-* If you haven't created an DevOps organization, create one by following the instructions in [Sign up, sign in to Azure DevOps](/azure/devops/user-guide/sign-up-invite-teammates).

- $response = Invoke-RestMethod -Uri $graphuri -Method Put -Body $content -Headers $headers

-1. Search for and select **PowerShell**. Do not select "Azure PowerShell," "PowerShell on target machines," or another PowerShell entry.

-* Integrations with other Azure products such as [Azure Files][azure-files], [HD Insights][hd-insights], and [Windows Virtual Desktop][wvd].

-[wvd]: ../virtual-desktop/overview.md

-| **macOS** | ![Chrome supports USB on macOS for AAD accounts.][y] | ![Chrome does not support NFC on macOS for AAD accounts.][n] | ![Chrome does not support BLE on macOS for AAD accounts.][n] | ![Edge supports USB on macOS for AAD accounts.][y] | ![Edge does not support NFC on macOS for AAD accounts.][n] | ![Edge does not support BLE on macOS for AAD accounts.][n] | ![Firefox does not support USB on macOS for AAD accounts.][n] | ![Firefox does not support NFC on macOS for AAD accounts.][n] | ![Firefox does not support BLE on macOS for AAD accounts.][n] |

-| ChromeOS | Chrome |

-1. Create a resource group with [az group create](/cli/azure/group#az_group_create).

-1. Create a VM with [az vm create](/cli/azure/vm#az_vm_create&preserve-view=true) using a supported distribution in a supported region.

-1. Install the Azure AD login VM extension with [az vm extension set](/cli/azure/vm/extension#az_vm_extension_set).

-The following example uses [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. The username of your current Azure account is obtained with [az account show](/cli/azure/account#az_account_show), and the scope is set to the VM created in a previous step with [az vm show](/cli/azure/vm#az_vm_show). The scope could also be assigned at a resource group or subscription level, normal Azure RBAC inheritance permissions apply.

-> If your Azure AD domain and logon username domain do not match, you must specify the object ID of your user account with the `--assignee-object-id`, not just the username for `--assignee`. You can obtain the object ID for your user account with [az ad user list](/cli/azure/ad/user#az_ad_user_list).

-1. Create a resource group with [az group create](/cli/azure/group#az_group_create).

-1. Create a VM with [az vm create](/cli/azure/vm#az_vm_create) using a supported distribution in a supported region.

-Finally, install the Azure AD login VM extension to enable Azure AD login for Windows VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. Use [az vm extension](/cli/azure/vm/extension#az_vm_extension_set) set to install the AADLoginForWindows extension on the VM named `myVM` in the `myResourceGroup` resource group:

-The following example uses [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. The username of your active Azure account is obtained with [az account show](/cli/azure/account#az_account_show), and the scope is set to the VM created in a previous step with [az vm show](/cli/azure/vm#az_vm_show). The scope could also be assigned at a resource group or subscription level, and normal Azure RBAC inheritance permissions apply. For more information, see [Log in to a Linux virtual machine in Azure using Azure Active Directory authentication](../../virtual-machines/linux/login-using-aad.md).

-> If your AAD domain and logon username domain do not match, you must specify the object ID of your user account with the `--assignee-object-id`, not just the username for `--assignee`. You can obtain the object ID for your user account with [az ad user list](/cli/azure/ad/user#az_ad_user_list).

-For more information, see [az login](/cli/azure/reference-index#az_login) command reference, [az account](/cli/azure/account) command reference, or [az account tenant](/cli/azure/account/tenant) command reference.

- You also have the option to add an additional stage for a three-stage approval process. For example, you might want an employeeΓÇÖs manager to be the first stage approver for an access package. But, one of the resources in the access package contains confidential information. In this case, you could designate the resource owner as a second approver and a security reviewer as the third approver (Preview).

-1. Add the **Third Approver (Preview)**:

- If the users aren't in your directory, select **Internal sponsor** or **External sponsor** as the third approver. After selecting the approver, add the fallback approvers.

-1. Specify the number of days the third approver (Preview) has to approve the request in the box under **Decision must be made in how many days?**.

-Use the [az identity create](/cli/azure/identity#az_identity_create) command to create a user-assigned managed identity. The `-g` parameter specifies the resource group where to create the user-assigned managed identity. The `-n` parameter specifies its name. Replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values.

-To list user-assigned managed identities, use the [az identity list](/cli/azure/identity#az_identity_list) command. Replace the `<RESOURCE GROUP>` value with your own value.

-To delete a user-assigned managed identity, use the [az identity delete](/cli/azure/identity#az_identity_delete) command. The -n parameter specifies its name. The -g parameter specifies the resource group where the user-assigned managed identity was created. Replace the `<USER ASSIGNED IDENTITY NAME>` and `<RESOURCE GROUP>` parameter values with your own values.

-1. Obtain an access token by using [az account get-access-token](/cli/azure/account#az_account_get_access_token).

-1. In this example, we are giving an Azure virtual machine access to a storage account. First we use [az resource list](/cli/azure/resource/#az_resource_list) to get the service principal for the virtual machine named myVM:

-1. Once you have the service principal ID, use [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) to give the virtual machine or virtual machine scale set "Reader" access to a storage account called "myStorageAcct":

- - Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az_login).

-Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<UAMI NAME>` parameter values with your own values:

-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az_group_create). You can skip this step if you already have resource group you would like to use instead:

-1. Create a VM using [az vm create](/cli/azure/vm/#az_vm_create). The following example creates a VM named *myVM* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:

-1. If you're using the Azure CLI in a local console, first sign in to Azure using [az login](/cli/azure/reference-index#az_login). Use an account that is associated with the Azure subscription that contains the VM.

-1. You can skip this step if you already have a resource group you would like to use. Create a [resource group](~/articles/azure-resource-manager/management/overview.md#terminology) for containment and deployment of your user-assigned managed identity, using [az group create](/cli/azure/group/#az_group_create). Be sure to replace the `<RESOURCE GROUP>` and `<LOCATION>` parameter values with your own values. :

-2. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name.

-3. Create a VM using [az vm create](/cli/azure/vm/#az_vm_create). The following example creates a VM associated with the new user-assigned identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VM NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values.

-1. Create a user-assigned identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:

-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az_group_create). You can skip this step if you already have a resource group you would like to use instead:

-1. [Create](/cli/azure/vmss/#az_vmss_create) a virtual machine scale set. The following example creates a virtual machine scale set named *myVMSS* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:

-If you need to [Enable](/cli/azure/vmss/identity/#az_vmss_identity_assign) the system-assigned managed identity on an existing Azure virtual machine scale set:

-1. You can skip this step if you already have a resource group you would like to use. Create a [resource group](~/articles/azure-resource-manager/management/overview.md#terminology) for containment and deployment of your user-assigned managed identity, using [az group create](/cli/azure/group/#az_group_create). Be sure to replace the `<RESOURCE GROUP>` and `<LOCATION>` parameter values with your own values. :

-2. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:

-3. [Create](/cli/azure/vmss/#az_vmss_create) a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VMSS NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY>` parameter values with your own values.

-1. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:

-To [remove](/cli/azure/vmss/identity#az_vmss_identity_remove) a user-assigned managed identity from a virtual machine scale set use `az vmss identity remove`. If this is the only user-assigned managed identity assigned to the virtual machine scale set, `UserAssigned` will be removed from the identity type value. Be sure to replace the `<RESOURCE GROUP>` and `<VIRTUAL MACHINE SCALE SET NAME>` parameter values with your own values. The `<USER ASSIGNED IDENTITY>` will be the user-assigned managed identity's `name` property, which can be found in the identity section of the virtual machine scale set using `az vmss identity show`:

-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az_group_create). You can skip this step if you already have resource group you would like to use instead:

-2. Create a [network interface](/cli/azure/network/nic#az_network_nic_create) for your VM:

-2. Create a [network interface](/cli/azure/network/nic#az_network_nic_create) for your VM:

-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az_group_create). You can skip this step if you already have resource group you would like to use instead:

-2. Create a [network interface](/cli/azure/network/nic#az_network_nic_create) for your virtual machine scale set:

-2. Create a [network interface](/cli/azure/network/nic#az_network_nic_create) for your virtual machine scale set:

- - Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az_login). Use an account associated with the Azure subscription in which you'd like to create resources.

-Create a VM using [az vm create](/cli/azure/vm/#az_vm_create). The following example creates a VM named *myVM* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:

-* An AWS single sign-on (SSO) enabled subscription.

-# Tutorial: Azure Active Directory integration with Clarizen One

-4. On the **Set up Single Sign-On with SAML** page, perform the following steps:

- b. In the **Reply URL** text box, type the URL:

- `https://.clarizen.com/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx`

-Once you configure Clarizen One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with iAuditor

- `https://safetyculture.au.auth0.com/login/callback?connection=<CustomerName>`

-To configure single sign-on on **iAuditor** side, you need to send the **Certificate (PEM)** to [iAuditor support team](mailto:support@safetyculture.com). They set this setting to have the SAML SSO connection set properly on both sides.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with IntSights

-* IntSights supports **SP and IDP** initiated SSO

-* IntSights supports **Just In Time** user provisioning

-## Adding IntSights from the gallery

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:

- `https://<SUBDOMAIN>.intsights.com/auth/saml-callback/azure`

- `https://<SUBDOMAIN>.intsights.com/auth/saml-callback/azure`

- `https://<SUBDOMAIN>.intsights.com/auth/saml-callback/azure`

- > These values are not real. Update these values with the actual Sign-on URL, Identifier and Reply URL. Contact [IntSights Client support team](mailto:supportteam@intsights.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-description: Learn how to configure single sign-on between Azure Active Directory and Mimecast Admin Console.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Mimecast Admin Console

-In this tutorial, you'll learn how to integrate Mimecast Admin Console with Azure Active Directory (Azure AD). When you integrate Mimecast Admin Console with Azure AD, you can:

-* Control in Azure AD who has access to Mimecast Admin Console.

-* Enable your users to be automatically signed-in to Mimecast Admin Console with their Azure AD accounts.

-* Manage your accounts in one central location - the Azure portal.

-## Prerequisites

-To get started, you need the following items:

-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

-* Mimecast Admin Console single sign-on (SSO) enabled subscription.

-## Scenario description

-In this tutorial, you configure and test Azure AD SSO in a test environment.

-* Mimecast Admin Console supports **SP and IDP** initiated SSO

-## Add Mimecast Admin Console from the gallery

-To configure the integration of Mimecast Admin Console into Azure AD, you need to add Mimecast Admin Console from the gallery to your list of managed SaaS apps.

-1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

-1. On the left navigation pane, select the **Azure Active Directory** service.

-1. Navigate to **Enterprise Applications** and then select **All Applications**.

-1. To add new application, select **New application**.

-1. In the **Add from the gallery** section, type **Mimecast Admin Console** in the search box.

-1. Select **Mimecast Admin Console** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for Mimecast Admin Console

-Configure and test Azure AD SSO with Mimecast Admin Console using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mimecast Admin Console.

-To configure and test Azure AD SSO with Mimecast Admin Console, perform the following steps:

-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

-1. **[Configure Mimecast Admin Console SSO](#configure-mimecast-admin-console-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create Mimecast Admin Console test user](#create-mimecast-admin-console-test-user)** - to have a counterpart of B.Simon in Mimecast Admin Console that is linked to the Azure AD representation of user.

-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

-## Configure Azure AD SSO

-Follow these steps to enable Azure AD SSO in the Azure portal.

-1. In the Azure portal, on the **Mimecast Admin Console** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Select a single sign-on method** page, select **SAML**.

-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Basic SAML Configuration** section, if you wish to configure the application in IDP initiated mode, perform the following steps:

- a. In the **Identifier** textbox, type the URL using the following pattern:

- | Region | Value |

- | | |

- | Europe | `https://eu-api.mimecast.com/sso/<accountcode>`|

- | United States | `https://us-api.mimecast.com/sso/<accountcode>`|

- | South Africa | `https://za-api.mimecast.com/sso/<accountcode>`|

- | Australia | `https://au-api.mimecast.com/sso/<accountcode>`|

- | Offshore | `https://jer-api.mimecast.com/sso/<accountcode>`|

- > [!NOTE]

- > You will find the `accountcode` value in the Mimecast Admin Console under **Account** > **Settings** > **Account Code**. Append the `accountcode` to the Identifier.

- b. In the **Reply URL** textbox, type the URL:

- | Region | Value |

- | | |

- | Europe | `https://eu-api.mimecast.com/login/saml`|

- | United States | `https://us-api.mimecast.com/login/saml`|

- | South Africa | `https://za-api.mimecast.com/login/saml`|

- | Australia | `https://au-api.mimecast.com/login/saml`|

- | Offshore | `https://jer-api.mimecast.com/login/saml`|

-1. If you wish to configure the application in **SP** initiated mode:

- In the **Sign-on URL** textbox, type the URL:

- | Region | Value |

- | | |

- | Europe | `https://login-eu.mimecast.com/administration/app/#/administration-dashboard`|

- | United States | `https://login-us.mimecast.com/administration/app/#/administration-dashboard`|

- | South Africa | `https://login-za.mimecast.com/administration/app/#/administration-dashboard`|

- | Australia | `https://login-au.mimecast.com/administration/app/#/administration-dashboard`|

- | Offshore | `https://login-jer.mimecast.com/administration/app/#/administration-dashboard`|

-1. Click **Save**.

-1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

- 

-### Create an Azure AD test user

-In this section, you'll create a test user in the Azure portal called B.Simon.

-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

-1. Select **New user** at the top of the screen.

-1. In the **User** properties, follow these steps:

- 1. In the **Name** field, enter `B.Simon`.

- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

- 1. Click **Create**.

-### Assign the Azure AD test user

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mimecast Admin Console.

-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

-1. In the applications list, select **Mimecast Admin Console**.

-1. In the app's overview page, find the **Manage** section and select **Users and groups**.

-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

-1. In the **Add Assignment** dialog, click the **Assign** button.

-## Configure Mimecast Admin Console SSO

-1. In a different web browser window, sign into Mimecast Administration Console.

-1. Navigate to **Administration** > **Services** > **Applications**.

- 

-1. Click **Authentication Profiles** tab.

-

- 

-1. Click **New Authentication Profile** tab.

- 

-1. Provide a valid description in the **Description** textbox and select **Enforce SAML Authentication for Administration Console** checkbox.

- 

-1. On the **SAML Configuration for Administration Console** page, perform the following steps:

- 

- a. For **Provider**, select **Azure Active Directory** from the Dropdown.

- b. In the **Metadata URL** textbox, paste the **App Federation Metadata URL** value, which you have copied from the Azure portal.

- c. Click **Import**. After importing the Metadata URL, the fields will be populated automatically, no need to perform any action on these fields.

- d. Make sure you uncheck **Use Password protected Context** and **Use Integrated Authentication Context** checkboxes.

- e. Click **Save**.

-### Create Mimecast Admin Console test user

-1. In a different web browser window, sign into Mimecast Administration Console.

-1. Navigate to **Administration** > **Directories** > **Internal Directories**.

- 

-1. Select on your domain, if the domain is mentioned below, otherwise please create a new domain by clicking on the **New Domain**.

- 

-1. Click **New Address** tab.

- 

-1. Provide the required user information on the following page:

- 

- a. In the **Email Address** textbox, enter the email address of the user like `B.Simon@yourdomainname.com`.

- b. In the **Global Name** textbox, enter the **Full name** of the user.

- c. In the **Password** and **Confirm Password** textboxes, enter the password of the user.

- d. Select **Force Change at Login** checkbox.

- e. Click **Save**.

- f. To assign roles to the user, click on **Role Edit** and assign the required role to user as per your organization requirement.

- 

-## Test SSO

-In this section, you test your Azure AD single sign-on configuration with following options.

-#### SP initiated:

-* Click on **Test this application** in Azure portal. This will redirect to Mimecast Admin Console Sign on URL where you can initiate the login flow.

-* Go to Mimecast Admin Console Sign-on URL directly and initiate the login flow from there.

-#### IDP initiated:

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Mimecast Admin Console for which you set up the SSO

-You can also use Microsoft My Apps to test the application in any mode. When you click the Mimecast Admin Console tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Mimecast Admin Console for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Next steps

-Once you configure Mimecast Admin Console you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

- >![NOTE]

- >**Schema Discovery** is enabled on this app. Hence you might see more attributes in the application than mentioned in the table above.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Azure AD SAML Toolkit

-* Azure AD SAML Toolkit supports **SP** initiated SSO

-## Adding Azure AD SAML Toolkit from the gallery

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Basic SAML Configuration** page, enter the values for the following fields:

- a. In the **Sign on URL** text box, type the URL:

- `https://samltoolkit.azurewebsites.net/`

- b. In the **Reply URL** text box, type the URL:

-1. Open a new web browser window, if you have not registered in the Azure AD SAML Toolkit website, first register by clicking on the **Register**. If you have registered already, sign into your Azure AD SAML Toolkit company site using the registered sign in credentials.

-1. Click on **Test this application** in Azure portal. This will redirect to SAML Toolkit Sign-on URL where you can initiate the login flow.

-2. Go to SAML Toolkit Sign-on URL directly and initiate the login flow from there.

-3. You can use Microsoft Access Panel. When you click the SAML Toolkit tile in the Access Panel, you should be automatically signed in to the SAML Toolkit for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Next Steps

-Once you configure Azure AD SAML Toolkit you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-# Tutorial: Azure Active Directory integration with SECURE DELIVER

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- `https://<companyname>.i-securedeliver.jp/sd/<tenantname>/jsf/login/sso`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- > [!NOTE]

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [SECURE DELIVER Client support team](mailto:iw-sd-support@fujifilm.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.

- 

-6. On the **Set up SECURE DELIVER** section, copy the appropriate URL(s) as per your requirement.

- 

-To configure single sign-on on **SECURE DELIVER** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [SECURE DELIVER support team](mailto:iw-sd-support@fujifilm.com). They set this setting to have the SAML SSO connection set properly on both sides.

-Once you configure SECURE DELIVER you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-Azure Advisor determines that you do not have a validation environment enabled in current subscription. When creating your host pools, you have selected \"No\" for \"Validation environment\" in the properties tab. Having at least one host pool with a validation environment enabled ensures the business continuity through Windows Virtual Desktop service deployments with early detection of potential issues. [Learn more](../virtual-desktop/create-validation-host-pool.md)

-Azure Advisor detects that too many of your host pools have validation environment enabled. In order for validation environments to best serve their purpose, you should have at least one, but never more than half of your host pools in validation environment. By having a healthy balance between your host pools with validation environment enabled and those with it disabled, you will best be able to utilize the benefits of the multistage deployments that Windows Virtual Desktop offers with certain updates. To fix this issue, open your host pool's properties and select \"No\" next to the \"Validation Environment\" setting.

-## Improve user experience and connectivity by deploying VMs closer to Windows Virtual Desktop deployment location

-We have determined that your VMs are located in a region different or far from where your users are connecting from, using Windows Virtual Desktop (WVD). This may lead to prolonged connection response times and will impact overall user experience on WVD. When creating VMs for your host pools, you should attempt to use a region closer to the user. Having close proximity ensures continuing satisfaction with the WVD service and a better overall quality of experience. [Learn more about connection latency here](../virtual-desktop/connection-latency.md).

-To learn more about load balancing in Windows Virtual Desktop, see [Configure the Windows Virtual Desktop load-balancing method](../virtual-desktop/troubleshoot-set-up-overview.md).

-We have determined that you do not have a validation environment enabled in current subscription. When creating your host pools, you have selected "No" for "Validation environment" in the properties tab. Having at least one host pool with a validation environment enabled ensures the business continuity through Windows Virtual Desktop service deployments with early detection of potential issues.

-We have determined that too many of your host pools have Validation Environment enabled. In order for Validation Environments to best serve their purpose, you should have at least one, but never more than half of your host pools in Validation Environment. By having a healthy balance between your host pools with Validation Environment enabled and those with it disabled, you will best be able to utilize the benefits of the multistage deployments that Windows Virtual Desktop offers with certain updates. To fix this issue, open your host pool's properties and select "No" next to the "Validation Environment" setting.

-We have determined that your VMs are located in a region different or far from where your users are connecting from, using Windows Virtual Desktop (WVD). This may lead to prolonged connection response times and will impact overall user experience on WVD.

-We have determined that your VMs are located in a region different or far from where your users are connecting from, using Windows Virtual Desktop (WVD). This may lead to prolonged connection response times and will impact overall user experience on WVD. When creating VMs for your host pools, you should attempt to use a region closer to the user. Having close proximity ensures continuing satisfaction with the WVD service and a better overall quality of experience.

-### Access to mandatory URLs missing for your Windows Virtual Desktop environment

-In order for a session host to deploy and register to WVD properly, you need to add a set of URLs to allowed list in case your virtual machine runs in restricted environment. After visiting "Learn More" link, you will be able to see the minimum list of URLs you need to unblock to have a successful deployment and functional session host. For specific URL(s) missing from allowed list, you may also search Application event log for event 3702.

-Learn more about [Virtual machine - SessionHostNeedsAssistanceForUrlCheck (Access to mandatory URLs missing for your Windows Virtual Desktop environment)](../virtual-desktop/safe-url-list.md).

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-provider-register]: /cli/azure/provider#az_provider_register

-[az-aks-create]: /cli/azure/aks#az_aks_create

-[az-extension-add]: /cli/azure/extension#az_extension_add

-[az-extension-update]: /cli/azure/extension#az_extension_update

-[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add

-[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials

-[az-aks-show]: /cli/azure/aks#az_aks_show

-[az-extension-add]: /cli/azure/extension#az_extension_add

-[az-extension-update]: /cli/azure/extension#az_extension_update

-[az-aks-create]: /cli/azure/aks#az_aks_create

-[az-aks-update]: /cli/azure/aks#az_aks_update

-[az-aks-scale]: /cli/azure/aks#az_aks_scale

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-provider-register]: /cli/azure/provider#az_provider_register

-* Run the [az aks check-acr](/cli/azure/aks#az_aks_check_acr) command to validate that the registry is accessible from the AKS cluster.

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-provider-register]: /cli/azure/provider#az_provider_register

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-provider-register]: /cli/azure/provider#az_provider_register

-[az-extension-add]: /cli/azure/extension#az_extension_add

-[az-extension-update]: /cli/azure/extension#az_extension_update

-[az-aks-create]: /cli/azure/aks#az_aks_create

-[az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons

-[az-aks-disable-addons]: /cli/azure/aks#az_aks_disable_addons

-[az-aks-show]: /cli/azure/aks#az_aks_show

-[az-extension-add]: /cli/azure/extension#az_extension_add

-[az-extension-update]: /cli/azure/extension#az_extension_update

-[az-aks-create]: /cli/azure/aks#az_aks_create

-[az-aks-update]: /cli/azure/aks#az_aks_update

-[az-aks-scale]: /cli/azure/aks#az_aks_scale

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-provider-register]: /cli/azure/provider#az_provider_register

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-provider-register]: /cli/azure/provider#az_provider_register

-[az-aks-create]: /cli/azure/aks#az_aks_create

-It might take several minutes for the status to show as **Registered**. You can check the registration status by using the [az feature list](/cli/azure/feature#az_feature_list) command:

-When the status shows as registered, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register](/cli/azure/provider#az_provider_register) command:

- Create a resource group called *java-liberty-project-postgresql* using the [az group create](/cli/azure/group#az_group_create) command in the *eastus* location.

- Use the [az postgres server create](/cli/azure/postgres/server#az_postgres_server_create) command to create the DB server. The following example creates a DB server named *youruniquedbname*. Make sure *youruniqueacrname* is unique within Azure.

-To avoid Azure charges, you should clean up unnecessary resources. When the cluster is no longer needed, use the [az group delete](/cli/azure/group#az_group_delete) command to remove the resource group, container service, container registry, and all related resources.

-Create a resource group called *java-liberty-project* using the [az group create](/cli/azure/group#az_group_create) command in the *eastus* location. This resource group will be used later for creating the Azure Container Registry (ACR) instance and the AKS cluster.

-Use the [az acr create](/cli/azure/acr#az_acr_create) command to create the ACR instance. The following example creates an ACR instance named *youruniqueacrname*. Make sure *youruniqueacrname* is unique within Azure.

-Use the [az aks create](/cli/azure/aks#az_aks_create) command to create an AKS cluster. The following example creates a cluster named *myAKSCluster* with one node. This will take several minutes to complete.

-To manage a Kubernetes cluster, you use [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/), the Kubernetes command-line client. If you use Azure Cloud Shell, `kubectl` is already installed. To install `kubectl` locally, use the [az aks install-cli](/cli/azure/aks#az_aks_install_cli) command:

-To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials](/cli/azure/aks#az_aks_get_credentials) command. This command downloads credentials and configures the Kubernetes CLI to use them.

-To avoid Azure charges, you should clean up unnecessary resources. When the cluster is no longer needed, use the [az group delete](/cli/azure/group#az_group_delete) command to remove the resource group, container service, container registry, and all related resources.

-[az-aks-create]: /cli/azure/aks#az_aks_create

-[az-aks-show]: /cli/azure/aks#az_aks_show

-[az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons

-[az aks install-cli]: /cli/azure/aks#az_aks_install_cli

-[az aks get-credentials]: /cli/azure/aks#az_aks_get_credentials

-[az-network-dns-record-set-a-add-record]: /cli/azure/network/dns/record-set/#az_network_dns_record_set_a_add_record

-[helm-install]: https://docs.helm.sh/using_helm/#installing-helm

-You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) by using the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). You can run this command using [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.

-description: Configure Monitoring and Observability with Open Service Mesh on Azure Kubernetes Service (AKS)

-# Configure Monitoring and Observability with Open Service Mesh on Azure Kubernetes Service (AKS)

-Both Azure Monitor and Azure Application Insights assist with maximizing the availability and performance of your applications and services. These services deliver a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.

-The OSM AKS add-on will have deep integrations into both of these Azure services, and provide a seamless Azure experience for viewing and responding to critical KPIs provided by OSM metrics.

-## Enable Azure Monitor

-Once the OSM AKS add-on has been enabled on the AKS cluster, Azure Monitor needs to be enabled in the cluster via Azure portal. Click on the AKS cluster, navigate to the "Insights" tab under "Monitoring," and select "Enable."

-Once Azure Monitor has been enabled, you should be able to see the following pods in the kube-system namespace:

-```

-kube-system omsagent-5pn4c 1/1 Running 0 24m

-kube-system omsagent-6r6zt 1/1 Running 0 24m

-kube-system omsagent-j8xrh 1/1 Running 0 24m

-kube-system omsagent-rs-74b8f7dfd8-rp5vx 1/1 Running 1 24m

-```

-## Enable metrics in OSM monitored namespaces

-For metrics to be scraped from a particular namespace monitored by the mesh, the following command needs to be run:

-```sh

-osm metrics enable --namespace <namespace>

-```

-For instance, if you are running the [bookstore demo](https://docs.openservicemesh.io/docs/getting_started/install_apps/), you would run the `osm metrics enable` command on the following namespaces:

-```sh

-osm metrics enable --namespace bookbuyer

-osm metrics enable --namespace bookstore

-osm metrics enable --namespace bookthief

-osm metrics enable --namespace bookwarehouse

-```

-## Apply ConfigMap

-Create the following ConfigMap in `kube-system`, which will tell Azure Monitor what namespaces should be monitored. For instance, for the bookbuyer / bookstore demo, the ConfigMap would look as follows:

-```yaml

-kind: ConfigMap

-apiVersion: v1

-data:

- schema-version: v1

- config-version: ver1

- osm-metric-collection-configuration: |-

- # OSM metric collection settings

- [osm_metric_collection_configuration]

- [osm_metric_collection_configuration.settings]

- # Namespaces to monitor

- monitor_namespaces = ["bookstore", "bookbuyer", "bookthief", "bookwarehouse"]

-metadata:

- name: container-azm-ms-osmconfig

- namespace: kube-system

-```

-## View metrics in the Azure portal

-In Azure portal, select the Kubernetes cluster and then the "Logs" tab under "Monitoring." You should be now able to query the `InsightsMetrics` table to view metrics in the enabled namespaces. For instance, if you wanted to see the envoy metrics for `bookbuyer`, you would use the following query:

-```sh

-InsightsMetrics

-| where Name contains "envoy"

-| extend t=parse_json(Tags)

-| where t.app == "bookbuyer"

-```

-## Additional information

-For more information on how to enable and configure Azure Monitor and Azure Application Insights for the OSM AKS add-on, visit the [Azure Monitor for OSM](https://aka.ms/azmon/osmpreview) page.

-In addition, there are open source tools you can use with OSM for observability. For more information, see the [OSM Observability][osm-observeability].

-[osm-observeability]: https://docs.openservicemesh.io/docs/guides/observability/

-In Azure, you can associate related resources by using a resource group. Create a resource group by using [az group create](/cli/azure/group#az_group_create). The following example creates a resource group named *my-osm-bicep-aks-cluster-rg* in a specified Azure location (region):

-[az-provider-register]: /cli/azure/provider#az_provider_register

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-group-delete]: /cli/azure/group#az_group_delete

-description: Learn about the access restriction policies available for use in Azure API Management.

-This topic provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).

-> This policy can be used only once per policy document.

->

-> [Policy expressions](api-management-policy-expressions.md) cannot be used in any of the policy attributes for this policy.

-> Due to the distributed nature of throttling architecture, rate limiting is never completely accurate. The difference between configured and the real number of allowed requests vary based on request volume and rate, backend latency, and other factors.

-> [!NOTE]

-> To understand the difference between rate limits and quotas, [see Rate limits and quotas.](./api-management-sample-flexible-throttling.md#rate-limits-and-quotas)

-> [!NOTE]

-> To understand the difference between rate limits and quotas, [see Rate limits and quotas.](./api-management-sample-flexible-throttling.md#rate-limits-and-quotas)

-> This policy can be used only once per policy document.

->

-> [Policy expressions](api-management-policy-expressions.md) cannot be used in any of the policy attributes for this policy.

-> [!NOTE]

-> To understand the difference between rate limits and quotas, [see Rate limits and quotas.](./api-management-sample-flexible-throttling.md#rate-limits-and-quotas)

-> [!NOTE]

-> To understand the difference between rate limits and quotas, [see Rate limits and quotas.](./api-management-sample-flexible-throttling.md#rate-limits-and-quotas)

-For more information about custom CA certificates and certificate authorities, see [How to add a custom CA certificate in Azure API Management](api-management-howto-ca-certificates.md).

-## Next steps

-For more information working with policies, see:

-description: Learn about the advanced policies available for use in Azure API Management. See examples and view additional available resources.

-This topic provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).

-> [!NOTE]

-> Removing this policy results in the request not being forwarded to the backend service and the policies in the outbound section are evaluated immediately upon the successful completion of the policies in the inbound section.

-This operation level policy explicitly forwards all requests to the backend service with a timeout of 120 and does not inherit the parent API level backend policy. If the backend service responds with a error status code from 400 to 599 inclusive, [on-error](api-management-error-handling-policies.md) section will be triggered.

-| buffer-request-body="false &#124; true" | When set to "true" request is buffered and will be reused on [retry](api-management-advanced-policies.md#Retry). | No | false |

-| buffer-response="false &#124; true" | Affects processing of chunked responses. When set to "false", each chunk received from the backend is immediately returned to the caller. When set to "true", chunks are buffered (8KB, unless end of stream is detected) and only then returned to the caller.<br/><br/>Set to "false" with backends such as those implementing [server-sent events (SSE)](how-to-server-sent-events.md) that require content to be returned or streamed immediately to the caller. | No | true |

-| fail-on-error-status-code="false &#124; true" | When set to true triggers [on-error](api-management-error-handling-policies.md) section for response codes in the range from 400 to 599 inclusive. | No | false |

-The `limit-concurrency` policy prevents enclosed policies from executing by more than the specified number of requests at any time. Upon exceeding that number, new requests will fail immediately with 429 Too Many Requests status code.

-## <a name="log-to-eventhub"></a> Log to Event Hub

-The `log-to-eventhub` policy sends messages in the specified format to an Event Hub defined by a Logger entity. As its name implies, the policy is used for saving selected request or response context information for online or offline analysis.

-This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes) . Note that child policy usage restrictions will be inherited by this policy.

-In the following example there are two `choose` policies as immediate child policies of the `wait` policy. Each of these `choose` policies executes in parallel. Each `choose` policy attempts to retrieve a cached value. If there is a cache miss, a backend service is called to provide the value. In this example the `wait` policy does not complete until all of its immediate child policies complete, because the `for` attribute is set to `all`. In this example the context variables (`execute-branch-one`, `value-one`, `execute-branch-two`, and `value-two`) are declared outside of the scope of this example policy.

-## Next steps

-For more information working with policies, see:

-### Unsupported directives

-`wsdl:import`, `xsd:import`, and `xsd:include` aren't supported. Instead, merge the dependencies into one document.

-For an open-source tool to resolve and merge `wsdl:import`, `xsd:import`, and `xsd:include` dependencies in a WSDL file, see this [GitHub repo](https://github.com/Azure-Samples/api-management-schema-import).

-description: Learn about the authentication policies available for use in Azure API Management.

-This topic provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).

-Both system-assigned identity and any of the multiple user-assigned identity can be used to request token. If `client-id` is not provided system-assigned identity is assumed. If the `client-id` variable is provided token is requested for that user-assigned identity from Azure Active Directory

-## Next steps

-For more information working with policies, see:

-+ [Policies in API Management](api-management-howto-policies.md)

-+ [Transform APIs](transform-api.md)

-+ [Policy Reference](./api-management-policies.md) for a full list of policy statements and their settings

-+ [Policy samples](./policy-reference.md)

-description: Learn about the caching policies available for use in Azure API Management. See examples and view additional available resources.

-This article provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).

- - [Get from cache](#GetFromCache) - Perform cache look up and return a valid cached responses when available.

-Use the `cache-lookup` policy to perform cache look up and return a valid cached response when available. This policy can be applied in cases where response content remains static over a period of time. Response caching reduces bandwidth and processing requirements imposed on the backend web server and lowers latency perceived by API consumers.

-> The operation of storing the value in cache performed by this policy is asynchronous. The stored value can be retrieved using [Get value from cache](#GetFromCacheByKey) policy. However, the stored value may not be immediately available for retrieval since the asynchronous operation that stores the value in cache may still be in progress.

-## Next steps

-For more information working with policies, see:

-+ [Policies in API Management](api-management-howto-policies.md)

-+ [Transform APIs](transform-api.md)

-+ [Policy Reference](./api-management-policies.md) for a full list of policy statements and their settings

-+ [Policy samples](./policy-reference.md)

-description: Learn about the cross domain policies available for use in Azure API Management.

-This topic provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).

-If you call the method without the callback parameter ?cb=XXX it will return plain JSON (without a function call wrapper).

-If you add the callback parameter `?cb=XXX` it will return a JSONP result, wrapping the original JSON results around the callback function like `XYZ('<json result goes here>');`

-## Next steps

-For more information working with policies, see:

-+ [Policies in API Management](api-management-howto-policies.md)

-+ [Transform APIs](transform-api.md)

-+ [Policy Reference](./api-management-policies.md) for a full list of policy statements and their settings

-+ [Policy samples](./policy-reference.md)

-description: Learn about Azure API Management policies for interacting with Dapr microservices extensions.

-This topic provides a reference for Dapr integration API Management policies. Dapr is a portable runtime for building stateless and stateful microservices-based applications with any language or framework. It codifies the common microservice patterns, like service discovery and invocation with build-in retry logic, publish-and-subscribe with at-least-once delivery semantics, or pluggable binding resources to ease composition using external services. Go to [dapr.io](https://dapr.io) for detailed information and instruction on how to get started with Dapr. For information on adding and configuring policies, see [Policies in API Management](api-management-howto-policies.md).

-To see all your version sets, run the [az apim api versionset list](/cli/azure/apim/api/versionset#az_apim_api_versionset_list) command:

-To see details about a version set, run the [az apim api versionset show](/cli/azure/apim/api/versionset#az_apim_api_versionset_show) command:

-1. Run the [az apim api list](/cli/azure/apim/api#az_apim_api_list) command to see your API IDs:

-1. To create the release, with a release note, run the [az apim api release create](/cli/azure/apim/api/release#az_apim_api_release_create) command:

-1. To see your releases, use the [az apim api release list](/cli/azure/apim/api/release#az_apim_api_release_list) command:

-1. When you create a release, the `--notes` parameter is optional. You can add or change the notes later by using the [az apim api release update](/cli/azure/apim/api/release#az_apim_api_release_update) command:

-You can remove any release by running the [az apim api release delete ](/cli/azure/apim/api/release#az_apim_api_release_delete) command:

-To create a product, run the [az apim product create](/cli/azure/apim/product#az_apim_product_create) command:

-To see your current products, use the [az apim product list](/cli/azure/apim/product#az_apim_product_list) command:

-You can delete a product by using the [az apim product delete](/cli/azure/apim/product#az_apim_product_delete) command:

-1. To see your managed APIs, use the [az apim api list](/cli/azure/apim/api#az_apim_api_list) command:

-1. To add an API to your product, run the [az apim product api add](/cli/azure/apim/product/api#az_apim_product_api_add) command:

-1. Verify the addition by using the [az apim product api list](/cli/azure/apim/product/api#az_apim_product_api_list) command:

-You can remove an API from a product by using the [az apim product api delete](/cli/azure/apim/product/api#az_apim_product_api_delete) command:

-description: Learn how to create, edit, and configure policies in API Management. See code examples and other available resources.

-In Azure API Management, API publishers can change API behavior through configuration using policies. Policies are a collection of statements executed sequentially on the request or response of an API. Popular statements include:

-* Format conversion from XML to JSON.

-* Call rate limiting to restrict the number of incoming calls from a developer.

-Many more policies are available out of the box.

-Unless the policy specifies otherwise, policy expressions can be used as attribute values or text values in any of the API Management policies. Some policies are based on policy expressions, such as the [Control flow][Control flow] and [Set variable][Set variable]. For more information, see the [Advanced policies][Advanced policies] and [Policy expressions][Policy expressions] articles.

-Policy definitions are simple XML documents that describe a sequence of inbound and outbound statements. You can edit the XML directly in the definition window, which also provides:

-* A list of statements to the right.

-* Statements applicable to the current scope enabled and highlighted.

-Clicking an enabled statement will add the appropriate XML at the cursor in the definition view.

-> [!NOTE]

-> If the policy that you want to add is not enabled, ensure that you are in the correct scope for that policy. Each policy statement is designed for use in certain scopes and policy sections. To review the policy sections and scopes for a policy, check the **Usage** section in the [Policy Reference][Policy Reference].

-The configuration is divided into `inbound`, `backend`, `outbound`, and `on-error`. This series of specified policy statements is executed in order for a request and a response.

-For more information, see [Error handling in API Management policies](./api-management-error-handling-policies.md) for error codes for:

-* Built-in steps

-* Errors that may occur during the processing of policy statements.

-## <a name="scopes"> </a>How to configure policies

-For information on how to configure policies, see [Set or edit policies](set-edit-policies.md).

-## Policy Reference

-See the [Policy reference](./api-management-policies.md) for a full list of policy statements and their settings.

-## Policy samples

-See [Policy samples](./policy-reference.md) for more code examples.

-If you have a policy at the global level and a policy configured for an API, both policies will be applied whenever that particular API is used. API Management allows for deterministic ordering of combined policy statements via the `base` element.

-* The `cross-domain` statement would execute before any higher policies.

-* The `find-and-replace` policy would execute after any higher policies.

-> If you remove the `<base />` tag at the API scope, only policies configured at the API scope will be applied. Neither product nor global scope policies would be applied.

-### Restrict incoming requests

-To add a new statement to restrict incoming requests to specified IP addresses, place the cursor just inside the content of the `inbound` XML element and click the **Restrict caller IPs** statement.

-![Restriction policies][policies-restrict]

-This will add an XML snippet to the `inbound` element that provides guidance on how to configure the statement.

-<ip-filter action="allow | forbid">

- <address>address</address>

- <address-range from="address" to="address"/>

-</ip-filter>

-```

-To limit inbound requests and accept only those from an IP address of 1.2.3.4 modify the XML as follows:

-```xml

-<ip-filter action="allow">

- <address>1.2.3.4</address>

-</ip-filter>

-## Next steps

-For more information working with policies, see:

-+ [Transform APIs](transform-api.md)

-+ [Policy Reference](./api-management-policies.md) for a full list of policy statements and their settings

-+ [Policy samples](./policy-reference.md)

-[policies-restrict]: ./media/api-management-howto-policies/api-management-policies-restrict.png

-To add a named value, use the [az apim nv create](/cli/azure/apim/nv#az_apim_nv_create) command:

-After you create a named value, you can update it by using the [az apim nv update](/cli/azure/apim/nv#az_apim_nv_update) command. To see all your named values, run the [az apim nv list](/cli/azure/apim/nv#az_apim_nv_list) command:

-To see the details of the named value you created for this example, run the [az apim nv show](/cli/azure/apim/nv#az_apim_nv_show) command:

-This example is a secret value. The previous command does not return the value. To see the value, run the [az apim nv show-secret](/cli/azure/apim/nv#az_apim_nv_show_secret) command:

-To delete a named value, use the [az apim nv delete](/cli/azure/apim/nv#az_apim_nv_delete) command:

-description: Learn about the policies available for use in Azure API Management. Policies allow the publisher to change API behavior through configuration.

-# API Management policies

-This section provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](api-management-howto-policies.md).

- Policies are a powerful capability of the system that allow the publisher to change the behavior of the API through configuration. Policies are a collection of Statements that are executed sequentially on the request or response of an API. Popular Statements include format conversion from XML to JSON and call rate limiting to restrict the amount of incoming calls from a developer. Many more policies are available out of the box.

- Policy expressions can be used as attribute values or text values in any of the API Management policies, unless the policy specifies otherwise. Some policies such as the [Control flow](api-management-advanced-policies.md#choose) and [Set variable](api-management-advanced-policies.md#set-variable) policies are based on policy expressions. For more information, see [Advanced policies](api-management-advanced-policies.md#AdvancedPolicies) and [Policy expressions](api-management-policy-expressions.md).

-## <a name="ProxyPolicies"></a> Policies

- - [Check HTTP header](api-management-access-restriction-policies.md#CheckHTTPHeader) - Enforces existence and/or value of an HTTP Header.

- - [Limit call rate by subscription](api-management-access-restriction-policies.md#LimitCallRate) - Prevents API usage spikes by limiting call rate, on a per subscription basis.

- - [Limit call rate by key](api-management-access-restriction-policies.md#LimitCallRateByKey) - Prevents API usage spikes by limiting call rate, on a per key basis.

- - [Restrict caller IPs](api-management-access-restriction-policies.md#RestrictCallerIPs) - Filters (allows/denies) calls from specific IP addresses and/or address ranges.

- - [Set usage quota by subscription](api-management-access-restriction-policies.md#SetUsageQuota) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.

- - [Set usage quota by key](api-management-access-restriction-policies.md#SetUsageQuotaByKey) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.

- - [Validate JWT](api-management-access-restriction-policies.md#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.

- - [Validate client certificate](api-management-access-restriction-policies.md#validate-client-certificate) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.

- - [Control flow](api-management-advanced-policies.md#choose) - Conditionally applies policy statements based on the evaluation of Boolean expressions.

- - [Forward request](api-management-advanced-policies.md#ForwardRequest) - Forwards the request to the backend service.

- - [Limit concurrency](api-management-advanced-policies.md#LimitConcurrency) - Prevents enclosed policies from executing by more than the specified number of requests at a time.

- - [Log to Event Hub](api-management-advanced-policies.md#log-to-eventhub) - Sends messages in the specified format to a message target defined by a Logger entity.

- - [Emit metrics](api-management-advanced-policies.md#emit-metrics) - Sends custom metrics to Application Insights at execution.

- - [Mock response](api-management-advanced-policies.md#mock-response) - Aborts pipeline execution and returns a mocked response directly to the caller.

- - [Retry](api-management-advanced-policies.md#Retry) - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.

- - [Return response](api-management-advanced-policies.md#ReturnResponse) - Aborts pipeline execution and returns the specified response directly to the caller.

- - [Send one way request](api-management-advanced-policies.md#SendOneWayRequest) - Sends a request to the specified URL without waiting for a response.

- - [Send request](api-management-advanced-policies.md#SendRequest) - Sends a request to the specified URL.

- - [Set HTTP proxy](api-management-advanced-policies.md#SetHttpProxy) - Allows you to route forwarded requests via an HTTP proxy.

- - [Set variable](api-management-advanced-policies.md#set-variable) - Persist a value in a named context variable for later access.

- - [Set request method](api-management-advanced-policies.md#SetRequestMethod) - Allows you to change the HTTP method for a request.

- - [Set status code](api-management-advanced-policies.md#SetStatus) - Changes the HTTP status code to the specified value.

- - [Trace](api-management-advanced-policies.md#Trace) - Adds custom traces into the [API Inspector](./api-management-howto-api-inspector.md) output, Application Insights telemetries, and Resource Logs.

- - [Wait](api-management-advanced-policies.md#Wait) - Waits for enclosed [Send request](api-management-advanced-policies.md#SendRequest), [Get value from cache](api-management-caching-policies.md#GetFromCacheByKey), or [Control flow](api-management-advanced-policies.md#choose) policies to complete before proceeding.

- - [Authenticate with Basic](api-management-authentication-policies.md#Basic) - Authenticate with a backend service using Basic authentication.

- - [Authenticate with client certificate](api-management-authentication-policies.md#ClientCertificate) - Authenticate with a backend service using client certificates.

- - [Authenticate with managed identity](api-management-authentication-policies.md#ManagedIdentity) - Authenticate with a backend service using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md).

- - [Get from cache](api-management-caching-policies.md#GetFromCache) - Perform cache look up and return a valid cached response when available.

- - [Store to cache](api-management-caching-policies.md#StoreToCache) - Caches response according to the specified cache control configuration.

- - [Get value from cache](api-management-caching-policies.md#GetFromCacheByKey) - Retrieve a cached item by key.

- - [Store value in cache](api-management-caching-policies.md#StoreToCacheByKey) - Store an item in the cache by key.

- - [Remove value from cache](api-management-caching-policies.md#RemoveCacheByKey) - Remove an item in the cache by key.

- - [Allow cross-domain calls](api-management-cross-domain-policies.md#AllowCrossDomainCalls) - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.

- - [CORS](api-management-cross-domain-policies.md#CORS) - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.

- - [JSONP](api-management-cross-domain-policies.md#JSONP) - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.

- - [Convert JSON to XML](api-management-transformation-policies.md#ConvertJSONtoXML) - Converts request or response body from JSON to XML.

- - [Convert XML to JSON](api-management-transformation-policies.md#ConvertXMLtoJSON) - Converts request or response body from XML to JSON.

- - [Find and replace string in body](api-management-transformation-policies.md#Findandreplacestringinbody) - Finds a request or response substring and replaces it with a different substring.

- - [Mask URLs in content](api-management-transformation-policies.md#MaskURLSContent) - Re-writes (masks) links in the response body so that they point to the equivalent link via the gateway.

- - [Set backend service](api-management-transformation-policies.md#SetBackendService) - Changes the backend service for an incoming request.

- - [Set body](api-management-transformation-policies.md#SetBody) - Sets the message body for incoming and outgoing requests.

- - [Set HTTP header](api-management-transformation-policies.md#SetHTTPheader) - Assigns a value to an existing response and/or request header or adds a new response and/or request header.

- - [Set query string parameter](api-management-transformation-policies.md#SetQueryStringParameter) - Adds, replaces value of, or deletes request query string parameter.

- - [Rewrite URL](api-management-transformation-policies.md#RewriteURL) - Converts a request URL from its public form to the form expected by the web service.

- - [Transform XML using an XSLT](api-management-transformation-policies.md#XSLTransform) - Applies an XSL transformation to XML in the request or response body.

- - [Send request to a service](api-management-dapr-policies.md#invoke) - uses Dapr runtime to locate and reliably communicate with a Dapr microservice.

- - [Send message to Pub/Sub topic](api-management-dapr-policies.md#pubsub) - uses Dapr runtime to publish a message to a Publish/Subscribe topic.

- - [Trigger output binding](api-management-dapr-policies.md#bind) - uses Dapr runtime to invoke an external system via output binding.

- - [Validate content](validation-policies.md#validate-content) - Validates the size or JSON schema of a request or response body against the API schema.

-.

- - [Validate parameters](validation-policies.md#validate-parameters) - Validates the request header, query, or path parameters against the API schema.

- - [Validate headers](validation-policies.md#validate-headers) - Validates the response headers against the API schema.

- - [Validate status code](validation-policies.md#validate-status-code) - Validates the HTTP status codes in responses against the API schema.

- - [Validate GraphQL request](graphql-validation-policies.md#validate-graphql-request) - Validates and authorizes a request to a GraphQL API.

-For more information working with policies, see:

-+ [Policies in API Management](api-management-howto-policies.md)

-+ [Transform APIs](transform-api.md)

-+ [Policy samples](./policy-reference.md)

-* **Product** - Disable **Requires subscription** on the **Settings** page of the product.

-* **API** - Disable **Subscription required** on the **Settings** page of the API.

-After disabling the subscription requirement, the selected API or APIs can be accessed without a subscription key.

-+ Learn how API Management [policies](set-edit-policies.md#configure-scope) get applied at different scopes.

-description: Learn about the transformation policies available for use in Azure API Management.

-This topic provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).

-|sf-service-instance-name|Only applicable when the backend is a Service Fabric service. Allows to change service instances at runtime. |No|N/A|

-|set-body|Root element. Contains the body text or an expressions that returns a body.|Yes|

- Inserts a list of HTTP headers into an HTTP message. When placed in an inbound pipeline, this policy sets the HTTP headers for the request being passed to the target service. When placed in an outbound pipeline, this policy sets the HTTP headers for the response being sent to the gatewayΓÇÖs client.

-## Next steps

-For more information, see the following topics:

-+ [Policies in API Management](api-management-howto-policies.md)

-+ [Policy Reference](./api-management-policies.md) for a full list of policy statements and their settings

-+ [Policy samples](./policy-reference.md)

-We've minimized impacts of this upgrade on your operation of your API Management instance. However, if your instance is connected to an [Azure virtual network](virtual-network-concepts.md), you'll need to change some network configuration settings when the instance upgrades to the `stv2` platform version.

-## Compute platform versions

-| Version | Description | Architecture | API Management tiers |

-| -| -| -- | - |

-| `stv2` | Single-tenant v2 | [Virtual machine scale sets](../virtual-machine-scale-sets/overview.md) | Developer, Basic, Standard, and Premium |

-| `stv1` | Single-tenant v1 | [Cloud Service (classic)](../cloud-services/cloud-services-choose-me.md) | Developer, Basic, Standard, and Premium |

-| `mtv1` | Multi-tenant v1 | [App service](../app-service/overview.md) | Consumption |

-### Developer, Basic, Standard, and Premium tiers

-* Instances with virtual network connections created or updated using the Azure portal after **April 2021**, or using the API Management REST API version **2021-01-01-preview** or later, are hosted on the `stv2` platform

-* If you enabled [zone redundancy](zone-redundancy.md) in your Premium tier instance, it's hosted on the `stv2` platform

-* Otherwise, the instance is hosted on the `stv1` platform

-> [!TIP]

-> Starting with API version `2021-04-01-preview`, the API Management instance has a read-only `PlatformVersion` property that shows this platform information.

-### Consumption tier

-* All instances are hosted on the `mtv1` platform

-## How do I upgrade to the `stv2` platform?

-Update is only possible for an instance in the Developer, Basic, Standard, or Premium tier.

-Create or update the virtual network connection, or availability zone configuration, in an API Management instance using:

-* [Azure portal](https://portal.azure.com)

-* Azure REST API, or ARM template, specifying API version **2021-01-01-preview** or later

-> [!IMPORTANT]

-> When you update the compute platform version of an instance connected to an Azure [virtual network](virtual-network-concepts.md):

-> * You must provide a Standard SKU [public IPv4 address](../virtual-network/ip-services/public-ip-addresses.md#sku) resource

-First, create a resource group named *myResourceGroup* in the Central US location with the following [az group create](/cli/azure/group#az_group_create) command:

-Now that you have a resource group, you can create an API Management service instance. Create one by using the [az apim create](/cli/azure/apim#az_apim_create) command and provide a service name and publisher details. The service name must be unique within Azure.

-Check the status of the deployment by running the [az apim show](/cli/azure/apim#az_apim_show) command:

-When no longer needed, you can use the [az group delete](/cli/azure/group#az_group_delete) command to remove the resource group and the API Management service instance.

-description: Learn about a new policy you can use in Azure API Management to validate and authorize GraphQL requests.

-For more information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).

-## Next steps

-For more information about working with policies, see:

-To deploy the sample app, you can use the Azure CLI, Azure PowerShell, or the Azure portal. The following example uses the [az deployment group create](/cli/azure/deployment/group#az_deployment_group_create) command in the Azure CLI.

-To add an operation to your test API, run the [az apim api operation create](/cli/azure/apim/api/operation#az_apim_api_operation_create) command:

-Run the [az apim api operation list](/cli/azure/apim/api/operation#az_apim_api_operation_list) command to see all your operations for an API:

-To remove an operation, use the [az apim api operation delete](/cli/azure/apim/api/operation#az_apim_api_operation_delete) command. Get the operation ID from the previous command.

-description: Learn how to set or edit Azure API Management policies. These policies are XML documents that describe a sequence of inbound and outbound statements.

-The policy definition is an XML document that describes a sequence of inbound and outbound statements. The XML can be edited directly in the definition window. You can also select a predefined policy from the list that is provided to the right of the policy window. The statements applicable to the current scope are enabled and highlighted. Clicking an enabled statement adds the appropriate XML at the location of the cursor in the definition view.

-For detailed information about policies, see [Policies in Azure API Management](api-management-howto-policies.md).

-## Set or edit a policy

-To set or edit a policy, follow the following steps:

-1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

-2. Browse to your APIM instance.

-3. Click the **APIs** tab.

- 

-4. Select one of the APIs that you previously imported.

-5. Select the **Design** tab.

-6. Select an operation to which you want to apply the policy. If you want to apply the policy to all operations, select **All operations**.

-7. Select the **</>** (code editor) icon in the **Inbound processing** or **Outbound processing** section.

-8. Paste the desired policy code into one of the appropriate blocks.

-

-## Configure scope

-Policies can be configured globally or at the scope of a Product, API, or Operation. To begin configuring a policy, you must first select the scope at which the policy should apply.

-Policy scopes are evaluated in the following order:

-1. Global scope

-2. Product scope

-3. API scope

-4. Operation scope

-The statements within policies are evaluated according to the placement of the `base` element, if it is present. Global policy has no parent policy and using the `<base>` element in it has no effect.

-To see the policies in the current scope in the policy editor, click **Recalculate effective policy for selected scope**.

-Global scope is configured for **All APIs** in your APIM instance.

-1. Sign in to the [Azure portal](https://portal.azure.com/) and navigate to your APIM instance.

-2. Click **All APIs**.

- 

-3. Click the triangle icon.

-4. Select **Code editor**.

-5. Add or edit policies.

-6. Press **Save**.

- The changes are propagated to the API Management gateway immediately.

-Product scope is configured for the selected product.

-1. Click **Products**.

- 

-2. Select the product to which you want to apply policies.

-3. Click **Policies**.

-4. Add or edit policies.

-5. Press **Save**.

-API scope is configured for **All Operations** of the selected API.

-1. Select the **API** you want to apply policies to.

- 

-2. Select **All operations**

-3. Click the triangle icon.

-4. Select **Code editor**.

-5. Add or edit policies.

-6. Press **Save**.

-Operation scope is configured for the selected operation.

-1. Select an **API**.

-2. Select the operation you want to apply policies to.

- 

-3. Click the triangle icon.

-4. Select **Code editor**.

-5. Add or edit policies.

-6. Press **Save**.

-See the following related topics:

-+ [Transform APIs](transform-api.md)

-+ [Policy Reference](./api-management-policies.md) for a full list of policy statements and their settings

-+ [Policy samples](./policy-reference.md)

-In this tutorial, you'll learn how to transform your API so it doesn't reveal private backend info. Transforming an API might help you hide the technology stack info that's running in the backend. It also helps you hide the original URLs that appear in the body of the API's HTTP response.

-The tutorial also explains how to add protection to your backend API by configuring a rate limit with Azure API Management. You might want to limit the rate of API calls so the API isn't overused by developers. For more information, see [API Management policies](api-management-policies.md).

-1. In the **Outbound processing** section, select the code editor (**</>**) icon.

-1. Position the cursor inside the **&lt;outbound&gt;** element, and then select **Show snippets** at the top-right corner of the screen.

- :::image type="content" source="media/transform-api/show-snippets.png" alt-text="Show snippets":::

-1. In the right window, under **Transformation policies**, select **Set HTTP header** twice (to insert two policy snippets).

-1. Modify your **\<outbound>** code to the following code:

- ```

- <set-header name="X-Powered-By" exists-action="delete" />

- <set-header name="X-AspNet-Version" exists-action="delete" />

- ```

-1. Select **Save**.

-This section shows how to hide original URLs that appear in the body of the API's HTTP response and instead redirect them to the API Management gateway.

- :::image type="content" source="media/transform-api/outbound-policy.png" alt-text="Navigate to outbound policy" border="false":::

-1. Position the cursor inside the **&lt;outbound&gt;** element, and then select **Show snippets** at the top-right corner of the screen.

-1. In the right window, under **Transformation policies**, select **Mask URLs in content**.

-This section shows how to add protection to your backend API by configuring rate limits. You might also want to limit the rate of API calls so that the API isn't overused by developers. In this example, the limit is set to three calls per 15 seconds for each subscription ID. After 15 seconds, a developer can retry calling an API.

- :::image type="content" source="media/transform-api/inbound-policy.png" alt-text="Navigate to inbound policy":::

-1. Position the cursor inside the **&lt;inbound&gt;** element, and then select **Show snippets** at the top-right corner of the screen.

-1. In the right window, under **Access restriction policies**, select **Limit call rate per key**.

-1. Modify your **rate-limit-by-key** code in the **\<inbound\>** element to the following code:

-description: Learn about policies you can use in Azure API Management to validate requests and responses.

-This article provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).

-Use validation policies to validate REST or SOAP API requests and responses against schemas defined in the API definition or supplementary JSON or XML schemas. Validation policies protect from vulnerabilities such as injection of headers or payload or leaking sensitive data.

-The `validate-status-code` policy validates the HTTP status codes in responses against the API schema. This policy may be used to prevent leakage of backend errors, which can contain stack traces.

-## Next steps

-For more information about working with policies, see:

-You'll need to authenticate with a service principal for the resource deployment script to work. You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.

-You'll need to authenticate with a service principal for the resource deployment script to work. You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.

- To restore app content only and not the app configuration, use the `--restore-content-only` parameter. For more information, see [az webapp config snapshot restore](/cli/webapp/config/snapshot#az_webapp_config_snapshot_restore).

-In the Cloud Shell, enable CORS to your client's URL by using the [`az webapp cors add`](/cli/azure/webapp/cors#az_webapp_cors_add) command. Replace the _&lt;app-name>_ placeholder.

-Using the Azure CLI, view the current middleware version with the [az webapp auth show](/cli/azure/webapp/auth#az_webapp_auth_show) command.

-Using the Azure CLI, you can update the `runtimeVersion` setting in the app with the [az webapp auth update](/cli/azure/webapp/auth#az_webapp_auth_update) command.

-You can run this command from the [Azure Cloud Shell](../cloud-shell/overview.md) by choosing **Try it** in the preceding code sample. You can also use the [Azure CLI locally](/cli/azure/install-azure-cli) to execute this command after executing [az login](/cli/azure/reference-index#az_login) to sign in.

- |Allowed Token Audiences| If this is a cloud or server app and you want to allow authentication tokens from a web app, add the **Application ID URI** of the web app here. The configured **Client ID** is *always* implicitly considered to be an allowed audience.|

-Add or edit an app setting with [az webapp config app settings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set):

-Show all settings and their values with [az webapp config appsettings list](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_list):

-Remove one or more settings with [az webapp config app settings delete](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_delete):

-Run [az webapp config app settings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) with the name of the JSON file.

-For convenience, you can save existing settings into a JSON file with [az webapp config appsettings list](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_list). The following example can be run in Bash.

-Add or edit an app setting with [az webapp config connection-string set](/cli/azure/webapp/config/connection-string#az_webapp_config_connection_string_set):

-Replace `<string-name>` with the name of the connection string, and `<value>` with the value to assign to it. For possible values of `<type>` (for example, `SQLAzure`), see the [CLI command documentation](/cli/azure/webapp/config/connection-string#az_webapp_config_connection_string_set).

-Show all connection strings and their values with [az webapp config connection-string list](/cli/azure/webapp/config/connection-string#az_webapp_config_connection_string_list):

-Remove one or more connection strings with [az webapp config connection-string delete](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_delete):

-Run [az webapp config connection-string set](/cli/azure/webapp/config/connection-string#az_webapp_config_connection_string_set) with the name of the JSON file.

-For convenience, you can save existing connection strings into a JSON file with [az webapp config connection-string list](/cli/azure/webapp/config/connection-string#az_webapp_config_connection_string_list). The following example can be run in Bash.

-You can set many of the common configurable options using [az webapp config set](/cli/azure/webapp/config#az_webapp_config_set). The following example shows a subset of the configurable options.

-To show the existing settings, use the [az webapp config show](/cli/azure/webapp/config#az_webapp_config_show) command.

-Add a default document by using [az resource update](/cli/azure/resource#az_resource_update):

-Use the [`az webapp config storage-account add`](/cli/azure/webapp/config/storage-account#az_webapp_config_storage_account_add) command. For example:

-1. Enable [the system-assigned managed identity](./overview-managed-identity.md) for the web app by using the [`az webapp identity assign`](/cli/azure/webapp/identity#az_webapp_identity-assign) command:

-Enable persistent storage by setting the `WEBSITES_ENABLE_APP_SERVICE_STORAGE` app setting, using the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in [Cloud Shell](https://shell.azure.com).

-1. Use the following [`az keyvault create`](/cli/azure/keyvault#az_keyvault_create) command to create a Key Vault instance.

-1. Use the following [`az keyvault secret set`](/cli/azure/keyvault/secret#az_keyvault_secret_set) command to add your external URL as a secret in your key vault:

-1. Use the following [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command to create the `WEBSITE_RUN_FROM_PACKAGE` application setting with the value as a Key Vault reference to the external URL:

-Enable [application logging](troubleshoot-diagnostic-logs.md#enable-application-logging-windows) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az_webapp_log_config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. Logging to the local App Service filesystem instance is disabled 12 hours after it is configured. If you need longer retention, configure the application to write output to a Blob storage container. Your Java and Tomcat app logs can be found in the */home/LogFiles/Application/* directory.

-Enable [application logging](troubleshoot-diagnostic-logs.md#enable-application-logging-linuxcontainer) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az_webapp_log_config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. If you need longer retention, configure the application to write output to a Blob storage container. Your Java and Tomcat app logs can be found in the */home/LogFiles/Application/* directory.

-If you use [ZIP deployment](deploy-zip.md) (through Visual Studio Code, for example), be sure to [enable build automation](deploy-zip.md#enable-build-automation-for-zip-deploy) because it's not enabled by default. [`az webapp up`](/cli/azure/webapp#az_webapp_up) uses ZIP deployment with build automation enabled.

-To customize the site root, set the virtual application path for the app by using the [`az resource update`](/cli/azure/resource#az_resource_update) command. The following example sets the site root to the *public/* subdirectory in your repository.

- - Run commands locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az_login).

- - Show the current Python version with [az webapp config show](/cli/azure/webapp/config#az_webapp_config_show):

- - Set the Python version with [az webapp config set](/cli/azure/webapp/config#az_webapp_config_set)

- - Show all Python versions that are supported in Azure App Service with [az webapp list-runtimes](/cli/azure/webapp#az_webapp_list_runtimes):

-Open a remote connection to your app using the [az webapp create-remote-connection](/cli/azure/webapp#az_webapp_create_remote_connection) command. Specify _\<subscription-id>_, _\<group-name>_ and _\<app-name>_ for your app.

-**Generate** a service principal with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). In the following example, replace *\<subscription-id>*, *\<group-name>*, and *\<app-name>* with your own values. **Save** the entire JSON output for the next step, including the top-level `{}`.

-To configure the container registry and the Docker image, **run** [az webapp config container set](/cli/azure/webapp/config/container#az_webapp_config_container_set).

-To configure a multi-container (Docker Compose) app, **prepare** a Docker Compose file locally, then **run** [az webapp config container set](/cli/azure/webapp/config/container#az_webapp_config_container_set) with the `--multicontainer-config-file` parameter. If your Docker Compose file contains private images, **add** `--docker-registry-server-*` parameters as shown in the previous example.

-To configure CI/CD from the container registry to your app, **run** [az webapp deployment container config](/cli/azure/webapp/deployment/container#az_webapp_deployment-container-config) with the `--enable-cd` parameter. The command outputs the webhook URL, but you must create the webhook in your registry manually in a separate step. The following example enables CI/CD on your app, then uses the webhook URL in the output to create the webhook in Azure Container Registry.

-Run the [az webapp deployment user set](/cli/azure/webapp/deployment/user#az_webapp_deployment_user_set) command. Replace \<username> and \<password> with a deployment user username and password.

-Get the application-scope credentials using the [az webapp deployment list-publishing-profiles](/cli/azure/webapp/deployment#az_webapp_deployment_list_publishing_profiles) command. For example:

-For [local Git deployment](deploy-local-git.md), you can also use the [az webapp deployment list-publishing-credentials](/cli/azure/webapp/deployment#az_webapp_deployment_list_publishing_credentials) command to get a Git remote URI for your app, with the application-scope credentials already embedded. For example:

-Reset the application-scope credentials using the [az resource invoke-action](/cli/azure/resource#az_resource_invoke_action) command:

-You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.

-1. Generate a service principal by using the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). In the following example, replace \<subscription-id>, \<group-name>, and \<app-name> with your own values:

-Run the [az webapp deployment list-publishing-profiles](/cli/azure/webapp/deployment#az_webapp_deployment_list_publishing_profiles) command. The following example uses a [JMES path](https://jmespath.org/) to extract the FTP/S endpoints from the output.

-Run the [az webapp config set](/cli/azure/webapp/deployment#az_webapp_deployment_list_publishing_profiles) command with the `--ftps-state` argument.

-You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.

-Run [`az webapp create`](/cli/azure/webapp#az_webapp_create) with the `--deployment-local-git` option. For example:

-Run [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config_local_git). For example:

-The easiest way to run a package in your App Service is with the Azure CLI [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config_zip) command. For example:

- > You can also use the [`az webapp traffic-routing set`](/cli/azure/webapp/traffic-routing#az_webapp_traffic_routing_set) command in the Azure CLI to set the routing percentages from CI/CD tools like GitHub Actions, DevOps pipelines, or other automation systems.

-Deploy a ZIP package to your web app by using the [az webapp deploy](/cli/azure/webapp#az_webapp_deploy) command. The CLI command uses the [Kudu publish API](#kudu-publish-api-reference) to deploy the files and can be fully customized.

-Deploy a WAR package to Tomcat or JBoss EAP by using the [az webapp deploy](/cli/azure/webapp#az_webapp_deploy) command. Specify the path to your local Java package for `--src-path`.

-Deploy a startup script, library, and static file to your web app by using the [az webapp deploy](/cli/azure/webapp#az_webapp_deploy) command with the `--type` parameter.

-App Service on Linux supports a number of language specific built-in images. Just deploy your code. Supported languages include: Node.js, Java (JRE 8 & JRE 11), PHP, Python, .NET Core, and Ruby. Run [`az webapp list-runtimes --linux`](/cli/azure/webapp#az_webapp_list_runtimes) to view the latest languages and supported versions. If the runtime your application requires is not supported in the built-in images, you can deploy it with a custom container.

-To create a custom containerized app, run [az webapp create](/cli/azure/webapp#az_webapp_create) with `--deployment-container-image-name`. For a private repository, add `--docker-registry-server-user` and `--docker-registry-server-password`.

-<li><a href="/cli/azure/webapp#az_webapp_create">Create an <abbr title="The representation of your web app, which contains your app code, DNS hostnames, certificates, and related resources.">App Service app</abbr></a> with the specified name.</li>

- <li>You can optionally include the argument <code>--location &lt;location-name&gt;</code> where <code>&lt;location-name&gt;</code> is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the <a href="/cli/azure/appservice#az_appservice_list_locations"><code>az account list-locations</code></a> command.</li>

- <li><a href="/cli/azure/webapp#az_webapp_create">Create an App Service app</a> with the specified name.</li>

-1. Sign into your Azure account by using the [`az login`](/cli/azure/reference-index#az_login) command and following the prompt:

-1. Deploy the code in your local *MyFirstAzureWebApp* directory using the [`az webapp up`](/cli/azure/webapp#az_webapp_up) command:

- - You can optionally include the argument `--location <location-name>` where `<location-name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az_appservice_list_locations) command.

-<li><a href="/cli/azure/webapp#az_webapp_create">Create an App Service app</a> with the specified name.</li>

-In the Cloud Shell, create a resource group with the [`az group create`](/cli/azure/group#az_group_create) command. The following example creates a resource group named *myResourceGroup* in the *South Central US* location. To see all supported locations for App Service on Linux in **Standard** tier, run the [`az appservice list-locations --sku S1 --linux-workers-enabled`](/cli/azure/appservice#az_appservice_list_locations) command.

-In the Cloud Shell, create an App Service plan in the resource group with the [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) command.

-In your Cloud Shell terminal, create a multi-container [web app](overview.md#app-service-on-linux) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp#az_webapp_create) command. Don't forget to replace _\<app_name>_ with a unique app name (valid characters are `a-z`, `0-9`, and `-`).

-To stream logs, run the [az webapp log tail](/cli/azure/webapp/log#az_webapp_log_tail) command:

-1. In the Cloud Shell, create a web app in the `myAppServicePlan` App Service plan with the [`az webapp create`](/cli/azure/webapp#az_webapp_create) command.

- In the following example, replace `<app-name>` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.4`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp#az_webapp_list_runtimes).

-To stream logs, run the [az webapp log tail](/cli/azure/webapp/log#az_webapp_log_tail) command:

-First, you need to configure Azure App Service to output logs to the App Service filesystem using the [az webapp log config](/cli/azure/webapp/log#az_webapp_log_config) command.

-To stream logs, use the [az webapp log tail](/cli/azure/webapp/log#az_webapp_log_tail) command.

-Delete the resource group by using the [az group delete](/cli/azure/group#az_group_delete) command.

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az storage account create`](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |

-| [`az storage container create`](/cli/azure/storage/container#az_storage_container_create) | Creates an Azure storage container. |

-| [`az storage container generate-sas`](/cli/azure/storage/container#az_storage_container_generate_sas) | Generates an SAS token for an Azure storage container. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp config backup create`](/cli/azure/webapp/config/backup#az_webapp_config_backup_create) | Creates a backup for an App Service app. |

-| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az_webapp_config_backup_list) | Gets a list of backups for an App Service app. |

-| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az_webapp_config_backup_list) | Gets a list of backups for a web app. |

-| [`az webapp config backup restore`](/cli/azure/webapp/config/backup#az_webapp_config_backup_restore) | Restores a web app from a backup. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az storage account create`](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |

-| [`az storage container create`](/cli/azure/storage/container#az_storage_container_create) | Creates an Azure storage container. |

-| [`az storage container generate-sas`](/cli/azure/storage/container#az_storage_container_generate_sas) | Generates an SAS token for an Azure storage container. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp config backup update`](/cli/azure/webapp/config/backup#az_webapp_config_backup_update) | Configures a new backup schedule for an App Service app. |

-| [`az webapp config backup show`](/cli/azure/webapp/config/backup#az_webapp_config_backup_show) | Shows the backup schedule for an App Service app. |

-| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az_webapp_config_backup_list) | Gets a list of backups for an App Service app. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp config hostname add`](/cli/azure/webapp/config/hostname#az_webapp_config_hostnam_eadd) | Maps a custom domain to an App Service app. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp config hostname add`](/cli/azure/webapp/config/hostname#az_webapp_config_hostname_add) | Maps a custom domain to an App Service app. |

-| [`az webapp config ssl upload`](/cli/azure/webapp/config/ssl#az_webapp_config_ssl_upload) | Uploads a TLS/SSL certificate to an App Service app. |

-| [`az webapp config ssl bind`](/cli/azure/webapp/config/ssl#az_webapp_config_ssl_bind) | Binds an uploaded TLS/SSL certificate to an App Service app. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az cosmosdb create`](/cli/azure/cosmosdb#az_cosmosdb_create) | Creates a Cosmos DB account. |

-| [`az cosmosdb list-connection-strings`](/cli/azure/cosmosdb#az_cosmosdb_list_connection_strings) | Lists connection strings for the specified Cosmos DB account. |

-| [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) | Creates or updates an app setting for an App Service app. App settings are exposed as environment variables for your app (see [Environment variables and app settings reference](../reference-app-settings.md)). |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az redis create`](/cli/azure/redis#az_redis-create) | Create new Azure Cache for Redis instance. |

-| [`az redis list-keys`](/cli/azure/redis#az_redis_list_keys) | Lists the access keys for the Azure Cache for Redis instance. |

-| [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) | Creates or updates an app setting for an App Service app. App settings are exposed as environment variables for your app. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az sql server create`](/cli/azure/sql/server#az_sql_server_create) | Creates a server. |

-| [`az sql db create`](/cli/azure/sql/db#az_sql_db_create) | Creates a new database. |

-| [`az sql db show-connection-string`](/cli/azure/sql/db#az_sql_db_show-connection_string) | Generates a connection string to a database. |

-| [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) | Creates or updates an app setting for an App Service app. App settings are exposed as environment variables for your app. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az storage account create`](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |

-| [`az storage account show-connection-string`](/cli/azure/storage/account#az_storage_account_show_connection_string) | Get the connection string for a storage account. |

-| [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) | Creates or updates an app setting for an App Service app. App settings are exposed as environment variables for your app. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config) | Associates an App Service app with a Git or Mercurial repository. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config) | Associates an App Service app with a Git or Mercurial repository. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp deployment list-publishing-profiles`](/cli/azure/webapp/deployment#az_webapp_deployment_list_publishing_profiles) | Get the details for available app deployment profiles. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config) | Associates an App Service app with a Git or Mercurial repository. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp deployment user set`](/cli/azure/webapp/deployment/user#az_webapp_deployment_user_set) | Sets the account-level deployment credentials for App Service. |

-| [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config_local_git) | Creates a source control configuration for a local Git repository. |

-Create an App Service Plan with [az appservice plan create](/cli/azure/appservice/plan#az_appservice_plan_create).

-Create a Web App with [az webapp create](/cli/azure/webapp#az_webapp_create).

-You need to update the subnet to disable private endpoint network policies. Update a subnet configuration named *mySubnet* with [az network vnet subnet update](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_update):

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp deployment slot create`](/cli/azure/webapp/deployment/slot#az_webapp_deployment_slot_create) | Create a deployment slot. |

-| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config) | Associates an App Service app with a Git or Mercurial repository. |

-| [`az webapp deployment slot swap`](/cli/azure/webapp/deployment/slot#az_webapp_deployment_slot_swap) | Swap a specified deployment slot into production. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az network vnet create`](/cli/azure/network/vnet#az_network_vnet_create) | Creates a virtual network. |

-| [`az network public-ip create`](/cli/azure/network/public-ip#az_network_public_ip_create) | Creates a public IP address. |

-| [`az network public-ip show`](/cli/azure/network/public-ip#az_network_public_ip_show) | Show details of a public IP address. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service web app. |

-| [`az webapp show`](/cli/azure/webapp#az_webapp_show) | Show details of an App Service web app. |

-| [`az webapp config access-restriction add`](/cli/azure/webapp/config/access-restriction#az_webapp_config_access_restriction_add) | Adds an access restriction to the App Service web app. |

-| [`az network application-gateway create`](/cli/azure/network/application-gateway#az_network_application_gateway_create) | Creates an Application Gateway. |

-| [`az network application-gateway http-settings update`](/cli/azure/network/application-gateway/http-settings#az_network-application-gateway-http_settings_update) | Updates Application Gateway HTTP settings. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp config container set`](/cli/azure/webapp/config/container#az_webapp_config_container_set) | Sets the Docker container for the App Service app. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp config container set`](/cli/azure/webapp/config/container#az_webapp_config_container_set) | Sets the Docker container for the App Service app. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az webapp log config`](/cli/azure/webapp/log#az_webapp_log_config) | Configures which logs an App Service app persists. |

-| [`az webapp log download`](/cli/azure/webapp/log#az_webapp_log_download) | Downloads the logs of an App Service app to your local machine. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az network traffic-manager profile create`](/cli/azure/network/traffic-manager/profile#az_network_traffic_manager_profile_create) | Creates an Azure Traffic Manager profile. |

-| [`az network traffic-manager endpoint create`](/cli/azure/network/traffic-manager/endpoint#az_network_traffic-manager_endpoint_create) | Adds an endpoint to an Azure Traffic Manager Profile. |

-| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |

-| [`az appservice plan update`](/cli/azure/appservice/plan#az_appservice_plan_update) | Updates properties of the App Service plan. |

-1. Since you're deploying the `main` branch, you need to set the default deployment branch for your two App Service apps to `main` (see [Change deployment branch](deploy-local-git.md#change-deployment-branch)). In the Cloud Shell, set the `DEPLOYMENT_BRANCH` app setting with the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command.

-In the Cloud Shell, enable CORS to your client's URL by using the [`az webapp cors add`](/cli/azure/webapp/cors#az_webapp_cors_add) command. Replace the _\<back-end-app-name>_ and _\<front-end-app-name>_ placeholders.

-1. Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az_ad_user_list) and replace *\<user-principal-name>*. The result is saved to a variable.

-1. Add this Azure AD user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix).

-To enable a managed identity for your Azure app, use the [az webapp identity assign](/cli/azure/webapp/identity#az_webapp_identity_assign) command in the Cloud Shell. In the following command, replace *\<app-name>*.

-Azure App Service uses the Docker container technology to host both built-in images and custom images. To see a list of built-in images, run the Azure CLI command, ['az webapp list-runtimes--linux'](/cli/azure/webapp#az_webapp_list_runtimes). If those images don't satisfy your needs, you can build and deploy a custom image.

-Run the [az group create](/cli/azure/group#az_group_create) command to create a resource group:

-1. Run the [`az acr create`](/cli/azure/acr#az_acr_create) command to create an Azure Container Registry:

-1. Run the [`az acr show`](/cli/azure/acr#az_acr_show) command to retrieve credentials for the registry:

-1. Create an App Service plan using the [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) command:

-1. Create the web app with the [`az webpp create`](/cli/azure/webapp#az_webapp_create) command:

-1. Use [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) to set the `WEBSITES_PORT` environment variable as expected by the app code:

-1. Enable [the system-assigned managed identity](./overview-managed-identity.md) for the web app by using the [`az webapp identity assign`](/cli/azure/webapp/identity#az_webapp_identity-assign) command:

-1. Retrieve your subscription ID with the [`az account show`](/cli/azure/account#az_account_show) command, which you need in the next step:

-1. Use the [`az webapp config container set`](/cli/azure/webapp/config/container#az_webapp_config_container_set) command to specify the container registry and the image to deploy for the web app:

-First, create a resource group using the [az group create](/cli/azure/group#az_group_create) command. The resource group acts as a container for all of the Azure resources related to this application.

-Next, create an App Service plan using the [az appservice plan create](/cli/azure/appservice/plan#az_appservice_plan_create) command.

-Finally, create the App Service web app using the [az webapp create](/cli/azure/webapp#az_webapp_create) command.

-First, create an Azure SQL Server to host the database. A new Azure SQL Server is created by using the [az sql server create ](/cli/azure/sql/server#az_sql_server_create) command.

-Setting up an SQL Server might take a few minutes. When the resource is available, we can create a database with the [az sql db create](/cli/azure/sql/db#az_sql_db_create) command.

-We can retrieve the Connection String for our database using the [az sql db show-connection-string](/cli/azure/sql/db#az_sql_db_show_connection_string) command. This command allows us to add the Connection String to our App Service configuration settings. Copy this Connection String value for later use.

-Run the [az sql server firewall-rule create](/cli/azure/sql/server/firewall-rule#az_sql_server_firewall_rule_create) command to add a firewall rule to your SQL Server instance.

-You can configure Azure App Service to output logs to the App Service filesystem using the [az webapp log config](/cli/azure/webapp/log#az_webapp_log_config) command.

-You can also stream logs directly to the console using the [az webapp log tail](/cli/azure/webapp/log#az_webapp_log_tail) command.

-You can delete the resource group you created by using the [az group delete](/cli/azure/group#az_group_delete) command. Deleting the resource group deletes all of the resources contained within it.

-In Cloud Shell, create a resource group with the [`az group create`](/cli/azure/group#az_group_create) command. The following example creates a resource group named *myResourceGroup* in the *South Central US* location. To see all supported locations for App Service on Linux in **Standard** tier, run the [`az appservice list-locations --sku S1 --linux-workers-enabled`](/cli/azure/appservice#az_appservice_list_locations) command.

-In Cloud Shell, create an App Service plan in the resource group with the [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) command.

-In your Cloud Shell, create a multi-container [web app](overview.md) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp#az_webapp_create) command. Don't forget to replace _\<app-name>_ with a unique app name.

-Create an Azure Database for MySQL server with the [`az mysql server create`](/cli/azure/mysql/server#az_mysql_server_create) command.

-Create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule#az_mysql_server_firewall_rule_create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.

-To make these changes, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in Cloud Shell. App settings are case-sensitive and space-separated.

-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az_webapp_config_container_set) command. Don't forget to replace _\<app-name>_ with the name of the web app you created earlier.

-To use persistent storage, you'll enable this setting within App Service. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in Cloud Shell. App settings are case-sensitive and space-separated.

-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az_webapp_config_container_set) command. Don't forget to replace _\<app-name>_ with a unique app name.

-To use Redis, you'll enable this setting, `WP_REDIS_HOST`, within App Service. This is a *required setting* for WordPress to communicate with the Redis host. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in Cloud Shell. App settings are case-sensitive and space-separated.

-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az_webapp_config_container_set) command. Don't forget to replace _\<app-name>_ with a unique app name.

-In the Cloud Shell, create a server in Azure Database for MySQL with the [`az mysql server create`](/cli/azure/mysql/server#az_mysql_server_create) command.

-1. In the Cloud Shell, create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule#az_mysql_server_firewall_rule_create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.

-In App Service, you set environment variables as _app settings_ by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command.

-1. In the Cloud Shell, set the application key in the App Service app by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command. Replace the placeholders _&lt;app-name>_ and _&lt;outputofphpartisankey:generate>_.

-In the Cloud Shell, set the virtual application path by using the [`az resource update`](/cli/azure/resource#az_resource_update) command. Replace the _&lt;app-name>_ placeholder.

-To start log streaming, use the [`az webapp log tail`](/cli/azure/webapp/log#az_webapp_log_tail) command in the Cloud Shell.

-1. Create the Postgres database in Azure with the [`az postgres up`](/cli/azure/postgres#az_postgres_up) command, as shown in the following example. Replace *\<postgresql-name>* with a *unique* name (the server endpoint is *https://\<postgresql-name>.postgres.database.azure.com*). For *\<admin-username>* and *\<admin-password>*, specify credentials to create an administrator user for this Postgres server.

- > `--location <location-name>`, can be set to any one of the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). You can get the regions available to your subscription with the [`az account list-locations`](/cli/azure/account#az_account_list_locations) command. For production apps, put your database and your app in the same location.

-In App Service, you set environment variables as _app settings_ by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in the Cloud Shell.

-1. Since you're deploying the `main` branch, you need to set the default deployment branch for your App Service app to `main` (see [Change deployment branch](deploy-local-git.md#change-deployment-branch)). In the Cloud Shell, set the `DEPLOYMENT_BRANCH` app setting with the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command.

-**Backend Health** page on the Azure portal. Or, you can use [Azure PowerShell](/powershell/module/az.network/get-azapplicationgatewaybackendhealth), [CLI](/cli/azure/network/application-gateway#az_network_application_gateway_show_backend_health), or [REST API](/rest/api/application-gateway/applicationgateways/backendhealth).

-You can use [az network application-gateway create](/cli/azure/network/application-gateway#az_network_application_gateway_create) to create the application gateway named *myAppGateway*. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings.

-You can use [az network application-gateway frontend-port create](/cli/azure/network/application-gateway/frontend-port#az_network-application_gateway_frontend_port_create) to add the HTTP port to the application gateway.

-You can use [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az_network_application_gateway_http_listener_create) to add the listener named *myListener* to the application gateway.

-Add the HTTP to HTTPS redirection configuration to the application gateway using [az network application-gateway redirect-config create](/cli/azure/network/application-gateway/redirect-config#az_network_application_gateway_redirect_config_create).

-Add the routing rule named *rule2* with the redirection configuration to the application gateway using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az_network_application_gateway_rule_create).

-In this example, you create a virtual machine scale set named *myvmss* that provides servers for the backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, you can use [az vmss create](/cli/azure/vmss#az_vmss_create).

-Create the virtual network named *myVNet* and the subnet named *myAGSubnet* using [az network vnet create](/cli/azure/network/vnet). You can then add the subnet named *myBackendSubnet* that's needed by the backend pool of servers using [az network vnet subnet create](/cli/azure/network/vnet/subnet). Create the public IP address named *myAGPublicIPAddress* using [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create).

-Add the backend listeners that are needed to route traffic using [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az_network_application_gateway_http_listener_create).

-Add the redirection configuration that sends traffic from *www\.consoto.org* to the listener for *www\.contoso.com* in the application gateway using [az network application-gateway redirect-config create](/cli/azure/network/application-gateway/redirect-config#az_network_application_gateway_redirect_config_create).

-In this example, you create two new rules and delete the default rule that was created. You can add the rule using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az_network_application_gateway_rule_create).

-After the application gateway is created with its public IP address, you can get the DNS address and use it to create a CNAME record in your domain. You can use [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show) to get the DNS address of the application gateway. Copy the *fqdn* value of the DNSSettings and use it as the value of the CNAME record that you create. The use of A-records is not recommended because the VIP may change when the application gateway is restarted.

-| [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) | Creates a subnet in a virtual network. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create) | Creates a virtual network. |

-| [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) | Creates a subnet in a virtual network. |

-| [az vmss create](/cli/azure/vmss#az_vmss_create) | Creates a virtual machine scale set. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |

-| [az monitor diagnostic-settings create](/cli/azure/monitor/diagnostic-settings#az_monitor_diagnostic_settings_create) | Creates a storage account. |

-| [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show) | Gets the public IP address of the application gateway. |

-In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az_group_create). The following example creates a resource group named *myResourceGroup* in the *canadacentral* location (region).

-To configure additional parameters for the `az aks create` command, visit references [here](/cli/azure/aks#az_aks_create).

-In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az_group_create). The following example creates a resource group named *myResourceGroup* in the *canadacentral* location (region):

-To configure additional parameters for the `az aks create` command, see [these references](/cli/azure/aks#az_aks_create).

-A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using [az group create](/cli/azure/group#az_group_create).

-In this example, you create a virtual machine scale set that provides servers for the backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, use [az vmss create](/cli/azure/vmss#az_vmss_create).

-You can use [az network application-gateway create](/cli/azure/network/application-gateway#az_network_application_gateway_create) to create the application gateway. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings. The application gateway is assigned to *myAGSubnet* and *myAGPublicIPAddress* that you previously created.

-Add the backend pools that are needed to contain the backend servers using [az network application-gateway address-pool create](/cli/azure/network/application-gateway/address-pool#az_network_application_gateway_address-pool_create)

-Add listeners that are needed to route traffic using [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az_network_application_gateway_http_listener_create).

-In this example, you create two new rules and delete the default rule created when you deployed the application gateway. You can add the rule using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az_network_application_gateway_rule_create).

-After the application gateway is created with its public IP address, you can get the DNS address and use it to create a CNAME record in your domain. You can use [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show) to get the DNS address of the application gateway. Copy the *fqdn* value of the DNSSettings and use it as the value of the CNAME record that you create.

-In this example, you create a virtual machine scale set that provides servers for the default backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, you can use [az vmss create](/cli/azure/vmss#az_vmss_create).

-To get the public IP address of the application gateway, use [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show). Copy the public IP address, and then paste it into the address bar of your browser. Such as, `http://40.121.222.19`, `http://40.121.222.19:8080/images/test.htm`, `http://40.121.222.19:8080/video/test.htm`, or `http://40.121.222.19:8081/images/test.htm`.

-1. Call the [az storage container generate-sas](/cli/azure/storage/container#az_storage_container_generate_sas) command.

-1. Register the Microsoft.Attestation resource provider in the subscription with the [az provider register](/cli/azure/provider#az_provider_register) command:

-1. Create a resource group for the attestation provider. You can put other Azure resources in the same resource group, including a virtual machine with a client application instance. Run the [az group create](/cli/azure/group#az_group_create) command to create a resource group, or use an existing resource group:

-1. Run the [az attestation create](/cli/azure/attestation#az_attestation_create) command to create an attestation provider without policy signing requirement:

-1. Run the [az attestation show](/cli/azure/attestation#az_attestation_show) command to retrieve attestation provider properties such as status and AttestURI:

-You can delete an attestation provider by using the [az attestation delete](/cli/azure/attestation#az_attestation_delete) command:

-The [az attestation policy show](/cli/azure/attestation/policy#az_attestation_policy_show) command returns the current policy for the specified TEE:

-Use the [az attestation policy set](/cli/azure/attestation/policy#az_attestation_policy_set) command to set a new policy for the specified attestation type.

- The command creates a policy definition named **Audit Enforce Jobs on Automation Hybrid Runbook Workers**. For more information about other parameters that you can use, see [az policy definition create](/cli/azure/policy/definition#az_policy_definition_create).

-|Windows client | Client operating systems (such as Windows 7 and Windows 10) aren't supported.<br> For Azure Windows Virtual Desktop (WVD), the recommended method<br> to manage updates is [Microsoft Endpoint Configuration Manager](../../virtual-desktop/configure-automatic-updates.md) for Windows 10 client machine patch management. |

-> Learn more about the [export command](/cli/azure/appconfig/kv#az_appconfig_kv_export).

-1. Enable logs by using the az monitor [diagnostic-settings create command](/cli/azure/monitor/diagnostic-settings#az_monitor_diagnostic_settings_create).

-A system-assigned identity can be removed by disabling the feature by using the [az appconfig identity remove](/cli/azure/appconfig/identity#az_appconfig_identity_remove) command in the Azure CLI. User-assigned identities can be removed individually. Removing a system-assigned identity in this way will also delete it from Azure AD. System-assigned identities are also automatically removed from Azure AD when the app resource is deleted.

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az appconfig create](/cli/azure/appconfig#az_appconfig_create) | Creates an App Configuration store resource. |

-| [az appconfig credential list](/cli/azure/appconfig/credential#az_appconfig_credential_list) | List access keys for an App Configuration store. |

-| [az appconfig delete](/cli/azure/appconfig#az_appconfig_delete) | Deletes an App Configuration store resource. |

-| [az appconfig kv export](/cli/azure/appconfig/kv#az_appconfig_kv_export) | Exports from an App Configuration store resource. |

-| [az appconfig kv import](/cli/azure/appconfig/kv#az_appconfig_kv_import) | Imports to an App Configuration store resource. |

-| [az appconfig kv set](/cli/azure/appconfig/kv#az_appconfig_kv_set) | Create or update a key-value pair. |

-| [az appconfig kv list](/cli/azure/appconfig/kv#az_appconfig_kv_list) | List key-value pairs in an App Configuration store. |

-| [az appconfig kv delete](/cli/azure/appconfig/kv#az_appconfig_kv_delete) | Delete a key-value pair. |

-1. In this tutorial, you use a service principal for authentication to Key Vault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command:

-After installing the client tools, you need access to a Kubernetes cluster. You can create Kubernetes cluster with [`az aks create`](/cli/azure/aks#az_aks_create), or you can follow the steps below to create the cluster in the Azure portal.

- For command details, see [az aks create](/cli/azure/aks#az_aks_create).

-description: Learn how to connect and register your hybrid machine with Azure Arc-enabled servers.

-[Azure Arc-enabled servers](../overview.md) enables you to manage and govern your Windows and Linux machines hosted across on-premises, edge, and multicloud environments. In this quickstart, you'll deploy and configure the Connected Machine agent on your Windows or Linux machine hosted outside of Azure for management by Azure Arc-enabled servers.

-## Prerequisites

-* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-* Deploying the Azure Arc-enabled servers Hybrid Connected Machine agent requires that you have administrator permissions on the machine to install and configure the agent. On Linux, by using the root account, and on Windows, with an account that is a member of the Local Administrators group.

-* Before you get started, be sure to review the agent [prerequisites](../prerequisites.md) and verify the following:

- * Your target machine is running a supported [operating system](../prerequisites.md#supported-operating-systems).

- * Your account is granted assignment to the [required Azure roles](../prerequisites.md#required-permissions).

- * If the machine connects through a firewall or proxy server to communicate over the Internet, make sure the URLs [listed](../network-requirements.md#urls) are not blocked.

- * Azure Arc-enabled servers supports only the regions specified [here](../overview.md#supported-regions).

-> [!WARNING]

-> The Linux hostname or Windows computer name cannot use one of the reserved words or trademarks in the name, otherwise attempting to register the connected machine with Azure will fail. See [Resolve reserved resource name errors](../../../azure-resource-manager/templates/error-reserved-resource-name.md) for a list of the reserved words.

-## Register Azure resource providers

-Azure Arc-enabled servers depends on the following Azure resource providers in your subscription in order to use this service:

-* Microsoft.HybridCompute

-* Microsoft.GuestConfiguration

-* Microsoft.HybridConnectivity

-Register them using the following commands:

-```azurepowershell-interactive

-Login-AzAccount

-Set-AzContext -SubscriptionId [subscription you want to onboard]

-Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute

-Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration

-Register-AzResourceProvider -ProviderNamespace Microsoft.HybridConnectivity

-```

-```azurecli-interactive

-az account set --subscription "{Your Subscription Name}"

-az provider register --namespace 'Microsoft.HybridCompute'

-az provider register --namespace 'Microsoft.GuestConfiguration'

-az provider register --namespace 'Microsoft.HybridConnectivity'

-```

-The script to automate the download, installation, and establish the connection with Azure Arc, is available from the Azure portal. To complete the process, do the following:

-1. Launch the Azure Arc service in the Azure portal by clicking **All services**, then searching for and selecting **Servers - Azure Arc**.

- :::image type="content" source="./media/quick-enable-hybrid-vm/search-machines.png" alt-text="Search for Azure Arc-enabled servers in All Services" border="false":::

-1. On the **Servers - Azure Arc** page, select **Add** at the upper left.

-1. On the **Select a method** page, select the **Add servers using interactive script** tile, and then select **Generate script**.

-1. On the **Generate script** page, select the subscription and resource group where you want the machine to be managed within Azure. Select an Azure location where the machine metadata will be stored. This location can be the same or different, as the resource group's location.

-1. On the **Prerequisites** page, review the information and then select **Next: Resource details**.

- 1. In the **Resource group** drop-down list, select the resource group the machine will be managed from.

- 1. In the **Region** drop-down list, select the Azure region to store the servers metadata.

- 1. In the **Operating system** drop-down list, select the operating system that the script be configured to run on.

- 1. If the machine is communicating through a proxy server to connect to the internet, specify the proxy server IP address or the name and port number that the machine will use to communicate with the proxy server. Enter the value in the format `http://<proxyURL>:<proxyport>`.

- 1. Select **Next: Tags**.

-1. On the **Tags** page, review the default **Physical location tags** suggested and enter a value, or specify one or more **Custom tags** to support your standards.

-1. Select **Next: Download and run script**.

-1. On the **Download and run script** page, review the summary information, and then select **Download**. If you still need to make changes, select **Previous**.

-1. Change to the folder or share that you copied the script to, and execute it on the server by running the `./OnboardingScript.ps1` script.

- * If the target machine communicates through a proxy server, run the following command:

- ```bash

- bash ~/Install_linux_azcmagent.sh --proxy "{proxy-url}:{proxy-port}"

- ```

-To enable a VM extension on your Azure Arc-enabled server, use [az connectedmachine extension create](/cli/azure/connectedmachine/extension#az_connectedmachine_extension_create) with the `--machine-name`, `--extension-name`, `--location`, `--type`, `settings`, and `--publisher` parameters.

-To get a list of the VM extensions on your Azure Arc-enabled server, use [az connectedmachine extension list](/cli/azure/connectedmachine/extension#az_connectedmachine_extension_list) with the `--machine-name` and `--resource-group` parameters.

-Some VM extensions require configuration settings in order to install them on the Arc-enabled server, like the Custom Script Extension and the Log Analytics agent VM extension. To upgrade the configuration of an extension, use [az connectedmachine extension update](/cli/azure/connectedmachine/extension#az_connectedmachine_extension_update).

-For the `--extension-targets` parameter, you need to specify the extension and the latest version available. To find out what the latest version available is, you can get this information from the **Extensions** page for the selected Arc-enabled server in the Azure portal, or by running [az vm extension image list](/cli/azure/vm/extension/image#az_vm_extension_image_list).

-You can review the version of installed VM extensions at any time by running the command [az connectedmachine extension list](/cli/azure/connectedmachine/extension#az_connectedmachine_extension_list). The `typeHandlerVersion` property value represents the version of the extension.

-To remove an installed VM extension on your Azure Arc-enabled server, use [az connectedmachine extension delete](/cli/azure/connectedmachine/extension#az_connectedmachine_extension_delete) with the `--extension-name`, `--machine-name`, and `--resource-group` parameters.

-```console

-#### Rely on hostname not public IP address

-The public IP address assigned to your cache can change as a result of a scale operation or backend improvement. We recommend relying on the hostname, in the form `<cachename>.redis.cache.windows.net`, instead of an explicit public IP address.

-Use the `az monitor diagnostic-settings create` command to create a diagnostic setting with the Azure CLI. For more for information on command and parameter descriptions, see [Create diagnostic settings to send platform logs and metrics to different destinations](/cli/azure/monitor/diagnostic-settings#az_monitor_diagnostic_settings_create).

-| [Create a cache](./scripts/create-cache.md) | Creates a resource group and a basic tier Azure Cache for Redis. |

-| [Create a premium cache with clustering](./scripts/create-premium-cache-cluster.md) | Creates a resource group and a premium tier cache with clustering enabled.|

-| [Get cache details](./scripts/show-cache.md) | Gets details of an Azure Cache for Redis instance, including provisioning status. |

-| [Get the hostname, ports, and keys](./scripts/cache-keys-ports.md) | Gets the hostname, ports, and keys for an Azure Cache for Redis instance. |

-|**Web app plus cache**| **Description**|

-| [Connect a web app to an Azure Cache for Redis](./../app-service/scripts/cli-connect-to-redis.md) | Creates an Azure web app and an Azure Cache for Redis, then adds the redis connection details to the app settings. |

-|**Delete cache**| **Description** |

-| [Delete a cache](./scripts/delete-cache.md) | Deletes an Azure Cache for Redis instance |

-description: This Azure CLI code sample shows how to get the hostname, ports, and keys for an Azure Cache for Redis instance.

-tags: azure-service-management

-# Get the hostname, ports, and keys for Azure Cache for Redis

-In this scenario, you learn how to retrieve the hostname, ports, and keys used to connect to an Azure Cache for Redis instance.

-## Sample script

-[!code-azurecli[main](../../../cli_scripts/redis-cache/cache-keys-ports/cache-keys-ports.sh "Azure Cache for Redis")]

-## Script explanation

-This script uses the following commands to retrieve the hostname, keys, and ports of an Azure Cache for Redis instance. Each command in the table links to command specific documentation.

-| Command | Notes |

-|||

-| [az redis show](/cli/azure/redis) | Retrieve details of an Azure Cache for Redis instance. |

-| [az redis list-keys](/cli/azure/redis) | Retrieve access keys for an Azure Cache for Redis instance. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional Azure Cache for Redis CLI script samples can be found in the [Azure Cache for Redis documentation](../cli-samples.md).

-description: This Azure CLI code sample shows how to create an Azure Cache for Redis instance using the command az redis create.

-tags: azure-service-management

-# Create an Azure Cache for Redis

-In this scenario, you learn how to create an Azure Cache for Redis.

-## Sample script

-[!code-azurecli[main](../../../cli_scripts/redis-cache/create-cache/create-cache.sh "Azure Cache for Redis")]

-## Script explanation

-This script uses the following commands to create a resource group and an Azure Cache for Redis. Each command in the table links to command specific documentation.

-| Command | Notes |

-|||

-| [az group create](/cli/azure/group) | Creates a resource group in which all resources are stored. |

-| [az redis create](/cli/azure/redis) | Create Azure Cache for Redis instance. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional Azure Cache for Redis CLI script samples can be found in the [Azure Cache for Redis documentation](../cli-samples.md).

-description: This Azure CLI code sample shows how to create a 6 GB Premium tier Azure Cache for Redis with clustering enabled and two shards.

-tags: azure-service-management

-# Create a Premium Azure Cache for Redis with clustering

-In this scenario, you learn how to create a 6 GB Premium tier Azure Cache for Redis with clustering enabled and two shards.

-## Sample script

-[!code-azurecli[main](../../../cli_scripts/redis-cache/create-premium-cache-cluster/create-premium-cache-cluster.sh "Azure Cache for Redis")]

-## Script explanation

-This script uses the following commands to create a resource group and a Premium tier Azure Cache for Redis with clustering enable. Each command in the table links to command specific documentation.

-| Command | Notes |

-|||

-| [az group create](/cli/azure/group) | Creates a resource group in which all resources are stored. |

-| [az redis create](/cli/azure/redis) | Create Azure Cache for Redis instance. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional Azure Cache for Redis CLI script samples can be found in the [Azure Cache for Redis documentation](../cli-samples.md).

-description: This Azure CLI code sample shows how to delete an Azure Cache for Redis instance using the command az redis delete.

-tags: azure-service-management

-# Delete an Azure Cache for Redis

-In this scenario, you learn how to delete an Azure Cache for Redis.

-## Sample script

-[!code-azurecli[main](../../../cli_scripts/redis-cache/delete-cache/delete-cache.sh "Azure Cache for Redis")]

-## Script explanation

-This script uses the following commands to delete an Azure Cache for Redis instance. Each command in the table links to command specific documentation.

-| Command | Notes |

-|||

-| [az redis delete](/cli/azure/redis) | Delete Azure Cache for Redis instance. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional Azure Cache for Redis CLI script samples can be found in the [Azure Cache for Redis documentation](../cli-samples.md).

-description: This Azure CLI code sample shows how to retrieve the details of an Azure Cache for Redis instance, including its provisioning status.

-tags: azure-service-management

-# Get details of an Azure Cache for Redis

-In this scenario, you learn how to retrieve the details of an Azure Cache for Redis instance, including its provisioning status.

-## Sample script

-[!code-azurecli[main](../../../cli_scripts/redis-cache/show-cache/show-cache.sh "Azure Cache for Redis")]

-## Script explanation

-This script uses the following commands to retrieve the details of an Azure Cache for Redis instance. Each command in the table links to command specific documentation.

-| Command | Notes |

-|||

-| [az redis show](/cli/azure/redis) | Retrieve details of an Azure Cache for Redis instance. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional Azure Cache for Redis CLI script samples can be found in the [Azure Cache for Redis documentation](../cli-samples.md).

-After you created the storage account and file share, use the [az webapp config storage-account add](/cli/azure/webapp/config/storage-account#az_webapp_config_storage_account_add) command to attach the file share to your functions app, as shown in the following example.

-1. Use the following [`az keyvault create`](/cli/azure/keyvault#az_keyvault_create) command to create a Key Vault instance.

-1. Use the following [`az keyvault secret set`](/cli/azure/keyvault/secret#az_keyvault_secret_set) command to add your external URL as a secret in your key vault:

-1. Use the following [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command to create the `WEBSITE_RUN_FROM_PACKAGE` application setting with the value as a Key Vault reference to the external URL:

-Use the [az storage account create](/cli/azure/storage/account#az_storage_account_create) command to create a general-purpose storage account in your resource group and region:

-Run the [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command to create a new function app in the environment.

-Use the [az storage account create](/cli/azure/storage/account#az_storage_account_create) command to create a general-purpose storage account in your resource group and region:

-Run the [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command to create a new function app in the environment.

-The *deployment-container-image-name* parameter specifies the image to use for the function app. You can use the [az functionapp config container show](/cli/azure/functionapp/config/container#az_functionapp_config_container_show) command to view information about the image used for deployment. You can also use the [az functionapp config container set](/cli/azure/functionapp/config/container#az_functionapp_config_container_set) command to deploy from a different image.

- The [az group create](/cli/azure/group#az_group_create) command creates a resource group. You generally create your resource group and resources in a <abbr title="A geographical reference to a specific Azure datacenter in which resources are allocated.">region</abbr> near you, using an available region returned from the `az account list-locations` command.

- The [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command creates the function app in Azure.

- The [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command creates the function app in Azure.

- The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.

- The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.

- The [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command creates the function app in Azure. If you're using Node.js 16, also change `--runtime-version` to `16`.

- The [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command creates the function app in Azure.

- The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.

- The [az group create](/cli/azure/group#az_group_create) command creates a resource group. You generally create your resource group and resources in a <abbr title="A geographical reference to a specific Azure datacenter in which resources are allocated.">region</abbr> near you, using an available region returned from the `az account list-locations` command.

- The [az storage account create](/cli/azure/storage/account#az_storage_account_create) command creates the storage account.

- The [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command creates the function app in Azure. If you are using Python 3.7 or 3.6, change `--runtime-version` to `3.7` or `3.6`, respectively.

- The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.

- The [az group create](/cli/azure/group#az_group_create) command creates a resource group. In the above command, replace `<REGION>` with a region near you, using an available region code returned from the [az account list-locations](/cli/azure/account#az_account_list_locations) command.

- The [az storage account create](/cli/azure/storage/account#az_storage_account_create) command creates the storage account.

- The [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command creates the function app in Azure. If you are using Python 3.7 or 3.6, change `--runtime-version` to `3.7` or `3.6`, respectively. You must supply `--os-type linux` because Python functions can't run on Windows, which is the default.

- The [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command creates the function app in Azure. If you're using Node.js 16, also change `--runtime-version` to `16`.

-You can use Azure CLI to trigger a push deployment. Push deploy a .zip file to your function app by using the [az functionapp deployment source config-zip](/cli/azure/functionapp/deployment/source#az_functionapp_deployment_source_config_zip) command. To use this command, you must use Azure CLI version 2.0.21 or later. To see what Azure CLI version you are using, use the `az --version` command.

-To create a subscription by using [the Azure CLI](/cli/azure/get-started-with-azure-cli), use the [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az_eventgrid_event_subscription_create) command.

-When you're done testing, you can use the same subscription for production by updating the endpoint. Use the [az eventgrid event-subscription update](/cli/azure/eventgrid/event-subscription#az_eventgrid_event_subscription_update) Azure CLI command.

-> If your account can access multiple subscriptions, use [az account set](/cli/azure/account#az_account_set) to set the default subscription for this session.

- The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.

- The [az group create](/cli/azure/group#az_group_create) command creates a resource group. In the above command, replace `<REGION>` with a region near you, using an available region code returned from the [az account list-locations](/cli/azure/account#az_account_list_locations) command.

- The [az storage account create](/cli/azure/storage/account#az_storage_account_create) command creates the storage account.

- In the [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command, the *deployment-container-image-name* parameter specifies the image to use for the function app. You can use the [az functionapp config container show](/cli/azure/functionapp/config/container#az_functionapp_config_container_show) command to view information about the image used for deployment. You can also use the [az functionapp config container set](/cli/azure/functionapp/config/container#az_functionapp_config_container_set) command to deploy from a different image. NOTE: If you are using a custom container registry then the *deployment-container-image-name* parameter will refer to the registry URL.

- The [az functionapp config appsettings set](/cli/azure/functionapp/config/appsettings#az_functionapp_config_ppsettings_set) command creates the setting.

- The [az functionapp deployment container config](/cli/azure/functionapp/deployment/container#az_functionapp_deployment_container_config) command enables continuous deployment and returns the deployment webhook URL. You can retrieve this URL at any later time by using the [az functionapp deployment container show-cd-url](/cli/azure/functionapp/deployment/container#az_functionapp_deployment_container_show_cd_url) command.

-1. Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az_ad_user_list) and replace *\<user-principal-name>*. The result is saved to a variable.

-1. Add this Azure AD user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix).

-To request a specific Python version when you create your function app in Azure, use the `--runtime-version` option of the [`az functionapp create`](/cli/azure/functionapp#az_functionapp_create) command. The Functions runtime version is set by the `--functions-version` option. The Python version is set when the function app is created and can't be changed.

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates an Azure Storage account. |

-| [az functionapp plan create](/cli/azure/functionapp/plan#az_functionapp_plan_create) | Creates a Premium plan. |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app in the App Service plan. |

-| [az group create](/cli/azure/group#az_group_create) | Create a resource group with location |

-| [az storage accounts create](/cli/azure/storage/account#az_storage_account_create) | Create a storage account |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app in the serverless [Consumption plan](../consumption-plan.md). |

-| [az cosmosdb create](/cli/azure/cosmosdb#az_cosmosdb_create) | Create an Azure Cosmos DB database. |

-| [az cosmosdb show](/cli/azure/cosmosdb#az_cosmosdb_show)| Gets the database account connection. |

-| [az cosmosdb list-keys](/cli/azure/cosmosdb#az_cosmosdb_list_keys)| Gets the keys for the database. |

-| [az functionapp config appsettings set](/cli/azure/functionapp/config/appsettings#az_functionapp_config_appsettings_set) | Sets the connection string as an app setting in the function app. |

-| [az group create](/cli/azure/group#az_group_create) | Create a resource group with location. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Create a storage account. |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app in the serverless [Consumption plan](../consumption-plan.md). |

-| [az storage account show-connection-string](/cli/azure/storage/account#az_storage_account_show_connection_string) | Gets the connection string for the account. |

-| [az functionapp config appsettings set](/cli/azure/functionapp/config/appsettings#az_functionapp_config_appsettings_set) | Sets the connection string as an app setting in the function app. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates the storage account required by the function app. |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app in the serverless [Consumption plan](../consumption-plan.md) and associates it with a Git or Mercurial repository. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates the storage account required by the function app. |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app in the serverless [Consumption plan](../consumption-plan.md). |

-| [az functionapp deployment source config](/cli/azure/functionapp/deployment/source#az_functionapp_deployment_source_config) | Associates a function app with a Git or Mercurial repository. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates an Azure Storage account. |

-| [az functionapp plan create](/cli/azure/functionapp/plan#az_functionapp_plan_create) | Creates a Premium plan in a [specific SKU](../functions-premium-plan.md#available-instance-skus). |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app in the App Service plan. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates an Azure Storage account. |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates an Azure Storage account. |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates an Azure Storage account. |

-| [az functionapp create](/cli/azure/functionapp#az_functionapp_create) | Creates a function app. |

-| [az storage share create](/cli/azure/storage/share#az_storage_share_create) | Creates an Azure Files share in storage account. |

-| [az storage directory create](/cli/azure/storage/directory#az_storage_directory_create) | Creates a directory in the share. |

-| [az webapp config storage-account add](/cli/azure/webapp/config/storage-account#az_webapp_config_storage_account_add) | Mounts the share to the function app. |

-| [az webapp config storage-account list](/cli/azure/webapp/config/storage-account#az_webapp_config_storage_account_list) | Shows file shares mounted to the function app. |

-description: Learn whether Azure Maps renders various regions with detailed or simplified data. See the level it uses for raster-tile and vector-tile maps in those regions.

-Azure Maps uses both raster tiles and vector tiles to create maps. At the lowest resolution, the entire world fits in a single tile. At the highest resolution, a single tile represents 38 square meters. You'll see more details about continents, regions, cities, and individual streets as you zoom in the map. For more information about tiles, see [Zoom levels and tile grid](zoom-levels-and-tile-grid.md).

-However, Maps doesn't have the same level of information and accuracy for all regions. The following tables detail the level of information you can render for each region.

-| Country is missing | Country data is not provided. |

-## Additional information

-Azure Maps provides rich traffic information in the form of traffic **flow** and **incidents**. This data can be visualized on maps or used to generate smarter routes that factor in real driving conditions.

-## Additional information

-Use the [Traffic](/rest/api/maps/traffic) REST API to incorporate Azure Maps traffic data into your mapping applications.

-The Azure CLI can be used to deploy the Azure Diagnostics extension to an existing virtual machine using [az vm extension set](/cli/azure/vm/extension#az_vm_extension_set) as in the following example.

-1. Get the existing rule ([metric alerts](/cli/azure/monitor/metrics/alert#az_monitor_metrics_alert_show), [activity log alerts](/cli/azure/monitor/activity-log/alert#az_monitor_activity_log-alert_list)).

-2. Update the rule scope directly ([metric alerts](/cli/azure/monitor/metrics/alert#az_monitor_metrics_alert_update), [activity log alerts](/cli/azure/monitor/activity-log/alert/scope))

- <InstrumentationKey>Copy connection string from Application Insights Resource Overview</InstrumentationKey>

- <InstrumentationKey>Copy connection string from Application Insights Resource Overview</InstrumentationKey>

- <InstrumentationKey>Copy connection string from Application Insights Resource Overview</InstrumentationKey>

-To see a list of the possible metrics, run the [az monitor metrics list-definitions](/cli/azure/monitor/metrics#az_monitor_metrics_list_definitions) command. The `--output` parameter displays the values in a readable format.

-For an existing cluster, run this [Bash script in the Azure CLI](/cli/azure/openshift#az_openshift_create&preserve-view=true).

-7. Edit the values for **workspaceResourceId** using the value you copied in step 3, and for **workspaceRegion** copy the **Region** value after running the Azure CLI command [az monitor log-analytics workspace show](/cli/azure/monitor/log-analytics/workspace#az_monitor-log-analytics-workspace-list&preserve-view=true).

-Log query alerts can perform two different measurements of the result of a log query, each of which support distinct scenarios for monitoring virtual machines.

-[Metric measurement](../alerts/alerts-unified-log.md#calculation-of-a-value) create a separate alert for each record in the query results that has a numeric value that exceeds a threshold defined in the alert rule. These are ideal for numeric data such as CPU.

-[Number of results](../alerts/alerts-unified-log.md#result-count) create a single alert when a query returns at least a specified number of records. These are ideal for non-numeric data such or for analyzing performance trends across multiple computers. You may also choose this strategy if you want to minimize your number of alerts or possibly create an alert only when multiple components have the same error condition.

-> [!NOTE]

-> Resource-centric log alert rules, currently in public preview, will simplify log query alerts and replace the functionality currently provided by metric measurement queries. You can use the AKS cluster as a target for the rule which will better identify it as the affected resource. When resource-center log query alerts become generally available, the guidance in this scenario will be updated.

-[Comparison of log query alert measures](../vm/monitor-virtual-machine-alerts.md#example-log-query-alert) provides a complete walkthrough of log query alert rules for each type of measurement, including a comparison of the log queries supporting each. You can use these same processes to create alert rules for AKS clusters using queries similar to the ones in this article.

-The following query returns cluster nodes disks which exceed 90% free space used. To get the cluster ID, first run the following query and copy the value from the `ClusterId` property:

-Use the [az aks disable-addons](/cli/azure/aks#az_aks_disable_addons) command to disable Container insights. The command removes the agent from the cluster nodes, it does not remove the solution or the data already collected and stored in your Azure Monitor resource.

-If you don't already have a resource group and workspace, create them by using [az group create](/cli/azure/group#az_group_create) and [az monitor log-analytics workspace create](/cli/azure/monitor/log-analytics/workspace#az_monitor_log_analytics_workspace_create):

-To create a component, run the [az monitor app-insights component create](/cli/azure/monitor/app-insights/component#az_monitor_app_insights_component_create) command. The [az monitor app-insights component show](/cli/azure/monitor/app-insights/component#az_monitor_app_insights_component_show) command displays the component.

-This example connects your component to a webapp. You can create a webapp by using the [az appservice plan create](/cli/azure/appservice/plan#az_appservice_plan_create) and [az webapp create](/cli/azure/webapp#az_webapp_create) commands:

-Run the [az monitor app-insights component connect-webapp](/cli/azure/monitor/app-insights/component#az_monitor_app_insights_component_connect_webapp) command to connect your component to the webapp:

-You can instead connect to an Azure function by using the [az monitor app-insights component connect-function](/cli/azure/monitor/app-insights/component#az_monitor_app_insights_component_connect_function) command.

-You can link a component to a storage account. To create a storage account, use the [az storage account create](/cli/azure/storage/account#az_storage_account_create) command:

-To link your component to the storage account, run the [az monitor app-insights component linked-storage link](/cli/azure/monitor/app-insights/component/linked-storage#az_monitor_app_insights_component_linked_storage_link) command. You can see the existing links by using the [az monitor app-insights component linked-storage show](/cli/azure/monitor/app-insights/component/linked-storage#az_monitor_app_insights_component_linked_storage_show) command:

-To unlink the storage, run the [az monitor app-insights component linked-storage unlink](/cli/azure/monitor/app-insights/component/linked-storage#az_monitor_app_insights_component_linked_storage_unlink) command:

-To create a storage container, run the [az storage container create](/cli/azure/storage/container#az_storage_container_create) command.

-You need access for the container to be write only. Run the [az storage container policy create](/cli/azure/storage/container/policy#az_storage_container_policy_create) cmdlet:

-Create an SAS key by using the [az storage container generate-sas](/cli/azure/storage/container#az_storage_container_generate_sas) command. Be sure to use the `--output tsv` parameter value to save the key without unwanted formatting like quotation marks. For more information, see [Use Azure CLI effectively](/cli/azure/use-cli-effectively).

-To create a continuous export, run the [az monitor app-insights component continues-export create](/cli/azure/monitor/app-insights/component/continues-export#az_monitor_app_insights_component_continues_export_create) command:

-You can delete a configured continuous export by using the [az monitor app-insights component continues-export delete](/cli/azure/monitor/app-insights/component/continues-export#az_monitor_app_insights_component_continues_export_delete) command:

-If you created a resource group to test these commands, you can remove the resource group and all its contents by using the [az group delete](/cli/azure/group#az_group_delete) command:

-Run the [az group create](/cli/azure/group#az_group_create) command to create a resource group or use an existing resource group. To create a workspace, use the [az monitor log-analytics workspace create](/cli/azure/monitor/log-analytics/workspace#az_monitor_log_analytics_workspace_create) command.

-To see the tables in your workspace, use the [az monitor log-analytics workspace table list](/cli/azure/monitor/log-analytics/workspace/table#az_monitor_log_analytics_workspace_table_list) command:

-To change the retention time for a table, run the [az monitor log-analytics workspace table update](/cli/azure/monitor/log-analytics/workspace/table#az_monitor_log_analytics_workspace_table_update) command:

-You can continuously export data from selected tables to an Azure storage account or Azure Event Hubs. Use the [az monitor log-analytics workspace data-export create](/cli/azure/monitor/log-analytics/workspace/data-export#az_monitor_log_analytics_workspace_data_export_create) command:

-To see your data exports, run the [az monitor log-analytics workspace data-export list](/cli/azure/monitor/log-analytics/workspace/data-export#az_monitor_log_analytics_workspace_data_export_list) command.

-To delete a data export, run the [az monitor log-analytics workspace data-export delete](/cli/azure/monitor/log-analytics/workspace/data-export#az_monitor_log_analytics_workspace_data_export_delete) command. The `--yes` parameter skips confirmation.

-To create a linked service, run the [az monitor log-analytics workspace linked-service create](/cli/azure/monitor/log-analytics/workspace/linked-service#az_monitor_log_analytics_workspace_linked_service_create) command:

-To remove a linked service relation, run the [az monitor log-analytics workspace linked-service delete](/cli/azure/monitor/log-analytics/workspace/linked-service#az_monitor_log_analytics_workspace_linked_service_delete) command:

-To link your workspace to a storage account, run the [az monitor log-analytics workspace linked-storage create](/cli/azure/monitor/log-analytics/workspace/linked-storage#az_monitor_log_analytics_workspace_linked_storage_create) command:

-To remove the link to a storage account, run the [az monitor log-analytics workspace linked-storage delete](/cli/azure/monitor/log-analytics/workspace/linked-storage#az_monitor_log_analytics_workspace_linked_storage_delete) command:

-To see the available intelligence packs, run the [az monitor log-analytics workspace pack list](/cli/azure/monitor/log-analytics/workspace/pack#az_monitor_log_analytics_workspace_pack_list) command. The command also tells you whether the pack is enabled.

-Use the [az monitor log-analytics workspace pack enable](/cli/azure/monitor/log-analytics/workspace/pack#az_monitor_log_analytics_workspace_pack_enable) or [az monitor log-analytics workspace pack disable](/cli/azure/monitor/log-analytics/workspace/pack#az_monitor_log_analytics_workspace_pack_disable) commands:

-To create a saved search, run the [az monitor log-analytics workspace saved-search](/cli/azure/monitor/log-analytics/workspace/saved-search#az_monitor_log_analytics_workspace_saved_search_create) command:

-View your saved search by using the [az monitor log-analytics workspace saved-search show](/cli/azure/monitor/log-analytics/workspace/saved-search#az_monitor_log_analytics_workspace_saved_search_show) command. See all saved searches by using [az monitor log-analytics workspace saved-search list](/cli/azure/monitor/log-analytics/workspace/saved-search#az_monitor_log_analytics_workspace_saved_search_list).

-To delete a saved search, run the [az monitor log-analytics workspace saved-search delete](/cli/azure/monitor/log-analytics/workspace/saved-search#az_monitor_log_analytics_workspace_saved_search_delete) command:

-If you want to remove a new workspace from an existing resource group, run the [az monitor log-analytics workspace delete](/cli/azure/monitor/log-analytics/workspace#az_monitor_log_analytics_workspace_delete) command:

-Log analytics workspaces have a soft delete option. You can recover a deleted workspace for two weeks after deletion. Run the [az monitor log-analytics workspace recover](/cli/azure/monitor/log-analytics/workspace#az_monitor_log_analytics_workspace_recover) command:

- | [Azure Virtual Desktop Insights](../virtual-desktop/azure-monitor.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/insights/menuId/insights) | Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Windows Virtual Desktop environments. |

- | [Microsoft Windows Virtual Desktop](../virtual-desktop/index.yml) | Microsoft.DesktopVirtualization/applicationgroups | No | [**Yes**](./essentials/resource-logs-categories.md#microsoftdesktopvirtualizationapplicationgroups) | [Windows Virtual Desktop Insights](../virtual-desktop/azure-monitor.md) | |

- | [Microsoft Windows Virtual Desktop](../virtual-desktop/index.yml) | Microsoft.DesktopVirtualization/hostpools | No | [**Yes**](./essentials/resource-logs-categories.md#microsoftdesktopvirtualizationhostpools) | [Windows Virtual Desktop Insights](../virtual-desktop/azure-monitor.md) | |

- | [Microsoft Windows Virtual Desktop](../virtual-desktop/index.yml) | Microsoft.DesktopVirtualization/workspaces | No | [**Yes**](./essentials/resource-logs-categories.md#microsoftdesktopvirtualizationworkspaces) | | |

-[Log alerts](../alerts/alerts-unified-log.md) can measure two different things, each of which supports distinct scenarios for monitoring virtual machines:

-To create resource-centric alerts at scale for a subscription or resource group, you can use the **Split by dimensions** section of the condition to split alerts into separate alerts by grouping unique combinations using numerical or string columns. When you want to monitor the same condition on multiple Azure resources, splitting on Azure resource ID column will change the target of the alert to the specified resource.

-2. Create a new resource group by using the [az group create](/cli/azure/group#az_group_create) command:

-3. Create Azure NetApp Files account with [az netappfiles account create](/cli/azure/netappfiles/account#az_netappfiles_account_create) command:

-2. Create a new capacity pool by using the [az netappfiles pool create](/cli/azure/netappfiles/pool#az_netappfiles_pool_create)

-1. Create virtual network without subnet by using the [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create) command.

-2. Create a delegated subnet by using [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) command.

-3. Create the volume by using the [az netappfiles volume create](/cli/azure/netappfiles/volume#az_netappfiles_volume_create) command.

-1. Delete resource group by using the [az group delete](/cli/azure/group#az_group_delete) command.

-| Issues deleting a capacity pool | Make sure that you remove all Azure NetApp Files volumes and snapshots in the subscription where you are trying to delete the capacity pool. <br> If you already removed all volumes and snapshots and you still cannot delete the capacity pool, references to resources might still exist without showing in the portal. In this case, file a support ticket, and specify that you have performed the above recommended steps. |

-| Changing the capacity pool for a volume is not permitted. | You might not be authorized yet to use this feature. <br> The feature to move a volume to another capacity pool is currently in preview. If you are using this feature for the first time, you need to register the feature first and set `-FeatureName ANFTierChange`. See the registration steps in [Dynamically change the service level of a volume](dynamic-change-volume-service-level.md). |

-The following examples use the commands to [show](/cli/azure/netappfiles/volume#az_netappfiles_volume_show) and [update](/cli/azure/netappfiles/volume#az_netappfiles_volume_update) the size of a volume:

-The following examples use the commands to [show](/cli/azure/netappfiles/pool#az_netappfiles_pool_show) and [update](/cli/azure/netappfiles/pool#az_netappfiles_pool_update) the size of a capacity pool:

-Run the [az portal dashboard create](/cli/azure/portal/dashboard#az_portal_dashboard_create) command to create a dashboard based on your template:

-You can update a dashboard by using the [az portal dashboard update](/cli/azure/portal/dashboard#az_portal_dashboard_update) command:

-See the details of a dashboard by running the [az portal dashboard show](/cli/azure/portal/dashboard#az_portal_dashboard_show) command:

-To see all the dashboards for the current subscription, use [az portal dashboard list](/cli/azure/portal/dashboard#az_portal_dashboard_list):

-To remove only the dashboard, use the [az portal dashboard delete](/cli/azure/portal/dashboard#az_portal_dashboard_delete) command:

-To [publish](bicep-cli.md#publish) modules to a private module registry or to [restore](bicep-cli.md#restore) external modules to the local cache, the account must have the correct permissions to access the registry. You can configure the credential precedence for authenticating to the registry. By default, Bicep uses the credentials from the user authenticated in Azure CLI or Azure PowerShell. To customize the credential precedence, add `cloud` and `credentialPrecedence` elements to the config file.

-```json

-{

- "cloud": {

- "credentialPrecedence": [

- "AzureCLI",

- "AzurePowerShell"

- ]

- }

-}

-```

-The available credentials are:

-Bicep supports a configuration file named **bicepconfig.json**. Within this file, you can add values that customize your Bicep development experience. If you don't add this file, Bicep uses default values.

-To customize values, create this file in the directory where you store Bicep files. You can add bicepconfig.json files in multiple directories. The closest configuration file in the directory hierarchy is used.

-When working with [modules](modules.md), you can add aliases for module paths. These aliases simplify your Bicep file because you don't have to repeat complicated paths. You can also configure the credential precedence for authenticating to the registry. The credential is used to restore external modules to the local cache. For more information, see [Add module settings to Bicep config](bicep-config-modules.md).

-When working with the [Bicep linter](linter.md), you can override the default settings for the Bicep file validation. For more information, see [Add linter settings to Bicep config](bicep-config-linter.md).

-The Bicep extension for Visual Studio Code supports intellisense for your **bicepconfig.json** file. Use the intellisense to discover available properties and values.

-Your GitHub action runs under an identity. Use the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command to create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) for the identity.

-Currently, Azure PowerShell doesn't support deploying remote Bicep files. Use [Bicep CLI](./install.md#vs-code-and-bicep-extension) to [build](/cli/azure/bicep#az_bicep_build) the Bicep file to a JSON template, and then load the JSON file to the remote location.

-For Azure CLI, use [az deployment mg create](/cli/azure/deployment/mg#az_deployment_mg_create):

-For Azure CLI, use [az deployment tenant create](/cli/azure/deployment/tenant#az_deployment_tenant_create):

-* [az deployment group what-if](/cli/azure/deployment/group#az_deployment_group_what_if) for resource group deployments

-* [az deployment sub what-if](/cli/azure/deployment/sub#az_deployment_sub_what_if) for subscription level deployments

-* [az deployment mg what-if](/cli/azure/deployment/mg#az_deployment_mg_what_if) for management group deployments

-* [az deployment tenant what-if](/cli/azure/deployment/tenant#az_deployment_tenant_what_if) for tenant deployments

-* [az deployment group create](/cli/azure/deployment/group#az_deployment_group_create)

-* [az deployment sub create](/cli/azure/deployment/sub#az_deployment_sub_create).

-* [az deployment mg create](/cli/azure/deployment/mg#az_deployment_mg_create)

-* [az deployment tenant create](/cli/azure/deployment/tenant#az_deployment_tenant_create)

- - Pass the service principal credentials as secure environment variables, and then can call [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) or [az login](/cli/azure/reference-index#az_login) in the deployment script.

- To get the login server name, use [az acr show](/cli/azure/acr#az_acr_show).

-Azure CLI examples use `az rest` for `REST` requests. For more information, see [az rest](/cli/azure/reference-index#az_rest).

-This example prompts you to enter a resource group, location, and provider's function app name. The names are stored in variables that are used in other commands. The [az group create](/cli/azure/group#az_group_create) and [az deployment group create](/cli/azure/deployment/group#az_deployment_group_create) commands deploy the resources.

-| [az managedapp definition create](/cli/azure/managedapp/definition#az_managedapp_definition_create) | Create a managed application definition. Provide the package that contains the required files. |

-| Microsoft.DesktopVirtualization | [Windows Virtual Desktop](../../virtual-desktop/index.yml) |

-To list all the subscription's preview features, use the [az feature list](/cli/azure/feature#az_feature_list) command.

-To filter output for a specific preview feature, use the [az feature show](/cli/azure/feature#az_feature_show) command.

-To register a preview feature, use the [az feature register](/cli/azure/feature#az_feature_register) command.

-To unregister a preview feature, use the [az feature unregister](/cli/azure/feature#az_feature_unregister) command. The `RegistrationState` state changes to **Unregistered**.

-* [az deployment group list](/cli/azure/deployment/group#az_deployment_group_list)

-* [az deployment group delete](/cli/azure/deployment/group#az_deployment_group_delete)

-* [az group list](/cli/azure/group#az_group_list)

-* [az group delete](/cli/azure/group#az_group_delete)

-* [az tag list](/cli/azure/tag#az_tag_list)

-* [az tag delete](/cli/azure/tag#az_tag_delete)

-You can create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.

-For Azure CLI, use [az deployment mg create](/cli/azure/deployment/mg#az_deployment_mg_create):

-For Azure CLI, use [az deployment tenant create](/cli/azure/deployment/tenant#az_deployment_tenant_create):

-For Azure CLI, use [az feature register](/cli/azure/feature#az_feature_register).

-To reenable automatic deletions, use [az feature unregister](/cli/azure/feature#az_feature_unregister).

- - Pass the service principal credentials as secure environment variables, and then can call [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) or [az login](/cli/azure/reference-index#az_login) in the deployment script.

-To export all resources in a resource group, use [az group export](/cli/azure/group#az_group_export) and provide the resource group name.

-To get a template from a resource group deployment, use the [az deployment group export](/cli/azure/deployment/group#az_deployment_group_export) command. You specify the name of the deployment to retrieve. For help with getting the name of a deployment, see [View deployment history with Azure Resource Manager](deployment-history.md).

-* [az deployment sub export](/cli/azure/deployment/sub#az_deployment_sub_export) for deployments to subscriptions

-* [az deployment mg export](/cli/azure/deployment/mg#az_deployment_mg_export) for deployments to management groups

-* [az deployment tenant export](/cli/azure/deployment/tenant#az_deployment_tenant_export) for deployments to tenants

-description: Learn how to create your first Azure Resource Manager template (ARM template) using the Azure portal, and how to deploy it.

-Learn how to generate an Azure Resource Manager template (ARM template) using the Azure portal, and the process of editing and deploying the template from the portal. ARM templates are JSON files that define the resources you need to deploy for your solution. To understand the concepts associated with deploying and managing your Azure solutions, see [template deployment overview](overview.md).

-Creating an ARM template from scratch is not an easy task, especially if you are new to Azure deployment and you are not familiar with the JSON format. Using the Azure portal, you can configure a resource, for example an Azure Storage account. Before you deploy the resource, you can export your configuration into a template. You can save the template and reuse it in the future.

-Many experienced template developers use this method to generate templates when they try to deploy Azure resources that they are not familiar with. For more information about exporting templates by using the portal, see [Export resource groups to templates](../management/manage-resource-groups-portal.md#export-resource-groups-to-templates). The other way to find a working template is from [Azure Quickstart templates](https://azure.microsoft.com/resources/templates/).

-1. Select **Review + create** on the bottom of the screen. Do not select **Create** in the next step.

- The main pane shows the template. It is a JSON file with six top-level elements - `schema`, `contentVersion`, `parameters`, `variables`, `resources`, and `output`. For more information, see [Understand the structure and syntax of ARM templates](./syntax.md)

- You can see the deployment status was successful, and there is only one storage account in the resource group. The storage account name is a unique string generated by the template. To learn more about using Azure storage accounts, see [Quickstart: Upload, download, and list blobs using the Azure portal](../../storage/blobs/storage-quickstart-blobs-portal.md).

-In this tutorial, you learned how to generate a template from the Azure portal, and how to deploy the template using the portal. The template used in this Quickstart is a simple template with one Azure resource. When the template is complex, it is easier to use Visual Studio Code or Visual Studio to develop the template. To learn more about template development, see our new beginner tutorial series:

-The following example shows how to use the `pickZones` function to enable zone redundancy for Cosmos DB.

-For Azure CLI, use [az ts create](/cli/azure/ts#az_ts_create) and provide the form in the `--ui-form-definition` parameter.

-The following ARM template and Bicep file get information from an existing storage account. You run the deployment with Azure PowerShell [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment) or Azure CLI [az deployment group create](/cli/azure/deployment/group#az_deployment_group_create). Specify the storage account's name and resource group. The output is an object with the storage account's property names and values.

-Use the [az deployment group delete](/cli/azure/deployment/group#az_deployment_group_delete) command to delete deployments from the history.

-Get the deployment operations with the [az deployment operation group list](/cli/azure/deployment/operation/group#az_deployment_operation_group_list) command:

-If you're using PowerShell or Azure CLI, check that you're running commands in the subscription that contains the resource. You can change the subscription with [Set-AzContext](/powershell/module/Az.Accounts/Set-AzContext) or [az account set](/cli/azure/account#az_account_set). Many commands provide a subscription parameter that lets you specify a different subscription than the current context.

-To get more information about a policy definition, use [az policy definition show](/cli/azure/policy/definition#az_policy_definition_show).

-To get more information about a policy assignment, use [az policy assignment show](/cli/azure/policy/assignment#az_policy_assignment_show).

-Use [az provider list](/cli/azure/provider#az_provider_list) to display the registration status for your subscription's resource providers. The examples use the `--output table` parameter to filter the output for readability. You can omit the parameter to see all properties.

-To register a resource provider, use the [az provider register](/cli/azure/provider#az_provider_register) command, and specify the _namespace_ to register.

-To get a resource type's supported locations, use [az provider show](/cli/azure/provider#az_provider_show):

-For Azure CLI, use the [az vm list-usage](/cli/azure/vm#az_vm_list_usage) command to find virtual machine quotas.

-This article describes how to resolve errors when a SKU isn't available in an Azure subscription's region or availability zones. Examples of resource SKUs are virtual machine (VM) size or storage account types. Errors occur during deployments with an Azure Resource Manager template (ARM template) or Bicep file. The error also occurs with commands like [New-AzVM](/powershell/module/az.compute/new-azvm) or [az vm create](/cli/azure/vm#az_vm_create) that specify a **size** parameter for a SKU that's not available.

-To determine which SKUs are available in a location or zone, use the [az vm list-skus](/cli/azure/vm#az_vm_list_skus) command.

-You can use [az rest](/cli/azure/reference-index#az_rest) to run the list operation. Replace `<subscription ID>` including the angle brackets with your subscription ID. The output is a large data set that you can save to a JSON file.

-To validate an ARM template before deployment, run [az deployment group validate](/cli/azure/deployment/group#az_deployment_group_validate).

-To see a deployment's operations messages with Azure CLI, use [az deployment operation group list](/cli/azure/deployment/operation/group#az_deployment_operation_group_list).

-To get a deployment's result, use [az deployment group show](/cli/azure/deployment/group#az_deployment_group_show).

-When you deploy, you can find the cause of errors from the Azure portal in a resource group's **Deployments** or **Activity log**. If you're using Azure PowerShell, use commands like [Get-AzResourceGroupDeploymentOperation](/powershell/module/az.resources/get-azresourcegroupdeploymentoperation) and [Get-AzActivityLog](/powershell/module/az.monitor/get-azactivitylog). For Azure CLI, use commands like [az deployment operation group](/cli/azure/deployment/operation/group) and [az monitor activity-log list](/cli/azure/monitor/activity-log#az_monitor_activity_log_list).

-description: Availability zones support in Azure SignalR Service

-# Availability zones support in Azure SignalR Service

-[Availability zones](../availability-zones/az-overview.md#availability-zones) are unique physical locations within an Azure region. To ensure resiliency, there's a minimum of three separate zones in all enabled regions. Each zone has one or more datacenters equipped with independent power, cooling, and networking.

-## Zone redundancy

-Azure SignalR Service leverages availability zones in a Zone Redundant manner. That means, the service doesn't spin to a specific zone. Instead workloads are evenly distributed across multiple zones in a region. When a single zone fails, traffic are automatically routed to other zones, keeping the service available.

-## Region support

-Not all Azure regions support availability zones. For the regions list, see [regions that support availability zones](../availability-zones/az-region.md).

-## Tier support

-Zone redundancy is a Premium tier feature. It is implicitly enabled when you create or upgrade to a Premium tier resource. Standard tier resources can be upgraded to Premium tier without downtime.

-* Learn more about building for [reliability](/azure/architecture/framework/resiliency/app-design) in Azure.

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az signalr create](/cli/azure/signalr#az_signalr_create) | Creates an Azure SignalR Service resource. |

-| [az signalr key list](/cli/azure/signalr/key#az_signalr_key_list) | List the keys, which will be used by your application when pushing real-time content updates with SignalR. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az signalr create](/cli/azure/signalr#az_signalr_create) | Creates an Azure SignalR Service resource. |

-| [az signalr key list](/cli/azure/signalr/key#az_signalr_key_list) | List the keys, which will be used by your application when pushing real-time content updates with SignalR. |

-| [az appservice plan create](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an Azure App Service Plan for hosting web apps. |

-| [az webapp create](/cli/azure/webapp#az_webapp_create) | Creates an Azure Web app using the App Service hosting plan. |

-| [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) | Adds new app settings for the web app. These app settings are used to store the SignalR connection string and GitHub OAuth app secrets. |

-| [az webapp deployment user set](/cli/azure/webapp/deployment/user#az_webapp_deployment_user_set) | Update deployment credentials. |

-| [az webapp deployment source config-local-git](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config_local_git) | Get a URL for a git repository endpoint to clone and push to for web app deployment. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az signalr create](/cli/azure/signalr#az_signalr_create) | Creates an Azure SignalR Service resource. |

-| [az signalr key list](/cli/azure/signalr/key#az_signalr_key_list) | List the keys, which will be used by your application when pushing real-time content updates with SignalR. |

-| [az appservice plan create](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an Azure App Service Plan for hosting web apps. |

-| [az webapp create](/cli/azure/webapp#az_webapp_create) | Creates an Azure Web app using the App Service hosting plan. |

-| [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) | Adds a new app setting for the web app. This app setting is used to store the SignalR connection string. |

-You can also use the Azure CLI to get compliance data. For example, use the [az policy assignment list](/cli/azure/policy/assignment#az_policy_assignment_list) command in the CLI to get the policy IDs of the Azure SignalR Service policies that are applied:

-Then run [az policy state list](/cli/azure/policy/state#az_policy_state_list) to return the JSON-formatted compliance state for all resources under a specific resource group:

-Or run [az policy state list](/cli/azure/policy/state#az_policy_state_list) to return the JSON-formatted compliance state of a specific SignalR resource:

-You also can regenerate keys by using the [Azure CLI](/cli/azure/signalr/key#az_signalr_key_renew).

-Run the [az sql db replica create](/cli/azure/sql/db/replica#az_sql_db_replica_create) command.

-When the deployment is complete, you can check the status of the secondary database by running the [az sql db replica list-links](/cli/azure/sql/db/replica#az_sql_db_replica_list-links) command:

-Run the [az sql db replica set-primary](/cli/azure/sql/db/replica#az_sql_db_replica_set-primary) command.

-Run the [az sql db replica delete-link](/cli/azure/sql/db/replica#az_sql_db_replica_delete-link) command.

-Write-Output "_subscriptionId:" (az account show --query "id")

-|[az sql mi ad-admin create](/cli/azure/sql/mi/ad-admin#az_sql_mi_ad_admin_create) | Provisions an Azure Active Directory administrator for the SQL Managed Instance (must be from the current subscription). |

-|[az sql mi ad-admin delete](/cli/azure/sql/mi/ad-admin#az_sql_mi_ad_admin_delete) | Removes an Azure Active Directory administrator for the SQL Managed Instance. |

-|[az sql mi ad-admin list](/cli/azure/sql/mi/ad-admin#az_sql_mi_ad_admin_list) | Returns information about an Azure Active Directory administrator currently configured for the SQL Managed Instance. |

-|[az sql mi ad-admin update](/cli/azure/sql/mi/ad-admin#az_sql_mi_ad_admin_update) | Updates the Active Directory administrator for the SQL Managed Instance. |

-|[az sql server ad-admin create](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_create) | Provisions an Azure Active Directory administrator for the server hosting SQL Database or Azure Synapse. (Must be from the current subscription) |

-|[az sql server ad-admin delete](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_delete) | Removes an Azure Active Directory administrator for the server hosting SQL Database or Azure Synapse. |

-|[az sql server ad-admin list](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_list) | Returns information about an Azure Active Directory administrator currently configured for the server hosting SQL Database or Azure Synapse. |

-|[az sql server ad-admin update](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_update) | Updates the Active Directory administrator for the server hosting SQL Database or Azure Synapse. |

-For more information, see [az sql server create](/cli/azure/sql/server#az_sql_server_create).

-For more information, see [az sql mi create](/cli/azure/sql/mi#az_sql_mi_create).

-For more information, see [az sql server create](/cli/azure/sql/server#az_sql_server_create).

-For more information, see [az sql db create](/cli/azure/sql/db#az_sql_db_create) and [az sql db update](/cli/azure/sql/db#az_sql_db_update).

-For syntax details, see [az sql db copy](/cli/azure/sql/db#az_sql_db_copy). For an overview of database copy, visit [Copy a transactionally consistent copy of a database in Azure SQL Database](database-copy.md).

-T-SQL CRUD operations can be blocked via Azure portal, [PowerShell](/powershell/module/az.resources/register-azproviderfeature), or [Azure CLI](/cli/azure/feature#az_feature_register).

-You can create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.

-The database copy is an asynchronous operation but the target database is created immediately after the request is accepted. If you need to cancel the copy operation while still in progress, drop the the target database using the [az sql db delete](/cli/azure/sql/db#az_sql_db_delete) command.

-Use the [az-sql-db-import](/cli/azure/sql/db#az_sql_db_import) command to submit an import database request to Azure. Depending on database size, the import may take some time to complete. The DTU based provisioning model supports select database max size values for each tier. When importing a database [use one of these supported values](/sql/t-sql/statements/create-database-transact-sql).

-|[az sql elastic-pool create](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_create)|Creates an elastic pool.|

-|[az sql elastic-pool list](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_list)|Returns a list of elastic pools in a server.|

-|[az sql elastic-pool list-dbs](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_list_dbs)|Returns a list of databases in an elastic pool.|

-|[az sql elastic-pool list-editions](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_list_editions)|Also includes available pool DTU settings, storage limits, and per database settings. In order to reduce verbosity, additional storage limits and per database settings are hidden by default.|

-|[az sql elastic-pool update](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_update)|Updates an elastic pool.|

-|[az sql elastic-pool delete](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_delete)|Deletes the elastic pool.|

-* [Azure CLI](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_update)

-Use the [az sql db update](/cli/azure/sql/db#az_sql_db_update) command to add a database to an elastic pool.

-| [az sql db update](/cli/azure/sql/db#az_sql_db_update) | Updates a database|

-Use the [az sql server create](/cli/azure/sql/server#az_sql_server_create) command to create a secondary server.

-Use the [az sql failover-group create](/cli/azure/sql/failover-group#az_sql_failover_group_create) command to create a failover group.

-Use the [az sql failover-group update](/cli/azure/sql/failover-group#az_sql_failover_group_update) command to add a database to the failover group.

-| [az sql server create](/cli/azure/sql/server#az_sql_server_create) | Creates a server that hosts databases and elastic pools. |

-| [az sql failover-group create](/cli/azure/sql/failover-group#az_sql_failover_group_create) | Creates a failover group. |

-| [az sql failover-group update](/cli/azure/sql/failover-group#az_sql_failover_group_update) | Updates a failover group.|

-Use the [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) command to confirm the roles of each server in the failover group.

-Use the [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) command to fail over to the secondary server. Use the [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) command to verify a successful failover.

-Use the [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) command to fail back to the primary server.

-| [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) | Gets the failover groups in a server. |

-| [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) | Set the primary of the failover group by failing over all databases from the current primary server. |

-| [az group delete](/cli/azure/vm/extension#az_vm_extension_set) | Deletes a resource group including all nested resources. |

-Use the [az sql server create](/cli/azure/sql/server#az_sql_server_create) command to create a secondary server with .

-Use the [az sql failover-group create](/cli/azure/sql/failover-group#az_sql_failover_group_create) command to create a failover group.

-| [az sql server create](/cli/azure/sql/server#az_sql_server_create) | Creates a server that hosts databases and elastic pools. |

-| [az sql failover-group create](/cli/azure/sql/failover-group#az_sql_failover_group_create) | Creates a failover group. |

-| [az sql failover-group update](/cli/azure/sql/failover-group#az_sql_failover_group_update) | Updates a failover group.|

-Use the [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) command to confirm the roles of each server.

-Use the [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) to fail over to the secondary server. Use the [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) command to verify a successful failover.

-Use the [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) command to fail back to the primary server.

-| [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) | Gets the failover groups in a server. |

-| [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) | Set the primary of the failover group by failing over all databases from the current primary server. |

-| [az group delete](/cli/azure/vm/extension#az_vm_extension_set) | Deletes a resource group including all nested resources. |

-| [az account set](/cli/azure/account#az_account_set) | Sets a subscription to be the current active subscription. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az sql server create](/cli/azure/sql/server#az_sql_server_create) | Creates a server that hosts single databases and elastic pools in Azure SQL Database. |

-| [az sql failover-group create](/cli/azure/sql/failover-group#az_sql_failover_group_create) | Creates a failover group in Azure SQL Database. |

-| [az sql failover-group show](/cli/azure/sql/failover-group#az_sql_failover_group_show) | Lists the failover groups in a server in Azure SQL Database. |

-| [az sql failover-group set-primary](/cli/azure/sql/failover-group#az_sql_failover_group_set_primary) | Set the primary of the failover group by failing over all databases from the current primary server. |

-| [az group delete](/cli/azure/vm/extension#az_vm_extension_set) | Deletes a resource group including all nested resources. |

-Run the [az sql db ltr-policy set](/cli/azure/sql/db/ltr-policy#az_sql_db_ltr_policy_set) command to create an LTR policy. The following example sets a long-term retention policy for 12 weeks for the weekly backup.

-Run the [az sql db ltr-policy show](/cli/azure/sql/db/ltr-policy#az_sql_db_ltr_policy_show) command to view the LTR policy for a single database on your server.

-Use the [az sql db ltr-backup list](/cli/azure/sql/db/ltr-backup#az_sql_db_ltr_backup_list) command to list the LTR backups for a database. You can use this command to find the `name` parameter for use in other commands.

-Run the [az sql db ltr-backup delete](/cli/azure/sql/db/ltr-backup#az_sql_db_ltr_backup_delete) command to remove an LTR backup. You can use [az sql db ltr-backup list](/cli/azure/sql/db/ltr-backup#az_sql_db_ltr_backup_list) to find the backup `name`.

-Run the [az sql db ltr-backup restore](/cli/azure/sql/db/ltr-backup#az_sql_db_ltr_backup_restore) command to restore your database from an LTR backup. You can run [az sql db ltr-backup show](/cli/azure/sql/db/ltr-backup#az_sql_db_ltr_backup_show) to get the `backup-id`.

-For more information, see [set active subscription](/cli/azure/account#az_account_set) or [log in interactively](/cli/azure/reference-index#az_login)

-](/cli/azure/maintenance/public-configuration#az_maintenance_public_configuration_list) command. For databases and elastic pools, set `maintenanceScope` to `SQLDB`.

-](/cli/azure/maintenance/public-configuration#az_maintenance_public_configuration_list) command. For managed instances, set `maintenanceScope` to `SQLManagedInstance`.

-The following example creates a new database and sets the maintenance window using the [az sql db create](/cli/azure/sql/db#az_sql_db_create) command. The `--maint-config-id` (or `-m`) must be set to a valid value for your database's region. To get valid values for your region, see [Discover available maintenance windows](#discover-available-maintenance-windows).

-The following example creates a new elastic pool and sets the maintenance window using the [az sql elastic-pool create](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_create) cmdlet. The maintenance window is set on the elastic pool, so all databases in the pool have the pool's maintenance window schedule. The `--maint-config-id` (or `-m`) must be set to a valid value for your pool's region. To get valid values for your region, see [Discover available maintenance windows](#discover-available-maintenance-windows).

-The following example creates a new managed instance and sets the maintenance window using [az sql mi create](/cli/azure/sql/mi#az_sql_mi_create). The maintenance window is set on the instance, so all databases in the instance have the instance's maintenance window schedule. *MaintenanceConfigName* must be a valid value for your instance's region. To get valid values for your region, see [Discover available maintenance windows](#discover-available-maintenance-windows).

-The following example sets the maintenance window on an existing database using the [az sql db update](/cli/azure/sql/db#az_sql_db_update) command. The `--maint-config-id` (or `-m`) must be set to a valid value for your database's region. To get valid values for your region, see [Discover available maintenance windows](#discover-available-maintenance-windows).

-The following example sets the maintenance window on an existing elastic pool using the [az sql elastic-pool update](/cli/azure/sql/elastic-pool#az_sql_elastic_pool_update) command.

-The following example sets the maintenance window using [az sql mi update](/cli/azure/sql/mi#az_sql_mi_update). The maintenance window is set on the instance, so all databases in the instance have the instance's maintenance window schedule. For `-MaintenanceConfigurationId`, the *MaintenanceConfigName* must be a valid value for your instance's region. To get valid values for your region, see [Discover available maintenance windows](#discover-available-maintenance-windows).

-This article assumes that you have already worked through the Azure SQL Database [database advisor recommendations](database-advisor-implement-performance-recommendations.md) and the Azure SQL Database [auto-tuning recommendations](automatic-tuning-overview.md), if applicable. It also assumes that you have reviewed [An overview of monitoring and tuning](monitor-tune-overview.md) and its related articles related to troubleshooting performance issues. Additionally, this article assumes that you do not have a CPU resources, running-related performance issue that can be resolved by increasing the compute size or service tier to provide more resources to your database.

-If you use Azure SQL Database, you can execute an open-source T-SQL [script](https://aka.ms/sqldbtips) to analyze your database on demand and provide tips to improve database performance and health. Some tips suggest configuration and operational changes based on best practices, while other tips recommend design changes suitable for your workload, such as enabling advanced database engine features.

-To learn more about the script and get started, visit the [wiki](https://aka.ms/sqldbtipswiki) page.

-| [az sql db copy](/cli/azure/sql/db#az_sql_db_copy) | Creates a copy of a database that uses the snapshot at the current time. |

-| [az sql server](/cli/azure/sql/server#az_sql_server_create) | Server commands |

-| [az sql server firewall](/cli/azure/sql/server/firewall-rule#az_sql_server_firewall_rule_create) | Server firewall commands. |

-| [az sql db](/cli/azure/sql/db#az_sql_db_create) | Database commands. |

-| [az sql db import](/cli/azure/sql/db#az_sql_db_import) | Database import command. |

-> Use [az sql db op list](/cli/azure/sql/db/op?#az_sql_db_op_list) to get a list of operations performed on the database, and use [az sql db op cancel](/cli/azure/sql/db/op#az_sql_db_op_cancel) to cancel an update operation on the database.

-| [az sql db show-usage](/cli/azure/sql#az_sql_show_usage) | Shows the size usage information for a database. |

-| [az sql db restore](/cli/azure/sql/db#az_sql_db_restore) | Restore database command. |

-| [az sql failover-group create](/cli/azure/sql/failover-group#az_sql_failover_group_create) | Creates a failover group. |

-The Azure CLI code blocks in this section use the [az sql up](/cli/azure/sql#az_sql_up) command to simplify the database creation process. With it, you can create a database and all of its associated resources with a single command. This includes the resource group, server name, server location, database name, and login information. The database is created with a default pricing tier of General Purpose, Provisioned, Gen5, 2 vCores.

-> [az sql up](/cli/azure/sql#az_sql_up) is currently in preview and does not currently support the serverless compute tier. Also, the use of non-alphabetic and non-numeric characters in the database name are not currently supported.

-Use the [az sql up](/cli/azure/sql#az_sql_up) command to create and configure a [logical server](logical-servers.md) for Azure SQL Database for immediate use. Make sure to record the generated resource group and server names, so you can manage these resources later.

-Use the following command to remove the resource group and all resources associated with it using the [az group delete](/cli/azure/vm/extension#az_vm_extension_set) command - unless you have an ongoing need for these resources. Some of these resources may take a while to create, as well as to delete.

-|[az sql db create](/cli/azure/sql/db#az_sql_db_create) |Creates a database|

-|[az sql db list](/cli/azure/sql/db#az_sql_db_list)|Lists all databases and data warehouses in a server, or all databases in an elastic pool|

-|[az sql db list-editions](/cli/azure/sql/db#az_sql_db_list_editions)|Lists available service objectives and storage limits|

-|[az sql db list-usages](/cli/azure/sql/db#az_sql_db_list_usages)|Returns database usages|

-|[az sql db show](/cli/azure/sql/db#az_sql_db_show)|Gets a database or data warehouse|

-|[az sql db update](/cli/azure/sql/db#az_sql_db_update)|Updates a database|

-|[az sql db delete](/cli/azure/sql/db#az_sql_db_delete)|Removes a database|

-|[az group create](/cli/azure/group#az_group_create)|Creates a resource group|

-|[az sql server create](/cli/azure/sql/server#az_sql_server_create)|Creates a server|

-|[az sql server list](/cli/azure/sql/server#az_sql_server_list)|Lists servers|

-|[az sql server list-usages](/cli/azure/sql/server#az_sql_server_list-usages)|Returns server usages|

-|[az sql server show](/cli/azure/sql/server#az_sql_server_show)|Gets a server|

-|[az sql server update](/cli/azure/sql/server#az_sql_server_update)|Updates a server|

-|[az sql server delete](/cli/azure/sql/server#az_sql_server_delete)|Deletes a server|

-|[az sql server firewall-rule create](/cli/azure/sql/server/firewall-rule#az_sql_server_firewall_rule_create)|Creates a server firewall rule|

-|[az sql server firewall-rule list](/cli/azure/sql/server/firewall-rule#az_sql_server_firewall_rule_list)|Lists the firewall rules on a server|

-|[az sql server firewall-rule show](/cli/azure/sql/server/firewall-rule#az_sql_server_firewall_rule_show)|Shows the detail of a firewall rule|

-|[az sql server firewall-rule update](/cli/azure/sql/server/firewall-rule##az_sql_server_firewall_rule_update)|Updates a firewall rule|

-|[az sql server firewall-rule delete](/cli/azure/sql/server/firewall-rule#az_sql_server_firewall_rule_delete)|Deletes a firewall rule|

-| [az security va sql baseline delete](/cli/azure/security/va/sql/baseline#az_security_va_sql_baseline_delete) | Delete Sql Vulnerability Assessment rule baseline. |

-| [az security va sql baseline list](/cli/azure/security/va/sql/baseline#az_security_va_sql_baseline_list) | View Sql Vulnerability Assessment baseline for all rules. |

-| [az security va sql baseline set](/cli/azure/security/va/sql/baseline#az_security_va_sql_baseline_set) | Sets Sql Vulnerability Assessment baseline. Replaces the current baseline. |

-| [az security va sql baseline show](/cli/azure/security/va/sql/baseline#az_security_va_sql_baseline_show) | View Sql Vulnerability Assessment rule baseline. |

-| [az security va sql baseline update](/cli/azure/security/va/sql/baseline#az_security_va_sql_baseline_update) | Update Sql Vulnerability Assessment rule baseline. Replaces the current rule baseline. |

-| [az security va sql results list](/cli/azure/security/va/sql/results#az_security_va_sql_results_list) | View all Sql Vulnerability Assessment scan results. |

-| [az security va sql results show](/cli/azure/security/va/sql/results#az_security_va_sql_results_show) | View Sql Vulnerability Assessment scan results. |

-| [az security va sql scans list](/cli/azure/security/va/sql/scans#az_security_va_sql_scans_list) | List all Sql Vulnerability Assessment scan summaries. |

-| [az security va sql scans show](/cli/azure/security/va/sql/scans#az_security_va_sql_scans_show) | View Sql Vulnerability Assessment scan summaries. |

-Use the [az keyvault key create](/cli/azure/keyvault/key#az_keyvault_key_create), [az sql server key create](/cli/azure/sql/server/key#az_sql_server_key_create), and [az sql server tde-key set](/cli/azure/sql/server/tde-key#az_sql_server_tde_key_set) commands.

-1. Create a [new key in Key Vault](/cli/azure/keyvault/key#az_keyvault_key_create). Make sure this new key is created in a separate key vault from the potentially compromised TDE protector, since access control is provisioned on a vault level.

-A script can also create virtual network rules by using the PowerShell cmdlet `New-AzSqlServerVirtualNetworkRule` or [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create). For more information, see [PowerShell to create a virtual network service endpoint and rule for SQL Database][sql-db-vnet-service-endpoint-rule-powershell-md-52d].

-|[az sql mi create](/cli/azure/sql/mi#az_sql_mi_create) |Creates a managed instance.|

-|[az sql mi list](/cli/azure/sql/mi#az_sql_mi_list)|Lists available managed instances.|

-|[az sql mi show](/cli/azure/sql/mi#az_sql_mi_show)|Gets the details for a managed instance.|

-|[az sql mi update](/cli/azure/sql/mi#az_sql_mi_update)|Updates a managed instance.|

-|[az sql mi delete](/cli/azure/sql/mi#az_sql_mi_delete)|Removes a managed instance.|

-|[az sql mi op list](/cli/azure/sql/mi/op#az_sql_mi_op_list)|Gets a list of management operations performed on the managed instance.|

-|[az sql mi op show](/cli/azure/sql/mi/op#az_sql_mi_op_show)|Gets the specific management operation performed on the managed instance.|

-|[az sql mi op cancel](/cli/azure/sql/mi/op#az_sql_mi_op_cancel)|Cancels the specific management operation performed on the managed instance.|

-|[az sql midb create](/cli/azure/sql/midb#az_sql_midb_create) |Creates a managed database.|

-|[az sql midb list](/cli/azure/sql/midb#az_sql_midb_list)|Lists available managed databases.|

-|[az sql midb restore](/cli/azure/sql/midb#az_sql_midb_restore)|Restores a managed database.|

-|[az sql midb delete](/cli/azure/sql/midb#az_sql_midb_delete)|Removes a managed database.|

-For more information, see [az sql mi create](/cli/azure/sql/mi#az_sql_mi_create).

-|[When using SQL Server authentication, usernames with '@' are not supported](#when-using-sql-server-authentication-usernames-with--are-not-supported)|Oct 2021|||

-### When using SQL Server authentication, usernames with '@' are not supported

-Usernames that contain the '@' symbol in the middle (e.g. 'abc@xy') are not able to log in using SQL Server authentication.

-|[az sql instance-pool create](/cli/azure/sql/instance-pool#az_sql_instance_pool_create) | Creates a SQL Managed Instance pool. |

-|[az sql instance-pool show](/cli/azure/sql/instance-pool#az_sql_instance_pool_show) | Returns information about an instance pool. |

-|[az sql instance-pool update](/cli/azure/sql/instance-pool#az_sql_instance_pool_update) | Sets or updates properties for an instance pool in SQL Managed Instance. |

-|[az sql instance-pool delete](/cli/azure/sql/instance-pool#az_sql_instance_pool_delete) | Removes an instance pool in SQL Managed Instance. |

-| **2. Start LRS in the cloud**. | You can restart the service with a choice of cmdlets: PowerShell ([start-azsqlinstancedatabaselogreplay](/powershell/module/az.sql/start-azsqlinstancedatabaselogreplay)) or Azure CLI ([az_sql_midb_log_replay_start cmdlets](/cli/azure/sql/midb/log-replay#az_sql_midb_log_replay_start)). <br /><br /> Start LRS separately for each database that points to a backup folder on Blob Storage. <br /><br /> After you start the service, it will take backups from the Blob Storage container and start restoring them on SQL Managed Instance.<br /><br /> If you started LRS in continuous mode, after all initially uploaded backups are restored, the service will watch for any new files uploaded to the folder. The service will continuously apply logs based on the log sequence number (LSN) chain until it's stopped. |

-| **2.1. Monitor the operation's progress**. | You can monitor progress of the restore operation with a choice of cmdlets: PowerShell ([get-azsqlinstancedatabaselogreplay](/powershell/module/az.sql/get-azsqlinstancedatabaselogreplay)) or Azure CLI ([az_sql_midb_log_replay_show cmdlets](/cli/azure/sql/midb/log-replay#az_sql_midb_log_replay_show)). |

-| **2.2. Stop the operation if needed**. | If you need to stop the migration process, you have a choice of cmdlets: PowerShell ([stop-azsqlinstancedatabaselogreplay](/powershell/module/az.sql/stop-azsqlinstancedatabaselogreplay)) or Azure CLI ([az_sql_midb_log_replay_stop](/cli/azure/sql/midb/log-replay#az_sql_midb_log_replay_stop)). <br /><br /> Stopping the operation will delete the database that you're restoring on SQL Managed Instance. After you stop an operation, you can't resume LRS for a database. You need to restart the migration process from the scratch. |

-| **3. Cut over to the cloud when you're ready**. | Stop the application and the workload. Take the last log-tail backup and upload it to Azure Blob Storage.<br /><br /> Complete the cutover by initiating an LRS `complete` operation with a choice of cmdlets: PowerShell ([complete-azsqlinstancedatabaselogreplay](/powershell/module/az.sql/complete-azsqlinstancedatabaselogreplay)) or Azure CLI [az_sql_midb_log_replay_complete](/cli/azure/sql/midb/log-replay#az_sql_midb_log_replay_complete). This operation will stop LRS and cause the database to come online for read and write use on SQL Managed Instance.<br /><br /> Repoint the application connection string from SQL Server to SQL Managed Instance. You will need to orchestrate this step yourself, either through a manual connection string change in your application, or automatically (for example, if your application can read the connection string from a property, or a database). |

-1. Run the [az sql midb show](/cli/azure/sql/midb#az_sql_midb_show) command to get the details for the Managed Instance database.

-2. Run the [az sql midb ltr-policy set](/cli/azure/sql/midb/ltr-policy#az_sql_midb_ltr_policy_set) command to create an LTR policy. The following example sets a long-term retention policy for 12 weeks for the weekly backup.

-Run the [az sql midb ltr-policy show](/cli/azure/sql/midb/ltr-policy#az_sql_midb_ltr_policy_show) command to view the LTR policy for a single database within an instance.

-Use the [az sql midb ltr-backup list](/cli/azure/sql/midb/ltr-backup#az_sql_midb_ltr_backup_list) command to view the LTR backups within an instance.

-Run the [az sql midb ltr-backup delete](/cli/azure/sql/midb/ltr-backup#az_sql_midb_ltr_backup_delete) command to remove an LTR backup. You can run [az sql midb ltr-backup list](/cli/azure/sql/midb/ltr-backup#az_sql_midb_ltr_backup_list) to get the backup `name`.

-Run the [az sql midb ltr-backup restore](/cli/azure/sql/midb/ltr-backup#az_sql_midb_ltr_backup_restore) command to restore your database from an LTR backup. You can run [az sql midb ltr-backup show](/cli/azure/sql/midb/ltr-backup#az_sql_midb_ltr_backup_show) to get the `backup-id`.

-For a detailed explanation of the available parameters, see the [CLI documentation for restoring a database in a SQL Managed Instance](/cli/azure/sql/midb#az_sql_midb_restore).

-As an alternative to manual creation of SQL Managed Instance, you can use [PowerShell](scripts/create-configure-managed-instance-powershell.md), [PowerShell with Resource Manager template](./create-template-quickstart.md), or [Azure CLI](/cli/azure/sql/mi#az_sql_mi_create) to script and automate this process.

-For more details, check [az sql mi update](/cli/azure/sql/mi#az_sql_mi_update) command.

-Use Azure CLI command [az resource invoke-action](/cli/azure/resource#az_resource_invoke_action) to synchronize DNS servers configuration for all the virtual clusters in the subnet.

-Use the Azure CLI [az sql mi update](/cli/azure/sql/mi#az_sql_mi_update) command to move your instance to another subnet.

-The Azure CLI [az sql vm group](/cli/azure/sql/vm/group) command group manages the metadata of the Windows Server Failover Cluster (WSFC) service that hosts the availability group. Cluster metadata includes the Active Directory domain, cluster accounts, storage accounts to be used as the cloud witness, and SQL Server version. Use [az sql vm group create](/cli/azure/sql/vm/group#az_sql_vm_group_create) to define the metadata for WSFC so that when the first SQL Server VM is added, the cluster is created as defined.

-Adding the first SQL Server VM to the cluster creates the cluster. The [az sql vm add-to-group](/cli/azure/sql/vm#az_sql-vm_add_to_group) command creates the cluster with the name previously given, installs the cluster role on the SQL Server VMs, and adds them to the cluster. Subsequent uses of the `az sql vm add-to-group` command add more SQL Server VMs to the newly created cluster.

-After you manually create the availability group, you can create the listener by using [az sql vm ag-listener](/cli/azure/sql/vm/group/ag-listener#az_sql_vm_group_ag_listener_create).

-There's an added layer of complexity when you're deploying an availability group to SQL Server VMs hosted in Azure. The resource provider and the virtual machine group now manage the resources. As such, when you're adding or removing replicas in the availability group, there's an additional step of updating the listener metadata with information about the SQL Server VMs. When you're modifying the number of replicas in the availability group, you must also use the [az sql vm group ag-listener update](/cli/azure/sql/vm/group/ag-listener#az_sql_vm_group_ag_listener_update) command to update the listener with the metadata of the SQL Server VMs.

-To unregister your SQL Server VM from the extension with the Azure CLI, use the [az sql vm delete](/cli/azure/sql/vm#az_sql_vm_delete) command. This removes the SQL Server VM *resource* but does not delete the virtual machine.

-You can also use the Azure CLI to get compliance data. For example, use the [az policy assignment list](/cli/azure/policy/assignment#az_policy_assignment_list) command in the CLI to get the policy IDs of the Azure Web PubSub Service policies that are applied:

-Then run [az policy state list](/cli/azure/policy/state#az_policy_state_list) to return the JSON-formatted compliance state for all resources under a specific resource group:

-Or run [az policy state list](/cli/azure/policy/state#az_policy_state_list) to return the JSON-formatted compliance state of a specific Web PubSub resource:

-Use the Azure CLI [az webpubsub hub create](/cli/azure/webpubsub/hub#az_webpubsub_hub_update) command to create the event handler settings for the chat hub

-1. A vault is placed in a resource group. If you donΓÇÖt have an existing resource group, create a new one with [az group create](/cli/azure/group#az_group_create) . In this tutorial, we create the new resource group *azurefiles* in the East US region.

-1. Use the [az backup vault create](/cli/azure/backup/vault#az_backup_vault_create) cmdlet to create the vault. Specify the same location for the vault as was used for the resource group.

-This section assumes that you already have an Azure file share for which you want to configure backup. If you don't have one, create an Azure file share using the [az storage share create](/cli/azure/storage/share#az_storage_share_create) command.

-To enable backup for file shares, you need to create a protection policy that defines when a backup job runs and how long recovery points are stored. You can create a backup policy using the [az backup policy create](/cli/azure/backup/policy#az_backup_policy_create) cmdlet.

-The following example uses the [az backup protection enable-for-azurefileshare](/cli/azure/backup/protection#az_backup_protection_enable_for_azurefileshare) cmdlet to enable backup for the *azurefiles* file share in the *afsaccount* storage account using the *schedule 1* backup policy:

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your **enable backup** operation. To track status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-If you want to trigger an on-demand backup for your file share instead of waiting for the backup policy to run the job at the scheduled time, use the [az backup protection backup-now](/cli/azure/backup/protection#az_backup_protection_backup_now) cmdlet.

-* **--container-name** is the name of the storage account hosting the file share. To retrieve the **name** or **friendly name** of your container, use the [az backup container list](/cli/azure/backup/container#az_backup_container_list) command.

-* **--item-name** is the name of the file share for which you want to trigger an on-demand backup. To retrieve the **name** or **friendly name** of your backed-up item, use the [az backup item list](/cli/azure/backup/item#az_backup_item_list) command.

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your ΓÇ£on-demand backupΓÇ¥ operation. To track the status of a job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-Before creating a Backup vault, choose the storage redundancy of the data within the vault. Then proceed to create the Backup vault with that storage redundancy and the location. In this article, we'll create a Backup vault _TestBkpVault_, in the region _westus_, under the resource group _testBkpVaultRG_. Use the [az dataprotection vault create](/cli/azure/dataprotection/backup-vault#az_dataprotection_backup_vault_create) command to create a Backup vault. Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).

-To understand the inner components of a Backup policy for Azure Blobs backup, retrieve the policy template using the [az dataprotection backup-policy get-default-policy-template](/cli/azure/dataprotection/backup-policy#az_dataprotection_backup_policy_get_default_policy_template) command. This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.

-Once the policy JSON has all the required values, proceed to create a new policy from the policy object using the [az dataprotection backup-policy create](/cli/azure/dataprotection/backup-policy#az_dataprotection_backup_policy_create) command.

-Once all the relevant permissions are set, the configuration of backup is performed in 2 steps. First, we prepare the relevant request by using the relevant vault, policy, storage account using the [az dataprotection backup-instance initialize](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_initialize) command. Then, we submit the request to protect the disk using the [az dataprotection backup-instance create](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_create) command.

-Before you create a Backup vault, choose the storage redundancy of the data within the vault. Then proceed to create the Backup vault with that storage redundancy and the location. In this article, we'll create a Backup vault _TestBkpVault_, in the region _westus_, under the resource group _testBkpVaultRG_. Use the [az dataprotection vault create](/cli/azure/dataprotection/backup-vault#az_dataprotection_backup_vault_create) command to create a Backup vault. Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).

-To understand the inner components of a Backup policy for Azure Disk Backup, retrieve the policy template using the [az dataprotection backup-policy get-default-policy-template](/cli/azure/dataprotection/backup-policy#az_dataprotection_backup_policy_get_default_policy_template) command. This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.

-Once the template is downloaded as a JSON file, you can edit it for scheduling and retention as required. Then create a new policy with the resulting JSON. If you want to edit the hourly frequency or the retention period, use the [az dataprotection backup-policy trigger set](/cli/azure/dataprotection/backup-policy/trigger#az_dataprotection_backup_policy_trigger_set) and/or [az dataprotection backup-policy retention-rule set](/cli/azure/dataprotection/backup-policy/retention-rule#az_dataprotection_backup_policy_retention_rule_set) commands. Once the policy JSON has all the required values, proceed to create a new policy from the policy object using the [az dataprotection backup-policy create](/cli/azure/dataprotection/backup-policy#az_dataprotection_backup_policy_create) command.

-The Backup vaults require permissions on the disk and the snapshot resource group to be able to trigger snapshots and manage their lifecycle. The system-assigned managed identity of the vault is used for assigning such permissions. Use the [az dataprotection backup-vault update](/cli/azure/dataprotection/backup-vault#az_dataprotection_backup_vault_update) command to enable system-assigned managed identity for the Recovery Services Vault.

-Once all the relevant permissions are set, the configuration of backup is performed in two steps. First, we prepare the relevant request by using the relevant vault, policy, disk, and snapshot resource group using the [az dataprotection backup-instance initialize](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_initialize) command. The initialize command will return a JSON file, and then you have to update the snapshot resource group value. Then, we submit the request to protect the disk using the [az dataprotection backup-instance create](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_create) command.

-List all backup instances within a vault using [az dataprotection backup-instance list](/cli/azure/dataprotection/backup-instance) command, and then fetch the relevant instance using the [az dataprotection backup-instance show](/cli/azure/dataprotection/backup-instance) command. Alternatively, for at-scale scenarios, you can list backup instances across vaults and subscriptions using the [az dataprotection backup-instance list-from-resourcegraph](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list_from_resourcegraph) command.

-Trigger an on-demand backup using the [az dataprotection backup-instance adhoc-backup](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_adhoc_backup) command.

-Track all the jobs using the [az dataprotection job list](/cli/azure/dataprotection/job#az_dataprotection_job_list) command. You can list all jobs and fetch a particular job detail.

-You can also use Az.ResourceGraph to track all jobs across all Backup vaults. Use the [az dataprotection job list-from-resourcegraph](/cli/azure/dataprotection/job#az_dataprotection_job_list_from_resourcegraph) command to get the relevant job that can be across any Backup vault.

-In this article, we'll create a Backup vault _TestBkpVault_, in the region _westus_, under the resource group _testBkpVaultRG_. Use the [az dataprotection vault create](/cli/azure/dataprotection/backup-vault#az_dataprotection_backup_vault_create) command to create a Backup vault. Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).

-To understand the inner components of a Backup policy for Azure PostgreSQL database backup, retrieve the policy template using the [az dataprotection backup-policy get-default-policy-template](/cli/azure/dataprotection/backup-policy#az_dataprotection_backup_policy_get_default_policy_template) command. This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.

-The default policy template offers a backup once per week. You can modify the schedule for the backup to happen multiple days per week. To modify the schedule, use the [az dataprotection backup-policy trigger set](/cli/azure/dataprotection/backup-policy/trigger#az_dataprotection_backup_policy_trigger_set) command.

-The default template will have a lifecycle for the initial datastore under the default retention rule. In this scenario, the rule says to delete the backup data after three months. You should add a new retention rule that defines when the data is *moved* to *archive* datastore, that is, backup data is first copied to archive datastore, and then deleted in vault datastore. Also, the rule should define for how long the data is kept in the *archive* datastore. Use the [az dataprotection backup-policy retention-rule create-lifecycle](/cli/azure/dataprotection/backup-policy/retention-rule#az_dataprotection_backup_policy_retention_rule_create_lifecycle) command to create new lifecycles and use the [az dataprotection backup-policy retention-rule set](/cli/azure/dataprotection/backup-policy/retention-rule#az_dataprotection_backup_policy_retention_rule_set) command to associate them with the new rules or to the existing rules.

-Once a retention rule is created, you've to create a corresponding *tag* in the *Trigger* property of the Backup policy. Use the [az dataprotection backup-policy tag create-absolute-criteria](/cli/azure/dataprotection/backup-policy/tag#az_dataprotection_backup_policy_tag_create_absolute_criteria) command to create a new tagging criteria and use the [az dataprotection backup-policy tag set](/cli/azure/dataprotection/backup-policy/tag#az_dataprotection_backup_policy_tag_set) command to update the existing tag or create a new tag.

-Suppose if the schedule is multiple backups per week (every Sunday, Wednesday, Thursday as specified in the above example) and you want to archive the Sunday and Friday backups, then the tagging criteria can be changed as follows, using the [az dataprotection backup-policy tag create-generic-criteria](/cli/azure/dataprotection/backup-policy/tag#az_dataprotection_backup_policy_tag_create_generic_criteria) command.

-Once the template is modified as per the requirements, use the [az dataprotection backup-policy create](/cli/azure/dataprotection/backup-policy#az_dataprotection_backup_policy_create) command to create a policy using the modified template.

-1. We prepare the relevant request by using the relevant vault, policy, PostgreSQL database using the [az dataprotection backup-instance initialize](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_initialize) command.

-1. We submit the request to protect the database using the [az dataprotection backup-instance create](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_create) command.

-To trigger an on-demand backup, use the [az dataprotection backup-instance adhoc-backup](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_adhoc_backup) command.

-Track all jobs using the [az dataprotection job list](/cli/azure/dataprotection/job#az_dataprotection_job_list) command. You can list all jobs and fetch a particular job detail.

-You can also use _Az.ResourceGraph_ to track all jobs across all Backup vaults. Use the [az dataprotection job list-from-resourcegraph](/cli/azure/dataprotection/job#az_dataprotection_job_list_from_resourcegraph) command to fetch the relevant jobs that are across Backup vaults.

-| Restore | Cross-region restore | Supported <br><br> [See the examples](./backup-azure-vms-automation.md#restore-disks-to-a-secondary-region). | Supported <br><br> [See the examples](/cli/azure/backup/restore#az_backup_restore_restore_disks). | Supported <br><br> [See the examples](./backup-azure-arm-userestapi-restoreazurevms.md#cross-region-restore). | N/A | N/A | N/A | N/A |

-| Manage | Stop protection and retain backup data | Supported <br><br> [See the examples](./backup-azure-vms-automation.md#retain-data). | Supported <br><br> [See the examples](/cli/azure/backup/protection#az_backup_protection_disable). | Supported <br><br> [See the examples](./backup-azure-arm-userestapi-backupazurevms.md#stop-protection-but-retain-existing-data). | N/A | N/A | N/A | N/A |

-| Manage | Stop protection and delete backup data | Supported <br><br> [See the examples](./backup-azure-vms-automation.md#delete-backup-data). | Supported <br><br> [See the examples](/cli/azure/backup/protection#az_backup_protection_disable). | Supported <br><br> [See the examples](./backup-azure-arm-userestapi-backupazurevms.md#stop-protection-and-delete-data). | N/A | N/A | N/A | N/A |

-| Manage | Resume protection | Supported <br><br> [See the examples](./backup-azure-vms-automation.md#resume-backup). | Supported <br><br> [See the examples](/cli/azure/backup/protection#az_backup_protection_resume). | Supported <br><br> [See the examples](./backup-azure-arm-userestapi-backupazurevms.md#undo-the-deletion) | N/A | N/A | N/A | N/A |

-Use the [az ad sp list](/cli/azure/ad/sp#az_ad_sp_list) command to get the principal ID of the Recovery Services vault, and then use this ID in the [az keyvault set-policy](/cli/azure/keyvault#az_keyvault_set_policy) command to set an access policy for the Key vault.

-Use the [az backup vault encryption update](/cli/azure/backup/vault/encryption#az_backup_vault_encryption_update) command to enable encryption using customer-managed keys, and to assign or update the encryption key to be used.

-Use the [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks) command with the parameter [`-DiskEncryptionSetId <string>`] to [specify the DES](/cli/azure/disk-encryption-set) to be used for encrypting the restored disk.

-When you trigger backup or restore operations, the backup service creates a job for tracking. To monitor completed or currently running jobs, use the [az backup job list](/cli/azure/backup/job#az_backup_job_list) cmdlet. With the CLI, you also can [suspend a currently running job](/cli/azure/backup/job#az_backup_job_stop) or [wait until a job finishes](/cli/azure/backup/job#az_backup_job_wait).

-You can create a backup policy by executing the [az backup policy create](/cli/azure/backup/policy#az_backup_policy_create) command with the following parameters:

-You can modify a backup policy to change backup frequency or retention range by using [az backup item set-policy](/cli/azure/backup/item#az_backup_item_set_policy).

-* **--container-name**: The name of the storage account that hosts the file share. To retrieve the **name** or **friendly name** of your container, use the [az backup container list](/cli/azure/backup/container#az_backup_container_list) command.

-* **--name**: The name of the file share for which you want to change the policy. To retrieve the **name** or **friendly name** of your backed-up item, use the [az backup item list](/cli/azure/backup/item#az_backup_item_list) command.

-* **--policy-name**: The name of the backup policy you want to set for your file share. You can use [az backup policy list](/cli/azure/backup/policy#az_backup_policy_list) to view all the policies for your vault.

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your change policy operation. To track the status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-* **--container-name**: The name of the storage account that hosts the file share. To retrieve the **name** or **friendly name** of your container, use the [az backup container list](/cli/azure/backup/container#az_backup_container_list) command.

-* **--item-name**: The name of the file share for which you want to stop protection. To retrieve the **name** or **friendly name** of your backed-up item, use the [az backup item list](/cli/azure/backup/item#az_backup_item_list) command.

-To stop protection while retaining data, use the [az backup protection disable](/cli/azure/backup/protection#az_backup_protection_disable) cmdlet.

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your stop protection operation. To track the status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-To stop protection without retaining recovery points, use the [az backup protection disable](/cli/azure/backup/protection#az_backup_protection_disable) cmdlet with the **delete-backup-data** option set to **true**.

-* **--container-name**: The name of the storage account that hosts the file share. To retrieve the **name** or **friendly name** of your container, use the [az backup container list](/cli/azure/backup/container#az_backup_container_list) command.

-* **--item-name**: The name of the file share for which you want to resume protection. To retrieve the **name** or **friendly name** of your backed-up item, use the [az backup item list](/cli/azure/backup/item#az_backup_item_list) command.

-The following example uses the [az backup protection resume](/cli/azure/backup/protection#az_backup_protection_resume) cmdlet to resume protection for the *azurefiles* file share by using the *schedule1* backup policy.

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your resume protection operation. To track the status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-You need to provide a container name to unregister the storage account. To retrieve the **name** or the **friendly name** of your container, use the [az backup container list](/cli/azure/backup/container#az_backup_container_list) command.

-The following example unregisters the *afsaccount* storage account from *azurefilesvault* by using the [az backup container unregister](/cli/azure/backup/container#az_backup_container_unregister) cmdlet.

-1. Execute the [az backup policy show](/cli/azure/backup/policy#az_backup_policy_show) command to retrieve the details of policy you want to update.

-1. Execute the [az backup policy set](/cli/azure/backup/policy#az_backup_policy_set) command and pass the complete path of the updated JSON file as the value for the **

->You can also retrieve the sample JSON policy by executing the [az backup policy get-default-for-vm](/cli/azure/backup/policy#az_backup_policy_get_default_for_vm) command.

-Create a Recovery Services vault with [az backup vault create](/cli/azure/backup/vault#az_backup_vault_create). Specify the same resource group and location as the VM you wish to protect. If you used the [VM quickstart](../virtual-machines/linux/quick-create-cli.md), then you created:

-By default, the Recovery Services vault is set for Geo-Redundant storage. Geo-Redundant storage ensures your backup data is replicated to a secondary Azure region that's hundreds of miles away from the primary region. If the storage redundancy setting needs to be modified, use [az backup vault backup-properties set](/cli/azure/backup/vault/backup-properties#az_backup_vault_backup_properties_set) cmdlet.

-Create a protection policy to define: when a backup job runs, and how long the recovery points are stored. The default protection policy runs a backup job each day and retains recovery points for 30 days. You can use these default policy values to quickly protect your VM. To enable backup protection for a VM, use [az backup protection enable-for-vm](/cli/azure/backup/protection#az_backup_protection_enable_for_vm). Specify the resource group and VM to protect, then the policy to use:

-To start a backup now rather than wait for the default policy to run the job at the scheduled time, use [az backup protection backup-now](/cli/azure/backup/protection#az_backup_protection_backup_now). This first backup job creates a full recovery point. Each backup job after this initial backup creates incremental recovery points. Incremental recovery points are storage and time-efficient, as they only transfer changes made since the last backup.

-To monitor the status of backup jobs, use [az backup job list](/cli/azure/backup/job#az_backup_job_list):

-When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services vault, then delete the resource group and associated VM resources. If you used an existing VM, you can skip the final [az group delete](/cli/azure/group#az_group_delete) command to leave the resource group and VM in place.

-Use the [az backup recoverypoint list](/cli/azure/backup/recoverypoint#az_backup_recoverypoint_list) cmdlet to list all recovery points for the backed-up file share.

-* **--container-name**: The name of the storage account that hosts the backed-up original file share. To retrieve the name or friendly name of your container, use the [az backup container list](/cli/azure/backup/container#az_backup_container_list) command.

-* **--item-name**: The name of the backed-up original file share you want to use for the restore operation. To retrieve the name or friendly name of your backed-up item, use the [az backup item list](/cli/azure/backup/item#az_backup_item_list) command.

-The following example uses the [az backup restore restore-azurefileshare](/cli/azure/backup/restore#az_backup_restore_restore_azurefileshare) cmdlet with restore mode set to *originallocation* to restore the *azurefiles* file share in the original location. You use the recovery point 932883129628959823, which you obtained in [Fetch recovery points for the Azure file share](#fetch-recovery-points-for-the-azure-file-share):

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your restore operation. To track the status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-The following example uses [az backup restore restore-azurefileshare](/cli/azure/backup/restore#az_backup_restore_restore_azurefileshare) with restore mode as *alternatelocation* to restore the *azurefiles* file share in the *afsaccount* storage account to the *azurefiles1"* file share in the *afaccount1* storage account.

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your restore operation. To track the status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-* **--container-name**: The name of the storage account that hosts the backed-up original file share. To retrieve the name or friendly name of your container, use the [az backup container list](/cli/azure/backup/container#az_backup_container_list) command.

-* **--item-name**: The name of the backed-up original file share you want to use for the restore operation. To retrieve the name or friendly name of your backed-up item, use the [az backup item list](/cli/azure/backup/item#az_backup_item_list) command.

-* **SourceFilePath**: The absolute path of the file, to be restored within the file share, as a string. This path is the same path used in the [az storage file download](/cli/azure/storage/file#az_storage_file_download) or [az storage file show](/cli/azure/storage/file#az_storage_file_show) CLI commands.

-Use the [az backup restore restore-azurefiles](/cli/azure/backup/restore#az_backup_restore_restore_azurefiles) cmdlet with restore mode set to *originallocation* to restore specific files or folders to their original location.

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your restore operation. To track the status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-To restore specific files or folders to an alternate location, use the [az backup restore restore-azurefiles](/cli/azure/backup/restore#az_backup_restore_restore_azurefiles) cmdlet with restore mode set to *alternatelocation* and specify the following target-related parameters:

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your restore operation. To track the status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-The **Name** attribute in the output corresponds to the name of the job that's created by the backup service for your restore operation. To track the status of the job, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-First, we need to fetch the relevant backup instance ID. List all backup instances within a vault using the [az dataprotection backup-instance list](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list) command, and then fetch the relevant instance using [az dataprotection backup-instance show](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_show) command. Alternatively, for at-scale scenarios, you can list backup instances across vaults and subscriptions using the [az dataprotection backup-instance list-from-resourcegraph](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list_from_resourcegraph) command.

-Once the instance is identified, fetch the relevant recovery range using the [az dataprotection restorable-time-range find](/cli/azure/dataprotection/restorable-time-range#az_dataprotection_restorable_time_range_find) command.

-Using this option, you can restore all block blobs in the storage account by rolling them back to the selected point in time. Storage accounts containing large amounts of data or witnessing a high churn may take longer times to restore. To restore all block blobs, use the [az dataprotection backup-instance restore initialize-for-data-recovery](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_initialize_for_data_recovery) command. The restore location and the target resource ID will be the same as the protected storage account.

-Using this option, you can browse and select up to 10 containers to restore. To restore selected containers, use the [az dataprotection backup-instance restore initialize-for-item-recovery](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_initialize_for_item_recovery) command.

-To restore selected containers, use the [az dataprotection backup-instance restore initialize-for-item-recovery](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_initialize_for_item_recovery) command.

-Use the [az dataprotection backup-instance restore trigger](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_trigger) command to trigger the restore with the request prepared above.

-Track all the jobs using the [az dataprotection job list](/cli/azure/dataprotection/job#az_dataprotection_job_list) command. You can list all jobs and fetch a particular job detail.

-You can also use Az.ResourceGraph to track all jobs across all Backup vaults. Use the [az dataprotection job list-from-resourcegraph](/cli/azure/dataprotection/job#az_dataprotection_job_list_from_resourcegraph) command to get the relevant job which can be across any Backup vault.

-List all backup instances within a vault using [az dataprotection backup-instance list](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list) command, and then fetch the relevant instance using the [az dataprotection backup-instance show](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_show) command. Alternatively, for at-scale scenarios, you can list backup instances across vaults and subscriptions using the [az dataprotection backup-instance list-from-resourcegraph](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list_from_resourcegraph)

-Once the instance is identified, fetch the relevant recovery point using the [az dataprotection recovery-point list](/cli/azure/dataprotection/recovery-point#az_dataprotection_recovery_point_list) command.

-Use the [az dataprotection backup-instance restore initialize-for-data-recovery](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_initialize_for_data_recovery) command to prepare the restore request with all relevant details.

-You can also validate if the JSON file will succeed in creating new resources using the [az dataprotection backup-instance validate-for-restore](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_validate_for_restore) command.

-Use the [az dataprotection backup-instance restore trigger](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_trigger) command to trigger the restore with the request prepared above.

-Track all jobs using the [az dataprotection job list](/cli/azure/dataprotection/job#az_dataprotection_job_list) command. You can list all jobs and fetch a particular job detail.

-You can also use Az.ResourceGraph to track all jobs across all Backup vaults. Use the [az dataprotection job list-from-resourcegraph](/cli/azure/dataprotection/job#az_dataprotection_job_list_from_resourcegraph) command to get the relevant job that can be across any Backup vault.

-To list all backup instances within a vault, use [az dataprotection backup-instance list](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list) command. Then fetch the relevant instance using the [az dataprotection backup-instance show](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_show) command. Alternatively, for _at-scale_ scenarios, you can list backup instances across vaults and subscriptions using the [az dataprotection backup-instance list-from-resourcegraph](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_list_from_resourcegraph) command.

-Once the instance is identified, fetch the relevant recovery point using the [az dataprotection recovery-point list](/cli/azure/dataprotection/recovery-point#az_dataprotection_recovery_point_list) command.

-Use the [az dataprotection backup-instance restore initialize-for-data-recovery](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_initialize_for_data_recovery) command to prepare the restore request with all relevant details.

-Use the [az dataprotection backup-instance restore initialize-for-data-recovery-as-files](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_initialize_for_data_recovery_as_files) command to prepare the restore request with all relevant details.

-To validate if the JSON file will succeed to create new resources, use the [az dataprotection backup-instance validate-for-restore](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_validate_for_restore) command.

-Use the [az dataprotection backup-instance restore trigger](/cli/azure/dataprotection/backup-instance/restore#az_dataprotection_backup_instance_restore_trigger) command to trigger the restore operation with the previously prepared request.

-Track all jobs using the [az dataprotection job list](/cli/azure/dataprotection/job#az_dataprotection_job_list) command. You can list all jobs and fetch a particular job detail.

-You can also use _Az.ResourceGraph_ to track jobs across all Backup vaults. Use the [az dataprotection job list-from-resourcegraph](/cli/azure/dataprotection/job#az_dataprotection_job_list_from_resourcegraph) command to get the relevant job that is across all Backup vaults.

-To see a list of available recovery points, use [az backup recoverypoint list](/cli/azure/backup/recoverypoint#az_backup_recoverypoint_list). The recovery point **name** is used to recover disks. In this tutorial, we want the most recent recovery point available. The `--query [0].name` parameter selects the most recent recovery point name as follows:

-1. To create a storage account, use [az storage account create](/cli/azure/storage/account#az_storage_account_create). The storage account name must be all lowercase, and be globally unique. Replace *mystorageaccount* with your own unique name:

-2. Restore the disk from your recovery point with [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks). Replace *mystorageaccount* with the name of the storage account you created in the preceding command. Replace *myRecoveryPointName* with the recovery point name you obtained in the output from the previous [az backup recoverypoint list](/cli/azure/backup/recoverypoint#az_backup_recoverypoint_list) command. ***Also provide the target resource group to which the managed disks are restored into***.

-To restore disks to the secondary region, use the `--use-secondary-region` flag in the [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks) command. Ensure that you specify a target storage account that's located in the secondary region.

-To restore a VM to another zone, specify the `TargetZoneNumber` parameter in the [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks) command.

-1. To create a storage account, use [az storage account create](/cli/azure/storage/account#az_storage_account_create). The storage account name must be all lowercase, and be globally unique. Replace *mystorageaccount* with your own unique name:

-2. Restore the disk from your recovery point with [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks). Replace *mystorageaccount* with the name of the storage account you created in the preceding command. Replace *myRecoveryPointName* with the recovery point name you obtained in the output from the previous [az backup recoverypoint list](/cli/azure/backup/recoverypoint#az_backup_recoverypoint_list) command:

-To monitor the status of restore job, use [az backup job list](/cli/azure/backup/job#az_backup_job_list):

-If you wish to use the vault's system assigned managed identity to restore disks, pass an additional flag ***--mi-system-assigned*** to the [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks) command. If you wish to use a user-assigned managed identity, pass a parameter ***--mi-user-assigned*** with the Azure Resource Manager ID of the vault's managed identity as the value of the parameter. Refer to [this article](encryption-at-rest-with-cmk.md#enable-managed-identity-for-your-recovery-services-vault) to learn how to enable managed identity for your vaults.

-To confirm that your VM has been created from your recovered disk, list the VMs in your resource group with [az vm list](/cli/azure/vm#az_vm_list) as follows:

-1. To connect to your VM, obtain the IP address of your VM with [az vm show](/cli/azure/vm#az_vm_show):

-1. To list recovery points for your VM, use [az backup recoverypoint list](/cli/azure/backup/recoverypoint#az_backup_recoverypoint_list). In this example, we select the most recent recovery point for the VM named *myVM* that's protected in *myRecoveryServicesVault*:

-2. To obtain the script that connects, or mounts, the recovery point to your VM, use [az backup restore files mount-rp](/cli/azure/backup/restore/files#az_backup_restore_files_mount_rp). The following example obtains the script for the VM named *myVM* that's protected in *myRecoveryServicesVault*.

- As the script runs, you're prompted to enter a password to access the recovery point. Enter the password shown in the output from the previous [az backup restore files mount-rp](/cli/azure/backup/restore/files#az_backup_restore_files_mount_rp) command that generated the recovery script.

-7. Unmount the recovery point from your VM with [az backup restore files unmount-rp](/cli/azure/backup/restore/files#az_backup_restore_files_unmount_rp). The following example unmounts the recovery point from the VM named *myVM* in *myRecoveryServicesVault*.

-Create a Recovery Services vault with [az backup vault create](/cli/azure/backup/vault#az_backup_vault_create). Specify the same resource group and location as the VM you wish to protect. Learn how to create a VM using Azure CLI with this [VM quickstart](../virtual-machines/linux/quick-create-cli.md).

-By default, the Recovery Services vault is set for Geo-Redundant storage. Geo-Redundant storage ensures your backup data is replicated to a secondary Azure region that's hundreds of miles away from the primary region. If the storage redundancy setting needs to be modified, use the [az backup vault backup-properties set](/cli/azure/backup/vault/backup-properties#az_backup_vault_backup_properties_set) cmdlet.

-To see if your vault was successfully created, use the [az backup vault list](/cli/azure/backup/vault#az_backup_vault_list) cmdlet. You'll see the following response:

-Once the script is run, the SAP HANA instance can be registered with the Recovery Services vault we created earlier. To register the instance, use the [az backup container register](/cli/azure/backup/container#az_backup_container_register) cmdlet. *VMResourceId* is the resource ID of the VM that you created to install SAP HANA.

-To check if the SAP HANA instance is successfully registered with your vault, use the [az backup container list](/cli/azure/backup/container#az_backup_container_list) cmdlet. You'll see the following response:

-The [az backup protectable-item list](/cli/azure/backup/protectable-item#az_backup_protectable_item_list) cmdlet lists out all the databases discovered on the SAP HANA instance that you registered in the previous step.

-To protect and configure backup on a database, one at a time, we use the [az backup protection enable-for-azurewl](/cli/azure/backup/protection#az_backup_protection_enable_for_azurewl) cmdlet. Provide the name of the policy that you want to use. To create a policy using CLI, use the [az backup policy create](/cli/azure/backup/policy#az_backup_policy_create) cmdlet. For this tutorial, we'll be using the *sapahanaPolicy* policy.

-You can check if the above backup configuration is complete using the [az backup job list](/cli/azure/backup/job#az_backup_job_list) cmdlet. The output will display as follows:

-The [az backup job list](/cli/azure/backup/job#az_backup_job_list) cmdlet lists out all the backup jobs (scheduled or on-demand) that have run or are currently running on the protected database, in addition to other operations like register, configure backup, and delete backup data.

-While the section above details how to configure a scheduled backup, this section talks about triggering an on-demand backup. To do this, we use the [az backup protection backup-now](/cli/azure/backup/protection#az_backup_protection_backup_now) cmdlet.

-The response will give you the job name. This job name can be used to track the job status using the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-To monitor completed or currently running jobs (backup or restore), use the [az backup job list](/cli/azure/backup/job#az_backup_job_list) cmdlet. CLI also allows you to [suspend a currently running job](/cli/azure/backup/job#az_backup_job_stop) or [wait until a job completes](/cli/azure/backup/job#az_backup_job_wait).

-To change the policy underlying the SAP HANA backup configuration, use the [az backup policy set](/cli/azure/backup/policy#az_backup_policy_set) cmdlet. The name parameter in this cmdlet refers to the backup item whose policy we want to change. For this tutorial, we'll be replacing the policy of our SAP HANA database *saphanadatabase;hxe;hxe* with a new policy *newsaphanaPolicy*. New policies can be created using the [az backup policy create](/cli/azure/backup/policy#az_backup_policy_create) cmdlet.

-To create an incremental backup policy, execute the [az backup policy create](/cli/azure/backup/policy#az_backup_policy_create) command with the following parameters:

-However, in cases when new databases are added to the SAP HANA instance later, use the [az backup protectable-item initialize](/cli/azure/backup/protectable-item#az_backup_protectable_item_initialize) cmdlet. This cmdlet discovers the new databases added.

-Then use the [az backup protectable-item list](/cli/azure/backup/protectable-item#az_backup_protectable_item_list) cmdlet to list all the databases that have been discovered on your SAP HANA instance. This list, however, excludes those databases on which backup has already been configured. Once the database to be backed-up is discovered, refer to [Enable backup on SAP HANA database](tutorial-sap-hana-backup-cli.md#enable-backup-on-sap-hana-database).

-To stop protection with retain data, use the [az backup protection disable](/cli/azure/backup/protection#az_backup_protection_disable) cmdlet.

-To check the status of this operation, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-To stop protection without retain data, use the [az backup protection disable](/cli/azure/backup/protection#az_backup_protection_disable) cmdlet.

-To check the status of this operation, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-To resume protection, use the [az backup protection resume](/cli/azure/backup/protection#az_backup_protection_resume) cmdlet.

-To check the status of this operation, use the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-To view the list of all the recovery points for a database, use the [az backup recoverypoint list](/cli/azure/backup/recoverypoint#az_backup_recoverypoint_show_log_chain) cmdlet as follows:

->You can also view the start and end points of every unbroken log backup chain, using the [az backup recoverypoint show-log-chain](/cli/azure/backup/recoverypoint#az_backup_recoverypoint_show_log_chain) cmdlet.

-To restore a database, use the [az restore restore-azurewl](/cli/azure/backup/restore#az_backup_restore_restore_azurewl) cmdlet, which requires a recovery config object as one of the inputs. This object can be generated using the [az backup recoveryconfig show](/cli/azure/backup/recoveryconfig#az_backup_recoveryconfig_show) cmdlet. The recovery config object contains all the details to perform a restore. One of them being the restore mode ΓÇô **OriginalWorkloadRestore** or **AlternateWorkloadRestore**.

-Using the above restore point name and the restore mode, let's create the recovery config object using the [az backup recoveryconfig show](/cli/azure/backup/recoveryconfig#az_backup_recoveryconfig_show) cmdlet. Let's look at what each of the remaining parameters in this cmdlet mean:

-Now, to restore the database run the [az restore restore-azurewl](/cli/azure/backup/restore#az_backup_restore_restore_azurewl) cmdlet. To use this command, we'll enter the above json output that's saved to a file named *recoveryconfig.json*.

-The response will give you the job name. This job name can be used to track the job status using [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-For this tutorial, we'll choose the previous point-in-time ΓÇ£28-11-2019-09:53:00ΓÇ¥ to restore to. You can provide this restore point in the following formats: dd-mm-yyyy, dd-mm-yyyy-hh:mm:ss. To choose a valid point-in-time to restore to, use the [az backup recoverypoint show-log-chain](/cli/azure/backup/recoverypoint#az_backup_recoverypoint_show_log_chain) cmdlet, which lists the intervals of unbroken log chain backups.

-Now, to restore the database run the [az restore restore-azurewl](/cli/azure/backup/restore#az_backup_restore_restore_azurewl) cmdlet. To use this command, we'll enter the above json output that's saved to a file named *recoveryconfig.json*.

-The response will give you the job name. This job name can be used to track the job status using the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-Use this recovery configuration in the [az restore restore-azurewl](/cli/azure/backup/restore#az_backup_restore_restore_azurewl) cmdlet. Select the `--use-secondary-region` flag to restore the database to the secondary region.

-For this tutorial, we'll choose the previous point-in-time `28-11-2019-09:53:00` to restore to, and the location to dump backup files as `/home/saphanlet, which lists the intervals of unbroken log chain backups.

-Using the restore point name above and the restore mode, let's create the recovery config object using the [az backup recoveryconfig show](/cli/azure/backup/recoveryconfig#az_backup_recoveryconfig_show) cmdlet. Let's look at what each of the remaining parameters in this cmdlet mean:

-Now, to restore the database as files run the [az restore restore-azurewl](/cli/azure/backup/restore#az_backup_restore_restore_azurewl) cmdlet. To use this command, we'll enter the json output above which is saved to a file named *recoveryconfig.json*.

-The response will give you the job name. This job name can be used to track the job status using the [az backup job show](/cli/azure/backup/job#az_backup_job_show) cmdlet.

-Sign in to the Azure subscription you use for the BareMetal instance deployment through the Azure CLI. Register the `BareMetalInfrastructure` resource provider with the [az provider register](/cli/azure/provider#az_provider_register) command:

-You can use the [az provider list](/cli/azure/provider#az_provider_list) command to see all available providers.

-To see all your BareMetal instances, run the [az baremetalinstance list](/cli/azure/baremetalinstance#az_baremetalinstance_list) command for your resource group:

-To see details of a BareMetal instance, run the [az baremetalinstance show](/cli/azure/baremetalinstance#az_baremetalinstance_show) command:

-To add tags to a BareMetal instance, run the [az baremetalinstance update](/cli/azure/baremetalinstance#az_baremetalinstance_update) command:

-To restart a BareMetal instance, use the [az baremetalinstance restart](/cli/azure/baremetalinstance#az_baremetalinstance_restart) command:

-Next, sign in to your Batch account in the Azure CLI using the [az batch account login](/cli/azure/batch/account#az_batch_account_login) command. This step gives you access to Batch service commands. Then, you can manage Batch resources like pools, jobs, and tasks.

-Batch pools in the Virtual Machine configuration support almost all [VM sizes](../virtual-machines/sizes.md). The supported VM sizes in a region can be obtained via [Batch Management APIs](batch-apis-tools.md#batch-management-apis), as well as the [command line tools](batch-apis-tools.md#batch-command-line-tools) (PowerShell cmdlets and Azure CLI). For example, the [Azure Batch CLI command](/cli/azure/batch/location#az_batch_location_list_skus) to list supported VM sizes in a region is:

-Create a resource group with the [az group create](/cli/azure/group#az_group_create) command. An Azure resource group is a logical container into which Azure resources are deployed and managed.

-You can link an Azure Storage account with your Batch account. Although not required for this quickstart, the storage account is useful to deploy applications and store input and output data for most real-world workloads. Create a storage account in your resource group with the [az storage account create](/cli/azure/storage/account#az_storage_account_create) command.

-Create a Batch account with the [az batch account create](/cli/azure/batch/account#az_batch_account_create) command. You need an account to create compute resources (pools of compute nodes) and Batch jobs.

-To create and manage compute pools and jobs, you need to authenticate with Batch. Log in to the account with the [az batch account login](/cli/azure/batch/account#az_batch_account_login) command. After you log in, your `az batch` commands use this account context.

-Now that you have a Batch account, create a sample pool of Linux compute nodes using the [az batch pool create](/cli/azure/batch/pool#az_batch_pool_create) command. The following example creates a pool named *mypool* of two *Standard_A1_v2* nodes running Ubuntu 16.04 LTS. The suggested node size offers a good balance of performance versus cost for this quick example.

-Batch creates the pool immediately, but it takes a few minutes to allocate and start the compute nodes. During this time, the pool is in the `resizing` state. To see the status of the pool, run the [az batch pool show](/cli/azure/batch/pool#az_batch_pool_show) command. This command shows all the properties of the pool, and you can query for specific properties. The following command gets the allocation state of the pool:

-Now that you have a pool, create a job to run on it. A Batch job is a logical group for one or more tasks. A job includes settings common to the tasks, such as priority and the pool to run tasks on. Create a Batch job by using the [az batch job create](/cli/azure/batch/job#az_batch_job_create) command. The following example creates a job *myjob* on the pool *mypool*. Initially the job has no tasks.

-Now use the [az batch task create](/cli/azure/batch/task#az_batch_task_create) command to create some tasks to run in the job. In this example, you create four identical tasks. Each task runs a `command-line` to display the Batch environment variables on a compute node, and then waits 90 seconds. When you use Batch, this command line is where you specify your app or script. Batch provides several ways to deploy apps and scripts to compute nodes.

-Use the [az batch task show](/cli/azure/batch/task#az_batch_task_show) command to view the status of the Batch tasks. The following example shows details about *mytask1* running on one of the pool nodes.

-You are charged for pools while the nodes are running, even if no jobs are scheduled. When you no longer need a pool, delete it with the [az batch pool delete](/cli/azure/batch/pool#az_batch_pool_delete) command. When you delete the pool, all task output on the nodes is deleted.

-When no longer needed, you can use the [az group delete](/cli/azure/group#az_group_delete) command to remove the resource group, Batch account, pools, and all related resources. Delete the resources as follows:

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |

-| [az batch account create](/cli/azure/batch/account#az_batch_account_create) | Creates the Batch account. |

-| [az batch account login](/cli/azure/batch/account#az_batch_account_login) | Authenticates against the specified Batch account for further CLI interaction. |

-| [az batch application create](/cli/azure/batch/application#az_batch-application-create) | Creates an application. |

-| [az batch application package create](/cli/azure/batch/application/package#az_batch-application-package-create) | Adds an application package to the specified application. |

-| [az batch application set](/cli/azure/batch/application#az_batch-application-set) | Updates properties of an application. |

-| [az group delete](/cli/azure/group#az_group_delete) | Deletes a resource group including all nested resources. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az batch account create](/cli/azure/batch/account#az_batch_account_create) | Creates the Batch account. |

-| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |

-| [az batch account set](/cli/azure/batch/account#az_batch_account_set) | Updates properties of the Batch account. |

-| [az batch account show](/cli/azure/batch/account#az_batch_account_show) | Retrieves details of the specified Batch account. |

-| [az batch account keys list](/cli/azure/batch/account/keys#az_batch_account_keys_list) | Retrieves the access keys of the specified Batch account. |

-| [az batch account login](/cli/azure/batch/account#az_batch_account_login) | Authenticates against the specified Batch account for further CLI interaction. |

-| [az group delete](/cli/azure/group#az_group_delete) | Deletes a resource group including all nested resources. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az keyvault create](/cli/azure/keyvault#az_keyvault_create) | Creates a key vault. |

-| [az keyvault set-policy](/cli/azure/keyvault#az_keyvault_set_policy) | Update the security policy of the specified key vault. |

-| [az batch account create](/cli/azure/batch/account#az_batch_account_create) | Creates the Batch account. |

-| [az batch account login](/cli/azure/batch/account#az_batch_account_login) | Authenticates against the specified Batch account for further CLI interaction. |

-| [az group delete](/cli/azure/group#az_group_delete) | Deletes a resource group including all nested resources. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az batch account create](/cli/azure/batch/account#az_batch_account_create) | Creates the Batch account. |

-| [az batch account login](/cli/azure/batch/account#az_batch_account_login) | Authenticates against the specified Batch account for further CLI interaction. |

-| [az batch pool create](/cli/azure/batch/pool#az_batch_pool_create) | Creates a pool of compute nodes. |

-| [az batch pool resize](/cli/azure/batch/pool#az_batch_pool_resize) | Resizes the number of running VMs in the specified pool. |

-| [az batch pool show](/cli/azure/batch/pool#az_batch_pool_show) | Displays the properties of a pool. |

-| [az batch node list](/cli/azure/batch/node#az_batch_node_list) | Lists all the compute node in the specified pool. |

-| [az batch node reboot](/cli/azure/batch/node#az_batch_node_reboot) | Reboots the specified compute node. |

-| [az batch node delete](/cli/azure/batch/node#az_batch_node_delete) | Deletes the listed nodes from the specified pool. |

-| [az group delete](/cli/azure/group#az_group_delete) | Deletes a resource group including all nested resources. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az batch account create](/cli/azure/batch/account#az_batch_account_create) | Creates the Batch account. |

-| [az batch account login](/cli/azure/batch/account#az_batch_account_login) | Authenticates against the specified Batch account for further CLI interaction. |

-| [az batch pool create](/cli/azure/batch/pool#az_batch_pool_create) | Creates a pool of compute nodes. |

-| [az batch pool set](/cli/azure/batch/pool#az_batch_pool_set) | Updates the properties of a pool. |

-| [az batch pool autoscale enable](/cli/azure/batch/pool/autoscale#az_batch_pool_autoscale_enable) | Enables auto-scaling on a pool and applies a formula. |

-| [az batch pool show](/cli/azure/batch/pool#az_batch_pool_show) | Displays the properties of a pool. |

-| [az batch pool autoscale disable](/cli/azure/batch/pool/autoscale#az_batch_pool_autoscale_disable) | Disables auto-scaling on a pool. |

-| [az group delete](/cli/azure/group#az_group_delete) | Deletes a resource group including all nested resources. |

-| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |

-| [az batch account create](/cli/azure/batch/account#az_batch_account_create) | Creates the Batch account. |

-| [az batch account login](/cli/azure/batch/account#az_batch_account_login) | Authenticates against the specified Batch account for further CLI interaction. |

-| [az batch pool create](/cli/azure/batch/pool#az_batch_pool_create) | Creates a pool of compute nodes. |

-| [az batch job create](/cli/azure/batch/job#az_batch_job_create) | Creates a Batch job. |

-| [az batch task create](/cli/azure/batch/task#az_batch_task_create) | Adds a task to the specified Batch job. |

-| [az batch job set](/cli/azure/batch/job#az_batch_job_set) | Updates properties of a Batch job. |

-| [az batch job show](/cli/azure/batch/job#az_batch_job_show) | Retrieves details of a specified Batch job. |

-| [az batch task show](/cli/azure/batch/task#az_batch_task_show) | Retrieves the details of a task from the specified Batch job. |

-| [az group delete](/cli/azure/group#az_group_delete) | Deletes a resource group including all nested resources. |

-When no longer needed, you can use the [az group delete](/cli/azure/group#az_group_delete) command to remove the resource group and all resources contained within.

-#az_vm_list_skus) command.

-* The new Recognition 04 model is the most accurate recognition model currently available. If you're a new customer, we recommend using this model for verification and identification. It improves upon the accuracy of Recognition 03, including improved recognition for enrolled users wearing face covers (surgical masks, N95 masks, cloth masks). Now customers can build safe and seamless user experiences that detect whether an enrolled user is wearing a face cover with the latest Detection 03 model, and recognize who they are with the latest Recognition 04 model. See [Specify a face recognition model](./face-api-how-to-topics/specify-recognition-model.md) for more details.

-* Deprecated the V0 endpoint of Face API on June 30, 2016.

-* [Azure CLI](/cli/azure/cognitiveservices#az_cognitiveservices_list)

-You can adjust speaking languages for neural voices at the sentence level and word level.

-Enable one voice to speak different languages fluently (like English, Spanish, and Chinese) by using the `<lang xml:lang>` element. This optional element is unique to the Speech service. Without this element, the voice speaks its primary language.

-Speaking language adjustments are only supported for the `en-US-JennyMultilingualNeural` neural voice. The preceding changes are applied at the sentence level and word level. If a language isn't supported, the service won't return an audio stream.

-> [!NOTE]

-> The `<lang xml:lang>` element is incompatible with the `prosody` and `break` elements. You can't adjust pause and prosody like pitch, contour, rate, or volume in this element.

-| `lang` | Specifies the speaking languages. Speaking different languages are voice specific. | Required if adjusting the speaking language for a neural voice. If you're using `lang xml:lang`, the locale must be provided. |

-Use this table to determine which speaking languages are supported for each neural voice. If a language isn't supported, the service won't return an audio stream.

-This SSML snippet shows how to use `<lang xml:lang>` to change the speaking languages to `en-US`, `es-MX`, and `de-DE`.

- I am looking forward to the exciting things.

- Estoy deseando que lleguen las cosas emocionantes.

- <lang xml:lang="de-DE">

- Ich freue mich auf die spannenden Dinge.

-Install the [Azure CLI](/cli/azure/install-azure-cli). To sign into your local installation of the CLI, run the [az login](/cli/azure/reference-index#az_login) command:

-To create a resource, you'll need one of the Azure locations available for your subscription. You can retrieve a list of available locations with the [az account list-locations](/cli/azure/account#az_account_list_locations) command. Most Cognitive Services can be accessed from several locations. Choose the one closest to you, or see which locations are available for the service.

-After you have your Azure location, create a new resource group in the Azure CLI using the [az group create](/cli/azure/group#az_group_create) command.

-You can find a list of available Cognitive Service "kinds" with the [az cognitiveservices account list-kinds](/cli/azure/cognitiveservices/account#az_cognitiveservices_account_list_kinds) command:

-To create and subscribe to a new Cognitive Services resource, use the [az cognitiveservices account create](/cli/azure/cognitiveservices/account#az_cognitiveservices_account_create) command. This command adds a new billable resource to the resource group created earlier. When creating your new resource, you will need to know the "kind" of service you want to use, along with its pricing tier (or sku) and an Azure location:

-To log into your local installation of the Command-Line Interface(CLI), use the [az login](/cli/azure/reference-index#az_login) command.

-Use the [az cognitiveservices account keys list](/cli/azure/cognitiveservices/account/keys#az_cognitiveservices_account_keys_list) command to get the keys for your Cognitive Service resource.

-Use the [az cognitiveservices account list-usage](/cli/azure/cognitiveservices/account#az_cognitiveservices_account_list_usage) command to get the usage for your Cognitive Service resource.

-Otherwise, when you're finished with the resources created in this article, use the Azure CLI [az group delete](/cli/azure/group?#az_group_delete) command to delete the resource group and all its contained resources:

-The template requires a principal ID. You can obtain your principal ID my running the Azure CLI [az ad sp list](/cli/azure/ad/sp#az_ad_sp_list) command, with the `--show-mine` flag:

-Create a resource group with the [az group create](/cli/azure/group#az_group_create) command:

-Deploy the container group with the [az container create](/cli/azure/container#az_container_create) command, passing the YAML file as an argument.

-To view the state of the deployment, use the following [az container show](/cli/azure/container#az_container_show) command:

-[az-group-create]: /cli/azure/group#az_group_create

-[az-deployment-group-create]: /cli/azure/deployment/group#az_deployment_group_create

-First, create a resource group named *myResourceGroup* in the *eastus* location with the following [az group create](/cli/azure/group#az_group_create) command:

-Use the [az keyvault create](/cli/azure/keyvault#az_keyvault_create) command to create a key vault. Be sure to specify a unique key vault name.

-Store a sample secret in the key vault using the [az keyvault secret set](/cli/azure/keyvault/secret#az_keyvault_secret_set) command:

-First create an identity in your subscription using the [az identity create](/cli/azure/identity#az_identity_create) command. You can use the same resource group used to create the key vault, or use a different one.

-To use the identity in the following steps, use the [az identity show](/cli/azure/identity#az_identity_show) command to store the identity's service principal ID and resource ID in variables.

-Run the following [az container create](/cli/azure/container#az_container_create) command to create a container instance based on Microsoft's `azure-cli` image. This example provides a single-container group that you can use interactively to run the Azure CLI to access other Azure services. In this section, only the base operating system is used. For an example to use the Azure CLI in the container, see [Enable system-assigned identity on a container group](#enable-system-assigned-identity-on-a-container-group).

-Within a few seconds, you should get a response from the Azure CLI indicating that the deployment has completed. Check its status with the [az container show](/cli/azure/container#az_container_show) command.

-Run the following [az container create](/cli/azure/container#az_container_create) command to create a container instance based on Microsoft's `azure-cli` image. This example provides a single-container group that you can use interactively to run the Azure CLI to access other Azure services.

-Within a few seconds, you should get a response from the Azure CLI indicating that the deployment has completed. Check its status with the [az container show](/cli/azure/container#az_container_show) command.

-To verify that the container has been deleted, execute the [az container list](/cli/azure/container#az_container_list) command:

-To verify the image is stored in your registry, run the [az acr repository show](/cli/azure/acr/repository#az_acr_repository_show) command:

-[az-identity-show]: /cli/azure/identity#az_identity_show

-[az-identity-create]: /cli/azure/identity#az_identity_create

-By default, the allow trusted services setting is enabled in a new Azure container registry. Disable or enable the setting by running the [az acr update](/cli/azure/acr#az_acr_update) command.

-Update a registry using the [az acr update](/cli/azure/acr#az_acr_update) command and pass the `--anonymous-pull-enabled` parameter. By default, anonymous pull is disabled in the registry.

-As a recommended one-time step, [import](container-registry-import-images.md) base images and other public content to your Azure container registry. The [az acr import](/cli/azure/acr#az_acr_import) command in the Azure CLI supports image import from public registries such as Docker Hub and Microsoft Container Registry and from other private container registries.

-> You can regenerate the password (client secret) of a service principal by running the [az ad sp credential reset](/cli/azure/ad/sp/credential#az_ad_sp_credential_reset) command.

-Create an identity in your subscription using the [az identity create](/cli/azure/identity#az_identity_create) command. You can use the same resource group you used previously to create the container registry or virtual machine, or a different one.

-When working with your registry directly, such as pulling images to and pushing images from a development workstation to a registry you created, authenticate by using your individual Azure identity. Sign in to the [Azure CLI](/cli/azure/install-azure-cli) with [az login](/cli/azure/reference-index#az_login), and then run the [az acr login](/cli/azure/acr#az_acr_login) command:

-To enable the admin user for an existing registry, you can use the `--admin-enabled` parameter of the [az acr update](/cli/azure/acr#az_acr_update) command in the Azure CLI:

-You can also use the Azure CLI to get compliance data. For example, use the [az policy assignment list](/cli/azure/policy/assignment#az_policy_assignment_list) command in the CLI to get the policy IDs of the Azure Container Registry policies that are applied:

-Then run [az policy state list](/cli/azure/policy/state#az_policy_state_list) to return the JSON-formatted compliance state for all resources under a specific policy ID:

-Or run [az policy state list](/cli/azure/policy/state#az_policy_state_list) to return the JSON-formatted compliance state of a specific registry resource, such as *myregistry*:

-| Individual identity | A developer pulling images to or pushing images from their development machine. | [az acr login](/cli/azure/acr#az_acr_login) |

-Alternatively, use [Azure RBAC for Key Vault](../key-vault/general/rbac-guide.md) to assign permissions to the identity to access the key vault. For example, assign the Key Vault Crypto Service Encryption role to the identity using the [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) command:

-If this issue occurs with a user-assigned identity, first reassign the identity using the [az acr identity assign](/cli/azure/acr/identity/#az_acr_identity_assign) command. Pass the identity's resource ID, or use the identity's name when it is in the same resource group as the registry. For example:

-After you've configured a replica for your registry, you can delete it at any time if it's no longer needed. Delete a replica using the Azure portal or other tools such as the [az acr replication delete](/cli/azure/acr/replication#az_acr_replication_delete) command in the Azure CLI.

-The recommended method when working in a command line is with the Azure CLI command [az acr login](/cli/azure/acr#az_acr_login). For example, to log in to a registry named *myregistry*, log into the Azure CLI and then authenticate to your registry:

-To remove images from your Azure container registry, you can use the Azure CLI command [az acr repository delete](/cli/azure/acr/repository#az_acr_repository_delete). For example, the following command deletes the manifest referenced by the `samples/nginx:latest` tag, any unique layer data, and all other tags referencing the manifest.

-Then, use the Azure CLI command [az acr login](/cli/azure/acr#az_acr_login) to access the registry. For example, to authenticate to a registry named *myregistry*:

-Run the [az acr build](/cli/azure/acr#az_acr_build) command to build the hello-world image using the new artifact as build context:

-If needed, run the [az group create](/cli/azure/group#az_group_create) command to create a resource group for the registry.

-Preview support for ORAS Artifacts requires Zone Redundancy, which requires a Premium service tier, in the South Central US region. Run the [az acr create](/cli/azure/acr#az_acr_create) command to create an ORAS Artifacts enabled registry. See the `az acr create` command help for more registry options.

-Then, use the Azure CLI command [az acr login](/cli/azure/acr#az_acr_login) to access the registry.

-> Starting October 2021, new container registries allow a maximum of 200 private endpoints. Registries created earlier allow a maximum of 10 private endpoints. Use the [az acr show-usage](/cli/azure/acr#az_acr_show_usage) command to see the limit for your registry.

-* To verify DNS settings in the virtual network that route to a private endpoint, run the [az acr check-health](/cli/azure/acr#az_acr_check_health) command with the `--vnet` parameter. For more information, see [Check the health of an Azure container registry](container-registry-check-health.md)