+## January 2024

+### Updated articles

+- [Tutorial: Configure Nok Nok Passport with Azure Active Directory B2C for passwordless FIDO2 authentication](partner-nok-nok.md) - Updated Nok Nok instructions

+- [Configure Transmit Security with Azure Active Directory B2C for passwordless authentication](partner-bindid.md) - Updated Transmit Security instructions

+- [About claim resolvers in Azure Active Directory B2C custom policies](claim-resolver-overview.md) - Updated claim resolvers and user journey

+> [!IMPORTANT]

+> Face attributes are predicted through the use of statistical algorithms. They might not always be accurate. Use caution when you make decisions based on attribute data. Please refrain from using these attributes for anti-spoofing. Instead, we recommend using Face Liveness detection. For more information, please refer to [Tutorial: Detect liveness in faces](/azure/ai-services/computer-vision/tutorials/liveness).

+> [!IMPORTANT]

+> Face attributes are predicted through the use of statistical algorithms. They might not always be accurate. Use caution when you make decisions based on attribute data. Please refrain from using these attributes for anti-spoofing. Instead, we recommend using Face Liveness detection. For more information, please refer to [Tutorial: Detect liveness in faces](/azure/ai-services/computer-vision/tutorials/liveness).

+ Title: Introduction to prompt engineering with GPT-4 Turbo with Vision

+description: Learn how to better engineer prompts for GPT-4 Turbo with Vision.

+# Introduction to prompt engineering with GPT-4 Turbo with Vision

+To unlock the full potential of GPT-4 Turbo with Vision, it's essential to tailor the system prompt to your specific needs. Here are some guidelines to enhance the accuracy and efficiency of your prompts.

+## Fundamentals of crafting your prompt

+- **Contextual specificity:** Adding context to the scenario at hand gives the model a better understanding of an appropriate output. This level of specificity aids in focusing on relevant aspects and avoiding extraneous details.

+- **Task-oriented prompts:** Focusing on a specific task helps the model to develop the output while taking that perspective into consideration.

+- **Handling refusals:** When the model indicates an inability to perform a task, refining the prompt can be an effective solution. More specific prompts can guide the model towards a clearer understanding and better execution of the task. Some tips to keep in mind:

+ - Request explanations for generated responses to enhance transparency in the model's output <br>

+ - If using a single-image prompt, place the image before the text <br>

+ - Ask the model to describe the image in details first and complete your specific task from the description

+- **Adding examples:** Add examples that represent the type of responses you're looking for

+- **Try prompt tuning:** Try prompt tuning techniques such as Chain of Thought, a technique where you describe a sequence of steps leading to an outcome, therefore communicating a sort of ΓÇ£chain of thoughtΓÇ¥ or thought process for the model to replicate.

+- **Break down requests:** Try breaking down complex requests step-by-step to create manageable sub-goals

+- **Define output format:** Clearly mention the desired format for the output, such as markdown, JSON, HTML, etc. You can also suggest a specific structure, length, or specific attributes about the response.

+## Example prompt inputs & outputs

+There are many ways to craft system prompts to tailor the output specifically to your needs. The following sample inputs and outputs showcase how adjusting your prompts can give you different results. Try the model out for yourself using these images and adjusting the system prompt in the [Azure AI Studio playground](https://ai.azure.com/).

+### Contextual specificity

+Context can help improve feedback from the model. For example, if you're working on image descriptions for a product catalog, ensure your prompt reflects this in a clear and concise way. A prompt like ΓÇ£Describe images for an outdoor hiking product catalog, focusing on enthusiasm and professionalismΓÇ¥ guides the model to generate responses that are both accurate and contextually rich.

+|Basic prompt|Model output|

+|--|--|

+| :::image type="content" source="../media/concepts/gpt-v/tent-chairs.jpg" lightbox="../media/concepts/gpt-v/tent-chairs.jpg" alt-text="Photograph of a camping tent and chairs in a forest."::: What is in this image? | The image shows a camping setup in a forest area. There is a yellow tent, two folding camping chairsΓÇöone red and one blueΓÇöand a portable camping table. The surrounding area is densely populated with trees, indicating that the campsite is in a wooded region. |

+|Updated prompt|Model output|

+|--|--|

+| :::image type="content" source="../media/concepts/gpt-v/tent-chairs.jpg" lightbox="../media/concepts/gpt-v/tent-chairs.jpg" alt-text="Photograph of a camping tent and chairs in a forest."::: Describe images for an outdoor hiking product catalog, focusing on enthusiasm and professionalism. | "Embark on your next outdoor adventure with our premium hiking and camping essentials! Featured here is our vibrant, spacious tent, designed to be your home away from home amidst the serenity of nature. Crafted with top-notch materials, it promises durability and comfort in any weather. Complementing the tent are our ultra-comfortable, lightweight folding chairs, available in eye-catching red and serene blue, perfect for those moments of relaxation after a day of exploration. Don't forget our sturdy, portable table, ideal for a delightful outdoor meal or a game of cards under the stars. Elevate your camping experience with our reliable products, where quality meets the great outdoors!" |

+### Task-oriented prompts

+Giving the model a specific task to follow is one way of sharpening the response. In this example, this prompt steers the model to concentrate on elements crucial for insurance assessments, thereby improving accuracy and relevancy.

+|Basic prompt|Model output|

+|--|--|

+| :::image type="content" source="../media/concepts/gpt-v/car-crash.jpg" lightbox="../media/concepts/gpt-v/car-crash.jpg" alt-text="Photograph of a car crashed into a pole."::: What is in this image? | The image shows a silver sedan that has been in an accident. The front end of the car is damaged, with the hood crumpled, and the bumper partially detached. The car is resting against a utility pole on the sidewalk, and there is visible smoke coming from the engine area, indicating a recent crash. The setting appears to be a residential street, as indicated by the presence of houses in the background, a neatly trimmed hedge, and a sidewalk. |

+|Updated prompt|Model output|

+|--|--|

+| :::image type="content" source="../media/concepts/gpt-v/car-crash.jpg" lightbox="../media/concepts/gpt-v/car-crash.jpg" alt-text="Photograph of a car crashed into a pole."::: Analyze this car damage video for an auto insurance report, focusing on identifying and detailing damage | In the image provided, we observe a silver sedan that has sustained significant front-end damage. The vehicle's hood is notably crumpled, and the front bumper has suffered substantial deformation, partially detaching from the chassis. The right headlamp assembly appears to be damaged or dislodged. There is also visible damage to the front grille area. The car is in contact with a utility pole, suggesting a frontal collision with the pole at a relatively low or moderate speed. Smoke is emanating from the engine compartment, suggesting potential mechanical or electrical damage that may need further inspection for a comprehensive assessment. The airbags do not appear to be deployed in this image. The vehicle will require a detailed inspection to evaluate the full extent of structural and mechanical damage for a complete insurance report. |

+### Handling refusals

+When you receive a refusal output from a model, there are several ways you can tweak input to generate a more appropriate response. Below is one example of how to handle a refusal and progress.

+|Basic prompt|Model output|

+|--|--|

+| :::image type="content" source="../media/concepts/gpt-v/dinner-spread.jpg" lightbox="../media/concepts/gpt-v/dinner-spread.jpg" alt-text="Photograph of a dinner table with several plates of food."::: Plan this meal | Sorry, I can't provide that information. |

+|Follow up prompt|Model output|

+|--|--|

+| What information do you need? | I apologize for the confusion earlier. To plan a meal based on the image provided, I would need to know the following: <br> The number of people dining to ensure there's enough food for everyone.<br>Any dietary restrictions or preferences to accommodate (e.g., vegetarian, gluten-free, allergies).<br>The occasion or type of meal being planned (e.g., casual lunch, dinner party).<br>Desired balance of the meal in terms of food groups and nutrition. <br>With this information, I could help suggest how to portion the dishes, create a balanced meal, and ensure the meal meets the needs of all diners.|

+### Adding examples

+|Basic prompt|Model output|

+|--|--|

+| :::image type="content" source="../media/concepts/gpt-v/border-collie.jpg" lightbox="../media/concepts/gpt-v/border-collie.jpg" alt-text="Photograph of a border collie dog laying in a grass field."::: What is this dog breed and what is its average weight and height? | The dog in the image appears to be a Border Collie. Border Collies are known for their intelligence, agility, and herding abilities.The average weight for a Border Collie is typically around 30-45 pounds (14-20 kilograms). As for height, Border Collies generally stand about 18-22 inches (46-56 centimeters) tall at the shoulder. These figures can vary based on the individual dog's genetics, diet, and level of activity. Border Collies are medium-sized dogs with a well-proportioned body and a high level of energy. |

+|Updated prompt|Model output|

+|--|--|

+| Q: What is this dog breed and what is its average weight & height? :::image type="content" source="../media/concepts/gpt-v/pomeranian.jpg" lightbox="../media/concepts/gpt-v/pomeranian.jpg" alt-text="Photograph of a pomeranian dog sitting on a pool diving board above the water."::: <br> A: Breed: pomeranian; average weight: 3-7 lbs; average height: 8-14 inches <br> :::image type="content" source="../media/concepts/gpt-v/bulldog.jpg" lightbox="../media/concepts/gpt-v/bulldog.jpg" alt-text="Photograph of a bulldog laying in a grass field."::: A: Breed: English bulldog; average weight: 50-55 lbs; average height: 14-16 inches :::image type="content" source="../media/concepts/gpt-v/border-collie.jpg" lightbox="../media/concepts/gpt-v/border-collie.jpg" alt-text="Photograph of a border collie dog laying in a grass field."::: | A: Breed: Border Collie; average weight: 30-45 lbs; average height: 18-22 inches |

+### Try prompt tuning

+Using the chain of thought prompt technique below, you can guide the model to follow a thought process to achieve the correct answer.

+|Basic prompt|Model output|

+|--|--|

+| Q: Alex has 8 cookies. She buys 2 more boxes of 4 cookies each. How many cookies does she have? <br> A: 16 <br> Q: Alex has 20 balloons for a party, but 3 of them pop. She buys 10 more balloons. How many balloons does she have?| A: 27 |

+|Updated prompt|Model output|

+|--|--|

+| Q: Alex has 8 cookies. She buys 2 more boxes of 4 cookies each. How many cookies does she have? <br> A: Alex started with 8 cookies and bought two more boxes of 4 each. 2 x 4 = 8, and 8 + 8 = 16. <br> Q: Alex has 20 balloons for a party, but 3 of them pop. She buys 10 more balloons. How many balloons does she have? | A: Alex started with 20 balloons, but 3 popped, leaving her with 17 balloons. She then bought 10 more, so she has 17 + 10 = 27 balloons. |

+### Break down requests

+|Basic prompt|Model output|

+|--|--|

+| :::image type="content" source="../media/concepts/gpt-v/grandmas-recipe.jpg" lightbox="../media/concepts/gpt-v/grandmas-recipe.jpg" alt-text="Photograph of a recipe card detailing a recipe for Grandma's Apple Crumb Pie."::: What's in this image? | The image contains a recipe card titled Grandma's Apple Crumb Pie. It is noted as a Thanksgiving tradition. The ingredients listed are:<br><ul><li>5-7 apples, peeled </li> <li>1 9-inch pie crust</li> <li> 3/4 cups sugar </li> <li>1/2 teaspoon cinnamon </li> <li>A dash of salt </li><li> 3 tablespoons butter</li> </ul><br>Please note that the measurements for sugar, flour, and butter are not fully visible in the image. If needed, the standard measures for a crumb topping typically involve a combination of sugar, flour, and butter mixed together until crumbly|

+|Updated prompt|Model output|

+|-|--|

+| :::image type="content" source="../media/concepts/gpt-v/grandmas-recipe.jpg" lightbox="../media/concepts/gpt-v/grandmas-recipe.jpg" alt-text="Photograph of a recipe card detailing a recipe for Grandma's Apple Crumb Pie."::: You are an AI assistant that helps create shopping lists and instructions to prep food based on recipes. Please provide a list of ingredients to purchase, and then provide a list of instructions to prep the ingredients based on the recipe card. | Sure, here's a shopping list based on the recipe card: <br>Shopping List:</br><ol><li>5-7 apples (suitable for baking, such as Granny Smith or Honeycrisp)</li> <li>1 ready-made pie crust (9-inch) </li><li>Sugar (ensure you have enough for 1/2 cup)</li><li>All-purpose flour (ensure you have enough for 3/4 cup)</li><li>Ground cinnamon</li><li>Salt</li><li>Butter (ensure you have enough for 3 tablespoons)</li></ol><br>Prepping Instructions:</br> <ul><li>Peel the apples: Using a vegetable peeler or a paring knife, remove the skin from 5 to 7 apples.</li><li>Core and slice the apples: Cut the apples into quarters, remove the cores, and then slice the apple quarters into thin slices or chunks, depending on your preference for pie texture.</li><li>Measure the ingredients: Measure out 3/4 cups of sugar, 1/2 teaspoon of cinnamon, a dash of salt (about 1/8 teaspoon), and 3 tablespoons of butter.</li><li>Prepare the butter: Cut the butter into small pieces to be ready to use in the recipe. It's often easier to incorporate if it's cold, so keep it refrigerated until it's needed</li><li>Preheat your oven according to the pie recipe's instructions so it's ready for baking once your pie is assembled.</li><li>Remember to follow any additional preparation or baking instructions provided in the full recipe for your apple crumb pie.</li></ul> |

+### Define output format

+|Basic prompt|Model output|

+|-|--|

+|:::image type="content" source="../media/concepts/gpt-v/rental-listing.jpg" lightbox="../media/concepts/gpt-v/rental-listing.jpg" alt-text="Photograph of a white villa in a tropical region with a pool."::: Describe this image | The image shows a luxurious white villa with a traditional thatched roof on one section and a clear blue swimming pool in the foreground. There are sun loungers lined up along the poolside, inviting relaxation. The architecture includes elegant archways, a balcony with wooden railings, and large windows and doors that suggest a bright and airy interior. The villa is surrounded by lush tropical vegetation, including tall palm trees, which adds to the serene and exotic ambiance of the setting. |

+|Updated prompt|Model output|

+|-|--|

+|:::image type="content" source="../media/concepts/gpt-v/rental-listing.jpg" lightbox="../media/concepts/gpt-v/rental-listing.jpg" alt-text="Photograph of a white villa in a tropical region with a pool."::: You are an AI assistant that writes detailed listings for vacation rental properties. Summarize in three sentences the optimal features of the listing, based on only what is visible in the image. Conclude with one sentence on why the customer should book today. | This idyllic villa showcases an inviting private pool with steps for easy access, framed by a beautifully tiled sun deck and comfortable loungers ideal for soaking up the sun or enjoying a good book under the shade of tropical palms. Architectural charm is evident in the villa's design, featuring elegant archways, a thatched-roof gazebo, and balconies that promise serene views and a perfect spot to savor your morning or evening beverages. The lush greenery surrounding the property not only provides privacy but also enhances the sense of an exclusive paradise retreat. Don't miss the opportunity to secure this perfect blend of luxury and tranquility ΓÇô book today for a tropical escape like no other! |

+These guidelines and examples demonstrate how tailored system prompts can significantly enhance the performance of GPT-4 Turbo with Vision, ensuring that the responses are not only accurate but also perfectly suited to the specific context of the task at hand.

+| gpt-4 (vision-preview) | Sweden Central <br> West US <br> Japan East| Switzerland North <br> Australia East |

+> Azure AI enhancements for GPT-4 Turbo with Vision will be billed separately from the core functionalities. Each specific Azure AI enhancement for GPT-4 Turbo with Vision has its own distinct charges. For details, see the [special pricing information](../concepts/gpt-with-vision.md#special-pricing-information).

+ "finish_details": {

+ "type": "stop",

+ "stop": "<|fim_suffix|>"

+ },

+| Price | [Available here](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/) <br> For details on GPT-4 Turbo with Vision, see the [special pricing information](../openai/concepts/gpt-with-vision.md#special-pricing-information).|

+- `2023-03-15-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-06-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-03-15-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-06-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-03-15-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-06-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-06-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-06-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-06-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-06-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-09-01-preview` (retiring 2024-04-02) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+description: In this quickstart, learn how to use the Speech service to convert speech to text with recognition from a microphone or .wav file.

+#customer intent: As a developer, I want to use Speech services to covert speech to text, from either a microphone or a file using my choice of technology.

+## Next step

+description: In this quickstart, you convert speech to text continuously from a file. The Speech service transcribes the speech and identifies one or more speakers.

+#customer intent: As a developer, I want to create speech to text applications that use diarization to improve readability of multiple person conversations.

+# Quickstart: Create real-time diarization (Preview)

+## Next step

+description: In this quickstart, you create an app that converts text to speech. Learn about supported audio formats and custom configuration options.

+#customer intent: As a user, I want to create speech output from text by using my choice of technologies which fit into my current processes.

+## Next step

+3. In the right panel, you can define your connection name, and you can add multiple *Key-value pairs* to store your credentials and keys by selecting **Add key-value pairs**.

+4. Besides your key value pairs, please also add following extra meta data to the connection:

+ - azureml.flow.connection_type: Custom

+ - azureml.flow.module: promptflow.connections

+

+ :::image type="content" source="./media/python-tool/custom-connection-meta.png" alt-text="Screenshot that shows add extra meta to custom connection in AI studio." lightbox = "./media/python-tool/custom-connection-meta.png":::

+

+1. Create a custom connection with the following details:

+ - azureml.flow.connection_type: Serp

+ - azureml.flow.module: promptflow.connections

+ - api_key: Your_Serp_API_key, please mark it as a secret.

+

+ :::image type="content" source="./media/serp-api-tool/serp-connection-meta.png" alt-text="Screenshot that shows add extra meta to custom connection in AI studio." lightbox = "./media/serp-api-tool/serp-connection-meta.png":::

+> [!NOTE]

+> You must use a version >= 2.56 of Azure CLI to migrate outbound type. Use `az upgrade` to update to the latest version of Azure CLI.

+ * **package**: File path to the package or a folder containing your app service contents. Wildcards are supported.

+description: Learn how to migrate your App Service Environment to App Service Environment v3 by using the migration feature.

+You can automatically migrate App Service Environment v1 and v2 to [App Service Environment v3](overview.md) by using the migration feature. To learn more about the migration process and to see if your App Service Environment supports migration at this time, see the [overview of the migration feature](migrate.md).

+> We recommend that you use this feature for development environments before migrating any production environments, to avoid unexpected problems. Please provide any feedback related to this article or the feature by using the buttons at the bottom of the page.

+Ensure that you understand how migrating to App Service Environment v3 affects your applications. Review the [migration process](migrate.md#overview-of-the-migration-process-using-the-migration-feature) to understand the process timeline and where and when you need to get involved. Also review the [FAQs](migrate.md#frequently-asked-questions), which can answer some of your questions.

+Ensure that there are no locks on your virtual network, resource group, resource, or subscription. Locks block platform operations during migration.

+Ensure that no Azure policies are blocking actions that are required for the migration, including subnet modifications and Azure App Service resource creations. Policies that block resource modifications and creations can cause migration to get stuck or fail.

+We recommend that you use the [Azure portal](how-to-migrate.md?pivots=experience-azp) for the migration experience. If you decide to use the [Azure CLI](/cli/azure/) for the migration, follow the steps described here in order and as written, because you're making Azure REST API calls. We recommend that you use the Azure CLI to make these API calls. For information about other methods, see [Azure REST API reference](/rest/api/azure/).

+For this guide, [install the Azure CLI](/cli/azure/install-azure-cli) or use [Azure Cloud Shell](https://shell.azure.com/).

+Run the following commands to get your App Service Environment ID and store it as an environment variable. Replace the placeholders for the name and resource groups with your values for the App Service Environment that you want to migrate. `ASE_RG` and `VNET_RG` are the same if your virtual network and App Service Environment are in the same resource group.

+## 2. Validate that migration is supported

+The following command checks whether your App Service Environment is supported for migration. If you receive an error or if your App Service Environment is in an unhealthy or suspended state, you can't migrate at this time. See the [troubleshooting](migrate.md#troubleshooting) section for descriptions of the potential error messages that you can get. If your environment [isn't supported for migration](migrate.md#supported-scenarios) or you want to migrate to App Service Environment v3 without using the migration feature, see the [manual migration options](migration-alternatives.md).

+## 3. Generate IP addresses for your new App Service Environment v3 resource

+Run the following command to create new IP addresses. This step takes about 15 minutes to complete. Don't scale or make changes to your existing App Service Environment during this time.

+Run the following command to check the status of this step:

+If the step is in progress, you get a status of `Migrating`. After you get a status of `Ready`, run the following command to view your new IPs. If you don't see the new IPs immediately, wait a few minutes and try again.

+By using the new IPs, update any of your resources or networking components to ensure that your new environment functions as intended after migration is complete. It's your responsibility to make any necessary updates.

+This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes when moving to App Service Environment v3. These changes include the port change for Azure Load Balancer, which now uses port 80. Don't migrate until you complete this step.

+App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Previous versions didn't require this delegation. You need to confirm that your subnet is delegated properly and update the delegation (if necessary) before migrating. You can update the delegation either by running the following command or by going to the subnet in the [Azure portal](https://portal.azure.com).

+Virtual network locks block platform operations during migration. If your virtual network has locks, you need to remove them before migrating. If necessary, you can add back the locks after migration is complete.

+Locks can exist at three scopes: subscription, resource group, and resource. When you apply a lock at a parent scope, all resources within that scope inherit the same lock. If you have locks applied at the subscription, resource group, or resource scope, you need to remove them before the migration. For more information on locks and lock inheritance, see [Lock your resources to protect your infrastructure](../../azure-resource-manager/management/lock-resources.md).

+Use the following command to check if your virtual network has any locks:

+Delete any existing locks by using the following command:

+For related commands to check if your subscription or resource group has locks, see the [Azure CLI reference for locks](../../azure-resource-manager/management/lock-resources.md#azure-cli).

+You can make your new App Service Environment v3 resource zone redundant if your existing environment is in a [region that supports zone redundancy](./overview.md#regions). You can configure zone redundancy by setting the `zoneRedundant` property to `true`.

+Zone redundancy is an optional configuration. You can set it only during the creation of your new App Service Environment v3 resource. You can't remove it at a later time. For more information, see [Choose your App Service Environment v3 configurations](./migrate.md#choose-your-app-service-environment-v3-configurations). If you don't want to configure zone redundancy, don't include the `zoneRedundant` parameter.

+If your existing App Service Environment uses a custom domain suffix, you need to [configure one for your new App Service Environment v3 resource during the migration process](./migrate.md#choose-your-app-service-environment-v3-configurations). Migration fails if you don't configure a custom domain suffix and are using one currently. Migration also fails if you try to add a custom domain suffix during migration to an environment that doesn't have one configured. For more information on App Service Environment v3 custom domain suffixes, including requirements, step-by-step instructions, and best practices, see [Custom domain suffix for App Service Environments](./how-to-custom-domain-suffix.md).

+> If you're configuring a custom domain suffix, when you're adding the network permissions on your Azure key vault, be sure that your key vault allows access from your App Service Environment's new outbound IP addresses that were generated in step 3.

+To set these configurations, create a file called *parameters.json* with the following details based on your scenario. Don't include the properties for a custom domain suffix if this feature doesn't apply to your migration. Pay attention to the value of the `zoneRedundant` property, because this configuration is irreversible after migration. Set the value of the `kind` property based on your existing App Service Environment version. Accepted values for the `kind` property are `ASEV1` and `ASEV2`.

+If you're migrating without a custom domain suffix and you're enabling zone redundancy, use this code:

+If you're using a user-assigned managed identity for your custom domain suffix configuration and you're enabling zone redundancy, use this code:

+If you're using a system-assigned managed identity for your custom domain suffix configuration and you're *not* enabling zone redundancy, use this code:

+## 8. Migrate to App Service Environment v3 and check status

+After you complete all of the preceding steps, you can start the migration. Make sure that you understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3).

+This step takes three to six hours for v2 to v3 migrations and up to six hours for v1 to v3 migrations, depending on the environment size. During that time, there's about one hour of application downtime. Scaling, deployments, and modifications to your existing App Service Environment are blocked during this step.

+Include the `body` parameter in the following command if you're enabling zone redundancy and/or configuring a custom domain suffix. If neither of those configurations applies to your migration, you can remove the parameter from the command.

+The first command gets the operation ID for the migration. Copy the value of the `ID` property.

+Replace the placeholder for the operation ID in the following command with the value that you copied. This command returns the detailed status of your migration. You can run this command as often as needed to get the latest status.

+After you get a status of `Ready`, migration is done, and you have an App Service Environment v3 resource. Your apps are now running in your new environment.

+Get the details of your new environment by running the following command or by going to the [Azure portal](https://portal.azure.com).

+## 1. Validate that migration is supported

+In the [Azure portal](https://portal.azure.com), go to the **Migration** page for the App Service Environment that you're migrating. You can get to the **Migration** page by selecting the banner at the top of the **Overview** page for your App Service Environment, or by selecting the **Migration** item on the left menu.

+On the **Migration** page, the platform validates if migration is supported for your App Service Environment. Select **Validate**, and then confirm that you want to proceed with the validation. The validation process takes a few seconds.

+If your environment isn't supported for migration, a banner appears at the top of the page and includes an error message with a reason. For descriptions of the error messages that can appear if you aren't eligible for migration, see [Troubleshooting](migrate.md#troubleshooting).

+If your App Service Environment isn't supported for migration at this time or your environment is in an unhealthy or suspended state, you can't use the migration feature. If your environment [isn't supported for migration with the migration feature](migrate.md#supported-scenarios) or you want to migrate to App Service Environment v3 without using the migration feature, see the [manual migration options](migration-alternatives.md).

+If migration is supported for your App Service Environment, proceed to the next step in the process. The **Migration** page guides you through the series of steps to complete the migration.

+## 2. Generate IP addresses for your new App Service Environment v3 resource

+Under **Get new IP addresses**, confirm that you understand the implications and select the **Start** button. This step takes about 15 minutes to complete. You can't scale or make changes to your existing App Service Environment during this time.

+When the previous step finishes, the IP addresses for your new App Service Environment v3 resource appear. Use the new IPs to update any resources and networking components so that your new environment functions as intended after migration is complete. It's your responsibility to make any necessary updates.

+This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes in moving to App Service Environment v3. These changes include the port change for Azure Load Balancer, which now uses port 80. Don't move to the next step until you confirm that you made these updates.

+App Service Environment v3 requires the subnet that it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Previous versions didn't require this delegation. You need to confirm that your subnet is delegated properly and update the delegation (if necessary) before migrating. The portal displays a link to your subnet so that you can confirm and update as needed.

+Your App Service plans are converted from Isolated to the corresponding Isolated v2 tier. For example, I2 is converted to I2v2. Your apps might be overprovisioned after the migration, because the Isolated v2 tier has more memory and CPU per corresponding instance size. You have the opportunity to scale your environment as needed after migration is complete. For more information, review the [pricing details](https://azure.microsoft.com/pricing/details/app-service/windows/).

+## 6. Confirm that the virtual network has no locks

+Virtual network locks block platform operations during migration. If your virtual network has locks, you need to remove them before migrating. If necessary, you can add back the locks after migration is complete.

+Locks can exist at three scopes: subscription, resource group, and resource. When you apply a lock at a parent scope, all resources within that scope inherit the same lock. If you have locks applied at the subscription, resource group, or resource scope, you need to remove them before the migration. For more information on locks and lock inheritance, see [Lock your resources to protect your infrastructure](../../azure-resource-manager/management/lock-resources.md).

+You can make your new App Service Environment v3 resource zone redundant if your existing environment is in a [region that supports zone redundancy](./overview.md#regions). Zone redundancy is an optional configuration. You can set it only during the creation of your new App Service Environment v3 resource. You can't remove it at a later time. For more information, see [Choose your App Service Environment v3 configurations](./migrate.md#choose-your-app-service-environment-v3-configurations).

+Select the **Enabled** checkbox if you want to configure zone redundancy.

+If your environment is in a region that doesn't support zone redundancy, the checkbox is unavailable. If you need a zone-redundant App Service Environment v3 resource, use one of the manual migration options and create the resource in one of the regions that supports zone redundancy.

+If your existing App Service Environment uses a [custom domain suffix](./migrate.md#choose-your-app-service-environment-v3-configurations), you must configure one for your new App Service Environment v3 resource. The configuration options for a custom domain suffix appear if this situation applies to you. You can't migrate until you provide the required information.

+If you want to use a custom domain suffix but don't currently have one configured, you can configure one after migration is complete. For more information on App Service Environment v3 custom domain suffixes, including requirements, step-by-step instructions, and best practices, see [Custom domain suffix for App Service Environments](./how-to-custom-domain-suffix.md).

+> If you're configuring a custom domain suffix, when you're adding the network permissions on your Azure key vault, be sure that your key vault allows access from your App Service Environment's new outbound IP addresses that were generated in step 2.

+After you add the details for your custom domain suffix, the **Migrate** button is available.

+After you complete all of the preceding steps, you can start the migration. Make sure that you understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3), including what happens during this time.

+This step takes three to six hours for v2 to v3 migrations and up to six hours for v1 to v3 migrations, depending on the environment size. Scaling and modifications to your existing App Service Environment are blocked during this step.

+> In rare cases, you might see a notification in the portal that says "Migration to App Service Environment v3 failed" after you start the migration. There's a known bug that might trigger this notification even if the migration is progressing. Check the activity log for the App Service Environment to determine the validity of this error message.

+> :::image type="content" source="./media/migration/migration-error.png" alt-text="Screenshot that shows the potential error notification after migration starts.":::

+At this time, detailed migration statuses are available only when you're using the Azure CLI. For more information, see the [Azure CLI section for migrating to App Service Environment v3](#8-migrate-to-app-service-environment-v3-and-check-status).

+When migration is complete, you have an App Service Environment v3 resource, and all of your apps are running in your new environment. You can confirm the environment's version by checking the **Configuration** page for your App Service Environment.

+If your migration included a custom domain suffix, the domain appeared in the **Essentials** section of the **Overview** page of the portal for App Service Environment v1/v2, but it no longer appears there in App Service Environment v3. Instead, for App Service Environment v3, go to the **Custom domain suffix** page to confirm that your custom domain suffix is configured correctly. You can also remove the configuration if you no longer need it or configure one if you didn't have one previously.

+> [Use an App Service Environment v3 resource](using.md)

+> [App Service Environment v3 networking](networking.md)

+- ELB App Service Environment can't be migrated to ILB App Service Environment v3 and vice versa.

+ - If you can't support downtime, see [migration-alternatives](migration-alternatives.md#migrate-manually).

+description: Learn how to migrate your applications to App Service Environment v3.

+If you're currently using App Service Environment v1 or v2, you have the opportunity to migrate your workloads to [App Service Environment v3](overview.md). App Service Environment v3 has [advantages and feature differences](overview.md#feature-differences) that provide enhanced support for your workloads and can reduce overall costs.

+The App Service Environment v3 [migration feature](migrate.md) provides an automated migration path to App Service Environment v3. Consider using the migration feature if your environment falls into one of the [supported scenarios](migrate.md#supported-scenarios).

+If your App Service Environment [isn't supported for the migration feature](migrate.md#migration-feature-limitations), you must use one of the manual methods to migrate to App Service Environment v3.

+Scenario: You have an app that runs on App Service Environment v1 or App Service Environment v2, and you need that app to run on App Service Environment v3.

+For any migration method that doesn't use the [migration feature](migrate.md), you need to [create the App Service Environment v3 resource](creation.md) and a new subnet by using the method of your choice.

+[Networking changes](networking.md) between App Service Environment v1/v2 and App Service Environment v3 involve new (and for internet-facing environments, additional) IP addresses. You need to update any infrastructure that relies on these IPs. Be sure to account for inbound dependency changes, such as the Azure Load Balancer port.

+Multiple App Service Environments can't exist in a single subnet. If you need to use your existing subnet for your new App Service Environment v3 resource, you must delete the existing App Service Environment before you create a new one. For this scenario, we recommend that you [back up your apps and then restore them](#evaluate-backup-and-restore) in the new environment after you create and configure the environment. This process causes application downtime because of the time it takes to:

+- Delete the old environment.

+- Create the App Service Environment v3 resource.

+- Configure any infrastructure and connected resources to work with the new environment.

+- Deploy your apps onto the new environment.

+- [Create an App Service Environment v3](creation.md) resource.

+- Update any networking dependencies with the IP addresses associated with the new environment.

+- Plan for downtime (if applicable).

+- Decide on a process for re-creating your apps in your new environment.

+## Size and scale the environment

+App Service Environment v3 uses Isolated v2 Azure App Service plans that are priced and sized differently from Isolated plans. Review the [pricing details](https://azure.microsoft.com/pricing/details/app-service/windows/) to understand how you're new environment needs to be sized and scaled to ensure appropriate capacity. There's no difference in how you create App Service plans for App Service Environment v3 compared to previous versions.

+## Evaluate backup and restore

+You can use the [back up and restore](../manage-backup.md) feature to keep your app configuration, file content, and database connected to your app when you're migrating to the new environment.

+You must configure custom backups for your apps in order to restore them to App Service Environment v3. Automatic backup doesn't support restoration on different App Service Environment versions. For more information on custom backups, see [Automatic vs. custom backups](../manage-backup.md#automatic-vs-custom-backups).

+You can select a custom backup and restore it to App Service in your App Service Environment v3 resource. You must create the App Service plan that you'll restore to before you restore the app. You can choose to restore the backup to the production slot, an existing slot, or a new slot that you create during the restoration process.

+|Quick - should take only 5 to 10 minutes per app. |Support is limited to [certain database types](../manage-backup.md#automatic-vs-custom-backups). |

+|You can restore multiple apps at the same time. (You need to configure restoration for each app individually.) |The old environment, the new environment, and supporting resources (for example apps, databases, storage accounts, and containers) must all be in the same subscription. |

+|In-app MySQL databases are automatically backed up without any configuration. |Backups can be up to 10 GB of app and database content. Up to 4 GB of that content can be the database backup. If the backup size exceeds this limit, you get an error. |

+|You can restore the app to a snapshot of a previous state. |Using a [firewall-enabled storage account](../../storage/common/storage-network-security.md) as the destination for your backups isn't supported. |

+|You can integrate with [Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md) and [Azure Application Gateway](../../application-gateway/overview.md) to distribute traffic across old and new environments. |Using a [storage account with private endpoints](../../storage/common/storage-private-endpoints.md) for backup and restore isn't supported. |

+|You can create empty web apps to restore to in your new environment before you start restoring, to speed up the process. | Only custom backups are supported. |

+## Clone your app to App Service Environment v3

+[Cloning your apps](../app-service-web-app-cloning.md) is another feature that you can use to get your *Windows* apps onto App Service Environment v3. The limitations for cloning apps are the same as those for the App Service backup feature. For more information, see [Back up an app in Azure App Service](../manage-backup.md#whats-included-in-an-automatic-backup).

+> Cloning apps is supported for App Service plans on Windows only.

+We recommend this solution for users who are using App Service on Windows and can't migrate by using the [migration feature](migrate.md). You need to set up your new App Service Environment v3 resource before you clone any apps. Cloning an app can take up to 30 minutes to complete.

+To clone an app by using PowerShell, see the [instructions](../app-service-web-app-cloning.md#cloning-an-existing-app-to-an-app-service-environment).

+To clone an app by using the Azure portal:

+1. In the [Azure portal](https://portal.azure.com), go to your existing App Service plan. Under **Development Tools**, select **Clone App**.

+1. Fill in the required fields by using the details for your new App Service Environment v3 resource:

+ 1. For **Resource Group**, select an existing resource group or create a new one.

+ 1. For **Name**, give your app a name. This name can be the same as the old app, but the site's default URL for the new environment will be different. You need to update any custom DNS or connected resources to point to the new URL.

+ 1. For **Region**, use your App Service Environment v3 name.

+ 1. If you want to clone your deployment source, select the **Clone deployment source** checkbox.

+ 1. For **Windows Plan**, you can use an existing App Service plan from your new environment if you created one already, or you can create a new plan. The available App Service plans in your new App Service Environment v3 resource appear in the dropdown list.

+ 1. For **Sku and size**, modify the memory and CPU as needed by using one of the Isolated v2 options if you're creating a new App Service plan. App Service Environment v3 uses Isolated v2 plans, which have more memory and CPU per corresponding instance size compared to the Isolated plans. For more information, see the [App Service Environment v3 pricing details](overview.md#pricing).

+|You can automate cloning by using PowerShell. |Supported only for App Service plans on Windows. |

+|You can clone multiple apps at the same time. (Cloning needs to be configured for each app individually or through a script.) |Support is limited to [certain database types](../manage-backup.md#automatic-vs-custom-backups). |

+|You can integrate with [Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md) and [Azure Application Gateway](../../application-gateway/overview.md) to distribute traffic across old and new environments. |The old environment, the new environment, and supporting resources (for example apps, databases, storage accounts, and containers) must all be in the same subscription. |

+## Manually create your apps in App Service Environment v3

+If the migration feature doesn't support your apps or you want to take a more manual route, you can deploy your apps by following the same process that you used for your existing App Service Environment. You don't need to make updates when you deploy your apps to your new environment.

+You can export [Azure Resource Manager templates](../../azure-resource-manager/templates/overview.md) (ARM templates) of your existing apps, App Service plans, and any other supported resources and deploy them in or with your new environment. To export a template for just an app, go to your App Service plan. Under **Automation**, select **Export template**.

+You can also export templates for multiple resources directly from your resource group. Go to your resource group, select the resources that you want a template for, and then select **Export template**.

+The following initial changes to your ARM templates are required to get your apps onto App Service Environment v3:

+- Update `sku` parameters for an App Service plan to an Isolated v2 plan:

+- Update the App Service plan (`serverfarm`) parameter that the app will be deployed into to the plan that's associated with App Service Environment v3.

+- Update the hosting environment profile (`hostingEnvironmentProfile`) parameter to the new App Service Environment v3 resource ID.

+- An ARM template export includes all properties that the resource providers expose for the resources. Remove all nonrequired properties, such as properties that point to the domain of the old app. For example, you could simplify the `sites` resource to the following sample:

+Other changes might be required, depending on how you configured your app.

+You can [deploy ARM templates](../deploy-complex-application-predictably.md) by using the Azure portal, the Azure CLI, or PowerShell.

+## Migrate manually

+The [migration feature](migrate.md) automates the migration to App Service Environment v3 and transfers all of your apps to the new environment. There's about one hour of downtime during this migration. If your apps can't have any downtime, we recommend that you use one of the manual options to re-create your apps in App Service Environment v3.

+You can distribute traffic between your old and new environments by using [Application Gateway](../networking/app-gateway-with-service-endpoints.md). If you're using an internal load balancer (ILB) App Service Environment, [create an Azure Application Gateway instance](integrate-with-application-gateway.md) with an extra back-end pool to distribute traffic between your environments. For information about ILB App Service Environments and internet-facing App Service Environments, see [Application Gateway integration](../overview-app-gateway-integration.md).

+You can also use services like [Azure Front Door](../../frontdoor/quickstart-create-front-door.md), [Azure Content Delivery Network](../../cdn/cdn-add-to-web-app.md), and [Azure Traffic Manager](../../cdn/cdn-traffic-manager.md) to distribute traffic between environments. Using these services allows for testing of your new environment in a controlled manner and helps you move to your new environment at your own pace.

+After your migration and any testing with your new environment are complete, delete your old App Service Environment, the apps that are on it, and any supporting resources that you no longer need. You continue to be charged for any resources that you don't delete.

+ Downtime is dependent on your migration process. If you have a different App Service Environment that you can point traffic to while you migrate, or if you can use a different subnet to create your new environment, you won't have downtime. If you must use the same subnet, there's downtime while you delete the old environment, create the App Service Environment v3 resource, create the new App Service plans, re-create the apps, and update any resources that use the new IP addresses.

+ No. Apps that run on App Service Environment v1 and v2 shouldn't need any modifications to run on App Service Environment v3. If you're using IP SSL, you must remove the IP SSL bindings before migrating.

+ The migration feature supports this [migration scenario](./migrate.md#supported-scenarios). You can migrate by using a manual method if you don't want to use the migration feature. You can configure your [custom domain suffix](./how-to-custom-domain-suffix.md) when creating your App Service Environment v3 resource or any time after.

+- **What if my App Service Environment v2 resource is zone pinned?**

+ Zone pinning isn't a supported feature on App Service Environment v3. You can choose to enable zone redundancy when creating your App Service Environment v3 resource.

+ Review the [feature differences](overview.md#feature-differences) between App Service Environment v3 and previous versions. For ILB App Service Environments, you keep the same ILB IP address. For internet-facing App Service Environments, the public IP address and the outbound IP address change.

+

+ For internet-facing App Service Environments, previously there was a single IP for both inbound and outbound. For App Service Environment v3, they're separate. For more information, see [App Service Environment v3 networking](networking.md#addresses).

+ The [back up and restore](../manage-backup.md) feature supports restoring apps between App Service Environment versions as long as you use a custom backup for the restoration. Automatic backup doesn't support restoration to different App Service Environment versions.

+- **What will happen to my App Service Environment v1 and v2 resources after August 31, 2024?**

+ After August 31, 2024, if you haven't migrated to App Service Environment v3, your App Service Environment v1 and v2 resources and the apps deployed in them will no longer be available.

+

+ App Service Environment v1 and v2 are hosted on App Service scale units that run on [Azure Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) architecture. Because this architecture will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/), App Service Environment v1 and v2 [won't be available after that date](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). Migrate to App Service Environment v3 to keep your apps running, or save or back up any resources or data that you need to maintain.

+> [App Service Environment v3 networking](networking.md)

+> [Use an App Service Environment v3 resource](using.md)

+> [Integrate your ILB App Service Environment with Azure Application Gateway](integrate-with-application-gateway.md)

+> [Migrate to App Service Environment v3 by using the migration feature](migrate.md)

+> As of [29 January 2024](https://azure.microsoft.com/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024-2/), you can no longer create new App Service Environment v1 and v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API.

+>

+ [!INCLUDE [Virtual environment setup](./includes/quickstart-python/virtual-environment-setup.md)]

+ [!INCLUDE [Virtual environment setup](./includes/quickstart-python/virtual-environment-setup.md)]

+| [!INCLUDE [Create app service step 1](./includes/quickstart-python/create-app-service-visual-studio-code-1.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-1-240-px.png" alt-text="A Screenshot of the Azure Tools icon in the left toolbar of VS Code." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-1.png"::: |

+| [!INCLUDE [Create app service step 2](./includes/quickstart-python/create-app-service-visual-studio-code-2.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-2-240-px.png" alt-text="A screenshot of the App Service section of Azure Tools extension and the context menu used to create a new web app." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-2.png"::: |

+| [!INCLUDE [Create app service step 3](./includes/quickstart-python/create-app-service-visual-studio-code-3.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-4-240-px.png" alt-text="A screenshot of the dialog box in VS Code used to select Create a new Web App." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-4.png"::: |

+| [!INCLUDE [Create app service step 4](./includes/quickstart-python/create-app-service-visual-studio-code-4.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-5-240-px.png" alt-text="A screenshot of the dialog box in VS Code used to enter the globally unique name for the new web app." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-5.png"::: |

+| [!INCLUDE [Create app service step 5](./includes/quickstart-python/create-app-service-visual-studio-code-5.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-6-240-px.png" alt-text="A screenshot of the dialog box in VS Code used to select the runtime stack for the new web app." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-6.png"::: |

+| [!INCLUDE [Create app service step 6](./includes/quickstart-python/create-app-service-visual-studio-code-6.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-7-240-px.png" alt-text="A screenshot of the dialog box in VS Code used to a pricing tier for the new web app." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-7.png"::: |

+| [!INCLUDE [Create app service step 7](./includes/quickstart-python/create-app-service-visual-studio-code-7.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-7b-240-px.png" alt-text="A screenshot of the dialog box in VS Code used to start deploy to new web app." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-7b.png"::: |

+| [!INCLUDE [Create app service step 8](./includes/quickstart-python/create-app-service-visual-studio-code-8.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-7c-240-px.png" alt-text="A screenshot of the dialog box in VS Code used to select the folder to deploy as the new web app." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-7c.png"::: |

+| [!INCLUDE [Create app service step 9](./includes/quickstart-python/create-app-service-visual-studio-code-9.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-8-240-px.png" alt-text="A screenshot of a dialog box in VS Code asking if you want to update your workspace to run build commands." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-8.png"::: |

+| [!INCLUDE [Create app service step 10](./includes/quickstart-python/create-app-service-visual-studio-code-10.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-visual-studio-code-9-240-px.png" alt-text="A screenshot showing the confirmation dialog when the app code has been deployed to Azure." lightbox="./media/quickstart-python/create-app-service-visual-studio-code-9.png"::: |

+| [!INCLUDE [Create app service step 1](./includes/quickstart-python/create-app-service-azure-portal-1.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-1-240px.png" alt-text="A screenshot of how to use the search box in the top tool bar to find App Services in Azure." lightbox="./media/quickstart-python/create-app-service-azure-portal-1.png"::: |

+| [!INCLUDE [Create app service step 2](./includes/quickstart-python/create-app-service-azure-portal-2.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-2-240px.png" alt-text="A screenshot of the location of the Create button on the App Services page in the Azure portal." lightbox="./media/quickstart-python/create-app-service-azure-portal-2.png"::: |

+| [!INCLUDE [Create app service step 3](./includes/quickstart-python/create-app-service-azure-portal-3.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-3-240px.png" alt-text="A screenshot of how to fill out the form to create a new App Service in the Azure portal." lightbox="./media/quickstart-python/create-app-service-azure-portal-3.png"::: |

+| [!INCLUDE [Create app service step 4](./includes/quickstart-python/create-app-service-azure-portal-4.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-4-240px.png" alt-text="A screenshot of how to select the basic app service plan in the Azure portal." lightbox="./media/quickstart-python/create-app-service-azure-portal-4.png"::: |

+| [!INCLUDE [Create app service step 5](./includes/quickstart-python/create-app-service-azure-portal-5.md)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-5-240px.png" alt-text="A screenshot of the location of the Review plus Create button in the Azure portal." lightbox="./media/quickstart-python/create-app-service-azure-portal-5.png"::: |

+| [!INCLUDE [Stream logs from Azure portal 1](./includes/quickstart-python/stream-logs-azure-portal-1.md)] | :::image type="content" source="./media/quickstart-python/stream-logs-azure-portal-1-240px.png" alt-text="A screenshot of the location in the Azure portal where to enable streaming logs." lightbox="./media/quickstart-python/stream-logs-azure-portal-1.png"::: |

+| [!INCLUDE [Stream logs from Azure portal 2](./includes/quickstart-python/stream-logs-azure-portal-2.md)] | :::image type="content" source="./media/quickstart-python/stream-logs-azure-portal-2-240px.png" alt-text="A screenshot of how to view logs in the Azure portal." lightbox="./media/quickstart-python/stream-logs-azure-portal-2.png"::: |

+| [!INCLUDE [Stream logs from VS Code 1](./includes/quickstart-python/stream-logs-visual-studio-code-1.md)] | :::image type="content" source="./media/quickstart-python/stream-logs-vs-code-1-240px.png" alt-text="A screenshot of how to start streaming logs with the VS Code extension." lightbox="./media/quickstart-python/stream-logs-vs-code-1.png"::: |

+| [!INCLUDE [Stream logs from VS Code 2](./includes/quickstart-python/stream-logs-visual-studio-code-2.md)] | :::image type="content" source="./media/quickstart-python/stream-logs-vs-code-2-240px.png" alt-text="A screenshot of an example of streaming logs in the VS Code Output window." lightbox="./media/quickstart-python/stream-logs-vs-code-2.png"::: |

+| [!INCLUDE [Remove resource group Azure portal 1](./includes/quickstart-python/remove-resource-group-azure-portal-1.md)] | :::image type="content" source="./media/quickstart-python/remove-resource-group-azure-portal-1-240px.png" alt-text="A screenshot of how to search for and navigate to a resource group in the Azure portal." lightbox="./media/quickstart-python/remove-resource-group-azure-portal-1.png"::: |

+| [!INCLUDE [Remove resource group Azure portal 2](./includes/quickstart-python/remove-resource-group-azure-portal-2.md)] | :::image type="content" source="./media/quickstart-python/remove-resource-group-azure-portal-2-240px.png" alt-text="A screenshot of the location of the Delete Resource Group button in the Azure portal." lightbox="./media/quickstart-python/remove-resource-group-azure-portal-2.png"::: |

+| [!INCLUDE [Remove resource group Azure portal 3](./includes/quickstart-python/remove-resource-group-azure-portal-3.md)] | :::image type="content" source="./media/quickstart-python/remove-resource-group-azure-portal-3-240px.png" alt-text="A screenshot of the confirmation dialog for deleting a resource group in the Azure portal." lightbox="./media/quickstart-python/remove-resource-group-azure-portal-3.png"::: |

+| [!INCLUDE [Remove resource group VS Code 1](./includes/quickstart-python/remove-resource-group-visual-studio-code-1.md)] | :::image type="content" source="./media/quickstart-python/remove-resource-group-visual-studio-code-1-240px.png" alt-text="A screenshot of how to delete a resource group in VS Code using the Azure Tools extension." lightbox="./media/quickstart-python/remove-resource-group-visual-studio-code-1.png"::: |

+| [!INCLUDE [Remove resource group VS Code 2](./includes/quickstart-python/remove-resource-group-visual-studio-code-2.md)] | :::image type="content" source="./media/quickstart-python/remove-resource-group-visual-studio-code-2-240px.png" alt-text="A screenshot of the confirmation dialog for deleting a resource group from VS Code." lightbox="./media/quickstart-python/remove-resource-group-visual-studio-code-2.png"::: |

+* [Analyze app Logs in HDInsight](/azure/hdinsight/hdinsight-hadoop-oms-log-analytics-tutorial)

+FRONTEND_NAME='test-frontend'

+Example YAML file:

+ Title: Deploy a new SQL Managed Instance enabled by Azure Arc using Kubernetes tools

+description: Describes how to use Kubernetes tools to deploy SQL Managed Instance enabled by Azure Arc.

+# Deploy SQL Managed Instance enabled by Azure Arc using Kubernetes tools

+You can use an online tool to base64 encode your desired username and password or you can use CLI tools depending on your platform.

+- A minimum of 2 GB is required for memory request, if specified.

+[Connect to SQL Managed Instance enabled by Azure Arc](connect-managed-instance.md)

+ Title: Create a SQL Managed Instance enabled by Azure Arc

+description: Deploy SQL Managed Instance enabled by Azure Arc

+# Deploy a SQL Managed Instance enabled by Azure Arc

+To view available options for the create command for SQL Managed Instance enabled by Azure Arc, use the following command:

+To create a SQL Managed Instance enabled by Azure Arc, use `az sql mi-arc create`. See the following examples for different connectivity modes:

+If no storage class is specified for backups, the default storage class in Kubernetes is used and if this is not RWX capable, the SQL Managed Instance enabled by Azure Arc installation may not succeed.

+> When specifying memory allocation and vCore allocation use this formula to ensure your performance is acceptable: for each 1 vCore you should have at least 4GB of RAM of capacity available on the Kubernetes node where the SQL Managed Instance enabled by Azure Arc pod will run.

+> If you want to automate the creation of SQL Managed Instance enabled by Azure Arc and avoid the interactive prompt for the admin password, you can set the `AZDATA_USERNAME` and `AZDATA_PASSWORD` environment variables to the desired username and password prior to running the `az sql mi-arc create` command.

+> If you created the data controller using AZDATA_USERNAME and AZDATA_PASSWORD in the same terminal session, then the values for AZDATA_USERNAME and AZDATA_PASSWORD will be used to create the SQL Managed Instance enabled by Azure Arc too.

+> If you are using the indirect connectivity mode, creating SQL Managed Instance enabled by Azure Arc in Kubernetes will not automatically register the resources in Azure. Steps to register the resource are in the following articles:

+You can copy the external IP and port number from here and connect to SQL Managed Instance enabled by Azure Arc using your favorite tool for connecting to eg. SQL Server or Azure SQL Managed Instance such as Azure Data Studio or SQL Server Management Studio.

+- [Create SQL Managed Instance enabled by Azure Arc using Azure Data Studio](create-sql-managed-instance-azure-data-studio.md)

+ Title: Delete a SQL Managed Instance enabled by Azure Arc

+description: Learn how to delete a SQL Managed Instance enabled by Azure Arc and optionally, reclaim associated Kubernetes persistent volume claims (PVCs).

+# Delete a SQL Managed Instance enabled by Azure Arc

+ Title: Deploy Active Directory integrated SQL Managed Instance enabled by Azure Arc using Azure CLI

+description: Explains how to deploy Active Directory integrated SQL Managed Instance enabled by Azure Arc using Azure CLI

+# Deploy Active Directory integrated SQL Managed Instance enabled by Azure Arc using Azure CLI

+ Title: Deploy Active Directory-integrated SQL Managed Instance enabled by Azure Arc

+description: Learn how to deploy SQL Managed Instance enabled by Azure Arc with Active Directory authentication.

+# Deploy Active Directory-integrated SQL Managed Instance enabled by Azure Arc

+ Title: Limitations of SQL Managed Instance enabled by Azure Arc

+description: Limitations of SQL Managed Instance enabled by Azure Arc

+# Limitations of SQL Managed Instance enabled by Azure Arc

+ Title: Features and Capabilities of SQL Managed Instance enabled by Azure Arc

+description: Features and Capabilities of SQL Managed Instance enabled by Azure Arc

+# Features and Capabilities of SQL Managed Instance enabled by Azure Arc

+SQL Managed Instance enabled by Azure Arc share a common code base with the latest stable version of SQL Server. Most of the standard SQL language, query processing, and database management features are identical. The features that are common between SQL Server and SQL Database or SQL Managed Instance are:

+|Feature|SQL Managed Instance enabled by Azure Arc|

+|Back up to Azure to (back up to URL)|Yes|

+| Feature | SQL Managed Instance enabled by Azure Arc |

+| Feature | SQL Managed Instance enabled by Azure Arc |

+| Feature | SQL Managed Instance enabled by Azure Arc |

+| Dedicated administrator connection | Yes |

+| Automatically maintain indexed views | Yes |

+| Feature | SQL Managed Instance enabled by Azure Arc |

+SQL Managed Instance enabled by Azure Arc supports various data tools that can help you manage your data.

+| **Tool** | SQL Managed Instance enabled by Azure Arc|

+The following features and services are not available for SQL Managed Instance enabled by Azure Arc.

+description: Learn how to deploy SQL Managed Instance enabled by Azure Arc with high availability.

+# High Availability with SQL Managed Instance enabled by Azure Arc

+SQL Managed Instance enabled by Azure Arc is deployed on Kubernetes as a containerized application. It uses Kubernetes constructs such as stateful sets and persistent storage to provide built-in:

+- Health monitoring

+- Failure detection

+- Automatic fail over to maintain service health.

+For increased reliability, you can also configure SQL Managed Instance enabled by Azure Arc to deploy with extra replicas in a high availability configuration. The Arc data services data controller manages:

+- Monitoring

+- Failure detection

+- Automatic failover

+Arc-enabled data service provides this service without user intervention. The service:

+- Sets up the availability group

+- Configures database mirroring endpoints

+- Adds databases to the availability group

+- Coordinates failover and upgrade.

+This document explores both types of high availability.

+In the General Purpose service tier, there is only one replica available, and the high availability is achieved via Kubernetes orchestration. For instance, if a pod or node containing the managed instance container image crashes, Kubernetes attempts to stand up another pod or node, and attach to the same persistent storage. During this time, the SQL managed instance is unavailable to the applications. Applications need to reconnect and retry the transaction when the new pod is up. If `load balancer` is the service type used, then applications can reconnect to the same primary endpoint and Kubernetes will redirect the connection to the new primary. If the service type is `nodeport` then the applications will need to reconnect to the new IP address.

+To verify the build-in high availability provided by Kubernetes, you can:

+1. Delete the pod of an existing managed instance

+1. Verify that Kubernetes recovers from this action

+During recover, Kubernetes bootstraps another pod and attaches the persistent storage.

+- Kubernetes cluster requires [shared, remote storage](storage-configuration.md#factors-to-consider-when-choosing-your-storage-configuration)

+After all containers within the pod recover, you can connect to the managed instance.

+In the Business Critical service tier, in addition to what is natively provided by Kubernetes orchestration, SQL Managed Instance for Azure Arc provides a contained availability group. The contained availability group is built on SQL Server Always On technology. It provides higher levels of availability. SQL Managed Instance enabled by Azure Arc deployed with *Business Critical* service tier can be deployed with either 2 or 3 replicas. These replicas are always kept in sync with each other.

+With contained availability groups, any pod crashes or node failures are transparent to the application. The contained availability group provides at least one other pod that has all the data from the primary and is ready to take on connections.

+- When deployed with multiple replicas, a single availability group named with the same name as the Arc enabled SQL managed instance is created. By default, contained AG has three replicas, including primary. All CRUD operations for the availability group are managed internally, including creating the availability group or joining replicas to the availability group created. You can't create more availability groups in an instance.

+### Deploy SQL Managed Instance enabled by Azure Arc with multiple replicas using Azure portal

+From Azure portal, on the create SQL Managed Instance enabled by Azure Arc page:

+When a SQL Managed Instance enabled by Azure Arc is deployed in Business Critical service tier, the deployment creates multiple replicas. The setup and configuration of contained availability groups among those instances is automatically done during provisioning.

+By default, all the replicas are configured in synchronous mode. This means any updates on the primary instance are synchronously replicated to each of the secondary instances.

+You can connect to the primary endpoint with SQL Server Management Studio and verify DMVs as:

+Deploy Business Critical service tier SQL managed instances in either two-replica configuration or three replica configuration. The effects of failures and the subsequent recoverability are different with each configuration. A three replica instance provides a higher level of availability and recovery, than a two replica instance.

+In a two replica configuration, when both the node states are `SYNCHRONIZED`, if the primary replica becomes unavailable, the secondary replica is automatically promoted to primary. When the failed replica becomes available, it is updated with all the pending changes. If there are connectivity issues between the replicas, then the primary replica may not commit any transactions as every transaction needs to be committed on both replicas before a success is returned back on the primary.

+In a three replica configuration, a transaction needs to commit in at least 2 of the 3 replicas before returning a success message back to the application. In the event of a failure, one of the secondaries is automatically promoted to primary while Kubernetes attempts to recover the failed replica. When the replica becomes available, it is automatically joined back with the contained availability group and pending changes are synchronized. If there are connectivity issues between the replicas, and more than 2 replicas are out of sync, primary replica won't commit any transactions.

+ Create the Kubernetes service to the primary instance by running the following command if your Kubernetes cluster uses `NodePort` services. Replace `<podName>` with the name of the server returned at previous step, `<serviceName>` with the preferred name for the Kubernetes service created.

+ Title: Migrate a database from SQL Server to SQL Managed Instance enabled by Azure Arc

+description: Migrate database from SQL Server to SQL Managed Instance enabled by Azure Arc

+# Migrate: SQL Server to SQL Managed Instance enabled by Azure Arc

+#### New Azure CLI extension for data controller and SQL Managed Instance enabled by Azure Arc

+description: This article explains how to rebuild a broken SQL Managed Instance enabled by Azure Arc replica. A replica may break due to storage corruption, for example.

+# Reprovision replica - SQL Managed Instance enabled by Azure Arc

+This article describes how to provision a new replica to replace an existing replica in SQL Managed Instance enabled by Azure Arc.

+When you reprovision a replica, you rebuild a new managed instance replica for a SQL Managed Instance enabled by Azure Arc deployment. Use this task to replace a replica that is failing to synchronize, for example, due to corruption of the data on the persistent volumes (PV) for that instance, or due to some recurring SQL issue.

+description: Learn how to buy SQL Managed Instance enabled by Azure Arc reserved capacity to save costs.

+# Reserved capacity - SQL Managed Instance enabled by Azure Arc

+# Rotate SQL Managed Instance enabled by Azure Arc customer-managed keytab

+# Rotate SQL Managed Instance enabled by Azure Arc service-managed credentials (preview)

+ Title: Rotate user-provided TLS certificate in indirectly connected SQL Managed Instance enabled by Azure Arc

+description: Rotate user-provided TLS certificate in indirectly connected SQL Managed Instance enabled by Azure Arc

+# Rotate certificate SQL Managed Instance enabled by Azure Arc (indirectly connected)

+ Title: Troubleshoot connection to failover group - SQL Managed Instance enabled by Azure Arc

+# Troubleshoot SQL Managed Instance enabled by Azure Arc deployments

+## Connection to SQL Managed Instance enabled by Azure Arc failover group

+If one of `synchronizationState` isn't equal to `HEALTHY`, focus on the instance which `synchronizationState` isn't equal to `HEALTHY`". Refer to [Can't connect to SQL Managed Instance enabled by Azure Arc](#cant-connect-to-sql-managed-instance-enabled-by-azure-arc).

+## Can't connect to SQL Managed Instance enabled by Azure Arc

+| hash-max-ziplist-entries |Configures [memory optimization](https://redis.io/docs/management/optimization/memory-optimization/) for small aggregate data types |Standard and Premium |

+| hash-max-ziplist-value |Configures [memory optimization](https://redis.io/docs/management/optimization/memory-optimization/) for small aggregate data types |Standard and Premium |

+| set-max-intset-entries |Configures [memory optimization](https://redis.io/docs/management/optimization/memory-optimization/) for small aggregate data types |Standard and Premium |

+| zset-max-ziplist-entries |Configures [memory optimization](https://redis.io/docs/management/optimization/memory-optimization/) for small aggregate data types |Standard and Premium |

+| zset-max-ziplist-value |Configures [memory optimization](https://redis.io/docs/management/optimization/memory-optimization/) for small aggregate data types |Standard and Premium |

+1. Open the file `\src\App.js` in the code editor. Delete all the default `import` statements. Then delete all the markup from the `return` statement. Then add import statements for components and React hooks. Note that we'll be implementing the imported **AudienceDisplay** and **UserIdSelection** components in the later steps. The file should look like the following:

+1. Replace `TODO 1` with the following code. Note that the values for `userId` `userName` `containerId` will be passed in from the **App** component. If there's no `containerId`, a new container is created. Also, note that the `containerId` is stored on the URL hash. A user entering a session from a new browser may copy the URL from an existing session browser or navigate to `localhost:3000` and manually input the container ID. With this implementation, we want to wrap the `getContainer` call in a try catch in the case that the user inputs a container ID which doesn't exist. Visit the [Containers](../concepts/architecture.md#container) documentation for more information.

+1. Replace `TODO 3` with the following code. This will call the `tryGetAudienceObject` when the component is mounted and set the returned audience members to `fluidMembers` and `currentMember`. Note, we check if an audience object is returned in case a user inputs a containerId which doesn't exist and we need to return them to the **UserIdSelection** view (`props.onContainerNotFound()` will handle switching the view). Also, it is good practice to deregister event handlers when the React component dismounts by returning `audience.off`.

+For more information, see [Data collection in Azure Monitor](../essentials/data-collection.md). You can read about details of connecting Operations Manager and Azure Monitor and modifying the frequency that configuration is delivered at [Configure integration with System Center Operations Manager](./om-agents.md).

+| January 2024 |**Known Issues**<ul><li>The agent extension code size is beyond the deployment limit set by Arc, thus 1.29.5 will not install on Arc enabled servers. Fix is coming in 1.29.6.</li></ul>**Windows**<ul><li>Added support for Transport Layer Security 1.3</li><li>Reverted a change to enable multiple IIS subscriptions to use same filter. Feature will be redeployed once memory leak is fixed.</li><li>Improved ETW event throughput rate</li></ul>**Linux**<ul><li>Fix Error messages logged intended for mdsd.err went to mdsd.warn instead in 1.29.4 only. Likely error messages: "Exception while uploading to Gig-LA : ...", "Exception while uploading to ODS: ...", "Failed to upload to ODS: ..."</li><li>Fixed syslog timestamp parsing where an incorrect timezone offset might be applied</li></ul> | 1.23.0 | 1.29.5 |

+| December 2023 |**Known Issues**<ul><li>The agent extension code size is beyond the deployment limit set by Arc, thus 1.29.4 will not install on Arc enabled servers. Fix is coming in 1.29.6.</li><li>Multiple IIS subscriptions causes a memory leak. feature reverted in 1.23.0.</ul>**Windows** <ul><li>Prevent CPU spikes by not using bookmark when resetting an Event Log subscription</li><li>Added missing fluentbit exe to AMA client setup for Custom Log support</li><li>Updated to latest AzureCredentialsManagementService and DsmsCredentialsManagement package</li><li>Update ME to v2.2023.1027.1417</li></ul>**Linux**<ul><li>Support for TLS V1.3</li><li>Support for nopri in Syslog</li><li>Ability to set disk quota from DCR Agent Settings</li><li>Add ARM64 Ubuntu 22 support</li><li>**Fixes**<ul><li>SysLog</li><ul><li>Parse syslog Palo Alto CEF with multiple space characters following the hostname</li><li>Fix an issue with incorrectly parsing messages containing two '\n' chars in a row</li><li>Improved support for non-RFC compliant devices</li><li>Support infoblox device messages containing both hostname and IP headers</li></ul><li>Fix AMA crash in RHEL 7.2</li><li>Remove dependency on "which" command</li><li>Fix port conflicts due to AMA using 13000 </li><li>Reliability and Performance improvements</li></ul></li></ul>| 1.22.0 | 1.29.4|

+> Configuring the Azure Load Balancer using the **Basic SKU**, requires that Azure virtual machines belong to an Availability Set. To learn more about availability sets, see [Manage the availability of Windows virtual machines in Azure](../../virtual-machines/availability.md). To add existing virtual machines to an availability set, refer to [Set Azure Resource Manager VM Availability Set](/troubleshoot/azure/virtual-machines/allocation-failure#resize-a-vm-or-add-vms-to-an-existing-availability-set).

+The following table lists the types of data you can configure a Log Analytics workspace to collect from all connected agents.

+- Python Application using Python 3.7+

+### Python < 3.7 support

+OpenTelemetry's Python-based monitoring solutions only support Python 3.7 and greater, excluding the previously supported Python versions 2.7, 3.4, 3.5, and 3.6 from OpenCensus. We suggest upgrading for users who are on the older versions of Python since, as of writing this document, those versions have already reached [end of life](https://devguide.python.org/versions/). Users who are adamant about not upgrading may still use the OpenTelemetry solutions, but may find unexpected or breaking behavior that is unsupported. In any case, the last supported version of [opencensus-ext-azure](https://pypi.org/project/opencensus-ext-azure/) always exists, and stills work for those versions, but no new releases are made for that project.

+See [Azure Monitor Insights overview](insights/insights-overview.md) for a list of available insights and solutions in Azure Monitor. See the documentation for each for any unique configuration or pricing information.

+### With custom mount path for container stdout & stderr logs

+### Custom mount path not required for Azure Stack Edge version > 2318. Custom mount path must be /home/data/docker for Azure Stack Edge cluster with version <= 2318

+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.logsettings.custommountpath=<customMountPath>

+Sources of monitoring data from Azure applications can be organized into tiers, the highest tiers being your application itself and the lower tiers being components of Azure platform. The method of accessing data from each tier varies. The application tiers are summarized in the table below, and the sources of monitoring data in each tier are presented in the following sections.

+[Insights](insights/insights-overview.md) collect data to provide additional insights into the operation of a particular service or application. They may address resources in different application tiers and even multiple tiers.

+Azure Monitor Metrics is a feature of Azure Monitor that collects numeric data from monitored resources into a time-series database. Metrics are numerical values that are collected at regular intervals and describe some aspect of a system at a particular time.

+## REST API

+This article provides details on creating and configuring diagnostic settings to send Azure platform metrics, resource logs and the activity log to different destinations.

+- **[Platform metrics](./metrics-supported.md)** are sent automatically to [Azure Monitor Metrics](./data-platform-metrics.md) by default and without configuration.

+- **[Platform logs](./platform-logs-overview.md)** - provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on.

+ - **Resource logs** aren't collected until they're routed to a destination.

+ - The **Activity log** provides information about resources from outside the resource, such as when the resource was created or deleted. Entries exist on their own but can be routed to other locations.

+With resource logs, you can select the log categories you want to route individually or choose a category group.

+**Category groups**

+You can use *category groups* to dynamically collect resource logs based on predefined groupings instead of selecting individual log categories. Microsoft defines the groupings to help monitor specific use cases across all Azure services. Over time, the categories in the group might be updated as new logs are rolled out or as assessments change. When log categories are added or removed from a category group, your log collection is modified automatically without you having to update your diagnostic settings.

+| Storage account | Don't use an existing storage account that has other, non-monitoring data stored in it. Spliting the types of data up allow you better control access to the data. If you're archiving the activity log and resource logs together, you might choose to use the same storage account to keep all monitoring data in a central location.<br><br>To prevent modification of the data, send it to immutable storage. Set the immutable policy for the storage account as described in [Set and manage immutability policies for Azure Blob Storage](../../storage/blobs/immutable-policy-configure-version-scope.md). You must follow all steps in this linked article including enabling protected append blobs writes.<br><br>The storage account needs to be in the same region as the resource being monitored if the resource is regional.<br><br> Diagnostic settings can't access storage accounts when virtual networks are enabled. You must enable **Allow trusted Microsoft services** to bypass this firewall setting in storage accounts so that the Azure Monitor diagnostic settings service is granted access to your storage account.<br><br>[Azure DNS zone endpoints (preview)](../../storage/common/storage-account-overview.md#azure-dns-zone-endpoints-preview) and [Azure Premium LRS](../../storage/common/storage-redundancy.md#locally-redundant-storage) (locally redundant storage) storage accounts aren't supported as a log or metric destination.|

+The **Insights** menu item opens the insight for the resource if the Azure service has one. [Insights](../insights/insights-overview.md) provide a customized monitoring experience built on the Azure Monitor data platform and standard features.

+Azure Monitor is enabled the moment that you create a new Azure subscription, and [activity log](./essentials/platform-logs-overview.md) and platform [metrics](essentials/data-platform-metrics.md) are automatically collected. Create [diagnostic settings](essentials/diagnostic-settings.md) to collect more detailed information about the operation of your Azure resources, and add monitoring solutions to provide extra analysis on collected data for particular services.

+description: Learn the basics of Azure Monitor Logs, which are used for advanced analysis of monitoring data.

+Azure Monitor Logs is a feature of Azure Monitor that collects and organizes log and performance data from monitored resources. Several features of Azure Monitor store their data in Logs and present this data in various ways to assist you in monitoring the performance and availability of your cloud and hybrid applications and their supporting components.

+These services store their data in Azure Monitor Logs so that it can be analyzed with other log data collected by Azure Monitor.

+* A cool-access capacity pool can contain both volumes with cool access enabled and volumes with cool access disabled.

+* Antivirus and file scanning are not recommended for files that are archived to cool access.

+Bicep supports an optional configuration file named `bicepconfig.json`. Within this file, you can add values that customize your Bicep development experience. This file is merged with the [default configuration file](https://github.com/Azure/bicep/blob/main/src/Bicep.Core/Configuration/bicepconfig.json). For more information, see [Understand the merge process](#understand-the-merge-process). To customize configuration, create a configuration file in the same directory or a parent directory of your Bicep files. If there are multiple parent directories containing `bicepconfig.json` files, Bicep uses the configuration from the nearest one. For more information, see [Understand the file resolution process](#understand-the-file-resolution-process).

+## Understand the merge process

+The `bicepconfig.json` file undergoes a recursive bottom-up merging process with the default configuration file. During the merging process, Bicep examines each path in both configurations. If a path isn't present in the default configuration, the path and its associated value are added in the final result. Conversely, if a path exists in the default configuration with a different value, the value from `bicepconfig.json` takes precedence in the merged result.

+Consider a scenario where the default configuration is defined as follows:

+```json

+{

+ "cloud": {

+ ...

+ "credentialPrecedence": [

+ "AzureCLI",

+ "AzurePowerShell"

+ ]

+ },

+ "moduleAliases": {

+ "ts": {},

+ "br": {

+ "public": {

+ "registry": "mcr.microsoft.com",

+ "modulePath": "bicep"

+ }

+ }

+ },

+ ...

+}

+```

+And the `bicepconfig.json` is defined as follows:

+```json

+{

+ "cloud": {

+ "credentialPrecedence": [

+ "AzurePowerShell",

+ "AzureCLI"

+ ]

+ },

+ "moduleAliases": {

+ "br": {

+ "ContosoRegistry": {

+ "registry": "contosoregistry.azurecr.io"

+ },

+ "CoreModules": {

+ "registry": "contosoregistry.azurecr.io",

+ "modulePath": "bicep/modules/core"

+ }

+ }

+ }

+}

+```

+The resulting merged configuration would be:

+```json

+{

+ "cloud": {

+ ...

+ "credentialPrecedence": [

+ "AzurePowerShell",

+ "AzureCLI"

+ ]

+ },

+ "moduleAliases": {

+ "ts": {},

+ "br": {

+ "public": {

+ "registry": "mcr.microsoft.com",

+ "modulePath": "bicep"

+ },

+ "ContosoRegistry": {

+ "registry": "contosoregistry.azurecr.io"

+ },

+ "CoreModules": {

+ "registry": "contosoregistry.azurecr.io",

+ "modulePath": "bicep/modules/core"

+ }

+ }

+ },

+ ...

+}

+```

+In the preceding example, the value of `cloud.credentialPrecedence` is replaced, while the value of `cloud.moduleAliases.ContosoRegistry` and `cloud.moduleAliases.CoreModules` are appended in the merged configuration.

+## Understand the file resolution process

+The `bicepconfig.json` file can be placed in the same directory or a parent directory of your Bicep files. If there are multiple parent directories containing `bicepconfig.json` files, Bicep uses the configuration file from the nearest one. For instance, in the given folder structure where each folder has a `bicepconfig.json` file:

+If you compile `main.bicep` in the `child` folder, the `bicepconfig.json` file in the `child` folder is used. The configuration files in the `parent` folder and the `root` folder are ignored. If the `child` folder doesn't contain a configuration file, Bicep searches for a configuration in the `parent` folder and then the `root` folder. If no configuration file is found in any of the folders, Bicep defaults to using the [default values](https://github.com/Azure/bicep/blob/main/src/Bicep.Core/Configuration/bicepconfig.json).

+In the context of a Bicep file invoking multiple modules, each module undergoes compilation using the nearest `bicepconfig.json`. Then, the main Bicep file is compiled with its corresponding `bicepconfig.json`. In the following scenario, `modA.bicep` is compiled using the `bicepconfig.json` located in the `A` folder, `modB.bicep` is compiled with the `bicepconfig.json` in the `B` folder, and finally, `main.bicep` is compiled using the `bicepconfig.json` in the `root` folder.

+In the absence of a `bicepconfig.json` file in the `A` and `B` folders, all three Bicep files are compiled using the `bicepconfig.json` found in the `root` folder. If `bicepconfig.json` isn't present in any of the folders, the compilation process defaults to using the [default values](https://github.com/Azure/bicep/blob/main/src/Bicep.Core/Configuration/bicepconfig.json).

+Here's an example of enabling features 'compileTimeImports' and 'userDefinedFunctions`.

+Bicep modules are converted into a single Azure Resource Manager template with [nested templates](../templates/linked-templates.md#nested-template). For more information about how Bicep resolves configuration files and how Bicep merge user-defined configuration file with the default configuration file, see [Configuration file resolution process](./bicep-config.md#understand-the-file-resolution-process) and [Configuration file merge process](./bicep-config.md#understand-the-merge-process).

+## Enable virtual machines, resource pools, clusters, hosts, datastores, networks, and VM templates in Azure

+Once you connected your Azure VMware Solution private cloud to Azure, you can browse your vCenter inventory from the Azure portal. This section shows you how to make these resources Azure enabled.

+ The enable action starts a deployment and creates a resource in Azure, creating representative objects in Azure for your VMware vSphere resources. It allows you to manage who can access those resources through Role-based access control granularly.

+1. Repeat the previous steps for one or more virtual machine, network, resource pool, and VM template resources.

+Additionally, for virtual machines there is an additional section to configure **VM extensions**. This will enable guest management to facilitate additional Azure extensions to be installed on the VM. The steps to enable this would be:

+1. Select **Enable guest management**.

+1. Choose a __Connectivity Method__ for the Arc agent.

+1. Provide an Administrator/Root access username and password for the VM.

+If you choose to enable the guest management as a separate step or have issues with the VM extension install steps please review the prerequisites and steps discussed in the section below.

+From here additional extensions can be installed. See the [VM extensions Overview](/azure/azure-arc/servers/manage-vm-extensions) for a list of current extensions.

+### Next Steps

+To manage Arc-enabled Azure VMware Solution go to: [Manage Arc-enabled Azure VMware private cloud - Azure VMware Solution](/azure/azure-vmware/manage-arc-enabled-azure-vmware-solution)

+To remove Arc-enabled  Azure VMWare Solution resources from Azure go to: [Remove Arc-enabled Azure VMware Solution vSphere resources from Azure - Azure VMware Solution](/azure/azure-vmware/remove-arc-enabled-azure-vmware-solution-vsphere-resources-from-azure)

+For more on-premises JetStream DR prerequisites, see the [JetStream Pre-Installation Guide](https://jetstreamsoft.com/portal/online-docs/jsdr-admin_4.2/Pre-Installation.html).

+1. In your on-premises data center, install JetStream DR following the [JetStream documentation](https://jetstreamsoft.com/portal/online-docs/jsdr-admin_4.2/Installation.html).

+1. [Deploy a JetStream DRVA appliance](https://jetstreamsoft.com/portal/online-docs/jsdr-admin_4.2/DeployaDRVA.html).

+- [vSphere Replication administration](https://docs.vmware.com/en/vSphere-Replication/https://docsupdatetracker.net/index.html)

+- [Dell Technologies](https://www.delltechnologies.com/asset/en-us/products/data-protection/briefs-summaries/cyber-recovery-with-powerprotect-for-multi-cloud-solution-brief.pdf)

+| Supported TLS Versions | TLS 1.2, TLS 1.0/1.1 - [Configurable](/rest/api/cdn/custom-domains/enable-custom-https#usermanagedhttpsparameters) | TLS 1.2, TLS 1.3 | TLS 1.2, TLS 1.3 |

+## Step 1: Create a Chaos Studio Private Access (CSPA) resource

+## Step 2: Create your Virtual Network, Subnet, and Private Endpoint

+## Step 3: Map the agent host VM to the CSPA resource

+> The PrivateAccessID should exactly match the "resourceID" used to create the CSPA resource in Step 1.

+## Step 4: Update host VM to map the communications endpoint to the private endpoint

+## Step 5: Update the communication endpoint in agentSettings and agentInstanceConfig JSON files

+## Step 5.5: Disable CRL verification in agentSettings.JSON

+## Step 6: Restart the Azure Chaos Agent service in the VM

+## Step 7: Run your Agent-based experiment using private endpoints

+This guide introduces you to the Azure Automation service, and how it can be used to simplify management of your Azure cloud services.

+Azure Automation provides a highly reliable and highly available workflow execution engine that scales to meet your needs as your organization grows. In Azure Automation, processes can be kicked off manually, by third-party systems, or at scheduled intervals so that tasks happen exactly when needed.

+Azure cloud services can be managed in Azure Automation by using the PowerShell cmdlets that are available in the [Azure PowerShell tools](/powershell/). Azure Automation has these cloud service PowerShell cmdlets available out of the box, so that you can perform all of your cloud service management tasks within the service. You can also pair these cmdlets in Azure Automation with the cmdlets for other Azure services, to automate complex tasks across Azure services and third party systems.

+* [My first runbook](../automation/learn/powershell-runbook-managed-identity.md)

+For more information about Azure certificates, see [Certificates overview for Azure Cloud Services](cloud-services-certs-create.md). For a complete description of OpenSSL parameters, see the documentation at [https://www.openssl.org/docs/manmaster/man1/req.html](https://www.openssl.org/docs/manmaster/man1/req.html).

+> Azure Notification Hubs has announced that Firebase Cloud Messaging (FCM) legacy API will be deprecated in July 2024. This will affect all Azure Communiation Services Calling and Chat applications who send Android push notifications. Customers impacted will need to migrate their registrations from FCM legacy to FCM v1, and can start doing so in March 2024. For more information including migration steps, please see [Notifcation Hub documentation](../../notification-hubs/notification-hubs-gcm-to-fcm.md).

+- Unknown - Indicates that SBC hasn't attempted a TLS handshake in the last 15 minutes.

+- Unknown - Indicates that SBC hasn't sent any SIP options.

+- Expired - Indicates that SBC was sending SIP OPTIONS, but we haven't received any OPTIONS messages in the last 15 minutes.

+> [!NOTE]

+>If you've just configured a new trunk, it can take up to 15 minutes to update the status.

+## Call context headers

+Call context headers are currently available only for Call Automation SDK. Call Automation SDK supports User-To-User header and up to five custom SIP headers. Those headers are supported in INVITE and REFER methods.

+### User-To-User header

+SIP User-To-User (UUI) header is an industry standard to pass contextual information during a call setup process. The maximum length of a UUI header key is 64 chars. The maximum length of UUI header value is 256 chars.

+### Custom header

+Azure Communication Services also supports up to five custom SIP headers. Custom SIP header key must start with a mandatory `X-MS-Custom-` prefix. The maximum length of a SIP header key is 64 chars, including the `X-MS-Custom-` prefix. The maximum length of SIP header value is 256 chars.

+For implementation details refer to [How to pass contextual data between calls](../../how-tos/call-automation/custom-context.md).

+The SBC must support INVITE with Replaces.

+ Title: Quickstart - Subscribe to Azure Communication Services Events

+description: In this quickstart, you learn how to subscribe to events from Azure Communication Services.

+zone_pivot_groups: acs-plat-azp-azcli-net-ps

+ms.devlang: azurecli

+# Quickstart: Subscribe to Azure Communication Services events

+In this quickstart, you learn how to subscribe to events from Azure Communication Services through the portal, Azure CLI, PowerShell and .NET SDK.

+You can set up event subscriptions for Communication Services resources through the [Azure portal](https://portal.azure.com) or Azure CLI, PowerShell or with the Azure [Event Grid Management SDK](https://www.nuget.org/packages/Azure.ResourceManager.EventGrid/).

+For this Quickstart, we walk through the process of setting up webhook as a subscriber for SMS events from Azure Communication Services. For a full list of events, see this [page](/azure/event-grid/event-schema-communication-services).

+Each Azure region in your deployment connects to your core network. You must choose the type of connection (for example, Microsoft Azure Peering Service Voice). You must use specific IP addresses and domain names to route traffic between your network and Azure Communications Gateway.

+The following table lists all the available connection types and whether they're supported for each communications service. The connection types are in the order that we recommend (with recommended types first).

+| MAPS Voice |✅ |✅|✅|- Best media quality because of prioritization with Microsoft network<br>- No extra costs<br>- See [Internet peering for Peering Service Voice walkthrough](../internet-peering/walkthrough-communications-services-partner.md)|

+Domain delegation provides topology hiding and might increase customer trust, but requires giving us full control over the subdomain that you delegate. For Microsoft Teams Direct Routing, choose domain delegation if you don't want customers to see a `*.commsgw.azure.com` address in their Microsoft 365 admin centers.

+1. Configure your routers and peering connection to ensure all traffic to Azure Communications Gateway is through Microsoft Azure Peering Service Voice (also known as MAPS Voice) or ExpressRoute Microsoft Peering.

+> Some steps in the deployment and integration process can require days or weeks to complete. For example, you might need to arrange Microsoft Azure Peering Service Voice (MAPS Voice) connectivity before you can deploy, wait for onboarding, or wait for a specific date to launch your service. We recommend that you read through any documentation from your onboarding team and the procedures in [Deploy Azure Communications Gateway](#deploy-azure-communications-gateway) and [Integrate with your chosen communications services](#integrate-with-your-chosen-communications-services) before you start deploying.

+- The type of connection you want to use: for example, Microsoft Azure Peering Service Voice (recommended; sometimes called MAPS Voice).

+## Configure Microsoft Azure Peering Service Voice or ExpressRoute

+- To configure Microsoft Azure Peering Service Voice (sometimes called MAPS Voice), follow the instructions in [Internet peering for Peering Service Voice walkthrough](../internet-peering/walkthrough-communications-services-partner.md).

+- IBM MQ

+- [Connect to IBM MQ](connectors-create-api-mq.md)

+- **Historical record**: By default, you have access to 100 inactive revisions, but you can [adjust this threshold manually](#change-inactive-revision-limit).

+### Change inactive revision limit

+You can use the `--max-inactive-revisions` parameter with the `containerapp create` or `containerapp update` commands to control the number of inactive revisions tracked by Container Apps.

+This example demonstrates how to create a new container app that tracks 50 inactive revisions:

+```azurecli

+az containerapp create --max-inactive-revisions 50

+```

+Data in PostgreSQL table will be pushed to Apache Kafka using the [Debezium PostgreSQL connector](https://debezium.io/documentation/reference/stable/connectors/postgresql.html), which is a Kafka Connect **source** connector. Inserts, updates, or deletion to records in the PostgreSQL table will be captured as `change data` events and sent to Kafka topic(s). The [DataStax Apache Kafka connector](https://docs.datastax.com/en/kafka/doc/kafka/kafkaIntro.html) (Kafka Connect **sink** connector), forms the second part of the pipeline. It will synchronize the change data events from Kafka topic to Azure Cosmos DB for Apache Cassandra tables.

+> For details, please refer to the [Debezium](https://debezium.io/documentation/reference/stable/connectors/postgresql.html) and [DataStax](https://docs.datastax.com/en/kafka/doc/) documentation.

+Azure Cosmos DB uses hash-based partitioning to spread logical partitions across physical partitions. Azure Cosmos DB hashes the partition key value of an item. The hashed result determines the logical partition. Then, Azure Cosmos DB allocates the key space of partition key hashes evenly across the physical partitions.

+You can create only one data catalog per organization (Microsoft Entra domain). Therefore, if the owner or co-owner of an Azure subscription who belongs to this Microsoft Entra domain has already created a catalog, then you can't create a catalog again even if you have multiple Azure subscriptions. To test whether a data catalog has been created by a user in your Microsoft Entra domain, go to the [Azure Data Catalog home page](https://www.azuredatacatalog.com) and verify whether you see the catalog. If a catalog has already been created for you, skip the following procedure and go to the next section.

+1. Go to the [Azure Data Catalog home page](https://www.azuredatacatalog.com) and select **Publish Data**.

+1. Go to the [Azure Data Catalog home page](https://www.azuredatacatalog.com) and select **Publish Data**.

+| clientId | ID of the application used to generate the refresh token. | Yes |

+| clientSecret | Secret of the application used to generate the refresh token. Mark this field as a SecureString to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |

+| refreshToken | The refresh token obtained from Google used to authorize access to BigQuery. Learn how to get one from [Obtaining OAuth 2.0 access tokens](https://developers.google.com/identity/protocols/OAuth2WebServer#obtainingaccesstokens) and [this community blog](https://jpd.ms/getting-your-bigquery-refresh-token-for-azure-datafactory-f884ff815a59). Mark this field as a SecureString to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |

+| keyFilePath | The full path to the `.p12` or `.json` key file that is used to authenticate the service account email address. | Yes |

+This connector currently supports MariaDB of version 10.x, 11.x under the recommended new driver version v2 and 10.0 to 10.5 for the legacy driver version.

+ :::image type="content" source="media/connector-mariadb/mariadb-connector.png" alt-text="Screenshot of the MariaDB connector.":::

+If you use the recommended driver version, the following properties are supported for MariaDB linked service:

+| driverVersion | The driver version when you select the recommended driver version. The value is v2. | Yes |

+| server | The name of your MariaDB Server. | Yes |

+| port | The port number to connect to the MariaDB server. | No |

+| database | Your MariaDB database name. | Yes |

+| username | Your user name. | Yes |

+| password | The password for the user name. Mark this field as SecureString to store it securely. Or, you can [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |

+ "server": "<server>",

+ "port": "<port>",

+ "database": "<database>",

+ "username": "<username>",

+ "password": {

+ "type": "SecureString",

+ "value": "<password>"

+ },

+ "driverVersion": "v2"

+ "server": "<server>",

+ "port": "<port>",

+ "database": "<database>",

+ "username": "<username>",

+ "password": {

+ "type": "AzureKeyVaultSecret",

+ "store": {

+ "referenceName": "<Azure Key Vault linked service name>",

+ "type": "LinkedServiceReference"

+ },

+ "secretName": "<secretName>"

+ },

+ "driverVersion": "v2"

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+If you use the legacy driver version, the following properties are supported:

+| Property | Description | Required |

+|: |: |: |

+| type | The type property must be set to: **MariaDB** | Yes |

+| connectionString | An ODBC connection string to connect to MariaDB. <br/>You can also put password in Azure Key Vault and pull the `pwd` configuration out of the connection string. Refer to the following samples and [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md) article with more details. | Yes |

+| connectVia | The [Integration Runtime](concepts-integration-runtime.md) to be used to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. If not specified, it uses the default Azure Integration Runtime. |No |

+**Example:**

+```json

+{

+ "name": "MariaDBLinkedService",

+ "properties": {

+ "type": "MariaDB",

+ "typeProperties": {

+ "connectionString": "Server=<host>;Port=<port>;Database=<database>;UID=<user name>;PWD=<password>"

+## Data type mapping for MariaDB

+When copying data from MariaDB, the following mappings are used from MariaDB data types to interim data types used by the service internally. See [Schema and data type mappings](copy-activity-schema-and-type-mapping.md) to learn about how copy activity maps the source schema and data type to the sink.

+| MariaDB data type | Interim service data type | Interim service data type (for the legacy driver version) |

+|: |: |: |

+| `bigint` |`Int64` |`Int64` |

+| `bigint unsigned` |`Decimal` |`Decimal` |

+| `bit(1)` |`UInt64` |`Boolean` |

+| `bit(M), M>1`|`UInt64`|`Byte[]`|

+| `blob` |`Byte[]` |`Byte[]` |

+| `bool` |`Boolean` <br/>(If TreatTinyAsBoolean=false, it is mapped as `SByte`. TreatTinyAsBoolean is true by default ) |`Int16` |

+| `char` |`String` |`String` |

+| `date` |`Datetime` |`Datetime` |

+| `datetime` |`Datetime` |`Datetime` |

+| `decimal` |`Decimal` |`Decimal, String` |

+| `double` |`Double` |`Double` |

+| `double precision` |`Double` |`Double` |

+| `enum` |`String` |`String` |

+| `float` |`Single` |`Single` |

+| `int` |`Int32` |`Int32` |

+| `int unsigned` |`Int64`|`Int64`|

+| `integer` |`Int32` |`Int32` |

+| `integer unsigned` |`Int64` |`Int64` |

+| `JSON` |`String` |-|

+| `long varbinary` |`Byte[]` |`Byte[]` |

+| `long varchar` |`String` |`String` |

+| `longblob` |`Byte[]` |`Byte[]` |

+| `longtext` |`String` |`String` |

+| `mediumblob` |`Byte[]` |`Byte[]` |

+| `mediumint` |`Int32` |`Int32` |

+| `mediumint unsigned` |`Int64` |`Int64` |

+| `mediumtext` |`String` |`String` |

+| `numeric` |`Decimal` |`Decimal` |

+| `real` |`Double` |`Double` |

+| `set` |`String` |`String` |

+| `smallint` |`Int16` |`Int16` |

+| `smallint unsigned` |`Int32` |`Int32` |

+| `text` |`String` |`String` |

+| `time` |`TimeSpan` |`TimeSpan` |

+| `timestamp` |`Datetime` |`Datetime` |

+| `tinyblob` |`Byte[]` |`Byte[]` |

+| `tinyint` |`SByte` |`Int16` |

+| `tinyint unsigned` |`Int16` |`Int16` |

+| `tinytext` |`String` |`String` |

+| `varchar` |`String` |`String` |

+| `year` |`Int` |`Int` |

+## Upgrade the MariaDB driver version

+Here are steps that help you upgrade your MariaDB driver version:

+1. Create a new MariaDB linked service and configure it by referring to [Linked service properties](connector-mariadb.md#linked-service-properties).

+1. The data type mapping for the latest MariaDB linked service is different from that for the legacy version. To learn the latest data type mapping, see [Data type mapping for MariaDB](connector-mariadb.md#data-type-mapping-for-mariadb).

+1. More MariaDB versions are supported for the latest driver version. For more information, see [Supported capabilities](connector-mariadb.md#supported-capabilities).

+Microsoft Fabric Lakehouse is a data architecture platform for storing, managing, and analyzing structured and unstructured data in a single location. In order to achieve seamless data access across all compute engines in Microsoft Fabric, go to [Lakehouse and Delta Tables](/fabric/data-engineering/lakehouse-and-delta-tables) to learn more. By default, data is written to Lakehouse Table in V-Order, and you can go to [Delta Lake table optimization and V-Order](/fabric/data-engineering/delta-optimization-and-v-order?tabs=sparksql#what-is-v-order) for more information.

+>[!Note]

+> Data is written to Lakehouse Table in V-Order by default. For more information, go to [Delta Lake table optimization and V-Order](/fabric/data-engineering/delta-optimization-and-v-order?tabs=sparksql#what-is-v-order).

+This connector supports MySQL version 5.5, 5.6, 5.7, 8.0, 8.1 and 8.2 under the recommended new driver version v2 and 5.6, 5.7 and 8.0 for the legacy driver version.

+If you use the recommended driver version，the following properties are supported for MySQL linked service:

+| driverVersion | The driver version when you select the recommended driver version. The value is v2. | Yes |

+| server | The name of your MySQL Server. | Yes |

+| port | The port number to connect to the MySQL server. |No|

+| database | Your MySQL database name. |Yes|

+| username | Your user name.|Yes|

+| password | The password for the user name. Mark this field as SecureString to store it securely. Or, you can [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |

+| sslMode | This option specifies whether the driver uses TLS encryption and verification when connecting to MySQL. E.g., `SSLMode=<0/1/2/3/4>`.<br/>Options: DISABLED (0) / PREFERRED (1) **(Default)** / REQUIRED (2) / VERIFY_CA (3) / VERIFY_IDENTITY (4) | Yes |

+| useSystemTrustStore | This option specifies whether to use a CA certificate from the system trust store, or from a specified PEM file. E.g. `UseSystemTrustStore=<0/1>`;<br/>Options: Enabled (1) / Disabled (0) **(Default)** | No |

+ "server": "<server>",

+ "port": 3306,

+ "database": "<database>",

+ "username": "<username>",

+ "password": {

+ "type": "SecureString",

+ "value": "<password>"

+ },

+ "sslmode": <sslmode>,

+ "usesystemtruststore": <UseSystemTrustStore>,

+ "driverVersion": "v2"

+ "server": "<server>",

+ "port": 3306,

+ "database": "<database>",

+ "username": "<username>",

+ "sslmode": <sslmode>,

+ "usesystemtruststore": <UseSystemTrustStore>,

+ },

+ "driverVersion": "v2"

+If you use the legacy driver version, the following properties are supported:

+| Property | Description | Required |

+|: |: |: |

+| type | The type property must be set to: **MySql** | Yes |

+| connectionString | Specify information needed to connect to the Azure Database for MySQL instance.<br/> You can also put password in Azure Key Vault and pull the `password` configuration out of the connection string. Refer to the following samples and [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md) article with more details. | Yes |

+| connectVia | The [Integration Runtime](concepts-integration-runtime.md) to be used to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. If not specified, it uses the default Azure Integration Runtime. | No |

+A typical connection string is `Server=<server>;Port=<port>;Database=<database>;UID=<username>;PWD=<password>`. More properties you can set per your case:

+| Property | Description | Required |

+|: |: |: |

+| sslMode | This option specifies whether the driver uses TLS encryption and verification when connecting to MySQL. E.g., `SSLMode=<0/1/2/3/4>`.<br/>Options: DISABLED (0) / PREFERRED (1) **(Default)** / REQUIRED (2) / VERIFY_CA (3) / VERIFY_IDENTITY (4) | Yes |

+| SSLCert | The full path and name of a .pem file containing the SSL certificate used for proving the identity of the client. <br/> To specify a private key for encrypting this certificate before sending it to the server, use the `SSLKey` property.| Yes, if using two-way SSL verification. |

+| SSLKey | The full path and name of a file containing the private key used for encrypting the client-side certificate during two-way SSL verification.| Yes, if using two-way SSL verification. |

+| useSystemTrustStore | This option specifies whether to use a CA certificate from the system trust store, or from a specified PEM file. E.g. `UseSystemTrustStore=<0/1>`;<br/>Options: Enabled (1) / Disabled (0) **(Default)** | No |

+**Example:**

+ "connectionString": "Server=<server>;Port=<port>;Database=<database>;UID=<username>;PWD=<password>"

+| MySQL data type | Interim service data type | Interim service data type (for the legacy driver version) |

+|: |: |: |

+| `bigint` |`Int64` |`Int64` |

+| `bigint unsigned` |`Decimal` |`Decimal` |

+| `bit(1)` |`UInt64` |`Boolean` |

+| `bit(M), M>1`|`UInt64`|`Byte[]`|

+| `blob` |`Byte[]` |`Byte[]` |

+| `bool` |`Boolean` <br/>(If TreatTinyAsBoolean=false, it is mapped as `SByte`. TreatTinyAsBoolean is true by default ) |`Int16` |

+| `char` |`String` |`String` |

+| `date` |`Datetime` |`Datetime` |

+| `datetime` |`Datetime` |`Datetime` |

+| `decimal` |`Decimal` |`Decimal, String` |

+| `double` |`Double` |`Double` |

+| `double precision` |`Double` |`Double` |

+| `enum` |`String` |`String` |

+| `float` |`Single` |`Single` |

+| `int` |`Int32` |`Int32` |

+| `int unsigned` |`Int64`|`Int64`|

+| `integer` |`Int32` |`Int32` |

+| `integer unsigned` |`Int64` |`Int64` |

+| `JSON` |`String` |-|

+| `long varbinary` |`Byte[]` |`Byte[]` |

+| `long varchar` |`String` |`String` |

+| `longblob` |`Byte[]` |`Byte[]` |

+| `longtext` |`String` |`String` |

+| `mediumblob` |`Byte[]` |`Byte[]` |

+| `mediumint` |`Int32` |`Int32` |

+| `mediumint unsigned` |`Int64` |`Int64` |

+| `mediumtext` |`String` |`String` |

+| `numeric` |`Decimal` |`Decimal` |

+| `real` |`Double` |`Double` |

+| `set` |`String` |`String` |

+| `smallint` |`Int16` |`Int16` |

+| `smallint unsigned` |`Int32` |`Int32` |

+| `text` |`String` |`String` |

+| `time` |`TimeSpan` |`TimeSpan` |

+| `timestamp` |`Datetime` |`Datetime` |

+| `tinyblob` |`Byte[]` |`Byte[]` |

+| `tinyint` |`SByte` |`Int16` |

+| `tinyint unsigned` |`Int16` |`Int16` |

+| `tinytext` |`String` |`String` |

+| `varchar` |`String` |`String` |

+| `year` |`Int` |`Int` |

+## Upgrade the MySQL driver version

+Here are steps that help you upgrade your MySQL driver version:

+1. Create a new MySQL linked service and configure it by referring toΓÇ»[Linked service properties](connector-mysql.md#linked-service-properties).

+1. The data type mapping for the latest MySQL linked service is different from that for the legacy version. To learn the latest data type mapping, see [Data type mapping for MySQL](connector-mysql.md#data-type-mapping-for-mysql).

+1. More MySQL versions are supported for the latest driver version. For more information, see [Supported capabilities](connector-mysql.md#supported-capabilities).

+| Veritas | [https://www.veritas.com/partners/microsoft-azure](https://www.veritas.com/partners/microsoft-azure) <br> For details, contact Veritas. |

+- Learn how to [Recover from a failed Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-recover-device-failure.md).

+| Veritas | [https://www.veritas.com/partners/microsoft-azure](https://www.veritas.com/partners/microsoft-azure) <br> For details, contact Veritas. |

+ | Veritas | [https://www.veritas.com/partners/microsoft-azure](https://www.veritas.com/partners/microsoft-azure) <br> For details, contact Veritas. |

+ | Veritas | [https://www.veritas.com/partners/microsoft-azure](https://www.veritas.com/partners/microsoft-azure) <br> For details, contact Veritas. |

+ | Veritas | [https://www.veritas.com/partners/microsoft-azure](https://www.veritas.com/partners/microsoft-azure) <br> For details, contact Veritas. |

+[Learn how to deploy IoT Edge workloads on Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-deploy-compute-module-simple.md)

+In Visual Studio, use the **Tools** -> **NuGet Package Manager** -> **Package Manager Console**, and run the `Install-Package` command (`Install-Package Microsoft.Azure.WebJobs.Extensions.EventGrid -Version 3.3.1`). Alternatively, right-click the project in the Solution Explorer window, and select **Manage NuGet Packages** menu to browse for the NuGet package, and install or update it to the latest version.

+ <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.EventGrid" Version="3.3.1" />

+ Title: Azure Storage Actions as Event Grid source

+description: Describes the properties that are provided for Azure Storage Actions events with Azure Event Grid.

+# Azure Storage Actions as an Event Grid source

+This article provides the properties and schema for Azure Storage Actions events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md). To learn more about Azure Storage Actions, see [What is Azure Storage Actions?](../storage-actions/overview.md).

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../storage-actions/overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+> To enroll, see \<sign-up form link here\>.

+## Available event types

+## Storage Actions events

+These events are triggered when a storage task is queued and when a storage task run completes.

+ |Event name |Description|

+ |-|--|

+ | [Microsoft.StorageActions.StorageTaskQueued](#microsoftstorageactionsstoragetaskqueued-event) | Triggered when a storage task assignment run is queued. This event provides the status of assignment execution such as when the assignment is queued, and the corresponding execution ID for tracking purpose. |

+ |[Microsoft.StorageActions.StorageTaskCompleted](#microsoftstorageactionsstoragetaskcompleted-event) | Triggered when a storage tasks assignment run is completed. This event provides the status of assignment execution such as when the assignment is completed, the assignment's status, which task is associated with the assignment, and the link to summary report file. |

+### Example events

+# [Event Grid event schema](#tab/event-grid-event-schema)

+### Microsoft.StorageActions.StorageTaskQueued event

+```json

+[{

+ "topic":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account",

+ "subject":"DataManagement/StorageTasks",

+ "eventType":"Microsoft.StorageActions.StorageTaskQueued",

+ "id":"8eb4656c-5c4a-4541-91e0-685558acbb1d",

+ "data":{

+ "queuedDateTime":"2023-08-07T21:35:23Z",

+ "taskExecutionId":"testdelete-2023-08-07T21:35:16.9494934Z_2023-08-07T21:35:17.5432186Z"

+ },

+ "dataVersion":"1.0",

+ "metadataVersion":"1",

+ "eventTime":"2023-08-07T21:35:23Z"

+}]

+```

+### Microsoft.StorageActions.StorageTaskCompleted event

+```json

+[{

+ "topic":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account",

+ "subject":"DataManagement/StorageTasks",

+ "eventType":"Microsoft.StorageActions.StorageTaskCompleted",

+ "id":"dee33d3b-0b39-42f2-b2be-76f2fb94b852",

+ "data":{

+ "status":"Succeeded",

+ "completedDateTime":"2023-08-07T21:35:34Z",

+ "taskExecutionId":"testdelete-2023-08-07T21:35:16.9494934Z_2023-08-07T21:35:17.5432186Z",

+ "taskName":"deleteallcentraleu",

+ "summaryReportBlobUrl":"https://my-storage-account.blob.core.windows.net/result-container/deleteallcentraleu_testdelete_2023-08-07T21:35:23/SummaryReport.json"

+ },

+ "dataVersion":"1.0",

+ "metadataVersion":"1",

+ "eventTime":"2023-08-07T21:35:34Z"

+}]

+```

+# [Cloud event schema](#tab/cloud-event-schema)

+### Microsoft.StorageActions.StorageTaskQueued event

+```json

+[{

+ "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account",

+ "subject": "DataManagement/StorageTasks",

+ "type": "Microsoft.StorageActions.StorageTaskQueued",

+ "time": "2023-08-07T21:35:23Z",

+ "id": "8eb4656c-5c4a-4541-91e0-685558acbb1d",

+ "data": {

+ "queuedDateTime":"2023-08-07T21:35:23Z",

+ "taskExecutionId":"testdelete-2023-08-07T21:35:16.9494934Z_2023-08-07T21:35:17.5432186Z"

+ },

+ "specversion": "1.0"

+}]

+```

+### Microsoft.StorageActions.StorageTaskCompleted event

+```json

+[{

+ "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account",

+ "subject": "DataManagement/StorageTasks",

+ "type": "Microsoft.StorageActions.StorageTaskCompleted",

+ "time": "2023-08-07T21:35:34Z",

+ "id": "dee33d3b-0b39-42f2-b2be-76f2fb94b852",

+ "data": {

+ "status":"Succeeded",

+ "completedDateTime":"2023-08-07T21:35:34Z",

+ "taskExecutionId":"testdelete-2023-08-07T21:35:16.9494934Z_2023-08-07T21:35:17.5432186Z",

+ "taskName":"deleteallcentraleu",

+ "summaryReportBlobUrl":"https://my-storage-account.blob.core.windows.net/result-container/deleteallcentraleu_testdelete_2023-08-07T21:35:23/SummaryReport.json"

+ },

+ "specversion": "1.0"

+}]

+```

+## Event properties

+# [Event Grid event schema](#tab/event-grid-event-schema)

+An event has the following top-level data:

+| Property | Type | Description |

+| -- | - | -- |

+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |

+| `subject` | string | Publisher-defined path to the event subject. |

+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |

+| `eventType` | string | One of the registered event types for this event source. |

+| `id` | string | Unique identifier for the event. |

+| `data` | object | Storage task event data. |

+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |

+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |

+# [Cloud event schema](#tab/cloud-event-schema)

+An event has the following top-level data:

+| Property | Type | Description |

+| -- | - | -- |

+| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |

+| `subject` | string | Publisher-defined path to the event subject. |

+| `type` | string | One of the registered event types for this event source. |

+| `id` | string | Unique identifier for the event. |

+| `data` | object | Storage task event data. |

+| `specversion` | string | CloudEvents schema specification version. |

+The data object has the following properties:

+| Property | Type | Description |

+| -- | - | -- |

+| `queuedDateTime` | string | The time that the storage task assignment is queued. |

+| `status` | string | The storage task assignment completion status (`Succeeded` or `Failed`) |

+| `completedDateTime` | string | The time that the storage task assignment completed. |

+| `taskExecutionId` | string | The unique ID that is associated with the storage task assignment. |

+| `taskName` | string | The storage task that is associated with the storage task assignment. |

+| `summaryReportBlobUrl` | string | The link to the storage task assignment summary report file. |

+## Next steps

+- For an introduction to Azure Event Grid, see [What is Event Grid?](overview.md)

+- For more information about creating an Azure Event Grid subscription, see [Event Grid subscription schema](subscription-creation-schema.md).

+By default, Event Hubs namespaces are accessible from internet as long as the request comes with valid authentication and authorization. With IP firewall, you can restrict it further to only a set of IPv4 and IPv6 addresses or address ranges in [CIDR (Classless Inter-Domain Routing)](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation.

+This feature is helpful in scenarios in which Azure Event Hubs should be only accessible from certain well-known sites. Firewall rules enable you to configure rules to accept traffic originating from specific IPv4 and IPv6 addresses. For example, if you use Event Hubs with [Azure Express Route][express-route], you can create a **firewall rule** to allow traffic from only your on-premises infrastructure IP addresses.

+ 3. For **address range**, enter specific IPv4 or IPv6 addresses or address ranges in CIDR notation.

+

+ > [!IMPORTANT]

+ > When the service starts supporting IPv6 connections in the future and clients automatically switch to using IPv6, your clients will break if you have only IPv4 addresses, not IPv6 addresses. Therefore, we recommend that you add IPv6 addresses to the list of allowed IP addresses now so that your clients don't break when the service eventually switches to supporting IPv6.

+The default value of the `defaultAction` property was `Deny` for API version **2021-01-01-preview and earlier**. However, the deny rule isn't enforced unless you set IP filters or virtual network rules. That is, if you didn't have any IP filters or virtual network rules, it's treated as `Allow`.

+From API version **2021-06-01-preview onwards**, the default value of the `defaultAction` property is `Allow`, to accurately reflect the service-side enforcement. If the default action is set to `Deny`, IP filters and virtual network rules are enforced. If the default action is set to `Allow`, IP filters and virtual network rules aren't enforced. The service remembers the rules when you turn them off and then back on again.

+Azure portal always uses the latest API version to get and set properties. If you had configured your namespace using **2021-01-01-preview and earlier** with `defaultAction` set to `Deny`, and specified zero IP filters and virtual network rules, the portal would have previously checked **Selected Networks** on the **Networking** page of your namespace. Now, it checks the **All networks** option.

+description: This article describes how to configure access from private endpoints.

+You can use service tags to define network access controls on [network security groups](../virtual-network/network-security-groups-overview.md#security-rules) or [Azure Firewall](../firewall/service-tags.md). Use service tags in place of specific IP addresses when you create security rules. By specifying the service tag name (for example, `EventHub`) in the appropriate *source* or *destination* field of a rule, you can allow or deny the traffic for the corresponding service.

+| `EventHub` | Azure Event Hubs. | Outbound | Yes | Yes |

+By default, Event Hubs namespaces are accessible from internet as long as the request comes with valid authentication and authorization. With IP firewall, you can restrict it further to only a set of IPv4 or IPv6 addresses or address ranges in [CIDR (Classless Inter-Domain Routing)](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation.

+This feature is helpful in scenarios in which Azure Event Hubs should be only accessible from certain well-known sites. Firewall rules enable you to configure rules to accept traffic originating from specific IPv4 or IPv6 addresses. For example, if you use Event Hubs with [Azure Express Route](../expressroute/expressroute-faqs.md#supported-services), you can create a **firewall rule** to allow traffic from only your on-premises infrastructure IP addresses.

+The IP firewall rules are applied at the Event Hubs namespace level. Therefore, the rules apply to all connections from clients using any supported protocol. Any connection attempt from an IP address that doesn't match an allowed IP rule on the Event Hubs namespace is rejected as unauthorized. The response doesn't mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

+For more information, see [How to configure IP firewall for an event hub](event-hubs-ip-filtering.md).

+The integration of Event Hubs with [Virtual Network (virtual network) Service Endpoints](../virtual-network/virtual-network-service-endpoints-overview.md) enables secure access to messaging capabilities from workloads such as virtual machines that are bound to virtual networks, with the network traffic path being secured on both ends.

+The result is a private and isolated relationship between the workloads bound to the subnet and the respective Event Hubs namespace, in spite of the observable network address of the messaging service endpoint being in a public IP range. There's an exception to this behavior. When you enable a service endpoint, by default, the service enables the `denyall` rule in the [IP firewall](event-hubs-ip-filtering.md) associated with the virtual network. You can add specific IP addresses in the IP firewall to enable access to the Event Hubs public endpoint.

+### Advanced security scenarios enabled by virtual network integration

+For more information, see [How to configure virtual network service endpoints for an event hub](event-hubs-service-endpoints.md).

+A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. You can connect to an instance of an Azure resource, giving you the highest level of granularity in access control.

+For more information, see [How to configure private endpoints for an event hub](private-link-service.md).

+There are various reasons for client applications not able to connect to an event hub. The connectivity issues might be permanent or transient. If the issue happens all the time (permanent), you might want to check the connection string, your organization's firewall settings, IP firewall settings, network security settings (service endpoints, private endpoints, etc.), and more. For transient issues, upgrading to latest version of the SDK, running commands to check dropped packets, and obtaining network traces might help with troubleshooting the issues. This article provides tips for troubleshooting connectivity issues with Azure Event Hubs.

+### Check if the application needs to be running in a specific subnet of a virtual network

+By default, Event Hubs namespaces are accessible from internet as long as the request comes with valid authentication and authorization. With IP firewall, you can restrict it further to only a set of IPv4 or IPv6 addresses or address ranges in [CIDR (Classless Inter-Domain Routing)](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation.

+Some of the transient connectivity issues might have been fixed in the later versions of the SDK than what you are using. Ensure that you're using the latest version of client SDKs in your applications. SDKs are continuously improved with new/updated features and bug fixes, so always test with latest package. Check the release notes for issues that are fixed and features added/updated.

+When there are intermittent connectivity issues, run the following command to check if there are any dropped packets. This command tries to establish 25 different TCP connections every 1 second with the service. Then, you can check how many of them succeeded/failed and also see TCP connection latency. You can download the `psping` tool from [here](/sysinternals/downloads/psping).

+Transient connectivity issues might occur because of backend service upgrades and restarts. When they occur, you might see the following symptoms:

+- There might be a drop in incoming messages/requests.

+- The log file might contain error messages.

+- The applications might be disconnected from the service for a few seconds.

+- Requests might be momentarily throttled.

+If the application code utilizes SDK, the retry policy is already built in and active. The application reconnects without significant impact to the application/workflow. Catching these transient errors, backing off and then retrying the call ensures that your code is resilient to these transient issues.

+## VNet to VNet and VNet to Virtual WAN connectivity

+By default, VNet to VNet and VNet to Virtual WAN connectivity is disabled through an ExpressRoute circuit for all gateway SKUs. To enable this connectivity, you must configure the ExpressRoute virtual network gateway to allow this traffic. For more information, see guidance about [virtual network connectivity over ExpressRoute](virtual-network-connectivity-guidance.md). To enabled this traffic, see [Enable VNet to VNet or VNet to Virtual WAN connectivity through ExpressRoute](expressroute-howto-add-gateway-portal-resource-manager.md#enable-or-disable-vnet-to-vnet-or-vnet-to-virtual-wan-traffic-through-expressroute).

+## Enable or disable VNet to VNet or VNet to Virtual WAN traffic through ExpressRoute

+You can enable or disable VNet to VNet or VNet to WAN connectivity through ExpressRoute. By default, VNet to VNet or VNet to WAN traffic is disabled through ExpressRoute. You can enable this traffic by using the following steps.

+1. In the Azure portal, navigate to the ExpressRoute virtual network gateway.

+1. In the **Settings** section, select **Configuration**.

+1. In the **Configuration** section, select the checkbox for **Allow traffic from remote virtual networks**. You can also enable traffic from remote Virtual WAN networks by selecting the checkbox for **Allow traffic from remote Virtual WAN network**.

+ :::image type="content" source="./media/expressroute-howto-add-gateway-portal-resource-manager/allow-remote-virtual-network-wan.png" alt-text="Screenshot that shows how to enable VNet to VNet and VNet to WAN traffic.":::

+These steps will need to be completed on all virtual networks that need to communicate with each other through ExpressRoute.

+## Enable VNet to VNet or VNet to Virtual WAN connectivity through ExpressRoute

+By default, VNet to VNet and VNet to Virtual WAN connectivity is disabled through an ExpressRoute circuit. To enable this connectivity, you must configure the ExpressRoute virtual network gateway to allow this traffic. For more information, see [Enable VNet to VNet or VNet to Virtual WAN connectivity through ExpressRoute](expressroute-howto-add-gateway-portal-resource-manager.md#enable-or-disable-vnet-to-vnet-or-vnet-to-virtual-wan-traffic-through-expressroute).

+ Title: Modify inventory assets

+description: This article outlines how to update assets with customized text labels to categorize and make use of inventory data.

+# Asset modification overview

+This article outlines how to modify inventory assets. You can change the state of an asset, assign an external ID or apply labels to help provide context and use inventory data. Users can also remove assets from their inventory in bulk based on the method with which they were discovered; for instance, users can remove a seed from a discovery group and elect to remove any assets that were discovered through a connection to this seed. This article describes all modification options available in Defender EASM, and outlines how to update assets and track any updates with the Task Manager.

+### Label assets

+Labels help you organize your attack surface and apply business context in a customizable way. You can apply any text label to a subset of assets to group assets and make better use of your inventory. Customers commonly categorize assets that:

+- Have recently come under your organization's ownership through a merger or acquisition.

+- Require compliance monitoring.

+- Are owned by a specific business unit in their organization.

+- Are affected by a specific vulnerability that requires mitigation.

+- Relate to a particular brand owned by the organization.

+- Were added to your inventory within a specific time range.

+

+Labels are free form text fields, so you can create a label for any use case that applies to your organization.

+[](media/labels-1a.png#lightbox)

+### Change the state of an asset

+Users can also change the state of an asset. States help categorize your inventory based on their role in your organization. Users can switch between the following states:

+- **Approved Inventory**: A part of your owned attack surface; an item that you are directly responsible for.

+- **Dependency**: Infrastructure that is owned by a third party but is part of your attack surface because it directly supports the operation of your owned assets. For example, you might depend on an IT provider to host your web content. While the domain, hostname, and pages would be part of your ΓÇ£Approved Inventory,ΓÇ¥ you may wish to treat the IP Address running the host as a ΓÇ£Dependency.ΓÇ¥

+- **Monitor Only**: An asset that is relevant to your attack surface but is neither directly controlled nor a technical dependency. For example, independent franchisees or assets belonging to related companies might be labeled as ΓÇ£Monitor OnlyΓÇ¥ rather than ΓÇ£Approved InventoryΓÇ¥ to separate the groups for reporting purposes.

+- **Candidate**: An asset that has some relationship to your organization's known seed assets but does not have a strong enough connection to immediately label it as ΓÇ£Approved Inventory.ΓÇ¥ These candidate assets must be manually reviewed to determine ownership.

+- **Requires Investigation**: A state similar to the ΓÇ£CandidateΓÇ¥ states, but this value is applied to assets that require manual investigation to validate. This is determined based on our internally generated confidence scores that assess the strength of detected connections between assets. It does not indicate the infrastructure's exact relationship to the organization as much as it denotes that this asset has been flagged as requiring additional review to determine how it should be categorized.

+### Apply an External ID

+Users can also apply an external ID to an asset. This is useful in situations when you employ multiple solutions for asset tracking, remediation activities or ownership monitoring; seeing any external IDs within Defender EASM helps you align this disparate asset information. External ID values can be numeric or alphanumeric and must be entered in text format. External IDs are also displayed within the Asset Details section.

+## How to modify assets

+You can modify assets from both the inventory list and asset details pages. You can make changes to a single asset from the asset details page. You can make changes to a single asset or multiple assets from the inventory list page. The following sections describe how to apply changes from the two inventory views depending on your use case.

+### Inventory list page

+You should modify assets from the inventory list page if you want to update numerous assets at once. You can refine your asset list based on filter parameters. This process helps you to identify assets that should be categorized with the label, external ID or state change that you want. To modify assets from this page:

+1. On the leftmost pane of your Microsoft Defender External Attack Surface Management (Defender EASM) resource, select **Inventory**.

+2. Apply filters to produce your intended results. In this example, we're looking for domains that expire within 30 days that require renewal. The applied label helps you more quickly access any expiring domains to simplify the remediation process. You can apply as many filters as necessary to obtain the specific results that are needed. For more information on filters, see [Inventory filters overview](inventory-filters.md).

+ 

+3. After your inventory list is filtered, select the dropdown by the checkbox next to the **Asset** table header. This dropdown gives you the option to select all results that match your query or the results on that specific page (up to 25). The **None** option clears all assets. You can also choose to select only specific results on the page by selecting the individual check marks next to each asset.

+ 

+4. Select **Modify assets**.

+5. On the **Modify Assets** pane that opens on the right side of your screen, you can quickly change the state of the selected assets. For this example, you create a new label. Select **Create a new label**.

+6. Determine the label name and display text values. The label name can't be changed after you initially create the label, but the display text can be edited at a later time. The label name is used to query for the label in the product interface or via API, so edits are disabled to ensure these queries work properly. To edit a label name, you need to delete the original label and create a new one.

+ Select a color for your new label and select **Add**. This action takes you back to the **Modify Assets** screen.

+ 

+7. Apply your new label to the assets. Click inside the **Add labels** text box to view a full list of available labels. Or you can type inside the box to search by keyword. After you select the labels you want to apply, select **Update**.

+ 

+8. Allow a few moments for the labels to be applied. After the process is finished, you see a "Completed" notification. The page automatically refreshes and displays your asset list with the labels visible. A banner at the top of the screen confirms that your labels were applied.

+ [](media/labels-6.png#lightbox)

+### Asset details page

+You can also modify a single asset from the asset details page. This option is ideal for situations when assets need to be thoroughly reviewed before a label or state change is applied.

+1. On the leftmost pane of your Defender EASM resource, select **Inventory**.

+2. Select the specific asset you want to modify to open the asset details page.

+3. On this page, select **Modify asset**.

+ 

+4. Follow steps 5 to 7 in the "Inventory list page" section.

+5. The asset details page refreshes and displays the newly applied label or state change. A banner indicates that the asset was successfully updated.

+## Modify, remove, or delete labels

+Users can remove a label from an asset by accessing the same **Modify asset** pane from either the inventory list or asset details view. From the inventory list view, you can select multiple assets at once and then add or remove the desired label in one action.

+To modify the label itself or delete a label from the system:

+1. On the leftmost pane of your Defender EASM resource, select **Labels (Preview)**.

+ [](media/labels-8a.png#lightbox)

+ This page displays all the labels within your Defender EASM inventory. Labels on this page might exist in the system but not be actively applied to any assets. You can also add new labels from this page.

+2. To edit a label, select the pencil icon in the **Actions** column of the label you want to edit. A pane opens on the right side of your screen where you can modify the name or color of a label. Select **Update**.

+3. To remove a label, select the trash can icon from the **Actions** column of the label you want to delete. Select **Remove Label**.

+ 

+The **Labels** page automatically refreshes. The label is removed from the list and also removed from any assets that had the label applied. A banner confirms the removal.

+## Task Manager and notifications

+After a task is submitted, a notification confirms that the update is in progress. From any page in Azure, select the notification (bell) icon to see more information about recent tasks.

+

+

+The Defender EASM system can take seconds to update a handful of assets or minutes to update thousands. You can use the Task Manager to check on the status of any modification tasks in progress. This section outlines how to access the Task Manager and use it to better understand the completion of submitted updates.

+1. On the leftmost pane of your Defender EASM resource, select **Task Manager**.

+ 

+2. This page displays all your recent tasks and their status. Tasks are listed as **Completed**, **Failed**, or **In Progress**. A completion percentage and progress bar also appear. To see more details about a specific task, select the task name. A pane opens on the right side of your screen that provides more information.

+3. Select **Refresh** to see the latest status of all items in the Task Manager.

+## Filter for labels

+After you label assets in your inventory, you can use inventory filters to retrieve a list of all assets with a specific label applied.

+1. On the leftmost pane of your Defender EASM resource, select **Inventory**.

+2. Select **Add filter**.

+3. Select **Labels** from the **Filter** dropdown list. Select an operator and choose a label from the dropdown list of options. The following example shows how to search for a single label. You can use the **In** operator to search for multiple labels. For more information on filters, see the [inventory filters overview](inventory-filters.md).

+ 

+4. Select **Apply**. The inventory list page reloads and displays all assets that match your criteria.

+## Asset chain-based management

+In some instances, you may wish to remove multiple assets at once based on the means with which they were discovered. For example, you may determine that a particular seed within a discovery group has pulled in assets that are not relevant to your organization, or you may need to remove assets that relate to a subsidiary that is no longer under your purview. For this reason, Defender EASM offers the ability to remove the source entity and any assets "downstream" in the discovery chain. You can delete linked assets with the following three methods:

+- **Seed-based management:** users can delete a seed that was previously included in a discovery group, removing all assets that were introduced to inventory through an observed connection to the specified seed. This method is useful when you can determine that a specific manually inputted seed resulted in undesired assets being added to inventory.

+- **Discovery chain management**: users can identify an asset within a discovery chain and delete it, simultaneously removing any assets discovered by that entity. Discovery is a recursive process; it scans seeds to identify new assets directly associated to these designated seeds, then continues to scan the newly discovered entities to unveil more connections. This deletion approach is useful when your discovery group is properly configured, but you need to remove a newly discovered asset and any asset(s) brought into inventory by association to that entity. Consider your discovery group settings and designated seeds to be the "top" of your discovery chain; this deletion approach allows you to remove assets from the middle.

+- **Discovery group management:** users can remove entire discovery group(s) and all assets that were introduced to inventory through this discovery group. This is useful when an entire discovery group is no longer applicable to your organization. For instance, you may have a discovery group that specifically searches for assets related to a subsidiary. If this subsidiary is no longer relevant to your organization, you can leverage asset chain-based management to delete all assets brought into inventory through that discovery group.

+ You can still view removed assets in Defender EASM; simply filter your inventory list for assets in the "Archived" state.

+### Seed-based deletion

+You may decide that one of your initially designated discovery seeds should no longer be included in a discovery group. The seed may no longer be relevant to your organization, or it might be bringing in more false positives than legitimate owned assets. In this situation, you can remove the seed from your Discovery Group to prevent it from being used in future discovery runs while simultaneously removing any assets that have been brought to inventory through the designated seed in the past.

+To perform a bulk removal based on a seed, route to the appropriate Discovery Group details page and click "Edit discovery group." Follow the prompts to reach the Seeds page, and remove the problematic seed from the list. When you select "Review + Update", you will see a warning that indicates that all assets discovered through the designated seed will be removed as well. Select "Update" or "Update & Run" to complete the deletion.

+

+### Discovery chain-based deletion

+In the following example, imagine that you've discovered an insecure login form on your Attack Surface Summary dashboard. Your investigation routes you to a host that does not appear to be owned by your organization. You view the asset details page for more information; upon reviewing the Discovery chain, you learn that the host was brought into inventory because the corresponding domain was registered using an employee's corporate email address that was also used to register approved business entities.

+

+In this situation, the initial discovery seed (the corporate domain) is still legitimate so we need to instead remove a problematic asset from the discovery chain. While we could perform the chain deletion from the contact email, we'll instead elect to remove everything associated to the personal domain registered to this employee so that Defender EASM will alert us of any other domains registered to that email address in the future. From the discovery chain, select this personal domain to view the asset details page. From this view, select "Remove from discovery chain" to remove the asset from your inventory, as well as all assets brought into inventory due to an observed connection to the personal domain. You will be asked to confirm the removal of the asset and all downstream assets and will be presented with a summarized list of the other assets that will be removed with this action. Select "Remove discovery chain" to confirm the bulk removal.

+

+### Discovery group deletion

+You may need to delete and entire discovery group and all the assets discovered through the group. For instance, your company may have sold a subsidiary that no longer needs to be monitored. Users can delete discovery groups from the Discovery management page. To remove a discovery group and all related assets, simply select the trash bin icon next to the appropriate group in the list. You will receive a warning that lists a summary of the assets that will be removed with this action. To confirm the deletion of the discovery group; and all related assets, select "Remove discovery group."

+

+

+## Next steps

+- [Inventory filters overview](inventory-filters.md)

+- [Understand inventory assets](understanding-inventory-assets.md)

+- [Understand asset details](understanding-asset-details.md)

+ Title: Blue/Green deployments using Azure Front Door

+description: Learn how to use Azure Front Door to implement a blue/green deployment strategy for your web applications.

+# Blue/green deployments using Azure Front Door

+*Blue/Green deployment* is a software release methodology that gradually introduces application enhancements to a small subset of end users. If the enhancements are successful, the number of users on the new deployment is slowly increased until all users are on the new deployment. If there are any issues, requests are routed to the old backend with the previous application version. This method is a safer way to introduce code changes than suddenly pointing all users to the new enhancements.

+Azure Front Door is MicrosoftΓÇÖs modern cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access between your users and your applicationsΓÇÖ static and dynamic web content across the globe. This article explains how to use Azure Front DoorΓÇÖs global load balancing capabilities to set up a blue/green deployment model for your backends.

+## Prerequisites

+* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Create an Azure Front Door profile

+1. Sign in to the [Azure portal](https://portal.azure.com/?WT.mc_id=A261C142F).

+1. Select **Create a resource** from the home page, search for *Front Door and CDN profiles*, and select **Create**.

+1. Select **Custom create** on the *Compare offerings* page, and then select **Continue to create a Front Door**.

+1. On the **Basics** tab, enter or select the following information:

+ | Settings | Values |

+ | -- | -- |

+ | Subscriptions | Select your subscription. |

+ | Resource group | Select **Create new** and enter myAFDResourceGroup into the text box. |

+ | Resource group location | Select **East US**. |

+ | Name | Enter a unique name for your Front Door profile. |

+ | Tier | Select **Standard**. |

+1. Select the **Endpoints** tab, and then select **Add endpoint**. Enter a globally unique name for your endpoint, and then select **Add**. You can create more endpoints after the deployment.

+1. Select **+ Add a route** to configure routing to your Web App origin.

+ :::image type="content" source="./media/blue-green-deployment/endpoint.png" alt-text="Screenshot of the add a new endpoint for a new Azure Front Door profile.":::

+1. Provide a name for the route and configure the route settings based on the needs of your application. For more information, see [Create a Front Door for your application](create-front-door-portal.md#create-a-front-door-for-your-application).

+ :::image type="content" source="./media/blue-green-deployment/add-a-route.png" alt-text="Screenshot of the added route page for a new Azure Front Door profile.":::

+1. To create a new origin group, select **Add a new origin group** and enter *myOriginGroup* as the name.

+1. Select **+ Add** to add an origin to the origin group. Enter the following information for the existing version of the application:

+ :::image type="content" source="./media/blue-green-deployment/add-current-origin.png" alt-text="Screenshot of the adding the first origin in an origin group for a new Azure Front Door profile.":::

+ | Settings | Values |

+ | -- | -- |

+ | Name | Enter **CurrentWebApp** for the name. |

+ | Origin type | Select *App Service* from the dropdown. |

+ | Hostname | Enter the hostname of your Web App. This example uses *webapp-current.azurewebsites.net*. |

+ | Priority | Enter **1**. |

+ | Weight | Enter **75**. |

+ | Status | Select the check box for **Enable this origin**. |

+1. Select **+ Add** to add another origin to the origin group. Enter the following information for the new version of the application:

+ :::image type="content" source="./media/blue-green-deployment/add-new-origin.png" alt-text="Screenshot of the adding the second origin in an origin group for a new Azure Front Door profile.":::

+ | Settings | Values |

+ | -- | -- |

+ | Name | Enter **NewWebApp** for the name. |

+ | Origin type | Select *App Service* from the dropdown. |

+ | Hostname | Enter the hostname of your Web App. This example uses *webapp-new.azurewebsites.net*. |

+ | Priority | Enter **1**. |

+ | Weight | Enter **25**. |

+ | Status | Leave **Enable this origin** unchecked. |

+ > [!NOTE]

+ > Initially you want to set the weight of the current origin higher than the new origin. This ensures that most of the traffic is routed to the current origin. As you test the new origin, you can gradually increase the weight of the new origin and decrease the weight of the current origin. The total weight doesn't have to add up to be 100, although it will help you visualize the traffic distribution. The example sets the existing origin to receive three times as much traffic as the new origin.

+1. Enable session affinity if your application requires it. For more information, see [Session affinity](routing-methods.md#session-affinity).

+ > [!NOTE]

+ > *Session affinity* determines if the end user gets routed to the same origin after the first first request goes through Azure Front Door. Whether or not you enable this feature depends on your application, and the type of enhancements being rolled out. If it is a major revision, you might want to enable session affinity, so that if users were initially routed to the new codebase they will continue to use it. If the enhancement is relatively minor, for example, involving a single page with no dependencies on other parts of the application, you can potentially leave session affinity disabled. When in doubt, have session affinity enabled.

+1. Health probe settings can be left at the default values. You can adjust the probe settings based on the needs of your application. For more information, see [Health probes](health-probes.md).

+1. Under **Load balancing settings**, enter the following information:

+ :::image type="content" source="./media/blue-green-deployment/configure-origin-group-settings.png" alt-text="Screenshot of configuring the origin group settings.":::

+ | Settings | Values |

+ | -- | -- |

+ | Sample size | Enter **4**. |

+ | Successful samples required | Enter **3**. |

+ | Latency sensitivity (in milliseconds) | Enter **500**. |

+ > [!NOTE]

+ > We recommend setting the latency sensitivity to 500 milliseconds (half a second) or higher. This ensures that both origins gets used, as it is possible that one origin is faster than the other.

+1. Select **Add** to add the origin group. Then select **Review + create** to review the settings of your Front Door profile. Select **Create** to create the profile.

+## Start Blue/Green deployment

+When you're ready to begin the blue/green deployment, you can start by enabling the new origin. This starts routing traffic to the new origin, while still allowing you to revert back to the old origin if needed.

+1. After the Front Door profile gets created, go to the origin group you created earlier. Select the new origin, and then select **Enable this origin**. This starts routing traffic to the new origin.

+ :::image type="content" source="./media/blue-green-deployment/enable-new-origin.png" alt-text="Screenshot of enabling the new origin to receive traffic.":::

+1. Monitor the new origin to ensure that it's working as expected. Once you're confident that the new origin is working as expected, you can gradually increase the weight of the new origin and decrease the weight of the old origin. Keep increasing the weight of the new origin until all traffic is routed to the new origin.

+1. If you experience any issues with the new origin, you can disable the new origin to route all traffic back to the old origin. This process allows you to investigate and fix the issues without impacting your users.

+## Next steps

+[Secure traffic to your Azure Front Door origins](origin-security.md)

+ - Using the `metadata.gatekeeper.sh/requires-sync-data` annotation in a constraint template to configure the [replication of data](https://open-policy-agent.github.io/gatekeeper/website/docs/sync) from your cluster into the OPA cache is currently only allowed for built-in policies. This is because it can dramatically increase the Gatekeeper pods' resource usage if not used carefully.

+The Bulk Export feature allows data to be exported from the FHIR Server per the [FHIR specification](https://www.hl7.org/fhir/uv/bulkdata/).

+After configuring the Azure API for FHIR for export, you can use the $export command to export the data out of the service. The data will be stored into the storage account you specified while configuring export. To learn how to invoke $export command in FHIR server, read documentation on the [HL7 FHIR $export specification](https://www.hl7.org/fhir/uv/bulkdata/).

+* [System](https://www.hl7.org/fhir/uv/bulkdata/): `GET https://<<FHIR service base URL>>/$export>>`

+* [Patient](https://www.hl7.org/fhir/uv/bulkdata/): `GET https://<<FHIR service base URL>>/Patient/$export>>`

+* [Group of patients*](https://www.hl7.org/fhir/uv/bulkdata/) - Azure API for FHIR exports all related resources but doesn't export the characteristics of the group: `GET https://<<FHIR service base URL>>/Group/[ID]/$export>>`

+There are two required header parameters that must be set for $export jobs. The values are defined by the current [$export specification](https://www.hl7.org/fhir/uv/bulkdata/).

+The server will always return an OperationOutcome as the result.

+This request will validate the resource. On validation resources are not created in FHIR service, you will need to send a POST request without $validate to create resource.

+The FHIR service supports the `$export` operation [specified by HL7](https://www.hl7.org/fhir/uv/bulkdata/) for exporting FHIR data from a FHIR server. In the FHIR service implementation, calling the `$export` endpoint causes the FHIR service to export data into a pre-configured Azure storage account.

+By using the bulk `$export` operation in the FHIR service, you can export data as described in the [HL7 FHIR Bulk Data Access specification](https://www.hl7.org/fhir/uv/bulkdata/).

+For general information about the FHIR `$export` API spec, see the [HL7 FHIR Export Request Flow](https://www.hl7.org/fhir/uv/bulkdata/) documentation.

+* [System](https://www.hl7.org/fhir/uv/bulkdata/): `GET {{fhirurl}}/$export`

+* [Patient](https://www.hl7.org/fhir/uv/bulkdata/): `GET {{fhirurl}}/Patient/$export`

+* [Group of patients](https://www.hl7.org/fhir/uv/bulkdata/)\*: `GET {{fhirurl}}/Group/[ID]/$export`

+In addition to checking the presence of exported files in your storage account, you can check your `$export` operation status through the URL in the `Content-Location` header that's returned in the FHIR service response. For more information, see the [Bulk Data Status Request](https://www.hl7.org/fhir/uv/bulkdata/) documentation from HL7.

+Two required header parameters must be set for `$export` jobs. The values are set according to the current HL7 [$export specification](https://www.hl7.org/fhir/uv/bulkdata/).

+For more information about canceling an `$export` operation, see the [Bulk Data Delete Request](https://www.hl7.org/fhir/uv/bulkdata/) documentation from HL7.

+Yes. You can use [Azure Active Directory B2C](../../active-directory-b2c/overview.md) (Azure AD B2C) with the FHIR service to grant access to your applications and users. For more information, see [Use Azure Active Directory B2C to grant access to the FHIR service](../fhir/azure-ad-b2c-setup.md).

+**Request up to 100 TB of storage for the FHIR service**

+The FHIR service can store and exchange large amounts of health data, and each FHIR service instance has a 4 TB storage limit by default. If you have more data, you can ask Microsoft to increase storage up to 100 TB for your FHIR service.

+

+By adding more storage, organizations can handle large data sets to enable analytics scenarios. For example, you can use more storage to manage population health, conduct research, and gain new insights from health data. Plus, more storage enables Azure API for FHIR customers with high-volume data (greater than 4 TB) to migrate to the FHIR service in Azure Health Data Services.

+

+To request storage greater than 4 TB, [create a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) on the Azure portal and use the issue type **Service and Subscription limit (quotas)**.

+> Due to an issue with billing metrics for storage, customers who opt for more than 4 TB of storage capacity won't be billed for storage until the issue is resolved.

+With the integration of Azure Data Lake Storage available for preview, organizations have full control over their imaging data and increased flexibility for accessing and working with that data through the Azure storage ecosystem and APIs. By using Azure Data Lake Storage with the DICOM service, organizations are able to:

+This feature improvement is applicable to System export, for more information on export, see [FHIR specification](https://hl7.org/fhir/uv/bulkdata/)

+Also see [Export your FHIR data by invoking the $export command on the FHIR service](./../healthcare-apis/fhir/export-data.md)

+> [!IMPORTANT]

+> Triggers in the IoT Central connector won't work unless the Logic App has a public endpoint. To learn more, see [Considerations for inbound traffic to Logic Apps through private endpoints](../../logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint.md#considerations-for-inbound-traffic-through-private-endpoints).

+ Title: Azure IoT Central integration guide

+# IoT Central integration and extension guide

+- Trigger business flows and activities by using IoT Central rules.

+- Interact with IoT Central programmatically by using the IoT Central REST APIs.

+## Export data

+Devices can send complex telemetry that needs to be simplified before IoT Central can use it or export it. In some scenarios, you need to normalize the telemetry from different devices so that you can display and process the telemetry consistently. To learn more, see [Map telemetry on ingress to IoT Central](howto-map-data.md).

+ You can add rules to an IoT Central application that run customizable actions. Rules evaluate conditions, based on data coming from a device, to determine when to run an action. Actions include sending messages to other cloud services or calling a webhook endpoint. Rules enable extension scenarios such as:

+ - Notifying operators in other systems.

+ - Starting business processes or flows.

+ - Monitoring alerts on a custom dashboard.

+ To learn more about rules, see:

+You use *data plane* REST APIs to access the entities in and the capabilities of your IoT Central application. For example, managing devices, device templates, users, and roles. The IoT Central REST API operations are data plane operations. The REST APIs enable extension scenarios such as:

+- Programmatic management of your IoT Central applications.

+- Tight integration with other applications.

+To learn more, see [Tutorial: Use the REST API to manage an Azure IoT Central application](tutorial-use-rest-api.md).

+You use the *control plane* to manage IoT Central-related resources in your Azure subscription. You can use the REST API, the Azure CLI, or Resource Manager templates for control plane operations. For example, you can use the Azure CLI to create an IoT Central application. To learn more, see [Manage IoT Central from Azure CLI](howto-manage-iot-central-from-cli.md).

+To add an IP filter rule, select **Add IP Filter Rule**. To quickly add your computer's IP address, select **Add your client IP address**.

+## Apply IP filter rules to the built-in Event Hubs compatible endpoint

+To apply the IP filter rules to the built-in Event Hubs compatible endpoint, check the box next to **Apply IP filters to the built-in endpoint?**, then select **Save**.

+The IP filter rules are applied at the IoT Hub service level. Therefore, the IP filter rules apply to all connections from devices and back-end apps using any supported protocol. Also, you can choose if the [built-in Event Hubs compatible endpoint](iot-hub-devguide-messages-read-builtin.md) (not via the IoT Hub connection string) are bound to these rules.

+description: Use the Azure IoT Operations portal or the Azure CLI to manage your asset configurations remotely and enable data to flow from your assets to an MQTT broker.

+This article describes how to use the Azure IoT Operations (preview) portal and the Azure CLI to:

+## Sign in

+# [Azure IoT Operations portal](#tab/portal)

+To sign in to the Azure IoT Operations portal, navigate to the [Azure IoT Operations portal](https://iotoperations.azure.com) in your browser and sign in by using your Microsoft Entra ID credentials.

+# [Azure CLI](#tab/cli)

+Before you use the `az az iot ops asset` commands, sign in to the subscription that contains your Azure IoT Operations deployment:

+```azurecli

+az login

+```

+# [Azure IoT Operations portal](#tab/portal)

+# [Azure CLI](#tab/cli)

+Run the following command:

+```azurecli

+az iot ops asset endpoint create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --cluster {your cluster name}

+```

+> [!TIP]

+> Use `az connectedk8s list` to list the clusters you have access to.

+To learn more, see [az iot ops asset endpoint](/cli/azure/iot/ops/asset/endpoint).

+This configuration deploys a new `assetendpointprofile` resource called `opc-ua-connector-0` to the cluster. After you define an asset, an OPC UA connector pod discovers it. The pod uses the asset endpoint that you specify in the asset definition to connect to an OPC UA server.

+# [Azure IoT Operations portal](#tab/portal)

+# [Azure CLI](#tab/cli)

+To use the `UsernamePassword` authentication mode, complete the following steps:

+1. Follow the steps in [Configure OPC UA user authentication with username and password](howto-configure-opcua-authentication-options.md#configure-opc-ua-user-authentication-with-username-and-password) to add secrets for username and password in Azure Key Vault, and project them into Kubernetes cluster.

+1. Use a command like the following example to create your asset endpoint:

+ ```azurecli

+ az iot ops asset endpoint create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --cluster {your cluster name} --username-ref "aio-opc-ua-broker-user-authentication/username" --password-ref "aio-opc-ua-broker-user-authentication/password"

+ ```

+# [Azure IoT Operations portal](#tab/portal)

+# [Azure CLI](#tab/cli)

+1. Follow the steps in [Configure OPC UA transport authentication](howto-configure-opcua-authentication-options.md#configure-opc-ua-transport-authentication) to add a transport certificate and private key to Azure Key Vault, and project them into Kubernetes cluster.

+1. Use a command like the following example to create your asset endpoint:

+ ```azurecli

+ az iot ops asset endpoint create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --cluster {your cluster name} --username-ref "aio-opc-ua-broker-user-authentication/username" --password-ref "aio-opc-ua-broker-user-authentication/password" --cert secret=aio-opc-ua-broker-client-certificate thumbprint=000000000000000000 password=aio-opc-ua-broker-client-certificate-password

+ ```

+To learn more, see [az iot ops asset](/cli/azure/iot/ops/asset).

+# [Azure IoT Operations portal](#tab/portal)

+1. Select the **Assets** tab. Before you create any assets, you see the following screen:

+ - **Queue size**: The depth of the queue to hold the sampling data before publishing it.

+# [Azure CLI](#tab/cli)

+Use the following command to add a "thermostat" asset by using the Azure CLI. The command adds two tags to the asset by using the `--data` parameter:

+```azurecli

+az iot ops asset create --name thermostat -g {your resource group name} --cluster {your cluster name} --endpoint opc-ua-connector-0 --description 'A simulated thermostat asset' --data data_source='ns=3;s=FastUInt10', name=temperature --data data_source='ns=3;s=FastUInt100', name='Tag 10'

+```

+When you create an asset by using the Azure CLI, you can define:

+- Multiple tags by using the `--data` parameter multiple times.

+- Multiple events by using the `--event` parameter multiple times.

+- Optional information for the asset such as:

+ - Manufacturer

+ - Manufacturer URI

+ - Model

+ - Product code

+ - Hardware version

+ - Software version

+ - Serial number

+ - Documentation URI

+- Default values for sampling interval, publishing interval, and queue size.

+- Tag specific values for sampling interval, publishing interval, and queue size.

+- Event specific values for sampling publishing interval, and queue size.

+- The observability mode for each tag and event

+# [Azure IoT Operations portal](#tab/portal)

+ - **Queue size**: The depth of the queue to hold the sampling data before publishing it.

+# [Azure CLI](#tab/cli)

+When you create an asset by using the Azure CLI, you can define multiple events by using the `--event` parameter multiple times. The syntax for the `--event` parameter is similar to the `--data` parameter:

+```azurecli

+az iot ops asset create --name thermostat -g {your resource group name} --cluster {your cluster name} --endpoint opc-ua-connector-0 --description 'A simulated thermostat asset' --event event_notifier='ns=3;s=FastUInt12', name=warning

+```

+For each event that you define, you can specify the:

+- Event notifier. This value is the event notifier from the OPC UA server.

+- Event name. This value is the friendly name that you want to use for the event. If you don't specify an event name, the event notifier is used as the event name.

+- Observability mode.

+- Queue size.

+# [Azure IoT Operations portal](#tab/portal)

+# [Azure CLI](#tab/cli)

+To list your assets, use the following command:

+```azurecli

+az iot ops asset query -g {your resource group name}

+```

+> [!TIP]

+> You can refine the query command to search for assets that match specific criteria. For example, you can search for assets by manufacturer.

+To view the details of the thermostat asset, use the following command:

+```azurecli

+az iot ops asset show --name thermostat -g {your resource group}

+```

+To update an asset, use the `az iot ops asset update` command. For example, to update the asset's description, use a command like the following example:

+```azurecli

+az iot ops asset update --name thermostat --description 'A simulated thermostat asset' -g {your resource group}

+```

+To list the thermostat asset's tags, use the following command:

+```azurecli

+az iot ops asset data-point list --asset thermostat -g {your resource group}

+```

+To list the thermostat asset's events, use the following command:

+```azurecli

+az iot ops asset event list --asset thermostat -g {your resource group}

+```

+To add a new tag to the thermostat asset, use a command like the following example:

+```azurecli

+az iot ops asset data-point add --asset thermostat -g {your resource group} --data-source 'ns=3;s=FastUInt1002' --name 'humidity'

+```

+To delete a tag, use the `az iot ops asset data-point remove` command.

+You can manage an asset's events by using the `az iot ops asset event` commands.

+# [Azure IoT Operations portal](#tab/portal)

+# [Azure CLI](#tab/cli)

+To delete an asset, use a command that looks like the following example:

+```azurecli

+az iot ops asset delete --name thermostat -g {your resource group name}

+```

+Whenever you make a change to asset in the Azure IoT Operations portal, you see a notification that reports the status of the operation:

+- [az iot ops asset](/cli/azure/iot/ops/asset)

+- [az iot ops asset endpoint](/cli/azure/iot/ops/asset/endpoint)

+For more information, see the steps to [export Azure App Service certificates](/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#export-an-app-service-certificate).

+tenantId=$(az account show --query tenantId) # Get your tenantId

+[Learn more](https://www.cpacket.com/)

+| [**Logic Apps Standard Reader (Preview)**](../role-based-access-control/built-in-roles.md#logic-apps-standard-reader-preview) | You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. |

+| [**Logic Apps Standard Operator (Preview)**](../role-based-access-control/built-in-roles.md#logic-apps-standard-operator-preview) | You have access to enable, resubmit, and disable workflows and to create connections to services, systems, and networks for a Standard logic app. The Operator role can perform administration and support tasks on the Azure Logic Apps platform, but doesn't have permissions to edit workflows or settings. |

+| [**Logic Apps Standard Developer (Preview)**](../role-based-access-control/built-in-roles.md#logic-apps-standard-developer-preview) | You have access to create and edit workflows, connections, and settings for a Standard logic app. The Developer role doesn't have permissions to make changes outside the scope of workflows, for example, application-wide changes such as configure virtual network integration. App Service Plans aren't supported. |

+| [**Logic Apps Standard Contributor (Preview)**](../role-based-access-control/built-in-roles.md#logic-apps-standard-contributor-preview) | You have access to manage all aspects of a Standard logic app, but you can't change access or ownership. |

+> This is not a complete list of the hosts required for all Visual Studio Code resources on the internet, only the most commonly used. For example, if you need access to a GitHub repository or other host, you must identify and add the required hosts for that scenario. For a complete list of host names, see [Network Connections in Visual Studio Code](https://code.visualstudio.com/docs/setup/network).

+| `vscode.download.prss.microsoft.com` | Used for Visual Studio Code download CDN |

+ from mlflow.tracking import MlflowClient

+ ```

+1. Initialize the MLflow client

+ ```python

+ mlflow_client = MlflowClient()

+ # Creating a unique endpoint name with current datetime to avoid conflicts

+ import datetime

+

+ endpoint_name = "sklearn-diabetes-" + datetime.datetime.now().strftime("%m%d%H%M%f")

+ Write this configuration into a `JSON` file:

+- [Troubleshoot online endpoint deployment](how-to-troubleshoot-managed-online-endpoints.md)

+Azure Machine Learning supports MLflow for model management when connected to a workspace. Such approach represents a convenient way to support the entire model lifecycle for users familiar with the MLFlow client. The following article describes the different capabilities and how it compares with other options.

+* Notice that organizational registries are not supported for model management with MLflow.

+| [Organizational registries](how-to-manage-registries.md) support | | | **&check;** | **&check;** |

+> - <sup>5</sup> Use [registries](how-to-manage-registries.md) to move models across different workspaces while keeping lineage.

+curl https://management.azure.com/subscriptions/<YOUR-SUBSCRIPTION-ID>/resourceGroups?api-version=2022-04-01 -H "Authorization:Bearer <YOUR-ACCESS-TOKEN>"

+> The `api-version` argument varies from service to service. For the Machine Learning Service, for instance, the current API version is `2023-10-01`. To find the latest API version for other Azure services, see the [Azure REST API reference](/rest/api/azure/) for the specific service.

+curl https://management.azure.com/subscriptions/<YOUR-SUBSCRIPTION-ID>/resourceGroups/<YOUR-RESOURCE-GROUP>/providers/Microsoft.MachineLearningServices/workspaces/?api-version=2023-10-01 \

+ "creationTime": "2023-01-03T19:56:09.7588299+00:00",

+providers/Microsoft.MachineLearningServices/workspaces/<YOUR-WORKSPACE-NAME>/experiments?api-version=2023-10-01 \

+providers/Microsoft.MachineLearningServices/workspaces/<YOUR-WORKSPACE-NAME>/models?api-version=2023-10-01 \

+providers/Microsoft.MachineLearningServices/workspaces/<YOUR-WORKSPACE-NAME>/computes?api-version=2023-10-01 \

+ 'https://management.azure.com/subscriptions/<YOUR-SUBSCRIPTION-ID>/resourceGroups/<YOUR-RESOURCE-GROUP>/providers/Microsoft.MachineLearningServices/workspaces/<YOUR-WORKSPACE-NAME>/computes/<YOUR-COMPUTE-NAME>?api-version=2023-10-01' \

+> [!NOTE]

+/providers/Microsoft.MachineLearningServices/workspaces/<YOUR-NEW-WORKSPACE-NAME>?api-version=2023-10-01' \

+/providers/Microsoft.MachineLearningServices/workspaces/<YOUR-NEW-WORKSPACE-NAME>?api-version=2023-10-01' \

+/providers/Microsoft.MachineLearningServices/workspaces/<YOUR-NEW-WORKSPACE-NAME>?api-version=2023-10-01' \

+> To troubleshoot Spark jobs created during interactive data wrangling in a notebook session, select **Job details** near the top right corner of the notebook UI. A Spark jobs from an interactive notebook session is created under the experiment name **notebook-runs**.

+description: Learn best practices for distributed training with supported frameworks, such as MPI, Horovod, DeepSpeed, PyTorch, TensorFlow, and InfiniBand.

+Learn more about using distributed GPU training code in Azure Machine Learning. This article helps you run your existing distributed training code, and offers tips and examples for you to follow for each framework:

+* TensorFlow

+Review the basic concepts of [distributed GPU training](concept-distributed-training.md), such as *data parallelism*, *distributed data parallelism*, and *model parallelism*.

+> If you don't know which type of parallelism to use, more than 90% of the time you should use **distributed data parallelism**.

+Azure Machine Learning offers an [MPI job](https://www.mcs.anl.gov/research/projects/mpi/) to launch a given number of processes in each node. Azure Machine Learning constructs the full MPI launch command (`mpirun`) behind the scenes. You can't provide your own full head-node-launcher commands like `mpirun` or `DeepSpeed launcher`.

+> The base Docker image used by an Azure Machine Learning MPI job needs to have an MPI library installed. [Open MPI](https://www.open-mpi.org) is included in all the [Azure Machine Learning GPU base images](https://github.com/Azure/AzureML-Containers). When you use a custom Docker image, you are responsible for making sure the image includes an MPI library. Open MPI is recommended, but you can also use a different MPI implementation such as Intel MPI. Azure Machine Learning also provides [curated environments](resource-curated-environments.md) for popular frameworks.

+1. Use an Azure Machine Learning environment with the preferred deep learning framework and MPI. Azure Machine Learning provides [curated environments](resource-curated-environments.md) for popular frameworks. Or [create a custom environment](how-to-manage-environments-v2.md#create-an-environment) with the preferred deep learning framework and MPI.

+1. Define a `command` with `instance_count`. `instance_count` should be equal to the number of GPUs per node for per-process-launch, or set to 1 (the default) for per-node-launch if the user script is responsible for launching the processes per node.

+* The training code is instrumented correctly with Horovod before adding the Azure Machine Learning parts.

+* Your Azure Machine Learning environment contains Horovod and MPI. The PyTorch and TensorFlow curated GPU environments come preconfigured with Horovod and its dependencies.

+* For the full notebook to run the Horovod example, see [azureml-examples: Train a basic neural network with distributed MPI on the MNIST dataset using Horovod](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/single-step/tensorflow/mnist-distributed-horovod/tensorflow-mnist-distributed-horovod.ipynb).

+When running MPI jobs with Open MPI images, you can use the following environment variables for each process launched:

+1. `OMPI_COMM_WORLD_RANK`: The rank of the process

+2. `OMPI_COMM_WORLD_SIZE`: The world size

+3. `AZ_BATCH_MASTER_NODE`: The primary address with port, `MASTER_ADDR:MASTER_PORT`

+4. `OMPI_COMM_WORLD_LOCAL_RANK`: The local rank of the process on the node

+5. `OMPI_COMM_WORLD_LOCAL_SIZE`: The number of processes on the node

+> Despite the name, the environment variable `OMPI_COMM_WORLD_NODE_RANK` doesn't correspond to the `NODE_RANK`. To use per-node-launcher, set `process_count_per_node=1` and use `OMPI_COMM_WORLD_RANK` as the `NODE_RANK`.

+> For data parallelism, the [official PyTorch guidance](https://pytorch.org/tutorials/intermediate/ddp_tutorial.html#comparison-between-dataparallel-and-distributeddataparallel) is to use DistributedDataParallel (DDP) over DataParallel for both single-node and multi-node distributed training. PyTorch also recommends using [DistributedDataParallel over the multiprocessing package](https://pytorch.org/docs/stable/notes/cuda.html#use-nn-parallel-distributeddataparallel-instead-of-multiprocessing-or-nn-dataparallel). Azure Machine Learning documentation and examples therefore focus on DistributedDataParallel training.

+The backbone of any distributed training is based on a group of processes that know each other and can communicate with each other using a backend. For PyTorch, the process group is created by calling [torch.distributed.init_process_group](https://pytorch.org/docs/stable/distributed.html#torch.distributed.init_process_group) in **all distributed processes** to collectively form a process group.

+The most common communication backends used are `mpi`, `nccl`, and `gloo`. For GPU-based training, `nccl` is recommended for best performance and should be used whenever possible.

+`init_method` tells how each process can discover each other, how they initialize and verify the process group using the communication backend. By default, if `init_method` isn't specified, PyTorch uses the environment variable initialization method (`env://`). `init_method` is the recommended initialization method to use in your training code to run distributed PyTorch on Azure Machine Learning. PyTorch looks for the following environment variables for initialization:

+- **`MASTER_ADDR`**: IP address of the machine that hosts the process with rank 0

+- **`MASTER_PORT`**: A free port on the machine that hosts the process with rank 0

+- **`WORLD_SIZE`**: The total number of processes. Should be equal to the total number of devices (GPU) used for distributed training

+- **`RANK`**: The (global) rank of the current process. The possible values are 0 to (world size - 1)

+Many applications also need the following environment variables:

+- **`LOCAL_RANK`**: The local (relative) rank of the process within the node. The possible values are 0 to (# of processes on the node - 1). This information is useful because many operations such as data preparation only should be performed once per node, usually on local_rank = 0.

+- **`NODE_RANK`**: The rank of the node for multi-node training. The possible values are 0 to (total # of nodes - 1).

+1. Specify the training script and arguments.

+Azure Machine Learning sets the `MASTER_ADDR`, `MASTER_PORT`, `WORLD_SIZE`, and `NODE_RANK` environment variables on each node, and sets the process-level `RANK` and `LOCAL_RANK` environment variables.

+* For the full notebook to run the Pytorch example, see [azureml-examples: Distributed training with PyTorch on CIFAR-10](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/single-step/pytorch/distributed-training/distributed-cifar10.ipynb).

+Azure Machine Learning supports [DeepSpeed](https://www.deepspeed.ai/tutorials/azure/) as a first-class citizen to run distributed jobs with near linear scalability in terms of:

+DeepSpeed can be enabled using either Pytorch distribution or MPI for running distributed training. Azure Machine Learning supports the DeepSpeed launcher to launch distributed training as well as autotuning to get optimal `ds` configuration.

+You can use a [curated environment](resource-curated-environments.md) for an out of the box environment with the latest state of art technologies including DeepSpeed, ORT, MSSCCL, and Pytorch for your DeepSpeed training jobs.

+* For DeepSpeed training and autotuning examples, see [these folders](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/deepspeed).

+If you use [native distributed TensorFlow](https://www.tensorflow.org/guide/distributed_training) in your training code, such as TensorFlow 2.x's `tf.distribute.Strategy` API, you can launch the distributed job via Azure Machine Learning using `distribution` parameters or the `TensorFlowDistribution` object.

+If your training script uses the parameter server strategy for distributed training, such as for legacy TensorFlow 1.x, you also need to specify the number of parameter servers to use in the job, inside the `distribution` parameter of the `command`. In the above, for example, `"parameter_server_count" : 1` and `"worker_count": 2`.

+In TensorFlow, the `TF_CONFIG` environment variable is required for training on multiple machines. For TensorFlow jobs, Azure Machine Learning configures and sets the `TF_CONFIG` variable appropriately for each worker before executing your training script.

+You can access `TF_CONFIG` from your training script if you need to: `os.environ['TF_CONFIG']`.

+Example `TF_CONFIG` set on a chief worker node:

+* For the full notebook to run the TensorFlow example, see [azureml-examples: Train a basic neural network with distributed MPI on the MNIST dataset using Tensorflow with Horovod](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/single-step/tensorflow/mnist-distributed-horovod/tensorflow-mnist-distributed-horovod.ipynb).

+InfiniBand can be an important factor in attaining this linear scaling. InfiniBand enables low-latency, GPU-to-GPU communication across nodes in a cluster. InfiniBand requires specialized hardware to operate. Certain Azure VM series, specifically the NC, ND, and H-series, now have RDMA-capable VMs with SR-IOV and InfiniBand support. These VMs communicate over the low latency and high-bandwidth InfiniBand network, which is much more performant than Ethernet-based connectivity. SR-IOV for InfiniBand enables near bare-metal performance for any MPI library (MPI is used by many distributed training frameworks and tooling, including NVIDIA's NCCL software.) These SKUs are intended to meet the needs of computationally intensive, GPU-accelerated machine learning workloads. For more information, see [Accelerating Distributed Training in Azure Machine Learning with SR-IOV](https://techcommunity.microsoft.com/t5/azure-ai/accelerating-distributed-training-in-azure-machine-learning/ba-p/1059050).

+Typically, VM SKUs with an "r" in their name contain the required InfiniBand hardware, and those without an "r" typically do not. ("r" is a reference to RDMA, which stands for *remote direct memory access*.) For instance, the VM SKU `Standard_NC24rs_v3` is InfiniBand-enabled, but the SKU `Standard_NC24s_v3` is not. Aside from the InfiniBand capabilities, the specs between these two SKUs are largely the same. Both have 24 cores, 448-GB RAM, 4 GPUs of the same SKU, etc. [Learn more about RDMA- and InfiniBand-enabled machine SKUs](../virtual-machines/sizes-hpc.md#rdma-capable-instances).

+>The older-generation machine SKU `Standard_NC24r` is RDMA-enabled, but it doesn't contain SR-IOV hardware required for InfiniBand.

+If you create an `AmlCompute` cluster of one of these RDMA-capable, InfiniBand-enabled sizes, the OS image comes with the Mellanox OFED driver required to enable InfiniBand preinstalled and preconfigured.

+> If you use session-level Conda packages, you can [improve](./apache-spark-azure-ml-concepts.md#improving-session-cold-start-time-while-using-session-level-conda-packages) the Spark session *cold start* time if you set the configuration variable `spark.hadoop.aml.enable_cache` to true. A session cold start with session level Conda packages typically takes 10 to 15 minutes when the session starts for the first time. However, subsequent session cold starts with the configuration variable set to true typically take three to five minutes.

+## Import servers using RVTools XLSX (preview)

+As part of your migration journey to Azure using the Azure Migrate appliance, you first discover servers, inventory, and workloads. However, for a quick assessment before you deploy the appliance, you can [import the servers using the RVtools XLSX file (preview)](tutorial-import-vmware-using-rvtools-xlsx.md).

+### Key benefits

+- Helps to create a business case or assess the servers before you deploy the appliance.

+- Aids as an alternative when there's an organizational restriction to deploy Azure Migrate appliance.

+- Helpful when you can't share credentials that allow access to on-premises servers

+- Useful when security constraints prevent you from gathering and sending data collected by the appliance to Azure.

+### Limitations

+#### [Business case considerations](#tab/businesscase)

+If you're importing servers by using an RVTools XLSX file and building a business case, listed below are few limitations:

+- Performance history duration in Azure settings aren't applicable.

+- Servers are classified as unknown in the business case utilization insights chart and are sized as-is without right sizing for Azure or AVS cost.

+#### [Assessment considerations](#tab/assessmentcase)

+If you're importing servers by using an RVTools XLSX file for creating an assessment with the following criteria:

+- Sizing criteria as **performance-based** on the configured CPU and memory (based on the CPUs and Memory columns from the RVTools XLSX).

+- Storage criteria (In use MiB and In use MB for versions prior to 4.1.2)

+You won't be able to provide performance history or percentile information.

+To get an accurate OS suitability/readiness in Azure VM and Azure VMware Solution assessment, enter the **Operating system** version and **architecture** in the respective columns.

+- **Previous version**: For customer using, the previous version of Azure Migrate (only assessment of on-premises VMware VMs was supported), you should now use the current version. In the previous version, you can't create new projects or perform new discoveries.

+ Title: Import on-premises servers in a VMware environment using RVTools XLSX (preview)

+description: Learn how to import on-premises servers in a VMware environment by using the RVTools XLSX (preview).

+#Customer intent: As an VMware admin, I want to import my on-premises servers running in a VMware environment.

+# Tutorial: Import servers running in a VMware environment with RVTools XLSX (preview)

+As part of your migration journey to Azure, you discover your on-premises inventory and workloads.

+This tutorial shows you how to discover the servers that are running in your VMware environment by using RVTools XLSX (preview). When you use this tool, you can control the data shared in the file and there's no need to set up the Azure Migrate appliance to discover servers. [Learn more](migrate-support-matrix-vmware.md#import-servers-using-rvtools-xlsx-preview).

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Prepare an Azure account.

+> * Set up an Azure Migrate project.

+> * Import the RVTools XLSX file.

+> [!NOTE]

+> Tutorials show you the quickest path for trying out a scenario. They use default options where possible.

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin.

+## Prerequisites

+Before you begin this tutorial, ensure that you have the following prerequisites in place:

+- 20,000 servers in a single XLSX file and 35,000 in an Azure Migrate project.

+- The file format should be XLSX.

+- File sensitivity is set to **General** or file protection is set to **Any user**.

+- [Operating system names](migrate-support-matrix.md) specified in the RVTools XLSX (preview) file contains and matches the supported names.

+- The XLSX file should contain the vInfo & vDisk sheets and the VM, Powerstate, Disks, CPUs, Memory, Provisioned MiB, In use MiB, OS according to the configuration file, VM UUID columns from the vInfo sheet and the VM, Capacity MiB columns from the vDisk sheet should be present.

+

+## Prepare an Azure user account

+To create a project and register the Azure Migrate appliance, you must have an Azure user account that has the following permissions:

+- Contributor or Owner permissions in Azure subscription. Complete the procedure to [set Contributor or Owner permissions in the Azure subscription](tutorial-discover-vmware.md#prepare-an-azure-user-account)

+- Permissions to register Microsoft Entra apps.

+- Owner or Contributor and User Access Administrator permission at subscription level to create an instance of Azure Key Vault, which is used during the agentless server migration.

+## Set up an Azure Migrate project

+Follow the instructions on [how to set up an Azure Migrate project](tutorial-discover-import.md#set-up-a-project).

+## Import the servers using the RVTools XLSX file (preview)

+To import the servers using RVTools XLSX (preview) file, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Migrate**.

+1. Under **Migration goals**, select **Servers, databases and web apps**.

+1. On **Azure Migrate | Servers, databases and web apps** page, under **Assessment tools**, select **Discover** and then select **Using import**.

+ :::image type="content" source="./media/tutorial-import-vmware-using-rvtools-xlsx/navigation-using-import.png" alt-text="Screenshot that shows how to navigate to the RVTools import option." lightbox="./media/tutorial-import-vmware-using-rvtools-xlsx/navigation-using-import.png":::

+1. In **Discover** page, in **File type**, select **VMware inventory (RVTools XLSX)**.

+1. In the **Step 1: Import the file** section, select the RVTools XLSX file and then select **Import**.

+ :::image type="content" source="./media/tutorial-import-vmware-using-rvtools-xlsx/select-import.png" alt-text="Screenshot that shows to upload, check status and selecting import." lightbox="./media/tutorial-import-vmware-using-rvtools-xlsx/select-import.png":::

+ We recommend that you don't close the browser tab or attempt to import again while the current import is in progress. The import status provides information on the following:

+ - If there are warnings in the status, you can either fix them or continue without addressing them.

+ - To improve assessment accuracy, improve the server information as suggested in warnings.

+ - If the import status appears as **Failed**, you must fix the errors to continue with the import.

+

+ :::image type="content" source="./media/tutorial-import-vmware-using-rvtools-xlsx/failed-status.png" alt-text="Screenshot that shows to status as failed." lightbox="./media/tutorial-import-vmware-using-rvtools-xlsx/failed-status.png":::

+

+ - To view and fix errors, follow these steps:

+ - Select *Download error details.XLSX* file. This operation downloads the XLSX with warnings included.

+ - Review and address the errors as necessary.

+ - Upload the modified file again.

+When the **Import status** is marked as **Complete**, it implies that the server information is successfully imported.

+## Update server information

+To update the information for a server, follow these steps:

+1. In the *Download error details.XLSX* file, update the rows.

+1. To reimport the data, follow the steps from 1-5 in the [Import using the RVTools XLSX file (preview)](#import-the-servers-using-the-rvtools-xlsx-file-preview).

+> [!NOTE]

+> Currently, we don't support deleting servers after you import them into project.

+## Verify servers in Azure portal

+To verify that the servers appear in the Azure portal after importing, follow these steps:

+1. Go to Azure Migrate dashboard.

+1. On the **Azure Migrate | Servers, databases and web apps >** page, in **Azure Migrate: Discovery and assessment** section, select the icon that displays the count for Discovered servers.

+1. Select the **Import based** tab.

+## Next steps

+- Learn on [key benefits and limitations of using RVTools.XLSX](migrate-support-matrix-vmware.md#import-servers-using-rvtools-xlsx-preview).

+[Azure Migrate](migrate-services-overview.md) helps you to discover, assess and migrate on-premises servers, apps, and data to the Microsoft Azure cloud. This article summarizes new releases and features in Azure Migrate.

+## Update (January 2024)

+- Public preview: Using the RVTools XLSX, you can import on-premises servers' configuration into a VMware environment and create quick business case by assessing the cost of Azure and Azure VMware Solution (AVS) environments. [Learn more](migrate-support-matrix-vmware.md#import-servers-using-rvtools-xlsx-preview).

+- Geo-restore: is available only if you configured your server for geo-redundant storage and it allows you to restore your server to either a geo-paired region or any other Azure supported region where flexible server is available.

+> If you are restoring an Azure Database for MySQL flexible server instance configured with zone redundant high availability, the restored server is configured in the same region and zone as your primary server, and deployed as a single server in a non-HA mode. Refer to [zone redundant high availability](concepts-high-availability.md) for flexible server.

+| Node.js | Windows, Linux, macOS X | [sidorares/node-mysql2](https://github.com/sidorares/node-mysql2/blob/master/website/docs/documentation/00-index.mdx) | [Download](https://github.com/sidorares/node-mysql2) |

+| Brazil South | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+| USGov Virginia | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |

+| West US 3 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+Resource Health signals can generate one or more of the following alerts:

+Once the underlying condition causing an alert is remediated, the alert is cleared and the Resource Health is reported as *Available*.

+ --scope $SCOPE \

+ --scope $SCOPE \

+ --parameters clusterName=$ARO_CLUSTER_NAME \

+## Overview of managed identities

+Managed identities eliminate the need to manage credentials. Managed identities provide an identity for service instances to use when connecting to resources that support Microsoft Entra ID (formerly Azure Active Directory) authentication. For example, the service can use a managed identity to access resources like [Azure Key Vault](../key-vault/general/overview.md), where data admins can securely store credentials or access storage accounts. The service uses the managed identity to obtain Microsoft Entra ID tokens.

+Microsoft Entra ID offers two types of managed identities:

+- **System-assigned:** You can enable a managed identity directly on a resource. When you enable a system-assigned managed identity during the creation of the resource, an identity is created in Microsoft Entra ID tied to that resource's lifecycle. By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. When the resource is deleted, Azure automatically deletes the identity for you.

+- **User-assigned:** You can also create a managed identity as a standalone resource and associate it with other resources. The identity is managed separately from the resources that use it.

+For more general information about managed identities, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview).

+## User-assigned managed identities in Azure Operator Insights

+Azure Operator Insights Data Products use a user-assigned managed identity for:

+- Encryption with customer-managed keys, also called CMK-based encryption.

+- Integration with Microsoft Purview. The managed identity allows the Data Product to manage the collection and the data catalog within the collection.

+When you [create a Data Product](data-product-create.md), you set up the managed identity and associate it with the Data Product. To use the managed identity with Microsoft Purview, you must also [grant the managed identity the appropriate permissions in Microsoft Purview](purview-setup.md#access-and-set-up-your-microsoft-purview-account).

+You use Microsoft Entra ID to manage user-assigned managed identities. For more information, see [Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).

+## System-assigned managed identities in Azure Operator Insights

+Azure Operator Insights doesn't support system-assigned managed identities.

+See [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) for more background on managed identities for Azure resources, on which managed identity in Azure Operator Insights is based.

+Provide the user-assigned managed identity (UAMI) for your Azure Operator Insights Data Product with necessary roles in the Microsoft Purview compliance portal. This UAMI was set up when the Data Product was created. For information on how to set up this UAMI, see [Set up user-assigned managed identity](data-product-create.md#set-up-user-assigned-managed-identity). At the desired collection, assign this UAMI to the **Collection admin**, **Data source admin**, and **Data curator** roles. Alternately, you can apply the UAMI at the root collection/account level. All collections would inherit these role assignments by default.

+ Title: "Azure Operator Nexus: Customize Kubernetes worker nodes with a DaemonSet"

+description: How-to guide for customizing Kubernetes Worker Nodes with a DaemonSet.

+# Customize worker nodes with a DaemonSet

+To meet application requirements, you may need to modify operating system settings, enable a Linux kernel module or install a host-level application package. Use a `DaemonSet` with host privileges to customize worker nodes.

+The example `DaemonSet` sets `registry.contoso.com` to bypass the Cloud Services Network proxy for image pulls, installs the SCTP kernel module and sets `fs.inotify.max_user_instances` to `4096`. Finally, the script applies a label to the Kubernetes Node to ensure the DaemonSet only runs once.

+```yaml

+apiVersion: apps/v1

+kind: DaemonSet

+metadata:

+ name: customized

+ namespace: kube-system

+spec:

+ selector:

+ matchLabels:

+ name: customized

+ template:

+ metadata:

+ labels:

+ name: customized

+ spec:

+ affinity:

+ nodeAffinity:

+ requiredDuringSchedulingIgnoredDuringExecution:

+ nodeSelectorTerms:

+ - matchExpressions:

+ - key: customized

+ operator: NotIn

+ values:

+ - "1"

+ tolerations:

+ - operator: Exists

+ effect: NoSchedule

+ containers:

+ - name: customized

+ image: mcr.microsoft.com/cbl-mariner/base/core:1.0

+ command:

+ - nsenter

+ - --target

+ - "1"

+ - --mount

+ - --uts

+ - --ipc

+ - --net

+ - --pid

+ - --

+ - bash

+ - -exc

+ - |

+ sed -i '/registrycontoso.com/!s/NO_PROXY=/&registry.contoso.com,/' /etc/systemd/system/containerd.service.d/http-proxy.conf

+ systemctl daemon-reload

+ systemctl restart containerd

+ modprobe sctp

+ sed -i 's/^fs.inotify.max_user_instances.*/fs.inotify.max_user_instances = 4096/' /etc/sysctl.d/90-system-max-limits.conf

+ kubectl --kubeconfig=/etc/kubernetes/kubelet.conf label node ${HOSTNAME,,} customized=1

+ sleep infinity

+ resources:

+ limits:

+ memory: 200Mi

+ requests:

+ cpu: 100m

+ memory: 16Mi

+ securityContext:

+ privileged: true

+ hostNetwork: true

+ hostPID: true

+ hostIPC: true

+ terminationGracePeriodSeconds: 0

+```

+And apply the `Daemonset`:

+```bash

+kubectl apply -f /path/to/daemonset.yaml

+```

+- `user@tenant.onmicrosoft.com` is the display name of the Microsoft Entra user.

+ You can use the Azure CLI to get the signed in user and set the value for `PGUGSER` environment variable:

+ ```bash

+ export PGUSER=$(az ad signed-in-user show --query "[displayName]" -o tsv | sed 's/ /\\ /g')

+ ```

+Following the initial password authentication error, you might see another error message indicating that the client is trying to reconnect to the server, this time without SSL encryption. The failure here is due to the server's `pg_hba.conf` configuration not permitting unencrypted connections.

+To avoid this dual attempt and specify the desired SSL mode, use the `sslmode` connection option in your client configuration. For instance, if you're using `libpq` variables in the bash shell, you can set the SSL mode by using the following command:

+Another possible cause of this error is creating a user or role in PostgreSQL without specifying a password. Executing commands like `CREATE USER <user-name>` or `CREATE ROLE <role-name>` without an accompanying password statement results in a user or role with no password set. Attempting to connect with these kinds of users or roles without setting a password will lead to authentication failure with password authentication failed error.

+* **If you suspect a potential security breach**

+ If log capturing isn't already on, get it set up now. Log capturing key for keeping an eye on database activities and catching any odd access patterns. There are several ways to do this, including Azure Monitor Log Analytics and server logs, which help store and analyze database event logs.

+By following these steps, you should be able to resolve the authentication issues and successfully connect to your Azure Database for PostgreSQL - Flexible Server. If you're still facing issues after following the guidance provided, please don't hesitate to [file a support ticket](../../azure-portal/supportability/how-to-create-azure-support-request.md).

+> For Online migrations using Single servers running PostgreSQL 9.5 and 9.6, we explicitly have to allow replication connection. To enable that, add a firewall entry to allowlist connection from target. Make sure the firewall rule name has `_replrule` suffix. The suffic isn't required for Single servers running PostgreSQL 10 and 11. Support for **Online** migrations is currently available in France Central, Germany West Central, North Europe, South Africa North, UAE North, all regions across Asia, Australia, UK and public US regions. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image.

+> The Single to Flex Migration tool is available in all Azure regions and currently supports **Offline** migrations. Support for **Online** migrations is currently available in France Central, Germany West Central, North Europe, South Africa North, UAE North, all regions across Asia, Australia, UK and public US regions. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image.

+> This functionality is enabled by default for flexible servers in all Azure public regions. It will be enabled for flexible servers in gov clouds and China regions soon. Also, please note that this feature is currently disabled for PostgreSQL version 16 servers, and support for it will be introduced in the near future.

+> The Single to Flex Migration tool is available in all Azure regions and currently supports **Offline** migrations. Support for **Online** migrations is currently available in France Central, Germany West Central, North Europe, South Africa North, UAE North, all regions across Asia, Australia, UK and public US regions. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image.

+**Migration mode** gives you the option to pick the mode for the migration. **Offline** is the default option. Support for **Online** migrations is currently available in France Central, Germany West Central, North Europe, South Africa North, UAE North, all regions across Asia, Australia, UK and public US regions. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image.

+[quadrant_contact]:mailto:migrations@quadrantresource.com

+> | [Virtual Machine Local User Login](#virtual-machine-local-user-login) | View Virtual Machines in the portal and login as a local user configured on the arc server | 602da2ba-a5c2-41da-b01d-5360126ab525 |

+> | [Azure Stack HCI Administrator](#azure-stack-hci-administrator) | Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader | bda0d508-adf1-4af0-9c28-88919fc3ae06 |

+> | [Azure Stack HCI Device Management Role](#azure-stack-hci-device-management-role) | Microsoft.AzureStackHCI Device Management Role | 865ae368-6a45-4bd1-8fbf-0d5151f56fc1 |

+> | [Azure Stack HCI VM Contributor](#azure-stack-hci-vm-contributor) | Grants permissions to perform all VM actions | 874d1c73-6003-4e60-a13a-cb31ea190a85 |

+> | [Azure Stack HCI VM Reader](#azure-stack-hci-vm-reader) | Grants permissions to view VMs | 4b3fe76c-f777-4d24-a2d7-b027b0f7b273 |

+> | [Logic App Contributor](#logic-app-contributor) | Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e |

+> | [Logic App Operator](#logic-app-operator) | Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe |

+> | [Logic Apps Standard Contributor (Preview)](#logic-apps-standard-contributor-preview) | You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. | ad710c24-b039-4e85-a019-deb4a06e8570 |

+> | [Logic Apps Standard Developer (Preview)](#logic-apps-standard-developer-preview) | You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. | 523776ba-4eb2-4600-a3c8-f2dc93da4bdb |

+> | [Logic Apps Standard Operator (Preview)](#logic-apps-standard-operator-preview) | You can enable, resubmit, and disable workflows as well as create connections. You can't edit workflows or settings. | b70c96e9-66fe-4c09-b6e7-c98e69c98555 |

+> | [Logic Apps Standard Reader (Preview)](#logic-apps-standard-reader-preview) | You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. | 4accf36b-2c05-432f-91c8-5c532dff4c73 |

+> | [Azure Connected Machine Resource Manager](#azure-connected-machine-resource-manager) | Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group | f5819b54-e033-4d82-ac66-4fec3cbf3f4c |

+> | [Azure Resource Bridge Deployment Role](#azure-resource-bridge-deployment-role) | Azure Resource Bridge Deployment Role | 7b1f81f9-4196-4058-8aae-762e593270df |

+### Virtual Machine Local User Login

+View Virtual Machines in the portal and login as a local user configured on the arc server

+[Learn more](/azure/azure-arc/servers/ssh-arc-troubleshoot)

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/*/read | |

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/listCredentials/action | Gets the endpoint access credentials to the resource. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "View Virtual Machines in the portal and login as a local user configured on the arc server",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525",

+ "name": "602da2ba-a5c2-41da-b01d-5360126ab525",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.HybridCompute/machines/*/read",

+ "Microsoft.HybridConnectivity/endpoints/listCredentials/action"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Virtual Machine Local User Login",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/write | Update the service details in the service configurations of the target resource. |

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/read | Gets the details about the service to the resource. |

+ "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write",

+ "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read",

+> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/Usages/action | |

+> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/afdendpoints/Usages/action | |

+> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/origingroups/Usages/action | |

+> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/rulesets/Usages/action | |

+ "Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action",

+ "Microsoft.Cdn/profiles/Usages/action",

+ "Microsoft.Cdn/profiles/afdendpoints/Usages/action",

+ "Microsoft.Cdn/profiles/origingroups/Usages/action",

+ "Microsoft.Cdn/profiles/rulesets/Usages/action"

+> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/CheckResourceUsage/action | |

+> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/endpoints/CheckResourceUsage/action | |

+ "Microsoft.Support/*",

+ "Microsoft.Cdn/profiles/CheckResourceUsage/action",

+ "Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action"

+[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac)

+[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac)

+[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac)

+[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac)

+### Azure Stack HCI Administrator

+Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader

+[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles)

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/register/action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Unregister/Action | Unregisters the subscription for the Azure Stack HCI resource provider. |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/clusters/* | |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/register/action | Registers the subscription for the Microsoft.HybridCompute Resource Provider |

+> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. |

+> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/write | Creates or updates a resource group. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. |

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/register/action | Register the subscription for Microsoft.HybridConnectivity |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |

+> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. |

+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/* | |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/write | Creates or updates an deployment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |

+> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/installPatches/action | Installs patches on any Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/hybridIdentityMetadata/read | Read any Azure Arc machines's Hybrid Identity Metadata |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/read | Reads any Azure Arc runcommands |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/write | Installs or Updates an Azure Arc runcommands |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/delete | Deletes an Azure Arc runcommands |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/read | Reads any Azure Arc licenses |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses |

+> | Microsoft.ResourceConnector/register/action | Registers the subscription for Appliances resource provider and enables the creation of Appliance. |

+> | Microsoft.ResourceConnector/appliances/read | Gets an Appliance resource |

+> | Microsoft.ResourceConnector/appliances/write | Creates or Updates Appliance resource |

+> | Microsoft.ResourceConnector/appliances/delete | Deletes Appliance resource |

+> | Microsoft.ResourceConnector/locations/operationresults/read | Get result of Appliance operation |

+> | Microsoft.ResourceConnector/locations/operationsstatus/read | Get result of Appliance operation |

+> | Microsoft.ResourceConnector/appliances/listClusterUserCredential/action | Get an appliance cluster user credential |

+> | Microsoft.ResourceConnector/appliances/listKeys/action | Get an appliance cluster customer user keys |

+> | Microsoft.ResourceConnector/operations/read | Gets list of Available Operations for Appliances |

+> | Microsoft.ExtendedLocation/register/action | Registers the subscription for Custom Location resource provider and enables the creation of Custom Location. |

+> | Microsoft.ExtendedLocation/customLocations/read | Gets an Custom Location resource |

+> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |

+> | Microsoft.ExtendedLocation/customLocations/write | Creates or Updates Custom Location resource |

+> | Microsoft.ExtendedLocation/customLocations/delete | Deletes Custom Location resource |

+> | Microsoft.EdgeMarketplace/offers/read | Get a Offer |

+> | Microsoft.EdgeMarketplace/publishers/read | Get a Publisher |

+> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/register/action | Registers Subscription with Microsoft.Kubernetes resource provider |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/write | Creates or updates extension resource. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/delete | Deletes extension instance resource. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/operations/read | Gets Async Operation status. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/namespaces/read | Get Namespace Resource |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Write | Creates/Updates storage containers resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource |

+> | Microsoft.HybridContainerService/register/action | Register the subscription for Microsoft.HybridContainerService |

+> | **Condition** | |

+> | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) | Add or remove role assignments for the following roles:<br/>Azure Connected Machine Resource Manager<br/>Azure Connected Machine Resource Administrator<br/>Azure Connected Machine Onboarding<br/>Azure Stack HCI VM Reader<br/>Azure Stack HCI VM Contributor<br/>Azure Stack HCI Device Management Role<br/>Azure Resource Bridge Deployment Role<br/>Key Vault Secrets User |

+ "description": "Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06",

+ "name": "bda0d508-adf1-4af0-9c28-88919fc3ae06",

+ "Microsoft.AzureStackHCI/register/action",

+ "Microsoft.AzureStackHCI/Unregister/Action",

+ "Microsoft.AzureStackHCI/clusters/*",

+ "Microsoft.HybridCompute/register/action",

+ "Microsoft.GuestConfiguration/register/action",

+ "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",

+ "Microsoft.Resources/subscriptions/resourceGroups/write",

+ "Microsoft.Resources/subscriptions/resourceGroups/delete",

+ "Microsoft.HybridConnectivity/register/action",

+ "Microsoft.Authorization/roleAssignments/write",

+ "Microsoft.Authorization/roleAssignments/delete",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.Resources/subscriptions/read",

+ "Microsoft.Management/managementGroups/read",

+ "Microsoft.Support/*",

+ "Microsoft.AzureStackHCI/*",

+ "Microsoft.Insights/AlertRules/Write",

+ "Microsoft.Insights/AlertRules/Delete",

+ "Microsoft.Insights/AlertRules/Read",

+ "Microsoft.Insights/AlertRules/Activated/Action",

+ "Microsoft.Insights/AlertRules/Resolved/Action",

+ "Microsoft.Insights/AlertRules/Throttled/Action",

+ "Microsoft.Insights/AlertRules/Incidents/Read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",

+ "Microsoft.ResourceHealth/availabilityStatuses/read",

+ "Microsoft.Resources/subscriptions/read",

+ "Microsoft.Resources/subscriptions/operationresults/read",

+ "Microsoft.HybridCompute/machines/read",

+ "Microsoft.HybridCompute/machines/write",

+ "Microsoft.HybridCompute/machines/delete",

+ "Microsoft.HybridCompute/machines/UpgradeExtensions/action",

+ "Microsoft.HybridCompute/machines/assessPatches/action",

+ "Microsoft.HybridCompute/machines/installPatches/action",

+ "Microsoft.HybridCompute/machines/extensions/read",

+ "Microsoft.HybridCompute/machines/extensions/write",

+ "Microsoft.HybridCompute/machines/extensions/delete",

+ "Microsoft.HybridCompute/operations/read",

+ "Microsoft.HybridCompute/locations/operationresults/read",

+ "Microsoft.HybridCompute/locations/operationstatus/read",

+ "Microsoft.HybridCompute/machines/patchAssessmentResults/read",

+ "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",

+ "Microsoft.HybridCompute/machines/patchInstallationResults/read",

+ "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",

+ "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",

+ "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",

+ "Microsoft.HybridCompute/osType/agentVersions/read",

+ "Microsoft.HybridCompute/osType/agentVersions/latest/read",

+ "Microsoft.HybridCompute/machines/runcommands/read",

+ "Microsoft.HybridCompute/machines/runcommands/write",

+ "Microsoft.HybridCompute/machines/runcommands/delete",

+ "Microsoft.HybridCompute/machines/licenseProfiles/read",

+ "Microsoft.HybridCompute/machines/licenseProfiles/write",

+ "Microsoft.HybridCompute/machines/licenseProfiles/delete",

+ "Microsoft.HybridCompute/licenses/read",

+ "Microsoft.HybridCompute/licenses/write",

+ "Microsoft.HybridCompute/licenses/delete",

+ "Microsoft.ResourceConnector/register/action",

+ "Microsoft.ResourceConnector/appliances/read",

+ "Microsoft.ResourceConnector/appliances/write",

+ "Microsoft.ResourceConnector/appliances/delete",

+ "Microsoft.ResourceConnector/locations/operationresults/read",

+ "Microsoft.ResourceConnector/locations/operationsstatus/read",

+ "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",

+ "Microsoft.ResourceConnector/appliances/listKeys/action",

+ "Microsoft.ResourceConnector/operations/read",

+ "Microsoft.ExtendedLocation/register/action",

+ "Microsoft.ExtendedLocation/customLocations/read",

+ "Microsoft.ExtendedLocation/customLocations/deploy/action",

+ "Microsoft.ExtendedLocation/customLocations/write",

+ "Microsoft.ExtendedLocation/customLocations/delete",

+ "Microsoft.EdgeMarketplace/offers/read",

+ "Microsoft.EdgeMarketplace/publishers/read",

+ "Microsoft.Kubernetes/register/action",

+ "Microsoft.KubernetesConfiguration/register/action",

+ "Microsoft.KubernetesConfiguration/extensions/write",

+ "Microsoft.KubernetesConfiguration/extensions/read",

+ "Microsoft.KubernetesConfiguration/extensions/delete",

+ "Microsoft.KubernetesConfiguration/extensions/operations/read",

+ "Microsoft.KubernetesConfiguration/namespaces/read",

+ "Microsoft.KubernetesConfiguration/operations/read",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.AzureStackHCI/StorageContainers/Write",

+ "Microsoft.AzureStackHCI/StorageContainers/Read",

+ "Microsoft.HybridContainerService/register/action"

+ "notDataActions": [],

+ "conditionVersion": "2.0",

+ "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))"

+ "roleName": "Azure Stack HCI Administrator",

+### Azure Stack HCI Device Management Role

+Microsoft.AzureStackHCI Device Management Role

+[Learn more](/azure-stack/hci/deploy/deployment-azure-resource-manager-template)

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/* | |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/EdgeDevices/* | |

+ "description": "Microsoft.AzureStackHCI Device Management Role",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/865ae368-6a45-4bd1-8fbf-0d5151f56fc1",

+ "name": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1",

+ "Microsoft.AzureStackHCI/Clusters/*",

+ "Microsoft.AzureStackHCI/EdgeDevices/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read"

+ "roleName": "Azure Stack HCI Device Management Role",

+### Azure Stack HCI VM Contributor

+Grants permissions to perform all VM actions

+[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles)

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualMachines/* | |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/virtualMachineInstances/* | |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/NetworkInterfaces/* | |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualHardDisks/* | |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualNetworks/Read | Gets/Lists virtual networks resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualNetworks/join/action | Joins virtual networks resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/LogicalNetworks/Read | Gets/Lists logical networks resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/LogicalNetworks/join/action | Joins logical networks resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/GalleryImages/Read | Gets/Lists gallery images resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/GalleryImages/deploy/action | Deploys gallery images resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/deploy/action | Deploys storage containers resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/MarketplaceGalleryImages/Read | Gets/Lists market place gallery images resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/MarketPlaceGalleryImages/deploy/action | Deploys market place gallery images resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/Read | Gets clusters |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/delete | Deletes a deployment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/cancel/action | Cancels a deployment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/validate/action | Validates an deployment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/whatIf/action | Predicts template deployment changes. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/write | Creates or updates an deployment. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |

+> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/installPatches/action | Installs patches on any Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/hybridIdentityMetadata/read | Read any Azure Arc machines's Hybrid Identity Metadata |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/read | Reads any Azure Arc runcommands |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/write | Installs or Updates an Azure Arc runcommands |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/delete | Deletes an Azure Arc runcommands |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/read | Reads any Azure Arc licenses |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses |

+> | Microsoft.ExtendedLocation/customLocations/Read | Gets an Custom Location resource |

+> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. |

+> | *none* | |

+ "description": "Grants permissions to perform all VM actions",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/874d1c73-6003-4e60-a13a-cb31ea190a85",

+ "name": "874d1c73-6003-4e60-a13a-cb31ea190a85",

+ "Microsoft.AzureStackHCI/VirtualMachines/*",

+ "Microsoft.AzureStackHCI/virtualMachineInstances/*",

+ "Microsoft.AzureStackHCI/NetworkInterfaces/*",

+ "Microsoft.AzureStackHCI/VirtualHardDisks/*",

+ "Microsoft.AzureStackHCI/VirtualNetworks/Read",

+ "Microsoft.AzureStackHCI/VirtualNetworks/join/action",

+ "Microsoft.AzureStackHCI/LogicalNetworks/Read",

+ "Microsoft.AzureStackHCI/LogicalNetworks/join/action",

+ "Microsoft.AzureStackHCI/GalleryImages/Read",

+ "Microsoft.AzureStackHCI/GalleryImages/deploy/action",

+ "Microsoft.AzureStackHCI/StorageContainers/Read",

+ "Microsoft.AzureStackHCI/StorageContainers/deploy/action",

+ "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",

+ "Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action",

+ "Microsoft.AzureStackHCI/Clusters/Read",

+ "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",

+ "Microsoft.Insights/AlertRules/Write",

+ "Microsoft.Insights/AlertRules/Delete",

+ "Microsoft.Insights/AlertRules/Read",

+ "Microsoft.Insights/AlertRules/Activated/Action",

+ "Microsoft.Insights/AlertRules/Resolved/Action",

+ "Microsoft.Insights/AlertRules/Throttled/Action",

+ "Microsoft.Insights/AlertRules/Incidents/Read",

+ "Microsoft.Resources/deployments/read",

+ "Microsoft.Resources/deployments/write",

+ "Microsoft.Resources/deployments/delete",

+ "Microsoft.Resources/deployments/cancel/action",

+ "Microsoft.Resources/deployments/validate/action",

+ "Microsoft.Resources/deployments/whatIf/action",

+ "Microsoft.Resources/deployments/exportTemplate/action",

+ "Microsoft.Resources/deployments/operations/read",

+ "Microsoft.Resources/deployments/operationstatuses/read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",

+ "Microsoft.ResourceHealth/availabilityStatuses/read",

+ "Microsoft.Resources/subscriptions/read",

+ "Microsoft.Resources/subscriptions/operationresults/read",

+ "Microsoft.HybridCompute/machines/read",

+ "Microsoft.HybridCompute/machines/write",

+ "Microsoft.HybridCompute/machines/delete",

+ "Microsoft.HybridCompute/machines/UpgradeExtensions/action",

+ "Microsoft.HybridCompute/machines/assessPatches/action",

+ "Microsoft.HybridCompute/machines/installPatches/action",

+ "Microsoft.HybridCompute/machines/extensions/read",

+ "Microsoft.HybridCompute/machines/extensions/write",

+ "Microsoft.HybridCompute/machines/extensions/delete",

+ "Microsoft.HybridCompute/operations/read",

+ "Microsoft.HybridCompute/locations/operationresults/read",

+ "Microsoft.HybridCompute/locations/operationstatus/read",

+ "Microsoft.HybridCompute/machines/patchAssessmentResults/read",

+ "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",

+ "Microsoft.HybridCompute/machines/patchInstallationResults/read",

+ "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",

+ "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",

+ "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",

+ "Microsoft.HybridCompute/osType/agentVersions/read",

+ "Microsoft.HybridCompute/osType/agentVersions/latest/read",

+ "Microsoft.HybridCompute/machines/runcommands/read",

+ "Microsoft.HybridCompute/machines/runcommands/write",

+ "Microsoft.HybridCompute/machines/runcommands/delete",

+ "Microsoft.HybridCompute/machines/licenseProfiles/read",

+ "Microsoft.HybridCompute/machines/licenseProfiles/write",

+ "Microsoft.HybridCompute/machines/licenseProfiles/delete",

+ "Microsoft.HybridCompute/licenses/read",

+ "Microsoft.HybridCompute/licenses/write",

+ "Microsoft.HybridCompute/licenses/delete",

+ "Microsoft.ExtendedLocation/customLocations/Read",

+ "Microsoft.ExtendedLocation/customLocations/deploy/action",

+ "Microsoft.KubernetesConfiguration/extensions/read"

+ "dataActions": [],

+ "roleName": "Azure Stack HCI VM Contributor",

+### Azure Stack HCI VM Reader

+Grants permissions to view VMs

+[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles)

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualMachines/Read | Gets/Lists virtual machine resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/virtualMachineInstances/Read | Gets/Lists virtual machine instance resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualMachines/Extensions/Read | Gets/Lists virtual machine extensions resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualNetworks/Read | Gets/Lists virtual networks resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/LogicalNetworks/Read | Gets/Lists logical networks resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/NetworkInterfaces/Read | Gets/Lists network interfaces resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualHardDisks/Read | Gets/Lists virtual hard disk resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/GalleryImages/Read | Gets/Lists gallery images resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/MarketplaceGalleryImages/Read | Gets/Lists market place gallery images resource |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |

+> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Grants permissions to view VMs",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/4b3fe76c-f777-4d24-a2d7-b027b0f7b273",

+ "name": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.AzureStackHCI/VirtualMachines/Read",

+ "Microsoft.AzureStackHCI/virtualMachineInstances/Read",

+ "Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read",

+ "Microsoft.AzureStackHCI/VirtualNetworks/Read",

+ "Microsoft.AzureStackHCI/LogicalNetworks/Read",

+ "Microsoft.AzureStackHCI/NetworkInterfaces/Read",

+ "Microsoft.AzureStackHCI/VirtualHardDisks/Read",

+ "Microsoft.AzureStackHCI/StorageContainers/Read",

+ "Microsoft.AzureStackHCI/GalleryImages/Read",

+ "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",

+ "Microsoft.Insights/AlertRules/Write",

+ "Microsoft.Insights/AlertRules/Delete",

+ "Microsoft.Insights/AlertRules/Read",

+ "Microsoft.Insights/AlertRules/Activated/Action",

+ "Microsoft.Insights/AlertRules/Resolved/Action",

+ "Microsoft.Insights/AlertRules/Throttled/Action",

+ "Microsoft.Insights/AlertRules/Incidents/Read",

+ "Microsoft.Resources/deployments/read",

+ "Microsoft.Resources/deployments/exportTemplate/action",

+ "Microsoft.Resources/deployments/operations/read",

+ "Microsoft.Resources/deployments/operationstatuses/read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",

+ "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",

+ "Microsoft.ResourceHealth/availabilityStatuses/read",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/subscriptions/read",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.Resources/subscriptions/operationresults/read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Stack HCI VM Reader",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+### Azure Stack Registration Owner

+Lets you manage Azure Stack registrations.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/edgeSubscriptions/read | |

+> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/products/*/action | |

+> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/products/read | Gets the properties of an Azure Stack Marketplace product |

+> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/read | Gets the properties of an Azure Stack registration |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Lets you manage Azure Stack registrations.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",

+ "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.AzureStack/edgeSubscriptions/read",

+ "Microsoft.AzureStack/registrations/products/*/action",

+ "Microsoft.AzureStack/registrations/products/read",

+ "Microsoft.AzureStack/registrations/read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Stack Registration Owner",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+### EventGrid Contributor

+Lets you manage EventGrid operations.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/* | Create and manage Event Grid resources |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Lets you manage EventGrid operations.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",

+ "name": "1e241071-0855-49ea-94dc-649edcd759de",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.EventGrid/*",

+ "Microsoft.Insights/alertRules/*",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.Support/*"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "EventGrid Contributor",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+### EventGrid Data Sender

+Allows send access to event grid events.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/topics/read | Read a topic |

+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/domains/read | Read a domain |

+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/partnerNamespaces/read | Read a partner namespace |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/namespaces/read | Read a namespace |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/events/send/action | Send events to topics |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Allows send access to event grid events.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7",

+ "name": "d5a91429-5739-47e2-a06b-3470a27159e7",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.EventGrid/topics/read",

+ "Microsoft.EventGrid/domains/read",

+ "Microsoft.EventGrid/partnerNamespaces/read",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.EventGrid/namespaces/read"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.EventGrid/events/send/action"

+ ],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "EventGrid Data Sender",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+### EventGrid EventSubscription Contributor

+Lets you manage EventGrid event subscription operations.

+[Learn more](/azure/event-grid/security-authorization)

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/* | Create and manage regional event subscriptions |

+Lets you read, enable, and disable logic apps, but not edit or update them.

+[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations)

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/*/read | Read Insights alert rules |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/*/read | Gets diagnostic settings for Logic Apps |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/*/read | Gets the available metrics for Logic Apps. |

+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/*/read | Reads Logic Apps resources. |

+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/disable/action | Disables the workflow. |

+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/enable/action | Enables the workflow. |

+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/validate/action | Validates the workflow. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/*/read | Read Connections. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/*/read | Read Custom API. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan |

+You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership.

+[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations)

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/* | Create and manages a Connection Gateway. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/* | Create and manages a Connection. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/* | Creates and manages a Custom API. |

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/ad710c24-b039-4e85-a019-deb4a06e8570",

+ "name": "ad710c24-b039-4e85-a019-deb4a06e8570",

+ "permissions": [

+ "actions": [

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ "roleName": "Logic Apps Standard Contributor (Preview)",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope.

+[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations)

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/* | Create and manages a Connection. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/* | Creates and manages a Custom API. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/appsettings/read | Get Web App settings. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/config/list/Action | List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/config/Read | Get Web App configuration settings |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/Write | Update Web App's configuration settings |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/web/appsettings/delete | Delete Web Apps App Setting |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/web/appsettings/read | Get Web App Single App setting. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/web/appsettings/write | Create or Update Web App Single App setting |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/deployWorkflowArtifacts/action | Create the artifacts in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/* | Get or list hostruntime artifacts for the web app or function app. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/listworkflowsconnections/action | List logic app's connections by its ID in a Logic App. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/publish/Action | Publish a Web App |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/Read | Get the properties of a Web App |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/config/appsettings/read | Get Web App Slot's single App setting. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/config/appsettings/write | Create or Update Web App Slot's Single App setting |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/config/list/Action | List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/config/Read | Get Web App Slot's configuration settings |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/config/web/appsettings/delete | Delete Web App Slot's App Setting |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/deployWorkflowArtifacts/action | Create the artifacts in a deployment slot in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/listworkflowsconnections/action | List logic app's connections by its ID in a deployment slot in a Logic App. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/publish/Action | Publish a Web App Slot |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflows/* | |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflowsconfiguration/* | |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/523776ba-4eb2-4600-a3c8-f2dc93da4bdb",

+ "name": "523776ba-4eb2-4600-a3c8-f2dc93da4bdb",

+ "permissions": [

+ {

+ "actions": [

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ "roleName": "Logic Apps Standard Developer (Preview)",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+You can enable, resubmit, and disable workflows as well as create connections. You can't edit workflows or settings.

+[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations)

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/*/read | Read Connections. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/*/read | Read Custom API. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/applySlotConfig/Action | Apply web app slot configuration from target slot to the current web app |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/config/Read | Get Web App configuration settings |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/* | Get or list hostruntime artifacts for the web app or function app. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/Read | Get the properties of a Web App |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/restart/Action | Restart a Web App |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/config/Read | Get Web App Slot's configuration settings |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/restart/Action | Restart a Web App Slot |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/slotsswap/Action | Swap Web App deployment slots |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/start/Action | Start a Web App Slot |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/stop/Action | Stop a Web App Slot |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slotsdiffs/Action | Get differences in configuration between web app and slots |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slotsswap/Action | Swap Web App deployment slots |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/start/Action | Start a Web App |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/stop/Action | Stop a Web App |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflows/read | List the workflows in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflowsconfiguration/read | Get logic app's configuration information by its ID in a Logic App. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/write | Create a new Web App or update an existing one |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "You can enable, resubmit, and disable workflows as well as create connections. You can't edit workflows or settings.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/b70c96e9-66fe-4c09-b6e7-c98e69c98555",

+ "name": "b70c96e9-66fe-4c09-b6e7-c98e69c98555",

+ "permissions": [

+ {

+ "actions": [

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ "roleName": "Logic Apps Standard Operator (Preview)",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history.

+[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations)

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/*/read | Read Connections. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/*/read | Read Custom API. |

+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime Workflow Triggers. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/runs/read | List Web Apps Hostruntime Workflow Runs. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflows/read | List the workflows in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflowsconfiguration/read | Get logic app's configuration information by its ID in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. |

+> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. |

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/4accf36b-2c05-432f-91c8-5c532dff4c73",

+ "name": "4accf36b-2c05-432f-91c8-5c532dff4c73",

+ "permissions": [

+ "actions": [

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ "roleName": "Logic Apps Standard Reader (Preview)",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+[Learn more](/azure/azure-arc/servers/security-overview)

+### Azure Connected Machine Resource Manager

+Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group

+[Learn more](/azure-stack/hci/deploy/deployment-azure-resource-manager-template)

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/read | Gets the endpoint to the resource. |

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/write | Update the endpoint to the target resource. |

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/read | Gets the details about the service to the resource. |

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/write | Update the service details in the service configurations of the target resource. |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/*/read | |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles |

+> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles |

+> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. |

+> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/*/read | |

+> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/write | Create new guest configuration assignment. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c",

+ "name": "f5819b54-e033-4d82-ac66-4fec3cbf3f4c",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.HybridConnectivity/endpoints/read",

+ "Microsoft.HybridConnectivity/endpoints/write",

+ "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read",

+ "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write",

+ "Microsoft.HybridCompute/machines/read",

+ "Microsoft.HybridCompute/machines/write",

+ "Microsoft.HybridCompute/machines/delete",

+ "Microsoft.HybridCompute/machines/extensions/read",

+ "Microsoft.HybridCompute/machines/extensions/write",

+ "Microsoft.HybridCompute/machines/extensions/delete",

+ "Microsoft.HybridCompute/*/read",

+ "Microsoft.HybridCompute/machines/UpgradeExtensions/action",

+ "Microsoft.HybridCompute/machines/licenseProfiles/read",

+ "Microsoft.HybridCompute/machines/licenseProfiles/write",

+ "Microsoft.HybridCompute/machines/licenseProfiles/delete",

+ "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",

+ "Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read",

+ "Microsoft.GuestConfiguration/guestConfigurationAssignments/write"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Connected Machine Resource Manager",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+### Azure Resource Bridge Deployment Role

+Azure Resource Bridge Deployment Role

+[Learn more](/azure/azure-arc/resource-bridge/overview)

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Register/Action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. |

+> | Microsoft.ResourceConnector/register/action | Registers the subscription for Appliances resource provider and enables the creation of Appliance. |

+> | Microsoft.ResourceConnector/appliances/read | Gets an Appliance resource |

+> | Microsoft.ResourceConnector/appliances/write | Creates or Updates Appliance resource |

+> | Microsoft.ResourceConnector/appliances/delete | Deletes Appliance resource |

+> | Microsoft.ResourceConnector/locations/operationresults/read | Get result of Appliance operation |

+> | Microsoft.ResourceConnector/locations/operationsstatus/read | Get result of Appliance operation |

+> | Microsoft.ResourceConnector/appliances/listClusterUserCredential/action | Get an appliance cluster user credential |

+> | Microsoft.ResourceConnector/appliances/listKeys/action | Get an appliance cluster customer user keys |

+> | Microsoft.ResourceConnector/appliances/upgradeGraphs/read | Gets the upgrade graph of Appliance cluster |

+> | Microsoft.ResourceConnector/telemetryconfig/read | Get Appliances telemetry config utilized by Appliances CLI |

+> | Microsoft.ResourceConnector/operations/read | Gets list of Available Operations for Appliances |

+> | Microsoft.ExtendedLocation/register/action | Registers the subscription for Custom Location resource provider and enables the creation of Custom Location. |

+> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |

+> | Microsoft.ExtendedLocation/customLocations/read | Gets an Custom Location resource |

+> | Microsoft.ExtendedLocation/customLocations/write | Creates or Updates Custom Location resource |

+> | Microsoft.ExtendedLocation/customLocations/delete | Deletes Custom Location resource |

+> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/register/action | Register the subscription for Microsoft.HybridConnectivity |

+> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/register/action | Registers Subscription with Microsoft.Kubernetes resource provider |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/write | Creates or updates extension resource. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/delete | Deletes extension instance resource. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/operations/read | Gets Async Operation status. |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/namespaces/read | Get Namespace Resource |

+> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. |

+> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. |

+> | Microsoft.HybridContainerService/register/action | Register the subscription for Microsoft.HybridContainerService |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Write | Creates/Updates storage containers resource |

+> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Azure Resource Bridge Deployment Role",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/7b1f81f9-4196-4058-8aae-762e593270df",

+ "name": "7b1f81f9-4196-4058-8aae-762e593270df",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.AzureStackHCI/Register/Action",

+ "Microsoft.ResourceConnector/register/action",

+ "Microsoft.ResourceConnector/appliances/read",

+ "Microsoft.ResourceConnector/appliances/write",

+ "Microsoft.ResourceConnector/appliances/delete",

+ "Microsoft.ResourceConnector/locations/operationresults/read",

+ "Microsoft.ResourceConnector/locations/operationsstatus/read",

+ "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",

+ "Microsoft.ResourceConnector/appliances/listKeys/action",

+ "Microsoft.ResourceConnector/appliances/upgradeGraphs/read",

+ "Microsoft.ResourceConnector/telemetryconfig/read",

+ "Microsoft.ResourceConnector/operations/read",

+ "Microsoft.ExtendedLocation/register/action",

+ "Microsoft.ExtendedLocation/customLocations/deploy/action",

+ "Microsoft.ExtendedLocation/customLocations/read",

+ "Microsoft.ExtendedLocation/customLocations/write",

+ "Microsoft.ExtendedLocation/customLocations/delete",

+ "Microsoft.HybridConnectivity/register/action",

+ "Microsoft.Kubernetes/register/action",

+ "Microsoft.KubernetesConfiguration/register/action",

+ "Microsoft.KubernetesConfiguration/extensions/write",

+ "Microsoft.KubernetesConfiguration/extensions/read",

+ "Microsoft.KubernetesConfiguration/extensions/delete",

+ "Microsoft.KubernetesConfiguration/extensions/operations/read",

+ "Microsoft.KubernetesConfiguration/namespaces/read",

+ "Microsoft.KubernetesConfiguration/operations/read",

+ "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",

+ "Microsoft.HybridContainerService/register/action",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.AzureStackHCI/StorageContainers/Write",

+ "Microsoft.AzureStackHCI/StorageContainers/Read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Resource Bridge Deployment Role",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+- [Collaborating for Success: How SAP and Microsoft are working together to accelerate customer innovation and transformation](https://discover.sap.com/microsoft/en-us/https://docsupdatetracker.net/index.html)

+Customer Lockbox requests are not triggered in the following scenarios:

+ Title: "Crowdstrike Falcon Data Replicator V2 (using Azure Functions) connector for Microsoft Sentinel"

+description: "Learn how to install the connector Crowdstrike Falcon Data Replicator V2 (using Azure Functions) to connect your data source to Microsoft Sentinel."

+# Crowdstrike Falcon Data Replicator V2 (using Azure Functions) connector for Microsoft Sentinel

+To integrate with Crowdstrike Falcon Data Replicator V2 (using Azure Functions) make sure you have:

+The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.

+**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias GWorkspaceReports and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Parsers/GWorkspaceActivityReports.yaml), on the second line of the query, enter the hostname(s) of your GWorkspaceReports device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.

+The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.

+ * For ArcSight, see [Common Event Format (CEF) forwarding](https://community.microfocus.com/cyberres/arcsight/f/discussions/241072/using-forwarding-connector-to-send-logs-to-esm-and-logger-destination).

+Refer to [Azure Site Recovery Deployment Planner Version History](/azure/site-recovery/site-recovery-deployment-planner-history) page for the fixes that are added in each update.

+zone_pivot_groups: spring-apps-tier-selection

+This article shows you how to create a system-assigned or user-assigned managed identity for an app deployed to Azure Spring Apps and use it to access Azure Key Vault.

+- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).

+- [Azure CLI](/cli/azure/install-azure-cli), version 2.55.0 or higher.

+- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+- [Azure CLI](/cli/azure/install-azure-cli), version 2.55.0 or higher.

+## Provide names for each resource

+Create variables to hold the resource names by using the following commands. Be sure to replace the placeholders with your own values.

+### [System-assigned managed identity](#tab/system-assigned-managed-identity)

+```azurecli

+export LOCATION=<location>

+export RESOURCE_GROUP=myresourcegroup

+export SPRING_APPS=myasa

+export APP=springapp-system

+export KEY_VAULT=<your-keyvault-name>

+```

+### [User-assigned managed identity](#tab/user-assigned-managed-identity)

+```azurecli

+export LOCATION=<location>

+export RESOURCE_GROUP=myresourcegroup

+export SPRING_APPS=myasa

+export APP=springapp-user

+export KEY_VAULT=<your-keyvault-name>

+export USER_ASSIGNED_IDENTITY=<user-assigned-identity-name>

+```

+A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group to contain both the Key Vault and Spring Cloud using the [az group create](/cli/azure/group#az-group-create) command, as shown in the following example:

+az group create --name ${RESOURCE_GROUP} --location ${LOCATION}

+To create a Key Vault, use the [az keyvault create](/cli/azure/keyvault#az-keyvault-create) command, as shown in the following example:

+> [!IMPORTANT]

+> Each Key Vault must have a unique name.

+ --resource-group ${RESOURCE_GROUP} \

+ --name ${KEY_VAULT}

+Use the following command to show the app URL and then make a note of the returned URL, which is in the format `https://${KEY_VAULT}.vault.azure.net`. Use this value in the following step.

+```azurecli

+az keyvault show \

+ --resource-group ${RESOURCE_GROUP} \

+ --name ${KEY_VAULT} \

+ --query properties.vaultUri --output tsv

+```

+You can now place a secret in your Key Vault by using the [az keyvault secret set](/cli/azure/keyvault/secret#az-keyvault-secret-set) command, as shown in the following example:

+ --vault-name ${KEY_VAULT} \

+After you install all corresponding extensions, use the following command to create an Azure Spring Apps instance:

+ --resource-group ${RESOURCE_GROUP} \

+ --sku Enterprise \

+ --name ${SPRING_APPS}

+```

+### [System-assigned managed identity](#tab/system-assigned-managed-identity)

+The following example creates the app with a system-assigned managed identity, as requested by the `--system-assigned` parameter:

+```azurecli

+az spring app create \

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${SPRING_APPS} \

+ --name ${APP} \

+ --assign-endpoint true \

+ --system-assigned

+export MANAGED_IDENTITY_PRINCIPAL_ID=$(az spring app show \

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${SPRING_APPS} \

+ --name ${APP} \

+ --query identity.principalId --output tsv)

+```

+### [User-assigned managed identity](#tab/user-assigned-managed-identity)

+Use the following command to create a user-assigned managed identity:

+```azurecli

+az identity create --resource-group ${RESOURCE_GROUP} --name ${USER_ASSIGNED_IDENTITY}

+export MANAGED_IDENTITY_PRINCIPAL_ID=$(az identity show \

+ --resource-group ${RESOURCE_GROUP} \

+ --name ${USER_ASSIGNED_IDENTITY} \

+ --query principalId --output tsv)

+export USER_IDENTITY_RESOURCE_ID=$(az identity show \

+ --resource-group ${RESOURCE_GROUP} \

+ --name ${USER_ASSIGNED_IDENTITY} \

+ --query id --output tsv)

+```

+The following command creates the app with a user-assigned managed identity, as requested by the `--user-assigned` parameter:

+```azurecli

+az spring app create \

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${SPRING_APPS} \

+ --name ${APP} \

+ --user-assigned $USER_IDENTITY_RESOURCE_ID \

+ --assign-endpoint true

+```

+```azurecli

+az extension add --upgrade --name spring

+az spring create \

+ --resource-group ${RESOURCE_GROUP} \

+ --name ${SPRING_APPS}

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${SPRING_APPS} \

+ --name ${APP} \

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${SPRING_APPS} \

+ --name ${APP} \

+ --query identity.principalId --output tsv)

+Use the following command to create a user-assigned managed identity:

+```azurecli

+az identity create --resource-group ${RESOURCE_GROUP} --name ${USER_ASSIGNED_IDENTITY}

+export MANAGED_IDENTITY_PRINCIPAL_ID=$(az identity show \

+ --resource-group ${RESOURCE_GROUP} \

+ --name ${USER_ASSIGNED_IDENTITY} \

+ --query principalId --output tsv)

+export USER_IDENTITY_RESOURCE_ID=$(az identity show \

+ --resource-group ${RESOURCE_GROUP} \

+ --name ${USER_ASSIGNED_IDENTITY} \

+ --query id --output tsv)

+The following command creates the app with a user-assigned managed identity, as requested by the `--user-assigned` parameter.

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${SPRING_APPS} \

+ --name ${APP} \

+ --name ${KEY_VAULT} \

+> For system-assigned managed identity, use `az keyvault delete-policy --name ${KEY_VAULT} --object-id ${MANAGED_IDENTITY_PRINCIPAL_ID}` to remove the access for your app after system-assigned managed identity is disabled.

+ ### [System-assigned managed identity](#tab/system-assigned-managed-identity)

+ ```properties

+ spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=<your-keyvault-url>

+ spring.cloud.azure.keyvault.secret.property-sources[0].credential.managed-identity-enabled=true

+ ```

+ ### [User-assigned managed identity](#tab/user-assigned-managed-identity)

+ Use the following command to query the client ID of the user-assigned managed identity:

+ ```azurecli

+ az identity show \

+ --resource-group ${RESOURCE_GROUP} \

+ --name ${USER_ASSIGNED_IDENTITY} \

+ --query clientId --output tsv

+ ```

+ ```properties

+ spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=<your-keyvault-url>

+ spring.cloud.azure.keyvault.secret.property-sources[0].credential.managed-identity-enabled=true

+ spring.cloud.azure.keyvault.secret.property-sources[0].credential.client-id=<client-ID-of-user-assigned-managed-identity>

+ ```

+

+1. Update *src/main/java/com/example/demo/DemoApplication.java* with the following code example. This code retrieves the connection string from the Key Vault.

+5. Use the following command to deploy your app to Azure Spring Apps:

+ ```azurecli

+ az spring app deploy \

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${SPRING_APPS} \

+ --name ${APP} \

+ --source-path

+5. Use the following command to deploy your app to Azure Spring Apps:

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${SPRING_APPS} \

+ --name ${APP} \

+ --source-path \

+ --build-env BP_JVM_VERSION=17

+6. To test your app, access the public endpoint or test endpoint by using the following command:

+ curl https://${SPRING_APPS}-${APP}.azuremicroservices.io/get

+ The following message is returned in the response body: `jdbc:sqlserver://SERVER.database.windows.net:1433;database=DATABASE;`.

+## Clean up resources

+Use the following command to delete the entire resource group, including the newly created service instance:

+```azurecli

+az group delete --name ${RESOURCE_GROUP} --yes

+```

+- [How to access Storage blob with managed identity in Azure Spring Apps](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/managed-identity-storage-blob)

+- [Enable system-assigned managed identity for applications in Azure Spring Apps](./how-to-enable-system-assigned-managed-identity.md)

+- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+- [Authenticate Azure Spring Apps with Key Vault in GitHub Actions](./github-actions-key-vault.md)

+ Title: About Azure Storage Actions Preview

+description: Learn how to perform operations on blobs in Azure Storage accounts based on a set of conditions that you define.

+# What is Azure Storage Actions Preview?

+Azure Storage Actions is a serverless framework that you can use to perform common data operations on millions of objects across multiple storage accounts.

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+The preview release of Azure Storage Actions enables you to create _storage tasks_ that can perform operations on blobs in Azure Storage accounts based on a set of conditions that you define. Storage tasks can process millions of objects in a storage account without provisioning additional compute capacity and without requiring you to write code.

+## Anatomy of a storage task

+A storage task contains a set of _conditions_, _operations_, and _assignments_. The following table describes each component of a storage task.

+| Component | Description |

+|||

+| Conditions | A _condition_ a collection of one or more _clauses_. Each clause contains a property, a value, and an operator. When the storage task runs, it uses the operator to compare a property with a value to determine whether a clause is met by the target object. For example, a clause might evaluate whether a `creation-time` property of a blob is greater than five days ago. |

+| Operations | An operation is the action a storage task performs on each object that meets the defined set of conditions. Deleting a blob is an example of an operation. |

+| Assignments | An assignment identifies a storage account and a subset of objects to target in that account. It also specifies when the task runs and where execution reports are stored. |

+## How to use a storage task

+First, define the conditions and operations of a storage task. Then, assign that task to one or more storage accounts. Monitor task runs by using metrics, charts, and reports.

+### Define a storage task

+Start by creating a storage task. To provision a storage task, you must define at least one condition and one operation. After the task is created, you can edit those conditions and operations or add more of them by using a visual designer.

+See these articles to learn how to define a storage task:

+- [Create a storage task](storage-tasks/storage-task-create.md)

+- [Define storage task conditions and operations](storage-tasks/storage-task-conditions-operations-edit.md)

+- [Properties, operators, and operations in storage task conditions](storage-tasks/storage-task-properties-operators-operations.md)

+### Assign a storage task

+You can assign a storage task to any storage account in which your identity is assigned the [Storage Blob Data Owner](../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role. As you create an assignment, you'll select a storage account, and assign a role to the system-assigned managed identity of the task. That identity is created for you automatically when the task is provisioned. The role that you assign that identity must enable it to perform the operations that are defined in the task.

+A storage task can be assigned to a storage account only by an owner of that account. Therefore, if the task that you define is useful to an owner of another storage account, you must grant that user access to the storage task. Then, that user can assign your task to their storage account. You can grant a user access to your storage task by assigning an Azure role to their user identity.

+See these articles to learn how to assign a storage task:

+- [Create and manage a storage task assignment](storage-tasks/storage-task-assignment-create.md)

+- [Azure roles for storage task assignments](storage-tasks/storage-task-authorization-roles.md)

+### Monitor storage task runs

+Tasks run asynchronously according to the schedule that you specify in the assignment. An execution report is created when the run completes. That report itemizes the results of the task run on each object that was targeted by the task.

+The overview page of the task presents metrics and visualizations that summarize how many objects met the task condition, and the result of the operations attempted by the storage task on each object. The charts enable you to quickly drill into a specific execution instance.

+See these articles to learn how to monitor task runs:

+- [Analyze storage task runs](storage-tasks/storage-task-runs.md)

+- [Monitor Azure Storage Actions](storage-tasks/monitor-storage-tasks.md)

+### Handle storage task events

+Azure Storage Actions events allow applications to react to events, such as the completion of a storage task run. It does so without the need for complicated code or expensive and inefficient polling services.

+Azure Storage Actions events are pushed using [Azure Event Grid](https://azure.microsoft.com/services/event-grid/) to subscribers such as Azure Functions, Azure Logic Apps, or even to your own http listener. Event Grid provides reliable event delivery to your applications through rich retry policies and dead-lettering. Event Grid uses [event subscriptions](../event-grid/concepts.md#event-subscriptions) to route event messages to subscribers. First, subscribe an endpoint to an event. Then, when an event is triggered, the Event Grid service will send data about that event to the endpoint.

+See the [Azure Storage Actions events schema](../event-grid/event-schema-storage-actions.md?toc=/azure/storage-actions/toc.json) article to view the full list of the events that Azure Storage Actions supports.

+## Supported Regions

+Azure Storage tasks are supported in the following public regions:

+- France Central

+- Canada Central

+## Pricing and billing

+List pricing information here.

+## Next steps

+- [Quickstart: Create, assign, and run a storage task by using the Azure portal](storage-tasks/storage-task-quickstart-portal.md)

+- [Known issues with storage tasks](storage-tasks/storage-task-known-issues.md)

+ Title: Monitor Azure Storage Actions Preview

+description: Start here to learn how to monitor Azure Storage Actions Preview.

+# Monitor Azure Storage Actions Preview

+When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. This article describes the monitoring data generated by Azure Storage Actions. Azure Storage Actions uses [Azure Monitor](/azure/azure-monitor/overview). If you are unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource).

+## Monitoring overview page in Azure portal

+The following metrics appear in the **Overview** page of each storage task.

+- Total number of runs

+- Total number of runs that resulted in an error

+- Total number of objects targeted by task runs

+- Total number of objects operated on

+- Total number of objects where an operation succeeded

+- Total number of objects where an operation failed

+The following image shows how these metrics appear in the **Overview** page.

+> [!div class="mx-imgBorder"]

+> 

+These metrics include runs from multiple storage task assignments, but only assignments that target storage accounts to which you have read permission. These metrics appear as tiles that you can select to view a list of the task runs which comprise the metric. Each listed task provides a link to a detailed execution report. For more information about how to drill into metrics and reports for each task run, see [Analyze storage task runs](storage-task-runs.md).

+## Monitoring data

+Azure Storage Actions collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](/azure/azure-monitor/essentials/monitor-azure-resource#monitoring-data-from-Azure-resources). For information about the metrics and logs that are created by Azure Storage tasks, see [Monitoring Azure Storage Actions data reference](storage-tasks-monitor-data-reference.md).

+## Collection and routing

+Platform metrics and the activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting. To learn how to create a diagnostic setting, see [Create diagnostic setting to collect platform logs and metrics in Azure](/azure/azure-monitor/platform/diagnostic-settings).

+## Analyzing metrics

+You can analyze metrics for Azure Storage Actions with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](/azure/azure-monitor/essentials/metrics-getting-started) for details on using this tool.

+For a list of the platform metrics collected for Azure Storage Actions, see [Monitoring Azure Storage Actions metrics](storage-tasks-monitor-data-reference.md#metrics). You can also see a list [all resource metrics supported in Azure Monitor](/azure/azure-monitor/essentials/metrics-supported).

+## Analyzing logs

+Azure Storage Actions don't support resource logs. Azure Storage Actions support the [activity log](/azure/azure-monitor/essentials/activity-log) log only. The [activity log](/azure/azure-monitor/essentials/activity-log) is a type of platform log in Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.

+## Alerts

+Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](/azure/azure-monitor/alerts/alerts-metric-overview) and the [activity log](/azure/azure-monitor/alerts/activity-log-alerts).

+## Next steps

+- See [Monitoring Azure Storage Actions data reference](storage-tasks-monitor-data-reference.md) for a reference of the metrics, logs, and other important values created by Azure Storage Actions.

+- See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

+ Title: Create and manage a storage task assignment

+description: Learn how to create an assignment, and then enable that assignment to run.

+# Create and manage a storage task assignment

+An _assignment_ identifies a storage account and a subset of objects in that account that the task will target. An assignment also defines when the task runs and where execution reports are stored.

+This article helps you create an assignment, and then enable that assignment to run.

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Create an assignment

+Create an assignment for each storage account you want to target. A storage task can contain up to 50 assignments.

+> [!NOTE]

+> During the public preview, you can target only storage accounts that are in the same region as the storage tasks.

+### Create an assignment from the storage task menu

+You can create an assignment in the context of a storage task. This option can be convenient if you're the task author and you want to target multiple storage accounts. For each assignment you'll identify the storage account that you want to target.

+Navigate to the storage task in the Azure portal and then under **Storage task management**, select **Assignments**, and then select **Configure assignments**.

+> [!div class="mx-imgBorder"]

+> 

+In the **Assignments** page, select **+ Add assignment** and the **Add assignment** pane will appear.

+### Create an assignment from the storage account menu

+You can also create an assignment in the context of a storage account. This option can be convenient if you want to use an existing task to process objects in your storage account. For each assignment you'll identify the storage task that you want to assign to your account.

+Navigate to the storage account in the Azure portal and then under **Data management**, select **Storage tasks**.

+In the **Storage tasks** page, select the **Task assignment** tab, select **+ Create assignment**, and then select **+ Add assignment**.

+> [!div class="mx-imgBorder"]

+> 

+The **Add assignment** pane appears.

+## Select a scope

+In the **Select scope** section, select a subscription and name the assignment. Then, select the storage account that you want to target.

+If you opened the **Add assignment** pane in the context of the storage account, you'll select a storage task instead of the storage account.

+The following table describes each field in the **Select Scope** section:

+| Section | Field | Required or optional | Description |

+|--|--|--|--|

+| Select scope | Subscription | Required | The subscription of the storage account that you want to add to this assignment. |

+| Select scope | Select a storage account | Required | The storage account that you want to add to this assignment. You must be an owner of the storage account. This field appears only if you create the assignment in the context of a storage task.|

+| Select scope | Select a storage task | Required | The storage task to which you would like to assign your storage account. This field appears only if you create the assignment in the context of a storage account.|

+| Select scope | Assignment name | Required | The name of the assignment. Assignment names must be between 2 and 62 characters in length and may contain only letters and numbers. |

+## Add a role assignment

+In the **Role assignment** section, in the **Role** drop-down list, select the role that you want to assign to the system-assigned managed identity of the storage task. Only roles that are assigned to your user identity appear in this drop-down list. Roles not assigned to your user identity do not appear in this list. To learn more, see [Azure roles for storage tasks](storage-task-authorization-roles.md)

+> [!div class="mx-imgBorder"]

+> 

+## Add a filter

+In the **Filter objects** section, choose whether you want to target a subset of blobs based on a filter. Filters help you narrow the scope of execution. If you want the task to evaluate all of the containers and blobs in an account, then you can select the **Do not filter** option. The following example uses a filter to target only blobs that exist in a container that is named `mycontainer`.

+> [!div class="mx-imgBorder"]

+> 

+The following table describes each field:

+| Section | Field | Required or optional | Description |

+|--|--|--|--|

+| Filter objects | Filter by | Required | Option to either filter objects by using a prefix or to run the task against the entire storage account. |

+| Filter objects | Blob prefixes | Optional | The string prefix that is used to narrow the scope of blobs that are evaluated by the task. This field is required only if you choose to filter by using a blob prefix. |

+## Define the trigger

+In the **Trigger details** section, select how often you'd like this task to run. You can choose to run this task only once, or run the task recurring. If you decide to run this task on a recurring basis, choose a start and end time and specify the number of days in between each run. You can also specify where you'd like to store the execution reports.

+> [!div class="mx-imgBorder"]

+> 

+The following table describes each field:

+| Section | Field | Required or optional | Description |

+|--|--|--|--|

+| Trigger details | Run frequency | Required | Option to either run the task one time or multiple times. |

+| Trigger details | Start from | Required | The date and time to begin running the task. |

+| Trigger details | End by | Required | The date and time stop running the task. |

+| Trigger details | Repeat very (in days) | Required | The interval in days between each run. |

+| Trigger details | Report export container | Required | The container where task execution reports are stored. |

+## Save the assignment

+Select the **Add** button to create the assignment.

+The **Add assignment pane** closes. When deployment is complete, the assignment appears in the **Assignments** page. If you don't see the assignment in that page, then select the **Refresh** button.

+> [!div class="mx-imgBorder"]

+> 

+## Enable an assignment

+The assignment is disabled by default. To enable the assignment so that it will be scheduled to run, select the checkbox that appears beside the assignment, and then select **Enable**.

+> [!div class="mx-imgBorder"]

+> 

+After the task runs, an execution report is generated and then stored in the container that you specified when you created the assignment. For more information about that report as well as how to view metrics that capture the number of objects targeted, the number of operations attempted, and the number of operations that succeeded, see [Analyze storage task runs](storage-task-runs.md).

+## Edit an assignment

+An assignment becomes a sub resource of the targeted storage account. Therefore, after you create the assignment, you can edit only it's run frequency. The other fields of an assignment become read only. The **Single run (only once)** option becomes read only as well.

+- To edit the run frequency of an assignment in the context of a storage task, navigate to the storage task in the Azure portal and then under **Storage task management**, select **Assignments**.

+- To edit the run frequency of an assignment in the context of a storage account, navigate to the storage account in the Azure portal and then under **Data management**, select **Storage tasks**.

+## See also

+- [Azure Storage Actions overview](../overview.md)

+- [Analyze storage task runs](storage-task-runs.md)

+ Title: Azure roles for storage tasks

+description: Learn about the least privileged built-in Azure roles or RBAC actions required to read, update, delete and assign a storage task.

+# Azure roles for storage tasks

+This article describes the least privileged built-in Azure roles or RBAC actions required to read, update, delete and assign a storage task.

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Permission to read, edit, or delete a task

+You must assign a role to any security principal in your organization that needs access to the storage task. To learn how to assign an Azure role, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+To give users or applications access to the storage task, choose an Azure Built-in or custom role that has the permission necessary to edit the read or edit task. If you prefer to use a custom role, make sure that your role contains the RBAC actions necessary to read or edit the task. Use the following table as a guide.

+| Permission level | Azure built-in role | RBAC actions for custom roles |

+|--|--|--|

+| List and read storage tasks | `Contributor` | `Microsoft.StorageActions/storageTasks/read` |

+| Create and update storage tasks | `Contributor` | `Microsoft.StorageActions/storageTasks/write` |

+| Delete storage tasks | `Contributor` | `Microsoft.StorageActions/storageTasks/delete` |

+## Permission to assign a task

+A task _assignment_ identifies a storage account and a subset of objects in that account that the storage task will target. An assignment also defines when the task runs and where execution reports are stored. For step-by-step guidance, see [Create and manage a Storage task assignment](storage-task-assignment-create.md).

+To create an assignment, your identity must be assigned a custom role that contains the following RBAC actions:

+- The `Microsot.Authorization.roleAssignments/write` action.

+- All of the RBAC actions that are available in the `Microsoft.Storage/StorageAccounts` set of RBAC action.

+To learn how to create a custom role, see [Azure custom roles](../../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).

+## Permission for a task to perform operations

+As you create an assignment, you must choose an Azure Built-in or custom role that has the permission necessary to perform the specified operations on the target storage account or storage account container. You can choose only roles that are assigned to your user identity. If you prefer to use a custom role, you must make sure that your role contains the RBAC actions necessary to perform the operations.

+The following table shows the least privileged built-in Azure role as well as the RBAC actions required by each operation.

+| Permission | Built-in role | RBAC actions for a custom role |

+||||

+| SetBlobTier | [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner)| Microsoft.Storage/storageAccounts/blobServices/read<br>Microsoft.Storage/storageAccounts/blobServices/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/read<br>Microsoft.Storage/storageAccounts/blobServices/containers/read<br>Microsoft.Storage/storageAccounts/blobServices/containers/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/delete |

+| SetBlobExpiry | [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |

+| SetBlobTags | [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write |

+| SetBlobImmutabilityPolicy | [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read<br>Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete<br>Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/extend/action<br>Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/lock/action |

+| SetBlobLegalHold | [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) | Microsoft.Storage/storageAccounts/blobServices/containers/setLegalHold/action<br>Microsoft.Storage/storageAccounts/blobServices/containers/clearLegalHold/action |

+| DeleteBlob | [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) | Microsoft.Storage/storageAccounts/blobServices/containers/delete |

+| UndeleteBlob | [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) | Microsoft.Storage/storageAccounts/blobServices/containers/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/delete |

+## See also

+- [Create and manage an assignment](storage-task-assignment-create.md)

+ Title: Define storage task conditions & operations

+description: Learn how to define the conditions and operations of a storage task by using a visual editor.

+# Define storage task conditions and operations

+You can use a visual editor to define the conditions and operations of a storage task.

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+An _operation_ is an action taken on each object that meets the conditions defined in the task. A _condition_ contains one or more conditional _clauses_. Each clause defines the relationship between a property and a value. To execute an operation defined in the storage task, the terms of that relationship must be met by each object.

+To learn more, see [Properties, operators, and operations in storage task conditions](storage-task-properties-operators-operations.md).

+## Open the conditions editor

+Navigate to the storage task in the Azure portal and then under **Storage task management**, select **Conditions**.

+> [!div class="mx-imgBorder"]

+> 

+The **Visual builder** tab of the **Conditions** pane appears.

+## Define conditions

+Define a condition by adding clauses. A clause defines the relationship between a property and a value. To execute an operation defined in the storage task, the terms of that relationship must be met by each object.

+### Add and remove clauses

+To add a clause, select **Add new clause**, and to remove a clause, select the delete icon(:::image type="icon" source="../media/storage-tasks/storage-task-conditions-operations-edit/conditions-delete-icon.png":::) that appears next to it.

+> [!div class="mx-imgBorder"]

+> 

+### Specify the terms of a clause

+To define a clause, choose a property, specify a value for that property, and then choose an operator that relates them together.

+#### Choose a property

+In the **Blob property** drop-down list, choose a property. See [Supported blob properties](storage-task-properties-operators-operations.md#supported-properties-in-a-clause).

+The following example selects the **Blob name** property.

+> [!div class="mx-imgBorder"]

+> 

+#### Choose a value and operator

+In the **Property value** box, enter a value and in the **Operator** drop-down list, choose an operator. See [Supported Operators](storage-task-properties-operators-operations.md#supported-operators-in-a-clause).

+The following example specifies a value of `.log` along with the **Ends with** operator. This condition allows the operation defined in this storage task to execute only on blobs that have a `.log` file extension.

+> [!div class="mx-imgBorder"]

+> 

+#### Use a wildcard in string values

+You can use the `*` and `?` wildcard characters in the value of a string property. The `*` character represents zero or more characters while a `?` character represents exactly one character.

+For example, if you want your clause to evaluate to true only for blobs that are Word documents, you would use the string `*.docx`. However, if you want only documents are named with a single character such as `1.docx` or `2.docx`, then you would use the string `?.docx`.

+You can use the `*` or `?` anywhere in a string. You can escape these characters by adding a `\` just before the character.

+#### Reference a value from object metadata

+Clauses that include a date and time property can reference a value from the metadata of a container or an index tag of a blob. These values are obtained dynamically at runtime when the task executes.

+In your storage account, you can add a key to the metadata of a container or to the index tags of a blob. The value of that key must be a [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601#Durations)-formatted time interval. For example, you might add a key named `retainfor` along with a string value of `PT5M` which represents an interval of five minutes.

+To reference a key, select the **Edit** link that appears in the **Property value** column. Then, in the **Select a value** dialog box, select **Container metadata** or **Blob Index tags**.

+The following example adds the **Creation time** property, the **Earlier than** operator, and references a key named `retainFor` in the index tags of each blob that is evaluated.

+> [!div class="mx-imgBorder"]

+> 

+This condition tests whether a blob was created earlier than a certain time duration relative to now (the current date and time). For example, if the value retrieved from the `retainFor` tag is five minutes, then this condition checks if the blob was created more than 5 minutes ago.

+> [!NOTE]

+> In the **Code** tab, you'll see the logic of this example represented in a slightly different way. The generated code tests whether the current time is greater than creation time plus the time interval. Both representations yield the same result.

+If the key is not present for an evaluated object, then the condition evaluates to false. If the key value is a string that does not conform to the [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601#Durations) standard, then an error is reported in the execution report.

+#### Apply And / Or to a clause

+You add **And** or **Or** to a clause. Specify **And** if you want to target objects that meet the criteria in both the current clause and the previous clause of the condition. Specify **Or** to target objects that meet the criterion in either the current clause or the previous clause.

+The following example shows clauses that use **And**. In this example, the storage task targets objects that have a `.log` extension and which have a tag named `Archive-Status` set to `Ready`.

+> [!div class="mx-imgBorder"]

+> 

+### Change the order of clauses

+You can arrange clauses in an order that you believe will improve the performance of a task run. For example, instead of first testing all blobs in an account against a name filter, you might elevate a clause that targets a specific container. That small adjustment can prevent the task from performing unnecessary evaluations.

+First, select the clause. Then, select **Move clause up** or **Move clause down** to change its position in the list.

+The following example shows the result of selecting a clause and then selecting **Move clause up**.

+> [!div class="mx-imgBorder"]

+> 

+### Group and ungroup clauses

+Grouped clauses operate as a single unit separate from the rest of the clauses. Grouping clauses is similar to putting parentheses around a mathematical equation or logic expression. The **And** or **Or** operator for the first clause in the group applies to the whole group.

+Select the checkbox that appears next to each clause you want to group together. Then, select **Group**.

+The following example shows two conditions grouped together. In this example, the operation executes if a blob has the `.log` extension and either a tag named `Archive-Status` is set to the value of `Ready` or the file has not been accessed in 120 days.

+> [!div class="mx-imgBorder"]

+> 

+To ungroup clauses, select the ungroup icon (:::image type="icon" source="../media/storage-tasks/storage-task-conditions-operations-edit/ungroup-icon.png":::) or select each clause in the group, and select **Ungroup**.

+## Preview the effect of conditions

+You can view a list of blobs that would be impacted by the conditions that you've defined. In the conditions editor, select **Preview conditions**.

+> [!div class="mx-imgBorder"]

+> 

+In the **Preview Conditions**, you can specify a target subscription, storage account and container. Because a preview can only show up to 5000 blobs, you can also specify a prefix to narrow the list.

+> [!div class="mx-imgBorder"]

+> 

+## Define operations

+An operation is an action taken on each object that meets the conditions defined in the task.

+### Add and remove operations

+To add an operation, select **Add new operation**, and to remove an operation, select the delete icon(:::image type="icon" source="../media/storage-tasks/storage-task-conditions-operations-edit/conditions-delete-icon.png":::) that appears next to it.

+> [!div class="mx-imgBorder"]

+> 

+#### Choose an operation

+In the **Operation** drop-down list, choose an operation. See [Supported operations](storage-task-properties-operators-operations.md#supported-operations).

+The following example selects the **Set blob tags** property.

+> [!div class="mx-imgBorder"]

+> 

+#### Choose a parameter

+Enter or select the parameters that are appropriate for the operation.

+The following example sets the `Archive-Status` tag to the value `Archived`.

+> [!div class="mx-imgBorder"]

+> 

+### Change the order of operations

+You can arrange operations in any order.

+In this example, the existing order makes sense. Blobs are first archived and the tags are set. It wouldn't make sense to set the tag before changing the tier just in case the attempt to change the tier of a blob didn't succeed. If the set blob tag operation appeared first in the list, you might consider moving that operation beneath the set blob tier operation.

+To move an operation, select the checkbox that appears beside it. Then, select **Move operation up** or **Move operation down** to change its position in the list.

+## See also

+- [Azure Storage Actions Overview](../overview.md)

+ Title: Create a storage task

+description: Learn how to create a storage task. A storage task can perform on blobs in one or more Azure Storage accounts.

+# Create a storage task

+A storage task can perform operations on blobs in an Azure Storage account. As you create a task, you can define the conditions that must be met by each object (container or blob), and the operations to perform on the object. You can also identify one or more Azure Storage account targets. See [What are Azure Storage Actions?](../overview.md).

+In this how-to article, you'll learn how to create a storage task.

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Create a task

+In the Azure portal, search for _Storage Tasks_. Then, under **Services**, select **Storage tasks - Azure Storage Actions**.

+> [!div class="mx-imgBorder"]

+> 

+On the **Azure Storage Actions | Storage Tasks** page, select **Create**.

+> [!div class="mx-imgBorder"]

+> 

+## Basics tab

+On the **Basics** tab, provide the essential information for your storage task. The following table describes the fields on the **Basics** tab.

+| Section | Field | Required or optional | Description |

+|--|--|--|--|

+| Project details | Subscription | Required | Select the subscription for the new storage task. |

+| Project details | Resource group | Required | Create a new resource group for this storage task, or select an existing one. For more information, see [Resource groups](../../azure-resource-manager/management/overview.md#resource-groups). |

+| Instance details | Storage task name | Required | Choose a unique name for your storage task. storage task names must be between 3 and 18 characters in length and might contain only lowercase letters and numbers. |

+| Instance details | Region | Required | Select the appropriate region for your storage task. For more information, see [Regions and Availability Zones in Azure](../../availability-zones/az-overview.md). |

+The following image shows an example of the **Basics** tab.

+> [!div class="mx-imgBorder"]

+> 

+## Conditions tab

+On the **Conditions** tab, define the conditions that must be met by each object (container or blob), and the operations to perform on the object.

+You must define at least one condition and one operation. To add a clause to a condition, select **Add new clause**. To add operations, select **Add new operation**.

+The following table describes the fields on the **Conditions** tab.

+| Section | Field | Required or optional | Description |

+|--|--|--|--|

+| If | And/Or | Required | An operator that combines two or more predicates to form a logical-AND or logical-OR expression. |

+| If | Blob property | Required | The blob or container property that you like to use in the clause. See [Supported blob properties](storage-task-properties-operators-operations.md#supported-properties-in-a-clause)|

+| If | Operator | Required | The operator that defines how each property in the clause must relate to the corresponding value. See [Supported operators](storage-task-properties-operators-operations.md#supported-operators-in-a-clause)|

+| If| Property value | Required | The value that relates to the corresponding property. |

+| Then | Operations | Required | The action to perform when objects meet the conditions defined in this task. See [Supported operations](storage-task-properties-operators-operations.md#supported-operations)|

+| Then | Parameter | Required | A value used by the operation. |

+The following image shows an example of the **Conditions** tab.

+> [!div class="mx-imgBorder"]

+> 

+To learn more about supported properties and operators in conditions, see [Storage task conditions and operations](storage-task-properties-operators-operations.md).

+## Assignments tab

+An _assignment_ identifies a storage account and a subset of objects in that account that the task will target. An assignment also defines when the task runs and where execution reports are stored.

+To add an assignment, select **Add assignment**. This step is optional. You don't have to add an assignment to create the task.

+The following table describes the fields that appear in the **Add assignment** pane.

+| Section | Field | Required or optional | Description |

+|--|--|--|--|

+| Select scope | Subscription | Required | The subscription of the storage account that you want to add to this assignment. |

+| Select scope | Select a storage account | Required | The storage account that you want to add to this assignment. |

+| Select scope | Assignment name | Required | The name of the assignment. Assignment names must be between 2 and 62 characters in length and may contain only letters and numbers. |

+| Filter objects | Filter by | Required | Option to either filter objects by using a prefix or to run the task against the entire storage account. |

+| Filter objects | Blob prefixes | Optional | The string prefix that is used to narrow the scope of blobs that are evaluated by the task. This field is required only if you choose to filter by using a blob prefix. |

+| Trigger details | Run frequency | Required | Option to either run the task one time or multiple times. |

+| Trigger details | Start from | Required | The date and time to begin running the task. |

+| Trigger details | End by | Required | The date and time to stop running the task. |

+| Trigger details | Repeat very (in days) | Required | The interval in days between each run. |

+| Trigger details | Report export container | Required | The container where task execution reports are stored. |

+The following image shows an example of the **Add assignment** pane.

+> [!div class="mx-imgBorder"]

+> 

+## Tags tab

+On the **Tags** tab, you can specify Resource Manager tags to help organize your Azure resources. For more information, see [Tag resources, resource groups, and subscriptions for logical organization](../../azure-resource-manager/management/tag-resources.md).

+The following image shows a standard configuration of the index tag properties for a new storage account.

+> [!div class="mx-imgBorder"]

+> 

+## Review + create tab

+When you navigate to the **Review + create** tab, Azure runs validation on the storage task settings that you have chosen. If validation passes, you can proceed to create the storage task.

+If validation fails, then the portal indicates which settings need to be modified.

+The following image shows the **Review** tab data prior to the creation of a new storage task.

+> [!div class="mx-imgBorder"]

+> 

+## See also

+- [Azure Storage Actions overview](../overview.md)

+- [Create, assign, and run a storage task](storage-task-quickstart-portal.md)

+- [Define conditions and operations](storage-task-conditions-operations-edit.md)

+ Title: Known issues and limitations with storage tasks

+description: Learn about limitations and known issues of storage tasks.

+# Known issues and limitations with storage tasks

+This article describes limitations and known issues of storage tasks. The issues that appear in this article reflect the current state of the service. This list will change over time as support continues to expand.

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Storage account regions

+During the public preview, you can target only storage accounts that are in the same region as the storage tasks.

+## Scale limits

+| Scale factor | Supported limit |

+|||

+| Storage tasks per subscription | 100 |

+| Storage task assignments per storage task | 50 |

+| Storage task assignments per storage account | 50 |

+| Storage task definition versions | 50 |

+Azure Storage Actions autoscales its processing tasks based on the volume of data in a storage account, subject to internal limits. The duration of execution depends on the number of blobs in the storage account, as well as their hierarchy in Azure Data Lake Storage Gen2. The first execution of a task over a path prefix might take longer than subsequent executions. Azure Storage Actions are also designed to be self-regulating and to allow application workloads on the storage account to take precedence. As a result, the scale and the duration of execution also depend on the available transaction capacity given the storage account's maximum request limit. The following are typical processing scales, which might be higher if you have more transaction capacity available, or might be lower for lesser spare transaction capacity on the storage account.

+During the preview, Azure Storage Actions can invoke up to 200 million operations per day for a maximum of seven days on a flat-namespace storage account. Depending on the proportion of blobs targeted that meet the condition for operations, a task assignment might process between 200 million and four billion blobs in a day.

+For storage accounts with a hierarchical namespace, Azure Storage Actions can invoke up to 35 million operations per day for a maximum of seven days during the preview. Depending on the proportion of blobs targeted that meet the condition for operations, a task assignment might process between 35 million to 400 million blobs in a day.

+## Overlapping prefix for assignments

+Storage tasks don't prevent execution of task assignments on overlapping prefixes. If there are multiple task assignments with overlapping prefixes, blobs might be processed by these task assignments in any order. If the execution order of operations across these task assignments is important, then as you configure the task, ensure that the prefix for assignments doesn't overlap.

+## Concurrency limit for execution

+Storage tasks have a limit on the number of task assignments that can be executed concurrently on each storage account. To ensure optimal performance, make sure that task assignments on a single storage account are scheduled to run with a reasonable time interval between them based on the objects targeted, to ensure task runs complete in time. Task assignment executions exceeding the concurrency limit for a storage account are paused until other assignments have completed.

+## Scale dependence on transaction capacity available for the storage account

+Storage task assignment execution is autoscaled depending on the transaction request capacity available on the storage account. Scale is higher when more transaction capacity is available and lower when less transaction capacity is available.

+When the targeted storage account has lower available transaction capacity, storage task execution might be throttled resulting in longer than expected duration for completing the task assignment execution.

+For more information about scale limits, see [Scalability and performance targets for Blob storage](../../storage/blobs/scalability-targets.md).

+> [!NOTE]

+> You can request higher capacity and ingress limits. To request an increase, contact [Azure Support](https://azure.microsoft.com/support/faq/).

+## Storage task runs can write to the report export container without permission to the container

+As you create a task assignment, you'll assign a role to the system-assigned managed identity of the storage task. When the storage task runs, it can operate only on containers where it's managed identity is assigned the required role. This is not the case with the report export container that you choose during task assignment. While a storage task can't operate on existing blobs in that container, a task does not require the correct role to write reports to that container.

+## String operators on container metadata, blob metadata, and blob index tags don't work if the values are numbers

+You can't use string operators on container metadata, blob metadata and blob index tags along with numbers as value. For example, equals(Tags.Value[Year], '2022') where the value '2022' is a number, along with string operator equals, doesn't evaluate correctly.

+## Assignments fail when they reference a storage account name that starts with a digit

+If you assign a storage task to a storage account that has a name, which starts with a digit, the storage task assignment fails.

+## Storage task assignments fail on some storage accounts in supported regions

+Storage tasks are supported on new storage accounts created after the subscription is allow-listed. They might not work on some existing storage accounts even thought those accounts are located in supported regions.

+## Monitoring data doesn't appear unless the storage task and the storage account are in the same resource group

+If the storage task and the storage account specified in the task assignment are in different resource groups, the aggregated monitoring data for the storage account doesn't show up correctly in the monitoring tab of the storage task pane.

+## Storage tasks assignment execution gets stuck in an in-progress state with no blobs processed

+In most cases, tasks execution progresses after 20 minutes. However, if the task gets stuck, then make sure that the target storage account has the necessary compatible configuration. For example, if the storage task sets the immutability policy, but the target account isn't configured with versioning support, the storage task won't progress and will eventually fail. Make sure to test each operation on the target storage account by using a mechanism other than a storage task to ensure that the operation succeeds. Then, add the operation to the storage task.

+## Storage task fails with an internal error

+If incompatible storage task operations are tried out on storage accounts, the task execution can fail with an error, or it can be stuck in in-progress state. For example, an operation that attempts to set a blob index tag on an account that has a hierarchical namespace won't succeed. Make sure that the storage account configuration and the storage task operation are compatible.

+## Whitespace characters in Blob index tags and metadata isn't yet supported

+Whitespace characters in the key and value of blob tags are acceptable inputs. However, storage task conditions are unable to process the whitespace characters. If a key or value contains a whitespace character, an error appears when the task runs.

+## Blob name property value contains or matches "." is unsupported

+The string field input on blob name clause accepts ".doc" or ".pdf" as inputs but fails to deploy the task resource. The service resource provider validation catches it and throws the error. The value of the property 'Name' is '.doc' and it doesn't follow the pattern '^[a-zA-Z0-9]+$'"}]}.

+## Storage task assignments operate on an incomplete list of blobs when used with multiple directory filters in accounts that have a hierarchical namespace

+If multiple filters are used in storage task assignments, not all directory prefixes are scanned for blobs to be operated on.

+## Using whitespace characters in the path prefix during task assignment isn't supported

+Storage accounts that have a hierarchical namespace display location information as `container1 / subcontainer1` with a whitespace character between the string and the `/` character. An error appears if you copy and paste this information into the path prefix field during assignment.

+## See Also

+- [Azure Storage Actions overview](../overview.md)

+ Title: Properties, operators, and operations in storage task conditions

+description: Learn about the elements of conditions and operations in a storage task.

+# Properties, operators, and operations in storage task conditions

+This article describes the properties, operators, and operations that you can use to compose each storage task condition. To learn how to define conditions and operations, see [Define storage task conditions and operations](storage-task-conditions-operations-edit.md).

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Supported properties in a clause

+The following table shows the properties that you can use to compose each clause of a condition. A clause can contain string, boolean, numeric, as well as date and time properties.

+| String | Date and time<sup>3</sup> | Numeric | Boolean |

+|--||-||

+| AccessTier<sup>1</sup> | AccessTierChangeTime | Content-Length | Deleted |

+| Metadata.Value | Creation-Time | TagCount | IsCurrentVersion |

+| Name | DeletedTime | | |

+| BlobType<sup>2</sup> | LastAccessTime | | |

+| Container.Metadata.Value[Name] | Last-Modified | | |

+| Container.Name | | | |

+| Container.Metadata.Value[Name] | | | |

+| Container.Name | | | |

+| Tags.Value[Name] | | | |

+| VersionId | | | |

+<sup>1</sup> Allowed values are `Hot`, `Cool`, or `Archive`.

+<sup>2</sup> Allowed values are `BlockBlob`, `PageBlob`, or `AppendBlob`

+<sup>3</sup> Can be set to a specific time or to a metadata value dynamically obtained from objects. See [Reference a value from object metadata](storage-task-conditions-operations-edit.md#reference-a-value-from-object-metadata).

+### Supported operators in a clause

+The following table shows the operators that you can use in a clause to evaluate the value of each type of property.

+| String | Date and time | Numeric | Boolean |

+|||||

+| contains | equals |equals | equals |

+| empty | greater | greater | not |

+| equals | greaterOrEquals |greaterOrEquals ||

+| endWith | less | less ||

+| length | lessOrEquals | lessOrEquals ||

+| startsWith | addToTime | ||

+| Matches | | ||

+## Supported operations

+The following table shows the supported operations, parameters, and parameter values:

+| Operation | Parameters | Values |

+||-||

+| Set blob tier | Tier | Hot \| Cold \| Archive |

+| Set blob expiry | None | Absolute \| Never expire \| Relative to creation time \| Relative to current time |

+| Delete blob | None | None |

+| Undelete blob | None | None |

+| Set blob tags | TagSet | A fixed collection of up to 10 key-value pairs |

+| Set blob immutability policy | DateTime, string | DateTime of when policy ends, Locked \| Unlocked |

+| Set blob legal hold | Bool | True \| False |

+## See also

+- [Define conditions and operations](storage-task-conditions-operations-edit.md)

+ Title: 'Quickstart: Create, assign, and run a storage task'

+description: Learn how to create your first storage task. You'll also assign that task to a storage account, queue the task to run, and then view the results of the run.

+# Quickstart: Create, assign, and run a storage task

+In this quickstart, you learn how to use the [Azure portal](https://portal.azure.com/) to create a storage task and assign it to an Azure Storage account. Then, you'll review the results of the run. The storage task applies a time-based immutability policy any Microsoft Word documents that exist in the storage account.

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Prerequisites

+- An Azure subscription. See [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An Azure storage account. See [create a storage account](../../storage/common/storage-account-create.md). As you create the account, make sure to enable version-level immutability support and that you don't enable the hierarchical namespace feature.

+- The [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role is assigned to your user identity in the context of the storage account or resource group.

+- A custom role assigned to your user identity in the context of the resource group which contains the RBAC actions necessary to assign a task to a storage account. See [Permissions required to assign a task](storage-task-authorization-roles.md#permission-for-a-task-to-perform-operations).

+- A blob container with one or more Microsoft Word documents stored in that container.

+## Create a task

+1. In the Azure portal, search for _Storage tasks_.

+2. Under **Services**, select **Storage tasks - Azure Storage Actions**.

+ > [!div class="mx-imgBorder"]

+ > 

+3. On the **Azure Storage Actions | Storage Tasks** page, select **Create**.

+ > [!div class="mx-imgBorder"]

+ > 

+4. In the **Basics** page, under **Project details**, make sure that the correct subscription is selected. Then, select the same resource group that contains your new storage account.

+ > [!div class="mx-imgBorder"]

+ > 

+5. Under **Instance details**, enter *mystoragetask* for the **Storage task name**, and select any region that is supported by the preview of this service.

+ > [!div class="mx-imgBorder"]

+ > 

+6. Select **Next** to open the **Conditions** page.

+## Add clauses to a condition

+You can specify the conditions of a storage task by making selections in **If** section of the **Visual Builder** tab. Every storage task has at least one condition with one clause in that condition.

+1. In the **Select a property** drop-down list of the **If** section, select **Blob name**.

+2. For the **Operator** of that condition, select **Ends with**, and in the **Enter a string** box, enter _.docx_.

+ > [!div class="mx-imgBorder"]

+ > 

+ This condition allows operations only on Word documents.

+## Add operations

+You can specify the operations that a storage task performs by making selections in **Then** section of the **Visual Builder** tab. Every storage task has at least one operation to perform when a blob or container meets the specified condition.

+1. In the **Select an operation** drop-down list of the **Then** section, select **Set blob immutability policy**.

+ > [!div class="mx-imgBorder"]

+ > 

+ This operation applies a time-based immutability policy to Microsoft Word documents.

+2. Select **Add new operation**, and then in the **Select a operation** drop-down list, select **Set blob tags**.

+3. In the **Enter a tag name** box, Enter _ImmutabilityUpdatedBy_, and in the **Enter a tag value** box, enter _StorageTaskQuickstart_.

+ > [!div class="mx-imgBorder"]

+ > 

+ This operation adds a blob index tag to each Word document in that container.

+4. Select **Next** to open the **Assignments** page.

+## Add an assignment

+A storage task _assignment_ specifies a storage account. After you enable the storage task, the conditions and operations of your task will be applied to that storage account. The assignment also contains configuration properties which help you target specific blobs, or specify when and how often the task runs. You can add an assignment for each account you want to target.

+1. Select **Add assignment**.

+ The **Add assignment** pane appears.

+2. In the **Select scope** section, select your subscription and storage account and name the assignment _mystoragetaskassignment_.

+ > [!div class="mx-imgBorder"]

+ > 

+3. In the **Role assignment** section, in the **Role** drop-down list, select the **Storage Blob Data Owner** to assign that role to the system-assigned managed identity of the storage task.

+ > [!div class="mx-imgBorder"]

+ > 

+4. In the **Filter objects** section, make sure that the **Blob prefix** option is selected. Then, in the **Blob prefixes** box, enter the prefix of the container that you are using to complete this quickstart followed by the `/` character. For example, if your test container is named `mycontainer`, then enter `mycontainer/`.

+ > [!div class="mx-imgBorder"]

+ > 

+ Filters help you narrow the scope of execution. If you want the task to evaluate all of the containers and blobs in an account, then you can select the **Do not filter** option instead.

+5. In the **Trigger details** section, select **Single run (only once)** and then select the container where you'd like to store the execution reports.

+ > [!div class="mx-imgBorder"]

+ > 

+6. Select **Add**.

+7. In the **Tags** tab, select **Next**.

+8. In the **Review + Create** tab, select **Review + create**.

+ When the task is deployed, the **Your deployment is complete** page appears.

+9. Select **Go to resource** to open the **Overview** page of the storage task.

+## Enable the task assignment

+Storage task assignments are disabled by default. Enable assignments from the **Assignments** page.

+1. Select **Assignments**, select the **mystoragetaskassignment** assignment, and then select **Enable**.

+ > [!div class="mx-imgBorder"]

+ > 

+ The task assignment is queued to run.

+2. Periodically select **Refresh** to view an updated status.

+ Until the task runs and then completes, the string **In progress** appears beneath the **Last run status** column. When the task completes, the string **Completed** appears in that column.

+ > [!div class="mx-imgBorder"]

+ > 

+## View results of the task run

+After the task completes running, you can view the results of the run.

+1. With the **Assignments** page still open, select **View task runs**.

+ The **Execution tasks** pane appears, and in that pane, a line item which describes the report appears.

+2. Select the **View report** link to download a report.

+ > [!div class="mx-imgBorder"]

+ > 

+ The report appears as a comma-separated list of the container, the blob, and the operation performed along with a status. You can also view these comma-separated reports in the container that you specified when you configured the assignment.

+## Next steps

+[Create a storage task](storage-task-create.md)

+ Title: Analyze storage task runs

+description: Learn how to view lists of runs and review run reports.

+# Analyze storage task runs

+You can view a list of task runs. For each completed run, you can open a report that lists each object that met the conditions of the task and the outcome of the operation against that object.

+> [!IMPORTANT]

+> Azure Storage Actions is currently in PREVIEW and is available these [regions](../overview.md#supported-regions).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## View a list of task runs

+After a task run completes, it appears in a list that you can open and review.

+### Storage task view

+You can see all of the runs attempted by a storage task by opening a list of runs from the storage task menu. You'll see only those runs against accounts to which you have read permission.

+Navigate to the storage task in the Azure portal and then under **Storage task management**, select **Task runs**.

+> [!div class="mx-imgBorder"]

+> 

+Metrics appear as tiles that you can select to view a list of the task runs which comprise the metric. For example, to view list of task runs where at least one operation failed, select the **Objects on which the operation failed** tile. Then, a filtered list of task runs will appear. You can filter this list by time frame. The following table describes each field that appears in this list.

+| Column | Description |

+|--|--|

+| Execution start time | The date and time when the task run started. |

+| Storage account name | The name of the storage account that was targeted by the task assignment. |

+| Assignment name | The name of the assignment. This name is specified by the creator of the assignment at configuration time. |

+| Status | Specifies whether the task completed or is pending execution. |

+| Completed / attempted count | The number of objects which met the conditions of the storage task and the total number of objects targeted by the storage task. |

+| Report download | A link to an execution report. This report appears only when the status is `Completed`.|

+### Storage account view

+You can see all runs against a specific storage account by opening a list of runs from the storage account menu.

+Navigate to the storage account in the Azure portal and then under **Data management**, select **Storage tasks**.

+> [!div class="mx-imgBorder"]

+> 

+A list of task runs appears. You can filter this list by time frame. The following table describes each field that appears in this list.

+| Column | Description |

+|--|--|

+| Execution start time | The date and time when the task run started. |

+| Assignment name | The name of the assignment. This name is specified by the creator of the assignment at configuration time. |

+| Task name | The name of the storage task. This name is specified by the creator of the assignment at configuration time. |

+| Status | Specifies whether the task completed or is pending execution. When the status is `Completed`, a link to an execution report appears. |

+| Completed / attempted count | The number of objects which met the conditions of the storage task and the total number of objects targeted by the storage task. |

+## View execution reports

+Each task run generates an execution report. That report is stored in a container that is located in the targeted storage account. The name of that container is specified when the assignment is created. A link to the report appears next to each run in the task run list. Use that link to open a report which contains status information about each object that was targeted by the run.

+To open the report, select the **View report** link for any listed task run. Then, the report will begin downloading. The report is packaged as a compressed file so you'll have to extract the contents of that file to a directory on your client.

+The report is formatted as a CSV file. Each row of the report contains the details about the execution of the operation on each object that is targeted by the task. The following table describes the columns of information that appear in the execution report:

+| Name | Description |

+|--|--|

+| Container | Definition |

+| Blob | The fully qualified name of the blob. |

+| Snapshot | The ID of the snapshot for this task. This field is empty if the object is a base blob. |

+| VersionId | The ID of the version of this task. This field is empty if the object is a base blob. |

+| Operation | The operation attempted. |

+| Result | This field contains a value of `Success` or `Failed`. This field is set to `N/A` if the application of the defined conditions on the object evaluates to false. |

+| Error description | This field is empty if the operation succeeds or the application of the defined conditions on the object evaluates to false. |

+| Error code | This field is empty if the operation succeeds or the application of the defined conditions on the object evaluates to false. |

+| Matched condition block | The condition block associated with the row. |

+The following example shows an execution report:

+> [!div class="mx-imgBorder"]

+> 

+## See also

+- [Monitor Azure Storage Actions](monitor-storage-tasks.md)

+- [Storage Tasks Overview](../overview.md)

+ Title: Storage Actions monitoring data reference

+description: Important reference material needed when you monitor Azure Storage Actions.

+# Azure Storage Actions monitoring data reference

+See [Monitoring Azure Storage Actions](monitor-storage-tasks.md) for details on collecting and analyzing monitoring data for Azure Storage Actions.

+## Metrics

+This section lists all the automatically collected platform metrics for Azure Storage Actions.

+|Metric Type | Resource Provider / Type Namespace<br/> and link to individual metrics |

+|-|--|

+| Storage tasks | [Microsoft.StorageActions/storageTasks](/azure/azure-monitor/reference/supported-metrics/microsoft-storage-storagetasks-metrics) |

+| Storage tasks | [Microsoft.StorageActions/storageAccounts/storageTasks](/azure/azure-monitor/reference/supported-metrics/microsoft-storage-storageaccounts-storagetasks-metrics) |

+## Metric dimensions

+For more information on what metric dimensions are, see [Multi-dimensional metrics](/azure/azure-monitor/platform/data-platform-metrics#multi-dimensional-metrics).

+Azure Storage Actions support the following dimensions for metrics in Azure Monitor.

+| Dimension Name | Description |

+| - | -- |

+| **AccountName** | The name of a storage account |

+| **TaskAssignmentId** | The ID of the task assignment |

+## Activity log

+The following table lists the operations that Azure Storage Actions might record in the activity log. This list of entries is a subset of the possible entries that you might find in the activity log.

+| Namespace | Description |

+|:|:|

+| Microsoft.StorageActions/storageTasks/read | Reads an existing storage task. |

+| Microsoft.StorageActions/storageTasks/delete | Deletes a storage task. |

+| Microsoft.StorageActions/storageTasks/promote/action | Promotes specific version of storage task to current version. |

+| Microsoft.StorageActions/storageTasks/write | Edits a storage task. |

+| Microsoft.StorageActions/storageAccounts/storageTasks/delete | Deletes a storage task. |

+| Microsoft.StorageActions/storageAccounts/storageTasks/read | Reads an existing storage task. |

+| Microsoft.StorageActions/storageAccounts/storageTasks/executionsummary/action | Opens task runs. |

+| Microsoft.StorageActions/storageAccounts/storageTasks/assignmentexecutionsummary/action | Opens task runs from the Assignments pane. |

+| Microsoft.StorageActions/storageAccounts/storageTasks/write | Edits a storage task. |

+See [all the possible resource provider operations in the activity log](/azure/role-based-access-control/resource-provider-operations).

+For more information on the schema of Activity Log entries, see [Activity Log schema](/azure/azure-monitor/essentials/activity-log-schema).

+## See Also

+- See [Monitoring Azure Storage Actions](monitor-storage-tasks.md) for a description of monitoring Azure Storage Actions.

+- See [Monitoring Azure resources with Azure Monitor](../../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.

+|Maximum capacity units (TiB) |100 |100 |600 |600|600|600| 600 |600 |600 |600 | 100 | 100 |

+|Maximum capacity units (TiB) |200 |200 |200 |200 |

+Using the [DeltaTableBuilder API](https://docs.delta.io/latest/delta-apidoc.html):

+Using the [DeltaTableBuilder API](https://docs.delta.io/latest/delta-apidoc.html)

+- **Data Disk IOPS Consumed Percentage**: The percentage calculated by dividing the actual data disk IOPS completed by the provisioned data disk IOPS. If this amount is at 100%, your application running is IO capped from your data disk's IOPS limit.

+- **Data Disk Bandwidth Consumed Percentage**: The percentage calculated by dividing the actual data disk throughput completed by the provisioned data disk throughput. If this amount is at 100%, your application running is IO capped from your data disk's bandwidth limit.

+- **OS Disk IOPS Consumed Percentage**: The percentage calculated by dividing the actual OS disk IOPS completed by the provisioned OS disk IOPS. If this amount is at 100%, your application running is IO capped from your OS disk's IOPS limit.

+- **OS Disk Bandwidth Consumed Percentage**: The percentage calculated by dividing the actual OS disk throughput completed by the provisioned OS disk throughput. If this amount is at 100%, your application running is IO capped from your OS disk's bandwidth limit.

+- **VM Cached IOPS Consumed Percentage**: The percentage calculated by dividing the total actual cached IOPS completed by the max cached virtual machine IOPS limit. If this amount is at 100%, your application running is IO capped from your VM's cached IOPS limit.

+- **VM Cached Bandwidth Consumed Percentage**: The percentage calculated by dividing the total actual cached throughput completed by the max cached virtual machine throughput. If this amount is at 100%, your application running is IO capped from your VM's cached bandwidth limit.

+- **VM uncached IOPS Consumed Percentage**: The percentage calculated by dividing the total actual uncached IOPS on a virtual machine completed by the max uncached virtual machine IOPS limit. If this amount is at 100%, your application running is IO capped from your VM's uncached IOPS limit.

+- **VM Uncached Bandwidth Consumed Percentage**: The percentage calculated by dividing the total actual uncached throughput on a virtual machine completed over the max provisioned virtual machine throughput. If this amount is at 100%, your application running is IO capped from your VM's uncached bandwidth limit.

+The most important field is the Nessus Linking Key (**nessusLinkingKey**, required). It is always required. This document explains where to find it: [Retrieve the Tenable Nessus Agent Linking Key (Tenable Nessus Agent 10.4)](https://docs.tenable.com/nessus/Content/RetrieveLinkingKey.htm). In the PowerShell interface, specify nessusLinkingKey under `-ProtectedSettings` so that it will be encrypted by Azure. All other fields are passed unencrypted through -Settings.

+## Quickstart template

+>[!NOTE]

+> The provided template creates an [Azure Generation 2 VM](../generation-2.md) by default.

+>[!NOTE]

+> Only SSH authentication is enabled by default when using the quickstart template. When prompted, provide the value of your own SSH public key, such as the contents of *~/.ssh/id_rsa.pub*.

+>

+> If you don't have an SSH key pair, [create and use an SSH key pair for Linux VMs in Azure](mac-create-ssh-keys.md).

+Click **Copy** to add the quickstart template to your clipboard:

+You can also download or create a template and specify the local path with the `--template-file` parameter.

+## Create a quickstart template VM with Azure CLI

+After acquiring or creating a quickstart template, create a VM with it using the Azure CLI.

+The following command requests several pieces of input from the user. These include:

+- Name of the Resource Group (resourceGroupName)

+- Location of the Azure datacenter that hosts the VM (location)

+- A name for resources related to the VM (projectName)

+- Username for the administrator user (username)

+- A public SSH key for accessing the VM's terminal (key)

+Creating an Azure virtual machine requires a [resource group](./../../azure-resource-manager/management/manage-resource-groups-portal.md). Quickstart templates include resource group creation as part of the process.

+To run the CLI script, click **Open Cloudshell**. Once you have access to the Azure Cloudshell, click **Copy** to copy the command, right-click the shell, then select **Paste**.

+The last line in the command shows the public IP address of the newly created VM. You need the public IP address to connect to the virtual machine.

+You can then SSH to your VM as normal. Provide your own public IP address from the preceding command:

+## Other templates

+In this example, you created a basic Linux VM. For more Resource Manager templates that include application frameworks or create more complex environments, browse the [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Compute&pageNumber=1&sort=Popular).

+## Next steps

+- To learn how to develop Resource Manager templates, see [Azure Resource Manager documentation](../../azure-resource-manager/index.yml).

+- To see the Azure virtual machine schemas, see [Azure template reference](/azure/templates/microsoft.compute/allversions).

+- To see more virtual machine template samples, see [Azure Quickstart templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Compute&pageNumber=1&sort=Popular).

+ Title: Previous generation Azure VM size series

+# Previous generation Azure VM size series

+This article provides a list of all size series that are considered *previous-gen*. Status is listed as *next-gen available* or *capacity limited* based on capacity. For sizes that require it there are *migration guides* to help move to replacement sizes.

+> Series listed as *previous-gen* are **not currently retired** and can still be used.

+## What are previous-gen size series?

+Previous generations virtual machine size series are running on older hardware. While they can still be used and are fully supported, there are newer generations available. It's recommended to migrate to the latest generation replacements.

+To learn more about previous-gen sizes, retirement, and the status states of previous-gen size series, see the [size series retirement overview](./retirement-overview.md).

+| Basic A-series | [Capacity limited](./retirement-overview.md#capacity-limited) |

+| Standard A-series | [Capacity limited](./retirement-overview.md#capacity-limited) |

+| Compute-intensive A-series | [Capacity limited](./retirement-overview.md#capacity-limited) |

+| Standard D-series | [Capacity limited](./retirement-overview.md#capacity-limited) |

+| Preview DC-series | [Capacity limited](./retirement-overview.md#capacity-limited) |

+| DS-series | [Capacity limited](./retirement-overview.md#capacity-limited) |

+| F-series | [Next-gen available](./retirement-overview.md#next-gen-available) | |

+| Fs-series | [Next-gen available](./retirement-overview.md#next-gen-available) | |

+| GS-series | [Capacity limited](./retirement-overview.md#capacity-limited) | |

+| G-series | [Capacity limited](./retirement-overview.md#capacity-limited) | |

+| Memory-optimized D-series | [Capacity limited](./retirement-overview.md#capacity-limited) | |

+| Memory-optimized DS-series| [Capacity limited](./retirement-overview.md#capacity-limited) | |

+| Ls-series | [Capacity limited](./retirement-overview.md#capacity-limited) | |

+| NVv2-series | [Next-gen available](./retirement-overview.md#next-gen-available) | |

+ Title: Retired Azure VM size series

+# Retired Azure VM size series

+> [!WARNING]

+> Series with *Retirement Status* listed as *Retired* are **no longer available** and can't be provisioned.

+## What are retired size series?

+Retired virtual machine size series are running on older hardware which is no longer supported. The hardware will be replaced with newer generations of hardware.

+Series with *Retirement Status* listed as *Announced* are still available, but will be retired on the *Planned Retirement Date*. It's recommended that you plan your migration to a replacement series well before the listed retirement date.

+To learn more about size series retirement, previous-gen sizes, and the retirement process, see the [size series retirement overview](./retirement-overview.md).

+> [!IMPORTANT]

+> If you are currently using one of the size series listed as *Retired*, view the migration guide to switch to a replacement series as soon as possible.

+*Previous-gen* size series are not retired and still fully supported, but they have limitations similar to series that are announced for retirement. For a list of previous-gen sizes, see [previous generation Azure VM sizes](./previous-gen-sizes-list.md).

+| NCv2-Series | **Retired** | - | 9/6/23 | [NCv2-series Retirement](./migration-guides/ncv2-series-retirement.md) |

+| ND-Series | **Retired** | - | 9/6/23 | [ND-series Retirement](./migration-guides/nd-series-retirement.md) |

+description: Overview of the retirement process for virtual machine size series and information on previous-gen sizes.

+# Previous-gen and retired VM size series

+Azure virtual machine sizes are the amount of resources allocated to a virtual machine in the cloud. These resources are a portion of the physical serverΓÇÖs hardware capabilities. A *size series* is a collection of all sizes that are available within a single physical serverΓÇÖs hardware. As a size series' physical hardware ages and newer components are released, Microsoft stops deploying more of previously established series' hardware. Once users migrate off of said hardware or the hardware becomes sufficiently outdated, it's retired to make room for new infrastructure.

+When hardware becomes *previous-gen* or begins the retirement process, we recommend migrating workloads to newer generation hardware. Newer hardware provides better performance and future scalability. Migrating also helps you to avoid any potential issues that may arise from using outdated hardware. By keeping your hardware up-to-date, you can ensure that your workloads are running smoothly and efficiently.

+This article describes the various states of older hardware and explains the processes behind these states.

+Previous generation size series **are not currently retired** and can still be used. These sizes are still fully supported, but they aren't guaranteed to receive more capacity. We recommend migrating to the latest generation replacements as soon as possible, especially when trying to scale up your installations.

+There are two types of previous-gen sizes; *next-gen available* and *capacity limited*.

+### Next-gen available

+Size series listed as *next-gen available* means that while no capacity limitation plans have been made, there are sufficient deployments of newer alternative sizes to justify considering these series "previous-gen". *Next-gen available* series have no formal announcement of retirement timelines, but they'll eventually be retired.

+For a list of previous-gen size series that are considered *next-gen available*, see the [list of previous-gen sizes](./previous-gen-sizes-list.md).

+### Capacity limited

+Size series listed as *capacity limited* means that while no retirement plans have been made, no extra capacity for this series will be deployed. Similar to *next-gen available* previous-gen series, there are sufficient deployments of newer alternative sizes available to replace *capacity limited* size deployments.

+If you had one VM running on a *capacity limited* size and require another VM of a similar size in the same series, there is no guarantee that capacity will be able to fulfill this request. Any new VMs should be created using sizes in [series that aren't considered previous-gen](../sizes.md). Migrating to sizes considered *next-gen available* is not recommended since these sizes are also similarly outdated.

+For a list of previous-gen size series that are considered *capacity limited*, see the [list of previous-gen sizes](./previous-gen-sizes-list.md).

+Retired size series are **no longer available** and can't be used. If you have VMs running on sizes that are considered *retired*, migrate to a newer next-gen size as soon as possible.

+Retiring hardware is necessary over time to ensure that the latest and greatest technology is available on Azure. Retirement ensures that the hardware is reliable, secure, and efficient. It also allows for the latest features and capabilities that may not be present on previous generations of hardware.

+Hardware which is currently listed as *previous-gen* are often preparing for retirement which will be announced formally prior to the retirement date.

+For information on size series that have been retired or are scheduled for retirement, see the [list of retired sizes](./retired-sizes-list.md).

+Migrating to newer sizes allows you to keep up with the latest hardware and features available on Azure.

+Some size series have specific migration instructions due to the unique hardware or software features. To see a list of migration guide, see [retired size migration guides](./retired-sizes-list.md) and [previous-gen size migration guides](./previous-gen-sizes-list.md).

+For sizes without specific instructions, you can [resize your VM](./resize-vm.md) to a newer size using the Azure portal, Azure PowerShell, Azure CLI, or Terraform. Make sure that the new size has support for all features that your workload requires.

+- For a list of previous-gen sizes, see [Previous generation Azure VM sizes](./previous-gen-sizes-list.md).

+- [ASNA Visual RPG for .NET](https://docs.asna.com/documentation/Help170/AVR/_HTML/AvrInstallationandsetup.htm) compiler for the .NET Framework via Visual Studio plug-in.

+- [cPacket Cloud Visbility](https://www.cpacket.com/resources/ccloud/)

+> [!NOTE]

+> As of February 1, 2024, the below toggle's backend functionality has not rolled out to all regions. As a result, you may see the toggle option, but enabling/disabling the toggle will not have any effect. The backend functionality is aimed to finish rolling out within the next several weeks.

+>

+Enabling or disabling the toggle will only affect the following traffic flow: traffic flowing between the Virtual WAN hub and standalone VNet(s) via the ExpressRoute circuit. Enabling or disabling the toggle will **not** incur downtime for all other traffic flows (Ex: on-premises site to spoke VNet 2 will not be impacted, VNet 2 to VNet 3 will not be impacted, etc).

+- A working WAF and a Log Analytics Workspace that is configured to receive logs from the respective Azure Application Gateway or Azure Front Door. For more information, see [Resource logs for Azure Web Application Firewall](ag/web-application-firewall-logs.md).

+- Additionally, Microsoft Sentinel should be enabled for the Log Analytics Workspace that is being used here. For more information, see [Quickstart: Onboard Microsoft Sentinel](../sentinel/quickstart-onboard.md).

+ > It is important to ensure that the WAF logs are already in the Log Analytics Workspace before you create this Analytical rule. Otherwise, Sentinel will not recognize some of the columns in the query and you will have to add extra input like `| extend action_s = column_ifexists(ΓÇ£action_sΓÇ¥, ΓÇ£ΓÇ¥), transactionId_g = column_ifexists(ΓÇ£transactionId_gΓÇ¥, ΓÇ£ΓÇ¥)` for each column that gives an error. This input creates the column names manually and assigns them null values. To skip this step, send the WAF logs to the workspace first.