+## Step 1: Configure an application in eID-Me

+## Step 2: Add a new Identity provider in Azure AD B2C

+## Step 3: Configure an Identity provider

+## Step 4: Configure multi-factor authentication

+## Step 5: Create a user flow policy

+## Step 2: Create a policy key

+## Step 3: Configure eID-Me as an Identity provider

+## Step 4: Add a user journey

+## Step 5: Add the identity provider to a user journey

+## Step 6: Configure the relying party policy

+## Step 7: Upload the custom policy

+## Step 8: Test your custom policy

+|  is a digital ID solution that provides users with passwordless, secure, multifactor authentication. xID-authenticated users obtain their identities verified by a My Number Card, the digital ID card issued by the Japanese government. Organizations can get users verified Personal Identification Information (PII) through the xID API. |

+ Title: Configure Azure Active Directory B2C with xID

+description: Configure Azure Active Directory B2C with xID for passwordless authentication

+# Configure xID with Azure Active Directory B2C for passwordless authentication

+In this sample tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with the xID digital ID solution. The xID app provides users with passwordless, secure, multifactor authentication. xID-authenticated users obtain their identities verified by a My Number Card, the digital ID card issued by the Japanese government. Organizations can get users verified Personal Identification Information (customer content) through the xID API. Furthermore, the xID app generates a private key in a secure area within userΓÇÖs mobile device, which can be used as a digital signing device.

+## Prerequisites

+To get started, you'll need:

+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+- An [Azure AD B2C tenant](./tutorial-create-tenant.md) that's linked to your Azure subscription.

+- Your xID client information provided by xID inc. [Contact xID](https://xid.inc/contact-us) for the xID client information that should include the following parameters:

+ - Client ID

+ - Client Secret

+ - Redirect URL

+ - Scopes

+- Download and install the [xID app](https://x-id.me/) on your mobile device.

+ - To complete registration, you'll need your own My Number Card.

+ - If you use the UAT version of API, you'll also need UAT version of xID app. To install UAT app, [contact xID inc](https://xid.inc/contact-us).

+## Scenario description

+The following architecture diagram shows the implementation.

+

+| Step | Description |

+|:--|:--|

+| 1. |User opens Azure AD B2C's sign in page, and then signs in or signs up by entering their username. |

+| 2. |Azure AD B2C redirects the user to xID authorize API endpoint using an OpenID Connect (OIDC) request. An OIDC endpoint is available containing information about the endpoints. xID Identity provider (IdP) redirects the user to the xID authorization sign in page, allows the user to fill in or select their email address. |

+| 3. |xID IdP sends the push notification to the userΓÇÖs mobile device. |

+| 4. |The user opens the xID app and checks the request, then enters the PIN or authenticates with their biometrics. If PIN or biometrics is successfully verified, xID app activates the private key and creates an electronic signature. |

+| 5. |xID app sends the signature to xID IdP for verification. |

+| 6. |xID IdP shows consent screen to the user, requesting authorization to give their personal information to the service they're signing in. |

+| 7. |xID IdP returns the OAuth authorization code to Azure AD B2C. |

+| 8. |Using the authorization code, Azure AD B2C sends a token request. |

+| 9. |xID IdP checks the token request, and if still valid, returns the OAuth access token and the ID token containing the requested userΓÇÖs identifier and email address. |

+| 10. |In addition, if the user's customer content is needed, Azure AD B2C calls the xID userdata API. |

+| 11. |The xID userdata API returns the userΓÇÖs encrypted customer content. User can decrypt it with their private key, which they create when they request the xID client information. |

+| 12. | User is either granted or denied access to the customer application based on the verification results. |

+## Onboard with xID

+Request for API documents by filling out [the form](https://xid.inc/contact-us). In the message field, indicate that you would like to onboard with Azure AD B2C. The xID sales representatives will contact you. Follow the instructions provided in the xID API document and request a xID API client. xID tech team will send client information to you in 3-4 working days.

+## Step 1: Create a xID policy key

+Store the client secret that you received from xID in your Azure AD B2C tenant.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+2. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ a. Select the **Directories + subscriptions** icon in the portal toolbar.

+ b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select **Switch**.

+3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.

+4. On the Overview page, select **Identity Experience Framework**.

+5. Select **Policy Keys** and then select **Add**.

+6. For **Options**, choose `Manual`.

+7. Enter a **Name** for the policy key. For example, `X-IDClientSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.

+8. In **Secret**, enter your client secret that you previously received from xID.

+9. For **Key usage**, select `Signature`.

+10. Select **Create**.

+>[!NOTE]

+>In Azure AD B2C, [**custom policies**](./user-flow-overview.md) are designed primarily to address complex scenarios.

+## Step 2: Configure xID as an Identity provider

+To enable users to sign in using xID, you need to define xID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated using digital identity available on their device, proving the userΓÇÖs identity.

+Use the following steps to add xID as a claims provider:

+1. Get the custom policy starter packs from GitHub, then update the XML files in the SocialAndLocalAccounts starter pack with your Azure AD B2C tenant name:

+ i. Download the [.zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or [clone the repository](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack).

+

+ ii. In all of the files in the **LocalAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.

+2. Open the `LocalAccounts/ TrustFrameworkExtensions.xml`.

+3. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element.

+4. Add a new **ClaimsProvider** similar to the one shown below:

+ ```xml

+ <ClaimsProvider>

+ <Domain>X-ID</Domain>

+ <DisplayName>X-ID</DisplayName>

+ <TechnicalProfiles>

+ <TechnicalProfile Id="X-ID-Oauth2">

+ <DisplayName>X-ID</DisplayName>

+ <Description>Login with your X-ID account</Description>

+ <Protocol Name="OAuth2" />

+ <Metadata>

+ <Item Key="METADATA">https://oidc-uat.x-id.io/.well-known/openid-configuration</Item>

+ <!-- Update the Client ID below to the X-ID Application ID -->

+ <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>

+ <Item Key="response_types">code</Item>

+ <Item Key="scope">openid verification</Item>

+ <Item Key="response_mode">query</Item>

+ <Item Key="HttpBinding">POST</Item>

+ <Item Key="UsePolicyInRedirectUri">false</Item>

+ <Item Key="DiscoverMetadataByTokenIssuer">true</Item>

+ <Item Key="token_endpoint_auth_method">client_secret_basic</Item>

+ <Item Key="ClaimsEndpoint">https://oidc-uat.x-id.io/userinfo</Item>

+ </Metadata>

+ <CryptographicKeys>

+ <Key Id="client_secret" StorageReferenceId="B2C_1A_X-IDClientSecret" />

+ </CryptographicKeys>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />

+ <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />

+ <OutputClaim ClaimTypeReferenceId="email" />

+ <OutputClaim ClaimTypeReferenceId="sid" />

+ <OutputClaim ClaimTypeReferenceId="userdataid" />

+ <OutputClaim ClaimTypeReferenceId="X-ID_verified" />

+ <OutputClaim ClaimTypeReferenceId="email_verified" />

+ <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />

+ <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" DefaultValue="https://oidc-uat.x-id.io/" />

+ <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />

+ </OutputClaims>

+ <OutputClaimsTransformations>

+ <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />

+ <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />

+ <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />

+ <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />

+ </OutputClaimsTransformations>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />

+ </TechnicalProfile>

+ <TechnicalProfile Id="X-ID-Userdata">

+ <DisplayName>Userdata (Personal Information)</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://api-uat.x-id.io/v4/verification/userdata</Item>

+ <Item Key="SendClaimsIn">Header</Item>

+ <Item Key="AuthenticationType">Bearer</Item>

+ <Item Key="UseClaimAsBearerToken">identityProviderAccessToken</Item>

+ <!-- <Item Key="AllowInsecureAuthInProduction">true</Item> -->

+ <Item Key="DebugMode">true</Item>

+ <Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>

+ </Metadata>

+ <InputClaims>

+ <!-- Claims sent to your REST API -->

+ <InputClaim ClaimTypeReferenceId="identityProviderAccessToken" />

+ </InputClaims>

+ <OutputClaims>

+ <!-- Claims parsed from your REST API -->

+ <OutputClaim ClaimTypeReferenceId="last_name" PartnerClaimType="givenName" />

+ <OutputClaim ClaimTypeReferenceId="first_name" PartnerClaimType="surname" />

+ <OutputClaim ClaimTypeReferenceId="previous_name" />

+ <OutputClaim ClaimTypeReferenceId="year" />

+ <OutputClaim ClaimTypeReferenceId="month" />

+ <OutputClaim ClaimTypeReferenceId="date" />

+ <OutputClaim ClaimTypeReferenceId="prefecture" />

+ <OutputClaim ClaimTypeReferenceId="city" />

+ <OutputClaim ClaimTypeReferenceId="address" />

+ <OutputClaim ClaimTypeReferenceId="sub_char_common_name" />

+ <OutputClaim ClaimTypeReferenceId="sub_char_previous_name" />

+ <OutputClaim ClaimTypeReferenceId="sub_char_address" />

+ <OutputClaim ClaimTypeReferenceId="gender" />

+ <OutputClaim ClaimTypeReferenceId="verified_at" />

+ </OutputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ </TechnicalProfiles>

+ </ClaimsProvider>

+ ```

+4. Set **client_id** with your xID Application ID.

+5. Save the changes.

+## Step 3: Add a user journey

+At this point, you've set up the identity provider, but it's not yet available in any of the sign in pages. If you've your own custom user journey continue to [step 4](#step-4-add-the-identity-provider-to-a-user-journey), otherwise, create a duplicate of an existing template user journey as follows:

+1. Open the `TrustFrameworkBase.xml` file from the starter pack.

+2. Find and copy the entire contents of the **UserJourneys** element that includes `ID=SignUpOrSignIn`.

+3. Open the `TrustFrameworkExtensions.xml` and find the UserJourneys element. If the element doesn't exist, add one.

+4. Paste the entire content of the UserJourney element that you copied as a child of the UserJourneys element.

+5. Rename the ID of the user journey. For example, `ID=CustomSignUpSignIn`

+## Step 4: Add the identity provider to a user journey

+Now that you have a user journey, add the new identity provider to the user journey.

+1. Find the orchestration step element that includes Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers that a user can sign in with. The order of the elements controls the order of the sign-in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name, such as `X-IDExchange`.

+2. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID to link the xID button to `X-ID-SignIn` action. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier.

+ The following XML demonstrates orchestration steps of a user journey with the identity provider:

+ ```xml

+ <UserJourney Id="X-IDSignUpOrSignIn">

+ <OrchestrationSteps>

+ <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">

+ <ClaimsProviderSelections>

+ <ClaimsProviderSelection TargetClaimsExchangeId="X-IDExchange" />

+ </ClaimsProviderSelections>

+ </OrchestrationStep>

+ <OrchestrationStep Order="2" Type="ClaimsExchange">

+ <ClaimsExchanges>

+ <ClaimsExchange Id="X-IDExchange" TechnicalProfileReferenceId="X-ID-Oauth2" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <OrchestrationStep Order="3" Type="ClaimsExchange">

+ <ClaimsExchanges>

+ <ClaimsExchange Id="X-ID-Userdata" TechnicalProfileReferenceId="X-ID-Userdata" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <!-- For social IDP authentication, attempt to find the user account in the directory. -->

+ <OrchestrationStep Order="4" Type="ClaimsExchange">

+ <ClaimsExchanges>

+ <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). -->

+ <OrchestrationStep Order="5" Type="ClaimsExchange">

+ <Preconditions>

+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

+ <Value>objectId</Value>

+ <Action>SkipThisOrchestrationStep</Action>

+ </Precondition>

+ </Preconditions>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect

+ from the user. So, in that case, create the user in the directory if one does not already exist

+ (verified using objectId which would be set from the last step if account was created in the directory. -->

+ <OrchestrationStep Order="6" Type="ClaimsExchange">

+ <Preconditions>

+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

+ <Value>objectId</Value>

+ <Action>SkipThisOrchestrationStep</Action>

+ </Precondition>

+ </Preconditions>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

+ </OrchestrationSteps>

+ <ClientDefinition ReferenceId="DefaultWeb" />

+ </UserJourney>

+ ```

+## Step 5: Upload the custom policy

+1. Sign in to the [Azure portal](https://portal.azure.com/#home).

+2. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ a. Select the **Directories + subscriptions** icon in the portal toolbar.

+ b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

+3. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.

+4. Under Policies, select **Identity Experience Framework**.

+5. Select **Upload Custom Policy**, and then upload the files in the **LocalAccounts** starter pack in the following order: the extension policy, for example `TrustFrameworkExtensions.xml`, then the relying party policy, such as `SignUpSignIn.xml`.

+## Step 6: Test your custom policy

+1. In your Azure AD B2C tenant blade, and under **Policies**, select **Identity Experience Framework**.

+1. Under **Custom policies**, select **CustomSignUpSignIn**.

+3. For **Application**, select the web application that you previously registered as part of this article's prerequisites. The **Reply URL** should show `https://jwt.ms`.

+4. Select **Run now**. Your browser should be redirected to the xID sign in page.

+5. If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.

+## Next steps

+For additional information, review the following articles:

+- [Custom policies in Azure AD B2C](custom-policy-overview.md)

+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)

+When the sum of all IP ranges specified in location policies exceeds 5,000, user change location flow won't be enforced by CAE in real time. In this case, Azure AD will issue a one-hour CAE token. CAE will continue enforcing [all other events and policies](#critical-event-evaluation) besides client location change events. With this change, you still maintain stronger security posture compared to traditional one-hour tokens, since [other events](#critical-event-evaluation) will be evaluated in near real time.

+1. Browse to **Azure Active Directory** > **Log Analytics**.

+* **Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals aren't blocked by Conditional Access.

+### Subscription activation

+Organizations that use the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to ΓÇ£step-upΓÇ¥ from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy.

+#### Subscription activation

+Organizations that use the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to ΓÇ£step-upΓÇ¥ from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their device compliance policy.

+$certname = "{certificateName}" ## Replace {certificateName}

+$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

+Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.cer" ## Specify your preferred location

+$certname = "{certificateName}" ## Replace {certificateName}

+$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

+Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.cer" ## Specify your preferred location

+Export-PfxCertificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.pfx" -Password $mypwd ## Specify your preferred location

+Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -Match "$certname"} | Select-Object Thumbprint, FriendlyName

+# Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app

+1. Run `Get-AzADServicePrincipal | ForEach-Object {ΓÇïΓÇïΓÇïΓÇïΓÇï Remove-AzADServicePrincipal -ObjectId $_.Id }ΓÇï`.ΓÇïΓÇïΓÇïΓÇï

+1. Fetch the current group settings for the Azure AD organization and display the current group settings.

+ $Setting = $grpUnifiedSetting

+ $grpUnifiedSetting.Values

+ > If no group settings have been created for this Azure AD organization, you will get an empty screen. In this case, you must first create the settings. Follow the steps in [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md) to create group settings for this Azure AD organization.

+

+ > [!NOTE]

+ > If the sensitivity label has been enabled previously, you will see **EnableMIPLabels** = **True**. In this case, you do not need to do anything.

+> For Windows 10, the correct format of the deviceOSVersion attribute is as follows: (device.deviceOSVersion -startsWith "10.0.1"). The formatting can be validated with the Get-MsolDevice PowerShell cmdlet.

+ deviceOSVersion | any string value | (device.deviceOSVersion -eq "9.1")<br>(device.deviceOSVersion -startsWith "10.0.1")

+>This information last updated on March 29th, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Microsoft 365 Business Standard | O365_BUSINESS_PREMIUM | f245ecc8-75af-4f8e-b61f-27d8114de5f3 | CDS_O365_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>KAIZALA_O365_P2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>STREAM_O365_SMB (3c53ea51-d578-46fa-a4c0-fd0a92809a60)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>VIVA_LEARNING_SEEDED (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122)<br/>POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>POWER_VIRTUAL_AGENTS_O365_P2 (041fe683-03e4-45b6-b1af-c0cdc516daee) | Common Data Service for Teams (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>Microsoft 365 Apps for Business (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Forms (Plan E1) (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>Microsoft Kaizala Pro (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project for Office (Plan E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SharePoint (Plan 1) (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Stream for Office 365 (3c53ea51-d578-46fa-a4c0-fd0a92809a60)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Viva Learning Seeded (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>Common Data Service (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>Microsoft Azure Rights Management Service (31cf2cfc-6b0d-4adc-a336-88b724ed8122)<br/>Power Apps for Office 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>Power Automate for Office 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>Power Virtual Agents for Office 365 (041fe683-03e4-45b6-b1af-c0cdc516daee) |

+| Microsoft 365 Business Premium | SPB | cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46 | RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>CDS_O365_P3 (afa73018-811e-46e9-988f-f75d2b1b8430)<br/>BPOS_S_DlpAddOn (9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>OFFICE_BUSINESS (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)<br/>M365_LIGHTHOUSE_CUSTOMER_PLAN1 (6f23d6a9-adbf-481c-8538-b4c095654487)<br/>M365_LIGHTHOUSE_PARTNER_PLAN1 (d55411c9-cfff-40a9-87c7-240f14df7da5)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>MDE_SMB (bfc1bbd9-981b-4f71-9b82-17c35fd0e2a4)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>KAIZALA_O365_P2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OFFICE_SHARED_COMPUTER_ACTIVATION (276d6e8a-f056-4f70-b7e8-4fc27f79f809)<br/>PROJECT_O365_P3 (b21a6b06-1988-436e-a07b-51ec6d9f52ad)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>VIVA_LEARNING_SEEDED (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>UNIVERSAL_PRINT_01 (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>WINBIZ (8e229017-d77b-43d5-9305-903395523b99)<br/>WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>AAD_SMB (de377cbc-0019-4ec2-b77c-3f223947e102)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>DYN365_CDS_O365_P3 (28b0fa46-c39a-4188-89e2-58e979a6b014)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>INTUNE_SMBIZ (8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2)<br/>STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>POWER_VIRTUAL_AGENTS_O365_P3 (ded3d325-1bdc-453e-8432-5bac26d7a014) | Azure Rights Management (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Common Data Service for Teams (afa73018-811e-46e9-988f-f75d2b1b8430)<br/>Data Loss Prevention (9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Exchange Online Archiving (176a09a6-7ec5-4039-ac02-b2791c6ba793)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>Microsoft 365 Apps for Business (094e7854-93fc-4d55-b2c0-3ab5369ebdc1)<br/>Microsoft 365 Lighthouse (Plan 1) (6f23d6a9-adbf-481c-8538-b4c095654487)<br/>Microsoft 365 Lighthouse (Plan 2) (d55411c9-cfff-40a9-87c7-240f14df7da5)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Defender for Business (bfc1bbd9-981b-4f71-9b82-17c35fd0e2a4)<br/>Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>Microsoft Forms (Plan E1) (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>Microsoft Kaizala Pro (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Office Shared Computer Activation (276d6e8a-f056-4f70-b7e8-4fc27f79f809)<br/>Project for Office (Plan E5) (b21a6b06-1988-436e-a07b-51ec6d9f52ad)<br/>SharePoint (Plan 1) (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Viva Learning Seeded (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>Universal Print (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Windows 10/11 Business (8e229017-d77b-43d5-9305-903395523b99)<br/>Windows Update for Business Deployment Service (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>Azure Active Directory (de377cbc-0019-4ec2-b77c-3f223947e102)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Information Protection Premium P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>Common Data Service (28b0fa46-c39a-4188-89e2-58e979a6b014)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Intune (8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2)<br/>Microsoft Stream for Office 365 E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>Power Apps for Office 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>Power Automate for Office 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>Power Virtual Agents for Office 365 (ded3d325-1bdc-453e-8432-5bac26d7a014) |

+| Microsoft 365 E3 | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 | RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>CDS_O365_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>M365_LIGHTHOUSE_CUSTOMER_PLAN1 (6f23d6a9-adbf-481c-8538-b4c095654487)<br/>M365_LIGHTHOUSE_PARTNER_PLAN1 (d55411c9-cfff-40a9-87c7-240f14df7da5)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>MDE_LITE (292cc034-7b7c-4950-aaf5-943befd3f1d4)<br/>FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)<br/>KAIZALA_O365_P3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>VIVA_LEARNING_SEEDED (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>UNIVERSAL_PRINT_01 (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>WIN10_PRO_ENT_SUB (21b439ba-a0ca-424f-a6cc-52f954a5b111)<br/>WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>POWER_VIRTUAL_AGENTS_O365_P2 (041fe683-03e4-45b6-b1af-c0cdc516daee) | Azure Rights Management (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Common Data Service for Teams (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Information Protection and Governance Analytics - Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>Information Protection for Office 365 - Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>Microsoft 365 Apps for Enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft 365 Lighthouse (Plan 1) (6f23d6a9-adbf-481c-8538-b4c095654487)<br/>Microsoft 365 Lighthouse (Plan 2) (d55411c9-cfff-40a9-87c7-240f14df7da5)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Defender for Endpoint Plan 1 (292cc034-7b7c-4950-aaf5-943befd3f1d4)<br/>Microsoft Forms (Plan E3) (2789c901-c14e-48ab-a76a-be334d9d793a)<br/>Microsoft Kaizala Pro (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project for Office (Plan E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Viva Learning Seeded (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>Universal Print (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Windows 10/11 Enterprise (Original) (21b439ba-a0ca-424f-a6cc-52f954a5b111)<br/>Windows Update for Business Deployment Service (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Information Protection Premium P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>Common Data Service (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Power Virtual Agents for Office 365 (041fe683-03e4-45b6-b1af-c0cdc516daee) |

+Enabling the Identity Protection policy requiring multi-factor authentication registration and targeting all of your users, will make sure that they can use Azure AD MFA to self-remediate in the future. Configuring this policy gives your users a 14-day period where they can choose to register and at the end are forced to register.

+When an administrator has configured a policy for sign-in risks, affected users are interrupted when they hit the configured risk level.

+1. The user is informed that something unusual was detected about their sign-in. This could be something like, such as signing in from a new location, device, or app.

+Administrators can choose to block users upon sign-in depending on their risk level. To get unblocked, end users must contact their IT staff, or they can try signing in from a familiar location or device. Self-remediation by performing multi-factor authentication isn't an option in this case.

+Administrators can choose to block users upon sign-in depending on their risk level. To get unblocked, end users must contact their IT staff. Self-remediation by performing multi-factor authentication and self-service password reset isn't an option in this case.

+## High risk technician

+If your organization has users who are delegated access to another tenant and they trigger high risk they may be blocked from signing into those other tenants. For example:

+1. An organization has a managed service provider (MSP) or cloud solution provider (CSP) who takes care of configuring their cloud environment.

+1. One of the MSPs technicians credentials are leaked and triggers high risk. That technician is blocked from signing in to other tenants.

+1. The technician can self-remediate and sign in if the home tenant has enabled the appropriate policies [requiring password change for high risk users](../conditional-access/howto-conditional-access-policy-risk-user.md) or [MFA for risky users](../conditional-access/howto-conditional-access-policy-risk.md).

+ 1. If the home tenant hasn't enabled self-remediation policies, an administrator in the technician's home tenant will have to [remediate the risk](howto-identity-protection-remediate-unblock.md#remediation).

+- [BIG-IP Easy Button for SSO to SAP ERP](f5-big-ip-sap-erp-easy-button.md)

+ az rest -m POST -u https://graph.microsoft.com/v1.0/servicePrincipals/$oidForMI/appRoleAssignments -b "{\"principalId\": \"$oidForMI\", \"resourceId\": \"$serverSPOID\",\"appRoleId\": \"$roleguid\"}"

+| Azure App Services | [How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md) |

+| Azure Import/Export | [Use customer-managed keys in Azure Key Vault for Import/Export service](../../import-export/storage-import-export-encryption-key-portal.md)

+| Azure Media services | [Managed identities](/media-services/latest/concept-managed-identities) |

+| Azure Media services | [Access the Azure Media Services API with Azure AD authentication](/media-services/previous/media-services-use-aad-auth-to-access-ams-api) |

+- Confluence: 7.0.1 to 7.17.0

+- JIRA Core and Software 6.4 to 8.22.1 or JIRA Service Desk 3.0 to 4.22.1 should installed and configured on Windows 64-bit version

+* JIRA Core and Software: 6.4 to 8.22.1

+* JIRA Service Desk 3.0 to 4.22.1

+ >These values aren't real. Update these values with the actual Identifier and Sign on URL. Contact [PolicyStat Client support team](https://rldatix.com/en-apac/customer-success/community/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+ > Message `soft state status is not supported` ΓÇô can be ignored, as no problem.

+Learn more about [Redis Cache Server - RedisCacheNetworkBandwidth (Improve your Cache and application performance when running with high network bandwidth)](/azure/azure-cache-for-redis/cache-troubleshoot-server#server-side-bandwidth-limitation).

+Learn more about [Redis Cache Server - RedisCacheServerLoad (Improve your Cache and application performance when running with high server load)](/azure/azure-cache-for-redis/cache-troubleshoot-client#high-client-cpu-usage).

+Learn more about [Redis Cache Server - RedisCacheUsedMemory (Improve your Cache and application performance when running with high memory pressure)](/azure/azure-cache-for-redis/cache-troubleshoot-client#memory-pressure-on-redis-client).

+Azure Advisor helps you ensure and improve the continuity of your business-critical applications. You can get reliability recommendations on the **Reliability** tab on the Advisor dashboard.

+Based on their names and configuration, we have detected the Azure Cosmos DB accounts below as being potentially used for production workloads. These accounts currently run in a single Azure region. You can increase their availability by configuring them to span at least two Azure regions.

+Learn more about [Cosmos DB account - CosmosDBMongoServerSideRetries (Enable Server Side Retry (SSR) on your Azure Cosmos DB's API for MongoDB account)](/azure/cosmos-db/cassandra/prevent-rate-limiting-errors).

+Learn more about [Media Service - AccountQuotaLimit (Increase Media Services quotas or limits to ensure continuity of service.)](/media-services/latest/limits-quotas-constraints-reference).

+To mitigate the impact of Log4j2 vulnerability, we recommend these steps:

+1) Upgrade Log4j2 to version 2.15.0 on your backend servers. If upgrade isn't possible, follow the system property guidance link below.

+kind: PersistentVolumeClaim

+ Title: Use Scale-down Mode for your Azure Kubernetes Service (AKS) cluster

+# Use Scale-down Mode to delete/deallocate nodes in Azure Kubernetes Service (AKS)

+When an Azure VM is in the `Stopped` (deallocated) state, you will not be charged for the VM compute resources. However, you'll still need to pay for any OS and data storage disks attached to the VM. This also means that the container images will be preserved on those nodes. For more information, see [States and billing of Azure Virtual Machines][state-billing-azure-vm]. This behavior allows for faster operation speeds, as your deployment uses cached images. Scale-down Mode removes the need to pre-provision nodes and pre-pull container images, saving you compute cost.

+This article assumes that you have an existing AKS cluster and the latest version of the Azure CLI installed. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli] or [using the Azure portal][aks-quickstart-portal].

+- [Ephemeral OS][ephemeral-os] disks aren't supported. Be sure to specify managed OS disks via `--node-osdisk-type Managed` when creating a cluster or node pool.

+> [!NOTE]

+> Previously, while Scale-down Mode was in preview, [spot node pools][spot-node-pool] were unsupported. Now that Scale-down Mode is Generally Available, this limitation no longer applies.

+By scaling the node pool and changing the node count to 5, we'll deallocate 15 nodes.

+The default behavior of AKS without using Scale-down Mode is to delete your nodes when you scale-down your cluster. With Scale-down Mode, this behavior can be explicitly achieved by setting `--scale-down-mode Delete`.

+ </otherwise>

+description: Learn how to configure notifications and email templates for events in Azure API Management.

+# How to configure notifications and notification templates in Azure API Management

+API Management provides the ability to configure email notifications for specific events, and to configure the email templates that are used to communicate with the administrators and developers of an API Management instance. This article shows how to configure notifications for the available events, and provides an overview of configuring the email templates used for these events.

+If you don't have an API Management service instance, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).

+## <a name="publisher-notifications"> </a>Configure notifications in the portal

+1. In the left navigation of your API Management instance, select **Notifications** to view the available notifications.

+ - **Subscription requests (requiring approval)** - The specified email recipients and users will receive email notifications about subscription requests for products requiring approval.

+ - **New subscriptions** - The specified email recipients and users will receive email notifications about new product subscriptions.

+ - **Application gallery requests** (deprecated) - The specified email recipients and users will receive email notifications when new applications are submitted to the application gallery on the legacy developer portal.

+ - **New issue or comment** (deprecated) - The specified email recipients and users will receive email notifications when a new issue or comment is submitted on the legacy developer portal.

+ - **Approaching subscription quota limit** - The specified email recipients and users will receive email notifications when subscription usage gets close to usage quota.

+ > Notifications are triggered by the [quota by subscription](api-management-access-restriction-policies.md#SetUsageQuota) policy only. The [quota by key](api-management-access-restriction-policies.md#SetUsageQuotaByKey) policy doesn't generate notifications.

+1. Select a notification, and specify one or more email addresses to be notified:

+ * To add the administrator email address, select **+ Add admin**.

+ * To add another email address, select **+ Add email**, enter an email address, and select **Add**.

+ * Continue adding email addresses as needed.

+ :::image type="content" source="media/api-management-howto-configure-notifications/api-management-email-addresses.png" alt-text="Screenshot showing how to add notification recipients in the portal":::

+API Management provides notification templates for the administrative email messages that are sent automatically to developers when they access and use the service. The following notification templates are provided:

+- Application gallery submission approved (deprecated)

+- Developer welcome letter

+- Email change notification

+- New comment added to an issue (deprecated)

+- New developer account confirmation

+- New issue received (deprecated)

+- Password change confirmation

+- Subscription request declined

+Each email template has a subject in plain text, and a body definition in HTML format. Each item can be customized as desired.

+To view and configure a notification template in the portal:

+1. In the left menu, select **Notification templates**.

+ :::image type="content" source="media/api-management-howto-configure-notifications/api-management-email-templates.png" alt-text="Screenshot of notification templates in the portal":::

+1. Select a notification template, and configure the template using the editor.

+ :::image type="content" source="media/api-management-howto-configure-notifications/api-management-email-template.png" alt-text="Screenshot of notification template editor in the portal":::

+ * The **Parameters** list contains a list of parameters, which when inserted into the subject or body, will be replaced by the designated value when the email is sent.

+ * To insert a parameter, place the cursor where you wish the parameter to go, and select the parameter name.

+1. To save the changes to the email template, select **Save**, or to cancel the changes select **Discard**.

+## Configure email settings

+You can modify general e-mail settings for notifications that are sent from your API Management instance. You can change the administrator email address, the name of the organization sending notification, and the originating email address.

+To modify email settings:

+1. In the left menu, select **Notification templates**.

+1. Select **E-mail settings**.

+1. On the **General email settings** page, enter values for:

+ * **Administrator email** - the email address to receive all system notifications and other configured notifications

+ * **Organization name** - the name of your organization for use in the developer portal and notifications

+ * **Originating email address** - The value of the `From` header for notifications from the API Management instance. API Management sends notifications on behalf of this originating address.

+ :::image type="content" source="media/api-management-howto-configure-notifications/configure-email-settings.png" alt-text="Screenshot of API Management email settings in the portal":::

+1. Select **Save**.

+## Next steps

+* [Overview of the developer portal](api-management-howto-developer-portal.md).

+* [How to create and use groups to manage developer accounts](api-management-howto-create-groups.md)

+* For customers who are already using API Management, another challenge is to extract existing configurations into Resource Manager templates. For those customers, a tool called [Extractor](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/main/src/README.md#Extractor) in the resource kit can help generate templates by extracting configurations from their API Management instances.

+curl -X POST -u <username> --data-binary @"<file-path>" https://<app-name>.scm.azurewebsites.net/api/publish?type=<package-type>

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v1. [App Service Environment v1 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+ Title: Configure App Service Environment v3 network settings

+description: Configure network settings that apply to the entire Azure App Service environment. Learn how to do it with Azure Resource Manager templates.

+keywords: ASE, ASEv3, ftp, remote debug

+# Network configuration settings

+Because App Service Environments are isolated to the individual customer, there are certain configuration settings that can be applied exclusively to App Service Environments. This article documents the various specific network customizations that are available for App Service Environment v3.

+> [!NOTE]

+> This article is about App Service Environment v3, which is used with isolated v2 App Service plans.

+If you don't have an App Service Environment, see [How to Create an App Service Environment v3](./creation.md).

+App Service Environment network customizations are stored in a subresource of the *hostingEnvironments* Azure Resource Manager entity called networking.

+The following abbreviated Resource Manager template snippet shows the **networking** resource:

+```json

+"resources": [

+{

+ "apiVersion": "2021-03-01",

+ "type": "Microsoft.Web/hostingEnvironments",

+ "name": "[parameter('aseName')]",

+ "location": ...,

+ "properties": {

+ "internalLoadBalancingMode": ...,

+ etc...

+ },

+ "resources": [

+ {

+ "type": "configurations",

+ "apiVersion": "2021-03-01",

+ "name": "networking",

+ "dependsOn": [

+ "[resourceId('Microsoft.Web/hostingEnvironments', parameters('aseName'))]"

+ ],

+ "properties": {

+ "remoteDebugEnabled": true,

+ "ftpEnabled": true,

+ "allowNewPrivateEndpointConnections": true

+ }

+ }

+ ]

+}

+```

+The **networking** resource can be included in a Resource Manager template to update the App Service Environment.

+## Configure using Azure Resource Explorer

+Alternatively, you can update the App Service Environment by using [Azure Resource Explorer](https://resources.azure.com).

+1. In Resource Explorer, go to the node for the App Service Environment (**subscriptions** > **{your Subscription}** > **resourceGroups** > **{your Resource Group}** > **providers** > **Microsoft.Web** > **hostingEnvironments** > **App Service Environment name** > **configurations** > **networking**).

+2. Select **Read/Write** in the upper toolbar to allow interactive editing in Resource Explorer.

+3. Select the blue **Edit** button to make the Resource Manager template editable.

+4. Modify one or more of the settings ftpEnabled, remoteDebugEnabled, allowNewPrivateEndpointConnections, that you want to change.

+5. Select the green **PUT** button that's located at the top of the right pane to commit the change to the App Service Environment.

+6. You may need to select the green **GET** button again to see the changed values.

+The change takes effect within a minute.

+## Allow new private endpoint connections

+For apps hosted on both ILB and External App Service Environment, you can allow creation of private endpoints. The setting is default disabled. If private endpoint has been created while the setting was enabled, they won't be deleted and will continue to work. The setting only prevents new private endpoints from being created.

+The following Azure CLI command will enable allowNewPrivateEndpointConnections:

+```azurecli

+ASE_NAME="[myAseName]"

+RESOURCE_GROUP_NAME="[myResourceGroup]"

+az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-new-private-endpoint-connection true

+az appservice ase list-addresses -n --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query properties.allowNewPrivateEndpointConnections

+```

+The setting is also available for configuration through Azure portal at the App Service Environment configuration:

+## FTP access

+This ftpEnabled setting allows you to allow or deny FTP connections are the App Service Environment level. Individual apps will still need to configure FTP access. If you enable FTP at the App Service Environment level, you may want to [enforce FTPS](../deploy-ftp.md?tabs=cli#enforce-ftps) at the individual app level. The setting is default disabled.

+If you want to enable FTP access, you can run the following Azure CLI command:

+```azurecli

+ASE_NAME="[myAseName]"

+RESOURCE_GROUP_NAME="[myResourceGroup]"

+az resource update --name $ASE_NAME/configurations/networking --set properties.ftpEnabled=true -g $RESOURCE_GROUP_NAME --resource-type "Microsoft.Web/hostingEnvironments/networkingConfiguration"

+az resource show --name $ASE_NAME/configurations/networking -g $RESOURCE_GROUP_NAME --resource-type "Microsoft.Web/hostingEnvironments/networkingConfiguration" --query properties.ftpEnabled

+```

+In addition to enabling access, you need to ensure that you have [configured DNS if you are using ILB App Service Environment](./networking.md#dns-configuration-for-ftp-access).

+## Remote debugging access

+Remote debugging is default disabled at the App Service Environment level. You can enable network level access for all apps using this configuration. You'll still have to [configure remote debugging](../configure-common.md?tabs=cli#configure-general-settings) at the individual app level.

+Run the following Azure CLI command to enable remote debugging access:

+```azurecli

+ASE_NAME="[myAseName]"

+RESOURCE_GROUP_NAME="[myResourceGroup]"

+az resource update --name $ASE_NAME/configurations/networking --set properties.RemoteDebugEnabled=true -g $RESOURCE_GROUP_NAME --resource-type "Microsoft.Web/hostingEnvironments/networkingConfiguration"

+az resource show --name $ASE_NAME/configurations/networking -g $RESOURCE_GROUP_NAME --resource-type "Microsoft.Web/hostingEnvironments/networkingConfiguration" --query properties.remoteDebugEnabled

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Create an App Service Environment from a template](create-from-template.md)

+> [!div class="nextstepaction"]

+> [Deploy your app to Azure App Service using FTP](../deploy-ftp.md)

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+ After 31 August 2024, if you haven't migrated to App Service Environment v3, your App Service Environment v1/v2s and the apps deployed in them will no longer be available. App Service Environment v1/v2 is hosted on App Service scale units running on [Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) architecture that will be [retired on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Because of this, [App Service Environment v1/v2 will no longer be available after that date](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). Migrate to App Service Environment v3 to keep your apps running or save or back up any resources or data that you need to maintain.

+ After 31 August 2024, if you haven't migrated to App Service Environment v3, your App Service Environment v1/v2s and the apps deployed in them will no longer be available. App Service Environment v1/v2 is hosted on App Service scale units running on [Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) architecture that will be [retired on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Because of this, [App Service Environment v1/v2 will no longer be available after that date](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). Migrate to App Service Environment v3 to keep your apps running or save or back up any resources or data that you need to maintain.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+|Source / Destination Port(s)|Direction|Source|Destination|Purpose|

+|-|-|-|-|-|

+|* / 80,443|Inbound|VirtualNetwork|App Service Environment subnet range|Allow app traffic and internal health ping traffic|

+|Source / Destination Port(s)|Direction|Source|Destination|Purpose|

+|-|-|-|-|-|

+|* / 80|Inbound|AzureLoadBalancer|App Service Environment subnet range|Allow internal health ping traffic|

+The internal health ping traffic on port 80 is isolated between the Load balancer and the internal servers. No outside traffic can reach the health ping endpoint.

+The normal app access ports inbound are as follows:

+### DNS configuration for FTP access

+For FTP access to Internal Load balancer (ILB) App Service Environment v3 specifically, you need to ensure DNS is configured. Configure an Azure DNS private zone or equivalent custom DNS with the following settings:

+1. Create an Azure DNS private zone named `ftp.appserviceenvironment.net`.

+1. Create an A record in that zone that points `<App Service Environment-name>` to the inbound IP address.

+In addition to setting up DNS, you also need to enable it in the [App Service Environment configuration](./configure-network-settings.md#ftp-access) as well as at the [app level](../deploy-ftp.md?tabs=cli#enforce-ftps).

+## Next steps

+> [!div class="nextstepaction"]

+> [Whitepaper on Using App Service Environment v3 in Compliance-Oriented Industries](https://azure.microsoft.com/resources/using-app-service-environment-v3-in-compliance-oriented-industries/)

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+> This article is about App Service Environment v2 which is used with Isolated App Service plans. [App Service Environment v2 will be retired on 31 August 2024](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v2, please follow the steps in [this article](migration-alternatives.md) to migrate to the new version.

+* For information on how Azure protects your privacy and secures your data, see [Azure Automation data security](/azure/automation/automation-managing-data).

+| [Azure HPC Cache](../hpc-cache/hpc-cache-overview.md) |  |

+| **Products** | **Resiliency** |

+* Monitor the operating system and any workloads running on the machine or server using [VM insights](../../azure-monitor/vm/vminsights-overview.md).

+* Analyze and alert using [Azure Monitor](../../azure-monitor/overview.md).

+This article reviews the deployment methods for the Log Analytics agent VM extension, across multiple production physical servers or virtual machines in your environment, to help you determine which works best for your organization. If you are interested in the new Azure Monitor agent and want to see a detailed comparison, see [Azure Monitor agents overview](../../azure-monitor/agents/agents-overview.md).

+Review the different methods to install the VM extension using one method or a combination and determine which one works best for your scenario.

+### Use Azure Arc-enabled servers

+* Limited automation when using an Azure Resource Manager template.

+### Use Azure Policy

+* The **Configure Log Analytics extension on Azure Arc enabled** *operating system* **servers** policy only installs the Log Analytics VM extension and configures the agent to report to a specified Log Analytics workspace. If you want VM insights to monitor the operating system performance, and map running processes and dependencies on other resources, apply the policy initiative **Enable Azure Monitor for VMs**. It installs and configures both the Log Analytics VM extension and the Dependency agent VM extension, which are required.

+### Use Azure Automation

+The process automation operating environment in Azure Automation and its support for PowerShell and Python runbooks can help you automate the deployment of the Log Analytics agent VM extension at scale to machines in your environment.

+* Must create a runbook based on PowerShell or Python, depending on the target operating system.

+* To manage operating system updates using Azure Automation Update Management, see [Enable from an Automation account](../../automation/update-management/enable-from-automation-account.md) and then follow the steps to enable machines reporting to the workspace.

+* To track changes using Azure Automation Change Tracking and Inventory, see [Enable from an Automation account](../../automation/change-tracking/enable-from-automation-account.md) and then follow the steps to enable machines reporting to the workspace.

+* Use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on servers or machines registered with Arc-enabled servers. See the [Deploy Hybrid Runbook Worker VM extension](../../automation/extension-based-hybrid-runbook-worker-install.md) article.

+* Read the VM insights [Monitor performance](../../azure-monitor/vm/vminsights-performance.md) and [Map dependencies](../../azure-monitor/vm/vminsights-maps.md) articles to see how well your machine is performing and view discovered application components.

+There are scenarios in which you'll want to move your existing Azure Arc-enabled server from one region to another. For example, you might want to move regions to improve manageability, for governance reasons, or because you realized the machine was originally registered in the wrong region.

+> Performing this operation will result in downtime during the migration.

+1. Remove any VM extensions that are installed on the machine. You can do this by using the [Azure portal](manage-vm-extensions-portal.md#remove-extensions), [Azure CLI](manage-vm-extensions-cli.md#remove-extensions), or [Azure PowerShell](manage-vm-extensions-powershell.md#remove-extensions).

+2. Use the **azcmagent** tool with the [Disconnect](manage-agent.md#disconnect) parameter to disconnect the machine from Azure Arc and delete the machine resource from Azure. You can run this manually while logged on interactively, with a Microsoft identity platform [access token](../../active-directory/develop/access-tokens.md), or with the service principal you used for onboarding (or with a [new service principal that you create](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale)).

+ Disconnecting the machine from Azure Arc-enabled servers does not remove the Connected Machine agent, and you don't need to remove the agent as part of this process.

+3. Run the `azcmagent` tool with the [Connect](manage-agent.md#connect) parameter to re-register the Connected Machine agent with Azure Arc-enabled servers in the other region.

+4. Redeploy the VM extensions that were originally deployed to the machine from Azure Arc-enabled servers.

+

+ If you deployed the Azure Monitor for VMs (insights) agent or the Log Analytics agent using an Azure Policy definition, the agents are redeployed after the next [evaluation cycle](../../governance/policy/how-to/get-compliance-data.md#evaluation-triggers).

+Both [in-process](functions-dotnet-class-library.md) and [isolated process](dotnet-isolated-process-guide.md) C# libraries use the `WarmupTrigger` attribute to define the function. C# script instead uses a *function.json* configuration file.

+Use the `WarmupTrigger` attribute to define the function. This attribute has no parameters.

+Use the `WarmupTrigger` attribute to define the function. This attribute has no parameters.

+- Your function must be named `warmup` (case-insensitive) using the `FunctionName` attribute.

+- Your function must be named `warmup` (case-insensitive) using the `FunctionName` attribute.

+- [Microsoft.Extensions.DependencyInjection](https://www.nuget.org/packages/Microsoft.Extensions.DependencyInjection/) (currently, only version 2.x or later supported)

+ "route": "{*route}"

+@app.get("hello/{name}")

+@app.route("hello/<name>", methods=['GET'])

+This section outlines variations and considerations when using **Azure Bot Service**, **Azure Machine Learning**, and **Cognitive Services** in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=machine-learning-service,bot-service,cognitive-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+### [Media Services](/media-services/)

+For Azure Media Services v3 feature variations in Azure Government, see [Azure Media Services v3 clouds and regions availability](/media-services/latest/azure-clouds-regions#us-government-cloud).

+| [Media Services](/media-services/) | &#x2705; | &#x2705; |

+| [Media Services](/media-services/) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+# Azure Maps weather services coverage

+This article provides coverage information for Azure Maps [Weather services][weather-services].

+## Weather information supported

+### Infrared satellite tiles

+<!-- Replace with Minimal Description

+Infrared (IR) radiation is electromagnetic radiation that measures an object's infrared emission, returning information about its temperature. Infrared images can indicate cloud heights (Colder cloud-tops mean higher clouds) and types, calculate land and surface water temperatures, and locate ocean surface features.

+ -->

+Infrared satellite imagery, showing clouds by their temperature, is returned when `tilesetID` is set to `microsoft.weather.infrared.main` when making calls to [Get Map Tile][get-map-tile] and can then be overlaid on the map image.

+### Minute forecast

+The [Get Minute forecast][get-minute-forecast] service returns minute-by-minute forecasts for the specified location for the next 120 minutes.

+### Radar tiles

+<!-- Replace with Minimal Description

+Radar imagery is a depiction of the response returned when microwave radiation is sent into the atmosphere. The pulses of radiation reflect back showing its interactions with any precipitation it encounters. The radar technology visually represents those pulses showing where it's clear, raining, snowing or stormy.

+-->

+Radar tiles, showing areas of rain, snow, ice and mixed conditions, are returned when `tilesetID` is set to `microsoft.weather.radar.main` when making calls to [Get Map Tile][get-map-tile] and can then be overlaid on the map image.

+### Severe weather alerts

+Azure Maps [Severe weather alerts][severe-weather-alerts] service returns severe weather alerts from both official Government Meteorological Agencies and other leading severe weather alert providers. The service can return details such as alert type, category, level and detailed description. Severe weather includes conditions like hurricanes, tornados, tsunamis, severe thunderstorms, and fires.

+### Other

+- **Air quality**. The Air Quality service returns [current][aq-current], [hourly][aq-hourly] or [daily][aq-daily] forecasts that include pollution levels, air quality index values, the dominant pollutant, and a brief statement summarizing risk level and suggested precautions.

+- **Current conditions**. The [Get Current Conditions](/rest/api/maps/weather/get-current-conditions) service returns detailed current weather conditions such as precipitation, temperature and wind for a given coordinate location.

+- **Daily forecast**. The [Get Daily Forecast](/rest/api/maps/weather/get-current-air-quality) service returns detailed weather forecasts such as temperature and wind by day for the next 1, 5, 10, 15, 25, or 45 days for a given coordinate location.

+- **Daily indices**. The [Get Daily Indices](/rest/api/maps/weather/get-daily-indices) service returns index values that provide information that can help in planning activities. For example, a health mobile application can notify users that today is good weather for running or playing golf.

+- **Historical weather**. The Historical Weather service includes Daily Historical [Records][dh-records], [Actuals][dh-actuals] and [Normals][dh-normals] that return climatology data such as past daily record temperatures, precipitation and snowfall at a given coordinate location.

+- **Hourly forecast**. The [Get Hourly Forecast](/rest/api/maps/weather/get-hourly-forecast) service returns detailed weather forecast information by the hour for up to 10 days.

+- **Quarter-day forecast**. The [Get Quarter Day Forecast](/rest/api/maps/weather/get-quarter-day-forecast) Service returns detailed weather forecast by quarter-day for up to 15 days.

+- **Tropical storms**. The Tropical Storm Service provides information about [active storms][tropical-storm-active], tropical storm [forecasts][tropical-storm-forecasts] and [locations][tropical-storm-locations] and the ability to [search][tropical-storm-search] for tropical storms by year, basin ID, or government ID.

+- **Weather along route**. The [Get Weather Along Route](/rest/api/maps/weather/get-weather-along-route) Service returns hyper local (1 kilometer or less), up-to-the-minute weather nowcasts, weather hazard assessments, and notifications along a route described as a sequence of waypoints.

+## Azure Maps Weather coverage tables

+> [!NOTE]

+> Azure Maps doesn't have the same level of detail and accuracy for all countries and regions.

+| Country/Region | Infrared satellite tiles | Minute forecast, Radar tiles | Severe weather alerts | Other* |

+| Country/Region | Infrared satellite tiles | Minute forecast, Radar tiles | Severe weather alerts | Other* |

+|--|::|:-:|::|::|

+| Country/Region | Infrared satellite tiles | Minute forecast, Radar tiles | Severe weather alerts | Other* |

+| Country/Region | Infrared satellite tiles | Minute forecast, Radar tiles | Severe weather alerts | Other* |

+## Next steps

+> [!div class="nextstepaction"]

+> [Weather services in Azure Maps](weather-services-concepts.md)

+> [!div class="nextstepaction"]

+> [Azure Maps weather services frequently asked questions (FAQ)](weather-services-faq.yml)

+[weather-services]: /rest/api/maps/weather

+[get-map-tile]: /rest/api/maps/render-v2/get-map-tile

+[get-minute-forecast]: /rest/api/maps/weather/get-minute-forecast

+[severe-weather-alerts]: /rest/api/maps/weather/get-severe-weather-alerts

+[aq-current]: /rest/api/maps/weather/get-current-air-quality

+[aq-hourly]: /rest/api/maps/weather/get-air-quality-hourly-forecasts

+[aq-daily]: /rest/api/maps/weather/get-air-quality-daily-forecasts

+[current-conditions]: /rest/api/maps/weather/get-current-conditions

+[dh-records]: /rest/api/maps/weather/get-dh-records

+[dh-actuals]: /rest/api/maps/weather/get-dh-actuals

+[dh-normals]: /rest/api/maps/weather/get-dh-normals

+[tropical-storm-active]: /rest/api/maps/weather/get-tropical-storm-active

+[tropical-storm-forecasts]: /rest/api/maps/weather/get-tropical-storm-forecast

+[tropical-storm-locations]: /rest/api/maps/weather/get-tropical-storm-locations

+[tropical-storm-search]: /rest/api/maps/weather/get-tropical-storm-search

+Eventually, the Azure Monitor agent will replace the following legacy monitoring agents that are currently used by Azure Monitor to collect guest data from virtual machines ([view known gaps](../faq.yml)):

+- [Telegraf agent](../essentials/collect-custom-metrics-linux-telegraf.md): Sends data to Azure Monitor Metrics (Linux only).

+**Currently**, the Azure Monitor agent consolidates features from the Telegraf agent and Log Analytics agent, with [a few limitations](#current-limitations).

+In future, it will also consolidate features from the Diagnostic extensions.

+When compared with the legacy agents, this new agent doesn't yet have full parity.

+You can locate the alert rule ID by opening a specific alert rule in the portal, clicking "Properties", and copying the "Resource ID" value. You can also locate it by listing your alert rules from PowerShell or CLI.

+For example, use `resource type contains "MICROSOFT.SQL/SERVERS"` to match both SQL servers and all their child resources, like databases.

+ For example, if you set both `resource type = "Virtual Machines"` and `severity = "Sev0"`, then the rule will apply only for Sev0 alerts on virtual machines in the scope.

+* Make sure both the Java agent jar and the AI-Agent.xml file are placed in the same folder.

+The easiest way to see the billed usage for a single Application Insights resource, which isn't a workspace-based resource is to go to the resource's Overview page and click **View Cost** in the upper right corner. You might need elevated access to Cost Management data ([learn more](../../cost-management-billing/costs/assign-access-acm-data.md)).

+If you have questions about how pricing works for Application Insights, you can post a question in our [Microsoft Q&A question page](/answers/topics/azure-monitor.html).

+## Activity Logs Insights

+Activity log insights let you view information about changes to resources and resource groups in a subscription. The dashboards also present data about which users or services performed activities in the subscription and the activities' status. This article explains how to view Activity log insights in the Azure portal.

+ Title: Activity logs insights

+description: View the overview of Azure Activity logs of your resources

+#Customer intent: As an IT administrator, I want to track changes to resource groups or specific resources in a subscription and to see which administrators or services make these changes.

+

+# Activity logs insights (Preview)

+Activity logs insights let you view information about changes to resources and resource groups in a subscription. The dashboards also present data about which users or services performed activities in the subscription and the activities' status. This article explains how to view Activity log insights in the Azure portal.

+Before using Activity log insights, you'll have to [enable sending logs to your Log Analytics workspace](./diagnostic-settings.md).

+## How does Activity logs insights work?

+Activity logs you send to a [Log Analytics workspace](/articles/azure-monitor/logs/log-analytics-workspace-overview.md) are stored in a table called AzureActivity.

+Activity logs insights are a curated [Log Analytics workbook](/articles/azure-monitor/visualize/workbooks-overview.md) with dashboards that visualize the data in the AzureActivity table. For example, which administrators deleted, updated or created resources, and whether the activities failed or succeeded.

+## View Activity logs insights - Resource group / Subscription level

+To view Activity logs insights on a resource group or a subscription level:

+1. In the Azure portal, select **Monitor** > **Workbooks**.

+1. Select **Activity Logs Insights** in the **Insights** section.

+ :::image type="content" source="media/activity-log/open-activity-log-insights-workbook.png" lightbox="media/activity-log/open-activity-log-insights-workbook.png" alt-text="A screenshot showing how to locate and open the Activity logs insights workbook on a scale level":::

+1. At the top of the **Activity Logs Insights** page, select:

+ 1. One or more subscriptions from the **Subscriptions** dropdown.

+ 1. Resources and resource groups from the **CurrentResource** dropdown.

+ 1. A time range for which to view data from the **TimeRange** dropdown.

+## View Activity logs insights on any Azure resource

+>[!Note]

+> * Currently Applications Insights resources are not supported for this workbook.

+To view Activity logs insights on a resource level:

+1. In the Azure portal, go to your resource, select **Workbooks**.

+1. Select **Activity Logs Insights** in the **Activity Logs Insights** section.

+ :::image type="content" source="media/activity-log/activity-log-resource-level.png" lightbox= "media/activity-log/activity-log-resource-level.png" alt-text="A screenshot showing how to locate and open the Activity logs insights workbook on a resource level":::

+1. At the top of the **Activity Logs Insights** page, select:

+

+ 1. A time range for which to view data from the **TimeRange** dropdown.

+ * **Azure Activity Logs Entries** shows the count of Activity log records in each [activity log category](/articles/azure-monitor/essentials/activity-log-schema#categories).

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-category-value.png" lightbox= "media/activity-log/activity-logs-insights-category-value.png" alt-text="Azure Activity Logs by Category Value":::

+

+ * **Activity Logs by Status** shows the count of Activity log records in each status.

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-status.png" lightbox= "media/activity-log/activity-logs-insights-status.png" alt-text="Azure Activity Logs by Status":::

+

+ * At the subscription and resource group level, **Activity Logs by Resource** and **Activity Logs by Resource Provider** show the count of Activity log records for each resource and resource provider.

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-resource.png" lightbox= "media/activity-log/activity-logs-insights-resource.png" alt-text="Azure Activity Logs by Resource":::

+

+## Next steps

+Learn more about:

+* [Platform logs](./platform-logs-overview.md)

+* [Activity log event schema](activity-log-schema.md)

+* [Creating a diagnostic setting to send Activity logs to other destinations](./diagnostic-settings.md)

+> Resource logs were previously known as diagnostic logs. The name was changed in October 2019 as the types of logs gathered by Azure Monitor shifted to include more than just the Azure resource.

+> This article used to list resource log categories that you can collect. That list is now at [Resource log categories](resource-logs-categories.md).

+| Azure Media Services | [Media Services monitoring schemas](/media-services/latest/monitoring/monitor-media-services-data-reference#schemas) |

+Some services have a curated monitoring experience. That is, Microsoft provides customized functionality meant to act as a starting point for monitoring those services. These experiences are collectively known as **curated visualizations** with the larger more complex of them being called **Insights**.

+The experiences collect and analyze a subset of logs and metrics and depending on the service and might also provide out-of-the-box alerting. They present this telemetry in a visual layout. The visualizations vary in size and scale. Some are considered part of Azure Monitor and follow the support and service level agreements for Azure. They are supported in all Azure regions where Azure Monitor is available. Other curated visualizations provide less functionality, might not scale, and might have different agreements. Some might be based solely on Azure Monitor Workbooks, while others might have an extensive custom experience.

+The table below lists the available curated visualizations and more detailed information about them.

+|Name with docs link| State | [Azure portal Link](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/more)| Description |

+| [Azure Monitor Workbooks for Azure Active Directory](../active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md) | GA (General availability) | [Yes](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Workbooks) | Azure Active Directory provides workbooks to understand the effect of your Conditional Access policies, to troubleshoot sign-in failures, and to identify legacy authentications. |

+| [Azure Backup](../backup/backup-azure-monitoring-use-azuremonitor.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_DataProtection/BackupCenterMenuBlade/backupReportsConfigure/menuId/backupReportsConfigure) | Provides built-in monitoring and alerting capabilities in a Recovery Services vault. |

+| [Azure Monitor for Azure Cache for Redis (preview)](./insights/redis-cache-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/redisCacheInsights) | Provides a unified, interactive view of overall performance, failures, capacity, and operational health |

+| [Azure Cosmos DB Insights](./insights/cosmosdb-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/cosmosDBInsights) | Provides a view of the overall performance, failures, capacity, and operational health of all your Azure Cosmos DB resources in a unified interactive experience. |

+| [Azure Container Insights](/azure/azure-monitor/insights/container-insights-overview) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/containerInsights) | Monitors the performance of container workloads that are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). It gives you performance visibility by collecting metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API. Container logs are also collected. After you enable monitoring from Kubernetes clusters, these metrics and logs are automatically collected for you through a containerized version of the Log Analytics agent for Linux. |

+| [Azure Data Explorer insights](./insights/data-explorer.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/adxClusterInsights) | Azure Data Explorer Insights provides comprehensive monitoring of your clusters by delivering a unified view of your cluster performance, operations, usage, and failures. |

+ | [Azure IoT Edge](../iot-edge/how-to-explore-curated-visualizations.md) | GA | No | Visualize and explore metrics collected from the IoT Edge device right in the Azure portal using Azure Monitor Workbooks based public templates. The curated workbooks use built-in metrics from the IoT Edge runtime. These views don't need any metrics instrumentation from the workload modules. |

+ | [Azure Key Vault Insights (preview)](./insights/key-vault-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/keyvaultsInsights) | Provides comprehensive monitoring of your key vaults by delivering a unified view of your Key Vault requests, performance, failures, and latency. |

+ | [Azure Monitor Application Insights](./app/app-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/applicationsInsights) | Extensible Application Performance Management (APM) service which monitors the availability, performance, and usage of your web applications whether they're hosted in the cloud or on-premises. It leverages the powerful data analysis platform in Azure Monitor to provide you with deep insights into your application's operations. It enables you to diagnose errors without waiting for a user to report them. Application Insights includes connection points to a variety of development tools and integrates with Visual Studio to support your DevOps processes. |

+ | [Azure Monitor Log Analytics Workspace](./logs/log-analytics-workspace-insights-overview.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/lawsInsights) | Log Analytics Workspace Insights (preview) provides comprehensive monitoring of your workspaces through a unified view of your workspace usage, performance, health, agent, queries, and change log. This article will help you understand how to onboard and use Log Analytics Workspace Insights (preview). |

+ | [Azure Service Bus Insights](../service-bus-messaging/service-bus-insights.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/serviceBusInsights) | Azure Service Bus insights provide a view of the overall performance, failures, capacity, and operational health of all your Service Bus resources in a unified interactive experience. |

+ | [Azure Storage Insights](/azure/azure-monitor/insights/storage-insights-overview) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/storageInsights) | Provides comprehensive monitoring of your Azure Storage accounts by delivering a unified view of your Azure Storage services performance, capacity, and availability. |

+ | [Azure Network Insights](./insights/network-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/networkInsights) | Provides a comprehensive view of health and metrics for all your network resource. The advanced search capability helps you identify resource dependencies, enabling scenarios like identifying resource that are hosting your website, by simply searching for your website name. |

+ | [Azure Monitor for Resource Groups](./insights/resource-group-insights.md) | GA | No | Triage and diagnose any problems your individual resources encounter, while offering context as to the health and performance of the resource group as a whole. |

+ | [Azure Stack HCI insights](/azure-stack/hci/manage/azure-stack-hci-insights) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/azureStackHCIInsights) | Azure Monitor Workbook based. Provides health, performance, and usage insights about registered Azure Stack HCI, version 21H2 clusters that are connected to Azure and are enrolled in monitoring. It stores its data in a Log Analytics workspace, which allows it to deliver powerful aggregation and filtering and analyze data trends over time. |

+ | [Azure VM Insights](/azure/azure-monitor/insights/vminsights-overview) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/virtualMachines) | Monitors your Azure virtual machines (VM) and virtual machine scale sets at scale. It analyzes the performance and health of your Windows and Linux VMs, and monitors their processes and dependencies on other resources and external processes. |

+ | [Azure Virtual Desktop Insights](../virtual-desktop/azure-monitor.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/insights/menuId/insights) | Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. |

+| **The following solutions also integrate with parts of Azure Monitor. Note that solutions, are no longer under active development. Use [insights](#insights-and-curated-visualizations) instead.** | |

+| Network - [Network Performance Monitor solution](insights/network-performance-monitor.md) |

+| [Azure Monitor Partners](./partners.md) | A list of partners that integrate with Azure Monitor in some form |

+The following table lists Azure services and the data they collect into Azure Monitor.

+- Metrics - The service automatically collects metrics into Azure Monitor Metrics.

+ | [Azure Media Services](/media-services/) | Microsoft.Medi#microsoftmediamediaservices) | | |

+ | [Azure Media Services](/media-services/) | Microsoft.Medi#microsoftmediamediaservicesliveevents) | No | | |

+ | [Azure Media Services](/media-services/) | Microsoft.Medi#microsoftmediamediaservicesstreamingendpoints) | No | | |

+ | [Azure Media Services](/media-services/) | Microsoft.Medi#microsoftmediavideoanalyzers) | | |

+Currently, VM insights does not support multi-homing.

+> [!NOTE]

+> There is no cost associated with requesting a quota increase. Costs are incurred based on resource usage, not the quotas themselves.

+| Microsoft.Media | [Media Services](/media-services/) |

+For limits specific to Media Services v2 (legacy), see [Media Services v2 (legacy)](/media-services/previous/media-services-quotas-and-limitations)

+> | managedInstances | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br> Can't start or end with hyphen. CanΓÇÖt have hyphen twice in both third and fourth place.<br><br> Can't have any special characters, such as `@`. |

+> | servers | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br>Can't start or end with hyphen. CanΓÇÖt have hyphen twice in both third and fourth place. |

+ Title: Connection string in Azure SignalR Service

+description: An overview of connection string in Azure SignalR Service, how to generate it and how to configure it in app server

+# Connection string in Azure SignalR Service

+Connection string is an important concept that contains information about how to connect to SignalR service. In this article, you'll learn the basics of connection string and how to configure it in your application.

+## What is connection string

+When an application needs to connect to Azure SignalR Service, it will need the following information:

+* The HTTP endpoint of the SignalR service instance

+* How to authenticate with the service endpoint

+Connection string contains such information. To see how a connection string looks like, you can open a SignalR service resource in Azure portal and go to "Keys" tab. You'll see two connection strings (primary and secondary) in the following format:

+```

+Endpoint=https://<resource_name>.service.signalr.net;AccessKey=<access_key>;Version=1.0;

+```

+> [!NOTE]

+> Besides portal, you can also use Azure CLI to get the connection string:

+>

+> ```bash

+> az signalr key list -g <resource_group> -n <resource_name>

+> ```

+You can see in the connection string, there are two main information:

+* `Endpoint=https://<resource_name>.service.signalr.net` is the endpoint URL of the resource

+* `AccessKey=<access_key>` is the key to authenticate with the service. When access key is specified in connection string, SignalR service SDK will use it to generate a token that can be validated by the service.

+>[!NOTE]

+> For more information about how access tokens are generated and validated, see this [article](https://github.com/Azure/azure-signalr/blob/dev/docs/rest-api.md#authenticate-via-azure-signalr-service-accesskey).

+## Other authentication types

+Besides access key, SignalR service also supports other types of authentication methods in connection string.

+### Azure Active Directory Application

+You can use [Azure AD application](/azure/active-directory/develop/app-objects-and-service-principals) to connect to SignalR service. As long as the application has the right permission to access SignalR service, no access key is needed.

+To use Azure AD authentication, you need to remove `AccessKey` from connection string and add `AuthType=aad`. You also need to specify the credentials of your Azure AD application, including client ID, client secret and tenant ID. The connection string will look as follows:

+```

+Endpoint=https://<resource_name>.service.signalr.net;AuthType=aad;ClientId=<client_id>;ClientSecret=<client_secret>;TenantId=<tenant_id>;Version=1.0;

+```

+For more information about how to authenticate using Azure AD application, see this [article](signalr-howto-authorize-application.md).

+### Managed identity

+You can also use [managed identity](/azure/active-directory/managed-identities-azure-resources/overview) to authenticate with SignalR service.

+There are two types of managed identities, to use system assigned identity, you just need to add `AuthType=aad` to the connection string:

+```

+Endpoint=https://<resource_name>.service.signalr.net;AuthType=aad;Version=1.0;

+```

+SignalR service SDK will automatically use the identity of your app server.

+To use user assigned identity, you also need to specify the client ID of the managed identity:

+```

+Endpoint=https://<resource_name>.service.signalr.net;AuthType=aad;ClientId=<client_id>;Version=1.0;

+```

+For more information about how to configure managed identity, see this [article](signalr-howto-authorize-managed-identity.md).

+> [!NOTE]

+> It's highly recommended to use Azure AD to authenticate with SignalR service as it's a more secure way comparing to using access key. If you don't use access key authentication at all, consider to completely disable it (go to Azure portal -> Keys -> Access Key -> Disable). If you still use access key, it's highly recommended to rotate them regularly (more information can be found [here](signalr-howto-key-rotation.md)).

+## Client and server endpoints

+Connection string contains the HTTP endpoint for app server to connect to SignalR service. This is also the endpoint server will return to clients in negotiate response, so client can also connect to the service.

+But in some applications there may be an additional component in front of SignalR service and all client connections need to go through that component first (to gain additional benefits like network security, [Azure Application Gateway](/azure/application-gateway/overview) is a common service that provides such functionality).

+In such case, the client will need to connect to an endpoint different than SignalR service. Instead of manually replace the endpoint at client side, you can add `ClientEndpoint` to connecting string:

+```

+Endpoint=https://<resource_name>.service.signalr.net;AccessKey=<access_key>;ClientEndpoint=https://<url_to_app_gateway>;Version=1.0;

+```

+Then app server will return the right endpoint url in negotiate response for client to connect.

+> [!NOTE]

+> For more information about how clients get service url through negotiate, see this [article](signalr-concept-internals.md#client-connections).

+Similarly, when server wants to make [server connections](signalr-concept-internals.md#server-connections) or call [REST APIs](https://github.com/Azure/azure-signalr/blob/dev/docs/rest-api.md) to service, SignalR service may also be behind another service like Application Gateway. In that case, you can use `ServerEndpoint` to specify the actual endpoint for server connections and REST APIs:

+```

+Endpoint=https://<resource_name>.service.signalr.net;AccessKey=<access_key>;ServerEndpoint=https://<url_to_app_gateway>;Version=1.0;

+```

+## Use connection string generator

+It may be cumbersome and error-prone to compose connection string manually. In Azure portal, there is a tool to help you generate connection string with additional information like client endpoint and auth type.

+To use connection string generator, open the SignalR resource in Azure portal, go to "Connection strings" tab:

+In this page you can choose different authentication types (access key, managed identity or Azure AD application) and input information like client endpoint, client ID, client secret, etc. Then connection string will be automatically generated. You can copy and use it in your application.

+> [!NOTE]

+> Everything you input in this page won't be saved after you leave the page (since they're only client side information), so please copy and save it in a secure place for your application to use.

+## Configure connection string in your application

+There are two ways to configure connection string in your application.

+You can set the connection string when calling `AddAzureSignalR()` API:

+```cs

+services.AddSignalR().AddAzureSignalR("<connection_string>");

+```

+Or you can call `AddAzureSignalR()` without any arguments, then service SDK will read the connection string from a config named `Azure:SignalR:ConnectionString` in your [config providers](/dotnet/core/extensions/configuration-providers).

+In a local development environment, the config is usually stored in file (appsettings.json or secrets.json) or environment variables, so you can use one of the following ways to configure connection string:

+* Use .NET secret manager (`dotnet user-secrets set Azure:SignalR:ConnectionString "<connection_string>"`)

+* Set connection string to environment variable named `Azure__SignalR__ConnectionString` (colon needs to replaced with double underscore in [environment variable config provider](/dotnet/core/extensions/configuration-providers#environment-variable-configuration-provider)).

+In production environment, you can use other Azure services to manage config/secrets like Azure [Key Vault](/azure/key-vault/general/overview) and [App Configuration](/azure/azure-app-configuration/overview). See their documentation to learn how to set up config provider for those services.

+> [!NOTE]

+> Even you're directly setting connection string using code, it's not recommended to hardcode the connection string in source code, so you should still first read the connection string from a secret store like key vault and pass it to `AddAzureSignalR()`.

+### Configure multiple connection strings

+Azure SignalR Service also allows server to connect to multiple service endpoints at the same time, so it can handle more connections which are beyond one service instance's limit. Also if one service instance is down, other service instances can be used as backup. For more information about how to use multiple instances, see this [article](signalr-howto-scale-multi-instances.md).

+There are also two ways to configure multiple instances:

+* Through code

+ ```cs

+ services.AddSignalR().AddAzureSignalR(options =>

+ {

+ options.Endpoints = new ServiceEndpoint[]

+ {

+ new ServiceEndpoint("<connection_string_1>", name: "name_a"),

+ new ServiceEndpoint("<connection_string_2>", name: "name_b", type: EndpointType.Primary),

+ new ServiceEndpoint("<connection_string_3>", name: "name_c", type: EndpointType.Secondary),

+ };

+ });

+ ```

+ You can assign a name and type to each service endpoint so you can distinguish them later.

+* Through config

+ You can use any supported config provider (secret manager, environment variables, key vault, etc.) to store connection strings. Take secret manager as an example:

+ ```bash

+ dotnet user-secrets set Azure:SignalR:ConnectionString:name_a <connection_string_1>

+ dotnet user-secrets set Azure:SignalR:ConnectionString:name_b:primary <connection_string_2>

+ dotnet user-secrets set Azure:SignalR:ConnectionString:name_c:secondary <connection_string_3>

+ ```

+ You can also assign name and type to each endpoint, by using a different config name in the following format:

+ ```

+ Azure:SignalR:ConnectionString:<name>:<type>

+ ```

+ Title: DTU benchmark

+description: Learn about the benchmark for the DTU-based purchasing model for Azure SQL Database.

+ms.devlang:

+# DTU benchmark

+A database transaction unit (DTU) is a unit of measure representing a blended measure of CPU, memory, reads, and writes. Physical characteristics (CPU, memory, IO) associated with each DTU measure are calibrated using a benchmark that simulates real-world database workload. This article summarizes the DTU benchmark and shares information about the schema, transaction types used, workload mix, users and pacing, scaling rules, and metrics associated with the benchmark.

+For general information about the DTU-based purchasing model, see the [DTU-based purchasing model overview](service-tiers-dtu.md).

+## Benchmark summary

+The DTU benchmark measures the performance of a mix of basic database operations that occur most frequently in online transaction processing (OLTP) workloads. Although the benchmark is designed with cloud computing in mind, the database schema, data population, and transactions have been designed to be broadly representative of the basic elements most commonly used in OLTP workloads.

+## Correlating benchmark results to real world database performance

+It's important to understand that all benchmarks are representative and indicative only. The transaction rates achieved with the benchmark application will not be the same as those that might be achieved with other applications. The benchmark comprises a collection of different transaction types run against a schema containing a range of tables and data types. While the benchmark exercises the same basic operations that are common to all OLTP workloads, it doesn't represent any specific class of database or application. The goal of the benchmark is to provide a reasonable guide to the relative performance of a database that might be expected when scaling up or down between compute sizes.

+In reality, databases are of different sizes and complexity, encounter different mixes of workloads, and will respond in different ways. For example, an IO-intensive application may hit IO thresholds sooner, or a CPU-intensive application may hit CPU limits sooner. There is no guarantee that any particular database will scale in the same way as the benchmark under increasing load.

+The benchmark and its methodology are described in more detail in this article.

+## Schema

+The schema is designed to have enough variety and complexity to support a broad range of operations. The benchmark runs against a database comprised of six tables. The tables fall into three categories: fixed-size, scaling, and growing. There are two fixed-size tables; three scaling tables; and one growing table. Fixed-size tables have a constant number of rows. Scaling tables have a cardinality that is proportional to database performance, but doesnΓÇÖt change during the benchmark. The growing table is sized like a scaling table on initial load, but then the cardinality changes in the course of running the benchmark as rows are inserted and deleted.

+The schema includes a mix of data types, including integer, numeric, character, and date/time. The schema includes primary and secondary keys, but not any foreign keys - that is, there are no referential integrity constraints between tables.

+A data generation program generates the data for the initial database. Integer and numeric data is generated with various strategies. In some cases, values are distributed randomly over a range. In other cases, a set of values is randomly permuted to ensure that a specific distribution is maintained. Text fields are generated from a weighted list of words to produce realistic looking data.

+The database is sized based on a ΓÇ£scale factor.ΓÇ¥ The scale factor (abbreviated as SF) determines the cardinality of the scaling and growing tables. As described below in the section Users and Pacing, the database size, number of users, and maximum performance all scale in proportion to each other.

+## Transactions

+The workload consists of nine transaction types, as shown in the table below. Each transaction is designed to highlight a particular set of system characteristics in the database engine and system hardware, with high contrast from the other transactions. This approach makes it easier to assess the impact of different components to overall performance. For example, the transaction ΓÇ£Read HeavyΓÇ¥ produces a significant number of read operations from disk.

+| Transaction Type | Description |

+| | |

+| Read Lite |SELECT; in-memory; read-only |

+| Read Medium |SELECT; mostly in-memory; read-only |

+| Read Heavy |SELECT; mostly not in-memory; read-only |

+| Update Lite |UPDATE; in-memory; read-write |

+| Update Heavy |UPDATE; mostly not in-memory; read-write |

+| Insert Lite |INSERT; in-memory; read-write |

+| Insert Heavy |INSERT; mostly not in-memory; read-write |

+| Delete |DELETE; mix of in-memory and not in-memory; read-write |

+| CPU Heavy |SELECT; in-memory; relatively heavy CPU load; read-only |

+## Workload mix

+Transactions are selected at random from a weighted distribution with the following overall mix. The overall mix has a read/write ratio of approximately 2:1.

+| Transaction Type | % of Mix |

+| | |

+| Read Lite |35 |

+| Read Medium |20 |

+| Read Heavy |5 |

+| Update Lite |20 |

+| Update Heavy |3 |

+| Insert Lite |3 |

+| Insert Heavy |2 |

+| Delete |2 |

+| CPU Heavy |10 |

+## Users and pacing

+The benchmark workload is driven from a tool that submits transactions across a set of connections to simulate the behavior of a number of concurrent users. Although all of the connections and transactions are machine generated, for simplicity we refer to these connections as ΓÇ£users.ΓÇ¥ Although each user operates independently of all other users, all users perform the same cycle of steps shown below:

+1. Establish a database connection.

+2. Repeat until signaled to exit:

+ - Select a transaction at random (from a weighted distribution).

+ - Perform the selected transaction and measure the response time.

+ - Wait for a pacing delay.

+3. Close the database connection.

+4. Exit.

+The pacing delay (in step 2c) is selected at random, but with a distribution that has an average of 1.0 second. Thus each user can, on average, generate at most one transaction per second.

+## Scaling rules

+The number of users is determined by the database size (in scale-factor units). There is one user for every five scale-factor units. Because of the pacing delay, one user can generate at most one transaction per second, on average.

+For example, a scale-factor of 500 (SF=500) database will have 100 users and can achieve a maximum rate of 100 TPS. To drive a higher TPS rate requires more users and a larger database.

+## Measurement duration

+A valid benchmark run requires a steady-state measurement duration of at least one hour.

+## Metrics

+The key metrics in the benchmark are throughput and response time.

+- Throughput is the essential performance measure in the benchmark. Throughput is reported in transactions per unit-of-time, counting all transaction types.

+- Response time is a measure of performance predictability. The response time constraint varies with class of service, with higher classes of service having a more stringent response time requirement, as shown below.

+| Class of Service | Throughput Measure | Response Time Requirement |

+| | | |

+| [Premium](service-tiers-dtu.md#compare-service-tiers) |Transactions per second |95th percentile at 0.5 seconds |

+| [Standard](service-tiers-dtu.md#compare-service-tiers) |Transactions per minute |90th percentile at 1.0 seconds |

+| [Basic](service-tiers-dtu.md#compare-service-tiers) |Transactions per hour |80th percentile at 2.0 seconds |

+> [!NOTE]

+> Response time metrics are specific to the [DTU Benchmark](#dtu-benchmark). Response times for other workloads are workload-dependent and will differ.

+## Next steps

+Learn more about purchasing models and related concepts in the following articles:

+- [DTU-based purchasing model overview](service-tiers-dtu.md)

+- [vCore purchasing model - Azure SQL Database](service-tiers-sql-database-vcore.md)

+- [Compare vCore and DTU-based purchasing models of Azure SQL Database](purchasing-models.md)

+- [Migrate Azure SQL Database from the DTU-based model to the vCore-based model](migrate-dtu-to-vcore.md)

+- [Resource limits for single databases using the DTU purchasing model - Azure SQL Database](resource-limits-dtu-single-databases.md)

+- [Resources limits for elastic pools using the DTU purchasing model](resource-limits-dtu-elastic-pools.md)

+In this article, learn about the DTU-based purchasing model for Azure SQL Database.

+The ratio among these resources is originally determined by an [online transaction processing (OLTP) benchmark workload](dtu-benchmark.md) designed to be typical of real-world OLTP workloads. When your workload exceeds the amount of any of these resources, your throughput is throttled, resulting in slower performance and time-outs.

+If a database is moved to different hardware, workload performance can change. The DTU model guarantees that the throughput and response time of the [DTU benchmark](dtu-benchmark.md) workload will remain substantially identical as the database moves to a different hardware generation, as long as its service objective (the number of DTUs) stays the same.

+However, across the wide spectrum of customer workloads running in Azure SQL Database, the impact of using different hardware for the same service objective can be more pronounced. Different workloads will benefit from different hardware configuration and features. Therefore, for workloads other than the [DTU benchmark](dtu-benchmark.md), it's possible to see performance differences if the database moves from one hardware generation to another.

+Physical characteristics (CPU, memory, IO) associated with each DTU measure are calibrated using a benchmark that simulates real-world database workload.

+Learn about the schema, transaction types used, workload mix, users and pacing, scaling rules, and metrics associated with the [DTU benchmark](dtu-benchmark.md).

+## Compare DTU-based and vCore purchasing models

+While the DTU-based purchasing model is based on a bundled measure of compute, storage, and I/O resources, by comparison the [vCore purchasing model for Azure SQL Database](service-tiers-sql-database-vcore.md) allows you to independently choose and scale compute and storage resources.

+The vCore-based purchasing model also allows you to use [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/) for SQL Server to save costs, and offers [Serverless](serverless-tier-overview.md) and [Hyperscale](service-tier-hyperscale.md) options for Azure SQL Database that are not available in the DTU-based purchasing model.

+Learn more in [Compare vCore and DTU-based purchasing models of Azure SQL Database](purchasing-models.md).

+Learn more about purchasing models and related concepts in the following articles:

+- For information on the benchmark associated with the DTU-based purchasing model, see [DTU benchmark](dtu-benchmark.md).

+- [Compare vCore and DTU-based purchasing models of Azure SQL Database](purchasing-models.md).

+1. On your storage account page, select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | Storage Blob Data Contributor |

+ | Assign access to | User, group, or service principal |

+ | Members | Server or workspace hosting your dedicated SQL pool that you've registered with Azure AD |

+ 

+| [Managed Instance link](managed-instance-link-feature-overview.md)| Online replication of SQL Server databases hosted anywhere to Azure SQL Managed Instance. |

+| [Migrate with Log Replay Service](log-replay-service-migrate.md) | Migrate databases from SQL Server to SQL Managed Instance by using Log Replay Service. |

+|[Distributed transactions](../database/elastic-transactions-overview.md) | November 2021 | Distributed database transactions for Azure SQL Managed Instance allow you to run distributed transactions that span several databases across instances. |

+| **Log Replay Service migration** | Use the Log Replay Service to migrate from SQL Server to Azure SQL Managed Instance. This feature is currently in preview. To learn more, see [Migrate with Log Replay Service](log-replay-service-migrate.md). |

+| **Managed Instance link guidance** | We've published a number of guides for using the [Managed Instance link feature](managed-instance-link-feature-overview.md), including how to [prepare your environment](managed-instance-link-preparation.md), [configure replication by using SSMS](managed-instance-link-use-ssms-to-replicate-database.md), [configure replication via scripts](managed-instance-link-use-scripts-to-replicate-database.md), [fail over your database by using SSMS](managed-instance-link-use-ssms-to-failover-database.md), [fail over your database via scripts](managed-instance-link-use-scripts-to-failover-database.md) and some [best practices](managed-instance-link-best-practices.md) when using the link feature (currently in preview). |

+|**Link feature preview** | Use the link feature for SQL Managed Instance to replicate data from your SQL Server hosted anywhere to Azure SQL Managed Instance, leveraging the benefits of Azure without moving your data to Azure, to offload your workloads, for disaster recovery, or to migrate to the cloud. See the [Link feature for SQL Managed Instance](managed-instance-link-feature-overview.md) to learn more. The link feature is currently in limited public preview. |

+- [Best practices with link feature for Azure SQL Managed Instance](managed-instance-link-best-practices.md)

+ > Using SAS tokens created with permissions set through defining a [stored access policy](/rest/api/storageservices/define-stored-access-policy.md) is not supported at this time. You will need to follow the instructions in this guide on manually specifying Read and List permissions for the SAS token.

+- Using SAS tokens created with permissions set through defining a [stored access policy](/rest/api/storageservices/define-stored-access-policy.md) is not supported at this time. You will need to follow the instructions in this guide on manually specifying Read and List permissions for the SAS token.

+> If you require database to be R/O accessible during the migration, and if you require migration window larger than 36 hours, please consider an alternative online migrations solution [link feature for Managed Instance](managed-instance-link-feature-overview.md) providing such capability.

+- Learn more about [migrating to Managed Instance using the link feature](managed-instance-link-feature-overview.md).

+ Title: The link feature best practices

+description: Learn about best practices when using the link feature for Azure SQL Managed Instance.

+ms.devlang:

+# Best practices with link feature for Azure SQL Managed Instance (preview)

+This article outlines best practices when using the link feature for Azure SQL Managed Instance. The link feature for Azure SQL Managed Instance connects your SQL Servers hosted anywhere to SQL Managed Instance, providing near real-time data replication to the cloud.

+> [!NOTE]

+> The link feature for Azure SQL Managed Instance is currently in preview.

+## Take log backups regularly

+The link feature replicates data using the [Distributed availability groups](/sql/database-engine/availability-groups/windows/distributed-availability-groups) concept based on the Always On availability groups technology stack. Data replication with distributed availability groups is based on replicating transaction log records. No transaction log records can be truncated from the database on the primary instance until they're replicated to the database on the secondary instance. If transaction log record replication is slow or blocked due to network connection issues, the log file keeps growing on the primary instance. Growth speed depends on the intensity of workload and the network speed. If there's a prolonged network connection outage and heavy workload on primary instance, the log file may take all available storage space.

+To minimize the risk of running out of space on your primary instance due to log file growth, make sure to **take database log backups regularly**. By taking log backups regularly, you make your database more resilient to unplanned log growth events. Consider scheduling daily log backup tasks using SQL Server Agent job.

+You can use a Transact-SQL (T-SQL) script to back up the log file, such as the sample provided in this section. Replace the placeholders in the sample script with name of your database, name and path of the backup file, and the description.

+To back up your transaction log, use the following sample Transact-SQL (T-SQL) script on SQL Server:

+```sql

+-- Execute on SQL Server

+USE [<DatabaseName>]

+--Set current database inside job step or script

+--Check that you are executing the script on the primary instance

+if (SELECT role

+ FROM sys.dm_hadr_availability_replica_states AS a

+ JOIN sys.availability_replicas AS b

+ ON b.replica_id = a.replica_id

+WHERE b.replica_server_name = @@SERVERNAME) = 1

+BEGIN

+-- Take log backup

+BACKUP LOG [<DatabaseName>]

+TO DISK = N'<DiskPathandFileName>'

+WITH NOFORMAT, NOINIT,

+NAME = N'<Description>', SKIP, NOREWIND, NOUNLOAD, COMPRESSION, STATS = 1

+END

+```

+Use the following Transact-SQL (T-SQL) command to check the log spaced used by your database on SQL Server:

+```sql

+-- Execute on SQL Server

+DBCC SQLPERF(LOGSPACE);

+```

+The query output looks like the following example below for sample database **tpcc**:

+In this example, the database has used 76% of the available log, with an absolute log file size of approximately 27 GB (27,971 MB). The thresholds for action may vary based on your workload, but it's typically an indication that you should take a log backup to truncate the log file and free up some space.

+## Add startup trace flags

+There are two trace flags (`-T1800` and `-T9567`) that, when added as start up parameters, can optimize the performance of data replication through the link. See [Enable startup trace flags](managed-instance-link-preparation.md#enable-startup-trace-flags) to learn more.

+## Next steps

+To get started with the link feature, [prepare your environment for replication](managed-instance-link-preparation.md).

+For more information on the link feature, see the following articles:

+- [Managed Instance link ΓÇô overview](managed-instance-link-feature-overview.md)

+- [Managed Instance link ΓÇô connecting SQL Server to Azure reimagined](https://aka.ms/mi-link-techblog)

+ Title: The link feature

+description: Learn about the link feature for Azure SQL Managed Instance to continuously replicate data from SQL Server to the cloud, or migrate your SQL Server databases with the best possible minimum downtime.

+ms.devlang:

+# Link feature for Azure SQL Managed Instance (preview)

+The new link feature in Azure SQL Managed Instance connects your SQL Servers hosted anywhere to SQL Managed Instance, providing hybrid flexibility and database mobility. With an approach that uses near real-time data replication to the cloud, you can offload workloads to a read-only secondary in Azure to take advantage of Azure-only features, performance, and scale.

+After a disastrous event, you can continue running your read-only workloads on SQL Managed Instance in Azure. You can also choose to migrate one or more applications from SQL Server to SQL Managed Instance at the same time, at your own pace, and with the best possible minimum downtime compared to other solutions in Azure today.

+To use the link feature, you'll need:

+- SQL Server 2019 Enterprise Edition or Developer Edition with [CU15 (or above)](https://support.microsoft.com/en-us/topic/kb5008996-cumulative-update-15-for-sql-server-2019-4b6a8ee9-1c61-482d-914f-36e429901fb6) installed on-premises, or on an Azure VM.

+- Network connectivity between your SQL Server and managed instance is required. If your SQL Server is running on-premises, use a VPN link or Express route. If your SQL Server is running on an Azure VM, either deploy your VM to the same subnet as your managed instance, or use global VNet peering to connect two separate subnets.

+- Azure SQL Managed Instance provisioned on any service tier.

+> [!NOTE]

+> SQL Managed Instance link feature is available in all public Azure regions.

+> National clouds are currently not supported.

+## Overview

+The underlying technology of near real-time data replication between SQL Server and SQL Managed Instance is based on distributed availability groups, part of the well-known and proven Always On availability group technology stack. Extend your SQL Server on-premises availability group to SQL Managed Instance in Azure in a safe and secure manner.

+There's no need to have an existing availability group or multiple nodes. The link supports single node SQL Server instances without existing availability groups, and also multiple-node SQL Server instances with existing availability groups. Through the link, you can use the modern benefits of Azure without migrating your entire SQL Server data estate to the cloud.

+You can keep running the link for as long as you need it, for months and even years at a time. And for your modernization journey, if or when you're ready to migrate to Azure, the link enables a considerably-improved migration experience with the minimum possible downtime compared to all other options available today, providing a true online migration to SQL Managed Instance.

+## Supported scenarios

+Data replicated through the link feature from SQL Server to Azure SQL Managed Instance can be used with several scenarios, such as:

+- **Use Azure services without migrating to the cloud**

+- **Offload read-only workloads to Azure**

+- **Migrate to Azure**

+

+### Use Azure services

+Use the link feature to leverage Azure services using SQL Server data without migrating to the cloud. Examples include reporting, analytics, backups, machine learning, and other jobs that send data to Azure.

+### Offload workloads to Azure

+You can also use the link feature to offload workloads to Azure. For example, an application could use SQL Server for read-write workloads, while offloading read-only workloads to SQL Managed Instance in any of Azure's 60+ regions worldwide. Once the link is established, the primary database on SQL Server is read/write accessible, while replicated data to SQL Managed Instance in Azure is read-only accessible. This allows for various scenarios where replicated databases on SQL Managed Instance can be used for read scale-out and offloading read-only workloads to Azure. SQL Managed Instance, in parallel, can also host independent read/write databases. This allows for copying the replicated database to another read/write database on the same managed instance for further data processing.

+The link is database scoped (one link per one database), allowing for consolidation and deconsolidation of workloads in Azure. For example, you can replicate databases from multiple SQL Servers to a single SQL Managed Instance in Azure (consolidation), or replicate databases from a single SQL Server to multiple managed instances via a 1 to 1 relationship between a database and a managed instance - to any of Azure's regions worldwide (deconsolidation). The latter provides you with an efficient way to quickly bring your workloads closer to your customers in any region worldwide, which you can use as read-only replicas.

+### Migrate to Azure

+The link feature also facilitates migrating from SQL Server to SQL Managed Instance, enabling:

+- The most performant minimum downtime migration compared to all other solutions available today

+- True online migration to SQL Managed Instance in any service tier

+Since the link feature enables minimum downtime migration, you can migrate to your managed instance while maintaining your primary workload online. While online migration was possible to achieve previously with other solutions when migrating to the general purpose service tier, the link feature now also allows for true online migrations to the business critical service tier as well.

+## How it works

+The underlying technology behind the link feature for SQL Managed Instance is distributed availability groups. The solution supports single-node systems without existing availability groups, or multiple node systems with existing availability groups.

+

+Secure connectivity, such as VPN or Express Route is used between an on-premises network and Azure. If SQL Server is hosted on an Azure VM, the internal Azure backbone can be used between the VM and managed instance ΓÇô such as, for example, global VNet peering. The trust between the two systems is established using certificate-based authentication, in which SQL Server and SQL Managed Instance exchange their public keys.

+There could exist up to 100 links from the same, or various SQL Server sources to a single SQL Managed Instance. This limit is governed by the number of databases that could be hosted on a managed instance at this time. Likewise, a single SQL Server can establish multiple parallel database replication links with several managed instances in different Azure regions in a 1 to 1 relationship between a database and a managed instance . The feature requires CU13 or higher to be installed on SQL Server 2019.

+## Use the link feature

+To help with the initial environment setup, we have prepared the following online guide on how to setup your SQL Server environment to use with the link feature for Managed Instance:

+* [Prepare environment for the link](managed-instance-link-preparation.md)

+Once you have ensured the pre-requirements have been met, you can create the link using the automated wizard in SSMS, or you can choose to setup the link manually using scripts. Create the link using one of the following instructions:

+* [Replicate database with link feature in SSMS](managed-instance-link-use-ssms-to-replicate-database.md), or alternatively

+* [Replicate database with Azure SQL Managed Instance link feature with T-SQL and PowerShell scripts](managed-instance-link-use-scripts-to-replicate-database.md)

+Once the link has been created, ensure that you follow the best practices for maintaining the link, by following instructions described at this page:

+* [Best practices with link feature for Azure SQL Managed Instance](managed-instance-link-best-practices.md)

+If and when you are ready to migrate a database to Azure with a minimum downtime, you can do this using an automated wizard in SSMS, or you can choose to do this manually with scripts. Migrate database to Azure link using one of the following instructions:

+* [Failover database with link feature in SSMS](managed-instance-link-use-ssms-to-failover-database.md), or alternatively

+* [Failover (migrate) database with Azure SQL Managed Instance link feature with T-SQL and PowerShell scripts](managed-instance-link-use-scripts-to-failover-database.md)

+## Limitations

+This section describes the productΓÇÖs functional limitations.

+### General functional limitations

+Managed Instance link has a set of general limitations, and those are listed in this section. Listed limitations are of a technical nature and are unlikely to be addressed in the foreseeable future.

+- Only user databases can be replicated. Replication of system databases isn't supported.

+- The solution doesn't replicate server level objects, agent jobs, nor user logins from SQL Server to Managed Instance.

+- Only one database can be placed into a single Availability Group per one Distributed Availability Group link.

+- Link can't be established between SQL Server and Managed Instance if functionality used on SQL Server isn't support on Managed Instance.

+ - File tables and file streams aren't supported for replication, as Managed Instance doesn't support this.

+ - Replicating Databases using Hekaton (In-Memory OLTP) isn't supported on Managed Instance General Purpose service tier. Hekaton is only supported on Managed Instance Business Critical service tier.

+ - For the full list of differences between SQL Server and Managed Instance, see [this article](./transact-sql-tsql-differences-sql-server.md).

+- In case Change data capture (CDC), log shipping, or service broker are used with database replicated on the SQL Server, and in case of database migration to Managed Instance, on the failover to the Azure, clients will need to connect using instance name of the current global primary replica. you'll need to manually re-configure these settings.

+- In case Transactional Replication is used with database replicated on the SQL Server, and in case of migration scenario, on failover to Azure, transactional replication on Azure SQL Managed instance won't continue. you'll need to manually re-configure Transactional Replication.

+- In case distributed transactions are used with database replicated from the SQL Server, and in case of migration scenario, on the cutover to the cloud, the DTC capabilities won't be transferred. There will be no possibility for migrated database to get involved in distributed transactions with SQL Server, as Managed Instance doesn't support distributed transactions with SQL Server at this time. For reference, Managed Instance today supports distributed transactions only between other Managed Instances, see [this article](../database/elastic-transactions-overview.md#transactions-for-sql-managed-instance).

+- Managed Instance link can replicate database of any size if it fits into chosen storage size of target Managed Instance.

+### Preview limitations

+Some Managed Instance link features and capabilities are limited **at this time**. Details can be found in the following list.

+- SQL Server 2019, Enterprise Edition or Developer Edition, CU15 (or higher) on Windows or Linux host OS is supported.

+- Private endpoint (VPN/VNET) is supported to connect Distributed Availability Groups to Managed Instance. Public endpoint can't be used to connect to Managed Instance.

+- Managed Instance Link authentication between SQL Server instance and Managed Instance is certificate-based, available only through exchange of certificates. Windows authentication between instances isn't supported.

+- Replication of user databases from SQL Server to Managed Instance is one-way. User databases from Managed Instance can't be replicated back to SQL Server.

+- [Auto failover groups](auto-failover-group-sql-mi.md) replication to secondary Managed Instance can't be used in parallel while operating the Managed Instance link with SQL Server.

+- Replicated R/O databases aren't part of auto-backup process on SQL Managed Instance.

+## Next steps

+If you're interested in using Link feature for Azure SQL Managed Instance with versions and editions that are currently not supported, sign-up [here](https://aka.ms/mi-link-signup).

+For more information on the link feature, see the following:

+- [Managed Instance link ΓÇô connecting SQL Server to Azure reimagined](https://aka.ms/mi-link-techblog).

+- [Prepare for SQL Managed Instance link](./managed-instance-link-preparation.md).

+- [Use SQL Managed Instance link via SSMS to replicate database](./managed-instance-link-use-ssms-to-replicate-database.md).

+- [Use SQL Managed Instance link via SSMS to migrate database](./managed-instance-link-use-ssms-to-failover-database.md).

+For other replication scenarios, consider:

+- [Transactional replication with Azure SQL Managed Instance (Preview)](replication-transactional-overview.md)

+This article teaches you how to prepare your environment for a [Managed Instance link](managed-instance-link-feature-overview.md) so that you can replicate databases from SQL Server to Azure SQL Managed Instance.

+This article teaches you how to use Transact-SQL (T-SQL) and PowerShell scripts and a [Managed Instance link](managed-instance-link-feature-overview.md) to fail over (migrate) your database from SQL Server to SQL Managed Instance.

+This article teaches you how to use Transact-SQL (T-SQL) and PowerShell scripts to replicate your database from SQL Server to Azure SQL Managed Instance by using a [Managed Instance link](managed-instance-link-feature-overview.md).

+> - Take regular backups of the log file on SQL Server. If the used log space reaches 100 percent, replication to SQL Managed Instance stops until space use is reduced. We highly recommend that you automate log backups by setting up a daily job. For details, see [Back up log files on SQL Server](managed-instance-link-best-practices.md#take-log-backups-regularly).

+This article teaches you how to fail over a database from SQL Server to Azure SQL Managed Instance by using [the link feature](managed-instance-link-feature-overview.md) in SQL Server Management Studio (SSMS).

+You can validate that the link has been dropped by reviewing the database on SQL Server.

+To learn more, see [Link feature for Azure SQL Managed Instance](managed-instance-link-feature-overview.md).

+This article teaches you how to replicate your database from SQL Server to Azure SQL Managed Instance by using [the link feature](managed-instance-link-feature-overview.md) in SQL Server Management Studio (SSMS).

+To break the link and fail over your database to SQL Managed Instance, see [Fail over a database](managed-instance-link-use-ssms-to-failover-database.md). To learn more, see [Link feature for Azure SQL Managed Instance](managed-instance-link-feature-overview.md).

+Use [Azure Migrate](../../../migrate/migrate-services-overview.md) to assess migration suitability of on-premises servers, perform performance-based sizing, and provide cost estimations for running them in Azure.

+This article covers two of the recommended migration options:

+This guide describes the two most popular options - Azure Database Migration Service (DMS) and native backup and restore.

+For other migration tools, see [Compare migration options](sql-server-to-managed-instance-overview.md#compare-migration-options).

+|[Managed Instance link](../../managed-instance/managed-instance-link-feature-overview.md) | This feature enables online migration to Managed Instance using Always On technology. ItΓÇÖs a migration option for customers who require database on Managed Instance to be accessible in R/O mode while migration is in progress, who need to keep the migration running for prolonged periods of time (weeks or months at the time), who require true online replication to Business Critical service tier, and for customers who require the most performant minimum downtime migration. |

+The following table compares the recommended migration options:

+|[Log Replay Service](../../managed-instance/log-replay-service-migrate.md) | - Migrate individual line-of-business application databases. </br> - More control is needed for database migrations. </br> </br> Supported sources: </br> - SQL Server (2008 to 2019) on-premises or Azure VM </br> - AWS EC2 </br> - AWS RDS </br> - GCP Compute SQL Server VM | - The migration entails making full database backups on SQL Server and copying backup files to Azure Blob Storage. Log Replay Service is used to restore backup files from Azure Blob Storage to SQL Managed Instance. </br> - Databases being restored during the migration process will be in a restoring mode and can't be used for read or write workloads until the process is complete.|

+|[Managed Instance link](../../managed-instance/managed-instance-link-feature-overview.md) | - Migrate individual line-of-business application databases. </br> - More control is needed for database migrations. </br> - Minimum downtime migration is needed. </br> </br> Supported sources: </br> - SQL Server (2016 to 2019) on-premises or Azure VM </br> - AWS EC2 </br> - GCP Compute SQL Server VM | - The migration entails establishing a network connection between SQL Server and SQL Managed Instance, and opening communication ports. </br> - Uses [Always On availability group](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server) technology to replicate database near real-time, making an exact replica of the SQL Server database on SQL Managed Instance. </br> - The database can be used for read-only access on SQL Managed Instance while migration is in progress. </br> - Provides the best performance during migration with minimum downtime. |

+# Compare Azure Media Services v3 presets and Video Analyzer for Media

+This article compares the capabilities of **Video Analyzer for Media (formerly Video Indexer) APIs** and **Media Services v3 APIs**.

+Currently, there is an overlap between features offered by the [Video Analyzer for Media APIs](https://api-portal.videoindexer.ai/) and the [Media Services v3 APIs](https://github.com/Azure/azure-rest-api-specs/blob/master/specification/mediaservices/resource-manager/Microsoft.Media/stable/2018-07-01/Encoding.json). The following table offers the current guideline for understanding the differences and similarities.

+|Media Insights|[Enhanced](video-indexer-output-json-v2.md) |[Fundamentals](/media-services/latest/analyze-video-audio-files-concept)|

+[Media Services v3 overview](/media-services/latest/media-services-overview)

+1. Use the [Azure](https://portal.azure.com/) portal to create an Azure Media Services account, as described in [Create an account](/media-services/previous/media-services-portal-create-account).

+ Make sure the Media Services account was created with the classic APIs.

+4. For Video Analyzer for Media to authenticate with Media Services API, an AD app needs to be created. The following steps guide you through the Azure AD authentication process described in [Get started with Azure AD authentication by using the Azure portal](/media-services/previous/media-services-portal-get-started-with-aad):

+ 2. Select [Service principal authentication method](/media-services/previous/media-services-portal-get-started-with-aad).

+> * The target ARM-Based account needs to be created and available before import is assigned.

+ 5. Click **Import content**

+* If you plan to connect to an existing Media Services account, make sure the Media Services account was created with the classic APIs.

+1. Go to https://videoindexer.ai.azure.us

+1. If you do not have any Video Analyzer for Media accounts in Azure Government that you are an owner or a contributor to, you will get an empty experience from which you can start creating your account.

+ The rest of the flow is as described in above , only the regions to select from will be Government regions in which Video Analyzer for Media is available

+* No manual content moderation available in Government cloud.

+ In the public cloud when content is deemed offensive based on a content moderation, the customer can ask for a human to look at that content and potentially revert that decision.

+* No trial accounts.

+* Bing description - in Gov cloud we will not present a description of celebrities and named entities identified. This is a UI capability only.

+Select the account -> **Settings** -> **Delete this account**.

+When using Azure Video Analyzer for Media (formerly Video Indexer) to index videos and your archive of videos is growing, consider scaling.

+* Sending files using multi-part means high dependency on your network,

+* service reliability,

+* connectivity,

+* upload speed,

+## Automatic Scaling of Media Reserved Units

+Starting August 1st 2021, Azure Video Analyzer for Media (formerly Video Indexer) enabled [Reserved Units](/media-services/latest/concept-media-reserved-units)(MRUs) auto scaling by [Azure Media Services](/media-services/latest/media-services-overview) (AMS), as a result you do not need to manage them through Azure Video Analyzer for Media. That will allow price optimization, e.g. price reduction in many cases, based on your business needs as it is being auto scaled.

+You can add a callback URL as one of the parameters of the [upload video API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video). Check out the code samples in [GitHub repo](https://github.com/Azure-Samples/media-services-video-indexer/tree/master/).

+You might be asking, what video quality do you need for indexing your videos?

+|**Media Services account name**|Select a Media Services that the new Video Analyzer for Media account will use to process the videos. You can select an existing Media Services or you can create a new one. The Media Services must be in the same location you selected.|

+[docs-ms]: /media-services/latest/media-services-overview

+ Title: Deploy Azure Video Analyzer for Media with ARM template

+# Tutorial: deploy Azure Video Analyzer for Media with ARM template

+In this tutorial you will create an Azure Video Analyzer for Media (formerly Video Indexer) account by using Azure Resource Manager (ARM) template (preview).

+* An Azure Media Services (AMS) account. You can create one for free through the [Create AMS Account](/media-services/latest/account-create-how-to).

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fmedia-services-video-indexer%2Fmaster%2FARM-Samples%2FCreate-Account%2Favam.template.json)

+# Index your videos stored on OneDrive

+For a list of file formats that you can use with Video Analyzer for Media, see [Standard Encoder formats and codecs](/media-services/latest/encode-media-encoder-standard-formats-reference).

+1. Click on **enter a file URL** button

+You can use the [Upload Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) API to upload and index your videos based on a URL. The code sample that follows includes the commented-out code that shows how to upload the byte array.

+#### externalID

+Use this parameter to specify a callback URL.

+- `AdvancedVideoAndAudio`: Index and extract insights by using both advanced audio and advanced video analysis.

+> The preceding advanced presets include models that are in public preview. When these models reach general availability, there might be implications for the price.

+After your video is uploaded, Video Analyzer for Media optionally encodes the video. It then proceeds to indexing and analyzing the video. When Video Analyzer for Media is done analyzing, you get a notification with the video ID.

+When you're using the [Upload Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) or [Re-Index Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Re-Index-Video) API, one of the optional parameters is `streamingPreset`. If you set `streamingPreset` to `Default`, `SingleBitrate`, or `AdaptiveBitrate`, the encoding process is triggered.

+The default setting is [content-aware encoding](/media-services/latest/encode-content-aware-concept).

+* API key (`apiKey`): Your personal API management subscription key. It allows you to get an access token in order to perform operations on your Video Analyzer for Media account.

+ - The URL must point at a media file. (HTML pages are not supported.)

+ - The URL must be encoded.

+The result of successfully running the code sample includes an insight widget URL and a player widget URL. They allow you to examine the insights and the uploaded video, respectively.

+ // Take the relevant account. Here we simply take the first.

+After you copy this C# project into your development platform, you need to take the following steps:

+ // Get account-level access token for Azure Video Analyzer for Media

+- The URL must be accessible (for example, a public URL).

+> If you must use an older .NET Framework version, add one line to your code before making the REST API call:

+The audio effects detection capability was improved to have a better detection rate over the following classes:

+* Crowd reactions (cheering, clapping, and booing),

+* Gunshot or explosion,

+Video Analyzer for Media introduces source languages support for STT (speech-to-text), translation, and search in Hebrew (he-IL), Portuguese (pt-PT), and Persian (fa-IR) on the [Video Analyzer for Media](https://www.videoindexer.ai/) website.

+## December 2021

+### New source languages support for STT, translation, and search on API level

+When indexing a video through our advanced video settings, you can view the new matched person detection capability. If there are people observed in your media file, you can now view the specific person who matched each of them through the media player.

+> The Government cloud includes support for CRUD ARM based accounts from Video Analyzer for Media API and from the Azure portal.

+>

+When indexing a video through the advanced video settings, you can view the new **PeopleΓÇÖs clothing detection** capability. If there are people detected in your media file, you can now view the clothing type they are wearing through the media player.

+* account settings and insights views in the [portal](https://www.videoindexer.ai).

+Starting August 1st 2021, Azure Video Analyzer for Media (formerly Video Indexer) enabled [Media Reserved Units (MRUs)](/media-services/latest/concept-media-reserved-units) auto scaling by [Azure Media Services](/media-services/latest/media-services-overview), as a result you do not need to manage them through Azure Video Analyzer for Media. That will allow price optimization, for example price reduction in many cases, based on your business needs as it is being auto scaled.

+Video Analyzer for Media now supports STT, translation, and search in Chinese (Cantonese) ('zh-HK'), Dutch (Netherlands) ('Nl-NL'), Czech ('Cs-CZ'), Polish ('Pl-PL'), Swedish (Sweden) ('Sv-SE'), Norwegian('nb-NO'), Finnish('fi-FI'), Canadian French ('fr-CA'), Thai('th-TH'),

+Arabic: (United Arab Emirates) ('ar-AE', 'ar-EG'), (Iraq) ('ar-IQ'), (Jordan) ('ar-JO'), (Kuwait) ('ar-KW'), (Lebanon) ('ar-LB'), (Oman) ('ar-OM'), (Qatar) ('ar-QA'), (Palestinian Authority) ('ar-PS'), (Syria) ('ar-SY'), and Turkish('tr-TR').

+### New open-source code you can leverage

+### New option to toggle bounding boxes (for observed people) on the player

+### Observed people tracing (preview)

+Azure Video Analyzer for Media now detects observed people in videos and provides information such as the location of the person in the video frame and the exact timestamp (start, end) when a person appears. The API returns the bounding box coordinates (in pixels) for each person instance detected, including its confidence.

+For example, if a video contains a person, the detect operation will list the person appearances together with their coordinates in the video frames. You can use this functionality to determine the person path in a video. It also lets you determine whether there are multiple instances of the same person in a video.

+The newly added observed people tracing feature is available when indexing your file by choosing the **Advanced option** -> **Advanced video** or **Advanced video + audio** preset (under Video + audio indexing). Standard and basic indexing presets will not include this new advanced model.

+When you choose to see Insights of your video on the Video Analyzer for Media website, the Observed People Tracing will show up on the page with all detected people thumbnails. You can choose a thumbnail of a person and see where the person appears in the video player.

+### Audio analysis

+### New developer portal

+Video Analyzer for Media has a new [Developer Portal](https://api-portal.videoindexer.ai/), try out the new Video Analyzer for Media APIs and find all the relevant resources in one place: [GitHub repository](https://github.com/Azure-Samples/media-services-video-indexer), [Stack overflow](https://stackoverflow.com/questions/tagged/video-indexer), [Video Analyzer for Media tech community](https://techcommunity.microsoft.com/t5/azure-media-services/bg-p/AzureMediaServices/label-name/Video%20Indexer) with relevant blog posts, [Video Analyzer for Media FAQs](faq.yml), [User Voice](https://feedback.azure.com/d365community/forum/09041fae-0b25-ec11-b6e6-000d3a4f0858) to provide your feedback and suggest features, and ['CodePen' link](https://codepen.io/videoindexer) with widgets code samples.

+### Advanced customization capabilities for insight widget

+SDK is now available to embed Video Analyzer for Media's insights widget in your own service and customize its style and data. The SDK supports the standard Video Analyzer for Media insights widget and a fully customizable insights widget. Code sample is available in [Video Analyzer for Media GitHub repository](https://github.com/Azure-Samples/media-services-video-indexer/tree/master/Embedding%20widgets/widget-customization). With this advanced customization capabilities, solution developer can apply custom styling and bring customerΓÇÖs own AI data and present that in the insight widget (with or without Video Analyzer for Media insights).

+### Video Analyzer for Media deployed in the US North Central , US West and Canada Central

+### New source languages support for speech-to-text (STT), translation and search

+Video Analyzer for Media now support STT, translation and search in Danish ('da-DK'), Norwegian('nb-NO'), Swedish('sv-SE'), Finnish('fi-FI'), Canadian French ('fr-CA'), Thai('th-TH'), Arabic ('ar-BH', 'ar-EG', 'ar-IQ', 'ar-JO', 'ar-KW', 'ar-LB', 'ar-OM', 'ar-QA', 'ar-S', and 'ar-SY'), and Turkish('tr-TR'). Those languages are available in both API and Video Analyzer for Media website.

+### Search by Topic in Video Analyzer for Media Website

+You can now use the search feature, at the top of the [Video Analyzer for Media website](https://www.videoindexer.ai/account/login) page, to search for videos with specific topics.

+### Multiple account owners

+> This feature is only available in trial accounts.

+Video Analyzer for Media now detects the following audio effects in the non-speech segments of the content: gunshot, glass shatter, alarm, siren, explosion, dog bark, screaming, laughter, crowd reactions (cheering, clapping, and booing) and Silence.

+The newly added audio affects feature is available when indexing your file by choosing the **Advanced option** -> **Advanced audio** preset (under Video + audio indexing). Standard indexing will only include **silence** and **crowd reaction**.

+### Named entities enhancement

+The extracted list of people and location was extended and updated in general.

+In addition, the model now includes people and locations in-context which are not famous, like a ΓÇÿSamΓÇÖ or ΓÇÿHomeΓÇÖ in the video.

+### Video Analyzer for Media is deployed on US Government cloud

+You can now create a Video Analyzer for Media paid account on US government cloud in Virginia and Arizona regions.

+Video Analyzer for Media free trial offering isn't available in the mentioned region. For more information go to Video Analyzer for Media Documentation.

+### Video Analyzer for Media deployed in the India Central region

+You can now create a Video Analyzer for Media paid account in the India Central region.

+The Video Analyzer for Media website experiences is now available in dark mode.

+To enable the dark mode open the settings panel and toggle on the **Dark Mode** option.

+### Animated character identification improvements

+> The Video Analyzer for Media accounts connected to LinkedIn and Facebook will not be accessible after March 1st 2021.

+>

+The Video Analyzer for Media website experience is now supporting mobile devices. The user experience is responsive to adapt to your mobile screen size (excluding customization UIs).

+### Accessibility improvements and bug fixes

+As part of WCAG (Web Content Accessibility guidelines), the Video Analyzer for Media website experiences is aligned with grade C, as part of Microsoft Accessibility standards. Several bugs and improvements related to keyboard navigation, programmatic access, and screen reader were solved.

+Topics is added as part of the `textScope` (optional parameter). See [API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Search-Videos) for details.

+For more information, see the [widget types](video-indexer-embed-widgets.md#widget-types) section.

+You can now update Media Services connection configuration in order to self-help with issues like:

+* Media Services resources were moved between subscriptions

+Configure the custom vision account on paid accounts using the Video Analyzer for Media portal (previously, this was only supported by API). To do that, sign in to the Video Analyzer for Media portal, choose Model Customization > Animated characters > Configure.

+Scenes, shots, and keyframes are now merged into one insight for easier consumption and navigation. When you select the desired scene you can see what shots and keyframes it consists of.

+ Video Analyzer for Media now supports custom language models in Korean (`ko-KR`) in both the API and portal.

+### Improve error handling on upload

+### Player timeline Keyframes preview

+# Upload and index your videos

+This article shows how to upload and index videos by using the Azure Video Analyzer for Media (formerly Video Indexer) website and the Upload Video API.

+- A free trial account. Video Analyzer for Media provides up to 600 minutes of free indexing to website users and up to 2,400 minutes of free indexing to API users.

+- A paid option where you're not limited by a quota. You create a Video Analyzer for Media account that's [connected to your Azure subscription and an Azure Media Services account](connect-to-azure.md). You pay for indexed minutes.

+When you're uploading videos by using the API, you have the following options:

+* Use existing an Azure Media Services asset by providing the [asset ID](/media-services/latest/assets-concept). This option is supported in paid accounts only.

+For a list of file formats that you can use with Video Analyzer for Media, see [Standard Encoder formats and codecs](/media-services/latest/encode-media-encoder-standard-formats-reference).

+You can use the [Upload Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) API to upload and index your videos based on a URL. The code sample that follows includes the commented-out code that shows how to upload the byte array.

+#### externalID

+Use this parameter to specify a callback URL.

+- `AdvancedVideoAndAudio`: Index and extract insights by using both advanced audio and advanced video analysis.

+> The preceding advanced presets include models that are in public preview. When these models reach general availability, there might be implications for the price.

+After your video is uploaded, Video Analyzer for Media optionally encodes the video. It then proceeds to indexing and analyzing the video. When Video Analyzer for Media is done analyzing, you get a notification with the video ID.

+When you're using the [Upload Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) or [Re-Index Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Re-Index-Video) API, one of the optional parameters is `streamingPreset`. If you set `streamingPreset` to `Default`, `SingleBitrate`, or `AdaptiveBitrate`, the encoding process is triggered.

+The default setting is [content-aware encoding](/media-services/latest/encode-content-aware-concept).

+* API key (`apiKey`): Your personal API management subscription key. It allows you to get an access token in order to perform operations on your Video Analyzer for Media account.

+ - The URL must point at a media file. (HTML pages are not supported.)

+ - The URL must be encoded.

+The result of successfully running the code sample includes an insight widget URL and a player widget URL. They allow you to examine the insights and the uploaded video, respectively.

+ // Take the relevant account. Here we simply take the first.

+After you copy this C# project into your development platform, you need to take the following steps:

+ // Get account-level access token for Azure Video Analyzer for Media

+- The URL must be accessible (for example, a public URL).

+> If you must use an older .NET Framework version, add one line to your code before making the REST API call:

+When creating a Video Analyzer for Media account, you can choose a free trial account (where you get a certain number of free indexing minutes) or a paid option (where you are not limited by the quota). With free trial, Video Analyzer for Media provides up to 600 minutes of free indexing to website users and up to 2400 minutes of free indexing to API users. With paid option, you create a Video Analyzer for Media account that is [connected to your Azure subscription and an Azure Media Services account](connect-to-azure.md). You pay for minutes indexed, for more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/).

+See the [input container/file formats](/media-services/latest/encode-media-encoder-standard-formats-reference) article for a list of file formats that you can use with Video Analyzer for Media.

+1. Once your video has been uploaded, Video Analyzer for Media starts indexing and analyzing the video. You see the progress.

+After you upload and index a video, you can start using [Video Analyzer for Media website](video-indexer-view-edit.md) or [Video Analyzer for Media Developer Portal](video-indexer-use-apis.md) to see the insights of the video.

+For detailed introduction please visit our [introduction lab](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/IntroToVideoIndexer.md).

+Any edition of VMware HCX supports 25 site pairings (on-premises to cloud or cloud to cloud). The default is HCX Advanced, but you can open a [support request](https://rc.portal.azure.com/#create/Microsoft.Support) to have HCX Enterprise Edition enabled. Once the service is generally available, you'll have 30 days to decide on your next steps. You can turn off or opt out of the HCX Enterprise Edition service but keep HCX Advanced as it's part of the node cost.

+>

+1. To configure cache headers using Azure portal, refer to [How to Manage Streaming Endpoints](/media-services/previous/media-services-portal-manage-streaming-endpoints) section Configuring the Streaming Endpoint.

+You can use your own certificate to enable the HTTPS feature. This process is done through an integration with Azure Key Vault, which allows you to store your certificates securely. Azure CDN uses this secure mechanism to get your certificate and it requires a few extra steps. When you create your TLS/SSL certificate, you must create a complete certificate chain with an allowed certificate authority (CA) that is part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). If you use a non-allowed CA, your request will be rejected. If a certificate without complete chain is presented, the requests which involve that certificate are not guaranteed to work as expected. For Azure CDN from Verizon, any valid CA will be accepted.

+Azure Content Delivery Network (CDN) includes four products:

+* **Azure CDN Premium from Verizon**.

+ **Security** | **Standard Microsoft** | **Standard Akamai** | **Standard Verizon** | **Premium Verizon** |

+| [Token authentication](cdn-token-auth.md) | | | |**&#x2713;**|

+| **Analytics and reporting** | **Standard Microsoft** | **Standard Akamai** | **Standard Verizon** | **Premium Verizon** |

+| **Ease of use** | **Standard Microsoft** | **Standard Akamai** | **Standard Verizon** | **Premium Verizon** |

+| Easy integration with Azure services, such as [Storage](cdn-create-a-storage-account-with-cdn.md), [Web Apps](cdn-add-to-web-app.md), and [Media Services](/media-services/previous/media-services-portal-manage-streaming-endpoints) | **&#x2713;** |**&#x2713;** |**&#x2713;** |**&#x2713;** |

+For information about migrating an **Azure CDN Standard from Verizon** profile to **Azure CDN Premium from Verizon**, see [Migrate an Azure CDN profile from Standard Verizon to Premium Verizon](cdn-migrate.md).

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.

+The Content Moderator's video moderation capability is available as a free public preview **media processor** in Azure Media Services (AMS). Azure Media Services is a specialized Azure service for storing and streaming video content.

+Follow the instructions in [Create an Azure Media Services account](/media-services/previous/media-services-portal-create-account) to subscribe to AMS and create an associated Azure storage account. In that storage account, create a new Blob storage container.

+For a more thorough walkthrough of the above process, See [Get started with Azure AD authentication](/media-services/previous/media-services-portal-get-started-with-aad).

+1. In Visual Studio, create a new **Console app (.NET Framework)** project and name it **VideoModeration**.

+// Azure Media Services (AMS) associated Storage Account, Key, and the Container that has

+// Azure Media Services authentication.

+// REST API endpoint, for example "https://accountname.restv2.westcentralus.media.azure.net/API".

+ // Get a reference to the storage account associated with a Media Services account.

+ // Get the reference to the list of Blobs

+ // If job state is Error, the event handling

+ // method for job progress should log errors. Here we check

+> [!div class="nextstepaction"]

+> [Learn more about speech synthesis](how-to-speech-synthesis.md)

+description: Learn how to convert speech to text, including object construction, supported audio input formats, and configuration options for speech recognition.

+* [Try the speech to text quickstart](get-started-speech-to-text.md)

+* [Improve recognition accuracy with custom speech](custom-speech-overview.md)

+* [Transcribe audio in batches](batch-transcription.md)

+ Title: "How to synthesize speech from text - Speech service"

+description: Learn how to convert text to speech. Learn about object construction and design patterns, supported audio output formats, and custom configuration options for speech synthesis.

+ms.devlang: cpp, csharp, golang, java, javascript, objective-c, python

+zone_pivot_groups: programming-languages-speech-services

+keywords: text to speech

+# How to synthesize speech from text

+## Get facial pose events

+Speech can be a good way to drive the animation of facial expressions.

+[Visemes](how-to-speech-synthesis-viseme.md) are often used to represent the key poses in observed speech. Key poses include the position of the lips, jaw, and tongue in producing a particular phoneme.

+You can subscribe to viseme events in the Speech SDK. Then, you can apply viseme events to animate the face of a character as speech audio plays.

+Learn [how to get viseme events](how-to-speech-synthesis-viseme.md#get-viseme-events-with-the-speech-sdk).

+## Get position information

+Your project might need to know when a word is spoken by text-to-speech so that it can take specific action based on that timing. For example, if you want to highlight words as they're spoken, you need to know what to highlight, when to highlight it, and for how long to highlight it.

+You can accomplish this by using the `WordBoundary` event within `SpeechSynthesizer`. This event is raised at the beginning of each new spoken word. It provides a time offset within the spoken stream and a text offset within the input prompt:

+* `AudioOffset` reports the output audio's elapsed time between the beginning of synthesis and the start of the next word. This is measured in hundred-nanosecond units (HNS), with 10,000 HNS equivalent to 1 millisecond.

+* `WordOffset` reports the character position in the input string (original text or [SSML](speech-synthesis-markup.md)) immediately before the word that's about to be spoken.

+> [!NOTE]

+> `WordBoundary` events are raised as the output audio data becomes available, which will be faster than playback to an output device. The caller must appropriately synchronize streaming and real time.

+You can find examples of using `WordBoundary` in the [text-to-speech samples](https://aka.ms/csspeech/samples) on GitHub.

+## Next steps

+* [Get started with Custom Neural Voice](how-to-custom-voice.md)

+* [Improve synthesis with SSML](speech-synthesis-markup.md)

+* [Synthesize from long-form text](long-audio-api.md) like books and news articles

+Containers enable you to run Cognitive Services APIs in your own environment, and are great for your specific security and data governance requirements. Disconnected containers enable you to use several of these APIs disconnected from the internet. Currently, the following containers can be run in this manner:

+ * [Sentiment Analysis](../language-service/sentiment-opinion-mining/how-to/use-containers.md)

+ * [Key Phrase Extraction](../language-service/key-phrase-extraction/how-to/use-containers.md)

+ * [Language Detection](../language-service/language-detection/how-to/use-containers.md)

+* [Form Recognizer](../../applied-ai-services/form-recognizer/containers/form-recognizer-container-install-run.md#required-containers)

+* The Docker `pull` command you'll use to download the container.

+Access is limited to customers that meet the following requirements:

+* Your organization must have a Microsoft Enterprise Agreement or an equivalent agreement and should be identified as strategic customer or partner with Microsoft.

+ * Environment or device(s) with zero connectivity to internet.

+ * Remote location that occasionally has internet access.

+ * Organization under strict regulation of not sending any kind of data back to cloud.

+1. Sign into the [Azure portal](https://portal.azure.com/) and select **Create a new resource** for one of the applicable Cognitive Services or Applied AI services listed above.

+ >

+3. Select **Review + Create** at the bottom of the page. Review the information, and select **Create**.

+Now that you've downloaded your container, you'll need to run the container with the `DownloadLicense=True` parameter in your `docker run` command. This parameter will download a license file that will enable your Docker container to run when it isn't connected to the internet. It also contains an expiration date, after which the license file will be invalid to run the container. You can only use a license file with the appropriate container that you've been approved for. For example, you can't use a license file for a speech-to-text container with a form recognizer container.

+>

+> * [**Translator container only**](../translator/containers/translator-how-to-install-container.md):

+> * You must include a parameter to download model files for the [languages](../translator/language-support.md) you want to translate. For example: `-e Languages=en,es`

+> * The container will generate a `docker run` template that you can use to run the container, containing parameters you will need for the downloaded models and configuration file. Make sure you save this template.

+After you've configured the container, use the next section to run the container in your environment with the license, and appropriate memory and CPU allocations.

+Once the license file has been downloaded, you can run the container in a disconnected environment. The following example shows the formatting of the `docker run` command you'll use, with placeholder values. Replace these placeholder values with your own values.

+ `{MEMORY_SIZE}` | The appropriate size of memory to allocate for your container. | `4g` |

+#### Translator container

+If you're using the [Translator container](../translator/containers/translator-how-to-install-container.md), you'll need to add parameters for the downloaded translation models and container configuration. These values are generated and displayed in the container output when you [configure the container](#configure-the-container-to-be-run-in-a-disconnected-environment) as described above. For example:

+The [speech-to-text](../speech-service/speech-container-howto.md?tabs=stt) and [neural text-to-speech](../speech-service/speech-container-howto.md?tabs=ntts) containers provide a default directory for writing the license file and billing log at runtime. When you're mounting these directories to the container with the `docker run -v` command, make sure the local machine directory is set ownership to `user:group nonroot:nonroot` before running the container.

+When operating Docker containers in a disconnected environment, the container will write usage records to a volume where they're collected over time. You can also call a REST endpoint to generate a report about service usage.

+#### Get all records

+It will return JSON similar to the example below.

+Commitment plans for disconnected containers have a calendar year commitment period. When you purchase a plan, you'll be charged the full price immediately. During the commitment period, you can't change your commitment plan, however you can purchase additional unit(s) at a pro-rated price for the remaining days in the year. You have until midnight (UTC) on the last day of your commitment, to end a commitment plan.

+You can choose a different commitment plan in the **Commitment Tier pricing** settings of your resource.

+If you decide that you don't want to continue purchasing a commitment plan, you can set your resource's auto-renewal to **Do not auto-renew**. Your commitment plan will expire on the displayed commitment end date. After this date, you won't be charged for the commitment plan. You'll be able to continue using the Azure resource to make API calls, charged at pay-as-you-go pricing. You have until midnight (UTC) on the last day of the year to end a commitment plan for disconnected containers, and not be charged for the following year.

+[Azure Cognitive Services containers overview](../cognitive-services-container-support.md)

+RTMP & SRT connectivity can be used for both input and output. Using RTMP/SRT input, a videography studio that emits RTMP/SRT can join an Azure Communication Services call. RTMP/SRT output allows you to stream media from Azure Communication Services into [Azure Media Services](/media-services/latest/concepts-overview), YouTube Live, and many other broadcasting channels. The ability to attach industry standard RTMP/SRT emitters and to output content to RTMP/SRT subscribers for broadcasting transforms a small group call into a virtual event that reaches millions of people in real time.

+ In the diagram below, three endpoints are participating actively in a group call and uploading media. Two users, one of which is using Microsoft Teams, are composed using a *presenter layout.* The third endpoint is a television studio that emits RTMP into the call. The Azure Calling client and Teams client will receive the composed media stream instead of a typical grid. Additionally, Azure Media Services is shown here subscribing to the call's RTMP channel and broadcasting content externally.

+ [![SFTP-SSH icon][sftp-ssh-icon]][sftp-ssh-doc]

+ [**SFTP-SSH**][sftp-ssh-doc]<br>(*Standard logic app only*)

+Azure Container Apps deployments are powered by an Azure Resource Manager (ARM) template. Some Container Apps CLI commands also support using a YAML template to specify a resource.

+> [!NOTE]

+> Azure Container Apps resources are in the process of migrating from the `Microsoft.Web` namespace to the `Microsoft.App` namespace. Refer to [Namespace migration from Microsoft.Web to Microsoft.App in March 2022](https://github.com/microsoft/azure-container-apps/issues/109) for more details.

+## Container Apps environment

+The following tables describe the properties available in the Container Apps environment resource.

+### Resource

+A container app resource of the ARM template has the following properties:

+| Property | Description | Data type |

+|||--|

+| `name` | The Container Apps environment name. | string |

+| `location` | The Azure region where the Container Apps environment is deployed. | string |

+| `type` | `Microsoft.App/managedEnvironments` ΓÇô the ARM resource type | string |

+#### `properties`

+A resource's `properties` object has the following properties:

+| Property | Description | Data type | Read only |

+|||||

+| `daprAIInstrumentationKey` | The Application Insights instrumentation key used by Dapr. | string | No |

+| `appLogsConfiguration` | The environment's logging configuration. | Object | No |

+### <a name="container-apps-environment-examples"></a>Examples

+# [ARM template](#tab/arm-template)

+The following example ARM template deploys a Container Apps environment.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "location": {

+ "defaultValue": "canadacentral",

+ "type": "String"

+ },

+ "dapr_ai_instrumentation_key": {

+ "defaultValue": "",

+ "type": "String"

+ },

+ "environment_name": {

+ "defaultValue": "myenvironment",

+ "type": "String"

+ },

+ "log_analytics_customer_id": {

+ "type": "String"

+ },

+ "log_analytics_shared_key": {

+ "type": "SecureString"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "type": "Microsoft.App/managedEnvironments",

+ "apiVersion": "2022-01-01-preview",

+ "name": "[parameters('environment_name')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "daprAIInstrumentationKey": "[parameters('dapr_ai_instrumentation_key')]",

+ "appLogsConfiguration": {

+ "destination": "log-analytics",

+ "logAnalyticsConfiguration": {

+ "customerId": "[parameters('log_analytics_customer_id')]",

+ "sharedKey": "[parameters('log_analytics_shared_key')]"

+ }

+ }

+ }

+ }

+ ]

+}

+```

+# [YAML](#tab/yaml)

+YAML input isn't currently used by Azure CLI commands to specify a Container Apps environment.

+## Container app

+The following tables describe the properties available in the container app resource.

+### Resource

+A container app resource of the ARM template has the following properties:

+| `type` | `Microsoft.App/containerApps` ΓÇô the ARM resource type | string |

+#### `properties`

+/subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.App/environmentId/<ENVIRONMENT_NAME>

+#### `properties.configuration`

+| `activeRevisionsMode` | Setting to `single` automatically deactivates old revisions, and only keeps the latest revision active. Setting to `multiple` allows you to maintain multiple revisions. | string |

+| `dapr` | Configuration object that defines the Dapr settings for the container app. | object |

+#### `properties.template`

+### <a name="container-app-examples"></a>Examples

+# [ARM template](#tab/arm-template)

+The following example ARM template deploys a container app.

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "containerappName": {

+ "defaultValue": "mycontainerapp",

+ "type": "String"

+ },

+ "location": {

+ "defaultValue": "canadacentral",

+ "type": "String"

+ },

+ "environment_name": {

+ "defaultValue": "myenvironment",

+ "type": "String"

+ },

+ "container_image": {

+ "type": "String"

+ "registry_password": {

+ "type": "SecureString"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "apiVersion": "2022-01-01-preview",

+ "type": "Microsoft.App/containerApps",

+ "name": "[parameters('containerappName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('environment_name'))]",

+ "configuration": {

+ "secrets": [

+ {

+ "name": "mysecret",

+ "value": "thisismysecret"

+ },

+ {

+ "name": "myregistrypassword",

+ "value": "[parameters('registry_password')]"

+ }

+ ],

+ "ingress": {

+ "external": true,

+ "targetPort": 80,

+ "allowInsecure": false,

+ "traffic": [

+ {

+ "latestRevision": true,

+ "weight": 100

+ }

+ ]

+ },

+ "registries": [

+ {

+ "server": "myregistry.azurecr.io",

+ "username": "[parameters('containerappName')]",

+ "passwordSecretRef": "myregistrypassword"

+ }

+ ],

+ "dapr": {

+ "appId": "[parameters('containerappName')]",

+ "appPort": 80,

+ "appProtocol": "http",

+ "enabled": true

+ }

+ },

+ "template": {

+ "revisionSuffix": "myrevision",

+ "containers": [

+ {

+ "name": "main",

+ "image": "[parameters('container_image')]",

+ "env": [

+ {

+ "name": "HTTP_PORT",

+ "value": "80"

+ {

+ "name": "SECRET_VAL",

+ "secretRef": "mysecret"

+ ],

+ "resources": {

+ "cpu": 0.5,

+ "memory": "1Gi"

+ }

+ ],

+ "scale": {

+ "minReplicas": 1,

+ "maxReplicas": 3

+ }

+ }

+ }

+ ]

+# [YAML](#tab/yaml)

+The following example YAML configuration deploys a container app when used with the `--yaml` parameter in the following Azure CLI commands:

+- [`az containerapp create`](/cli/azure/containerapp?view=azure-cli-latest&preserve-view=true#az-containerapp-create)

+- [`az containerapp update`](/cli/azure/containerapp?view=azure-cli-latest&preserve-view=true#az-containerapp-update)

+- [`az containerapp revision copy`](/cli/azure/containerapp?view=azure-cli-latest&preserve-view=true#az-containerapp-revision-copy)

+type: Microsoft.App/containerApps

+ tagname: value

+ managedEnvironmentId: /subscriptions/mysubscription/resourceGroups/myresourcegroup/providers/Microsoft.App/managedEnvironments/myenvironment

+ configuration:

+ activeRevisionsMode: Multiple

+ secrets:

+ - name: mysecret

+ value: thisismysecret

+ - name: myregistrypassword

+ value: I<3containerapps

+ ingress:

+ external: true

+ allowInsecure: false

+ targetPort: 80

+ traffic:

+ - latestRevision: true

+ weight: 100

+ transport: Auto

+ registries:

+ - passwordSecretRef: myregistrypassword

+ server: myregistry.azurecr.io

+ username: myregistrye

+ dapr:

+ appId: mycontainerapp

+ appPort: 80

+ appProtocol: http

+ enabled: true

+ template:

+ revisionSuffix: myrevision

+ containers:

+ - image: nginx

+ name: nginx

+ env:

+ resources:

+ cpu: 0.5

+ memory: 1Gi

+ scale:

+ minReplicas: 1

+ maxReplicas: 3

+ "type": "Microsoft.App/containerApps",

+ "apiVersion": "2022-01-01-preview",

+ "managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('environment_name'))]",

+LOG_ANALYTICS_WORKSPACE_CLIENT_ID=`az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv`

+$LOG_ANALYTICS_WORKSPACE_CLIENT_ID=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv)

+REGISTRY_SERVER=<REGISTRY_SERVER>

+ --registry-server $REGISTRY_SERVER \

+$REGISTRY_SERVER=<REGISTRY_SERVER>

+ --registry-server $REGISTRY_SERVER `

+ --image <REGISTRY_CONTAINER_NAME> \

+ --image <REGISTRY_CONTAINER_NAME> `

+Before you run this command, replace `<REGISTRY_CONTAINER_NAME>` with the full name the public container registry location, including the registry path and tag. For example, a valid container name is `mcr.microsoft.com/azuredocs/containerapps-helloworld:latest`.

+If you have enabled ingress on your container app, you can add `--query properties.configuration.ingress.fqdn` to the `create` command to return the public URL for the application.

+LOG_ANALYTICS_WORKSPACE_CLIENT_ID=`az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv`

+$LOG_ANALYTICS_WORKSPACE_CLIENT_ID=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv)

+ --query properties.configuration.ingress.fqdn

+ --query properties.configuration.ingress.fqdn

+ --env-vars "QueueName=myqueue" "ConnectionString=secretref:queue-connection-string"

+ --env-vars "QueueName=myqueue" "ConnectionString=secretref:queue-connection-string"

+ Title: "Tutorial: Deploy a Dapr application to Azure Container Apps with an ARM or Bicep template"

+> * Create an Azure Blob Storage for use as a Dapr state store

+> * Deploy a container apps environment to host container apps

+> * Deploy two dapr-enabled container apps: one that produces orders and one that consumes orders and stores them

+In this tutorial, you deploy the same applications from the Dapr [Hello World](https://github.com/dapr/quickstarts/tree/master/tutorials/hello-world) quickstart.

+- A client (Python) container app to generates messages.

+- A service (Node) container app to consume and persist those messages in a state store

+- Install [Azure CLI](/cli/azure/install-azure-cli)

+- [Bicep](../azure-resource-manager/bicep/install.md)

+- An Azure account with an active subscription is required. If you don't already have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+Choose a name for `STORAGE_ACCOUNT`. Storage account names must be _unique within Azure_. Be from 3 to 24 characters in length and contain numbers and lowercase letters only.

+> [!NOTE]

+> If you have worked with earlier versions of Container Apps, make sure to first remove the old extension version by running `az extension remove -n containerapp`.

+az extension add --name containerapp

+az extension add --name containerapp

+Now that the extension is installed, register the `Microsoft.App` namespace.

+az provider register --namespace Microsoft.App

+Register-AzResourceProvider -ProviderNamespace Microsoft.App

+Create a resource group to organize the services related to your container apps.

+- `storage_account_name` is the value of the `STORAGE_ACCOUNT` variable.

+- `storage_container_name` is the value of the `STORAGE_ACCOUNT_CONTAINER` variable.

+### Create Azure Resource Manager (ARM) template

+Create an ARM template to deploy a Container Apps environment including the associated Log Analytics workspace and Application Insights resource for distributed tracing, a dapr component for the state store and the two dapr-enabled container apps.

+Save the following file as _hello-world.json_:

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "environment_name": {

+ "type": "string"

+ },

+ "location": {

+ "defaultValue": "canadacentral",

+ "type": "string"

+ },

+ "storage_account_name": {

+ "type": "string"

+ },

+ "storage_container_name": {

+ "type": "string"

+ }

+ },

+ "variables": {

+ "logAnalyticsWorkspaceName": "[concat('logs-', parameters('environment_name'))]",

+ "appInsightsName": "[concat('appins-', parameters('environment_name'))]"

+ },

+ "resources": [

+ {

+ "type": "Microsoft.OperationalInsights/workspaces",

+ "apiVersion": "2020-03-01-preview",

+ "name": "[variables('logAnalyticsWorkspaceName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "retentionInDays": 30,

+ "features": {

+ "searchVersion": 1

+ "sku": {

+ "name": "PerGB2018"

+ }

+ {

+ "type": "Microsoft.Insights/components",

+ "apiVersion": "2020-02-02",

+ "name": "[variables('appInsightsName')]",

+ "location": "[parameters('location')]",

+ "kind": "web",

+ "dependsOn": [

+ "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('logAnalyticsWorkspaceName'))]"

+ ],

+ "properties": {

+ "Application_Type": "web",

+ "WorkspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('logAnalyticsWorkspaceName'))]"

+ }

+ },

+ {

+ "type": "Microsoft.App/managedEnvironments",

+ "apiVersion": "2022-01-01-preview",

+ "name": "[parameters('environment_name')]",

+ "location": "[parameters('location')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/components/', variables('appInsightsName'))]"

+ ],

+ "properties": {

+ "daprAIInstrumentationKey": "[reference(resourceId('Microsoft.Insights/components/', variables('appInsightsName')), '2020-02-02').InstrumentationKey]",

+ "appLogsConfiguration": {

+ "destination": "log-analytics",

+ "logAnalyticsConfiguration": {

+ "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', variables('logAnalyticsWorkspaceName')), '2020-03-01-preview').customerId]",

+ "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', variables('logAnalyticsWorkspaceName')), '2020-03-01-preview').primarySharedKey]"

+ }

+ }

+ },

+ "resources": [

+ "type": "daprComponents",

+ "name": "statestore",

+ "apiVersion": "2022-01-01-preview",

+ "dependsOn": [

+ "[resourceId('Microsoft.App/managedEnvironments/', parameters('environment_name'))]"

+ ],

+ "properties": {

+ "componentType": "state.azure.blobstorage",

+ "version": "v1",

+ "ignoreErrors": false,

+ "initTimeout": "5s",

+ "secrets": [

+ {

+ "name": "storageaccountkey",

+ "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts/', parameters('storage_account_name')), '2021-09-01').keys[0].value]"

+ }

+ ],

+ "metadata": [

+ {

+ "name": "accountName",

+ "value": "[parameters('storage_account_name')]"

+ },

+ {

+ "name": "containerName",

+ "value": "[parameters('storage_container_name')]"

+ },

+ {

+ "name": "accountKey",

+ "secretRef": "storageaccountkey"

+ }

+ ],

+ "scopes": ["nodeapp"]

+ }

+ }

+ ]

+ },

+ {

+ "type": "Microsoft.App/containerApps",

+ "apiVersion": "2022-01-01-preview",

+ "name": "nodeapp",

+ "location": "[parameters('location')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.App/managedEnvironments/', parameters('environment_name'))]"

+ ],

+ "properties": {

+ "managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments/', parameters('environment_name'))]",

+ "configuration": {

+ "ingress": {

+ "external": true,

+ "targetPort": 3000

+ },

+ "dapr": {

+ "enabled": true,

+ "appId": "nodeapp",

+ "appProcotol": "http",

+ "appPort": 3000

+ }

+ },

+ "template": {

+ "containers": [

+ {

+ "image": "dapriosamples/hello-k8s-node:latest",

+ "name": "hello-k8s-node",

+ "resources": {

+ "cpu": 0.5,

+ "memory": "1.0Gi"

+ }

+ ],

+ "scale": {

+ "minReplicas": 1,

+ "maxReplicas": 1

+ }

+ }

+ },

+ {

+ "type": "Microsoft.App/containerApps",

+ "apiVersion": "2022-01-01-preview",

+ "name": "pythonapp",

+ "location": "[parameters('location')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.App/managedEnvironments/', parameters('environment_name'))]",

+ "[resourceId('Microsoft.App/containerApps/', 'nodeapp')]"

+ ],

+ "properties": {

+ "managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments/', parameters('environment_name'))]",

+ "configuration": {

+ "dapr": {

+ "enabled": true,

+ "appId": "pythonapp"

+ }

+ },

+ "template": {

+ "containers": [

+ {

+ "image": "dapriosamples/hello-k8s-python:latest",

+ "name": "hello-k8s-python",

+ "resources": {

+ "cpu": 0.5,

+ "memory": "1.0Gi"

+ }

+ }

+ ],

+ "scale": {

+ "minReplicas": 1,

+ "maxReplicas": 1

+ }

+ }

+ }

+ }

+ ]

+Create a bicep template to deploy a Container Apps environment including the associated Log Analytics workspace and Application Insights resource for distributed tracing, a dapr component for the state store and the two dapr-enabled container apps.

+Save the following file as _hello-world.bicep_:

+param location string = 'canadacentral'

+var logAnalyticsWorkspaceName = 'logs-${environment_name}'

+var appInsightsName = 'appins-${environment_name}'

+resource logAnalyticsWorkspace'Microsoft.OperationalInsights/workspaces@2020-03-01-preview' = {

+ name: logAnalyticsWorkspaceName

+ location: location

+ properties: any({

+ retentionInDays: 30

+ features: {

+ searchVersion: 1

+ }

+ sku: {

+ name: 'PerGB2018'

+ }

+ })

+}

+resource appInsights 'Microsoft.Insights/components@2020-02-02' = {

+ name: appInsightsName

+ location: location

+ kind: 'web'

+ properties: {

+ Application_Type: 'web'

+ WorkspaceResourceId: logAnalyticsWorkspace.id

+ }

+}

+resource environment 'Microsoft.App/managedEnvironments@2022-01-01-preview' = {

+ name: environment_name

+ location: location

+ properties: {

+ daprAIInstrumentationKey: reference(appInsights.id, '2020-02-02').InstrumentationKey

+ appLogsConfiguration: {

+ destination: 'log-analytics'

+ logAnalyticsConfiguration: {

+ customerId: reference(logAnalyticsWorkspace.id, '2020-03-01-preview').customerId

+ sharedKey: listKeys(logAnalyticsWorkspace.id, '2020-03-01-preview').primarySharedKey

+ }

+ }

+ }

+ resource daprComponent 'daprComponents@2022-01-01-preview' = {

+ name: 'statestore'

+ properties: {

+ componentType: 'state.azure.blobstorage'

+ version: 'v1'

+ ignoreErrors: false

+ initTimeout: '5s'

+ secrets: [

+ {

+ name: 'storageaccountkey'

+ value: listKeys(resourceId('Microsoft.Storage/storageAccounts/', storage_account_name), '2021-09-01').keys[0].value

+ }

+ ]

+ metadata: [

+ {

+ name: 'accountName'

+ value: storage_account_name

+ }

+ {

+ name: 'containerName'

+ value: storage_container_name

+ }

+ {

+ name: 'accountKey'

+ secretRef: 'storageaccountkey'

+ }

+ ]

+ scopes: [

+ 'nodeapp'

+ ]

+ }

+ }

+}

+resource nodeapp 'Microsoft.App/containerApps@2022-01-01-preview' = {

+ managedEnvironmentId: environment.id

+ dapr: {

+ enabled: true

+ appId: 'nodeapp'

+ appProtocol: 'http'

+ appPort: 3000

+ }

+ memory: '1.0Gi'

+resource pythonapp 'Microsoft.App/containerApps@2022-01-01-preview' = {

+ managedEnvironmentId: environment.id

+ configuration: {

+ dapr: {

+ enabled: true

+ appId: 'pythonapp'

+ }

+ }

+ memory: '1.0Gi'

+ dependsOn: [

+ nodeapp

+ ]

+> [!NOTE]

+> Container Apps does not currently support the native [Dapr components schema](https://docs.dapr.io/operations/components/component-schema/). The above example uses the supported schema.

+## Deploy

+Navigate to the directory in which you stored the ARM template file and run the following command:

+ --template-file ./hello-world.json \

+ -TemplateFile ./hello-world.json `

+ -SkipTemplateParameterPrompt

+Navigate to the directory in which you stored the Bicep template file and run the following command:

+ --template-file ./hello-world.bicep \

+ -TemplateFile ./hello-world.bicep `

+ -SkipTemplateParameterPrompt

+- the container apps environment and associated Log Analytics workspace for hosting the hello world dapr solution

+- an Application Insights instance for Dapr distributed tracing

+- the `nodeapp` app server running on `targetPort: 3000` with dapr enabled and configured using: `"appId": "nodeapp"` and `"appPort": 3000`

+- the `daprComponents` object of `"type": "state.azure.blobstorage"` scoped for use by the `nodeapp` for storing state

+- the headless `pythonapp` with no ingress and dapr enabled that calls the `nodeapp` service via dapr service-to-service communication

+1. Open the [Azure portal](https://portal.azure.com) in your browser.

+1. Navigate to your storage account.

+```azurecli

+LOG_ANALYTICS_WORKSPACE_CLIENT_ID=`az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv`

+```

+ --workspace "$LOG_ANALYTICS_WORKSPACE_CLIENT_ID" \

+```powershell

+$LOG_ANALYTICS_WORKSPACE_CLIENT_ID=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv)

+```

+Create a config file named *statestore.yaml* with the properties that you sourced from the previous steps. This file helps enable your Dapr app to access your state store. The following example shows how your *statestore.yaml* file should look when configured for your Azure Blob Storage account:

+# statestore.yaml for Azure Blob storage component

+componentType: state.azure.blobstorage

+version: v1

+metadata:

+- name: accountName

+ value: "<STORAGE_ACCOUNT>"

+- name: accountKey

+ secretRef: account-key

+- name: containerName

+ value: mycontainer

+secrets:

+- name: account-key

+ value: "<STORAGE_ACCOUNT_KEY>"

+scopes:

+- nodeapp

+To use this file, update the placeholders:

+- Replace `<STORAGE_ACCOUNT>` with the value of the `STORAGE_ACCOUNT` variable you defined. To obtain its value, run the following command:

+ ```azurecli

+ echo $STORAGE_ACCOUNT

+ ```

+- Replace `<STORAGE_ACCOUNT_KEY>` with the storage account key. To obtain its value, run the following command:

+ ```azurecli

+ echo $STORAGE_ACCOUNT_KEY

+ ```

+If you've changed the `STORAGE_ACCOUNT_CONTAINER` variable from its original value, `mycontainer`, replace the value of `containerName` with your own value.

+Navigate to the directory in which you stored the *statestore.yaml* file and run the following command to configure the Dapr component in the Container Apps environment.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp env dapr-component set \

+ --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP \

+ --dapr-component-name statestore \

+ --yaml statestore.yaml

+```

+# [PowerShell](#tab/powershell)

+```powershell

+az containerapp env dapr-component set `

+ --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP `

+ --dapr-component-name statestore `

+ --yaml statestore.yaml

+```

+Your state store is configured using the Dapr component described in *statestore.yaml*. The component is scoped to a container app named `nodeapp` and is not available to other container apps.

+## Deploy the service application (HTTP web server)

+ --dapr-app-id nodeapp

+ --dapr-app-id nodeapp

+LOG_ANALYTICS_WORKSPACE_CLIENT_ID=`az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv`

+$LOG_ANALYTICS_WORKSPACE_CLIENT_ID=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.appLogsConfiguration.logAnalyticsConfiguration.customerId --out tsv)

+ --revision <REVISION_NAME> \

+ --name <CONTAINER_APP_NAME> \

+ --revision <REVISION_NAME> `

+ --name <CONTAINER_APP_NAME> `

+ --revision <REVISION_NAME> \

+ --name <CONTAINER_APP_NAME> \

+ --revision <REVISION_NAME> `

+ --name <CONTAINER_APP_NAME> `

+ --revision <REVISION_NAME> \

+ --name <APPLICATION_NAME> \

+ --revision <REVISION_NAME> `

+ --name <APPLICATION_NAME> `

+The following table describes the parameters used in `containerapp env create`.

+You can use integrated BI experience in Azure Cosmos DB portal, to build BI dashboards using Synapse Link with just a few clicks. To learn more, see [how to build BI dashboards using Synapse Link](integrated-power-bi-synapse-link.md). This integrated experience will create simple T-SQL views in Synapse serverless SQL pools, for your Cosmos DB containers. You can build BI dashboards over these views, which will query your Azure Cosmos DB containers in real-time, using [Direct Query](/power-bi/connect-data/service-dataset-modes-understand#directquery-mode), reflecting latest changes to your data. There is no performance or cost impact to your transactional workloads, and no complexity of managing ETL pipelines.

+If you want to use advance T-SQL views with joins across your containers or build BI dashboards in import](/power-bi/connect-dat) article.

+# Use client-side encryption with Always Encrypted for Azure Cosmos DB

+> [!IMPORTANT]

+> A breaking change has been introduced with the 1.0 release of our encryption packages. If you created data encryption keys and encryption-enabled containers with prior versions, you will need to re-create your databases and containers after migrating your client code to 1.0 packages.

+Before DEKs get stored in Azure Cosmos DB, they are wrapped by a customer-managed key (CMK). By controlling the wrapping and unwrapping of DEKs, CMKs effectively control the access to the data that's encrypted with their corresponding DEKs. CMK storage is designed as an extensible, with a default implementation that expects them to be stored in Azure Key Vault.

+# [.NET](#tab/dotnet)

+To use Always Encrypted, an instance of a `KeyResolver` must be attached to your Azure Cosmos DB SDK instance. This class, defined in the `Azure.Security.KeyVault.Keys.Cryptography` namespace, is used to interact with the key store hosting your CMKs.

+The following snippets use the `DefaultAzureCredential` class to retrieve the Azure AD identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/dotnet/api/overview/azure/identity-readme#credential-classes).

+var keyResolver = new KeyResolver(tokenCredential);

+ .WithEncryption(keyResolver, KeyEncryptionKeyResolverName.AzureKeyVault);

+To use Always Encrypted, an instance of a `KeyEncryptionKeyClientBuilder` must be attached to your Azure Cosmos DB SDK instance. This class, defined in the `com.azure.security.keyvault.keys.cryptography` namespace, is used to interact with the key store hosting your CMKs.

+The following snippets use the `DefaultAzureCredential` class to retrieve the Azure AD identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/java/api/overview/azure/identity-readme#credential-classes).

+KeyEncryptionKeyClientBuilder keyEncryptionKeyClientBuilder =

+ new KeyEncryptionKeyClientBuilder().credential(tokenCredentials);

+CosmosEncryptionAsyncClient cosmosEncryptionAsyncClient =

+ new CosmosEncryptionClientBuilder().cosmosAsyncClient(client).keyEncryptionKeyResolver(keyEncryptionKeyClientBuilder)

+ .keyEncryptionKeyResolverName(CosmosEncryptionClientBuilder.KEY_RESOLVER_NAME_AZURE_KEY_VAULT).buildAsyncClient();

+Before data can be encrypted in a container, a [data encryption key](#data-encryption-keys) must be created in the parent database.

+# [.NET](#tab/dotnet)

+Creating a new data encryption key is done by calling the `CreateClientEncryptionKeyAsync` method and passing:

+- The key identifier of the [CMK](#customer-managed-keys) stored in Azure Key Vault. This parameter is passed in a generic `EncryptionKeyWrapMetadata` object where:

+ - The `type` defines the type of key resolver (for example, Azure Key Vault).

+ - The `name` can be any friendly name you want.

+ - The `value` must be the key identifier.

+ - The `algorithm` defines which algorithm shall be used to wrap the key encryption key with the customer-managed key.

+ DataEncryptionAlgorithm.AeadAes256CbcHmacSha256,

+ KeyEncryptionKeyResolverName.AzureKeyVault,

+ "https://<my-key-vault>.vault.azure.net/keys/<key>/<version>",

+ EncryptionAlgorithm.RsaOaep.ToString()));

+Creating a new data encryption key is done by calling the `createClientEncryptionKey` method and passing:

+- A string identifier that will uniquely identify the key in the database.

+- The encryption algorithm intended to be used with the key. Only one algorithm is currently supported.

+- The key identifier of the [CMK](#customer-managed-keys) stored in Azure Key Vault. This parameter is passed in a generic `EncryptionKeyWrapMetadata` object where:

+ - The `type` defines the type of key resolver (for example, Azure Key Vault).

+ - The `name` can be any friendly name you want.

+ - The `value` must be the key identifier.

+ - The `algorithm` defines which algorithm shall be used to wrap the key encryption key with the customer-managed key.

+CosmosEncryptionAsyncDatabase database =

+ cosmosEncryptionAsyncClient.getCosmosEncryptionAsyncDatabase("my-database");

+EncryptionKeyWrapMetadata metadata = new EncryptionKeyWrapMetadata(

+ cosmosEncryptionAsyncClient.getKeyEncryptionKeyResolverName(),

+ "akvKey",

+ "https://<my-key-vault>.vault.azure.net/keys/<key>/<version>",

+ EncryptionAlgorithm.RSA_OAEP.toString());

+ CosmosEncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256.getName(),

+ metadata);

+path1.setClientEncryptionKeyId("my-key"):

+path1.setPath("/property1");

+path1.setEncryptionType(CosmosEncryptionType.DETERMINISTIC.getName());

+path1.setEncryptionAlgorithm(CosmosEncryptionAlgorithm.AEAES_256_CBC_HMAC_SHA_256.getName());

+path2.setClientEncryptionKeyId("my-key"):

+path2.setPath("/property2");

+path2.setEncryptionType(CosmosEncryptionType.RANDOMIZED.getName());

+path2.setEncryptionAlgorithm(CosmosEncryptionAlgorithm.AEAES_256_CBC_HMAC_SHA_256.getName());

+When writing queries that filter on encrypted properties, a specific method must be used to pass the value of the query parameter. This method takes the following arguments:

+SqlQuerySpecWithEncryption sqlQuerySpecWithEncryption = new SqlQuerySpecWithEncryption(

+ new SqlQuerySpec("SELECT * FROM c where c.property1 = @Property1"));

+sqlQuerySpecWithEncryption.addEncryptionParameter(

+ "/property1", new SqlParameter("@Property1", 1234))

+ KeyEncryptionKeyResolverName.AzureKeyVault,

+ "https://<my-key-vault>.vault.azure.net/keys/<new-key>/<version>",

+ EncryptionAlgorithm.RsaOaep.ToString()));

+EncryptionKeyWrapMetadata metadata = new EncryptionKeyWrapMetadata(

+ cosmosEncryptionAsyncClient.getKeyEncryptionKeyResolverName(),

+ "akvKey",

+ "https://<my-key-vault>.vault.azure.net/keys/<new-key>/<version>",

+ EncryptionAlgorithm.RSA_OAEP.toString());

+database.rewrapClientEncryptionKey(

+ metadata);

+## DEK rotation

+Performing a rotation of a data encryption key isn't offered as a turnkey capability. This is because updating a DEK requires a scan of all containers where this key is used and a re-encryption of all properties encrypted with this key. This operation can only happen client-side as the Azure Cosmos DB service does not store or ever accesses the plain text value of the DEK.

+In practice, a DEK rotation can be done by performing a data migration from the impacted containers to new ones. The new containers can be created the exact same way as the original ones. To help you with such a data migration, you can find [a standalone migration tool on GitHub](https://github.com/Azure/azure-cosmos-dotnet-v3/tree/master/Microsoft.Azure.Cosmos.Samples/Usage/ReEncryption).

+## Adding additional encrypted properties

+Adding additional encrypted properties to an existing encryption policy isn't supported for the same reasons explained in the section just above. This operation requires a full scan of the container to ensure that all instances of the properties are properly encrypted, and this is an operation that can only happen client-side. Just like a DEK rotation, adding additional encrypted properties can be done by performing a data migration to a new container with an appropriate encryption policy.

+If you have flexibility in the way new encrypted properties can be added from a schema standpoint, you can also leverage the schema-agnostic nature of Azure Cosmos DB. If you use a property defined in your encryption policy as a "property bag", you can add more properties below with no constraint. For example, let's imagine that `property1` is defined in your encryption policy and you initially write `property1.property2` in your documents. If, at a later stage, you need to add `property3` as an encrypted property, you can start writing `property1.property3` in your documents and the new property will automatically be encrypted as well. This approach doesn't require any data migration.

+- Get an overview of [secure access to data in Azure Cosmos DB](secure-access-to-data.md).

+- Learn more about [customer-managed keys for encryption-at-rest](how-to-setup-cmk.md)

+* [Use Power BI and serverless Synapse SQL pool to analyze Azure Cosmos DB data with Synapse Link](synapse-link-power-bi.md)

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | Cosmos DB Account Reader |

+ | Assign access to | User, group, or service principal |

+ | Members | The user, group, or application in your directory to which you wish to grant access. |

+ 

+> * Setting the [ConnectionPolicy.EnableEndpointDiscovery](/dotnet/api/microsoft.azure.documents.client.connectionpolicy.enableendpointdiscovery) property in .NET V2 SDK to false.

+> [!Note]

+> You can build Power BI dashboards with just a few clicks using Azure Cosmos DB portal. For more information, see [Integrated Power BI experience in Azure Cosmos DB portal for Synapse Link enabled accounts](integrated-power-bi-synapse-link.md). This will automatically create T-SQL views in Synapse serverless SQL pools on your Cosmos DB containers. You can simply download the .pbids file that connects to these T-SQL views to start building your BI dashboards.

+[Integrated Power BI experience in Azure Cosmos DB portal for Synapse Link enabled accounts](integrated-power-bi-synapse-link.md)

+Use serverless SQL pool to [analyze Azure Open Datasets and visualize the results in Azure Synapse Studio](../synapse-analytics/sql/tutorial-data-analyst.md)

+An alias is used for simple substitution of a user-defined string instead of the subscription GUID. In other words, you can use it as a shortcut. You can learn more about alias at [Alias - Create](/rest/api/subscription/2020-09-01/alias/create). In the following examples, `sampleAlias` is created but you can use any string you like.

+To grant permissions, follow these steps. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::

+1. On the **Members** tab, select **Managed identity**, and then select **Select members**.

+1. Select your Azure subscription.

+1. Under **System-assigned managed identity**, select **Data Factory**, and then select a data factory. You can also use the object ID or data factory name (as the managed-identity name) to find this identity. To get the managed identity's application ID, use PowerShell.

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.

+7. Assign the managed identity for your ADF a **Contributor** role to itself, so Web activities in its pipelines can call REST API to start/stop Azure-SSIS IRs provisioned in it:

+ 1. On your ADF page in the Azure portal, select **Access control (IAM)**.

+ 1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+ 1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | Contributor |

+ | Assign access to | User, group, or service principal |

+ | Members | Your ADF username |

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot that shows Add role assignment page in Azure portal.":::

+ > [!NOTE]

+ > By default, this cmdlet configures the Azure public cloud. To configure a government cloud or non-public cloud, use the parameter `AzureCloudDomainName`.

+To learn how to view and configure telemetry for your DDoS protection plan, continue to the tutorials.

+> [View and configure DDoS protection telemetry](telemetry.md)

+| **Abnormal activity of managed identity associated with Kubernetes (Preview)**<br>(K8S_AbnormalMiAcitivty) | Analysis of Azure Resource Manager operations detected an abnormal behavior of a managed identity used by an AKS addon. The detected activity isn\'t consistent with the behavior of the associated addon. While this activity can be legitimate, such behavior might indicate that the identity was gained by an attacker, possibly from a compromised container in the Kubernetes cluster. | Lateral Movement | Medium |

+| **Abnormal Kubernetes service account operation detected**<br>(K8S_ServiceAccountRareOperation) | Kubernetes audit log analysis detected abnormal behavior by a service account in your Kubernetes cluster. The service account was used for an operation which isn't common for this service account. While this activity can be legitimate, such behavior might indicate that the service account is being used for malicious purposes. | Lateral Movement, Credential Access | Medium |

+### View vulnerabilities for running images

+The recommendation **Running container images should have vulnerability findings resolved** shows vulnerabilities for running images by using the scan results from ACR registeries and information on running images from the Defender security profile/extension. Images that are deployed from a non ACR registry, will appear under the Not applicable tab.

+> [!NOTE]

+> This recommendation is currently supported for Linux containers only, as there's no Defender profile/extension for Windows.

+>

+- Some of our detectors, including an [extended events trace](../azure-sql/database/xevent-db-diff-from-svr.md) named `SQLAdvancedThreatProtectionTraffic`, run on the machine for real-time speed advantages.

+- Other detectors run in the cloud to spare the machine from heavy computational loads.

+When you connect Defender for Cloud to Microsoft Sentinel, the status of Defender for Cloud alerts that get ingested into Microsoft Sentinel is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert is also shown as closed in Microsoft Sentinel. If you change the status of an alert in Defender for Cloud, the status of the alert in Microsoft Sentinel is also updated, but the statuses of any Microsoft Sentinel **incidents** that contain the synchronized Microsoft Sentinel alert aren't updated.

+You can enable the preview feature **bi-directional alert synchronization** to automatically sync the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of those Defender for Cloud alerts. So, for example, when a Microsoft Sentinel incident that contains a Defender for Cloud alert is closed, Defender for Cloud automatically closes the corresponding original alert.

+- [Connect Windows security events](../sentinel/connect-windows-security-events.md)

+- [Collect data from Linux-based sources using Syslog](../sentinel/connect-syslog.md)

+- [Connect data from Azure Activity log](../sentinel/data-connectors-reference.md#azure-activity)

+> Microsoft Sentinel is billed based on the volume of data that it ingests for analysis in Microsoft Sentinel and stores in the Azure Monitor Log Analytics workspace. Microsoft Sentinel offers a flexible and predictable pricing model. [Learn more at the Microsoft Sentinel pricing page](https://azure.microsoft.com/pricing/details/azure-sentinel/).

+To stream alerts into **ArcSight**, **Splunk**, **QRadar**, **SumoLogic**, **Syslog servers**, **LogRhythm**, **Logz.io Cloud Observability Platform**, and other monitoring solutions, connect Defender for Cloud to Azure monitor using Azure Event Hubs:

+> To stream alerts at the tenant level, use this Azure policy and set the scope at the root management group. You'll need permissions for the root management group as explained in [Defender for Cloud permissions](permissions.md): [Deploy export to an event hub for Microsoft Defender for Cloud alerts and recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fcdfcce10-4578-4ecd-9703-530938e4abcb).

+To view the event schemas of the exported data types, visit the [Event Hubs event schemas](https://aka.ms/ASCAutomationSchemas).

+- **Power BI** - [Connect to the Microsoft Graph Security API in Power BI Desktop](/power-bi/connect-data/desktop-connect-graph-security).

+- **ServiceNow** - [Install and configure the Microsoft Graph Security API application from the ServiceNow Store](https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-sir/secops-integration-ms-graph/task/ms-graph-install.html).

+- **QRadar** - [Use IBM's Device Support Module for Microsoft Defender for Cloud via Microsoft Graph API](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_ms_azure_security_center_overview.html).

+- **Palo Alto Networks**, **Anomali**, **Lookout**, **InSpark**, and more - [Use the Microsoft Graph Security API](https://www.microsoft.com/security/business/graph-security-api#office-MultiFeatureCarousel-09jr2ji).

+| Vulnerability assessment | Registry scan | - | - | - | - | - |

+| Vulnerability assessment | View vulnerabilities for running images | - | - | - | - | - |

+| Vulnerability assessment | Registry scan | - | - | - | - | - |

+| Vulnerability assessment | View vulnerabilities for running images | - | - | - | - | - |

+| Vulnerability assessment | Registry scan | ACR, Private ACR | Preview | Γ£ô (Preview) | Agentless | Defender for Containers |

+| Vulnerability assessment | View vulnerabilities for running images | Arc enabled K8s clusters | Preview | X | Defender extension | Defender for Containers |

+ Title: Attach & detach data disks for lab VMs

+description: Learn how to attach or detach a data disk for a lab virtual machine in Azure DevTest Labs.

+# Attach or detach a data disk for a lab virtual machine in Azure DevTest Labs

+This article explains how to attach and detach a lab virtual machine (VM) data disk in Azure DevTest Labs. You can create, attach, detach, and reattach [data disks](/azure/virtual-machines/managed-disks-overview) for lab VMs that you own. This functionality is useful for managing storage or software separately from individual VMs.

+To attach or detach a data disk, you need to own the lab VM, and the VM must be running. The VM size determines how many data disks you can attach. For more information, see [Sizes for virtual machines](/azure/virtual-machines/sizes).

+## Create and attach a new data disk

+Follow these steps to create and attach a new managed data disk for a DevTest Labs VM.

+1. Select your VM from the **My virtual machines** list on the lab **Overview** page.

+1. On the VM **Overview** page, select **Disks** under **Settings** in the left navigation.

+1. On the **Disks** page, select **Attach new**.

+ :::image type="content" source="./media/devtest-lab-attach-detach-data-disk/devtest-lab-attach-new.png" alt-text="Screenshot of Attach new on the V M's Disk page.":::

+1. Fill out the **Attach new disk** form as follows:

+ - For **Name**, enter a unique name.

+ - For **Disk type**, select a [disk type](/azure/virtual-machines/disks-types) from the drop-down list.

+ - For **Size (GiB)**, enter a size in gigabytes.

+ :::image type="content" source="./media/devtest-lab-attach-detach-data-disk/devtest-lab-attach-new-form.png" alt-text="Screenshot of the Attach new disk form.":::

+1. After the disk is attached, on the **Disks** page, view the new attached disk under **Data disks**.

+ :::image type="content" source="./media/devtest-lab-attach-detach-data-disk/devtest-lab-attached-data-disk.png" alt-text="Screenshot of the new data disk under Data disks on the Disks page.":::

+## Attach an existing data disk

+Follow these steps to attach an existing available data disk to a running VM.

+1. Select your VM from the **My virtual machines** list on the lab **Overview** page.

+1. On the VM **Overview** page, select **Disks** under **Settings** in the left navigation.

+

+1. On the **Disks** page, select **Attach existing**.

+ :::image type="content" source="./media/devtest-lab-attach-detach-data-disk/devtest-lab-attach-existing-button.png" alt-text="Screenshot of Attach existing on the V M's Disk page.":::

+1. On the **Attach existing disk** page, select a disk, and then select **OK**.

+ :::image type="content" source="./media/devtest-lab-attach-detach-data-disk/devtest-lab-attach-existing.png" alt-text="Screenshot of attach existing data disk to a virtual machine.":::

+1. After the disk is attached, on the **Disks** page, view the attached disk under **Data disks**.

+## Detach a data disk

+Detaching removes the lab disk from the VM, but keeps it in storage for later use.

+Follow these steps to detach an attached data disk from a running VM.

+1. Select the VM with the disk from the **My virtual machines** list on the lab **Overview** page.

+1. On the VM **Overview** page, select **Disks** under **Settings** in the left navigation.

+

+1. On the **Disks** page, under **Data disks**, select the data disk you want to detach.

+ :::image type="content" source="./media/devtest-lab-attach-detach-data-disk/devtest-lab-detach-button.png" alt-text="Screenshot of selecting a data disk to detach.":::

+1. On the data disk's page, select **Detach**, and then select **OK**.

+ :::image type="content" source="./media/devtest-lab-attach-detach-data-disk/devtest-lab-detach-data-disk-2.png" alt-text="Screenshot showing Detach on the Data disk page.":::

+The disk is detached, and is available to reattach to this or another VM.

+### Detach or delete a data disk on the lab management page

+You can also detach or delete a data disk without navigating to the VM's page.

+1. In the left navigation for your lab's **Overview** page, select **My data disks** under **My Lab**.

+1. On the **My data disks** page, either:

+ - Select the disk you want to detach, and then on the data disk's page, select **Detach** and then select **OK**.

+ or

+ - Select the ellipsis (**...**) next to the disk you want to detach, select **Detach** from the context menu, and then select **Yes**.

+ :::image type="content" source="./media/devtest-lab-attach-detach-data-disk/devtest-lab-detach-data-disk.png" alt-text="Screenshot of detaching a data disk from the listing's context menu.":::

+You can also delete a detached data disk, by selecting **Delete** from the context menu or from the data disk page. When you delete a data disk, it is removed from storage and can't be reattached anymore.

+For information about transferring data disks for claimable lab VMs, see [Transfer the data disk](devtest-lab-add-claimable-vm.md#transfer-the-data-disk).

+ Title: Configure auto-start settings for a VM

+description: Learn how to configure auto-start settings for VMs in a lab. This setting allows VMs in the lab to be automatically started on a schedule.

+# Automatically start lab VMs with auto-start in Azure DevTest Labs

+This article shows how to configure and apply an auto-start policy for Azure DevTest Labs virtual machines (VMs). Auto-start automatically starts up lab VMs at specified times and days.

+To implement auto-start, you configure an auto-start policy for the lab first. Then, you can enable the policy for individual lab VMs. Requiring individual VMs to enable auto-start helps prevent unnecessary startups that could increase costs.

+You can also configure auto-shutdown policies for lab VMs. For more information, see [Manage auto shutdown policies for a lab in Azure DevTest Labs](devtest-lab-auto-shutdown.md).

+## Configure auto-start for the lab

+To configure auto-start policy for a lab, follow these steps. After configuring the policy, [enable auto-start](#add-vms-to-the-auto-start-schedule) for each VM that you want to auto-start.

+1. On your lab **Overview** page, select **Configuration and policies** under **Settings** in the left navigation.

+ :::image type="content" source="./media/devtest-lab-auto-startup-vm/configuration-policies-menu.png" alt-text="Screenshot that shows selecting Configuration and policies in the left navigation menu.":::

+1. On the **Configuration and policies** page, select **Auto-start** under **Schedules** in the left navigation.

+1. Select **Yes** for **Allow auto-start**.

+1. Enter a **Scheduled start** time, select a **Time zone**, and select the checkboxes next to the **Days of the week** that you want to apply the schedule.

+1. Select **Save**.

+ :::image type="content" source="./media/devtest-lab-auto-startup-vm/auto-start-configuration.png" alt-text="Screenshot of auto-start schedule settings.":::

+## Add VMs to the auto-start schedule

+After you configure the auto-start policy, follow these steps for each VM that you want to auto-start.

+1. On your lab **Overview** page, select the VM under **My virtual machines**.

+ :::image type="content" source="./media/devtest-lab-auto-startup-vm/select-vm.png" alt-text="Screenshot of selecting a VM from the list under My virtual machines.":::

+1. On the VM's **Overview** page, select **Auto-start** under **Operations** in the left navigation.

+1. On the **Auto-start** page, select **Yes** for **Allow this virtual machine to be scheduled for automatic start**, and then select **Save**.

+ :::image type="content" source="./media/devtest-lab-auto-startup-vm/select-auto-start.png" alt-text="Screenshot of selecting Yes on the Auto-start page.":::

+- [Use command lines to start and stop DevTest Labs virtual machines](use-command-line-start-stop-virtual-machines.md)

+ Title: Set up an app for testing on a lab VM

+description: Learn how to publish an app to an Azure file share for testing from a DevTest Labs virtual machine.

+# Set up an app for testing on an Azure DevTest Labs VM

+This article shows how to set up an application for testing from an Azure DevTest Labs virtual machine (VM). In this example, you use Visual Studio to publish an app to an Azure file share. Then you access the file share from a lab VM for testing.

+- A Windows-based [DevTest Labs VM](devtest-lab-add-vm.md) to use for testing the app.

+- [Visual Studio](https://visualstudio.microsoft.com/free-developer-offers/) installed on a different workstation.

+- A [file share](/azure/storage/files/storage-how-to-create-file-share) created in your lab's [Azure Storage Account](encrypt-storage.md).

+- The [file share mounted](/azure/storage/files/storage-how-to-use-files-windows#mount-the-azure-file-share) to your Visual Studio workstation, and to the lab VM you want to use for testing.

+## Publish your app from Visual Studio

+First, publish an app from Visual Studio to your Azure file share.

+1. Open Visual Studio, and choose **Create a new project** in the **Start** window.

+ :::image type="content" source="./media/test-app-in-azure/launch-visual-studio.png" alt-text="Screenshot of the Visual Studio Start page with Create a new project selected.":::

+1. On the **Create a new project** screen, select **Console Application**, and then select **Next**.

+ :::image type="content" source="./media/test-app-in-azure/select-console-application.png" alt-text="Screenshot of choosing Console Application.":::

+1. On the **Configure your new project** page, keep the defaults and select **Next**.

+1. On the **Additional information** page, keep the defaults and select **Create**.

+1. In Visual Studio **Solution Explorer**, right-click your project name, and select **Build**.

+1. When the build succeeds, in **Solution Explorer**, right-click your project name, and select **Publish**.

+ :::image type="content" source="./media/test-app-in-azure/publish-application.png" alt-text="Screenshot of selecting Publish from Solution Explorer.":::

+1. On the **Publish** screen, select **Folder**, and then select **Next**.

+ :::image type="content" source="./media/test-app-in-azure/publish-to-folder.png" alt-text="Screenshot of selecting Folder on the Publish screen.":::

+1. For **Specific target**, select **Folder**, and then select **Next**.

+1. For the **Location** option, select **Browse**, and then select the file share you mounted earlier.

+ :::image type="content" source="./media/test-app-in-azure/selecting-file-share.png" alt-text="Screenshot of browsing and selecting the file share.":::

+1. Select **OK**, and then select **Finish**.

+1. Select **Publish**.

+ :::image type="content" source="./media/test-app-in-azure/final-publish.png" alt-text="Screenshot of selecting Publish.":::

+Visual Studio publishes your application to the file share.

+## Access the app on your lab VM

+1. Connect to your lab test VM.

+1. On the lab VM, start up **File Explorer**, select **This PC**, and find the file share you mounted earlier.

+ :::image type="content" source="./media/test-app-in-azure/find-share-on-vm.png" alt-text="Screenshot of the file share in the V M's File Explorer.":::

+1. Open the file share, and confirm that you see the app you deployed from Visual Studio.

+ :::image type="content" source="./media/test-app-in-azure/open-file-share.png" alt-text="Screenshot of contents of file share.":::

+You can now test your app on your lab VM.

+ Title: Start & stop lab VMs with command lines

+description: Use Azure PowerShell or Azure CLI command lines and scripts to start and stop Azure DevTest Labs virtual machines.

+# Use command lines to start and stop DevTest Labs virtual machines

+This article shows how to start or stop Azure DevTest Labs virtual machines (VMs) by using Azure PowerShell or Azure CLI command lines and scripts.

+You can start, stop, or [restart DevTest Labs VMs](devtest-lab-restart-vm.md) by using the Azure portal. You can also use the portal to configure [automatic startup](devtest-lab-auto-startup-vm.md) and [automatic shutdown](devtest-lab-auto-shutdown.md) schedules and policies for lab VMs.

+When you want to script or automate start or stop for lab VMs, use PowerShell or Azure CLI commands. For example, you can use start or stop commands to:

+- Test a three-tier application, where the tiers need to start in a sequence.

+- Turn off VMs to save costs when they meet custom criteria.

+- Start when a continuous integration and continuous delivery (CI/CD) workflow begins, and stop when it finishes. For an example of this workflow, see [Run an image factory from Azure DevOps](image-factory-set-up-devops-lab.md).

+## Prerequisites

+- A [lab VM in DevTest Labs](devtest-lab-add-vm.md).

+- For Azure PowerShell, the [Az module](/powershell/azure/new-azureps-module-az) installed on your workstation. Make sure you have the latest version. If necessary, run `Update-Module -Name Az` to update the module.

+- For Azure CLI, [Azure CLI ](/cli/azure/install-azure-cli) installed on your workstation.

+## Azure PowerShell script

+The following PowerShell script starts or stops a VM in a lab by using [Invoke-AzResourceAction](/powershell/module/az.resources/invoke-azresourceaction). The `ResourceId` parameter is the fully qualified ID for the lab VM you want to start or stop. The `Action` parameter determines whether to start or stop the VM, depending on which action you need.

+1. From your workstation, use the PowerShell [Connect-AzAccount](/powershell/module/Az.Accounts/Connect-AzAccount) cmdlet to sign in to your Azure account. If you have multiple Azure subscriptions, uncomment the `Set-AzContext` line and fill in the `<Subscription ID>` you want to use.

+ # Set-AzContext -SubscriptionId "<Subscription ID>"

+1. Provide values for the *`<lab name>`* and *`<VM name>`*, and enter which action you want for *`<Start or Stop>`*.

+ $devTestLabName = "<lab name>"

+ $vMToStart = "<VM name>"

+ $vmAction = "<Start or Stop>"

+1. Start or stop the VM, based on the value you passed to `$vmAction`.

+ Write-Error "##[error] Failed to update DTL machine: $vMToStart, Action: $vmAction"

+## Azure CLI script

+The following script provides [Azure CLI](/cli/azure/get-started-with-azure-cli) commands for starting or stopping a lab VM. The variables in this script are for a Windows environment. Bash or other environments have slight variations.

+1. Provide appropriate values for *`<Subscription ID>`*, *`<lab name>`*, *`<VM name>`*, and the *`<Start or Stop>`* action to take.

+ ```azurecli

+ set SUBSCIPTIONID=<Subscription ID>

+ set DEVTESTLABNAME=<lab name>

+ set VMNAME=<VM name>

+ set ACTION=<Start or Stop>

+ ```

+1. Sign in to your Azure account. If you have multiple Azure subscriptions, uncomment the `az account set` line to use the subscription ID you provided.

+ ```azurecli

+ az login

+

+ REM az account set --subscription %SUBSCIPTIONID%

+ ```

+1. Get the name of the resource group that contains the lab.

+ ```azurecli

+ az resource list --resource-type "Microsoft.DevTestLab/labs" --name %DEVTESTLABNAME% --query "[0].resourceGroup"

+ ```

+1. Replace *`<resourceGroup>`* with the value you got from the previous step.

+ ```azurecli

+ set RESOURCEGROUP=<resourceGroup>

+ ```

+1. Run the command line to start or stop the VM, based on the value you passed to `ACTION`.

+ ```azurecli

+ az lab vm %ACTION% --lab-name %DEVTESTLABNAME% --name %VMNAME% --resource-group %RESOURCEGROUP%

+ ```

+- [Azure CLI az lab reference](/cli/azure/lab)

+- [PowerShell Az.DevTestLabs reference](/powershell/module/az.devtestlabs)

+- [Define the startup order for DevTest Labs VMs](start-machines-use-automation-runbooks.md)

+ Title: Use data history with Azure Data Explorer (preview)

+This error will occur if your Azure account doesn't have the required Azure role-based access control (Azure RBAC) permissions set on your Azure Digital Twins instance. In order to access data in your instance, you must have the *Azure Digital Twins Data Reader* or *Azure Digital Twins Data Owner* role on the instance you are trying to read or manage, respectively.

+* [Security for Azure Digital Twins solutions](concepts-security.md)

+ Title: Migrate databases at scale using Azure PowerShell / CLI

+description: Learn how to use Azure PowerShell or CLI to migrate databases at scale using the capabilities of Azure SQL Migration extension in Azure Data Studio with Azure Database Migration Service.

+# Migrate databases at scale using automation (Preview)

+The [Azure SQL Migration extension for Azure Data Studio](/sql/azure-data-studio/extensions/azure-sql-migration-extension) enables you to assess, get Azure recommendations and migrate your SQL Server databases to Azure. Using automation with [Azure PowerShell](/powershell/module/az.datamigration) or [Azure CLI](/cli/azure/datamigration), you can leverage the capabilities of the extension with Azure Database Migration Service to migrate one or more databases at scale (including databases across multiple SQL Server instances).

+The following sample scripts can be referenced to suit your migration scenario using Azure PowerShell or Azure CLI:

+|Scripting language |Migration scenario |Azure Samples link |

+||||

+|PowerShell |SQL Server assessment |[Azure-Samples/data-migration-sql/PowerShell/sql-server-assessment](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-assessment.md) |

+|PowerShell |SQL Server to Azure SQL Managed Instance (using file share) |[Azure-Samples/data-migration-sql/PowerShell/sql-server-to-sql-mi-fileshare](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-to-sql-mi-fileshare.md) |

+|PowerShell |SQL Server to Azure SQL Managed Instance (using Azure storage) |[Azure-Samples/data-migration-sql/PowerShell/sql-server-to-sql-mi-blob](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-to-sql-mi-blob.md) |

+|PowerShell |SQL Server to SQL Server on Azure Virtual Machines (using file share) |[Azure-Samples/data-migration-sql/PowerShell/sql-server-to-sql-vm-fileshare](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-to-sql-vm-fileshare.md) |

+|PowerShell |SQL Server to SQL Server on Azure Virtual Machines (using Azure Storage) |[Azure-Samples/data-migration-sql/PowerShell/sql-server-to-sql-vm-blob](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-to-sql-vm-blob.md) |

+|PowerShell |Sample: End-to-End migration automation |[Azure-Samples/data-migration-sql/PowerShell/scripts/](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/scripts/) |

+|PowerShell |Sample: End-to-End migration automation for multiple databases |[Azure-Samples/data-migration-sql/PowerShell/scripts/multiple%20databases/](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/scripts/multiple%20databases/) |

+|CLI |SQL Server assessment |[Azure-Samples/data-migration-sql/CLI/sql-server-assessment](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-assessment.md) |

+|CLI |SQL Server to Azure SQL Managed Instance (using file share) |[Azure-Samples/data-migration-sql/CLI/sql-server-to-sql-mi-fileshare](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-to-sql-mi-fileshare.md) |

+|CLI |SQL Server to Azure SQL Managed Instance (using Azure storage) |[Azure-Samples/data-migration-sql/CLI/sql-server-to-sql-mi-blob](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-to-sql-mi-blob.md) |

+|CLI |SQL Server to SQL Server on Azure Virtual Machines (using file share) |[Azure-Samples/data-migration-sql/CLI/sql-server-to-sql-vm-fileshare](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-to-sql-vm-fileshare.md) |

+|CLI |SQL Server to SQL Server on Azure Virtual Machines (using Azure Storage) |[Azure-Samples/data-migration-sql/CLI/sql-server-to-sql-vm-blob](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-to-sql-vm-blob.md) |

+|CLI |Sample: End-to-End migration automation |[Azure-Samples/data-migration-sql/CLI/scripts/](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/scripts/) |

+|CLI |Sample: End-to-End migration automation for multiple databases |[Azure-Samples/data-migration-sql/CLI/scripts/multiple%20databases/](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/scripts/multiple%20databases/) |

+## Prerequisites

+Pre-requisites that are common across all supported migration scenarios using Azure PowerShell or Azure CLI are:

+* Have an Azure account that is assigned to one of the built-in roles listed below:

+ - Contributor for the target Azure SQL Managed Instance (and Storage Account to upload your database backup files from SMB network share).

+ - Reader role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

+ - Owner or Contributor role for the Azure subscription.

+ > [!IMPORTANT]

+ > Azure account is only required when running the migration steps and is not required for assessment or Azure recommendation steps process.

+* Create a target [Azure SQL Managed Instance](../azure-sql/managed-instance/create-configure-managed-instance-powershell-quickstart.md) or [SQL Server on Azure Virtual Machine](../azure-sql/virtual-machines/windows/sql-vm-create-powershell-quickstart.md)

+ > [!IMPORTANT]

+ > If you have an existing Azure Virtual Machine, it should be registered with [SQL IaaS Agent extension in Full management mode](../azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management.md#management-modes).

+* Ensure that the logins used to connect the source SQL Server are members of the *sysadmin* server role or have `CONTROL SERVER` permission.

+* Use one of the following storage options for the full database and transaction log backup files:

+ - SMB network share

+ - Azure storage account file share or blob container

+ > [!IMPORTANT]

+ > - If your database backup files are provided in an SMB network share, [Create an Azure storage account](../storage/common/storage-account-create.md) that allows the DMS service to upload the database backup files. Make sure to create the Azure Storage Account in the same region as the Azure Database Migration Service instance is created.

+ > - Azure Database Migration Service does not initiate any backups, and instead uses existing backups, which you may already have as part of your disaster recovery plan, for the migration.

+ > - You should take [backups using the `WITH CHECKSUM` option](/sql/relational-databases/backup-restore/enable-or-disable-backup-checksums-during-backup-or-restore-sql-server).

+ > - Each backup can be written to either a separate backup file or multiple backup files. However, appending multiple backups (i.e. full and t-log) into a single backup media is not supported.

+ > - Use compressed backups to reduce the likelihood of experiencing potential issues associated with migrating large backups.

+* Ensure that the service account running the source SQL Server instance has read and write permissions on the SMB network share that contains database backup files.

+* The source SQL Server instance certificate from a database protected by Transparent Data Encryption (TDE) needs to be migrated to the target Azure SQL Managed Instance or SQL Server on Azure Virtual Machine before migrating data. To learn more, see [Migrate a certificate of a TDE-protected database to Azure SQL Managed Instance](../azure-sql/managed-instance/tde-certificate-migrate.md) and [Move a TDE Protected Database to Another SQL Server](/sql/relational-databases/security/encryption/move-a-tde-protected-database-to-another-sql-server).

+ > [!TIP]

+ > If your database contains sensitive data that is protected by [Always Encrypted](/sql/relational-databases/security/encryption/configure-always-encrypted-using-sql-server-management-studio), migration process using Azure Data Studio with DMS will automatically migrate your Always Encrypted keys to your target Azure SQL Managed Instance or SQL Server on Azure Virtual Machine.

+* If your database backups are in a network file share, provide a machine to install [self-hosted integration runtime](../data-factory/create-self-hosted-integration-runtime.md) to access and migrate database backups. The Azure PowerShell or Azure CLI modules provide the authentication keys to register your self-hosted integration runtime. In preparation for the migration, ensure that the machine where you plan to install the self-hosted integration runtime has the following outbound firewall rules and domain names enabled:

+ | Domain names | Outbound ports | Description |

+ | -- | -- | |

+ | Public Cloud: `{datafactory}.{region}.datafactory.azure.net`<br> or `*.frontend.clouddatahub.net` <br> Azure Government: `{datafactory}.{region}.datafactory.azure.us` <br> China: `{datafactory}.{region}.datafactory.azure.cn` | 443 | Required by the self-hosted integration runtime to connect to the Data Migration service. <br>For new created Data Factory in public cloud, locate the FQDN from your Self-hosted Integration Runtime key, which is in format `{datafactory}.{region}.datafactory.azure.net`. For old Data factory, if you don't see the FQDN in your Self-hosted Integration key, use *.frontend.clouddatahub.net instead. |

+ | `download.microsoft.com` | 443 | Required by the self-hosted integration runtime for downloading the updates. If you have disabled auto-update, you can skip configuring this domain. |

+ | `*.core.windows.net` | 443 | Used by the self-hosted integration runtime that connects to the Azure storage account for uploading database backups from your network share |

+ > [!TIP]

+ > If your database backup files are already provided in an Azure storage account, self-hosted integration runtime is not required during the migration process.

+* When using self-hosted integration runtime, make sure that the machine where the runtime is installed can connect to the source SQL Server instance and the network file share where backup files are located. Outbound port 445 should be enabled to allow access to the network file share.

+* If you're using the Azure Database Migration Service for the first time, ensure that Microsoft.DataMigration resource provider is registered in your subscription. You can follow the steps to [register the resource provider](./quickstart-create-data-migration-service-portal.md#register-the-resource-provider)

+## Automate database migrations

+Using Azure PowerShell [Az.DataMigration](/powershell/module/az.datamigration) or Azure CLI [az datamigration](/cli/azure/datamigration), you can migrate databases by automating the creation of the Azure Database Migration Service, configuring database migrations for online migration and performing a cutover. There are several more commands and functionality that is documented in [Azure Samples](https://github.com/Azure-Samples/data-migration-sql).

+Example of automating migration of a SQL Server database using Azure CLI:

+**Step 1: Create Azure Database Migration Service which will orchestrate all the migration activities for your database.**

+```azurepowershell-interactive

+#STEP 1: Create Database Migration Service

+az datamigration sql-service create --resource-group "myRG" --sql-migration-service-name "myMigrationService" --location "EastUS2"

+```

+**Step 2: Configure and start online database migration from SQL Server on-premises (with backups in Azure storage) to Azure SQL Managed Instance.**

+```azurepowershell-interactive

+#STEP 2: Start Migration

+az datamigration sql-managed-instance create `

+--source-location '{\"AzureBlob\":{\"storageAccountResourceId\":\"/subscriptions/mySubscriptionID/resourceGroups/myRG/providers/Microsoft.Storage/storageAccounts/dbbackupssqlbits\",\"accountKey\":\"myAccountKey\",\"blobContainerName\":\"dbbackups\"}}' `

+--migration-service "/subscriptions/mySubscriptionID/resourceGroups/myRG/providers/Microsoft.DataMigration/SqlMigrationServices/myMigrationService" `

+--scope "/subscriptions/mySubscriptionID/resourceGroups/myRG/providers/Microsoft.Sql/managedInstances/mySQLMI" `

+--source-database-name "AdventureWorks2008" `

+--source-sql-connection authentication="SqlAuthentication" data-source="mySQLServer" password="myPassword" user-name="sqluser" `

+--target-db-name "AdventureWorks2008" `

+--resource-group myRG `

+--managed-instance-name mySQLMI

+```

+**Step 3: Perform a migration cutover once all backups are restored to Azure SQL Managed Instance.**

+```azurepowershell-interactive

+#STEP 3: Get migration ID and perform Cutover

+$migOpId = az datamigration sql-managed-instance show --managed-instance-name "mySQLMI" --resource-group "myRG" --target-db-name "AdventureWorks2008" --expand=MigrationStatusDetails --query "properties.migrationOperationId"

+az datamigration sql-managed-instance cutover --managed-instance-name "mySQLMI" --resource-group "myRG" --target-db-name "AdventureWorks2008" --migration-operation-id $migOpId

+```

+## Next steps

+- For Azure PowerShell reference documentation for SQL Server database migrations, see [Az.DataMigration](/powershell/module/az.datamigration).

+- For Azure CLI reference documentation for SQL Server database migrations, see [az datamigration](/cli/azure/datamigration).

+- For Azure Samples code repository, see [data-migration-sql](https://github.com/Azure-Samples/data-migration-sql)

+Media Services emits the **Job-related** event types described below. There are two categories for the **Job-related** events: "Monitoring Job State Changes" and "Monitoring Job Output State Changes".

+You can register for all of the events by subscribing to the JobStateChange event. Or, you can subscribe for specific events only (for example, final states like JobErrored, JobFinished, and JobCanceled).

+Each **Job** is going to be at a higher level than **JobOutput**, thus job output events get fired inside of a corresponding job.

+Media Services also emits the **Live** event types described below. There are two categories for the **Live** events: stream-level events and track-level events.

+Track-level events are raised per track.

+The following example shows the schema of the **JobStateChange** event:

+The following example shows the schema of the **JobStateChange** event:

+The following example shows the schema of the **LiveEventConnectionRejected** event:

+ "data": {

+| `streamId` | string | Identifier of the stream or connection. Encoder or customer is responsible to add this ID in the ingest URL. |

+| `ingestUrl` | string | Ingest URL provided by the live event. |

+You can find the error result codes in [live Event error codes](/media-services/latest/live-event-error-codes-reference).

+The following example shows the schema of the **LiveEventEncoderConnected** event:

+ {

+The following example shows the schema of the **LiveEventEncoderConnected** event:

+ {

+The following example shows the schema of the **LiveEventEncoderDisconnected** event:

+ {

+The following example shows the schema of the **LiveEventEncoderDisconnected** event:

+ {

+| `streamId` | string | Identifier of the stream or connection. Encoder or customer is responsible to add this ID in the ingest URL. |

+| `ingestUrl` | string | Ingest URL provided by the live event. |

+You can find the error result codes in [live Event error codes](/media-services/latest/live-event-error-codes-reference).

+The following example shows the schema of the **LiveEventIncomingDataChunkDropped** event:

+ "data": {

+The following example shows the schema of the **LiveEventIncomingDataChunkDropped** event:

+ "data": {

+The following example shows the schema of the **LiveEventIncomingStreamReceived** event:

+The following example shows the schema of the **LiveEventIncomingStreamReceived** event:

+The following example shows the schema of the **LiveEventIncomingStreamsOutOfSync** event:

+ "timescaleOfMinLastTimestamp": "10000000",

+ "timescaleOfMaxLastTimestamp": "10000000"

+The following example shows the schema of the **LiveEventIncomingStreamsOutOfSync** event:

+ "timescaleOfMinLastTimestamp": "10000000",

+ "timescaleOfMaxLastTimestamp": "10000000"

+The following example shows the schema of the **LiveEventIncomingVideoStreamsOutOfSync** event:

+ "timescale": "10000000"

+The following example shows the schema of the **LiveEventIncomingVideoStreamsOutOfSync** event:

+ "timescale": "10000000"

+The following example shows the schema of the **LiveEventIngestHeartbeat** event:

+The following example shows the schema of the **LiveEventIngestHeartbeat** event:

+The following example shows the schema of the **LiveEventTrackDiscontinuityDetected** event:

+The following example shows the schema of the **LiveEventTrackDiscontinuityDetected** event:

+[Register for job state change events](/media-services/latest/monitoring/job-state-events-cli-how-to)

+- [Live Event error codes](/media-services/latest/live-event-error-codes-reference)

+

+ terraform {

+ required_providers {

+ azurerm = {

+ source = "hashicorp/azurerm"

+ version = ">= 2.96.0"

+ }

+ }

+ }

+ resource "azurerm_resource_policy_assignment" "auditvms" {

+ name = "audit-vm-manageddisks"

+ resource_id = var.cust_scope

+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"

+ description = "Shows all virtual machines not using managed disks"

+ display_name = "Audit VMs without managed disks assignment"

+ value = azurerm_resource_policy_assignment.auditvms.id

+> **When to use:** As a fully managed service Azure Spring Cloud is a good choice when you're minimizing operational cost running Spring Boot/Spring Cloud based microservices on Azure.

+and [Azure Media Services](/media-services/previous/media-services-dotnet-how-to-use) provide client-side SDKs to let you access services from web and mobile client apps.

+# Azure Industrial IoT Platform Release 2.8.2

+We are pleased to announce the release of version 2.8.2 of our Industrial IoT Platform components as a second patch update of the 2.8 Long-Term Support (LTS) release. This release contains important backward compatibility fixes including Direct Methods API support with version 2.5.x, performance optimizations as well as security updates and bugfixes.

+## Azure Industrial IoT Platform Release 2.8.1

+|[2.8.2](https://github.com/Azure/Industrial-IoT/tree/2.8.2) |Patch release for LTS 2.8|March 2022 |Backwards compatibility with 2.5.x, bug fixes, security updates, performance optimizations for LTS v2.8|

+2. Browse to your Device Provisioning Service.

+4. Select **Add diagnostic setting**.

+5. Configure the desired logs to be collected.

+6. Tick the box **Send to Log Analytics** ([see pricing](https://azure.microsoft.com/pricing/details/log-analytics/)) and save.

+8. Write **AzureDiagnostics** as a query and click **Run** to view recent events.

+| 500 | An internal error occurred. | 500 Internal Server Error|

+## Create a key vault

+Create a key vault using one of these three methods:

+- [Create a key vault using the Azure portal](../general/quick-create-portal.md)

+- [Create a key vault using the Azure CLI](../general/quick-create-cli.md)

+- [Create a key vault using Azure PowerShell](../general/quick-create-powershell.md)

+## Import a certificate to your key vault

+To import a certificate to the vault, you need to have a PEM or PFX certificate file to be on disk. If the certificate is in PEM format, the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.

+> In Azure Key Vault, supported certificate formats are PFX and PEM.

+In this case, we will create a certificate called **ExampleCertificate**, or import a certificate called **ExampleCertificate** with a path of **/path/to/cert.pem". You can import a certificate with the Azure portal, Azure CLI, or Azure PowerShell.

+# [Azure portal](#tab/azure-portal)

+When importing a certificate, Azure Key vault will automatically populate certificate parameters (i.e. validity period, Issuer name, activation date etc.).

+Once you receive the message that the certificate has been successfully imported, you may click on it on the list to view its properties.

+# [Azure CLI](#tab/azure-cli)

+Import a certificate into your key vault using the Azure CLI [az keyvault certificate import](/cli/azure/keyvault/certificate#az-keyvault-certificate-import) command:

+az keyvault certificate import --vault-name "<your-key-vault-name>" -n "ExampleCertificate" -f "/path/to/ExampleCertificate.pem"

+After importing the certificate, you can view the certificate using the Azure CLI [az keyvault certificate show](/cli/azure/keyvault/certificate#az-keyvault-certificate-show) command.

+az keyvault certificate show --vault-name "<your-key-vault-name>" --name "ExampleCertificate"

+# [Azure PowerShell](#tab/azure-powershell)

+You can import a certificate into Key Vault using the Azure PowerShell [Import-AzKeyVaultCertificate](/powershell/module/az.keyvault/import-azkeyvaultcertificate) cmdlet.

+```azurepowershell

+$Password = ConvertTo-SecureString -String "123" -AsPlainText -Force

+Import-AzKeyVaultCertificate -VaultName "<your-key-vault-name>" -Name "ExampleCertificate" -FilePath "C:\path\to\ExampleCertificate.pem" -Password $Password

+After importing the certificate, you can view the certificate using the Azure PowerShell [Import-AzKeyVaultCertificate](/powershell/module/az.keyvault/import-azkeyvaultcertificate) cmdlet

+```azurepowershell

+Get-AzKeyVaultCertificate -VaultName "<your-key-vault-name>" -Name "ExampleCertificate"

+Now, you have created a Key vault, imported a certificate and viewed a certificate's properties.

+- Review the [Key Vault security overview](../general/security-features.md)

+Create a key vault using one of these three methods:

+- [Create a key vault using the Azure portal](../general/quick-create-portal.md)

+- [Create a key vault using the Azure CLI](../general/quick-create-cli.md)

+- [Create a key vault using Azure PowerShell](../general/quick-create-powershell.md)

+- Generate (or import using [BYOK](hsm-protected-keys-byok.md)) keys and use them to encrypt your data at rest in Azure services such as [Azure Storage](../../storage/common/customer-managed-keys-overview.md), [Azure SQL](../../azure-sql/database/transparent-data-encryption-byok-overview.md), [Azure Information Protection](/azure/information-protection/byok-price-restrictions), and [Customer Key for Microsoft 365](/microsoft-365/compliance/customer-key-set-up). For a more complete list of Azure services which work with Managed HSM, see [Data Encryption Models](/azure/security/fundamentals/encryption-models#supporting-services).

+## 2022-03-28

+### Azure Machine Learning SDK for Python v1.40.0

+ + **azureml-automl-dnn-nlp**

+ + We're making the Long Range Text feature optional and only if the customers explicitly opt in for it, using the kwarg "enable_long_range_text"

+ + Adding data validation layer for multi-class classification scenario which leverages the same base class as multilabel for common validations, and a derived class for additional task specific data validation checks.

+ + **azureml-automl-dnn-vision**

+ + Fixing KeyError while computing class weights.

+ + **azureml-contrib-reinforcementlearning**

+ + SDK warning message for upcoming deprecation of RL service

+ + **azureml-core**

+ + * Return logs for runs that went through our new runtime when calling any of the get logs function on the run object, including `run.get_details`, `run.get_all_logs`, etc.

+ + Added experimental method Datastore.register_onpremises_hdfs to allow users to create datastores pointing to on-premises HDFS resources.

+ + Updating the cli documentation in the help command

+ + **azureml-interpret**

+ + For azureml-interpret package, remove shap pin with packaging update. Remove numba and numpy pin after CE env update.

+ + **azureml-mlflow**

+ + Bugfix for MLflow deployment client run_local failing when config object wasn't provided.

+ + **azureml-pipeline-steps**

+ + Remove broken link of deprecated pipeline EstimatorStep

+ + **azureml-responsibleai**

+ + update azureml-responsibleai package to raiwidgets and responsibleai 0.17.0 release

+ + **azureml-train-automl-runtime**

+ + Code generation for automated ML now supports ForecastTCN models (experimental).

+ + Models created via code generation will now have all metrics calculated by default (except normalized mean absolute error, normalized median absolute error, normalized RMSE, and normalized RMSLE in the case of forecasting models). The list of metrics to be calculated can be changed by editing the return value of `get_metrics_names()`. Cross validation will now be used by default for forecasting models created via code generation..

+ + **azureml-training-tabular**

+ + The list of metrics to be calculated can be changed by editing the return value of `get_metrics_names()`. Cross validation will now be used by default for forecasting models created via code generation.

+ + Converting decimal type y-test into float to allow for metrics computation to proceed without errors.

+To run the Bicep template, use the following commands from the `machine-learning-end-to-end-secure` where the `main.bicep` file is:

+To learn more about common secure workspace configurations and input/output requirements, see [Azure Machine Learning secure workspace traffic flow](concept-secure-network-traffic-flow.md).

+- ISV to ensure the SaaS private plan is using the correct tenant ID for the customer - [How to find your Azure Active Directory tenant ID](../active-directory/fundamentals/active-directory-how-to-find-tenant.md). For VMs use the [Azure Subscription ID. (video guide)](/media-services/latest/setup-azure-subscription-how-to?tabs=portal)

+## Metered billing retrieve usage events

+You can call the usage events API to get the list of usage events. ISVs can use this API to see the usage events that have been posted for a certain configurable duration of time and what state these events are at the point of calling the API.

+GET: https://marketplaceapi.microsoft.com/api/usageEvents

+*Query parameters*:

+| Parameter | Recommendation |

+| | - |

+| ApiVersion | Use this format: 2018-08-31 |

+| usageStartDate | DateTime in ISO8601 format. For example, 2020-12-03T15:00 or 2020-12-03 |

+| UsageEndDate (optional) | DateTime in ISO8601 format. Default = current date |

+| offerId (optional) | Default = all available |

+| planId (optional) | Default = all available |

+| dimension (optional) | Default = all available |

+| azureSubscriptionId (optional) | Default = all available |

+| reconStatus (optional) | Default = all available |

+|||

+*Possible values of reconStatus*:

+| ReconStatus | Description |

+| | - |

+| Submitted | Not yet processed by PC Analytics |

+| Accepted | Matched with PC Analytics |

+| Rejected | Rejected in the pipeline. Contact Microsoft support to investigate the cause. |

+| Mismatch | MarketplaceAPI and Partner Center Analytics quantities are both non-zero, however not matching |

+| TestHeaders | Subscription listed with test headers, and therefore not in PC Analytics |

+| DryRun | Submitted with SessionMode=DryRun, and therefore not in PC |

+|||

+*Request headers*:

+| Content type | Use application/json |

+| | - |

+| x-ms-requestid | Unique string value (preferably a GUID), for tracking the request from the client. If this value is not provided, one will be generated and provided in the response headers. |

+| x-ms-correlationid | Unique string value for operation on the client. This parameter correlates all events from client operation with events on the server side. If this value isn't provided, one will be generated and provided in the response headers. |

+| authorization | A unique access token that identifies the ISV that is making this API call. The format is `Bearer <access_token>` when the token value is retrieved by the publisher. For more information, see:<br><ul><li>SaaS in [Get the token with an HTTP POST](./partner-center-portal/pc-saas-registration.md#get-the-token-with-an-http-post)</li><li>Managed application in [Authentication strategies](marketplace-metering-service-authentication.md)</li></ul> |

+|||

+### Responses

+Response payload examples:

+*Accepted**

+```json

+[

+ {

+ "usageDate": "2020-11-30T00:00:00Z",

+ "usageResourceId": "11111111-2222-3333-4444-555555555555",

+ "dimension": "tokens",

+ "planId": "silver",

+ "planName": "Silver",

+ "offerId": "mycooloffer",

+ "offerName": "My Cool Offer",

+ "offerType": "SaaS",

+ "azureSubscriptionId": "12345678-9012-3456-7890-123456789012",

+ "reconStatus": "Accepted",

+ "submittedQuantity": 17.0,

+ "processedQuantity": 17.0,

+ "submittedCount": 17

+ }

+]

+```

+*Submitted*

+```json

+[

+ {

+ "usageDate": "2020-11-30T00:00:00Z",

+ "usageResourceId": "11111111-2222-3333-4444-555555555555",

+ "dimension": "tokens",

+ "planId": "silver",

+ "planName": "",

+ "offerId": "mycooloffer",

+ "offerName": "",

+ "offerType": "SaaS",

+ "azureSubscriptionId": "12345678-9012-3456-7890-123456789012",

+ "reconStatus": "Submitted",

+ "submittedQuantity": 17.0,

+ "processedQuantity": 0.0,

+ "submittedCount": 17

+ }

+]

+```

+*Mismatch*

+```json

+[

+ {

+ "usageDate": "2020-11-30T00:00:00Z",

+ "usageResourceId": "11111111-2222-3333-4444-555555555555",

+ "dimension": "tokens",

+ "planId": "silver",

+ "planName": "Silver",

+ "offerId": "mycooloffer",

+ "offerName": "My Cool Offer",

+ "offerType": "SaaS",

+ "azureSubscriptionId": "12345678-9012-3456-7890-123456789012",

+ "reconStatus": "Mismatch",

+ "submittedQuantity": 17.0,

+ "processedQuantity": 16.0,

+ "submittedCount": 17

+ }

+]

+```

+*Rejected*

+```json

+[

+ {

+ "usageDate": "2020-11-30T00:00:00Z",

+ "usageResourceId": "11111111-2222-3333-4444-555555555555",

+ "dimension": "tokens",

+ "planId": "silver",

+ "planName": "",

+ "offerId": "mycooloffer",

+ "offerName": "",

+ "offerType": "SaaS",

+ "azureSubscriptionId": "12345678-9012-3456-7890-123456789012",

+ "reconStatus": "Rejected",

+ "submittedQuantity": 17.0,

+ "processedQuantity": 0.0,

+ "submittedCount": 17

+ }

+]

+```

+**Status codes**

+Code: 403

+Forbidden. The authorization token isn't provided, is invalid or expired. Or the request is attempting to access a subscription for an offer that was published with a different Azure AD App ID from the one used to create the authorization token.

+For more information on metering service APIs, see [Marketplace metering service APIs FAQ](marketplace-metering-service-apis-faq.yml).