+&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6%20offline_access%20https://{tenant-name}/{app-id-uri}/{scope}

+|`SIGN_UP_SIGN_IN_POLICY_AUTHORITY`|The **Sign in and sign up** user flow authority such as `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<sign-in-sign-up-user-flow-name>`. Replace `<your-tenant-name>` with the name of your tenant and `<sign-in-sign-up-user-flow-name>` with the name of your Sign in and Sign up user flow such as `B2C_1_susi`. Learn how to [Get your tenant name](tenant-management.md#get-your-tenant-name). |

+|`LOGOUT_ENDPOINT`| The Azure AD B2C sign out endpoint such as `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<sign-in-sign-up-user-flow-name>/oauth2/v2.0/logout?post_logout_redirect_uri=http://localhost:3000`. Replace `<your-tenant-name>` with the name of your tenant and `<sign-in-sign-up-user-flow-name>` with the name of your Sign in and Sign up user flow such as `B2C_1_susi`.|

+1. After the page with the **Sign in** button completes loading, select **Sign in**. You're prompted to sign in.

+ Title: Set up direct sign in using Azure Active Directory B2C

+description: Learn how to prepopulate the sign in name or redirect straight to a social identity provider.

+# Set up direct sign in using Azure Active Directory B2C

+When you set up sign-in for your application using Azure Active Directory B2C (Azure AD B2C), you can prepopulate the sign-in name or directly sign in to a specific social identity provider, such as Facebook, LinkedIn, or a Microsoft account.

+## Prepopulate the sign in name

+To support sign in hint parameter, override the `SelfAsserted-LocalAccountSignin-Email` technical profile. In the `<InputClaims>` section, set the DefaultValue of the signInName claim to `{OIDC:LoginHint}`. The `{OIDC:LoginHint}` variable contains the value of the `login_hint` parameter. Azure AD B2C reads the value of the signInName claim and pre-populates the signInName textbox.

+## Redirect sign in to a social provider

+If you configured the sign-in journey for your application to include social accounts, such as Facebook, LinkedIn, or Google, you can specify the `domain_hint` parameter. This query parameter provides a hint to Azure AD B2C about the social identity provider that should be used for sign-in. For example, if the application specifies `domain_hint=facebook.com`, sign in goes directly to the Facebook sign in page.

+ Title: Single-page application sign in using the OAuth 2.0 implicit flow in Azure Active Directory B2C

+description: Learn how to add single-page sign in using the OAuth 2.0 implicit flow with Azure Active Directory B2C.

+# Single-page application sign in using the OAuth 2.0 implicit flow in Azure Active Directory B2C

+Some frameworks, like [MSAL.js 1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core), only support the implicit grant flow. In these cases, Azure Active Directory B2C (Azure AD B2C) supports the OAuth 2.0 authorization implicit grant flow. The flow is described in [section 4.2 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749). In implicit flow, the app receives tokens directly from the Azure AD B2C authorize endpoint, without any server-to-server exchange. All authentication logic and session handling is done entirely in the JavaScript client with either a page redirect or a pop-up box.

+Azure AD B2C extends the standard OAuth 2.0 implicit flow to more than simple authentication and authorization. Azure AD B2C introduces the [policy parameter](user-flow-overview.md). With the policy parameter, you can use OAuth 2.0 to add policies to your app, such as sign up, sign in, and profile management user flows. In the example HTTP requests in this article, we use **{tenant}.onmicrosoft.com** for illustration. Replace `{tenant}` with [the name of your tenant](tenant-management.md#get-your-tenant-name) if you have one. Also, you need to have [created a user flow](tutorial-create-user-flows.md?pivots=b2c-user-flow).

+We use the following figure to illustrate implicit sign in flow. Each step is described in detail later in the article.

+When your web application needs to authenticate the user and run a user flow, it directs the user to the Azure AD B2C's `/authorize` endpoint. The user takes action depending on the user flow.

+In this request, the client indicates the permissions that it needs to acquire from the user in the `scope` parameter and the user flow to run. To get a feel for how the request works, try pasting the request into a browser and running it. Replace:

+- `{tenant}` with the name of your Azure AD B2C tenant.

+- `90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6` with the app ID of the application you've registered in your tenant.

+- `{policy}` with the name of a policy you've created in your tenant, for example `b2c_1_sign_in`.

+The parameters in the HTTP GET request are explained in the table below.

+| response_type | Yes | Must include `id_token` for OpenID Connect sign in. It can also include the response type `token`. If you use `token`, your app can immediately receive an access token from the authorize endpoint, without making a second request to the authorize endpoint. If you use the `token` response type, the `scope` parameter must contain a scope that indicates which resource to issue the token for. |

+| redirect_uri | No | The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs that you added to a registered application in the portal, except that it must be URL-encoded. |

+| state | No | A value included in the request that also is returned in the token response. It can be a string of any content that you want to use. Usually, a randomly generated, unique value is used, to prevent cross-site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred, for example, the page the user was on, or the user flow that was being executed. |

+This is the interactive part of the flow. The user is asked to complete the policy's workflow. The user might have to enter their username and password, sign in with a social identity, sign up for a local account, or any other number of steps. User actions depend on how the user flow is defined.

+After the user completes the user flow, Azure AD B2C returns a response to your app via the `redirect_uri`. It uses the method specified in the `response_mode` parameter. The response is exactly the same for each of the user action scenarios, independent of the user flow that was executed.

+| access_token | The access token that the app requested from Azure AD B2C.|

+| token_type | The token type value. The only type that Azure AD B2C supports is Bearer. |

+Azure AD B2C has an OpenID Connect metadata endpoint. An app can use the endpoint to fetch information about Azure AD B2C at runtime. This information includes endpoints, token contents, and token signing keys. There is a JSON metadata document for each user flow in your Azure AD B2C tenant. For example, the metadata document for a user flow named `b2c_1_sign_in` in a `fabrikamb2c.onmicrosoft.com` tenant is located at:

+To determine which user flow was used to sign an ID token (and where to fetch the metadata from), you can use any of following options:

+- Encode the user flow in the value of the `state` parameter when you issue the request. Then, decode the `state` parameter to determine which user flow was used.

+If the only thing your web apps needs to do is execute user flows, you can skip the next few sections. The information in the following sections is applicable only to web apps that need to make authenticated calls to a web API that is protected by Azure AD B2C itself.

+By setting the `prompt=none` parameter, this request either succeeds or fails immediately, and returns to your application. A successful response is sent to your app via the redirect URI, by using the method specified in the `response_mode` parameter.

+## Send a sign out request

+When you want to sign the user out of the app, redirect the user to Azure AD B2C's sign out endpoint. You can then clear the user's session in the app. If you don't redirect the user, they might be able to reauthenticate to your app without entering their credentials again because they have a valid single sign-on session with Azure AD B2C.

+| {tenant} | Yes | Name of your Azure AD B2C tenant. |

+| {policy} | Yes | The user flow that you want to use to sign the user out of your application. This needs to be the same user flow that the app used to sign the user in. |

+> Directing the user to the `end_session_endpoint` clears some of the user's single sign-on state with Azure AD B2C. However, it doesn't sign the user out of the user's social identity provider session. If the user selects the same identity provider during a subsequent sign in, the user is re-authenticated, without entering their credentials. If a user wants to sign out of your Azure AD B2C application, it does not necessarily mean they want to completely sign out of their Facebook account, for example. However, for local accounts, the user's session will be ended properly.

+| [auth-code-flow-nodejs](https://github.com/Azure-Samples/active-directory-b2c-msal-node-sign-in-sign-out-webapp) | A Node.js app that shows how to enable authentication (sign in, sign out and profile edit) in a Node.js web application using Azure Active Directory B2C. The web app uses MSAL-node.|

+In this sample tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with [Transmit Security's](https://www.transmitsecurity.com/bindid) passwordless authentication solution **BindID**. BindID is a passwordless authentication service that uses strong Fast Identity Online (FIDO2) biometric authentication for a reliable omni-channel authentication experience. The solution ensures a smooth sign in experience for all customers across every device and channel, and it eliminates fraud, phishing, and credential reuse.

+| 1. | User opens Azure AD B2C's sign in page, and then signs in or signs up by entering their username.

+| 2. | Azure AD B2C redirects the user to BindID using an OpenID Connect (OIDC) request.

+| 6. | User is either granted or denied access to the customer application based on the verification results.

+- If you haven't already done so, [register](./tutorial-register-applications.md) a web application in the Azure portal.

+- Ability to use Azure AD B2C custom policies. If you can't, complete the steps in [Get started with custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy) to learn how to use custom policies.

+## Step 1: Register an app in BindID

+Follow the steps in [Configure Your Application](https://developer.bindid.io/docs/guides/quickstart/topics/quickstart_web#step-1-configure-your-application) to add you an application in [BindID Admin Portal](https://admin.bindid-sandbox.io/console/). The following information is needed:

+| Name | Name of your application such as `Azure AD B2C BindID app`|

+| Domain | Enter `your-B2C-tenant-name.onmicrosoft.com`. Replace `your-B2C-tenant` with the name of your Azure AD B2C tenant.|

+| Redirect URIs | [https://jwt.ms/](https://jwt.ms/)

+| Redirect URLs | Enter `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-B2C-tenant` with the name of your Azure AD B2C tenant. If you use a custom domain, replace `your-B2C-tenant-name.b2clogin.com` with your custom domain such as `contoso.com`.|

+After you register the app in BindID, you'll get a **Client ID** and a **Client Secret**. Record the values as you'll need them later to configure BindID as an identity provider in Azure AD B2C.

+## Step 2: Configure BindID as an identity provider in Azure AD B2C

+1. Sign in to the [Azure portal](https://portal.azure.com/#home) as the global administrator of your Azure AD B2C tenant.

+1. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ 1. Select the **Directories + subscriptions** icon in the portal toolbar.

+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

+1. In the top-left corner of the Azure portal, select **All services**, and then search for and select **Azure AD B2C**.

+1. Select **Identity providers**, and then select **New OpenID Connect provider**.

+1. Enter a **Name**. For example, enter `Login with BindID`.

+1. For **Metadata url**, enter `https://signin.bindid-sandbox.io/.well-known/openid-configuration`.

+1. For **Client ID**, enter the client ID that you previously recorded in [step 1](#step-1-register-an-app-in-bindid).

+1. For **Client secret**, enter the Client secret that you previously recorded in [step 1](#step-1-register-an-app-in-bindid).

+1. For the **Scope**, enter the `openid email`.

+1. For **Response type**, select **code**.

+1. For **Response mode**, select **form_post**.

+1. Under **Identity provider claims mapping**, select the following claims:

+

+ 1. **User ID**: `sub`

+ 1. **Email**: `email`

+1. Select **Save**.

+## Step 3: Create a user flow

+1. In your Azure AD B2C tenant, under **Policies**, select **User flows**.

+1. Select **New user flow**.

+1. Select **Sign up and sign in** user flow type,and then select **Create**.

+1. Enter a **Name** for your user flow such as `signupsignin`.

+1. Under **Identity providers**:

+

+ 1. For **Local Accounts**, select **None** to disable email and password-based authentication.

+

+ 1. For **Custom identity providers**, select your newly created BindID Identity provider such as **Login with BindID**.

+1. Select **Create**

+## Step 4: Test your user flow

+1. In your Azure AD B2C tenant, select **User flows**.

+1. Select the newly created user flow such as **B2C_1_signupsignin**.

+1. For **Application**, select the web application that you previously registered as part of this article's prerequisites. The **Reply URL** should show `https://jwt.ms`.

+1. Select the **Run user flow** button. Your browser should be redirected to the BindID sign in page.

+1. Enter the registered account email and authenticates using appless FIDO2 biometrics, such as fingerprint. Once the authentication challenge is accepted, your browser should be redirect to `https://jwt.ms` which displays the contents of the token returned by Azure AD B2C.

+## Step 2: Create a BindID policy key

+Add your BindID application's client Secret as a policy key:

+1. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ 1. Select the **Directories + subscriptions** icon in the portal toolbar.

+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

+1. On the Overview page, under **Policies**, select **Identity Experience Framework**.

+1. Select **Policy Keys** and then select **Add**.

+1. For **Options**, choose `Manual`.

+1. Enter a **Name** for the policy key. For example, `BindIDClientSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.

+1. In **Secret**, enter your client secret that you previously recorded in [step 1](#step-1-register-an-app-in-bindid).

+1. For **Key usage**, select `Signature`.

+1. Select **Create**.

+## Step 3: Configure BindID as an Identity provider

+To enable users to sign in using BindID, you need to define BindID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated using digital identity available on their device, proving the userΓÇÖs identity.

+Use the following steps to add BindID as a claims provider:

+1. Get the custom policy starter packs from GitHub, then update the XML files in the SocialAndLocalAccounts starter pack with your Azure AD B2C tenant name:

+

+ 1. [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository:

+ ```

+ git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack

+ ```

+

+ 1. In all of the files in the **LocalAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.

+1. Open the `LocalAccounts/ TrustFrameworkExtensions.xml`.

+1. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element.

+1. Add a new **ClaimsProvider** similar to the one shown below:

+ ```xml

+ <ClaimsProvider>

+ <Domain>signin.bindid-sandbox.io</Domain>

+ <TechnicalProfiles>

+ <TechnicalProfile Id="BindID-OpenIdConnect">

+ <DisplayName>BindID</DisplayName>

+ <Protocol Name="OpenIdConnect" />

+ <Metadata>

+ <Item Key="METADATA">https://signin.bindid-sandbox.io/.well-known/openid-configuration</Item>

+ <!-- Update the Client ID below to the BindID Application ID -->

+ <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>

+ <Item Key="response_types">code</Item>

+ <Item Key="scope">openid email</Item>

+ <Item Key="response_mode">form_post</Item>

+ <Item Key="HttpBinding">POST</Item>

+ <Item Key="UsePolicyInRedirectUri">false</Item>

+ <Item Key="AccessTokenResponseFormat">json</Item>

+ </Metadata>

+ <CryptographicKeys>

+ <Key Id="client_secret" StorageReferenceId="B2C_1A_BindIDClientSecret" />

+ </CryptographicKeys>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />

+ <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />

+ <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />

+ <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />

+ </OutputClaims>

+ <OutputClaimsTransformations>

+ <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />

+ <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />

+ <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />

+ </OutputClaimsTransformations>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />

+ </TechnicalProfile>

+ </TechnicalProfiles>

+ </ClaimsProvider>

+ ```

+1. Set **client_id** with the BindID Application ID that you previously recorded in [step 1](#step-1-register-an-app-in-bindid).

+1. Save the changes.

+## Step 4: Add a user journey

+At this point, you've set up the identity provider, but it's not yet available in any of the sign in pages. If you've your own custom user journey continue to [step 5](#step-5-add-the-identity-provider-to-a-user-journey), otherwise, create a duplicate of an existing template user journey as follows:

+1. Open the `LocalAccounts/ TrustFrameworkBase.xml` file from the starter pack.

+1. Find and copy the entire contents of the **UserJourney** element that includes `Id=SignUpOrSignIn`.

+1. Open the `LocalAccounts/ TrustFrameworkExtensions.xml` and find the **UserJourneys** element. If the element doesn't exist, add one.

+1. Paste the entire content of the UserJourney element that you copied as a child of the UserJourneys element.

+1. Rename the `Id` of the user journey. For example, `Id=CustomSignUpSignIn`

+## Step 5: Add the identity provider to a user journey

+1. Find the orchestration step element that includes `Type=CombinedSignInAndSignUp`, or `Type=ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers that a user can sign in with. The order of the elements controls the order of the sign in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name, such as `BindIDExchange`.

+1. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID to link the BindID button to `BindID-SignIn` action. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier while adding the claims provider.

+ <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">

+ <ClaimsProviderSelections>

+ ...

+ <ClaimsProviderSelection TargetClaimsExchangeId="BindIDExchange" />

+ </ClaimsProviderSelections>

+ ...

+ </OrchestrationStep>

+

+ <OrchestrationStep Order="2" Type="ClaimsExchange">

+ ...

+ <ClaimsExchanges>

+ <ClaimsExchange Id="BindIDExchange" TechnicalProfileReferenceId="BindID-OpenIdConnect" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+## Step 6: Configure the relying party policy

+The relying party policy, for example [SignUpOrSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/LocalAccounts/SignUpOrSignin.xml), specifies the user journey which Azure AD B2C will execute. You can also control what claims are passed to your application by adjusting the **OutputClaims** element of the **PolicyProfile** TechnicalProfile element. In this sample, the application receives the user attributes such as display name, given name, surname, email, objectId, identity provider, and tenantId.

+## Step 7: Upload the custom policy

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ 1. Select the **Directories + subscriptions** icon in the portal toolbar.

+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

+1. In the [Azure portal](https://portal.azure.com), search for and select **Azure AD B2C**.

+1. Under **Policies**, select **Identity Experience Framework**.

+1. Select **Upload Custom Policy**, and then upload the files in the **LocalAccounts** starter pack in the following order: the base policy, for example `TrustFrameworkBase.xml`, the localization policy, for example `TrustFrameworkLocalization.xml`, the extension policy, for example `TrustFrameworkExtensions.xml`, and the relying party policy, such as `SignUpOrSignIn.xml`.

+## Step 8: Test your custom policy

+1. In your Azure AD B2C tenant blade, and under **Policies**, select **Identity Experience Framework**.

+

+1. Under **Custom policies**, select **B2C_1A_signup_signin**.

+1. For **Application**, select the web application that you previously registered as part of this article's prerequisites. The **Reply URL** should show `https://jwt.ms`.

+1. Select **Run now**. Your browser should be redirected to the BindID sign in page.

+1. Enter the registered account email and authenticates using appless FIDO2 biometrics, such as fingerprint. Once the authentication challenge is accepted, your browser should be redirect to `https://jwt.ms` which displays the contents of the token returned by Azure AD B2C.

+- [Sample custom policies for BindID and Azure AD B2C integration](https://github.com/TransmitSecurity/azure-ad-b2c-bindid-integration)

+After you register your app, it communicates with Azure AD B2C by sending requests to the endpoint:

+* The **authorization server** is the Azure AD B2C endpoint. It securely handles anything related to user information and access. It also handles the trust relationships between the parties in a flow. It is responsible for verifying the user's identity, granting and revoking access to resources, and issuing tokens. It is also known as the identity provider.

+Azure AD B2C extends the standard OAuth 2.0 and OpenID Connect protocols by introducing policies. These allow Azure AD B2C to perform much more than simple authentication and authorization.

+To help you set up the most common identity tasks, the Azure AD B2C portal includes predefined, configurable policies called **user flows**. User flows fully describe consumer identity experiences, including sign up, sign in, and profile editing. User flows can be defined in an administrative UI. They can be executed by using a special query parameter in HTTP authentication requests.

+The bearer is any party that can present the token. Azure AD B2C must first authenticate a party before it can receive a bearer token. But if the required steps are not taken to secure the token in transmission and storage, it can be intercepted and used by an unintended party.

+More information about the different types of tokens that are used in Azure AD B2C are available in [the Azure AD B2C token reference](tokens-overview.md).

+> Make sure you include the header row in your CSV file.

+| CA Certificate Info |= |Downloaded CRL Info|

+### Example 1 prompt for all credentials

+### Example 2 prompt for cloud credential

+### Example 3 prompt for all credentials using modern authentication

+### Example 4 prompt for cloud credentials using modern authentication

+ > [!NOTE]

+ > If you are working on a domain-joined machine with an account that has domain administrator privileges and your organization protects password-based sign-in and enforces modern authentication methods such as multifactor authentication, FIDO2, or smart card technology, you must use the `-UserPrincipalName` parameter with the User Principal Name (UPN) of a global administrator. And you can skip the "-DomainCredential" parameter.

+ > - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.

+ > - Replace `administrator@contoso.onmicrosoft.com` in the following example with the UPN of a global administrator.

+ ```powershell

+ # Specify the on-premises Active Directory domain. A new Azure AD

+ # Kerberos Server object will be created in this Active Directory domain.

+ $domain = "contoso.corp.com"

+ # Enter a UPN of an Azure Active Directory global administrator

+ $userPrincipalName = "administrator@contoso.onmicrosoft.com"

+ # Create the new Azure AD Kerberos Server object in Active Directory

+ # and then publish it to Azure Active Directory.

+ # Open an interactive sign-in prompt with given username to access the Azure AD.

+ Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName

+ ```

+### What if I have a CloudTGT but it never gets exchange for a OnPremTGT when I am using Windows Hello for Business Cloud Trust?

+Make sure that the user you are signed in as, is a member of the groups of users that can use FIDO2 as an authentication method, or enable it for all users.

+> [!NOTE]

+> Even if you are not explicitly using a security key to sign-in to your device, the underlying technology is dependent on the FIDO2 infrastructure requirements.

+3. If there's a firewall between your servers and Azure AD, configure see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.

+>[!NOTE]

+> Installing the cloud provisioning agent on Windows Server Core is not supported.

+## Firewall and Proxy requirements

+If there's a firewall between your servers and Azure AD, configure the following items:

+- Ensure that agents can make *outbound* requests to Azure AD over the following ports:

+ | Port number | How it's used |

+ | | |

+ | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate. |

+ | **443** | Handles all outbound communication with the service. |

+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |

+

+- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.

+- If your firewall or proxy allows you to specify safe suffixes, add connections:

+#### [Public Cloud](#tab/public-cloud)

+ |URL |How it's used|

+ |--|--|

+ |&#42;.msappproxy.net</br>&#42;.servicebus.windows.net|The agent uses these URLs to communicate with the Azure AD cloud service. |

+ |&#42;.microsoftonline.com</br>&#42;.microsoft.com</br>&#42;.msappproxy.com</br>&#42;.windowsazure.com|The agent uses these URLs to communicate with the Azure AD cloud service. |

+ |`mscrl.microsoft.com:80` </br>`crl.microsoft.com:80` </br>`ocsp.msocsp.com:80` </br>`www.microsoft.com:80`| The agent uses these URLs to verify certificates.|

+ |login.windows.net</br>|The agent uses these URLs during the registration process.

+#### [U.S. Government Cloud](#tab/us-government-cloud)

+ |URL |How it's used|

+ |--|--|

+ |&#42;.msappproxy.us</br>&#42;.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Azure AD cloud service. |

+ |`mscrl.microsoft.us:80` </br>`crl.microsoft.us:80` </br>`ocsp.msocsp.us:80` </br>`www.microsoft.us:80`| The agent uses these URLs to verify certificates.|

+ |login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctldl.windowsupdate.us:80| The agent uses these URLs during the registration process.

+- If you are unable to add connections, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.

+If the key is being stored somewhere or hardcoded in your application, you can manually retrieve the key and update it accordingly by performing a manual rollover as per the instructions at the end of this guidance document. **It is strongly encouraged that you enhance your application to support automatic rollover** using any of the approaches outline in this article to avoid future disruptions and overhead if the Microsoft identity platform increases its rollover cadence or has an emergency out-of-band rollover.

+You can validate whether your application supports automatic key rollover by using the following PowerShell scripts.

+To check and update signing keys with PowerShell, you'll need the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module.

+1. Install the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module:

+ ```powershell

+ Install-Module -Name MSIdentityTools

+ ```

+1. Sign in by using the Connect-MgGraph command with an admin account to consent to the required scopes:

+ ```powershell

+ Connect-MgGraph -Scope "Application.ReadWrite.All"

+ ```

+1. Get the list of available signing key thumbprints:

+ ```powershell

+ Get-MsIdSigningKeyThumbprint

+ ```

+1. Pick any of the key thumbprints and configure Azure Active Directory to use that key with your application (get the app ID from the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)):

+ ```powershell

+ Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -KeyThumbprint <Thumbprint>

+ ```

+1. Test the web application by signing in to get a new token. The key update change is instantaneous, but make sure you use a new browser session (using, for example, Internet Explorer's "InPrivate," Chrome's "Incognito," or Firefox's "Private" mode) to ensure you are issued a new token.

+1. For each of the returned signing key thumbprints, run the `Update-MsIdApplicationSigningKeyThumbprint` cmdlet and test your web application sign-in process.

+1. If the web application signs you in properly, it supports automatic rollover. If it doesn't, modify your application to support manual rollover. Check out [Establishing a manual rollover process](#how-to-perform-a-manual-rollover-if-your-application-does-not-support-automatic-rollover) for more information.

+1. Run the following script to revert to normal behavior:

+ ```powershell

+ Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -Default

+ ```

+If your application doesn't support automatic rollover, you need to establish a process that periodically monitors Microsoft identity platform's signing keys and performs a manual rollover accordingly.

+To check and update signing keys with PowerShell, you'll need the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module.

+1. Install the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module:

+ ```powershell

+ Install-Module -Name MSIdentityTools

+ ```

+1. Get the latest signing key (get the tenant ID from the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)):

+ ```powershell

+ Get-MsIdSigningKeyThumbprint -Tenant <tenandId> -Latest

+ ```

+1. Compare this key against the key your application is currently hardcoded or configured to use.

+1. If the latest key is different from the key your application is using, download the latest signing key:

+ ```powershell

+ Get-MsIdSigningKeyThumbprint -Latest -DownloadPath <DownloadFolderPath>

+ ```

+1. Update your application's code or configuration to use the new key.

+1. Configure Azure Active Directory to use that latest key with your application (get the app ID from the [portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)):

+ ```powershell

+ Get-MsIdSigningKeyThumbprint -Latest | Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId>

+ ```

+1. Test the web application by signing in to get a new token. The key update change is instantaneous, but make sure you use a new browser session (using, for example, Internet Explorer's "InPrivate," Chrome's "Incognito," or Firefox's "Private" mode) to ensure you are issued a new token.

+1. If you experience any issues, revert to the previous key you were using and contact Azure support:

+ ```powershell

+ Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -KeyThumbprint <PreviousKeyThumbprint>

+ ```

+1. After you update your application to support manual rollover, revert to normal behavior:

+ ```powershell

+ Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -Default

+ ```

+- The user performing verification must sign in using [multi-factor authentication](../authentication/howto-mfa-getstarted.md).

+If you're unable to complete the process or are experiencing unexpected behavior with [publisher verification](publisher-verification-overview.md), you should start by doing the following if you're receiving errors or seeing unexpected behavior:

+1. Review the [requirements](publisher-verification-overview.md#requirements) and ensure they've all been met.

+ 1. If an MPN account already exists, this will be recognized and you'll be added to the account

+ 1. Select the desired admin role

+ 1. Go to the [MPN tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the instructions [here](/partner-center/multi-tenant-account). Be aware that all Global Admins of any tenant you add will be granted Global Admin privileges on your Partner Center account.

+ 1. Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Admin, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions [here](/partner-center/create-user-accounts-and-set-permissions).

+ Your app registrations may have been created using a different user account in this tenant, a personal/consumer account, or in a different tenant. Ensure you're signed in with the correct account in the tenant where your app registrations were created.

+ Ensure [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) is enabled and **required** for the user you're signing in with and for this scenario. For example, MFA could be:

+ - Always required for the user you're signing in with

+ - [Required for the type of administrator](../conditional-access/howto-conditional-access-policy-admin-mfa.md) you're signing in with.

+If you're having an issue but unable to understand why based on what you are seeing in the UI, it may be helpful to perform further troubleshooting by using Microsoft Graph calls to perform the same operations you can perform in the App Registration portal.

+The easiest way to make these requests is to use [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). You may also consider other options like using [Postman](https://www.postman.com/), or using PowerShell to [invoke a web request](/powershell/module/microsoft.powershell.utility/invoke-webrequest).

+The MPN ID you provided (`MPNID`) doesn't exist, or you don't have access to it. Provide a valid MPN ID and try again.

+The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again.

+The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again.

+The MPN ID (`MPNID`) you provided hasn't completed the vetting process. Complete this process in Partner Center and try again.

+Most commonly caused by when the MPN account hasn't completed the [verification](/partner-center/verification-responses) process.

+The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again.

+The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again.

+The target application (`AppId`) canΓÇÖt be found. Provide a valid application ID and try again.

+This capability isn't supported in an Azure AD B2C tenant.

+This capability isn't supported in an email verified tenant.

+Occurs when a [Publisher Domain](howto-configure-publisher-domain.md) isn't configured on the app.

+The target application's Publisher Domain (`publisherDomain`) doesn't match the domain used to perform email verification in Partner Center (`pcDomain`). Ensure these domains match and try again.

+You aren't authorized to set the verified publisher property on application (<`AppId`)

+The MPN ID wasn't provided in the request body or the request content type wasn't "application/json".

+This feature isn't supported for Microsoft consumer accounts. Only applications registered in Azure AD by an Azure AD user are supported.

+Occurs when multi-factor authentication hasn't been performed before attempting to add a verified publisher to the app. See [common issues](#common-issues) for more information. Note: MFA must be performed in the same session when attempting to add a verified publisher. If MFA is enabled but not required to be performed in the session, the request will fail.

+The error message displayed will be: "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to proceed."

+One of these error messages are displayed: "A verified publisher canΓÇÖt be added to this application. Contact your administrator for assistance.", or "You're unable to add a verified publisher to this application. Contact your administrator for assistance."

+When a request to add a verified publisher is made, many signals are used to make a security risk assessment. If the request is determined to be risky an error will be returned. For security reasons, Microsoft doesn't disclose the specific criteria used to determine whether a request is risky or not. If you received this error and believe the "risky" assessment is incorrect, try waiting and resubmitting the verification request. Some customers have reported success after multiple attempts.

+If you've reviewed all of the previous information and are still receiving an error from Microsoft Graph, gather as much of the following information as possible related to the failing request and [contact Microsoft support](developer-support-help-options.md#create-an-azure-support-request).

+## Client limitations

+As of May 2018, some implicit-flow derived `id_token` can't be used for OBO flow. Single-page apps (SPAs) should pass an **access** token to a middle-tier confidential client to perform OBO flows instead.

+If a client uses the implicit flow to get an id_token, and that client also has wildcards in a reply URL, the id_token can't be used for an OBO flow. However, access tokens acquired through the implicit grant flow can still be redeemed by a confidential client even if the initiating client has a wildcard reply URL registered.

+Additionally, applications with custom signing keys cannot be used as middle-tier API's in the OBO flow (this includes enterprise applications configured for single sign-on). This will result in an error because tokens signed with a key controlled by the client cannot be safely accepted.

+<!-- _This article was originally contributed by [Umesh Barapatre](https://github.com/umeshbarapatre)._ -->

+> [!NOTE]

+> Search SharePoint Site by site name or an exact URL as the search box is case sensitive.

+[Delegate access governance to access package managers](entitlement-management-delegate-managers.md)

+> [!IMPORTANT]

+> The following guidance applies only to the following:

+> - the pass-through authentication agent

+> - [Azure AD Application Proxy connector](../app-proxy/what-is-application-proxy.md)

+>

+> For information on URLS for the Azure Active Directory Connect Provisioning Agent see the [installation pre-requisites](../cloud-sync/how-to-prerequisites.md) for cloud sync.

+ Title: Sign-ins using legacy authentication workbook in Azure AD | Microsoft Docs

+description: Learn how to use the sign-ins using legacy authentication workbook.

+documentationcenter: ''

+editor: ''

+# Sign-ins using legacy authentication workbook

+Have you ever wondered how you can determine whether it is safe to turn off legacy authentication in your tenant? The sign-ins using legacy authentication workbook helps you to answer this question.

+This article gives you an overview of this workbook.

+## Description

+

+Azure AD supports several of the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication refers to basic authentication, which was once a widely used industry-standard method for passing user name and password information through a client to an identity provider.

+Examples of applications that commonly or only use legacy authentication are:

+- Microsoft Office 2013 or older.

+- Apps using legacy auth with mail protocols like POP, IMAP, and SMTP AUTH.

+Single-factor authentication (for example, username and password) doesnΓÇÖt provide the required level of protection for todayΓÇÖs computing environments. Passwords are bad as they are easy to guess and humans are bad at choosing good passwords.

+Unfortunately, legacy authentication:

+- Does not support multi-factor authentication (MFA) or other strong authentication methods.

+- Makes it impossible for your organization to move to passwordless authentication.

+To improve the security of your Azure AD tenant and experience of your users, you should disable legacy authentication. However, important user experiences in your tenant might depend on legacy authentication. Before shutting off legacy authentication, you may want to find those cases so you can migrate them to more secure authentication.

+The sign-ins using legacy authentication workbook lets you see all legacy authentication sign-ins in your environment so you can find and migrate critical workflows to more secure authentication methods before you shut off legacy authentication.

+

+

+## Sections

+With this workbook, you can distinguish between interactive and non-interactive sign-ins. This workbook highlights which legacy authentication protocols are used throughout your tenant.

+The data collection consists of three steps:

+1. Select a legacy authentication protocol, and then select an application to filter by users accessing that application.

+2. Select a user to see all their legacy authentication sign-ins to the selected app.

+3. View all legacy authentication sign-ins for the user to understand how legacy authentication is being used.

+

+## Filters

+This workbook supports multiple filters:

+- Time range (up to 90 days)

+- User principal name

+- Application

+- Status of the sign-in (success or failure)

+

+## Best practices

+- **[Enable risky sign-in policies](../identity-protection/concept-identity-protection-policies.md)** - To prompt for multi-factor authentication (MFA) on medium risk or above. Enabling the policy reduces the proportion of active real-time risk detections by allowing legitimate users to self-remediate the risk detections with MFA.

+- **[Enable a risky user policy](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-with-conditional-access)** - To enable users to securely remediate their accounts when they are high risk. Enabling the policy reduces the number of active at-risk users in your organization by returning the userΓÇÖs credentials to a safe state.

+## Next steps

+- To learn more about identity protection, see [What is identity protection](../identity-protection/overview-identity-protection.md).

+- For more information about Azure AD workbooks, see [How to use Azure AD workbooks](howto-use-azure-monitor-workbooks.md).

+Note that the Resource Health for an AKS cluster is different than the Resource Health of its individual resources (*Virtual Machines, ScaleSet Instances, Load Balancer, etc...*).

+Run checks on your cluster to further troubleshoot cluster issues by using [AKS Diagnostics](./concepts-diagnostics.md).

+AKS provides a managed Kubernetes service that reduces the complexity of deployment and core management tasks, like upgrade coordination. The Azure platform manages the AKS control plane, and you only pay for the AKS nodes that run your applications.

+ nginx.ingress.kubernetes.io/rewrite-target: /$2

+ ingressClassName: nginx

+ ingressClassName: nginx

+ingress.networking.k8s.io/hello-world-ingress created

+ingress.networking.k8s.io/hello-world-ingress-static created

+ nginx.ingress.kubernetes.io/rewrite-target: /$2

+ ingressClassName: nginx

+ingress.networking.k8s.io/hello-world-ingress created

+kubectl run -it --rm aks-ingress-test --image=mcr.microsoft.com/dotnet/runtime-deps:6.0 --namespace ingress-basic

+ ingressClassName: nginx

+ingress.networking.k8s.io/hello-world-ingress created

+ nginx.ingress.kubernetes.io/rewrite-target: /$2

+ ingressClassName: nginx

+ingress.networking.k8s.io/hello-world-ingress created

+ nginx.ingress.kubernetes.io/rewrite-target: /$2

+ ingressClassName: nginx

+ ingressClassName: nginx

+| `WEBSITE_PROACTIVE_AUTOHEAL_ENABLED` | By default, a VM instance is proactively "autohealed" when it's using more than 90% of allocated memory for more than 30 seconds, or when 80% of the total requests in the last two minutes take longer than 200 seconds. If a VM instance has triggered one of these rules, the recovery process is an overlapping restart of the instance. Set to `false` to disable this recovery behavior. The default is `true`. For more information, see [Proactive Auto Heal](https://azure.github.io/AppService/2017/08/17/Introducing-Proactive-Auto-Heal.html). ||

+The custom template or custom form model relies on a consistent visual template to extract the labeled data. The accuracy of your model is affected by variances in the visual structure of your documents. Structured forms such as questionnaires or applications are examples of consistent visual templates.

+Your training set will consist of structured documents where the formatting and layout are static and constant from one document instance to the next. Custom template models support key-value pairs, selection marks, tables, signature fields, and regions. Template models and can be trained on documents in any of the [supported languages](language-support.md). For more information, *see* [custom template models](concept-custom-template.md ).

+The custom neural (custom document) model uses deep learning models and base model trained on a large collection of documents. This model is then fine-tuned or adapted to your data when you train the model with a labeled dataset. Custom neural models support structured, semi-structured, and unstructured documents to extract fields. Custom neural models currently support English-language documents. When you're choosing between the two model types, start with a neural model if it meets your functional needs. See [neural models](concept-custom-neural.md) to learn more about custom document models.

+* Neural models support documents that have the same information, but different page structures. Examples of these documents include United States W2 forms, which share the same information, but may vary in appearance across companies. Neural models currently only support English text.

+| Feature | Resources | Model ID|

+|||:|

+|Custom model| <ul><li>[Form Recognizer labeling tool](https://fott-2-1.azurewebsites.net)</li><li>[REST API](quickstarts/try-sdk-rest-api.md?pivots=programming-language-rest-api#analyze-forms-with-a-custom-model)</li><li>[Client library SDK](quickstarts/try-sdk-rest-api.md)</li><li>[Form Recognizer Docker container](containers/form-recognizer-container-install-run.md?tabs=custom#run-the-container-with-the-docker-compose-up-command)</li></ul>|***custom-model-id***|

+| Feature | Resources | Model ID|

+|||:|

+|Custom model| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/customform/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/try-v3-csharp-sdk.md)</li><li>[Python SDK](quickstarts/try-v3-python-sdk.md)</li></ul>|***custom-model-id***|

+<!-- markdownlint-disable MD036 -->

+**Add the following code sample to the Program.cs file. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+___

+**Add the following code sample to the Program.cs file. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+**Add the following code sample to your Program.cs file. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+## Next step

+> [Learn more about Form Recognizer REST API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)

+[Reference documentation](/jav)

+### Create a new Gradle project

+### Install the client library

+ implementation(group = "com.azure", name = "azure-ai-formrecognizer", version = "4.0.0-beta.4")

+### Create a Java application

+To interact with the Form Recognizer service, you'll need to create an instance of the `DocumentAnalysisClient` class. To do so, you'll create an `AzureKeyCredential` with your key from the Azure portal and a `DocumentAnalysisClient` instance with the `AzureKeyCredential` and your Form Recognizer `endpoint`.

+1. Navigate to the `java` directory and create a file named **`FormRecognizer.java`**.

+1. Open the `FormRecognizer.java` file and select one of the following code samples to copy and paste into your application:

+ * [**General document**](#general-document-model)

+ * [**Layout**](#layout-model)

+ * [**Prebuilt Invoice**](#prebuilt-model)

+**Add the following code sample to the `FormRecognizer.java` file. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+ import com.azure.ai.formrecognizer.*;

+ import com.azure.ai.formrecognizer.models.AnalyzeResult;

+ import com.azure.ai.formrecognizer.models.DocumentLine;

+ import com.azure.ai.formrecognizer.models.AnalyzedDocument;

+ import com.azure.ai.formrecognizer.models.DocumentOperationResult;

+ import com.azure.ai.formrecognizer.models.DocumentWord;

+ import com.azure.ai.formrecognizer.models.DocumentTable;

+ import com.azure.core.credential.AzureKeyCredential;

+ import com.azure.core.util.polling.SyncPoller;

+ import java.util.List;

+ import java.util.Arrays;

+ public class FormRecognizer {

+ // set `<your-endpoint>` and `<your-key>` variables with the values from the Azure portal

+ private static final String endpoint = "<your-endpoint>";

+ private static final String key = "<your-key>";

+ public static void main(String[] args) {

+ // create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+ DocumentAnalysisClient client = new DocumentAnalysisClientBuilder()

+ .credential(new AzureKeyCredential(key))

+ .endpoint(endpoint)

+ .buildClient();

+ // sample document

+ String documentUrl = "https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-layout.pdf";

+ String modelId = "prebuilt-document";

+ SyncPoller < DocumentOperationResult, AnalyzeResult> analyzeDocumentPoller =

+ client.beginAnalyzeDocumentFromUrl(modelId, documentUrl);

+ AnalyzeResult analyzeResult = analyzeDocumentPoller.getFinalResult();

+ // pages

+ analyzeResult.getPages().forEach(documentPage -> {

+ System.out.printf("Page has width: %.2f and height: %.2f, measured with unit: %s%n",

+ documentPage.getWidth(),

+ documentPage.getHeight(),

+ documentPage.getUnit());

+ // lines

+ documentPage.getLines().forEach(documentLine ->

+ System.out.printf("Line %s is within a bounding box %s.%n",

+ documentLine.getContent(),

+ documentLine.getBoundingBox().toString()));

+ // words

+ documentPage.getWords().forEach(documentWord ->

+ System.out.printf("Word %s has a confidence score of %.2f%n.",

+ documentWord.getContent(),

+ documentWord.getConfidence()));

+ });

+ // tables

+ List <DocumentTable> tables = analyzeResult.getTables();

+ for (int i = 0; i < tables.size(); i++) {

+ DocumentTable documentTable = tables.get(i);

+ System.out.printf("Table %d has %d rows and %d columns.%n", i, documentTable.getRowCount(),

+ documentTable.getColumnCount());

+ documentTable.getCells().forEach(documentTableCell -> {

+ System.out.printf("Cell '%s', has row index %d and column index %d.%n",

+ documentTableCell.getContent(),

+ documentTableCell.getRowIndex(), documentTableCell.getColumnIndex());

+ });

+ System.out.println();

+ }

+ // Entities

+ analyzeResult.getEntities().forEach(documentEntity -> {

+ System.out.printf("Entity category : %s, sub-category %s%n: ",

+ documentEntity.getCategory(), documentEntity.getSubCategory());

+ System.out.printf("Entity content: %s%n: ", documentEntity.getContent());

+ System.out.printf("Entity confidence: %.2f%n", documentEntity.getConfidence());

+ });

+ // Key-value pairs

+ analyzeResult.getKeyValuePairs().forEach(documentKeyValuePair -> {

+ System.out.printf("Key content: %s%n", documentKeyValuePair.getKey().getContent());

+ System.out.printf("Key content bounding region: %s%n",

+ documentKeyValuePair.getKey().getBoundingRegions().toString());

+ if (documentKeyValuePair.getValue() != null) {

+ System.out.printf("Value content: %s%n", documentKeyValuePair.getValue().getContent());

+ System.out.printf("Value content bounding region: %s%n", documentKeyValuePair.getValue().getBoundingRegions().toString());

+ }

+### General document model output

+Visit the Azure samples repository on GitHub to view the [general document model output](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/jav).

+**Add the following code sample to the `FormRecognizer.java` file. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+ import com.azure.ai.formrecognizer.*;

+ import com.azure.ai.formrecognizer.models.AnalyzeResult;

+ import com.azure.ai.formrecognizer.models.DocumentLine;

+ import com.azure.ai.formrecognizer.models.AnalyzedDocument;

+ import com.azure.ai.formrecognizer.models.DocumentOperationResult;

+ import com.azure.ai.formrecognizer.models.DocumentWord;

+ import com.azure.ai.formrecognizer.models.DocumentTable;

+ import com.azure.core.credential.AzureKeyCredential;

+ import com.azure.core.util.polling.SyncPoller;

+ import java.util.List;

+ import java.util.Arrays;

+ public class FormRecognizer {

+ // set `<your-endpoint>` and `<your-key>` variables with the values from the Azure portal

+ private static final String endpoint = "<your-endpoint>";

+ private static final String key = "<your-key>";

+ public static void main(String[] args) {

+ // create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+ DocumentAnalysisClient client = new DocumentAnalysisClientBuilder()

+ .credential(new AzureKeyCredential(key))

+ .endpoint(endpoint)

+ .buildClient();

+ // sample document

+ String documentUrl = "https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-layout.pdf";

+ String modelId = "prebuilt-layout";

+ SyncPoller < DocumentOperationResult, AnalyzeResult > analyzeLayoutResultPoller =

+ client.beginAnalyzeDocumentFromUrl(modelId, documentUrl);

+ AnalyzeResult analyzeLayoutResult = analyzeLayoutResultPoller.getFinalResult();

+ // pages

+ analyzeLayoutResult.getPages().forEach(documentPage -> {

+ System.out.printf("Page has width: %.2f and height: %.2f, measured with unit: %s%n",

+ documentPage.getWidth(),

+ documentPage.getHeight(),

+ documentPage.getUnit());

+ // lines

+ documentPage.getLines().forEach(documentLine ->

+ System.out.printf("Line %s is within a bounding box %s.%n",

+ documentLine.getContent(),

+ documentLine.getBoundingBox().toString()));

+ // words

+ documentPage.getWords().forEach(documentWord ->

+ System.out.printf("Word '%s' has a confidence score of %.2f.%n",

+ documentWord.getContent(),

+ documentWord.getConfidence()));

+ // selection marks

+ documentPage.getSelectionMarks().forEach(documentSelectionMark ->

+ System.out.printf("Selection mark is %s and is within a bounding box %s with confidence %.2f.%n",

+ documentSelectionMark.getState().toString(),

+ documentSelectionMark.getBoundingBox().toString(),

+ documentSelectionMark.getConfidence()));

+ // tables

+ List < DocumentTable > tables = analyzeLayoutResult.getTables();

+ for (int i = 0; i < tables.size(); i++) {

+ DocumentTable documentTable = tables.get(i);

+ System.out.printf("Table %d has %d rows and %d columns.%n", i, documentTable.getRowCount(),

+ documentTable.getColumnCount());

+ documentTable.getCells().forEach(documentTableCell -> {

+ System.out.printf("Cell '%s', has row index %d and column index %d.%n", documentTableCell.getContent(),

+ documentTableCell.getRowIndex(), documentTableCell.getColumnIndex());

+ });

+ System.out.println();

+ }

+### Layout model output

+Visit the Azure samples repository on GitHub to view the [layout model output](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/jav).

+Analyze and extract common fields from specific document types using a prebuilt model. In this example, we'll analyze an invoice using the **prebuilt-invoice** model.

+**Add the following code sample to the `FormRecognizer.java` file. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+ import com.azure.ai.formrecognizer.*;

+ import com.azure.ai.formrecognizer.models.AnalyzeResult;

+ import com.azure.ai.formrecognizer.models.DocumentLine;

+ import com.azure.ai.formrecognizer.models.AnalyzedDocument;

+ import com.azure.ai.formrecognizer.models.DocumentOperationResult;

+ import com.azure.ai.formrecognizer.models.DocumentWord;

+ import com.azure.ai.formrecognizer.models.DocumentTable;

+ import com.azure.core.credential.AzureKeyCredential;

+ import com.azure.core.util.polling.SyncPoller;

+ import java.util.List;

+ import java.util.Arrays;

+ public class FormRecognizer {

+ // set `<your-endpoint>` and `<your-key>` variables with the values from the Azure portal

+ private static final String endpoint = "<your-endpoint>";

+ private static final String key = "<your-key>";

+ public static void main(final String[] args) throws IOException {

+

+ // create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+ DocumentAnalysisClient client = new DocumentAnalysisClientBuilder()

+ .credential(new AzureKeyCredential(key))

+ .endpoint(endpoint)

+ .buildClient();

+

+ // sample document

+ String invoiceUrl = "https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf";

+ SyncPoller < DocumentOperationResult, AnalyzeResult > analyzeInvoicePoller = client.beginAnalyzeDocumentFromUrl(modelId, invoiceUrl);

+ AnalyzeResult analyzeInvoiceResult = analyzeInvoicePoller.getFinalResult();

+ for (int i = 0; i < analyzeInvoiceResult.getDocuments().size(); i++) {

+ AnalyzedDocument analyzedInvoice = analyzeInvoiceResult.getDocuments().get(i);

+ Map < String, DocumentField > invoiceFields = analyzedInvoice.getFields();

+ System.out.printf("-- Analyzing invoice %d --%n", i);

+ System.out.printf("Analyzed document has doc type %s with confidence : %.2f%n.",

+ analyzedInvoice.getDocType(), analyzedInvoice.getConfidence());

+ DocumentField vendorNameField = invoiceFields.get("VendorName");

+ if (vendorNameField != null) {

+ if (DocumentFieldType.STRING == vendorNameField.getType()) {

+ String merchantName = vendorNameField.getValueString();

+ Float confidence = vendorNameField.getConfidence();

+ System.out.printf("Vendor Name: %s, confidence: %.2f%n",

+ merchantName, vendorNameField.getConfidence());

+ }

+ }

+ DocumentField vendorAddressField = invoiceFields.get("VendorAddress");

+ if (vendorAddressField != null) {

+ if (DocumentFieldType.STRING == vendorAddressField.getType()) {

+ String merchantAddress = vendorAddressField.getValueString();

+ System.out.printf("Vendor address: %s, confidence: %.2f%n",

+ merchantAddress, vendorAddressField.getConfidence());

+ }

+ }

+ DocumentField customerNameField = invoiceFields.get("CustomerName");

+ if (customerNameField != null) {

+ if (DocumentFieldType.STRING == customerNameField.getType()) {

+ String merchantAddress = customerNameField.getValueString();

+ System.out.printf("Customer Name: %s, confidence: %.2f%n",

+ merchantAddress, customerNameField.getConfidence());

+ }

+ }

+ DocumentField customerAddressRecipientField = invoiceFields.get("CustomerAddressRecipient");

+ if (customerAddressRecipientField != null) {

+ if (DocumentFieldType.STRING == customerAddressRecipientField.getType()) {

+ String customerAddr = customerAddressRecipientField.getValueString();

+ System.out.printf("Customer Address Recipient: %s, confidence: %.2f%n",

+ customerAddr, customerAddressRecipientField.getConfidence());

+ }

+ }

+ DocumentField invoiceIdField = invoiceFields.get("InvoiceId");

+ if (invoiceIdField != null) {

+ if (DocumentFieldType.STRING == invoiceIdField.getType()) {

+ String invoiceId = invoiceIdField.getValueString();

+ System.out.printf("Invoice ID: %s, confidence: %.2f%n",

+ invoiceId, invoiceIdField.getConfidence());

+ }

+ }

+ DocumentField invoiceDateField = invoiceFields.get("InvoiceDate");

+ if (customerNameField != null) {

+ if (DocumentFieldType.DATE == invoiceDateField.getType()) {

+ LocalDate invoiceDate = invoiceDateField.getValueDate();

+ System.out.printf("Invoice Date: %s, confidence: %.2f%n",

+ invoiceDate, invoiceDateField.getConfidence());

+ }

+ }

+ DocumentField invoiceTotalField = invoiceFields.get("InvoiceTotal");

+ if (customerAddressRecipientField != null) {

+ if (DocumentFieldType.FLOAT == invoiceTotalField.getType()) {

+ Float invoiceTotal = invoiceTotalField.getValueFloat();

+ System.out.printf("Invoice Total: %.2f, confidence: %.2f%n",

+ invoiceTotal, invoiceTotalField.getConfidence());

+ }

+ }

+ DocumentField invoiceItemsField = invoiceFields.get("Items");

+ if (invoiceItemsField != null) {

+ System.out.printf("Invoice Items: %n");

+ if (DocumentFieldType.LIST == invoiceItemsField.getType()) {

+ List < DocumentField > invoiceItems = invoiceItemsField.getValueList();

+ invoiceItems.stream()

+ .filter(invoiceItem -> DocumentFieldType.MAP == invoiceItem.getType())

+ .map(formField -> formField.getValueMap())

+ .forEach(formFieldMap -> formFieldMap.forEach((key, formField) -> {

+ // See a full list of fields found on an invoice here:

+ // https://aka.ms/formrecognizer/invoicefields

+ if ("Description".equals(key)) {

+ if (DocumentFieldType.STRING == formField.getType()) {

+ String name = formField.getValueString();

+ System.out.printf("Description: %s, confidence: %.2fs%n",

+ name, formField.getConfidence());

+ }

+ if ("Quantity".equals(key)) {

+ if (DocumentFieldType.FLOAT == formField.getType()) {

+ Float quantity = formField.getValueFloat();

+ System.out.printf("Quantity: %f, confidence: %.2f%n",

+ quantity, formField.getConfidence());

+ }

+ if ("UnitPrice".equals(key)) {

+ if (DocumentFieldType.FLOAT == formField.getType()) {

+ Float unitPrice = formField.getValueFloat();

+ System.out.printf("Unit Price: %f, confidence: %.2f%n",

+ unitPrice, formField.getConfidence());

+ }

+ if ("ProductCode".equals(key)) {

+ if (DocumentFieldType.FLOAT == formField.getType()) {

+ Float productCode = formField.getValueFloat();

+ System.out.printf("Product Code: %f, confidence: %.2f%n",

+ productCode, formField.getConfidence());

+ }

+ }));

+ }

+ }

+ }

+ }

+### Prebuilt model output

+Visit the Azure samples repository on GitHub to view the [prebuilt invoice model output](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/jav)

+## Next step

+> [Learn more about Form Recognizer REST API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)

+> Form Recognizer v3.0 is currently in public preview. Some features may not be supported or have limited capabilities.

+[Reference documentation](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer?view=azure-python-preview&preserve-view=true) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/) | [Package (PyPi)](https://pypi.org/project/azure-ai-formrecognizer/3.2.0b3/) | [Samples](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/samples/README.md)

+pip install azure-ai-formrecognizer==3.2.0b3

+To interact with the Form Recognizer service, you'll need to create an instance of the `DocumentAnalysisClient` class. To do so, you'll create an `AzureKeyCredential` with your key from the Azure portal and a `DocumentAnalysisClient` instance with the `AzureKeyCredential` and your Form Recognizer `endpoint`.

+1. Create a new Python file called **form_recognizer_quickstart.py** in your preferred editor or IDE.

+1. Open the **form_recognizer_quickstart.py** file and select one of the following code samples to copy and paste into your application:

+<!-- markdownlint-disable MD036 -->

+**Add the following code sample to your form_recognizer_quickstart.py application. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+# import libraries

+import os

+from azure.ai.formrecognizer import DocumentAnalysisClient

+from azure.core.credentials import AzureKeyCredential

+# set `<your-endpoint>` and `<your-key>` variables with the values from the Azure portal

+endpoint = "<your-endpoint>"

+key = "<your-key>"

+ # sample document

+ # create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+### General document model output

+Visit the Azure samples repository on GitHub to view the [general document model output](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/FormRecognizer/v3-python-sdk-general-document-output.md)

+___

+**Add the following code sample to your form_recognizer_quickstart.py application. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+# import libraries

+import os

+from azure.ai.formrecognizer import DocumentAnalysisClient

+from azure.core.credentials import AzureKeyCredential

+# set `<your-endpoint>` and `<your-key>` variables with the values from the Azure portal

+endpoint = "<your-endpoint>"

+key = "<your-key>"

+ # create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+### Layout model output

+Visit the Azure samples repository on GitHub to view the [layout model output](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/FormRecognizer/v3-python-sdk-layout-output.md)

+___

+Analyze and extract common fields from specific document types using a prebuilt model. In this example, we'll analyze an invoice using the **prebuilt-invoice** model.

+**Add the following code sample to your form_recognizer_quickstart.py application. Make sure you update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal:**

+# import libraries

+import os

+from azure.ai.formrecognizer import DocumentAnalysisClient

+from azure.core.credentials import AzureKeyCredential

+# set `<your-endpoint>` and `<your-key>` variables with the values from the Azure portal

+endpoint = "<your-endpoint>"

+key = "<your-key>"

+ # create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+### Prebuilt model output

+Visit the Azure samples repository on GitHub to view the [prebuilt invoice model output](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/FormRecognizer/v3-python-sdk-prebuilt-invoice-output.md)

+That's it, congratulations!

+## Next step

+> [Learn more about Form Recognizer REST API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)

+## Limitation

+When you use [SQL Server Management Studio Object Explorer to create a database](/sql/relational-databases/databases/create-a-database#SSMSProcedure), the application returns an error. You can [create new databases with T-SQL](/sql/relational-databases/databases/create-a-database#TsqlProcedure).

+Azure Cache for Redis publishes runtime maintenance notifications on a publish/subscribe (pub/sub) channel called `AzureRedisEvents`. Many popular Redis client libraries support subscribing to pub/sub channels. Receiving notifications from the `AzureRedisEvents` channel is usually a simple addition to your client application. For more information about maintenance events, please see [AzureRedisEvents](https://github.com/Azure/AzureCacheForRedis/blob/main/AzureRedisEvents.md).

+> [!NOTE]

+> The `AzureRedisEvents` channel isn't a mechanism that can notify you days or hours in advance. The channel can notify clients of any upcoming planned server maintenance events that might affect server availability.

+| [Standard replication](#standard-replication)| Dual-node replicated configuration in a single data center with automatic failover | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |Γ£ö|Γ£ö|-|

+| [Geo-replication](#geo-replication) | Linked cache instances in two regions, with user-controlled failover | Premium; Enterprise (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Passive|Active|

+Also, Azure Cache for Redis provides more replica nodes in the Premium tier. A [multi-replica cache](cache-how-to-multi-replicas.md) can be configured with up to three replica nodes. Having more replicas generally improves resiliency because you have nodes backing up the primary. Even with more replicas, an Azure Cache for Redis instance still can be severely impacted by a data center- or AZ-level outage. You can increase cache availability by using multiple replicas with [zone redundancy](#zone-redundancy).

+Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A [zone redundant cache](cache-how-to-zone-redundancy.md) can place its nodes across different [Azure Availability Zones](../availability-zones/az-overview.md) in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.

+| Data encryption in transit |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

+- **Memory**: The Basic and Standard tiers offer 250 MB ΓÇô 53 GB; the Premium tier 6 GB - 1.2 TB; the Enterprise tiers 12 GB - 14 TB. To create a Premium tier cache larger than 120 GB, you can use Redis OSS clustering. For more information, see [Azure Cache for Redis Pricing](https://azure.microsoft.com/pricing/details/cache/). For more information, see [How to configure clustering for a Premium Azure Cache for Redis](cache-how-to-premium-clustering.md).

+- **Performance**: Caches in the Premium and Enterprise tiers are deployed on hardware that has faster processors, giving better performance compared to the Basic or Standard tier. Premium tier Caches have higher throughput and lower latencies. For more information, see [Azure Cache for Redis performance](./cache-planning-faq.yml#azure-cache-for-redis-performance).

+- **Dedicated core for Redis server**: All caches except C0 run dedicated VM cores. Redis, by design, uses only one thread for command processing. Azure Cache for Redis uses other cores for I/O processing. Having more cores improves throughput performance even though it may not produce linear scaling. Furthermore, larger VM sizes typically come with higher bandwidth limits than smaller ones. That helps you avoid network saturation, which will cause timeouts in your application.

+- **Network performance**: If you have a workload that requires high throughput, the Premium or Enterprise tier offers more bandwidth compared to Basic or Standard. Also within each tier, larger size caches have more bandwidth because of the underlying VM that hosts the cache. For more information, see [Azure Cache for Redis performance](./cache-planning-faq.yml#azure-cache-for-redis-performance).

+- **Maximum number of client connections**: The Premium and Enterprise tiers offer the maximum numbers of clients that can connect to Redis, offering higher numbers of connections for larger sized caches. Clustering increases the total amount of network bandwidth available for a clustered cache.

+- **High availability**: Azure Cache for Redis provides multiple [high availability](cache-high-availability.md) options. It guarantees that a Standard, Premium, or Enterprise cache is available according to our [SLA](https://azure.microsoft.com/support/legal/sla/cache/v1_0/). The SLA only covers connectivity to the cache endpoints. The SLA doesn't cover protection from data loss. We recommend using the Redis data persistence feature in the Premium and Enterprise tiers to increase resiliency against data loss.

+- **Data persistence**: The Premium and Enterprise tiers allow you to persist the cache data to an Azure Storage account and a Managed Disk respectively. Underlying infrastructure issues might result in potential data loss. We recommend using the Redis data persistence feature in these tiers to increase resiliency against data loss. Azure Cache for Redis offers both RDB and AOF (preview) options. Data persistence can be enabled through Azure portal and CLI. For the Premium tier, see [How to configure persistence for a Premium Azure Cache for Redis](cache-how-to-premium-persistence.md).

+- **Network isolation**: Azure Private Link and Virtual Network (VNET) deployments provide enhanced security and traffic isolation for your Azure Cache for Redis. VNET allows you to further restrict access through network access control policies. For more information, see [Azure Cache for Redis with Azure Private Link](cache-private-link.md) and [How to configure Virtual Network support for a Premium Azure Cache for Redis](cache-how-to-premium-vnet.md).

+- **Redis Modules**: Enterprise tiers support [RediSearch](https://docs.redislabs.com/latest/modules/redisearch/), [RedisBloom](https://docs.redislabs.com/latest/modules/redisbloom/) and [RedisTimeSeries](https://docs.redislabs.com/latest/modules/redistimeseries/). These modules add new data types and functionality to Redis.

+- Your Azure subscription has a valid payment instrument. Azure credits or free MSDN subscriptions aren't supported.

+- Your organization allows [Azure Marketplace purchases](../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases).

+- If you use a private Marketplace, it must contain the Redis Labs Enterprise offer.

+- [Create an open-source Redis cache](quickstart-create-redis.md)

+- [Create a Redis Enterprise cache](quickstart-create-redis-enterprise.md)

+- [Use Azure Cache for Redis in an ASP.NET web app](cache-web-app-howto.md)

+- [Use Azure Cache for Redis in .NET Core](cache-dotnet-core-quickstart.md)

+- [Use Azure Cache for Redis in .NET Framework](cache-dotnet-how-to-use-azure-redis-cache.md)

+- [Use Azure Cache for Redis in Node.js](cache-nodejs-get-started.md)

+- [Use Azure Cache for Redis in Java](cache-java-get-started.md)

+- [Use Azure Cache for Redis in Python](cache-python-get-started.md)

+Configuration settings for [Event Hub triggers and bindings](functions-bindings-event-hubs.md?tabs=functionsv1#hostjson-settings).

+## Migration

+If you have an existing function app, you can use Azure CLI commands to migrate your app between a Consumption plan and a Premium plan on Windows. The specific commands depend on the direction of the migration. To learn more, see [Plan migration](functions-how-to-use-azure-function-app-settings.md#plan-migration).

+This migration isn't supported on Linux.

+ var features = map.layers.getRenderedShapes(e.position, "unit");

+ Title: Geocoding in Azure Maps Power BI visual

+description: In this article, you'll learn about geocoding in Azure Maps Power BI visual.

+# Geocoding in Azure Maps Power BI Visual

+Azure Maps uses the latitude and longitude coordinate system to locate places on the map. The Azure Maps Power BI Visual provides latitude and longitude fields to pinpoint a specific location on the map, however most data sources use an address to pinpoint a location as opposed to latitude and longitude values.

+The Azure Maps Power BI Visual now provides a **Location** field that accepts address values that can be used to pinpoint a location on the map using geocoding.

+Geocoding is the process of taking an address and returning the corresponding latitude/longitude coordinate. The address determines the granularity it's possible to geocode, such as a city as opposed to a specific street address.

+## The location field

+The **Location** field in the Azure Maps Power BI Visual can accept multiple values, such as country, region, state, city, street address and zip code. By providing multiple sources of location information in the Location field, you help to guarantee more accurate results and eliminate ambiguity that would prevent a specific location to be determined. For example, there are over 20 different cities in the United States named *Franklin*.

+## Use geo-hierarchies to drill down

+When entering multiple values into the **Location** field, you create a geo-hierarchy. Geo-hierarchies enable the hierarchical drill-down features in the map, allowing you to drill down to different "levels" of location.

+| Button | Description |

+|:-:|-|

+| 1 | The drill button on the far right, called Drill Mode, allows you to select a map Location and drill down into that specific location one level at a time. For example, if you turn on the drill-down option and select North America, you move down in the hierarchy to the next level--states in North America. For geocoding, Power BI sends Azure Maps country and state data for North America only. The button on the left goes back up one level. |

+| 2 | The double arrow drills to the next level of the hierarchy for all locations at once. For example, if you're currently looking at countries and then use this option to move to the next level, states, Power BI displays state data for all countries. For geocoding, Power BI sends Azure Maps state data (no country data) for all locations. This option is useful if each level of your hierarchy is unrelated to the level above it. |

+| 3 | Similar to the drill-down option, except that you don't need to click on the map. It expands down to the next level of the hierarchy remembering the current level's context. For example, if you're currently looking at countries and select this icon, you move down in the hierarchy to the next level--states. For geocoding, Power BI sends data for each state and its corresponding country to help Azure Maps geocode more accurately. In most maps, you'll either use this option or the drill-down option on the far right. This will send Azure as much information as possible and result in more accurate location information. |

+## Categorize geographic fields in Power BI

+To ensure fields are correctly geocoded, you can set the Data Category on the data fields in Power BI. In Data view, select the desired column. From the ribbon, select the Modeling tab and then set the Data Category to one of the following: Address, City, Continent, Country, Region, County, Postal Code, State, or Province. These data categories help Azure correctly encode the data. To learn more, see [Data categorization in Power BI Desktop](/power-bi/transform-model/desktop-data-categorization). If you're live connecting to SQL Server Analysis Services, you'll need to set the data categorization outside of Power BI using [SQL Server Data Tools (SSDT)](/sql/ssdt/download-sql-server-data-tools-ssdt).

+## Next steps

+Learn more about the Azure Maps Power BI visual:

+> [!div class="nextstepaction"]

+> [Get started with Azure Maps Power BI visual (Preview)](power-bi-visual-get-started.md)

+> [!div class="nextstepaction"]

+> [Understanding layers in the Azure Maps Power BI visual](power-bi-visual-understanding-layers.md)

+Learn about the Azure Maps Power BI visual Pie Chart layer that uses geocoding:

+> [!div class="nextstepaction"]

+> [Add a pie chart layer](power-bi-visual-add-pie-chart-layer.md)

+*Why do transaction detail durations not add up to the top-request duration?*

+Time not explained in the gantt chart, is time that is not covered by a tracked dependency.

+This can be due to either external calls that were not instrumented (automatically or manually), or that the time taken was in process rather than because of an external call.

+If all calls were instrumented, in process is the likely root cause for the time spent. A useful tool for diagnosing the process is the [Application Insights profiler](./profiler.md).

+| Retention | Configure retention from 30 days to 730 days. | Retention fixed at 8 days. |

+Data export in Log Analytics workspace lets you continuously export data per selected tables in your workspace, to an Azure Storage Account or Azure Event Hubs as it arrives to Azure Monitor pipeline. This article provides details on this feature and steps to configure data export in your workspaces.

+* Integration with Azure services and other tools ΓÇô export to Event Hubs as it arrives and processed in Azure Monitor.

+- Configure Diagnostic Settings in Azure resources. Logs is sent to destination directly and has lower latency compared to data export in Log Analytics.

+* The Azure NetApp Files delegated subnet must be able to reach all Active Directory Domain Services (AD DS) domain controllers in the domain, including all local and remote domain controllers. Otherwise, service interruption can occur.

+Azure NetApp Files supports both [Active Directory Domain Services](/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology) (AD DS) and Azure Active Directory Domain Services (AADDS) for AD connections. Before you create an AD connection, you need to decide whether to use AD DS or AADDS.

+You can use your preferred [Active Directory Sites and Services](/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology) scope for Azure NetApp Files. This option enables reads and writes to Active Directory Domain Services (AD DS) domain controllers that are [accessible by Azure NetApp Files](azure-netapp-files-network-topologies.md). It also prevents the service from communicating with domain controllers that are not in the specified Active Directory Sites and Services site.

+To find your site name when you use AD DS, you can contact the administrative group in your organization that is responsible for Active Directory Domain Services. The example below shows the Active Directory Sites and Services plugin where the site name is displayed:

+ * <a name="aes-encryption"></a>**AES Encryption**

+ * <a name="encrypted-smb-connection"></a>**Encrypted SMB connection to domain controller**

+ Select this checkbox to enable SMB encryption for communication between the Azure NetApp Files service and the domain controller (DC). When you enable this functionality, SMB3 protocol will be used for encrypted DC connections, because encryption is supported only by SMB3. SMB, Kerberos, and LDAP enabled volume creation will fail if the DC doesn't support the SMB3 protocol.

+ 

+ See [Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes](configure-ldap-over-tls.md) for information about this option.

+ See [Configure AD DS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md#ldap-search-scope) for information about these options.

+ * <a name="backup-policy-users"></a>**Backup policy users**

+ 

+* [Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes](configure-ldap-over-tls.md)

+* [AD DS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md)

+| Kerberos Realm: KDC IP | Specifies the IP address of the Kerberos Distribution Center (KDC) server. KDC in Azure NetApp Files is an Active Directory server | Yes | None | A new KDC IP address will be used |

+## General errors for volume creation or management

+| Error conditions | Resolutions |

+|-|-|

+| Error during SMB, LDAP, or Kerberos volume creation: <br> `Failed to create the Active Directory machine account "PAKA-5755". Reason: SecD Error: no server available Details: Error: Machine account creation procedure failed [ 34] Loaded the preliminary configuration. [ 80] Created a machine account in the domain [ 81] Successfully connected to ip 10.193.169.25, port 445 using TCP [ 83] Unable to connect to LSA service on win-2bovaekb44b.harikrb.com (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR) [ 83] No servers available for MS_LSA, vserver: 251, domain: http://contoso.com/. **[ 83] FAILURE: Unable to make a connection (LSA:CONTOSO.COM), ** result: 6940 [ 85] Could not find Windows SID 'S-1-5-21-192389270-1514950320-2551433173-512' [ 133] Deleted existing account 'CN=PAKA-5755,CN=Computers,DC=contoso,DC=com' .` | SMB3 is disabled on the domain controller. <br> Enable SMB3 on the domain controller and then try creating the volume. See [How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows](/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3) for details about enabling SMB3. |

+| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available."}]}` | This error indicates that the DNS is not reachable. <br> Consider the following solutions: <ul><li>Check if AD DS and the volume are being deployed in same region.</li> <li>Check if AD DS and the volume are using the same VNet. If they are using different VNETs, make sure that the VNets are peered with each other. See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md). </li> <li>The DNS server might have network security groups (NSGs) applied. As such, it does not allow the traffic to flow. In this case, open the NSGs to the DNS or AD to connect to various ports. For port requirements, see [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections). </li></ul> <br>The same solutions apply for Azure AD DS. Azure AD DS should be deployed in the same region. The VNet should be in the same region or peered with the VNet used by the volume. |

+| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-C1C8\". Reason: Kerberos Error: Invalid credentials were given Details: Error: Machine account creation procedure failed\n [ 563] Loaded the preliminary configuration.\n**[ 670] FAILURE: Could not authenticate as 'test@contoso.com':\n** Unknown user (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)\n. "}]}` | <ul><li>Make sure that the username entered is correct. </li> <li>Make sure that the user is part of the Administrator group that has the privilege to create machine accounts. </li> <li> If you use Azure AD DS, make sure that the user is part of the Azure AD group `Azure AD DC Administrators`. </li></ul> |

+| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError","message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-D9A2\". Reason: SecD Error: ou not found Details: Error: Machine account creation procedure failed\n [ 561] Loaded the preliminary configuration.\n [ 665] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ 1039] Successfully connected to ip 10.x.x.x, port 389 using TCP\n**[ 1147] FAILURE: Specifed OU 'OU=AADDC Com' does not exist in\n** contoso.com\n. "}]}` | Make sure that the OU path specified for joining the AD connection is correct. If you use Azure AD DS, make sure that the organizational unit path is `OU=AADDC Computers`. |

+| Error when updating the ldapEnabled parameter value for an existing volume: <br> `Error Message: ldapEnabled parameter is not allowed to update` | You cannot modify the LDAP option setting after creating a volume. <br> Do not update the LDAP option setting on a created volume. See [Configure AD DS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md) for details. |

+## March 2022

+* [Encrypted SMB connection to domain controller](create-active-directory-connections.md#encrypted-smb-connection)

+ You can now enable SMB encryption for communication between the Azure NetApp Files service and the Active Directory Domain Services domain controller (DC). When you enable this functionality, SMB3 protocol will be used for encrypted DC connections.

+* Features that are now generally available (GA)

+ The following features are now GA. You no longer need to register the features before using them.

+ * [Backup policy users](create-active-directory-connections.md#backup-policy-users)

+ * [AES encryption for AD authentication](create-active-directory-connections.md#aes-encryption)

+* [Active Directory Domain Services (AD DS) LDAP user-mapping with NFS extended groups](configure-ldap-extended-groups.md) now generally available (GA)

+ The AD DS LDAP user-mapping with NFS extended groups feature is now generally available. You no longer need to register the feature before using it.

+ * [Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes](configure-ldap-over-tls.md)

+* [Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes](configure-ldap-over-tls.md) (Preview)

+ By default, LDAP communications between client and server applications are not encrypted. This means that it is possible to use a network-monitoring device or software to view the communications between an LDAP client and server computers. This scenario might be problematic in non-isolated or shared VNets when an LDAP simple bind is used, because the credentials (username and password) used to bind the LDAP client to the LDAP server are passed over the network unencrypted. LDAP over TLS (also known as LDAPS) is a protocol that uses TLS to secure communication between LDAP clients and LDAP servers. Azure NetApp Files now supports the secure communication between an Active Directory Domain Server (AD DS) using LDAP over TLS. Azure NetApp Files can now use LDAP over TLS for setting up authenticated sessions between the Active Directory-integrated LDAP servers. You can enable the LDAP over TLS feature for NFS, SMB, and dual-protocol volumes. By default, LDAP over TLS is disabled on Azure NetApp Files.

+* [Active Directory Domain Services (AD DS) LDAP user-mapping with NFS extended groups](configure-ldap-extended-groups.md) (Preview)

+ By default, Azure NetApp Files supports up to 16 group IDs when handling NFS user credentials, as defined in [RFC 5531](https://tools.ietf.org/html/rfc5531). With this new capability, you can now increase the maximum up to 1,024 if you have users who are members of more than the default number of groups. To support this capability, NFS volumes can now also be added to AD DS LDAP, which enables Active Directory LDAP users with extended groups entries (with up to 1024 groups) to access the volume.

+As customers modernize their infrastructure, application, and data tiers, they also modernize their identity management capabilities by shifting to Azure AD. Azure SQL offers multiple [Azure AD Authentication](../database/authentication-aad-overview.md) options:

+ Title: 'View virtual machine session full screen in browser'

+# Change to full screen view for a VM session

+This article helps you change the virtual machine view to full screen and back in your browser when connected to a VM using Azure Bastion.

+This article helps you configure your Bastion deployment, and then connect to a VM in the VNet using the native client (SSH or RDP) on your local computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). Additionally with this feature, you can now also upload or download files, depending on the connection type and client.

+ Title: 'About VM connections and features'

+description: Learn about VM connections and features when connecting using Azure Bastion.

+# About VM connections and features

+The sections in this article show you various features and settings that are available when you connect to a VM using Azure Bastion.

+## <a name="connect"></a>Connect to a VM

+You can use a variety of different methods to connect to a target VM. Some connection types require Bastion to be configured with the Standard SKU. Use the following articles to connect.

+## <a name="copy-paste"></a>Copy and paste

+For browsers that support the advanced Clipboard API access, you can copy and paste text between your local device and the remote session in the same way you copy and paste between applications on your local device. For other browsers, you can use the Bastion clipboard access tool palette. Only text copy/paste is supported.

+For steps and more information, see [Copy and paste - Windows VMs](bastion-vm-copy-paste.md).

+## <a name="full-screen"></a>Full screen view

+You can change to full screen view and back using your browser. For steps and more information, see [Change to full screen view](bastion-vm-full-screen.md).

+## <a name="upload-download"></a>Upload or download files

+Azure Bastion offers support for file transfer between your target VM and local computer using Bastion and a native RDP or native SSH client. It may also be possible to use certain third-party clients and tools to upload and download files.

+For steps and more information, see [Upload or download files to a VM using a native client](vm-upload-download-native.md).

+## <a name="audio"></a>Remote audio

+You can enable remote audio output for your VM. Some VMs automatically enable this setting, others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.

+For steps, see the [Deploy Bastion](tutorial-create-host-portal.md#audio) tutorial.

+## Next steps

+For frequently asked questions, see the VM section of the [Azure Bastion FAQ](bastion-faq.md).

+ Title: 'Upload or download files using a native client connection'

+description: Learn how to upload or download files using Azure Bastion and a native client when connected to a VM using Azure Bastion.

+# File upload and download to a VM using a native client (Preview)

+ Add `show-all-intents=true` to the end of the querystring to **show all intents**, and `verbose=true` to return all detailed information for entities.

+|Custom voice |Custom neural voice |

+| Custom voice¹ requires a large volume of voice data to produce a more human-like voice model. With fewer recorded lines, a standard custom voice model will tend to sound more obviously robotic. |The custom neural voice capability enables you to create a unique brand voice in multiple languages and styles by using a small set of recordings.|

+¹ When creating a custom voice model, the maximum number of data files allowed to be imported per subscription is 10 .zip files for free subscription (F0) users, and 500 for standard subscription (S0) users.

+## Custom voice details (deprecated)

+## Standard voice details (deprecated)

+# Language identification (preview)

+Language identification is used to identify languages spoken in audio when compared against a list of [supported languages](language-support.md#language-identification).

+* [Speech-to-text recognition](#speech-to-text) when you need to identify the language in an audio source and then transcribe it to text.

+* [Speech translation](#speech-translation) when you need to identify the language in an audio source and then translate it to another language.

+Note that for speech recognition, the initial latency is higher with language identification. You should only include this optional feature as needed.

+Whether you use language identification [on its own](#standalone-language-identification), with [speech-to-text](#speech-to-text), or with [speech translation](#speech-translation), there are some common concepts and configuration options.

+Then you make a [recognize once or continuous recognition](#recognize-once-or-continuous) request to the Speech service.

+You provide candidate languages, at least one of which is expected be in the audio. You can include up to 4 languages for [at-start LID](#at-start-and-continuous-language-identification) or up to 10 languages for [continuous LID](#at-start-and-continuous-language-identification).

+You must provide the full 4-letter locale, but language identification only uses one locale per base language. Do not include multiple locales (e.g., "en-US" and "en-GB") for the same language.

+For more information, see [supported languages](language-support.md#language-identification).

+Speech supports both at-start and continuous language identification (LID).

+- Continuous LID can identify multiple languages for the duration of the audio. Use continuous LID if the language in the audio could change. Continuous LID does not support changing languages within the same sentence. For example, if you are primarily speaking Spanish and insert some English words, it will not detect the language change per word.

+You can choose to prioritize accuracy or latency with language identification.

+Prioritize `Latency` if you need a low-latency result such as during live streaming. Set the priority to `Accuracy` if the audio quality may be poor, and more latency is acceptable. For example, a voicemail could have background noise, or some silence at the beginning. Allowing the engine more time will improve language identification results.

+* **At-start:** With at-start LID in `Latency` mode the result is returned in less than 5 seconds. With at-start LID in `Accuracy` mode the result is returned within 30 seconds. You set the priority for at-start LID with the `SpeechServiceConnection_SingleLanguageIdPriority` property.

+* **Continuous:** With continuous LID in `Latency` mode the results are returned every 2 seconds for the duration of the audio. With continuous LID in `Accuracy` mode the results are returned within no set time frame for the duration of the audio. You set the priority for continuous LID with the `SpeechServiceConnection_ContinuousLanguageIdPriority` property.

+Speech uses at-start LID with `Latency` prioritization by default. You need to set a priority property for any other LID configuration.

+Language identification is completed with recognition objects and operations. You will make a request to the Speech service for recognition of audio.

+- Continuous recognition with continuous LID

+The `SpeechServiceConnection_ContinuousLanguageIdPriority` property is always required for continuous LID. Without it the speech service defaults to at-start lid.

+You use standalone language identification when you only need to identify the language in an audio source.

+| Neural Text-to-speech, Speech language identification | `http://localhost:5000` | HTTP |

+### Neural Text-to-Speech

+docker run --rm -it -p 5000:5000 --memory 12g --cpus 4 \

+mcr.microsoft.com/azure-cognitive-services/translator/text-translation:1.0.018950002-amd64-preview

+* Fix container start issue that may occur when customer runs it in some RHEL environments.

+The [Translator][tr-containers] container image can be found on the `mcr.microsoft.com` container registry syndicate. It resides within the `azure-cognitive-services/translator` repository and is named `text-translation`. The fully qualified container image name is `mcr.microsoft.com/azure-cognitive-services/translator/text-translation:1.0.018950002-amd64-preview`.

+| `1.0.018950002-amd64-preview` | |

+> [!Tip]

+> Before deploying a model, make sure to view the model details to make sure that the model is performing as expected.

+Deploying a model hosts and makes it available for predictions through an endpoint.

+### Conversation projects deployments

+1. Click on *Add deployment* to submit a new deployment job

+ :::image type="content" source="../media/add-deployment-model.png" alt-text="A screenshot showing the model deployment button in Language Studio." lightbox="../media/add-deployment-model.png":::

+2. In the window that appears, you can create a new deployment name by giving the deployment a name or override an existing deployment name. Then, you can add a trained model to this deployment name.

+ :::image type="content" source="../media/create-deployment-job.png" alt-text="A screenshot showing the add deployment job screen in Language Studio." lightbox="../media/create-deployment-job.png":::

+#### Swap deployments

+If you would like to swap the models between two deployments, simply select the two deployment names you want to swap and click on **Swap deployments**. From the window that appears, select the deployment name you want to swap with.

+#### Delete deployment

+To delete a deployment, select the deployment you want to delete and click on **Delete deployment**.

+> [!NOTE]

+> You can only have ten deployment names.

+### Orchestration workflow projects deployments

+1. Click on **Add deployment** to submit a new deployment job.

+ Like conversation projects, In the window that appears, you can create a new deployment name by giving the deployment a name or override an existing deployment name. Then, you can add a trained model to this deployment name and press next.

+ :::image type="content" source="../media/create-deployment-job-orch.png" alt-text="A screenshot showing deployment job creation in Language Studio." lightbox="../media/create-deployment-job-orch.png":::

+2. If you're connecting one or more LUIS applications or conversational language understanding projects, specify the deployment name.

+ No configurations are required for custom question answering or unlinked intents.

+ LUIS projects **must be published** to the slot configured during the Orchestration deployment, and custom question answering KBs must also be published to their Production slots.

+ :::image type="content" source="../media/deploy-connected-services.png" alt-text="A screenshot showing the deployment screen for orchestration workflow projects." lightbox="../media/deploy-connected-services.png":::

+Deploying a model hosts it and makes it available for predictions through an endpoint.

+When a model is deployed, you will be able to test the model directly in the portal or by calling the API associated with it.

+> [!NOTE]

+> You can only have ten deployment names.

+

+### Delete deployment

+To delete a deployment, select the deployment you want to delete and click **Delete deployment**

+6. Copy the retrieve request and replace `<OPERATION-ID>` with `jobId` received from the last step and submit the request.

+Deploying a model hosts it, and makes it available for predictions through an endpoint.

+When a model is deployed, you will be able to test the model directly in the portal or by calling the API associated with it.

+> [!NOTE]

+> You can only have ten deployment names

+

+### Delete deployment

+To delete a deployment, select the deployment you want to delete and select **Delete deployment**

+* extractive summarization returns sentences together with a rank score, and. Top ranked sentences will be returned per request

+* extractive summarization also returns the following positional information:

+ * offset: The start position of each extracted sentence, and

+ * Length: is the length of each extracted sentence.

+* **Positional information**: The start position and length of extracted sentences.

+| [Chat Hero Sample](./chat-hero-sample.md) | Provides a sample of creating a chat application. | [Web](https://github.com/Azure-Samples/communication-services-web-chat-hero) |

+An example that demonstrates how to read status attribute from Gremlin Java client:

+# Store credentials in Azure Key Vault

+Spark jobs are more extensible than Pig/Hive jobs. For Spark jobs, you can provide multiple dependencies such as jar packages (placed in the Java CLASSPATH), Python files (placed on the PYTHONPATH), and any other files.

+| ./jars | All files under this folder are uploaded and placed on the Java classpath of the cluster | No | Folder |

+The Spark activity doesn't support an inline script as Pig and Hive activities do. Spark jobs are also more extensible than Pig/Hive jobs. For Spark jobs, you can provide multiple dependencies such as jar packages (placed in the Java CLASSPATH), Python files (placed on the PYTHONPATH), and any other files.

+ <td><b>Integration Runtime</b></td>

+ <td>Express VNet injection for SSIS integration runtime (Public Preview)</td>

+ <td>The SSIS integration runtime now supports express VNet injection.<br>

+ Learn more:<br>

+ <a href="join-azure-ssis-integration-runtime-virtual-network.md">Overview of VNet injection for SSIS integration runtime</a><br>

+ <a href="azure-ssis-integration-runtime-virtual-network-configuration.md">Standard vs. express VNet injection for SSIS integration runtime</a><br>

+ <a href="azure-ssis-integration-runtime-express-virtual-network-injection.md">Express VNet injection for SSIS integration runtime</a>

+ </td>

+</tr>

+- approximately **four emails per day** for **high-severity** alerts

+- approximately **two emails per day** for **medium-severity** alerts

+- approximately **one email per day** for **low-severity** alerts

+- [Moved the recommendation Vulnerabilities in container security configurations should be remediated from the secure score to best practices](#moved-the-recommendation-vulnerabilities-in-container-security-configurations-should-be-remediated-from-the-secure-score-to-best-practices)

+### Moved the recommendation Vulnerabilities in container security configurations should be remediated from the secure score to best practices

+The recommendation `Vulnerabilities in container security configurations should be remediated` has been moved from the secure score section to best practices section.

+The current user experience only provides the score when all compliance checks have passed. Most customers have difficulties with meeting all the required checks. We are working on an improved experience for this recommendation, and once released the recommendation will be moved back to the secure score.

+> - The dead letter blobs created will contain one or more events in an array. An important behavior to consider when processing dead letters.

+ Title: 'Connect Azure Front Door Premium to an app service origin with Private Link'

+# Connect Azure Front Door Premium to a App Service origin with Private Link

+This article will guide you through how to configure Azure Front Door Premium SKU to connect to your App Service privately using the Azure Private Link service.

+## Enable Private Link to an App Service in Azure Front Door Premium

+1. Select the origin group that contains the App Service origin you want to enable Private Link for.

+1. Select **+ Add an origin** to add a new app service origin or select a previously created app service origin from the list.

+## Approve Azure Front Door Premium private endpoint connection from App Service

+1. Go to the App Service you configured Private Link for in the last section. Select **Networking** under **Settings**.

+1. Once approved, it should look like the screenshot below. It will take a few minutes for the connection to fully establish. You can now access your app service from Azure Front Door Premium. Direct access to the App Service from the public internet gets disabled after private endpoint gets enabled.

+description: New Zealand ISM Restricted Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.

+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).

+2. Then copy and paste the Java code below into the new file. Then close the file.

+ Then copy and paste the Java code below into the new file. Then close the file.

+Then copy and paste the Java code below into the new file. Then close the file.

+Then copy and paste the Java code below into the new file. Then close the file.

+Then copy and paste the Java code below into the new file. Then close the file.

+To verify that your upgrade was successful, check that the relevant HBase processes are started using the appropriate Java version - for instance for region server check as:

+1. Create a Java keystore and get a signed certificate for the broker. Then copy the certificate to the VM where the CA is running.

+1. Create a Java keystore and create a certificate signing request.

+The above logs should provide high-level understanding of the file system operations. If the above logs are still not providing useful information, or if you want to investigate blob storage api calls, add `fs.azure.storage.client.logging=true` to the `core-site`. This setting will enable the Java sdk logs for wasb storage driver and will print each call to blob storage server. Remove the setting after investigations because it could fill up the disk quickly and could slow down the process.

+Then copy and paste the Java code below into the new file. Then close the file.

+Then copy and paste the Java code below into the new file. Then close the file.

+Then copy and paste the Java code below into the new file. Then close the file.

+Then copy and paste the Java code below into the new file. Then close the file.

+## February 2022

+### **Features and enhancements**

+|Enhancements &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |Related information |

+| :-- | : |

+|Added 429 retry and logging in BundleHandler |We sometimes encounter 429 errors when processing a bundle. If the FHIR service receives a 429 at the BundleHandler layer, we abort processing of the bundle and skip the remaining resources. We've added an additional retry (in addition to the retry present in the data store layer) that will execute one time per resource that encounters a 429. For more about this feature enhancement, see [PR #2400](https://github.com/microsoft/fhir-server/pull/2400).|

+|Billing for $convert-data and $de-id |Azure API for FHIR's data conversion and de-identified export features are now Generally Available. Billing for $convert-data and $de-id operations in Azure API for FHIR has been enabled. Billing meters were turned on March 1, 2022. |

+### **Bug fixes**

+|Bug fixes |Related information |

+| :-- | : |

+|Update compartment search index |There was a corner case where the compartment search index wasn't being set on resources. Now we use the same index as the main search for compartment search to ensure all data is being returned. For more about the code fix, see [PR #2430](https://github.com/microsoft/fhir-server/pull/2430).|

+Azure Health Data Services now supports multiple health data standards for the exchange of structured data. A single collection of Azure Health Data Services enables you to deploy multiple instances of different service types (FHIR, DICOM, and MedTech) that seamlessly work with one another. Services deployed within a workspace also share a compliance boundary and common configuration settings. The product scales automatically to meet the varying demands of your workloads, so you spend less time managing infrastructure and more time generating insights from health data.

+Azure Health Data Services now includes support for DICOM service. DICOM enables the secure exchange of image data and its associated metadata. DICOM is the international standard to transmit, store, retrieve, print, process, and display medical imaging information, and is the primary medical imaging standard accepted across healthcare. For more information about the DICOM service, see [Overview of DICOM](./dicom/dicom-services-overview.md).

+For the secure exchange of FHIR data, Azure Health Data Services offers a few incremental capabilities that aren't available in Azure API for FHIR.

+

+* **Support for Transactions**: In Azure Health Data Services, the FHIR service supports transaction bundles. For more information about transaction bundles, visit [HL7.org](http://www.hl7.org/) and refer to batch/transaction interactions.

+* [Chained Search Improvements](./././fhir/overview-of-search.md#chained--reverse-chained-searching): Chained Search & Reserve Chained Search are no longer limited by 100 items per sub query.

+* The $convert-data operation can now transform JSON objects to FHIR R4.

+* Events: Trigger new workflows when resources are created, updated, or deleted in a FHIR service.

+>[!Note]

+> Azure Health Data Services is Generally Available.

+>

+>For more information about Azure Health Data Services Service Level Agreements, see [SLA for Azure Health Data Services](https://azure.microsoft.com/support/legal/sla/health-data-services/v1_1/).

+ Title: Use the REST API to manage organizations in Azure IoT Central

+description: How to use the IoT Central REST API to manage organizations in an application

+# How to use the IoT Central REST API to manage organizations

+The IoT Central REST API lets you develop client applications that integrate with IoT Central applications. You can use the REST API to manage organizations in your IoT Central application.

+> [!TIP]

+> The [organizations feature](howto-create-organizations.md) is currently available in [preview API](/rest/api/iotcentral/1.1-previewdataplane/users).

+Every IoT Central REST API call requires an authorization header. To learn more, see [How to authenticate and authorize IoT Central REST API calls](howto-authorize-rest-api.md).

+For the reference documentation for the IoT Central REST API, see [Azure IoT Central REST API reference](/rest/api/iotcentral/).

+To learn more about organizations in IoT Central Application, see [Manage IoT Central organizations](howto-create-organizations.md).

+## Organizations REST API

+The IoT Central REST API lets you:

+* Add an organization to your application

+* Get an organization by ID

+* Update an organization in your application

+* Get a list of the organizations in the application

+* Delete an organization in your application

+### Create organizations

+The REST API lets you create organizations in your IoT Central application. Use the following request to create an organization in your application:

+```http

+PUT https://{subdomain}.{baseDomain}/api/organizations/{organizationId}?api-version=1.1-preview

+```

+* organizationId - Unique ID of the organization

+The following example shows a request body that adds an organization to a IoT Central application.

+```json

+{

+ "displayName": "Seattle",

+}

+```

+The request body has some required fields:

+* `@displayName`: Display name of the organization.

+The request body has some optional fields:

+* `@parent`: ID of the parent of the organization.

+ If you don't specify a parent, then the organization gets the default top-level organization as its parent.

+The response to this request looks like the following example:

+```json

+{

+ "id": "seattle",

+ "displayName": "Seattle"

+}

+```

+You can create an organization with hierarchy, for example you can create a sales organization with a parent organization.

+The following example shows a request body that adds an organization to a IoT Central application.

+```json

+{

+ "displayName": "Sales",

+ "parent":"seattle"

+}

+```

+The response to this request looks like the following example:

+```json

+{

+ "id": "sales",

+ "displayName": "Sales",

+ "parent":"Seattle"

+}

+```

+### Get an organization

+Use the following request to retrieve details of an individual organization from your application:

+```http

+GET https://{subdomain}.{baseDomain}/api/organizations/{organizationId}?api-version=1.1-preview

+```

+The response to this request looks like the following example:

+```json

+{

+ "id": "seattle",

+ "displayName": "Seattle",

+ "parent": "washington"

+}

+```

+### Update an organization

+Use the following request to update details of an organization in your application:

+```http

+PATCH https://{subdomain}.{baseDomain}/api/organizations/{organizationId}?api-version=1.1-preview

+```

+The following example shows a request body that updates an organization.

+```json

+{

+ "id": "seattle",

+ "displayName": "Seattle Sales",

+ "parent": "washington"

+}

+```

+The response to this request looks like the following example:

+```json

+{

+ "id": "seattle",

+ "displayName": "Seattle Sales",

+ "parent": "washington"

+}

+```

+### List organizations

+Use the following request to retrieve a list of organizations from your application:

+```http

+GET https://{your app subdomain}.azureiotcentral.com/api/organizations?api-version=1.1-preview

+```

+The response to this request looks like the following example.

+```json

+{

+ "value": [

+ {

+ "id": "washington",

+ "displayName": "Washington"

+ },

+ {

+ "id": "redmond",

+ "displayName": "Redmond"

+ },

+ {

+ "id": "bellevue",

+ "displayName": "Bellevue"

+ },

+ {

+ "id": "spokane",

+ "displayName": "Spokane",

+ "parent": "washington"

+ },

+ {

+ "id": "seattle",

+ "displayName": "Seattle",

+ "parent": "washington"

+ }

+ ]

+}

+```

+ The organizations Washington, Redmond, and Bellevue will automatically have the application's default top-level organization as their parent.

+### Delete an organization

+Use the following request to delete an organization:

+```http

+DELETE https://{your app subdomain}.azureiotcentral.com/api/organizations/{organizationId}?api-version=1.1-preview

+```

+## Next steps

+Now that you've learned how to manage organizations with the REST API, a suggested next step is to [How to use the IoT Central REST API to manage data exports.](howto-manage-data-export-with-rest-api.md)

+Now that you've learned how to manage users and roles with the REST API, a suggested next step is to [How to use the IoT Central REST API to manage organizations.](howto-manage-organizations-with-rest-api.md)

+> [!VIDEO https://aka.ms/docs/player?id=94a7d988-4a35-4590-9dd8-a511cdd68bee]

+<a href="https://aka.ms/docs/player?id=94a7d988-4a35-4590-9dd8-a511cdd68bee" target="_blank">IoT Edge integration with Azure Monitor</a>(4:06)

+A Microsoft-supplied metrics-collector module can be added to an IoT Edge deployment to collect module metrics and send them to Azure Monitor. The module code is open-source and available in the [IoT Edge GitHub repo](https://github.com/Azure/iotedge/tree/release/1.1/edge-modules/metrics-collector).

+This command tests connections over MQTTS (port 8883). If you're using a different protocol, adjust the command as necessary for AMQPS (5671) or HTTPS (443)

+This article contains security recommendations for IoT. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model. For more information on what Microsoft does to fulfill service provider responsibilities, read [Shared responsibilities for cloud computing](../security/fundamentals/shared-responsibility.md).

+1.1.1 | [msi](https://www.microsoft.com/en-us/download/details.aspx?id=104015) [nuget](https://www.nuget.org/packages/Microsoft.Azure.Kinect.BodyTracking/1.1.1)

+### v1.1.1

+* [Feature] Added cmake support to all body tracking samples

+* [Feature] NuGet package returns. Developed new NuGet package that includes Microsoft developed body tracking dlls and headers, and ONNX runtime dependencies. The package no longer includes the NVIDIA CUDA and TRT dependencies. These continue to be included in the MSI package.

+* [Feature] Upgraded to ONNX Runtime v1.10. Recommended NVIDIA driver version is 472.12 (Game Ready) or 472.84 (Studio). There are OpenGL issues with later drivers.

+* [Bug Fix] CPU mode no longer requires NVIDIA CUDA dependencies [Link](https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1154)

+* [Bug Fix] Verified samples compile with Visual Studio 2022 and updated samples to use this release [Link] (https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1250)

+* [Bug Fix] Added const qualifier to APIs [Link] (https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1365)

+* [Bug Fix] Added check for nullptr handle in shutdown() [Link] (https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1373)

+* [Bug Fix] Improved dependencies checks [Link] (https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1510)

+* [Bug Fix] Updated REDIST.TXT file [Link](https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1541)

+* [Bug Fix] Improved DirectML performance [Link] (https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1546)

+* [Bug Fix] Fixed exception declaration in frame::get_body() [Link] (https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1573)

+* [Bug Fix] Fixed memory leak [Link] (https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1576)

+* [Bug Fix] Updated dependencies list [Link] (https://github.com/microsoft/Azure-Kinect-Sensor-SDK/issues/1644)

+keywords: kinect, azure, sensor, access, depth, sdk, body, tracking, joint, setup, onnx, directml, cuda, trt, nvidia

+## Specifying ONNX Runtime execution environment

+The Body Tracking SDK supports CPU, CUDA, DirectML (Windows only) and TensorRT execution environments to inference the pose estimation model. The `K4ABT_TRACKER_PROCESSING_MODE_GPU` defaults to CUDA execution on Linux and DirectML execution on Windows. Three additional modes have been added to select specific execution environments: `K4ABT_TRACKER_PROCESSING_MODE_GPU_CUDA`, `K4ABT_TRACKER_PROCESSING_MODE_GPU_DIRECTML`, and `K4ABT_TRACKER_PROCESSING_MODE_GPU_TENSORRT`.

+> [!NOTE]

+> ONNX Runtime displays warnings for opcodes that are not accelerated. These may be safely ignored.

+ONNX Runtime includes environment variables to control TensorRT model caching. The recommended values are:

+- ORT_TENSORRT_ENGINE_CACHE_ENABLE=1

+- ORT_TENSORRT_CACHE_PATH="pathname"

+The folder must be created prior to starting body tracking.

+> [!IMPORTANT]

+> TensorRT pre-processes the model prior to inference resulting in extended start up times when compared to other execution environments. Engine caching limits this to first execution however it is experimental and is specific to the model, ONNX Runtime version, TensorRT version and GPU model.

+The TensorRT execution environment supports both FP32 (default) and FP16. FP16 trades ~2x performance increase for minimal accuracy decrease. To specify FP16:

+- ORT_TENSORRT_FP16_ENABLE=1

+## Required DLLs for ONNX Runtime execution environments

+|Mode | ORT 1.10 | CUDA 11.4.3 | CUDNN 8.2.2.26 | TensorRT 8.0.3.4 |

+|-|--|-|||

+| CPU | msvcp140 | - | - | - |

+| | onnxruntime | | | |

+| CUDA | msvcp140 | cudart64_110 | cudnn64_8 | - |

+| | onnxruntime | cufft64_10 | cudnn_ops_infer64_8 | |

+| | onnxruntime_providers_cuda | cublas64_11 | cudnn_cnn_infer64_8 | |

+| | onnxruntime_providers_shared | cublasLt64_11 | | |

+| DirectML | msvcp140 | - | - | - |

+| | onnxruntime | | | |

+| | directml | | | |

+| TensorRT | msvcp140 | cudart64_110 | - | nvinfer |

+| | onnxruntime | cufft64_10 | | nvinfer_plugin |

+| | onnxruntime_providers_cuda | cublas64_11 | | |

+| | onnxruntime_providers_shared | cublasLt64_11 | | |

+| | onnxruntime_providers_tensorrt | nvrtc64_112_0 | | |

+| | | nvrtc-builtins64_114 | | |

+2. To find the reset button, remove the screw that's located in the tripod mount lock.

+3. Reconnect the power cable.

+4. Insert the tip of a straightened paperclip into the empty screw hole, in the tripod mount lock.

+ >[!CAUTION]

+ >Never use a sharp ended tool like a pushpin to press the reset button. Instead use a flat ended tool like a paperclip to avoid damaging the reset button.

+5. Use the paperclip to gently press and hold the reset button.

+6. While you hold the reset button, reconnect the USB cable.

+7. After about 3 seconds, the power indicator light changes to amber. After the light changes, release the reset button.

+8. Wait for the power indicator light to become solid white.

+9. Replace the screw in the tripod mount lock, over the reset button.

+10. Use Azure Kinect Viewer to verify that the firmware was reset. To do this, launch the [Azure Kinect Viewer](azure-kinect-viewer.md), and then select **Device firmware version info** to see the firmware version that is installed on your Azure Kinect DK.

+## Changes to contents of Body Tracking packages

+Both the MSI and NuGet packages no longer include the Microsoft Visual C++ Redistributable Package files. Download the latest package [here](https://docs.microsoft.com/cpp/windows/latest-supported-vc-redist).

+The NuGet package is back however it no longer includes Microsoft DirectML, or NVIDIA CUDA and TensorRT files.

+[More support information](support.md)

+Get started with Azure Load Balancer by using the Azure portal to create a public load balancer and two virtual machines.

+In this section, you'll create a virtual network, subnet, and Azure Bastion host. The virtual network and subnet contains the load balancer and virtual machines. The bastion host is used to securely manage the virtual machines and install IIS to test the load balancer.

+3. In **Create virtual network**, enter or select the following information in the **Basics** tab:

+ | Region | Select **West Europe** |

+4. Select the **IP Addresses** tab or select **Next: IP Addresses** at the bottom of the page.

+6. Under **Subnet name**, select the word **default**. If a subnet isn't present, select **+ Add subnet**.

+8. Select **Save** or **Add**.

+

+ > [!NOTE]

+ > The virtual network and subnet are created immediately. The Bastion host creation is submitted as a job and will complete within 10 minutes. You can proceed to the next steps while the Bastion host is created.

+## Create load balancer

+* Health probe

+2. In the **Load balancer** page, select **+ Create**.

+3. In the **Basics** tab of the **Create load balancer** page, enter or select the following information:

+ | Region | Select **West Europe**. |

+ | Type | Select **Public**. |

+5. In **Frontend IP configuration**, select **+ Add a frontend IP configuration**.

+6. Enter **myFrontend** in **Name**.

+22. Select **Next: Inbound rules** at the bottom of the page.

+ | Frontend IP address | Select **myFrontend**. |

+ | Backend pool | Select **myBackendPool**. |

+ > In this example we'll create a NAT gateway to provide outbound Internet access. The outbound rules tab in the configuration is bypassed as it's optional isn't needed with the NAT gateway. For more information on Azure NAT gateway, see [What is Azure Virtual Network NAT?](../virtual-network/nat-gateway/nat-overview.md)

+## Create NAT gateway

+In this section, you'll create a NAT gateway for outbound internet access for resources in the virtual network.

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+2. In **NAT gateways**, select **+ Create**.

+3. In **Create network address translation (NAT) gateway**, enter or select the following information:

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **CreatePubLBQS-rg**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select **West Europe**. |

+ | Availability zone | Select **None**. |

+ | Idle timeout (minutes) | Enter **15**. |

+4. Select the **Outbound IP** tab or select **Next: Outbound IP** at the bottom of the page.

+5. In **Outbound IP**, select **Create a new public IP address** next to **Public IP addresses**.

+6. Enter **myNATgatewayIP** in **Name**.

+7. Select **OK**.

+8. Select the **Subnet** tab or select the **Next: Subnet** button at the bottom of the page.

+9. In **Virtual network** in the **Subnet** tab, select **myVNet**.

+10. Select **myBackendSubnet** under **Subnet name**.

+11. Select the blue **Review + create** button at the bottom of the page, or select the **Review + create** tab.

+In this section, you'll create two VMs (**myVM1** and **myVM2**) in two different zones (**Zone 1**, and **Zone 2**).

+These VMs are added to the backend pool of the load balancer that was created earlier.

+3. In **Create a virtual machine**, enter or select the following values in the **Basics** tab:

+ | Availability Options | Select **Availability zones** |

+ | Availability zone | Select **Zone 1** |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter: Azure Edition - Gen2** |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None** |

+5. In the Networking tab, select or enter the following information:

+ | - | -- |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Advanced** |

+ | Configure network security group | Select **Create new**. </br> In the **Create network security group**, enter **myNSG** in **Name**. </br> Under **Inbound rules**, select **+Add an inbound rule**. </br> Under **Service**, select **HTTP**. </br> Under **Priority**, enter **100**. </br> In **Name**, enter **myNSGRule** </br> Select **Add** </br> Select **OK** |

+ | Delete NIC when VM is deleted | Leave the default of **unselected**. |

+ | Accelerated networking | Leave the default of **selected**. |

+ | Place this virtual machine behind an existing load-balancing solution? | Select the check box. |

+ | **Load balancing settings** |

+ | Load-balancing options | Select **Azure load balancer** |

+ | Select a load balancer | Select **myLoadBalancer** |

+ | Select a backend pool | Select **myBackendPool** |

+

+6. Select **Review + create**.

+7. Review the settings, and then select **Create**.

+8. Follow the steps 1 through 7 to create another VM with the following values and all the other settings the same as **myVM1**:

+ | Setting | VM 2

+ | Name | **myVM2** |

+ | Availability zone | **Zone 2** |

+ | Network security group | Select the existing **myNSG** |

+3. On the **Overview** page, select **Connect**, then **Bastion**.

+

+ ```

+9. Repeat steps 1 to 8 to install IIS and the updated iisstart.htm file on **myVM2**.

+1. In the search box at the top of the page, enter **Public IP**. Select **Public IP addresses** in the search results.

+2. In **Public IP addresses**, select **myPublicIP**.

+3. Copy the item in **IP address**. Paste the public IP into the address bar of your browser. The custom VM page of the IIS Web server is displayed in the browser.

+* Created an Azure Load Balancer

+* Attached 2 VMs to the load balancer

+* Tested the load balancer

+| IP based LB outbound IP | IP based LB leverages Azure's Default Outbound Access IP for outbound | In order to prevent outbound access from this IP, please leverage NAT Gateway for a predictable IP address and to prevent SNAT port exhaustion |

+| Managed connector (**Preview**) | Single-authentication: <br>- Azure Automation <br>- Azure Event Grid <br>- Azure Key Vault <br>- Azure Resource Manager <br>- HTTP with Azure AD <p>Multi-authentication: <br>- Azure Blob Storage <br>- Azure Event Hubs <br>- Azure Service Bus <br>- SQL Server |

+| Managed connector (**Preview**) | Single-authentication: <br>- Azure Automation <br>- Azure Event Grid <br>- Azure Key Vault <br>- Azure Resource Manager <br>- HTTP with Azure AD <p>Multi-authentication: <br>- Azure Blob Storage <br>- Azure Event Hubs <br>- Azure Service Bus <br>- SQL Server |

+ * **Multi-authentication**: These connectors show multiple authentication types, but you still can select only one type. From the **Authentication type** list, select **Logic Apps Managed Identity** > **Create**, for example:

+In an ARM template, the underlying connector resource definition differs based on whether you have a Consumption or Standard logic app and whether the [connector shows single-authentication or multi-authentication options](#managed-connectors-managed-identity).

+

+The following examples apply to Consumption logic apps and show how the underlying connector resource definition differs between a single-authentication connector, such as Azure Automation, and a multi-authentication connector, such as Azure Blob Storage.

+#### Single-authentication

+This example shows the underlying connection resource definition for an Azure Automation action in a Consumption logic app that uses a managed identity where the definition includes the attributes:

+* The `apiVersion` property is set to `2016-06-01`.

+* The `kind` property is set to `V1` for a Consumption logic app.

+* The `parameterValueType` property is set to `Alternative`.

+

+ "name": "[variables('connections_azureautomation_name')]",

+ "apiVersion": "2016-06-01",

+ "displayName": "[variables('connections_azureautomation_name')]",

+ "parameterValueType": "Alternative"

+ }

+},

+```

+#### Multi-authentication

+This example shows the underlying connection resource definition for an Azure Blob Storage action in a Consumption logic app that uses a managed identity where the definition includes the following attributes:

+* The `apiVersion` property is set to `2018-07-01-preview`.

+* The `kind` property is set to `V1` for a Consumption logic app.

+* The `parameterValueSet` object includes a `name` property that's set to `managedIdentityAuth` and a `values` property that's set to an empty object.

+```json

+{

+ "type": "Microsoft.Web/connections",

+ "apiVersion": "2018-07-01-preview",

+ "name": "[variables('connections_azureblob_name')]",

+ "location": "[parameters('location')]",

+ "kind": "V1",

+ "properties": {

+ "alternativeParameterValues":{},

+ "api": {

+ "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', parameters('location'), 'azureblob')]"

+ },

+ "customParameterValues": {},

+ "displayName": "[variables('connections_azureblob_name')]",

+The following examples apply to Standard logic apps and show how the underlying connector resource definition differs between a single-authentication connector, such as Azure Automation, and a multi-authentication connector, such as Azure Blob Storage.

+#### Single-authentication

+

+This example shows the underlying connection resource definition for an Azure Automation action in a Standard logic app that uses a managed identity where the definition includes the following attributes:

+* The `apiVersion` property is set to `2016-06-01`.

+* The `kind` property is set to `V2` for a Standard logic app.

+* The `parameterValueType` property is set to `Alternative`.

+

+ "name": "[variables('connections_azureautomation_name')]",

+ },

+ "customParameterValues": {},

+ "displayName": "[variables('connections_azureautomation_name')]",

+ "parameterValueType": "Alternative"

+ }

+},

+```

+#### Multi-authentication

+This example shows the underlying connection resource definition for an Azure Blob Storage action in a Standard logic app that uses a managed identity where the definition includes the following attributes:

+* The `apiVersion` property is set to `2018-07-01-preview`.

+* The `kind` property is set to `V2` for a Standard logic app.

+* The `parameterValueSet` object includes a `name` property that's set to `managedIdentityAuth` and a `values` property that's set to an empty object.

+```json

+{

+ "type": "Microsoft.Web/connections",

+ "apiVersion": "2018-07-01-preview",

+ "name": "[variables('connections_azureblob_name')]",

+ "location": "[parameters('location')]",

+ "kind": "V2",

+ "properties": {

+ "alternativeParameterValues":{},

+ "api": {

+ "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', parameters('location'), 'azureblob')]"

+ },

+ "customParameterValues": {},

+ "displayName": "[variables('connections_azureblob_name')]",

+ "parameterValueSet":{

+ "name": "managedIdentityAuth",

+ "values": {}

+| <*connection-name*> | The name for your API connection, for example, `azureblob` |

+| [Managed identity](#managed-identity-authentication) | **Consumption logic app**: <br><br>- **Built-in**: Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP Webhook <p><p>- **Managed connector** (preview): <p><p> **Single-authentication**: Azure AD Identity Protection, Azure Automation, Azure Container Instance, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure Key Vault, Azure Resource Manager, Microsoft Sentinel, HTTP with Azure AD <p><p> **Multi-authentication**: Azure Blob Storage, Azure Event Hubs, Azure Service Bus, SQL Server <p><p>___________________________________________________________________________________________<p><p>**Standard logic app**: <p><p>- **Built-in**: HTTP, HTTP Webhook <p><p>- **Managed connector** (preview): <p> **Single-authentication**: Azure AD Identity Protection, Azure Automation, Azure Container Instance, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure Key Vault, Azure Resource Manager, Microsoft Sentinel, HTTP with Azure AD <p><p> **Multi-authentication**: Azure Blob Storage, Azure Event Hubs, Azure Service Bus, SQL Server |

+ > - The File System connector currently supports only Windows file systems on Windows operating systems.

+ > - The gateway machine and the file server must exist in the same Windows domain.

+ > - Mapped network drives aren't supported.

+1. In the **Description** box, enter a description for your offer. This text box has rich text editor controls that you can use to make your description more engaging. You can also use HTML tags to format your description. You can enter up to 5,000 characters of text in this box, which includes HTML markup and spaces. For information about HTML formatting, see [HTML tags supported in the commercial marketplace offer descriptions](supported-html-tags.md).

+- Must be 200 characters or less.

+This field is automatically filled with the name that you gave your plan when you created it. This name appears on Azure Marketplace as the title of this plan. It is limited to 200 characters.

+Describe what makes this software plan unique, and describe any differences between plans within your offer. Describe the plan only, not the offer. The plan description can contain up to 3,000 characters.

+- **Remote desktop or SSH disabled**: Enable this property if any of the following conditions are true:

+ - Virtual machines deployed with these images don't allow customers to access it using Remote Desktop or SSH. Learn more about [locked VM images](./azure-vm-certification-faq.yml#locked-down-or-ssh-disabled-offer).

+ - Image does not support _sampleuser_ while deploying.

+ - Image has limited access.

+ - Image does not comply with the [Certification Test Tool](azure-vm-image-test.md#use-certification-test-tool-for-azure-certified).

+ - Image requires setup during initial login which causes automation to not connect to the virtual machine.

+ - Image does not support port 22.

+**Description** ΓÇô Describe your test drive, what will be demonstrated, features to explore, objectives for the user to experiment with, and other relevant information to help them determine if your offer is right for them (up to 5,000 characters).

+4. In the **Description** field, describe your Managed Service offer. You can enter up to 5,000 characters of text in this box, including HTML tags and spaces. For information about HTML formatting, see [HTML tags supported in the offer descriptions](./supported-html-tags.md).

+3. In the **Plan name** box, enter a unique name for this plan. Use a maximum of 200 characters. This name will be visible to your customers.

+- Must be 200 characters or less.

+- Must be 200 characters or less.

+ "resourceUri": "<fullyqualifiedname>", // Unique identifier of the resource against which usage is emitted.

+- **Name** ΓÇô The name will appear as the title of your offer listing in the commercial marketplace. The name may be trademarked. It cannot contain emojis (unless they are the trademark and copyright symbols) and is limited to 200 characters.

+ "quantity": 20,

+- **Name**: This name will appear as the title of your offer listing in the commercial marketplace. The name may be trademarked. It cannot contain emojis (unless they are the trademark and copyright symbols) and must be limited to 200 characters.

+ This text box has rich text editor controls that you can use to make your description more engaging. You can also use HTML tags to format your description. You can enter up to 5,000 characters of text in this box, which includes HTML markup and spaces. For additional tips, see [Write a great app description](/windows/uwp/publish/write-a-great-app-description) and [HTML tags supported in the commercial marketplace offer descriptions](supported-html-tags.md).

+**Name**: This name will appear as the title of your offer listing in the commercial marketplace. The name may be trademarked. It can't contain emojis (unless they're the trademark and copyright symbols) and must be limited to 200 characters. The name must include the duration and service type of the offer to maximize search engine optimization (SEO). The required format is *Name: Duration + type*. DonΓÇÖt include your company name unless itΓÇÖs also the product name. Here are some examples:

+You can use HTML tags to format your description. You can enter up to 5,000 characters of text in this box, including HTML tags and spaces. For information about HTML formatting, see [HTML tags supported in the commercial marketplace offer descriptions](./supported-html-tags.md).

+* Configure [binlog_expire_logs_seconds](./concepts-server-parameters.md#binlog_expire_logs_seconds) on the source server to ensure that binlogs arenΓÇÖt purged before the replica commit the changes. Post successful cutover you can reset the value.

+ North Central US

+ North Europe

+ UAE Central

+ UK West

+ USGov Arizona

+ West US 2

+ West US 3

+ Canada East

+ China East 2

+ China North

+ China North 2

+ Korea Central

+ Korea South

+ South India

+ USGov Arizona

+ USGov Texas

+ West US 3

+|[Tech Mahindra](https://www.techmahindra.com/en-in/network-services/)|[Tech Mahindra End to End Managed Network Services](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/techm.techm-network-transformstrategy?tab=Overview)|||[Azure Private LTE MSP](https://azuremarketplace.microsoft.com/marketplace/apps/techm.private_5g_network)|

+The following table provides a high-level features and capabilities comparisons between Single Server and Flexible Server. For most new deployments, we recommend using Flexible Server. However, you should consider your own requirements against the comparison table below.

+Each Azure Purview account comes with an optional fully managed event hub, accessible via the Atlas Kafka endpoint found via the Azure portal > Azure Purview Account > Properties. Azure Purview events can be monitored by consuming messages from the event hub. External systems can also use the event hub to publish events to Azure Purview as they occur.

+* [Azure Purview REST API](/rest/api/purview)

+Whenever a data consumer requests access to a dataset, the notification is sent to the workflow approver(s). The approver(s) can view the request and approve it either from Azure purview portal or from within the email notification. When the request is approved, a policy is auto-generated and applied against the respective data source. Self-service data access policy gets auto-generated only if the data source is registered for **data use governance**. The pre-requisites mentioned within the [data use governance](./how-to-enable-data-use-governance.md) have to be satisfied.

+- [Azure Synapse Workspace](register-scan-synapse-workspace.md#authentication-for-registration)

+- [Azure Synapse dedicated SQL pools (formerly SQL DW)](register-scan-azure-synapse-analytics.md#authentication-for-registration)

+ Title: Learn about prerequisites to successfully deploy an Azure Purview account

+description: This tutorial lists prerequisites to deploy an Azure Purview account.

+# Customer Intent: As a Data and Data Security administrator, I want to deploy Azure Purview as a unified data governance solution.

+# Azure Purview deployment checklist

+This article lists prerequisites that help you get started quickly on Azure Purview planning and deployment.

+|No. |Prerequisite / Action |Required Permission |Additional guidance and recommendations |

+|:|:|:|:|

+|1 | Azure Active Directory Tenant |N/A |An [Azure Active Directory tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md) should be associated with your subscription. <ul><li>*Global Administrator* or *Information Protection Administrator* role is required, if you plan to [extend Microsoft 365 Sensitivity Labels to Azure Purview for files and db columns](create-sensitivity-label.md)</li><li> *Global Administrator* or *Power BI Administrator* role is required, if you're planning to [scan Power BI tenants](register-scan-power-bi-tenant.md).</li></ul> |

+|2 |An active Azure Subscription |*Subscription Owner* |An Azure subscription is needed to deploy Azure Purview and its managed resources. If you don't have an Azure subscription, create a [free subscription](https://azure.microsoft.com/free/) before you begin. |

+|3 |Define whether you plan to deploy an Azure Purview with managed Event Hub | N/A |A managed Event Hub is created as part of Azure Purview account creation, see Azure Purview account creation. You can publish messages to the Event Hub kafka topic ATLAS_HOOK and Azure Purview will consume and process it. Azure Purview will notify entity changes to Event Hub kafka topic ATLAS_ENTITIES and user can consume and process it.This quickstart uses the new Azure.Messaging.EventHubs library. |

+|4 |Register the following resource providers: <ul><li>Microsoft.Storage</li><li>Microsoft.EventHub (optional)</li><li>Microsoft.Purview</li></ul> |*Subscription Owner* or custom role to register Azure resource providers (_/register/action_) | [Register required Azure Resource Providers](/azure-resource-manager/management/resource-providers-and-types.md) in the Azure Subscription that is designated for Azure Purview Account. Review [Azure resource provider operations](../role-based-access-control/resource-provider-operations.md). |

+|5 |Update Azure Policy to allow deployment of the following resources in your Azure subscription: <ul><li>Azure Purview</li><li>Azure Storage</li><li>Azure Event Hub (optional)</li></ul> |*Subscription Owner* |Use this step if an existing Azure Policy prevents deploying such Azure resources. If a blocking policy exists and needs to remain in place, please follow our [Azure Purview exception tag guide](create-azure-purview-portal-faq.md) and follow the steps to create an exception for Azure Purview accounts. |

+|6 | Define your network security requirements. | Network and Security architects. |<ul><li> Review [Azure Purview network architecture and best practices](concept-best-practices-network.md) to define what scenario is more relevant to your network requirements. </li><li>If private network is needed, use [Azure Purview Managed IR](catalog-managed-vnet.md) to scan Azure data sources when possible to reduce complexity and administrative overhead. </li></ul> |

+|7 |An Azure Virtual Network and Subnet(s) for Azure Purview private endpoints. | *Network Contributor* to create or update Azure VNet. |Use this step if you're planning to set up[private endpoint connectivity with Azure Purview](catalog-private-link.md): <ul><li>Private endpoints for **ingestion**.</li><li>Private endpoint for Azure Purview **Account**.</li><li>Private endpoint for Azure Purview **Portal**.</li></ul> <br> Deploy [Azure Virtual Network](../virtual-network/quick-create-portal.md) if you need to. |

+|8 |Deploy private endpoint for Azure data sources. |*Network Contributor* to set up Private endpoints for each data source. |perform this step if you're planning to use [Private Endpoint for Ingestion](catalog-private-link-end-to-end.md). |

+|9 |Define whether to deploy new or use existing Azure Private DNS Zones. |Required [Azure Private DNS Zones](catalog-private-link-name-resolution.md) can be created automatically during Purview Account deployment using Subscription Owner / Contributor role |Use this step if you're planning to use Private Endpoint connectivity with Azure Purview. Required DNS Zones for Private Endpoint: <ul><li>privatelink.purview.azure.com</li><li>privatelink.purviewstudio.azure.com</li><li>privatelink.blob.core.windows.net</li><li>privatelink.queue.core.windows.net</li><li>privatelink.servicebus.windows.net</li></ul> |

+|10 |A management machine in your CorpNet or inside Azure VNet to launch Azure Purview Studio. |N/A |Use this step if you're planning to set **Allow Public Network** to **deny** on you Azure Purview Account. |

+|11 |Deploy an Azure Purview Account |Subscription Owner / Contributor |Purview account is deployed with 1 Capacity Unit and will scale up based [on demand](concept-elastic-data-map.md). |

+|12 |Deploy a Managed Integration Runtime and Managed private endpoints for Azure data sources. |*Data source admin* to setup Managed VNet inside Azure Purview. <br> *Network Contributor* to approve managed private endpoint for each Azure data source. |Perform this step if you're planning to use [Managed VNet](catalog-managed-vnet.md). within your Azure Purview account for scanning purposes. |

+|13 |Deploy Self-hosted integration runtime VMs inside your network. |Azure: *Virtual Machine Contributor* <br> On-prem: Application owner |Use this step if you're planning to perform any scans using Self-hosted Integration Runtime. |

+|14 |Create a Self-hosted integration runtime inside Azure Purview. |Data curator <br> VM Administrator or application owner |Use this step if you're planning to use Self-hosted Integration Runtime instead of Managed Integration Runtime or Azure Integration Runtime. <br><br> <br> [download](https://www.microsoft.com/en-us/download/details.aspx?id=39717) |

+|15 |Register your Self-hosted integration runtime | Virtual machine administrator |Use this step if you have **on-premises** or **VM-based data sources** (e.g. SQL Server). <br> Use this step are using **Private Endpoint** to scan to **any** data sources. |

+|16 |Grant Azure RBAC **Reader** role to **Azure Purview MSI** at data sources' Subscriptions |*Subscription owner* or *User Access Administrator* |Use this step if you're planning to register **multiple** or **any** of the following data sources: <ul><li>Azure Blob Storage</li><li>Azure Data Lake Storage Gen1</li><li>Azure Data Lake Storage Gen2</li><li>Azure SQL Database</li><li>Azure SQL Database Managed Instance</li><li>Azure Synapse Analytics</li></ul> |

+|17 |Grant Azure RBAC **Storage Blob Data Reader** role to **Azure Purview MSI** at data sources Subscriptions. |*Subscription owner* or *User Access Administrator* | **Skip** this step if you are using Private Endpoint to connect to data sources. Use this step if you have these data sources:<ul><li>Azure Blob Storage</li><li>Azure Data Lake Storage Gen1</li></ul> |

+|18 |Enable network connectivity to allow AzureServices to access data sources: <br> e.g. Enable "**Allow trusted Microsoft services to access this storage account**". |*Owner* or *Contributor* at Data source |Use this step if **Service Endpoint** is used in your data sources. (Don't use this step if Private Endpoint is used) |

+|19 |Enable **Azure Active Directory Authentication** on **Azure SQL Servers**, **Azure SQL Database Managed Instance** and **Azure Synapse Analytics** |Azure SQL Server Contributor |Use this step if you have **Azure SQL DB** or **Azure SQL Database Managed Instance** or **Azure Synapse Analytics** as data source. **Skip** this step if you are using **Private Endpoint** to connect to data sources. |

+|20 |Grant **Azure Purview MSI** account with **db_datareader** role to Azure SQL databases and Azure SQL Database Managed Instance databases |Azure SQL Administrator |Use this step if you have **Azure SQL DB** or **Azure SQL Database Managed Instance** as data source. **Skip** this step if you are using **Private Endpoint** to connect to data sources. |

+|21 |Grant Azure RBAC **Storage Blob Data Reader** to **Synapse SQL Server** for staging Storage Accounts |Owner or User Access Administrator at data source |Use this step if you have **Azure Synapse Analytics** as data sources. **Skip** this step if you are using Private Endpoint to connect to data sources. |

+|22 |Grant Azure RBAC **Reader** role to **Azure Purview MSI** at **Synapse workspace** resources |Owner or User Access Administrator at data source |Use this step if you have **Azure Synapse Analytics** as data sources. **Skip** this step if you are using Private Endpoint to connect to data sources. |

+|23 |Grant Azure **Purview MSI account** with **db_datareader** role |Azure SQL Administrator |Use this step if you have **Azure Synapse Analytics (Dedicated SQL databases)**. <br> **Skip** this step if you are using **Private Endpoint** to connect to data sources. |

+|24 |Grant **Azure Purview MSI** account with **sysadmin** role |Azure SQL Administrator |Use this step if you have Azure Synapse Analytics (Serverless SQL databases). **Skip** this step if you are using **Private Endpoint** to connect to data sources. |

+|25 |Create an app registration or service principal inside your Azure Active Directory tenant | Azure Active Directory *Global Administrator* or *Application Administrator* | Use this step if you're planning to perform an scan on a data source using Delegated Auth or [Service Principal](create-service-principal-azure.md).|

+|26 |Create an **Azure Key Vault** and a **Secret** to save data source credentials or service principal secret. |*Contributor* or *Key Vault Administrator* |Use this step if you have **on-premises** or **VM-based data sources** (e.g. SQL Server). <br> Use this step are using **ingestion private endpoints** to scan a data source. |

+|27 |Grant Key **Vault Access Policy** to Azure Purview MSI: **Secret: get/list** |*Key Vault Administrator* |Use this step if you have **on-premises** / **VM-based data sources** (e.g. SQL Server) <br> Use this step if **Key Vault Permission Model** is set to [Vault Access Policy](../key-vault/general/assign-access-policy.md). |

+|28 |Grant **Key Vault RBAC role** Key Vault Secrets User to Azure Purview MSI. | *Owner* or *User Access Administrator* |Use this step if you have **on-premises** or **VM-based data sources** (e.g. SQL Server) <br> Use this step if **Key Vault Permission Model** is set to [Azure role-based access control](../key-vault/general/rbac-guide.md). |

+|29 | Create a new connection to Azure Key Vault from Azure Purview Studio | *Data source admin* | Use this step if you are planing to use any of the following authentication options to scan a data source in Azure Purview: <ul><li>Account key</li><li>Basic Authentication</li><li>Delegated Auth</li><li>SQL Authentication</li><li>Service Principal</li><li>Consumer Key</li></ul>

+|30 |Deploy a private endpoint for Power BI tenant |*Power BI Administrator* <br> *Network contributor* |Use this step if you're planning to register a Power BI tenant as data source and your Azure Purview Purview account is set to **deny public access**. <br> For more information, see [How to configure private endpoints for accessing Power BI](/power-bi/enterprise/service-security-private-links). |

+|31 |Connect Azure Data Factory to Azure Purview from Azure Data Factory Portal. **Manage** -> **Azure Purview**. Select **Connect to a Purview account**. <br> Validate if Azure resource tag **catalogUri** exists in ADF Azure resource. |Azure Data Factory Contributor / Data curator |Use this step if you have **Azure Data Factory**. |

+|32 |Verify if you have at least one **Microsoft 365 required license** in your Azure Active Directory tenant to use sensitivity labels in Azure Purview. |Azure Active Directory *Global Reader* |Perform this step if you're planning in extending **Sensitivity Labels from Microsoft 365 to Azure Purview** <br> |

+|33 |Consent "**Extend labeling to assets in Azure Purview**" |Compliance Administrator <br> Azure Information Protection Administrator |Use this step if you are interested in extending Sensitivity Labels from Microsoft 365 to Azure Purview. <br> Use this step if you are interested in extending **Sensitivity Labels** from Microsoft 365 to Azure Purview. |

+|34 |Create new collections and assign roles in Azure Purview |*Collection admin* | [Create a collection and assign permissions in Azure Purview](/quickstart-create-collection.md). |

+|36 |Register and scan Data Sources in Azure Purview |*Data Source admin* <br> *Data Reader* or *Data Curator* | For more information, see [supported data sources and file types](azure-purview-connector-overview.md) |

+|35 |Grant access to data roles in the organization |*Collection admin* |Provide access to other teams to use Azure Purview: <ul><li> Data curator</li><li>Data reader</li><li>Collection admin</li><li>Data source admin</li><li>Policy Author</li><li>Workflow admin</li></ul> <br> For more information, see [Access control in Azure Purview](catalog-permissions.md). |

+## Next steps

+- [Review Azure Purview deployment best practices](./deployment-best-practices.md)

+| West US 3 | June 02, 2021 or later |

+[3]: ./media/search-performance-optimization/geo-search-traffic-mgr.png

+ $filter=Rooms/any(room: room/Tags/any(tag: search.in(tag, 'wifi, tub')))

+- [Search Documents &#40;Azure Cognitive Search REST API&#41;](/rest/api/searchservice/Search-Documents)

+### Clean up DNS pointers or Re-claim the DNS

+Upon deletion of the classic cloud service resource, the corresponding DNS is reserved for 7 days. During the reservation period, re-use of the DNS will be forbidden EXCEPT for subscriptions belonging to the AAD tenant of the subscription originally owning the DNS. After the reservation expires, the DNS is free to be claimed by any subscription. By taking DNS reservations, the customer is afforded some time to either 1) clean up any associations/pointers to said DNS or 2) re-claim the DNS in Azure. The DNS name being reserved can be derived by appending the cloud service name to the DNS zone for that cloud.

+

+Public - cloudapp.net

+Mooncake - chinacloudapp.cn

+Fairfax - usgovcloudapp.net

+BlackForest - azurecloudapp.de

+

+i.e. a hosted service in Public named ΓÇ£testΓÇ¥ would have DNS ΓÇ£test.cloudapp.netΓÇ¥

+Example:

+Subscription ΓÇÿAΓÇÖ and subscription ΓÇÿBΓÇÖ are the only subscriptions belonging to AAD tenant ΓÇÿABΓÇÖ. Subscription ΓÇÿAΓÇÖ contains a classic cloud service ΓÇÿtestΓÇÖ with DNS name ΓÇÿtest.cloudapp.netΓÇÖ. Upon deletion of the cloud service, a reservation is taken on DNS name ΓÇÿtest.cloudapp.netΓÇÖ. During the 7 day reservation period, only subscription ΓÇÿAΓÇÖ or subscription ΓÇÿBΓÇÖ will be able to claim the DNS name ΓÇÿtest.cloudapp.netΓÇÖ by creating a classic cloud service named ΓÇÿtestΓÇÖ. No other subscriptions will be allowed to claim it. After the 7 days is up, any subscription in Azure can now claim ΓÇÿtest.cloudapp.netΓÇÖ.

+1. From the Microsoft Sentinel navigation menu, under **Configuration**, select **Settings**.

+1. In the **Settings** pane, select the **Settings** tab.

+1. Locate and expand the **Remove Microsoft Sentinel** expander (at the bottom of the list of expanders).

+ :::image type="content" source="media/offboard/locate-remove-sentinel.png" alt-text="Screenshot to find the setting to remove Microsoft Sentinel from your workspace.":::

+1. Read the **Know before you go...** section and the rest of this document carefully, making sure that you understand the implications of removing Microsoft Sentinel, and that you take all the necessary actions before proceeding.

+1. Before you remove Microsoft Sentinel, please mark the relevant checkboxes to let us know why you're removing it. Enter any additional details in the space provided, and indicate whether you want Microsoft to email you in response to your feedback.

+ :::image type="content" source="media/offboard/remove-sentinel-reasons.png" alt-text="Screenshot to remove the Microsoft Sentinel solution from your workspace and specify reasons.":::

+- Microsoft services security alerts: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps (*formerly Microsoft Cloud App Security*) including Cloud Discovery Shadow IT reporting, Azure AD Identity Protection, Microsoft Defender for Endpoint, security alerts from Microsoft Defender for Cloud (*formerly Azure Defender*)

+Within the first 48 hours, the data and analytics rules (including real-time automation configuration) will no longer be accessible or queryable in Microsoft Sentinel.

+- Analytics rules

+After you remove the service, there is a grace period of 30 days during which you can re-enable the solution. Your data and analytics rules will be restored, but the configured connectors that were disconnected must be reconnected.

+ Title: How to configure Azure Service Fabric managed cluster for Azure active directory client access

+description: Learn how to configure an Azure Service Fabric managed cluster for Azure active directory client access

+# How to configure Azure Service Fabric managed cluster for Active Directory client access

+Cluster security is configured when the cluster is first set up and can't be changed later. Before setting up a cluster, read [Service Fabric cluster security scenarios](service-fabric-cluster-security.md). In Azure, Service Fabric uses x509 certificate to secure your cluster and its endpoints, authenticate clients, and encrypt data. Azure Active Directory is also recommended to secure access to management endpoints. Azure AD tenants and users must be created before creating the cluster. For more information, read Set up Azure AD to authenticate clients.

+You add the Azure AD configuration to a cluster resource manager template by referencing the key vault that contains the certificate keys. Add those Azure AD parameters and values in a Resource Manager template parameters file (*azuredeploy.parameters.json*).

+> [!NOTE]

+> On Azure AD tenants and users must be created before creating the cluster. For more information, read [Set up Azure AD to authenticate clients](service-fabric-cluster-creation-setup-aad.md).

+```json

+{

+"type": "Microsoft.ServiceFabric/managedClusters",

+"apiVersion": "2022-01-01",

+"properties": {

+ "azureActiveDirectory": {

+ "tenantId": "[parameters('aadTenantId')]",

+ "clusterApplication": "[parameters('aadClusterApplicationId')]",

+ "clientApplication": "[parameters('aadClientApplicationId')]"

+ },

+ }

+}

+```

+

+> * The max value of InstanceCloseDelayDuration that can be configured in the service description or the InstanceCloseDelayDurationSec in the upgrade description can't be greater than cluster config FailoverManager.MaxInstanceCloseDelayDurationInSeconds, which defaults to 1800 seconds. To update the max value, the cluster level config should to be updated. This configuration is only available in the runtime version 9.0 or later.

+* Service Fabric SDK and Tools 5.2.1571

+* Service Fabric runtime 8.2.1571

+| 8.2 CU2.1<br>8.2.1571.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 5.2 | .NET 5.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version |

+| 8.2 CU2.1<br>8.2.1397.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

+| 8.2 CU2.1 | 8.2.1571.9590 | 8.2.1397.1 |

+The following table describes the different types of storage accounts that are supported for Blob Storage:

+You canΓÇÖt change a storage account to a different type after it's created. To move your data to a storage account of a different type, you must create a new account and copy the data to the new account.

+| Dedicated SQL pool | Available | Only Parquet tables are available in **public preview**. |

+| Supported formats | Delimited/CSV, Parquet, ORC, Hive RC, and RC | Serverless SQL pool: Delimited/CSV, Parquet, and [Delta Lake](query-delta-lake-format.md)<br/>Dedicated SQL pool: Parquet (preview) |

+| [Folder partition elimination](#folder-partition-elimination) | No | Only for partitioned tables synchronized from Apache Spark pools in Synapse workspace to serverless SQL pools |

+| [File elimination](#file-elimination) (predicate pushdown) | No | Yes in serverless SQL pool. For the string pushdown, you need to use `Latin1_General_100_BIN2_UTF8` collation on the `VARCHAR` columns to enable pushdown. |

+| Storage authentication | Storage Access Key(SAK), AAD passthrough, Managed identity, Custom application Azure AD identity | [Shared Access Signature(SAS)](develop-storage-files-storage-access-control.md?tabs=shared-access-signature), [AAD passthrough](develop-storage-files-storage-access-control.md?tabs=user-identity), [Managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity), [Custom application Azure AD identity](develop-storage-files-storage-access-control.md?tabs=service-principal). |

+> The native external tables are the recommended solution in the pools where they are generally available. If you need to access external data, always use the native tables in serverless pools. In dedicated pools, you should switch to the native tables for reading Parquet files once they are in GA. Use the Hadoop tables only if you need to access some types that are not supported in native external tables (for example - ORC, RC), or if the native version is not available.

+> When used in conjunction with the [CREATE TABLE AS SELECT](../sql-data-warehouse/sql-data-warehouse-develop-ctas.md?context=/azure/synapse-analytics/context/context) statement, selecting from an external table imports data into a table within the **dedicated** SQL pool.

+>

+> If performance of Hadoop external tables in the dedicated pools do not satisfy your performance goals, consider loading external data into the Datawarehouse tables using the [COPY statement](/sql/t-sql/statements/copy-into-transact-sql?view=azure-sqldw-latest&preserve-view=true).

+

+### Folder partition elimination

+The native external tables in Synapse pools are able to ignore the files placed in the folders that are not relevant for the queries. If your files are stored in a folder hierarchy (for example - **/year=2020/month=03/day=16**) and the values for **year**, **month**, and **day** are exposed as the columns, the queries that contain filters like `year=2020` will read the files only from the subfolders placed within the **year=2020** folder. The files and folders placed in other folders (**year=2021** or **year=2022**) will be ignored in this query. This elimination is known as **partition elimination**.

+The folder partition elimination is available in the native external tables that are synchronized from the Synapse Spark pools. If you have partitioned data set and you would like to leverage the partition elimination with the external tables that you create, use [the partitioned views](create-use-views.md#partitioned-views) instead of the external tables.

+### File elimination

+Some data formats such as Parquet and Delta contain file statistics for each column (for example, min/max values for each column). The queries that filter data will not read the files where the required column values do not exist. The query will first explore min/max values for the columns used in the query predicate to find the files that do not contain the required data. These files will be ignored and eliminated from the query plan.

+This technique is also known as filter predicate pushdown and it can improve the performance of your queries. Filter pushdown is available in the serverless SQL pools on Parquet and Delta formats. To leverage filter pushdown for the string types, use the VARCHAR type with the `Latin1_General_100_BIN2_UTF8` collation.

+ > TSI applies some flattening and escaping when persisting columns in Parquet files. See these links for more details: [flattening and escaping rules](concepts-json-flattening-escaping-rules.md), [ingestion rules updates](ingestion-rules-update.md).

+1. **Option 1: Ingest All Data**. For smaller environments, you can ingest all of the data with a single command.

+1. **Option 2: Ingest Data by Year or Month**. For larger environments or to test on a smaller data set you can filter the Lightingest command further.

+ 1. By Year: Change your -prefix parameter

+

+ - Before: `-prefix:"V=1/PT=Time"`

+ - After: `-prefix:"V=1/PT=Time/Y=<Year>"`

+ - Example: `-prefix:"V=1/PT=Time/Y=2021"`

+ 1. By Month: Change your -prefix parameter

+ - Before: `-prefix:"V=1/PT=Time"`

+ - After: `-prefix:"V=1/PT=Time/Y=<Year>/M=<month #>"`

+ - Example: `-prefix:"V=1/PT=Time/Y=2021/M=03"`

+- Read-access to the Azure resource groups that hold your Azure Virtual Desktop resources

+- To see what's new in each version update, see [What's new in Azure Monitor for Azure Virtual Desktop](whats-new-azure-monitor.md).

+4. Use [the MSI installer (MsMmrHostMri)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4QWrF) to install both the host native component and the multimedia redirection extensions for your internet browser on your Azure VM.

+ - General bug fixes and agent improvements.

+We've updated the required URL list for Azure Virtual Desktop to accommodate Azure Virtual Desktop agent traffic. For more information, see [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop/important-new-changes-in-required-urls/m-p/3094897#M8529).

+ Title: Create zonal VMs with the Azure portal

+description: Create VMs in an availability zone with the Azure portal

+# Create virtual machines in an availability zone using the Azure portal

+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs

+This article steps through using the Azure portal to create highly resilient virtual machines in [availability zones](../availability-zones/az-overview.md). Azure availability zones are physically separate locations within each Azure region that are tolerant to local failures. Use availability zones to protect your applications and data against unlikely datacenter failures.

+To use availability zones, create your virtual machines in a [supported Azure region](../availability-zones/az-region.md).

+Some users will now see the option to create VMs in multiple zones. If you see the following message, please use the **Preview** tab below.

+### [Standard](#tab/standard)

+1. Sign in to the Azure portal at https://portal.azure.com.

+1. Click **Create a resource** > **Compute** > **Virtual machine**.

+3. Enter the virtual machine information. The user name and password or SSH key is used to sign in to the virtual machine.

+4. Choose a region such as East US 2 that supports availability zones.

+5. Under **Availability options**, select **Availability zone** dropdown.

+1. Under **Availability zone**, select a zone from the drop-down list.

+

+4. Choose a size for the VM. Select a recommended size, or filter based on features. Confirm the size is available in the zone you want to use.

+6. Finish filling in the information for your VM. When you are done, select **Review + create**.

+7. Once the information is verified, select **Create**.

+1. After the VM is created, you can see the availability zone listed in the **Essentials section** on the page for the VM.

+### [Preview](#tab/preview)

+1. Sign in to the Azure portal at https://portal.azure.com.

+1. Click **Create a resource** > **Compute** > **Virtual machine**.

+1. In the **Virtual machines** page, select **Create** and then **Virtual machine**. The **Create a virtual machine** page opens.

+1. In the **Basics** tab, under **Project details**, make sure the correct subscription is selected and then choose a resource group or create a new one.

+1. Under **Instance details**, type a name for the **Virtual machine name**.

+1. For **Availability options**, leave the default of **Availability zone**.

+1. For **Availability zone**, the drop-down defaults to *Zone 1*. If you choose multiple zones, a new VM will be created in each zone. For example, if you select all three zones, then three VMs will be created. The VM names are the original name you entered, with **-1**, **-2**, and **-3** appended to the name based on number of zones selected. If you want, you can edit each of the default VM names.

+ :::image type="content" source="media/zones/3-vm-names.png" alt-text="Screenshot showing that there are now 3 virtual machines that will be created.":::

+1. Complete the rest of the page as usual. If you want to create a load balancer, go to the **Networking** tab > **Load Balancing** > **Load balancing options**. You can choose either an Azure load balancer or an Application gateway.

+

+ For a **Azure load balancer**:

+ 1. You can select an existing load balancer or select **Create a load balancer**.

+ 2. To create a new load balancer, for **Load balancer name** type a load balancer name.

+ 3. Select the **Type** of load balancer, either Public or Internal.

+ 4. Select the **Protocol**, either **TCP** or **UDP**.

+ 5. You can leave the default **Port** and **Backend port**, or change them if needed. The backend port you select will be opened up on the Network Security Group (NSG) of the VM.

+ 6. When you are done, select **Create**.

+

+ For an **Application Gateway**:

+ 1. Select either an existing application gateway or **Create an application gateway**.

+ 2. To create a new gateway, type the name for the application gateway. The Application Gateway can load balance multiple applications. Consider naming the Application Gateway according to the workloads you wish to load balance, rather than specific to the virtual machine name.

+ 3. In **Routing rule**, type a rule name. The rule name should describe the workload you are load balancing.

+ 4. For HTTP load balancing, you can leave the defaults and then select **Create**. For HTTPS load balancing, you have two options:

+

+ - Upload a certificate and add the password (application gateway will manage certificate storage). For certificate name, type a friendly name for the certificate.

+ - Use a key vault (application gateway will pull a defined certificate from a defined key vault). Select your **Managed identity**, **Key Vault**, and **Certificate**.

+

+ > [!IMPORTANT]

+ > After the VMs and application gateway are deployed, log in to the VMs to ensure that either the application gateway certificate is uploaded onto the VMs or the domain name of the VM certificate matches with the domain name of the application gateway.

+ > [!NOTE]

+ > A separate subnet will be defined for Application Gateway upon creation. For more information, see [Application Gateway infrastructure configuration](../application-gateway/configuration-infrastructure.md).

+1. Leave the remaining defaults and then select the **Review + create** button at the bottom of the page.

+1. On the **Create a virtual machine** page, you can see the details about the VM you are about to create. When you are ready, select **Create**.

+1. If you are creating a Linux VM and the **Generate new key pair** window opens, select **Download private key and create resource**. Your key file will be download as **myKey.pem**.

+1. When the deployment is finished, select **Go to resource**.

+

+**Next steps**

+In this article, you learned how to create a VM in an availability zone. Learn more about [availability](availability.md) for Azure VMs.

+ Title: Deploy Ephemeral OS disks

+description: Learn to deploy ephemeral OS disks for Azure VMs.

+# How to deploy Ephemeral OS disks for Azure VMs

+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

+This article shows you how to create a virtual machine or virtual machine scale sets with Ephemeral OS disks through Portal, ARM template deployment, CLI and PowerShell.

+## Portal

+In the Azure portal, you can choose to use ephemeral disks when deploying a virtual machine or virtual machine scale sets by opening the **Advanced** section of the **Disks** tab. For choosing placement of Ephemeral OS disk, select **OS cache placement** or **Temp disk placement**.

+

+

+If the option for using an ephemeral disk or OS cache placement or Temp disk placement is greyed out, you might have selected a VM size that doesn't have a cache/temp size larger than the OS image or that doesn't support Premium storage. Go back to the **Basics** page and try choosing another VM size.

+## Scale set template deployment

+The process to create a scale set that uses an ephemeral OS disk is to add the `diffDiskSettings` property to the

+`Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile` resource type in the template. Also, the caching policy must be set to `ReadOnly` for the ephemeral OS disk. placement can be changed to `CacheDisk` for OS cache disk placement.

+```json

+{

+ "type": "Microsoft.Compute/virtualMachineScaleSets",

+ "name": "myScaleSet",

+ "location": "East US 2",

+ "apiVersion": "2019-12-01",

+ "sku": {

+ "name": "Standard_DS2_v2",

+ "capacity": "2"

+ },

+ "properties": {

+ "upgradePolicy": {

+ "mode": "Automatic"

+ },

+ "virtualMachineProfile": {

+ "storageProfile": {

+ "osDisk": {

+ "diffDiskSettings": {

+ "option": "Local" ,

+ "placement": "ResourceDisk"

+ },

+ "caching": "ReadOnly",

+ "createOption": "FromImage"

+ },

+ "imageReference": {

+ "publisher": "Canonical",

+ "offer": "UbuntuServer",

+ "sku": "16.04-LTS",

+ "version": "latest"

+ }

+ },

+ "osProfile": {

+ "computerNamePrefix": "myvmss",

+ "adminUsername": "azureuser",

+ "adminPassword": "P@ssw0rd!"

+ }

+ }

+ }

+}

+```

+## VM template deployment

+You can deploy a VM with an ephemeral OS disk using a template. The process to create a VM that uses ephemeral OS disks is to add the `diffDiskSettings` property to Microsoft.Compute/virtualMachines resource type in the template. Also, the caching policy must be set to `ReadOnly` for the ephemeral OS disk. placement option can be changed to `CacheDisk` for OS cache disk placement.

+```json

+{

+ "type": "Microsoft.Compute/virtualMachines",

+ "name": "myVirtualMachine",

+ "location": "East US 2",

+ "apiVersion": "2019-12-01",

+ "properties": {

+ "storageProfile": {

+ "osDisk": {

+ "diffDiskSettings": {

+ "option": "Local" ,

+ "placement": "ResourceDisk"

+ },

+ "caching": "ReadOnly",

+ "createOption": "FromImage"

+ },

+ "imageReference": {

+ "publisher": "MicrosoftWindowsServer",

+ "offer": "WindowsServer",

+ "sku": "2016-Datacenter-smalldisk",

+ "version": "latest"

+ },

+ "hardwareProfile": {

+ "vmSize": "Standard_DS2_v2"

+ }

+ },

+ "osProfile": {

+ "computerNamePrefix": "myvirtualmachine",

+ "adminUsername": "azureuser",

+ "adminPassword": "P@ssw0rd!"

+ }

+ }

+ }

+```

+## CLI

+To use an ephemeral disk for a CLI VM deployment, set the `--ephemeral-os-disk` parameter in [az vm create](/cli/azure/vm#az_vm_create) to `true` and the `--ephemeral-os-disk-placement` parameter to `ResourceDisk` for temp disk placement or `CacheDisk` for cache disk placement and the `--os-disk-caching` parameter to `ReadOnly`.

+```azurecli-interactive

+az vm create \

+ --resource-group myResourceGroup \

+ --name myVM \

+ --image UbuntuLTS \

+ --ephemeral-os-disk true \

+ --ephemeral-os-disk-placement ResourceDisk \

+ --os-disk-caching ReadOnly \

+ --admin-username azureuser \

+ --generate-ssh-keys

+```

+For scale sets, you use the same `--ephemeral-os-disk true` parameter for [az-vmss-create](/cli/azure/vmss#az_vmss_create) and set the `--os-disk-caching` parameter to `ReadOnly` and the `--ephemeral-os-disk-placement` parameter to `ResourceDisk` for temp disk placement or `CacheDisk` for cache disk placement.

+## Reimage a VM using REST

+You can reimage a Virtual Machine instance with ephemeral OS disk using REST API as described below and via Azure portal by going to Overview pane of the VM. For scale sets, reimaging is already available through PowerShell, CLI, and the portal.

+```

+POST https://management.azure.com/subscriptions/{sub-

+id}/resourceGroups/{rgName}/providers/Microsoft.Compute/VirtualMachines/{vmName}/reimage?a pi-version=2019-12-01"

+```

+## PowerShell

+To use an ephemeral disk for a PowerShell VM deployment, use [Set-AzVMOSDisk](/powershell/module/az.compute/set-azvmosdisk) in your VM configuration. Set the `-DiffDiskSetting` to `Local` and `-Caching` to `ReadOnly` and `-DiffDiskPlacement` to `ResourceDisk`.

+```powershell

+Set-AzVMOSDisk -DiffDiskSetting Local -DiffDiskPlacement ResourceDisk -Caching ReadOnly

+```

+To use an ephemeral disk on cache disk for a PowerShell VM deployment, use [Set-AzVMOSDisk](/powershell/module/az.compute/set-azvmosdisk) in your VM configuration. Set the `-DiffDiskSetting` to `Local` , `-Caching` to `ReadOnly` and `-DiffDiskPlacement` to `CacheDisk`.

+```PowerShell

+Set-AzVMOSDisk -DiffDiskSetting Local -DiffDiskPlacement CacheDisk -Caching ReadOnly

+```

+For scale set deployments, use the [Set-AzVmssStorageProfile](/powershell/module/az.compute/set-azvmssstorageprofile) cmdlet in your configuration. Set the `-DiffDiskSetting` to `Local` , `-Caching` to `ReadOnly` and `-DiffDiskPlacement` to `ResourceDisk` or `CacheDisk`.

+```PowerShell

+Set-AzVmssStorageProfile -DiffDiskSetting Local -DiffDiskPlacement ResourceDisk -OsDiskCaching ReadOnly

+```

+## Next steps

+For more information on [Ephemeral OS disk](ephemeral-os-disks.md).

+| **Size limit for OS disk** | 2 TiB | Cache size or temp size for the VM size or 2040 GiB, whichever is smaller. For the **cache or temp size in GiB**, see [DS](sizes-general.md), [ES](sizes-memory.md), [M](sizes-memory.md), [FS](sizes-compute.md), and [GS](sizes-previous-gen.md#gs-series) |

+| **VM sizes supported** | All | VM sizes that support Premium storage such as DSv1, DSv2, DSv3, Esv3, Fs, FsV2, GS, M, Mdsv2, Bs, Dav4, Eav4 |

+## Placement options for Ephemeral OS disks

+Ephemeral OS disk can be stored either on VM's OS cache disk or VM's temp/resource disk.

+## Unsupported features

+- Capturing VM images

+- Disk snapshots

+- Azure Disk Encryption

+- Azure Backup

+- Azure Site Recovery

+- OS Disk Swap

+ ## Trusted Launch for Ephemeral OS disks (Preview)

+Ephemeral OS disks can be created with Trusted launch. Not all VM sizes and regions are supported for trusted launch. Please check [limitations of trusted launch](trusted-launch.md#limitations) for supported sizes and regions.

+VM guest state (VMGS) is specific to trusted launch VMs. It is a blob that is managed by Azure and contains the unified extensible firmware interface (UEFI) secure boot signature databases and other security information. While using trusted launch by default **1 GiB** from the **OS cache** or **temp storage** based on the chosen placement option is reserved for VMGS.The lifecycle of the VMGS blob is tied to that of the OS Disk.

+For example, If you try to create a Trusted launch Ephemeral OS disk VM using OS image of size 56 GiB with VM size [Standard_DS4_v2](dv2-dsv2-series.md) using temp disk placement you would get an error as

+**"OS disk of Ephemeral VM with size greater than 55 GB is not allowed for VM size Standard_DS4_v2 when the DiffDiskPlacement is ResourceDisk."**

+This is because the temp storage for [Standard_DS4_v2](dv2-dsv2-series.md) is 56 GiB, and 1 GiB is reserved for VMGS when using trusted launch.

+For the same example above if you create a standard Ephemeral OS disk VM you would not get any errors and it would be a successful operation.

+> [!NOTE]

+>

+> While using ephemeral disks for Trusted Launch VMs, keys and secrets generated or sealed by the vTPM after VM creation may not be persisted for operations like reimaging and platform events like service healing.

+>

+For more information on [how to deploy a trusted launch VM](trusted-launch-portal.md)

+Create a VM with ephemeral OS disk using [Azure Portal/CLI/Powershell/ARM template](ephemeral-os-disks-deploy.md).

+The Azure VM Agent for Windows is automatically upgraded on images deployed from the Azure Marketplace. The new versions are stored in Azure Storage, so please ensure you don't have firewalls blocking access. As new VMs are deployed to Azure, they receive the latest VM agent at VM provision time. If you have installed the agent manually or are deploying custom VM images you will need to manually update to include the new VM agent at image creation time.

+- FreeBSD 11.3 on the Azure Marketplace

+The following FreeBSD versions also include the [Azure VM Guest Agent](https://github.com/Azure/WALinuxAgent/), however, they are offered as images by the FreeBSD Foundation:

+- FreeBSD 11.4 on the Azure Marketplace

+- FreeBSD 12.2 on the Azure Marketplace

+- FreeBSD 13.0 on the Azure Marketplace

+ Title: 'Quickstart: Use a Bicep file to create an Ubuntu Linux VM'

+description: In this quickstart, you learn how to use a Bicep file to create a Linux virtual machine

+tags: azure-resource-manager, bicep

+# Quickstart: Create an Ubuntu Linux virtual machine using a Bicep file

+**Applies to:** :heavy_check_mark: Linux VMs

+This quickstart shows you how to use a Bicep file to deploy an Ubuntu Linux virtual machine (VM) in Azure.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/vm-simple-linux/).

+Several resources are defined in the Bicep file:

+- [**Microsoft.Network/virtualNetworks/subnets**](/azure/templates/Microsoft.Network/virtualNetworks/subnets): create a subnet.

+- [**Microsoft.Storage/storageAccounts**](/azure/templates/Microsoft.Storage/storageAccounts): create a storage account.

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/Microsoft.Network/networkInterfaces): create a NIC.

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/Microsoft.Network/networkSecurityGroups): create a network security group.

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/Microsoft.Network/virtualNetworks): create a virtual network.

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/Microsoft.Network/publicIPAddresses): create a public IP address.

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/Microsoft.Compute/virtualMachines): create a virtual machine.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminUsername=<admin-username>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -adminUsername "<admin-username>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<admin-username\>** with a unique username. You'll also be prompted to enter adminPasswordOrKey.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the VM and all of the resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+In this quickstart, you deployed a simple virtual machine using a Bicep file. To learn more about Azure virtual machines, continue to the tutorial for Linux VMs.

+> [!div class="nextstepaction"]

+> [Azure Linux virtual machine tutorials](./tutorial-manage-vm.md)

+[Ephemeral OS Disks](ephemeral-os-disks.md): Supported <br>

+² Local NVMe disks are ephemeral, data will be lost on these disks if you stop/deallocate your VM. Local NVMe disks aren't encrypted by [Azure Storage encryption](disk-encryption.md), even if you enable [encryption at host](disk-encryption.md#supported-vm-sizes).

+More information on Disks Types: [Disk Types](./disks-types.md#ultra-disks)

+- [Premium Storage caching](premium-storage-performance.md)

+| Standard_NC24ads_A100_v4 | 24 | 220 | 1123 | 1 | 80 | 12 | 30000/1000 | 2/20,000 |

+| Standard_NC48ads_A100_v4 | 48 | 440 | 2246 | 2 | 160 | 24 | 60000/2000 | 4/40,000 |

+| Standard_NC96ads_A100_v4 | 96 | 880 | 4492 | 4 | 320 | 32 | 120000/4000 | 8/80,000 |

+1. [Create a Load Balancer](../../../load-balancer/quickstart-load-balancer-standard-public-portal.md#create-load-balancer) to access the ports of the RHEL VM. Provide the required details to deploy the external Load Balancer and leave other configurations as default. Leave the SKU as Basic for the ELB configuration.

+2. Add Load Balancer rules - once the Load balancer has been created successfully, [create Load Balancer resources](../../../load-balancer/quickstart-load-balancer-standard-public-portal.md#create-load-balancer), then add Load Balancer rules to access ports 8080 and 9990 of the RHEL VM.

+* Expose the application using an [External Load Balancer](../../../load-balancer/quickstart-load-balancer-standard-public-portal.md#create-load-balancer) (ELB).

+As a pre-read to this document, you should have read the document [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md) plus other guides in the [SAP workload on Azure documentation](./get-started.md).

+| VM Name / Size |Db2 mount point |Azure Premium Disk |# of Disks |IOPS |Through-<br />put [MB/s] |Size [GB] |Burst IOPS |Burst Through-<br />put [GB] | Stripe size | Caching |

+|vCPU: 4 |/db2/```<SID>```/sapdata |P10 |2 |1,000 |200 |256 |7,000 |340 |256<br />KB |ReadOnly |

+| |/db2/```<SID>```/log_dir |P6 |2 |480 |100 |128 |7,000 |340 |64<br />KB ||

+| VM Name / Size |Db2 mount point |Azure Premium Disk |# of Disks |IOPS |Through-<br />put [MB/s] |Size [GB] |Burst IOPS |Burst Through-<br />put [GB] | Stripe size | Caching |

+| |/db2/```<SID>```/log_dir |P15 |2 |2,200 |250 |512 |7,000 |340 |64<br />KB ||

+| VM Name / Size |Db2 mount point |Azure Premium Disk |# of Disks |IOPS |Through-<br />put [MB/s] |Size [GB] |Burst IOPS |Burst Through-<br />put [GB] | Stripe size | Caching |

+| |/db2/```<SID>```/log_dir |P20 |2 |4,600 |300 |1.024 |7,000 |340 |64<br />KB ||

+| VM Name / Size |Db2 mount point |Azure Premium Disk |# of Disks |IOPS |Through-<br />put [MB/s] |Size [GB] |Burst IOPS |Burst Through-<br />put [GB] | Stripe size | Caching |

+| |/db2/```<SID>```/log_dir |P20 |4 |9,200 |600 |2.048 |14,000 |680 |64<br />KB ||

+| VM Name / Size |Db2 mount point |Azure Premium Disk |# of Disks |IOPS |Through-<br />put [MB/s] |Size [GB] |Burst IOPS |Burst Through-<br />put [GB] | Stripe size | Caching |

+| |/db2/```<SID>```/log_dir |P30 |4 |20,000 |800 |4.096 |20,000 |800 |64<br />KB |Write-<br />Accelerator |

+mount -t nfs -o rw,hard,sync,rsize=262144,wsize=262144,sec=sys,vers=4.1,tcp 172.17.10.4:/db2shared /mnt

+mount -t nfs -o rw,hard,sync,rsize=262144,wsize=262144,sec=sys,vers=4.1,tcp 172.17.10.4:/db2data /mnt

+mount -t nfs -o rw,hard,sync,rsize=262144,wsize=262144,sec=sys,vers=4.1,tcp 172.17.10.4:/db2log /mnt

+mount -t nfs -o rw,hard,sync,rsize=262144,wsize=262144,sec=sys,vers=4.1,tcp 172.17.10.4:/db2backup /mnt

+- March 15, 2022: Corrected rsize and wsize mount option settings for ANF in [IBM Db2 Azure Virtual Machines DBMS deployment for SAP workload](./dbms_guide_ibm.md)