label will be listed under the `Annotations`, as shown in the following condensed example output:

+```console

+Name: azure-load-balancer

+Namespace: default

+Labels: <none>

+Annotations: service.beta.kuberenetes.io/azure-dns-label-name: myserviceuniquelabel

+...

+> [!NOTE]

+If the static IP address defined in the *loadBalancerIP* property of the Kubernetes service manifest doesn't exist or hasn't been created in the node resource group and there are no additional delegations configured, the load balancer service creation fails. To troubleshoot, review the service creation events using the [`kubectl describe`][kubectl-describe] command. Provide the name of the service specified in the YAML manifest, as shown in the following example:

+The output will show you information about the Kubernetes service resource. The following example output shows a `Warning` in the `Events`: "`user supplied IP address was not found`." In this scenario, make sure you've created the static public IP address in the node resource group and that the IP address specified in the Kubernetes service manifest is correct.

+```console

+For additional control over the network traffic to your applications, you may want to [create an ingress controller][aks-ingress-basic]. You can also [create an ingress controller with a static public IP address][aks-static-ingress].

+[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create

+[az-aks-show]: /cli/azure/aks#az-aks-show

+# Tutorial: Deploy and use Azure Container Registry (ACR)

+Azure Container Registry (ACR) is a private registry for container images. A private container registry allows you to securely build and deploy your applications and custom code. In this tutorial, part two of seven, you deploy an ACR instance and push a container image to it. You learn how to:

+>

+> * Create an ACR instance

+In later tutorials, you integrate your ACR instance with a Kubernetes cluster in AKS, and deploy an application from the image.

+In the [previous tutorial][aks-tutorial-prepare-app], you created a container image for a simple Azure Voting application. If you haven't created the Azure Voting app image, return to [Tutorial 1: Prepare an application for AKS][aks-tutorial-prepare-app].

+Before creating an ACR, you need a resource group. An Azure resource group is a logical container into which you deploy and manage Azure resources.

+1. Create a resource group with the [`az group create`][az-group-create] command.

+2. Create an ACR instance with the [`az acr create`][az-acr-create] command and provide your own unique registry name. The registry name must be unique within Azure, and contain 5-50 alphanumeric characters. In the rest of this tutorial, `<acrName>` is used as a placeholder for the container registry name. The *Basic* SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput.

+1. Create a resource group with the [`New-AzResourceGroup`][new-azresourcegroup] cmdlet.

+2. Create an ACR instance with the [`New-AzContainerRegistry`][new-azcontainerregistry] cmdlet and provide your own unique registry name. The registry name must be unique within Azure, and contain 5-50 alphanumeric characters. In the rest of this tutorial, `<acrName>` is used as a placeholder for the container registry name. The *Basic* SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput.

+Log in to your ACR using the [`az acr login`][az-acr-login] command and provide the unique name given to the container registry in the previous step.

+Log in to your ACR using the [`Connect-AzContainerRegistry`][connect-azcontainerregistry] cmdlet and provide the unique name given to the container registry in the previous step.

+To see a list of your current local images, use the [`docker images`][docker-images] command.

+The following example output shows a list of the current local Docker images:

+To use the *azure-vote-front* container image with ACR, you need to tag the image with the login server address of your registry. The tag is used for routing when pushing container images to an image registry.

+To get the login server address, use the [`az acr list`][az-acr-list] command and query for the *loginServer*.

+To get the login server address, use the [`Get-AzContainerRegistry`][get-azcontainerregistry] cmdlet and query for the *loginServer*.

+Then, tag your local *azure-vote-front* image with the *acrLoginServer* address of the container registry. To indicate the image version, add *:v1* to the end of the image name:

+To verify the tags are applied, run [`docker images`][docker-images] again.

+The following example output shows an image tagged with the ACR instance address and a version number:

+```console

+Push the *azure-vote-front* image to your ACR instance using the [`docker push`][docker-push] command. Make sure to provide your own *acrLoginServer* address for the image name.

+To return a list of images that have been pushed to your ACR instance, use the [`az acr repository list`][az-acr-repository-list] command, providing your own `<acrName>`.

+To see the tags for a specific image, use the [`az acr repository show-tags`][az-acr-repository-show-tags] command.

+To return a list of images that have been pushed to your ACR instance, use the [`Get-AzContainerRegistryManifest`][get-azcontainerregistrymanifest] cmdlet, providing your own `<acrName>`.

+To see the tags for a specific image, use the [`Get-AzContainerRegistryTag`][get-azcontainerregistrytag] cmdlet as follows:

+In this tutorial, you created an ACR and pushed an image to use in an AKS cluster. You learned how to:

+>

+> * Create an ACR instance

+In the next tutorial, you'll learn how to deploy a Kubernetes cluster in Azure.

+[Determine how many hosts you would need based on the expected VM Utilization][determine-host-based-on-vm-utilization].

+Evaluate [host utilization][host-utilization-evaluate] to determine the number of allocatable VMs by size before you deploy.

+For more information about the host SKUs and pricing, see [Azure Dedicated Host pricing][azure-dedicated-host-pricing].

+[azure-dedicated-host-pricing]: https://azure.microsoft.com/pricing/details/virtual-machines/dedicated-host/

+[determine-host-based-on-vm-utilization]: ../virtual-machines/dedicated-host-general-purpose-skus.md

+[host-utilization-evaluate]: ../virtual-machines/dedicated-hosts-how-to.md#check-the-status-of-the-host

+* `azure.workload.identity/proxy-sidecar-port` - value is the desired port for the proxy sidecar. The default value is `8000`.

+ value: "8000"

+ - containerPort: 8000

+[kubelet-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs

+1. Select **Next: Contact information** and supply your information as required by [ICANN](https://lookup.icann.org/) for the domain registration.

+> Azure Database for MySQL - Single Server is on the road to retirement by 16 September 2024. If your existing MySQL database is hosted on Azure Database for MySQL - Single Server, consider migrating to Azure Database for MySQL - Flexible Server using the following steps, or using [Azure Database Migration Service (DMS)](/azure/mysql/single-server/whats-happening-to-mysql-single-server#migrate-from-single-server-to-flexible-server).

+Many applications have more than a single component. For example, you may have a front end that is publicly accessible and connects to a back-end API or web app which in turn connects to a database, storage account, key vault, another VM, or a combination of these resources. This architecture makes up an N-tier application. It's important that applications like this are architected to protect back-end resources to the greatest extent possible.

+> [Reliable web app pattern planning (.NET)](/azure/architecture/reference-architectures/reliable-web-app/dotnet/pattern-overview.md)

+>[!NOTE]

+> You can create private and public listeners with the same port number (Preview feature). However, be aware of any Network Security Group (NSG) associated with the application gateway subnet. Depending on your NSG's configuration, you may need an inbound rule with **Destination IP addresses** as your application gateway's public and private frontend IPs.

+>

+> **Inbound Rule**:

+> - Source: (as per your requirement)

+> - Destination IP addresses: Public and Private frontend IPs of your application gateway.

+> - Destination Port: (as per listener configuration)

+> - Protocol: TCP

+>

+> **Outbound Rule**: (no specific requirement)

+- To use public and private listeners with a common port number (Preview feature), you must have an inbound rule with the **destination IP address** as your gateway's **frontend IPs (public and private)**. When using this feature, your application gateway changes the "Destination" of the inbound flow to the frontend IPs of your gateway. [Learn more](./configuration-listeners.md#frontend-port).

+Associate a frontend port. You can select an existing port or create a new one. Choose any value from the [allowed range of ports](./application-gateway-components.md#ports). You can use not only well-known ports, such as 80 and 443, but any allowed custom port that's suitable. The same port can be used for public and private listeners (Preview feature).

+>[!NOTE]

+> When using private and public listeners with the same port number, your application gateway changes the "destination" of the inbound flow to the frontend IPs of your gateway. Hence, depending on your Network Security Group's configuration, you may need an inbound rule with **Destination IP addresses** as your application gateway's public and private frontend IPs.

+>

+> **Inbound Rule**:

+> - Source: (as per your requirement)

+> - Destination IP addresses: Public and Private frontend IPs of your application gateway.

+> - Destination Port: (as per listener configuration)

+> - Protocol: TCP

+>

+> **Outbound Rule**: (no specific requirement)

+**Limitation**: The portal currently supports private and public listeners creation only for the Public clouds.

+ rows = func.SqlRowList(map(lambda r: func.SqlRow.from_dict(r), req_body))

+ rows = func.SqlRowList(map(lambda r: func.SqlRow.from_dict(r), req_body))

+For more information on snapshots, see [Debug snapshots on exceptions in .NET apps](../azure-monitor/app/snapshot-debugger.md) and [Troubleshoot problems enabling Application Insights Snapshot Debugger or viewing snapshots](https://learn.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot).

+| [Data v1](/rest/api/maps/data)<br>[Data v2](/rest/api/maps/data-v2)<br>[Data registry](/rest/api/maps/data-registry) | Yes, except for MapDataStorageService.GetDataStatus and MapDataStorageService.GetUserData, which are non-billable| One request = 1 transaction| <ul><li>Location Insights Data (Gen2 pricing)</li></ul>|

+Here's a short **introduction to Azure Monitor agent video**, which includes a quick demo of how to set up the agent from the Azure portal: [ITOps Talk: Azure Monitor Agent](https://www.youtube.com/watch?v=f8bIrFU8tCs)

+## Benefits

+Using Azure Monitor agent, you get immediate benefits as shown below:

+- **Cost savings** by [using data collection rules](data-collection-rule-azure-monitor-agent.md):

+ - Enables targeted and granular data collection for a machine or subset(s) of machines, as compared to the "all or nothing" approach of legacy agents.

+ - Allows filtering rules and data transformations to reduce the overall data volume being uploaded, thus lowering ingestion and storage costs significantly

+- **Simpler management** including efficient troubleshooting:

+ - Supports data uploads multiple destinations (multiple Log Analytics workspaces, i.e. *multihoming* on Windows and Linux) including cross-region and cross-tenant data collection (using Azure LightHouse)

+ - Centralized, agent configuration "in the cloud" for enterprise scale throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.

+ - Any change(s) in configuration is rolled out to all agents automatically, without requiring a client side deployment

+ - Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.

+- **Security and Performance**

+ - Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients)

+ - Higher event throughput that is 25% better than the legacy Log Analytics (MMA/OMS) agents.

+- **A single agent** that servers all data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.

+## Supported operating systems

+### Windows

+### Linux

+| Amazon Linux 2017.09 | | X | |

+| Amazon Linux 2 | X | X | |

+| Red Hat Enterprise Linux Server 9+ | X | | |

+Intelligent view A scenario when you might want to override the value for cloud role instance could be if your app is running in a containerized environment. In this case, just knowing the individual server might not be enough information to locate a specific issue.

+### Does dependency tracking in Application Insights include logging response bodies?

+Dependency tracking in Application Insights does not include logging response bodies as it would generate too much telemetry for most applications.

+* Check out [platforms](./app-insights-overview.md#supported-languages) supported by Application Insights.

+Explore this sample Flask application. Install Flask, OpenCensus, and the extensions for Flask and Azure.

+```shell

+pip install flask opencensus opencensus-ext-flask opencensus-ext-azure

+```

+You will need to add your Application Insights connection string to the environment variable.

+```shell

+APPLICATIONINSIGHTS_CONNECTION_STRING=<appinsights-connection-string>

+```

+**Sample Flask Application**

+ exporter=AzureExporter(

+ connection_string='<appinsights-connection-string>', # or set environment variable APPLICATION_INSIGHTS_CONNECTION_STRING

+ ),

+from module_2 import function_1

+config_integration.trace_integrations(["logging"])

+logging.basicConfig(

+ format="%(asctime)s traceId=%(traceId)s spanId=%(spanId)s %(message)s"

+)

+logger.warning("Before the span")

+with tracer.span(name="hello"):

+ logger.warning("In the span")

+ function_1(logger, tracer)

+logger.warning("After the span")

+```

+```python

+# module_2.py

+config_integration.trace_integrations(["logging"])

+logging.basicConfig(

+ format="%(asctime)s traceId=%(traceId)s spanId=%(spanId)s %(message)s"

+)

+logger = logging.getLogger(__name__)

+def function_1(logger=logger, parent_tracer=None):

+ span_context=parent_tracer.span_context,

+ sampler=AlwaysOnSampler(),

+ )

+- [.NET](opentelemetry-enable.md?tabs=net)

+- [JavaScript](opentelemetry-enable.md?tabs=nodejs)

+- [Python](opentelemetry-enable.md?tabs=python)

+The default **Application Dashboard** is created on demand the first time you select the Application Dashboard button. If you move or rename your Application Insights instance, queries on the dashboard will fail with "Resource not found" errors because the dashboard queries rely on the original resource URI. Delete the default dashboard. On the Application Insights **Overview** resource menu, select **Application Dashboard** again. The default dashboard will be re-created with the new resource name. Make other custom edits to the dashboard as needed.

+- [User flows](./usage-flows.md)

+| United Kingdom | United Kingdom South |

+| United Kingdom | United Kingdom West |

+| Switzerland | Switzerland West |

+| United Kingdom | United Kingdom South |

+| United Kingdom | United Kingdom West |

+| Switzerland | Switzerland West |

+| United Kingdom | United Kingdom South |

+| United Kingdom | United Kingdom West |

+description: Learn about the data and service resilience benefits Azure Monitor availability zones provide to protect against datacenter failure.

+#customer-intent: As an IT manager, I want to understand the data and service resilience benefits Azure Monitor availability zones provide so that can ensure my data and services are sufficiently protected in the event of datacenter failure.

+# Enhance data and service resilience in Azure Monitor Logs with availability zones

+[Azure availability zones](../../availability-zones/az-overview.md) protect applications and data from datacenter failures and can enhance the resilience of Azure Monitor features that rely on a Log Analytics workspace. This article describes the data and service resilience benefits Azure Monitor availability zones provide by default to [dedicated clusters](logs-dedicated-clusters.md) in supported regions.

+## Prerequisites

+- A Log Analytics workspace linked to a [dedicated cluster](logs-dedicated-clusters.md).

+ > [!NOTE]

+ > Application Insights resources can use availability zones only if they're workspace-based and the workspace uses a dedicated cluster. Classic Application Insights resources can't use availability zones.

+

+## Data resilience - supported regions

+Availability zones protect your data from datacenter failures by relying on datacenters in different physical locations, equipped with independent power, cooling, and networking.

+Azure Monitor currently supports data resilience for availability-zone-enabled dedicated clusters in these regions:

+ | Americas | Europe | Middle East | Africa | Asia Pacific |

+ ||||||

+ | Brazil South | France Central | UAE North | South Africa North | Australia East |

+ | Canada Central | Germany West Central | | | Central India |

+ | Central US | North Europe | | | Japan East |

+ | East US | Norway East | | | Korea Central |

+ | East US 2 | UK South | | | Southeast Asia |

+ | South Central US | West Europe | | | East Asia |

+ | US Gov Virginia | Sweden Central | | | China North 3 |

+ | West US 2 | Switzerland North | | | |

+ | West US 3 | | | | |

+## Service resilience - supported regions

+When available in your region, Azure Monitor availability zones enhance your Azure Monitor service resilience automatically. Physical separation and independent infrastructure makes interruption of service availability in your Log Analytics workspace far less likely because the Log Analytics workspace can rely on resources from a different zone.

+Azure Monitor currently supports service resilience for availability-zone-enabled dedicated clusters in these regions:

+- East US 2

+- West US 2

+- Canada Central

+- France Central

+- Japan East

+Learn more about how to:

+- [Set up a dedicated cluster](logs-dedicated-clusters.md).

+- [Migrate Log Analytics workspaces to availability zone support](../../availability-zones/migrate-monitor-log-analytics.md).

+- [Update](/azure/azure-monitor/reference/tables/update) and [UpdateSummary](/azure/azure-monitor/reference/tables/updatesummary) when the Update Management solution isn't running in the workspace or solution targeting is enabled. See [What data types are included in the 500-MB data daily allowance?](../../defender-for-cloud/plan-defender-for-servers-data-workspace.md#log-analytics-pricing-faq).

+# Create and manage a dedicated cluster in Azure Monitor Logs

+Linking a Log Analytics workspace to a dedicated cluster in Azure Monitor provides advanced capabilities and higher query utilization. Clusters require a minimum ingestion commitment of 500 GB per day. You can link and unlink workspaces from a dedicated cluster without any data loss or service interruption.

+## Advanced capabilities

+- **[Customer-managed keys](../logs/customer-managed-keys.md)** - Encrypt cluster data using keys that you provide and control.

+- **[Lockbox](../logs/customer-managed-keys.md#customer-lockbox-preview)** - Control Microsoft support engineer access requests to your data.

+- **[Double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption)** - Protect against a scenario where one of the encryption algorithms or keys may be compromised. In this case, the extra layer of encryption continues to protect your data.

+- **Cost optimization** - Link your workspaces in same region to cluster to get commitment tier discount to all workspaces, even to ones with low ingestion that

+eligible for commitment tier discount.

+- **[Availability zones](../../availability-zones/az-overview.md)** - Protect your data from datacenter failures by relying on datacenters in different physical locations, equipped with independent power, cooling, and networking. The physical separation in zones and independent infrastructure makes an incident far less likely since the workspace can rely on the resources from any of the zones. [Azure Monitor availability zones](./availability-zones.md) covers broader parts of the service and when available in your region, extends your Azure Monitor resilience automatically. Azure Monitor creates dedicated clusters as availability-zone-enabled (`isAvailabilityZonesEnabled`: 'true') by default in supported regions. You can't alter this setting after creating the cluster.

+ Availability zones aren't currently supported in all regions. New clusters you create in supported regions have availability zones enabled by default.

+## Cluster pricing model

+Log Analytics Dedicated Clusters use a commitment tier pricing model of at least 500 GB/day. Any usage above the tier level incurs charges based on the per-GB rate of that commitment tier. See [Azure Monitor Logs pricing details](cost-logs.md#dedicated-clusters) for pricing details for dedicated clusters.

+## Required permissions

+To perform cluster-related actions, you need these permissions:

+| Action | Permissions or role needed |

+|-|-|

+| Create a dedicate cluster |`Microsoft.Resources/deployments/*`and `Microsoft.OperationalInsights/clusters/write`|

+| Change cluster properties |`Microsoft.OperationalInsights/clusters/write`|

+| Link workspaces to a cluster | `Microsoft.OperationalInsights/clusters/write` and `Microsoft.OperationalInsights/workspaces/write`|

+| Grant the required permissions | Owner or Contributor role that has `*/write` permissions, or a Log Analytics Contributor role that has `Microsoft.OperationalInsights/*` permissions.|

+For more information on Log Analytics permissions, see [Manage access to log data and workspaces in Azure Monitor](./manage-access.md).

+- **ResourceGroupName**: Use a central IT resource group because many teams in the organization usually share clusters. For more design considerations, review Design a Log Analytics workspace configuration(../logs/workspace-design.md).

+- **SkuCapacity**: You can set the commitment tier (formerly called capacity reservations) to 500, 1000, 2000 or 5000 GB/day. For more information on cluster costs, see [Dedicate clusters](./cost-logs.md#dedicated-clusters).

+- **Managed identity**: Clusters support two [managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types):

+ - System-assigned managed identity - Generated automatically with the cluster creation when identity `type` is set to "*SystemAssigned*". This identity can be used later to grant storage access to your Key Vault for wrap and unwrap operations.

+ - User-assigned managed identity - Lets you configure a customer-managed key at cluster creation, when granting it permissions in your Key Vault before cluster creation.

+After you create your cluster resource, you can edit properties such as *sku*, *keyVaultProperties, or *billingType*. See more details below.

+You can have up to five active clusters per subscription per region. If the cluster is deleted, it's still reserved for 14 days. You can have up to seven clusters per subscription and region, five active, plus two deleted in past 14 days.

+The managed identity service generates the *principalId* GUID when you create the cluster.

+After you create your cluster resource and it's fully provisioned, you can edit cluster properties using CLI, PowerShell or REST API. Properties you can set after the cluster is provisioned include:

+When the data volume to your linked workspaces changes over time, you can update the Commitment Tier level appropriately. The tier is specified in units of GB and can have values of 500, 1000, 2000 or 5000 GB/day. You don't have to provide the full REST request body, but you must include the sku.

+- A maximum of seven clusters allowed per subscription and region, five active, plus two deleted in past 14 days.

+- Cluster update shouldn't include both identity and key identifier details in the same operation. In case you need to update both, the update should be in two consecutive operations.

+ - Double encryption setting can't be changed after the cluster has been created.

+- If you attempt to link a Log Analytics workspace that's already linked to another cluster, the operation will fail.

+- 400--Cluster name isn't valid. Cluster name can contain characters a-z, A-Z, 0-9 and length of 3-63.

+- 400--Capacity was provided but SKU isn't capacityReservation. Set SKU name to capacityReservation.

+- 400--Operation can't be executed now. Async operation is in a state other than succeeded. Cluster must complete its operation before any update operation is performed.

+- 400--KeyVaultProperties isn't empty but has a bad format. See [key identifier update](../logs/customer-managed-keys.md#update-cluster-with-key-identifier-details).

+- 400--Key isn't recoverable. Key Vault must be set to Soft-delete and Purge-protection. See [Key Vault documentation](../../key-vault/general/soft-delete-overview.md)

+- 400--Operation can't be executed now. Wait for the Async operation to complete and try again.

+ - 404--Cluster not found, the cluster might have been deleted. If you try to create a cluster with that name and get conflict, the cluster is in soft-delete for 14 days. You can contact support to recover it, or use another name to create a new cluster.

+For general Snapshot Debugger troubleshooting, refer to the [Snapshot Debugger Troubleshoot documentation](https://learn.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot).

+<br>Snapshot Collector used via SDK is not supported when Interop feature is enabled. [See more not supported scenarios.](https://learn.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot#not-supported-scenarios)

+* For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](https://learn.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot).

+* For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](https://learn.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot).

+- For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](https://learn.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot).

+If you've enabled Snapshot Debugger but aren't seeing snapshots, check our [Troubleshooting guide](https://learn.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot).

+ You can now choose a minimum size of 2 TiB when creating a capacity pool. Capacity pools smaller than 4 TiB in size can only be used with volumes using [standard network features](configure-network-features.md#options-for-network-features). This enhancement provides a more cost effective solution for running workloads such as SAP-shared files and VDI that require lower capacity pool sizes for their capacity and performance needs. When you have less than 2-4 TiB capacity with proportional performance, this enhancement allows you to start with 2 TiB as a minimum pool size and increase with 1-TiB increments. For capacities less than 3 TiB, this enhancement saves cost by allowing you to re-evaluate volume planning to take advantage of savings of smaller capacity pools. This feature is supported in all [regions with Standard network features](azure-netapp-files-network-topologies.md#supported-regions).

+ Title: Manage resource groups - Python

+description: Use Python to manage your resource groups through Azure Resource Manager. Shows how to create, list, and delete resource groups.

+# Manage Azure resource groups by using Python

+Learn how to use Python with [Azure Resource Manager](overview.md) to manage your Azure resource groups.

+## Prerequisites

+* Python 3.7 or later installed. To install the latest, see [Python.org](https://www.python.org/downloads/)

+* The following Azure library packages for Python installed in your virtual environment. To install any of the packages, use `pip install {package-name}`

+ * azure-identity

+ * azure-mgmt-resource

+ * azure-mgmt-storage

+* The examples in this article use CLI-based authentication (`AzureCliCredential`). Depending on your environment, you may need to run `az login` first to authenticate.

+* An environment variable with your Azure subscription ID. To get your Azure subscription ID, use:

+ ```azurecli-interactive

+ az account show --name 'your subscription name' --query id -o tsv

+ ```

+ To set the value, use the option for your environment.

+ #### [Windows](#tab/windows)

+ ```console

+ setx AZURE_SUBSCRIPTION_ID your-subscription-id

+ ```

+ > [!NOTE]

+ > If you only need to access the environment variable in the current running console, you can set the environment variable with `set` instead of `setx`.

+ After you add the environment variables, you may need to restart any running programs that will need to read the environment variable, including the console window. For example, if you're using Visual Studio as your editor, restart Visual Studio before running the example.

+ #### [Linux](#tab/linux)

+ ```bash

+ export AZURE_SUBSCRIPTION_ID=your-subscription-id

+ ```

+ After you add the environment variables, run `source ~/.bashrc` from your console window to make the changes effective.

+ #### [macOS](#tab/macos)

+ ##### Bash

+ Edit your .bash_profile, and add the environment variables:

+ ```bash

+ export AZURE_SUBSCRIPTION_ID=your-subscription-id

+ ```

+ After you add the environment variables, run `source ~/.bash_profile` from your console window to make the changes effective.

+## What is a resource group?

+A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to add resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

+The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data is stored in a particular region.

+## Create resource groups

+To create a resource group, use [ResourceManagementClient.resource_groups.create_or_update](/python/api/azure-mgmt-resource/azure.mgmt.resource.resources.v2022_09_01.operations.resourcegroupsoperations#azure-mgmt-resource-resources-v2022-09-01-operations-resourcegroupsoperations-create-or-update).

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ResourceManagementClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+resource_client = ResourceManagementClient(credential, subscription_id)

+rg_result = resource_client.resource_groups.create_or_update(

+ "exampleGroup",

+ {

+ "location": "westus"

+ }

+)

+print(f"Provisioned resource group with ID: {rg_result.id}")

+```

+## List resource groups

+To list the resource groups in your subscription, use [ResourceManagementClient.resource_groups.list](/python/api/azure-mgmt-resource/azure.mgmt.resource.resources.v2022_09_01.operations.resourcegroupsoperations#azure-mgmt-resource-resources-v2022-09-01-operations-resourcegroupsoperations-list).

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ResourceManagementClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+resource_client = ResourceManagementClient(credential, subscription_id)

+rg_list = resource_client.resource_groups.list()

+for rg in rg_list:

+ print(rg.name)

+```

+To get one resource group, provide the name of the resource group.

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ResourceManagementClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+resource_client = ResourceManagementClient(credential, subscription_id)

+rg_result = resource_client.resource_groups.get("exampleGroup")

+print(f"Retrieved resource group {rg_result.name} in the {rg_result.location} region with resource ID {rg_result.id}")

+```

+## Delete resource groups

+To delete a resource group, use [ResourceManagementClient.resource_groups.begin_delete](/python/api/azure-mgmt-resource/azure.mgmt.resource.resources.v2022_09_01.operations.resourcegroupsoperations#azure-mgmt-resource-resources-v2022-09-01-operations-resourcegroupsoperations-begin-delete).

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ResourceManagementClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+resource_client = ResourceManagementClient(credential, subscription_id)

+rg_result = resource_client.resource_groups.begin_delete("exampleGroup")

+```

+For more information about how Azure Resource Manager orders the deletion of resources, see [Azure Resource Manager resource group deletion](delete-resource-group.md).

+## Deploy resources

+You can deploy Azure resources by using Python classes or by deploying an Azure Resource Manager (ARM) template.

+The following example creates a storage account. The name you provide for the storage account must be unique across Azure.

+```python

+import os

+import random

+from azure.identity import AzureCliCredential

+from azure.mgmt.storage import StorageManagementClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+random_postfix = ''.join(random.choices('abcdefghijklmnopqrstuvwxyz1234567890', k=13))

+storage_account_name = "demostore" + random_postfix

+storage_client = StorageManagementClient(credential, subscription_id)

+storage_account_result = storage_client.storage_accounts.begin_create(

+ "exampleGroup",

+ storage_account_name,

+ {

+ "location": "westus",

+ "sku": {

+ "name": "Standard_LRS"

+ }

+ }

+)

+```

+To deploy an ARM template, use [ResourceManagementClient.deployments.begin_create_or_update](/python/api/azure-mgmt-resource/azure.mgmt.resource.resources.v2022_09_01.operations.deploymentsoperations#azure-mgmt-resource-resources-v2022-09-01-operations-deploymentsoperations-begin-create-or-update).

+```python

+import os

+import json

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ResourceManagementClient

+from azure.mgmt.resource.resources.models import DeploymentMode

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+resource_client = ResourceManagementClient(credential, subscription_id)

+with open("storage.json", "r") as template_file:

+ template_body = json.load(template_file)

+rg_deployment_result = resource_client.deployments.begin_create_or_update(

+ "exampleGroup",

+ "exampleDeployment",

+ {

+ "properties": {

+ "template": template_body,

+ "parameters": {

+ "storagePrefix": {

+ "value": "demostore"

+ },

+ },

+ "mode": DeploymentMode.incremental

+ }

+ }

+)

+```

+The following example shows the ARM template you're deploying:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "storagePrefix": {

+ "type": "string",

+ "minLength": 3,

+ "maxLength": 11

+ }

+ },

+ "variables": {

+ "uniqueStorageName": "[concat(parameters('storagePrefix'), uniqueString(resourceGroup().id))]"

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Storage/storageAccounts",

+ "apiVersion": "2022-09-01",

+ "name": "[variables('uniqueStorageName')]",

+ "location": "eastus",

+ "sku": {

+ "name": "Standard_LRS"

+ },

+ "kind": "StorageV2",

+ "properties": {

+ "supportsHttpsTrafficOnly": true

+ }

+ }

+ ]

+}

+```

+For more information about deploying an ARM template, see [Deploy resources with ARM templates and Azure CLI](../templates/deploy-cli.md).

+## Lock resource groups

+Locking prevents other users in your organization from accidentally deleting or modifying critical resources.

+To prevent a resource group and its resources from being deleted, use [ManagementLockClient.management_locks.create_or_update_at_resource_group_level](/python/api/azure-mgmt-resource/azure.mgmt.resource.locks.v2016_09_01.operations.managementlocksoperations#azure-mgmt-resource-locks-v2016-09-01-operations-managementlocksoperations-create-or-update-at-resource-group-level).

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_result = lock_client.management_locks.create_or_update_at_resource_group_level(

+ "exampleGroup",

+ "lockGroup",

+ {

+ "level": "CanNotDelete"

+ }

+)

+```

+To get the locks for a resource group, use [ManagementLockClient.management_locks.list_at_resource_group_level](/python/api/azure-mgmt-resource/azure.mgmt.resource.locks.v2016_09_01.operations.managementlocksoperations#azure-mgmt-resource-locks-v2016-09-01-operations-managementlocksoperations-list-at-resource-group-level).

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_result = lock_client.management_locks.get_at_resource_group_level("exampleGroup", "lockGroup")

+print(f"Lock {lock_result.name} applies {lock_result.level} lock")

+```

+To delete a lock on a resource group, use [ManagementLockClient.management_locks.delete_at_resource_group_level](/python/api/azure-mgmt-resource/azure.mgmt.resource.locks.v2016_09_01.operations.managementlocksoperations#azure-mgmt-resource-locks-v2016-09-01-operations-managementlocksoperations-delete-at-resource-group-level).

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_client.management_locks.delete_at_resource_group_level("exampleGroup", "lockGroup")

+```

+For more information, see [Lock resources with Azure Resource Manager](lock-resources.md).

+## Tag resource groups

+You can apply tags to resource groups and resources to logically organize your assets. For information, see [Using tags to organize your Azure resources](tag-resources.md).

+## Export resource groups to templates

+To assist with creating ARM templates, you can export a template from existing resources. For more information, see [Use Azure portal to export a template](../templates/export-template-portal.md).

+## Manage access to resource groups

+[Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) is the way that you manage access to resources in Azure. For more information, see [Add or remove Azure role assignments using Azure CLI](../../role-based-access-control/role-assignments-cli.md).

+## Next steps

+- To learn Azure Resource Manager, see [Azure Resource Manager overview](overview.md).

+- For more information about authentication options, see [Authenticate Python apps to Azure services by using the Azure SDK for Python](/azure/developer/python/sdk/authentication-overview).

+Azure VMware Solution is currently supported in the following regions:

+* Australia East

+* Australia Southeast

+* Brazil South

+* Canada Central

+* Canada East

+* Central US

+* East Asia

+* East US

+* East US 2

+* France Central

+* Germany West Central

+* Japan East

+* Japan West

+* North Central US

+* North Europe

+* South Africa North

+* South Central US

+* Southeast Asia

+* Sweden Central

+* Sweden North

+* Switzerland West

+* UK South

+* UK West

+* West Europe

+* West US

+* West US 2

+All new Azure VMware Solution private clouds are being deployed with NSX-T Data Center version 3.2.2. NSX-T Data Center versions in existing private clouds will be upgraded to NSX-T Data Center version 3.2.2 through April 2023.

+> [!IMPORTANT]

+> Customers should not advertise bogon routes over ExpressRoute from on-premises or their Azure VNET. Examples of bogon routes include 0.0.0.0/5 or 192.0.0.0/3.

+## Rotate an existing external identity source account's username and/or password

+1. Use the [Get-ExternalIdentitySources](configure-identity-source-vcenter.md#list-external-identity) run command to pull current populated values.

+1. Run [Remove-ExternalIdentitySource](configure-identity-source-vcenter.md#remove-existing-external-identity-sources) and provide DomainName of External Identity source you'd like to rotate.

+> [!IMPORTANT]

+> If you do not provide a DomainName, all external identity sources will be removed.

+1. Run [New-LDAPSIdentitySource](configure-identity-source-vcenter.md#add-active-directory-over-ldap-with-ssl) or [New-LDAPIdentitySource](configure-identity-source-vcenter.md#add-active-directory-over-ldap) depending on your configuration.

+>[!NOTE]

+>There is work to make this an easier process than it is today with a new run command.

+>[PR with VMware](https://github.com/vmware/PowerCLI-Example-Scripts/pull/604)

+For Docker support on a custom image, install [Docker Community Edition (CE)](https://www.docker.com/community-edition) or [Docker Enterprise Edition (EE)](https://docs.docker.com/).

+> Continuous language identification is only supported with Speech SDKs in C#, C++, Java ([for speech to text only](#speech-to-text)), JavaScript ([for speech to text only](#speech-to-text)),and Python.

+> Speech-to-text recognition with at-start language identification is supported with Speech SDKs in C#, C++, Python, Java, JavaScript, and Objective-C. Speech-to-text recognition with continuous language identification is only supported with Speech SDKs in C#, C++, Java, JavaScript, and Python.

+componentType: pubsub.azure.servicebus.queue

+componentType: pubsub.azure.servicebus.queue

+ componentType: 'pubsub.azure.servicebus.queue'

+ "componentType": "pubsub.azure.servicebus.queue",

+New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName 'Storage Blob Data Contributor' -Scope "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Storage/storageAccounts/$StorageAcctName"

+* To deploy a new virtual network, subnet, network profile, and container group using a Resource Manager template, see [Create an Azure container group with VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-vnet

+* To deploy Azure Container Instances that can pull images from an Azure Container Registry through a private endpoint, see [Deploy to Azure Container Instances from Azure Container Registry using a managed identity](../container-instances/using-azure-container-registry-mi.md).

+When access to an Azure Container Registry (ACR) is [restricted using a private endpoint](../container-registry/container-registry-private-link.md), using a managed identity allows Azure Container Instances [deployed into a virtual network](container-instances-vnet.md) to access the container registry through the private endpoint.

+## Deploy in a virtual network using the Azure CLI

+To deploy a container group to a virtual network using managed identity to authenticate image pulls from an ACR that runs behind a private endpoint via the Azure CLI, use the following command:

+```azurecli-interactive

+az container create --name my-containergroup --resource-group myResourceGroup --image <loginServer>/hello-world:v1 --acr-identity $userID --assign-identity $userID --vnet "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myVNetResourceGroup/providers/ --subnet mySubnetName

+```

+For more info on how to deploy to a virtual network see [Deploy container instances into an Azure virtual network](./container-instances-vnet.md).

+## Deploy a multi-container group in a virtual network using YAML and the Azure CLI

+To deploy a multi-container group to a virtual network using managed identity to authenticate image pulls from an ACR that runs behind a private endpoint via the Azure CLI, you can specify the container group configuration in a YAML file. Then pass the YAML file as a parameter to the command.

+```yaml

+apiVersion: '2021-10-01'

+location: eastus

+type: Microsoft.ContainerInstance/containerGroups

+identity:

+ type: UserAssigned

+ userAssignedIdentities: {

+ '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId': {}

+ }

+properties:

+ osType: Linux

+ imageRegistryCredentials:

+ - server: myacr.azurecr.io

+ identity: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId'

+ subnetIds:

+ - id: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myVNetResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNetName/subnets/mySubnetName'

+ name: mySubnetName

+ containers:

+ - name: myContainer-1

+ properties:

+ resources:

+ requests:

+ cpu: '.4'

+ memoryInGb: '1'

+ environmentVariables:

+ - name: CONTAINER

+ value: 1

+ image: 'myacr.azurecr.io/myimage:latest'

+ - name: myContainer-2

+ properties:

+ resources:

+ requests:

+ cpu: '.4'

+ memoryInGb: '1'

+ environmentVariables:

+ - name: CONTAINER

+ value: 2

+ image: 'myacr.azurecr.io/myimage:latest'

+```

+```azurecli-interactive

+az container create --name my-containergroup --resource-group myResourceGroup --file my-YAML-file.yaml

+```

+For more info on how to deploy to a multi-container group see [Deploy a multi-container group](./container-instances-multi-container-yaml.md).

+* `--untagged` - Specifies that all manifests that don't have associated tags (*untagged manifests*) are deleted. This parameter also deletes untagged manifests in addition to tags that are already being deleted.

+> Starting from October 2021, new container registries allow a maximum of 200 private endpoints. Registries created earlier allow a maximum of 10 private endpoints. Use the [az acr show-usage](/cli/azure/acr#az-acr-show-usage) command to see the limit for your registry. Please open a support ticket to increase the limit to 200 private endpoints.

+Once a new geo-replication is added, a private endpoint connection is set to be pending. To approve a private endpoint connection configured manually run [az acr private-endpoint-connection approve][az-acr-private-endpoint-connection-approve] command.

+* To verify DNS settings in the virtual network that route to a private endpoint, run the [az acr check-health](/cli/azure/acr#az-acr-check-health) command with the `--vnet` parameter. For more information, see [Check the health of an Azure container registry](container-registry-check-health.md).

+* [Troubleshoot Azure Private Endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).

+* If you need to deploy Azure Container Instances that can pull images from an ACR through a private endpoint, see [Deploy to Azure Container Instances from Azure Container Registry using a managed identity](../container-instances/using-azure-container-registry-mi.md).

+The **Overview** page in the Azure portal for each registry includes a brief view of recent resource usage and activity, such as push and pull operations. This high-level information is useful, but only a small amount of data is shown there.

+## Monitoring data

+Azure Container Registry collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data).

+## Analyzing metrics

+You can analyze metrics for an Azure container registry with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for details on using this tool.

+> You can also go to the metrics explorer by navigating to your registry in the portal. In the menu, select **Metrics** under **Monitoring**.

+### REST API

+Following are queries that you can use to help you monitor your registry resource.

+1. Select **Metrics** under **Monitoring**.

+- See [Show registry usage](container-registry-skus.md#show-registry-usage) for information about how to get a snapshot of storage usage and other resource consumption in your registry.

+ Title: Working with the change feed

+description: Use Azure Cosmos DB change feed to track changes, process events, and keep other systems up-to-date.

+The change feed feature is currently supported in the following Azure Cosmos DB SDKs.

+| **Client drivers** | **NoSQL** | **Apache Cassandra** | **MongoDB** | **Apache Gremlin** | **Table** | **PostgreSQL** |

+| .NET |  |  |  |  |  |  |

+| Java |  |  |  |  |  |  |

+| Python |  |  |  |  |  |  |

+| Node/JavaScript |  |  |  |  |  |  |

+Today, you see all inserts and updates in the change feed. You can't filter the change feed for a specific type of operation.

+> [!TIP]

+> One possible alternative, is to add a "soft marker" on the item for updates and filter based on that when processing items in the change feed.

+Currently change feed doesn't log delete operations. As a workaround, you can add a soft marker on the items that are being deleted. For example, you can add an attribute in the item called "deleted," set its value to "true," and then set a time-to-live (TTL) value on the item. Setting the TTL ensures that the item is automatically deleted. For more information, see [Time to Live (TTL)](nosql/time-to-live.md).

+You can read the change feed for historic items. This historical data includes the most recent change corresponding to the item. The historical data doesn't include the intermediate changes. For example, you can use the change feed to read items that were added five years ago. However, you can't see the intermediate changes since then. You can read the change feed as far back as the origin of your container. If an item is deleted, it's removed from the change feed entirely.

+Change feed items arrive in the order of their modification time. This sort order is guaranteed per logical partition key.

+Consuming the change feed in an Eventual consistency level can result in duplicate events in-between subsequent change feed read operations. For example, the last event of one read operation could appear as the first event of the next operation.

+In a multi-region Azure Cosmos DB account, if a write-region fails over, change feed works across the manual failover operation and the feed remains contiguous.

+If the TTL property is set on an item to `-1`, the change feed persists that item forever. If the data isn't deleted, it remains in the change feed.

+### Change feed and \_etag, \_lsn, or \_ts

+Azure Cosmos DB includes multiple internal fields that are automatically assigned to a new item. These fields are important to understand in the context of the change feed.

+The `_etag` field is internal and you shouldn't take dependency on it, because it can change at any time. Typically, the `_etag` field changes whenever the item is modified. For more information, see [optimistic concurrency control](nosql/database-transactions-optimistic-concurrency.md#optimistic-concurrency-control). The `_etag` value from the change feed item is different than the `_etag` value on the original source item. In the context of the change feed, the `_etag` value is used to sequence the feed.

+`_ts` is a modification or a creation timestamp. You can use `_ts` for chronological comparison.

+`_lsn` is a batch ID that is added to the item within the context of the change feed only. The `_lsn` field doesn't exist on the original source item. In the change feed, the field represents the transaction ID. Many items may have the same `_lsn`.

+* [Use change feed with Azure Functions](change-feed-functions.md)

+* [Use change feed with the change feed processor](change-feed-processor.md)

+Change feed is available for each logical partition key within the container, and it can be distributed across one or more consumers for parallel processing.

+* The change feed is sorted by the order of modification within each logical partition key value. There's no guaranteed order across the partition key values.

+* Changes can be synchronized from any point-in-time. There's no fixed data retention period for which changes are available.

+* Changes are available in parallel for all logical partition keys of an Azure Cosmos DB container. This capability allows multiple consumers to process changes from large containers in parallel.

+Native Apache Cassandra provides change data capture (CDC), a mechanism to flag specific tables for archival and rejecting writes to those tables once a configurable size-on-disk for the CDC log is reached. The change feed feature in Azure Cosmos DB for Apache Cassandra enhances the ability to query the changes with predicate via CQL. To learn more about the implementation details, see [Change feed in the Azure Cosmos DB for Apache Cassandra](cassandr).

+ Title: Consistency level choices

+Distributed databases that rely on replication for high availability, low latency, or both, must make a fundamental tradeoff between the read consistency, availability, latency, and throughput as defined by the [PACELC theorem](https://en.wikipedia.org/wiki/PACELC_theorem). The linearizability of the strong consistency model is the gold standard of data programmability. But it adds a steep price from higher write latencies due to data having to replicate and commit across large distances. Strong consistency may also suffer from reduced availability (during failures) because data can't replicate and commit in every region. Eventual consistency offers higher availability and better performance, but it's more difficult to program applications because data may not be consistent across all regions.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4RZ0h]

+Azure Cosmos DB provides native support for wire protocol-compatible APIs for popular databases. These include MongoDB, Apache Cassandra, Apache Gremlin, and Azure Table Storage. In API for Gremlin or Table, the default consistency level configured on the Azure Cosmos DB account is used. For details on consistency level mapping between Apache Cassandra and Azure Cosmos DB, see [API for Cassandra consistency mapping](cassandr).

+Read consistency applies to a single read operation scoped within a logical partition. A remote client or a stored procedure can issue the read operation.

+The following graphic illustrates the strong consistency with musical notes. After the data is written to the "West US 2" region, when you read the data from other regions, you get the most recent value:

+In bounded staleness consistency, the lag of data between any two regions is always less than a specified amount. The amount can be "K" versions (that is, "updates") of an item or by "T" time intervals, whichever is reached first. In other words, when you choose bounded staleness, the maximum "staleness" of the data in any region can be configured in two ways:

+Bounded Staleness is beneficial primarily to single-region write accounts with two or more regions. If the data lag in a region (determined per physical partition) exceeds the configured staleness value, writes for that partition are throttled until staleness is back within the configured upper bound.

+For a single-region account, Bounded Staleness provides the same write consistency guarantees as Session and Eventual Consistency. With Bounded Staleness, data is replicated to a local majority (three replicas in a four replica set) in the single region.

+Reads when using Bounded Staleness returns the latest data available in that region by reading from two available replicas in that region. Since writes within a region always replicate to a local majority (three out of four replicas), consulting two replicas return the most updated data available in that region.

+Bounded Staleness works best for globally distributed applications using a single-region write accounts with two or more regions, where near strong consistency across regions is desired. For multi-region write accounts with two or more regions, application servers should direct reads and writes to the same region in which the application servers are hosted. Bounded Staleness in a multi-write account is an anti-pattern. This level would require a dependency on replication lag between regions, which shouldn't matter if data is read from the same region it was written to.

+In session consistency, within a single client session, reads are guaranteed to honor the read-your-writes, and write-follows-reads guarantees. This guarantee assumes a single ΓÇ£writerΓÇ¥ session or sharing the session token for multiple writers.

+After every write operation, the client receives an updated Session Token from the server. The client caches the tokens and sends them to the server for read operations in a specified region. If the replica against which the read operation is issued contains data for the specified token (or a more recent token), the requested data is returned. If the replica doesn't contain data for that session, the client retries the request against another replica in the region. If necessary, the client retries the read against extra available regions until data for the specified session token is retrieved.

+If the client didn't initiate a write to a physical partition, the client doesn't contain a session token in its cache and reads to that physical partition behave as reads with Eventual Consistency. Similarly, if the client is re-created, its cache of session tokens is also re-created. Here too, read operations follow the same behavior as Eventual Consistency until subsequent write operations rebuild the clientΓÇÖs cache of session tokens.

+Session consistency is the most widely used consistency level for both single region and globally distributed applications. It provides write latencies, availability, and read throughput comparable to that of eventual consistency. Session consistency also provides the consistency guarantees that suit the needs of applications written to operate in the context of a user. The following graphic illustrates the session consistency with musical notes. The "West US 2 writer" and the "East US 2 reader" are using the same session (Session A) so they both read the same data at the same time. Whereas the "Australia East" region is using "Session B" so, it receives data later but in the same order as the writes.

+In consistent prefix, updates made as single document writes see eventual consistency.

+Assume two write operations are performed transactionally (all or nothing operations) on document Doc1 followed by document Doc2, within transactions T1 and T2. When client does a read in any replica, the user sees either ΓÇ£Doc1 v1 and Doc2 v1ΓÇ¥ or ΓÇ£Doc1 v2 and Doc2 v2ΓÇ¥ or neither document if the replica is lagging, but never ΓÇ£Doc1 v1 and Doc2 v2ΓÇ¥ or ΓÇ£Doc1 v2 and Doc2 v1ΓÇ¥ for the same read or query operation.

+In Eventual consistency, the client issues read requests against any one of the four replicas in the specified region. This replica may be lagging and could return stale or no data.

+Eventual consistency is the weakest form of consistency because a client may read the values that are older than the ones it read in the past. Eventual consistency is ideal where the application doesn't require any ordering guarantees. Examples include count of Retweets, Likes, or non-threaded comments. The following graphic illustrates the eventual consistency with musical notes.

+If your account is configured with a consistency level other than the strong consistency, you can find out the probability that your clients may get strong and consistent reads for your workloads. You can figure out this probability by looking at the *Probabilistically Bounded Staleness* (PBS) metric. This metric is exposed in the Azure portal, to learn more, see [Monitor Probabilistically Bounded Staleness (PBS) metric](how-to-manage-consistency.md#monitor-probabilistically-bounded-staleness-pbs-metric).

+Probabilistically bounded staleness shows how eventual is your eventual consistency. This metric provides an insight into how often you can get a stronger consistency than the consistency level that you've currently configured on your Azure Cosmos DB account. In other words, you can see the probability (measured in milliseconds) of getting consistent reads for a combination of write and read regions.

+The exact RTT latency is a function of speed-of-light distance and the Azure networking topology. Azure networking doesn't provide any latency SLAs for the RTT between any two Azure regions, however it does publish [Azure network round-trip latency statistics](../networking/azure-network-latency.md). For your Azure Cosmos DB account, replication latencies are displayed in the Azure portal. You can use the Azure portal by going to the Metrics section and then selecting the Consistency option. Using the Azure portal, you can monitor the replication latencies between various regions that are associated with your Azure Cosmos DB account.

+- For a given type of write operation, such as insert, replace, upsert, and delete, the write throughput for request units is identical for all consistency levels. For strong consistency, changes need to be committed in every region (global majority) while for all other consistency levels, local majority (three replicas in a four replica set) is being used.

+Within a globally distributed database environment, there's a direct relationship between the consistency level and data durability in the presence of a region-wide outage. As you develop your business continuity plan, you need to understand the maximum period of recent data updates the application can tolerate losing when recovering after a disruptive event. The time period of updates that you might afford to lose is known as **recovery point objective** (**RPO**).

+This table defines the relationship between consistency model and data durability in the presence of a region wide outage.

+*K* = The number of *"K"* versions (that is, updates) of an item.

+For a single region account, the minimum value of *K* and *T* is 10 write operations or 5 seconds. For multi-region accounts the minimum value of *K* and *T* is 100,000 write operations or 300 seconds. This value defines the minimum RPO for data when using Bounded Staleness.

+Azure Cosmos DB accounts configured with multiple write regions can't be configured for strong consistency as it isn't possible for a distributed system to provide an RPO of zero and an RTO of zero. Additionally, there are no write latency benefits on using strong consistency with multiple write regions because a write to any region must be replicated and committed to all configured regions within the account. This scenario results in the same write latency as a single write region account.

+## More reading

+ Title: MongoDB extension commands

+description: This article describes how to use MongoDB extension commands to manage data stored in Azure Cosmos DB for MongoDB.

+# Use MongoDB extension commands to manage data stored in Azure Cosmos DB for MongoDB

+The following document contains the custom action commands that are specific to Azure Cosmos DB for MongoDB. These commands can be used to create and obtain database resources that are specific to the [Azure Cosmos DB capacity model](../account-databases-containers-items.md).

+By using Azure Cosmos DB for MongoDB, you can enjoy the shared benefits of Azure Cosmos DB. These benefits include, but aren't limited to:

+* Global distribution

+* Automatic sharding

+* High availability

+* Latency guarantees

+* Encryption at rest

+* Backups

+You can enjoy these benefits while preserving your investments in your existing MongoDB application\[s\]. You can communicate with the Azure Cosmos DB for MongoDB by using any of the open-source [MongoDB client drivers](https://docs.mongodb.org/ecosystem/drivers). The Azure Cosmos DB for MongoDB enables the use of existing client drivers by adhering to the [MongoDB wire protocol](https://docs.mongodb.org/manual/reference/mongodb-wire-protocol).

+Azure Cosmos DB for MongoDB is compatible with MongoDB server version 4.0, 3.6, and 3.2. For more information, see supported features and syntax in versions [4.0](feature-support-40.md), [3.6](feature-support-36.md), and [3.2](feature-support-32.md).

+The following extension commands create and modify Azure Cosmos DB-specific resources via database requests:

+| Field | Type | Description |

+| | | |

+| `customAction` | `string` | Name of the custom command. The value must be `CreateDatabase`. |

+| `offerThroughput` | `int` | Provisioned throughput that you set on the database. This parameter is optional. |

+| `autoScaleSettings` | `Object` | Required for [Autoscale mode](../provision-throughput-autoscale.md). This object contains the settings associated with the Autoscale capacity mode. You can set up the `maxThroughput` value, which describes the highest number of Request Units that the collection can increase to dynamically. |

+If the command is successful, it returns the following response:

+### Example: Create a database

+This command creates a database without database-level throughput. This operation means that the collections within this database need to specify the amount of throughput that you need to use.

+### Example: Create a database with throughput

+This command creates a database and sets a throughput to it. All collections within this database share the set throughput, unless the collections are created with [a specific throughput level](../set-throughput.md#set-throughput-on-a-database-and-a-container).

+### Example: Create a database with Autoscale throughput

+The update database extension command updates the properties associated with the specified database. Changing your database from provisioned throughput to autoscale and vice-versa is only supported in the Azure portal. The following table describes the parameters within the command:

+| Field | Type | Description |

+| | | |

+| `customAction` | `string` | Name of the custom command. The value must be `UpdateDatabase`. |

+| `offerThroughput` | `int` | New provisioned throughput that you want to set on the database if the database uses [database-level throughput](../set-throughput.md#set-throughput-on-a-database) |

+| `autoScaleSettings` | `Object` | Required for [Autoscale mode](../provision-throughput-autoscale.md). This object contains the settings associated with the Autoscale capacity mode. You can set up the `maxThroughput` value, which describes the highest number of Request Units that the database can be increased to dynamically. |

+This command uses the database specified in the context of the session. This database is the same one you used in the `use <database>` command. At the moment, the database name can't be changed using this command.

+If the command is successful, it returns the following response:

+### Example: Update the provisioned throughput associated with a database

+### Example: Update the Autoscale throughput associated with a database

+| Field | Type | Description |

+| | | |

+| `customAction` | `string` | Name of the custom command. The value must be `GetDatabase`. |

+| Field | Type | Description |

+| | | |

+| `ok` | `int` | Status of response. 1 == success. 0 == failure. |

+| `database` | `string` | Name of the database. |

+| `provisionedThroughput` | `int` | Provisioned throughput that is set on the database if the database is using [manual database-level throughput](../set-throughput.md#set-throughput-on-a-database) |

+| `autoScaleSettings` | `Object` | This object contains the capacity parameters associated with the database if it's using the [Autoscale mode](../provision-throughput-autoscale.md). The `maxThroughput` value describes the highest number of Request Units that the database can be increased to dynamically. |

+### Example: Get the database

+| Field | Type | Required | Description |

+| | | | |

+| `customAction` | `string` | Required | Name of the custom command. The value must be `CreateCollection`. |

+| `collection` | `string` | Required | Name of the collection. No special characters or spaces are allowed. |

+| `offerThroughput` | `int` | Optional | Provisioned throughput to set on the database. If this parameter isn't provided, it defaults to the minimum, 400 RU/s. * To specify throughput beyond 10,000 RU/s, the `shardKey` parameter is required. |

+| `shardKey` | `string` | Required for collections with large throughput | The path to the Shard Key for the sharded collection. This parameter is required if you set more than 10,000 RU/s in `offerThroughput`. If it's specified, all documents inserted require this key and value. |

+| `autoScaleSettings` | `Object` | Required for [Autoscale mode](../provision-throughput-autoscale.md) | This object contains the settings associated with the Autoscale capacity mode. You can set up the `maxThroughput` value, which describes the highest number of Request Units that the collection can be increased to dynamically. |

+| `indexes` | `Array` | Optionally configure indexes. This parameter is supported for 3.6+ accounts only. | When present, an index on _id is required. Each entry in the array must include a key of one or more fields, a name, and may contain index options. For example, to create a compound unique index on the fields `a` and `b` use this entry: `{key: {a: 1, b: 1}, name:"a_1_b_1", unique: true}`. |

+### Example: Create a collection with the minimum configuration

+To create a new collection with name `"testCollection"` and the default values, use the following command:

+This operation results in a new fixed, unsharded, collection with 400RU/s and an index on the `_id` field automatically created. This type of configuration also applies when creating new collections via the `insert()` function. For example:

+### Example: Create an unsharded collection

+To create an unsharded collection with name `"testCollection"` and provisioned throughput of 1000 RUs, use the following command:

+```

+### Example: Create a sharded collection

+### Example: Create an unsharded Autoscale collection

+For the `autoScaleSettings.maxThroughput` value, you can specify a range from 4,000 RU/s to 10,000 RU/s without a shard key. For higher autoscale throughput, you need to specify the `shardKey` parameter.

+### Example: Create a sharded Autoscale collection

+The update collection extension command updates the properties associated with the specified collection. Changing your collection from provisioned throughput to autoscale and vice-versa is only supported in the Azure portal.

+| Field | Type | Description |

+| | | |

+| `customAction` | `string` | Name of the custom command. The value must be `UpdateCollection`. |

+| `collection` | `string` | Name of the collection. |

+| `offerThroughput` | `int` | Provisioned throughput to set on the collection. |

+| `autoScaleSettings` | `Object` | Required for [Autoscale mode](../provision-throughput-autoscale.md). This object contains the settings associated with the Autoscale capacity mode. The `maxThroughput` value describes the highest number of Request Units that the collection can be increased to dynamically. |

+| `indexes` | `Array` | Optionally configure indexes. This parameter is supported for 3.6+ accounts only. When present, the set of indexes specified (including dropping indexes) replaces the existing indexes of the collection. An index on _id is required. Each entry in the array must include a key of one or more fields, a name, and may contain index options. For example, to create a compound unique index on the fields a and b use this entry: `{key: {a: 1, b: 1}, name: "a_1_b_1", unique: true}`. |

+### Example: Update the provisioned throughput associated with a collection

+| Field | Type | Description |

+| | | |

+| `customAction` | `string` | Name of the custom command. The value must be `GetCollection`. |

+| `collection` | `string` | Name of the collection. |

+| Field | Type | Description |

+| | | |

+| `ok` | `int` | Status of response. 1 == success. 0 == failure. |

+| `database` | `string` | Name of the database. |

+| `collection` | `string` | Name of the collection. |

+| `shardKeyDefinition` | `document` | Index specification document used as a shard key. This field is an optional response parameter. |

+| `provisionedThroughput` | `int` | Provisioned Throughput to set on the collection. This field is an optional response parameter. |

+| `autoScaleSettings` | `Object` | This object contains the capacity parameters associated with the database if it's using the [Autoscale mode](../provision-throughput-autoscale.md). The `maxThroughput` value describes the highest number of Request Units that the collection can be increased to dynamically. |

+### Example: Get the collection

+If the collection has an associated throughput capacity to it, it includes the `provisionedThroughput` value, and the output would be:

+If the collection has an associated Autoscale throughput, it includes the `autoScaleSettings` object with the `maxThroughput` parameter, which defines the maximum throughput the collection increases to dynamically. Additionally, it also includes the `provisionedThroughput` value, which defines the minimum throughput this collection reduces to if there are no requests in the collection:

+## <a id="parallel-change-stream"></a> Parallelizing change streams

+When using [change streams](change-streams.md) at scale, it's best to evenly spread the load. The following command returns one or more change stream resume tokens - each one corresponding to data from a single physical shard/partition (multiple logical shards/partitions can exist on one physical partition). Each resume token causes watch() to only return data from that physical shard/partition.

+Use `db.collection.watch()` on each resume token (one thread per token), to scale change streams efficiently.

+### Example: Get the stream token

+Run a watch() thread/process for each resume token returned from the GetChangeStreamTokens custom command. Here's an example for one thread.

+The document (value) in the resumeAfter field represents the resume token. The command `watch()` returns a curser for all documents that were inserted, updated, or replaced from that physical partition since the GetChangeStreamTokens custom command was run. A sample of the data returned is included here.

+{

+ "_id": {

+ "_data": BinData(0,

+ "eyJWIjoyLCJSaWQiOiJQeFVhQUxuMFNLRT0iLCJDfdsfdsfdsft7IkZlZWRSYW5nZSI6eyJ0eXBlIjoiRWZmZWN0aXZlIFBhcnRpdGlvbiBLZXkgUmFuZ2UiLCJ2YWx1ZSI6eyJtaW4iOiIiLCJtYXgiOiJGRiJ9fSwiU3RhdGUiOnsidHlwZSI6ImNvbnRpbnVhdGlvbiIsInZhbHVlIjoiXCIxOTgwXCIifX1dfQ=="),

+ "_kind": 1

+ },

+ "fullDocument": {

+ "_id": ObjectId("60da41ec9d1065b9f3b238fc"),

+ "name": John,

+ "age": 6

+ },

+ "ns": {

+ "db": "test-db",

+ "coll": "test_coll"

+ },

+ "documentKey": {

+ "_id": ObjectId("60da41ec9d1065b9f3b238fc")

+ }

+}

+Each document returned includes a resume token (they're all the same for each page). This resume token should be stored and reused if the thread/process dies. This resume token picks up from where you left off, and receive data only from that physical partition.

+| Field | Type | Description |

+| | | |

+| `ok` | `int` | Status of response. 1 == success. 0 == failure. |

+| `code` | `int` | Only returned when the command failed (that is, ok == 0). Contains the MongoDB error code. This field is an optional response parameter. |

+| `errMsg` | `string` | Only returned when the command failed (that is, ok == 0). Contains a user-friendly error message. This field is an optional response parameter. |

+Next you can proceed to learn the following Azure Cosmos DB concepts:

+ Title: Pre-data migration steps

+# Pre-migration steps for data migrations from MongoDB to Azure Cosmos DB for MongoDB

+This MongoDB pre-migration guide is part of series on MongoDB migration. The critical MongoDB migration steps are pre-migration, migration, and [post-migration](post-migration-optimization.md), as shown in this guide.

+

+2. Plan out how you execute the migration.

+The [Database Migration Assistant](https://github.com/AzureCosmosDB/Cosmos-DB-Migration-Assistant-for-API-for-MongoDB)(DMA) assists you with the [Discovery](#programmatic-discovery-using-the-database-migration-assistant) and [Assessment](#programmatic-assessment-using-the-database-migration-assistant) stages of the planning.

+The first pre-migration step is resource discovery. In this step, you need to create a **data estate migration spreadsheet**.

+You may use the [Database Migration Assistant](https://github.com/AzureCosmosDB/Cosmos-DB-Migration-Assistant-for-API-for-MongoDB) (DMA) to assist you with the discovery stage and create the data estate migration sheet programmatically.

+It's easy to [setup and run DMA](https://github.com/AzureCosmosDB/Cosmos-DB-Migration-Assistant-for-API-for-MongoDB#how-to-run-the-dma) through an Azure Data Studio client. It can be run from any machine connected to your source MongoDB environment.

+| DB Name | Collection Count | Doc Count | Avg Doc Size | Data Size | Index Count | Index Size |

+| | | | | | | |

+| `bookstoretest` | 2 | 192200 | 4144 | 796572532 | 7 | 260636672 |

+| `cosmosbookstore` | 1 | 96604 | 4145 | 400497620 | 1 | 1814528 |

+| `geo` | 2 | 25554 | 252 | 6446542 | 2 | 266240 |

+| `kagglemeta` | 2 | 87934912 | 190 | 16725184704 | 2 | 891363328 |

+| `pe_orig` | 2 | 57703820 | 668 | 38561434711 | 2 | 861605888 |

+| `portugeseelection` | 2 | 30230038 | 687 | 20782985862 | 1 | 450932736 |

+| `sample_mflix` | 5 | 75583 | 691 | 52300763 | 5 | 798720 |

+| `test` | 1 | 22 | 545 | 12003 | 0 | 0 |

+| `testcol` | 26 | 46 | 88 | 4082 | 32 | 589824 |

+| `testhav` | 3 | 2 | 528 | 1057 | 3 | 36864 |

+| **TOTAL:** | **46** | **176258781** | | **72.01 GB** | | **2.3 GB** |

+Alternately, you may refer to the sample spreadsheet in this guide and create a similar document yourself.

+* As you progress through this guide, you build this spreadsheet into a tracking document for your end-to-end migration planning, adding columns as needed.

+[Database Migration Assistant](https://github.com/AzureCosmosDB/Cosmos-DB-Migration-Assistant-for-API-for-MongoDB) (DMA) also assists you with the assessment stage of pre-migration planning.

+Refer to the section [Programmatic discovery using the Database Migration Assistant](#programmatic-discovery-using-the-database-migration-assistant) to know how to setup and run DMA.

+The DMA notebook runs a few assessment rules against the resource list it gathers from source MongoDB. The assessment result lists the required and recommended changes needed to proceed with the migration.

+With the discovery and assessment steps complete, you're done with the MongoDB side of the equation. Now it's time to plan the Azure Cosmos DB side of the equation. How are you planning to set up and configure your production Azure Cosmos DB resources? Do your planning at a *per-resource* level ΓÇô that means you should add the following columns to your planning spreadsheet:

+* Azure Cosmos DB mapping

+* Shard key

+* If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

+* **Capacity model**: Database capacity on Azure Cosmos DB is based on a throughput-based model. This model is based on [Request Units per second](../request-units.md), which is a unit that represents the number of database operations that can be executed against a collection on a per-second basis. This capacity can be allocated at [a database or collection level](../set-throughput.md), and it can be provisioned on an allocation model, or using the [autoscale provisioned throughput](../provision-throughput-autoscale.md).

+* **Request Units**: Every database operation has an associated Request Units (RUs) cost in Azure Cosmos DB. When executed, the request units are subtracted from the available request units level on a given second. If a request requires more RUs than the currently allocated RU/s there are two options to solve the issue - increase the number of RUs, or wait until the next second starts, and then retry the operation.

+* **Elastic capacity**: The capacity for a given collection or database can change at any time. This flexibility allows for the database to elastically adapt to the throughput requirements of your workload.

+* **Automatic sharding**: Azure Cosmos DB provides an automatic partitioning system that only requires a shard (or a partition key). The [automatic partitioning mechanism](../partitioning-overview.md) is shared across all the Azure Cosmos DB APIs and it allows for seamless data and throughout scaling through horizontal distribution.

+Figure out what Azure Cosmos DB resources you create. This process requires stepping through your data estate migration spreadsheet and mapping each existing MongoDB resource to a new Azure Cosmos DB resource.

+* Anticipate that each MongoDB database becomes an Azure Cosmos DB database.

+* Anticipate that each MongoDB collection becomes an Azure Cosmos DB collection.

+* Choose a naming convention for your Azure Cosmos DB resources. Keeping the same resource names is usually a fine choice, unless there are any changes in the structure of databases and collections.

+* Determine whether you're using sharded or unsharded collections in Azure Cosmos DB. The unsharded collection limit is 20 GB. Sharding, on the other hand, helps achieve horizontal scale that is critical to the performance of many workloads.

+* If using sharded collections, *don't assume that your MongoDB collection shard key becomes your Azure Cosmos DB container partition key*. Don't assume that your existing MongoDB data model document structure should be the same model you employ on Azure Cosmos DB.

+ * Shard key is the single most important setting for optimizing the scalability and performance of Azure Cosmos DB, and data modeling is the second most important. Both of these settings are immutable and can't be changed once they're set; therefore it's highly important to optimize them in the planning phase. Follow the guidance in the [Immutable decisions](#immutable-decisions) section for more information.

+* Azure Cosmos DB doesn't recognize certain MongoDB collection types such as capped collections. For these resources, just create normal Azure Cosmos DB collections.

+* Azure Cosmos DB has two collection types of its own ΓÇô shared and dedicated throughput. Shared vs dedicated throughput is another critical, immutable decision, which it's vital to make in the planning phase. Follow the guidance in the [Immutable decisions](#immutable-decisions) section for more information.

+The following Azure Cosmos DB configuration choices can't be modified or undone once you've created an Azure Cosmos DB resource; therefore it's important to get these configuration choices right during pre-migration planning, before you kick off any migrations:

+* Refer to [Partitioning and horizontal scaling in Azure Cosmos DB](../partitioning-overview.md) to choose the best shard key. Partitioning, also known as Sharding, is a key point of consideration before migrating data. Azure Cosmos DB uses fully managed partitioning to increase the capacity in a database to meet the storage and throughput requirements. This feature doesn't need the hosting or configuration of routing servers.

+ * In a similar way, the partitioning capability automatically adds capacity and rebalances the data accordingly. For more information on choosing the right partition key for your data, see [choosing a partition key](../partitioning-overview.md#choose-partitionkey).

+* Follow [Optimize provisioned throughput cost in Azure Cosmos DB](../optimize-cost-throughput.md#optimize-by-provisioning-throughput-at-different-levels) to choose between dedicated and shared throughput for each resource that you migrate

+* You can use the [Azure Cosmos DB capacity calculator](https://cosmos.azure.com/capacitycalculator/) to determine the number of Request Units you should use. This number is based on your database account configuration, amount of data, document size, and required reads and writes per second.

+ * **Document size**: As the size of an item/document increase, the number of RUs consumed to read or write the item/document also increases.

+ * **Document property count**:The number of RUs consumed to create or update a document is related to the number, complexity and length of its properties. You can reduce the request unit consumption for write operations by [limiting the number of indexed properties](indexing.md).

+ * **Query patterns**: The complexity of a query affects how many request units the query consumes.

+* The best way to understand the cost of queries is to use sample data in Azure Cosmos DB, [and run sample queries from the MongoDB Shell](connect-account.md) using the `getLastRequestStastistics` command to get the request charge, which outputs the number of RUs consumed:

+ ```bash

+ db.runCommand({getLastRequestStatistics: 1})

+ ```

+ *This command outputs a JSON document similar to the following example:

+ ```json

+ {

+ "_t": "GetRequestStatisticsResponse",

+ "ok": 1,

+ "CommandName": "find",

+ "RequestCharge": 10.1,

+ "RequestDurationInMilliSeconds": 7.2

+ }

+ ```

+* You can also use [the diagnostic settings](../monitor-resource-logs.md) to understand the frequency and patterns of the queries executed against Azure Cosmos DB. The results from the diagnostic logs can be sent to a storage account, an Event Hubs instance or [Azure Log Analytics](../../azure-monitor/logs/log-analytics-tutorial.md).

+Finally, now that you have a view of your existing data estate and a design for your new Azure Cosmos DB data estate, you're ready to plan how to execute your migration process end-to-end. Once again, do your planning at a *per-resource* level, adding columns to your spreadsheet to capture the logistic dimensions included in this section.

+* Assign responsibility for migrating each existing resource from MongoDB to Azure Cosmos DB. How you apply your team resources in order to shepherd your migration to completion is up to you. For small migrations, you can have one team kick off the entire migration and monitor its progress. For larger migrations, you could assign responsibility to team-members on a per-resource basis for migrating and monitoring that resource.

+ * Before you plan which migration tools to use, we recommend acquainting yourself with the options that are available. The [Azure Database Migration Service for Azure Cosmos DB's API for MongoDB](../../dms/tutorial-mongodb-cosmos-db.md) provides a mechanism that simplifies data migration by providing a fully managed hosting platform, migration monitoring options and automatic throttling handling. Here's a full list of options:

+ |**Migration type**|**Solution**|**Considerations**|

+ ||||

+ |Online|[Azure Database Migration Service](../../dms/tutorial-mongodb-cosmos-db-online.md)|&bull; Uses the [bulk executor library](../bulk-executor-overview.md) for Azure Cosmos DB <br />&bull; Suitable for large datasets and takes care of replicating live changes <br/>&bull; Works only with other MongoDB sources|

+ |Offline|[Azure Database Migration Service](../../dms/tutorial-mongodb-cosmos-db-online.md)|&bull; Uses the [bulk executor library](../bulk-executor-overview.md) for Azure Cosmos DB <br/>&bull; Suitable for large datasets and takes care of replicating live changes <br/>&bull; Works only with other MongoDB sources|

+ |Offline|[Azure Data Factory](../../data-factory/connector-azure-cosmos-db.md)|&bull; Uses the [bulk executor library](../bulk-executor-overview.md) for Azure Cosmos DB <br/>&bull; Suitable for large datasets <br/> &bull; Easy to set up and supports multiple sources <br/> &bull; Lack of checkpointing means that any issue during migration would require a restart of the whole migration process<br/>&bull; Lack of a dead letter queue would mean that a few erroneous files could stop the entire migration process <br/>&bull; Needs custom code to increase read throughput for certain data sources|

+ |Offline|[Existing Mongo Tools (mongodump, mongorestore, Studio3T)](tutorial-mongotools-cosmos-db.md)|&bull; Easy to set up and integration <br/>&bull; Needs custom handling for throttles|

+ *|Offline/online|[Azure Databricks and Spark](migrate-databricks.md)|&bull; Full control of migration rate and data transformation <br/>&bull; Requires custom coding|

+

+ * If your resource can tolerate an offline migration, use this diagram to choose the appropriate migration tool:

+ 

+ * If your resource requires an online migration, use this diagram to choose the appropriate migration tool:

+ 

+ * Watch an [overview and demo of the migration solutions](https://www.youtube.com/watch?v=WN9h80P4QJM) video.

+* Once you have chosen migration tools for each resource, the next step is to prioritize the resources you'll migrate. Good prioritization can help keep your migration on schedule. A good practice is to prioritize migrating those resources, which need the most time to be moved; migrating these resources first bring the greatest progress toward completion. Furthermore, since these time-consuming migrations typically involve more data, they're more resource-intensive for the migration tool and therefore are more likely to expose any problems with your migration pipeline early on. This practice minimizes the chance that your schedule slips due to any difficulties with your migration pipeline.

+* Plan how you monitor the progress of migration once it has started. If you're coordinating your data migration effort among a team, plan a regular cadence of team syncs too, so that you have a comprehensive view of how the high-priority migrations are going.

+The best choice of MongoDB migration tool depends on your migration scenario.

+Here's a list of compatible tools for each migration scenario:

+| Source | Destination | Process recommendation |

+| | | |

+| &bull; MongoDB on-premises cluster <br /> &bull; MongoDB on IaaS VM cluster <br /> &bull; MongoDB Atlas cluster - **Offline** | Azure Cosmos DB Mongo API | &bull; <10-GB data: MongoDB native tools <br /> &bull; <1-TB data: Azure DMS <br /> &bull; >1-TB data: Spark |

+| &bull; MongoDB on-premises cluster <br /> &bull; MongoDB on IaaS VM cluster <br /> &bull; MongoDB Atlas cluster - **Online** | Azure Cosmos DB Mongo API | &bull; <1-TB data: Azure DMS <br /> &bull; >1-TB data: Spark + Mongo Changestream |

+| &bull; Need to change schema during migration <br /> Need more flexibility than aforementioned tools | Azure Cosmos DB Mongo API | &bull; ADF is more flexible than DMS, it supports schema modifications during migration and supports the most source/destination combinations <br /> &bull; DMS is better in terms of scale (ex. faster migration) |

+| &bull; JSON file | Azure Cosmos DB Mongo API | &bull; MongoDB native tools specifically **mongoimport** |

+| &bull; CSV file | Azure Cosmos DB Mongo API | &bull; MongoDB native tools specifically **mongoimport** |

+| &bull; BSON file | Azure Cosmos DB Mongo API | &bull; MongoDB native tools specifically **mongorestore** |

+Given that you're migrating from a particular MongoDB version, the supported tools for each version are included here:

+| MongoDB source version | Azure Cosmos DB for MongoDB destination version | Supported tools | Unsupported tools |

+| | | | |

+| <2.x, >4.0 | 3.2, 3.6, 4.0 | MongoDB native tools, Spark | DMS, ADF |

+| 3.2, 3.6, 4.0 | 3.2, 3.6, 4.0 | MongoDB native tools, DMS, ADF, Spark | None |

+In the pre-migration phase, spend some time to plan what steps you take toward app migration and optimization post-migration.

+* In the post-migration phase, you execute a cutover of your application to use Azure Cosmos DB instead of your existing MongoDB data estate.

+* Make your best effort to plan out indexing, global distribution, consistency, and other *mutable* Azure Cosmos DB properties at a per resource level. However, these Azure Cosmos DB configuration settings *can* be modified later, so expect to make adjustments to these settings later. You apply these mutable configurations post-migration.

+ * [Offline migration using MongoDB native tools](tutorial-mongotools-cosmos-db.md)

+ * [Offline migration using Azure database migration service (DMS)](../../dms/tutorial-mongodb-cosmos-db.md)

+ * [Online migration using Azure database migration service (DMS)](../../dms/tutorial-mongodb-cosmos-db-online.md)

+ Title: Troubleshoot "request header too large" or "bad request"

+description: Learn how to diagnose and fix either the HTTP request header too large or bad request (400) exceptions.

+# Diagnose and troubleshoot "request header too large" or "bad request" messages in Azure Cosmos DB SDK for .NET

+The "Request header too large" message is thrown with an HTTP error code 400. This error occurs if the size of the request header has grown so large that it exceeds the maximum-allowed size. We recommend that you use the latest version of the Azure Cosmos DB SDK for .NET. We recommend that you use version 3.x because this major version adds header size tracing to the exception message.

+This section reviews scenarios where the session token is too large.

+#### Cause

+#### Temporary mitigation

+Restart your client application to reset all the session tokens. Eventually, the session token grows back to the previous size that caused the issue. To avoid this issue completely, use the solution in the next section.

+#### Solution

+This section reviews scenarios where the continuation token is too large.

+#### Cause

+The 400 bad request occurs on query operations where the continuation token is used if the token has grown too large. This error can also occur if different queries have different continuation token sizes.

+#### Solution

+1. Follow the guidance in the [.NET v3](performance-tips-dotnet-sdk-v3.md) or [.NET v2](performance-tips.md) performance tips articles. Convert the application to use the direct connection mode with the TCP protocol. The direct connection mode with the TCP protocol doesn't have the header size restriction like the HTTP protocol, so it avoids this issue.

+ Title: Partitioning and horizontal scaling

+description: Learn about partitioning, logical, physical partitions in Azure Cosmos DB, best practices when choosing a partition key, and how to manage logical partitions.

+Azure Cosmos DB uses partitioning to scale individual containers in a database to meet the performance needs of your application. The items in a container are divided into distinct subsets called *logical partitions*. Logical partitions are formed based on the value of a *partition key* that is associated with each item in a container. All the items in a logical partition have the same partition key value.

+A logical partition also defines the scope of database transactions. You can update items within a logical partition by using a [transaction with snapshot isolation](database-transactions-optimistic-concurrency.md). When new items are added to a container, the system transparently creates new logical partitions. You don't have to worry about deleting a logical partition when the underlying data is deleted.

+There's no limit to the number of logical partitions in your container. Each logical partition can store up to 20 GB of data. Good partition key choices have a wide range of possible values. For example, in a container where all items contain a `foodGroup` property, the data within the `Beef Products` logical partition can grow up to 20 GB. [Selecting a partition key](#choose-partitionkey) with a wide range of possible values ensures that the container is able to scale.

+A container is scaled by distributing data and throughput across physical partitions. Internally, one or more logical partitions are mapped to a single physical partition. Typically smaller containers have many logical partitions but they only require a single physical partition. Unlike logical partitions, physical partitions are an internal implementation of the system and Azure Cosmos DB entirely manages physical partitions.

+The number of physical partitions in your container depends on the following characteristics:

+* The total data storage (each individual physical partition can store up to 50 GBs of data).

+There's no limit to the total number of physical partitions in your container. As your provisioned throughput or data size grows, Azure Cosmos DB automatically creates new physical partitions by splitting existing ones. Physical partition splits don't affect your application's availability. After the physical partition split, all data within a single logical partition will still be stored on the same physical partition. A physical partition split simply creates a new mapping of logical partitions to physical partitions.

+For example, consider a container with the path `/foodGroup` specified as the partition key. The container could have any number of physical partitions, but in this example we assume it has three. A single physical partition could contain multiple partition keys. As an example, the largest physical partition could contain the top three most significant size logical partitions: `Beef Products`, `Vegetable and Vegetable Products`, and `Soups, Sauces, and Gravies`.

+If you assign a throughput of 18,000 request units per second (RU/s), then each of the three physical partitions can utilize 1/3 of the total provisioned throughput. Within the selected physical partition, the logical partition keys `Beef Products`, `Vegetable and Vegetable Products`, and `Soups, Sauces, and Gravies` can, collectively, utilize the physical partition's 6,000 provisioned RU/s. Because provisioned throughput is evenly divided across your container's physical partitions, it's important to choose a partition key that evenly distributes throughput consumption. For more information, see [choosing the right logical partition key](#choose-partitionkey).

+Each physical partition consists of a set of replicas, also referred to as a [*replica set*](global-dist-under-the-hood.md). Each replica hosts an instance of the database engine. A replica set makes the data store within the physical partition durable, highly available, and consistent. Each replica that makes up the physical partition inherits the partition's storage quota. All replicas of a physical partition collectively support the throughput that's allocated to the physical partition. Azure Cosmos DB automatically manages replica sets.

+Typically, smaller containers only require a single physical partition, but they still have at least four replicas.

+* The partition key path (For example: "/userId"). The partition key path accepts alphanumeric and underscores (_) characters. You can also use nested objects by using the standard path notation(/).

+Selecting your partition key is a simple but important design choice in Azure Cosmos DB. Once you select your partition key, it isn't possible to change it in-place. If you need to change your partition key, you should move your data to a new container with your new desired partition key. ([Container copy jobs](intra-account-container-copy.md) help with this process.)

+* Be a property that has a value, which doesn't change. If a property is your partition key, you can't update that property's value.

+* Spread request unit (RU) consumption and data storage evenly across all logical partitions. This spread ensures even RU consumption and storage distribution across your physical partitions.

+* Have values that are no larger than 2048 bytes typically, or 101 bytes if large partition keys aren't enabled. For more information, see [large partition keys](large-partition-keys.md)

+If you need [multi-item ACID transactions](database-transactions-optimistic-concurrency.md#multi-item-transactions) in Azure Cosmos DB, you need to use [stored procedures or triggers](how-to-write-stored-procedures-triggers-udfs.md#stored-procedures). All JavaScript-based stored procedures and triggers are scoped to a single logical partition.

+> If you only have one physical partition, the value of the partition key may not be relevant as all queries will target the same physical partition.

+For most containers, the above criteria are all you need to consider when picking a partition key. For large read-heavy containers, however, you might want to choose a partition key that appears frequently as a filter in your queries. Queries can be [efficiently routed to only the relevant physical partitions](how-to-query-container.md#in-partition-query) by including the partition key in the filter predicate.

+This property can be a good partition key choice if most of your workload's requests are queries and most of your queries have an equality filter on the same property. For example, if you frequently run a query that filters on `UserID`, then selecting `UserID` as the partition key would reduce the number of [cross-partition queries](how-to-query-container.md#avoiding-cross-partition-queries).

+However, if your container is small, you probably don't have enough physical partitions to need to worry about the performance of cross-partition queries. Most small containers in Azure Cosmos DB only require one or two physical partitions.

+If your container could grow to more than a few physical partitions, then you should make sure you pick a partition key that minimizes cross-partition queries. Your container requires more than a few physical partitions when either of the following are true:

+* Your container has over 30,000 RUs provisioned

+* Your container stores over 100 GB of data

+The system property *item ID* exists in every item in your container. You may have other properties that represent a logical ID of your item. In many cases, these IDs are also great partition key choices for the same reasons as the *item ID*.

+* You can easily do efficient point reads since you always know an item's partition key if you know its *item ID*.

+* If the *item ID* is the partition key, it becomes a unique identifier throughout your entire container. You can't create items that have duplicate *item IDs*.

+* If you have a read-heavy container with many [physical partitions](partitioning-overview.md#physical-partitions), queries are more efficient if they have an equality filter with the *item ID*.

+* You can't run stored procedures or triggers that target multiple logical partitions.

+ Title: Request Units as a throughput and performance currency

+description: Learn how request units function as a currency in Azure Cosmos DB and how to specify and estimate Request Unit requirements.

+Azure Cosmos DB normalizes the cost of all database operations using Request Units (or RUs, for short). Request unit is a performance currency abstracting the system resources such as CPU, IOPS, and memory that are required to perform the database operations supported by Azure Cosmos DB.

+The cost to do a point read (fetching a single item by its ID and partition key value) for a 1-KB item is one Request Unit (or one RU). All other database operations are similarly assigned a cost using RUs. No matter which API you use to interact with your Azure Cosmos DB container, RUs measure the actual costs of using that API. Whether the database operation is a write, point read, or query, costs are always measured in RUs.

+> [!VIDEO https://learn.microsoft.com/_themes/docs.theme/master/en-us/_themes/global/video-embed.html?id=772fba63-62c7-488c-acdb-a8f686a3b5f4]

+To manage and plan capacity, Azure Cosmos DB ensures that the number of RUs for a given database operation over a given dataset is deterministic. You can examine the response header to track the number of RUs consumed by any database operation. When you understand the [factors that affect RU charges](request-units.md#request-unit-considerations) and your application's throughput requirements, you can run your application cost effectively.

+1. **Provisioned throughput mode**: In this mode, you assign the number of RUs for your application on a per-second basis in increments of 100 RUs per second. To scale the provisioned throughput for your application, you can increase or decrease the number of RUs at any time in increments or decrements of 100 RUs. You can make your changes either programmatically or by using the Azure portal. You're billed on an hourly basis for the number of RUs per second you've provisioned. To learn more, see the [Provisioned throughput](set-throughput.md) article.

+ You can assign throughput at two distinct granularities:

+ * **Containers**: For more information, see [Assign throughput to an Azure Cosmos DB container](how-to-provision-container-throughput.md).

+ * **Databases**: For more information, see [Assign throughput to an Azure Cosmos DB database](how-to-provision-database-throughput.md).

+2. **Serverless mode**: In this mode, you don't have to assign any throughput when creating resources in your Azure Cosmos DB account. At the end of your billing period, you get billed for the number of Request Units consumed by your database operations. To learn more, see the [Serverless throughput](serverless.md) article.

+3. **Autoscale mode**: In this mode, you can automatically and instantly scale the throughput (RU/s) of your database or container based on its usage. This scaling operation doesn't affect the availability, latency, throughput, or performance of the workload. This mode is well suited for mission-critical workloads that have variable or unpredictable traffic patterns, and require SLAs on high performance and scale. To learn more, see the [autoscale throughput](provision-throughput-autoscale.md) article.

+* **Type of reads**: Point reads cost fewer RUs than queries.

+* **Query patterns**: The complexity of a query affects how many RUs are consumed for an operation. Factors that affect the cost of query operations include:

+ The same query on the same data always costs the same number of RUs on repeated executions.

+If you assign *'R'* RUs on an Azure Cosmos DB container (or database), Azure Cosmos DB ensures that *'R'* RUs are available in *each* region associated with your Azure Cosmos DB account. You can't selectively assign RUs to a specific region. The RUs provisioned on an Azure Cosmos DB container (or database) are provisioned in all the regions associated with your Azure Cosmos DB account.

+* Learn more about how to [assign throughput on Azure Cosmos DB containers and databases](set-throughput.md).

+* Learn more about [serverless on Azure Cosmos DB](serverless.md).

+* Learn more about [logical partitions](./partitioning-overview.md)

+Check out the [Manage departments in the Azure portal](https://www.youtube.com/watch?v=vs3wIeRDK4Q) video.

+- [Anonymous authentication](#anonymous-authentication)

+### Anonymous authentication

+The following properties are supported for storage account key authentication in Azure Data Factory or Synapse pipelines:

+| Property | Description | Required |

+|: |: |: |

+| type | The `type` property must be set to `AzureBlobStorage` (suggested) or `AzureStorage` (see the following notes). | Yes |

+| containerUri | Specify the Azure Blob container URI which has enabled Anonymous read access by taking this format `https://<AccountName>.blob.core.windows.net/<ContainerName>` and [Configure anonymous public read access for containers and blobs](/azure/storage/blobs/anonymous-read-access-configure#set-the-public-access-level-for-a-container) | Yes |

+| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. You can use the Azure integration runtime or the self-hosted integration runtime (if your data store is in a private network). If this property isn't specified, the service uses the default Azure integration runtime. | No |

+**Example:**

+```json

+{

+ "name": "AzureBlobStorageAnonymous",

+ "properties": {

+ "annotations": [],

+ "type": "AzureBlobStorage",

+ "typeProperties": {

+ "containerUri": "https:// <accountname>.blob.core.windows.net/ <containername>",

+ "authenticationType": "Anonymous"

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+**Examples UI**:

+The UI experience will be like below. This sample will use the Azure open dataset as the source. If you want to get the open [dataset bing_covid-19_data.csv](https://pandemicdatalake.blob.core.windows.net/public/curated/covid-19/bing_covid-19_data/latest/bing_covid-19_data.csv), you just need to choose **Authentication type** as **Anonymous** and fill in Container URI with `https://pandemicdatalake.blob.core.windows.net/public`.

+Azure Data Factory can get new or changed files only from Azure Blob Storage by enabling **Enable change data capture ** in the mapping data flow source transformation. With this connector option, you can read new or updated files only and apply transformations before loading transformed data into destination datasets of your choice. Pleaser refer to [Change Data Capture](concepts-change-data-capture.md) for details.

+ Upload the **tutorial.py** to a blob storage. ([How to upload a file into blob](/azure/storage/blobs/storage-quickstart-blobs-portal))

+ > Applications are defined by their publishers. If an application doesn't have publisher information (it's unsigned), a path rule is created for the full path of the specific application.

+ :::image type="content" source="media/adaptive-application/recent-alerts.png" alt-text="Screenshot showing recent alerts.":::

+ :::image type="content" source="media/adaptive-application/adaptive-application-alerts-start-time.png" alt-text="Screenshot of the start time of adaptive application controls alerts showing that the time is when adaptive application controls created the alert.":::

+When you move a machine from one group to another, the application control policy applied to it changes to the settings of the group that you moved it to. You can also move a machine from a configured group to a non-configured group, which removes any application control rules that were applied to the machine.

+The relevant API documentation is available in [the Adaptive application Controls section of Defender for Cloud's API docs](/rest/api/defenderforcloud/adaptive-application-controls).

+* **Get** retrieves the JSON with the full recommendation data (that is, list of machines, publisher/path rules, and so on).

+- Security alerts are triggered by advanced detections in Defender for Cloud, and are available when you enable Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).

+If your subscription has Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads) enabled, you'll receive security alerts when Defender for Cloud detects threats to their resources.

+|Pricing:|Free<br>(Most security alerts are only available with [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads))|

+- Which of my subscriptions with [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads) enabled have outstanding recommendations?

+Like for Log Analytics workspaces, Defender for Cloud users are eligible for [500-MB of free data](plan-defender-for-servers-data-workspace.md#log-analytics-pricing-faq) daily on defined data types that include security events.

+Learn about Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).

+Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) with a set of security measures and practices designed to protect cloud-based applications from various cyber threats and vulnerabilities. Defender for Cloud combines the capabilities of:

+- A development security operations (DevSecOps) solution that unifies security management at the code level across multicloud and multiple-pipeline environments

+- A cloud security posture management (CSPM) solution that surfaces actions that you can take to prevent breaches

+- A cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads

+

+## Secure cloud applications

+Defender for Cloud helps you to incorporate good security practices early during the software development process, or DevSecOps. You can protect your code management environments and your code pipelines, and get insights into your development environment security posture from a single location. Defender for Cloud currently includes Defender for DevOps.

+TodayΓÇÖs applications require security awareness at the code, infrastructure, and runtime levels to make sure that deployed applications are hardened against attacks.

+| Capability | What problem does it solve? | Get started | Defender plan and pricing |

+| - | | -- | - |

+| [Code pipeline insights](defender-for-devops-introduction.md) | Empowers security teams with the ability to protect applications and resources from code to cloud across multi-pipeline environments, including GitHub and Azure DevOps. Findings from Defender for DevOps, such as IaaC misconfigurations and exposed secrets, can then be correlated with other contextual cloud security insights to prioritize remediation in code. | Connect [Azure DevOps](quickstart-onboard-devops.md) and [GitHub](quickstart-onboard-github.md) repositories to Defender for Cloud | [Defender for DevOps](https://azure.microsoft.com/pricing/details/defender-for-cloud/) |

+## Improve your security posture

+The security of your cloud and on-premises resources depends on proper configuration and deployment. Defender for Cloud recommendations identify the steps that you can take to secure your environment.

+Defender for Cloud includes Foundational CSPM (Free) capabilities for free. You can also enable advanced CSPM capabilities by enabling paid Defender plans.

+| Capability | What problem does it solve? | Get started | Defender plan and pricing |

+| - | | -- | - |

+| [Centralized policy management](security-policy-concept.md) | Define the security conditions that you want to maintain across your environment. The policy translates to recommendations that identify resource configurations that violate your security policy. The [Microsoft cloud security benchmark](concept-regulatory-compliance.md) is a built-in standard that applies security principles with detailed technical implementation guidance for Azure, for other cloud providers (such as AWS and GCP), and for other Microsoft clouds. | [Customize security a policy](custom-security-policies.md) | Foundational CSPM (Free) |

+| [Secure score]( secure-score-security-controls.md) | Summarize your security posture based on the security recommendations. As you remediate recommendations, your secure score improves. | [Track your secure score](secure-score-access-and-track.md) | Foundational CSPM (Free) |

+| [Multicloud coverage](plan-multicloud-security-get-started.md) | Connect to your multicloud environments with agentless methods for CSPM insight and CWP protection. | Connect your [Amazon AWS](quickstart-onboard-aws.md) and [Google GCP](quickstart-onboard-gcp.md) cloud resources to Defender for Cloud | Foundational CSPM (Free) |

+| [Cloud Security Posture Management (CSPM)](concept-cloud-security-posture-management.md) | Use the dashboard to see weaknesses in your security posture. | [Enable CSPM tools](enable-enhanced-security.md) | Foundational CSPM (Free) |

+| [Advanced Cloud Security Posture Management](concept-cloud-security-posture-management.md) | Get advanced tools to identify weaknesses in your security posture, including:</br>- Governance to drive actions to improve your security posture</br>- Regulatory compliance to verify compliance with security standards</br>- Cloud security explorer to build a comprehensive view of your environment | [Enable CSPM tools](enable-enhanced-security.md) | Defender CSPM |

+| [Attack path analysis](concept-attack-path.md#what-is-attack-path-analysis) | Model traffic on your network to identify potential risks before you implement changes to your environment. | [Build queries to analyze paths](how-to-manage-attack-path.md) | Defender CSPM |

+| [Cloud Security Explorer](concept-attack-path.md#what-is-cloud-security-explorer) | A map of your cloud environment that lets you build queries to find security risks. | [Build queries to find security risks](how-to-manage-cloud-security-explorer.md) | Defender CSPM |

+| [Security governance](governance-rules.md#building-an-automated-process-for-improving-security-with-governance-rules) | Drive security improvements through your organization by assigning tasks to resource owners and tracking progress in aligning your security state with your security policy. | [Define governance rules](governance-rules.md#defining-governance-rules-to-automatically-set-the-owner-and-due-date-of-recommendations) | Defender CSPM |

+| [Microsoft Entra Permissions Management](../active-directory/cloud-infrastructure-entitlement-management/index.yml) | Provide comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and GCP. | [Review your Permission Creep Index (CPI)](other-threat-protections.md#entra-permission-management-formerly-cloudknox) | Defender CSPM |

+## Protect cloud workloads

+Proactive security principles require that you implement security practices that protect your workloads from threats. Cloud workload protections (CWP) surface workload-specific recommendations that lead you to the right security controls to protect your workloads.

+When your environment is threatened, security alerts right away indicate the nature and severity of the threat so you can plan your response. After you identify a threat in your environment, you need to quickly respond to limit the risk to your resources.

+| Capability | What problem does it solve? | Get started | Defender plan and pricing |

+| - | | -- | - |

+| Protect cloud servers | Provide server protections through Microsoft Defender for Endpoint or extended protection with just-in-time network access, file integrity monitoring, vulnerability assessment, and more. | [Secure your multicloud and on-premises servers](defender-for-servers-introduction.md) | [Defender for Servers](https://azure.microsoft.com/pricing/details/defender-for-cloud/) |

+| Identify threats to your storage resources | Detect unusual and potentially harmful attempts to access or exploit your storage accounts using advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. | [Protect your cloud storage resources](defender-for-storage-introduction.md) | [Defender for Storage](https://azure.microsoft.com/pricing/details/defender-for-cloud/) |

+| Protect cloud databases | Protect your entire database estate with attack detection and threat response for the most popular database types in Azure to protect the database engines and data types, according to their attack surface and security risks. | [Deploy specialized protections for cloud and on-premises databases](quickstart-enable-database-protections.md) | - [Defender for Azure SQL Databases](https://azure.microsoft.com/pricing/details/defender-for-cloud/)</br>- [Defender for SQL servers on machines](https://azure.microsoft.com/pricing/details/defender-for-cloud/)</br>- [Defender for Open-source relational databases](https://azure.microsoft.com/pricing/details/defender-for-cloud/)</br>- [Defender for Azure Cosmos DB](https://azure.microsoft.com/pricing/details/defender-for-cloud/) |

+| Protect containers | Secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications with environment hardening, vulnerability assessments, and run-time protection. | [Find security risks in your containers](defender-for-containers-introduction.md) | [Defender for Containers](https://azure.microsoft.com/pricing/details/defender-for-cloud/) |

+| [Infrastructure service insights](asset-inventory.md) | Diagnose weaknesses in your application infrastructure that can leave your environment susceptible to attack. | - [Identify attacks targeting applications running over App Service](defender-for-app-service-introduction.md)</br>- [Detect attempts to exploit Key Vault accounts](defender-for-key-vault-introduction.md)</br>- [Get alerted on suspicious Resource Manager operations](defender-for-resource-manager-introduction.md)</br>- [Expose anomalous DNS activities](defender-for-dns-introduction.md) | - [Defender for App Service](https://azure.microsoft.com/pricing/details/defender-for-cloud/)</br></br>- [Defender for Key Vault](https://azure.microsoft.com/pricing/details/defender-for-cloud/)</br></br>- [Defender for Resource Manager](https://azure.microsoft.com/pricing/details/defender-for-cloud/)</br></br>- [Defender for DNS](https://azure.microsoft.com/pricing/details/defender-for-cloud/)|

+| [Security alerts](alerts-overview.md) | Get informed of real-time events that threaten the security of your environment. Alerts are categorized and assigned severity levels to indicate proper responses. | [Manage security alerts]( managing-and-responding-alerts.md) | [Any workload protection Defender plan](#protect-cloud-workloads) |

+| [Security incidents](alerts-overview.md#what-are-security-incidents) | Correlate alerts to identify attack patterns and integrate with Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions to respond to threats and limit the risk to your resources. | [Export alerts to SIEM, SOAR, or ITSM systems](export-to-siem.md) | [Any workload protection Defender plan](#protect-cloud-workloads) |

+For more information about Defender for Cloud and how it works, check out:

+- A [step-by-step walkthrough](https://mslearn.cloudguides.com/en-us/guides/Protect%20your%20multi-cloud%20environment%20with%20Microsoft%20Defender%20for%20Cloud) of Defender for Cloud

+- An interview about Defender for Cloud with an expert in cybersecurity in [Lessons Learned from the Field](episode-six.md)

+- [Pricing tier](defender-for-cloud-introduction.md#protect-cloud-workloads): with or without Microsoft Defender for Cloud's Defender plans, which determine which Defender for Cloud features are available for resources in scope (can be specified for subscriptions and workspaces using the API).

+If your agent reports to a workspace other than the **default** workspace, any Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads) that you've enabled on the subscription should also be enabled on the workspace.

+Docker Registry, Microsoft Artifact Registry/Microsoft Container Registry, and Microsoft Azure Red Hat OpenShift (ARO) built-in container image registry are not supported.

+Images should first be imported to ACR. Learn more about [importing container images to an Azure container registry](/azure/container-registry/container-registry-import-images?tabs=azure-cli).

+Learn more about the Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).

+These resources are created under us-east-1 and eu-central-1 in each AWS account where container vulnerability assessment is enabled:

+- Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads)

+ - ![Upgrade plan icon.][4] Upgrade the workspace to use enhanced security features. This icon indicates that the workspace or subscription isn't protected with Microsoft Defender for Servers. To use the FIM features, your subscription must be protected with this plan. Learn about how to [enable Defender for Servers](plan-defender-for-servers-select-plan.md).

+#### Supported operating systems for the Log Analytics agent

+Defender for Cloud depends on the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md). Ensure your machines are running one of the supported operating systems for this agent as described on the following pages:

+* [Log Analytics agent for Windows supported operating systems](../azure-monitor/agents/agents-overview.md#supported-operating-systems)

+* [Log Analytics agent for Linux supported operating systems](../azure-monitor/agents/agents-overview.md#supported-operating-systems)

+Also ensure your Log Analytics agent is [properly configured to send data to Defender for Cloud](working-with-log-analytics-agent.md#manual-agent)

+- Protecting workloads with [the Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads)

+ > When any Microsoft Defender plan is enabled, it's described in a policy definition as being on the 'Standard' setting. When it's disabled, it's 'Free'. To learn about the differences between these plans, see [Microsoft Defender for Cloud's Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).

+- **Workload protections** - This is the cloud workload protection platform (CWPP) integrated within Defender for Cloud for advanced, intelligent protection of your workloads running on Azure, on-premises machines, or other cloud providers. For each resource type, there's a corresponding Microsoft Defender plan. The tile shows the coverage of your connected resources (for the currently selected subscriptions) and the recent alerts, color-coded by severity. Learn more about [the Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).

+ Title: User roles and permissions in Microsoft Defender for Cloud

+# User roles and permissions

+Microsoft Defender for Cloud uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) to provide [built-in roles](../role-based-access-control/built-in-roles.md). You can assign these roles to users, groups, and services in Azure to give users access to resources according the access defined in the role.

+After working through these planning steps, you can start deployment:

+- [Enable Defender for Servers](enable-enhanced-security.md) plans

+- [Connect on-premises machines](quickstart-onboard-machines.md) to Azure.

+- [Connect AWS accounts](quickstart-onboard-aws.md) to Defender for Cloud.

+- [Connect GCP projects](quickstart-onboard-gcp.md) to Defender for Cloud.

+- Learn about [scaling your Defender for Server deployment](plan-defender-for-servers-scale.md).

+## Log Analytics pricing FAQ

+- [Will I be charged for machines without the Log Analytics agent installed?](#will-i-be-charged-for-machines-without-the-log-analytics-agent-installed)

+- [If a Log Analytics agent reports to multiple workspaces, will I be charged twice?](#if-a-log-analytics-agent-reports-to-multiple-workspaces-will-i-be-charged-twice)

+- [If a Log Analytics agent reports to multiple workspaces, is the 500-MB free data ingestion available on all of them?](#if-a-log-analytics-agent-reports-to-multiple-workspaces-is-the-500-mb-free-data-ingestion-available-on-all-of-them)

+- [Is the 500-MB free data ingestion calculated for an entire workspace or strictly per machine?](#is-the-500-mb-free-data-ingestion-calculated-for-an-entire-workspace-or-strictly-per-machine)

+- [What data types are included in the 500-MB data daily allowance?](#what-data-types-are-included-in-the-500-mb-data-daily-allowance)

+- [How can I monitor my daily usage](#how-can-i-monitor-my-daily-usage)

+- [How can I manage my costs?](#how-can-i-manage-my-costs)

+### If I enable Defender for Clouds Servers plan on the subscription level, do I need to enable it on the workspace level?

+When you enable the Servers plan on the subscription level, Defender for Cloud will enable the Servers plan on your default workspaces automatically. Connect to the default workspace by selecting **Connect Azure VMs to the default workspace(s) created by Defender for Cloud** option and selecting **Apply**.

+However, if you're using a custom workspace in place of the default workspace, you'll need to enable the Servers plan on all of your custom workspaces that don't have it enabled.

+If you're using a custom workspace and enable the plan on the subscription level only, the `Microsoft Defender for servers should be enabled on workspaces` recommendation will appear on the Recommendations page. This recommendation will give you the option to enable the servers plan on the workspace level with the Fix button. You're charged for all VMs in the subscription even if the Servers plan isn't enabled for the workspace. The VMs won't benefit from features that depend on the Log Analytics workspace, such as Microsoft Defender for Endpoint, VA solution (TVM/Qualys), and Just-in-Time VM access.

+Enabling the Servers plan on both the subscription and its connected workspaces, won't incur a double charge. The system will identify each unique VM.

+If you enable the Servers plan on cross-subscription workspaces, connected VMs from all subscriptions will be billed, including subscriptions that don't have the Servers plan enabled.

+### Will I be charged for machines without the Log Analytics agent installed?

+Yes. When you enable [Microsoft Defender for Servers](defender-for-servers-introduction.md) on an Azure subscription or a connected AWS account, you'll be charged for all machines that are connected to your Azure subscription or AWS account. The term machines include Azure virtual machines, Azure Virtual Machine Scale Sets instances, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.

+### If a Log Analytics agent reports to multiple workspaces, will I be charged twice?

+If a machine, reports to multiple workspaces, and all of them have Defender for Servers enabled, the machines will be billed for each attached workspace.

+### If a Log Analytics agent reports to multiple workspaces, is the 500-MB free data ingestion available on all of them?

+Yes. If you configure your Log Analytics agent to send data to two or more different Log Analytics workspaces (multi-homing), you'll get 500-MB free data ingestion for each workspace. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500-MB limit.

+### Is the 500-MB free data ingestion calculated for an entire workspace or strictly per machine?

+You'll get 500-MB free data ingestion per day, for every VM connected to the workspace. Specifically for the [security data types](#what-data-types-are-included-in-the-500-mb-data-daily-allowance) that are directly collected by Defender for Cloud.

+This data is a daily rate averaged across all nodes. Your total daily free limit is equal to **[number of machines] x 500 MB**. So even if some machines send 100 MB and others send 800 MB, if the total doesn't exceed your total daily free limit, you won't be charged extra.

+### What data types are included in the 500-MB data daily allowance?

+Defender for Cloud's billing is closely tied to the billing for Log Analytics. [Microsoft Defender for Servers](defender-for-servers-introduction.md) provides a 500 MB/node/day allocation for machines against the following subset of [security data types](/azure/azure-monitor/reference/tables/tables-category#security):

+- [SecurityAlert](/azure/azure-monitor/reference/tables/securityalert)

+- [SecurityBaseline](/azure/azure-monitor/reference/tables/securitybaseline)

+- [SecurityBaselineSummary](/azure/azure-monitor/reference/tables/securitybaselinesummary)

+- [SecurityDetection](/azure/azure-monitor/reference/tables/securitydetection)

+- [SecurityEvent](/azure/azure-monitor/reference/tables/securityevent)

+- [WindowsFirewall](/azure/azure-monitor/reference/tables/windowsfirewall)

+- [SysmonEvent](/azure/azure-monitor/reference/tables/sysmonevent)

+- [ProtectionStatus](/azure/azure-monitor/reference/tables/protectionstatus)

+- [Update](/azure/azure-monitor/reference/tables/update) and [UpdateSummary](/azure/azure-monitor/reference/tables/updatesummary) when the Update Management solution isn't running in the workspace or solution targeting is enabled.

+If the workspace is in the legacy Per Node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data.

+### How can I monitor my daily usage?

+You can view your data usage in two different ways, the Azure portal, or by running a script.

+**To view your usage in the Azure portal**:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Log Analytics workspaces**.

+1. Select your workspace.

+1. Select **Usage and estimated costs**.

+ :::image type="content" source="media/plan-defender-for-servers-data-workspace/data-usage.png" alt-text="Screenshot of your data usage of your log analytics workspace. " lightbox="media/plan-defender-for-servers-data-workspace/data-usage.png":::

+You can also view estimated costs under different pricing tiers by selecting :::image type="icon" source="media/plan-defender-for-servers-data-workspace/drop-down-icon.png" border="false"::: for each pricing tier.

+**To view your usage by using a script**:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Log Analytics workspaces** > **Logs**.

+1. Select your time range. Learn about [time ranges](../azure-monitor/logs/log-analytics-tutorial.md).

+1. Copy and past the following query into the **Type your query here** section.

+ ```azurecli

+ let Unit= 'GB';

+ Usage

+ | where IsBillable == 'TRUE'

+ | where DataType in ('SecurityAlert', 'SecurityBaseline', 'SecurityBaselineSummary', 'SecurityDetection', 'SecurityEvent', 'WindowsFirewall', 'MaliciousIPCommunication', 'SysmonEvent', 'ProtectionStatus', 'Update', 'UpdateSummary')

+ | project TimeGenerated, DataType, Solution, Quantity, QuantityUnit

+ | summarize DataConsumedPerDataType = sum(Quantity)/1024 by DataType, DataUnit = Unit

+ | sort by DataConsumedPerDataType desc

+ ```

+1. Select **Run**.

+ :::image type="content" source="media/plan-defender-for-servers-data-workspace/select-run.png" alt-text="Screenshot showing where to enter your query and where the select run button is located." lightbox="media/plan-defender-for-servers-data-workspace/select-run.png":::

+You can learn how to [Analyze usage in Log Analytics workspace](../azure-monitor/logs/analyze-usage.md).

+Based on your usage, you won't be billed until you've used your daily allowance. If you're receiving a bill, it's only for the data used after the 500-MB limit is reached, or for other service that doesn't fall under the coverage of Defender for Cloud.

+### How can I manage my costs?

+You may want to manage your costs and limit the amount of data collected for a solution by limiting it to a particular set of agents. Use [solution targeting](../azure-monitor/insights/solution-targeting.md) to apply a scope to the solution and target a subset of computers in the workspace. If you're using solution targeting, Defender for Cloud lists the workspace as not having a solution.

+> [!IMPORTANT]

+> Solution targeting has been deprecated because the Log Analytics agent is being replaced with the Azure Monitor agent and solutions in Azure Monitor are being replaced with insights. You can continue to use solution targeting if you already have it configured, but it is not available in new regions.

+> The feature will not be supported after August 31, 2024.

+> Regions that support solution targeting until the deprecation date are:

+>

+> | Region code | Region name |

+> | : | :- |

+> | CCAN | canadacentral |

+> | CHN | switzerlandnorth |

+> | CID | centralindia |

+> | CQ | brazilsouth |

+> | CUS | centralus |

+> | DEWC | germanywestcentral |

+> | DXB | UAENorth |

+> | EA | eastasia |

+> | EAU | australiaeast |

+> | EJP | japaneast |

+> | EUS | eastus |

+> | EUS2 | eastus2 |

+> | NCUS | northcentralus |

+> | NEU | NorthEurope |

+> | NOE | norwayeast |

+> | PAR | FranceCentral |

+> | SCUS | southcentralus |

+> | SE | KoreaCentral |

+> | SEA | southeastasia |

+> | SEAU | australiasoutheast |

+> | SUK | uksouth |

+> | WCUS | westcentralus |

+> | WEU | westeurope |

+> | WUS | westus |

+> | WUS2 | westus2 |

+>

+> | Air-gapped clouds | Region code | Region name |

+> | :- | :- | :- |

+> | UsNat | EXE | usnateast |

+> | UsNat | EXW | usnatwest |

+> | UsGov | FF | usgovvirginia |

+> | China | MC | ChinaEast2 |

+> | UsGov | PHX | usgovarizona |

+> | UsSec | RXE | usseceast |

+> | UsSec | RXW | ussecwest |

+When you enable [Microsoft Defender for Servers](defender-for-servers-introduction.md) on an Azure subscription or a connected AWS account, all of the connected machines will be protected by Defender for Servers. You can enable Microsoft Defender for Servers at the Log Analytics workspace level, but only servers reporting to that workspace will be protected and billed and those servers won't receive some benefits, such as Microsoft Defender for Endpoint, vulnerability assessment, and just-in-time VM access.

+## Defender for Servers pricing FAQ

+- [My subscription has Microsoft Defender for Servers enabled, which machines do I pay for?](#my-subscription-has-microsoft-defender-for-servers-enabled-which-machines-do-i-pay-for)

+- [If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Defender for Servers?](#if-i-already-have-a-license-for-microsoft-defender-for-endpoint-can-i-get-a-discount-for-defender-for-servers)

+### My subscription has Microsoft Defender for Servers enabled, which machines do I pay for?

+When you enable [Microsoft Defender for Servers](defender-for-servers-introduction.md) on a subscription, all machines in that subscription (including machines that are part of PaaS services and reside in this subscription) are billed according to their power state as shown in the following table:

+| State | Description | Instance usage billed |

+|--|--|--|

+| Starting | VM is starting up. | Not billed |

+| Running | Normal working state for a VM | Billed |

+| Stopping | This state is transitional. When completed, it will show as Stopped. | Billed |

+| Stopped | The VM has been shut down from within the guest OS or using the PowerOff APIs. Hardware is still allocated to the VM and it remains on the host. | Billed |

+| Deallocating | This state is transitional. When completed, the VM will show as Deallocated. | Not billed |

+| Deallocated | The VM has been stopped successfully and removed from the host. | Not billed |

+### If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Defender for Servers?

+If you already have a license for **Microsoft Defender for Endpoint for Servers Plan 2**, you won't have to pay for that part of your Microsoft Defender for Servers license. Learn more about [this license](/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements).

+To request your discount, [contact Defender for Cloud's support team](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). You'll need to provide the relevant workspace ID, region, and number of Microsoft Defender for Endpoint for servers licenses applied for machines in the given workspace.

+The discount will be effective starting from the approval date, and won't take place retroactively.

+After kicking off the planning process, review the [second article in this planning series](plan-defender-for-servers-data-workspace.md) to understand how your data is stored, and Log Analytics workspace requirements.

+- VMs, subnets, and VNets of the Resource Manager resource type ("classic" Azure resources are not supported)

+- You can click any of the resources to drill down into them and view the details of that resource and its recommendations directly, and in the context of the Network map.

+2. You can click **Reset** in top left corner at any time to return the map to its default state.

+The **Traffic** view provides you with a map of all the possible traffic between your resources. This provides you with a visual map of all the rules you configured that define which resources can communicate with whom. This enables you to see the existing configuration of the network security groups as well as quickly identify possible risky configurations within your workloads.

+2. Click **Traffic** to see the list of possible outbound and inbound traffic on the resource - this is a comprehensive list of who can communicate with the resource and who it can communicate with, and through which protocols and ports. For example, when you select a VM, all the VMs it can communicate with are shown, and when you select a subnet, all the subnets which it can communicate with are shown.

+[Vulnerability assessment](/azure/azure-sql/database/sql-vulnerability-assessment) is an easy to configure service that can discover, track, and help you remediate potential database vulnerabilities. It provides visibility into your security posture as part of secure score and includes the steps to resolve security issues and enhance your database fortifications.

+[Learn more about adaptive network hardening](adaptive-network-hardening.md).

+### Using Azure Resource Manager templates

+Use the [following ARM template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.sql/sql-logical-server/azuredeploy.json) to create a new Azure SQL Logical Server with expresss configuration for SQL vulnerability assessment.

+### Can I setup reccuring scans with express configuration?

+Express configuration automatically sets up reccuring scans for all databases under your server. This is the default and is not configurable at server or database level.

+ Title: Microsoft Defender for Cloud interoperability with Azure services and Azure clouds

+description: Learn about the Azure cloud environments where Defender for Cloud can be used and the Azure services that Defender for Cloud protects.

+# Microsoft Defender for Cloud interoperability with Azure services and Azure clouds

+This article indicates the Azure clouds and Azure services that are supported by Microsoft Defender for Cloud.

+## Security benefits for Azure services

+Defender for Cloud provides recommendations, security alerts, and vulnerability assessment for these Azure

+|Service|[Recommendations](security-policy-concept.md) free with [Foundational CSPM](concept-cloud-security-posture-management.md) |[Security alerts](alerts-overview.md) |Vulnerability assessment|

+|:-|:-:|:-:|:-:|

+|Azure App Service|Γ£ö|Γ£ö|-|

+|Azure Automation account|Γ£ö|-|-|

+|Azure Batch account|Γ£ö|-|-|

+|Azure Blob Storage|Γ£ö|Γ£ö|-|

+|Azure Cache for Redis|Γ£ö|-|-|

+|Azure Cloud Services|Γ£ö|-|-|

+|Azure Cognitive Search|Γ£ö|-|-|

+|Azure Container Registry|Γ£ö|Γ£ö|[Defender for Containers](defender-for-containers-introduction.md)|

+|Azure Cosmos DB*|Γ£ö|Γ£ö|-|

+|Azure Data Lake Analytics|Γ£ö|-|-|

+|Azure Data Lake Storage|Γ£ö|Γ£ö|-|

+|Azure Database for MySQL*|-|Γ£ö|-|

+|Azure Database for PostgreSQL*|-|Γ£ö|-|

+|Azure Event Hubs namespace|Γ£ö|-|-|

+|Azure Functions app|Γ£ö|-|-|

+|Azure Key Vault|Γ£ö|Γ£ö|-|

+|Azure Kubernetes Service|Γ£ö|Γ£ö|-|

+|Azure Load Balancer|Γ£ö|-|-|

+|Azure Logic Apps|Γ£ö|-|-|

+|Azure SQL Database|Γ£ö|Γ£ö|[Defender for Azure SQL](defender-for-sql-introduction.md)|

+|Azure SQL Managed Instance|Γ£ö|Γ£ö|[Defender for Azure SQL](defender-for-sql-introduction.md)|

+|Azure Service Bus namespace|Γ£ö|-|-|

+|Azure Service Fabric account|Γ£ö|-|-|

+|Azure Storage accounts|Γ£ö|Γ£ö|-|

+|Azure Stream Analytics|Γ£ö|-|-|

+|Azure Subscription|Γ£ö **|Γ£ö|-|

+|Azure Virtual Network</br> (incl. subnets, NICs, and network security groups)|Γ£ö|-|-|

+\* These features are currently supported in preview.

+\*\* Azure Active Directory (Azure AD) recommendations are available only for subscriptions with [enhanced security features enabled](enable-enhanced-security.md).

+## Features supported in different Azure cloud environments

+Microsoft Defender for Cloud is available in the following Azure cloud environments:

+| Feature/Service | Azure | Azure Government | Azure China 21Vianet |

+||-|--|--|

+| **Defender for Cloud free features** | | | |

+| - [Continuous export](./continuous-export.md) | GA | GA | GA |

+| - [Workflow automation](./workflow-automation.md) | GA | GA | GA |

+| - [Recommendation exemption rules](./exempt-resource.md) | Public Preview | Not Available | Not Available |

+| - [Alert suppression rules](./alerts-suppression-rules.md) | GA | GA | GA |

+| - [Email notifications for security alerts](./configure-email-notifications.md) | GA | GA | GA |

+| - [Deployment of agents and extensions](monitoring-components.md) | GA | GA | GA |

+| - [Asset inventory](./asset-inventory.md) | GA | GA | GA |

+| - [Azure Monitor Workbooks reports in Microsoft Defender for Cloud's workbooks gallery](./custom-dashboards-azure-workbooks.md) | GA | GA | GA |

+| - [Integration with Microsoft Defender for Cloud Apps](./other-threat-protections.md#display-recommendations-in-microsoft-defender-for-cloud-apps) | GA | GA | Not Available |

+| **Microsoft Defender plans and extensions** | | | |

+| - [Microsoft Defender for Servers](./defender-for-servers-introduction.md) | GA | GA | GA |

+| - [Microsoft Defender for App Service](./defender-for-app-service-introduction.md) | GA | Not Available | Not Available |

+| - [Microsoft Defender for DNS](./defender-for-dns-introduction.md) | GA | GA | GA |

+| - [Microsoft Defender for Kubernetes](./defender-for-kubernetes-introduction.md) ^{[1](#footnote1)} | GA | GA | GA |

+| - [Microsoft Defender for Containers](./defender-for-containers-introduction.md) ^{[7](#footnote7)} | GA | GA | GA |

+| - [Defender extension for Azure Arc-enabled Kubernetes clusters, servers or data services](./defender-for-kubernetes-azure-arc.md) ^{[2](#footnote2)} | Public Preview | Not Available | Not Available |

+| - [Microsoft Defender for Azure SQL database servers](./defender-for-sql-introduction.md) | GA | GA | GA ^{[6](#footnote6)} |

+| - [Microsoft Defender for SQL servers on machines](./defender-for-sql-introduction.md) | GA | GA | Not Available |

+| - [Microsoft Defender for open-source relational databases](./defender-for-databases-introduction.md) | GA | Not Available | Not Available |

+| - [Microsoft Defender for Key Vault](./defender-for-key-vault-introduction.md) | GA | Not Available | Not Available |

+| - [Microsoft Defender for Resource Manager](./defender-for-resource-manager-introduction.md) | GA | GA | GA |

+| - [Microsoft Defender for Storage](./defender-for-storage-introduction.md) ^{[3](#footnote3)} | GA | GA | Not Available |

+| - [Microsoft Defender for Azure Cosmos DB](concept-defender-for-cosmos.md) | Public Preview | Not Available | Not Available |

+| - [Kubernetes workload protection](./kubernetes-workload-protections.md) | GA | GA | GA |

+| - [Bi-directional alert synchronization with Sentinel](../sentinel/connect-azure-security-center.md) | Public Preview | Not Available | Not Available |

+| **Microsoft Defender for Servers features** ^{[4](#footnote4)} | | | |

+| - [Just-in-time VM access](./just-in-time-access-usage.md) | GA | GA | GA |

+| - [File Integrity Monitoring](./file-integrity-monitoring-overview.md) | GA | GA | GA |

+| - [Adaptive application controls](./adaptive-application-controls.md) | GA | GA | GA |

+| - [Adaptive network hardening](./adaptive-network-hardening.md) | GA | GA | Not Available |

+| - [Docker host hardening](./harden-docker-hosts.md) | GA | GA | GA |

+| - [Integrated Qualys vulnerability scanner](./deploy-vulnerability-assessment-vm.md) | GA | Not Available | Not Available |

+| - [Regulatory compliance dashboard & reports](./regulatory-compliance-dashboard.md) ^{[5](#footnote5)} | GA | GA | GA |

+| - [Microsoft Defender for Endpoint deployment and integrated license](./integration-defender-for-endpoint.md) | GA | GA | Not Available |

+| - [Connect AWS account](./quickstart-onboard-aws.md) | GA | Not Available | Not Available |

+| - [Connect GCP project](./quickstart-onboard-gcp.md) | GA | Not Available | Not Available |

+^{<a name="footnote1"></a>1} Partially GA: Support for Azure Arc-enabled clusters is in public preview and not available on Azure Government.

+^{<a name="footnote2"></a>2} Requires Microsoft Defender for Kubernetes or Microsoft Defender for Containers.

+^{<a name="footnote3"></a>3} Partially GA: Some of the threat protection alerts from Microsoft Defender for Storage are in public preview.

+^{<a name="footnote4"></a>4} These features all require [Microsoft Defender for Servers](./defender-for-servers-introduction.md).

+^{<a name="footnote5"></a>5} There may be differences in the standards offered per cloud type.

+

+^{<a name="footnote6"></a>6} Partially GA: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren't available.

+^{<a name="footnote7"></a>7} Partially GA: Support for Arc-enabled Kubernetes clusters (and therefore AWS EKS too) is in public preview and not available on Azure Government. Run-time visibility of vulnerabilities in container images is also a preview feature.

+## Next steps

+This article explained how Microsoft Defender for Cloud is supported in the Azure, Azure Government, and Azure China 21Vianet clouds. Now that you're familiar with the Defender for Cloud capabilities supported in your cloud, learn how to:

+- [Manage security recommendations in Defender for Cloud](review-security-recommendations.md)

+- [Manage and respond to security alerts in Defender for Cloud](managing-and-responding-alerts.md)

+ Title: Matrices of Defender for Containers features in Azure, multicloud, and on-premises environments

+description: Learn about the container and Kubernetes services that you can protect with Defender for Containers.

+# Defender for Containers feature availability

+These tables show the features that are available, by environment, for Microsoft Defender for Containers. For more information about Defender for Containers, see [Microsoft Defender for Containers](defender-for-containers-introduction.md).

+## Azure (AKS)

+| Domain | Feature | Supported Resources | Linux release state ^{[1](#footnote1)} | Windows release state ^{[1](#footnote1)} | Agentless/Agent-based | Pricing Tier | Azure clouds availability |

+|--|--|--|--|--|--|--|--|

+| Compliance | Docker CIS | VM, Virtual Machine Scale Set | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Vulnerability Assessment ^{[2](#footnote2)} | Registry scan - OS packages | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Vulnerability Assessment ^{[3](#footnote3)} | Registry scan - language specific packages | ACR, Private ACR | Preview | - | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Vulnerability Assessment | View vulnerabilities for running images | AKS | GA | Preview | Defender profile | Defender for Containers | Commercial clouds |

+| Hardening | Control plane recommendations | ACR, AKS | GA | Preview | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Hardening | Kubernetes data plane recommendations | AKS | GA | - | Azure Policy | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Runtime protection| Threat detection (control plane)| AKS | GA | GA | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Runtime protection| Threat detection (workload) | AKS | GA | - | Defender profile | Defender for Containers | Commercial clouds |

+| Discovery and provisioning | Discovery of unprotected clusters | AKS | GA | GA | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Discovery and provisioning | Collection of control plane threat data | AKS | GA | GA | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Discovery and provisioning | Auto provisioning of Defender profile | AKS | GA | - | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Discovery and provisioning | Auto provisioning of Azure policy add-on | AKS | GA | - | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+^{<a name="footnote2"></a>2} VA can detect vulnerabilities for these [OS packages](#registries-and-images).

+^{<a name="footnote3"></a>3} VA can detect vulnerabilities for these [language specific packages](#registries-and-images).

+### Additional environment information

+#### Registries and images

+| Aspect | Details |

+|--|--|

+| Registries and images | **Supported**<br> ΓÇó [ACR registries protected with Azure Private Link](../container-registry/container-registry-private-link.md) (Private registries requires access to Trusted Services) <br> ΓÇó Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.<br><br>**Unsupported**<br> ΓÇó Super-minimalist images such as [Docker scratch](https://hub.docker.com/_/scratch/) images<br> ΓÇó "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS<br> ΓÇó Images with [Open Container Initiative (OCI) Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md) <br> ΓÇó Providing image tag information for [multi-architecture images](https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/) is currently unsupported|

+| OS Packages | **Supported** <br> ΓÇó Alpine Linux 3.12-3.16 <br> ΓÇó Red Hat Enterprise Linux 6, 7, 8 <br> ΓÇó CentOS 6, 7 <br> ΓÇó Oracle Linux 6, 7, 8 <br> ΓÇó Amazon Linux 1, 2 <br> ΓÇó openSUSE Leap 42, 15 <br> ΓÇó SUSE Enterprise Linux 11, 12, 15 <br> ΓÇó Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye <br> ΓÇó Ubuntu 10.10-22.04 <br> ΓÇó FreeBSD 11.1-13.1 <br> ΓÇó Fedora 32, 33, 34, 35|

+| Language specific packages (Preview) <br><br> (**Only supported for Linux images**) | **Supported** <br> ΓÇó Python <br> ΓÇó Node.js <br> ΓÇó .NET <br> ΓÇó JAVA <br> ΓÇó Go |

+#### Kubernetes distributions and configurations

+| Aspect | Details |

+|--|--|

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service hybrid](/azure/aks/hybrid/aks-hybrid-options-overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+^{<a name="footnote1"></a>1} Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you'll need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+> [!NOTE]

+> For additional requirements for Kuberenetes workload protection, see [existing limitations](../governance/policy/concepts/policy-for-kubernetes.md#limitations).

+#### Network restrictions

+##### Private link

+Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings, can result in communication failures and partial converge of the Defender for Containers feature set.

+Learn how to [use Azure Private Link to connect networks to Azure Monitor](../azure-monitor/logs/private-link-security.md).

+## AWS (EKS)

+| Domain | Feature | Supported Resources | Linux release state ^{[1](#footnote1)} | Windows release state ^{[1](#footnote1)} | Agentless/Agent-based | Pricing tier |

+|--|--| -- | -- | -- | -- | --|

+| Compliance | Docker CIS | EC2 | Preview | - | Log Analytics agent | Defender for Servers Plan 2 |

+| Vulnerability Assessment | Registry scan | ECR | Preview | - | Agentless | Defender for Containers |

+| Vulnerability Assessment | View vulnerabilities for running images | - | - | - | - | - |

+| Hardening | Control plane recommendations | - | - | - | - | - |

+| Hardening | Kubernetes data plane recommendations | EKS | Preview | - | Azure Policy extension | Defender for Containers |

+| Runtime protection| Threat detection (control plane)| EKS | Preview | Preview | Agentless | Defender for Containers |

+| Runtime protection| Threat detection (workload) | EKS | Preview | - | Defender extension | Defender for Containers |

+| Discovery and provisioning | Discovery of unprotected clusters | EKS | Preview | - | Agentless | Free |

+| Discovery and provisioning | Collection of control plane threat data | EKS | Preview | Preview | Agentless | Defender for Containers |

+| Discovery and provisioning | Auto provisioning of Defender extension | - | - | - | - | - |

+| Discovery and provisioning | Auto provisioning of Azure policy extension | - | - | - | - | - |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+### Additional environment information

+#### Images

+| Aspect | Details |

+|--|--|

+| Registries and images | **Unsupported** <br>ΓÇó Images that have at least one layer over 2 GB<br> ΓÇó Public repositories and manifest lists <br>ΓÇó Images in the AWS management account aren't scanned so that we don't create resources in the management account. |

+#### Kubernetes distributions and configurations

+| Aspect | Details |

+|--|--|

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service hybrid](/azure/aks/hybrid/aks-hybrid-options-overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+^{<a name="footnote1"></a>1} Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you'll need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+> [!NOTE]

+> For additional requirements for Kuberenetes workload protection, see [existing limitations](../governance/policy/concepts/policy-for-kubernetes.md#limitations).

+#### Network restrictions

+##### Private link

+Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings, can result in communication failures and partial converge of the Defender for Containers feature set.

+Learn how to [use Azure Private Link to connect networks to Azure Monitor](../azure-monitor/logs/private-link-security.md).

+##### Outbound proxy support

+Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

+## GCP (GKE)

+| Domain | Feature | Supported Resources | Linux release state ^{[1](#footnote1)} | Windows release state ^{[1](#footnote1)} | Agentless/Agent-based | Pricing tier |

+|--|--| -- | -- | -- | -- | --|

+| Compliance | Docker CIS | GCP VMs | Preview | - | Log Analytics agent | Defender for Servers Plan 2 |

+| Vulnerability Assessment | Registry scan | - | - | - | - | - |

+| Vulnerability Assessment | View vulnerabilities for running images | - | - | - | - | - |

+| Hardening | Control plane recommendations | - | - | - | - | - |

+| Hardening | Kubernetes data plane recommendations | GKE | Preview | - | Azure Policy extension | Defender for Containers |

+| Runtime protection| Threat detection (control plane)| GKE | Preview | Preview | Agentless | Defender for Containers |

+| Runtime protection| Threat detection (workload) | GKE | Preview | - | Defender extension | Defender for Containers |

+| Discovery and provisioning | Discovery of unprotected clusters | GKE | Preview | - | Agentless | Free |

+| Discovery and provisioning | Collection of control plane threat data | GKE | Preview | Preview | Agentless | Defender for Containers |

+| Discovery and provisioning | Auto provisioning of Defender extension | GKE | Preview | - | Agentless | Defender for Containers |

+| Discovery and provisioning | Auto provisioning of Azure policy extension | GKE | Preview | - | Agentless | Defender for Containers |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+### Additional information

+#### Kubernetes distributions and configurations

+| Aspect | Details |

+|--|--|

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service hybrid](/azure/aks/hybrid/aks-hybrid-options-overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+^{<a name="footnote1"></a>1} Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you'll need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+> [!NOTE]

+> For additional requirements for Kuberenetes workload protection, see [existing limitations](../governance/policy/concepts/policy-for-kubernetes.md#limitations).

+#### Network restrictions

+##### Private link

+Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings, can result in communication failures and partial converge of the Defender for Containers feature set.

+Learn how to [use Azure Private Link to connect networks to Azure Monitor](../azure-monitor/logs/private-link-security.md).

+##### Outbound proxy support

+Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

+## On-premises Arc-enabled machines

+| Domain | Feature | Supported Resources | Linux release state ^{[1](#footnote1)} | Windows release state ^{[1](#footnote1)} | Agentless/Agent-based | Pricing tier |

+|--|--| -- | -- | -- | -- | --|

+| Compliance | Docker CIS | Arc enabled VMs | Preview | - | Log Analytics agent | Defender for Servers Plan 2 |

+| Vulnerability Assessment ^{[2](#footnote2)} | Registry scan - OS packages | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers |

+| Vulnerability Assessment ^{[3](#footnote3)} | Registry scan - language specific packages | ACR, Private ACR | Preview | - | Agentless | Defender for Containers |

+| Vulnerability Assessment | View vulnerabilities for running images | - | - | - | - | - |

+| Hardening | Control plane recommendations | - | - | - | - | - |

+| Hardening | Kubernetes data plane recommendations | Arc enabled K8s clusters | Preview | - | Azure Policy extension | Defender for Containers |

+| Runtime protection| Threat detection (control plane)| Arc enabled K8s clusters | Preview | Preview | Defender extension | Defender for Containers |

+| Runtime protection ^{[4](#footnote4)} | Threat detection (workload)| Arc enabled K8s clusters | Preview | - | Defender extension | Defender for Containers |

+| Discovery and provisioning | Discovery of unprotected clusters | Arc enabled K8s clusters | Preview | - | Agentless | Free |

+| Discovery and provisioning | Collection of control plane threat data | Arc enabled K8s clusters | Preview | Preview | Defender extension | Defender for Containers |

+| Discovery and provisioning | Auto provisioning of Defender extension | Arc enabled K8s clusters | Preview | Preview | Agentless | Defender for Containers |

+| Discovery and provisioning | Auto provisioning of Azure policy extension | Arc enabled K8s clusters | Preview | - | Agentless | Defender for Containers |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+^{<a name="footnote2"></a>2} VA can detect vulnerabilities for these [OS packages](#registries-and-images-1).

+^{<a name="footnote3"></a>3} VA can detect vulnerabilities for these [language specific packages](#registries-and-images-1).

+^{<a name="footnote4"></a>4} Runtime protection can detect threats for these [Supported host operating systems](#supported-host-operating-systems).

+### Additional information

+#### Registries and images

+| Aspect | Details |

+|--|--|

+| Registries and images | **Supported**<br> ΓÇó [ACR registries protected with Azure Private Link](../container-registry/container-registry-private-link.md) (Private registries requires access to Trusted Services) <br> ΓÇó Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.<br><br>**Unsupported**<br> ΓÇó Super-minimalist images such as [Docker scratch](https://hub.docker.com/_/scratch/) images<br> ΓÇó "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS<br> ΓÇó Images with [Open Container Initiative (OCI) Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md) <br> ΓÇó Providing image tag information for [multi-architecture images](https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/) is currently unsupported |

+| OS Packages | **Supported** <br> ΓÇó Alpine Linux 3.12-3.15 <br> ΓÇó Red Hat Enterprise Linux 6, 7, 8 <br> ΓÇó CentOS 6, 7 <br> ΓÇó Oracle Linux 6, 7, 8 <br> ΓÇó Amazon Linux 1, 2 <br> ΓÇó openSUSE Leap 42, 15 <br> ΓÇó SUSE Enterprise Linux 11, 12, 15 <br> ΓÇó Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye <br> ΓÇó Ubuntu 10.10-22.04 <br> ΓÇó FreeBSD 11.1-13.1 <br> ΓÇó Fedora 32, 33, 34, 35|

+| Language specific packages (Preview) <br><br> (**Only supported for Linux images**) | **Supported** <br> ΓÇó Python <br> ΓÇó Node.js <br> ΓÇó .NET <br> ΓÇó JAVA <br> ΓÇó Go |

+#### Kubernetes distributions and configurations

+| Aspect | Details |

+|--|--|

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service hybrid](/azure/aks/hybrid/aks-hybrid-options-overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+^{<a name="footnote1"></a>1} Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you'll need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+> [!NOTE]

+> For additional requirements for Kuberenetes workload protection, see [existing limitations](../governance/policy/concepts/policy-for-kubernetes.md#limitations).

+#### Supported host operating systems

+Defender for Containers relies on the **Defender extension** for several features. The Defender extension is supported on the following host operating systems:

+- Amazon Linux 2

+- CentOS 8

+- Debian 10

+- Debian 11

+- Google Container-Optimized OS

+- Mariner 1.0

+- Mariner 2.0

+- Red Hat Enterprise Linux 8

+- Ubuntu 16.04

+- Ubuntu 18.04

+- Ubuntu 20.04

+- Ubuntu 22.04

+Ensure your Kubernetes node is running on one of the verified supported operating systems. Clusters with different host operating systems, will only get partial coverage.

+#### Network restrictions

+##### Private link

+Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings, can result in communication failures and partial converge of the Defender for Containers feature set.

+Learn how to [use Azure Private Link to connect networks to Azure Monitor](../azure-monitor/logs/private-link-security.md).

+##### Outbound proxy support

+Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

+## Next steps

+

+- Learn how [Defender for Cloud collects data using the Log Analytics Agent](monitoring-components.md).

+- Learn how [Defender for Cloud manages and safeguards data](data-security.md).

+- Review the [platforms that support Defender for Cloud](security-center-os-coverage.md).

+ Title: Matrices of Defender for Servers features in foundational CSPM, Azure Arc, multicloud, and endpoint protection solutions

+description: Learn about the environments where you can protect servers and virtual machines with Defender for Servers.

+# Support matrices for Defender for Servers

+This article provides information about the environments where you can protect servers and virtual machines with Defender for Servers and the endpoint protections that you can use to protect them.

+## Supported features for virtual machines and servers<a name="vm-server-features"></a>

+The following tables show the features that are supported for virtual machines and servers in Azure, Azure Arc, and other clouds.

+- [Windows machines](#windows-machines)

+- [Linux machines](#linux-machines)

+- [Multicloud machines](#multicloud-machines)

+### Windows machines

+| **Feature** | **Azure Virtual Machines** | **Azure Virtual Machine Scale Sets** | **Azure Arc-enabled machines** | **Defender for Servers required** |

+|--|::|::|::|::|

+| [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) | Γ£ö</br>(on supported versions) | Γ£ö</br>(on supported versions) | Γ£ö | Yes |

+| [Virtual machine behavioral analytics (and security alerts)](alerts-reference.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Fileless security alerts](alerts-reference.md#alerts-windows) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Network-based security alerts](other-threat-protections.md#network-layer) | Γ£ö | Γ£ö | - | Yes |

+| [Just-in-time VM access](just-in-time-access-usage.md) | Γ£ö | - | - | Yes |

+| [Integrated Qualys vulnerability scanner](deploy-vulnerability-assessment-vm.md#overview-of-the-integrated-vulnerability-scanner) | Γ£ö | - | Γ£ö | Yes |

+| [File Integrity Monitoring](file-integrity-monitoring-overview.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Adaptive application controls](adaptive-application-controls.md) | Γ£ö | - | Γ£ö | Yes |

+| [Network map](protect-network-resources.md#network-map) | Γ£ö | Γ£ö | - | Yes |

+| [Adaptive network hardening](adaptive-network-hardening.md) | Γ£ö | - | - | Yes |

+| [Regulatory compliance dashboard & reports](regulatory-compliance-dashboard.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Docker host hardening](./harden-docker-hosts.md) | - | - | - | Yes |

+| Missing OS patches assessment | Γ£ö | Γ£ö | Γ£ö | Azure: No<br><br>Azure Arc-enabled: Yes |

+| Security misconfigurations assessment | Γ£ö | Γ£ö | Γ£ö | Azure: No<br><br>Azure Arc-enabled: Yes |

+| [Endpoint protection assessment](supported-machines-endpoint-solutions-clouds-servers.md#supported-endpoint-protection-solutions) | Γ£ö | Γ£ö | Γ£ö | Azure: No<br><br>Azure Arc-enabled: Yes |

+| Disk encryption assessment | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) | Γ£ö | - | No |

+| Third-party vulnerability assessment | Γ£ö | - | Γ£ö | No |

+| [Network security assessment](protect-network-resources.md) | Γ£ö | Γ£ö | - | No |

+### Linux machines

+| **Feature** | **Azure Virtual Machines** | **Azure Virtual Machine Scale Sets** | **Azure Arc-enabled machines** | **Defender for Servers required** |

+|--|::|::|::|::|

+| [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) | Γ£ö | - | Γ£ö | Yes |

+| [Virtual machine behavioral analytics (and security alerts)](./azure-defender.md) | Γ£ö</br>(on supported versions) | Γ£&#