+- Learn how to [pass the Azure AD token to your application](idp-pass-through-user-flow.md).

+- Check out the Azure AD multi-tenant federation [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#azure-active-directory), and how to pass Azure AD access token [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#azure-active-directory-with-access-token)

+- Learn how to [pass Facebook token to your application](idp-pass-through-user-flow.md).

+- Check out the Facebook federation [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#facebook), and how to pass Facebook access token [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#facebook-with-access-token)

+## Next steps

+- Learn how to [pass GitHub token to your application](idp-pass-through-user-flow.md).

+- Check out the GitHub federation [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#github), and how to pass GitHub access token [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#github-with-access-token)

+- Learn how to [pass Google token to your application](idp-pass-through-user-flow.md).

+- Check out the Google federation [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#google), and how to pass Google access token [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#google-with-access-token)

+Azure AD B2C supports passing the access token of [OAuth 2.0](authorization-code-flow.md) and [OpenID Connect](openid-connect.md) identity providers. For all other identity providers, the claim is returned blank. For more details, check out the identity providers federation [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers).

+| Redirect URLs |Specify the page to which users are redirected after BindID authentication: `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`<br>For Example: `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br>If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp.<br>Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant.|

+Because this configuration is widely used with the *Workday to Active Directory user provisioning* app, the following steps include screenshots of the Workday application. However, the configuration can also be used with *all other apps*, such as ServiceNow, Salesforce, and Dropbox. Note that in order to successfully complete this procedure you must have first set up app provisioning for the app. Each app has its own configuration article. For example, to configure the Workday application, see [Tutorial: Configure Workday to Azure AD user provisioning](../saas-apps/workday-inbound-cloud-only-tutorial.md).

+ - Interactive logon: Require smart card is set to enabled or 1

+> [Firefox 91+](https://support.mozilla.org/kb/windows-sso) is supported for device-based Conditional Access, but "Allow Windows single sign-on for Microsoft, work, and school accounts" needs to be enabled.

+Continuous access evaluation is implemented by enabling services, like Exchange Online, SharePoint Online, and Teams, to subscribe to critical Azure AD events. Those events can then be evaluated and enforced near real time. Critical event evaluation doesn't rely on Conditional Access policies so it is available in any tenant. The following events are currently evaluated:

+## Share your product ideas

+Have an idea for improving the for the Microsoft identity platform? Browse and vote for ideas submitted by others or submit your own:

+https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

+- [Quickstart: Acquire a token and call the Microsoft Graph API by using a console app's identity](console-app-quickstart.md)

+- [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](desktop-app-quickstart.md)

+- [Quickstart: Add sign-in with Microsoft to a web app](web-app-quickstart.md)

+- [Quickstart: Protect a web API with the Microsoft identity platform](web-api-quickstart.md)

+- [Quickstart: Sign in users and call the Microsoft Graph API from a mobile application](mobile-app-quickstart.md)

+>This information last updated on March 10th, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Teams Phone with Calling Plan | MCOTEAMS_ESSENTIALS | ae2343d1-0999-43f6-ae18-d816516f6e78 | MCOPSTN1 (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) | Microsoft 365 Domestic Calling Plan (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) |

+>The policy list is enumerated only once when first switching to this tab. A refresh button is available to manually force the wizard to query your tenant, but this button is displayed only when the application has been deployed.

+In Azure Active Directory (Azure AD), for more granular administrative control, you can assign an Azure AD role with a scope that's limited to one or more administrative units. When an Azure AD role is assigned at the scope of an administrative unit, role permissions apply only when managing members of the administrative unit itself, and do not apply to tenant-wide settings or configurations.

+For example, an administrator who is assigned the Groups Administrator role at the scope of an administrative unit can manage groups that are members of the administrative unit, but they cannot manage other groups in the tenant. They also cannot manage tenant-level settings related to groups, such as expiration or group naming policies.

+This article describes how to assign Azure AD roles with administrative unit scope.

+| [Groups Administrator](permissions-reference.md#groups-administrator) | Can manage all aspects of groups in the assigned administrative unit only. |

+| [SharePoint Administrator](permissions-reference.md#sharepoint-administrator) | Can manage Microsoft 365 groups in the assigned administrative unit only. For SharePoint sites associated with Microsoft 365 groups in an administrative unit, can also update site properties (site name, URL, and external sharing policy) using the Microsoft 365 admin center. Cannot use the SharePoint admin center or SharePoint APIs to manage sites. |

+| [Teams Administrator](permissions-reference.md#teams-administrator) | Can manage Microsoft 365 groups in the assigned administrative unit only. Can manage team members in the Microsoft 365 admin center for teams associated with groups in the assigned administrative unit only. Cannot use the Teams admin center. |

+In this section, you create a user called B.Simon in Sonarqube. Work with [Sonarqube Client support team](https://sonarsource.com/company/contact/) to add the users in the Sonarqube platform. Users must be created and activated before you use single sign-on.

+- [Resize disk PV without downtime](#resize-a-persistent-volume-without-downtime)

+## Resize a persistent volume without downtime

+> Currently, Azure disk CSI driver supports resizing PVCs without downtime on specific regions.

+> Follow this [link][expand-an-azure-managed-disk] to register the disk online resize feature.

+And after a few minutes, confirm the size of the PVC and inside the pod:

+[expand-an-azure-managed-disk]: ../virtual-machines/linux/expand-disks.md#expand-an-azure-managed-disk

+Create a *pv-azuredisk.yaml* file with a *PersistentVolume*. Update `volumeHandle` with disk resource ID. For example:

+```yaml

+apiVersion: v1

+kind: PersistentVolume

+metadata:

+ name: pv-azuredisk

+spec:

+ capacity:

+ storage: 100Gi

+ accessModes:

+ - ReadWriteOnce

+ persistentVolumeReclaimPolicy: Retain

+ csi:

+ driver: disk.csi.azure.com

+ readOnly: false

+ volumeHandle: /subscriptions/<subscriptionID>/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk

+ volumeAttributes:

+ fsType: ext4

+```

+Create a *pvc-azuredisk.yaml* file with a *PersistentVolumeClaim* that uses the *PersistentVolume*. For example:

+```yaml

+apiVersion: v1

+metadata:

+ name: pvc-azuredisk

+spec:

+ accessModes:

+ - ReadWriteOnce

+ resources:

+ requests:

+ storage: 100Gi

+ volumeName: pv-azuredisk

+ storageClassName: ""

+```

+Use the `kubectl` commands to create the *PersistentVolume* and *PersistentVolumeClaim*.

+```console

+kubectl apply -f pv-azuredisk.yaml

+kubectl apply -f pvc-azuredisk.yaml

+```

+Verify your *PersistentVolumeClaim* is created and bound to the *PersistentVolume*.

+```console

+$ kubectl get pvc pvc-azuredisk

+NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE

+pvc-azuredisk Bound pv-azuredisk 100Gi RWO 5s

+```

+Create a *azure-disk-pod.yaml* file to reference your *PersistentVolumeClaim*. For example:

+ - name: azure

+ persistentVolumeClaim:

+ claimName: pvc-azuredisk

+[use-tags]: use-tags.md

+ - nobrl

+- [*Azure Files*](azure-files-csi.md), which can be used to mount an SMB 3.0/3.1 share backed by an Azure Storage account to pods. With Azure Files, you can share data across multiple nodes and pods. Azure Files can use Azure Standard Storage backed by regular HDDs or Azure Premium Storage backed by high-performance SSDs.

+Whilst this will update the mapping of the storage classes, the binding of the Persistent Volume to the CSI provisioner will only take place at provisioning time. This could be during a cordon & drain operation (cluster update) or by detaching and reattaching the Volume.

+### Migrating in-tree disk persistent volumes

+> [!IMPORTANT]

+> If your in-tree Persistent Volume reclaimPolicy is set to Delete you will need to change the Persistent Volume to Retain to persist your data. This can be achieved via a [patch operation on the PV](https://kubernetes.io/docs/tasks/administer-cluster/change-pv-reclaim-policy/). For example:

+> ```console

+> $ kubectl patch pv pv-azuredisk --type merge --patch '{"spec": {"persistentVolumeReclaimPolicy": "Retain"}}'

+> ```

+If you have in-tree persistent volumes, get disk ID from `azureDisk.diskURI` and then follow this [guide][azure-disk-static-mount] to set up CSI driver persistent volumes

+[azure-disk-static-mount]: azure-disk-volume.md#mount-disk-as-volume

+| ignore-error | If true and the request results in an error, the error will be ignored, and the response variable will contain a null value. | No | false |

+You can control what traffic goes through the virtual network integration. There are three types of routing to consider when you configure regional virtual network integration. [Application routing](#application-routing) defines what traffic is routed from your app and into the virtual network. [Configuration routing](#configuration-routing) affects operations that happen before or during startup of you app. Examples are container image pull and app settings with Key Vault reference. [Network routing](#network-routing) is the ability to handle how both app and configuration traffic is routed from your virtual network and out.

+By default, only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) sent from your app is routed through the virtual network integration. Unless you configure application routing or configuration routing options, all other traffic will not be sent through the virtual network integration. Traffic is only subject to [network routing](#network-routing) if it is sent through the virtual network integration.

+Application routing applies to traffic that is sent from your app after it has been started. See [configuration routing](#configuration-routing) for traffic during start up. When you configure application routing, you can either route all traffic or only private traffic into your virtual network. You configure this behavior through the **Route All** setting. If **Route All** is disabled, your app only routes private traffic into your virtual network. If you want to route all your outbound app traffic into your virtual network, make sure that **Route All** is enabled.

+> * Only traffic configured in applicaiton or configuration routing is subject to the NSGs and UDRs that are applied to your integration subnet.

+> * When **Route All** is enabled, outbound traffic from your app is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.

+When you are using virtual network integration, you can configure how parts of the configuration traffic is managed. By default, configuration traffic will go directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.

+You can use route tables to route outbound traffic from your app to wherever you want. Route tables affect your destination traffic. Route tables only apply to traffic routed through the virtual network integration. See [application routing](#application-routing) and [configuration routing](#configuration-routing) for details. Common destinations can include firewall devices or gateways. Routes that are set on your integration subnet won't affect replies to inbound app requests.

+When you want to route outbound traffic on-premises, you can use a route table to send outbound traffic to your Azure ExpressRoute gateway. If you do route traffic to a gateway, set routes in the external network to send any replies back.

+An app that uses virtual network integration can use a [network security group](../virtual-network/network-security-groups-overview.md) to block outbound traffic to resources in your virtual network or the internet. To block traffic to public addresses, enable [Route All](#application-routing). When **Route All** isn't enabled, NSGs are only applied to RFC1918 traffic from your app.

+> [!NOTE]

+> If you want to try an alternative approach to connect your app to the Postgres database in Azure, see the [Service Connector version](../service-connector/tutorial-django-webapp-postgres-cli.md) of this tutorial. Service Connector is a new Azure service that is currently in public preview. [Section 4.2](../service-connector/tutorial-django-webapp-postgres-cli.md#42-configure-environment-variables-to-connect-the-database) of that tutorial introduces a simplified process for creating the connection.

+> [Configure Python app](configure-language-python.md)

+ -AADAppIdentifierUri 'api://MyOrganizationImmersiveReaderAADApp'

+ | AADAppIdentifierUri |The URI for the Azure AD app. If an existing Azure AD app is not found, a new one with this URI will be created. For example, `api://MyOrganizationImmersiveReaderAADApp`. Here we are using the default Azure AD URI scheme prefix of `api://` for compatibility with the [Azure AD policy of using verified domains](../../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains). |

+ Title: Soft Delete in Azure App Configuration

+description: Soft Delete in Azure App Configuration

+# Soft delete

+Azure App Configuration's Soft delete feature allows recovery of your data such as key-values, feature flags, and revision history of a deleted store. It's automatically enabled for all stores in the standard tier. In this article, learn more about the soft delete feature and its functionality.

+Learn how to [recover Azure App Configuration stores](./howto-recover-deleted-stores-in-azure-app-configuration.md) using the soft delete feature.

+> [!NOTE]

+> When an App Configuration store is soft-deleted, services that are integrated with the store will be deleted. For example Azure RBAC roles assignments, managed identity, Event Grid subscriptions, and private endpoints. Recovering a soft-deleted App Configuration store will not restore these services. They will need to be recreated.

+## Scenarios

+The soft delete feature addresses the recovery of the deleted stores, whether the deletion was accidental or intentional. The soft delete feature will act as a safeguard in the following scenarios:

+* **Recovery of a deleted App Configuration store**: A deleted app configuration store could be recovered in the retention time period.

+* **Permanent deletion of App Configuration store**: This feature helps you to permanently delete an app configuration store.

+## Recover

+Recover is the operation to get the stores in a soft deleted state back to an active state where one can request the store for configuration and feature management.

+## Retention period

+A variable to specify the time period, in days, for which a soft deleted store will be retained. This value can only be set at the creation of store and once set, it can't be changed. Once the retention period elapses, the store will be permanently deleted automatically.

+## Purge

+Purge is the operation to permanently delete the stores in a soft deleted state, provided the store doesn't have purge-protection enabled. To recreate the App Configuration store with the same name as a deleted store, you need to purge the store first if it's not already past the retention period.

+## Purge protection

+With Purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires. Once purge protection is enabled on a store, it can't be disabled.

+## Permissions to recover or purge store

+A user has to have below permissions to recover or purge a soft-deleted app configuration store. The built-in Contributor and Owner roles already have the required permissions to recover and purge.

+- Permission to recover - `Microsoft.AppConfiguration/configurationStores/write`

+- Permission to purge - `Microsoft.AppConfiguration/configurationStores/action`

+## Billing implications

+There won't be any charges for the soft deleted stores. Once you recover a soft deleted store, the usual charges will start applying. Soft delete isn't available with free tier.

+## Next steps

+> [!div class="nextstepaction"]

+> [Recover Azure App Configuration stores](./howto-recover-deleted-stores-in-azure-app-configuration.md)

+ Title: Recover Azure App Configuration stores (Preview)

+description: Recover/Purge Azure App Configuration soft deleted Stores

+# Recover Azure App Configuration stores (Preview)

+This article covers the soft delete feature of Azure App Configuration stores. You'll learn about how to set retention policy, enable purge protection, recover and purge a soft-deleted store.

+To learn more about the concept of soft delete feature, see [Soft-Delete in Azure App Configuration](./concept-soft-delete.md).

+## Prerequisites

+* An Azure subscription - [create one for free](https://azure.microsoft.com/free/dotnet)

+* Refer to the [Soft-Delete in Azure App Configuration](./concept-soft-delete.md#permissions-to-recover-or-purge-store) for permissions requirements.

+## Set retention policy and enable purge protection at store creation

+To create a new App Configuration store in the Azure portal, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com). In the upper-left corner of the home page, select **Create a resource**. In the **Search the Marketplace** box, type *App Configuration* and press Enter.

+ :::image type="content" source="./media/how-to-soft-delete-app-config-3.png" alt-text="In MarketPlace Search results, App Configuration is highlighted":::

+1. Select **App Configuration** from the search results, and then select **Create**.

+ :::image type="content" source="./media/how-to-soft-delete-app-config-7.png" alt-text="In Snapshot, Create option is highlighted":::

+1. On the **Create App Configuration** pane, enter the following settings:

+ | Setting | Suggested value | Description |

+ ||||

+ | **Subscription** | Your subscription | Select the Azure subscription for your store |

+ | **Resource group** | Your resource group | Select the Azure resource group for your store |

+ | **Resource name** | Globally unique name | Enter a unique resource name to use for the App Configuration store. This name can't be the same name as the previous configuration store. |

+ | **Location** | Your desired Location | Select the region you want to create your configuration store in. |

+ | **Pricing tier** | *Standard* | Select the standard pricing tier. For more information, see the [App Configuration pricing page](https://azure.microsoft.com/pricing/details/app-configuration). |

+ | **Days to retain deleted stores** | Retention period for soft deleted stores | Select the number of days for which you would want the soft deleted stores and their content to be retained. |

+ | **Enable Purge protection** | Purge protection status | Check to enable Purge protection on the store so no one can purge it before the retention period expires. |

+ :::image type="content" source="./media/how-to-soft-delete-app-config-6.png" alt-text="In Create, Recovery options are highlighted":::

+1. Select **Review + create** to validate your settings.

+1. Select **Create**. The deployment might take a few minutes.

+## Enable Purge Protection in an existing store

+1. Log in to the Azure portal.

+1. Select your standard tier App Configuration store.

+1. Refer to the screenshot below on where to check for the soft delete status of an existing store.

+ :::image type="content" source="./media/how-to-soft-delete-app-config-1.png" alt-text="In Overview, Soft-delete is highlighted.":::

+1. Click on the **Enabled** value of Soft Delete. You'll be redirected to the **properties** of your store. At the bottom of the page, you can review the information related to soft delete. The Retention period is shown as "Days to retain deleted stores". You can't change this value once it's set. The Purge protection check box shows whether purge protection is enabled for this particular store or not. Once enabled, purge protection can't be disabled.

+ :::image type="content" source="./media/how-to-soft-delete-app-config-2.png" alt-text="In Properties, Soft delete, Days to retain are highlighted.":::

+## List, recover, or purge a soft deleted App Configuration store

+1. Log in to the Azure portal.

+1. Click on the search bar at the top of the page.

+1. Search for "App Configuration" and click on **App Configuration** under **Services**. Don't click on an individual App Configuration store.

+1. At the top of the screen, click the option to **Manage deleted stores**. A context pane will open on the right side of your screen.

+ :::image type="content" source="./media/how-to-soft-delete-app-config-4.png" alt-text="On App Configuration stores, the Manage deleted stores option is highlighted.":::

+1. Select your subscription from the drop box. If you've deleted one or more App Configuration stores, these stores will appear in the context pane on the right. Click "Load More" at the bottom of the context pane if not all deleted stores are loaded.

+1. Once you find the store that you wish to recover or purge, select the checkbox next to it. You can select multiple stores

+1. Please click **Recover** at the bottom of the context pane to recover the store OR

+ click **Purge** option to permanently delete the store. Note you won't be able to purge a store when purge protection is enabled.

+ :::image type="content" source="./media/how-to-soft-delete-app-config-5.png" alt-text="On Manage deleted stores panel, one store is selected, and the Recover button is highlighted.":::

+## Recover an App Configuration store with customer-managed key enabled

+When recovering stores that use customer-managed keys, there are extra steps that need to be performed to access the recovered data. This is because the recovered store, will no longer have a managed identity assigned that has access to the customer-managed key. A new managed identity should be assigned to the store and the customer managed key settings should be reconfigured to use the newly assigned identity. When updating the managed key settings to use the newly assigned identity, ensure to continue using the same key from the key vault. For more details on how to use customer-managed keys in App Configuration stores, refer to [Use customer-managed keys to encrypt your App Configuration data](./concept-customer-managed-keys.md).

+## Next steps

+> [!div class="nextstepaction"]

+> [Soft-Delete in Azure App Configuration](./concept-soft-delete.md)

+| `https://login.microsoftonline.com`, `https://<region>.login.microsoft.com`, `login.windows.net` (for Azure Cloud), `https://login.microsoftonline.us`, `<region>.login.microsoftonline.us` (for Azure US Government) | Required to fetch and update Azure Resource Manager tokens. |

+Only used when deploying to a Windows or Linux Premium plan or to a Windows Consumption plan. Not supported for Linux Consumption plans or Windows or Linux Dedicated plans. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).

+Only used when deploying to a Windows or Linux Premium plan or to a Windows Consumption plan. Not supported for Linux Consumption plans or Windows or Linux Dedicated plans. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).

+ "maxMessageBatchSize": 1000,

+| Feburary 2022 | <ul><li>Bugfixes for the AMA Client installer (private preview)</li><li>Versioning fix to reflect appropriate Windows major/minor/hotfix versions</li></ul> | 1.2.0.0 | Not yet available |

+The Azure Monitor agent (AMA) collects monitoring data from the guest operating system of Azure virtual machines and delivers it to Azure Monitor. This article provides an overview of the Azure Monitor agent and includes information on how to install it and how to configure data collection.

+Here's an **introductory video** explaining all about this new agent, including a quick demo of how to set things up using the Azure Portal: [ITOps Talk: Azure Monitor Agent](https://www.youtube.com/watch?v=f8bIrFU8tCs)

+| Windows Client OS installer | Private preview | [Sign-up link](https://aka.ms/amadcr-privatepreviews) |

+* [Micrometer Spring Legacy](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready-metrics) 1.1.0 or above (this backports the autoconfig code in the Spring framework).

+By default, Application Insights Java 3.x produces a log file named `applicationinsights.log` in the same directory

+that holds the `applicationinsights-agent-3.2.7.jar` file.

+If no log file is generated, check that your Java application has write permission to the directory that holds the

+`applicationinsights-agent-3.2.7.jar` file.

+If still no log file is generated, check the stdout log from your Java application. Application Insights Java 3.x

+should log any errors to stdout that would prevent it from logging to its normal location.

+Otherwise, these cipher suites should already be part of modern Java 8+ distributions,

+so it is recommended to check where you installed your Java distribution from, and investigate why the security

+providers in that Java distribution's `java.security` configuration file differ from standard Java distributions.

+# [API](#tab/api-1)

+**Request body**

+**Example**

+**Sample request**

+**Sample response**

+# [CLI](#tab/cli-1)

+To configure a table for Basic Logs or Analytics Logs, run the [az monitor log-analytics workspace table update](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-update) command and set the `--plan` parameter to `Basic` or `Analytics`.

+For example:

+- To set Basic Logs:

+ ```azurecli

+ az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name ContainerLog --plan Basic

+ ```

+- To set Analytics Logs:

+ ```azurecli

+ az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name ContainerLog --plan Analytics

+ ```

+

+# [CLI](#tab/cli-2)

+To check the configuration of a table, run the [az monitor log-analytics workspace table show](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-show) command.

+For example:

+```azurecli

+az monitor log-analytics workspace table show --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name Syslog --output table \

+```

+You can set retention policies for individual tables, except for workspaces in the legacy Free Trial pricing tier, using Azure Resource Manager APIs. You canΓÇÖt currently configure data retention for individual tables in the Azure portal.

+Each table is a subresource of the workspace it's in. For example, you can address the `SecurityEvent` table in [Azure Resource Manager](../../azure-resource-manager/management/overview.md) as:

+The table name is case-sensitive.

+# [API](#tab/api-1)

+**Request body**

+**Example**

+This example sets the table's interactive retention to the workspace default of 30 days, and the total retention to two years. This means the archive duration is 23 months.

+**Request**

+**Request body**

+**Response**

+# [CLI](#tab/cli-1)

+To set the retention and archive duration for a table, run the [az monitor log-analytics workspace table update](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-update) command and pass the `--retention-time` and `--total-retention-time` parameters.

+This example sets table's interactive retention to 30 days, and the total retention to two years. This means the archive duration is 23 months:

+```azurecli

+az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+--name AzureMetrics --retention-time 30 --total-retention-time 730

+```

+To reapply the workspace's default interactive retention value to the table and reset its total retention to 0, run the [az monitor log-analytics workspace table update](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-update) command with the `--retention-time` and `--total-retention-time` parameters set to `-1`.

+For example:

+```azurecli

+az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name Syslog --retention-time -1 --total-retention-time -1

+```

+## Get retention and archive policy by table

+# [API](#tab/api-2)

+To get the retention policy of a particular table (in this example, `SecurityEvent`), call the **Tables - Get** API:

+```JSON

+GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent?api-version=2021-12-01-preview

+```

+To get all table-level retention policies in your workspace, don't set a table name; for example:

+```JSON

+GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables?api-version=2021-12-01-preview

+```

+# [CLI](#tab/cli-2)

+To get the retention policy of a particular table, run the [az monitor log-analytics workspace table show](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-show) command.

+For example:

+```azurecli

+az monitor log-analytics workspace table show --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name SecurityEvent

+```

+If you set the data retention policy to 30 days, you can purge older data immediately using the `immediatePurgeDataOn30Days` parameter in Azure Resource Manager. The purge functionality is useful when you need to remove personal data immediately. The immediate purge functionality isn't available through the Azure portal.

+You can also purge data from a workspace using the [purge feature](personal-data-mgmt.md#how-to-export-and-delete-private-data), which removes personal data. You canΓÇÖt purge data from archived logs.

+Dedicated clusters require customers to commit for at least 500 GB of data ingestion per day. You can link existing workspace to a dedicated cluster and unlink it with no data loss or service interruption.

+Once a cluster is created, workspaces can be linked to it, and new ingested data to them is stored on the cluster. Workspaces can be unlinked from a cluster at any time and new data then stored on shared Log Analytics clusters. The link and unlink operation doesn't affect your queries and access to data before, and after the operation. The Cluster and workspaces must be in the same region.

+1. **Cluster (default)**--Billing for ingested data is done at the cluster level. The ingested data quantities from each workspace associated to a cluster are aggregated to calculate the daily bill for the cluster.

+2. **Workspaces**--The Commitment Tier costs for your Cluster are attributed proportionately to the workspaces in the cluster, by each workspace's data ingestion volume (after accounting for per-node allocations from [Microsoft Defender for Cloud](../../security-center/index.yml) for each workspace.) Details of pricing model are explained [here](./manage-cost-storage.md#log-analytics-dedicated-clusters).

+If your linked workspace is using legacy Per Node pricing tier, it will be billed based on data ingested against the cluster's Commitment Tier, and no longer Per Node. Per-node data allocations from Microsoft Defender for Cloud will continue to be applied.

+When you link workspaces to a cluster, the pricing tier is changed to cluster, and ingestion is billed based on cluster's Commitment Tier. Workspaces can be unlinked from a cluster at any time, and pricing tier change to per-GB.

+You can have up to two active clusters per subscription per region. If the cluster is deleted, it is still reserved for 14 days. You can have up to four reserved clusters per subscription per region (active or recently deleted).

+After you create your cluster resource and it's fully provisioned, you can edit additional properties using CLI, PowerShell or REST API. The additional properties that can be set after the cluster has been provisioned include the following:

+ - **Cluster (default)**--The costs for your cluster are attributed to the cluster resource.

+ - **Workspaces**--The costs for your cluster are attributed proportionately to the workspaces in the Cluster, with the cluster resource being billed some of the usage if the total ingested data for the day is under the commitment tier. See [Log Analytics Dedicated Clusters](./manage-cost-storage.md#log-analytics-dedicated-clusters) to learn more about the cluster pricing model.

+> The *billingType* property isn't supported in CLI.

+### PowerShell

+```powershell

+Select-AzSubscription "cluster-subscription-id"

+Update-AzOperationalInsightsCluster -ResourceGroupName "resource-group-name" -ClusterName "cluster-name" -BillingType "Workspaces"

+```

+You can unlink a workspace from a cluster, and new data to workspace isn't ingested to cluster. Also, the workspace pricing tier is set to per-GB.

+It's recommended that you unlink all workspaces from a dedicated cluster before deleting it. You need to have *write* permissions on the cluster resource. When deleting a cluster, you're losing access to all data ingested to the cluster from linked workspaces and from workspaces that were linked previously. This operation isn't reversible. If you delete your cluster when workspaces are linked, these get unlinked automatically and new data get ingested to Log Analytics storage instead.

+A cluster resource that was deleted in the last 14 days is kept in soft-delete state and its name remained reserved. After the soft-delete period, the cluster is permanently deleted and its name can be reused to create a cluster.

+> - There is a limit of 4 clusters per subscription. Both active and soft-deleted clusters are counted as part of this. Customers shouldn't create recurrent procedures that create and delete clusters. It has a significant impact on Log Analytics backend systems.

+ - Double encryption setting can't can not be changed after the cluster has been created.

+- Deleting a linked workspace is permitted while linked to cluster. If you decide to [recover](./delete-workspace.md#recover-workspace) the workspace during the [soft-delete](./delete-workspace.md#soft-delete-behavior) period, it returns to previous state and remains linked to cluster.

+- If you get conflict error when creating a cluster, it may be that you've deleted your cluster in the last 14 days and it's in a soft-delete state. The cluster name remains reserved during the soft-delete period and you can't create a new cluster with that name. The name is released after the soft-delete period when the cluster is permanently deleted.

+- 400--Cluster name is not valid. Cluster name can contain characters a-z, A-Z, 0-9 and length of 3-63.

+- 400--The body of the request is null or in bad format.

+- 400--SKU name is invalid. Set SKU name to capacityReservation.

+- 400--Capacity was provided but SKU is not capacityReservation. Set SKU name to capacityReservation.

+- 400--Missing Capacity in SKU. Set Capacity value to 500, 1000, 2000 or 5000 GB/day.

+- 400--Capacity is locked for 30 days. Decreasing capacity is permitted 30 days after update.

+- 400--No SKU was set. Set the SKU name to capacityReservation and Capacity value to 500, 1000, 2000 or 5000 GB/day.

+- 400--Identity is null or empty. Set Identity with systemAssigned type.

+- 400--KeyVaultProperties are set on creation. Update KeyVaultProperties after cluster creation.

+- 400--Operation cannot be executed now. Async operation is in a state other than succeeded. Cluster must complete its operation before any update operation is performed.

+- 400--Cluster is in deleting state. Async operation is in progress. Cluster must complete its operation before any update operation is performed.

+- 400--KeyVaultProperties is not empty but has a bad format. See [key identifier update](../logs/customer-managed-keys.md#update-cluster-with-key-identifier-details).

+- 400--Failed to validate key in Key Vault. Could be due to lack of permissions or when key doesn't exist. Verify that you [set key and access policy](../logs/customer-managed-keys.md#grant-key-vault-permissions) in Key Vault.

+- 400--Key is not recoverable. Key Vault must be set to Soft-delete and Purge-protection. See [Key Vault documentation](../../key-vault/general/soft-delete-overview.md)

+- 400--Operation cannot be executed now. Wait for the Async operation to complete and try again.

+- 400--Cluster is in deleting state. Wait for the Async operation to complete and try again.

+ - 404--Cluster not found, the cluster may have been deleted. If you try to create a cluster with that name and get conflict, the cluster is in soft-delete for 14 days. You can contact support to recover it, or use another name to create a new cluster.

+ - 409--Can't delete a cluster while in provisioning state. Wait for the Async operation to complete and try again.

+- 404--Workspace not found. The workspace you specified doesn't exist or was deleted.

+- 409--Workspace link or unlink operation in process.

+- 400--Cluster not found, the cluster you specified doesn't exist or was deleted. If you try to create a cluster with that name and get conflict, the cluster is in soft-delete for 14 days. You can contact support to recover it.

+- 404--Workspace not found. The workspace you specified doesn't exist or was deleted.

+- 409--Workspace link or unlink operation in process.

+## Restore data

+# [API](#tab/api-1)

+**Request body**

+**Restore table status**

+**Sample request**

+# [CLI](#tab/cli-1)

+To restore data from a table, run the [az monitor log-analytics workspace table restore create](/cli/azure/monitor/log-analytics/workspace/table/restore#az-monitor-log-analytics-workspace-table-restore-create) command.

+For example:

+```azurecli

+az monitor log-analytics workspace table restore create --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name Heartbeat_RST --restore-source-table Heartbeat --start-restore-time "2022-01-01T00:00:00.000Z" --end-restore-time "2022-01-08T00:00:00.000Z" --no-wait

+```

+Deleting the restored table does not delete the data in the source table.

+> [!NOTE]

+> Restored data is available as long as the underlying source data is available. When you delete the source table from the workspace or when the source table's retention period ends, the data is dismissed from the restored table. However, the empty table will remain if you do not delete it explicitly.

+# [API](#tab/api-2)

+# [CLI](#tab/cli-2)

+To delete a restore table, run the [az monitor log-analytics workspace table delete](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-delete) command.

+For example:

+```azurecli

+az monitor log-analytics workspace table delete --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name Heartbeat_RST

+```

+Use a search job when the log query timeout of 10 minutes isn't enough time to search through large volumes of data or when you're running a slow query.

+The search job results table is a [Log Analytics](log-analytics-workspace-overview.md#log-data-plans-preview) table that is available for log queries and other Azure Monitor features that use tables in a workspace. The table uses the [retention value](data-retention-archive.md) set for the workspace, but you can modify this value after the table is created.

+# [API](#tab/api-1)

+**Request body**

+**Sample request**

+**Response**

+# [CLI](#tab/cli-1)

+To run a search job, run the [az monitor log-analytics workspace table search-job create](/cli/azure/monitor/log-analytics/workspace/table/search-job#az-monitor-log-analytics-workspace-table-search-job-create) command. The name of the results table, which you set using the `--name` parameter, must end with *_SRCH*.

+For example:

+```azurecli

+az monitor log-analytics workspace table search-job create --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name HeartbeatByIp_SRCH --search-query 'Heartbeat | where ComputerIP has "00.000.00.000"' --limit 1500 \

+ --start-search-time "2022-01-01T00:00:00.000Z" --end-search-time "2022-01-08T00:00:00.000Z" --no-wait

+```

+# [API](#tab/api-2)

+**Table status**<br>

+**Sample request**

+**Response**

+# [CLI](#tab/cli-2)

+To check the status and details of a search job table, run the [az monitor log-analytics workspace table show](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-show) command.

+For example:

+```azurecli

+az monitor log-analytics workspace table show --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name HeartbeatByIp_SRCH --output table \

+```

+We recommend deleting the search job table when you're done querying the table. This reduces workspace clutter and extra charges for data retention.

+# [API](#tab/api-3)

+# [CLI](#tab/cli-3)

+To delete a search table, run the [az monitor log-analytics workspace table delete](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-delete) command.

+For example:

+```azurecli

+az monitor log-analytics workspace table delete --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace \

+ --name HeartbeatByIp_SRCH

+```

+For additional troubleshooting guidance related to the Log Analytics agent for Linux, see [Troubleshoot Azure Log Analytics Linux Agent](../agents/agent-linux-troubleshoot.md).

+aadcdn.msauth.cn

+aadcdn.msftauth.cn

+login.live.com

+The following table includes links to a sample CLI script for Azure Managed Applications.

+| [Define and create a managed application](scripts/managed-application-define-create-cli-sample.md) | Creates a managed application definition in the service catalog and then deploys the managed application from the service catalog. |

+ Title: Create managed application definition - Azure CLI

+description: Provides an Azure CLI script sample that publishes a managed application definition to a service catalog and then deploys a managed application definition from the service catalog.

+ms.devlang: azurecli

+# Create a managed application definition to service catalog and deploy managed application from service catalog with Azure CLI

+This script publishes a managed application definition to a service catalog and then deploys a managed application definition from the service catalog.

+## Sample script

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $appResourceGroup -y

+az group delete --name $appDefinitionResourceGroup -y

+```

+## Sample reference

+This script uses the following command to create the managed application definition. Each command in the table links to command-specific documentation.

+| Command | Notes |

+|||

+| [az managedapp definition create](/cli/azure/managedapp/definition#az_managedapp_definition_create) | Create a managed application definition. Provide the package that contains the required files. |

+## Next steps

+* For an introduction to managed applications, see [Azure Managed Application overview](../overview.md).

+* For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

+ "retentionDays":28,

+ "retentionDays": 28,

+> [!NOTE]

+> [Import and Export using Private Link](database-import-export-private-link.md) is in preview.

+## Limitations

+- Import using Private Link does not support specifying a backup storage redundancy while creating a new database and creates with the default geo-redundant backup storage redundancy. As a work around, first create an empty database with desired backup storage redundancy using Azure portal or PowerShell and then import the BACPAC into this empty database.

+- Import and Export operations are not supported in Azure SQL DB Hyperscale tier yet.

+- Import using REST API with private link can only be done to existing database since the API uses database extensions. To workaround this create an empty database with desired name and call Import REST API with Private link.

+> [!NOTE]

+> [Import and Export using Private Link](database-import-export-private-link.md) is in preview.

+>

+> - [Azure SQL Database (single database)](failover-group-add-single-database-tutorial.md)

+> - [Azure SQL Database (elastic pool)](failover-group-add-elastic-pool-tutorial.md)

+> - [Azure SQL Managed Instance](../managed-instance/failover-group-add-instance-tutorial.md)

+Configure an [auto-failover group](auto-failover-group-sql-db.md) for an Azure SQL Database elastic pool and test failover using the Azure portal.

+|error_state_d|A numeric state value associated with the query timeout (an [attention](/sql/relational-databases/errors-events/mssqlserver-3617-database-engine-error) event) |

+# Add a database to a failover group using the Azure CLI

+# Add an Azure SQL Database elastic pool to a failover group using the Azure CLI

+# Configure SQL Database auditing and Advanced Threat Protection using the Azure CLI

+# Backup an Azure SQL single database to an Azure storage container using the Azure CLI

+# Copy a database in Azure SQL Database to a new server using the Azure CLI

+# Create a single database and configure a firewall rule using the Azure CLI

+# Import a BACPAC file into a database in SQL Database using the Azure CLI

+# Monitor and scale a single database in Azure SQL Database using the Azure CLI

+# Move a database in SQL Database in a SQL elastic pool using the Azure CLI

+# Restore a single database in Azure SQL Database to an earlier point in time using the Azure CLI

+# Scale an elastic pool in Azure SQL Database using the Azure CLI

+# Configure active geo-replication for a single database in Azure SQL Database using the Azure CLI

+# Configure a failover group for a group of databases in Azure SQL Database using the Azure CLI

+# Configure active geo-replication for a pooled database in Azure SQL Database using the Azure CLI

+| **Availability** | 1 replica, no Read Scale-out, zone-redundant HA (preview), no local cache | Multiple replicas, up to 4 Read Scale-out, zone-redundant HA (preview), partial local cache | 3 replicas, 1 Read Scale-out, zone-redundant HA, full local storage |

+|Import Export | Import-Export service is currently not supported for Hyperscale databases. |

+echo "Creating $database in serverless tier"

+ Title: The link feature best practices

+description: Learn about best practices when using the link feature for Azure SQL Managed Instance.

+ms.devlang:

+# Best practices with link feature for Azure SQL Managed Instance (preview)

+This article outlines best practices when using the link feature for Azure SQL Managed Instance. The link feature for Azure SQL Managed Instance connects your SQL Servers hosted anywhere to SQL Managed Instance, providing near real-time data replication to the cloud.

+> [!NOTE]

+> The link feature for Azure SQL Managed Instance is currently in preview.

+## Take log backups regularly

+The link feature replicates data using the [Distributed availability groups](/sql/database-engine/availability-groups/windows/distributed-availability-groups) concept based the Always On availability groups technology stack. Data replication with distributed availability groups is based on replicating transaction log records. No transaction log records can be truncated from the database on the primary instance until they're replicated to the database on the secondary instance. If transaction log record replication is slow or blocked due to network connection issues, the log file keeps growing on the primary instance. Growth speed depends on the intensity of workload and the network speed. If there's a prolonged network connection outage and heavy workload on primary instance, the log file may take all available storage space.

+To minimize the risk of running out of space on your primary instance due to log file growth, make sure to take database log backups regularly. By taking log backups regularly, you make your database more resilient to unplanned log growth events. Consider scheduling daily log backup tasks using SQL Server Agent job.

+You can use a Transact-SQL (T-SQL) script to back up the log file, such as the sample provided in this section. Replace the placeholders in the sample script with name of your database, name and path of the backup file, and the description.

+To back up your transaction log, use the following sample Transact-SQL (T-SQL) script:

+```sql

+USE [<DatabaseName>]

+--Set current database inside job step or script

+--Check that you are executing the script on the primary instance

+if (SELECT role

+ FROM sys.dm_hadr_availability_replica_states AS a

+ JOIN sys.availability_replicas AS b

+ ON b.replica_id = a.replica_id

+WHERE b.replica_server_name = @@SERVERNAME) = 1

+BEGIN

+-- Take log backup

+BACKUP LOG [<DatabaseName>]

+TO DISK = N'<DiskPathandFileName>'

+WITH NOFORMAT, NOINIT,

+NAME = N'<Description>', SKIP, NOREWIND, NOUNLOAD, COMPRESSION, STATS = 1

+END

+```

+Use the following Transact-SQL (T-SQL) command to check the log spaced used by your database:

+```sql

+DBCC SQLPERF(LOGSPACE);

+```

+The query output looks like the following example below for sample database **tpcc**:

+In this example, the database has used 76% of the available log, with an absolute log file size of approximately 27 GB (27,971 MB). The thresholds for action may vary based on your workload, but it's typically an indication that you should take a log backup to truncate log file and free up some space.

+## Add startup trace flags

+There are two trace flags (`-T1800` and `-T9567`) that, when added as start up parameters, can optimize the performance of data replication through the link. See [Enable startup trace flags](managed-instance-link-preparation.md#enable-startup-trace-flags) to learn more.

+## Next steps

+To get started with the link feature, [prepare your environment for replication](managed-instance-link-preparation.md).

+For more information on the link feature, see the following articles:

+- [Managed Instance link ΓÇô overview](link-feature.md)

+- [Managed Instance link ΓÇô connecting SQL Server to Azure reimagined](https://aka.ms/mi-link-techblog)

+# Link feature for Azure SQL Managed Instance (preview)

+- SQL Server 2019 Enterprise Edition or Developer Edition with [CU15 (or above)](https://support.microsoft.com/en-us/topic/kb5008996-cumulative-update-15-for-sql-server-2019-4b6a8ee9-1c61-482d-914f-36e429901fb6) installed on-premises, or on an Azure VM.

+> [!NOTE]

+> SQL Managed Instance link feature is available in regions: Australia Central, Australia Central 2, Australia Southeast, Brazil South, Brazil Southeast, France Central, France South, South India, Central India, West India, Japan West, Japan East, Jio India West, Jio India Central, Korea Central, Korea South, North Central US, North Europe, Norway West, Norway East, South Africa North, South Africa West, South Central US, Southeast Asia, Sweden Central, Switzerland North, Switzerland West, UK South, UK West, West Central US, West Europe, West US, West US 2, West US 3. We are working on enabling link feature in all regions.

+You can keep running the link for as long as you need it, for months and even years at a time. And for your modernization journey, if or when you're ready to migrate to Azure, the link enables a considerably-improved migration experience with the minimum possible downtime compared to all other options available today, providing a true online migration to SQL Managed Instance.

+If you are interested in using Link feature for Azure SQL Managed Instance with versions and editions that are currently not supported, sign-up [here](https://aka.ms/mi-link-signup).

+- [Prepare for SQL Managed Instance link](./managed-instance-link-preparation.md).

+- [Use SQL Managed Instance link via SSMS to replicate database](./managed-instance-link-use-ssms-to-replicate-database.md).

+- [Use SQL Managed Instance link via SSMS to migrate database](./managed-instance-link-use-ssms-to-failover-database.md).

+ Title: Prepare environment for link feature

+description: This guide teaches you how to prepare your environment to use the SQL Managed Instance link to replicate your database over to Azure SQL Managed Instance, and possibly failover.

+ms.devlang:

+# Prepare environment for link feature - Azure SQL Managed Instance

+This article teaches you to prepare your environment for the [Managed Instance link feature](link-feature.md) so that you can replicate your databases from your instance of SQL Server to your instance of Azure SQL Managed Instance.

+> [!NOTE]

+> The link feature for Azure SQL Managed Instance is currently in preview.

+## Prerequisites

+To use the Managed Instance link feature, you need the following prerequisites:

+- An active Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/).

+- [SQL Server 2019 Enterprise or Developer edition](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2019?filetype=EXE), starting with [CU15 (15.0.4198.2)](https://support.microsoft.com/topic/kb5008996-cumulative-update-15-for-sql-server-2019-4b6a8ee9-1c61-482d-914f-36e429901fb6).

+- An instance of Azure SQL Managed Instance. [Get started](instance-create-quickstart.md) if you don't have one.

+## Prepare your SQL Server instance

+To prepare your SQL Server instance, you need to validate you're on the minimum supported version, you've enabled the availability group feature, and you've added the proper trace flags at startup. You will need to restart SQL Server for these changes to take effect.

+### Install CU15 (or higher)

+The link feature for SQL Managed Instance was introduced in CU15 of SQL Server 2019.

+To check your SQL Server version, run the following Transact-SQL (T-SQL) script:

+```sql

+-- Shows the version and CU of the SQL Server

+SELECT @@VERSION

+```

+If your SQL Server version is lower than CU15 (15.0.4198.2), either install the minimally supported [CU15](https://support.microsoft.com/topic/kb5008996-cumulative-update-15-for-sql-server-2019-4b6a8ee9-1c61-482d-914f-36e429901fb6), or the current latest cumulative update. Your SQL Server instance will be restarted during the update.

+### Enable availability groups feature

+The link feature for SQL Managed Instance relies on the Always On availability groups feature, which is not enabled by default. To learn more, review [enabling the Always On availability groups feature](/sql/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server).

+To confirm the Always On availability groups feature is enabled, run the following Transact-SQL (T-SQL) script:

+```sql

+-- Is HADR enabled on this SQL Server?

+declare @IsHadrEnabled sql_variant = (select SERVERPROPERTY('IsHadrEnabled'))

+select

+ @IsHadrEnabled as IsHadrEnabled,

+ case @IsHadrEnabled

+ when 0 then 'The Always On availability groups is disabled.'

+ when 1 then 'The Always On availability groups is enabled.'

+ else 'Unknown status.'

+ end as 'HadrStatus'

+```

+If the availability groups feature is not enabled, follow these steps to enable it:

+1. Open the **SQL Server Configuration Manager**.

+1. Choose the SQL Server service from the navigation pane.

+1. Right-click on the SQL Server service, and select **Properties**:

+

+ :::image type="content" source="./media/managed-instance-link-preparation/sql-server-configuration-manager-sql-server-properties.png" alt-text="Screenshot showing S Q L Server configuration manager.":::

+1. Go to the **Always On Availability Groups** tab.

+1. Select the checkbox to enable **Always On Availability Groups**. Select **OK**:

+ :::image type="content" source="./media/managed-instance-link-preparation/always-on-availability-groups-properties.png" alt-text="Screenshot showing always on availability groups properties.":::

+1. Select **OK** on the dialog box to restart the SQL Server service.

+### Enable startup trace flags

+To optimize Managed Instance link performance, enabling trace flags `-T1800` and `-T9567` at startup is highly recommended:

+- **-T1800**: This trace flag optimizes SQL Server performance when the disks hosting the log files for the primary and secondary replica in an availability group have different sector sizes, such as 512 bytes and 4k. If both primary and secondary replicas have a disk sector size of 4k, this trace flag isn't required. To learn more, review [KB3009974](https://support.microsoft.com/topic/kb3009974-fix-slow-synchronization-when-disks-have-different-sector-sizes-for-primary-and-secondary-replica-log-files-in-sql-server-ag-and-logshipping-environments-ed181bf3-ce80-b6d0-f268-34135711043c).

+- **-T9567**: This trace flag enables compression of the data stream for availability groups during automatic seeding, which increases the load on the processor but can significantly reduce transfer time during seeding.

+To enable these trace flags at startup, follow these steps:

+1. Open **SQL Server Configuration Manager**.

+1. Choose the SQL Server service from the navigation pane.

+1. Right-click on the SQL Server service, and select **Properties**:

+ :::image type="content" source="./media/managed-instance-link-preparation/sql-server-configuration-manager-sql-server-properties.png" alt-text="Screenshot showing S Q L Server configuration manager.":::

+1. Go to the **Startup Parameters** tab. In **Specify a startup parameter**, enter `-T1800` and select **Add** to add the startup parameter. After the trace flag has been added, enter `-T9567` and select **Add** to add the other trace flag as well. Select **Apply** to save your changes:

+ :::image type="content" source="./media/managed-instance-link-preparation/startup-parameters-properties.png" alt-text="Screenshot showing Startup parameter properties.":::

+1. Select **OK** to close the **Properties** window.

+To learn more, review [enabling trace flags](/sql/t-sql/database-console-commands/dbcc-traceon-transact-sql).

+### Restart SQL Server and validate configuration

+After you've validated you're on a supported version of SQL Server, enabled the Always On availability groups feature, and added your startup trace flags, restart your SQL Server instance to apply all of these changes.

+To restart your SQL Server instance, follow these steps:

+1. Open **SQL Server Configuration Manager**.

+1. Choose the SQL Server service from the navigation pane.

+1. Right-click on the SQL Server service, and select **Restart**:

+ :::image type="content" source="./media/managed-instance-link-preparation/sql-server-configuration-manager-sql-server-restart.png" alt-text="Screenshot showing S Q L Server restart command call.":::

+After the restart, use Transact-SQL to validate the configuration of your SQL Server. Your SQL Server version should be 15.0.4198.2 or greater, the Always On availability groups feature should be enabled, and you should have the Trace flags -T1800 and -T9567 enabled.

+To validate your configuration, run the following Transact-SQL (T-SQL) script:

+```sql

+-- Shows the version and CU of SQL Server

+SELECT @@VERSION

+-- Shows if Always On availability groups feature is enabled

+SELECT SERVERPROPERTY ('IsHadrEnabled')

+-- Lists all trace flags enabled on the SQL Server

+DBCC TRACESTATUS

+```

+The following screenshot is an example of the expected outcome for a SQL Server that's been properly configured:

+## Configure network connectivity

+For the Managed Instance link to work, there must be network connectivity between SQL Server and SQL Managed Instance. The network option that you choose depends on where your SQL Server resides - whether it's on-premises or on a virtual machine (VM).

+### SQL Server on Azure VM

+Deploying your SQL Server to an Azure VM in the same Azure virtual network (VNet) that hosts your SQL Managed Instance is the simplest method, as there will automatically be network connectivity between the two instances. To learn more, see the detailed tutorial [Deploy and configure an Azure VM to connect to Azure SQL Managed Instance](./connect-vm-instance-configure.md).

+If your SQL Server on Azure VM is in a different VNet to your managed instance, either connect the two Azure VNets using [Global VNet peering](https://techcommunity.microsoft.com/t5/azure-sql/new-feature-global-vnet-peering-support-for-azure-sql-managed/ba-p/1746913), or configure [VPN gateways](../../vpn-gateway/tutorial-create-gateway-portal.md).

+>[!NOTE]

+> Global VNet peering is enabled by default on managed instances provisioned after November 2020. [Raise a support ticket](../database/quota-increase-request.md) to enable Global VNet peering on older instances.

+### SQL Server outside of Azure

+If your SQL Server is hosted outside of Azure, establish a VPN connection between your SQL Server and your SQL Managed Instance with either option:

+- [Site-to-site virtual private network (VPN) connection](/office365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network)

+- [Azure Express Route connection](../../expressroute/expressroute-introduction.md)

+> [!TIP]

+> Azure Express Route is recommended for the best network performance when replicating data. Ensure to provision a gateway with sufficiently large bandwidth for your use case.

+### Open network ports between the environments

+Port 5022 needs to allow inbound and outbound traffic between SQL Server and SQL Managed Instance. Port 5022 is the standard port used for availability groups, and cannot be changed or customized.

+The following table describes port actions for each environment:

+|Environment|What to do|

+|:|:--|

+|SQL Server (in Azure) | Open both inbound and outbound traffic on port 5022 for the network firewall to the entire subnet of the SQL Managed Instance. If necessary, do the same on the Windows firewall as well. Create an NSG rule in the virtual network hosting the VM that allows communication on port 5022. |

+|SQL Server (outside of Azure) | Open both inbound and outbound traffic on port 5022 for the network firewall to the entire subnet of the SQL Managed Instance. If necessary, do the same on the Windows firewall as well. |

+|SQL Managed Instance |[Create an NSG rule](../../virtual-network/manage-network-security-group.md#create-a-security-rule) in the Azure portal to allow inbound and outbound traffic from the IP address of the SQL Server on port 5022 to the virtual network hosting the SQL Managed Instance. |

+Use the following PowerShell script on the host SQL Server to open ports in the Windows Firewall:

+```powershell

+New-NetFirewallRule -DisplayName "Allow TCP port 5022 inbound" -Direction inbound -Profile Any -Action Allow -LocalPort 5022 -Protocol TCP

+New-NetFirewallRule -DisplayName "Allow TCP port 5022 outbound" -Direction outbound -Profile Any -Action Allow -LocalPort 5022 -Protocol TCP

+```

+## Test bidirectional network connectivity

+Bidirectional network connectivity between SQL Server and SQL Managed Instance is necessary for the Managed Instance link feature to work. After opening your ports on the SQL Server side, and configuring an NSG rule on the SQL Managed Instance side, test connectivity.

+### Test connection from SQL Server to SQL Managed Instance

+To check if SQL Server can reach your SQL Managed Instance use the `tnc` command in PowerShell from the SQL Server host machine. Replace `<ManagedInstanceFQDN>` with the fully qualified domain name of the Azure SQL Managed Instance.

+```powershell

+tnc <ManagedInstanceFQDN> -port 5022

+```

+A successful test shows `TcpTestSucceeded : True`:

+If the response is unsuccessful, verify the following:

+- There are rules in both the network firewall *and* the windows firewall that allow traffic to the *subnet* of the SQL Managed Instance.

+- There is an NSG rule allowing communication on port 5022 for the virtual network hosting the SQL Managed Instance.

+#### Test connection from SQL Managed Instance to SQL Server

+To check that the SQL Managed Instance can reach your SQL Server, create a test endpoint, and then use the SQL Agent to execute a PowerShell script with the `tnc` command pinging SQL Server on port 5022.

+Connect to the SQL Managed Instance and run the following Transact-SQL (T-SQL) script to create test endpoint:

+```sql

+-- Create certificate needed for the test endpoint

+USE MASTER

+CREATE CERTIFICATE TEST_CERT

+WITH SUBJECT = N'Certificate for SQL Server',

+EXPIRY_DATE = N'3/30/2051'

+GO

+-- Create test endpoint

+USE MASTER

+CREATE ENDPOINT TEST_ENDPOINT

+ STATE=STARTED

+ AS TCP (LISTENER_PORT=5022, LISTENER_IP = ALL)

+ FOR DATABASE_MIRRORING (

+ ROLE=ALL,

+ AUTHENTICATION = CERTIFICATE TEST_CERT,

+ ENCRYPTION = REQUIRED ALGORITHM AES

+ )

+```

+Next, create a new SQL Agent job called `NetHelper`, using the public IP address or DNS name that can be resolved from the SQL Managed Instance for `SQL_SERVER_ADDRESS`.

+To create the SQL Agent Job, run the following Transact-SQL (T-SQL) script:

+```sql

+-- SQL_SERVER_ADDRESS should be public IP address, or DNS name that can be resolved from the Managed Instance host machine.

+DECLARE @SQLServerIpAddress NVARCHAR(MAX) = '<SQL_SERVER_ADDRESS>'

+DECLARE @tncCommand NVARCHAR(MAX) = 'tnc ' + @SQLServerIpAddress + ' -port 5022 -InformationLevel Quiet'

+DECLARE @jobId BINARY(16)

+EXEC msdb.dbo.sp_add_job @job_name=N'NetHelper',

+ @enabled=1,

+ @description=N'Test Managed Instance to SQL Server network connectivity on port 5022.',

+ @category_name=N'[Uncategorized (Local)]',

+ @owner_login_name=N'cloudSA', @job_id = @jobId OUTPUT

+EXEC msdb.dbo.sp_add_jobstep @job_id=@jobId, @step_name=N'tnc step',

+ @step_id=1,

+ @os_run_priority=0, @subsystem=N'PowerShell',

+ @command = @tncCommand,

+ @database_name=N'master',

+ @flags=40

+EXEC msdb.dbo.sp_update_job @job_id = @jobId, @start_step_id = 1

+EXEC msdb.dbo.sp_add_jobserver @job_id = @jobId, @server_name = N'(local)'

+EXEC msdb.dbo.sp_start_job @job_name = N'NetHelper'

+```

+Execute the SQL Agent job by running the following T-SQL command:

+```sql

+EXEC msdb.dbo.sp_start_job @job_name = N'NetHelper'

+```

+Execute the following query to show the log of the SQL Agent job:

+```sql

+SELECT

+ sj.name JobName, sjs.step_id, sjs.step_name, sjsl.log, sjsl.date_modified

+FROM

+ msdb.dbo.sysjobs sj

+ LEFT OUTER JOIN msdb.dbo.sysjobsteps sjs

+ ON sj.job_id = sjs.job_id

+ LEFT OUTER JOIN msdb.dbo.sysjobstepslogs sjsl

+ ON sjs.step_uid = sjsl.step_uid

+WHERE

+ sj.name = 'NetHelper'

+```

+If the connection is successful, the log will show `True`. If the connection is unsuccessful, the log will show `False`.

+Finally, drop the test endpoint and certificate with the following Transact-SQL (T-SQL) commands:

+```sql

+DROP ENDPOINT TEST_ENDPOINT

+GO

+DROP CERTIFICATE TEST_CERT

+GO

+```

+If the connection is unsuccessful, verify the following:

+- The firewall on the host SQL Server allows inbound and outbound communication on port 5022.

+- There is an NSG rule for the virtual network hosting the SQL Managed instance that allows communication on port 5022.

+- If your SQL Server is on an Azure VM, there is an NSG rule allowing communication on port 5022 on the virtual network hosting the VM.

+- SQL Server is running.

+> [!CAUTION]

+> Proceed with the next steps only if there is validated network connectivity between your source and target environments. Otherwise, please troubleshoot network connectivity issues before proceeding any further.

+## Install SSMS

+SQL Server Management Studio (SSMS) v18.11.1 is the easiest way to use the Managed Instance Link. [Download SSMS version 18.11.1 or later](/sql/ssms/download-sql-server-management-studio-ssms) and install it to your client machine.

+After installation completes, open SSMS and connect to your supported SQL Server instance. Right-click a user database, and validate you see the "Azure SQL Managed Instance link" option in the menu:

+## Next steps

+After your environment has been prepared, you're ready to start [replicating your database](managed-instance-link-use-ssms-to-replicate-database.md). To learn more, review [Link feature in Azure SQL Managed Instance](link-feature.md).

+ Title: Failover database with link feature in SSMS

+description: This guide teaches you how to use the SQL Managed Instance link in SQL Server Management Studio (SSMS) to failover database from SQL Server to Azure SQL Managed Instance.

+# Failover database with link feature in SSMS - Azure SQL Managed Instance

+This article teaches you to use the [Managed Instance link feature](link-feature.md) to failover your database from SQL Server to Azure SQL Managed Instance in SQL Server Management Studio (SSMS).

+Failing over your database from your SQL Server instance to your SQL Managed Instance breaks the link between the two databases, stopping replication, and leaving both databases in an independent state, ready for individual read-write workloads.

+Before failing over your database, make sure you've [prepared your environment](managed-instance-link-preparation.md) and [configured replication through the link feature](managed-instance-link-use-ssms-to-replicate-database.md).

+> [!NOTE]

+> The link feature for Azure SQL Managed Instance is currently in preview.

+## Prerequisites

+To failover your databases to Azure SQL Managed Instance, you need the following prerequisites:

+- An active Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/).

+- [SQL Server 2019 Enterprise or Developer edition](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2019), starting with [CU15 (15.0.4198.2)](https://support.microsoft.com/topic/kb5008996-cumulative-update-15-for-sql-server-2019-4b6a8ee9-1c61-482d-914f-36e429901fb6).

+- An instance of Azure SQL Managed Instance. [Get started](instance-create-quickstart.md) if you don't have one.

+- [SQL Server Management Studio (SSMS) v18.11.1 or later](/sql/ssms/download-sql-server-management-studio-ssms).

+- [Prepared your environment for replication](managed-instance-link-preparation.md)

+- Setup the [link feature and replicated your database to your managed instance in Azure](managed-instance-link-use-ssms-to-replicate-database.md).

+## Failover database

+Use the **Failover database to Managed Instance** wizard in SQL Server Management Studio (SSMS) to failover your database from your instance of SQL Server to your instance of SQL Managed Instance. The wizard takes you through the failing over your database, breaking the link between the two instances in the process.

+> [!CAUTION]

+> If you are performing a planned manual failover, stop the workload on the database hosted on the source SQL Server to allow the replicated database on the SQL Managed Instance to completely catch up and failover without data loss. If you are performing a forced failover, there may be data loss.

+To failover your database, follow these steps:

+1. Open SQL Server Management Studio (SSMS) and connect to your instance of SQL Server.

+1. In **Object Explorer**, right-click your database, hover over **Azure SQL Managed Instance link** and select **Failover database** to open the **Failover database to Managed Instance** wizard:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-failover-database/link-failover-ssms-database-context-failover-database.png" alt-text="Screenshot showing database's context menu option for database failover.":::

+1. Select **Next** on the **Introduction** page of the **Failover database to Managed Instance** wizard:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-failover-database/link-failover-introduction.png" alt-text="Screenshot showing Introduction page.":::

+3. On the **Log in to Azure** page, select **Sign-in** to provide your credentials and sign into your Azure account. Select the subscription that is hosting the your SQL Managed Instance from the drop-down and then select **Next**:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-failover-database/link-failover-login-to-azure.png" alt-text="Screenshot showing Log in to Azure page.":::

+4. On the **Failover type** page, choose the type of failover you're performing and check the box to confirm that you've either stopped the workload for a planned failover, or you understand that there may be data loss for a forced failover. Select **Next**:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-failover-database/link-failover-failover-type.png" alt-text="Screenshot showing Failover Type page.":::

+1. On the **Clean up (optional)**, choose to drop the availability group if it was created solely for the purpose of migrating your database to Azure and you no longer need the availability group. If you want to keep the availability group, then leave the boxes unchecked. Select **Next**:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-failover-database/link-failover-cleanup-optional.png" alt-text="Screenshot showing Cleanup (optional) page.":::

+1. On the **Summary** page, review the actions that will be performed for your failover. (Optionally) You can also create a script to save and run yourself at a later time. When you're ready to proceed with the failover, select **Finish**:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-failover-database/link-failover-summary.png" alt-text="Screenshot showing Summary page.":::

+7. The **Executing actions** page displays the progress of each action:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-failover-database/link-failover-executing-actions.png" alt-text="Screenshot showing Executing actions page.":::

+8. After all steps complete, the **Results** page shows a completed status, with checkmarks next to each successfully completed action. You can now close the window:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-failover-database/link-failover-results.png" alt-text="Screenshot showing Results window.":::

+## View failed over database

+During the failover process, the Managed Instance link is dropped and no longer exists. Both databases on the source SQL Server instance and target SQL Managed Instance can execute a read-write workload, and are completely independent.

+You can validate this by reviewing the database on the SQL Server:

+And then reviewing the database on the SQL Managed Instance:

+To learn more, review [Link feature in Azure SQL Managed Instance](link-feature.md).

+ Title: Replicate database with link feature in SSMS

+description: This guide teaches you how to use the SQL Managed Instance link in SQL Server Management Studio (SSMS) to replicate database from SQL Server to Azure SQL Managed Instance.

+# Replicate database with link feature in SSMS - Azure SQL Managed Instance

+This article teaches you to use the [Managed Instance link feature](link-feature.md) to replicate your database from SQL Server to Azure SQL Managed Instance in SQL Server Management Studio (SSMS).

+Before configuring replication for your database through the link feature, make sure you've [prepared your environment](managed-instance-link-preparation.md).

+> [!NOTE]

+> The link feature for Azure SQL Managed Instance is currently in preview.

+## Prerequisites

+To replicate your databases to Azure SQL Managed Instance, you need the following prerequisites:

+- An active Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/).

+- [SQL Server 2019 Enterprise or Developer edition](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2019), starting with [CU15 (15.0.4198.2)](https://support.microsoft.com/topic/kb5008996-cumulative-update-15-for-sql-server-2019-4b6a8ee9-1c61-482d-914f-36e429901fb6).

+- An instance of Azure SQL Managed Instance. [Get started](instance-create-quickstart.md) if you don't have one.

+- [SQL Server Management Studio (SSMS) v18.11.1 or later](/sql/ssms/download-sql-server-management-studio-ssms).

+- A properly [prepared environment](managed-instance-link-preparation.md).

+## Replicate database

+Use the **New Managed Instance link** wizard in SQL Server Management Studio (SSMS) to setup the link between your instance of SQL Server and your instance of SQL Managed Instance. The wizard takes you through the process of creating the Managed Instance link. Once the link is created, your source database gets a read-only replica copy on your target Azure SQL Managed Instance.

+To set up the Managed Instance link, follow these steps:

+1. Open SQL Server Management Studio (SSMS) and connect to your instance of SQL Server.

+1. In **Object Explorer**, right-click your database, hover over **Azure SQL Managed Instance link** and select **Replicate database** to open the **New Managed Instance link** wizard:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-ssms-database-context-replicate-database.png" alt-text="Screenshot showing database's context menu option to replicate database after hovering over Azure SQL Managed Instance link.":::

+1. Select **Next** on the **Introduction** page of the **New Managed Instance link** wizard:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-introduction.png" alt-text="Screenshot showing the introduction page for Managed Instance link replicate database wizard.":::

+1. On the **Requirements** page, the wizard validates requirements to establish a link to your SQL Managed Instance. Select **Next** once all the requirements are validated:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-sql-server-requirements.png" alt-text="Screenshot showing S Q L Server requirements page.":::

+1. On the **Select Databases** page, choose one or more databases you want to replicate to your SQL Managed Instance via the Managed Instance link. Select **Next**:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-select-databases.png" alt-text="Screenshot showing Select Databases page.":::

+1. On the **Login to Azure and select Managed Instance** page, select **Sign In...** to sign into Microsoft Azure. Choose the subscription, resource group, and target managed instance from the drop-downs. Select **Login** and provide login details for the SQL Managed Instance:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-login-to-azure.png" alt-text="Screenshot showing Login to Azure and select Managed Instance page.":::

+1. After providing all necessary information, select **Next**:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-login-to-azure-populated.png" alt-text="Screenshot showing Login to Azure and select Managed Instance populated page.":::

+1. Review the prepopulated values on the **Specify Distributed AG Options** page, and change any that need customization. When ready, select **Next**.

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-distributed-ag-options.png" alt-text="Screenshot showing Specify Distributed A G options page.":::

+1. Review the actions on the **Summary** page, and select **Finish** when ready. (Optionally) You can also create a script to save and run yourself at a later time.

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-summary.png" alt-text="Screenshot showing Summary window.":::

+1. The **Executing actions** page displays the progress of each action:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-executing-actions.png" alt-text="Screenshot showing Executing actions page.":::

+1. After all steps complete, the **Results** page shows a completed status, with checkmarks next to each successfully completed action. You can now close the window:

+ :::image type="content" source="./media/managed-instance-link-use-ssms-to-replicate-database/link-replicate-results.png" alt-text="Screenshot showing Results page.":::

+## View replicated database

+After the Managed Instance link is created, the selected databases are replicated to the SQL Managed Instance.

+Use **Object Explorer** on your SQL Server instance to view the `Synchronized` status of the replicated database, and expand **Always On High Availability** and **Availability Groups** to view the distributed availability group that is created for the Managed Instance link.

+Connect to your SQL Managed Instance and use **Object Explorer** to view your replicated database. Depending on the database size and network speed, the database may initially be in a `Restoring` state. After initial seeding completes, the database is restored to the SQL Managed Instance and ready for read-only workloads:

+## Next steps

+To break the link and failover your database to the SQL Managed Instance, see [failover database](managed-instance-link-use-ssms-to-failover-database.md). To learn more, see [Link feature in Azure SQL Managed Instance](link-feature.md).

+# Create an Azure SQL Managed Instance using the Azure CLI

+# Restore a Managed Instance database to another geo-region using the Azure CLI

+# Manage Transparent Data Encryption in a Managed Instance using your own key from Azure Key Vault using the Azure CLI

+ - Once you configure the backup of a disk, you canΓÇÖt change the Snapshot Resource Group thatΓÇÖs assigned to a backup instance.

+`REST` mode is an API server mode that provides a basic set of HTTP endpoints for audio file batch submission, status checking, and long polling. Also enables programmatic consumption using a Python module extension, or importing as a submodule.

+# Use any requests from the Python requests library

+#Customer intent: As a Python developer, I want use Personalizer in an Azure Notebook so that I can understand the end to end lifecycle of a Personalizer loop.

+### Include the Python modules

+Include the required Python modules. The cell has no output.

+| USA & Puerto Rico | Toll-Free | General Availability | General Availability | Public Preview | Public Preview\* |

+| USA & Puerto Rico | Local | Not Available | Not Available | Public Preview | Public Preview\* |

+zone_pivot_groups: acs-plat-web-ios-android-windows

+## Create your Python app

+We can now start writing our Python application. First, we'll import the required packages.

+- Cassandra operations that are consuming high RU/s.

+| where DatabaseName=="azure_comos" and CollectionName=="user"

+| summarize max(RequestCharge) by bin(TimeGenerated, 10m), tostring(requestType), OperationName;

+- Monitoring RU consumption per operation on logical partition keys.

+| where DatabaseName=="azure_comos" and CollectionName=="user"

+| where DatabaseName=="azure_comos" and CollectionName=="user"

+| where DatabaseName=="azure_comos" and CollectionName=="user"

+| summarize TotalRequestCharge=sum(todouble(RequestCharge)) by bin(TimeGenerated, 1m), PartitionKey

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| where TimeGenerated > ago(24h)

+| project ActivityId, DatabaseName, CollectionName, queryText=split(split(PIICommandText,'"')[3], ' ')[0], RequestCharge, TimeGenerated

+| order by RequestCharge desc;

+- RU consumption based on variations in payload sizes for read and write operations.

+CDBCassandraRequests

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| project ResponseLength, TimeGenerated, RequestCharge, cassandraOperationName=split(split(PIICommandText,'"')[3], ' ')[0]

+| where cassandraOperationName =="SELECT"

+| summarize maxResponseLength=max(ResponseLength), maxRU=max(RequestCharge) by bin(TimeGenerated, 10m), tostring(cassandraOperationName)

+CDBCassandraRequests

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| project ResponseLength, TimeGenerated, RequestCharge, cassandraOperationName=split(split(PIICommandText,'"')[3], ' ')[0]

+| where cassandraOperationName in ("CREATE", "UPDATE", "INSERT", "DELETE", "DROP")

+| summarize maxResponseLength=max(ResponseLength), maxRU=max(RequestCharge) by bin(TimeGenerated, 10m), tostring(cassandraOperationName)

+CDBCassandraRequests

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| project ResponseLength, TimeGenerated, RequestCharge, cassandraOperationName=split(split(PIICommandText,'"')[3], ' ')[0]

+| where cassandraOperationName in ("CREATE", "UPDATE", "INSERT", "DELETE", "DROP")

+| summarize maxResponseLength=max(ResponseLength), maxRU=max(RequestCharge) by bin(TimeGenerated, 10m), tostring(cassandraOperationName)

+| render timechart;

+// Read operations over a time period.

+CDBCassandraRequests

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| project ResponseLength, TimeGenerated, RequestCharge, cassandraOperationName=split(split(PIICommandText,'"')[3], ' ')[0]

+| where cassandraOperationName =="SELECT"

+| summarize maxResponseLength=max(ResponseLength), maxRU=max(RequestCharge) by bin(TimeGenerated, 10m), tostring(cassandraOperationName)

+- RU consumption based on read and write operations by logical partition.

+```kusto

+CDBPartitionKeyRUConsumption

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| where OperationName in ("Delete", "Read", "Upsert")

+| summarize totalRU=max(RequestCharge) by OperationName, PartitionKeyRangeId

+```

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+- Is a hot partition leading to high RU consumption?

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+CDBCassandraRequests

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| where ErrorCode in (4608, 4352) //Corresponding code in Cassandra

+| summarize max(DurationMs) by bin(TimeGenerated, 10m), ErrorCode

+| render timechart;

+CDBCassandraRequests

+| DatabaseName=="azure_cosmos" and CollectionName=="user"

+| render timechart;

+- Operations that are getting throttled.

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| where DatabaseName=="azure_cosmos" and CollectionName=="user"

+| where ErrorCode==4097 // Corresponding error code in Cassandra

+> [!WARNING]

+> Only use the CQL COPY to migrate small datasets. To move large datasets, [migrate data by using Spark](#migrate-data-by-using-spark).

+### 2.14.6 (March 7, 2022)

+ - This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB. In addition to this update there are couple issues that were addressed in this release:

+ * Fix for an issue related to high CPU usage when the emulator is running.

+ * Add PowerShell option to set the Mongo API version: "-MongoApiVersion". Valid setting are: "3.2", "3.6" and "4.0"

+> A complete partial document update sample can be found in the [.js v3 samples repository](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples/v3/typescript/src/ItemManagement.ts#L167) on GitHub. In the sample, as the container is created without a partition key specified, the JavaScript SDK

+If you execute your data flow activities in sequence, it is recommended that you set a TTL in the Azure IR configuration. The service will reuse the compute resources, resulting in a faster cluster start-up time. Each activity will still be isolated and receive a new Spark context for each execution.

+| folderPath | The path to folder. If you want to use wildcard to filter folder, skip this setting and specify in activity source settings. Note that you will need to setup the file share location in your Windows or Linux environment to expose the folder for sharing. | No |

+A minimum compute type of General Purpose with an 8+8 (16 total v-cores) configuration and a 10-minute Time to live (TTL) is the minimum recommendation for most production workloads. By setting a small TTL, the Azure IR can maintain a warm cluster that will not incur the several minutes of start time for a cold cluster. For more information, see [Azure integration runtime](concepts-integration-runtime.md).

+ | Private DNS zones | Leave the default value in both Target sub-resources: 1. datafactory: **(New) privatelink.datafactory.azure.net**. 2. portal: **(New) privatelink.adf.azure.com**.|

+* **Azure Storage account**. Create a Python script and an input file, and upload them to the Azure storage. The output from the spark program is stored in this storage account. The on-demand Spark cluster uses the same storage account as its primary storage.

+### Upload Python script to your Blob Storage account

+1. Create a Python file named **WordCount_Spark.py** with the following content:

+Spark jobs are more extensible than Pig/Hive jobs. For Spark jobs, you can provide multiple dependencies such as jar packages (placed in the java CLASSPATH), Python files (placed on the PYTHONPATH), and any other files.

+Create the following folder structure in the Azure Blob storage referenced by the HDInsight linked service. Then, upload dependent files to the appropriate sub folders in the root folder represented by **entryFilePath**. For example, upload Python files to the pyFiles subfolder and jar files to the jars subfolder of the root folder. At runtime, the service expects the following folder structure in the Azure Blob storage:

+* **Azure Storage account**. You create a Python script and an input file, and upload them to the Azure storage. The output from the spark program is stored in this storage account. The on-demand Spark cluster uses the same storage account as its primary storage.

+### Upload Python script to your Blob Storage account

+1. Create a Python file named **WordCount_Spark.py** with the following content:

+- The **entryFilePath** is set to the **test.py**, which is the Python file.

+1. In the local web UI of your device, go to **Device** page.

+2. Under the **Device endpoints**, copy the **Kubernetes API** endpoint. This endpoint is a string in the following format: `https://compute.<device-name>.<DNS-domain>[Kubernetes-cluster-IP-address]`.

+ - If you have been provided a key from Microsoft (select users may have a key), go to Kubernetes API, select **Advanced config**, and download an advanced configuration file for Kubernetes.

+

+|Disconnected mode| Deploy, run, manage applications in offline mode. <br> Disconnected mode supports offline upload scenarios.|

+|Easy ordering| Bulk ordering and tracking of the device via Azure Edge Hardware Center. <br> For more information, see [Order a device via Azure Edge Hardware Center](azure-stack-edge-gpu-deploy-prep.md#create-a-new-resource).|

+- Review the [Azure Stack Edge Mini R system requirements](azure-stack-edge-gpu-system-requirements.md).

+| **Creation of admission webhook configuration detected**<br>(K8S_AdmissionController) ^{[2](#footnote2)}| Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook). | Credential Access, Persistence | Low |

+| **Digital currency mining container detected**<br>(K8S_MaliciousContainerImage) ^{[2](#footnote2)} | Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool. | Execution | High |

+| **Exposed Kubeflow dashboard detected**<br>(K8S_ExposedKubeflow) ^{[2](#footnote2)} | The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster. Find more details in the following article: https://aka.ms/exposedkubeflow-blog | Initial Access | Medium |

+| **Exposed Kubernetes dashboard detected**<br>(K8S_ExposedDashboard) ^{[2](#footnote2)}| Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboard allows an unauthenticated access to the cluster management and poses a security threat. | Initial Access | High |

+| **Exposed Kubernetes service detected**<br>(K8S_ExposedService) ^{[2](#footnote2)} | The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers. In some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk. | Initial Access | Medium |

+| **K8S API requests from proxy IP address detected**<br>(K8S_TI_Proxy) ^{[2](#footnote2)}| Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP. | Execution | Low |

+| **Kubernetes events deleted**<br>(K8S_DeleteEvents) ^{[1](#footnote1)} ^{[2](#footnote2)} | Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster. | Defense Evasion | Low |

+| **Kubernetes penetration testing tool detected**<br>(K8S_PenTestToolsKubeHunter) ^{[2](#footnote2)} | Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes. | Execution | Low |

+| **New container in the kube-system namespace detected**<br>(K8S_KubeSystemContainer) ^{[2](#footnote2)}| Kubernetes audit log analysis detected a new container in the kube-system namespace that isnΓÇÖt among the containers that normally run in this namespace. The kube-system namespaces should not contain user resources. Attackers can use this namespace for hiding malicious components. | Persistence | Low |

+| **New high privileges role detected**<br>(K8S_HighPrivilegesRole) ^{[2](#footnote2)}| Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster. | Persistence | Low |

+| **Role binding to the cluster-admin role detected**<br>(K8S_ClusterAdminBinding) ^{[2](#footnote2)} | Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster. | Persistence | Low |

+^{<a name="footnote2"></a>2}: This alert is supported by Windows.

+ Title: How to use Defender for Containers

+description: Learn how to use Defender for Containers to scan Linux images in your Linux-hosted registries

+# Use Defender for Containers to scan your ACR images for vulnerabilities

+When **Defender for Containers** is enabled, any image you push to your registry will be scanned immediately. In addition, any image pulled within the last 30 days is also scanned.

+1. Enable **Defender for Containers** for your subscription. Defender for Cloud is now ready to scan images in your registries.

+1. When you've taken the steps required to remediate the security issue, replace the image in your registry:

+ 1. Push the updated image to trigger a scan.

+ 1. When you're sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the ΓÇ£oldΓÇ¥ vulnerable image from your registry.

+If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

+## Microsoft Defender for Containers plan availability

+| Release state: | General availability (GA)<br> Certain features are in preview, for a full list see the [availability](supported-machines-endpoint-solutions-clouds-containers.md) section. |

+| Feature availability | Refer to the [availability](supported-machines-endpoint-solutions-clouds-containers.md) section for additional information on feature release state and availability.|

+| Clouds: | **Azure**:<br>:::image type="icon" source="./medi#defender-for-containers-feature-availability). |

+\* resource limits aren't configurable

+- **On push** - Whenever an image is pushed to your registry, Defender for Containers automatically scans that image. To trigger the scan of an image, push it to your repository.

+ - A Continuous scan based on an image pull. This scan is performed every seven days after an image was pulled, and only for 30 days after the image was pulled. This mode doesn't require the security profile, or extension.

+ - (Preview) Continuous scan for running images. This scan is performed every seven days for as long as the image runs. This mode runs instead of the above mode when the Defender profile, or extension is running on the cluster.

+Defender for Containers expands on the registry scanning features by introducing the **preview feature** of run-time visibility of vulnerabilities powered by the Defender profile, or extension.

+> [!NOTE]

+> There's no Defender profile for Windows, it's only available on Linux OS.

+This recommendation shows running images, and their vulnerabilities based on ACR image. Images that are deployed from a non ACR registry, won't be scanned, and will appear under the Not applicable tab.

+- [What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for Containers enabled?](#what-happens-to-subscriptions-with-microsoft-defender-for-kubernetes-or-microsoft-defender-for-containers-enabled)

+### What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for Containers enabled?

+No. Subscriptions that have either Microsoft Defender for Kubernetes or Microsoft Defender for Containers Registries enabled doesn't need to be upgraded to the new Microsoft Defender for Containers plan. However, they won't benefit from the new and improved capabilities and theyΓÇÖll have an upgrade icon shown alongside them in the Azure portal.

+> For details of which Defender for servers features are relevant for machines running on other cloud environments, see [Supported features for virtual machines and servers](supported-machines-endpoint-solutions-clouds-servers.md?tabs=features-windows#supported-features-for-virtual-machines-and-servers-).

+Microsoft Defender for Cloud provides health assessments of [supported](supported-machines-endpoint-solutions-clouds-servers.md#endpoint-supported) versions of Endpoint protection solutions. This article explains the scenarios that lead Defender for Cloud to generate the following two recommendations:

+To learn more about the specific Defender for Cloud features available on Windows and Linux, see [Feature coverage for machines](supported-machines-endpoint-solutions-clouds-containers.md).

+ - **Microsoft Defender for servers** brings threat detection and advanced defenses to your Windows and Linux EC2 instances. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more. You can view the full list of available features in the [Supported features for virtual machines and servers](supported-machines-endpoint-solutions-clouds-servers.md?tabs=tab/features-multi-cloud) table.

+|Required roles and permissions:|**Contributor** permission for the relevant Azure subscription.|

+

+

+

+ > [!NOTE]

+ > To enable the Azure Arc auto-provisioning, you'll need an **Owner** permission on the relevant Azure subscription.

+

+ - To manually install Azure Arc on your existing and future EC2 instances, follow the instructions in the [EC2 instances should be connected to Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/231dee23-84db-44d2-bd9d-c32fbcfb42a3) recommendation.

+

+ - **Microsoft Defender for servers** brings threat detection and advanced defenses to your GCP VM instances. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more. You can view the full list of available features in the [Supported features for virtual machines and servers table](supported-machines-endpoint-solutions-clouds-servers.md)

+|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) |Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented [here](./supported-machines-endpoint-solutions-clouds-servers.md?tabs=features-windows). Endpoint protection assessment is documented <a href='/azure/defender-for-cloud/endpoint-protection-recommendations-technical'>here</a>.<br />(Related policy: [Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2faf6cd1bd-1635-48cb-bde7-5b15693900b9)) |Medium |

+- [Defender for Containers can now scan for vulnerabilities in Windows images (preview)](#defender-for-containers-can-now-scan-for-vulnerabilities-in-windows-images-preview)

+- [New alert for Microsoft Defender for Storage (preview)](#new-alert-for-microsoft-defender-for-storage-preview)

+- [Configure email notifications settings from an alert](#configure-email-notifications-settings-from-an-alert)

+

+### Defender for Containers can now scan for vulnerabilities in Windows images (preview)

+Defender for Container's image scan now supports Windows images that are hosted in Azure Container Registry. This feature is free while in preview, and will incur a cost when it becomes generally available.

+Learn more in [Use Microsoft Defender for Container to scan your images for vulnerabilities](defender-for-container-registries-usage.md).

+### New alert for Microsoft Defender for Storage (preview)

+To expand the threat protections provided by Microsoft Defender for Storage, we've added a new preview alert.

+Threat actors use applications and tools to discover and access storage accounts. Microsoft Defender for Storage detects these applications and tools so that you can block them and remediate your posture.

+This preview alert is called `Access from a suspicious application`. The alert is relevant to Azure Blob Storage, and ADLS Gen2 only.

+| Alert (alert type) | Description | MITRE tactic | Severity |

+|--|--|--|--|

+| **PREVIEW - Access from a suspicious application**<br>(Storage.Blob_SuspiciousApp) | Indicates that a suspicious application has successfully accessed a container of a storage account with authentication.<br>This might indicate that an attacker has obtained the credentials necessary to access the account, and is exploiting it. This could also be an indication of a penetration test carried out in your organization.<br>Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2 | Initial Access | Medium |

+### Configure email notifications settings from an alert

+A new section has been added to the alert User Interface (UI) which allows you to view and edit who will receive email notifications for alerts that are triggered on the current subscription.

+Learn how to [Configure email notifications for security alerts](configure-email-notifications.md).

+ For a full list of available features, see [Supported features for virtual machines and servers](supported-machines-endpoint-solutions-clouds-servers.md). Automatic onboarding capabilities will allow you to easily connect any existing, and new compute instances discovered in your environment.

+ Title: Microsoft Defender for Containers feature availability

+description: Learn about the availability of Microsoft Defender for Cloud containers features according to OS, machine type, and cloud deployment.

+# Defender for Containers feature availability

+The **tabs** below show the features of Microsoft Defender for Cloud that are available for Windows and Linux machines.

+## Supported features by environment

+### [**Azure (AKS)**](#tab/azure-aks)

+| Domain | Feature | Supported Resources | Release state ^{[1](#footnote1)} | Windows support | Agentless/Agent-based | Pricing Tier | Azure clouds availability |

+|--|--|--|--|--|--|--|--|

+| Compliance | Docker CIS | VMs | GA | X | Log Analytics agent | Defender for Servers | |

+| VA | Registry scan | ACR, Private ACR | GA | Γ£ô (Preview) | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| VA | View vulnerabilities for running images | AKS | Preview | X | Defender profile | Defender for Containers | Commercial clouds |

+| Hardening | Control plane recommendations | ACR, AKS | GA | Γ£ô | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Hardening | Kubernetes data plane recommendations | AKS | GA | X | Azure Policy | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Runtime Threat Detection | Agentless threat detection | AKS | GA | Γ£ô | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Runtime Threat Detection | Agent-based threat detection | AKS | Preview | X | Defender profile | Defender for Containers | Commercial clouds |

+| Discovery and Auto provisioning | Discovery of uncovered/unprotected clusters | AKS | GA | Γ£ô | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Discovery and Auto provisioning | Auditlog collection for agentless threat detection | AKS | GA | Γ£ô | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Discovery and Auto provisioning | Auto provisioning of Defender profile | AKS | GA | X | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Discovery and Auto provisioning | Auto provisioning of Azure policy add-on | AKS | GA | X | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+### [**AWS (EKS)**](#tab/aws-eks)

+| Domain | Feature | Supported Resources | Release state ^{[1](#footnote1)} | Windows support | Agentless/Agent-based | Pricing tier |

+|--|--| -- | -- | -- | -- | --|

+| Compliance | Docker CIS | EC2 | Preview | X | Log Analytics agent | Defender for Servers |

+| VA | Registry scan | N/A | - | - | - | - |

+| VA | View vulnerabilities for running images | N/A | - | - | - | - |

+| Hardening | Control plane recommendations | N/A | - | - | - | - |

+| Hardening | Kubernetes data plane recommendations | EKS | Preview | X | Azure Policy extension | Defender for Containers |

+| Runtime Threat Detection | Agentless threat detection | EKS | Preview | X | Agentless | Defender for Containers |

+| Runtime Threat Detection | Agent-based threat detection | EKS | Preview | X | Defender extension | Defender for Containers |

+| Discovery and Auto provisioning | Discovery of uncovered/unprotected clusters | EKS | Preview | X | Agentless | Free |

+| Discovery and Auto provisioning | Auditlog collection for agentless threat detection | EKS | Preview | X | Agentless | Defender for Containers |

+| Discovery and Auto provisioning | Auto provisioning of Defender extension | N/A | N/A | X | - | - |

+| Discovery and Auto provisioning | Auto provisioning of Azure policy extension | N/A | N/A | X | - | - |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+### [**GCP (GKE)**](#tab/gcp-gke)

+| Domain | Feature | Supported Resources | Release state ^{[1](#footnote1)} | Windows support | Agentless/Agent-based | Pricing tier |

+|--|--| -- | -- | -- | -- | --|

+| Compliance | Docker CIS | GCP VMs | Preview | X | Log Analytics agent | Defender for Servers |

+| VA | Registry scan | N/A | - | - | - | - |

+| VA | View vulnerabilities for running images | N/A | - | - | - | - |

+| Hardening | Control plane recommendations | N/A | - | - | - | - |

+| Hardening | Kubernetes data plane recommendations | GKE | Preview | X | Azure Policy extension | Defender for Containers |

+| Runtime Threat Detection | Agentless threat detection | GKE | Preview | X | Agentless | Defender for Containers |

+| Runtime Threat Detection | Agent-based threat detection | GKE | Preview | X | Defender extension | Defender for Containers |

+| Discovery and Auto provisioning | Discovery of uncovered/unprotected clusters | GKE | Preview | X | Agentless | Free |

+| Discovery and Auto provisioning | Auditlog collection for agentless threat detection | GKE | Preview | X | Agentless | Defender for Containers |

+| Discovery and Auto provisioning | Auto provisioning of Defender DaemonSet | GKE | Preview | X | Agentless | Defender for Containers |

+| Discovery and Auto provisioning | Auto provisioning of Azure policy extension | GKE | Preview | X | Agentless | Defender for Containers |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+### [**On-prem/IasS (ARC)**](#tab/iass-arc)

+| Domain | Feature | Supported Resources | Release state ^{[1](#footnote1)} | Windows support | Agentless/Agent-based | Pricing tier |

+|--|--| -- | -- | -- | -- | --|

+| Compliance | Docker CIS | Arc enabled VMs | Preview | X | Log Analytics agent | Defender for Servers |

+| VA | Registry scan | ACR, Private ACR | Preview | Γ£ô | Agentless | Defender for Containers |

+| VA | View vulnerabilities for running images | Arc enabled K8s clusters | Preview | X | Defender extension | Defender for Containers |

+| Hardening | Control plane recommendations | N/A | - | - | - | - |

+| Hardening | Kubernetes data plane recommendations | Arc enabled K8s clusters | Preview | X | Azure Policy extension | Defender for Containers |

+| Runtime Threat Detection | Threat detection via auditlog | Arc enabled K8s clusters | - | Γ£ô | Defender extension | Defender for Containers |

+| Runtime Threat Detection | Agent-based threat detection | Arc enabled K8s clusters | Preview | X | Defender extension | Defender for Containers |

+| Discovery and Auto provisioning | Discovery of uncovered/unprotected clusters | Arc enabled K8s clusters | Preview | - | Agentless | Free |

+| Discovery and Auto provisioning | Auditlog collection for threat detection | Arc enabled K8s clusters | Preview | Γ£ô | Defender extension | Defender for Containers |

+| Discovery and Auto provisioning | Auto provisioning of Defender extension | Arc enabled K8s clusters | Preview | Γ£ô | Agentless | Defender for Containers |

+| Discovery and Auto provisioning | Auto provisioning of Azure policy extension | Arc enabled K8s clusters | Preview | X | Agentless | Defender for Containers |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Additional information

+### Registries and images

+| Aspect | Details |

+|--|--|

+| Registries and images | **Supported**<br> ΓÇó [ACR registries protected with Azure Private Link](../container-registry/container-registry-private-link.md) (Private registries requires access to Trusted Services) <br> ΓÇó Windows images (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.<br><br>**Unsupported**<br> ΓÇó Super-minimalist images such as [Docker scratch](https://hub.docker.com/_/scratch/) images<br> ΓÇó "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS<br> ΓÇó Images with [Open Container Initiative (OCI) Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md) |

+### Kubernetes distributions and configurations

+| Aspect | Details |

+|--|--|

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md)^{[1](#footnote1)}<br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[2](#footnote2)} ^{[3](#footnote3)}<br>ΓÇó [Azure Kubernetes Service on Azure Stack HCI](/azure-stack/aks-hci/overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br><br>**Unsupported**<br> ΓÇó Any [taints](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to your nodes *might* disrupt the configuration of Defender for Containers<br> |

+^{<a name="footnote1"></a>1}The AKS Defender profile doesn't support AKS clusters that don't have RBAC role enabled.<br>

+^{<a name="footnote2"></a>2}Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.<br>

+^{<a name="footnote3"></a>3}To get [Microsoft Defender for Containers](../azure-arc/kubernetes/overview.md) protection for you should onboard to [Azure Arc-enabled Kubernetes](https://mseng.visualstudio.com/TechnicalContent/_workitems/recentlyupdated/) and enable Defender for Containers as an Arc extension.

+> [!NOTE]

+> For additional requirements for Kuberenetes workload protection, see [existing limitations](../governance/policy/concepts/policy-for-kubernetes.md#limitations).

+## Next steps

+- Learn how [Defender for Cloud collects data using the Log Analytics Agent](enable-data-collection.md).

+- Learn how [Defender for Cloud manages and safeguards data](data-security.md).

+- Review the [platforms that support Defender for Cloud](security-center-os-coverage.md).

+ Title: Microsoft Defender for Cloud's servers features according to OS, machine type, and cloud

+description: Learn about the availability of Microsoft Defender for Cloud's servers features according to OS, machine type, and cloud deployment.

+# Feature coverage for machines

+The **tabs** below show the features of Microsoft Defender for Cloud that are available for Windows and Linux machines.

+## Supported features for virtual machines and servers <a name="vm-server-features"></a>

+### [**Windows machines**](#tab/features-windows)

+| **Feature** | **Azure Virtual Machines** | **Azure Virtual Machine Scale Sets** | **Azure Arc-enabled machines** | **Defender for servers required** |

+|--|::|::|::|::|

+| [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) | Γ£ö</br>(on supported versions) | Γ£ö</br>(on supported versions) | Γ£ö | Yes |

+| [Virtual machine behavioral analytics (and security alerts)](alerts-reference.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Fileless security alerts](alerts-reference.md#alerts-windows) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Network-based security alerts](other-threat-protections.md#network-layer) | Γ£ö | Γ£ö | - | Yes |

+| [Just-in-time VM access](just-in-time-access-usage.md) | Γ£ö | - | - | Yes |

+| [Integrated Qualys vulnerability scanner](deploy-vulnerability-assessment-vm.md#overview-of-the-integrated-vulnerability-scanner) | Γ£ö | - | Γ£ö | Yes |

+| [File integrity monitoring](file-integrity-monitoring-overview.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Adaptive application controls](adaptive-application-controls.md) | Γ£ö | - | Γ£ö | Yes |

+| [Network map](protect-network-resources.md#network-map) | Γ£ö | Γ£ö | - | Yes |

+| [Adaptive network hardening](adaptive-network-hardening.md) | Γ£ö | - | - | Yes |

+| [Regulatory compliance dashboard & reports](regulatory-compliance-dashboard.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Docker host hardening](./harden-docker-hosts.md) | - | - | - | Yes |

+| Missing OS patches assessment | Γ£ö | Γ£ö | Γ£ö | Azure: No<br><br>Azure Arc-enabled: Yes |

+| Security misconfigurations assessment | Γ£ö | Γ£ö | Γ£ö | Azure: No<br><br>Azure Arc-enabled: Yes |

+| [Endpoint protection assessment](supported-machines-endpoint-solutions-clouds-servers.md#supported-endpoint-protection-solutions-) | Γ£ö | Γ£ö | Γ£ö | Azure: No<br><br>Azure Arc-enabled: Yes |

+| Disk encryption assessment | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) | Γ£ö | - | No |

+| Third-party vulnerability assessment | Γ£ö | - | Γ£ö | No |

+| [Network security assessment](protect-network-resources.md) | Γ£ö | Γ£ö | - | No |

+| | | | | |

+### [**Linux machines**](#tab/features-linux)

+| **Feature** | **Azure Virtual Machines** | **Azure Virtual Machine Scale Sets** | **Azure Arc-enabled machines** | **Defender for servers required** |

+|--|::|::|::|::|

+| [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) | Γ£ö | - | Γ£ö | Yes |

+| [Virtual machine behavioral analytics (and security alerts)](./azure-defender.md) | Γ£ö</br>(on supported versions) | Γ£ö</br>(on supported versions) | Γ£ö | Yes |

+| [Fileless security alerts](alerts-reference.md#alerts-windows) | - | - | - | Yes |

+| [Network-based security alerts](other-threat-protections.md#network-layer) | Γ£ö | Γ£ö | - | Yes |

+| [Just-in-time VM access](just-in-time-access-usage.md) | Γ£ö | - | - | Yes |

+| [Integrated Qualys vulnerability scanner](deploy-vulnerability-assessment-vm.md#overview-of-the-integrated-vulnerability-scanner) | Γ£ö | - | Γ£ö | Yes |

+| [File integrity monitoring](file-integrity-monitoring-overview.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Adaptive application controls](adaptive-application-controls.md) | Γ£ö | - | Γ£ö | Yes |

+| [Network map](protect-network-resources.md#network-map) | Γ£ö | Γ£ö | - | Yes |

+| [Adaptive network hardening](adaptive-network-hardening.md) | Γ£ö | - | - | Yes |

+| [Regulatory compliance dashboard & reports](regulatory-compliance-dashboard.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| [Docker host hardening](./harden-docker-hosts.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

+| Missing OS patches assessment | Γ£ö | Γ£ö | Γ£ö | Azure: No<br><br>Azure Arc-enabled: Yes |

+| Security misconfigurations assessment | Γ£ö | Γ£ö | Γ£ö | Azure: No<br><br>Azure Arc-enabled: Yes |

+| [Endpoint protection assessment](supported-machines-endpoint-solutions-clouds-servers.md#supported-endpoint-protection-solutions-) | - | - | - | No |

+| Disk encryption assessment | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) | Γ£ö | - | No |

+| Third-party vulnerability assessment | Γ£ö | - | Γ£ö | No |

+| [Network security assessment](protect-network-resources.md) | Γ£ö | Γ£ö | - | No |

+| | | | | |

+### [**Multi-cloud machines**](#tab/features-multi-cloud)

+| **Feature** | **Availability in AWS** | **Availability in GCP** |

+|--|:-:|

+| [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) | Γ£ö | Γ£ö |

+| [Virtual machine behavioral analytics (and security alerts)](alerts-reference.md) | Γ£ö | Γ£ö |

+| [Fileless security alerts](alerts-reference.md#alerts-windows) | Γ£ö | Γ£ö |

+| [Network-based security alerts](other-threat-protections.md#network-layer) | - | - |

+| [Just-in-time VM access](just-in-time-access-usage.md) | - | - |

+| [Integrated Qualys vulnerability scanner](deploy-vulnerability-assessment-vm.md#overview-of-the-integrated-vulnerability-scanner) | Γ£ö | Γ£ö |

+| [File integrity monitoring](file-integrity-monitoring-overview.md) | Γ£ö | Γ£ö |

+| [Adaptive application controls](adaptive-application-controls.md) | Γ£ö | Γ£ö |

+| [Network map](protect-network-resources.md#network-map) | - | - |

+| [Adaptive network hardening](adaptive-network-hardening.md) | - | - |

+| [Regulatory compliance dashboard & reports](regulatory-compliance-dashboard.md) | Γ£ö | Γ£ö |

+| [Docker host hardening](harden-docker-hosts.md) | Γ£ö | Γ£ö |

+| Missing OS patches assessment | Γ£ö | Γ£ö |

+| Security misconfigurations assessment | Γ£ö | Γ£ö |

+| [Endpoint protection assessment](supported-machines-endpoint-solutions-clouds-servers.md#supported-endpoint-protection-solutions-) | Γ£ö | Γ£ö |

+| Disk encryption assessment | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) |

+| Third-party vulnerability assessment | - | - |

+| [Network security assessment](protect-network-resources.md) | - | - |

+| | |

+

+> [!TIP]

+>To experiment with features that are only available with enhanced security features enabled, you can enroll in a 30-day trial. For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+## Supported endpoint protection solutions <a name="endpoint-supported"></a>

+The following table provides a matrix of supported endpoint protection solutions and whether you can use Microsoft Defender for Cloud to install each solution for you.

+For information about when recommendations are generated for each of these solutions, see [Endpoint Protection Assessment and Recommendations](endpoint-protection-recommendations-technical.md).

+| Solution | Supported platforms | Defender for Cloud installation |

+||||

+| Microsoft Defender Antivirus | Windows Server 2016 or later | No (built into OS) |

+| System Center Endpoint Protection (Microsoft Antimalware) | Windows Server 2012 R2 | Via extension |

+| Trend Micro ΓÇô Deep Security | Windows Server (all) | No |

+| Symantec v12.1.1100+ | Windows Server (all) | No |

+| McAfee v10+ | Windows Server (all) | No |

+| McAfee v10+ | Linux (GA) | No |

+| Microsoft Defender for Endpoint for Linux^{[1](#footnote1)} | Linux (GA) | Via extension |

+| Sophos V9+ | Linux (GA) | No |

+| | | |

+^{<a name="footnote1"></a>1} It's not enough to have Microsoft Defender for Endpoint on the Linux machine: the machine will only appear as healthy if the always-on scanning feature (also known as real-time protection (RTP)) is active. By default, the RTP feature is **disabled** to avoid clashes with other AV software.

+## Feature support in government and national clouds

+| Feature/Service | Azure | Azure Government | Azure China 21Vianet |

+||-|--|--|

+| **Defender for Cloud free features** | | | |

+| - [Continuous export](./continuous-export.md) | GA | GA | GA |

+| - [Workflow automation](./workflow-automation.md) | GA | GA | GA |

+| - [Recommendation exemption rules](./exempt-resource.md) | Public Preview | Not Available | Not Available |

+| - [Alert suppression rules](./alerts-suppression-rules.md) | GA | GA | GA |

+| - [Email notifications for security alerts](./configure-email-notifications.md) | GA | GA | GA |

+| - [Auto provisioning for agents and extensions](./enable-data-collection.md) | GA | GA | GA |

+| - [Asset inventory](./asset-inventory.md) | GA | GA | GA |

+| - [Azure Monitor Workbooks reports in Microsoft Defender for Cloud's workbooks gallery](./custom-dashboards-azure-workbooks.md) | GA | GA | GA |

+| - [Integration with Microsoft Defender for Cloud Apps](./other-threat-protections.md#display-recommendations-in-microsoft-defender-for-cloud-apps-) | GA | Not Available | Not Available |

+| **Microsoft Defender plans and extensions** | | | |

+| - [Microsoft Defender for servers](./defender-for-servers-introduction.md) | GA | GA | GA |

+| - [Microsoft Defender for App Service](./defender-for-app-service-introduction.md) | GA | Not Available | Not Available |

+| - [Microsoft Defender for DNS](./defender-for-dns-introduction.md) | GA | GA | GA |

+| - [Microsoft Defender for container registries](./defender-for-container-registries-introduction.md) ^{[1](#footnote1)} | GA | GA ^{[2](#footnote2)} | GA ^{[2](#footnote2)} |

+| - [Microsoft Defender for container registries scanning of images in CI/CD workflows](./defender-for-container-registries-cicd.md) ^{[3](#footnote3)} | Public Preview | Not Available | Not Available |

+| - [Microsoft Defender for Kubernetes](./defender-for-kubernetes-introduction.md) ^{[4](#footnote4)} | GA | GA | GA |

+| - [Microsoft Defender for Containers](./defender-for-containers-introduction.md) ^{[10](#footnote4)} | GA | GA | GA |

+| - [Defender extension for Azure Arc-enabled Kubernetes clusters, servers or data services](./defender-for-kubernetes-azure-arc.md) ^{[5](#footnote5)} | Public Preview | Not Available | Not Available |

+| - [Microsoft Defender for Azure SQL database servers](./defender-for-sql-introduction.md) | GA | GA | GA ^{[9](#footnote9)} |

+| - [Microsoft Defender for SQL servers on machines](./defender-for-sql-introduction.md) | GA | GA | Not Available |

+| - [Microsoft Defender for open-source relational databases](./defender-for-databases-introduction.md) | GA | Not Available | Not Available |

+| - [Microsoft Defender for Key Vault](./defender-for-key-vault-introduction.md) | GA | Not Available | Not Available |

+| - [Microsoft Defender for Resource Manager](./defender-for-resource-manager-introduction.md) | GA | GA | GA |

+| - [Microsoft Defender for Storage](./defender-for-storage-introduction.md) ^{[6](#footnote6)} | GA | GA | Not Available |

+| - [Microsoft Defender for Azure Cosmos DB](concept-defender-for-cosmos.md) | Public Preview | Not Available | Not Available |

+| - [Kubernetes workload protection](./kubernetes-workload-protections.md) | GA | GA | GA |

+| - [Bi-directional alert synchronization with Sentinel](../sentinel/connect-azure-security-center.md) | Public Preview | Not Available | Not Available |

+| **Microsoft Defender for servers features** ^{[7](#footnote7)} | | | |

+| - [Just-in-time VM access](./just-in-time-access-usage.md) | GA | GA | GA |

+| - [File integrity monitoring](./file-integrity-monitoring-overview.md) | GA | GA | GA |

+| - [Adaptive application controls](./adaptive-application-controls.md) | GA | GA | GA |

+| - [Adaptive network hardening](./adaptive-network-hardening.md) | GA | Not Available | Not Available |

+| - [Docker host hardening](./harden-docker-hosts.md) | GA | GA | GA |

+| - [Integrated Qualys vulnerability scanner](./deploy-vulnerability-assessment-vm.md) | GA | Not Available | Not Available |

+| - [Regulatory compliance dashboard & reports](./regulatory-compliance-dashboard.md) ^{[8](#footnote8)} | GA | GA | GA |

+| - [Microsoft Defender for Endpoint deployment and integrated license](./integration-defender-for-endpoint.md) | GA | GA | Not Available |

+| - [Connect AWS account](./quickstart-onboard-aws.md) | GA | Not Available | Not Available |

+| - [Connect GCP project](./quickstart-onboard-gcp.md) | GA | Not Available | Not Available |

+| | | | |

+^{<a name="footnote1"></a>1} Partially GA: The ability to disable specific findings from vulnerability scans is in public preview.

+^{<a name="footnote2"></a>2} Vulnerability scans of container registries on the Azure Government cloud can only be performed with the scan on push feature.

+^{<a name="footnote3"></a>3} Requires Microsoft Defender for container registries.

+^{<a name="footnote4"></a>4} Partially GA: Support for Azure Arc-enabled clusters is in public preview and not available on Azure Government.

+^{<a name="footnote5"></a>5} Requires Microsoft Defender for Kubernetes or Microsoft Defender for Containers.

+^{<a name="footnote6"></a>6} Partially GA: Some of the threat protection alerts from Microsoft Defender for Storage are in public preview.

+^{<a name="footnote7"></a>7} These features all require [Microsoft Defender for servers](./defender-for-servers-introduction.md).

+^{<a name="footnote8"></a>8} There may be differences in the standards offered per cloud type.

+

+^{<a name="footnote9"></a>9} Partially GA: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren't available.

+^{<a name="footnote4"></a>10} Partially GA: Support for Arc-enabled Kubernetes clusters (and therefore AWS EKS too) is in public preview and not available on Azure Government. Run-time visibility of vulnerabilities in container images is also a preview feature.

+## Next steps

+- Learn how [Defender for Cloud collects data using the Log Analytics Agent](enable-data-collection.md).

+- Learn how [Defender for Cloud manages and safeguards data](data-security.md).

+- Review the [platforms that support Defender for Cloud](security-center-os-coverage.md).

+- [Defender for Cloud's supported endpoint protection solutions](supported-machines-endpoint-solutions-clouds-servers.md#endpoint-supported)

+ Title: Configure a lab to use a remote desktop gateway

+description: Learn how to configure a remote desktop gateway in Azure DevTest Labs for secure access to lab VMs without exposing RDP ports.

+# Configure and use a remote desktop gateway in Azure DevTest Labs

+This article describes how to set up and use a gateway for secure remote desktop access to lab virtual machines (VMs) in Azure DevTest Labs. Using a gateway improves security because you don't expose the VMs' remote desktop protocol (RDP) ports to the internet. This remote desktop gateway solution also supports token authentication.

+DevTest Labs provides a central place for lab users to view and connect to their VMs. Selecting **Connect** > **RDP** on a lab VM's **Overview** page creates a machine-specific RDP file, and users can open the file to connect to the VM.

+With a remote desktop gateway, lab users connect to their VMs through a gateway machine. Users authenticate directly to the gateway machine, and can use company-supplied credentials on domain-joined machines. Token authentication provides an extra layer of security.

+Another way to securely access lab VMs without exposing ports or IP addresses is through a browser with Azure Bastion. For more information, see [Enable browser connection to DevTest Labs VMs with Azure Bastion](enable-browser-connection-lab-virtual-machines.md).

+## Architecture

+The following diagram shows how a remote desktop gateway applies token authentication and connects to DevTest Labs VMs.

+

+1. Selecting **Connect** > **RDP** from a lab VM invokes the [getRdpFileContents](/rest/api/dtl/virtualmachines/getrdpfilecontents) REST command:

+ ```http

+ POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DevTestLab/labs/{labName}/virtualmachines/{name}/getRdpFileContents

+ ```

+1. When the lab has a gateway configured, the `getRdpFileContents` action invokes `https://{gateway-hostname}/api/host/{lab-machine-name}/port/{port-number}` to request an authentication token.

+ - `{gateway-hostname}`, or `{lb-uri}` for a load balancer, is the gateway hostname specified on the **Lab settings** page for the lab.

+ - `{lab-machine-name}` is the name of the VM to connect to.

+ - `{port-number}` is the port to use for the connection. Usually this port is 3389, but if the lab VM uses a [shared IP](devtest-lab-shared-ip.md), the port number is different.

+1. The remote desktop gateway uses `https://{function-app-uri}/api/host/{lab-machine-name}/port/{port-number}` to defer the call to an Azure Functions function app.

+ > [!NOTE]

+ > The request header automatically includes the function key, which it gets from the lab's key vault. The function key secret's name is the **Gateway token secret** on the lab's **Lab settings** page.

+1. The Azure function generates and returns a token for certificate-based authentication on the gateway machine.

+1. The `getRdpFileContents` action returns the complete RDP file, including the authentication token.

+When an RDP connection program opens the RDP file, the remote desktop gateway authenticates the token, and the connection forwards to the lab VM.

+> [!NOTE]

+> Not all RDP connection programs support token authentication.

+> [!IMPORTANT]

+> The Azure function sets an expiration date for the authentication token. A user must connect to the VM before the token expires.

+## Configuration requirements

+

+There are some configuration requirements for gateway machines, Azure Functions, and networks to work with DevTest Labs RDP access and token authentication:

+### Gateway machine requirements

+The gateway machine must have the following configuration:

+- A TLS/SSL certificate to handle HTTPS traffic. The certificate must match the fully qualified domain name (FQDN) of the gateway machine if there's only one machine, or the load balancer of a gateway farm. Wild-card TLS/SSL certificates don't work.

+- A signing certificate. You can create a signing certificate by using the [Create-SigningCertificate.ps1](https://github.com/Azure/azure-devtestlab/blob/master/samples/DevTestLabs/GatewaySample/tools/Create-SigningCertificate.ps1) PowerShell script.

+- A [pluggable authentication module](https://en.wikipedia.org/wiki/Pluggable_authentication_module) that supports token authentication. One example is *RDGatewayFedAuth.msi*, which comes with [System Center Virtual Machine Manager (VMM)](/system-center/vmm/install-console?view=sc-vmm-1807&preserve-view=true) images.

+- The ability to handle requests to `https://{gateway-hostname}/api/host/{lab-machine-name}/port/{port-number}`.

+You can use the [Application Routing Request module for Internet Information Server (IIS)](/iis/extensions/planning-for-arr/using-the-application-request-routing-module) to redirect `https://{gateway-hostname}/api/host/{lab-machine-name}/port/{port-number}` requests to the function app.

+### Azure Functions requirements

+An Azure Functions function app handles requests with the `https://{function-app-uri}/app/host/{lab-machine-name}/port/{port-number}` format, and creates and returns the authentication token based on the gateway machine's signing certificate. The `{function-app-uri}` is the URI used to access the function.

+The request header must pass the function key, which it gets from the lab's key vault.

+For a sample function, see [CreateToken.cs](https://github.com/Azure/azure-devtestlab/blob/master/samples/DevTestLabs/GatewaySample/src/RDGatewayAPI/Functions/CreateToken.cs).

+### Network requirements

+- The DNS for the FQDN associated with the gateway machine's TLS/SSL certificate must direct traffic to the gateway machine or to the load balancer of a gateway machine farm.

+- If the lab VM uses a private IP address, there must be a network path from the gateway machine to the lab machine. The two machines must either share the same virtual network or use peered virtual networks.

+## Create a remote desktop gateway

+The [Azure DevTest Labs GitHub repository](https://github.com/Azure/azure-devtestlab) has Azure Resource Manager (ARM) templates that help set up DevTest Labs token authentication and remote desktop gateway resources. There are templates for gateway machine creation, lab settings, and a function app.

+> By using the sample templates, you agree to the [Remote Desktop Gateway license terms](https://www.microsoft.com/licensing/product-licensing/products).

+Follow these steps to set up a sample remote desktop gateway farm.

+1. Create a signing certificate.

+ Run [Create-SigningCertificate.ps1](https://github.com/Azure/azure-devtestlab/blob/master/samples/DevTestLabs/GatewaySample/tools/Create-SigningCertificate.ps1). Record the thumbprint, password, and Base64 encoding of the created certificate to use later.

+

+1. Get a TLS/SSL certificate. The FQDN associated with the TLS/SSL certificate must be for a domain you control.

+1. Record the password, thumbprint, and Base64 encoding for the TLS/SSL certificate to use later.

+ - To get the thumbprint, use the following PowerShell commands:

+ ```powershell

+ $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate;

+ $cer.Import('path-to-certificate');

+ $hash = $cer.GetCertHashString()

+ ```

+ - To get the Base64 encoding, use the following PowerShell command:

+ ```powershell

+ [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('path-to-certificate'))

+ ```

+1. Download all the files from [https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/GatewaySample/arm/gateway](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/GatewaySample/arm/gateway). Copy all the files and *RDGatewayFedAuth.msi* to a blob container in a storage account.

+1. Open *azuredeploy.json* from [https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/GatewaySample/arm/gateway](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/GatewaySample/arm/gateway), and fill out the following parameters:

+ - `adminUsername` ΓÇô **Required**. Administrator user name for the gateway machines.

+ - `adminPassword` ΓÇô **Required**. Password for the administrator account for the gateway machines.

+ - `instanceCount` ΓÇô Number of gateway machines to create.

+ - `alwaysOn` ΓÇô Whether to keep the created Azure Functions app in a warm state or not. Keeping the Azure Functions app on avoids delays when users first try to connect to their lab VMs, but has cost implications.

+ - `tokenLifetime` ΓÇô The length of time in HH:MM:SS format that the created token will be valid.

+ - `sslCertificate` ΓÇô **Required**. The Base64 encoding of the TLS/SSL certificate for the gateway machine.

+ - `sslCertificatePassword` ΓÇô **Required**. The password of the TLS/SSL certificate for the gateway machine.

+ - `sslCertificateThumbprint` - **Required**. The certificate thumbprint for identification in the local certificate store of the TLS/SSL certificate.

+ - `signCertificate` ΓÇô **Required**. The Base64 encoding for the signing certificate for the gateway machine.

+ - `signCertificatePassword` ΓÇô **Required**. The password for the signing certificate for the gateway machine.

+ - `signCertificateThumbprint` - **Required**. The certificate thumbprint for identification in the local certificate store of the signing certificate.

+ - `_artifactsLocation` ΓÇô **Required**. The URI location to find artifacts this template requires. This value must be a fully qualified URI, not a relative path. The artifacts include other templates, PowerShell scripts, and the Remote Desktop Gateway Pluggable Authentication module, expected to be named *RDGatewayFedAuth.msi*, that supports token authentication.

+ - `_artifactsLocationSasToken` ΓÇô **Required**. The shared access signature (SAS) token to access artifacts, if the `_artifactsLocation` is an Azure storage account.

+1. Deploy *azuredeploy.json* by using the following Azure CLI command:

+ ```azurecli

+ az deployment group create --resource-group {resource-group} --template-file azuredeploy.json --parameters @azuredeploy.parameters.json -ΓÇôparameters _artifactsLocation="{storage-account-endpoint}/{container-name}" -ΓÇôparameters _artifactsLocationSasToken = "?{sas-token}"

+ - Get the `{storage-account-endpoint}` by running

+ `az storage account show --name {storage-account-name} --query primaryEndpoints.blob`.

+ - Get the `{sas-token}` by running

+ `az storage container generate-sas --name {container-name} --account-name {storage-account-name} --https-only ΓÇôpermissions drlw ΓÇôexpiry {utc-expiration-date}`.

+ - `{storage-account-name}` is the name of the storage account that holds the files you uploaded.

+ - `{container-name}` is the container in the `{storage-account-name}` that holds the files you uploaded.

+ - `{utc-expiration-date}` is the date, in UTC, when the SAS token will expire and can no longer be used to access the storage account.

+1. Record the values for `gatewayFQDN` and `gatewayIP` from the template deployment output. Also save the value of the key for the newly created function, which you can find in the function app's [Application settings tab](../azure-functions/functions-how-to-use-azure-function-app-settings.md#settings).

+1. Configure DNS so that the FQDN of the TLS/SSL certificate directs to the `gatewayIP` IP address.

+After you create the remote desktop gateway farm and update DNS, you can configure Azure DevTest Labs to use the gateway.

+## Configure the lab to use token authentication

+Before you update the lab settings, store the key for the authentication token function in the lab's key vault. You can get the function key value on the function's **Function Keys** page in the Azure portal.

+To find the ID of the lab's key vault, run the following Azure CLI command:

+```azurecli

+az resource show --name {lab-name} --resource-type 'Microsoft.DevTestLab/labs' --resource-group {lab-resource-group-name} --query properties.vaultName

+```

+For more information on how to save a secret in a key vault, see [Add a secret to Key Vault](../key-vault/secrets/quick-create-portal.md#add-a-secret-to-key-vault). Record the secret name to use later. This value isn't the function key itself, but the name of the key vault secret that holds the function key.

+To configure a lab's **Gateway hostname** and **Gateway token secret** to use token authentication with the gateway machine(s), follow these steps:

+1. On the lab's **Overview** page, select **Configuration and policies** from the left navigation.

+1. On the **Configuration and policies** page, select **Lab settings** from the **Settings** section of the left navigation.

+1. In the **Remote desktop** section:

+ - For the **Gateway hostname** field, enter the FQDN or IP address of the remote desktop services gateway machine or farm. This value must match the FQDN of the TLS/SSL certificate used on gateway machines.

+ - For **Gateway token**, enter the secret name you recorded earlier. This value isn't the function key itself, but the name of the key vault secret that holds the function key.

+ 

+1. Select **Save**.

+ > [!NOTE]

+ > By selecting **Save**, you agree to [Remote Desktop Gateway license terms](https://www.microsoft.com/licensing/product-licensing/products).

+Once you configure both the gateway and the lab, the RDP connection file created when the lab user selects **Connect** includes the necessary information to connect to the gateway and use token authentication.

+### Configure a lab via automation

+- [Set-DevTestLabGateway.ps1](https://github.com/Azure/azure-devtestlab/blob/master/samples/DevTestLabs/GatewaySample/tools/Set-DevTestLabGateway.ps1) is a sample PowerShell script to automatically set **Gateway hostname** and **Gateway token secret** settings.

+- The [Azure DevTest Labs GitHub repository](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/GatewaySample/arm/lab) has [Gateway sample ARM templates](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/GatewaySample/arm/lab) that create or update a lab with **Gateway hostname** and **Gateway token secret** settings.

+### Configure a network security group

+To further secure the lab, you can add a network security group (NSG) to the virtual network the lab VMs use. For instructions, see [Create, change, or delete a network security group](../virtual-network/manage-network-security-group.md).

+For example, an NSG could allow only traffic that first goes through the gateway to reach lab VMs. The rule source is the IP address of the gateway machine or load balancer for the gateway farm.

+

+- [Remote Desktop Services documentation](/windows-server/remote/remote-desktop-services/Welcome-to-rds)

+- [Deploy your remote desktop environment](/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure)

+- [System Center documentation](/system-center/)

+The information displayed in this tool isn't specific to one Azure Digital instance. After using Service Health to understand what's going with the Azure Digital Twins service in a certain region or subscription, you can take monitoring a step further by using [Azure Resource Health](how-to-monitor-resource-health.md) to drill down into specific instances and see whether they're affected.

+For more on viewing Azure Digital Twins metrics, see [Monitor with metrics](how-to-monitor-metrics.md).

+# Mandatory fields.

+ Title: Monitor with alerts

+description: Learn how to troubleshoot Azure Digital Twins by setting up alerts based on service metrics.

+# Monitor Azure Digital Twins with alerts

+In this article, you'll learn how to set up *alerts* in the [Azure portal](https://portal.azure.com). These alerts will notify you when configurable conditions you've defined based on the metrics of your Azure Digital Twins instance are met, allowing you to take important actions.

+Azure Digital Twins collects [metrics](how-to-monitor-metrics.md) for your service instance that give information about the state of your resources. You can use these metrics to assess the overall health of Azure Digital Twins service and the resources connected to it.

+Alerts proactively notify you when important conditions are found in your metrics data. They allow you to identify and address issues before the users of your system notice them. You can read more about alerts in [Overview of alerts in Microsoft Azure](../azure-monitor/alerts/alerts-overview.md).

+## Turn on alerts

+Here's how to enable alerts for your Azure Digital Twins instance:

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Digital Twins instance. You can find it by typing its name into the portal search bar.

+2. Select **Alerts** from the menu, then **+ New alert rule**.

+ :::image type="content" source="media/how-to-monitor-alerts/alerts-pre.png" alt-text="Screenshot of the Azure portal showing the button to create a new alert rule in the Alerts section of an Azure Digital Twin instance." lightbox="media/how-to-monitor-alerts/alerts-pre.png":::

+3. On the **Create alert rule** page that follows, you can follow the prompts to define conditions, actions to be triggered, and alert details.

+ * **Scope** details should fill automatically with the details for your instance

+ * You'll define **Condition** and **Action group** details to customize alert triggers and responses. For more information about this process, see the [Select conditions](#select-conditions) section later in this article.

+ * In the **Alert rule details** section, enter a name and optional description for your rule.

+ - You can select the **Enable alert rule upon creation** checkbox if you want the alert to become active as soon as it's created.

+ - You can select the **Automatically resolve alerts** checkbox if you want to resolve the alert when the condition isn't met anymore.

+ - This section is also where you select a **subscription**, **resource group**, and **Severity** level.

+4. Select the **Create alert rule** button to create your alert rule.

+ :::image type="content" source="media/how-to-monitor-alerts/create-alert-rule.png" alt-text="Screenshot of the Azure portal showing the Create Alert Rule page with sections for scope, condition, action group, and alert rule details." lightbox="media/how-to-monitor-alerts/create-alert-rule.png":::

+For a guided walkthrough of filling out these fields, see [Overview of alerts in Microsoft Azure](../azure-monitor/alerts/alerts-overview.md). Below are some examples of what the steps will look like for Azure Digital Twins.

+## Select conditions

+Here's an excerpt from the **Select condition** process illustrating what types of alert signals are available for Azure Digital Twins. On this page you can filter the type of signal, and select the signal that you want from a list.

+After selecting a signal, you'll be asked to configure the logic of the alert. You can filter on a dimension, set a threshold value for your alert, and set the frequency of checks for the condition. Here's an example of setting up an alert for when the average Routing Failure Rate metric goes above 5%.

+## Verify success

+After setting up alerts, they'll show up back on the **Alerts** page for your instance.

+

+## Next steps

+* For more information about alerts with Azure Monitor, see [Overview of alerts in Microsoft Azure](../azure-monitor/alerts/alerts-overview.md).

+* For information about the Azure Digital Twins metrics, see [Monitor with metrics](how-to-monitor-metrics.md).

+* To see how to enable diagnostics logging for your Azure Digital Twins metrics, see [Monitor with diagnostics logs](how-to-monitor-diagnostics.md).

+# Mandatory fields.

+ Title: Monitor with diagnostic logs

+description: In this article, learn how to enable logging with diagnostics settings and query the logs for immediate viewing. Also, learn about the log categories and their schemas.

+# Monitor Azure Digital Twins with diagnostics logs

+This article shows you how to configure diagnostic settings in the [Azure portal](https://portal.azure.com), including what types of logs to collect and where to store them (such as Log Analytics or a storage account of your choice). Then, you can query the logs to quickly gather custom insights.

+Azure Digital Twins can collect *logs* for your service instance to monitor its performance, access, and other data. You can use these logs to get an idea of what is happening in your Azure Digital Twins instance, and analyze root causes on issues without needing to contact Azure support.

+This article also contains information about all the log categories that Azure Digital Twins can collect, and their schemas.

+## Turn on diagnostic settings

+Turn on diagnostic settings to start collecting logs on your Azure Digital Twins instance. You can also choose the destination where the exported logs should be stored. Here's how to enable diagnostic settings for your Azure Digital Twins instance.

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Digital Twins instance. You can find it by typing its name into the portal search bar.

+2. Select **Diagnostic settings** from the menu, then **Add diagnostic setting**.

+ :::image type="content" source="media/how-to-monitor-diagnostics/diagnostic-settings.png" alt-text="Screenshot showing the diagnostic settings page in the Azure portal and button to add." lightbox="media/how-to-monitor-diagnostics/diagnostic-settings.png":::

+3. On the page that follows, fill in the following values:

+ * **Diagnostic setting name**: Give the diagnostic settings a name.

+ * **Category details**: Choose which operations you want to monitor, and check the boxes to enable diagnostics for those operations. The operations that diagnostic settings can report on are:

+ - DigitalTwinsOperation

+ - EventRoutesOperation

+ - ModelsOperation

+ - QueryOperation

+ - AllMetrics

+

+ For more details about these categories and the information they contain, see the [Log categories](#log-categories) section below.

+ * **Destination details**: Choose where you want to send the logs. You can select any combination of the three options:

+ - Send to Log Analytics

+ - Archive to a storage account

+ - Stream to an event hub

+ You may be asked to fill in more details if they're necessary for your destination selection.

+

+4. Save the new settings.

+ :::image type="content" source="media/how-to-monitor-diagnostics/diagnostic-settings-details.png" alt-text="Screenshot showing the diagnostic setting page in the Azure portal where the user has filled in a diagnostic setting information." lightbox="media/how-to-monitor-diagnostics/diagnostic-settings-details.png":::

+New settings take effect in about 10 minutes. After that, logs appear in the configured target back on the **Diagnostic settings** page for your instance.

+For more detailed information on diagnostic settings and their setup options, you can visit [Create diagnostic settings to send platform logs and metrics to different destinations](../azure-monitor/essentials/diagnostic-settings.md).

+## View and query logs

+After configuring storage details of your Azure Digital Twins logs, you can write *custom queries* for them to generate insights and troubleshoot issues. The service also provides a few example queries that can help you get started, by addressing common questions that customers may have about their instances.

+Here's how to query the logs for your instance.

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Digital Twins instance. You can find it by typing its name into the portal search bar.

+2. Select **Logs** from the menu to open the log query page. The page opens to a window called **Queries**.

+ :::image type="content" source="media/how-to-monitor-diagnostics/logs.png" alt-text="Screenshot showing the Logs page for an Azure Digital Twins instance in the Azure portal with the Queries window overlaid, showing prebuilt queries." lightbox="media/how-to-monitor-diagnostics/logs.png":::

+ These queries are prebuilt examples written for various logs. You can select one of the queries to load it into the query editor and run it to see these logs for your instance.

+ You can also close the **Queries** window without running anything to go straight to the query editor page, where you can write or edit custom query code.

+3. After exiting the **Queries** window, you'll see the main query editor page. Here you can view and edit the text of the example queries, or write your own queries from scratch.

+ :::image type="content" source="media/how-to-monitor-diagnostics/logs-query.png" alt-text="Screenshot showing the Logs page for an Azure Digital Twins instance in the Azure portal. It includes a list of logs, query code, and Queries History." lightbox="media/how-to-monitor-diagnostics/logs-query.png":::

+ In the left pane,

+ - The **Tables** tab shows the different Azure Digital Twins [log categories](#log-categories) that are available to use in your queries.

+ - The **Queries** tab contains the example queries that you can load into the editor.

+ - The **Filter** tab lets you customize a filtered view of the data that the query returns.

+For more detailed information on log queries and how to write them, you can visit [Overview of log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md).

+## Log categories

+Here are more details about the categories of logs that Azure Digital Twins collects.

+| Log category | Description |

+| | |

+| ADTModelsOperation | Log all API calls related to Models |

+| ADTQueryOperation | Log all API calls related to Queries |

+| ADTEventRoutesOperation | Log all API calls related to to Event Routes and egress of events from Azure Digital Twins to an endpoint service like Event Grid, Event Hubs, and Service Bus |

+| ADTDigitalTwinsOperation | Log all API calls related to individual twins |

+Each log category consists of operations of write, read, delete, and action. These categories map to REST API calls as follows:

+| Event type | REST API operations |

+| | |

+| Write | PUT and PATCH |

+| Read | GET |

+| Delete | DELETE |

+| Action | POST |

+Here's a comprehensive list of the operations and corresponding [Azure Digital Twins REST API calls](/rest/api/azure-digitaltwins/) that are logged in each category.

+>[!NOTE]

+> Each log category contains several operations/REST API calls. In the table below, each log category maps to all operations/REST API calls underneath it until the next log category is listed.

+| Log category | Operation | REST API calls and other events |

+| | | |

+| ADTModelsOperation | Microsoft.DigitalTwins/models/write | Digital Twin Models Update API |

+| | Microsoft.DigitalTwins/models/read | Digital Twin Models Get By ID and List APIs |

+| | Microsoft.DigitalTwins/models/delete | Digital Twin Models Delete API |

+| | Microsoft.DigitalTwins/models/action | Digital Twin Models Add API |

+| ADTQueryOperation | Microsoft.DigitalTwins/query/action | Query Twins API |

+| ADTEventRoutesOperation | Microsoft.DigitalTwins/eventroutes/write | Event Routes Add API |

+| | Microsoft.DigitalTwins/eventroutes/read | Event Routes Get By ID and List APIs |

+| | Microsoft.DigitalTwins/eventroutes/delete | Event Routes Delete API |

+| | Microsoft.DigitalTwins/eventroutes/action | Failure while attempting to publish events to an endpoint service (not an API call) |

+| ADTDigitalTwinsOperation | Microsoft.DigitalTwins/digitaltwins/write | Digital Twins Add, Add Relationship, Update, Update Component |

+| | Microsoft.DigitalTwins/digitaltwins/read | Digital Twins Get By ID, Get Component, Get Relationship by ID, List Incoming Relationships, List Relationships |

+| | Microsoft.DigitalTwins/digitaltwins/delete | Digital Twins Delete, Delete Relationship |

+| | Microsoft.DigitalTwins/digitaltwins/action | Digital Twins Send Component Telemetry, Send Telemetry |

+## Log schemas

+Each log category has a schema that defines how events in that category are reported. Each individual log entry is stored as text and formatted as a JSON blob. The fields in the log and example JSON bodies are provided for each log type below.

+`ADTDigitalTwinsOperation`, `ADTModelsOperation`, and `ADTQueryOperation` use a consistent API log schema. `ADTEventRoutesOperation` extends the schema to contain an `endpointName` field in properties.

+### API log schemas

+This log schema is consistent for `ADTDigitalTwinsOperation`, `ADTModelsOperation`, `ADTQueryOperation`. The same schema is also used for `ADTEventRoutesOperation`, except the `Microsoft.DigitalTwins/eventroutes/action` operation name (for more information about that schema, see the next section, [Egress log schemas](#egress-log-schemas)).

+The schema contains information pertinent to API calls to an Azure Digital Twins instance.

+Here are the field and property descriptions for API logs.

+| Field name | Data type | Description |

+|--||-|

+| `Time` | DateTime | The date and time that this event occurred, in UTC |

+| `ResourceId` | String | The Azure Resource Manager Resource ID for the resource where the event took place |

+| `OperationName` | String | The type of action being performed during the event |

+| `OperationVersion` | String | The API Version used during the event |

+| `Category` | String | The type of resource being emitted |

+| `ResultType` | String | Outcome of the event |

+| `ResultSignature` | String | Http status code for the event |

+| `ResultDescription` | String | Additional details about the event |

+| `DurationMs` | String | How long it took to perform the event in milliseconds |

+| `CallerIpAddress` | String | A masked source IP address for the event |

+| `CorrelationId` | Guid | Customer provided unique identifier for the event |

+| `ApplicationId` | Guid | Application ID used in bearer authorization |

+| `Level` | Int | The logging severity of the event |

+| `Location` | String | The region where the event took place |

+| `RequestUri` | Uri | The endpoint used during the event |

+| `TraceId` | String | `TraceId`, as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). The ID of the whole trace used to uniquely identify a distributed trace across systems. |

+| `SpanId` | String | `SpanId` as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). The ID of this request in the trace. |

+| `ParentId` | String | `ParentId` as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). A request without a parent ID is the root of the trace. |

+| `TraceFlags` | String | `TraceFlags` as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). Controls tracing flags such as sampling, trace level, and so on. |

+| `TraceState` | String | `TraceState` as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). Additional vendor-specific trace identification information to span across different distributed tracing systems. |

+Below are example JSON bodies for these types of logs.

+#### ADTDigitalTwinsOperation

+```json

+{

+ "time": "2020-03-14T21:11:14.9918922Z",

+ "resourceId": "/SUBSCRIPTIONS/BBED119E-28B8-454D-B25E-C990C9430C8F/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.DIGITALTWINS/DIGITALTWINSINSTANCES/MYINSTANCENAME",

+ "operationName": "Microsoft.DigitalTwins/digitaltwins/write",

+ "operationVersion": "2020-10-31",

+ "category": "DigitalTwinOperation",

+ "resultType": "Success",

+ "resultSignature": "200",

+ "resultDescription": "",

+ "durationMs": 8,

+ "callerIpAddress": "13.68.244.*",

+ "correlationId": "2f6a8e64-94aa-492a-bc31-16b9f0b16ab3",

+ "identity": {

+ "claims": {

+ "appId": "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"

+ }

+ },

+ "level": "4",

+ "location": "southcentralus",

+ "uri": "https://myinstancename.api.scus.digitaltwins.azure.net/digitaltwins/factory-58d81613-2e54-4faa-a930-d980e6e2a884?api-version=2020-10-31",

+ "properties": {},

+ "traceContext": {

+ "traceId": "95ff77cfb300b04f80d83e64d13831e7",

+ "spanId": "b630da57026dd046",

+ "parentId": "9f0de6dadae85945",

+ "traceFlags": "01",

+ "tracestate": "k1=v1,k2=v2"

+ }

+}

+```

+#### ADTModelsOperation

+```json

+{

+ "time": "2020-10-29T21:12:24.2337302Z",

+ "resourceId": "/SUBSCRIPTIONS/BBED119E-28B8-454D-B25E-C990C9430C8F/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.DIGITALTWINS/DIGITALTWINSINSTANCES/MYINSTANCENAME",

+ "operationName": "Microsoft.DigitalTwins/models/write",

+ "operationVersion": "2020-10-31",

+ "category": "ModelsOperation",

+ "resultType": "Success",

+ "resultSignature": "201",

+ "resultDescription": "",

+ "durationMs": "80",

+ "callerIpAddress": "13.68.244.*",

+ "correlationId": "9dcb71ea-bb6f-46f2-ab70-78b80db76882",

+ "identity": {

+ "claims": {

+ "appId": "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"

+ }

+ },

+ "level": "4",

+ "location": "southcentralus",

+ "uri": "https://myinstancename.api.scus.digitaltwins.azure.net/Models?api-version=2020-10-31",

+ "properties": {},

+ "traceContext": {

+ "traceId": "95ff77cfb300b04f80d83e64d13831e7",

+ "spanId": "b630da57026dd046",

+ "parentId": "9f0de6dadae85945",

+ "traceFlags": "01",

+ "tracestate": "k1=v1,k2=v2"

+ }

+}

+```

+#### ADTQueryOperation

+```json

+{

+ "time": "2020-12-04T21:11:44.1690031Z",

+ "resourceId": "/SUBSCRIPTIONS/BBED119E-28B8-454D-B25E-C990C9430C8F/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.DIGITALTWINS/DIGITALTWINSINSTANCES/MYINSTANCENAME",

+ "operationName": "Microsoft.DigitalTwins/query/action",

+ "operationVersion": "2020-10-31",

+ "category": "QueryOperation",

+ "resultType": "Success",

+ "resultSignature": "200",

+ "resultDescription": "",

+ "durationMs": "314",

+ "callerIpAddress": "13.68.244.*",

+ "correlationId": "1ee2b6e9-3af4-4873-8c7c-1a698b9ac334",

+ "identity": {

+ "claims": {

+ "appId": "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"

+ }

+ },

+ "level": "4",

+ "location": "southcentralus",

+ "uri": "https://myinstancename.api.scus.digitaltwins.azure.net/query?api-version=2020-10-31",

+ "properties": {},

+ "traceContext": {

+ "traceId": "95ff77cfb300b04f80d83e64d13831e7",

+ "spanId": "b630da57026dd046",

+ "parentId": "9f0de6dadae85945",

+ "traceFlags": "01",

+ "tracestate": "k1=v1,k2=v2"

+ }

+}

+```

+#### ADTEventRoutesOperation

+Here's an example JSON body for an `ADTEventRoutesOperation` that isn't of `Microsoft.DigitalTwins/eventroutes/action` type (for more information about that schema, see the next section, [Egress log schemas](#egress-log-schemas)).

+```json

+ {

+ "time": "2020-10-30T22:18:38.0708705Z",

+ "resourceId": "/SUBSCRIPTIONS/BBED119E-28B8-454D-B25E-C990C9430C8F/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.DIGITALTWINS/DIGITALTWINSINSTANCES/MYINSTANCENAME",

+ "operationName": "Microsoft.DigitalTwins/eventroutes/write",

+ "operationVersion": "2020-10-31",

+ "category": "EventRoutesOperation",

+ "resultType": "Success",

+ "resultSignature": "204",

+ "resultDescription": "",

+ "durationMs": 42,

+ "callerIpAddress": "212.100.32.*",

+ "correlationId": "7f73ab45-14c0-491f-a834-0827dbbf7f8e",

+ "identity": {

+ "claims": {

+ "appId": "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"

+ }

+ },

+ "level": "4",

+ "location": "southcentralus",

+ "uri": "https://myinstancename.api.scus.digitaltwins.azure.net/EventRoutes/egressRouteForEventHub?api-version=2020-10-31",

+ "properties": {},

+ "traceContext": {

+ "traceId": "95ff77cfb300b04f80d83e64d13831e7",

+ "spanId": "b630da57026dd046",

+ "parentId": "9f0de6dadae85945",

+ "traceFlags": "01",

+ "tracestate": "k1=v1,k2=v2"

+ }

+ },

+```

+### Egress log schemas

+The following example is the schema for `ADTEventRoutesOperation` logs specific to the `Microsoft.DigitalTwins/eventroutes/action` operation name. These contain details related to exceptions and the API operations around egress endpoints connected to an Azure Digital Twins instance.

+|Field name | Data type | Description |

+|--||-|

+| `Time` | DateTime | The date and time that this event occurred, in UTC |

+| `ResourceId` | String | The Azure Resource Manager Resource ID for the resource where the event took place |

+| `OperationName` | String | The type of action being performed during the event |

+| `Category` | String | The type of resource being emitted |

+| `ResultDescription` | String | Additional details about the event |

+| `CorrelationId` | Guid | Customer provided unique identifier for the event |

+| `ApplicationId` | Guid | Application ID used in bearer authorization |

+| `Level` | Int | The logging severity of the event |

+| `Location` | String | The region where the event took place |

+| `TraceId` | String | `TraceId`, as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). The ID of the whole trace used to uniquely identify a distributed trace across systems. |

+| `SpanId` | String | `SpanId` as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). The ID of this request in the trace. |

+| `ParentId` | String | `ParentId` as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). A request without a parent ID is the root of the trace. |

+| `TraceFlags` | String | `TraceFlags` as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). Controls tracing flags such as sampling, trace level, and so on. |

+| `TraceState` | String | `TraceState` as part of [W3C's Trace Context](https://www.w3.org/TR/trace-context/). Additional vendor-specific trace identification information to span across different distributed tracing systems. |

+| `EndpointName` | String | The name of egress endpoint created in Azure Digital Twins |

+Below are example JSON bodies for these types of logs.

+#### ADTEventRoutesOperation for Microsoft.DigitalTwins/eventroutes/action

+Here's an example JSON body for an `ADTEventRoutesOperation` that of `Microsoft.DigitalTwins/eventroutes/action` type.

+```json

+{

+ "time": "2020-11-05T22:18:38.0708705Z",

+ "resourceId": "/SUBSCRIPTIONS/BBED119E-28B8-454D-B25E-C990C9430C8F/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.DIGITALTWINS/DIGITALTWINSINSTANCES/MYINSTANCENAME",

+ "operationName": "Microsoft.DigitalTwins/eventroutes/action",

+ "operationVersion": "",

+ "category": "EventRoutesOperation",

+ "resultType": "",

+ "resultSignature": "",

+ "resultDescription": "Unable to send EventHub message to [myPath] for event Id [f6f45831-55d0-408b-8366-058e81ca6089].",

+ "durationMs": -1,

+ "callerIpAddress": "",

+ "correlationId": "7f73ab45-14c0-491f-a834-0827dbbf7f8e",

+ "identity": {

+ "claims": {

+ "appId": "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"

+ }

+ },

+ "level": "4",

+ "location": "southcentralus",

+ "uri": "",

+ "properties": {

+ "endpointName": "myEventHub"

+ },

+ "traceContext": {

+ "traceId": "95ff77cfb300b04f80d83e64d13831e7",

+ "spanId": "b630da57026dd046",

+ "parentId": "9f0de6dadae85945",

+ "traceFlags": "01",

+ "tracestate": "k1=v1,k2=v2"

+ }

+},

+```

+## Next steps

+* For more information about configuring diagnostics, see [Collect and consume log data from your Azure resources](../azure-monitor/essentials/platform-logs-overview.md).

+* For information about the Azure Digital Twins metrics, see [Monitor with metrics](how-to-monitor-metrics.md).

+* To see how to enable alerts for your Azure Digital Twins metrics, see [Monitor with alerts](how-to-monitor-alerts.md).

+# Mandatory fields.

+ Title: Monitor with metrics

+description: Learn how to view Azure Digital Twins metrics in Azure Monitor to troubleshoot and oversee your instance.

+# Optional fields. Don't forget to remove # if you need a field.

+#

+#

+#

+# Monitor Azure Digital Twins with metrics

+The metrics described in this article give you information about the state of Azure Digital Twins resources in your Azure subscription. Azure Digital Twins metrics help you assess the overall health of the Azure Digital Twins service and the resources connected to it. These user-facing statistics help you see what is going on with your Azure Digital Twins and help analyze the root causes of issues without needing to contact Azure support.

+Metrics are enabled by default. You can view Azure Digital Twins metrics from the [Azure portal](https://portal.azure.com).

+## View the metrics

+1. Create an Azure Digital Twins instance. You can find instructions on how to set up an Azure Digital Twins instance in [Set up an instance and authentication](how-to-set-up-instance-portal.md).

+2. Find your Azure Digital Twins instance in the [Azure portal](https://portal.azure.com) (you can open the page for it by typing its name into the portal search bar).

+ From the instance's menu, select **Metrics**.

+

+ :::image type="content" source="media/how-to-monitor-metrics/azure-digital-twins-metrics.png" alt-text="Screenshot showing the metrics page for Azure Digital Twins in the Azure portal.":::

+ This page displays the metrics for your Azure Digital Twins instance. You can also create custom views of your metrics by selecting the ones you want to see from the list.

+

+3. You can choose to send your metrics data to an Event Hubs endpoint or an Azure Storage account by selecting **Diagnostics settings** from the menu, then **Add diagnostic setting**.

+ :::image type="content" source="media/how-to-monitor-diagnostics/diagnostic-settings.png" alt-text="Screenshot showing the diagnostic settings page and button to add in the Azure portal.":::

+ For more information about this process, see [Monitor with diagnostics logs](how-to-monitor-diagnostics.md).

+4. You can choose to set up alerts for your metrics data by selecting **Alerts** from the menu, then **+ New alert rule**.

+ :::image type="content" source="media/how-to-monitor-alerts/alerts-pre.png" alt-text="Screenshot showing the Alerts page and button to add in the Azure portal.":::

+ For more information about this process, see [Monitor with alerts](how-to-monitor-alerts.md).

+## List of metrics

+Azure Digital Twins provides several metrics to give you an overview of the health of your instance and its associated resources. You can also combine information from multiple metrics to paint a bigger picture of the state of your instance.

+The following tables describe the metrics tracked by each Azure Digital Twins instance, and how each metric relates to the overall status of your instance.

+#### Metrics for tracking service limits

+You can configure these metrics to track when you're approaching a [published service limit](reference-service-limits.md#functional-limits) for some aspect of your solution.

+To set up tracking, use the [alerts](how-to-monitor-alerts.md) feature in Azure Monitor. You can define thresholds for these metrics so that you receive an alert when a metric reaches a certain percentage of its published limit.

+| Metric | Metric display name | Unit | Aggregation type| Description | Dimensions |

+| | | | | | |

+| TwinCount | Twin Count (Preview) | Count | Total | Total number of twins in the Azure Digital Twins instance. Use this metric to determine if you're approaching the [service limit](reference-service-limits.md#functional-limits) for max number of twins allowed per instance. | None |

+| ModelCount | Model Count (Preview) | Count | Total | Total number of models in the Azure Digital Twins instance. Use this metric to determine if you're approaching the [service limit](reference-service-limits.md#functional-limits) for max number of models allowed per instance. | None |

+#### API request metrics

+Metrics having to do with API requests:

+| Metric | Metric display name | Unit | Aggregation type| Description | Dimensions |

+| | | | | | |

+| ApiRequests | API Requests | Count | Total | The number of API Requests made for Digital Twins read, write, delete, and query operations. | Authentication, <br>Operation, <br>Protocol, <br>Status Code, <br>Status Code Class, <br>Status Text |

+| ApiRequestsFailureRate | API Requests Failure Rate | Percent | Average | The percentage of API requests that the service receives for your instance that give an internal error (500) response code for Digital Twins read, write, delete, and query operations. | Authentication, <br>Operation, <br>Protocol, <br>Status Code, <br>Status Code Class, <br>Status Text

+| ApiRequestsLatency | API Requests Latency | Milliseconds | Average | The response time for API requests. This value refers to the time from when the request is received by Azure Digital Twins until the service sends a success/fail result for Digital Twins read, write, delete, and query operations. | Authentication, <br>Operation, <br>Protocol |

+#### Billing metrics

+Metrics having to do with billing:

+| Metric | Metric display name | Unit | Aggregation type| Description | Dimensions |

+| | | | | | |

+| BillingApiOperations | Billing API Operations | Count | Total | Billing metric for the count of all API requests made against the Azure Digital Twins service. | Meter ID |

+| BillingMessagesProcessed | Billing Messages Processed | Count | Total | Billing metric for the number of messages sent out from Azure Digital Twins to external endpoints.<br><br>To be considered a single message for billing purposes, a payload must be no larger than 1 KB. Payloads larger than this limit will be counted as additional messages in 1 KB increments (so a message between 1 KB and 2 KB will be counted as 2 messages, between 2 KB and 3 KB will be 3 messages, and so on).<br>This restriction also applies to responsesΓÇöso a call that returns 1.5 KB in the response body, for example, will be billed as 2 operations. | Meter ID |

+| BillingQueryUnits | Billing Query Units | Count | Total | The number of Query Units, an internally computed measure of service resource usage, consumed to execute queries. There's also a helper API available for measuring Query Units: [QueryChargeHelper Class](/dotnet/api/azure.digitaltwins.core.querychargehelper?view=azure-dotnet&preserve-view=true) | Meter ID |

+For more information on the way Azure Digital Twins is billed, see [Azure Digital Twins pricing](https://azure.microsoft.com/pricing/details/digital-twins/).

+#### Ingress metrics

+Metrics having to do with data ingress:

+| Metric | Metric display name | Unit | Aggregation type| Description | Dimensions |

+| | | | | | |

+| IngressEvents | Ingress Events | Count | Total | The number of incoming telemetry events into Azure Digital Twins. | Result |

+| IngressEventsFailureRate | Ingress Events Failure Rate | Percent | Average | The percentage of incoming telemetry events for which the service returns an internal error (500) response code. | Result |

+| IngressEventsLatency | Ingress Events Latency | Milliseconds | Average | The time from when an event arrives to when it's ready to be egressed by Azure Digital Twins, at which point the service sends a success/fail result. | Result |

+#### Routing metrics

+Metrics having to do with routing:

+| Metric | Metric display name | Unit | Aggregation type| Description | Dimensions |

+| | | | | | |

+| MessagesRouted | Messages Routed | Count | Total | The number of messages routed to an endpoint Azure service such as Event Hubs, Service Bus, or Event Grid. | Endpoint Type, <br>Result |

+| RoutingFailureRate | Routing Failure Rate | Percent | Average | The percentage of events that result in an error as they're routed from Azure Digital Twins to an endpoint Azure service such as Event Hubs, Service Bus, or Event Grid. | Endpoint Type, <br>Result |

+| RoutingLatency | Routing Latency | Milliseconds | Average | Time elapsed between an event getting routed from Azure Digital Twins to when it's posted to the endpoint Azure service such as Event Hubs, Service Bus, or Event Grid. | Endpoint Type, <br>Result |

+## Dimensions

+Dimensions help identify more details about the metrics. Some of the routing metrics provide information per endpoint. The table below lists possible values for these dimensions.

+| Dimension | Values |

+| | |

+| Authentication | OAuth |

+| Operation (for API Requests) | Microsoft.DigitalTwins/digitaltwins/delete, <br>Microsoft.DigitalTwins/digitaltwins/write, <br>Microsoft.DigitalTwins/digitaltwins/read, <br>Microsoft.DigitalTwins/eventroutes/read, <br>Microsoft.DigitalTwins/eventroutes/write, <br>Microsoft.DigitalTwins/eventroutes/delete, <br>Microsoft.DigitalTwins/models/read, <br>Microsoft.DigitalTwins/models/write, <br>Microsoft.DigitalTwins/models/delete, <br>Microsoft.DigitalTwins/query/action |

+| Endpoint Type | Event Grid, <br>Event Hubs, <br>Service Bus |

+| Protocol | HTTPS |

+| Result | Success, <br>Failure |

+| Status Code | 200, 404, 500, and so on. |

+| Status Code Class | 2xx, 4xx, 5xx, and so on. |

+| Status Text | Internal Server Error, Not Found, and so on. |

+## Next steps

+To learn more about managing recorded metrics for Azure Digital Twins, see [Monitor with diagnostics logs](how-to-monitor-diagnostics.md).

+# Mandatory fields.

+ Title: Monitor resource health

+description: Learn how to use Azure Resource Health to check the health of your Azure Digital Twins instance.

+# Optional fields. Don't forget to remove # if you need a field.

+#

+#

+#

+# Monitor Azure Digital Twins resource health

+[Azure Service Health](../service-health/index.yml) is a suite of experiences that can help you diagnose and get support for service problems that affect your Azure resources. It contains resource health, service health, and status information, and reports on both current and past health information.

+## Use Azure Resource Health

+[Azure Resource Health](../service-health/resource-health-overview.md) can help you monitor whether your Azure Digital Twins instance is up and running. You can also use it to learn whether a regional outage is impacting the health of your instance.

+To check the health of your instance, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Digital Twins instance. You can find it by typing its name into the portal search bar.

+2. From your instance's menu, select **Resource health** under Support + troubleshooting. This will take you to the page for viewing resource health history.

+ :::image type="content" source="media/how-to-monitor-resource-health/resource-health.png" alt-text="Screenshot showing the 'Resource health' page. There is a 'Health history' section showing a daily report from the last nine days.":::

+In the image above, this instance is showing as **Available**, and has been for the past nine days. To learn more about the Available status and the other status types that may appear, see [Resource Health overview](../service-health/resource-health-overview.md).

+You can also learn more about the different checks that go into resource health for different types of Azure resources in [Resource types and health checks in Azure resource health](../service-health/resource-health-checks-resource-types.md).

+## Use Azure Service Health

+[Azure Service Health](../service-health/service-health-overview.md) can help you check the health of the entire Azure Digital Twins service in a certain region, and be aware of events like ongoing service issues and upcoming planned maintenance.

+To check service health, sign in to the [Azure portal](https://portal.azure.com) and navigate to the **Service Health** service. You can find it by typing "service health" into the portal search bar.

+You can then filter service issues by subscription, region, and service.

+For more information on using Azure Service Health, see [Service Health overview](../service-health/service-health-overview.md).

+## Use Azure status

+The [Azure status](../service-health/azure-status-overview.md) page provides a global view of the health of Azure services and regions. While Azure Service Health and Azure Resource Health are personalized to your specific resource, Azure status has a larger scope and can be useful to understand incidents with wide-ranging impact.

+To check Azure status, navigate to the [Azure status](https://status.azure.com/status/) page. The page displays a table of Azure services along with health indicators per region. You can view Azure Digital Twins by searching for its table entry on the page.

+For more information on using the Azure status page, see [Azure status overview](../service-health/azure-status-overview.md).

+## Next steps

+Read about other ways to monitor your Azure Digital Twins instance in the following articles:

+* [Monitor with metrics](how-to-monitor-metrics.md)

+* [Monitor with diagnostics logs](how-to-monitor-diagnostics.md).

+* [Monitor with alerts](how-to-monitor-alerts.md)

+* Use thresholds and notifications to warn about approaching limits. Some of the service limits for Azure Digital Twins have corresponding [metrics](how-to-monitor-metrics.md) that can be used to track usage in these areas. To configure thresholds and set up an alert on any metric when a threshold is approached, see the instructions in [Monitor with alerts](how-to-monitor-alerts.md). To set up notifications for other limits where metrics aren't provided, consider implementing this logic in your own application code.

+ Title: "Troubleshooting performance"

+# Troubleshooting Azure Digital Twins performance

+Determine whether the delay is coming from Azure Digital Twins or another service in your solution. To investigate this delay, you can use the **API Latency** metric in [Azure Monitor](../azure-monitor/essentials/quick-monitor-azure-resource.md) through the Azure portal. For instructions on how to view Azure Monitor metrics for an Azure Digital Twins instance, see [Monitor with metrics](how-to-monitor-metrics.md).

+Azure Digital Twins can collect logs for your service instance to help monitor its performance, among other data. Logs can be sent to [Log Analytics](../azure-monitor/logs/log-analytics-overview.md) or your custom storage mechanism. To enable logging in your instance, use the instructions in [Monitor with diagnostic logs](how-to-monitor-diagnostics.md). You can analyze the timestamps on the logs to measure latencies, evaluate if they're consistent, and understand their source.

+1. Gather [metrics](how-to-monitor-metrics.md) and [logs](how-to-monitor-diagnostics.md) for your instance.

+Read about other ways to monitor your Azure Digital Twins instance to help with troubleshooting:

+* [Monitor with metrics](how-to-monitor-metrics.md)

+* [Monitor with diagnostics logs](how-to-monitor-diagnostics.md).

+* [Monitor with alerts](how-to-monitor-alerts.md)

+* [Monitor resource health](how-to-monitor-resource-health.md)

+ - Reader role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

+* For backups located on a network share provide the below details of your source SQL Server, source backup location, target database name and Azure storage account for the backup files to be uploaded to.

+* For backups stored in an Azure storage blob container specify the below details of the Target database name,

+Resource group, Azure storage account, Blob container from the corresponding drop-down lists.

+ |Field |Description |

+ ||-|

+ |**Target database name** |The target database name can be modified if you wish to change the database name on the target during the migration process. |

+ |**Storage account details** |The resource group, storage account and container where backup files are located.

+

+zone_pivot_groups: front-door-tiers

+|**Custom domains**| **Description** |

+| [Custom domain and managed TLS certificate](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-custom-domain/) | Creates a Front Door profile with a custom domain and a Microsoft-managed TLS certificate. |

+| [Custom domain and customer-managed TLS certificate](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-custom-domain-customer-certificate/) | Creates a Front Door profile with a custom domain and use your own TLS certificate by using Key Vault. |

+| [Custom domain and Azure DNS](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-custom-domain-azure-dns/) | Creates a Front Door profile with a custom domain and an Azure DNS zone. |

+|**Web Application Firewall**| **Description** |

+| Template | Description |

+| | |

+| [Create a basic Front Door](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-create-basic)| Creates a basic Front Door configuration with a single backend. |

+| [Create a Front Door with multiple backends and backend pools and URL based routing](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-create-multiple-backends)| Creates a Front Door with load balancing configured for multiple backends in ta backend pool and also across backend pools based on URL path. |

+| [Onboard a custom domain and managed TLS certificate with Front Door](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-custom-domain)| Add a custom domain to your Front Door and use a Front Door-managed TLS certificate. |

+| [Onboard a custom domain and customer-managed TLS certificate with Front Door](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-custom-domain-customer-certificate)| Add a custom domain to your Front Door and use your own TLS certificate by using Key Vault. |

+| [Create Front Door with geo filtering](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-geo-filtering)| Create a Front Door that allows/blocks traffic from certain countries/regions. |

+| [Control Health Probes for your backends on Front Door](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-health-probes)| Update your Front Door to change the health probe settings by updating the probe path and also the intervals in which the probes will be sent. |

+| [Create Front Door with Active/Standby backend configuration](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-priority-lb)| Creates a Front Door that demonstrates priority-based routing for Active/Standby application topology, that is, by default send all traffic to the primary (highest-priority) backend until it becomes unavailable. |

+| [Create Front Door with caching enabled for certain routes](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-create-caching)| Creates a Front Door with caching enabled for the defined routing configuration thus caching any static assets for your workload. |

+| [Configure Session Affinity for your Front Door host names](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-session-affinity) | Updates a Front Door to enable session affinity for your frontend host, thereby, sending subsequent traffic from the same user session to the same backend. |

+| [Configure Front Door for client IP allowlisting or blocklisting](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-waf-clientip)| Configures a Front Door to restrict traffic certain client IPs using custom access control using client IPs. |

+| [Configure Front Door to take action with specific http parameters](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-waf-http-params)| Configures a Front Door to allow or block certain traffic based on the http parameters in the incoming request by using custom rules for access control using http parameters. |

+| [Configure Front Door rate limiting](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-rate-limiting)| Configures a Front Door to rate limit incoming traffic for a given frontend host. |

+| | |

+- Learn how to [create a Front Door profile](standard-premium/create-front-door-portal.md).

+zone_pivot_groups: front-door-tiers

+In Azure Front Door Standard/Premium tier, you can configure URL redirect using a Rule Set.

+> [!IMPORTANT]

+> Azure Front Door Standard/Premium (Preview) is currently in public preview.

+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+* Learn how to [create a Front Door](quickstart-create-front-door.md).

+* Learn more about [Azure Front Door Rule Set](front-door-rules-engine.md).

+* Learn [how Front Door works](front-door-routing-architecture.md).

+description: This article helps you understand how URL rewrites works in Azure Front Door.

+zone_pivot_groups: front-door-tiers

+# URL rewrite

+Azure Front Door Standard/Premium supports URL rewrite to change the path of a request that is being routed to your origin. URL rewrite also allows you to add conditions to make sure that the URL or the specified headers gets rewritten only when certain conditions gets met. These conditions are based on the request and response information.

+With this feature, you can redirect users to different origins based on scenarios, device types, or the requested file type.

+URL rewrite settings can be found in the Rule set configuration.

+## Source pattern

+Source pattern is the URL path in the source request to replace. Currently, source pattern uses a prefix-based match. To match all URL paths, use a forward slash (/) as the source pattern value.

+For URL rewrite source pattern, only the path after the route configuration ΓÇ£patterns to matchΓÇ¥ is considered. For example, you have the following incoming URL format `<Frontend-domain>/<route-patterns-to-match-path>/<Rule-URL-Rewrite-Source-pattern>`, only `/<Rule-URL-Rewrite-Source-pattern>` will be considered by the rule engine as the source pattern to be rewritten. Therefore, when you have a URL rewrite rule using source pattern match, the format for the outgoing URL will be `<Frontend-domain>/<route-patterns-to-match-path>/<Rule-URL-Rewrite-destination>`.

+For scenarios, where `/<route-patterns-to-match-path` segment of the URL path must be removed, set the Origin path of the Origin group in route configuration to `/`.

+## Destination

+You can define the destination path to use in the rewrite. The destination path overwrites the source pattern.

+## Preserve unmatched path

+Preserve unmatched path allows you to append the remaining path after the source pattern to the new path.

+For example, if I set **Preserve unmatched path to Yes**.

+* If the incoming request is `www.contoso.com/sub/1.jpg`, the source pattern gets set to `/`, the destination get set to `/foo/`, and the content get served from `/foo/sub/1`.jpg from the origin.

+* If the incoming request is `www.contoso.com/sub/image/1.jpg`, the source pattern gets set to `/sub/`, the destination get set to `/foo/`, the content get served from `/foo/image/1.jpg` from the origin.

+For example, if I set **Preserve unmatched path to No**.

+* If the incoming request is `www.contoso.com/sub/image/1.jpg`, the source pattern gets set to `/sub/`, the destination get set to `/foo/2.jpg`, the content will always be served from `/foo/2.jpg` from the origin no matter what paths followed in `wwww.contoso.com/sub/`.

+The robust part of URL rewrite is that the custom forwarding path will copy any part of the incoming path that matches the wildcard path to the forwarded path (these path segments are the **green** segments in the example below):

+| Hosts | Paths |

+|--|--|

+| www\.contoso.com | /\* |

+| | /foo |

+| | /foo/\* |

+| | /foo/bar/\* |

+| Incoming request | Most-specific match path | / | /fwd/ | /foo/ | /foo/bar/ |

+|--|--|--|--|--|--|

+| www\.contoso.com/ | /\* | / | /fwd/ | /foo/ | /foo/bar/ |

+| www\.contoso.com/**sub** | /\* | /**sub** | /fwd/**sub** | /foo/**sub** | /foo/bar/**sub** |

+| www\.contoso.com/**a/b/c** | /\* | /**a/b/c** | /fwd/**a/b/c** | /foo/**a/b/c** | /foo/bar/**a/b/c** |

+| www\.contoso.com/foo | /foo | / | /fwd/ | /foo/ | /foo/bar/ |

+| www\.contoso.com/foo/ | /foo/\* | / | /fwd/ | /foo/ | /foo/bar/ |

+| www\.contoso.com/foo/**bar** | /foo/\* | /**bar** | /fwd/**bar** | /foo/**bar** | /foo/bar/**bar** |

+> Azure Front Door only supports URL rewrite from a static path to another static path. Preserve unmatched path is supported with Azure Front Door Standard/Premium SKU. For more information, see [Preserve unmatched path](front-door-url-rewrite.md#preserve-unmatched-path).

+There are extra optional settings you can also specify for any given routing rule settings:

+- Learn more about [Azure Front Door Rules engine](front-door-rules-engine.md)

+- Learn about [Azure Front Door routing architecture](front-door-routing-architecture.md).

+Yes. In fact, Azure Front Door supports host, path, query string redirection, and part of URL redirection. Learn more about [URL redirection](../front-door-url-redirect.md).

+- Control which devices can [connect](overview-iot-central-developer.md#how-devices-connect) to your application and how they authenticate.

+- [Device authentication](concepts-device-authentication.md): Create, revoke, and update the security keys that your devices use to establish a connection to your application.

+The [telemetry, properties, and commands](concepts-telemetry-properties-commands.md) that a device implements are collectively known as the device capabilities. You define these capabilities in a model that's shared between the device and the IoT Central application. In IoT Central, this model is part of the device template that defines a specific type of device. To learn more, see [Assign a device to a device template](concepts-device-templates.md#assign-a-device-to-a-device-template).

+ Title: Device authentication in Azure IoT Central | Microsoft Docs

+description: This article introduces key concepts relating to device authentication in Azure IoT Central

+# This article applies to operators and device developers.

+# Device authentication concepts in IoT Central

+This article describes how devices authenticate to an IoT Central application. To learn more about the overall connection process, see [Connect a device](overview-iot-central-developer.md#how-devices-connect).

+Devices authenticate with the IoT Central application by using either a _shared access signature (SAS) token_ or an _X.509 certificate_. X.509 certificates are recommended in production environments.

+You use _enrollment groups_ to manage the device authentication options in your IoT Central application.

+This article describes the following device authentication options:

+- [X.509 enrollment group](#x509-enrollment-group)

+- [SAS enrollment group](#sas-enrollment-group)

+- [Individual enrollment](#individual-enrollment)

+## X.509 enrollment group

+In a production environment, using X.509 certificates is the recommended device authentication mechanism for IoT Central. To learn more, see [Device Authentication using X.509 CA Certificates](../../iot-hub/iot-hub-x509ca-overview.md).

+An X.509 enrollment group contains a root or intermediate X.509 certificate. Devices can authenticate if they have a valid leaf certificate that's derived from the root or intermediate certificate.

+To connect a device with an X.509 certificate to your application:

+1. Create an _enrollment group_ that uses the **Certificates (X.509)** attestation type.

+1. Add and verify an intermediate or root X.509 certificate in the enrollment group.

+1. Generate a leaf certificate from the root or intermediate certificate in the enrollment group. Install the leaf certificate on the device for it to use when it connects to your application.

+To learn more, see [How to connect devices with X.509 certificates](how-to-connect-devices-x509.md)

+### For testing purposes only

+In a production environment, use certificates from your certificate provider. For testing only, you can use the following utilities to generate root, intermediate, and device certificates:

+- [Tools for the Azure IoT Device Provisioning Device SDK](https://github.com/Azure/azure-iot-sdk-node/blob/main/provisioning/tools/readme.md): a collection of Node.js tools that you can use to generate and verify X.509 certificates and keys.

+- [Manage test CA certificates for samples and tutorials](https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md): a collection of PowerShell and Bash scripts to:

+ - Create a certificate chain.

+ - Save the certificates as .cer files to upload to your IoT Central application.

+ - Use the verification code from the IoT Central application to generate the verification certificate.

+ - Create leaf certificates for your devices using your device IDs as a parameter to the tool.

+## SAS enrollment group

+A SAS enrollment group contains group-level SAS keys. Devices can authenticate if they have a valid SAS token that's derived from a group-level SAS key.

+To connect a device with device SAS token to your application:

+1. Create an _enrollment group_ that uses the **Shared Access Signature (SAS)** attestation type.

+1. Copy the group primary or secondary key from the enrollment group.

+1. Use the Azure CLI to generate a device token from the group key:

+ ```azurecli

+ az iot central device compute-device-key --primary-key <enrollment group primary key> --device-id <device ID>

+ ```

+1. Use the generated device token when the device connects to your IoT Central application.

+> [!NOTE]

+> To use existing SAS keys in your enrollment groups, disable the **Auto generate keys** toggle and manually enter your SAS keys.

+## Individual enrollment

+Typically, devices connect by using credentials derived from an enrollment group X.509 certificate or SAS key. However, if your devices each have their own credentials, you can use individual enrollments. An individual enrollment is an entry for a single device that's allowed to connect. Individual enrollments can use either X.509 leaf certificates or SAS tokens (from a physical or virtual trusted platform module) as attestation mechanisms. For more information, see [DPS individual enrollment](../../iot-dps/concepts-service.md#individual-enrollment).

+> [!NOTE]

+> When you create an individual enrollment for a device, it takes precedence over the default enrollment group options in your IoT Central application.

+### Create individual enrollments

+IoT Central supports the following attestation mechanisms for individual enrollments:

+- **Symmetric key attestation:** Symmetric key attestation is a simple approach to authenticating a device with the DPS instance. To create an individual enrollment that uses symmetric keys, open the **Device connection** page for the device, select **Individual enrollment** as the authentication type, and **Shared access signature (SAS)** as the authentication method. Enter the base64 encoded primary and secondary keys, and save your changes. Use the **ID scope**, **Device ID**, and either the primary or secondary key to connect your device.

+ > [!TIP]

+ > For testing, you can use **OpenSSL** to generate base64 encoded keys: `openssl rand -base64 64`

+- **X.509 certificates:** To create an individual enrollment with X.509 certificates, open the **Device Connection** page, select **Individual enrollment** as the authentication type, and **Certificates (X.509)** as the authentication method. Device certificates used with an individual enrollment entry have a requirement that the issuer and subject CN are set to the device ID.

+ > [!TIP]

+ > For testing, you can use [Tools for the Azure IoT Device Provisioning Device SDK for Node.js](https://github.com/Azure/azure-iot-sdk-node/tree/main/provisioning/tools) to generate a self-signed certificate: `node create_test_cert.js device "mytestdevice"`

+- **Trusted Platform Module (TPM) attestation:** A [TPM](../../iot-dps/concepts-tpm-attestation.md) is a type of hardware security module. Using a TPM is one of the most secure ways to connect a device. This article assumes you're using a discrete, firmware, or integrated TPM. Software emulated TPMs are well suited for prototyping or testing, but they don't provide the same level of security as discrete, firmware, or integrated TPMs. Don't use software TPMs in production. To create an individual enrollment that uses a TPM, open the **Device Connection** page, select **Individual enrollment** as the authentication type, and **TPM** as the authentication method. Enter the TPM endorsement key and save the device connection information.

+## Automatically register devices

+This scenario enables OEMs to mass manufacture devices that can connect without first being registered in an application. An OEM generates suitable device credentials, and configures the devices in the factory.

+To automatically register devices that use X.509 certificates:

+1. Generate the leaf-certificates for your devices using the root or intermediate certificate you added to your [X.509 enrollment group](#x509-enrollment-group). Use the device IDs as the `CNAME` in the leaf certificates. A device ID can contain letters, numbers, and the `-` character.

+1. As an OEM, flash each device with a device ID, a generated X.509 leaf-certificate, and the application **ID scope** value. The device code should also send the model ID of the device model it implements.

+1. When you switch on a device, it first connects to DPS to retrieve its IoT Central connection information.

+1. The device uses the information from DPS to connect to, and register with, your IoT Central application.

+1. The IoT Central application uses the model ID sent by the device to [assign the registered device to a device template](concepts-device-templates.md#assign-a-device-to-a-device-template).

+To automatically register devices that use SAS tokens:

+1. Copy the group primary key from the **SAS-IoT-Devices** enrollment group:

+ :::image type="content" source="media/concepts-device-authentication/group-primary-key.png" alt-text="Group primary key from S A S - I o T - Devices enrollment group.":::

+1. Use the `az iot central device compute-device-key` command to generate the device SAS keys. Use the group primary key from the previous step. The device ID can contain letters, numbers, and the `-` character:

+ ```azurecli

+ az iot central device compute-device-key --primary-key <enrollment group primary key> --device-id <device ID>

+ ```

+1. As an OEM, flash each device with the device ID, the generated device SAS key, and the application **ID scope** value. The device code should also send the model ID of the device model it implements.

+1. When you switch on a device, it first connects to DPS to retrieve its IoT Central registration information.

+1. The device uses the information from DPS to connect to, and register with, your IoT Central application.

+1. The IoT Central application uses the model ID sent by the device to [assign the registered device to a device template](concepts-device-templates.md#assign-a-device-to-a-device-template).

+## Next steps

+Some suggested next steps are to:

+- Review [best practices](concepts-device-implementation.md#best-practices) for developing devices.

+- Review some sample code that shows how to use SAS tokens in [Tutorial: Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md)

+- Learn how to [How to connect devices with X.509 certificates using Node.js device SDK for IoT Central Application](how-to-connect-devices-x509.md)

+- Learn how to [Monitor device connectivity using Azure CLI](./howto-monitor-devices-azure-cli.md)

+- Read about [Azure IoT Edge devices and Azure IoT Central](./concepts-iot-edge.md)

+ Title: Device implementation in Azure IoT Central | Microsoft Docs

+description: This article introduces the key concepts and best practices for implementing a device that connects to your IoT Central application.

+# This article applies to device developers.

+# Device implementation and best practices for IoT central

+This article provides information about how to implement devices that connect to your IoT central application. It also includes some best practices. To learn more about the overall connection process, see [Connect a device](overview-iot-central-developer.md#how-devices-connect).

+For sample device implementation code, see [Tutorial: Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md).

+## Implement the device

+Devices that connect to IoT Central should follow the _IoT Plug and Play conventions_. One of these conventions is that a device should send the _model ID_ of the device model it implements when it connects. The model ID enables the IoT Central application to assign the device to the correct device template.

+An IoT Central device template includes a _model_ that specifies the behaviors a device of that type should implement. Behaviors include telemetry, properties, and commands.

+Each model has a unique _device twin model identifier_ (DTMI), such as `dtmi:com:example:Thermostat;1`. When a device connects to IoT Central, it sends the DTMI of the model it implements. IoT Central can then assign the correct device template to the device.

+[IoT Plug and Play](../../iot-develop/overview-iot-plug-and-play.md) defines a set of [conventions](../../iot-develop/concepts-convention.md) that a device should follow when it implements a DTDL model.

+The [Azure IoT device SDKs](#device-sdks) include support for the IoT Plug and Play conventions.

+### Device model

+A device model is defined by using the [DTDL](https://github.com/Azure/opendigitaltwins-dtdl) modeling language. This language lets you define:

+- The telemetry the device sends. The definition includes the name and data type of the telemetry. For example, a device sends temperature telemetry as a double.

+- The properties the device reports to IoT Central. A property definition includes its name and data type. For example, a device reports the state of a valve as a Boolean.

+- The properties the device can receive from IoT Central. Optionally, you can mark a property as writable. For example, IoT Central sends a target temperature as a double to a device.

+- The commands a device responds to. The definition includes the name of the command, and the names and data types of any parameters. For example, a device responds to a reboot command that specifies how many seconds to wait before rebooting.

+A DTDL model can be a _no-component_ or a _multi-component_ model:

+- No-component model: A simple model doesn't use embedded or cascaded components. All the telemetry, properties, and commands are defined a single _root component_. For an example, see the [Thermostat](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/samples/Thermostat.json) model.

+- Multi-component model. A more complex model that includes two or more components. These components include a single root component, and one or more nested components. For an example, see the [Temperature Controller](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/samples/TemperatureController.json) model.

+> [!TIP]

+> You can export the model from an IoT Central device template as a [Digital Twins Definition Language (DTDL) v2](https://github.com/Azure/opendigitaltwins-dtdl) JSON file.

+To learn more, see [IoT Plug and Play modeling guide](../../iot-develop/concepts-modeling-guide.md)

+### Conventions

+A device should follow the IoT Plug and Play conventions when it exchanges data with IoT Central. The conventions include:

+- Send the DTMI when it connects to IoT Central.

+- Send correctly formatted JSON payloads and metadata to IoT Central.

+- Correctly respond to writable properties and commands from IoT Central.

+- Follow the naming conventions for component commands.

+> [!NOTE]

+> Currently, IoT Central does not fully support the DTDL **Array** and **Geospatial** data types.

+To learn more about the format of the JSON messages that a device exchanges with IoT Central, see [Telemetry, property, and command payloads](concepts-telemetry-properties-commands.md).

+To learn more about the IoT Plug and Play conventions, see [IoT Plug and Play conventions](../../iot-develop/concepts-convention.md).

+### Device SDKs

+Use one of the [Azure IoT device SDKs](../../iot-hub/iot-hub-devguide-sdks.md#azure-iot-hub-device-sdks) to implement the behavior of your device. The code should:

+- Register the device with DPS and use the information from DPS to connect to the internal IoT hub in your IoT Central application.

+- Announce the DTMI of the model the device implements.

+- Send telemetry in the format that the device model specifies. IoT Central uses the model in the device template to determine how to use the telemetry for visualizations and analysis.

+- Synchronize property values between the device and IoT Central. The model specifies the property names and data types so that IoT Central can display the information.

+- Implement command handlers for the commands specified in the model. The model specifies the command names and parameters that the device should use.

+For more information about the role of device templates, see [What are device templates?](./concepts-device-templates.md).

+The following table summarizes how Azure IoT Central device features map on to IoT Hub features:

+| Azure IoT Central | Azure IoT Hub |

+| -- | - |

+| Telemetry | [Device-to-cloud messaging](../../iot-hub/iot-hub-devguide-messages-d2c.md) |

+| Offline commands | [Cloud-to-device messaging](../../iot-hub/iot-hub-devguide-messages-c2d.md) |

+| Property | [Device twin reported properties](../../iot-hub/iot-hub-devguide-device-twins.md) |

+| Property (writable) | [Device twin desired and reported properties](../../iot-hub/iot-hub-devguide-device-twins.md) |

+| Command | [Direct methods](../../iot-hub/iot-hub-devguide-direct-methods.md) |

+### Communication protocols

+Communication protocols that a device can use to connect to IoT Central include MQTT, AMQP, and HTTPS. Internally, IoT Central uses an IoT hub to enable device connectivity. For more information about the communication protocols that IoT Hub supports for device connectivity, see [Choose a communication protocol](../../iot-hub/iot-hub-devguide-protocols.md).

+If your device can't use any of the supported protocols, use Azure IoT Edge to do protocol conversion. IoT Edge supports other intelligence-on-the-edge scenarios to offload processing from the Azure IoT Central application.

+## Best practices

+These recommendations show how to implement devices to take advantage of the [built-in high availability, disaster recovery, and automatic scaling](concepts-faq-scalability-availability.md) in IoT Central.

+### Handle connection failures

+For scaling or disaster recovery purposes, IoT Central may update its underlying IoT hubs. To maintain connectivity, your device code should handle specific connection errors by establishing a connection to a new IoT Hub endpoint.

+If the device gets any of the following errors when it connects, it should reprovision the device with DPS to get a new connection string. These errors mean the connection string is no longer valid:

+- Unreachable IoT Hub endpoint.

+- Expired security token.

+- Device disabled in IoT Hub.

+If the device gets any of the following errors when it connects, it should use a back-off strategy to retry the connection. These errors mean the connection string is still valid, but transient conditions are stopping the device from connecting:

+- Operator blocked device.

+- Internal error 500 from the service.

+To learn more about device error codes, see [Troubleshooting device connections](troubleshoot-connection.md).

+### Test failover capabilities

+The Azure CLI lets you test the failover capabilities of your device code. The CLI command works by temporarily switching a device registration to a different internal IoT hub. To verify the device failover worked, check that the device still sends telemetry and responds to commands.

+To run the failover test for your device, run the following command:

+```azurecli

+az iot central device manual-failover \

+ --app-id {Application ID of your IoT Central application} \

+ --device-id {Device ID of the device you're testing} \

+ --ttl-minutes {How to wait before moving the device back to it's original IoT hub}

+```

+> [!TIP]

+> To find the **Application ID**, navigate to **Application > Management** in your IoT Central application.

+If the command succeeds, you see output that looks like the following:

+```output

+Command group 'iot central device' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

+{

+ "hubIdentifier": "6bd4...bafa",

+ "message": "Success! This device is now being failed over. You can check your device'ΓÇÖ's status using 'iot central device registration-info' command. The device will revert to its original hub at Tue, 18 May 2021 11:03:45 GMT. You can choose to failback earlier using device-manual-failback command. Learn more: https://aka.ms/iotc-device-test"

+}

+```

+To learn more about the CLI command, see [az iot central device manual-failover](/cli/azure/iot/central/device#az_iot_central_device_manual_failover).

+You can now check that telemetry from the device still reaches your IoT Central application.

+> [!TIP]

+> To see sample device code that handles failovers in various programing languages, see [IoT Central high availability clients](/samples/azure-samples/iot-central-high-availability-clients/iotc-high-availability-clients/).

+## Next steps

+Some suggested next steps are to:

+- Complete the tutorial [Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md)

+- Review [Device authentication concepts in IoT Central](concepts-device-authentication.md)

+- Learn how to [Monitor device connectivity using Azure CLI](./howto-monitor-devices-azure-cli.md)

+- Read about [Azure IoT Edge devices and Azure IoT Central](./concepts-iot-edge.md)

+- _A device model_. This part of the device template defines how the device interacts with your application. Every device model has a unique ID. A device developer implements the behaviors defined in the model.

+ - _Root component_. Every device model has a root component. The root component's interface describes capabilities that are specific to the device model.

+ - _Components_. A device model may include components in addition to the root component to describe device capabilities. Each component has an interface that describes the component's capabilities. Component interfaces may be reused in other device models. For example, several phone device models could use the same camera interface.

+ - _Inherited interfaces_. A device model contains one or more interfaces that extend the capabilities of the root component.

+## Assign a device to a device template

+For a device to interact with IoT Central, it must be assigned to a device template. This assignment is done in one of four ways:

+- When you register a device on the **Devices** page, you can identify the template the device should use.

+- When you bulk import a list of devices, you can choose the device template all the devices on the list should use.

+- You can manually assign an unassigned device to a device template after it connects.

+- You can automatically assign a device to a device template by sending a model ID when the device first connects to your application.

+### Automatic assignment

+IoT Central can automatically assign a device to a device template when the device connects. A device should send a [model ID](../../iot-fundamentals/iot-glossary.md?toc=/azure/iot-central/toc.json&bc=/azure/iot-central/breadcrumb/toc.json#model-id) when it connects. IoT Central uses the model ID to identify the device template for that specific device model. The discovery process works as follows:

+1. If the device template is already published in the IoT Central application, the device is assigned to the device template.

+1. If the device template isn't already published in the IoT Central application, IoT Central looks for the device model in the [public model repository](https://github.com/Azure/iot-plugandplay-models). If IoT Central finds the model, it uses it to generate a basic device template.

+1. If IoT Central doesn't find the model in the public model repository, the device is marked as **Unassigned**. An operator can either create a device template for the device and then migrate the unassigned device to the new device template, or [autogenerate a device template](howto-set-up-template.md#autogenerate-a-device-template) based on the data the device sends.

+The following screenshot shows you how to view the model ID of a device template in IoT Central. In a device template, select a component, and then select **Edit identity**:

+You can view the [thermostat model](https://github.com/Azure/iot-plugandplay-models/blob/main/dtmi/com/example/thermostat-1.json) in the public model repository. The model ID definition looks like:

+```json

+"@id": "dtmi:com:example:Thermostat;1"

+```

+Use the following DPS payload to assign the device to a device template:

+```json

+{

+ "modelId":"dtmi:com:example:TemperatureController;2"

+}

+```

+To lean more about the DPS payload, see the sample code used in the [Tutorial: Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md).

+

+To learn more about registration and provisioning in IoT Central, see [IoT Central device connectivity guide](overview-iot-central-developer.md#how-devices-connect).

+To learn more about how device firmware should handle connection errors and connect to a different hub, see [Best practices](concepts-device-implementation.md#best-practices).

+To learn more about how to verify your device firmware can handle connection failures, see [Test failover capabilities](concepts-device-implementation.md#test-failover-capabilities).

+IoT Edge devices can use *shared access signature* tokens or X.509 certificates to authenticate with IoT Central. You can manually register your IoT Edge devices in IoT Central before they connect for the first time, or use the Device Provisioning Service to handle the registration. To learn more, see [How devices connect](overview-iot-central-developer.md#how-devices-connect).

+Now that you've learned about device templates, a suggested next steps is to read [IoT Central device connectivity guide](overview-iot-central-developer.md) to learn more about how to register devices with IoT Central and how IoT Central secures device connections.

+IoT Central supports both shared access signatures (SAS) and X.509 certificates to secure the communication between a device and your application. The [Create and connect a client application to your Azure IoT Central application](./tutorial-connect-device.md) tutorial uses SAS. In this article, you learn how to modify the code sample to use X.509 certificates. X.509 certificates are recommended in production environments. For more information, see [Device authentication concepts](concepts-device-authentication.md).

+description: Deploy the IoT Central device bridge to connect other IoT clouds to your IoT Central app. Examples of other IoT clouds include Sigfox, Particle Device Cloud, and The Things Network.

+If your IoT Central application recognizes the device ID in the forwarded message, the telemetry from the device appears in IoT Central. If the device ID isn't recognized by your IoT Central application, the function app attempts to register a new device with the device ID. The new device appears as an **Unassigned** device on the **Devices** page in your IoT Central application. From the **Devices** page, you can assign the new device to a device template and then view the telemetry.

+You can include a `modelId` field in the body. Use this field to assign the device to a device template during provisioning. This functionality is only supported by [V3 applications](howto-faq.yml#how-do-i-get-information-about-my-application-).

+If you don't include the `modelId` field, or if IoT Central doesn't recognize the model ID, then a message with an unrecognized `deviceId` creates a new _unassigned device_ in IoT Central. An operator can manually migrate the device to the correct device template. To learn more, see [Manage devices in your Azure IoT Central application > Migrating devices to a template](howto-manage-devices-individually.md).

+In [V2 applications](howto-faq.yml#how-do-i-get-information-about-my-application-), the new device appears an unassigned device on the **Devices** page. Select **Assign template** and choose a device template to start receiving incoming telemetry from the device.

+> Until the device is assigned to a template, all HTTP calls to the function return a 403 error status.

+The function app runs on a [consumption plan](https://azure.microsoft.com/pricing/details/functions/). While this option doesn't offer dedicated compute resources, it enables the device bridge to handle hundreds of device messages per minute, suitable for smaller fleets of devices or devices that send messages less frequently. If your application depends on streaming a large number of device messages, replace the consumption plan with a dedicated [App service plan](https://azure.microsoft.com/pricing/details/app-service/windows/). This plan offers dedicated compute resources, which give faster server response times. Using a standard App Service Plan, the maximum observed performance of the function from Azure in this repository was around 1,500 device messages per minute. To learn more, see [Azure Functions hosting options](../../azure-functions/functions-scale.md).

+Paste in the **function URL** from your function app, and you see Particle devices appear as unassigned devices in IoT Central. To learn more, see the [Here's how to integrate your Particle-powered projects with Azure IoT Central](https://blog.particle.io/2019/09/26/integrate-particle-with-azure-iot-central/) blog post.

+- Read about [How devices connect](overview-iot-central-developer.md#how-devices-connect)

+- [How devices connect](overview-iot-central-developer.md#how-devices-connect)

+- `templateId`: The ID of the device template assigned to the device.

+- `templateId`: The ID of the device template assigned to the device.

+- `templateId`: The ID of the device template assigned to the device.

+- `templateId`: The ID of the device template assigned to the device.

+- `templateId`: The ID of the device template assigned to the device.

+To register a large number of devices to your application, you can bulk import devices from a CSV file. You can find an example CSV file in the [Azure Samples repository](https://github.com/Azure-Samples/iot-central-docs-samples/tree/master/bulk-upload-devices). The CSV file should include the following column headers:

+If your devices use SAS tokens to authenticate, [export a CSV file from your IoT Central application](#export-devices). The exported CSV file includes the device IDs and the SAS keys.

+If your devices use X.509 certificates to authenticate, generate X.509 leaf certificates for your devices using the root or intermediate certificate in your X.509 enrollment group. Use the device IDs you imported as the `CNAME` value in the leaf certificates.

+For more information about connecting real devices to your IoT Central application, see [How devices connect](overview-iot-central-developer.md#how-devices-connect).

+description: Learn how to manage devices individually in your Azure IoT Central application. Monitor, manage, create, delete, and update devices.

+## Monitor your devices

+USe the **Devices** page to monitor and manage your devices

+### Device status values

+When a device connects to your IoT Central application, its device status changes as follows:

+1. The device status is first **Registered**. This status means the device is created in IoT Central, and has a device ID. A device is registered when:

+ - A new real device is added on the **Devices** page.

+ - A set of devices is added using **Import** on the **Devices** page.

+1. The device status changes to **Provisioned** when the device that connected to your IoT Central application with valid credentials completes the provisioning step. In this step, the device uses DPS to automatically retrieve a connection string from the IoT Hub used by your IoT Central application. The device can now connect to IoT Central and start sending data.

+1. An operator can block a device. When a device is blocked, it can't send data to your IoT Central application. Blocked devices have a status of **Blocked**. An operator must reset the device before it can resume sending data. When an operator unblocks a device the status returns to its previous value, **Registered** or **Provisioned**.

+1. If the device status is **Waiting for Approval**, it means the **Auto approve** option is disabled. An operator must explicitly approve a device before it starts sending data. Devices not registered manually on the **Devices** page, but connected with valid credentials will have the device status **Waiting for Approval**. Operators can approve these devices from the **Devices** page using the **Approve** button.

+1. If the device status is **Unassigned**, it means the device connecting to IoT Central isn't assigned to a device template. This situation typically happens in the following scenarios:

+ - A set of devices is added using **Import** on the **Devices** page without specifying the device template.

+ - A device was registered manually on the **Devices** page without specifying the device template. The device then connected with valid credentials.

+ An operator can assign a device to a device template from the **Devices** page using the **Migrate** button.

+### Device connection status

+When a device or edge device connects using the MQTT protocol, _connected_ and _disconnected_ events for the device are generated. These events are not sent by the device, they are generated internally by IoT Central.

+The following diagram shows how, when a device connects, the connection is registered at the end of a time window. If multiple connection and disconnection events occur, IoT Central registers the one that's closest to the end of the time window. For example, if a device disconnects and reconnects within the time window, IoT Central registers the connection event. Currently, the time window is approximately one minute.

+Watch the following video to learn more about how to monitor device connection status:

+> [!VIDEO https://www.youtube.com/embed/EUZH_6Ihtto]

+You can include connection and disconnection events in [exports from IoT Central](howto-export-data.md#set-up-a-data-export). To learn more, see [React to IoT Hub events > Limitations for device connected and device disconnected events](../../iot-hub/iot-hub-event-grid.md#limitations-for-device-connected-and-device-disconnected-events).

+If you register devices by starting the import under **All devices**, then the devices are created without any device template association. Devices must be assigned to a template to explore the data and other details about the device. Follow these steps to assign devices to a template:

+ :::image type="content" source="media/howto-manage-devices-individually/unassociated-devices-1.png" alt-text="Screenshot showing unassigned devices.":::

+1. Use the filter on the grid to determine if the value in the **Device Template** column is **Unassigned** for any of your devices.

+1. Select the devices you want to assign to a template:

+ :::image type="content" source="media/howto-manage-devices-individually/unassociated-devices-2.png" alt-text="Screenshot showing how to assign a device.":::

+1. The selected devices are assigned to the device template you chose.

+- [X.509 group enrollment](concepts-device-authentication.md#x509-enrollment-group)

+- [SAS group enrollment](concepts-device-authentication.md#sas-enrollment-group)

+description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions. This guide describes how IoT devices connect to your IoT Central application. After a device connects, it uses telemetry to send streaming data and properties to report device state. Iot Central can set device state using writable properties and call commands on a device.

+## How devices connect

+As you connect a device to IoT Central, it goes through the following stages: _registered_, _provisioned_, and _connected_.

+To learn how to monitor the status of a device, see [Monitor your devices](howto-manage-devices-individually.md#monitor-your-devices).

+### Register a device

+When you register a device with IoT Central, you're telling IoT Central the ID of a device that you want to connect to the application. Optionally at this stage, you can assign the device to a [device template](concepts-device-templates.md) that declares the capabilities of the device to your application.

+> [!TIP]

+> A device ID can contain letters, numbers, and the `-` character.

+There are three ways to register a device in an IoT Central application:

+- Use the **Devices** page in your IoT Central application to register devices individually. To learn more, see [Add a device](howto-manage-devices-individually.md#add-a-device).

+- Add devices in bulk from a CSV file. To learn more, see [Import devices](howto-manage-devices-in-bulk.md#import-devices).

+- Automatically register devices when they first try to connect. This scenario enables OEMs to mass manufacture devices that can connect without first being registered. To learn more, see [Automatically register devices](concepts-device-authentication.md#automatically-register-devices).

+ Optionally, you can require an operator to approve the device before it starts sending data.

+ > [!TIP]

+ > On the **Administration > Device connection** page, the **Auto approve** option controls whether an operator must manually approve the device before it can start sending data.

+You only need to register a device once in your IoT Central application.

+### Provision a device

+When a device first tries to connect to your IoT Central application, it starts the process by connecting to the Device Provisioning Service (DPS). DPS checks the device's credentials and, if they're valid, provisions the device with connection string for one of IoT Central's internal IoT hubs. DPS uses the _group enrollment_ configurations in your IoT Central application to manage this provisioning process for you.

+> [!TIP]

+> The device also sends the **ID scope** value that tells DPS which IoT Central application the device is connecting to. You can look up the **ID scope** in your IoT Central application on the **Permissions > Device connection groups** page.

+Typically, a device should cache the connection string it receives from DPS but should be prepared to retrieve new connection details if the current connection fails. To learn more, see [Handle connect failures](concepts-device-implementation.md#handle-connection-failures).

+- IoT Central to onboard and connect devices at scale.

+### Authenticate and connect device

+A device uses its credentials and the connection string it received from DPS to connect to and authenticate with your IoT Central application. A device should also send a [model ID that identifies the device template it's assigned to](concepts-device-templates.md#assign-a-device-to-a-device-template).

+IoT Central supports two types of device credential:

+- Shared access signatures

+- X.509 certificates

+To learn more, see [Device authentication concepts](concepts-device-authentication.md).

+All data exchanged between devices and your Azure IoT Central is encrypted. IoT Hub authenticates every request from a device that connects to any of the device-facing IoT Hub endpoints. To avoid exchanging credentials over the wire, a device uses signed tokens to authenticate. For more information, see, [Control access to IoT Hub](../../iot-hub/iot-hub-devguide-security.md).

+## Connectivity patterns

+Device developers typically use one of the device SDKs to implement devices that connect to an IoT Central application. Some scenarios, such as for devices that can't connect to the internet, also require a gateway.

+Persistent connections are required your solution needs _command and control_ capabilities. In command and control scenarios, the IoT Central application sends commands to devices to control their behavior in near real time. Persistent connections maintain a network connection to the cloud and reconnect whenever there's a disruption. Use either the MQTT or the AMQP protocol for persistent device connections to IoT Central.

+ The device SDKs enable both the MQTT and AMQP protocols for creating persistent connections to IoT Central.

+If you want to learn more about device implementation, see [Device implementation and best practices for IoT central](concepts-device-implementation.md).

+ - When a device connects to an IoT Central, the device is assigned to a device template for the device type. A device template has customizable views that an operator uses to manage individual devices. You can create and customize the available views for each device type. To learn more, see [Add views](howto-set-up-template.md#views).

+| Blocked | The device is blocked from connecting to IoT Central. | Device is blocked from connecting to the IoT Central application. Unblock the device in IoT Central and retry. To learn more, see [Device status values](howto-manage-devices-individually.md#device-status-values). |

+| Unapproved | The device is not approved. | Device isn't approved to connect to the IoT Central application. Approve the device in IoT Central and retry. To learn more, see [Device status values](howto-manage-devices-individually.md#device-status-values) |

+| Unassigned | The device is not assigned to a device template. | Assign the device to a device template so that IoT Central knows how to parse the data. |

+Learn more about [Device status values](howto-manage-devices-individually.md#device-status-values).

+1. Select the **Sensor Controller** device template. By default, the rule automatically applies to all the devices assigned to the device template. To filter for a subset of the devices, select **+ Filter** and use device properties to identify the devices. To disable the rule, toggle the **Enabled/Disabled** button:

+When you connect a downstream device, you can modify the provisioning payload to include the the ID of the gateway device. The model ID lets IoT Central assign the device to the correct downstream device template. The gateway ID lets IoT Central establish the relationship between the downstream device and its gateway. In this case the provisioning payload the device sends looks like the following JSON:

+* [How devices connect to IoT Central](../iot-central/core/overview-iot-central-developer.md)

+- C#, including Azure Functions: [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download/dotnet/3.1)

+To learn more about how devices connect to IoT Central, see [How devices connect](../iot-central/core/overview-iot-central-developer.md).

+- [Supported aggregations](#supported-aggregations)

+- [Cloud to device command metrics](#cloud-to-device-command-metrics)

+- [Cloud to device direct methods metrics](#cloud-to-device-direct-methods-metrics)

+- [Cloud to device twin operations metrics](#cloud-to-device-twin-operations-metrics)

+- [Configurations metrics](#configurations-metrics)

+- [Daily quota metrics](#daily-quota-metrics)

+- [Device metrics](#device-metrics)

+- [Device telemetry metrics](#device-telemetry-metrics)

+- [Device to cloud twin operations metrics](#device-to-cloud-twin-operations-metrics)

+- [Event grid metrics](#event-grid-metrics)

+- [Jobs metrics](#jobs-metrics)

+- [Routing metrics](#routing-metrics)

+- [Twin query metrics](#twin-query-metrics)

+This section lists all the resource log category types and schemas collected for Azure IoT Hub. The resource provider and type for all IoT Hub logs is [Microsoft.Devices/IotHubs](../azure-monitor/essentials/resource-logs-categories.md#microsoftdevicesiothubs). Be aware that events are emitted only for errors in some categories.

+- [Connections](#connections)

+- [Device telemetry](#device-telemetry)

+- [Cloud-to-device commands](#cloud-to-device-commands)

+- [Device identity operations](#device-identity-operations)

+- [File upload operations](#file-upload-operations)

+- [Routes](#routes)

+- [Device-to-cloud twin operations](#device-to-cloud-twin-operations)

+- [Cloud-to-device twin operations](#cloud-to-device-twin-operations)

+- [Twin queries](#twin-queries)

+- [Jobs operations](#jobs-operations)

+- [Direct Methods](#direct-methods)

+- [Distributed Tracing (Preview)](#distributed-tracing-preview)

+ - [IoT Hub D2C (device-to-cloud) logs](#iot-hub-d2c-device-to-cloud-logs)

+ - [IoT Hub ingress logs](#iot-hub-ingress-logs)

+ - [IoT Hub egress logs](#iot-hub-egress-logs)

+- [Configurations](#configurations)

+- [Device Streams (Preview)](#device-streams-preview)

+See [Create diagnostic setting to collect platform logs and metrics in Azure](../azure-monitor/essentials/diagnostic-settings.md) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure IoT Hub are listed under [Resource logs in the Monitoring Azure IoT Hub data reference](monitor-iot-hub-reference.md#resource-logs). Be aware that events are emitted only for errors in some categories.

+All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](../azure-monitor/essentials/resource-logs-schema.md#top-level-common-schema). You can find the schema and categories of resource logs collected for Azure IoT Hub in [Resource logs in the Monitoring Azure IoT Hub data reference](monitor-iot-hub-reference.md#resource-logs). Be aware that events are emitted only for errors in some categories.

+Azure Load Balancer uses health probes to monitor the health of backend instances. In this article, you'll learn how to manage health probes for Azure Load Balancer.

+- [Azure Load Balancer health probes](load-balancer-custom-probe-overview.md)

+You can start your logic app workflow by using the [Recurrence trigger](../connectors/connectors-native-recurrence.md) or [Sliding Window trigger](../connectors/connectors-native-sliding-window.md), which isn't associated with any specific service or system. These triggers start and run your workflow based on your specified recurrence where you select the interval and frequency, such as the number of seconds, minutes, hours, days, weeks, or months. You can also set the start date and time along with the time zone. Each time that a trigger fires, Azure Logic Apps creates and runs a new workflow instance for your logic app.

+ If you select **Day** as the frequency, you can specify the hours of the day and minutes of the hour, for example, every day at 2:30. If you select **Week** as the frequency, you can also select days of the week, such as Wednesday and Saturday. You can also specify a start date and time along with a time zone for your recurrence schedule. For more information about time zone formatting, see [Add a Recurrence trigger](../connectors/connectors-native-recurrence.md#add-the-recurrence-trigger).

+ "name": "[concat('<connection-name>','/','<object-ID>')]",

+## March 9, 2022

+[Data Science Virtual Machine - Windows 2019](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.dsvm-win-2019?tab=Overview)

+Version: 21.12.03

+Windows 2019 DSVM will now be supported under publisher: microsoft-dsvm, offer ID: dsvm-win-2019, plan ID/SKU ID: winserver-2019

+

+Users using ARM template / VMSS to deploy the Windows DSVM machines, should configure the SKU with winserver-2019 instead of server-2019, since we will continue to ship updates to Windows DSVM images on the new SKU from March, 2022.

+Media Reserved Units (MRUs) were previously used in Azure Media Services v2 to control encoding concurrency and performance. You no longer need to manage MRUs or request quota increases for any media services account as the system will automatically scale up and down based on load. You'll also see performance that is equal to or improved in comparison to using MRUs.

+If you have an account that was created using a version prior to the 2020-05-01 API, you'll still have access to APIs for managing MRUs, however none of the MRU configuration that you set will be used to control encoding concurrency or performance. If you donΓÇÖt see the option to manage MRUs in the Azure portal, you have an account that was created with the 2020-05-01 API or later.

+While there were previously charges for Media Reserved Units, as of April 17, 2021 there are no longer any charges for accounts that have configuration for Media Reserved Units. For more information on billing for encoding jobs, see [Encoding video and audio with Media Services](encoding-concept.md)

+For accounts created in with the **2020-05-01** version of the API, that is, the v3 version, or through the Azure portal, scaling and media reserved units are no longer required. Scaling is now automatically handled by the service internally. Media reserved units are no longer needed or supported for any Azure Media Services account. See [Media reserved units (legacy)](concept-media-reserved-units.md) for additional information.

+* [Scale Media Reserved Units with CLI](media-reserved-units-how-to.md)

+- [Encode with a custom Transform - .NET](transform-custom-transform-how-to.md)

+- [Get a signing key from the existing policy - .NET](drm-get-content-key-policy-how-to.md)

+ Title: Add an option to a content key policy

+description: This article shows how to add an option to a content key policy.

+# Add an option to a content key policy

+## Methods

+Use the following methods to add an option to a content key policy.

+## [CLI](#tab/cli/)

+To get to the key, use `GetPolicyPropertiesWithSecretsAsync`, as shown in the [Get a signing key from the existing policy](drm-get-content-key-policy-how-to.md#get-contentkeypolicy-with-secrets) example.

+ Title: Create a content key policy

+description: This article shows how to create a content key policy.

+# Create a content key policy

+## Methods

+Use the following methods to create a content key policy.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+ Title: Delete a content key policy

+description: This article shows how to delete a content key policy.

+# Delete a content key policy

+## Methods

+Use the following methods to delete a content key policy.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+ Title: Get a signing key from a policy

+description: This topic shows how to get a signing key from the existing policy using Media Services v3.

+# Get a signing key from the existing policy

+One of the key design principles of the v3 API is to make the API more secure. v3 APIs do not return secrets or credentials on **Get** or **List** operations. See the detailed explanation here: For more information, see [Azure RBAC and Media Services accounts](security-rbac-concept.md)

+The example in this article shows how to get a signing key from the existing policy.

+## Download

+Clone a GitHub repository that contains the full .NET sample to your machine using the following command:

+ ```bash

+ git clone https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials.git

+ ```

+

+The ContentKeyPolicy with secrets example is located in the [EncryptWithDRM](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/tree/main/AMSV3Tutorials/EncryptWithDRM) folder.

+## [.NET](#tab/net/)

+## Get ContentKeyPolicy with secrets

+To get to the key, use **GetPolicyPropertiesWithSecretsAsync**, as shown in the example below.

+[!code-csharp[Main](../../../media-services-v3-dotnet-tutorials/AMSV3Tutorials/EncryptWithDRM/Program.cs#GetOrCreateContentKeyPolicy)]

+ Title: List the content key policies

+description: This article shows how to list the content key policies.

+# List the content key policies

+## Methods

+Use the following methods to list the content key policies.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+## [.NET](#tab/net/)

+## [.NET](#tab/net/)

+## [.NET](#tab/net/)

+ Title: Remove an option from a content key policy

+description: This article shows how to remove an option from a content key policy.

+# Remove an option from a content key policy

+## Methods

+Use the following methods to remove an option from a content key policy.

+## [CLI](#tab/cli/)

+ Title: Show an existing content key policy

+description: This article shows how to show an existing content key policy.

+# Show an existing content key policy

+## Methods

+Use the following methods to show an existing content key policy.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+ Title: Update an existing content key policy

+description: This article shows how to update an existing content key policy.

+# Update an existing content key policy

+## Methods

+Use the following methods to update an existing content key policy.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+ Title: Update an option in a content key policy

+description: This article shows how to update an option in a content key policy.

+# Update an option in a content key policy

+## Methods

+Use the following methods to update an option in a content key policy.

+## [CLI](#tab/cli/)

+This can be useful for situations where you need to override some properties of your custom defined transforms, or a property on a built-in preset. For example, consider the scenario where you have created a custom transform that uses the [audio analyzer built-in preset](/rest/api/media/transforms/create-or-update#audioanalyzerpreset), but you initially set up that preset to use the audio language setting of "en-us" for English. This would result in a transform where each job submitted would be sent to the speech-to-text transcription engine as US English only. Every job submitted to that transform would be locked to the "en-us" language setting. You could work around this scenario by having a transform defined for every language, but that would be much more difficult to manage and you could hit transform quota limitations in your account.

+A complete example using the .NET SDK for Media Services showing how to use preset override with a basic audio analyzer transform is available in GitHub.

+* [Build a custom preset to target your specific scenario or device requirements](transform-custom-transform-how-to.md).

+You can get started quickly with one of the recommended built-in presets based on industry best practices or you can choose to build a custom preset to target your specific scenario or device requirements. For more information, see [Encode with a custom Transform](transform-custom-transform-how-to.md).

+* [Subclip a video with .NET](transform-subclip-video-how-to.md)

+- [Customize presets with .NET](transform-custom-transform-how-to.md)

+To scale media processing, see [Scale with CLI](media-reserved-units-how-to.md).

+* You can deliver content with or without encryption and DRM using the same MP4 files in storage

+* [Build a custom preset to target your specific scenario or device requirements](transform-custom-transform-how-to.md).

+This article contains a list of the most common import and export file formats that you can use with [StandardEncoderPreset](/rest/api/medi).

+ Title: Cancel a job

+description: This article shows how to cancel a job.

+# Cancel a job

+## Methods

+Use the following methods to cancel a job.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+# Create a job

+## [Portal](#tab/portal/)

+## [REST](#tab/rest/)

+ Title: Delete a job

+description: This article shows how to delete a job.

+# Delete a job

+## Methods

+Use the following methods to delete a job.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+## Methods

+## [.NET](#tab/net/)

+## Code sample

+See the full code sample: [EncodingWithMESPredefinedPreset](https://github.com/Azure-Samples/media-services-v3-dotnet/blob/main/VideoEncoding/Encoding_PredefinedPreset/Program.cs)

+## Methods

+## [.NET](#tab/net/)

+## [.NET](#tab/net/)

+ Title: List jobs

+description: This article shows how to list jobs.

+# List jobs

+## Methods

+Use the following methods to list jobs.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+## [.NET](#tab/net/)

+ Title: Show or get a job

+description: This article shows how to show or get a job.

+# Show the details of a job

+## Methods

+Use the following methods to show or get a job.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+ Title: Update a job

+description: This article shows how to update a job.

+# Update a job

+## Methods

+Use the following methods to update a job.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+* [Subclip your videos](transform-subclip-video-how-to.md).

+ Title: Scale Media Reserved Units (MRUs)

+description: This topic shows how to use to scale media processing with Azure Media Services.

+# How to scale media reserved units (legacy)

+This article shows you how to scale Media Reserved Units (MRUs) for faster encoding.

+> [!WARNING]

+> This command will no longer work for Media Services accounts that are created with the 2020-05-01 (or later) version of the API or later. For these accounts media reserved units are no longer needed as the system will automatically scale up and down based on load. If you donΓÇÖt see the option to manage MRUs in the Azure portal, youΓÇÖre using an account that was created with the 2020-05-01 API or later.

+> The purpose of this article is to document the legacy process of using MRUs

+## Prerequisites

+[Create a Media Services account](./account-create-how-to.md).

+Understand [Media Reserved Units](concept-media-reserved-units.md).

+## [CLI](#tab/cli/)

+## Scale Media Reserved Units with CLI

+Run the `mru` command.

+The following [az ams account mru](/cli/azure/ams/account/mru) command sets Media Reserved Units on the "amsaccount" account using the **count** and **type** parameters.

+```azurecli

+az ams account mru set -n amsaccount -g amsResourceGroup --count 10 --type S3

+```

+## Billing

+ While there were previously charges for Media Reserved Units, as of April 17, 2021 there are no longer any charges for accounts that have configuration for Media Reserved Units.

+## See also

+* [Migrate from Media Services v2 to v3](migrate-v-2-v-3-migration-introduction.md)

+* [How to encode with a custom transform - CLI](transform-custom-transform-how-to.md)

+- [Get a signing key from the existing policy](drm-get-content-key-policy-how-to.md)

+- [How to encode with a custom transform](transform-custom-transform-how-to.md)

+- [How to create an overlay with Media Encoder Standard](transform-create-overlay-how-to.md)

+- [How to generate thumbnails using Encoder Standard](transform-generate-thumbnails-dotnet-how-to.md)

+- [Subclip a video when encoding with Media Services - REST](transform-subclip-video-how-to.md)

+For more information about MRUs, see [Media Reserved Units](concept-media-reserved-units.md) and [How to scale media reserved units](media-reserved-units-how-to.md).

+[How to scale media reserved units](media-reserved-units-how-to.md)

+The Audio Analysis preset now includes a Basic mode pricing tier. The new Basic Audio Analyzer mode provides a low-cost option to extract speech transcription, and format output captions and subtitles. This mode performs speech-to-text transcription and generation of a VTT subtitle/caption file. The output of this mode includes an Insights JSON file including only the keywords, transcription, and timing information. Automatic language detection and speaker diarization are not included in this mode. See the list of [supported languages.](analyze-video-audio-files-concept.md#built-in-presets)

+* [Subclip a video with REST](transform-subclip-video-how-to.md)

+- [az ams account mru](/cli/azure/ams/account/mru) - enables you to manage Media Reserved Units. For more information, see [Scale Media Reserved Units](media-reserved-units-how-to.md).

+- Specify your own container names for Assets.

+- [Get content key policy using Media Services .NET](drm-get-content-key-policy-how-to.md)

+## [.NET](#tab/net/)

+## Create an input asset and upload a local file into it

+You can use a built-in EncoderNamedPreset or use custom presets. For more information, see [How to customize encoder presets](transform-custom-transform-how-to.md).

+## [REST](#tab/rest/)

+This transform allows you to have input video/input audio streams copied from the input asset to the output asset without any changes. This can be of value with multi bitrate encoding output where the input video and/or audio would be part of the output. It simply writes the manifest and other files needed to stream content.

+## [REST](#tab/rest/)

+description: Create a CopyAllBitrateNonInterleaved transform.

+## [REST](#tab/rest/)

+## [.NET](#tab/net/)

+* Read [How to encode with a custom transform - .NET](transform-custom-transform-how-to.md). Follow the steps in that article to set up the .NET needed to work with transforms, then return here to try out an overlays preset sample.

+ Title: How to crop video files with Media Services

+description: Cropping is the process of selecting a rectangular window within the video frame, and encoding just the pixels within that window. This topic shows how to crop video files with Media Services.

+# How to crop video files with Media Services

+You can use Media Services to crop an input video. Cropping is the process of selecting a rectangular window within the video frame, and encoding just the pixels within that window. The following diagram helps illustrate the process.

+## Pre-processing stage

+Cropping is a pre-processing stage, so the *cropping parameters* in the encoding preset apply to the *input* video. Encoding is a subsequent stage, and the width/height settings apply to the *pre-processed* video, and not to the original video. When designing your preset, do the following:

+1. Select the crop parameters based on the original input video

+1. Select your encode settings based on the cropped video.

+> [!WARNING]

+> If you do not match your encode settings to the cropped video, the output will not be as you expect.

+For example, your input video has a resolution of 1920x1080 pixels (16:9 aspect ratio), but has black bars (pillar boxes) at the left and right, so that only a 4:3 window or 1440x1080 pixels contains active video. You can crop the black bars, and encode the 1440x1080 area.

+## [.NET](#tab/net/)

+## Transform code

+The following code snippet illustrates how to write a transform in .NET to crop videos. The code assumes that you have a local file to work with.

+- Left is the left-most location of the crop.

+- Top is the top-most location of the crop.

+- Width is the final width of the crop.

+- Height is the final height of the crop.

+```dotnet

+var preset = new StandardEncoderPreset

+ {

+ Filters = new Filters

+ {

+ Crop = new Rectangle

+ {

+ Left = "200",

+ Top = "200",

+ Width = "1280",

+ Height = "720"

+ }

+ },

+ Codecs =

+ {

+ new AacAudio(),

+ new H264Video()

+ {

+ Layers =

+ {

+ new H264Layer

+ {

+ Bitrate = 1000000,

+ Width = "1280",

+ Height = "720"

+ }

+ }

+ }

+ },

+ Formats =

+ {

+ new Mp4Format

+ {

+ FilenamePattern = "{Basename}_{Bitrate}{Extension}"

+ }

+ }

+ }

+```

+ Title: Encode custom transform

+description: This topic shows how to use Azure Media Services v3 to encode a custom transform.

+# How to encode with a custom transform

+When encoding with Azure Media Services, you can get started quickly with one of the recommended built-in presets based on industry best practices as demonstrated in the [Streaming files](stream-files-tutorial-with-api.md) tutorial. You can also build a custom preset to target your specific scenario or device requirements.

+## Considerations

+When creating custom presets, the following considerations apply:

+* All values for height and width on AVC content must be a multiple of 4.

+* In Azure Media Services v3, all of the encoding bitrates are in bits per second. This is different from the presets with our v2 APIs, which used kilobits/second as the unit. For example, if the bitrate in v2 was specified as 128 (kilobits/second), in v3 it would be set to 128000 (bits/second).

+## Prerequisites

+[Create a Media Services account](./account-create-how-to.md)

+## [CLI](#tab/cli/)

+## Define a custom preset

+The following example defines the request body of a new Transform. We define a set of outputs that we want to be generated when this Transform is used.

+In this example, we first add an AacAudio layer for the audio encoding and two H264Video layers for the video encoding. In the video layers, we assign labels so that they can be used in the output file names. Next, we want the output to also include thumbnails. In the example below we specify images in PNG format, generated at 50% of the resolution of the input video, and at three timestamps - {25%, 50%, 75} of the length of the input video. Lastly, we specify the format for the output files - one for video + audio, and another for the thumbnails. Since we have multiple H264Layers, we have to use macros that produce unique names per layer. We can either use a `{Label}` or `{Bitrate}` macro, the example shows the former.

+We are going to save this transform in a file. In this example, we name the file `customPreset.json`.

+```json

+{

+ "@odata.type": "#Microsoft.Media.StandardEncoderPreset",

+ "codecs": [

+ {

+ "@odata.type": "#Microsoft.Media.AacAudio",

+ "channels": 2,

+ "samplingRate": 48000,

+ "bitrate": 128000,

+ "profile": "AacLc"

+ },

+ {

+ "@odata.type": "#Microsoft.Media.H264Video",

+ "keyFrameInterval": "PT2S",

+ "stretchMode": "AutoSize",

+ "sceneChangeDetection": false,

+ "complexity": "Balanced",

+ "layers": [

+ {

+ "width": "1280",

+ "height": "720",

+ "label": "HD",

+ "bitrate": 3400000,

+ "maxBitrate": 3400000,

+ "bFrames": 3,

+ "slices": 0,

+ "adaptiveBFrame": true,

+ "profile": "Auto",

+ "level": "auto",

+ "bufferWindow": "PT5S",

+ "referenceFrames": 3,

+ "entropyMode": "Cabac"

+ },

+ {

+ "width": "640",

+ "height": "360",

+ "label": "SD",

+ "bitrate": 1000000,

+ "maxBitrate": 1000000,

+ "bFrames": 3,

+ "slices": 0,

+ "adaptiveBFrame": true,

+ "profile": "Auto",

+ "level": "auto",

+ "bufferWindow": "PT5S",

+ "referenceFrames": 3,

+ "entropyMode": "Cabac"

+ }

+ ]

+ },

+ {

+ "@odata.type": "#Microsoft.Media.PngImage",

+ "stretchMode": "AutoSize",

+ "start": "25%",

+ "step": "25%",

+ "range": "80%",

+ "layers": [

+ {

+ "width": "50%",

+ "height": "50%"

+ }

+ ]

+ }

+ ],

+ "formats": [

+ {

+ "@odata.type": "#Microsoft.Media.Mp4Format",

+ "filenamePattern": "Video-{Basename}-{Label}-{Bitrate}{Extension}",

+ "outputFiles": []

+ },

+ {

+ "@odata.type": "#Microsoft.Media.PngFormat",

+ "filenamePattern": "Thumbnail-{Basename}-{Index}{Extension}"

+ }

+ ]

+}

+```

+## Create a new transform

+In this example, we create a **Transform** that is based on the custom preset we defined earlier. When creating a Transform, you should first check if one already exist. If the Transform exists, reuse it. The following `show` command returns the `customTransformName` transform if it exists:

+```azurecli-interactive

+az ams transform show -a amsaccount -g amsResourceGroup -n customTransformName

+```

+The following Azure CLI command creates the Transform based on the custom preset (defined earlier).

+```azurecli-interactive

+az ams transform create -a amsaccount -g amsResourceGroup -n customTransformName --description "Basic Transform using a custom encoding preset" --preset customPreset.json

+```

+For Media Services to apply the Transform to the specified video or audio, you need to submit a Job under that Transform. For a complete example that shows how to submit a job under a transform, see [Quickstart: Stream video files - Azure CLI](stream-files-cli-quickstart.md).

+## [REST](#tab/rest/)

+## Define a custom preset

+The following example defines the request body of a new Transform. We define a set of outputs that we want to be generated when this Transform is used.

+In this example, we first add an AacAudio layer for the audio encoding and two H264Video layers for the video encoding. In the video layers, we assign labels so that they can be used in the output file names. Next, we want the output to also include thumbnails. In the example below we specify images in PNG format, generated at 50% of the resolution of the input video, and at three timestamps - {25%, 50%, 75} of the length of the input video. Lastly, we specify the format for the output files - one for video + audio, and another for the thumbnails. Since we have multiple H264Layers, we have to use macros that produce unique names per layer. We can either use a `{Label}` or `{Bitrate}` macro, the example shows the former.

+```json

+{

+ "properties": {

+ "description": "Basic Transform using a custom encoding preset",

+ "outputs": [

+ {

+ "onError": "StopProcessingJob",

+ "relativePriority": "Normal",

+ "preset": {

+ "@odata.type": "#Microsoft.Media.StandardEncoderPreset",

+ "codecs": [

+ {

+ "@odata.type": "#Microsoft.Media.AacAudio",

+ "channels": 2,

+ "samplingRate": 48000,

+ "bitrate": 128000,

+ "profile": "AacLc"

+ },

+ {

+ "@odata.type": "#Microsoft.Media.H264Video",

+ "keyFrameInterval": "PT2S",

+ "stretchMode": "AutoSize",

+ "sceneChangeDetection": false,

+ "complexity": "Balanced",

+ "layers": [

+ {

+ "width": "1280",

+ "height": "720",

+ "label": "HD",

+ "bitrate": 3400000,

+ "maxBitrate": 3400000,

+ "bFrames": 3,

+ "slices": 0,

+ "adaptiveBFrame": true,

+ "profile": "Auto",

+ "level": "auto",

+ "bufferWindow": "PT5S",

+ "referenceFrames": 3,

+ "entropyMode": "Cabac"

+ },

+ {

+ "width": "640",

+ "height": "360",

+ "label": "SD",

+ "bitrate": 1000000,

+ "maxBitrate": 1000000,

+ "bFrames": 3,

+ "slices": 0,

+ "adaptiveBFrame": true,

+ "profile": "Auto",

+ "level": "auto",

+ "bufferWindow": "PT5S",

+ "referenceFrames": 3,

+ "entropyMode": "Cabac"

+ }

+ ]

+ },

+ {

+ "@odata.type": "#Microsoft.Media.PngImage",

+ "stretchMode": "AutoSize",

+ "start": "25%",

+ "step": "25%",

+ "range": "80%",

+ "layers": [

+ {

+ "width": "50%",

+ "height": "50%"

+ }

+ ]

+ }

+ ],

+ "formats": [

+ {

+ "@odata.type": "#Microsoft.Media.Mp4Format",

+ "filenamePattern": "Video-{Basename}-{Label}-{Bitrate}{Extension}",

+ "outputFiles": []

+ },

+ {

+ "@odata.type": "#Microsoft.Media.PngFormat",

+ "filenamePattern": "Thumbnail-{Basename}-{Index}{Extension}"

+ }

+ ]

+ }

+ }

+ ]

+ }

+}

+```

+## Create a new transform

+In this example, we create a **Transform** that is based on the custom preset we defined earlier. When creating a Transform, you should first use [Get](/rest/api/media/transforms/get) to check if one already exists. If the Transform exists, reuse it.

+In the Postman's collection that you downloaded, select **Transforms and Jobs**->**Create or Update Transform**.

+The **PUT** HTTP request method is similar to:

+```

+PUT https://management.azure.com/subscriptions/:subscriptionId/resourceGroups/:resourceGroupName/providers/Microsoft.Media/mediaServices/:accountName/transforms/:transformName?api-version={{api-version}}

+```

+Select the **Body** tab and replace the body with the json code you [defined earlier](#define-a-custom-preset). For Media Services to apply the Transform to the specified video or audio, you need to submit a Job under that Transform.

+Select **Send**.

+For Media Services to apply the Transform to the specified video or audio, you need to submit a Job under that Transform. For a complete example that shows how to submit a job under a transform, see [Tutorial: Stream video files - REST](stream-files-tutorial-with-rest.md).

+## [.NET](#tab/net/)

+## Download the sample

+Clone a GitHub repository that contains the full .NET Core sample to your machine using the following command:

+ ```bash

+ git clone https://github.com/Azure-Samples/media-services-v3-dotnet.git

+ ```

+

+The custom preset sample is located in the [Encoding with a custom preset using .NET](https://github.com/Azure-Samples/media-services-v3-dotnet/tree/main/VideoEncoding/Encoding_H264) folder.

+## Create a transform with a custom preset

+When creating a new [Transform](/rest/api/media/transforms), you need to specify what you want it to produce as an output. The required parameter is a [TransformOutput](/rest/api/media/transforms/createorupdate#transformoutput) object, as shown in the code below. Each **TransformOutput** contains a **Preset**. The **Preset** describes the step-by-step instructions of video and/or audio processing operations that are to be used to generate the desired **TransformOutput**. The following **TransformOutput** creates custom codec and layer output settings.

+When creating a [Transform](/rest/api/media/transforms), you should first check if one already exists using the **Get** method, as shown in the code that follows. In Media Services v3, **Get** methods on entities return **null** if the entity doesn't exist (a case-insensitive check on the name).

+### Example custom transform

+The following example defines a set of outputs that we want to be generated when this Transform is used. We first add an AacAudio layer for the audio encoding and two H264Video layers for the video encoding. In the video layers, we assign labels so that they can be used in the output file names. Next, we want the output to also include thumbnails. In the example below we specify images in PNG format, generated at 50% of the resolution of the input video, and at three timestamps - {25%, 50%, 75%} of the length of the input video. Lastly, we specify the format for the output files - one for video + audio, and another for the thumbnails. Since we have multiple H264Layers, we have to use macros that produce unique names per layer. We can either use a `{Label}` or `{Bitrate}` macro, the example shows the former.

+[!code-csharp[Main](../../../media-services-v3-dotnet/VideoEncoding/Encoding_H264/Program.cs#EnsureTransformExists)]

+ Title: Generate thumbnails using Media Encoder Standard

+description: This article shows how to encode an asset and generate thumbnails at the same time using Media Encoder Standard.

+# How to generate thumbnails using Encoder Standard

+You can use Media Encoder Standard to generate one or more thumbnails from your input video in [JPEG](https://en.wikipedia.org/wiki/JPEG), [PNG](https://en.wikipedia.org/wiki/Portable_Network_Graphics), or [BMP](https://en.wikipedia.org/wiki/BMP_file_format) image file formats.

+## [REST](#tab/rest/)

+## Recommended reading and practice

+It is recommended that you become familiar with custom transforms by reading [How to encode with a custom transform](transform-custom-transform-how-to.md).

+## Thumbnail parameters

+You should set the following parameters:

+- **start** - The position in the input video from where to start generating thumbnails. The value can be in ISO 8601 format (For example, PT05S to start at 5 seconds), or a frame count (For example, 10 to start at the 10th frame), or a relative value to stream duration (For example, 10% to start at 10% of stream duration). Also supports a macro {Best}, which tells the encoder to select the best thumbnail from the first few seconds of the video and will only produce one thumbnail, no matter what other settings are for Step and Range. The default value is macro {Best}.

+- **step** - The intervals at which thumbnails are generated. The value can be in ISO 8601 format (for example, PT05S for one image every 5 seconds), or a frame count (for example, 30 for one image every 30 frames), or a relative value to stream duration (for example, 10% for one image every 10% of stream duration). Step value will affect the first generated thumbnail, which may not be exactly the one specified at transform preset start time. This is due to the encoder, which tries to select the best thumbnail between start time and step position from start time as the first output. As the default value is 10%, it means that if the stream has long duration, the first generated thumbnail might be far away from the one specified at start time. Try to select a reasonable value for step if the first thumbnail is expected be close to start time, or set the range value to 1 if only one thumbnail is needed at start time.

+- **range** - The position relative to transform preset start time in the input video at which to stop generating thumbnails. The value can be in ISO 8601 format (For example, PT5M30S to stop at 5 minutes and 30 seconds from start time), or a frame count (For example, 300 to stop at the 300th frame from the frame at start time. If this value is 1, it means only producing one thumbnail at start time), or a relative value to the stream duration (For example, 50% to stop at half of stream duration from start time). The default value is 100%, which means to stop at the end of the stream.

+- **layers** - A collection of output image layers to be produced by the encoder.

+## Example of a "single PNG file" preset

+The following JSON preset can be used to produce a single output PNG file from the first few seconds of the input video, where the encoder makes a best-effort attempt at finding an ΓÇ£interestingΓÇ¥ frame. Note that the output image dimensions have been set to 100%, meaning these match the dimensions of the input video. Note also how the ΓÇ£FormatΓÇ¥ setting in "Outputs" is required to match the use of "PngLayers" in the ΓÇ£CodecsΓÇ¥ section.

+```json

+{

+ "properties": {

+ "description": "Basic Transform using a custom encoding preset for thumbnails",

+ "outputs": [

+ {

+ "onError": "StopProcessingJob",

+ "relativePriority": "Normal",

+ "preset": {

+ "@odata.type": "#Microsoft.Media.StandardEncoderPreset",

+ "codecs": [

+ {

+ "@odata.type": "#Microsoft.Media.PngImage",

+ "stretchMode": "AutoSize",

+ "start": "{Best}",

+ "step": "25%",

+ "range": "80%",

+ "layers": [

+ {

+ "width": "50%",

+ "height": "50%"

+ }

+ ]

+ }

+ ],

+ "formats": [

+ {

+ "@odata.type": "#Microsoft.Media.Mp4Format",

+ "filenamePattern": "Video-{Basename}-{Label}-{Bitrate}{Extension}",

+ "outputFiles": []

+ },

+ {

+ "@odata.type": "#Microsoft.Media.PngFormat",

+ "filenamePattern": "Thumbnail-{Basename}-{Index}{Extension}"

+ }

+ ]

+ }

+ }

+ ]

+ }

+}

+```

+## Example of a "series of JPEG images" preset

+The following JSON preset can be used to produce a set of 10 images at timestamps of 5%, 15%, …, 95% of the input timeline, where the image size is specified to be one quarter that of the input video.

+### JSON preset

+```json

+{

+ "Version": 1.0,

+ "Codecs": [

+ {

+ "JpgLayers": [

+ {

+ "Quality": 90,

+ "Type": "JpgLayer",

+ "Width": "25%",

+ "Height": "25%"

+ }

+ ],

+ "Start": "5%",

+ "Step": "10%",

+ "Range": "96%",

+ "Type": "JpgImage"

+ }

+ ],

+ "Outputs": [

+ {

+ "FileName": "{Basename}_{Index}{Extension}",

+ "Format": {

+ "Type": "JpgFormat"

+ }

+ }

+ ]

+}

+```

+## Example of a "one image at a specific timestamp" preset

+The following JSON preset can be used to produce a single JPEG image at the 30-second mark of the input video. This preset expects the input video to be more than 30 seconds in duration (else the job fails).

+### JSON preset

+```json

+{

+ "Version": 1.0,

+ "Codecs": [

+ {

+ "JpgLayers": [

+ {

+ "Quality": 90,

+ "Type": "JpgLayer",

+ "Width": "25%",

+ "Height": "25%"

+ }

+ ],

+ "Start": "00:00:30",

+ "Step": "1",

+ "Range": "1",

+ "Type": "JpgImage"

+ }

+ ],

+ "Outputs": [

+ {

+ "FileName": "{Basename}_{Index}{Extension}",

+ "Format": {

+ "Type": "JpgFormat"

+ }

+ }

+ ]

+}

+```

+## Example of a "thumbnails at different resolutions" preset

+The following preset can be used to generate thumbnails at different resolutions in one task. In the example, at positions 5%, 15%, …, 95% of the input timeline, the encoder generates two images – one at 100% of the input video resolution and the other at 50%.

+Note the use of {Resolution} macro in the FileName; it indicates to the encoder to use the width and height that you specified in the Encoding section of the preset while generating the file name of the output images. This also helps you distinguish between the different images easily.

+### JSON preset

+```json

+{

+ "Version": 1.0,

+ "Codecs": [

+ {

+ "JpgLayers": [

+{

+ "Quality": 90,

+ "Type": "JpgLayer",

+ "Width": "100%",

+ "Height": "100%"

+},

+{

+ "Quality": 90,

+ "Type": "JpgLayer",

+ "Width": "50%",

+ "Height": "50%"

+}

+ ],

+ "Start": "5%",

+ "Step": "10%",

+ "Range": "96%",

+ "Type": "JpgImage"

+ }

+ ],

+ "Outputs": [

+ {

+ "FileName": "{Basename}_{Resolution}_{Index}{Extension}",

+ "Format": {

+"Type": "JpgFormat"

+ }

+ }

+ ]

+}

+```

+## Example of generating a thumbnail while encoding

+While all of the above examples have discussed how you can submit an encoding task that only produces images, you can also combine video/audio encoding with thumbnail generation. The following JSON preset tells Encoder Standard to generate a thumbnail during encoding.

+### JSON preset

+For information about schema, see [this](../previous/media-services-mes-schema.md) article.

+```json

+{

+ "Version": 1.0,

+ "Codecs": [

+ {

+ "KeyFrameInterval": "00:00:02",

+ "SceneChangeDetection": "true",

+ "H264Layers": [

+ {

+ "Profile": "Auto",

+ "Level": "auto",

+ "Bitrate": 4500,

+ "MaxBitrate": 4500,

+ "BufferWindow": "00:00:05",

+ "Width": 1280,

+ "Height": 720,

+ "ReferenceFrames": 3,

+ "EntropyMode": "Cabac",

+ "AdaptiveBFrame": true,

+ "Type": "H264Layer",

+ "FrameRate": "0/1"

+ }

+ ],

+ "Type": "H264Video"

+ },

+ {

+ "JpgLayers": [

+ {

+ "Quality": 90,

+ "Type": "JpgLayer",

+ "Width": "100%",

+ "Height": "100%"

+ }

+ ],

+ "Start": "{Best}",

+ "Type": "JpgImage"

+ },

+ {

+ "Channels": 2,

+ "SamplingRate": 48000,

+ "Bitrate": 128,

+ "Type": "AACAudio"

+ }

+ ],

+ "Outputs": [

+ {

+ "FileName": "{Basename}_{Index}{Extension}",

+ "Format": {

+ "Type": "JpgFormat"

+ }

+ },

+ {

+ "FileName": "{Basename}_{Resolution}_{VideoBitrate}.mp4",

+ "Format": {

+ "Type": "MP4Format"

+ }

+ }

+ ]

+}

+```

+## [.NET](#tab/net/)

+## Recommended reading and practice

+It is recommended that you become familiar with custom transforms by reading [How to encode with a custom transform](transform-custom-transform-how-to.md).

+## Transform code example

+The below code example creates just a thumbnail. You should set the following parameters:

+- **start** - The position in the input video from where to start generating thumbnails. The value can be in ISO 8601 format (For example, PT05S to start at 5 seconds), or a frame count (For example, 10 to start at the 10th frame), or a relative value to stream duration (For example, 10% to start at 10% of stream duration). Also supports a macro {Best}, which tells the encoder to select the best thumbnail from the first few seconds of the video and will only produce one thumbnail, no matter what other settings are for Step and Range. The default value is macro {Best}.

+- **step** - The intervals at which thumbnails are generated. The value can be in ISO 8601 format (for example, PT05S for one image every 5 seconds), or a frame count (for example, 30 for one image every 30 frames), or a relative value to stream duration (for example, 10% for one image every 10% of stream duration). Step value will affect the first generated thumbnail, which may not be exactly the one specified at transform preset start time. This is due to the encoder, which tries to select the best thumbnail between start time and step position from start time as the first output. As the default value is 10%, it means that if the stream has long duration, the first generated thumbnail might be far away from the one specified at start time. Try to select a reasonable value for step if the first thumbnail is expected be close to start time, or set the range value to 1 if only one thumbnail is needed at start time.

+- **range** - The position relative to transform preset start time in the input video at which to stop generating thumbnails. The value can be in ISO 8601 format (For example, PT5M30S to stop at 5 minutes and 30 seconds from start time), or a frame count (For example, 300 to stop at the 300th frame from the frame at start time. If this value is 1, it means only producing one thumbnail at start time), or a relative value to the stream duration (For example, 50% to stop at half of stream duration from start time). The default value is 100%, which means to stop at the end of the stream.

+- **layers** - A collection of output image layers to be produced by the encoder.

+```csharp

+private static Transform EnsureTransformExists(IAzureMediaServicesClient client, string resourceGroupName, string accountName, string transformName)

+{

+ // Does a Transform already exist with the desired name? Assume that an existing Transform with the desired name

+ // also uses the same recipe or Preset for processing content.

+ Transform transform = client.Transforms.Get(resourceGroupName, accountName, transformName);

+ if (transform == null)

+ {

+ // Create a new Transform Outputs array - this defines the set of outputs for the Transform

+ TransformOutput[] outputs = new TransformOutput[]

+ {

+ // Create a new TransformOutput with a custom Standard Encoder Preset

+ // This demonstrates how to create custom codec and layer output settings

+ new TransformOutput(

+ new StandardEncoderPreset(

+ codecs: new Codec[]

+ {

+ // Generate a set of PNG thumbnails

+ new PngImage(

+ start: "25%",

+ step: "25%",

+ range: "80%",

+ layers: new PngLayer[]{

+ new PngLayer(

+ width: "50%",

+ height: "50%"

+ )

+ }

+ )

+ },

+ // Specify the format for the output files for the thumbnails

+ formats: new Format[]

+ {

+ new PngFormat(

+ filenamePattern:"Thumbnail-{Basename}-{Index}{Extension}"

+ )

+ }

+ ),

+ onError: OnErrorType.StopProcessingJob,

+ relativePriority: Priority.Normal

+ )

+ };

+ string description = "A transform that includes thumbnails.";

+ // Create the custom Transform with the outputs defined above

+ transform = client.Transforms.CreateOrUpdate(resourceGroupName, accountName, transformName, outputs, description);

+ }

+ return transform;

+}

+```

+ Title: How to stitch two or more video files | Microsoft Docs

+# How to stitch two or more video files

+## [.NET](#tab/net/)

+ Title: Subclip a video when encoding with Media Services

+description: This topic describes how to subclip a video when encoding with Azure Media Services.

+# Subclip a video

+You can trim or subclip a video when encoding it using a Media Services Job.

+This functionality works with any Transform that is built using either the BuiltInStandardEncoderPreset presets, or the StandardEncoderPreset presets.

+## [REST](#tab/rest/)

+## Subclip a video when encoding with Media Services - REST

+You can trim or subclip a video when encoding it using a [Job](/rest/api/media/jobs). This functionality works with any [Transform](/rest/api/media/transforms) that is built using either the [BuiltInStandardEncoderPreset](/rest/api/media/transforms/createorupdate#builtinstandardencoderpreset) presets, or the [StandardEncoderPreset](/rest/api/media/transforms/createorupdate#standardencoderpreset) presets.

+The REST example in this topic creates a job that trims a video as it submits an encoding job.

+## Prerequisites

+To complete the steps described in this topic, you have to:

+- [Create an Azure Media Services account](./account-create-how-to.md).

+- [Configure Postman for Azure Media Services REST API calls](setup-postman-rest-how-to.md).

+

+ Make sure to follow the last step in the topic [Get Azure AD Token](setup-postman-rest-how-to.md#get-azure-ad-token).

+- Create a Transform and an output Assets. You can see how to create a Transform and an output Assets in the [Encode a remote file based on URL and stream the video - REST](stream-files-tutorial-with-rest.md) tutorial.

+- Review the [Encoding concept](encode-concept.md) topic.

+## Create a subclipping job

+1. In the Postman collection that you downloaded, select **Transforms and jobs** -> **Create Job with Sub Clipping**.

+

+ The **PUT** request looks like this:

+

+ ```

+ https://management.azure.com/subscriptions/:subscriptionId/resourceGroups/:resourceGroupName/providers/Microsoft.Media/mediaServices/:accountName/transforms/:transformName/jobs/:jobName?api-version={{api-version}}

+ ```

+1. Update the value of "transformName" environment variable with your transform name.

+1. Select the **Body** tab and update the "myOutputAsset" with your output Asset name.

+ ```json

+ {

+ "properties": {

+ "description": "A Job with transform cb9599fb-03b3-40eb-a2ff-7ea909f53735 and single clip.",

+

+ "input": {

+ "@odata.type": "#Microsoft.Media.JobInputHttp",

+ "baseUri": "https://nimbuscdn-nimbuspm.streaming.mediaservices.windows.net/2b533311-b215-4409-80af-529c3e853622/",

+ "files": [

+ "Ignite-short.mp4"

+ ],

+ "start": {

+ "@odata.type": "#Microsoft.Media.AbsoluteClipTime",

+ "time": "PT10S"

+ },

+ "end": {

+ "@odata.type": "#Microsoft.Media.AbsoluteClipTime",

+ "time": "PT40S"

+ }

+ },

+

+ "outputs": [

+ {

+ "@odata.type": "#Microsoft.Media.JobOutputAsset",

+ "assetName": "myOutputAsset"

+ }

+ ],

+ "priority": "Normal"

+ }

+ }

+ ```

+1. Press **Send**.

+ You see the **Response** with the info about the job that was created and submitted and the job's status.

+## [.NET](#tab/net/)

+The following C# example creates a job that trims a video in an Asset as it submits an encoding job.

+## Prerequisites

+To complete the steps described in this topic, you have to:

+- [Create an Azure Media Services account](./account-create-how-to.md)

+- Create a Transform and an input and output Assets. You can see how to create a Transform and input and output Assets in the [Upload, encode, and stream videos using .NET](stream-files-tutorial-with-api.md) tutorial.

+- Review the [Encoding concept](encode-concept.md) topic.

+## Example

+```csharp

+/// <summary>

+/// Submits a request to Media Services to apply the specified Transform to a given input video.

+/// </summary>

+/// <param name="client">The Media Services client.</param>

+/// <param name="resourceGroupName">The name of the resource group within the Azure subscription.</param>

+/// <param name="accountName"> The Media Services account name.</param>

+/// <param name="transformName">The name of the transform.</param>

+/// <param name="jobName">The (unique) name of the job.</param>

+/// <param name="inputAssetName">The name of the input asset.</param>

+/// <param name="outputAssetName">The (unique) name of the output asset that will store the result of the encoding job. </param>

+// <SubmitJob>

+private static async Task<Job> JobWithBuiltInStandardEncoderWithSingleClipAsync(

+ IAzureMediaServicesClient client,

+ string resourceGroupName,

+ string accountName,

+ string transformName,

+ string jobName,

+ string inputAssetName,

+ string outputAssetName)

+{

+ var jobOutputs = new List<JobOutputAsset>

+ {

+ new JobOutputAsset(state: JobState.Queued, progress: 0, assetName: outputAssetName)

+ };

+ var clipStart = new AbsoluteClipTime()

+ {

+ Time = new TimeSpan(0, 0, 20)

+ };

+ var clipEnd = new AbsoluteClipTime()

+ {

+ Time = new TimeSpan(0, 0, 30)

+ };

+ var jobInput = new JobInputAsset(assetName: inputAssetName, start: clipStart, end: clipEnd);

+ Job job = await client.Jobs.CreateAsync(

+ resourceGroupName,

+ accountName,

+ transformName,

+ jobName,

+ new Job(input: jobInput, outputs: jobOutputs.ToArray(), name: jobName)

+ {

+ Description = $"A Job with transform {transformName} and single clip.",

+ Priority = Priority.Normal,

+ });

+ return job;

+}

+```

+>

+- If you are still experiencing issues, please [report the issue](https://github.com/Azure/azure-cli/issues).

+2. Using the mysqldump utility to create a logical backup of the table. The backup will retain the table structure and the data within it.

+3. Reloading the table into the database.

+>

+* Use the definer user to execute CREATE VIEW if possible. It's likely that there are many views with different definers having different permissions, so this may not be feasible. OR

+* Edit the dump file or CREATE VIEW script and remove the DEFINER= statement from the dump file. OR

+| TimescaleDB, orafce | Yes | Yes |

+| <b> Initializing | In the process of creating a new standby server. |

+> You can enable high availability during server creation or at a later time as well. If you are enabling or disabling high availability during post-create stage, it is recommended to perform the operation when the primary server activity is low.

+1. Clients connect to the flexible server and perform write operations.

+Unplanned outages include software bugs or infrastructure component failures that impact the availability of the database. If the primary server becomes unavailable, it is detected by the monitoring system and initiates a failover process. The process includes a few seconds of wait time to make sure it is not a false positive. The replication to the standby replica is severed and the standby replica is activated to be the primary database server. That includes the standby to recover any residual WAL files. Once it is fully recovered, DNS for the same end point is updated with the standby server's IP address. Clients can then retry connecting to the database server using the same connection string and resume their operations.

+4. Once the steady-state replication is established, the client application commits and writes are acknowledged after the data is persisted on both sites.

+When executing this feature, the standby server is first prepared to make sure it is caught up with recent transactions allowing the application to continue to perform read/writes. The standby is then promoted and the connections to the primary are severed. Your application can continue to write to the primary while a new standby server is established in the background. The following are the steps involved with planned failover.

+Flexible servers that are configured with high availability, log data is replicated in real time to the standby server. Any user errors on the primary server - such as an accidental drop of a table or incorrect data updates are replicated to the standby replica as well. So, you cannot use standby to recover from such logical errors. To recover from such errors, you have to perform point-in-time restore from the backup. Using flexible server's point-in-time restore capability, you can restore to the time before the error occurred. For databases configured with high availability, a new database server will be restored as a single zone flexible server with a new user-provided server name. You can use the restored server for few use cases:

+ 1. You can use the restored server for production usage and can optionally enable zone-redundant high availability.

+ 2. If you just want to restore an object, you can then export the object from the restored database server and import it to your production database server.

+| [az postgresql server create](/cli/azure/postgres/server/vnet-rule#az-postgres-server-vnet-rule-create) | Creates a PostgreSQL server that hosts the databases. |

+| [az postgresql server vnet-rule create](/cli/azure/postgres/server/vnet-rule#az-postgres-server-vnet-rule-create) | Create a virtual network rule to allows access to a PostgreSQL server. |

+> - East US

+> - North Europe

+> - Australia East

+> - Canada Central

+> - East US

+> - East US 2

+> - North Europe

+> - West Europe

+- Azure SQL Database Managed Instances

+- **Workflow administrator** - a role that allows a user to access the workflow authoring page in the Azure Purview studio, and publish workflows on collections where they have access permissions. Workflow administrator only has access to authoring, and so will need at least Data reader permission on a collection to be able to access the Purview Studio.

+|I need to create workflows for my Azure Purview account | Workflow administrator |

+All other users can only access information within the Azure Purview account if they, or a group they're in, are given one of the above roles. This means, when you create an Azure Purview account, no one but the creator can access or use its APIs until they're [added to one or more of the above roles in a collection](how-to-create-and-manage-collections.md#add-role-assignments).

+Role assignment is managed through the collections. Only a user with the [collection admin role](#roles) can grant permissions to other users on that collection. When new permissions need to be added, a collection admin will access the [Azure Purview Studio](https://web.purview.azure.com/resource/), navigate to data map, then the collections tab, and select the collection where a user needs to be added. From the Role Assignments tab they'll be able to add and manage users who need permissions.

+ Title: Workflows in Azure Purview

+description: This article describes workflows in Azure Purview, the roles they play, and who can create and manage them.

+# Workflows in Azure Purview

+Workflows are automated, repeatable business processes that users can create within Azure Purview to validate and orchestrate CUD (create, update, delete) operations on their data entities. Enabling these processes allow organizations to track changes, enforce policy compliance, and ensure quality data across their data landscape.

+Since the workflows are created and managed within Azure Purview, manual change monitoring or approval are no longer required to ensure quality updates to the data catalog.

+## What are workflows?

+Workflows are automated processes that are made up of [connectors](#workflow-connectors) that contain a common set of pre-established actions and are run when specified operations occur in your data catalog.

+For example: A user attempts to delete a business glossary term that is bound to a workflow. When the user submits this operation, the workflow runs through its actions instead of, or before, the original delete operation.

+Workflow [actions](#workflow-connectors) include things like generating approval requests or sending a notification, that allow users to automate validation and notification systems across their organization.

+Currently, there are two kinds of workflows:

+* **Data governance** - for data policy, access governance, and loss prevention. [Scoped](#workflow-scope) at the collection level.

+* **Data catalog** - to manage approvals for CUD (create, update, delete) operations for glossary terms. [Scoped](#workflow-scope) at the glossary level.

+These workflows can be built from pre-established [workflow templates](#workflow-templates) provided in the Azure Purview studio, but are fully customizable using the available workflow connectors.

+## Workflow templates

+For all the different types of user defined workflows enabled and available for your use, Azure Purview provides templates to help [workflow administrators](#who-can-manage-workflows) create workflows without needing to build them from scratch. The templates are built into the authoring experience and automatically populate based on the workflow being created, so there's no need to search for them.

+Templates are available to launch the workflow authoring experience. However, a workflow admin can customize the template to meet the requirements in their organization.

+## Workflow connectors

+Workflow connectors are a common set of actions applicable across all workflows. They can be used in any workflow in Azure Purview to create processes customized to your organization. Currently, the available connectors are:

+- **Approval connector** ΓÇô Generates approval requests and assign the requests to individual users or Microsoft Azure Active Directory groups.

+ Azure Purview workflow approval connector currently supports two types of approval types:

+ * First to Respond ΓÇô This implies that the first approverΓÇÖs outcome (Approve/Reject) is considered final.

+ * Everyone must approve ΓÇô This implies everyone identified as an approver must approve the request for the request to be considered approved. If one approver rejects the request, regardless of other approvers, the request is rejected.

+- **Task Connector** - Creates, assigns, and tracks a task to a user or Azure AD group as part of a workflow.

+- **Send Email** ΓÇô Sends emails as part of a workflow.

+## Workflow scope

+Once a workflow is created and enabled, it can be bound to a particular scope. This gives you the flexibility to run different workflows for different areas/departments in your organization.

+Data governance workflows are scoped to collections, and can be bound to the root collection to govern the whole Azure Purview catalog, or any subcollection.

+Data catalog workflows are scoped to the glossary and can be bound to the entire glossary, any single term, or any parent term to manage child-terms.

+If there's no workflow directly associated with a scope, the workflow engine will traverse upward in the scope hierarchy to determine closest workflow, and run that workflow for the operation.

+For example, the AdatumCorp Purview account has the following collection hierarchy:

+Root Collection > Sales | Finance | Marketing

+- **Root collection** has the workflow _Self-Service data access default workflow_ defined and bound.

+- **Sales** has _Self-Service data access for sales collection_ defined and bound.

+- **Finance** has _Self-Service data access for finance collection_ defined and bound.

+- **Marketing** has no workflows directly bound.

+In the above setup, when an access request is made for a data asset in Finance collection, the _Self-Service data access for finance collection_ workflow is run.

+However, when a request access is made for a data asset in Marketing collection, _Self-Service data access default workflow_ is triggered. Because there are no workflows bound at the Marketing scope, the workflow engine traverses to the next level in the scope hierarchy, which is Marketing's parent: the root collection. The workflow at the parent scope, the root collection scope, is run.

+## Who can manage workflows?

+A new role, **Workflow Admin** is being introduced with workflow functionality.

+A Workflow admin defined for a collection can create self-service workflows and bind these workflows to the collections they have access to.

+A Workflow admin defined for any collection can create approval workflows for the business glossary. In order to bind the glossary workflows to a term you need to have at least [Data reader permissions](catalog-permissions.md).

+## Next steps

+Now that you understand what workflows are, you can follow these guides to use them in your Azure Purview account:

+- [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)

+- [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)

+- [Manage workflow requests and approvals](how-to-workflow-manage-requests-approvals.md)

+> PowerBI assets can only be [certified in a PowerBI workspace](/power-bi/collaborate-share/service-endorse-content). PowerBI endorsement labels are displayed in Azure Purview's search and browse experiences.

+- [Searching the data catalog](how-to-search-catalog.md)

+ Title: How to create, import, export, and manage glossary terms

+description: Learn how to create, import, export, and manage business glossary terms in Azure Purview.

+To create a new glossary term, follow these steps:

+ - **Draft**: This term isn't yet officially implemented.

+3. Download the csv template and use it to enter your terms you would like to add. Give your template csv file a name that starts with a letter and only includes letters, numbers, spaces, '_', or other non-ascii unicode characters. Special characters in the file name will create an error.

+## Delete terms

+1. Select **Data catalog** in the left navigation on the home page, and then select the **Manage glossary** button in the center of the page.

+ :::image type="content" source="media/how-to-create-import-export-glossary/find-glossary.png" alt-text="Screenshot of the data catalog with the glossary highlighted." border="true":::

+1. Using checkboxes, select the terms you want to delete. You can select a single term, or multiple terms for deletion.

+ :::image type="content" source="media/how-to-create-import-export-glossary/select-terms.png" alt-text="Screenshot of the glossary, with a few terms selected." border="true":::

+1. Select the **Delete** button in the top menu.

+ :::image type="content" source="media/how-to-create-import-export-glossary/select-delete.png" alt-text="Screenshot of the glossary, with the Delete button highlighted in the top menu." border="true":::

+1. You'll be presented with a window that shows all the terms selected for deletion.

+ > [!NOTE]

+ > If a parent is selected for deletion all the children for that parent are automatically selected for deletion.

+ :::image type="content" source="media/how-to-create-import-export-glossary/delete-window.png" alt-text="Screenshot of the glossary delete window, with a list of all terms to be deleted. The Revenue term is a parent to two other terms, and because it was selected to be deleted, its child terms are also in the list to be deleted." border="true":::

+1. Review the list. You can remove the terms you don't want to delete after review by selecting **Remove**.

+ :::image type="content" source="media/how-to-create-import-export-glossary/select-remove.png" alt-text="Screenshot of the glossary delete window, with a list of all terms to be deleted, and the 'Remove' column highlighted on the right." border="true":::

+1. You can also see which terms will require an approval process in the column **Approval Needed**. If Approval needed is **Yes**, the term will go through an approval workflow before deletion. If the value is **No** then the term will be deleted without any approvals.

+ > [!NOTE]

+ > If a parent has an associated approval process, but the child does not, the parent delete term workflow will be triggered. This is because the selection is done on the parent and you are acknowledging to delete child terms along with parent.

+ :::image type="content" source="media/how-to-create-import-export-glossary/approval-needed.png" alt-text="Screenshot of the glossary delete window, with a list of all terms to be deleted, and the 'Approval needed' column highlighted." border="true":::

+1. If there's a least one term that needs to be approved you'll be presented with **Submit for approval** and **Cancel** buttons. Selecting **Submit for approval** will delete all the terms where approval isn't needed and will trigger approval workflows for terms that require it.

+ :::image type="content" source="media/how-to-create-import-export-glossary/yes-approval-needed.png" alt-text="Screenshot of the glossary delete window, with a list of all terms to be deleted, and the 'Approval needed' column highlighted. An item is listed as approval needed, so at the bottom, buttons available are 'Submit for approval' and 'Cancel'." border="true":::

+1. If there are no terms that need to be approved you'll be presented with **Delete** and **Cancel** buttons. Selecting **Delete** will delete all the selected terms.

+ :::image type="content" source="media/how-to-create-import-export-glossary/no-approval-needed.png" alt-text="Screenshot of the glossary delete window, with a list of all terms to be deleted, and the 'Approval needed' column highlighted. All items are listed as no approval needed, so at the bottom, buttons available are 'Delete' and 'Cancel'." border="true":::

+## Business terms with approval workflow enabled

+If [workflows](concept-workflow.md) are enabled on a term, then any creates, updates, or deletes to the term will go through an approval before they're saved in data catalog.

+- **New terms** - when a create approval workflow is enabled on the parent term, during the creation process you'll see **Submit for approval** instead of **Create** after you've entered all the details. Selecting **Submit for approval** will trigger the workflow. You'll receive notification when your request is approved or rejected.

+- **Updates to existing terms** - when an update approval workflow is enabled on parent, you'll see **Submit for approval** instead of **Save** when updating the term. Selecting **Submit for approval** will trigger the workflow. The changes won't be saved in catalog until all the approvals are met.

+- **Deletion** - when a delete approval workflow is enabled on the parent term, you'll see **Submit for approval** instead of **Delete** when deleting the term. Selecting **Submit for approval** will trigger the workflow. However, the term won't be deleted from catalog until all the approvals are met.

+- **Importing terms** - when an import approval workflow enabled for Azure Purview's glossary, you'll see **Submit for approval** instead of **OK** in the Import window when importing terms via csv. Selecting **Submit for approval** will trigger the workflow. However, the terms in the file won't be updated in catalog until all the approvals are met.

+* For more information about glossary terms, see the [glossary reference](reference-azure-purview-glossary.md)

+* For more information about approval workflows of business glossary, see the [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)

+ Title: How to request access to a data source in Azure Purview.

+description: This article describes how a user can request access to a data source from within Azure Purview.

+# How to request access for a data asset

+If you discover a data asset in the catalog that you would like access to, you can request access directly through Azure Purview.

+The request will trigger a workflow that will request that the owners of the data resource grant you access to that data source.

+This article outlines how to make an access request.

+1. To find a data asset, use Azure Purview's [search](how-to-search-catalog.md) or [browse](how-to-browse-catalog.md) functionality.

+ :::image type="content" source="./media/how-to-request-access/search-or-browse.png" alt-text="Screenshot of the Azure Purview studio, with the search bar and browse buttons highlighted.":::

+1. Select the asset to go to asset details.

+1. Select **Request access**.

+

+ :::image type="content" source="./media/how-to-request-access/request-access.png" alt-text="Screenshot of a data asset's overview page, with the Request button highlighted in the mid-page menu.":::

+1. The **Request access** window will open. You can provide comments on why data access is requested.

+1. Select **Send** to trigger the self-service data access workflow.

+ :::image type="content" source="./media/how-to-request-access/send.png" alt-text="Screenshot of a data asset's overview page, with the Request access window overlaid. The Send button is highlighted at the bottom of the Request access window.":::

+ > [!NOTE]

+ > A request access to resource set will actually submit the data access request for the folder one level up which contains all these resource set files.

+1. Data owners will be notified of your request and will either approve or reject the request.

+## Next steps

+- [What are Azure Purview workflows](concept-workflow.md)

+- [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)

+- [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)

+ Title: Business terms approval workflow

+description: This article describes how to create and manage workflows to approve business terms in Azure Purview.

+# Approval workflow for business terms

+This guide will take you through the creation and management of approval workflows for business terms.

+## Create and enable a new approval workflow for business terms

+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/) and select the Management center. You'll see three new icons in the table of contents.

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/workflow-section.png" alt-text="Screenshot showing the management center left menu with the new workflow section highlighted.":::

+1. To create new workflows, select **Authoring** in the workflow section. This will take you to the workflow authoring experiences.

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/workflow-authoring-experience.png" alt-text="Screenshot showing the authoring workflows page, showing a list of all workflows.":::

+ >[!NOTE]

+ >If the authoring tab is greyed out, you don't have the permissions to be able to author workflows. You'll need the [workflow admin role](catalog-permissions.md).

+1. To create a new workflow, select **+New** button.

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/workflow-authoring-select-new.png" alt-text="Screenshot showing the authoring workflows page, with the + New button highlighted.":::

+1. To create **Approval workflows for business terms** Select **Data Catalog** and select **Continue**

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/select-data-catalog.png" alt-text="Screenshot showing the new workflows menu, with Data Catalog selected.":::

+1. In the next screen, you'll see all the templates provided by Azure Purview to create a workflow. Select the template using which you want to start your authoring experiences and select **Continue**. Each of these templates specifies the kind of action that will trigger the workflow. In the screenshot below we've selected **Create glossary term**. The four different templates available for business glossary are:

+ * Create glossary term - when a term is created, approval will be requested.

+ * Update glossary term - when a term is updated, approval will be requested.

+ * Delete glossary term - when a term is deleted, approval will be requested.

+ * Import terms - when terms are imported, approval will be requested.

+

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/create-glossary-term-select-continue.png" alt-text="Screenshot showing the new data catalog workflow menu, showing template options, with the Continue button selected.":::

+1. Next, enter a workflow name and optionally add a description. Then select **Continue**.

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/name-and-continue.png" alt-text="Screenshot showing the new data catalog workflow menu with a name entered into the name textbox.":::

+1. You'll now be presented with a canvas where the selected template is loaded by default.

+

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/workflow-authoring-canvas-inline.png" alt-text="Screenshot showing the workflow authoring canvas, with the selected template workflow populated in the central workspace." lightbox="./media/how-to-workflow-business-terms-approval/workflow-authoring-canvas-expanded.png":::

+1. The default template can be used as it is by populating the approver's email address in **Start and Wait for approval** Connector.

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/add-approver-email-inline.png" alt-text="Screenshot showing the workflow authoring canvas, with the start and wait for an approval step opened, and the Assigned to textbox highlighted." lightbox="./media/how-to-workflow-business-terms-approval/add-approver-email-expanded.png":::

+ The default template has the following steps:

+ 1. Trigger when a glossary term is created/updated/deleted/imported depending on the template selected.

+ 1. Approval connector that specifies a user or group that will be contacted to approve the request.

+ 1. Condition to check approval status

+ - If approved:

+ 1. Create/update/delete/import the glossary term

+ 1. Send an email to requestor that their request is approved, and term CUD (create, update, delete) operation is successful.

+ - If rejected:

+ 1. Send email to requestor that their request is denied.

+1. You can also modify the template by adding more connectors to suit your organizational needs. Add a new step to the end of the template by selecting the **New step** button. Add steps between any already existing steps by selecting the arrow icon between any steps.

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/modify-template-inline.png" alt-text="Screenshot showing the workflow authoring canvas, with a + button highlighted on the arrow between the two top steps, and the Next Step button highlighted at the bottom of the workspace." lightbox="./media/how-to-workflow-business-terms-approval/modify-template-expanded.png":::

+1. Once you're done defining a workflow, you need to bind the workflow to a glossary hierarchy path. The binding implies that this workflow is triggered only for CUD operations within the specified glossary hierarchy path. A workflow can be bound to only one hierarchy path. To bind a workflow or to apply a scope to a workflow, you need to select ΓÇÿApply workflowΓÇÖ. Select the scopes you want this workflow to be associated with and select **OK**.

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/select-apply-workflow.png" alt-text="Screenshot showing the new data catalog workflow menu with the Apply Workflow button highlighted at the top of the workspace.":::

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/select-okay.png" alt-text="Screenshot showing the apply workflow window, showing a list of items that the workflow can be applied to. At the bottom of the window, the O K button is selected.":::

+ >[!NOTE]

+ > - The Azure Purview workflow engine will always resolve to the closest workflow that the term hierarchy path is associated with. In case a direct binding is not found, it will traverse up in the tree to find the workflow associated with the closest parent in the glossary tree.

+ > - Import terms can only be bound to root glossary path as the .CSV can contain terms from different hierarchy paths.

+1. By default, the workflow will be enabled. To disable, toggle the Enable button in the top menu.

+1. Finally select **Save and close** to create and the workflow.

+ :::image type="content" source="./media/how-to-workflow-business-terms-approval/workflow-enabled.png" alt-text="Screenshot showing the workflow authoring page, showing the newly created workflow listed among all other workflows.":::

+## Edit an existing workflow

+To modify an existing workflow, select the workflow and then select **Edit** in the top menu. You'll then be presented with the canvas containing workflow definition. Modify the workflow and select **Save** to commit changes.

+## Disable a workflow

+To disable a workflow, select the workflow and then select **Disable** in the top menu. You can also disable the workflow by selecting **Edit** and changing the enable toggle in workflow canvas.

+## Delete a workflow

+To delete a workflow, select the workflow and then select **Delete** in the top menu.

+## Limitations for business terms with approval workflow enabled

+* Non-approved glossary terms aren't saved in Purview catalog.

+* The behavior of tagging terms to assets/schemas is same as today. That is, previously created draft terms can be tagged to assets/schemas.

+## Next steps

+For more information about workflows, see these articles:

+- [What are Azure Purview workflows](concept-workflow.md)

+- [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)

+- [Manage workflow requests and approvals](how-to-workflow-manage-requests-approvals.md)

+ Title: Manage workflow requests and approvals

+description: This article outlines how to manage requests and approvals generated by a workflow in Azure Purview.

+# Manage workflow requests and approvals

+This article outlines how to manage requests and approvals that generated by a [workflow](concept-workflow.md) in Azure Purview.

+To view requests you've made or request for approvals that have been sent to you by a workflow instance, navigate to management center in the [Azure Purview Studio](https://web.purview.azure.com/resource/), and select **Requests and Approvals**.

+You'll be presented with three tabs:

+* [Waiting for a response](#waiting-for-a-response) - This tab shows the requests (tasks) and approvals that are waiting for you to act on.

+* [Pending requests](#pending-requests) - You can view all the approval requests and tasks you've submitted in this tab.

+* [History](#history) - All the completed approvals and tasks are moved to this tab.

+## Waiting for a response

+This tab shows the requests (tasks) and approvals that are waiting for your action.

+Select the request to take action.

+### Approvals

+1. To approve/reject a request, select the request and you'll be presented with the following window:

+ :::image type="content" source="./media/how-to-workflow-manage-requests-approval/select-request.png" alt-text="Screenshot showing that the Waiting for a response tab is selected, and an open request has been selected. The Respond page is shown with some details, a space for a response, and a space for commentary.":::

+1. An approval activity has the following available responses:

+ - **Approved** ΓÇô An approver can mark the response as **Approved** indicating their approval for the changes proposed by the requestor.

+ - **Rejected** - An approver can mark the response as **Rejected** indicating that they don't approve the changes proposed by the requestor.

+1. Optionally, select the value to see details of the request. In the screenshot below, it shows the term details. If the approval is for a data asset, you'll be able to view the details, as shown below.

+ :::image type="content" source="./media/how-to-workflow-manage-requests-approval/select-value.png" alt-text="Screenshot showing the respond page is open, with the Value detail highlighted.":::

+ :::image type="content" source="./media/how-to-workflow-manage-requests-approval/view-details.png" alt-text="Screenshot showing the request value has been selected, so the request details page is open showing an overview of the request, related information, and contacts.":::

+1. If there are updates, you'll also to be able to see the current value and proposed value.

+1. Choose your response, optionally add comments, and select **Confirm**.

+ :::image type="content" source="./media/how-to-workflow-manage-requests-approval/select-option-and-confirm.png" alt-text="Screenshot showing the Respond page is open, with the response section Highlighted, a response selected, and the confirm button highlighted at the bottom.":::

+### Tasks

+1. To complete a task, select the task request and you'll be presented with the following window:

+ :::image type="content" source="./media/how-to-workflow-manage-requests-approval/task-request.png" alt-text="Screenshot showing the task selected and the Respond page is open, with details, a status, and a place for comments.":::

+1. A task has the following statues:

+ - Not started ΓÇô This is the status of the task when it's initially created by a workflow.

+ - In Progress ΓÇô A task owner can mark the task as **In progress** to indicate that they're currently working on it.

+ - Complete ΓÇô Once the task is complete, a task owner can change the status as **Complete**. This marks the completion of task activity, and the workflow will now move to the next step.

+1. Select the correct status, add any comments, and select **Confirm**.

+## Pending requests

+In this tab you can view all the approval requests and tasks that you've submitted.

+Select the request to see the status and the outcomes for each approver/task owner.

+## History

+All the completed approvals and tasks are moved to this tab.

+Select an approval or task to see details and responses from all approvals or task owners.

+## Email notifications

+Purview approvals and task connectors have in-built email capabilities. Every time an approval/task action is triggered in workflow; it sends email to all the users who need to act on it.

+Users can respond by selecting the links in the email, or by navigating to the Azure Purview studio and viewing their pending tasks.

+## Next steps

+- [What are Azure Purview workflows](concept-workflow.md)

+- [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)

+- [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)

+- [Manage workflow runs](how-to-workflow-manage-runs.md)

+ Title: Manage workflow runs

+description: This article outlines how to manage workflow runs.

+# Manage workflow runs

+This article outlines how to manage workflows that are already running.

+1. To view workflow runs you triggered, sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/), select the Management center, and select **Workflow runs**.

+ :::image type="content" source="./media/how-to-workflow-manage-runs/select-workflow-runs.png" alt-text="Screenshot of the management menu in the Azure Purview studio. The Workflow runs tab is highlighted.":::

+1. You'll be presented with the list of workflow runs and their statuses.

+ :::image type="content" source="./media/how-to-workflow-manage-runs/workflow-runs.png" alt-text="Screenshot of the workflow runs page, showing a list of all workflow runs, their status, and their run IDs.":::

+1. You can filter the results by using workflow name, status, or time.

+ :::image type="content" source="./media/how-to-workflow-manage-runs/filters.png" alt-text="Screenshot of the workflow runs page, with the keyword, name, status, and time filters highlighted above the list of workflows.":::

+1. Select a workflow name to see the details of the workflow run.

+1. This will present a window that shows all the actions that are completed, actions that are in-progress, and the next action for that workflow run.

+ :::image type="content" source="./media/how-to-workflow-manage-runs/workflow-details.png" alt-text="Screenshot of the workflow runs page, with an example workflow name selected, and the workflow details page overlaid, showing workflow run, submission time, run I D, status, and a list of all steps in the request timeline.":::

+1. You can select any of the actions in the request timeline to see the specific status and substep details.

+ :::image type="content" source="./media/how-to-workflow-manage-runs/select-stages.png" alt-text="Screenshot of the workflow runs page, with the workflow details page overlaid. Some workflow run actions in the request timeline have been expanded to show more information and sub steps.":::

+## Next steps

+- [What are Azure Purview workflows](concept-workflow.md)

+- [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)

+- [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)

+- [Manage workflow requests and approvals](how-to-workflow-manage-requests-approvals.md)

+ Title: Self-service hybrid data access workflows

+description: This article describes how to create and manage hybrid self-service data access workflows in Azure Purview.

+# Self-service data access workflows for hybrid data estates

+This guide will take you through the creation and management of self-service data access [workflows](concept-workflow.md) for hybrid data estates.

+## Create and enable self-service data access workflow

+1. Sign in to [Azure Purview Studio](https://web.purview.azure.com/resource/) and select the Management center. You'll see three new icons in the table of contents.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/workflow-section.png" alt-text="Screenshot showing the management center left menu with the new workflow section highlighted.":::

+1. To create new workflows, select Authoring. This will take you to the workflow authoring experience.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/workflow-authoring-experience.png" alt-text="Screenshot showing the authoring workflows page, showing a list of all workflows.":::

+ >[!NOTE]

+ >If the authoring tab is greyed out, you don't have the permissions to be able to author workflows. You'll need the [workflow admin role](catalog-permissions.md).

+1. To create a new self-service workflow, select **+New** button.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/workflow-authoring-select-new.png" alt-text="Screenshot showing the authoring workflows page, with the + New button highlighted.":::

+1. You'll be presented with different categories workflows creatable in Azure Purview. To create **an access request workflow** Select **Governance** and select **Continue**.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/select-governance.png" alt-text="Screenshot showing the new workflow window, with the Governance option selected.":::

+1. In the next screen, you'll see all the templates provided by Azure Purview to create a self-service data access workflow. Select the template **Data access request** and select **Continue**.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/select-data-access-request.png" alt-text="Screenshot showing the new workflow window, with the Data access request option selected.":::

+1. Next, enter workflow a name and optionally add a description. Then select **Continue**.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/name-and-continue.png" alt-text="Screenshot showing the new workflow window, with a name entered in the textbox.":::

+1. You'll now be presented with a canvas where the selected template is loaded by default.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/workflow-canvas-inline.png" alt-text="Screenshot showing the workflow canvas with the selected template workflow steps displayed." lightbox="./media/how-to-workflow-self-service-data-access-hybrid/workflow-canvas-expanded.png":::

+ The template has the following steps:

+ 1. Trigger when a data access request is made.

+ 1. Approval connector that specifies a user or group that will be contacted to approve the request.

+ 1. Condition to check approval status

+ - If approved:

+ 1. Condition to check if data source is registered for use governance (policy)

+ 1. If a data source is registered with policy:

+ 1. Create self-service policy

+ 1. Send email to requestor that access is provided

+ 1. If data source isn't registered with policy:

+ 1. Task connector to assign a task to a user or Microsoft Azure Active Directory group to manually provide access to requestor.

+ 1. Send an email to requestor that access is provided once the task is complete.

+ - If rejected:

+ 1. Send an email to requestor that data access request is denied.

+1. The default template can be used as it is by populating two fields:

+ * Adding an approver's email address or Microsoft Azure Active Directory group in **Start and Wait for approval** Connector

+ * Adding a user's email address or Microsoft Azure Active Directory group in **Create task** connector to denote who is responsible for manually providing access if the source isn't registered with policy.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/required-fields-for-template-inline.png" alt-text="Screenshot showing the workflow canvas with the start and wait for an approval step, and the Create Task and wait for task completion steps highlighted, and the Assigned to textboxes highlighted within those steps." lightbox="./media/how-to-workflow-self-service-data-access-hybrid/required-fields-for-template-expanded.png":::

+ > [!NOTE]

+ > Please configure the workflow to create self-service policies ONLY for sources supported by Azure purview's policy feature. To see what's supported by policy, check the [Data owner policies documentation](tutorial-data-owner-policies-storage.md).

+1. You can also modify the template by adding more connectors to suit your organizational needs.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/more-connectors-inline.png" alt-text="Screenshot showing the workflow authoring canvas, with a + button highlighted on the arrow between the two top steps, and the Next Step button highlighted at the bottom of the workspace." lightbox="./media/how-to-workflow-self-service-data-access-hybrid/more-connectors-expanded.png":::

+1. Once you're done defining a workflow, you need to bind the workflow to a collection hierarchy path. The binding (or scoping) implies that this workflow is triggered only for data access requests in that collection. To bind a workflow or to apply a scope to a workflow, you need to select **Apply workflow**. Select the scope you want this workflow to be associated with and select **OK**.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/apply-workflow.png" alt-text="Screenshot showing the workflow workspace with the Apply workflow button selected at the top of the space, and the Apply workflow menu open, showing a list of items. One item is selected, and the O K button is highlighted at the bottom.":::

+ >[!NOTE]

+ > Purview workflow engine will always resolve to the closest workflow that the collection hierarchy path is associated with. In case a direct binding is not found, it will traverse up in the tree to find the workflow associated with the closest parent in the collection tree.

+1. By default, the workflow will be enabled. You can disable by selecting the Enable toggle.

+1. Finally select **Save and close** to create and enable the workflow.

+ :::image type="content" source="./media/how-to-workflow-self-service-data-access-hybrid/completed-workflows.png" alt-text="Screenshot showing the workflow authoring page with the newly created workflow listed among the other workflows.":::

+## Edit an existing workflow

+To modify an existing workflow, select the workflow and then select the **Edit** button. You'll now be presented with the canvas containing workflow definition. Modify the workflow and select **Save** to commit changes.

+## Disable a workflow

+To disable a workflow, you can select the workflow and then select **Disable**. You can also disable the workflow by selecting **Edit** and changing the enable toggle in workflow canvas then saving.

+## Delete a workflow

+To delete a workflow, select the workflow and then select **Delete**.

+## Next steps

+For more information about workflows, see these articles:

+- [What are Azure Purview workflows](concept-workflow.md)

+- [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)

+- [Manage workflow requests and approvals](how-to-workflow-manage-requests-approvals.md)

+- Windows authentication: You add the **password** as a secret in key vault.

+There are two ways to set up authentication for SQL server on-premises:

+- Windows Authentication

+#### Set up SQL server authentication

+If SQL Authentication is applied, ensure the SQL Server deployment is configured to allow SQL Server and Windows Authentication.

+If Windows Authentication is applied, configure the SQL Server deployment to use Windows Authentication mode.

+The account must have access to the **master** database. This is because the `sys.databases` is in the master database. The Azure Purview scanner needs to enumerate `sys.databases` in order to find all the SQL databases on the server.

+1. Navigate to SQL Server Management Studio (SSMS), connect to the server, navigate to security, select and hold (or right-click) on login and create New login. If Windows Authentication is applied, select "Windows authentication". If SQL Authentication is applied, make sure to select "SQL authentication".

+1. If SQL Authentication is applied, navigate again to the user you created, by selecting and holding (or right-clicking) and selecting **Properties**. Enter a new password and confirm it. Select the 'Specify old password' and enter the old password. **It is required to change your password as soon as you create a new login.**

+1. Finally, [create a new credential](manage-credentials.md#create-a-new-credential) using the **username** and **password** to set up your scan. Make sure the right authentication method is selected when creating a new credential. If SQL Authentication is applied, select "SQL authentication" as the authentication method. If Windows Authentication is applied, then select "Windows authentication".

+1. Select the credential to connect to your data source. The credentials are grouped and listed under different authentication methods.

+ :::image type="content" source="media/register-scan-on-premises-sql-server/on-premises-sql-set-up-scan-win-auth.png" alt-text="Set up scan":::

+> [!IMPORTANT]

+> Additional configuration may be required for your Power BI tenant and Azure Purview account, if you are planning to scan Power BI tenant through private network where either Azure Purview account, Power BI tenant or both are configured with private endpoint with public access denied.

+>

+> For more information related to Power BI network, see [How to configure private endpoints for accessing Power BI](/power-bi/enterprise/service-security-private-links).

+>

+If you are setting up an [Azure SQL indexer](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md) that connects to an Azure SQL managed instance, you'll need to enable a public endpoint on the managed instance as a prerequisite. By default, an indexer connects to a managed instance over a public endpoint.

+With configuration out of the way, you can now specify a [SQL Managed Instance as an indexer data source](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md).

+> [!NOTE]

+> If your indexer has an attached skillset that writes back to Azure Storage (for example, it creates a knowledge store or caches enriched content), a managed identity won't work if the storage account is behind a firewall or has IP restrictions. This is a known limitation that will be lifted when managed identity support for skillset scenarios becomes generally available. The solution is to use a full access connection string instead of a managed identity.

+> This capability is limited to blobs and ADLS Gen2 on Azure Storage. The trusted service exception is not supported for indexer connections to Azure Table Storage and Azure File Storage. It's also not currently supported for indexers that invoke skillsets that write to Azure Storage (knowledge store, enrichment cache, or debug sessions).

+| Azure Storage for text-based indexing (blobs, tables, ADLS Gen 2) | Supported only if the storage account and search service are in different regions. | Supported |

+| Azure Storage for AI enrichment (caching, knowledge store, debug sessions) | Supported only if the storage account and search service are in different regions, and when the search service connects using a full access connection string. Managed identity is not currently supported for write back operations to an IP restricted storage account. | Unsupported |

+> [!IMPORTANT]

+> Fields common to all schemas are described in the [ASIM schema overview](normalization-about-schemas.md#common). The following list mentions only fields that have specific guidelines for DNS events.

+>

+| **EventSubType** | Optional | Enumerated | Either `request` or `response`. <br><br>For most sources, [only the responses are logged](#guidelines-for-collecting-dns-events), and therefore the value is often **response**. |

+| <a name=eventresultdetails></a>**EventResultDetails** | Mandatory | Enumerated | For DNS events, this field provides the [DNS response code](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>**Note**: IANA doesn't define the case for the values, so analytics must normalize the case. If the source provides only a numerical response code and not a response code name, the parser must include a lookup table to enrich with this value. <br><br> If this record represents a request and not a response, set to **NA**. <br><br>Example: `NXDOMAIN` |

+| <a name=responsecodename></a>**DnsResponseCodeName** | Alias | | Alias to [EventResultDetails](#eventresultdetails) |

+> Fields common to all schemas are described in the [ASIM schema overview](normalization-about-schemas.md#common). The following list mentions only fields that have specific guidelines for network session events.

+Azure Service Bus already spreads the risk of catastrophic failures of individual machines or even complete racks across clusters that span multiple failure domains within a datacenter and it implements transparent failure detection and failover mechanisms such that the service will continue to operate within the assured service-levels and typically without noticeable interruptions when such failures occur. If a Service Bus namespace has been created with the enabled option for [availability zones](../availability-zones/az-overview.md), the outage risk is further spread across three physically separated facilities, and the service has enough capacity reserves to instantly cope with the complete, catastrophic loss of the entire facility.

+### How do I abort the migration?

+### What happens when I abort the migration?

+5. Click **View or Edit Capacity Reservation group assignment** to modify the capacity reservation settings. On triggering Failover, the new VM will be created in the assigned Capacity Reservation Group.

+ Capacity Reservation lets you purchase capacity in the recovery region, and then failover to that capacity. You can either create a new Capacity Reservation Group, or use an existing one. For more information on how capacity reservation works, [read here](https://aka.ms/on-demand-capacity-reservations-docs).

+1. Click **Create target resource** > **Enable Replication**.

+1. After the VMs are enabled for replication, you can check the status of VM health under **Replicated items**

+ APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME=true \

+ APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX=<your-agent-node-name> \

+ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-list.png" alt-text="Azure portal screenshot showing the Apps section." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-list.png":::

+ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-overview.png" alt-text="Azure portal screenshot the app's Overview page." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-overview.png":::

+ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-env.png" alt-text="Azure portal screenshot showing the 'Environment variables' section of the app's Configuration page." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-env.png":::

+ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-general.png" alt-text="Azure portal screenshot showing the 'General settings' section of the app's Configuration page, with 'JVM options' highlighted." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-general.png":::

+ "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME" : "true",

+ "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX" : "<your-agent-node-name>",

+ "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME" : "true",

+ "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX" : "<your-agent-node-name>",

+ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-api-gateway.jpg" alt-text="AppDynamics screenshot showing the Application Dashboard for the example api-gateway app." lightbox="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-api-gateway.jpg":::

+ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-customers-service.jpg" alt-text="AppDynamics screenshot showing the Application Dashboard for the example customers-service app." lightbox="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-customers-service.jpg":::

+Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.

+Authorizing blob data operations with Azure AD is supported only for REST API versions 2017-11-09 and later. For more information, see [Versioning for the Azure Storage services](/rest/api/storageservices/versioning-for-the-azure-storage-services#specifying-service-versions-in-requests).

+$container = New-AzStorageContainer -Name "myContainer" -Context $ctx

+$containerName = "myContainer"

+$demoContainer = "myContainer"

+$containerName = "myContainer"

+$blob = Get-AzStorageBlob -Blob "blue-moon.mp3" -Container "myContainer" -Context $ctx

+$container = "myContainer"

+$containerName = "myContainer"

+## Restore a deleted blob

+As mentioned in the [List blobs](#list-blobs) section, you can configure the soft delete data protection option on your storage account. When enabled, it's possible to restore blobs deleted within the associated retention period. You may also use versioning to maintain previous versions of your blobs for each recovery and restoration.

+If blob versioning and blob soft delete are both enabled, then modifying, overwriting, deleting, or restoring a blob automatically creates a new version. The method you'll use to restore a deleted blob will depend upon whether versioning is enabled on your storage account.

+The following code sample restores all soft-deleted blobs or, if versioning is enabled, restores the latest version of a blob. It first determines whether versioning is enabled with the `Get-AzStorageBlobServiceProperty` cmdlet.

+If versioning is enabled, the `Get-AzStorageBlob` cmdlet retrieves a list of all uniquely-named blob versions. Next, the blob versions on the list are retrieved and ordered by date. If no versions are found with the `LatestVersion` attribute value, the `Copy-AzBlob` cmdlet is used to make an active copy of the latest version.

+If versioning is disabled, the `BlobBaseClient.Undelete` method is used to restore each soft-deleted blob in the container.

+Before you can follow this example, you'll need to enable soft delete or versioning on at least one of your storage accounts.

+$accountName ="myStorageAccount"

+$groupName ="myResourceGroup"

+$containerName ="myContainer"

+$blobSvc = Get-AzStorageBlobServiceProperty `

+ -StorageAccountName $accountName `

+ -ResourceGroupName $groupName

+# If soft delete is enabled

+if($blobSvc.DeleteRetentionPolicy.Enabled)

+{

+ # If versioning is enabled

+ if($blobSvc.IsVersioningEnabled -eq $true)

+ {

+ # Set context

+ $ctx = New-AzStorageContext `

+ -StorageAccountName $accountName `

+ -UseConnectedAccount

+ # Get all blobs and versions using -Unique

+ # to avoid processing duplicates/versions

+ $blobs = Get-AzStorageBlob `

+ -Container $containerName `

+ -Context $ctx -IncludeVersion | `

+ Where-Object {$_.VersionId -ne $null} | `

+ Sort-Object -Property Name -Unique

+ # Iterate the collection

+ foreach ($blob in $blobs)

+ {

+ # Process versions

+ if($blob.VersionId -ne $null)

+ {

+

+ # Get all versions of the blob, newest to oldest

+ $delBlob = Get-AzStorageBlob `

+ -Container $containerName `

+ -Context $ctx `

+ -Prefix $blob.Name `

+ -IncludeDeleted -IncludeVersion | `

+ Sort-Object -Property VersionId -Descending

+ # Verify that the newest version is NOT the latest (that the version is "deleted")

+ if (-Not $delBlob[0].IsLatestVersion)

+ {

+ $delBlob[0] | Copy-AzStorageBlob `

+ -DestContainer $containerName `

+ -DestBlob $delBlob[0].Name

+ }

+

+ #Dispose the temporary object

+ $delBlob = $null

+ }

+ }

+ }

+ # Otherwise (if versioning is disabled)

+ else

+ {

+ $blobs = Get-AzStorageBlob `

+ -Container $containerName `

+ -Context $ctx -IncludeDeleted | `

+ Where-Object {$_.IsDeleted}

+ foreach($blob in $blobs)

+ {

+ if($blob.IsDeleted) { $blob.BlobBaseClient.Undelete() }

+ }

+ }

+}

+else

+ echo "Sorry, the delete retention policy is not enabled."

+- [Manage blob containers using PowerShell](blob-containers-powershell.md)

+> [!NOTE]

+> Static websites is an example of a partially supported feature because the configuration page for static websites does not yet appear in the Azure Portal for accounts that have NFS 3.0 support enabled. You can enable static websites only by using PowerShell or Azure CLI.