+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.

+* You need [Domain Services Contributor](../role-based-access-control/built-in-roles.md#contributor) Azure role to create the required Azure AD DS resources.

+[powershell-gallery]: https://www.powershellgallery.com/

+ The user account you specify needs [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS and [Domain Services Contributor](../role-based-access-control/built-in-roles.md#contributor) Azure role to create the required Azure AD DS resources.

+[powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to change the Azure AD DS synchronization scope.

+[Connect-AzureAD]: /powershell/module/azuread/connect-azuread

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to change the Azure AD DS synchronization scope.

+[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.

+[New-AzResourceGroupDeployment]: /powershell/module/Az.Resources/New-AzResourceGroupDeployment

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable secure LDAP.

+[New-SelfSignedCertificate]: /powershell/module/pki/new-selfsignedcertificate

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.

+[network-considerations]: network-considerations.md

+In this tutorial, you create and configure the outbound forest trust from Azure AD DS using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com). You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to modify an Azure AD DS instance.

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.

+<!-- EXTERNAL LINKS -->

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.

+[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix

+To validate the data returned by your OData API endpoint for a specific `personIdExternal`, update the `SuccessFactorsAPIEndpoint` in the API query below with your API data center server URL and use a tool like [Postman](https://www.postman.com/downloads/) to invoke the query. If the "in" filter does not work, you can try the "eq" filter.

+* [Handling worker conversion and rehire scenario](#handling-worker-conversion-and-rehire-scenario)

+* [Retrieving position details](#retrieving-position-details)

+* [Provisioning users in the Onboarding module](#provisioning-users-in-the-onboarding-module)

+### Handling worker conversion and rehire scenario

+**About worker conversion scenario:** Worker conversion is the process of converting an existing full-time employee to a contractor or a contractor to full-time. In this scenario, Employee Central adds a new *EmpEmployment* entity along with a new *User* entity for the same *Person* entity. The *User* entity nested under the previous *EmpEmployment* entity is set to null.

+**About rehire scenario:** In SuccessFactors, there are two options to process rehires:

+* Option 1: Create a new person profile in Employee Central

+* Option 2: Reuse existing person profile in Employee Central

+If your HR process uses Option 1, then no changes are required to the provisioning schema.

+If your HR process uses Option 2, then Employee Central adds a new *EmpEmployment* entity along with a new *User* entity for the same *Person* entity.

+To handle both these scenarios so that the new employment data shows up when a conversion or rehire occurs, you can bulk update the provisioning app schema using the steps listed below:

+ >

+1. In the replace text box, copy, and paste the value `$.employmentNav.results[?(@.assignmentClass == 'ST')]`. Note the whitespace surrounding the == operator, which is important for successful processing of the JSONPath expression.

+1. For guidance regarding JSONPath settings, refer to the section [Handling worker conversion and rehire scenario](#handling-worker-conversion-and-rehire-scenario) to ensure the *userId* value of the active employment record flows into Azure AD.

+>[!NOTE]

+>Future-dated hires in Workday have the Active field set to "0" and it changes to "1" on the hire date. The connector by design queries for future-hire information effective on the date of hire and that is why it always gets future hire Worker profile with Active field set to "1". This allows you to setup the Azure AD profile for future hires in advance with the all the right information pre-populated. If you'd like to delay the enabling of the Azure AD account for future hires, use the transformation function [DateDiff](functions-for-customizing-application-data.md#datediff).

+This section covers how you can customize the provisioning app for the following HR scenarios:

+* [Support for worker conversions](#support-for-worker-conversions)

+* [Retrieving international job assignments and secondary job details](#retrieving-international-job-assignments-and-secondary-job-details)

+1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs.

+- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)

+- [Enabling limited access with Exchange Online](/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-worldwide#limit-access-to-exchange-online-from-outlook-on-the-web)

+1. Under **Access controls** > select **Block Access**, and click **Select**.

+### Network connectivity requirements

+- [Use Conditional Access to require compliant or hybrid Azure AD joined device](../conditional-access/howto-conditional-access-policy-compliant-device.md)

+1. The [sensitivity label scope](/microsoft-365/compliance/sensitivity-labels?preserve-view=true&view=o365-worldwide#label-scopes) must be configured for Groups & Sites.

+4. The current signed-in user must be within the scope of the [sensitivity label publishing policy](/microsoft-365/compliance/sensitivity-labels?preserve-view=true&view=o365-worldwide#what-label-policies-can-do)

+- [Manage groups using PowerShell commands](../enterprise-users/groups-settings-v2-cmdlets.md)

+When you assign licenses directly to individual users, without using group-based licensing, the assignment operation might fail for reasons that are related to business logic. For example, there might be an insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. The problem is immediately reported back to you.

+ - **Global privacy contact.** Type the email address for the person to contact for inquiries about personal data privacy. This person is also who Microsoft contacts if there's a data breach related to Azure Active Directory services . If there's no person listed here, Microsoft contacts your global administrators. For Microsoft 365 related privacy incident notifications please see [Microsoft 365 Message center FAQs](/microsoft-365/admin/manage/message-center?preserve-view=true&view=o365-worldwide#frequently-asked-questions)

+- [Add or change profile information for a user in Azure Active Directory](active-directory-users-profile-azure-portal.md)

+* [Log in to a Linux® VM with Azure Active Directory credentials - Azure Virtual Machines ](../devices/howto-vm-sign-in-azure-ad-linux.md)

+* [Integrate with Azure Active Directory (akamai.com)](https://learn.akamai.com/en-us/webhelp/enterprise-application-access/enterprise-application-access/GUID-6B16172C-86CC-48E8-B30D-8E678BF3325F.html)

+[Multi-tenant synchronization from Active Directory](../hybrid/plan-connect-topologies.md#multiple-azure-ad-tenants)

+You can also find the documentation of all the applications from here: [https://aka.ms/AppsTutorial](../saas-apps/tutorial-list.md),

+For listing your application in the Azure AD app gallery, please read the details here: [https://aka.ms/AzureADAppRequest](../manage-apps/v2-howto-app-gallery-listing.md)

+>A best practice is to avoid using on-premises synced accounts for Azure AD role assignments. If the on premises account is compromised, this can be used to compromise your Azure AD resources as well. For a complete list of best practices refer to [Best practices for Azure AD roles](../roles/best-practices.md)

+For more information about other common topics, see [Azure AD Connect sync: Scheduler](how-to-connect-sync-feature-scheduler.md) and [Integrate your on-premises identities with Azure AD](whatis-hybrid-identity.md).

+* It is not supported to configure hybrid experiences that utilize forest level configuration in AD, such as Seamless SSO and Hybrid Azure AD Join (non-targeted approach), with more than one tenant. Doing so would overwrite the configuration of the other tenant, making it no longer usable. You can find additional information in [Plan your hybrid Azure Active Directory join deployment](../devices/hybrid-azuread-join-plan.md#hybrid-azure-ad-join-for-single-forest-multiple-azure-ad-tenants).

+Learn more about [integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

+- Improved Zero trust governance through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+Despite these great value adds, classic VPNs do however remain network orientated, often providing little to zero fine grained access to corporate applications. For this reason, we encourage moving to a more Identity centric approach at achieving Zero Trust [access on a per application basis](../fundamentals/five-steps-to-full-application-integration-with-azure-ad.md).

+Setting up a SAML federation trust between the BIG-IP allows the Azure AD BIG-IP to hand off the pre-authentication and [Conditional Access](../conditional-access/overview.md) to Azure AD, before granting access to the published VPN service.

+- [Five steps to full application integration with Azure AD](../fundamentals/five-steps-to-full-application-integration-with-azure-ad.md)

+- [Microsoft Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

+- Improved Zero Trust governance through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+* [What is Conditional Access?](../conditional-access/overview.md)

+* [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

+- Improved Zero trust governance through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+access](../conditional-access/overview.md) to Azure AD, before granting access to the published service.

+- [What is Conditional Access?](../conditional-access/overview.md)

+ work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

+ * [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)

+For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this F5 knowledge article on [LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html).

+* Improved Zero Trust governance through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+* [What is Conditional Access?](../conditional-access/overview.md)

+* [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

+* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)

+See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

+* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)

+For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this F5 knowledge article on [LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html).

+* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+To learn about all the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

+Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)

+For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this [F5 knowledge article on LDAP Query](https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ldap-query.html).

+* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+To learn about all the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

+Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)

+See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

+* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+To learn about all the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

+> Organizations can also gain remote access to this type of application with [Azure AD Application Proxy](../app-proxy/application-proxy.md).

+See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

+* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)

+See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

+1. Select **Access control (IAM)**.

+1. Choose **Add role assignment**.

+

+ 

+1. In the **Add role assignment** pane, choose the role to assign and choose **Next**.

+1. Choose who should have the role assigned.

+- For guidance on blocking legacy authentication in your environment, see [Block legacy authentication to Azure AD with conditional access](../conditional-access/block-legacy-authentication.md).

+- Many email protocols that once relied on legacy authentication now support more secure modern authentication methods. If you see legacy email authentication protocols in this workbook, consider migrating to modern authentication for email instead. For more information, see [Deprecation of Basic authentication in Exchange Online](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online).

+- Some clients can use both legacy authentication or modern authentication depending on client configuration. If you see ΓÇ£modern mobile/desktop clientΓÇ¥ or ΓÇ£browserΓÇ¥ for a client in the Azure AD logs, it is using modern authentication. If it has a specific client or protocol name, such as ΓÇ£Exchange ActiveSyncΓÇ¥, it is using legacy authentication to connect to Azure AD. The client types in conditional access, and the Azure AD reporting page in the Azure Portal demarcate modern authentication clients and legacy authentication clients for you, and only legacy authentication is captured in this workbook.

+- [AzureAD](https://www.powershellgallery.com/packages/AzureAD) (current version)

+2.0.2.140 AzureAD PSGallery Azure Active Directory V2 General Availability M...

+ Binary 2.0.2.140 AzureAD {Add-AzureADApplicationOwner, Add-AzureADDeviceRegisteredO...

+- [AzureADPreview](https://www.powershellgallery.com/packages/AzureADPreview) (current version)

+2.0.2.149 AzureADPreview PSGallery Azure Active Directory V2 Preview Module. ...

+ Binary 2.0.2.149 AzureADPreview {Add-AzureADAdministrativeUnitMember, Add-AzureADApplicati...

+ Title: 'Tutorial: Azure AD SSO integration with ArcGIS Enterprise'

+# Tutorial: Azure AD SSO integration with ArcGIS Enterprise

+ a. In the **Identifier** text box, type a value using the following pattern:

+ `https://<EXTERNAL_DNS_NAME>/portal/sharing/rest/oauth2/saml/signin`

+* Kion supports **IDP** initiated SSO.

+## Add Kion (formerly cloudtamer.io) from the gallery

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+1. On the **Basic SAML Configuration** section, perform the following steps:

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Kion for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Kion tile in the My Apps, you should be automatically signed in to the Kion for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+ Title: 'Tutorial: Azure AD SSO integration with DocuSign'

+# Tutorial: Azure AD SSO integration with DocuSign

+## Add DocuSign from the gallery

+1. In the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** textbox, type a URL using the following pattern:

+ b. In the **Reply URL** textbox, type a URL using one of the following patterns:

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<subdomain>.docusign.com/organizations/<OrganizationID>/saml2/login/sp/<IDPID>`

+ > These bracketed values are placeholders. Replace them with the values in the actual Identifier, Reply URL and Sign on URL. These details are explained in the "View SAML 2.0 Endpoints" section later in this tutorial.

+ e. For **Send AuthN request by**, select **POST**.

+ f. For **Send logout request by**, select **GET**.

+ g. In the **Custom Attribute Mapping** section, select **ADD NEW MAPPING**.

+ h. Choose the field you want to map to the Azure AD claim. In this example, the **emailaddress** claim is mapped with the value of `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`. That's the default claim name from Azure AD for the email claim. Select **SAVE**.

+ i. In the **Identity Provider Certificates** section, select **ADD CERTIFICATE**, upload the certificate you downloaded from Azure AD portal, and select **SAVE**.

+ j. In the **Identity Providers** section, select **ACTIONS**, and then select **Endpoints**.

+ k. In the **View SAML 2.0 Endpoints** section of the DocuSign admin portal, follow these steps:

+* Click on **Test this application** in Azure portal. This will redirect to DocuSign Sign-on URL where you can initiate the login flow.

+* Go to DocuSign Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the DocuSign tile in the My Apps, you should be automatically signed in to the DocuSign for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+[56]: ./media/docusign-tutorial/request.png

+ Title: 'Tutorial: Azure AD SSO integration with Sage Intacct'

+# Tutorial: Azure AD SSO integration with Sage Intacct

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Sage Intacct from the gallery

+To configure and test Azure AD SSO with Sage Intacct, perform the following steps:

+## Configure Azure AD SSO

+1. On the **Basic SAML Configuration** section, perform the following step:

+ In the **Reply URL** text box, type one of the following URLs:

+ | `https://www-p02.intacct.com/ia/acct/sso_response.phtml` |

+ | `https://www-p03.intacct.com/ia/acct/sso_response.phtml` |

+ | `https://www-p04.intacct.com/ia/acct/sso_response.phtml` |

+ | `https://www-p05.intacct.com/ia/acct/sso_response.phtml` |

+* Click on Test this application in Azure portal and you should be automatically signed in to the Sage Intacct for which you set up the SSO.

+Once you configure Sage Intacct you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with Netskope Administrator Console'

+# Tutorial: Azure AD SSO integration with Netskope Administrator Console

+* Control in Azure AD who has access to Netskope Administrator Console.

+* Enable your users to be automatically signed-in to Netskope Administrator Console with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Netskope Administrator Console single sign-on (SSO) enabled subscription.

+* Netskope Administrator Console supports **SP and IDP** initiated SSO.

+* Netskope Administrator Console supports just-in-time user provisioning.

+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:

+In this section, a user called B.Simon is created in Netskope Administrator Console. Netskope Administrator Console supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Netskope Administrator Console, a new one is created after authentication.

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Netskope Administrator Console Sign on URL where you can initiate the login flow.

+* Go to Netskope Administrator Console Sign-on URL directly and initiate the login flow from there.

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Netskope Administrator Console for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Netskope Administrator Console tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Netskope Administrator Console for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+Once you configure Netskope Administrator Console you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+Executive order [14028, Improving the NationΓÇÖs Cyber Security](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity), directs federal agencies on advancing security measures that dramatically reduce the risk of successful cyber attacks against the federal governmentΓÇÖs digital infrastructure. On January 26, 2022, the [Office of Management and Budget (OMB)](https://www.whitehouse.gov/omb/) released the Federal Zero Trust Strategy [Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) in support of EO 14028.

+| Azure Virtual Desktop| Enable [Azure virtual desktop for Azure AD sign-in](/azure/architecture/example-scenario/wvd/azure-virtual-desktop-azure-active-directory-join) |

+[Securing identity with Zero Trust](/security/zero-trust/deploy/identity)

+Learn more about [Virtual machine - LowUsageVmV2 (Right-size or shutdown underutilized virtual machines)](/azure/advisor/advisor-cost-recommendations#optimize-virtual-machine-spend-by-resizing-or-shutting-down-underutilized-instances).

+Learn more about [Disk - DeleteOrDowngradeUnattachedDisks (You have disks which have not been attached to a VM for more than 30 days. Please evaluate if you still need the disk.)](../virtual-machines/disks-find-unattached-portal.md).

+Learn more about [Cosmos DB account - CosmosDBFreeTierOverage (Review the configuration of your Azure Cosmos DB free tier account)](../cosmos-db/understand-your-bill.md#azure-free-tier).

+Learn more about [Cosmos DB account - CosmosDBAutoscaleRecommendations (Enable autoscale on your Azure Cosmos DB database or container)](../cosmos-db/provision-throughput-autoscale.md).

+Learn more about [Cosmos DB account - CosmosDBMigrateToManualThroughputFromAutoscale (Configure manual throughput instead of autoscale on your Azure Cosmos DB database or container)](../cosmos-db/how-to-choose-offer.md).

+Learn more about [Data explorer resource - ADX Unused resource (Unused/Empty Data Explorer resources)](/azure/data-explorer/azure-advisor#azure-data-explorer-unused-cluster).

+Learn more about [Data explorer resource - Right-size for cost (Right-size Data Explorer resources for optimal cost)](/azure/data-explorer/azure-advisor#correctly-size-azure-data-explorer-clusters-to-optimize-cost).

+Learn more about [Data explorer resource - ReduceCacheForAzureDataExplorerTables (Reduce Data Explorer table cache policy to optimize costs)](/azure/data-explorer/kusto/management/cachepolicy).

+Learn more about [Data explorer resource - StopUnusedClustersWithData (Unused Data Explorer resources with data)](/azure/data-explorer/azure-advisor#azure-data-explorer-clusters-containing-data-with-low-activity).

+Learn more about [Data explorer resource - RunCleanupCommandForAzureDataExplorer (Cleanup unused storage in Data Explorer resources)](/azure/data-explorer/kusto/management/clean-extent-containers).

+Learn more about [Data explorer resource - EnableOptimizedAutoscaleAzureDataExplorer (Enable optimized autoscale for Data Explorer resources)](/azure/data-explorer/manage-cluster-horizontal-scaling#optimized-autoscale).

+Learn more about [Recovery Services vault - Optimize costs of database backup (Use differential or incremental backup for database workloads)](/azure/backup/sap-hana-faq-backup-azure-vm#policy).

+Learn more about [Subscription - CosmosDBReservedCapacity (Consider Cosmos DB reserved instance to save over your pay-as-you-go costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - SQLReservedCapacity (Consider SQL PaaS DB reserved instance to save over your pay-as-you-go costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - AppServiceReservedCapacity (Consider App Service stamp fee reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - MariaDBSQLReservedCapacity (Consider Database for MariaDB reserved instance to save over your pay-as-you-go costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - MySQLReservedCapacity (Consider Database for MySQL reserved instance to save over your pay-as-you-go costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - PostgreSQLReservedCapacity (Consider Database for PostgreSQL reserved instance to save over your pay-as-you-go costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - RedisCacheReservedCapacity (Consider Cache for Redis reserved instance to save over your pay-as-you-go costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - SQLDWReservedCapacity (Consider Azure Synapse Analytics (formerly SQL DW) reserved instance to save over your pay-as-you-go costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - BlobReservedCapacity ((Preview) Consider Blob storage reserved instance to save on Blob v2 and Datalake storage Gen2 costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - DataExplorerReservedCapacity ((Preview) Consider Azure Data explorer reserved capacity to save over your pay-as-you-go costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - AzureDedicatedHostReservedCapacity (Consider Azure Dedicated Host reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - DataFactorybReservedCapacity (Consider Data Factory reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - AzureDataExplorerReservedCapacity (Consider Azure Data Explorer reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - AzureFilesReservedCapacity (Consider Azure Files reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - AzureVMwareSolutionReservedCapacity (Consider Azure VMware Solution reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - DataBricksReservedCapacity ((Preview) Consider Databricks reserved capacity to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - NetAppStorageReservedCapacity (Consider NetApp Storage reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - AzureManagedDiskReservedCapacity (Consider Azure Managed Disk reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - RedHatReservedCapacity (Consider Red Hat reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - RedHatOsaReservedCapacity (Consider RedHat Osa reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - SapHanaReservedCapacity (Consider SapHana reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - SuseLinuxReservedCapacity (Consider SuseLinux reserved instance to save over your on-demand costs)](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Subscription - VMwareCloudSimpleReservedCapacity (Consider VMware Cloud Simple reserved instance )](../cost-management-billing/reservations/reserved-instance-purchase-recommendations.md).

+Learn more about [Synapse workspace - EnableSynapseSparkComputeAutoPauseGuidance (Consider enabling autopause feature on spark compute.)](/dotnet/api/microsoft.azure.management.synapse.models.autopauseproperties).

+Learn more about [Synapse workspace - EnableSynapseSparkComputeAutoScaleGuidance (Consider enabling autoscale feature on spark compute.)](../synapse-analytics/spark/apache-spark-autoscale.md).

+Learn more about [Cost Optimization - Microsoft Azure Well Architected Framework](/azure/architecture/framework/cost/overview)

+Learn more about [Spring Cloud Service - SpringCloudUpgradeOutdatedSDK (Update your outdated Azure Spring Cloud SDK to the latest version)](../spring-cloud/index.yml).

+Learn more about [Spring Cloud Service - UpgradeAzureSpringCloudAPI (Update Azure Spring Cloud API Version)](../spring-cloud/index.yml).

+Learn more about [Automation account - SSV1_Upgrade (Upgrade to Start/Stop VMs v2)](../azure-functions/start-stop-vms/overview.md).

+Learn more about [Batch account - OldPool (Recreate your pool to get the latest node agent features and fixes)](../batch/best-practices.md#pool-lifetime-and-billing).

+Learn more about [Batch account - RecreatePool (Delete and recreate your pool to remove a deprecated internal component)](/azure/batch/best-practices#pool-lifetime-and-billing).

+Learn more about [Batch account - UpgradeAPI (Upgrade to the latest API version to ensure your Batch account remains operational.)](/rest/api/batchservice/batch-api-status#rest-api-deprecation-status-and-upgrade-instructions).

+Learn more about [Batch account - EolImage (Recreate your pool with a new image)](/azure/batch/batch-pool-vm-sizes#supported-vm-images).

+Learn more about [Cognitive Service - ImmersiveReaderSDKRecommendation (Upgrade to the latest version of the Immersive Reader SDK)](../applied-ai-services/immersive-reader/index.yml).

+Learn more about [Virtual machine - IncreaseQuotaExperiment (Increase the number of compute resources you can deploy by 10 vCPU)](../azure-resource-manager/management/azure-subscription-service-limits.md).

+Learn more about [Virtual machine - GetVmListANDisabled (NVA Accelerated Networking enabled but potentially not working.)](../virtual-network/create-vm-accelerated-networking-cli.md).

+Learn more about [Kubernetes service - UpdateServicePrincipal (Update cluster's service principal)](../aks/update-credentials.md).

+Learn more about [Kubernetes service - MonitoringAddonWorkspaceIsDeleted (Monitoring addon workspace is deleted)](/azure/azure-monitor/containers/container-insights-optout#azure-cli).

+Learn more about [Kubernetes service - EnableClusterAutoscaler (Enable the Cluster Autoscaler)](../aks/cluster-autoscaler.md).

+Learn more about [Kubernetes service - NodeSubnetIsFull (The AKS node pool subnet is full)](../aks/use-multiple-node-pools.md#add-a-node-pool-with-a-unique-subnet-preview).

+Learn more about [Kubernetes service - UseEphemeralOSdisk (Use Ephemeral OS disk)](../aks/cluster-configuration.md#ephemeral-os).

+Learn more about [Kubernetes service - UseUptimeSLA (Use Uptime SLA)](../aks/uptime-sla.md).

+Learn more about [Host Pool - ValidationEnvHostPools (No validation environment enabled)](../virtual-desktop/create-validation-host-pool.md).

+Learn more about [Host Pool - ProductionEnvHostPools (Not enough production environments enabled)](../virtual-desktop/create-host-pools-powershell.md).

+Learn more about [Cosmos DB account - CosmosDBAttachments (Migrate Azure Cosmos DB attachments to Azure Blob Storage)](../cosmos-db/attachments.md#migrating-attachments-to-azure-blob-storage).

+Learn more about [Cosmos DB account - CosmosDBMigrateToContinuousBackup (Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup)](../cosmos-db/continuous-backup-restore-introduction.md).

+Learn more about [Alert Rule - ScheduledQueryRulesLogAlert (Repair your log alert rule)](/azure/azure-monitor/alerts/alerts-troubleshoot-log#query-used-in-a-log-alert-is-not-valid).

+Learn more about [Alert Rule - ScheduledQueryRulesRp (Log alert rule was disabled)](/azure/azure-monitor/alerts/alerts-troubleshoot-log#query-used-in-a-log-alert-is-not-valid).

+Learn more about [Managed HSM Service - CreateHSMBackup (Create a backup of HSM)](../key-vault/managed-hsm/best-practices.md#backup).

+Learn more about [Data explorer resource - ReduceCacheForAzureDataExplorerTablesOperationalExcellence (Reduce the cache policy on your Data Explorer tables)](/azure/data-explorer/kusto/management/cachepolicy).

+Learn more about [Application gateway - AppGwAdvisorRecommendationForKeyVaultErrors (Resolve Azure Key Vault issue for your Application Gateway)](../application-gateway/application-gateway-key-vault-common-errors.md).

+Learn more about [Application gateway - AppgwRestrictedSubnetSpace (Application Gateway does not have enough capacity to scale out)](../application-gateway/application-gateway-faq.yml#can-i-change-the-virtual-network-or-subnet-for-an-existing-application-gateway).

+Learn more about [Network Security Group - NSGFlowLogsenableTA (Enable Traffic Analytics to view insights into traffic patterns across Azure resources)](../network-watcher/traffic-analytics.md).

+Learn more about [SQL virtual machine - UpgradeToFullMode (SQL IaaS Agent should be installed in full mode)](../azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management.md?tabs=azure-powershell).

+Learn more about [Storage Account - StorageAccountScaleTarget (Prevent hitting subscription limit for maximum storage accounts)](/azure/storage/blobs/storage-performance-checklist#what-to-do-when-approaching-a-scalability-target).

+Learn more about [Subscription - AzureApplicationService (Set up staging environments in Azure App Service)](../app-service/deploy-staging-slots.md).

+Learn more about [Subscription - AddTagPolicy (Enforce 'Add or replace a tag on resources' using Azure Policy)](../governance/policy/overview.md).

+Learn more about [Subscription - AllowedLocationsPolicy (Enforce 'Allowed locations' using Azure Policy)](../governance/policy/overview.md).

+Learn more about [Subscription - AuditForManagedDisksPolicy (Enforce 'Audit VMs that do not use managed disks' using Azure Policy)](../governance/policy/overview.md).

+Learn more about [Subscription - AllowedVirtualMachineSkuPolicy (Enforce 'Allowed virtual machine SKUs' using Azure Policy)](../governance/policy/overview.md).

+Learn more about [Subscription - InheritTagPolicy (Enforce 'Inherit a tag from the resource group' using Azure Policy)](../governance/policy/overview.md).

+Learn more about [Subscription - OnboardCSPSubscriptionsToLighthouse (Use Azure Lighthouse to simply and securely manage customer subscriptions at scale)](../lighthouse/concepts/cloud-solution-provider.md).

+Learn more about [App service - AzureAppService-StagingEnv (Set up staging environments in Azure App Service)](../app-service/deploy-staging-slots.md).

+Learn more about [Operational Excellence - Microsoft Azure Well Architected Framework](/azure/architecture/framework/devops/overview)

+Learn more about [AVS Private cloud - vSANCapacity (vSAN capacity utilization has crossed critical threshold)](../azure-vmware/concepts-private-clouds-clusters.md).

+Learn more about [Redis Cache Server - RedisCacheConnectedClients (Improve your Cache and application performance when running with many connected clients)](/azure/azure-cache-for-redis/cache-faq#performance-considerations-around-connections).

+Learn more about [Cognitive Service - UpgradeToLatestAPILanguage (Upgrade to the latest API version of Azure Cognitive Service for Language)](../cognitive-services/language-service/overview.md).

+Learn more about [Cognitive Service - UpgradeToLatestSDKLanguage (Upgrade to the latest Cognitive Service Language SDK version)](../cognitive-services/language-service/overview.md).

+Learn more about [Communication service - UpgradeChatSdk (Use recommended version of Chat SDK)](../communication-services/concepts/chat/sdk-features.md).

+Learn more about [Communication service - UpgradeResourceManagerSdk (Use recommended version of Resource Manager SDK)](../communication-services/quickstarts/create-communication-resource.md?pivots=platform-net&tabs=windows).

+Learn more about [Communication service - UpgradeIdentitySdk (Use recommended version of Identity SDK)](../communication-services/concepts/sdk-options.md).

+Learn more about [Communication service - UpgradePhoneNumbersSdk (Use recommended version of Phone Numbers SDK)](../communication-services/concepts/sdk-options.md).

+Learn more about [Communication service - UpgradeCallingSdk (Use recommended version of Calling SDK)](../communication-services/concepts/voice-video-calling/calling-sdk-features.md).

+Learn more about [Communication service - UpgradeServerCallingSdk (Use recommended version of Call Automation SDK)](../communication-services/concepts/voice-video-calling/call-automation-apis.md).

+Learn more about [Communication service - UpgradeTurnSdk (Use recommended version of Network Traversal SDK)](../communication-services/concepts/sdk-options.md).

+Learn more about [Virtual machine - RegionProximitySessionHosts (Improve user experience and connectivity by deploying VMs closer to userΓÇÖs location.)](../virtual-desktop/connection-latency.md).

+Learn more about [Virtual machine - NVAHighCPU (Consider increasing the size of your NVA to address persistent high CPU)](../virtual-machines/sizes.md).

+Learn more about [Virtual machine - ManagedDisksStorageAccount (Use Managed disks to prevent disk I/O throttling)](../virtual-machines/managed-disks-overview.md).

+Learn more about [Virtual machine - AccelNetConfiguration (Enable Accelerated Networking to improve network performance and latency)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - BarracudaNVAAccelNet (Barracuda Networks NextGen Firewall may experience high CPU utilization, reduced throughput and high latency.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - AristaNVAAccelNet (Arista Networks vEOS Router may experience high CPU utilization, reduced throughput and high latency.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - CiscoCSRNVAAccelNet (Cisco Cloud Services Router 1000V may experience high CPU utilization, reduced throughput and high latency.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - PaloAltoNVAAccelNet (Palo Alto Networks VM-Series Firewall may experience high CPU utilization, reduced throughput and high latency.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - NetAppNVAAccelNet (NetApp Cloud Volumes ONTAP may experience high CPU utilization, reduced throughput and high latency.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - AristaVeosANUpgradeRecommendation (Update to the latest version of your Arista VEOS product for Accelerated Networking support.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - BarracudaNgANUpgradeRecommendation (Update to the latest version of your Barracuda NG Firewall product for Accelerated Networking support.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - Cisco1000vANUpgradeRecommendation (Update to the latest version of your Cisco Cloud Services Router 1000V product for Accelerated Networking support.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - F5BigIpANUpgradeRecommendation (Update to the latest version of your F5 BigIp product for Accelerated Networking support.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - NetAppANUpgradeRecommendation (Update to the latest version of your NetApp product for Accelerated Networking support.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - PaloAltoFWANUpgradeRecommendation (Update to the latest version of your Palo Alto Firewall product for Accelerated Networking support.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - CheckPointCGANUpgradeRecommendation (Update to the latest version of your Check Point product for Accelerated Networking support.)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - AccelNetDisengaged (Accelerated Networking may require stopping and starting the VM)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

+Learn more about [Virtual machine - NvaMaxFlowLimit (NVA may see traffic loss due to hitting the maximum number of flows.)](../virtual-network/virtual-machine-network-throughput.md).

+Learn more about [Virtual machine - AzureStorageVmUltraDisk (Take advantage of Ultra Disk low latency for your log disks and improve your database workload performance.)](../virtual-machines/disks-enable-ultra-ssd.md?tabs=azure-portal).

+Learn more about [Kubernetes service - UnsupportedKubernetesVersionIsDetected (Unsupported Kubernetes version is detected)](../aks/supported-kubernetes-versions.md).

+Learn more about [Data factory trigger - ADFThrottledTriggers (Review your throttled Data Factory Triggers)](../data-factory/how-to-create-event-trigger.md).

+Learn more about [MariaDB server - OrcasMariaDBAuditLog (Increase the reliability of audit logs)](../mariadb/concepts-audit-logs.md).

+Learn more about [MySQL server - OrcasMySQLAuditLog (Increase the reliability of audit logs)](../mysql/concepts-audit-logs.md).

+Learn more about [MySQL server - OrcasMySQLConnectionRedirection (Improve MySQL connection latency)](../mysql/howto-redirection.md).

+Learn more about [PostgreSQL server - OrcasPostgreSqlReadReplica (Add a PostgreSQL Read Replica server)](../postgresql/howto-read-replicas-portal.md).

+Learn more about [PostgreSQL server - OrcasPostgreSqlStatStatementsTrack (Optimize query statistics collection on an Azure Database for PostgreSQL)](../postgresql/howto-optimize-query-stats-collection.md).

+Learn more about [PostgreSQL server - OrcasPostgreSqlQueryCaptureMode (Optimize query store on an Azure Database for PostgreSQL when not troubleshooting)](../postgresql/concepts-query-store.md).

+Learn more about [PostgreSQL server - OrcasPostgreSqlFlexibleServerStorageLimit (Increase the storage limit for PostgreSQL Flexible Server)](../postgresql/flexible-server/concepts-limits.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasMeruMeruLogStatement (Optimize log_statement settings for PostgreSQL on Azure Database)](../postgresql/flexible-server/concepts-logging.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasMeruIntelligentTuning (Improve PostgreSQL - Flexible Server performance by enabling Intelligent tuning)](../postgresql/flexible-server/concepts-intelligent-tuning.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasMeruMeruLogDuration (Optimize log_duration settings for PostgreSQL on Azure Database)](../postgresql/flexible-server/concepts-logging.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasMeruMeruLogMinDuration (Optimize log_min_duration settings for PostgreSQL on Azure Database)](../postgresql/flexible-server/concepts-logging.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasMeruMeruQueryCaptureMode (Optimize pg_qs.query_capture_mode settings for PostgreSQL on Azure Database)](../postgresql/flexible-server/concepts-query-store-best-practices.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasMeruOrcasPostgreSQLConnectionPooling (Optimize PostgreSQL performance by enabling PGBouncer)](../postgresql/flexible-server/concepts-pgbouncer.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasMeruMeruLogErrorVerbosity (Optimize log_error_verbosity settings for PostgreSQL on Azure Database)](../postgresql/flexible-server/concepts-logging.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasPostgreSqlMeruMigration (Migrate your database from SSPG to FSPG)](../postgresql/how-to-upgrade-using-dump-and-restore.md).

+Learn more about [Host Pool - RegionProximityHostPools (Improve user experience and connectivity by deploying VMs closer to userΓÇÖs location.)](../virtual-desktop/connection-latency.md).

+Learn more about [Host Pool - ChangeMaxSessionLimitForDepthFirstHostPool (Change the max session limit for your depth first load balanced host pool to improve VM performance )](../virtual-desktop/configure-host-pool-load-balancing.md).

+Learn more about [Cosmos DB account - CosmosDBOrderByHighRUCharge (Add composite indexes to your Azure Cosmos DB container)](../cosmos-db/index-policy.md#composite-indexes).

+Learn more about [Cosmos DB account - CosmosDBDefaultIndexingWithManyPaths (Optimize your Azure Cosmos DB indexing policy to only index what's needed)](../cosmos-db/index-policy.md).

+Learn more about [HDInsight cluster - HBaseMemstoreReadPercentage (Reads happen on most recent data)](../hdinsight/hbase/apache-hbase-advisor.md).

+Learn more about [HDInsight cluster - AccWriteCandidate (Consider using Accelerated Writes feature in your HBase cluster to improve cluster performance.)](../hdinsight/hbase/apache-hbase-accelerated-writes.md).

+Learn more about [HDInsight cluster - ScanQueryTuningcandidate (More than 75% of your queries are full scan queries.)](../hdinsight/hbase/apache-hbase-advisor.md).

+Learn more about [HDInsight cluster - RegionCountCandidate (Check your region counts as you have blocking updates.)](../hdinsight/hbase/apache-hbase-advisor.md).

+Learn more about [HDInsight cluster - FlushQueueCandidate (Consider increasing the flusher threads)](../hdinsight/hbase/apache-hbase-advisor.md).

+Learn more about [HDInsight cluster - CompactionQueueCandidate (Consider increasing your compaction threads for compactions to complete faster)](../hdinsight/hbase/apache-hbase-advisor.md).

+Learn more about [Key vault - UpgradeKeyVaultSDK (Update Key Vault SDK Version)](../key-vault/general/client-libraries.md).

+Learn more about [Managed HSM Service - UpgradeKeyVaultMHSMSDK (Update Key Vault SDK Version)](../key-vault/general/client-libraries.md).

+Learn more about [Data explorer resource - Right-size ADX resource (Right-size Data Explorer resources for optimal performance.)](/azure/data-explorer/azure-advisor#correctly-size-azure-data-explorer-clusters-to-optimize-performance).

+Learn more about [Data explorer resource - UpdateCachePoliciesForAdxTables (Review table cache policies for Data Explorer tables)](/azure/data-explorer/kusto/management/cachepolicy).

+Learn more about [Data explorer resource - ReduceCacheForAzureDataExplorerTablesToImprovePerformance (Reduce Data Explorer table cache policy for better performance)](/azure/data-explorer/kusto/management/cachepolicy).

+Learn more about [Traffic Manager profile - FastFailOverTTL (Configure DNS Time to Live to 20 seconds)](/azure/traffic-manager/traffic-manager-monitoring#endpoint-failover-and-recovery).

+Learn more about [Traffic Manager profile - ProfileTTL (Configure DNS Time to Live to 60 seconds)](../traffic-manager/traffic-manager-monitoring.md).

+Learn more about [ExpressRoute circuit - UpgradeERCircuitBandwidth (Upgrade your ExpressRoute circuit bandwidth to accommodate your bandwidth needs)](../expressroute/about-upgrade-circuit-bandwidth.md).

+Learn more about [Virtual network gateway - HighCPUVNetGateway (Consider increasing the size of your VNet Gateway SKU to address consistently high CPU use)](../virtual-machines/sizes.md).

+Learn more about [Application gateway - HotAppGateway (Make sure you have enough instances in your Application Gateway to support your traffic)](../application-gateway/high-traffic-support.md).

+Learn more about [SQL data warehouse - CreateTableStatisticsSqlDW (Create statistics on table columns)](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables-statistics.md).

+Learn more about [SQL data warehouse - DataSkewSqlDW (Remove data skew to increase query performance)](/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables-distribute#how-to-tell-if-your-distribution-column-is-a-good-choice).

+Learn more about [SQL data warehouse - UpdateTableStatisticsSqlDW (Update statistics on table columns)](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables-statistics.md).

+Learn more about [SQL data warehouse - SqlDwIncreaseCacheCapacity (Scale up to optimize cache utilization with SQL Data Warehouse)](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-how-to-monitor-cache.md).

+Learn more about [SQL data warehouse - SqlDwReduceTempdbContention (Scale up or update resource class to reduce tempdb contention with SQL Data Warehouse)](/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-manage-monitor#monitor-tempdb).

+Learn more about [SQL data warehouse - SqlDwReplicateTable (Convert tables to replicated tables with SQL Data Warehouse)](../synapse-analytics/sql-data-warehouse/design-guidance-for-replicated-tables.md).

+Learn more about [SQL data warehouse - FileSplittingGuidance (Split staged files in the storage account to increase load performance)](/azure/synapse-analytics/sql/data-loading-best-practices#preparing-data-in-azure-storage).

+Learn more about [SQL data warehouse - LoadBatchSizeGuidance (Increase batch size when loading to maximize load throughput, data compression, and query performance)](/azure/synapse-analytics/sql/data-loading-best-practices#increase-batch-size-when-using-sqlbulkcopy-api-or-bcp).

+Learn more about [SQL data warehouse - ColocateStorageAccount (Co-locate the storage account within the same region to minimize latency when loading)](/azure/synapse-analytics/sql/data-loading-best-practices#preparing-data-in-azure-storage).

+Learn more about [Storage Account - StorageCallPutBlob (Use \"Put Blob\" for blobs smaller than 256 MB)](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs#about-block-blobs).

+Learn more about [Storage Account - UpdateStorageDataMovementSDK (Upgrade your Storage Client Library to the latest version for better reliability and performance)](/nuget/consume-packages/install-use-packages-visual-studio).

+Learn more about [Storage Account - PremiumBlobStorageAccount (Use premium performance block blob storage)](../storage/common/storage-account-overview.md).

+Learn more about [Storage Account - EnableSnapshots (No Snapshots Detected)](../backup/azure-file-share-backup-overview.md).

+Learn more about [Synapse workspace - SynapseCCIGuidance (Tables with Clustered Columnstore Indexes (CCI) with less than 60 million rows)](../synapse-analytics/sql/best-practices-dedicated-sql-pool.md#optimize-clustered-columnstore-tables).

+Learn more about [Synapse workspace - UpgradeSynapseManagementClientSDK (Update SynapseManagementClient SDK Version)](/dotnet/api/microsoft.azure.management.synapse.synapsemanagementclient).

+Learn more about [App service - AppServiceMoveToPremiumV2 (Move your App Service Plan to PremiumV2 for better performance)](../app-service/app-service-configure-premium-tier.md).

+Learn more about [App service - AppServiceOutboundConnections (Check outbound connections from your App Service resource)](/azure/app-service/app-service-best-practices#socketresources).

+Learn more about [Performance Efficiency - Microsoft Azure Well Architected Framework](/azure/architecture/framework/scalability/overview)

+Learn more about [Api Management - HostnameCertRotationFail (Hostname certificate rotation failed)](../api-management/configure-custom-domain.md).

+Learn more about [Api Management - TlsRenegotiationBlocked (SSL/TLS renegotiation blocked)](../api-management/api-management-howto-mutual-certificates-for-clients.md).

+Learn more about [Redis Cache Server - RedisCacheMemoryFragmentation (Availability may be impacted from high memory fragmentation. Increase fragmentation memory reservation to avoid potential impact.)](/azure/azure-cache-for-redis/cache-configure#memory-policies).

+Learn more about [Virtual machine (classic) - EnableBackup (Enable Backups on your Virtual Machines)](../backup/backup-overview.md).

+Learn more about [Virtual machine - MigrateStandardStorageAccountToPremium (Upgrade the standard disks attached to your premium-capable VM to premium disks)](/azure/virtual-machines/disks-types#premium-ssd).

+Learn more about [Virtual machine - ASRUnprotectedVMs (Enable virtual machine replication to protect your applications from regional outage)](../site-recovery/azure-to-azure-quickstart.md).

+Learn more about [Virtual machine - UpgradeVMToManagedDisksWithoutAdditionalCost (Upgrade VM from Premium Unmanaged Disks to Managed Disks at no additional cost)](../virtual-machines/managed-disks-overview.md).

+Learn more about [Virtual machine - ASRUpdateOutboundConnectivityProtocolToServiceTags (Update your outbound connectivity protocol to Service Tags for Azure Site Recovery)](/azure/site-recovery/azure-to-azure-about-networking#outbound-connectivity-using-service-tags).

+Learn more about [Availability set - ManagedDisksAvSet (Use Managed Disks to improve data reliability)](../virtual-machines/managed-disks-overview.md).

+Learn more about [Virtual machine - SessionHostNeedsAssistanceForUrlCheck (Access to mandatory URLs missing for your Windows Virtual Desktop environment)](../virtual-desktop/safe-url-list.md).

+Learn more about [PostgreSQL server - OrcasPostgreSqlLogicalReplicationSlots (Improve PostgreSQL availability by removing inactive logical replication slots)](../postgresql/concepts-logical.md).

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasPostgreSqlFlexibleServerLogicalReplicationSlots (Improve PostgreSQL availability by removing inactive logical replication slots)](../postgresql/flexible-server/concepts-logical.md#monitoring).

+Learn more about [IoT hub - UpgradeDeviceClientSdk (Upgrade device client SDK to a supported version for IotHub)](../iot-hub/iot-hub-devguide-sdks.md#azure-iot-hub-device-sdks).

+Learn more about [Cosmos DB account - CosmosDBUpgradeOldSDK (Upgrade your old Azure Cosmos DB SDK to the latest version)](../cosmos-db/index.yml).

+Learn more about [Cosmos DB account - CosmosDBUpgradeOutdatedSDK (Upgrade your outdated Azure Cosmos DB SDK to the latest version)](../cosmos-db/index.yml).

+Learn more about [Cosmos DB account - CosmosDBFixedCollections (Configure your Azure Cosmos DB containers with a partition key)](../cosmos-db/partitioning-overview.md#choose-partitionkey).

+Learn more about [Cosmos DB account - CosmosDBSingleRegionProdAccounts (Add a second region to your production workloads on Azure Cosmos DB)](../cosmos-db/high-availability.md).

+Learn more about [Cosmos DB account - CosmosDBKeyVaultWrap (Your Cosmos DB account is unable to access its linked Azure Key Vault hosting your encryption key)](../cosmos-db/how-to-setup-cmk.md).

+There is a critical bug in version 2.6.13 and lower of the Azure Cosmos DB Async Java SDK v2 causing errors when a Global logical sequence number (LSN) greater than the Max Integer value is reached. This happens transparent to you by the service after a large volume of transactions occur in the lifetime of an Azure Cosmos DB container. Note: This is a critical hotfix for the Async Java SDK v2, however it is still highly recommended you migrate to the [Java SDK v4](../cosmos-db/sql/sql-api-sdk-java-v4.md).

+Learn more about [Cosmos DB account - CosmosDBMaxGlobalLSNReachedV2 (Upgrade to 2.6.14 version of the Async Java SDK v2 to avoid a critical issue or upgrade to Java SDK v4 as Async Java SDK v2 is being deprecated)](../cosmos-db/sql/sql-api-sdk-async-java.md).

+Learn more about [Cosmos DB account - CosmosDBMaxGlobalLSNReachedV4 (Upgrade to the current recommended version of the Java SDK v4 to avoid a critical issue)](../cosmos-db/sql/sql-api-sdk-java-v4.md).

+Learn more about [HDInsight cluster - KafkaVersionRetirement (Deprecation of Kafka 1.1 in HDInsight 4.0 Kafka cluster)](../hdinsight/hdinsight-release-notes.md).

+Learn more about [HDInsight cluster - SparkVersionRetirement (Deprecation of Older Spark Versions in HDInsight Spark cluster)](../hdinsight/spark/migrate-versions.md).

+Learn more about [HDInsight cluster - GCSCertRotation (Enable critical updates to be applied to your HDInsight clusters)](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md).

+Learn more about [HDInsight cluster - GCSCertRotationRound2 (Drop and recreate your HDInsight clusters to apply critical updates)](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md).

+Learn more about [HDInsight cluster - GCSCertRotationR3DropRecreate (Drop and recreate your HDInsight clusters to apply critical updates)](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md).

+Learn more about [HDInsight cluster - GCSCertRotationR3PlanPatch (Apply critical updates to your HDInsight clusters)](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md).

+Learn more about [Machine - Azure Arc - ArcServerAgentVersion (Upgrade to the latest version of the Azure Connected Machine agent)](../azure-arc/servers/manage-agent.md).

+Learn more about [Kubernetes service - PodDisruptionBudgetsRecommended (Pod Disruption Budgets Recommended)](../aks/operator-best-practices-scheduler.md#plan-for-availability-using-pod-disruption-budgets).

+Learn more about [Kubernetes - Azure Arc - Arc-enabled K8s agent version upgrade (Upgrade to the latest agent version of Azure Arc-enabled Kubernetes)](../azure-arc/kubernetes/agent-upgrade.md).

+Learn more about [Media Service - AccountQuotaLimit (Increase Media Services quotas or limits to ensure continuity of service.)](../media-services/latest/limits-quotas-constraints-reference.md).

+Learn more about [Virtual network gateway - BasicVPNGateway (Move to production gateway SKUs from Basic gateways)](/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku).

+Learn more about [Traffic Manager profile - GeneralProfile (Add at least one more endpoint to the profile, preferably in another Azure region)](../traffic-manager/traffic-manager-endpoint-types.md).

+Learn more about [Traffic Manager profile - GeographicProfile (Add an endpoint configured to \"All (World)\")](../traffic-manager/traffic-manager-manage-endpoints.md).

+Learn more about [Traffic Manager profile - ProximityProfile (Add or move one endpoint to another Azure region)](../traffic-manager/traffic-manager-configure-performance-routing-method.md).

+Learn more about [Virtual network gateway - ExpressRouteGatewayRedundancy (Implement multiple ExpressRoute circuits in your Virtual Network for cross premises resiliency)](../expressroute/designing-for-high-availability-with-expressroute.md).

+Learn more about [ExpressRoute circuit - ExpressRouteGatewayE2EMonitoring (Implement ExpressRoute Monitor on Network Performance Monitor for end-to-end monitoring of your ExpressRoute circuit)](../expressroute/how-to-npm.md).

+Learn more about [Application gateway - AppGatewayHostOverride (Avoid hostname override to ensure site integrity)](/azure/application-gateway/troubleshoot-app-service-redirection-app-service-url#alternate-solution-use-a-custom-domain-name).

+Learn more about [ExpressRoute circuit - UseGlobalReachForDR (Use ExpressRoute Global Reach to improve your design for disaster recovery)](../expressroute/about-upgrade-circuit-bandwidth.md).

+Learn more about [Virtual network gateway - VNetGatewayActiveActive (Enable Active-Active gateways for redundancy)](../vpn-gateway/vpn-gateway-highlyavailable.md).

+Learn more about [Recovery Services vault - AB-SoftDeleteRsv (Enable soft delete for your Recovery Services vaults)](../backup/backup-azure-security-feature-cloud.md).

+Learn more about [Recovery Services vault - Enable CRR (Enable Cross Region Restore for your recovery Services Vault)](../backup/backup-azure-arm-restore-vms.md#cross-region-restore).

+Learn more about [Search service - BasicServiceStorageQuota90percent (You are close to exceeding storage quota of 2GB. Create a Standard search service.)](../search/search-limits-quotas-capacity.md).

+Learn more about [Search service - FreeServiceStorageQuota90percent (You are close to exceeding storage quota of 50MB. Create a Basic or Standard search service.)](../search/search-limits-quotas-capacity.md).

+Learn more about [Search service - StandardServiceStorageQuota90percent (You are close to exceeding your available storage quota. Add additional partitions if you need more storage.)](../search/search-limits-quotas-capacity.md).

+Learn more about [Storage Account - StoragePremiumBlobQuotaLimit (Use Managed Disks for storage accounts reaching capacity limit)](/azure/storage/common/scalability-targets-standard-account#premium-performance-page-blob-storage).

+Learn more about [App service - AppServiceCPUExhaustion (Consider scaling out your App Service Plan to avoid CPU exhaustion)](/azure/app-service/app-service-best-practices#CPUresources).

+Learn more about [App service - AppServiceFixBackupDatabaseSettings (Fix the backup database settings of your App Service resource)](/azure/app-service/app-service-best-practices#appbackup.).

+Learn more about [App service - AppServiceMemoryExhaustion (Consider scaling up your App Service Plan SKU to avoid memory exhaustion)](/azure/app-service/app-service-best-practices#memoryresources).

+Learn more about [App service - AppServiceRemoveQuota (Scale up your App Service resource to remove the quota limit)](../app-service/overview-hosting-plans.md).

+Learn more about [App service - AppServiceUseDeploymentSlots (Use deployment slots for your App Service resource)](../app-service/deploy-staging-slots.md).

+Learn more about [App service - AppServiceFixBackupStorageSettings (Fix the backup storage settings of your App Service resource)](/azure/app-service/app-service-best-practices#appbackup.).

+Learn more about [App service - AppServiceStandardOrHigher (Move your App Service resource to Standard or higher and use deployment slots)](../app-service/deploy-staging-slots.md).

+> Alternatively you can use [Pod Identity](./use-azure-ad-pod-identity.md) thought this is in Public Preview. It has a pod (NMI) that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the Azure Instance Metadata Service on each node, redirect them to itself and validates if the pod has access to the identity it's requesting a token for and fetch the token from the Azure AD tenant on behalf of the application.

+[node-image-upgrade]: node-image-upgrade.md

+[dedicated-hosts]: ../virtual-machines/dedicated-hosts.md

+[az-vm-host-group-create]: /cli/azure/vm/host/group#az_vm_host_group_create

+- **Policy sections:** inbound, outbound, backend, on-error

+* [Virtual Network](../../virtual-network/index.yml)

+[Virtual Network]: ../../virtual-network/index.yml

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v1. App Service Environment v1 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+1. Enter the name for your ASE. This name is used in the addressable name for your apps. If the name of the ASE is *appsvcenvdemo*, the domain name is *.appsvcenvdemo.p.azurewebsites.net*. If you create an app named *mytestapp*, it's addressable at mytestapp.appsvcenvdemo.p.azurewebsites.net. You can't use white space in the name. If you use uppercase characters, the domain name is the total lowercase version of that name.

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Migration won't succeed if the App Service Environment's subnet isn't delegated or it's delegated to a different resource.

+- **What will happen to my App Service Environment v1/v2 resources after 31 August 2024?**

+ After 31 August 2024, if you haven't migrated to App Service Environment v3, your App Service Environment v1/v2s and the apps deployed in them will no longer be available. App Service Environment v1/v2 is hosted on App Service scale units running on [Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) architecture that will be [retired on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Because of this, App Service Environment v1/v2 will no longer be available after that date. Migrate to App Service Environment v3 to keep your apps running or save or back up any resources or data that you need to maintain.

+> [Manually migrate to App Service Environment v3](migration-alternatives.md)

+## Frequently asked questions

+- **Will I experience downtime during the migration?**

+ Downtime is dependent on your migration process. If you have a different App Service Environment that you can point traffic to while you migrate or if you can use a different subnet to create your new environment, you won't have downtime. However, if you must use the same subnet, there will be downtime resulting from the time it takes to delete the old environment, create the App Service Environment v3, create the new App Service plans, re-create the apps, and update any resources that need to know about the new IP addresses.

+- **Do I need to change anything about my apps to get them to run on App Service Environment v3?**

+ No, apps that run on App Service Environment v1 and v2 shouldn't need any modifications to run on App Service Environment v3.

+- **What if my App Service Environment has a custom domain suffix?**

+ App Service Environment v3 doesn't support custom domain suffixes at this time. You won't be able to migrate until it's supported if you want to continue using this feature.

+- **What if my App Service Environment is zone pinned?**

+ Zone pinning isn't a supported feature on App Service Environment v3. Use [zone redundancy](overview-zone-redundancy.md) instead.

+- **What properties of my App Service Environment will change?**

+ You'll now be on App Service Environment v3 so be sure to review the [features and feature differences](overview.md#feature-differences) compared to previous versions. For ILB App Service Environment, you'll keep the same ILB IP address. For internet facing App Service Environment, the public IP address and the outbound IP address will change. Note for internet facing App Service Environment, previously there was a single IP for both inbound and outbound. For App Service Environment v3, they're separate. For more information, see [App Service Environment v3 networking](networking.md#addresses).

+- **What will happen to my App Service Environment v1/v2 resources after 31 August 2024?**

+ After 31 August 2024, if you haven't migrated to App Service Environment v3, your App Service Environment v1/v2s and the apps deployed in them will no longer be available. App Service Environment v1/v2 is hosted on App Service scale units running on [Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) architecture that will be [retired on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Because of this, App Service Environment v1/v2 will no longer be available after that date. Migrate to App Service Environment v3 to keep your apps running or save or back up any resources or data that you need to maintain.

+> [!div class="nextstepaction"]

+> [Migrate to App Service Environment v3 by using the migration feature](migrate.md)

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+In an External ASE, the domain suffix used for app creation is *.&lt;asename&gt;.p.azurewebsites.net*. If your ASE is named *external-ase* and you host an app called *contoso* in that ASE, you reach it at these URLs:

+In an ILB ASE, the domain suffix used for app creation is *.&lt;asename&gt;.appserviceenvironment.net*. If your ASE is named *ilb-ase* and you host an app called *contoso* in that ASE, you reach it at these URLs:

+> [!IMPORTANT]

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. App Service Environment v2 will be retired on 31 August 2024. There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+>

+In this tutorial, you will deploy a data-driven Python web app (**[Django](https://www.djangoproject.com/)** or **[Flask](https://flask.palletsprojects.com/)**) with the **[Azure Database for PostgreSQL](../postgresql/index.yml)** relational database service. The Python app is hosted in a fully managed **[Azure App Service](./overview.md#app-service-on-linux)** which supports [Python 3.7 or higher](https://www.python.org/downloads/) in a Linux server environment. You can start with a basic pricing tier that can be scaled up at any later time.

+> [Configure Python app](configure-language-python.md)

+1. If Internet and private traffic are going though an Azure Firewall hosted in a secured Virtual hub (using Azure Virtual WAN Hub):

+ a. To ensure the application gateway can send traffic directly to the Internet, configure the following user defined route:

+

+ Address prefix: 0.0.0.0/0<br>

+ Next hop: Internet

+ b. To ensure the application gateway can send traffic to the backend pool via an Azure Firewall in the Virtual WAN hub, configure the following user defined route:

+

+ Address Prefix: Backend pool subnet<br>

+ Next hop: Azure Firewall private IP address

+Post your issues and questions about migration to our [Microsoft Q&A page](/answers/topics/azure-virtual-network.html). We recommend posting all your questions on this forum. If you have a support contract, you're welcome to log a support ticket as well.

+ > Custom neural models models are only available in a few regions. If you plan on training a neural model, please select or create a resource in one of [these supported regions](/azure/applied-ai-services/form-recognizer/concept-custom-neural#l).

+> [Learn about accuracy and confidence with custom models](../concept-accuracy-confidence.md)

+> [Access Azure Storage form a web app using managed identities](../../app-service/scenario-secure-app-access-storage.md?bc=%2fazure%2fapplied-ai-services%2fform-recognizer%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fapplied-ai-services%2fform-recognizer%2ftoc.json)

+Microsoft Azure Attestation is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. The service supports attestation of the platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves, [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) (VBS) enclaves, [Trusted Platform Modules (TPMs)](/windows/security/information-protection/tpm/trusted-platform-module-overview), [Trusted launch for Azure VMs](../virtual-machines/trusted-launch.md) and [Azure confidential VMs](../confidential-computing/confidential-vm-overview.md).

+Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-solutions-amd.md) and aims to improve VM security posture by removing trust in host, hypervisor and Cloud Service Provider (CSP). To achieve this, CVM offers VM OS disk encryption option with platform-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware.

+- [Set up Azure Attestation using PowerShell](quickstart-powershell.md)

+When you create an Automation account, Azure generates two 512-bit automation account access keys for that account. These keys are shared access keys that are used as registration keys for registering [DSC nodes](./automation-dsc-onboarding.md#use-dsc-metaconfiguration-to-register-hybrid-machines) as well as [Windows](./automation-windows-hrw-install.md#manual-deployment) and [Linux](./automation-linux-hrw-install.md#manually-run-powershell-commands) Hybrid runbook workers. These keys are only used while registering DSC nodes and Hybrid workers. Existing machines configured as DSC nodes or hybrid workers wonΓÇÖt be affected after rotation of these keys.

+|[Microsoft.Automation](../role-based-access-control/resource-provider-operations.md#microsoftautomation)/automationAccounts/* | Create and manage resources of all types.|

+|[Microsoft.ResourceHealth](../role-based-access-control/resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read| Gets the availability statuses for all resources in the specified scope.|

+[Learn more](../role-based-access-control/custom-roles.md) about how to create custom role from the Azure portal.

+You can create [Azure custom roles](../role-based-access-control/custom-roles.md) in Automation and grant the following permissions to Hybrid Worker Groups and Hybrid Workers:

+- [Extension-based Hybrid Runbook Worker](./extension-based-hybrid-runbook-worker-install.md?tabs=windows#manage-role-permissions-for-hybrid-worker-groups-and-hybrid-workers)

+- [Agent-based Windows Hybrid Runbook Worker](./automation-windows-hrw-install.md#manage-role-permissions-for-hybrid-worker-groups-and-hybrid-workers)

+ - [Agent-based Linux Hybrid Runbook Worker](./automation-linux-hrw-install.md#manage-role-permissions-for-hybrid-worker-groups-and-hybrid-workers)

+* To start a runbook, see [Start a runbook in Azure Automation](start-runbooks.md).

+[Azure Automation](./overview.md) provides you the platform to orchestrate frequent, time consuming, error-prone infrastructure management and operational tasks, as well as mission-critical operations. This service allows you to execute scripts, known as automation runbooks seamlessly across cloud and hybrid environments.

+1. Follow the principle of least privilege to get the work done when granting access to Automation resources. Implement [Automation granular RBAC roles](./automation-role-based-access-control.md) and avoid assigning broader roles or scopes such as subscription level. When creating the custom roles, only include the permissions users need. By limiting roles and scopes, you limit the resources that are at risk if the security principal is ever compromised. For detailed information on role-based access control concepts, see [Azure role-based access control best practices](../role-based-access-control/best-practices.md).

+1. Configure [Role based access at a runbook level](./automation-role-based-access-control.md) if the user doesn't require access to all the runbooks in the Automation account.

+1. Use [Azure AD Privileged Identity Management](../active-directory/roles/security-planning.md#use-azure-ad-privileged-identity-management) to protect the privileged accounts from malicious cyber-attacks to increase your visibility into their use through reports and alerts.

+1. Install Hybrid workers using the [Hybrid Runbook Worker VM extension](./extension-based-hybrid-runbook-worker-install.md?tabs=windows), that doesn't have any dependency on the Log Analytics agent. We recommend this platform as it leverages Azure AD based authentication.

+ [Hybrid Runbook Worker](./automation-hrw-run-runbooks.md) feature of Azure Automation allows you to execute runbooks directly on the machine hosting the role in Azure or non-Azure machine to execute Automation jobs in the local environment.

+ - Use only high privilege users or [Hybrid worker custom roles](./extension-based-hybrid-runbook-worker-install.md?tabs=windows) for users responsible for managing operations such as registering or unregistering Hybrid workers and hybrid groups and executing runbooks against Hybrid runbook worker groups.

+ Follow the [Azure RBAC best practices](../role-based-access-control/best-practices.md).

+ Use [Hybrid worker custom roles](./extension-based-hybrid-runbook-worker-install.md?tabs=windows) for users responsible to manage Automation runbooks against Hybrid runbook workers and Hybrid runbook worker groups.

+1. [Unregister](./extension-based-hybrid-runbook-worker-install.md?tabs=windows#delete-a-hybrid-runbook-worker) any unused or non-responsive hybrid workers.

+1. For runbook authentication, we recommend that you use [Managed identities](./automation-security-overview.md#managed-identities) instead of Run As accounts. The Run As accounts are an administrative overhead and we plan to deprecate them. A managed identity from Azure Active Directory (Azure AD) allows your runbook to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. For more information about managed identities in Azure Automation, see [Managed identities for Azure Automation](./automation-security-overview.md#managed-identities)

+ Follow the [Managed identity best practice recommendations](../active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md#choosing-system-or-user-assigned-managed-identities) for more details.

+ - [Renew the Run As certificate](./manage-runas-account.md#cert-renewal) periodically.

+ - Follow the RBAC guidelines to limit the permissions assigned to Run As account using this [script](./manage-runas-account.md#limit-run-as-account-permissions). Do not assign high privilege permissions like Contributor, Owner and so on.

+1. Rotate the [Azure Automation keys](./automation-create-standalone-account.md?tabs=azureportal#manage-automation-account-keys) periodically. The key regeneration prevents future DSC or hybrid worker node registrations from using previous keys. We recommend to use the [Extension based hybrid workers](./automation-hybrid-runbook-worker.md) that use Azure AD authentication instead of Automation keys. Azure AD centralizes the control and management of identities and resource credentials.

+1. Secure the assets in Azure Automation including credentials, certificates, connections and encrypted variables. These assets are protected in Azure Automation using multiple levels of encryption. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption of Automation assets. These keys must be present in Azure Key Vault for Automation service to be able to access the keys. See [Encryption of secure assets using customer-managed keys](./automation-secure-asset-encryption.md).

+1. Maintain a valid [backup of Automation](./automation-managing-data.md#data-backup) configuration like runbooks and assets ensuring backups are validated and protected to maintain business continuity after an unexpected event.

+1. Use [Azure Private Link](./how-to/private-link-security.md) to securely connect Hybrid runbook workers to Azure Automation. Azure Private Endpoint is a network interface that connects you privately and securely to a an Azure Automation service powered by Azure Private Link. Private Endpoint uses a private IP address from your Virtual Network (VNet), to effectively bring the Automation service into your VNet.

+Review the Azure Policy recommendations for Azure Automation and act as appropriate. See [Azure Automation policies](./policy-reference.md).

+* For information on how Azure protects your privacy and secures your data, see [Azure Automation data security](./automation-managing-data.md).

+- To learn about Azure VM extensions, see [Azure VM extensions and features for Windows](../virtual-machines/extensions/features-windows.md) and [Azure VM extensions and features for Linux](../virtual-machines/extensions/features-linux.md).

+- To learn about VM extensions for Arc-enabled servers, see [VM extension management with Azure Arc-enabled servers](../azure-arc/servers/manage-vm-extensions.md).

+You can use the new Azure Policy compliance rule to allow creation of jobs, webhooks, and job schedules to run only on Hybrid Worker groups. Read the details in [Use Azure Policy to enforce job execution on Hybrid Runbook Worker](./enforce-job-execution-hybrid-worker.md?tabs=azure-cli)

+If you'd like to contribute to Azure Automation documentation, see the [Docs Contributor Guide](/contribute/).

+To strengthen the overall Azure Automation security posture, the built-in RBAC Reader role would not have access to Automation account keys through the API call - `GET /automationAccounts/agentRegistrationInformation`. Read [here](./automation-role-based-access-control.md#reader) for more information.

+Users can now restore an Automation account deleted within 30 days. Read [here](./delete-account.md?tabs=azure-portal#restore-a-deleted-automation-account) for more information.

+If you'd like to contribute to Azure Automation documentation, see the [Docs Contributor Guide](/contribute/).

+* A basic understanding of [Kubernetes core concepts](../../aks/concepts-clusters-workloads.md).

+* A basic understanding of [Kubernetes core concepts](../../aks/concepts-clusters-workloads.md).

+> [Deploy configurations using GitOps](tutorial-use-gitops-connected-cluster.md)

+| RedHat | [OpenShift Container Platform](https://www.openshift.com/products/container-platform) | [4.7.18+](https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html), [4.9.17+](https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html), [4.10.0+](https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html) |

+For more information, see [Azure services DNS zone configuration](../private-link/private-endpoint-dns.md).

+- To compare various network isolation options for your cache, see [Azure Cache for Redis network isolation options documentation](cache-network-isolation.md).

+Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates don't comply with one of the C).

+If you have more questions, contact us through [support](https://azure.microsoft.com/support/options/).

+The [host.json](functions-host-json.md#eventhub) file contains settings that control Event Hubs trigger behavior. See the [host.json settings](functions-bindings-event-hubs.md#hostjson-settings) section for details regarding available settings.

+## Connections

+The `connection` property is a reference to environment configuration that contains name of an application setting containing a connection string. You can get this connection string by selecting the **Connection Information** button for the [namespace](../event-hubs/event-hubs-create.md#create-an-event-hubs-namespace). The connection string must be for an Event Hubs namespace, not the event hub itself.

+The connection string must have at least "read" permissions to activate the function.

+This connection string should be stored in an application setting with a name matching the value specified by the `connection` property of the binding configuration.

+> [!NOTE]

+> Identity-based connections aren't supported by the IoT Hub trigger. If you need to use managed identities end-to-end, you can instead use IoT Hub Routing to send data to an event hub you control. In that way, outbound routing can be authenticated with managed identity the event can be read [from that event hub using managed identity](functions-bindings-event-hubs-trigger.md?tabs=extensionv5#identity-based-connections).

+NERC CIP compliance requirements can be addressed during a NERC audit and in line with the [shared responsibility model](../security/fundamentals/shared-responsibility.md) for cloud computing. We believe that Azure and Azure Government cloud services can be used in a manner compliant with NERC CIP standards. Microsoft is prepared to assist you with NERC audits by furnishing Azure or Azure Government audit documentation and control implementation details in support of NERC audit requirements. Moreover, Microsoft has developed a **[Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide)**, which is a technical how-to guidance to help you address NERC CIP compliance requirements for your Azure assets. The document contains pre-filled [Reliability Standard Audit Worksheets](https://www.nerc.com/pa/comp/Pages/Reliability-Standard-Audit-Worksheets-(RSAWs).aspx) (RSAWs) narratives that help explain how Azure controls address NERC CIP requirements. It also contains guidance to help you use Azure services to implement controls that you own. The guide is available for download to existing Azure or Azure Government customers under a non-disclosure agreement (NDA) from the Service Trust Portal (STP). You must sign in to access this document on the STP. For more information, see [Get started with the Microsoft Service Trust Portal](/microsoft-365/compliance/get-started-with-service-trust-portal).

+A comparison between the FedRAMP Moderate control baseline and NERC CIP standards requirements reveals that FedRAMP Moderate control baseline encompasses all NERC CIP requirements. Microsoft has developed a **[Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide)** that includes control mappings between the current set of NERC CIP standards requirements and FedRAMP Moderate control baseline as documented in [NIST SP 800-53 Rev 4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53). The Cloud implementation guide for NERC audits contains pre-filled [Reliability Standard Audit Worksheets](https://www.nerc.com/pa/comp/Pages/Reliability-Standard-Audit-Worksheets-(RSAWs).aspx) (RSAWs) narratives that help explain how Azure controls address NERC CIP requirements. It also contains guidance to help you use Azure services to implement controls that you own. You can download the Cloud implementation guide for NERC audits under a non-disclosure agreement (NDA) from the Service Trust Portal (STP). You must sign in to access this document on the STP. For more information, see [Get started with the Microsoft Service Trust Portal](/microsoft-365/compliance/get-started-with-service-trust-portal).

+If you're a registered entity contemplating a NERC audit, you should review MicrosoftΓÇÖs **[Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide)**, which provides detailed technical how-to guidance to help you address NERC CIP compliance requirements for your Azure assets. It contains control mappings between the current set of NERC CIP standards and FedRAMP Moderate control baseline as documented in NIST SP 800-53 Rev 4. Moreover, a complete set of Reliability Standard Audit Worksheets (RSAWs) narratives with Azure control implementation details is provided to explain how Microsoft addresses NERC CIP standards requirements for controls that are part of cloud service providerΓÇÖs responsibility. Also provided is guidance to help you use Azure services to implement controls that you own. The guide is available for download to existing Azure or Azure Government customers under a non-disclosure agreement (NDA) from the Service Trust Portal (STP). You must sign in to access this document on the STP. For more information, see [Get started with the Microsoft Service Trust Portal](/microsoft-365/compliance/get-started-with-service-trust-portal).

+- NERC [registered entities](https://www.nerc.com/pa/comp/Pages/Registration.aspx)

+[Render service V2](/rest/api/maps/render-v2) introduces a new version of the [Get Map Tile V2 API](/rest/api/maps/render-v2/get-map-tile) that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 (where applicable) tile sizes and numerous map types such as road, weather, contour, or map tiles created using Azure Maps Creator. For a complete list see [TilesetID](/rest/api/maps/render-v2/get-map-tile#tilesetid) in the REST API documentation. It's recommended that you use Render service V2 instead of Render service V1. You are required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service V2, either as basemaps or layers, in any third-party map control. For more information see [How to use the Get Map Attribution API](how-to-show-attribution.md).

+ Title: Show the correct map copyright attribution information

+description: The map copyright attribution information must be displayed in any applications that use the Render V2 API, including web and mobile applications. In this article, you'll learn how to display the correct attribution every time you display or update a tile.

+# Show the correct copyright attribution

+When using the [Azure Maps Render service V2](/rest/api/maps/render-v2), either as a basemap or layer, you're required to display the appropriate data provider copyright attribution on the map. This information should be displayed in the lower right-hand corner of the map.

+The above image is an example of a map from the Render service V2, displaying the road style. It shows the copyright attribution in the lower right-hand corner of the map.

+The above image is an example of a map from the Render service V2, displaying the satellite style. note that there's another data provider listed.

+## The Get Map Attribution API

+The [Get Map Attribution API](/rest/api/maps/render-v2/get-map-attribution) enables you to request map copyright attribution information so that you can display in on the map within your applications.

+### When to use the Get Map Attribution API

+The map copyright attribution information must be displayed on the map in any applications that use the Render V2 API, including web and mobile applications.

+The attribution is automatically displayed and updated on the map When using any of the Azure Maps SDKs. This includes the [Web SDK](how-to-use-map-control.md), [Android SDK](how-to-use-android-map-control-library.md) and the [iOS SDK](how-to-use-ios-map-control-library.md).

+When using map tiles from the Render service in a third-party map, you must display and update the copyright attribution information on the map.

+Map content changes whenever an end user selects a different style, zooms in or out, or pans the map. Each of these user actions causes an event to fire. When any of these events fire, you need to call the Get Map Attribution API. Once you have the updated copyright attribution information, you then need to display it in the lower right-hand corner of the map.

+Since the data providers can differ depending on the *region* and *zoom* level, the Get Map Attribution API takes these parameters as input and returns the corresponding attribution text.

+### How to use the Get Map Attribution API

+You'll need the following information to run the `attribution` command:

+| Parameter | Type | Description |

+| -- | | -- |

+| api-version | string | Version number of Azure Maps API. Current version is 2.1 |

+| bounds | array | A string that represents the rectangular area of a bounding box. The bounds parameter is defined by the four bounding box coordinates. The first 2 are the WGS84 longitude and latitude defining the southwest corner and the last 2 are the WGS84 longitude and latitude defining the northeast corner. The string is presented in the following format: [SouthwestCorner_Longitude, SouthwestCorner_Latitude, NortheastCorner_Longitude, NortheastCorner_Latitude]. |

+| tilesetId | TilesetID | A tileset is a collection of raster or vector data broken up into a uniform grid of square tiles at preset zoom levels. Every tileset has a tilesetId to use when making requests. The tilesetId for tilesets created using Azure Maps Creator are generated through the [Tileset Create API](/rest/api/maps/v2/tileset/create). There are ready-to-use tilesets supplied by Azure Maps, such as `microsoft.base.road`, `microsoft.base.hybrid` and `microsoft.weather.radar.main`, a complete list can be found the [Get Map Attribution](/rest/api/maps/render-v2/get-map-attribution#tilesetid) REST API documentation. |

+| zoom | integer | Zoom level for the selected tile. The valid range depends on the tile, see the [TilesetID](/rest/api/maps/render-v2/get-map-attribution#tilesetid) table for valid values for a specific tileset. For more information, see the [Zoom levels and tile grid](zoom-levels-and-tile-grid.md) article. |

+| subscription-key | string | One of the Azure Maps keys provided from an Azure Map Account. For more information, see the [Authentication with Azure Maps](azure-maps-authentication.md) article. |

+Run the following GET request to get the corresponding copyright attribution to display on the map:

+```http

+https://atlas.microsoft.com/map/attribution?subscription-key={Azure-Maps-Primary-Subscription-key}&api-version=2.1&tilesetId=microsoft.base&zoom=6&bounds=-122.414162,47.579490,-122.247157,47.668372

+```

+## Additional information

+* For more information, see the [Azure Maps Render service V2](/rest/api/maps/render-v2) documentation.

+- **Collect guest logs and metrics** from any machine in Azure, in other clouds, or on-premises. [Azure Arc-enabled servers](../../azure-arc/servers/overview.md) are required for machines outside of Azure.

+> - [What are Azure ArcΓÇôenabled servers?](../../azure-arc/servers/overview.md)

+> - [Overview of Azure Arc ΓÇô enabled servers agent](../../azure-arc/servers/agent-overview.md)

+> - [Plan and deploy Azure Arc ΓÇô enabled servers at scale](../../azure-arc/servers/plan-at-scale-deployment.md)

+|**Environment requirements** | Verify that your environment is currently supported by the AMA. For more information, see [Supported operating systems](./agents-overview.md#supported-operating-systems). |

+|**Current and new feature requirements** | While the AMA provides [several new features](#current-capabilities), such as filtering, scoping, and multi-homing, it is not yet at parity with the legacy Log Analytics agent.As you plan your migration, make sure that the features your organization requires are already supported by the AMA. You may decide to continue using the Log Analytics agent for now, and migrate at a later date. See [Supported services and features](./azure-monitor-agent-overview.md#supported-services-and-features) for a current status of features that are supported and that may be in preview. |

+- [Frequently asked questions for AMA migration](/azure/azure-monitor/faq#azure-monitor-agent)

+> [!IMPORTANT]

+> If your firewall is doing CNAME inspections, you need to configure it to allow all domains in the CNAME.

+Post questions to the Microsoft Q&A [answers forum](/answers/topics/24223/azure-monitor.html).

+Post questions to the [answers forum](/answers/topics/24223/azure-monitor.html).

+Both ASP.NET and ASP.NET Core applications deployed to Azure Web Apps run in a special sandbox environment. Applications deployed to Azure App Service can utilize a [Windows container](../../app-service/quickstart-custom-container.md?pivots=container-windows&tabs=dotnet) or be hosted in a sandbox environment. If the application is deployed in a Windows Container all standard performance counters are available in the container image.

+* [Exception tracking](./asp-net-exceptions.md)

+|When using the Snapshot Collector SDK in your application directly (.csproj) and you have enabled the advance option "Interop".| The local Application Insights SDK (including Snapshot Collector telemetry) will be lost, therefore, no Snapshots will be available.<br /><br />Your application could crash at startup with `System.ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.`<br /><br />For more information about the Application Insights feature "Interop", see the [documentation.](./azure-web-apps-net-core.md#troubleshooting) | If you are using the advance option "Interop", use the codeless Snapshot Collector injection (enabled thru the Azure Portal UX) |

+|When using the Snapshot Collector SDK in your application directly (.csproj) and you have enabled the advance option "Interop".| The local Application Insights SDK (including Snapshot Collector telemetry) will be lost, therefore, no Snapshots will be available.<br /><br />Your application could crash at startup with `System.ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.`<br /><br />For more information about the Application Insights feature "Interop", see the [documentation.](./azure-web-apps-net-core.md#troubleshooting) | If you are using the advance option "Interop", use the codeless Snapshot Collector injection (enabled thru the Azure Portal UX) |

+The IPs used by Application Insights Snapshot Debugger are included in the Azure Monitor service tag. For more information, see [Service Tags documentation](../../virtual-network/service-tags-overview.md).

+For more information on Azure Resource Manager templates, see [Resource Manager template overview](../../azure-resource-manager/templates/overview.md)

+- [Autoscale REST API](/rest/api/monitor/autoscalesettings)

+With both the underlying platform and agent deprecations, on March 31, 2025 the [Container Monitoring Solution](./containers.md) will be retired. If you use the Container Monitoring Solution to ingest data to your Log Analytics workspace, make sure to transition to using [Container Insights](./container-insights-overview.md) prior to that date.

+To query the Azure Monitor API, the client application should use the previously created service principal to authenticate. The following example PowerShell script shows one approach, using the [Microsoft Authentication Library (MSAL)](../../active-directory/develop/msal-overview.md) to obtain the authentication token.

+* Review the [Azure Management Library](/previous-versions/azure/reference/mt417623(v=azure.100)).

+az monitor log-analytics workspace table delete ΓÇôsubscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name MySearchTable_SRCH

+ az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name ContainerLog --plan Basic

+ az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name ContainerLog --plan Analytics

+az monitor log-analytics workspace table show --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name Syslog --output table

+Basic Logs tables reduce the cost of ingesting high-volume verbose logs and let you query the data they store using a limited set of log queries. This article explains how to query data from Basic Logs tables.

+For more information, see [Azure log data plans](log-analytics-workspace-overview.md#log-data-plans-preview) and [Configure a table for Basic Logs](basic-logs-configure.md).

+## Limitations

+Queries with Basic Logs must use a workspace for the scope. You can't run queries using another resource for the scope. For more information, see [Log query scope and time range in Azure Monitor Log Analytics](scope.md).

+You canΓÇÖt [purge personal data](personal-data-mgmt.md#how-to-export-and-delete-private-data) from Basic Logs tables.

+## Run a query on a Basic Logs table

+# [Portal](#tab/portal-1)

+In the Azure portal, select **Monitor** > **Logs** > **Tables**.

+In the list of tables, you can identify Basic Logs tables by their unique icon:

+You can also hover over a table name for the table information view, which will specify that the table is configured as Basic Logs:

+# [API](#tab/api-1)

+**Sample Request**

+## Pricing model

+az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name AzureMetrics --retention-time 30 --total-retention-time 730

+az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name Syslog --retention-time -1 --total-retention-time -1

+az monitor log-analytics workspace table show --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name SecurityEvent

+All queries return records generated within a set time range. By default, the query returns records generated in the last 24 hours.

+You can set a different time range using the [where operator](/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor#filter-by-boolean-expression-where-1) in the query, or using the **Time range** dropdown list at the top of the screen.

+LetΓÇÖs change the time range of the query by selecting **Last 12 hours** from the **Time range** dropdown. Select **Run** to return the results.

+> [!NOTE]

+> Changing the time range using the **Time range** dropdown does not change the query in the query editor.

+az monitor log-analytics workspace table restore create --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name Heartbeat_RST --restore-source-table Heartbeat --start-restore-time "2022-01-01T00:00:00.000Z" --end-restore-time "2022-01-08T00:00:00.000Z" --no-wait

+az monitor log-analytics workspace table delete --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name Heartbeat_RST

+az monitor log-analytics workspace table search-job create --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name HeartbeatByIp_SRCH --search-query 'Heartbeat | where ComputerIP has "00.000.00.000"' --limit 1500 --start-search-time "2022-01-01T00:00:00.000Z" --end-search-time "2022-01-08T00:00:00.000Z" --no-wait

+az monitor log-analytics workspace table show --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name HeartbeatByIp_SRCH --output table \

+az monitor log-analytics workspace table delete --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name HeartbeatByIp_SRCH

+Start by registering an Azure Active Directory application to authenticate against the API. Any ARM authentication scheme is supported, but this will follow the [Client Credential Grant Flow scheme](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) for this tutorial.

+Start by registering an Azure Active Directory application to authenticate against the API. Any ARM authentication scheme is supported, but this will follow the [Client Credential Grant Flow scheme](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) for this tutorial.

+- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-overview.md#permissions) in the workspace.

+- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)

+| [Azure Data Explorer insights](./insights/data-explorer.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/adxClusterInsights) | Azure Data Explorer Insights provides comprehensive monitoring of your clusters by delivering a unified view of your cluster performance, operations, usage, and failures. |

+| [Azure HDInsight (preview)](../hdinsight/log-analytics-migration.md#insights) | Preview | No | An Azure Monitor workbook that collects important performance metrics from your HDInsight cluster and provides the visualizations and dashboards for most common scenarios. Gives a complete view of a single HDInsight cluster including resource utilization and application status|

+ | [Azure IoT Edge](../iot-edge/how-to-explore-curated-visualizations.md) | GA | No | Visualize and explore metrics collected from the IoT Edge device right in the Azure portal using Azure Monitor Workbooks based public templates. The curated workbooks use built-in metrics from the IoT Edge runtime. These views don't need any metrics instrumentation from the workload modules. |

+ | [Azure Key Vault Insights (preview)](./insights/key-vault-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/keyvaultsInsights) | Provides comprehensive monitoring of your key vaults by delivering a unified view of your Key Vault requests, performance, failures, and latency. |

+ | [Azure Monitor Application Insights](./app/app-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/applicationsInsights) | Extensible Application Performance Management (APM) service which monitors the availability, performance, and usage of your web applications whether they're hosted in the cloud or on-premises. It leverages the powerful data analysis platform in Azure Monitor to provide you with deep insights into your application's operations. It enables you to diagnose errors without waiting for a user to report them. Application Insights includes connection points to a variety of development tools and integrates with Visual Studio to support your DevOps processes. |

+ | [Azure Monitor Log Analytics Workspace](./logs/log-analytics-workspace-insights-overview.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/lawsInsights) | Log Analytics Workspace Insights (preview) provides comprehensive monitoring of your workspaces through a unified view of your workspace usage, performance, health, agent, queries, and change log. This article will help you understand how to onboard and use Log Analytics Workspace Insights (preview). |

+ | [Azure Service Bus Insights](../service-bus-messaging/service-bus-insights.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/serviceBusInsights) | Azure Service Bus insights provide a view of the overall performance, failures, capacity, and operational health of all your Service Bus resources in a unified interactive experience. |

+ | [Azure SQL insights](./insights/sql-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/sqlWorkloadInsights) | A comprehensive interface for monitoring any product in the Azure SQL family. SQL insights uses dynamic management views to expose the data you need to monitor health, diagnose problems, and tune performance. Note: If you are just setting up SQL monitoring, use this instead of the SQL Analytics solution. |

+- [Azure Monitor agent overview](./agents/azure-monitor-agent-overview.md)

+- [Manage the Azure Monitor agent](./agents/azure-monitor-agent-manage.md)

+- [How to trigger complex actions with Azure Monitor alerts](./alerts/action-groups-logic-app.md)

+- [Application Monitoring for Azure App Service and Java](./app/azure-web-apps-java.md)

+- [Application Monitoring for Azure App Service and Node.js](./app/azure-web-apps-nodejs.md)

+- [Enable Snapshot Debugger for .NET apps in Azure App Service](./app/snapshot-debugger-appservice.md)

+- [Profile live Azure App Service apps with Application Insights](./app/profiler.md)

+- [Azure Activity log](./essentials/activity-log.md)

+| France/Europe | France Central | West Europe |

+> Want to learn Bicep live from subject matter experts? [Learn Live with our experts every Tuesday (Pacific time) beginning March 8, 2022.](/events/learntv/learnlive-iac-and-bicep/)

+* For suggestions about how to improve your Bicep files, see [Best practices for Bicep](best-practices.md).

+The first step in the process is to capture an initial representation of your Azure resources. If required, you then decompile the JSON file to an initial Bicep file, which you improve upon by refactoring. When you have a working file, you test and deploy using a process that minimizes the risk of breaking changes to your Azure environment.

+1. **Capture a representation of your Azure resources.** If you have an existing JSON template that you're converting to Bicep, the first step is easy - you already have your source template. If you're converting Azure resources that were deployed by using the portal or another tool, you need to capture the resource definitions. You can capture a JSON representation of your resources using the Azure portal, Azure CLI, or Azure PowerShell cmdlets to *export* single resources, multiple resources, and entire resource groups. You can use the **Import Resource** command within Visual Studio Code to import a Bicep representation of your Azure resource.

+1. **If required, convert the JSON representation to Bicep using the _decompile_ command.** [The Bicep tooling includes the `decompile` command to convert templates.](decompile.md) You can invoke the `decompile` command from either the Azure CLI, or from the Bicep CLI. The decompilation process is a best-effort process and doesn't guarantee a full mapping from JSON to Bicep. You may need to revise the generated Bicep file to meet your template best practices before using the file to deploy resources.

+> [!NOTE]

+> You can import a resource by opening the Visual Studio Code command palette. Use <kbd>Ctrl+Shift+P</kbd> on Windows and Linux and <kbd>Γîÿ+Shift+P</kbd> on macOS.

+The test phase consists of two steps, which you complete in sequence:

+Resource tags support all cost-accruing services. You can use Azure Policy to ensure that cost-accruing services are provisioned with a tag by using one of the many different [tag policies](/azure/azure-resource-manager/management/tag-policies).

+description: Describes common deployment errors for Azure resources that are deployed with Azure Resource Manager templates (ARM templates) or Bicep files.

+If your error code isn't listed, submit a GitHub issue. On the right side of the page, select **Feedback**. At the bottom of the page, under **Feedback** select **This page**. Provide your documentation feedback but **don't include confidential information** because GitHub issues are public.

+| PublicIPCountLimitReached | You've reached the limit for the number of running public IPs. Shut down unneeded resources or contact Azure support to request an increase. For example, in Azure Databricks, see [Unexpected cluster termination](/azure/databricks/kb/clusters/termination-reasons) and [IP address limit prevents cluster creation](/azure/databricks/kb/clusters/azure-ip-limit). | [Public IP address limits](../management/azure-subscription-service-limits.md#publicip-address) |

+- For information about validation or deployment errors, see [Find error codes](find-error-code.md).

+- To get more details to troubleshoot a deployment, see [Enable debug logging](enable-debug-logging.md).

+- To isolate the cause of a deployment error, see [Create a troubleshooting template](create-troubleshooting-template.md).

+> The Automation runbook may run from a range of IP addresses at any datacenter in an Azure region. To learn more, see [Automation region DNS records](../../automation/how-to/automation-region-dns-records.md).

+- [My first runbook](../../automation/learn/powershell-runbook-managed-identity.md)

+> The Azure SQL built-in roles in this section apply to a dedicated SQL pool (formerly SQL DW) but are not available for dedicated SQL pools and other SQL resources within Azure Synapse workspaces. For SQL resources in Azure Synapse workspaces, use the available actions for data classification to create custom Azure roles as needed for labelling. For more information on the `Microsoft.Synapse/workspaces/sqlPools` provider operations, see [Microsoft.Synapse](../../role-based-access-control/resource-provider-operations.md#microsoftsynapse).

+- To classify your Azure SQL Databases and Azure Synapse Analytics with Azure Purview labels using T-SQL commands, see [Classify your Azure SQL data using Azure Purview labels](../../sql-database/scripts/sql-database-import-purview-labels.md).

+| ledger_operation_type | tinyint | Contains `1` (**INSERT**) or `2` (**DELETE**). Inserting a row into the ledger table produces a new row in the ledger view that contains `1` in this column. Deleting a row from the ledger table produces a new row in the ledger view that contains `2` in this column. Updating a row in the ledger table produces two new rows in the ledger view. One row contains `2` (**DELETE**), and the other row contains `1` (**INSERT**) in this column. A DELETE shouldn't occur on an append-only ledger table. |

+| ledger_operation_type | tinyint | Contains `1` (**INSERT**) or `2` (**DELETE**). Inserting a row into the ledger table produces a new row in the ledger view that contains `1` in this column. Deleting a row from the ledger table produces a new row in the ledger view that contains `2` in this column. Updating a row in the ledger table produces two new rows in the ledger view. One row contains `2` (**DELETE**), and the other row contains `1` (**INSERT**) in this column. |

+### How do I create Data Sync in Failover group to support Disaster Recovery?

+- To ensure data sync operations in failover region are at par with Primary region, after failover you have to manually re-create the Sync Group in failover region with same settings as primary region.

+- Apart from old backups, transaction log files might also require access to the older TDE Protector. To determine if there are any remaining logs that still require the older key, after performing key rotation, use the [sys.dm_db_log_info](/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-info-transact-sql) dynamic management view (DMV). This DMV returns information on the virtual log file (VLF) of the transantion log along with its encryption key thumbprint of the VLF.

+- Get started with Azure Key Vault integration and Bring Your Own Key support for TDE: [Turn on TDE using your own key from Key Vault using PowerShell](transparent-data-encryption-byok-configure.md).

+If you're new to data virtualization and want to quickly test functionality, start by querying publicly available data sets available in [Azure Open Datasets](../../open-datasets/dataset-catalog.md), like the [Bing COVID-19 dataset](../../open-datasets/dataset-bing-covid-19.md?tabs=azure-storage) allowing anonymous access.

+The following example uses the [NYC yellow taxi trip records open data set](../../open-datasets/dataset-taxi-yellow.md):

+- To learn more about creating external file format, see [CREATE EXTERNAL FILE FORMAT](/sql/t-sql/statements/create-external-file-format-transact-sql)

+|[Misleading error message on Azure portal suggesting recreation of the Service Principal](#misleading-error-message-on-azure-portal-suggesting-recreation-of-the-service-principal)|Sep 2021||Oct 2021|

+Usernames that contain the '@' symbol in the middle (e.g. 'abc@xy') are not able to log in using SQL Server authentication.

+## Resolved

+### Restoring manual backup without CHECKSUM might fail

+In certain circumstances manual backup of databases that was made on a managed instance without CHECKSUM might fail to be restored. In such cases, retry restoring the backup until you're successful.

+**Workaround**: Take manual backups of databases on managed instances with CHECKSUM enabled.

+### Agent becomes unresponsive upon modifying, disabling, or enabling existing jobs

+In certain circumstances, modifying, disabling, or enabling an existing job can cause the agent to become unresponsive. The issue is automatically mitigated upon detection, resulting in a restart of the agent process.

+### Permissions on resource group not applied to SQL Managed Instance

+When the SQL Managed Instance Contributor Azure role is applied to a resource group (RG), it's not applied to SQL Managed Instance and has no effect.

+**Workaround**: Set up a SQL Managed Instance Contributor role for users at the subscription level.

+### SQL Agent jobs can be interrupted by Agent process restart

+**(Resolved in March 2020)** SQL Agent creates a new session each time a job is started, gradually increasing memory consumption. To avoid hitting the internal memory limit, which would block execution of scheduled jobs, Agent process will be restarted once its memory consumption reaches threshold. It may result in interrupting execution of jobs running at the moment of restart.

+### @query parameter not supported in sp_send_db_mail

+The `@query` parameter in the [sp_send_db_mail](/sql/relational-databases/system-stored-procedures/sp-send-dbmail-transact-sql) procedure doesn't work.

+### Misleading error message on Azure portal suggesting recreation of the Service Principal

+_Active Directory admin_ blade of Azure portal for Azure SQL Managed Instance may be showing the following error message even though Service Principal already exists:

+"Managed Instance needs a Service Principal to access Azure Active Directory. Click here to create a Service Principal"

+You can neglect this error message if Service Principal for the managed instance already exists, and/or Azure Active Directory authentication on the managed instance works.

+To check whether Service Principal exists, navigate to the _Enterprise applications_ page on the Azure portal, choose _Managed Identities_ from the _Application type_ dropdown list, select _Apply_ and type the name of the managed instance in the search box. If the instance name shows up in the result list, Service Principal already exists and no further actions are needed.

+If you already followed the instructions from the error message and clicked the link from the error message, Service Principal of the managed instance has been recreated. In that case, please assign Azure AD read permissions to the newly created Service Principal in order for Azure AD authentication to work properly. This can be done via Azure PowerShell by following [instructions](../database/authentication-aad-configure.md?tabs=azure-powershell#powershell).

+To back up your transaction log, use the following sample Transact-SQL (T-SQL) script on SQL Server:

+-- Execute on SQL Server

+Use the following Transact-SQL (T-SQL) command to check the log spaced used by your database on SQL Server:

+-- Execute on SQL Server

+> SQL Managed Instance link feature is now available in all Azure regions.

+## Use the link feature

+To help with the initial environment setup, we have prepared the following online guide on how to setup your SQL Server environment to use with the link feature for Managed Instance:

+* [Prepare environment for the link](managed-instance-link-preparation.md)

+Once you have ensured the pre-requirements have been met, you can create the link using the automated wizard in SSMS, or you can choose to setup the link manually using scripts. Create the link using one of the following instructions:

+* [Replicate database with link feature in SSMS](managed-instance-link-use-ssms-to-replicate-database.md), or alternatively

+* [Replicate database with Azure SQL Managed Instance link feature with T-SQL and PowerShell scripts](managed-instance-link-use-scripts-to-replicate-database.md)

+Once the link has been created, ensure that you follow the best practices for maintaining the link, by following instructions described at this page:

+* [Best practices with link feature for Azure SQL Managed Instance](link-feature-best-practices.md)

+If and when you are ready to migrate a database to Azure with a minimum downtime, you can do this using an automated wizard in SSMS, or you can choose to do this manually with scripts. Migrate database to Azure link using one of the following instructions:

+* [Failover database with link feature in SSMS](managed-instance-link-use-ssms-to-failover-database.md), or alternatively

+* [Failover (migrate) database with Azure SQL Managed Instance link feature with T-SQL and PowerShell scripts](managed-instance-link-use-scripts-to-failover-database.md)

+### Preview limitations

+- [Auto failover groups](auto-failover-group-sql-mi.md) replication to secondary Managed Instance can't be used in parallel while operating the Managed Instance link with SQL Server.

+- Replicated R/O databases aren't part of auto-backup process on SQL Managed Instance.

+The link feature for SQL Managed Instance was introduced in CU15 of SQL Server 2019.

+To check your SQL Server version, run the following Transact-SQL (T-SQL) script on SQL Server:

+-- Execute on SQL Server

+Create database master key in the master database by running the following T-SQL script on SQL Server.

+-- Execute on SQL Server

+To check if you have database master key, use the following T-SQL script on SQL Server.

+-- Execute on SQL Server

+To confirm the Always On availability groups feature is enabled, run the following Transact-SQL (T-SQL) script on SQL Server:

+-- Execute on SQL Server

+-- Execute on SQL Server

+All databases that are to be replicated via instance link must be in full recovery mode and have at least one backup. Execute the following on SQL Server:

+-- Execute on SQL Server

+For the instance link to work, there must be network connectivity between SQL Server and SQL Managed Instance. The network option that you choose depends on where your SQL Server resides - whether it's on-premises or on a virtual machine (VM).

+Use the following PowerShell script on the Windows host of the SQL Server to open ports in the Windows Firewall:

+To check if SQL Server can reach your SQL Managed Instance, use the `tnc` command in PowerShell from the SQL Server host machine. Replace `<ManagedInstanceFQDN>` with the fully qualified domain (FQDN) name of the Azure SQL Managed Instance. You can copy this information from the managed instance overview page in Azure portal.

+To check that the SQL Managed Instance can reach your SQL Server, create a test endpoint on SQL Server, and then use the SQL Agent on Managed Instance to execute a PowerShell script with the `tnc` command pinging SQL Server on port 5022 from Managed Instance.

+Connect to SQL Server and run the following Transact-SQL (T-SQL) script to create a test endpoint:

+-- Execute on SQL Server

+-- Create certificate needed for the test endpoint on SQL Server

+-- Create test endpoint on SQL Server

+To verify that SQL Server endpoint is receiving connections on the port 5022, execute the following PowerShell command on the host OS of your SQL Server:

+```powershell

+tnc localhost -port 5022

+```

+A successful test shows `TcpTestSucceeded : True`. We can then proceed creating an SQL Agent job on Managed Instance to attempt testing the SQL Server test endpoint on port 5022 from the managed instance.

+Next, create a new SQL Agent job on managed instance called `NetHelper`, using the public IP address or DNS name that can be resolved from the SQL Managed Instance for `SQL_SERVER_ADDRESS`.

+To create the SQL Agent Job, run the following Transact-SQL (T-SQL) script on managed instance:

+-- Execute on Managed Instance

+Execute the SQL Agent job by running the following T-SQL command on managed instance:

+-- Execute on Managed Instance

+Execute the following query on managed instance to show the log of the SQL Agent job:

+-- Execute on Managed Instance

+Finally, drop the test endpoint and certificate on SQL Server with the following Transact-SQL (T-SQL) commands:

+-- Execute on SQL Server

+After your environment has been prepared, you're ready to start [replicating your database](managed-instance-link-use-ssms-to-replicate-database.md). To learn more, review [Link feature in Azure SQL Managed Instance](link-feature.md).

+# Execute in Azure Cloud Shell

+Use the following T-SQL script on SQL Server to change the replication mode of Distributed Availability Group on SQL Server from async to sync. Replace `<DAGName>` with the name of Distributed Availability Group, and replace `<AGName>` with the name of Availability Group created on SQL Server. In addition, replace `<ManagedInstanceName>` with the name of your SQL Managed Instance.

+-- Execute on SQL Server

+-- Execute on SQL Server

+-- Execute on SQL Server

+-- Execute on Managed Instance

+# Execute in Azure Cloud Shell

+After breaking the link and migrating database to Azure SQL Managed Instance, consider cleaning up Availability Group and Distributed Availability Group on SQL Server if they aren't used otherwise on SQL Server.

+-- Execute on SQL Server

+- [Use SQL Managed Instance link via SSMS to migrate database](./managed-instance-link-use-ssms-to-failover-database.md).

+-- Execute on SQL Server

+-- Create the SQL Server certificate for the instance link

+Then, use the following T-SQL query on SQL Server to verify the certificate has been created.

+-- Execute on SQL Server

+Now you can get the public key of the generated certificate on SQL Server.

+-- Execute on SQL Server

+# Execute in Azure Cloud Shell

+-- Execute on Managed Instance

+Copy the entire public key from Managed Instance starting with ΓÇ£0xΓÇ¥ shown in the previous step and use it in the below query on SQL Server by replacing `<InstanceCertificate>` with the key value. No quotations need to be used.

+-- Execute on SQL Server

+-- Execute on SQL Server

+If you donΓÇÖt have existing Availability Group nor mirroring endpoint on SQL Server, the next step is to create a mirroring endpoint on SQL Server and secure it with the certificate. If you do have existing Availability Group or mirroring endpoint, go straight to the next section ΓÇ£Altering existing database mirroring endpointΓÇ¥

+-- Execute on SQL Server

+In case that the above query doesn't show there exists a previous database mirroring endpoint, execute the following script on SQL Server to create a new database mirroring endpoint on the port 5022 and secure it with a certificate.

+-- Execute on SQL Server

+-- Execute on SQL Server

+Execute the following query on SQL Server to view details for an existing database mirroring endpoint.

+-- Execute on SQL Server

+The script below is provided as an example of how to alter your existing database mirroring endpoint on SQL Server. Depending on your existing specific configuration, you perhaps might need to customize it further for your scenario. Replace `<YourExistingEndpointName>` with your existing endpoint name. Replace `<CERTIFICATE-NAME>` with the name of the generated SQL Server certificate. You can also use `SELECT * FROM sys.certificates` to get the name of the created certificate on the SQL Server.

+-- Execute on SQL Server

+After running the ALTER endpoint query and setting the dual authentication mode to Windows and Certificate, use again this query on SQL Server to show the database mirroring endpoint details.

+-- Execute on SQL Server

+Use the following script to create a new Availability Group on SQL Server. Replace `<SQLServerName>` with the name of your SQL Server. Find out your SQL Server name with executing the following T-SQL:

+-- Execute on SQL Server

+-- Execute on SQL Server

+-- Execute on SQL Server

+# Execute in Azure Cloud Shell

+-- Execute on SQL Server

+- [Use SQL Managed Instance link via SSMS to migrate database](./managed-instance-link-use-ssms-to-failover-database.md).

+To learn more, review [Link feature in Azure SQL Managed Instance](link-feature.md).

+To break the link and failover your database to the SQL Managed Instance, see [failover database](managed-instance-link-use-ssms-to-failover-database.md). To learn more, see [Link feature in Azure SQL Managed Instance](link-feature.md).

+- [How to set up Windows Authentication for Azure SQL Managed Instance using Azure Active Directory and Kerberos (Preview)](winauth-azuread-setup.md)

+If you have not yet enabled Windows authentication for Azure AD principals against your managed instance, you may run a trace against a managed instance using an [Azure AD Authentication](../database/authentication-aad-overview.md) option, including:

+- [Extended Events](/sql/relational-databases/extended-events/extended-events)

+|Clients must be joined to AD. The domain must have a functional level of Windows Server 2012 or higher. | You can determine if the client is joined to AD by running the [dsregcmd command](../../active-directory/devices/troubleshoot-device-dsregcmd.md): `dsregcmd.exe /status` |

+1. Identify your [Azure AD tenant ID](../../active-directory/fundamentals/active-directory-how-to-find-tenant.md).

+|Clients must be joined to Azure AD or Hybrid Azure AD. | You can determine if this prerequisite is met by running the [dsregcmd command](../../active-directory/devices/troubleshoot-device-dsregcmd.md): `dsregcmd.exe /status` |

+Customers should first implement [Azure AD Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md) to integrate on-premises directories with Azure AD.

+|Clients must be joined to Azure AD or Hybrid Azure AD. | You can determine if this prerequisite is met by running the [dsregcmd command](../../active-directory/devices/troubleshoot-device-dsregcmd.md): `dsregcmd.exe /status` |

+|Clients must be joined to AD. The domain must have a functional level of Windows Server 2012 or higher. | You can determine if the client is joined to AD by running the [dsregcmd command](../../active-directory/devices/troubleshoot-device-dsregcmd.md): `dsregcmd.exe /status` |

+- [Configure Azure SQL Managed Instance for Windows Authentication for Azure Active Directory (Preview)](winauth-azuread-kerberos-managed-instance.md)

+ Title: Deploy Arc for Azure VMware Solution (Preview)

+description: Learn how to set up and enable Arc for your Azure VMware Solution private cloud.

+# Deploy Arc for Azure VMware Solution (Preview)

+In this article, you'll learn how to deploy Arc for Azure VMware Solution. Once you've set up the components needed for this public preview, you'll be ready to execute operations in Azure VMware Solution vCenter from the Azure portal. Operations are related to Create, Read, Update, and Delete (CRUD) virtual machines (VMs) in an Arc-enabled Azure VMware Solution private cloud. Users can also enable guest management and install Azure extensions once the private cloud is Arc-enabled.

+Before you begin checking off the prerequisites, verify the following actions have been done:

+

+- You deployed an Azure VMware Solution private cluster.

+- You have a connection to the Azure VMware Solution private cloud through your on-prem environment or your native Azure Virtual Network.

+- There should be an isolated NSX-T segment for deploying the Arc for Azure VMware Solution Open Virtualization Appliance (OVA). If an isolated NSX-T segment doesn't exist, one will be created.

+## Prerequisites

+The following items are needed to ensure you're set up to begin the onboarding process to deploy Arc for Azure VMware Solution (Preview).

+- A jump box virtual machine (VM) with network access to the Azure VMware Solution vCenter.

+ - From the jump-box VM, verify you have access to [vCenter and NSX-T portals](/azure/azure-vmware/tutorial-configure-networking).

+- Verify that your Azure subscription has been enabled or you have connectivity to Azure end points, mentioned in the [Appendices](#appendices).

+- Resource group in the subscription where you have owner or contributor role.

+- A minimum of three free non-overlapping IPs addresses.

+- Verify that your vCenter Server version is 6.7 or higher.

+- A resource pool with minimum-free capacity of 16 GB of RAM, 4 vCPUs.

+- A datastore with minimum 100 GB of free disk space that is available through the resource pool.

+- On the vCenter Server, allow inbound connections on TCP port 443, so that the Arc resource bridge and VMware cluster extension can communicate with the vCenter server.

+> [!NOTE]

+> Only the default port of 443 is supported. If you use a different port, Appliance VM creation will fail.

+At this point, you should have already deployed an Azure VMware Solution private cluster. You need to have a connection from your on-prem environment or your native Azure Virtual Network to the Azure VMware Solution private cloud.

+For Network planning and setup, use the [Network planning checklist - Azure VMware Solution | Microsoft Docs](/azure/azure-vmware/tutorial-network-checklist)

+### Registration to Arc for Azure VMware Solution feature set

+The following **Register features** are for provider registration using Azure CLI.

+```azurecli

+az provider register --namespace Microsoft.ConnectedVMwarevSphere

+az provider register --namespace Microsoft.ExtendedLocation

+az provider register --namespace Microsoft.KubernetesConfiguration

+az provider register --namespace Microsoft.ResourceConnector

+az provider register --namespace Microsoft.AVS

+```

+Alternately, users can sign into their Subscription, navigate to the **Resource providers** tab, and register themselves on the resource providers mentioned previously.

+For feature registration, users will need to sign into their **Subscription**, navigate to the **Preview features** tab, and search for 'Azure Arc for Azure VMware Solution'. Once registered, no other permissions are required for users to access Arc.

+Users need to ensure they've registered themselves to **Microsoft.AVS/earlyAccess**. After registering, use the following feature to verify registration.

+```azurecli

+az feature show --name AzureArcForAVS --namespace Microsoft.AVS

+```

+## Onboard process to deploy Azure Arc

+Use the following steps to guide you through the process to onboard in Arc for Azure VMware Solution (Preview).

+1. Sign into the jumpbox VM and extract the contents from the compressed file from the following [location](https://github.com/Azure/ArcOnAVS/releases). The extracted file contains the scripts to install the preview software.

+1. Open the 'config_avs.json' file and populate all the variables.

+ **Config JSON**

+ ```json

+ {

+ "subscriptionId": "",

+ "resourceGroup": "",

+ "applianceControlPlaneIpAddress": "",

+ "privateCloud": "",

+ "isStatic": true,

+ "staticIpNetworkDetails": {

+ "networkForApplianceVM": "",

+ "networkCIDRForApplianceVM": "",

+ "k8sNodeIPPoolStart": "",

+ "k8sNodeIPPoolEnd": "",

+ "gatewayIPAddress": ""

+ }

+ }

+ ```

+

+ - Populate the `subscriptionId`, `resourceGroup`, and `privateCloud` names respectively.

+ - `isStatic` is always true.

+ - `networkForApplianceVM` is the name for the segment for Arc appliance VM. One will be created if it doesn't already exist.

+ - `networkCIDRForApplianceVM` is the IP CIDR of the segment for Arc appliance VM. It should be unique and not affect other networks of Azure VMware Solution management IP CIDR.

+ - `GatewayIPAddress` is the gateway for the segment for Arc appliance VM.

+ - `applianceControlPlaneIpAddress` is the IP address for the Kubernetes API server that should be part of the segment IP CIDR provided. It shouldn't be part of the k8s node pool IP range.

+ - `k8sNodeIPPoolStart`, `k8sNodeIPPoolEnd` are the starting and ending IP of the pool of IPs to assign to the appliance VM. Both need to be within the `networkCIDRForApplianceVM`.

+ **Json example**

+ ```json

+ {

+ "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

+ "resourceGroup": "test-rg ",

+ "applianceControlPlaneIpAddress": "10.14.10.10",

+ "privateCloud": "test-pc",

+ "isStatic": true,

+ "staticIpNetworkDetails": {

+ "networkForApplianceVM": "arc-segment",

+ "networkCIDRForApplianceVM": "10.14.10.1/24",

+ "k8sNodeIPPoolStart": "10.14.10.20",

+ "k8sNodeIPPoolEnd": "10.14.10.30",

+ "gatewayIPAddress": "10.14.10.1"

+ }

+ }

+ ```

+1. Run the installation scripts. We've provided you with the option to set up this preview from a Windows or Linux-based jump box/VM.

+ Run the following commands to execute the installation script.

+ # [Windows based jump box/VM](#tab/windows)

+ Script isn't signed so we need to bypass Execution Policy in PowerShell. Run the following commands.

+ ```

+ Set-ExecutionPolicy -Scope Process -ExecutionPolicy ByPass; .\run.ps1 -Operation onboard -FilePath {config-json-path}

+ ```

+ # [Linux based jump box/VM](#tab/linux)

+ Add execution permission for the script and run the following commands.

+

+ ```

+ $ chmod +x run.sh

+ $ sudo bash run.sh onboard {config-json-path}

+ ```

+4. You'll notice more Azure Resources have been created in your resource group.

+ - Resource bridge

+ - Custom location

+ - VMware vCenter

+> [!IMPORTANT]

+> You can't create the resources in a separate resource group. Make sure you use the same resource group from where the Azure VMware Solution private cloud was created to create the resources.

+

+## Discover and project your VMware infrastructure resources to Azure

+When Arc appliance is successfully deployed on your private cloud, you can do the following actions.

+- View the status from within the private cloud under **Operations > Azure Arc**, located in the left navigation.

+- View the VMware infrastructure resources from the private cloud left navigation under **Private cloud** then select **Azure Arc vCenter resources**.

+- Discover your VMware infrastructure resources and project them to Azure using the same browser experience, **Private cloud > Arc vCenter resources > Virtual Machines**.

+- Similar to VMs, customers can enable networks, templates, resource pools, and data-stores in Azure.

+After you've enabled VMs to be managed from Azure, you can install guest management and do the following actions.

+- Enable customers to install and use extensions.

+ - To enable guest management, customers will be required to use admin credentials

+ - VMtools should already be running on the VM

+> [!NOTE]

+> Azure VMware Solution vCenter will be available in global search but will NOT be available in the list of vCenters for ARc for VMware.

+- Customers can view the list of VM extensions available in public preview.

+ - Change tracking

+ - Log analytics

+ - Update management

+ - Azure policy guest configuration

+ **Azure VMware Solution private cloud with Azure Arc**

+When the script has run successfully, you can check the status to see if Azure Arc has been configured. To verify if your private cloud is Arc-enabled, do the following action:

+- In the left navigation, locate **Operations**.

+- Choose **Azure Arc (preview)**. Azure Arc state will show as **Configured**.

+ :::image type="content" source="media/deploy-arc-for-azure-vmware-solution/arc-private-cloud-configured.png" alt-text="Image showing navigation to Azure Arc state to verify it's configured."lightbox="media/deploy-arc-for-azure-vmware-solution/arc-private-cloud-configured.png":::

+**Arc enabled VMware resources**

+After the private cloud is Arc-enabled, vCenter resources should appear under **Virtual machines**.

+- From the left navigation, under **Azure Arc VMware resources (preview)**, locate **Virtual machines**.

+- Choose **Virtual machines** to view the vCenter resources.

+### Manage access to VMware resources through Azure Role-Based Access Control

+After your Azure VMware Solution vCenter resources have been enabled for access through Azure, there's one final step in setting up a self-service experience for your teams. You'll need to provide your teams with access to: compute, storage, networking, and other vCenter resources used to configure VMs.

+This section will demonstrate how to use custom roles to manage granular access to VMware resources through Azure.

+#### Arc-enabled VMware vSphere custom roles

+We provide three custom roles to meet your Role-based access controls (RBACs). These roles can be applied to a whole subscription, resource group, or a single resource.

+- Azure Arc VMware Administrator role

+- Azure Arc VMware Private Cloud User role

+- Azure Arc VMware VM Contributor role

+The first role is for an Administrator. The other two roles apply to anyone who needs to deploy or manage a VM.

+**Azure Arc Azure VMware Solution Administrator role**

+This custom role gives the user permission to conduct all possible operations for the `Microsoft.ConnectedVMwarevSphere` resource provider. This role should be assigned to users or groups who are administrators that manage Azure Arc-enabled Azure VMware Solution deployment.

+**Azure Arc Azure VMware Solution Private Cloud User role**

+This custom role gives the user permission to use the Arc-enabled Azure VMware Solutions vSphere resources that have been made accessible through Azure. This role should be assigned to any users or groups that need to deploy, update, or delete VMs.

+We recommend assigning this role at the individual resource pool (host or cluster), virtual network, or template that you want the user to deploy VMs with.

+**Azure Arc Azure VMware Solution VM Contributor role**

+This custom role gives the user permission to perform all VMware VM operations. This role should be assigned to any users or groups that need to deploy, update, or delete VMs.

+We recommend assigning this role at the subscription level or resource group you want the user to deploy VMs with.

+**Assign custom roles to users or groups**

+1. Navigate to the Azure portal.

+1. Locate the subscription, resource group, or the resource at the scope you want to provide for the custom role.

+1. Find the Arc-enabled Azure VMware Solution vCenter resources.

+ 1. Navigate to the resource group and select the **Show hidden types** checkbox.

+ 1. Search for "Azure VMware Solution".

+1. Select **Access control (IAM)** in the table of contents located on the left navigation.

+1. Select **Add role assignment** from the **Grant access to this resource**.

+ :::image type="content" source="media/deploy-arc-for-azure-vmware-solution/assign-custom-role-user-groups.png" alt-text="Image showing navigation to access control IAM and add role assignment."lightbox="media/deploy-arc-for-azure-vmware-solution/assign-custom-role-user-groups.png":::

+1. Select the custom role you want to assign, Azure Arc VMware Solution: **Administrator**, **Private Cloud User**, or **VM Contributor**.

+1. Search for **AAD user** or **group name** that you want to assign this role to.

+1. Select the **AAD user** or **group name**. Repeat this step for each user or group you want to give permission to.

+1. Repeat the above steps for each scope and role.

+## Create Arc-enabled Azure VMware Solution virtual machine

+This section shows users how to create a virtual machine (VM) on VMware vCenter using Azure Arc. Before you begin, check the following prerequisite list to ensure you're set up and ready to create an Arc-enabled Azure VMware Solution VM.

+### Prerequisites

+- An Azure subscription and resource group where you have an Arc VMware VM **Contributor role**.

+- A resource pool resource that you have an Arc VMware private cloud resource **User role**.

+- A virtual machine template resource that you have an Arc private cloud resource **User role**.

+- (Optional) a virtual network resource on which you have Arc private cloud resource **User role**.

+### Create VM flow

+- Open the [Azure portal](https://ms.portal.azure.com/)

+- On the **Home** page, search for **virtual machines**. Once you've navigated to **Virtual machines**, select the **+ Create** drop down and select **Azure VMware Solution virtual machine**.

+ :::image type="content" source="media/deploy-arc-for-azure-vmware-solution/deploy-vm-arc-1.2.png" alt-text="Image showing the location of the plus Create drop down menu and Azure VMware Solution virtual machine selection option."lightbox="media/deploy-arc-for-azure-vmware-solution/deploy-vm-arc-1.2.png":::

+Near the top of the **Virtual machines** page, you'll find five tabs labeled: **Basics**, **Disks**, **Networking**, **Tags**, and **Review + create**. Follow the steps or options provided in each tab to create your Azure VMware Solution virtual machine.

+**Basics**

+1. In **Project details**, select the **Subscription** and **Resource group** where you want to deploy your VM.

+1. In **Instance details**, provide the **virtual machine name**.

+1. Select a **Custom location** that your administrator has shared with you.

+1. Select the **Resource pool/cluster/host** where the VM should be deployed.

+1. For **Template details**, pick a **Template** based on the VM you plan to create.

+ - Alternately, you can check the **Override template defaults** box that allows you to override the CPU and memory specifications set in the template.

+ - If you chose a Windows template, you can provide a **Username** and **Password** for the **Administrator account**.

+1. For **Extension setup**, the box is checked by default to **Enable guest management**. If you donΓÇÖt want guest management enabled, uncheck the box.

+1. The connectivity method defaults to **Public endpoint**. Create a **Username**, **Password**, and **Confirm password**.

+

+**Disks**

+ - You can opt to change the disks configured in the template, add more disks, or update existing disks. These disks will be created on the default datastore per the VMware vCenter storage policies.

+ - You can change the network interfaces configured in the template, add Network interface cards (NICs), or update existing NICs. You can also change the network that the NIC will be attached to provided you have permissions to the network resource.

+

+**Networking**

+ - A network configuration is automatically created for you. You can choose to keep it or override it and add a new network interface instead.

+ - To override the network configuration, find and select **+ Add network interface** and add a new network interface.

+

+**Tags**

+ - In this section, you can add tags to the VM resource.

+

+**Review + create**

+ - Review the data and properties you've set up for your VM. When everything is set up how you want it, select **Create**. The VM should be created in a few minutes.

+

+## Enable guest management and extension installation

+The guest management must be enabled on the VMware virtual machine (VM) before you can install an extension. Use the following prerequisite steps to enable guest management.

+**Prerequisite**

+1. Navigate to [Azure portal](https://ms.portal.azure.com/).

+1. Locate the VMware VM you want to check for guest management and install extensions on, select the name of the VM.

+1. Select **Configuration** from the left navigation for a VMware VM.

+1. Verify **Enable guest management** has been checked.

+>[!NOTE]

+> The following conditions are necessary to enable guest management on a VM.

+- The machine must be running a [Supported operating system](/azure/azure-arc/servers/agent-overview).

+- The machine needs to connect through the firewall to communicate over the Internet. Make sure the [URLs](/azure/azure-arc/servers/agent-overview) listed aren't blocked.

+- The machine can't be behind a proxy, it's not supported yet.

+- If you're using Linux VM, the account must not prompt to sign in on pseudo commands.

+

+ Avoid pseudo commands by following these steps:

+

+ 1. Sign into Linux VM.

+ 1. Open terminal and run the following command: `sudo visudo`.

+ 1. Add the line `username` `ALL=(ALL) NOPASSWD:ALL` at the end of the file.

+ 1. Replace `username` with the appropriate user-name.

+If your VM template already has these changes incorporated, you won't need to do the steps for the VM created from that template.

+**Extension installation steps**

+1. Go to Azure portal.

+1. Find the Arc-enabled Azure VMware Solution VM that you want to install an extension on and select the VM name.

+1. Navigate to **Extensions** in the left navigation, select **Add**.

+1. Select the extension you want to install.

+ 1. Based on the extension, you'll need to provide details. For example, `workspace Id` and `key` for LogAnalytics extension.

+1. When you're done, select **Review + create**.

+When the extension installation steps are completed, they trigger deployment and install the selected extension on the VM.

+## Change Arc appliance credential

+Use the following guide to change your Arc appliance credential once you've changed your SDDC credentials.

+Use the **`Set Credential`** command to update the provider credentials for appliance resource. When **cloud admin** credentials are updated, use the following steps to update the credentials in the appliance store.

+1. Log into the jumpbox VM from where onboarding was performed. Change the directory to **onboarding directory**.

+1. Run the following command for Windows-based jumpbox VM.

+

+ `./.temp/.env/Scripts/activate`

+1. Run the following command.

+ `az arcappliance setcredential vmware --kubeconfig kubeconfig`

+1. Run the onboard command again. See step 3 in the [Process to onboard]() in Arc for Azure VMware Preview.

+

+> [!NOTE]

+> Customers need to ensure kubeconfig and SSH remain available as they will be required for log collection, appliance Upgrade, and credential rotation. These parameters will be required at the time of upgrade, log collection, and credential update scenarios.

+**Parameters**

+Required parameters

+`-kubeconfig # kubeconfig of Appliance resource`

+**Examples**

+The following command invokes the set credential for the specified appliance resource.

+` az arcappliance setcredential <provider> --kubeconfig <kubeconfig>`

+## Manual appliance upgrade

+Use the following steps to perform a manual upgrade for Arc appliance virtual machine (VM).

+1. Log into vCenter.

+1. Locate the arc appliance VM, which should be in the resource pool that was configured during onboarding.

+ 1. Power off the VM.

+ 1. Delete the VM.

+1. Delete the download template corresponding to the VM.

+1. Get the previous script `Config_avs` file and add the following configuration item:

+ 1. `"register":false`

+1. Download the latest version of the Azure VMware Solution onboarding script.

+1. Run the new onboarding script with the previous `config_avs.json` from the jump box VM, without changing other config items.

+## Off board from Azure Arc-enabled Azure VMware Solution

+This section demonstrates how to remove your VMware virtual machines (VMs) from Azure management services.

+If you've enabled guest management on your Arc-enabled Azure VMware Solution VMs and onboarded them to Azure management services by installing VM extensions on them, you'll need to uninstall the extensions to prevent continued billing. For example, if you installed an MMA extension to collect and send logs to an Azure Log Analytics workspace, you'll need to uninstall that extension. You'll also need to uninstall the Azure Connected Machine agent to avoid any problems installing the agent in future.

+Use the following steps to uninstall extensions from the portal.

+>[!NOTE]

+>**Steps 2-5** must be performed for all the VMs that have VM extensions installed.

+1. Log into your Azure VMware Solution private cloud.

+1. Select **Virtual machines** in **Private cloud**, found in the left navigation under ΓÇ£Arc-enabled VMware resourcesΓÇ¥.

+1. Search and select the virtual machine where you have **Guest management** enabled.

+1. Select **Extensions**.

+1. Select the extensions and select **Uninstall**.

+To avoid problems onboarding the same VM to **Guest management**, we recommend you do the following steps to cleanly disable guest management capabilities.

+>[!NOTE]

+>**Steps 2-3** must be performed for **all VMs** that have **Guest management** enabled.

+1. Sign into the virtual machine using administrator or root credentials and run the following command in the shell.

+ 1. `azcmagent disconnect --force-local-only`.

+1. Uninstall the `ConnectedMachine agent` from the machine.

+1. Set the **identity** on the VM resource to **none**.

+## Remove Arc-enabled Azure VMware Solution vSphere resources from Azure

+When you activate Arc-enabled Azure VMware Solution resources in Azure, a representation is created for them in Azure. Before you can delete the vCenter resource in Azure, you'll need to delete all of the Azure resource representations you created for your vSphere resources. To delete the Azure resource representations you created, do the following steps:

+1. Go to the Azure portal.

+1. Choose **Virtual machines** from Arc-enabled VMware resources in the private cloud.

+1. Select all the VMs that have an Azure Enabled value as **Yes**.

+1. Select **Remove from Azure**. This step will start deployment and remove these resources from Azure. The resources will remain in your vCenter.

+ 1. Repeat steps 2, 3 and 4 for **Resourcespools/clusters/hosts**, **Templates**, **Networks**, and **Datastores**.

+1. When the deletion completes, select **Overview**.

+ 1. Note the Custom location and the Azure Arc Resource bridge resources in the Essentials section.

+1. Select **Remove from Azure** to remove the vCenter resource from Azure.

+1. Go to vCenter resource in Azure and delete it.

+1. Go to the Custom location resource and select **Delete**.

+1. Go to the Azure Arc Resource bridge resources and select **Delete**.

+At this point, all of your Arc-enabled VMware vSphere resources have been removed from Azure.

+## Delete Arc resources from vCenter

+For the final step, you'll need to delete the resource bridge VM and the VM template that were created during the onboarding process. Once that step is done, Arc won't work on the Azure VMware Solution SDDC. When you delete Arc resources from vCenter, it won't affect the Azure VMware Solution private cloud for the customer.

+## Preview FAQ

+**How do you onboard a customer?**

+

+Fill in the [Customer Enrollment form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR0SUP-7nYapHr1Tk0MFNflVUNEJQNzFONVhVOUlVTVk3V1hNTjJPVDM5WS4u) and we'll be in touch.

+**How does support work?**

+Standard support process for Azure VMware Solution has been enabled to support customers.

+**Does Arc for Azure VMware Solution support private end point?**

+Yes. Arc for Azure VMware Solution will support private end point for general audience. However, it's not currently supported.

+**Is enabling internet the only option to enable Arc for Azure VMware Solution?**

+Yes

+**Is DHCP support available?**

+DHCP support is not available to customers at this time, we only support static IP.

+>[!NOTE]

+> This is Azure VMware Solution 2.0 only. It's not available for Azure VMware Solution by Cloudsimple.

+## Debugging tips for known issues

+Use the following tips as a self-help guide.

+**What happens if I face an error related to Azure CLI?**

+- For windows jumpbox, if you have 32-bit Azure CLI installed, verify that your current version of Azure CLI has been uninstalled. Verification can be done from the Control Panel.

+- To ensure it's uninstalled, try the `az` version to check if it's still installed.

+- If you already installed Azure CLI using MSI, `az` installed by MSI and pip will conflict on PATH. In this case, it's recommended that you uninstall the current Azure CLI version.

+**My script stopped because it timed-out, what should I do?**

+- Retry the script for `create`. A prompt will ask you to select **Y** and rerun it.

+- It could be a cluster extension issue that would result in adding the extension in the pending state.

+- Verify you have the correct script version.

+- Verify the VMware pod is running correctly on the system in running state.

+**Basic trouble-shooting steps if the script run was unsuccessful.**

+- Follow the directions provided in the [Prerequisites](#prerequisites) section of this article to verify that the feature and resource providers are registered.

+**What happens if the Arc for VMware section shows no data?**

+- If the Azure Arc VMware resources in the Azure UI show no data, verify your subscription was added in the global default subscription filter.

+**I see the error:** "`ApplianceClusterNotRunning` Appliance Cluster: `<resource-bridge-id>` expected states to be Succeeded found: Succeeded and expected status to be Running and found: Connected".

+- Run the script again.

+**I'm unable to install extensions on my virtual machine.**

+- Check that **guest management** has been successfully installed.

+- **VMtools** should be installed on the VM.

+**I'm facing Network related issues during on-boarding.**

+- Look for an IP conflict. You need IPs with no conflict or from free pool.

+- Verify the internet is enabled for the network segment.

+**Where can I find more information related to Azure Arc resource bridge?**

+- For more information, go to [Azure Arc resource bridge (preview) overview](/azure/azure-arc/resource-bridge/overview)

+## Appendices

+Appendix 1 shows proxy URLs required by the Azure Arc-enabled private cloud. The URLs will get pre-fixed when the script runs and can be run from the jumpbox VM to ping them.

+| **Azure Arc Service** | **URL** |

+| :-- | :-- |

+| Microsoft container registry | `https://mcr.microsoft.com` |

+| Azure Arc Identity service | `https://*.his.arc.azure.com` |

+| Azure Arc configuration service | `https://*.dp.kubernetesconfiguration.azure.com` |

+| Cluster connect | `https://*.servicebus.windows.net` |

+| Guest Notification service | `https://guestnotificationservice.azure.com` |

+| Resource bridge (appliance) Dataplate service | `https://*.dp.prod.appliances.azure.com` |

+| Resource bridge (appliance) container image download | `https://ecpacr.azurecr.io` |

+| Resource bridge (appliance) image download | `https://.blob.core.windows.net https://*.dl.delivery.mp.microsoft.com https://*.do.dsp.mp.microsoft.com` |

+| Azure Resource Manager | `https://management.azure.com` |

+| Azure Active Directory | `https://login.mirosoftonline.com` |

+**Additional URL resources**

+- [Google Container Registry](http://gcr.io/)

+- [Red Hat Quay.io](http://quay.io/)

+[API reference documentation](/dotnet/api/overview/azure/messaging.webpubsub-readme-pre) |

+[API reference documentation](/javascript/api/overview/azure/webpubsub) |

+[API reference documentation](/javascript/api/overview/azure/web-pubsub-express-readme?view=azure-node-latest) |

+Azure Bastion needs to be able to communicate with certain internal endpoints to successfully connect to target resources. Therefore, you *can* use Azure Bastion with Azure Private DNS Zones as long as the zone name you select doesn't overlap with the naming of these internal endpoints. Before you deploy your Azure Bastion resource, please make sure that the host virtual network is not linked to a private DNS zone with the following exact names:

+* blob.core.windows.net

+* vault.azure.com

+You may use a private DNS zone ending with one of the names listed above (ex: dummy.blob.core.windows.net) as long as it is not one of the recommended DNS zone names for an Azure service listed [here](../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration).

+Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software.

+|Benefit |Description|

+|--|--|

+|RDP and SSH through the Azure portal|You can get to the RDP and SSH session directly in the Azure portal using a single-click seamless experience.|

+|Remote Session over TLS and firewall traversal for RDP/SSH|Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. Your RDP/SSH session is over TLS on port 443. This enables the traffic to traverse firewalls more securely.|

+|No Public IP address required on the Azure VM| Azure Bastion opens the RDP/SSH connection to your Azure VM by using the private IP address on your VM. You don't need a public IP address on your virtual machine.|

+|No hassle of managing Network Security Groups (NSGs)| You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines. For more information about NSGs, see [Network Security Groups](../virtual-network/network-security-groups-overview.md#security-rules).|

+|No need to manage a separate bastion host on a VM |Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity.|

+|Protection against port scanning|Your VMs are protected against port scanning by rogue and malicious users because you don't need to expose the VMs to the internet.|

+|Hardening in one place only|Azure Bastion sits at the perimeter of your virtual network, so you donΓÇÖt need to worry about hardening each of the VMs in your virtual network.|

+|Protection against zero-day exploits |The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.|

+To learn more, see [Azure CLI for Azure IoT](/cli/azure/iot/product?view=azure-cli-latest).

+* To help system builders and their customers capture high quality images which are necessary for high quality outputs from Face API, weΓÇÖre introducing a new quality attribute **QualityForRecognition** to help decide whether an image is of sufficient quality to attempt face recognition. The value is an informal rating of low, medium, or high. The new attribute is only available when using any combinations of detection models `detection_01` or `detection_03`, and recognition models `recognition_03` or `recognition_04`. Only "high" quality images are recommended for person enrollment and quality above "medium" is recommended for identification scenarios. To learn more about the new quality attribute, see [Face detection and attributes](concepts/face-detection.md) and see how to use it with [QuickStart](./quickstarts/client-libraries.md?pivots=programming-language-csharp&tabs=visual-studio).

+You can use conversational language understanding to create a new orchestration project, See the [conversational language understanding documentation](../../language-service/orchestration-workflow/how-to/create-project.md).

+* To change your LUIS authoring resource to the Language resource. You can also optionally export your application from LUIS, and then [import it into conversational language understanding](../../language-service/orchestration-workflow/how-to/create-project.md#export-and-import-a-project).

+* [Conversational language understanding documentation](../../language-service/conversational-language-understanding/how-to/create-project.md)

+| Chinese (Mandarin, Simplified) | `zh-CN` | Female | `zh-CN-XiaoshuangNeural` | Child voice, optimized for child story and chat; multiple voice styles available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles)|

+| French (France) | `fr-FR` | Female | `fr-FR-DeniseNeural` | General, multiple voice styles available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles) ^{Public preview} |

+> Two styles for `fr-FR-DeniseNeural` now are available for public preview: `cheerful` and `sad` in 3 regions: East US, West Europe, and Southeast Asia.

+> Voices/Styles in public preview are only available in three service regions: East US, West Europe, and Southeast Asia.

+> The `en-US-JennyNeuralMultilingual` voice supports multiple languages. Check the [voices list API](rest-text-to-speech.md#get-a-list-of-voices) for a supported languages list.

+> For more information about regional availability, see [regions](regions.md#prebuilt-neural-voices).

+> To learn how you can configure and adjust neural voices, such as Speaking Styles, see [Speech Synthesis Markup Language](speech-synthesis-markup.md#adjust-speaking-styles).

+> The `en-US-JessaNeural` voice has changed to `en-US-AriaNeural`. If you were using "Jessa" before, convert to "Aria." You can continue to use the full service name mapping like "Microsoft Server Speech Text to Speech Voice (en-US, AriaNeural)" in your speech synthesis requests.

+|fr-FR-DeniseNeural |`cheerful` ^{Public preview}, `sad`^{Public preview}|||

+> [!IMPORTANT]

+> Voices/Styles in public preview are only available in three service regions: East US, West Europe, and Southeast Asia.

+> [Access Azure Storage from a web app using managed identities](../../../app-service/scenario-secure-app-access-storage.md?bc=%2fazure%2fcognitive-services%2ftranslator%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fcognitive-services%2ftranslator%2ftoc.json)

+You can reuse some of the content of your existing LUIS applications in [Conversational Language Understanding](../overview.md). When working with Conversational Language Understanding projects, you can:

+* Create LUIS applications that can be connected to [orchestration workflow](../../orchestration-workflow/overview.md) projects.

+## How do I connect conversation language projects to other service applications?

+See the [orchestration workflow documentation](../orchestration-workflow/overview.md) for more information.

+Conversational Language Understanding allows you to create conversation projects. To create orchestration projects, see the [orchestration workflow](../../orchestration-workflow/overview.md) documentation.

+# Deploy and test a conversational language understanding model

+The training times can be anywhere from a few seconds up to a couple of hours when you reach the [maximum limit](../service-limits.md) of utterances. Before training, you will have the option to enable evaluation, which lets you view how your model performs.

+| German | `de` |

+- The only available SKU to access Conversational Language Understanding is the **Language** resource with the **S** sku.

+|Utterances|15,000 per project|

+ Title: Orchestration workflow model evaluation metrics

+description: Learn about evaluation metrics in orchestration workflow

+# Evaluation metrics for orchestration workflow models

+Model evaluation in orchestration workflow uses the following metrics:

+|Metric |Description |Calculation |

+||||

+|Precision | The ratio of successful recognitions to all attempted recognitions. This shows how many times the model's entity recognition is truly a good recognition. | `Precision = #True_Positive / (#True_Positive + #False_Positive)` |

+|Recall | The ratio of successful recognitions to the actual number of entities present. | `Recall = #True_Positive / (#True_Positive + #False_Negatives)` |

+|F1 score | The combination of precision and recall. | `F1 Score = 2 * Precision * Recall / (Precision + Recall)` |

+## Confusion matrix

+A Confusion matrix is an N x N matrix used for model performance evaluation, where N is the number of intents.

+The matrix compares the actual tags with the tags predicted by the model.

+This gives a holistic view of how well the model is performing and what kinds of errors it is making.

+You can use the Confusion matrix to identify intents that are too close to each other and often get mistaken (ambiguity). In this case consider merging these intents together. If that isn't possible, consider adding more tagged examples of both intents to help the model differentiate between them.

+You can calculate the model-level evaluation metrics from the confusion matrix:

+* The *true positive* of the model is the sum of *true Positives* for all intents.

+* The *false positive* of the model is the sum of *false positives* for all intents.

+* The *false Negative* of the model is the sum of *false negatives* for all intents.

+## Next steps

+[Train a model in Language Studio](../how-to/train-model.md)

+ Title: Frequently Asked Questions for orchestration projects

+description: Use this article to quickly get the answers to FAQ about orchestration projects

+# Frequently asked questions for orchestration workflows

+Use this article to quickly get the answers to common questions about orchestration workflows

+## How do I create a project?

+See the [quickstart](./quickstart.md) to quickly create your first project, or the [how-to article](./how-to/create-project.md) for more details.

+## How do I connect other service applications in orchestration workflow projects?

+See [How to create projects and build schemas](./how-to/create-project.md) for information on connecting another project as an intent.

+## Which LUIS applications can I connect to in orchestration workflow projects?

+LUIS applications that use the Language resource as their authoring resource will be available for connection. You can only connect to LUIS applications that are owned by the same resource. This option will only be available for resources in West Europe, as it's the only common available region between LUIS and CLU.

+## Training is taking a long time, is this expected?

+For orchestration projects, long training times are expected. Based on the number of examples you have your training times may vary from 5 minutes to 1 hour or more.

+## Can I add entities to orchestration workflow projects?

+No. Orchestration projects are only enabled for intents that can be connected to other projects for routing.

+<!--

+## Which languages are supported in this feature?

+See the [language support](./language-support.md) article.

+-->

+## How do I get more accurate results for my project?

+Take a look at the [recommended guidelines](./how-to/create-project.md) for information on improving accuracy.

+<!--

+## How many intents, and utterances can I add to a project?

+See the [service limits](./service-limits.md) article.

+-->

+## Can I label the same word as 2 different entities?

+Unlike LUIS, you cannot label the same text as 2 different entities. Learned components across different entities are mutually exclusive, and only one learned span is predicted for each set of characters.

+## Is there any SDK support?

+Yes, only for predictions, and [samples are available](https://aka.ms/cluSampleCode). There is currently no authoring support for the SDK.

+## Are there APIs for this feature?

+Yes, all the APIs [are available](https://aka.ms/clu-apis).

+## Next steps

+[Orchestration workflow overview](overview.md)

+ Title: How to create projects and build schema in orchestration workflow

+description: Use this article to learn how to create projects in orchestration workflow

+# How to create projects in orchestration workflow

+Orchestration workflow allows you to create projects that connect your applications to:

+* Custom Language Understanding

+* Question Answering

+* LUIS

+* QnA maker

+## Sign in to Language Studio

+To get started, you have to first sign in to [Language Studio](https://aka.ms/languageStudio) and create a Language resource. Select **Done** once selection is complete.

+In language studio, find the **Understand questions and conversational language** section, and select **Orchestration workflow**.

+You will see the orchestration workflow projects page.

+<!--:::image type="content" source="../media/projects-page.png" alt-text="A screenshot showing the Conversational Language Understanding projects page." lightbox="../media/projects-page.png":::-->

+## Create an orchestration workflow project

+Select **Create new project**. When creating your workflow project, you need to provide the following details:

+- Name: Project name

+- Description: Optional project description

+- Utterances primary language: The primary language of your utterances.

+## Building schema and adding intents

+Once you're done creating a project, you can connect it to the other projects and services you want to orchestrate to. Each connection is represented by its type and relevant data.

+To create a new intent, click on *+Add* button and start by giving your intent a **name**. You will see two options, to connect to a project or not. You can connect to (LUIS, question answering (QnA), or Conversational Language Understanding) projects, or choose the **no** option.

+> [!NOTE]

+> The list of projects you can connect to are only projects that are owned by the same Language resource you are using to create the orchestration project.

+In Orchestration Workflow projects, the data used to train connected intents isn't provided within the project. Instead, the project pulls the data from the connected service (such as connected LUIS applications, Conversational Language Understanding projects, or Custom Question Answering knowledge bases) during training. However, if you create intents that are not connected to any service, you still need to add utterances to those intents.

+## Export and import a project

+You can export an orchestration workflow project as a JSON file at any time by going to the projects page, selecting a project, and pressing **Export**.

+That project can be reimported as a new project. If you import a project with the exact same name, it replaces the project's data with the newly imported project's data.

+To import a project, select the arrow button on the projects page next to **Create a new project** and select **Import**. Then select the orchestration workflow JSON file.

+## Next Steps

+[Build schema](./train-model.md)

+ Title: How to send a API requests to an orchestration workflow project

+description: Learn about sending a request to orchestration workflow projects.

+ms.devlang: csharp, python

+# Deploy and test model

+After you have [trained a model](./train-model.md) on your dataset, you're ready to deploy it. After deploying your model, you'll be able to query it for predictions.

+> [!Tip]

+> Before deploying a model, make sure to view the model details to make sure that the model is performing as expected.

+> You can only have ten deployment names.

+## Orchestration workflow model deployments

+Deploying a model hosts and makes it available for predictions through an endpoint.

+When a model is deployed, you will be able to test the model directly in the portal or by calling the API associated to it.

+1. From the left side, click on **Deploy model**.

+2. Click on **Add deployment** to submit a new deployment job.

+ In the window that appears, you can create a new deployment name by giving the deployment a name or override an existing deployment name. Then, you can add a trained model to this deployment name and press next.

+3. If you're connecting one or more LUIS applications or conversational language understanding projects, you have to specify the deployment name.

+ No configurations are required for custom question answering or unlinked intents.

+ LUIS projects **must be published** to the slot configured during the Orchestration deployment, and custom question answering KBs must also be published to their Production slots.

+1. Click on **Add deployment** to submit a new deployment job.

+ Like conversation projects, In the window that appears, you can create a new deployment name by giving the deployment a name or override an existing deployment name. Then, you can add a trained model to this deployment name and press next.

+ <!--:::image type="content" source="../media/create-deployment-job-orch.png" alt-text="A screenshot showing deployment job creation in Language Studio." lightbox="../media/create-deployment-job-orch.png":::-->

+2. If you're connecting one or more LUIS applications or conversational language understanding projects, specify the deployment name.

+ No configurations are required for custom question answering or unlinked intents.

+ LUIS projects **must be published** to the slot configured during the Orchestration deployment, and custom question answering KBs must also be published to their Production slots.

+ :::image type="content" source="../media/deploy-connected-services.png" alt-text="A screenshot showing the deployment screen for orchestration workflow projects." lightbox="../media/deploy-connected-services.png":::

+## Send a request to your model

+Once your model is deployed, you can begin using the deployed model for predictions. Outside of the test model page, you can begin calling your deployed model via API requests to your provided custom endpoint. This endpoint request obtains the intent and entity predictions defined within the model.

+You can get the full URL for your endpoint by going to the **Deploy model** page, selecting your deployed model, and clicking on "Get prediction URL".

+Add your key to the `Ocp-Apim-Subscription-Key` header value, and replace the query and language parameters.

+

+> [!TIP]

+> As you construct your requests, see the [quickstart](../quickstart.md?pivots=rest-api#query-model) and REST API [reference documentation](https://aka.ms/clu-apis) for more information.

+### Use the client libraries (Azure SDK)

+You can also use the client libraries provided by the Azure SDK to send requests to your model.

+> [!NOTE]

+> The client library for Orchestration workflow is only available for:

+> * .NET

+> * Python

+1. Go to your resource overview page in the [Azure portal](https://portal.azure.com/#home)

+2. From the menu on the left side, select **Keys and Endpoint**. Use endpoint for the API requests and you will need the key for `Ocp-Apim-Subscription-Key` header.

+ :::image type="content" source="../../custom-classification/media/get-endpoint-azure.png" alt-text="Get the Azure endpoint" lightbox="../../custom-classification/media/get-endpoint-azure.png":::

+3. Download and install the client library package for your language of choice:

+

+ |Language |Package version |

+ |||

+ |.NET | [5.2.0-beta.2](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.2.0-beta.2) |

+ |Python | [5.2.0b2](https://pypi.org/project/azure-ai-textanalytics/5.2.0b2/) |

+

+4. After you've installed the client library, use the following samples on GitHub to start calling the API.

+

+ * [C#](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/cognitivelanguage/Azure.AI.Language.Conversations/samples)

+ * [Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/cognitivelanguage/azure-ai-language-conversations/samples)

+

+5. See the following reference documentation for more information:

+

+ * [C#](/dotnet/api/azure.ai.language.conversations?view=azure-dotnet-preview&preserve-view=true)

+ * [Python](/python/api/azure-ai-language-conversations/azure.ai.language.conversations?view=azure-python-preview&preserve-view=true)

+

+## API response for an orchestration workflow project

+Orchestration workflow projects return with the response of the top scoring intent, and the response of the service it is connected to.

+- Within the intent, the *targetKind* parameter lets you determine the type of response that was returned by the orchestrator's top intent (conversation, LUIS, or QnA Maker).

+- You will get the response of the connected service in the *result* parameter.

+Within the request, you can specify additional parameters for each connected service, in the event that the orchestrator routes to that service.

+- Within the project parameters, you can optionally specify a different query to the connected service. If you don't specify a different query, the original query will be used.

+- The *direct target* parameter allows you to bypass the orchestrator's routing decision and directly target a specific connected intent to force a response for it.

+## Next steps

+* [Orchestration project overview](../overview.md)

+ Title: How to tag utterances in an orchestration workflow project

+description: Use this article to tag utterances

+# How to tag utterances in orchestration workflow projects

+Once you have [built a schema](create-project.md) for your project, you should add training utterances to your project. The utterances should be similar to what your users will use when interacting with the project. When you add an utterance you have to assign which intent it belongs to. You can only add utterances to the created intents within the project and not the connected intents.

+## Filter Utterances

+Clicking on **Filter** lets you view only the utterances associated to the intents you select in the filter pane.

+When clicking on an intent in the [build schema](./create-project.md) page then you'll be moved to the **Tag Utterances** page, with that intent filtered automatically.

+## Next Steps

+* [Train and Evaluate Model](./train-model.md)

+ Title: How to train and evaluate models in orchestration workflow projects

+description: Use this article to train an orchestration model and view its evaluation details to make improvements.

+# Train and evaluate orchestration workflow models

+After you have completed [tagging your utterances](./tag-utterances.md), you can train your model. Training is the act of converting the current state of your project's training data to build a model that can be used for predictions. Every time you train, you have to name your training instance.

+You can create and train multiple models within the same project. However, if you re-train a specific model it overwrites the last state.

+The training times can be anywhere from a few seconds, up to a couple of hours when you reach high numbers of utterances.

+## Train model

+Select **Train model** on the left of the screen. Select **Start a training job** from the top menu.

+Enter a new model name or select an existing model from the **Model Name** dropdown.

+Click the **Train** button and wait for training to complete. You will see the training status of your model in the view model details page. Only successfully completed jobs will generate models.

+## Evaluate model

+After model training is completed, you can view your model details and see how well it performs against the test set in the training step. Observing how well your model performed is called evaluation. The test set is composed of 20% of your utterances, and this split is done at random before training. The test set consists of data that was not introduced to the model during the training process. For the evaluation process to complete there must be at least 10 utterances in your training set.

+In the **view model details** page, you'll be able to see all your models, with their current training status, and the date they were last trained.

+* Click on the model name for more details. A model name is only clickable if you've enabled evaluation before hand.

+* In the **Overview** section you can find the macro precision, recall and F1 score for the collective intents.

+* Under the **Intents** tab you can find the micro precision, recall and F1 score for each intent separately.

+> [!NOTE]

+> If you don't see any of the intents you have in your model displayed here, it is because they weren't in any of the utterances that were used for the test set.

+You can view the [confusion matrix](../concepts/evaluation-metrics.md) for intents by clicking on the **Test set confusion matrix** tab at the top fo the screen.

+## Next steps

+* [Model evaluation metrics](../concepts/evaluation-metrics.md)

+* [Deploy and query the model](./deploy-query-model.md)

+ Title: Orchestration workflows - Azure Cognitive Services

+description: Learn how to use Orchestration workflows.

+# What are orchestration workflows?

+Orchestration workflow is a cloud-based service that enables you to train language models to connect your applications in:

+* Custom Language Understanding

+* Question Answering

+* LUIS

+* QnA maker

+The API is a part of [Azure Cognitive Services](../../index.yml), a collection of machine learning and AI algorithms in the cloud for your development projects. You can use these features with the REST API, or the client libraries.

+## Features

+* Advanced natural language understanding technology using advanced neural networks.

+* Orchestration project types that allow you to connect services including other Conversational Language Understanding projects, custom question answering knowledge bases, and LUIS applications.

+## Reference documentation and code samples

+As you use text summarization in your applications, see the following reference documentation and samples for Azure Cognitive Services for Language:

+|Development option / language |Reference documentation |Samples |

+||||

+|REST API | [REST API documentation](https://westus2.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-2-Preview-2/operations/Analyze) | |

+|C# | [C# documentation](/dotnet/api/azure.ai.textanalytics?view=azure-dotnet-preview&preserve-view=true) | [C# samples](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/textanalytics/Azure.AI.TextAnalytics/samples) |

+| Java | [Java documentation](/java/api/overview/azure/ai-textanalytics-readme?view=azure-java-preview&preserve-view=true) | [Java Samples](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/textanalytics/azure-ai-textanalytics/src/samples) |

+|JavaScript | [JavaScript documentation](/javascript/api/overview/azure/ai-text-analytics-readme?view=azure-node-preview&preserve-view=true) | [JavaScript samples](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/textanalytics/ai-text-analytics/samples/v5) |

+|Python | [Python documentation](/python/api/overview/azure/ai-textanalytics-readme?view=azure-python-preview&preserve-view=true) | [Python samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/textanalytics/azure-ai-textanalytics/samples) |

+## Responsible AI

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which itΓÇÖs deployed. Read the following articles for more information:

+ Title: Quickstart - create an orchestration workflow project

+description: Use this article to quickly get started with orchestration workflows

+zone_pivot_groups: usage-custom-language-features

+# Quickstart: Orchestration workflow (preview)

+Use this article to get started with Orchestration workflow projects using Language Studio and the REST API. Follow these steps to try out an example.

+## Next steps

+* [Learn about orchestration workflows](overview.md)

+- Norway

+- Switzerland

+- United Arab Emirates

+- Get started with a [Closed Captions Quickstart](../../quickstarts/voice-video-calling/get-started-with-closed-captions.md?pivots=platform-iosBD)

+- Register a Client and Server (Web API) applications in Azure Active Directory as part of [On Behalf Of workflow](../../active-directory/develop/v2-oauth2-on-behalf-of-flow.md). Follow instructions on [registrations set up guideline](https://github.com/Azure-Samples/communication-services-authentication-hero-csharp/blob/main/docs/deployment-guides/set-up-app-registrations.md)

+## Trigger recurrence shift and drift (daylight saving time)

+Recurring connection-based triggers where you need to create a connection first, such as the managed SQL Server trigger, differ from built-in triggers that run natively in Azure Logic Apps, such as the [Recurrence trigger](../connectors/connectors-native-recurrence.md). In recurring connection-based triggers, the recurrence schedule isn't the only driver that controls execution, and the time zone only determines the initial start time. Subsequent runs depend on the recurrence schedule, the last trigger execution, *and* other factors that might cause run times to drift or produce unexpected behavior. For example, unexpected behavior can include failure to maintain the specified schedule when daylight saving time (DST) starts and ends.

+To make sure that the recurrence time doesn't shift when DST takes effect, manually adjust the recurrence. That way, your workflow continues to run at the expected or specified start time. Otherwise, the start time shifts one hour forward when DST starts and one hour backward when DST ends. For more information, see [Recurrence for connection-based triggers](../connectors/apis-list.md#recurrence-for-connection-based-triggers).

+## Trigger recurrence shift and drift (daylight saving time)

+To schedule jobs, Azure Logic Apps puts the message for processing into the queue and specifies when that message becomes available, based on the UTC time when the last job ran and the UTC time when the next job is scheduled to run. If you specify a start time with your recurrence, *make sure that you select a time zone* so that your logic app workflow runs at the specified start time. That way, the UTC time for your logic app also shifts to counter the seasonal time change. Recurring triggers honor the schedule that you set, including any time zone that you specify.

+Otherwise, if you don't select a time zone, daylight saving time (DST) events might affect when triggers run. For example, the start time shifts one hour forward when DST starts and one hour backward when DST ends. However, some time windows might cause problems when the time shifts. For more information and examples, see [Recurrence for daylight saving time and standard time](../logic-apps/concepts-schedule-automated-recurring-tasks-workflows.md#daylight-saving-standard-time).

+## Trigger recurrence shift and drift (daylight saving time)

+Recurring connection-based triggers where you need to create a connection first, such as the managed SFTP-SSH trigger, differ from built-in triggers that run natively in Azure Logic Apps, such as the [Recurrence trigger](../connectors/connectors-native-recurrence.md). In recurring connection-based triggers, the recurrence schedule isn't the only driver that controls execution, and the time zone only determines the initial start time. Subsequent runs depend on the recurrence schedule, the last trigger execution, *and* other factors that might cause run times to drift or produce unexpected behavior. For example, unexpected behavior can include failure to maintain the specified schedule when daylight saving time (DST) starts and ends.

+To make sure that the recurrence time doesn't shift when DST takes effect, manually adjust the recurrence. That way, your workflow continues to run at the expected time or specified start time. Otherwise, the start time shifts one hour forward when DST starts and one hour backward when DST ends. For more information, see [Recurrence for connection-based triggers](../connectors/apis-list.md#recurrence-for-connection-based-triggers).

+* Continuous mode restore may not restore throughput setting valid as of restore point.

+Do not verify a Database and/or Container exists by calling `Create...IfNotExistsAsync` and/or `Read...Async` in the hot path and/or before doing an item operation. The validation should only be done on application startup when it is necessary, if you expect them to be deleted (otherwise it's not needed). These metadata operations will generate extra end-to-end latency, have no SLA, and their own separate [limitations](/azure/cosmos-db/sql/troubleshoot-request-rate-too-large#rate-limiting-on-metadata-requests) that do not scale like data operations.

+To learn more about designing your application for scale and high performance, see [Partitioning and scaling in Azure Cosmos DB](../partitioning-overview.md).

+Do not verify a Database and/or Collection exists by calling `Create...IfNotExistsAsync` and/or `Read...Async` in the hot path and/or before doing an item operation. The validation should only be done on application startup when it is necessary, if you expect them to be deleted (otherwise it's not needed). These metadata operations will generate extra end-to-end latency, have no SLA, and their own separate [limitations](/azure/cosmos-db/sql/troubleshoot-request-rate-too-large#rate-limiting-on-metadata-requests) that do not scale like data operations.

+If you need to verify that a database or container exists, don't do so by calling `Create...IfNotExistsAsync` or `Read...Async` before doing an item operation. The validation should only be done on application startup when it's necessary, if you expect them to be deleted. These metadata operations generate extra latency, have no service-level agreement (SLA), and have their own separate [limitations](/azure/cosmos-db/sql/troubleshoot-request-rate-too-large#rate-limiting-on-metadata-requests). They don't scale like data operations.

+* Learn about performance guidelines for [.NET v3](performance-tips-dotnet-sdk-v3-sql.md) and [.NET v2](performance-tips.md).

+> We recommend validating the minimum recommended version of the Java V4 SDK and ensure you are using this version or higher. You can check recommended version [here](./sql-api-sdk-java-v4.md#recommended-version).

+[Azure SNAT (PAT) port exhaustion]: #snat

+## Create the transfer request

+The following procedure has you navigate to **Transfer requests** by selecting a **Billing scope** &gt; **Billing account** &gt; **Billing profile** &gt; **Invoice sections** to **Add a new request**. If you navigate to **Add a new request** from selecting a billing profile, you'll have to select a billing profile and then select an invoice section.

+ :::image type="content" source="./media/mca-request-billing-ownership/billing-search-cost-management-billing.png" alt-text="Screenshot that shows Azure portal search for Cost Management + Billing." lightbox="./media/mca-request-billing-ownership/billing-search-cost-management-billing.png" :::

+ :::image type="content" source="./media/mca-request-billing-ownership/billing-scopes.png" alt-text="Screenshot that shows search in portal for Cost Management + Billing." lightbox="./media/mca-request-billing-ownership/billing-scopes.png" :::

+ The Azure portal remembers the last billing scope that you access and displays the scope the next time you come to Cost Management + Billing page. You won't see the billing scopes page if you have visited Cost Management + Billing earlier. If so, check that you are in the [right scope](#check-for-access). If not, [switch the scope](view-all-accounts.md#switch-billing-scope-in-the-azure-portal) to select the billing account for a Microsoft Customer Agreement.

+1. Select **Billing profiles** from the left-hand side and then select a **Billing profile** from the list. Once you take over the ownership of the subscriptions, their usage will be billed to this billing profile.

+ :::image type="content" source="./media/mca-request-billing-ownership/billing-profile.png" alt-text="Screenshot that shows selecting billing profiles." lightbox="./media/mca-request-billing-ownership/billing-profile.png" :::

+ >[!NOTE]

+1. Select **Invoice sections** from the left-hand side and then select an invoice section from the list. Each billing profile contains on invoice section by default. Select the invoice where you want to move your Azure subscription billing - that's where the Azure subscription consumption is transferred to.

+ :::image type="content" source="./media/mca-request-billing-ownership/invoice-section.png" alt-text="Screenshot that shows selecting invoice sections." lightbox="./media/mca-request-billing-ownership/invoice-section.png" :::

+1. Select **Transfer requests** from the lower-left side and then select **Add a new request**. Enter the email address of the user you're requesting billing ownership from. The user must have an account administrator role for the old subscriptions.

+ :::image type="content" source="./media/mca-request-billing-ownership/transfer-request-add-email.png" alt-text="Screenshot that shows selecting transfer requests." lightbox="./media/mca-request-billing-ownership/transfer-request-add-email.png" :::

+1. Select **Send transfer request**.

+1. The user gets an email with instructions to review your transfer request. Select **Review the request** to open it in the Azure portal.

+ :::image type="content" source="./media/mca-request-billing-ownership/mca-review-transfer-request-email.png" alt-text="Screenshot that shows review transfer request email." lightbox="./media/mca-request-billing-ownership/mca-review-transfer-request-email.png" :::

+1. In the Azure portal, the user selects the billing account that they want to transfer Azure products from. Then they select eligible subscriptions on the **Subscriptions** tab.

+ :::image type="content" source="./media/mca-request-billing-ownership/review-transfer-request-subscriptions-select.png" alt-text="Screenshot showing the Subscriptions tab." lightbox="./media/mca-request-billing-ownership/review-transfer-request-subscriptions-select.png" :::

+ > Disabled subscriptions can't be transferred.

+1. If there are reservations available to transfer, select the **Reservations** tab. Then select them.

+ :::image type="content" source="./media/mca-request-billing-ownership/review-transfer-request-reservations-select.png" alt-text="Screenshot showing the Reservations tab." lightbox="./media/mca-request-billing-ownership/review-transfer-request-reservations-select.png" :::

+1. Select the **Review request** tab and verify the information about the subscriptions and reservations to transfer. If there is Warnings or Failed status messages, see the following information. When you're ready to continue, select **Transfer**.

+ :::image type="content" source="./media/mca-request-billing-ownership/review-transfer-request-complete.png" alt-text="Screenshot showing the Review request tab where you review your transfer selections." lightbox="./media/mca-request-billing-ownership/review-transfer-request-complete.png" :::

+1. You'll briefly see a `Transfer is in progress` message. When the transfer is completed successfully, you'll see the Transfer details page with the `Transfer completed successfully` message.

+ :::image type="content" source="./media/mca-request-billing-ownership/transfer-completed-successfully.png" alt-text="Screenshot showing the Transfer completed successfully page." lightbox="./media/mca-request-billing-ownership/transfer-completed-successfully.png" :::

+On the Review request tab, the following status messages might be displayed.

+* **Ready to transfer** - Validation for this Azure product has passed and can be transferred.

+* **Warnings** - There's a warning for the selected Azure product. While the product can still be transferred, doing so will have some consequence that the user should be aware of in case they want to take mitigating actions. For example, the Azure subscription being transferred is benefitting from an RI. After transfer, the subscription will no longer receive that benefit. To maximize savings, ensure that the RI is associated to another subscription that can use its benefits. Instead, the user can also choose to go back to the selection page and unselect this Azure subscription. Select **Check details** for more information.

+* **Failed** - The selected Azure product can't be transferred because of an error. User will need to go back to the selection page and unselect this product to transfer the other selected Azure products.

+As the user that requested the transfer:

+1. Search for **Cost Management + Billing**.

+1. In the billing scopes page, select the billing account where the transfer request was started and then in the left menu, select **Transfer requests**.

+1. Select the billing profile and invoice section where the transfer request was started and review the status.

+ :::image type="content" source="./media/mca-request-billing-ownership/transfer-requests-status-completed.png" alt-text="Screenshot that shows the list of transfers with their status. " lightbox="./media/mca-request-billing-ownership/transfer-requests-status-completed.png" :::

+The Transfer requests page displays the following information:

+|Column|Definition|

+|||

+|Request date|The date when the transfer request was sent|

+|Recipient|The email address of the user that you sent the request to transfer billing ownership|

+|Expiration date|The date when the request expires|

+|Status|The status of transfer request|

+The transfer request can have one of the following statuses:

+|Status|Definition|

+|||

+|In progress|The user hasn't accepted the transfer request.|

+|Processing|The user approved the transfer request. Billing for subscriptions that the user selected is getting transferred to your invoice section.|

+|Completed| The billing for subscriptions that the user selected is transferred to your invoice section.|

+|Finished with errors|The request completed but billing for some subscriptions that the user selected couldn't be transferred.|

+|Expired|The user didn't accept the request on time and it expired.|

+|Canceled|Someone with access to the transfer request canceled the request.|

+|Declined|The user declined the transfer request.|

+As the user that approved the transfer:

+ :::image type="content" source="./media/mca-request-billing-ownership/transfer-status-success-approver-view.png" alt-text="Screenshot that shows the Transfer status page with example status." lightbox="./media/mca-request-billing-ownership/transfer-status-success-approver-view.png" :::

+|Column |Definition|

+|||

+|Transfer ID|The unique ID for your transfer request. If you submit a support request, share the ID with Azure support to speed up your support request. |

+|Transfer requested date|The date when the transfer request was sent. |

+|Transfer requested by|The email address of the user who sent the transfer request. |

+|Transfer request expires date| Only appears while the transfer status is `Pending`. The date when the transfer request expires. |

+|Transfer link sent to recipient| Only appears while the transfer status is `Pending`. The URL that was sent to the user to review the transfer request. |

+|Transfer completed date|Only appears when the transfer status is `Completed`. The date and time that the transfer was completed. |

+- [Action pack](https://azure.microsoft.com/offers/ms-azr-0025p/)¹

+- [Azure in Open Licensing](https://azure.microsoft.com/offers/ms-azr-0111p/)¹

+- [Azure Pass Sponsorship](https://azure.microsoft.com/offers/azure-pass/)¹

+- [Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/)¹

+- [Microsoft Azure Plan](https://azure.microsoft.com/offers/ms-azr-0017g/)²

+- [Microsoft Azure Sponsored Offer](https://azure.microsoft.com/offers/ms-azr-0036p/)¹

+- [Microsoft Partner Network](https://azure.microsoft.com/offers/ms-azr-0025p/)¹

+- [MSDN Platforms](https://azure.microsoft.com/offers/ms-azr-0062p/)¹

+- [Visual Studio Enterprise (BizSpark) subscribers](https://azure.microsoft.com/offers/ms-azr-0064p/)¹

+- [Visual Studio Enterprise (MPN) subscribers](https://azure.microsoft.com/offers/ms-azr-0029p/)¹

+- [Visual Studio Enterprise subscribers](https://azure.microsoft.com/offers/ms-azr-0063p/)¹

+- [Visual Studio Professional](https://azure.microsoft.com/offers/ms-azr-0059p/)¹

+- [Visual Studio Test Professional subscribers](https://azure.microsoft.com/offers/ms-azr-0060p/)¹

+¹ Any credit available on the subscription won't be available in the new account after the transfer.

+² Only supported for subscriptions in accounts that are created during sign-up on the Azure website.

+| EA | MCA - individual | <ul><li>For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

+| EA | EA | <ul><li>Transferring between EA enrollments requires a [billing support ticket](https://azure.microsoft.com/support/create-ticket/). <li> Self-service reservation transfers are supported. <li> Transfer within the same enrollment is the same action as changing the account owner. For details, see [Change EA subscription or account ownership](ea-portal-administration.md#change-azure-subscription-or-account-ownership). |

+| EA | MCA - Enterprise | <ul><li> Transferring all enrollment products is completed as part of the MCA transition process from an EA. For more information, see [Complete Enterprise Agreement tasks in your billing account for a Microsoft Customer Agreement](mca-enterprise-operations.md). <li> If you want to transfer specific products, not all of the products in an enrollment, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

+| MCA - Enterprise | MCA - individual | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

+| MCA - Enterprise | MCA - Enterprise | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

+| MCA - Enterprise | MPA | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

+| MPA | MPA | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

+When you send or accept a transfer, you agree to terms and conditions. The following information provides more details.

+When you send a transfer request, must select the **Send transfer request** option. By making the selection, you also agree to the following terms and conditions:

+`By sending this transfer request, you acknowledge and agree that the selected items will transfer to your account as of the Transition Date (date when the transfer completed successfully). You will be responsible to Microsoft for all ongoing, scheduled billings related to the transfer items as of the Transition Date; provided that Microsoft will move any prepaid subscriptions (including reserved instances) to your account. You agree that you may not cancel any prepaid subscriptions transferred to your account.`

+When you accept a transfer, must select the **Review + validate** option. By making the selection, you also agree to the following terms and conditions:

+`By accepting this transfer request, you acknowledge and agree that the indicated items will transfer to the nominated destination account as of the Transition Date (date when the transfer completed successfully). Any prepaid subscriptions, if selected, (including reserved instances) will be moved to the destination account and, as of the Transition Date, you will no longer be responsible to Microsoft for ongoing payment obligations (if any) related to the transfer items.`

+ "httpRequestTimeout": "00:01:00"

+url | Target endpoint and path | String (or expression with resultType of string). The activity will timeout at 1 minute with an error if it does not receive a response from the endpoint. You can increase this response timeout up to 10 mins by updating the httpRequestTimeout property | Yes

+httpRequestTimeout | Response timeout duration | hh:mm:ss with the max value as 00:10:00. If not explicitly specified defaults to 00:01:00 | No

+> REST endpoints that the web activity invokes must return a response of type JSON. The activity will timeout at 1 minute with an error if it does not receive a response from the endpoint. You can extend this timeout period to a higher value up to 10 minute by updating the 'httpRequestTimeout' Property in the activity settings.

+| rowDelimiter | For Copy activity, the single character or "\r\n" used to separate rows in a file. The default value is any of the following values **on read: ["\r\n", "\r", "\n"]**; **on write: "\r\n"**. "\r\n" is only supported in copy command.<br>For Mapping data flow, the single or two characters used to separate rows in a file. The default value is any of the following values **on read: ["\r\n", "\r", "\n"]**; **on write: "\n"**.<br>When the row delimiter is set to no delimiter (empty string), the column delimiter must be set as no delimiter (empty string) as well, which means to treat the entire content as a single value.<br>Currently, row delimiter as empty string is only supported for mapping data flow but not Copy activity. | No |

+ >[!Note]

+ > Run the script again every time you restart the VMs behind the load balancer.

+* Inspect the as-received equipment for damages. If the equipment enclosure is damaged, [contact Microsoft Support](./index.yml) to obtain a replacement. DonΓÇÖt attempt to operate the device.

+* If you suspect the device is malfunctioning, [contact Microsoft Support](./index.yml) to obtain a replacement. DonΓÇÖt attempt to service the equipment.

+* Parts enclosed within panels containing this symbol  contain no user-serviceable parts. Hazardous voltage, current, and energy levels are present inside. DonΓÇÖt open. Return to manufacturer for servicing. </br>Open a ticket with [Microsoft Support](./index.yml).

+ 

+> Learn how to [integrate Microsoft Sentinel and Microsoft Defender for IoT](../../sentinel/iot-solution.md?bc=%2fazure%2fdefender-for-iot%2fbreadcrumb%2ftoc.json&tabs=use-out-of-the-box-analytics-rules-recommended&toc=%2fazure%2fdefender-for-iot%2forganizations%2ftoc.json)

+[Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) defines DevTest Labs access and roles. DevTest Labs has three roles that define lab member permissions: Owner, Contributor, and DevTest Labs User.

+- For more information about how to set up, use, and manage virtual networks, see the [Azure virtual network documentation](../virtual-network/index.yml).

+- You can deploy [Azure Bastion](https://azure.microsoft.com/services/azure-bastion) in a new or existing virtual network to enable browser connection to your lab VMs. For more information, see [Enable browser connection to DevTest Labs VMs with Azure Bastion](enable-browser-connection-lab-virtual-machines.md).

+- At least [Contributor](../role-based-access-control/built-in-roles.md#contributor) access to an Azure subscription. If you don't have an Azure account, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+> [Create and add virtual machines to a lab in Azure DevTest Labs](devtest-lab-add-vm.md)

+- When migrating to SQL Server on Azure Virtual Machines, SQL Server 2014 and below as target versions are not supported currently.

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+### Event Grid schema

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+ Title: Transition from Event Grid on Azure IoT Edge to Azure IoT Edge

+description: This article explains transition from Event Grid on Azure IoT Edge to Azure IoT Edge MQTT Broker or IoT Hub message routing.

+# Transition from Event Grid on Azure IoT Edge to Azure IoT Edge native capabilities

+On March 31, 2023, Event Grid on Azure IoT Edge will be retired, so make sure to transition to IoT Edge native capabilities prior to that date.

+## Why are we retiring?

+There are multiple reasons for deciding to retire Event Grid on IoT Edge, which is currently in Preview, in March 2023.

+- Event Grid has been evolving in the cloud native space to provide more robust capabilities not only in Azure but also in on-prem scenarios with [Kubernetes with Azure Arc](../kubernetes/overview.md).

+- We've seen an increase of adoption of MQTT brokers in the IoT space, this adoption has been the motivation to allow IoT Edge team to build a new native MQTT broker that provides a better integration for pub/sub messaging scenarios. With the new MQTT broker provided natively on IoT Edge, you'll be able to connect to this broker, publish, and subscribe to messages over user-defined topics, and use IoT Hub messaging primitives. The IoT Edge MQTT broker is built in the IoT Edge hub.

+Here's the list of the features that will be removed with the retirement of Event Grid on Azure IoT Edge and a list of the new IoT Edge native capabilities.

+| Event Grid on Azure IoT Edge | MQTT broker on Azure IoT Edge |

+| - | -- |

+| - Publishing and subscribing to events locally/cloud<br/>- Forwarding events to Event Grid<br/>- Forwarding events to IoT Hub<br/>- React to Blob Storage events locally | - Connectivity to IoT Edge hub<br/>- Publish and subscribe on user-defined topics<br/>- Publish and subscribe on IoT Hub topics<br/>- Publish and subscribe between MQTT brokers |

+## How to transition to Azure IoT Edge features

+To transition to use the Azure IoT Edge features, follow these steps.

+1. Learn about the feature differences between [Event Grid on Azure IoT Edge](overview.md#when-to-use-event-grid-on-iot-edge) and [Azure IoT Edge](../../iot-edge/how-to-publish-subscribe.md).

+2. Identify your scenario based on the feature table in the next section.

+3. Follow the documentation to change your architecture and make code changes based on the scenario you want to transition.

+4. Validate your updated architecture by sending and receiving messages/events.

+## Event Grid on Azure IoT Edge vs. Azure IoT Edge

+The following table highlights the key differences during this transition.

+| Event Grid on Azure IoT Edge | Azure IoT Edge |

+| | -- |

+| Publish, subscribe and forward events locally or cloud | You can use Azure IoT Edge MQTT broker to publish and subscribe messages. To learn how to connect to this broker, publish and subscribe to messages over user-defined topics, and use IoT Hub messaging primitives, see [publish and subscribe with Azure IoT Edge](../../iot-edge/how-to-publish-subscribe.md). The IoT Edge MQTT broker is built in the IoT Edge hub. For more information, see [the brokering capabilities of the IoT Edge hub](../../iot-edge/iot-edge-runtime.md). </br> </br> If you're subscribing to IoT Hub, itΓÇÖs possible to create an event to publish to Event Grid if you need. For details, see [Azure IoT Hub and Event Grid](../../iot-hub/iot-hub-event-grid.md). |

+| Forward events to IoT Hub | You can use IoT Hub message routing to send device-cloud messages to different endpoints. For details, see [Understand Azure IoT Hub message routing](../../iot-hub/iot-hub-devguide-messages-d2c.md). |

+| React to Blob Storage events on IoT Edge (Preview) | You can use Azure Function Apps to react to blob storage events on cloud when a blob is created or updated. For more information, see [Azure Blob storage trigger for Azure Functions](../../azure-functions/functions-bindings-storage-blob-trigger.md) and [Tutorial: Deploy Azure Functions as modules - Azure IoT Edge](../../iot-edge/tutorial-deploy-function.md). Blob triggers in IoT Edge blob storage module aren't supported. |

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> [!IMPORTANT]

+> On March 31, 2023, Event Grid on Azure IoT Edge support will be retired, so make sure to transition to IoT Edge native capabilities prior to that date. For more information, see [Transition from Event Grid on Azure IoT Edge to Azure IoT Edge ](transition.md).

+> For more information, see [Azure Event Grid event schema properties](./event-schema.md#event-properties).

+(FHIR&#174;) is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+|IDPS Bypass list|If you enable IDPS (either ΓÇÿAlertΓÇÖ or ΓÇÿAlert and DenyΓÇÖ mode) and actively delete one or more existing rules in IDPS Bypass list, you may be subject to packet loss which is correlated to the deleted rules source/destination IP addresses. |A fix is being investigated.<br><br>You may respond to this issue by taking one of the following actions:<br><br>- Do a start/stop procedure as explained [here](firewall-faq.yml#how-can-i-stop-and-start-azure-firewall).<br>- Open a support ticket and we will re-image your affected firewall virtual machines.|

+(see [examples](../../../virtual-machines/extensions/dsc-template.md)),

+[extension for the guest configuration feature](../../../virtual-machines/extensions/guest-configuration.md).

+ [compliance details for guest configuration](./determine-non-compliance.md#compliance-details-for-guest-configuration) assignments.

+provide the following abilities:

+- Query resources with complex filtering, grouping, and sorting by resource properties.

+- Explore resources iteratively based on governance requirements.

+- Assess the impact of applying policies in a vast cloud environment.

+- [Query changes made to resource properties](./how-to/get-resource-changes.md)

+> Azure Resource Graph powers Azure portal's search bar, the new browse **All resources** experience,

+Resource Manager currently supports queries over basic resource fields, specifically:

+- Resource name

+- ID

+- Type

+- Resource Group

+- Subscription

+- Location

+Resource Manager also provides

+> Resource Graph uses a `GET` to the latest non-preview application programming interface (API) of each resource provider to gather

+> In the **preview** REST API version `2020-04-01-preview`, the subscription list may be omitted.

+large-scale and frequent queries, use portal **Feedback** from the

+Provide your business case and select the **Microsoft can email you about your feedback** checkbox in

+Starting from March 01, 2022, HDInsight will only support manual scale for HBase, there's no impact on running clusters. New HBase clusters won't be able to enable schedule based Autoscaling. For more information on how to  manually scale your HBase cluster, refer our documentation on [Manually scaling Azure HDInsight clusters](./hdinsight-scaling-best-practices.md)

+Customers who are on Azure HDInsight 3.6 clusters will continue to get [Basic support](./hdinsight-component-versioning.md#support-options-for-hdinsight-versions) until September 30, 2022. After September 30, 2022 customers won't be able to create new HDInsight 3.6 clusters.

+If you want to submit topology that contains Java spouts or bolts, first compile them to produce JAR files. Then specify the Java classpath that contains the JAR files when you submit topology. Here's an example:

+The **FHIR to Synapse Sync Agent** is a Microsoft OSS project released under MIT License. It's an Azure function that extracts data from a FHIR server using FHIR Resource APIs, converts it to hierarchical Parquet files, and writes it to Azure Data Lake in near real time. This also contains a script to create external tables and views in [Synapse Serverless SQL pool](https://docs.microsoft.com/azure/synapse-analytics/sql/on-demand-workspace-overview) pointing to the Parquet files.

+The **FHIR to CDM pipeline generator** is a Microsoft OSS project released under MIT License. It's a tool to generate an ADF pipeline for copying a snapshot of data from a FHIR server using $export API, transforming it to csv format, and writing to a [CDM folder](/common-data-model/data-lake) in Azure Data Lake Storage Gen 2. The tool requires a user-created configuration file containing instructions to project and flatten FHIR Resources and fields into tables. You can also follow the instructions for creating a downstream pipeline in Synapse workspace to move data from CDM folder to Synapse dedicated SQL pool.

+>[Exporting de-identified data](de-identified-export.md)

+>[Assign roles for the DICOM service](../configure-azure-rbac.md#assign-roles-for-the-dicom-service)

+>[Using DICOMweb&trade;Standard APIs with DICOM services](dicomweb-standard-apis-with-dicom-services.md)

+* [Connect to a FHIR service from Power Query Desktop](/power-query/connectors/fhir/fhir): After provisioning DICOM service, FHIR service and synchronizing imaging study for a given patient via DICOM cast, you can use the POWER Query connector for FHIR to import and shape data from the FHIR server including imaging study resource.

+ > - [What are managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md)

+ > - [What is Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md)

+(FHIR&#174;) is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+ Title: Copy data from FHIR service in Azure Health Data Services to Azure Synapse Analytics

+In this article, youΓÇÖll learn three ways to copy data from the FHIR service in Azure Health Data Services to [Azure Synapse Analytics](https://azure.microsoft.com/services/synapse-analytics/), which is a limitless analytics service that brings together data integration, enterprise data warehousing, and big data analytics.

+* Use the [FHIR to Synapse Sync Agent](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToDataLake/docs/Deployment.md) OSS tool

+* Use the [FHIR to CDM pipeline generator](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToCdm/docs/fhir-to-cdm.md) OSS tool

+* Use $export and load data to Synapse using T-SQL

+## Using the FHIR to Synapse Sync Agent OSS tool

+> [!Note]

+> [FHIR to Synapse Sync Agent](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToDataLake/docs/Deployment.md) is an open source tool released under MIT license, and is not covered by the Microsoft SLA for Azure services.

+The **FHIR to Synapse Sync Agent** is a Microsoft OSS project released under MIT License. It's an Azure function that extracts data from a FHIR server using FHIR Resource APIs, converts it to hierarchical Parquet files, and writes it to Azure Data Lake in near real time. This also contains a script to create external tables and views in [Synapse Serverless SQL pool](https://docs.microsoft.com/azure/synapse-analytics/sql/on-demand-workspace-overview) pointing to the Parquet files.

+This solution enables you to query against the entire FHIR data with tools such as Synapse Studio, SSMS, and Power BI. You can also access the Parquet files directly from a Synapse Spark pool. You should consider this solution if you want to access all of your FHIR data in near real time, and want to defer custom transformation to downstream systems.

+Follow the OSS [documentation](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToDataLake/docs/Deployment.md) for installation and usage instructions.

+## Using the FHIR to CDM pipeline generator OSS tool

+> [!Note]

+> [FHIR to CDM pipeline generator](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToCdm/docs/fhir-to-cdm.md) is an open source tool released under MIT license, and is not covered by the Microsoft SLA for Azure services.

+The **FHIR to CDM pipeline generator** is a Microsoft OSS project released under MIT License. It's a tool to generate an ADF pipeline for copying a snapshot of data from a FHIR server using $export API, transforming it to csv format, and writing to a [CDM folder](https://docs.microsoft.com/common-data-model/data-lake) in Azure Data Lake Storage Gen 2. The tool requires a user-created configuration file containing instructions to project and flatten FHIR Resources and fields into tables. You can also follow the instructions for creating a downstream pipeline in Synapse workspace to move data from CDM folder to Synapse dedicated SQL pool.

+This solution enables you to transform the data into tabular format as it gets written to CDM folder. You should consider this solution if you want to transform FHIR data into a custom schema after it's extracted from the FHIR server.

+Follow the OSS [documentation](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToCdm/docs/fhir-to-cdm.md) for installation and usage instructions.

+## Loading exported data to Synapse using T-SQL

+In this approach, you use the FHIR `$export` operation to copy FHIR resources into a **Azure Data Lake Gen 2 (ADL Gen 2) blob storage** in `NDJSON` format. Subsequently, you load the data from the storage into **serverless or dedicated SQL pools** in Synapse using T-SQL. You can convert these steps into a robust data movement pipeline using [Synapse pipelines](../../synapse-analytics/get-started-pipelines.md).

+### Using `$export` to copy data

+#### Configuring `$export` in the FHIR server

+The FHIR server in Azure Health Data Services implements the `$export` operation defined by the FHIR specification to export all or a filtered subset of FHIR data in `NDJSON` format. In addition, it supports [de-identified export](./de-identified-export.md) to anonymize FHIR data during the export.

+To export FHIR data to Azure blob storage, you first need to configure your FHIR server to export data to the storage account. You'll need to (1) enable Managed Identity, (2) go to Access Control in the storage account and add role assignment, (3) select your storage account for `$export`. More step by step can be found [here](./configure-export-data.md).

+You can also use `_type` parameter in the `$export` call above to restrict the resources that you want to export. For example, the following call will export only `Patient`, `MedicationRequest`, and `Observation` resources:

+### Using Synapse for Analytics

+#### Creating a Synapse workspace

+Before using Synapse, you'll need a Synapse workspace. You'll create an Azure Synapse Analytics service on Azure portal. More step-by-step guide can be found [here](../../synapse-analytics/get-started-create-workspace.md). You need an `ADLSGEN2` account to create a workspace. Your Azure Synapse workspace will use this storage account to store your Synapse workspace data.

+After creating a workspace, you can view your workspace in Synapse Studio by signing into your workspace on [https://web.azuresynapse.net](https://web.azuresynapse.net), or launching Synapse Studio in the Azure portal.

+To copy your data to Synapse, you need to create a linked service that connects your Azure Storage account, where you've exported your data, with Synapse. More step-by-step instructions can be found [here](../../synapse-analytics/data-integration/data-integration-sql-pool.md#create-linked-services).

+1. In Synapse Studio, browse to the **Manage** tab and under **External connections**, select **Linked services**.

+Now that you have a linked service between your ADL Gen 2 storage and Synapse, you're ready to use Synapse SQL pools to load and analyze your FHIR data.

+#### Decide between serverless and dedicated SQL pool

+Since it's serverless, there's no infrastructure to setup or clusters to maintain. You can start querying data from Synapse Studio as soon as the workspace is created.

+The simplest and fastest way to load data from your storage to a dedicated SQL pool is to use the **`COPY`** command in T-SQL, which can read CSV, Parquet, and ORC files. As in the example query below, use the `COPY` command to load the `NDJSON` rows into a tabular structure.

+Once you have the JSON rows in the `StagingPatient` table above, you can create different tabular formats of the data using the `OPENJSON` function and storing the results into tables. Here's a sample SQL query to create a `Patient` table by extracting a few fields from the `Patient` resource:

+ ResourceId VARCHAR(64) '$.id',

+ FullName VARCHAR(100) '$.name[0].text',

+ FamilyName VARCHAR(50) '$.name[0].family',

+ GivenName VARCHAR(50) '$.name[0].given[0]',

+ Gender VARCHAR(20) '$.gender',

+ DOB DATETIME2 '$.birthDate',

+ MaritalStatus VARCHAR(20) '$.maritalStatus.coding[0].display',

+ LanguageOfCommunication VARCHAR(20) '$.communication[0].language.text'

+In this article, you learned three different ways to copy your FHIR data into Synapse.

+Next, you can learn about how you can de-identify your FHIR data while exporting it to Synapse in order to protect PHI.

+**Linked services**

+**Incremental changes to the FHIR service**

+* **Support for transactions**: In Azure Health Data Services, the FHIR service supports transaction bundles. For more information about transaction bundles, visit [HL7.org](http://www.hl7.org/) and refer to batch/transaction interactions.

+- **Continual updates** A device should enable the Over-the-Air (OTA) feature, such as the [Device Update for IoT Hub](../iot-hub-device-update/device-update-azure-real-time-operating-system.md) to push the firmware that contains the patches or bug fixes.

+- **Security monitoring and responses** A device should be able to proactively report the security postures for the solution builder to monitor the potential threats for a large number of devices. The [Microsoft Defender for IoT](../defender-for-iot/device-builders/concept-rtos-security-module.md) can be used for that purpose.

+**Application**: Make use of logging libraries and your cloud service's client SDK to push error logs to the cloud where they can be stored and analyzed safely without using valuable device storage space. Integration with [Microsoft Defender for IoT](https://azure.microsoft.com/services/azure-defender-for-iot/) would provide this functionality and more. Microsoft Defender for IoT provides agent-less monitoring of devices in an IoT solution. Monitoring can be enhanced by including the [Microsoft Defender for IOT micro-agent for Azure RTOS](../defender-for-iot/device-builders/iot-security-azure-rtos.md) on your device. For more information, see the [Runtime security monitoring and threat detection](#runtime-security-monitoring-and-threat-detection) recommendation.

+**Application**: The [Microsoft Defender for IOT micro-agent for Azure RTOS](../defender-for-iot/device-builders/iot-security-azure-rtos.md) provides a comprehensive security solution for Azure RTOS devices. The module provides security services via a small software agent that is built into your deviceΓÇÖs firmware and comes as part of Azure RTOS. The service includes detection of malicious network activities, device behavior baselining based on custom alerts, and recommendations that will help to improve the security hygiene of your devices. Whether you're using Azure RTOS in combination with Azure Sphere or not, the Microsoft Defender for IoT micro-agent provides an additional layer of security that is built right into the RTOS by default.

+FIPS 140 is a US government program that standardizes cryptographic algorithms and implementations used in US government and military applications. Along with documented standards, certified laboratories provide FIPS certification to guarantee specific cryptographic implementations adhere to regulations.

+- You can retain a CSR from each device and use that to get a new device certificate from the PKI CA. In this case, you'll need to push the new certificate to each device in a firmware update using a secure OTA update service like [Device Update for IoT Hub](../iot-hub-device-update/index.yml).

+- To learn about how to use the portal to create an enrollment group, see [Managing device enrollments with Azure portal](how-to-manage-enrollments.md).

+ Title: Configure module build options

+description: Learn how to use the module.json file to configure build and deployment options for a module

+# Configure IoT Edge module build options

+The *module.json* file controls how modules are built and deployed. IoT Edge module Visual Studio

+and Visual Studio Code projects include the *module.json* file. The file contains IoT Edge module

+configuration details including the version and platform that is used when building an IoT Edge

+module.

+## *module.json* settings

+The *module.json* file includes the following settings:

+| Setting | Description |

+|||

+| image.repository | The repository of the module. |

+| image.tag.version | The version of the module. |

+| image.tag.platforms | A list of supported platforms and their corresponding dockerfile. Each entry is a platform key and dockerfile pair `<platform key>:<dockerfile>`. |

+| image.buildOptions | The build arguments used when running `docker build`. |

+| image.contextPath | The context path used when running `docker build`. By default, it's the current folder of the *module.json* file. If your Docker build needs files not included in the current folder such as a reference to an external package or project, set the **contextPath** to the root path of all necessary files. Verify the files are copied in the dockerfile. |

+| language | The programming language of the module. |

+For example, the following *module.json* file is for a C# IoT Edge module:

+```json

+{

+ "$schema-version": "0.0.1",

+ "description": "",

+ "image": {

+ "repository": "localhost:5000/edgemodule",

+ "tag": {

+ "version": "0.0.1",

+ "platforms": {

+ "amd64": "./Dockerfile.amd64",

+ "amd64.debug": "./Dockerfile.amd64.debug",

+ "arm32v7": "./Dockerfile.arm32v7",

+ "arm32v7.debug": "./Dockerfile.arm32v7.debug",

+ "arm64v8": "./Dockerfile.arm64v8",

+ "arm64v8.debug": "./Dockerfile.arm64v8.debug",

+ "windows-amd64": "./Dockerfile.windows-amd64"

+ }

+ },

+ "buildOptions": ["--add-host=docker:10.180.0.1"],

+ "contextPath": "./"

+ },

+ "language": "csharp"

+}

+```

+Once the module is built, the final tag of the image is combined with both version and platform as

+`<repository>:<version>-<platform key>`. For this example, the image tag for `amd64.debug` is

+`localhost:5000/csharpmod:0.0.1-amd64.debug`.

+## Next steps

+[Understand the requirements and tools for developing IoT Edge modules](module-development.md)

+* **RestartPolicy**: When and if the IoT Edge agent should restart the module if it stops. If the module is stopped without any errors, it won't start automatically. For more information, see [Docker Docs - Start containers automatically](https://aka.ms/docker-container-restart-policy). Required.

+* [Support for additional protocols](../iot-edge/iot-edge-as-gateway.md)

+The token service pattern is the recommended way to implement a custom identity registry/authentication scheme with IoT Hub. This pattern is recommended because IoT Hub continues to handle most of the solution traffic. However, if the custom authentication scheme is so intertwined with the protocol, you may require a *custom gateway* to process all the traffic. An example of such a scenario is using [Transport Layer Security (TLS) and pre-shared keys (PSKs)](https://tools.ietf.org/html/rfc4279). For more information, see [How an IoT Edge device can be used as a gateway](../iot-edge/iot-edge-as-gateway.md).

+At the end of this tutorial, you have a Java console device app and a Java console back-end app:

+#Customer intent: As a developer, I want to be able to add information to messages sent from a device to my IoT hub, based on the destination endpoint.

+*Message enrichments* is the ability of an IoT hub to *stamp* messages with additional information before the messages are sent to the designated endpoint. One reason to use message enrichments is to include data that can be used to simplify downstream processing. For example, enriching device telemetry messages with a device twin tag can reduce load on customers to make device twin API calls for this information.

+You can add enrichments to messages that are going to the built-in endpoint of an IoT hub, or to messages that are being routed to custom endpoints such as Azure Blob storage, a Service Bus queue, or a Service Bus topic.

+Enrichments can be configured using the following methods:

+* You can add up to 10 enrichments per IoT hub for those hubs in the standard or basic tier. For IoT hubs in the free tier, you can add up to 2 enrichments.

+* In some cases, if you're applying an enrichment with a value set to a tag or property in the device twin, the value will be stamped with the specified device twin path. For example, if an enrichment value is set to $twin.tags.field, the messages will be stamped with the string "$twin.tags.field", rather than the value of that field from the twin. This behavior happens in the following cases:

+ * Your IoT hub is in the basic tier. Basic tier IoT hubs do not support device twins.

+ * Your IoT hub is in the standard tier, but the device sending the message has no device twin.

+ * Your IoT hub is in the standard tier, but the device twin path used for the value of the enrichment does not exist. For example, if the enrichment value is set to $twin.tags.location, and the device twin does not have a location property under tags, the message is stamped with the string "$twin.tags.location".

+ * Your IoT hub is in the standard tier, but the device twin path used for the value of the enrichment resolves to an object, rather than a simple property. For example, if the enrichment value is set to $twin.tags.location, and the location property under tags is an object that contains child properties like `{"building": 43, "room": 503}`, the message is stamped with the string "$twin.tags.location".

+* The total message size, including the enrichments, can't exceed 256 KB. If a message size exceeds 256 KB, the IoT hub will drop the message. You can use [IoT Hub metrics](monitor-iot-hub-reference.md#metrics) to identify and debug errors when messages are dropped. For example, you can monitor the *telemetry messages incompatible* (*d2c.telemetry.egress.invalid*) metric in the [routing metrics](monitor-iot-hub-reference.md#routing-metrics). To learn more, see [Monitor IoT Hub](monitor-iot-hub.md).

+Message enrichments are available for no additional charge. Currently, you are charged when you send a message to an IoT hub. You are only charged once for that message, even if the message goes to multiple endpoints.

+Check out these articles for more information about routing messages to an IoT hub:

+* [Support additional protocols](../iot-edge/iot-edge-as-gateway.md)

+>[!NOTE]

+>The Azure IoT protocol gateway is no longer the recommended method for protocol adaptation. Instead, consider using Azure IoT Edge as a gateway.

+>

+>For more information, see [How an IoT Edge device can be used as a gateway](../iot-edge/iot-edge-as-gateway.md).

+* [Azure IoT protocol gateway repository on GitHub](https://github.com/Azure/azure-iot-protocol-gateway/blob/master/README.md)

+## Add location tag to the device twin

+One of the message enrichments configured on your IoT hub specifies a key of DeviceLocation with its value determined by the following device twin path: `$twin.tags.location`. If your device twin doesn't have a location tag, the twin path, `$twin.tags.location`, will be stamped as a string for the DeviceLocation value in the message enrichments.

+Follow these steps to add a location tag to your device's twin with the portal.

+1. Go to your IoT hub by selecting **Resource groups**. Then select the resource group set up for this tutorial (**ContosoResourcesMsgEn**). Find the IoT hub in the list, and select it. Select **Devices** on the left-pane of the IoT hub, then select your device (**Contoso-Test-Device**).

+1. Select the **Device twin** tab at the top of the device page and add the following line just before the closing brace at the bottom of the device twin. Then select **Save**.

+ ```json

+ , "tags": {"location": "Plant 43"}

+ ```

+

+ :::image type="content" source="./media/tutorial-message-enrichments/add-location-tag-to-device-twin.png" alt-text="Screenshot of adding location tag to device twin in Azure portal":::

+1. Wait about five minutes before continuing to the next section. It can take up to that long for updates to the device twin to be reflected in message enrichment values.

+To learn more about how device twin paths are handled with message enrichments, see [Message enrichments limitations](iot-hub-message-enrichments-overview.md#limitations). To learn more about device twins, see [Understand and use device twins in IoT Hub](iot-hub-devguide-device-twins.md).

+{"EnqueuedTimeUtc":"2019-05-10T06:06:32.7220000Z","Properties":{"level":"storage","myIotHub":"contosotesthubmsgen3276","DeviceLocation":"Plant 43","customerID":"6ce345b8-1e4a-411e-9398-d34587459a3a"},"SystemProperties":{"connectionDeviceId":"Contoso-Test-Device","connectionAuthMethod":"{\"scope\":\"device\",\"type\":\"sas\",\"issuer\":\"iothub\",\"acceptingIpFilterRule\":null}","connectionDeviceGenerationId":"636930642531278483","enqueuedTime":"2019-05-10T06:06:32.7220000Z"},"Body":"eyJkZXZpY2VJZCI6IkNvbnRvc28tVGVzdC1EZXZpY2UiLCJ0ZW1wZXJhdHVyZSI6MjkuMjMyMDE2ODQ4MDQyNjE1LCJodW1pZGl0eSI6NjQuMzA1MzQ5NjkyODQ0NDg3LCJwb2ludEluZm8iOiJUaGlzIGlzIGEgc3RvcmFnZSBtZXNzYWdlLiJ9"}

+Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, you may review the [Overview](../general/overview.md).

+**Limits**: See [Azure Private Link limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#private-link-limits)

+- Learn more about [Azure Key Vault](overview.md)

+Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, you may review the [Overview](../general/overview.md).

+ Title: 'Quickstart: Create a basic public load balancer - Azure CLI'

+description: Learn how to create a public basic SKU Azure Load Balancer in this quickstart using the Azure CLI.

+# Quickstart: Create a basic public load balancer using the Azure CLI

+Get started with Azure Load Balancer by using the Azure portal to create a basic public load balancer and two virtual machines.

+- This quickstart requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+>[!NOTE]

+>Standard SKU load balancer is recommended for production workloads. For more information about SKUs, see **[Azure Load Balancer SKUs](../skus.md)**.

+## Create a resource group

+An Azure resource group is a logical container into which Azure resources are deployed and managed.

+Create a resource group with [az group create](/cli/azure/group#az_group_create):

+```azurecli

+ az group create \

+ --name CreatePubLBQS-rg \

+ --location eastus

+```

+## Create a virtual network

+Before you deploy VMs and test your load balancer, create the supporting virtual network and subnet.

+Create a virtual network using [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create). The virtual network and subnet will contain the resources deployed later in this article.

+```azurecli

+ az network vnet create \

+ --resource-group CreatePubLBQS-rg \

+ --location eastus \

+ --name myVNet \

+ --address-prefixes 10.1.0.0/16 \

+ --subnet-name myBackendSubnet \

+ --subnet-prefixes 10.1.0.0/24

+```

+## Create a public IP address

+To access your web app on the Internet, you need a public IP address for the load balancer.

+Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create the public IP for the load balancer frontend.

+```azurecli

+ az network public-ip create \

+ --resource-group CreatePubLBQS-rg \

+ --name myPublicIP \

+ --sku Basic

+```

+## Create a load balancer

+This section details how you can create and configure the following components of the load balancer:

+ * A frontend IP pool that receives the incoming network traffic on the load balancer

+ * A backend IP pool where the frontend pool sends the load balanced network traffic

+ * A health probe that determines health of the backend VM instances

+ * A load balancer rule that defines how traffic is distributed to the VMs

+### Create the load balancer resource

+Create a public load balancer with [az network lb create](/cli/azure/network/lb#az_network_lb_create):

+```azurecli

+ az network lb create \

+ --resource-group CreatePubLBQS-rg \

+ --name myLoadBalancer \

+ --sku Basic \

+ --public-ip-address myPublicIP \

+ --frontend-ip-name myFrontEnd \

+ --backend-pool-name myBackEndPool

+```

+### Create the health probe

+A health probe checks all virtual machine instances to ensure they can send network traffic.

+A virtual machine with a failed probe check is removed from the load balancer. The virtual machine is added back into the load balancer when the failure is resolved.

+Create a health probe with [az network lb probe create](/cli/azure/network/lb/probe#az_network_lb_probe_create):

+```azurecli

+ az network lb probe create \

+ --resource-group CreatePubLBQS-rg \

+ --lb-name myLoadBalancer \

+ --name myHealthProbe \

+ --protocol tcp \

+ --port 80

+```

+### Create the load balancer rule

+A load balancer rule defines:

+* Frontend IP configuration for the incoming traffic

+* The backend IP pool to receive the traffic

+* The required source and destination port

+Create a load balancer rule with [az network lb rule create](/cli/azure/network/lb/rule#az_network_lb_rule_create):

+```azurecli

+ az network lb rule create \

+ --resource-group CreatePubLBQS-rg \

+ --lb-name myLoadBalancer \

+ --name myHTTPRule \

+ --protocol tcp \

+ --frontend-port 80 \

+ --backend-port 80 \

+ --frontend-ip-name myFrontEnd \

+ --backend-pool-name myBackEndPool \

+ --probe-name myHealthProbe \

+ --idle-timeout 15

+```

+## Create a network security group

+For a standard load balancer, the VMs in the backend address for are required to have network interfaces that belong to a network security group.

+Use [az network nsg create](/cli/azure/network/nsg#az_network_nsg_create) to create the network security group:

+```azurecli

+ az network nsg create \

+ --resource-group CreatePubLBQS-rg \

+ --name myNSG

+```

+### Create a network security group rule

+Create a network security group rule using [az network nsg rule create](/cli/azure/network/nsg/rule#az_network_nsg_rule_create):

+```azurecli

+ az network nsg rule create \

+ --resource-group CreatePubLBQS-rg \

+ --nsg-name myNSG \

+ --name myNSGRuleHTTP \

+ --protocol '*' \

+ --direction inbound \

+ --source-address-prefix '*' \

+ --source-port-range '*' \

+ --destination-address-prefix '*' \

+ --destination-port-range 80 \

+ --access allow \

+ --priority 200

+```

+## Create a bastion host

+In this section, you'll create te resources for Azure Bastion. Azure Bastion is used to securely manage the virtual machines in the backend pool of the load balancer.

+### Create a public IP address

+Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create a public ip address for the bastion host. The public IP is used by the bastion host for secure access to the virtual machine resources.

+```azurecli

+ az network public-ip create \

+ --resource-group CreatePubLBQS-rg \

+ --name myBastionIP \

+ --sku Standard \

+ --zone 1 2 3

+```

+### Create a bastion subnet

+Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) to create a bastion subnet. The bastion subnet is used by the bastion host to access the virtual network.

+```azurecli

+ az network vnet subnet create \

+ --resource-group CreatePubLBQS-rg \

+ --name AzureBastionSubnet \

+ --vnet-name myVNet \

+ --address-prefixes 10.1.1.0/27

+```

+### Create bastion host

+Use [az network bastion create](/cli/azure/network/bastion#az_network_bastion_create) to create a bastion host. The bastion host is used to connect securely to the virtual machine resources created later in this article.

+```azurecli

+ az network bastion create \

+ --resource-group CreatePubLBQS-rg \

+ --name myBastionHost \

+ --public-ip-address myBastionIP \

+ --vnet-name myVNet \

+ --location eastus

+```

+It can take a few minutes for the Azure Bastion host to deploy.

+## Create backend servers

+In this section, you create:

+* Two network interfaces for the virtual machines

+* Two virtual machines to be used as backend servers for the load balancer

+### Create network interfaces for the virtual machines

+Create two network interfaces with [az network nic create](/cli/azure/network/nic#az_network_nic_create):

+```azurecli

+ array=(myNicVM1 myNicVM2)

+ for vmnic in "${array[@]}"

+ do

+ az network nic create \

+ --resource-group CreatePubLBQS-rg \

+ --name $vmnic \

+ --vnet-name myVNet \

+ --subnet myBackEndSubnet \

+ --network-security-group myNSG

+ done

+```

+### Create availability set for virtual machines

+Create the availability set with [az vm availability-set create](/cli/azure/vm/availability-set#az_vm_availability_set_create):

+```azurecli

+ az vm availability-set create \

+ --name myAvSet \

+ --resource-group CreatePubLBQS-rg \

+ --location eastus

+

+```

+### Create virtual machines

+Create the virtual machines with [az vm create](/cli/azure/vm#az_vm_create):

+```azurecli

+ az vm create \

+ --resource-group CreatePubLBQS-rg \

+ --name myVM1 \

+ --nics myNicVM1 \

+ --image win2019datacenter \

+ --admin-username azureuser \

+ --availability-set myAvSet \

+ --no-wait

+```

+```azurecli

+ az vm create \

+ --resource-group CreatePubLBQS-rg \

+ --name myVM2 \

+ --nics myNicVM2 \

+ --image win2019datacenter \

+ --admin-username azureuser \

+ --availability-set myAvSet \

+ --no-wait

+```

+It may take a few minutes for the VMs to deploy. You can continue to the next steps while the VMs are creating.

+### Add virtual machines to load balancer backend pool

+Add the virtual machines to the backend pool with [az network nic ip-config address-pool add](/cli/azure/network/nic/ip-config/address-pool#az_network_nic_ip_config_address_pool_add):

+```azurecli

+ array=(myNicVM1 myNicVM2)

+ for vmnic in "${array[@]}"

+ do

+ az network nic ip-config address-pool add \

+ --address-pool myBackendPool \

+ --ip-config-name ipconfig1 \

+ --nic-name $vmnic \

+ --resource-group CreatePubLBQS-rg \

+ --lb-name myLoadBalancer

+ done

+```

+## Install IIS

+Use [az vm extension set](/cli/azure/vm/extension#az_vm_extension_set) to install IIS on the virtual machines and set the default website to the computer name.

+```azurecli

+ array=(myVM1 myVM2)

+ for vm in "${array[@]}"

+ do

+ az vm extension set \

+ --publisher Microsoft.Compute \

+ --version 1.8 \

+ --name CustomScriptExtension \

+ --vm-name $vm \

+ --resource-group CreatePubLBQS-rg \

+ --settings '{"commandToExecute":"powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"}'

+ done

+```

+## Test the load balancer

+To get the public IP address of the load balancer, use [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show).

+Copy the public IP address, and then paste it into the address bar of your browser.

+```azurecli

+ az network public-ip show \

+ --resource-group CreatePubLBQS-rg \

+ --name myPublicIP \

+ --query ipAddress \

+ --output tsv

+```

+## Clean up resources

+When no longer needed, use the [az group delete](/cli/azure/group#az_group_delete) command to remove the resource group, load balancer, and all related resources.

+```azurecli

+ az group delete \

+ --name CreatePubLBQS-rg

+```

+## Next steps

+In this quickstart:

+* You created a basic public load balancer

+* Attached two virtual machines

+* Configured the load balancer traffic rule and health probe

+* Tested the load balancer

+To learn more about Azure Load Balancer, continue to:

+> [!div class="nextstepaction"]

+> [What is Azure Load Balancer?](../load-balancer-overview.md)

+ Title: 'Quickstart: Create a basic public load balancer - Azure portal'

+description: Learn how to create a public basic SKU Azure Load Balancer in this quickstart.

+# Quickstart: Create a basic public load balancer using the Azure portal

+Get started with Azure Load Balancer by using the Azure portal to create a basic public load balancer and two virtual machines.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+>[!NOTE]

+>Standard SKU load balancer is recommended for production workloads. For more information about SKUs, see **[Azure Load Balancer SKUs](../skus.md)**.

+## Sign in to Azure

+Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

+## Create the virtual network

+In this section, you'll create a virtual network and subnet.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual Networks** in the search results.

+2. In **Virtual networks**, select **+ Create**.

+3. In **Create virtual network**, enter or select the following information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **Create new**. </br> In **Name** enter **CreatePubLBQS-rg**. </br> Select **OK**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet** |

+ | Region | Select **West US 3** |

+4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+5. In the **IP Addresses** tab, enter this information:

+ | Setting | Value |

+ |--|-|

+ | IPv4 address space | Enter **10.1.0.0/16** |

+6. Under **Subnet name**, select the word **default**.

+7. In **Edit subnet**, enter the following information:

+ | Setting | Value |

+ |--|-|

+ | Subnet name | Enter **myBackendSubnet** |

+ | Subnet address range | Enter **10.1.0.0/24** |

+8. Select **Save**.

+9. Select the **Security** tab.

+10. Under **BastionHost**, select **Enable**. Enter this information:

+ | Setting | Value |

+ |--|-|

+ | Bastion name | Enter **myBastionHost** |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/27** |

+ | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

+11. Select the **Review + create** tab or select the **Review + create** button.

+12. Select **Create**.

+## Create load balancer

+In this section, you create a load balancer that load balances virtual machines.

+During the creation of the load balancer, you'll configure:

+* Frontend IP address

+* Backend pool

+* Inbound load-balancing rules

+1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+2. In the **Load balancer** page, select **+ Create**.

+3. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information:

+ | Setting | Value |

+ | | |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **CreatePubLBQS-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myLoadBalancer** |

+ | Region | Select **West US 3**. |

+ | SKU | Select **Basic**. |

+ | Type | Select **Public**. |

+

+4. Select **Next: Frontend IP configuration** at the bottom of the page.

+5. In **Frontend IP configuration**, select **+ Add a frontend IP**.

+6. Enter **myFrontend** in **Name**.

+7. Select **IPv4** or **IPv6** for the **IP version**.

+8. Select **Create new** in **Public IP address**.

+9. In **Add a public IP address**, enter **myPublicIP** for **Name**.

+10. In **Assignment**, select **Static**.

+11. Select **OK**.

+12. Select **Add**.

+13. Select **Next: Backend pools** at the bottom of the page.

+14. In the **Backend pools** tab, select **+ Add a backend pool**.

+15. Enter or select the following information in **Add backend pool**.

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **myBackendPool**. |

+ | Virtual network | Select **myVNet (CreatePubLBQS-rg)**. |

+ | Associated to | Select **Virtual machines**. |

+ | IP version | Select **IPv4** or **IPv6**. |

+16. Select **Add**.

+17. Select the **Next: Inbound rules** button at the bottom of the page.

+18. In **Load balancing rule** in the **Inbound rules** tab, select **+ Add a load balancing rule**.

+19. In **Add load balancing rule**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **myHTTPRule** |

+ | IP Version | Select **IPv4** or **IPv6** depending on your requirements. |

+ | Frontend IP address | Select **myFrontend**. |

+ | Backend pool | Select **myBackendPool**. |

+ | Protocol | Select **TCP**. |

+ | Port | Enter **80**. |

+ | Backend port | Enter **80**. |

+ | Health probe | Select **Create new**. </br> In **Name**, enter **myHealthProbe**. </br> Select **TCP** in **Protocol**. </br> Leave the rest of the defaults, and select **OK**. |

+ | Session persistence | Select **None**. |

+ | Idle timeout (minutes) | Enter or select **15**. |

+ | Floating IP | Select **Disabled**. |

+20. Select **Add**.

+21. Select the blue **Review + create** button at the bottom of the page.

+22. Select **Create**.

+## Create virtual machines

+In this section, you'll create two VMs (**myVM1** and **myVM2**).

+The two VMs will be added to an availability set named **myAvailabilitySet**.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. In **Virtual machines**, select **+ Create** > **Virtual machine**.

+

+3. In **Create a virtual machine**, type or select the values in the **Basics** tab:

+ | Setting | Value |

+ |--|-|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **CreatePubLBQS-rg** |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM1** |

+ | Region | Select **West US 3** |

+ | Availability Options | Select **Availability set** |

+ | Availability set | Select **Create new**. </br> Enter **myAvailabilitySet** in **Name**. </br> Select **OK** |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter - Gen2** |

+ | Azure Spot instance | Leave the default of unchecked. |

+ | Size | Choose VM size or take default setting |

+ | **Administrator account** | |

+ | Username | Enter a username |

+ | Password | Enter a password |

+ | Confirm password | Reenter password |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+4. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

+

+5. In the Networking tab, select or enter:

+ | Setting | Value |

+ |-|-|

+ | **Network interface** | |

+ | Virtual network | Select **myVNet** |

+ | Subnet | Select **myBackendSubnet** |

+ | Public IP | Select **None** |

+ | NIC network security group | Select **Advanced**|

+ | Configure network security group | Select **Create new**. </br> In the **Create network security group**, enter **myNSG** in **Name**. </br> Under **Inbound rules**, select **+Add an inbound rule**. </br> In **Source port ranges**, enter **80**. </br> In **Service**, select **HTTP**. </br> Under **Priority**, enter **100**. </br> In **Name**, enter **myNSGRule** </br> Select **Add** </br> Select **OK** |

+ | **Load balancing** | |

+ | Place this virtual machine behind an existing load-balancing solution? | Select the box |

+ | **Load balancing settings** | |

+ | Load balancing options | Select **Azure Load Balancer**. |

+ | Select a load balancer | Select **myLoadBalancer**. |

+ | Select a backend pool | Select **myBackendPool**. |

+6. Select **Review + create**.

+

+7. Review the settings, and then select **Create**.

+8. Follow the steps 1 through 7 to create one more VM with the following values and all the other settings the same as **myVM1**:

+ | Setting | VM 2 |

+ | - | -- |

+ | Name | **myVM2** |

+ | Availability set | Select **myAvailabilitySet** |

+ | Network security group | Select the existing **myNSG** |

+## Install IIS

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **myVM1**.

+3. On the **Overview** page, select **Connect**, then **Bastion**.

+4. Select **Use Bastion**.

+5. Enter the username and password entered during VM creation.

+6. Select **Connect**.

+7. On the server desktop, navigate to **Windows Administrative Tools** > **Windows PowerShell**.

+8. In the PowerShell Window, run the following commands to:

+ * Install the IIS server

+ * Remove the default iisstart.htm file

+ * Add a new iisstart.htm file that displays the name of the VM:

+ ```powershell

+ # Install IIS server role

+ Install-WindowsFeature -name Web-Server -IncludeManagementTools

+

+ # Remove default htm file

+ Remove-Item C:\inetpub\wwwroot\iisstart.htm

+

+ # Add a new htm file that displays server name

+ Add-Content -Path "C:\inetpub\wwwroot\iisstart.htm" -Value $("Hello World from " + $env:computername)

+ ```

+9. Close the bastion session with **myVM1**.

+10. Repeat steps 1 to 9 to install IIS and the updated iisstart.htm file on **myVM2**.

+## Test the load balancer

+1. In the search box at the top of the page, enter **Load balancer**. Select **Load balancers** in the search results.

+2. Find the public IP address for the load balancer on the **Overview** page under **Public IP address**.

+3. Copy the public IP address, and then paste it into the address bar of your browser. The custom VM page of the IIS Web server is displayed in the browser.

+## Clean up resources

+When no longer needed, delete the resource group, load balancer, and all related resources. To do so, select the resource group **CreatePubLBQS-rg** that contains the resources and then select **Delete**.

+## Next steps

+In this quickstart, you:

+* Created a basic public load balancer.

+* Attached 2 VMs to the load balancer.

+* Tested the load balancer.

+To learn more about Azure Load Balancer, continue to:

+> [!div class="nextstepaction"]

+> [What is Azure Load Balancer?](../load-balancer-overview.md)

+* Gateway Load Balancer does not currently support IPv6

+Get started with Azure Load Balancer by using Azure CLI to create a public load balancer and two virtual machines.

+```azurecli

+## Create a virtual network

+Before you deploy VMs and test your load balancer, create the supporting virtual network and subnet.

+Create a virtual network using [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create). The virtual network and subnet will contain the resources deployed later in this article.

+```azurecli

+## Create a public IP address

+Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create the public IP for the load balancer frontend.

+```azurecli

+ --sku Standard \

+ --zone 1 2 3

+To create a zonal public IP address in Zone 1, use the following command:

+```azurecli

+## Create a load balancer

+ * A frontend IP pool that receives the incoming network traffic on the load balancer

+ * A backend IP pool where the frontend pool sends the load balanced network traffic

+ * A health probe that determines health of the backend VM instances

+ * A load balancer rule that defines how traffic is distributed to the VMs

+```azurecli

+ --backend-pool-name myBackEndPool

+```azurecli

+ --port 80

+* Frontend IP configuration for the incoming traffic

+* The backend IP pool to receive the traffic

+* The required source and destination port

+Create a load balancer rule with [az network lb rule create](/cli/azure/network/lb/rule#az_network_lb_rule_create):

+```azurecli

+## Create a network security group

+For a standard load balancer, the VMs in the backend address for are required to have network interfaces that belong to a network security group.

+Use [az network nsg create](/cli/azure/network/nsg#az_network_nsg_create) to create the network security group:

+```azurecli

+ az network nsg create \

+ --name myNSG

+### Create a network security group rule

+Create a network security group rule using [az network nsg rule create](/cli/azure/network/nsg/rule#az_network_nsg_rule_create):

+```azurecli

+ az network nsg rule create \

+ --nsg-name myNSG \

+ --name myNSGRuleHTTP \

+ --protocol '*' \

+ --direction inbound \

+ --source-address-prefix '*' \

+ --source-port-range '*' \

+ --destination-address-prefix '*' \

+ --destination-port-range 80 \

+ --access allow \

+ --priority 200

+## Create a bastion host

+In this section, you'll create te resources for Azure Bastion. Azure Bastion is used to securely manage the virtual machines in the backend pool of the load balancer.

+Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create a public ip address for the bastion host. The public IP is used by the bastion host for secure access to the virtual machine resources.

+```azurecli

+ az network public-ip create \

+ --sku Standard \

+ --zone 1 2 3

+Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) to create a bastion subnet. The bastion subnet is used by the bastion host to access the virtual network.

+```azurecli

+ az network vnet subnet create \

+ --address-prefixes 10.1.1.0/27

+Use [az network bastion create](/cli/azure/network/bastion#az_network_bastion_create) to create a bastion host. The bastion host is used to connect securely to the virtual machine resources created later in this article.

+```azurecli

+ az network bastion create \

+## Create backend servers

+* Two network interfaces for the virtual machines

+* Two virtual machines to be used as backend servers for the load balancer

+Create two network interfaces with [az network nic create](/cli/azure/network/nic#az_network_nic_create):

+```azurecli

+ array=(myNicVM1 myNicVM2)

+```azurecli

+ --zone 1 \

+```azurecli

+ --zone 2 \

+It may take a few minutes for the VMs to deploy. You can continue to the next steps while the VMs are creating.

+### Add virtual machines to load balancer backend pool

+Add the virtual machines to the backend pool with [az network nic ip-config address-pool add](/cli/azure/network/nic/ip-config/address-pool#az_network_nic_ip_config_address_pool_add):

+```azurecli

+ array=(myNicVM1 myNicVM2)

+ for vmnic in "${array[@]}"

+ do

+ az network nic ip-config address-pool add \

+ --address-pool myBackendPool \

+ --ip-config-name ipconfig1 \

+ --nic-name $vmnic \

+ --resource-group CreatePubLBQS-rg \

+ --lb-name myLoadBalancer

+ done

+## Create NAT gateway

+To provide outbound internet access for resources in the backend pool, create a NAT gateway.

+### Create public IP

+Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create a single IP for the outbound connectivity.

+```azurecli

+ az network public-ip create \

+ --name myNATgatewayIP \

+ --sku Standard \

+ --zone 1 2 3

+To create a zonal redundant public IP address in Zone 1:

+```azurecli

+ az network public-ip create \

+ --name myNATgatewayIP \

+ --sku Standard \

+ --zone 1

+### Create NAT gateway resource

+Use [az network nat gateway create](/cli/azure/network/nat#az_network_nat_gateway_create) to create the NAT gateway resource. The public IP created in the previous step is associated with the NAT gateway.

+```azurecli

+ az network nat gateway create \

+ --name myNATgateway \

+ --public-ip-addresses myNATgatewayIP \

+ --idle-timeout 10

+### Associate NAT gateway with subnet

+Configure the source subnet in virtual network to use a specific NAT gateway resource with [az network vnet subnet update](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_update).

+```azurecli

+ az network vnet subnet update \

+ --resource-group CreatePubLBQS-rg \

+ --vnet-name myVNet \

+ --name myBackendSubnet \

+ --nat-gateway myNATgateway

+```azurecli

+ array=(myVM1 myVM2)

+```azurecli

+```azurecli

+In this quickstart:

+* You created a standard public load balancer

+* Attached two virtual machines

+* Configured the load balancer traffic rule and health probe

+* Tested the load balancer

+ Title: Schedules for recurring triggers in workflows

+description: An overview about scheduling recurring automated workflows in Azure Logic Apps.

+# Schedules for recurring triggers in Azure Logic Apps workflows

+Azure Logic Apps helps you create and run automated recurring workflows on a schedule. By creating a logic app workflow that starts with a built-in Recurrence trigger or Sliding Window trigger, which are Schedule-type triggers, you can run tasks immediately, at a later time, or on a recurring interval. You can call services inside and outside Azure, such as HTTP or HTTPS endpoints, post messages to Azure services such as Azure Storage and Azure Service Bus, or get files uploaded to a file share. With the Recurrence trigger, you can also set up complex schedules and advanced recurrences for running tasks. To learn more about the built-in Schedule triggers and actions, see [Schedule triggers](#schedule-triggers) and [Schedule actions](#schedule-actions).

+To schedule jobs, Azure Logic Apps puts the message for processing into the queue and specifies when that message becomes available, based on the UTC time when the last job ran and the UTC time when the next job is scheduled to run. If you specify a start time with your recurrence, *make sure that you select a time zone* so that your logic app workflow runs at the specified start time. That way, the UTC time for your logic app also shifts to counter the seasonal time change. Recurring triggers honor the schedule that you set, including any time zone that you specify.

+Otherwise, if you don't select a time zone, daylight saving time (DST) events might affect when triggers run. For example, the start time shifts one hour forward when DST starts and one hour backward when DST ends.

+## When to use AutoML: classification, regression, forecasting, computer vision & NLP

+ML professionals and developers across industries can use automated ML to:

+Support for computer vision tasks allows you to easily generate models trained on image data for scenarios like image classification and object detection.

+<a name="nlp"></a>

+### Natural language processing: NLP (preview)

+Support for natural language processing (NLP) tasks in automated ML allows you to easily generate models trained on text data for text classification and named entity recognition scenarios. Authoring automated ML trained NLP models is supported via the Azure Machine Learning Python SDK. The resulting experimentation runs, models, and outputs can be accessed from the Azure Machine Learning studio UI.

+The NLP capability supports:

+* End-to-end deep neural network NLP training with the latest pre-trained BERT models

+* Seamless integration with [Azure Machine Learning data labeling](how-to-create-text-labeling-projects.md)

+* Use labeled data for generating NLP models

+* Multi-lingual support with 104 languages

+* Distributed training with Horovod

+Learn how to [set up AutoML training for NLP models](how-to-auto-train-nlp-models.md).

+ Title: Set up AutoML for NLP

+description: Set up Azure Machine Learning automated ML to train natural language processing models with the Azure Machine Learning Python SDK.

+# Customer intent: I'm a data scientist with ML knowledge in the natural language processing space, looking to build ML models using language specific data in Azure Machine Learning with full control of the model algorithm, hyperparameters, and training and deployment environments.

+# Set up AutoML to train a natural language processing model with Python (preview)

+In this article, you learn how to train natural language processing (NLP) models with [automated ML](concept-automated-ml.md) in the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/).

+Automated ML supports NLP which allows ML professionals and data scientists to bring their own text data and build custom models for tasks such as, multi-class text classification, multi-label text classification, and named entity recognition (NER).

+You can seamlessly integrate with the [Azure Machine Learning data labeling](how-to-create-text-labeling-projects.md) capability to label your text data or bring your existing labeled data. Automated ML provides the option to use distributed training on multi-GPU compute clusters for faster model training. The resulting model can be operationalized at scale by leveraging Azure MLΓÇÖs MLOps capabilities.

+## Prerequisites

+* Azure subscription. If you don't have an Azure subscription, sign up to try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/) today.

+* An Azure Machine Learning workspace with a GPU training compute. To create the workspace, see [Create an Azure Machine Learning workspace](how-to-manage-workspace.md). See [GPU optimized virtual machine sizes](../virtual-machines/sizes-gpu.md) for more details of GPU instances provided by Azure.

+ > [!Warning]

+ > Support for multilingual models and the use of models with longer max sequence length is necessary for several NLP use cases, such as non-english datasets and longer range documents. As a result, these scenarios may require higher GPU memory for model training to succeed, such as the NC_v3 series or the ND series.

+

+* The Azure Machine Learning Python SDK installed.

+ To install the SDK you can either,

+ * Create a compute instance, which automatically installs the SDK and is pre-configured for ML workflows. See [Create and manage an Azure Machine Learning compute instance](how-to-create-manage-compute-instance.md) for more information.

+ * [Install the `automl` package yourself](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/README.md#setup-using-a-local-conda-environment), which includes the [default installation](/python/api/overview/azure/ml/install#default-install) of the SDK.

+ [!INCLUDE [automl-sdk-version](../../includes/machine-learning-automl-sdk-version.md)]

+

+ > [!WARNING]

+ > Python 3.8 is not compatible with `automl`.

+* This article assumes some familiarity with setting up an automated machine learning experiment. Follow the [tutorial](tutorial-auto-train-models.md) or [how-to](how-to-configure-auto-train.md) to see the main automated machine learning experiment design patterns.

+## Select your NLP task

+Determine what NLP task you want to accomplish. Currently, automated ML supports the follow deep neural network NLP tasks.

+Task |AutoMLConfig syntax| Description

+-|-|

+Multi-class text classification | `task = 'text-classification'`| There are multiple possible classes and each sample can be classified as exactly one class. The task is to predict the correct class for each sample. <br> <br> For example, classifying a movie script as "Comedy" or "Romantic".

+Multi-label text classification | `task = 'text-classification-multilabel'`| There are multiple possible classes and each sample can be assigned any number of classes. The task is to predict all the classes for each sample<br> <br> For example, classifying a movie script as "Comedy", or "Romantic", or "Comedy and Romantic".

+Named Entity Recognition (NER)| `task = 'text-ner'`| There are multiple possible tags for tokens in sequences. The task is to predict the tags for all the tokens for each sequence. <br> <br> For example, extracting domain-specific entities from unstructured text, such as contracts or financial documents

+## Preparing data

+For NLP experiments in automated ML, you can bring an Azure Machine Learning dataset with `.csv` format for multi-class and multi-label classification tasks. For NER tasks, two-column `.txt` files that use a space as the separator and adhere to the CoNLL format are supported. The following sections provide additional detail for the data format accepted for each task.

+### Multi-class

+For multi-class classification, the dataset can contain several text columns and exactly one label column. The following example has only one text column.

+```python

+text,labels

+"I love watching Chicago Bulls games.","NBA"

+"Tom Brady is a great player.","NFL"

+"There is a game between Yankees and Orioles tonight","NFL"

+"Stephen Curry made the most number of 3-Pointers","NBA"

+```

+### Multi-label

+For multi-label classification, the dataset columns would be the same as multi-class, however there are special format requirements for data in the label column. The two accepted formats and examples are in the following table.

+|Label column format options |Multiple labels| One label | No labels

+||||

+|Plain text|`"label1, label2, label3"`| `"label1"`| `""`

+|Python list with quotes| `"['label1','label2','label3']"`| `"['label1']"`|`"[]"`

+> [!IMPORTANT]

+> Different parsers are used to read labels for these formats. If you are using the plaint text format, only use alphabetical, numerical and `'_'` in your labels. All other characters are recognized as the separator of labels.

+>

+> For example, if your label is `"cs.AI"`, it's read as `"cs"` and `"AI"`. Whereas with the Python list format, the label would be `"['cs.AI']"`, which is read as `"cs.AI"` .

+Example data for multi-label in plain text format.

+```python

+text,labels

+"I love watching Chicago Bulls games.","basketball"

+"The four most popular leagues are NFL, MLB, NBA and NHL","football,baseball,basketball,hockey"

+"I like drinking beer.",""

+```

+Example data for multi-label in Python list with quotes format.

+``` python

+text,labels

+"I love watching Chicago Bulls games.","['basketball']"

+"The four most popular leagues are NFL, MLB, NBA and NHL","['football','baseball','basketball','hockey']"

+"I like drinking beer.","[]"

+```

+### Named entity recognition (NER)

+Unlike multi-class or multi-label, which takes `.csv` format datasets, named entity recognition requires [CoNLL](https://www.clips.uantwerpen.be/conll2003/ner/) format. The file must contain exactly two columns and in each row, the token and the label is separated by a single space.

+For example,

+``` python

+Hudson B-loc

+Square I-loc

+is O

+a O

+famous O

+place O

+in O

+New B-loc

+York I-loc

+City I-loc

+Stephen B-per

+Curry I-per

+got O

+three O

+championship O

+rings O

+```

+### Data validation

+Before training, automated ML applies data validation checks on the input data to ensure that the data can be preprocessed correctly. If any of these checks fail, the run fails with the relevant error message. The following are the requirements to pass data validation checks for each task.

+> [!Note]

+> Some data validation checks are applicable to both the training and the validation set, whereas others are applicable only to the training set. If the test dataset could not pass the data validation, that means that automated ML couldn't capture it and there is a possibility of model inference failure, or a decline in model performance.

+Task | Data validation check

+|

+All tasks | At least 50 training samples are required

+Multi-class and Multi-label | The training data and validation data must have <br> - The same set of columns <br>- The same order of columns from left to right <br>- The same data type for columns with the same name <br>- At least two unique labels <br> - Unique column names within each dataset (For example, the training set can't have multiple columns named **Age**)

+Multi-class only | None

+Multi-label only | - The label column format must be in [accepted format](#multi-label) <br> - At least one sample should have 0 or 2+ labels, otherwise it should be a `multiclass` task <br> - All labels should be in `str` or `int` format, with no overlapping. You should not have both label `1` and label `'1'`

+NER only | - The file should not start with an empty line <br> - Each line must be an empty line, or follow format `{token} {label}`, where there is exactly one space between the token and the label and no white space after the label <br> - All labels must start with `I-`, `B-`, or be exactly `O`. Case sensitive <br> - Exactly one empty line between two samples <br> - Exactly one empty line at the end of the file

+

+## Configure experiment

+Automated ML's NLP capability is triggered through `AutoMLConfig`, which is the same workflow for submitting automated ML experiments for classification, regression and forecasting tasks. You would set most of the parameters as you would for those experiments, such as `task`, `compute_target` and data inputs.

+However, there are key differences include:

+* You can ignore `primary_metric`, as it is only for reporting purpose. Currently, automated ML only trains one model per run for NLP and there is no model selection.

+* The `label_column_name` parameter is only required for multi-class and multi-label text classification tasks.

+```python

+automl_settings = {

+ "verbosity": logging.INFO,

+}

+automl_config = AutoMLConfig(

+ task="text-classification",

+ debug_log="automl_errors.log",

+ compute_target=compute_target,

+ training_data=train_dataset,

+ validation_data=val_dataset,

+ label_column_name=target_column_name,

+ **automl_settings

+)

+```

+### Language settings

+As part of the NLP functionality, automated ML supports 104 languages leveraging language specific and multilingual pre-trained text DNN models, such as the BERT family of models. Currently, language selection defaults to English.

+ The following table summarizes what model is applied based on task type and language. See the full list of [supported languages and their codes](/python/api/azureml-automl-core/azureml.automl.core.constants.textdnnlanguages#azureml-automl-core-constants-textdnnlanguages-supported).

+ Task type |Syntax for `dataset_language` | Text model algorithm

+-|-|

+Multi-label text classification| `'eng'` <br> `'deu'` <br> `'mul'`| English&nbsp;BERT&nbsp;[uncased](https://huggingface.co/bert-base-uncased) <br> [German BERT](https://huggingface.co/bert-base-german-cased)<br> [Multilingual BERT](https://huggingface.co/bert-base-multilingual-cased) <br><br>For all other languages, automated ML applies multilingual BERT

+Multi-class text classification| `'eng'` <br> `'deu'` <br> `'mul'`| English&nbsp;BERT&nbsp;[cased](https://huggingface.co/bert-base-cased)<br> [Multilingual BERT](https://huggingface.co/bert-base-multilingual-cased) <br><br>For all other languages, automated ML applies multilingual BERT

+Named entity recognition (NER)| `'eng'` <br> `'deu'` <br> `'mul'`| English&nbsp;BERT&nbsp;[cased](https://huggingface.co/bert-base-cased) <br> [German BERT](https://huggingface.co/bert-base-german-cased)<br> [Multilingual BERT](https://huggingface.co/bert-base-multilingual-cased) <br><br>For all other languages, automated ML applies multilingual BERT

+You can specify your dataset language in your `FeaturizationConfig`. BERT is also used in the featurization process of automated ML experiment training, learn more about [BERT integration and featurization in automated ML](how-to-configure-auto-features.md#bert-integration-in-automated-ml).

+```python

+from azureml.automl.core.featurization import FeaturizationConfig

+featurization_config = FeaturizationConfig(dataset_language='{your language code}')

+automl_config = AutomlConfig("featurization": featurization_config)

+```

+## Distributed training

+You can also run your NLP experiments with distributed training on an Azure ML compute cluster. This is handled automatically by automated ML when the parameters `max_concurrent_iterations = number_of_vms` and `enable_distributed_dnn_training = True` are provided in your `AutoMLConfig` during experiment set up.

+```python

+max_concurrent_iterations = number_of_vms

+enable_distributed_dnn_training = True

+```

+Doing so, schedules distributed training of the NLP models and automatically scales to every GPU on your virtual machine or cluster of virtual machines. The max number of virtual machines allowed is 32. The training is scheduled with number of virtual machines that is in powers of two.

+## Example notebooks

+See the sample notebooks for detailed code examples for each NLP task.

+* [Multi-class text classification](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/automl-nlp-multiclass/automl-nlp-text-classification-multiclass.ipynb)

+* [Multi-label text classification](

+https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/automl-nlp-multilabel/automl-nlp-text-classification-multilabel.ipynb)

+* [Named entity recognition](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/automl-nlp-ner/automl-nlp-ner.ipynb)

+## Next steps

+[BERT](https://techcommunity.microsoft.com/t5/azure-ai/how-bert-is-integrated-into-azure-automated-machine-learning/ba-p/1194657) is used in the featurization layer of automated ML. In this layer, if a column contains free text or other types of data like timestamps or simple numbers, then featurization is applied accordingly.

+Learn how to [set up natural language processing (NLP) experiments that also use BERT with automated ML](how-to-auto-train-nlp-models.md).

+Automated ML takes the following steps for BERT.

+Before you begin your experiment, you should determine the kind of machine learning problem you are solving. Automated machine learning supports task types of `classification`, `regression`, and `forecasting`. Learn more about [task types](concept-automated-ml.md#when-to-use-automl-classification-regression-forecasting-computer-vision--nlp).

+> Support for computer vision tasks: image classification (multi-class and multi-label), object detection, and instance segmentation is available in public preview. [Learn more about computer vision tasks in automated ML](concept-automated-ml.md#computer-vision-preview).

+>

+>Support for natural language processing (NLP) tasks: image classification (multi-class and multi-label) and named entity recognition is available in public preview. [Learn more about NLP tasks in automated ML](concept-automated-ml.md#nlp).

+>

+> These preview capabilities are provided without a service-level agreement. Certain features might not be supported or might have constrained functionality. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+2. [Create a Private Link for managing Azure resources](../azure-resource-manager/management/create-private-link-access-portal.md).

+3. [Create a private endpoint](../azure-resource-manager/management/create-private-link-access-portal.md#create-private-endpoint) for the Private Link created in the previous step.

+> To configure the private link for Azure Resource Manager, you must be the _subscription owner_ for the Azure subscription, and an _owner_ or _contributor_ of the root management group. For more information, see [Create a private link for managing Azure resources](../azure-resource-manager/management/create-private-link-access-portal.md).

+- [Explore Azure Machine Learning with examples](samples-notebooks.md)

+ * Use the SDK to upload the data to a datastore. For more information, see the [Upload the data](./tutorial-1st-experiment-bring-data.md#upload) section of the tutorial.

+* [Working in secure environments](./how-to-secure-training-vnet.md#compute-cluster)

+* If you create a compute instance and plan to use the no public IP address configuration, your Azure Machine Learning workspace's managed identity must be assigned the __Reader__ role for the virtual network that contains the workspace. For more information on assigning roles, see [Steps to assign an Azure role](../role-based-access-control/role-assignments-steps.md).

+> When creating a compute instance with no public IP, the managed identity for your workspace must be assigned the __Owner__ role on the virtual network. For more information on assigning roles, see [Steps to assign an Azure role](../role-based-access-control/role-assignments-steps.md).

+* [Use a firewall](how-to-access-azureml-behind-firewall.md)

+> If your Azure Container Registry uses a private endpoint or service endpoint to communicate with the virtual network, you cannot use a managed identity with an Azure Machine Learning compute cluster.

+> Azure Monitor supports using Azure Private Link to connect to a VNet. However, you must use the open Private Link mode in Azure Monitor. For more information, see [Private Link access modes: Private only vs. Open](../azure-monitor/logs/private-link-security.md#private-link-access-modes-private-only-vs-open).

+* [Use a firewall](how-to-access-azureml-behind-firewall.md)

+Add `--help` and/or `--debug` to commands to see more information.

+## Request tracing

+There are three supported tracing headers:

+- `x-request-id` is reserved for server tracing. We override this header to ensure it's a valid GUID.

+ > [!Note]

+ > When you create a support ticket for a failed request, attach the failed request ID to expedite investigation.

+

+- `x-ms-request-id` and `x-ms-client-request-id` are available for client tracing scenarios. We sanitize these headers to remove non-alphanumeric symbols. These headers are truncated to 72 characters.

+1. On the **Task type and settings** form, select the task type: classification, regression, or forecasting. See [supported task types](concept-automated-ml.md#when-to-use-automl-classification-regression-forecasting-computer-vision--nlp) for more information.

+Yes, it provides full backups to Azure Storage and restores to a new cluster. For more information, see [here](management-operations.md#backup-and-restore).

+> Backups can be restored to the same VNet/subnet as your existing cluster, but they cannot be restored to the *same cluster*. Backups can only be restored to **new clusters**. Backups are intended for accidental deletion scenarios, and are not geo-redundant. They are therefore not recommended for use as a disaster recovery (DR) strategy in case of a total regional outage. To safeguard against region-wide outages, we recommend a multi-region deployment. Take a look at our [quickstart for multi-region deployments](create-multi-region-cluster.md).

+For more information on security features, see our article [here](security.md).

+If your workload truly needs a normalized data model, consider a scalable relational store like Azure's [Hyperscale PostgreSQL](../postgresql/hyperscale/index.yml).

+* [Manage Azure Managed Instance for Apache Cassandra resources using Azure CLI](manage-resources-cli.md)

+description: Create plans for an Azure application offer in Partner Center | Azure Marketplace.

+1. In the **Plan name** box, enter a unique name for this plan. Customers will see this name when deciding which plan to select within your offer. Use a maximum of 2,000 characters.

+1. In the **Plan name** box, the name you provided earlier for this plan appears here. You can change it at any time. This name will appear in the commercial marketplace as the title of your offer's software plan and is limited to 200 characters.

+1. In the **Plan description** box, explain what makes this software plan unique and any differences from other plans within your offer. Don't describe the offer, just the plan. This description may contain up to 3,000 characters.

+1. The **Name** box is pre-filled with the name you entered earlier in the **New offer** dialog box, but you can change it at any time. This name will appear as the title of your offer listing on the online store.

+3. In the **Description** field, describe your consulting service offer. You can use HTML tags to format your description. You can enter up to 5,000 characters of text in this box, including HTML tags and spaces. For information about HTML formatting, see [HTML tags supported in the offer descriptions](./supported-html-tags.md).

+1. In the **Description** box, enter a description for your offer. This text box has rich text editor controls that you can use to make your description more engaging. You can also use HTML tags to format your description. You can enter up to 5,000 characters of text in this box, which includes HTML markup and spaces. For information about HTML formatting, see [HTML tags supported in the commercial marketplace offer descriptions](supported-html-tags.md).

+1. In the **Plan name** box, enter a unique name for this plan. Use a maximum of 200 characters.

+1. In the **Plan description** box, explain what makes this software plan unique and any differences from other plans within your offer. This description may contain up to 3,000 characters.

+- **Name** ΓÇô The name will appear as the title of your offer listing in the commercial marketplace. The name may be trademarked. It cannot contain emojis (unless they are the trademark and copyright symbols) and is limited to 200 characters.

+- **Name** ΓÇô The name will appear as the title of your offer listing in the commercial marketplace. The name may be trademarked. It cannot contain emojis (unless they are the trademark and copyright symbols) and is limited to 200 characters.

+- **Name**: This name will appear as the title of your offer listing in the commercial marketplace. The name may be trademarked. It cannot contain emojis (unless they are the trademark and copyright symbols) and must be limited to 200 characters.

+ This text box has rich text editor controls that you can use to make your description more engaging. You can also use HTML tags to format your description. You can enter up to 5,000 characters of text in this box, including HTML markup. For additional tips, see [Write a great app description](/windows/uwp/publish/write-a-great-app-description).

+| Offers | An ISV can now specify time-bound margins for CSP partners to incentivize them to sell it to their customers. When their partner makes a sale to a customer, Microsoft will pay the ISV the wholesale price. See [ISV to CSP Partner private offers](./isv-csp-reseller.md) and [the FAQs](./isv-csp-faq.yml). | 2022-02-15 |

+| Analytics | We added a new [Customer Retention Dashboard](./customer-retention-dashboard.md) that provides vital insights into customer retention and engagement. See the [FAQ article](./analytics-faq.yml). | 2022-02-15 |

+| Analytics | We added a Quality of Service (QoS) report query to the [List of system queries](./analytics-system-queries.md) used in the Create Report API. | 2022-01-27 |

+| Policy | The SaaS customer [refund window](/marketplace/refund-policies) is now [72 hours](./marketplace-faq-publisher-guide.yml) for all offers. | 2021-09-01 |

+| Analytics | Added questions and answers to the [Commercial marketplace analytics FAQ](./analytics-faq.yml), such as enrolling in the commercial marketplace, where to create a marketplace offer, getting started with programmatic access to commercial marketplace analytics reports, and more. | 2022-01-07 |

+|

+- Changing your encoder configuration after it has started pushing has negative effects on the event. Configuration changes can cause the event to become unstable. If you change your encoder configuration, you need to reset [Live Events](/rest/api/media/live-events/reset) and restart the live event in order for the change to take place. If you stop and start the live event without resetting it, the live event will preserve the previous configuration.

+> If you change any encoder configurations, reset [Live Events](/rest/api/media/live-events/reset) the channels and the live event for the change to take place. If you stop and start the live event without resetting it, the live event will preserve the previous configuration.

+[How to verify your encoder](encode-on-premises-encoder-partner.md)

+Azure Storage block blog limits apply to storage accounts used with Media Services. See [Azure Blob Storage limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-blob-storage-limits).

+[Overview](media-services-overview.md)

+- Create an Azure [Static Web App](../../static-web-apps/get-started-portal.md?tabs=vanilla-javascript).

+The below sample code illustrates connection pooling in Java.

+1. The Elastic Stack from version 5.0 and above requires Java 8. Run the command `java -version` to check your version. If you do not have Java installed, refer to documentation on the [Azure-suppored JDKs](/azure/developer/java/fundamentals/java-support-on-azure).

+1. The Elastic Stack from version 5.0 and above requires Java 8. Run the command `java -version` to check your version. If you do not have Java installed, refer to documentation on the [Azure-suppored JDKs](/azure/developer/java/fundamentals/java-support-on-azure).

+ms.devlang: rust

+Using [Azure CLI](/cli/azure/):

+ Using [ARM Template](../../azure-resource-manager/templates/index.yml):

+Using [Azure CLI](/cli/azure/):

+If you don't see an extension that you'd like to use, let us know. Vote for existing requests or create new feedback requests in our [feedback forum](https://feedback.azure.com/d365community/forum/c5e32b97-ee24-ec11-b6e6-000d3a4f0da0).

+ms.devlang: python

+ms.devlang: azurecli

+ms.devlang: azurecli

+ms.devlang: azurepowershell

+ms.devlang: azurecli

+ms.devlang: azurecli

+ms.devlang: azurepowershell