-2. **Actions** - Followed by type of `ClaimsExchange`. The ClaimsExchange contains list of actions. The action is a reference to a technical profile, such as [OAuth2](oauth2-technical-profile.md), [OpenID Connect](openid-connect-technical-profile.md), [claims transformation](claims-transformation-technical-profile.md), or [self-asserted](self-asserted-technical-profile.md). The When a user clicks on one of the buttons, the corresponding action is executed.

-description: Learn about the consent framework in Azure Active Directory and how it makes it easy to develop multi-tenant web and native client applications.

-# Azure Active Directory consent framework

-The Azure Active Directory (Azure AD) consent framework makes it easy to develop multi-tenant web and native client applications. These applications allow sign-in by user accounts from an Azure AD tenant that's different from the one where the application is registered. They may also need to access web APIs such as the Microsoft Graph API (to access Azure AD, Intune, and services in Microsoft 365) and other Microsoft services' APIs, in addition to your own web APIs.

-The framework is based on a user or an administrator giving consent to an application that asks to be registered in their directory, which may involve accessing directory data. For example, if a web client application needs to read calendar information about the user from Microsoft 365, that user is required to consent to the client application first. After consent is given, the client application will be able to call the Microsoft Graph API on behalf of the user, and use the calendar information as needed. The [Microsoft Graph API](https://developer.microsoft.com/graph) provides access to data in Microsoft 365 (like calendars and messages from Exchange, sites and lists from SharePoint, documents from OneDrive, notebooks from OneNote, tasks from Planner, and workbooks from Excel), as well as users and groups from Azure AD and other data objects from more Microsoft cloud services.

-The consent framework is built on OAuth 2.0 and its various flows, such as authorization code grant and client credentials grant, using public or confidential clients. By using OAuth 2.0, Azure AD makes it possible to build many different types of client applications--such as on a phone, tablet, server, or a web application--and gain access to the required resources.

-For more info about using the consent framework with OAuth2.0 authorization grants, see [Authorize access to web applications using OAuth 2.0 and Azure AD](v2-oauth2-auth-code-flow.md) and [Authentication scenarios for Azure AD](./authentication-vs-authorization.md). For info about getting authorized access to Microsoft 365 through Microsoft Graph, see [App authentication with Microsoft Graph](/graph/).

-See [how to convert an app to be multi-tenant](howto-convert-app-to-be-multi-tenant.md)

-These code samples, built and maintained by Microsoft, demonstrate authentication and authorization by using Azure AD and the Microsoft identity platform in several [application types](v2-app-types.md), development languages, and frameworks.

-Each code sample includes a _README.md_ file that describes how to build the project (if applicable) and run the sample application. Comments in the code help you understand critical sections that implementing authentication and authorization using authentication libraries and the identity platform.

-Some permissions require consent from an administrator before they can be granted within a tenant. You can also use the admin consent endpoint to grant permissions to an entire tenant.

-When you sign the user into your app, you can identify the organization to which the admin belongs before asking them to approve the necessary permissions. Although not strictly necessary, it can help you create a more intuitive experience for your organizational users. To sign the user in, follow the [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md).

-> - In the SAML request sent by Azure AD for external federations, the Issuer URL is a tenanted endpoint. For any new federations, we recommend that all our partners set the audience of the SAML or WS-Fed based IdP to a tenanted endpoint. Refer to the [SAML 2.0](#required-saml-20-attributes-and-claims) and [WS-Fed](#required-ws-fed-attributes-and-claims) required attributes and claims sections below. Any existing federations configured with the global endpoint will continue to work, but new federations will stop working if your external IdP is expecting a global issuer URL in the SAML request.

-## End-user experience

-1. If the partner's IdP is one of these allowed IdPs, no DNS changes are needed (this list is subject to change):

- - accounts.google.com

- - pingidentity.com

- - login.pingone.com

- - okta.com

- - oktapreview.com

- - okta-emea.com

- - my.salesforce.com

- - federation.exostar.com

- - federation.exostartest.com

- - idaptive.app

- - idaptive.qa

-2. If the IdP is not one of the allowed providers listed in the previous step, check the partner's IdP passive authentication URL to see if the domain matches the target domain or a host within the target domain. In other words, when setting up federation for `fabrikam.com`:

- - If the authentication URL is `https://fabrikam.com` or `https://sts.fabrikam.com/adfs` (a host in the same domain), no DNS changes are needed.

- - If the authentication URL is `https://fabrikamconglomerate.com/adfs` or `https://fabrikam.com.uk/adfs`, the domain doesn't match the fabrikam.com domain, so the partner will need to add a text record for the authentication URL to their DNS configuration.

-3. If DNS changes are needed based on the previous step, ask the partner to add a TXT record to their domain's DNS records, like the following example:

-> | Characters not allowed for:<br/>Attribute set name<br/>Attribute name | ``<space> ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] \| \ : ; " ' < , > . ? /`` | |

-The audit logs report is available for features for which you have licenses. If you have a license for a specific feature, you also have access to the audit log information for it. A deatiled feature comparison as per [different types of licenses](../fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) can be seen on the [Azure Active Directory pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). For more details, see [Azure Active Directory features and capabilities](../fundamentals/active-directory-whatis.md#which-features-work-in-azure-ad).

-description: Learn how to configure single sign-on between Azure Active Directory and Netsparker Enterprise.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Netsparker Enterprise

-In this tutorial, you'll learn how to integrate Netsparker Enterprise with Azure Active Directory (Azure AD). When you integrate Netsparker Enterprise with Azure AD, you can:

-* Control in Azure AD who has access to Netsparker Enterprise.

-* Enable your users to be automatically signed-in to Netsparker Enterprise with their Azure AD accounts.

-* Netsparker Enterprise single sign-on (SSO) enabled subscription.

-* Netsparker Enterprise supports **SP and IDP** initiated SSO

-* Netsparker Enterprise supports **Just In Time** user provisioning

-## Adding Netsparker Enterprise from the gallery

-To configure the integration of Netsparker Enterprise into Azure AD, you need to add Netsparker Enterprise from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **Netsparker Enterprise** in the search box.

-1. Select **Netsparker Enterprise** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for Netsparker Enterprise

-Configure and test Azure AD SSO with Netsparker Enterprise using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Netsparker Enterprise.

-To configure and test Azure AD SSO with Netsparker Enterprise, perform the following steps:

-1. **[Configure Netsparker Enterprise SSO](#configure-netsparker-enterprise-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create Netsparker Enterprise test user](#create-netsparker-enterprise-test-user)** - to have a counterpart of B.Simon in Netsparker Enterprise that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **Netsparker Enterprise** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:

- > The Reply URL value is not real. Update the value with the actual Reply URL. Contact [Netsparker Enterprise Client support team](mailto:support@netsparker.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. On the **Set up Netsparker Enterprise** section, copy the appropriate URL(s) based on your requirement.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Netsparker Enterprise.

-1. In the applications list, select **Netsparker Enterprise**.

-## Configure Netsparker Enterprise SSO

-1. Log in to Netsparker Enterprise as an Administrator.

-1. Go to the **Settings > Single

-Sign-On**.

- e. Paste the **Reply URL** value, which you have copied from the Azure portal into the **SAML 2.0 Endpoint** field.

- f. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **x.509 Certificate** textbox.

- g. Check **Enable Auto Provisioning** and **Require SAML assertions to be encrypted** as required.

- h. Click **Save Changes**.

-### Create Netsparker Enterprise test user

-In this section, a user called Britta Simon is created in Netsparker Enterprise. Netsparker Enterprise supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Netsparker Enterprise, a new one is created after authentication.

-* Click on **Test this application** in Azure portal. This will redirect to Netsparker Enterprise Sign-on URL where you can initiate the login flow.

-* Go to Netsparker Enterprise Sign-on URL directly and initiate the login flow from there.

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Netsparker Enterprise for which you set up the SSO

-You can also use Microsoft Access Panel to test the application in any mode. When you click the Netsparker Enterprise tile in the Access Panel, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Netsparker Enterprise for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-Once you configure Netsparker Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-[kubernetes-faq]: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#ca-doesnt-work-but-it-used-to-work-yesterday-why

-For clusters using the new Container Storage Interface (CSI) external plugins (preview) the following extra `StorageClasses` are created:

-| **`*:1194`** <br/> *Or* <br/> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - **`AzureCloud.<Region>:1194`** <br/> *Or* <br/> [Regional CIDRs](../virtual-network/service-tags-overview.md#discover-service-tags-by-using-downloadable-json-files) - **`RegionCIDRs:1194`** <br/> *Or* <br/> **`APIServerPublicIP:1194`** `(only known after cluster creation)` | UDP | 1194 | For tunneled secure communication between the nodes and the control plane. This is not required for [private clusters](private-clusters.md)|

-| **`*:9000`** <br/> *Or* <br/> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - **`AzureCloud.<Region>:9000`** <br/> *Or* <br/> [Regional CIDRs](../virtual-network/service-tags-overview.md#discover-service-tags-by-using-downloadable-json-files) - **`RegionCIDRs:9000`** <br/> *Or* <br/> **`APIServerPublicIP:9000`** `(only known after cluster creation)` | TCP | 9000 | For tunneled secure communication between the nodes and the control plane. This is not required for [private clusters](private-clusters.md) |

-| **`*:123`** or **`ntp.ubuntu.com:123`** (if using Azure Firewall network rules) | UDP | 123 | Required for Network Time Protocol (NTP) time synchronization on Linux nodes. |

-| **`APIServerPublicIP:443`** `(if running pods/deployments that access the API Server)` | TCP | 443 | Required if running pods/deployments that access the API Server, those pods/deployments would use the API IP. This is not required for [private clusters](private-clusters.md) |

-| **`*.hcp.<location>.azmk8s.io`** | **`HTTPS:443`** | Required for Node <-> API server communication. Replace *\<location\>* with the region where your AKS cluster is deployed. |

-| **`apt.dockerproject.org`** | **`HTTPS:443`** | This address is used for correct driver installation and operation on GPU-based nodes. |

- az ad sp create-for-rbac --role Contributor -o json

-az ad sp create-for-rbac --name SparkSP --role Contributor

-az ad sp create-for-rbac --role Contributor

-When your API is ready to go and starts to be used by developers, you eventually need to make changes to that API and at the same time not disrupt callers of your API. It's also useful to let developers know about the changes you made.

-In Azure API Management, use *revisions* to make non-breaking API changes so you can model and test changes safely. When ready, you can make a revision current and replace your current API.

-1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to your API Management instance.

-5. Provide a description for your new revision, to help remember what it will be used for.

-6. Select **Create**,

-1. Set your new operation to be **POST**, and the Name, Display Name and URL of the operation as **test**.

-1. Notice that your new operation does not appear in **Revision 1**.

-1. Select the **Post to Public Change log for this API** checkbox, if you want to post notes about this change. Provide a description for your change that developers see, for example: **Testing revisions. Added new "test" operation.**

- The notes you specify appear in the changelog. You can see them in the output of the previous command.

-1. When you create a release, the `--notes` parameter is optional. You can add or change the notes later by using the [az apim api release update](/cli/azure/apim/api/release#az-apim-api-release-update) command:

-1. Notice that your change log entry appears in this list.

-1. In **WSDL specification**, enter the URL to your SOAP API, or click **Select a file** to select a local WSDL file.

- The page displays fields for query parameters and fields for the headers. One of the headers is **Ocp-Apim-Subscription-Key**, for the subscription key of the product that is associated with this API. If you created the API Management instance, you're an administrator already, so the key is filled in automatically.

- az ad sp create-for-rbac -o json > auth.json

- az ad sp create-for-rbac -n "http://mySP" --role Contributor --sdk-auth

-| Windows Authentication | No |

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-For the `--extension-targets` parameter, you need to specify the extension and the latest version available. To find out what the latest version available is, you can get this information from the **Extensions** page for the selected Arc-enabled server in the Azure portal, or by running [az vm extension image list](/cli/azure/vm/extension/image#az-vm-extension-image-list).

-az connectedmachine upgrade-extension --machine-name "myMachineName" --resource-group "myResourceGroup --extension-targets --extension-targets "{\"MicrosoftMonitoringAgent\":{\"targetVersion\":\"1.0.18053.0\"}}""

-`The installed extension `Az.ConnectedMachine` is experimental and not covered by customer support. Please use with discretion.`

-## Update extensions

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

-> [!IMPORTANT]

-> In the interest of ensuring new features are documented no later than their release, this page may include documentation for features that may not yet be publicly available.

- + [Azure CLI](/cli/azure/install-azure-cli) version 2.4 or later.

- az functionapp create --consumption-plan-location westeurope --runtime python --runtime-version 3.8 --functions-version 3 --name <APP_NAME> --os-type linux --storage-account <STORAGE_NAME>

- The [az functionapp create](/cli/azure/functionapp#az-functionapp-create) command creates the function app in Azure. If you are using Python 3.7 or 3.6, change `--runtime-version` to `3.7` or `3.6`, respectively. You must supply `--os-type linux` because Python functions can't run on Windows, which is the default.

- New-AzFunctionApp -Name <APP_NAME> -ResourceGroupName AzureFunctionsQuickstart-rg -StorageAccount <STORAGE_NAME> -FunctionsVersion 3 -RuntimeVersion 3.8 -Runtime python -Location '<REGION>'

- The [New-AzFunctionApp](/powershell/module/az.functions/new-azfunctionapp) cmdlet creates the function app in Azure. If you're using Python 3.7 or 3.6, change `-RuntimeVersion` to `3.7` or `3.6`, respectively.

-# Create a classic metric alert with a Resource Manager template

-> This article describes how to create older classic metric alerts. Azure Monitor now supports [newer near-real time metric alerts and a new alerts experience](./alerts-overview.md). Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users. Classic alerts for Azure Government cloud and Azure China 21Vianet will retire on **29 February 2024**.

-This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) to configure Azure classic metric alerts. This enables you to automatically set up alerts on your resources when they are created to ensure that all resources are monitored correctly.

-1. Create a template as a JSON file that describes how to create the alert.

-Below we describe how to create a Resource Manager template first for an alert alone, then for an alert during the creation of another resource.

-## Resource Manager template for a classic metric alert

-To create an alert using a Resource Manager template, you create a resource of type `Microsoft.Insights/alertRules` and fill in all related properties. Below is a template that creates an alert rule.

-## Resource Manager template for a resource with a classic metric alert

-An alert on a Resource Manager template is most often useful when creating an alert while creating a resource. For example, you may want to ensure that a ΓÇ£CPU % > 80ΓÇ¥ rule is set up every time you deploy a Virtual Machine. To do this, you add the alert rule as a resource in the resource array for your VM template and add a dependency using the `dependsOn` property to the VM resource ID. HereΓÇÖs a full example that creates a Windows VM and adds an alert that notifies subscription admins when the CPU utilization goes above 80%.

- az ad sp create-for-rbac --role Contributor --sdk-auth

- az ad sp create-for-rbac --name $YOURSPNAMEGOESHERE --role Contributor

- $RBAC_SP = az ad sp create-for-rbac --name <YOURSPNAMEGOESHERE> --role Contributor | ConvertFrom-Json

-After creating a [template spec](../templates/template-specs.md), you can link to that template spec in a module. Specify the template spec in the following format:

-[**Microsoft.Resources/templateSpecs**](/azure/templates/microsoft.resources/templatespecs) is the resource type for template specs. It consists of a main template and any number of linked templates. Azure securely stores template specs in resource groups. Both the main template and the linked templates must be in JSON. Template Specs support [versioning](#versioning).

-When designing your deployment, always consider the lifecycle of the resources and group the resources that share similar lifecycle into a single template spec. For instance, your deployments include multiple instances of Cosmos DB with each instance containing its own databases and containers. Given the databases and the containers donΓÇÖt change much, you want to create one template spec to include a Cosmo DB instance and its underlying databases and containers. You can then use conditional statements in your Bicep along with copy loops to create multiple instances of these resources.

-**Microsoft.Resources/templateSpecs** is the resource type for template specs. It consists of a main template and any number of linked templates. Azure securely stores template specs in resource groups. Template Specs support [versioning](#versioning).

-When designing your deployment, always consider the lifecycle of the resources and group the resources that share similar lifecycle into a single template spec. For instance, your deployments include multiple instances of Cosmos DB with each instance containing its own databases and containers. Given the databases and the containers donΓÇÖt change much, you want to create one template spec to include a Cosmo DB instance and its underlying databases and containers. You can then use conditional statements in your templates along with copy loops to create multiple instances of these resources.

-|`oom_per_second`|The rate of out-of-memory (OOM) errors in an elastic pool, which is an indicator of memory pressure. Available in the [sys.dm_resource_governor_resource_pools_history_ex](/sql/relational-databases/system-dynamic-management-views/sys-dm-resource-governor-resource-pools-history-ex-azure-sql-database) view. See [Examples](#examples) for a sample query to calculate this metric. For more information, see resource limits for [elastic pools using DTUs](resource-limits-dtu-elastic-pools.md) or [elastic pools using vCores](resource-limits-vcore-elastic-pools.md), and [Troubleshoot out of memory errors with Azure SQL Database](troubleshoot-memory-errors-issues.md).|0|

-> When executing the **sys.dm_exec_requests** and **sys.dm_exec_sessions views**, if you have **VIEW DATABASE STATE** permission on the database, you see all executing sessions on the database; otherwise, you see only the current session.

-You can use the [sys.dm_db_resource_stats](/sql/relational-databases/system-dynamic-management-views/sys-dm-db-resource-stats-azure-sql-database) view in every database. The **sys.dm_db_resource_stats** view shows recent resource use data relative to the service tier. Average percentages for CPU, data IO, log writes, and memory are recorded every 15 seconds and are maintained for 1 hour.

-Because this view provides a more granular look at resource use, use **sys.dm_db_resource_stats** first for any current-state analysis or troubleshooting. For example, this query shows the average and maximum resource use for the current database over the past hour:

-The [sys.resource_stats](/sql/relational-databases/system-catalog-views/sys-resource-stats-azure-sql-database) view in the **master** database has additional information that can help you monitor the performance of your database at its specific service tier and compute size. The data is collected every 5 minutes and is maintained for approximately 14 days. This view is useful for a longer-term historical analysis of how your database uses resources.

-The database engine exposes consumed resource information for each active database in the **sys.resource_stats** view of the **master** database in each server. The data in the table is aggregated for 5-minute intervals. With the Basic, Standard, and Premium service tiers, the data can take more than 5 minutes to appear in the table, so this data is more useful for historical analysis rather than near-real-time analysis. Query the **sys.resource_stats** view to see the recent history of a database and to validate whether the reservation you chose delivered the performance you want when needed.

-> On Azure SQL Database, you must be connected to the **master** database to query **sys.resource_stats** in the following examples.

-The next example shows you different ways that you can use the **sys.resource_stats** catalog view to get information about how your database uses resources:

-2. To evaluate how well your workload fits the compute size, you need to drill down into each aspect of the resource metrics: CPU, reads, writes, number of workers, and number of sessions. Here's a revised query using **sys.resource_stats** to report the average and maximum values of these resource metrics:

-3. With this information about the average and maximum values of each resource metric, you can assess how well your workload fits into the compute size you chose. Usually, average values from **sys.resource_stats** give you a good baseline to use against the target size. It should be your primary measurement stick. For an example, you might be using the Standard service tier with S2 compute size. The average use percentages for CPU and IO reads and writes are below 40 percent, the average number of workers is below 50, and the average number of sessions is below 200. Your workload might fit into the S1 compute size. It's easy to see whether your database fits in the worker and session limits. To see whether a database fits into a lower compute size with regard to CPU, reads, and writes, divide the DTU number of the lower compute size by the DTU number of your current compute size, and then multiply the result by 100:

-You can get historical statistics on sessions by querying the [sys.resource_stats](/sql/relational-databases/system-catalog-views/sys-resource-stats-azure-sql-database) view and reviewing the **active_session_count** column.

-## See also

-In Premium and Business Critical service tiers, clients also receive an error message if combined storage consumption by data, transaction log, and tempdb for a single database or an elastic pool exceeds maximum local storage size. For more information, see [Storage space governance](#storage-space-governance).

-In rare cases, a sufficiently demanding workload may cause an insufficient memory condition, leading to out-of-memory errors. This can happen at any level of memory utilization between 0% and 100%. This is more likely to occur on smaller compute sizes that have proportionally smaller memory limits, and/or with workloads using more memory for query processing, such as in [dense elastic pools](elastic-pool-resource-management.md).

-For single databases, workload group limits are applied to all storage I/O against the database. For elastic pools, workload group limits apply to each database in the pool. Additionally, the resource pool limit additionally applies to the cumulative I/O of the elastic pool. Tempdb I/O is subject to workload group limits, with the exception of Basic, Standard, and General Purpose service tier, where higher tempdb I/O limits apply. In general, resource pool limits may not be achievable by the workload against a database (either single or pooled), because workload group limits are lower than resource pool limits and limit IOPS/throughput sooner. However, pool limits may be reached by the combined workload against multiple databases in the same pool.

-|`user_data_directory_space_usage_mb`|Current local storage consumption by data files, transaction log files, and tempdb files, in MB. Updated every five minutes.|

-> In Premium and Business Critical service tiers, if the workload attempts to increase combined local storage consumption by data files, transaction log files, and tempdb files over the **maximum local storage** limit, an out-of-space error will occur.

-Because all data is copied to local storage volumes on different machines, moving larger databases may require a substantial amount of time. During that time, if local space consumption by a database or an elastic pool, or by the tempdb database grows rapidly, the risk of running out of space increases. The system initiates database movement in a balanced fashion to minimize out-of-space errors while avoiding unnecessary failovers.

-Size limits for tempdb in Azure SQL Database depend on the purchasing and deployment model.

-To learn more, review tempdb size limits for:

-description: Provides steps to troubleshoot out of memory issues in Azure SQL Database

-In addition to the previous information, it may be helpful to capture a trace of the activities on the server to thoroughly investigate an out of memory issue in Azure SQL Database.

-There are two ways to capture traces in SQL Server; Extended Events (XEvents) and Profiler Traces. However, [SQL Server Profiler](/sql/tools/sql-server-profiler/sql-server-profiler) is deprecated trace technology not supported for Azure SQL Database. [Extended Events](/sql/relational-databases/extended-events/extended-events) is the newer tracing technology that allows more versatility and less impact to the observed system, and its interface is integrated into SQL Server Management Studio (SSMS).

-description: Provides PowerShell and Transact-SQL for a two-phase code sample that demonstrates the Event File target in an extended event on Azure SQL Database. Azure Storage is a required part of this scenario.

-# Event File target code for extended events in Azure SQL Database

-In Microsoft SQL Server, the [Event File target](/previous-versions/sql/sql-server-2016/ff878115(v=sql.130)) is used to store event outputs into a local hard drive file. But such files are not available to Azure SQL Database. Instead we use the Azure Storage service to support the Event File target.

-This topic presents a two-phase code sample:

- You can download the latest ssms.exe from:

- - Topic titled [Download SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms).

- - [A direct link to the download.](https://go.microsoft.com/fwlink/?linkid=616025)

- - The modules provide commands such as - **New-AzStorageAccount**.

-5. The script first starts a new window in which you log in to Azure.

-This PowerShell script assumes you have already installed the Az module. For information, see [Install the Azure PowerShell module](/powershell/azure/install-Az-ps).

-2. Connect to your database in Azure SQL Database.

-3. Click to open a new query pane.

-When the Transact-SQL script completes, click a cell under the **event_data_XML** column header. One **\<event>** element is displayed which shows one UPDATE statement.

- - No Azure Storage account need be involved.

-## More information

- If the workload doesn't have enough memory, the page life expectancy might drop, or the queries might get less memory than they need. In some cases, built-in intelligence in Query Optimizer will fix memory-related problems. See using DMVs to [identify memory grant issues](database/monitoring-with-dmvs.md#identify-memory-grant-wait-performance-issues). For more information and sample queries, see [Troubleshoot out of memory errors with Azure SQL Database](database/troubleshoot-memory-errors-issues.md).

-|[Audit management operations](../database/auditing-overview.md#auditing-of-microsoft-support-operations) | March 2021 | Azure SQL audit capabilities enable you to audit operations done by Microsoft support engineers when they need to access your SQL assets during a support request, enabling more transparency in your workforce. |

-|[Granular permissions for dynamic data masking](../database/dynamic-data-masking-overview.md)| March 2021 | Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. It's now possible to assign granular permissions for data that's been dynamically masked. To learn more, see [Dynamic data masking](../database/dynamic-data-masking-overview.md#permissions). |

-|[Machine Learning Service](machine-learning-services-overview.md) | March 2021 | Machine Learning Services is a feature of Azure SQL Managed Instance that provides in-database machine learning, supporting both Python and R scripts. The feature includes Microsoft Python and R packages for high-performance predictive analytics and machine learning. |

-| **Log Replay Service migration** | Use the Log Replay Service to migrate from SQL Server to Azure SQL Managed Instance. This feature is currently in preview. To learn more, see [Migrate with Log Replay Service](log-replay-service-migrate.md). |

-description: Learn how to migrate databases from SQL Server to SQL Managed Instance by using Log Replay Service

-This article explains how to manually configure database migration from SQL Server 2008-2019 to Azure SQL Managed Instance by using Log Replay Service (LRS), currently in public preview. LRS is a free of charge cloud service enabled for SQL Managed Instance based on SQL Server log-shipping technology.

-[Azure Database Migration Service](../../dms/tutorial-sql-server-to-managed-instance.md) and LRS use the same underlying migration technology and the same APIs. By releasing LRS, we're further enabling complex custom migrations and hybrid architectures between on-premises SQL Server and SQL Managed Instance.

-You might consider using LRS in the following cases:

-The migration consists of making database backups on SQL Server with `CHECKSUM` enabled, and copying backup files to Azure Blob Storage. Full, log, and differential backups are supported. LRS cloud service is used to restore backup files from Azure Blob Storage to SQL Managed Instance. Blob Storage is intermediary storage between SQL Server and SQL Managed Instance.

-LRS monitors Blob Storage for any new differential or log backups added after the full backup has been restored. LRS then automatically restores these new files. You can use the service to monitor the progress of backup files being restored on SQL Managed Instance, and you can stop the process if necessary.

-LRS does not require a specific naming convention for backup files. It scans all files placed on Blob Storage and constructs the backup chain from reading the file headers only. Databases are in a "restoring" state during the migration process. Databases are restored in [NORECOVERY](/sql/t-sql/statements/restore-statements-transact-sql#comparison-of-recovery-and-norecovery) mode, so they can't be used for reading or writing until the migration process is completed.

-You can start LRS in either *autocomplete* or *continuous* mode. When you start it in autocomplete mode, the migration will complete automatically when the last of the specified backup files has been restored. When you start LRS in continuous mode, the service will continuously restore any new backup files added, and the migration will complete on the manual cutover only.

-We recommend that you manually cut over after the final log-tail backup has been taken and is shown as restored on SQL Managed Instance. The final cutover step will make the database come online and available for read and write use on SQL Managed Instance.

-After LRS is stopped, either automatically through autocomplete, or manually through cutover, you can't resume the restore process for a database that was brought online on SQL Managed Instance. For example, once migration has been completed you are no longer able to restore additional differential backups for an online database on Managed Instance. To restore more backup files after the migration completes through autocomplete or cutover, you need to delete the database and perform the migration again from the scratch.

-| **1. Copy database backups from SQL Server to Blob Storage**. | Copy full, differential, and log backups from SQL Server to a Blob Storage container by using [AzCopy](../../storage/common/storage-use-azcopy-v10.md) or [Azure Storage Explorer](https://azure.microsoft.com/features/storage-explorer/). <br /><br />Use any file names. LRS doesn't require a specific file-naming convention.<br /><br />In migrating several databases, you need a separate folder for each database. |

-| **2. Start LRS in the cloud**. | You can restart the service with a choice of cmdlets: PowerShell ([start-azsqlinstancedatabaselogreplay](/powershell/module/az.sql/start-azsqlinstancedatabaselogreplay)) or Azure CLI ([az_sql_midb_log_replay_start cmdlets](/cli/azure/sql/midb/log-replay#az-sql-midb-log-replay-start)). <br /><br /> Start LRS separately for each database that points to a backup folder on Blob Storage. <br /><br /> After you start the service, it will take backups from the Blob Storage container and start restoring them on SQL Managed Instance.<br /><br /> If you started LRS in continuous mode, after all initially uploaded backups are restored, the service will watch for any new files uploaded to the folder. The service will continuously apply logs based on the log sequence number (LSN) chain until it's stopped. |

-| **2.1. Monitor the operation's progress**. | You can monitor progress of the restore operation with a choice of cmdlets: PowerShell ([get-azsqlinstancedatabaselogreplay](/powershell/module/az.sql/get-azsqlinstancedatabaselogreplay)) or Azure CLI ([az_sql_midb_log_replay_show cmdlets](/cli/azure/sql/midb/log-replay#az-sql-midb-log-replay-show)). |

-| **2.2. Stop the operation if needed**. | If you need to stop the migration process, you have a choice of cmdlets: PowerShell ([stop-azsqlinstancedatabaselogreplay](/powershell/module/az.sql/stop-azsqlinstancedatabaselogreplay)) or Azure CLI ([az_sql_midb_log_replay_stop](/cli/azure/sql/midb/log-replay#az-sql-midb-log-replay-stop)). <br /><br /> Stopping the operation will delete the database that you're restoring on SQL Managed Instance. After you stop an operation, you can't resume LRS for a database. You need to restart the migration process from the scratch. |

-| **3. Cut over to the cloud when you're ready**. | Stop the application and the workload. Take the last log-tail backup and upload it to Azure Blob Storage.<br /><br /> Complete the cutover by initiating an LRS `complete` operation with a choice of cmdlets: PowerShell ([complete-azsqlinstancedatabaselogreplay](/powershell/module/az.sql/complete-azsqlinstancedatabaselogreplay)) or Azure CLI [az_sql_midb_log_replay_complete](/cli/azure/sql/midb/log-replay#az-sql-midb-log-replay-complete). This operation will stop LRS and cause the database to come online for read and write use on SQL Managed Instance.<br /><br /> Repoint the application connection string from SQL Server to SQL Managed Instance. You will need to orchestrate this step yourself, either through a manual connection string change in your application, or automatically (for example, if your application can read the connection string from a property, or a database). |

-## Requirements for getting started

-### SQL Server side

-### Azure side

-## Steps to execute

-To manually make full, differential, and log backups of your database on local storage, use the following sample T-SQL scripts. Ensure that the `CHECKSUM` option is enabled, because it's mandatory for LRS.

-In migrating databases to a managed instance by using LRS, you can use the following approaches to upload backups to Blob Storage:

-If your corporate and network policies allow it, an alternative is to make backups from SQL Server directly to Blob Storage by using the SQL Server native [BACKUP TO URL](/sql/relational-databases/backup-restore/sql-server-backup-to-url) option. If you can pursue this option, you don't need to make backups on the local storage and upload them to Blob Storage.

-If migrating multiple databases using the same Azure Blob Storage container, you must place backup files for different databases in separate folders inside the container. All backup files for a single database must be placed in a flat-file structure inside a database folder, and there must not exist nested folders within as this structure is not supported.

-Azure Blob Storage is used as intermediary storage for backup files between SQL Server and SQL Managed Instance. You need to generate an SAS authentication token, with only list and read permissions, for LRS. The token will enable LRS to access Blob Storage and use the backup files to restore them on SQL Managed Instance.

-1. Open Storage Explorer from the Azure portal.

-4. Select the timeframe for token expiration. Ensure that the token is valid for the duration of your migration.

- > The time zone of the token and your managed instance might mismatch. Ensure that the SAS token has the appropriate time validity, taking time zones into consideration. If possible, set the time zone to an earlier and later time of your planned migration window.

- > Don't select any other permissions. If you do, LRS won't start. This security requirement is by design.

- > Using SAS tokens created with permissions set through defining a [stored access policy](/rest/api/storageservices/define-stored-access-policy.md) is not supported at this time. You will need to follow the instructions in this guide on manually specifying Read and List permissions for the SAS token.

-The first part, starting with `https://` until the question mark (`?`), is used for the `StorageContainerURI` parameter that's fed as in input to LRS. It gives LRS information about the folder where database backup files are stored.

-The second part, starting after the question mark (`?`) and going all the way until the end of the string, is the `StorageContainerSasToken` parameter. This part is the actual signed authentication token, which is valid for the duration of the specified time. This part does not necessarily need to start with `sp=` as shown in the example. Your case might differ.

-1. Copy the first part of the token, starting from `https://` all the way until the question mark (`?`). Use it as the `StorageContainerUri` parameter in PowerShell or the Azure CLI for starting LRS.

-2. Copy the second part of the token, starting after the question mark (`?`) all the way until the end of the string. Use it as the `StorageContainerSasToken` parameter in PowerShell or the Azure CLI for starting LRS.

-When you use autocomplete mode, the migration will complete automatically when the last of the specified backup files has been restored. This option requires the start command to specify the filename of the last backup file.

-When you use continuous mode, the service will continuously restore any new backup files that were added. The migration will complete on the manual cutover only.

-To start LRS in autocomplete mode, use the following PowerShell or Azure CLI commands. Specify the last backup file name by using the `-LastBackupName` parameter. Upon restoring the last of the specified backup files, the service will automatically initiate a cutover.

-Here's an example of starting LRS in autocomplete mode by using PowerShell:

-Here's an example of starting LRS in autocomplete mode by using the Azure CLI:

-Here's an example of starting LRS in continuous mode by using PowerShell:

-Here's an example of starting LRS in continuous mode by using the Azure CLI:

-PowerShell and CLI clients to start LRS in continuous mode are synchronous. This means that clients will wait for the API response to report on success or failure to start the job.

-> After you start LRS, any system-managed software patches are halted for 36 hours. After this window, the next automated software patch will automatically stop LRS. If that happens, you can't resume migration and need to restart it from scratch.

-## Monitor the migration progress

-To monitor the progress of the migration through PowerShell, use the following command:

-To monitor the progress of the migration through the Azure CLI, use the following command:

-If you need to stop the migration, use the following cmdlets. Stopping the migration will delete the restoring database on SQL Managed Instance, so resuming the migration won't be possible.

-If you started LRS in continuous mode, after you've ensured that all backups have been restored, initiating the cutover will complete the migration. After the cutover, the database will be migrated and ready for read and write access.

-## Functional limitations

-Functional limitations of LRS are:

-> If you require database to be R/O accessible during the migration, and if you require migration window larger than 36 hours, please consider an alternative online migrations solution [link feature for Managed Instance](managed-instance-link-feature-overview.md) providing such capability.

-After you start LRS, use the monitoring cmdlet (`get-azsqlinstancedatabaselogreplay` or `az_sql_midb_log_replay_show`) to see the status of the operation. If LRS fails to start after some time and you get an error, check for the most common issues:

-As customers modernize their infrastructure, application, and data tiers, they also modernize their identity management capabilities by shifting to Azure AD. Azure SQL offers multiple [Azure AD Authentication](../database/authentication-aad-overview.md) options:

-If you have not yet enabled Windows authentication for Azure AD principals against your managed instance, you may run a trace against a managed instance using an [Azure AD Authentication](../database/authentication-aad-overview.md) option, including:

-|Clients must be joined to AD. The domain must have a functional level of Windows Server 2012 or higher. | You can determine if the client is joined to AD by running the [dsregcmd command](../../active-directory/devices/troubleshoot-device-dsregcmd.md): `dsregcmd.exe /status` |

- If this is the first time you're configuring Azure AD Kerberos settings, the [Get-AzureAdKerberosServer cmdlet](/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#view-and-verify-the-azure-ad-kerberos-server) will display empty information, as in the following sample output:

- Run the [Set-AzureAdKerberosServer PowerShell cmdlet](/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#create-a-kerberos-server-object) to add the Trusted Domain Object. Be sure to include `-SetupCloudTrust` parameter. If there is no Azure AD service account, this command will create a new Azure AD service account. If there is an Azure AD service account already, this command will only create the requested Trusted Domain object.

-1. Identify your [Azure AD tenant ID](../../active-directory/fundamentals/active-directory-how-to-find-tenant.md).

-|Clients must be joined to Azure AD or Hybrid Azure AD. | You can determine if this prerequisite is met by running the [dsregcmd command](../../active-directory/devices/troubleshoot-device-dsregcmd.md): `dsregcmd.exe /status` |

-Customers should first implement [Azure AD Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md) to integrate on-premises directories with Azure AD.

-|Clients must be joined to Azure AD or Hybrid Azure AD. | You can determine if this prerequisite is met by running the [dsregcmd command](../../active-directory/devices/troubleshoot-device-dsregcmd.md): `dsregcmd.exe /status` |

-|Clients must be joined to AD. The domain must have a functional level of Windows Server 2012 or higher. | You can determine if the client is joined to AD by running the [dsregcmd command](../../active-directory/devices/troubleshoot-device-dsregcmd.md): `dsregcmd.exe /status` |

- - [NEW] Frame Patters (Only to Hebrew as of now).

-

-| **Language** | **Code** | **Transcription** | **LID* | **MLID** | **Translation** | **Customization** (Speech custom model) |

-|::|::|:--:|:-:|:-:|:-:|:-:|

-| Afrikaans | `af-ZA` | | | | Γ£ö | Γ£ö |

-* [portal](https://aka.ms/vi-portal-link) experience provided in the settings page

-* [widgets](video-indexer-embed-widgets.md), as provided in the language dropdown in the insights widget

-| **Language** | **Code** | **Web experience** | **Widgets experience** |

-|`widgets` | Strings separated by comma | Allows you to control the insights that you want to render.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?widgets=people,keywords` renders only people and keywords UI insights.<br/>Available options: people, animatedCharacters ,keywords, labels, sentiments, emotions, topics, keyframes, transcript, ocr, speakers, scenes, and namedEntities.|

-1. Sign into the jumpbox VM and extract the contents from the compressed file from the following [location](https://github.com/Azure/ArcOnAVS/releases). The extracted file contains the scripts to install the preview software.

- "resourceGroup": "test-rg ",

-We provide three custom roles to meet your Role-based access controls (RBACs). These roles can be applied to a whole subscription, resource group, or a single resource.

-> Customers need to ensure kubeconfig and SSH remain available as they will be required for log collection, appliance Upgrade, and credential rotation. These parameters will be required at the time of upgrade, log collection, and credential update scenarios.

-2. In the following window, you'll be given a choice to delete or retain the backup data. If you choose **Delete backup data** and then **Stop backup**, the VM backup won't be permanently deleted. Rather, the backup data will be retained for 14 days in the soft deleted state. If **Delete backup data** is chosen, a delete email alert is sent to the configured email ID informing the user that 14 days remain of extended retention for backup data. Also, an email alert is sent on the 12th day informing that there are two more days left to resurrect the deleted data. The deletion is deferred until the 15th day, when permanent deletion will occur and a final email alert is sent informing about the permanent deletion of the data.

-az ad sp create-for-rbac --name <servicePrincipalName> --role Contributor --password <yourSPStrongPassword>

-| English (United States) | `en-US` | Female | `en-US-JennyMultilingualNeural` | General，multi-lingual capabilities available [using SSML](speech-synthesis-markup.md#create-an-ssml-document) |

-> The `en-US-JennyNeuralMultilingual` voice supports multiple languages. Check the [voices list API](rest-text-to-speech.md#get-a-list-of-voices) for a supported languages list.

-All neural voices are multilingual. By default, they are fluent in their own language and English. You can adjust the speaking language per voice at the sentence level and word level by using the `<lang xml:lang>` element.

-The `en-US-JennyMultilingualNeural` neural voice is multilingual in 14 languages (For example: English, Spanish, and Chinese). The supported languages are provided in a table following the `<lang>` syntax and attribute definitions.

-| `lang` | Specifies the language that you want the voice to speak. Speaking different languages are voice specific. | Required if adjusting the speaking language for a neural voice. If you're using `lang xml:lang`, the locale must be provided. |

-az ad sp create-for-rbac --name <application-name> --role Contributor

-* Azure Synapse Analytics SQL Serverless pools can read all data, including the most recent updates, through views, which are updated automatically, or via `SELECT` together with the` OPENROWSET` commands, which always reads the latest status of the data.

-> Your transactional data will be synchronized to analytical store even if your transactional TTL is smaller than 2 minutes.

-For example, letΓÇÖs take the following sample document in the transactional store:

-The leaf property `streetNo` within the nested object `address` will be represented in the analytical store schema as a column `address.object.streetNo.int32`. The datatype is added as a suffix to the column. This way, if another document is added to the transactional store where the value of leaf property `streetNo` is "123" (note itΓÇÖs a string), the schema of the analytical store automatically evolves without altering the type of a previously written column. A new column added to the analytical store as `address.object.streetNo.string` where this value of "123" is stored.

-| Double | ".float64" | 24.99|

-| Array | ".array" | ["a", "b"]|

-|Binary | ".binary" |0|

-|Boolean | ".bool" |True|

-|Int32 | ".int32" |123|

-|Int64 | ".int64" |255486129307|

-|NULL | ".NULL" | NULL|

-|String| ".string" | "ABC"|

-|Timestamp | ".timestamp" | Timestamp(0, 0)|

-|DateTime |".date" | ISODate("2020-08-21T07:43:07.375Z")|

-|ObjectId |".objectId" | ObjectId("5f3f7b59330ec25c132623a2")|

-|Document |".object" | {"a": "a"}|

-* After the analytical store is enabled with an ATTL value, it can be updated to a different valid value later.

-* While TTTL can be set at the container or item level, ATTL can only be set at the container level currently.

-* You can achieve longer retention of your operational data in the analytical store by setting ATTL >= TTTL at the container level.

-* The analytical store can be made to mirror the transactional store by setting ATTL = TTTL.

-* If you have ATTL bigger than TTTL, at some point in time you'll have data that only exists in analytical store. This data is read only.

-Analytical store partitioning is completely independent of partitioning in the transactional store. By default, data in analytical store isn't partitioned. If your analytical queries have frequently used filters, you have the option to partition based on these fields for better query performance. To learn more, see the [introduction to custom partitioning](custom-partitioning-analytical-store.md) and [how to configure custom partitioning](configure-custom-partitioning.md) articles.

-Unlike Azure Cosmos DB, Apache Cassandra does not natively provide precisely defined consistency guarantees. Instead, Apache Cassandra provides a write consistency level and a read consistency level, to enable the high availability, consistency, and latency tradeoffs. When using Azure Cosmos DBΓÇÖs Cassandra API:

-## Multi-region writes vs Single-region writes

-The Azure Cosmos DB platform provides a set of five well-defined, business use-case oriented consistency settings with respect to replication and the tradeoffs defined by the [CAP theorem](https://en.wikipedia.org/wiki/CAP_theorem) and [PACLC theorem](https://en.wikipedia.org/wiki/PACELC_theorem). As this approach differs significantly from Apache Cassandra, we would recommend that you take time to review and understand Azure Cosmos DB consistency settings in our [documentation](../consistency-levels.md), or watch this short [video](https://www.youtube.com/watch?v=t1--kZjrG-o) guide to understanding consistency settings in the Azure Cosmos DB platform.

-Although the approaches to replication consistency in Apache Cassandra and Azure Cosmos DB are similar, it's important to understand how they are different. A [mapping document](apache-cassandra-consistency-mapping.md) compares Apache Cassandra and Azure Cosmos DB approaches to replication consistency. However, we highly recommend that you specifically review [Azure Cosmos DB consistency settings](../consistency-levels.md) or watch a brief [video guide to understanding consistency settings in the Azure Cosmos DB platform](https://www.youtube.com/watch?v=t1--kZjrG-o).

-📺 <B><a href="https://aka.ms/cosmos-db-video-explore-cosmos-db-apis" target="_blank">Video: Explore Azure Cosmos DB APIs</a></b>

-> [!NOTE]

-> Due to short-term capacity constraints, you need to register to enable Synapse Link on your existing containers. Depending on the pending requests, approving this request may take anywhere from a day to a week. Instructions to check the request status are provided below. This step is required once per subscription, and all new database accounts will also have this capability enabled. You need **contributor** or **administrator** Azure built-in roles on your subscription to be able to register your request to use the existing containers feature. If you have any issues or questions, please reach out to [cosmosdbsynapselink@microsoft.com](mailto:cosmosdbsynapselink@microsoft.com).

- Please note the following details when enabling Synapse Link on your existing containers:

-1. Sign in to the [Azure portal](https://portal.azure.com/) or the [Azure Cosmos DB Explorer](https://cosmos.azure.com/).

-2. Navigate to your Azure Cosmos DB account and open the **Synapse Link"** tab in the **Integrations** section. In this tab you can:

-3. Click **Register** to request approval for your subscription. To see the status of request, please come back to this same portal pane.

-4. When approved, you will see your accountΓÇÖs containers list and you will be able to select those that will have analytical store enabled.

-5. Optionally, you can go to the **Power BI** tab, in the **Integrations** section, to create Power BI dashboards on your Synapse Link enabled containers.

-Set the `analytical TTL` property to the required value to create an analytical store enabled container. For the list of allowed values, see the [analytical TTL supported values](analytical-store-introduction.md#analytical-ttl) article.

-Use the following steps to enable analytical store on an existing container by using Azure CLI. Set the `--analytical-storage-ttl` property to the required value in seconds or use `-1` for infinite retention. This setting can be changed later.

-* [Register for approval](/cli/azure/feature/registration) by using `az feature registration create --namespace Microsoft.DocumentDB --name AnalyticalStoreMigration`.

-* [Check the request status](/cli/azure/feature/registration) by using `az feature registration show --namespace Microsoft.DocumentDB --name AnalyticalStoreMigration`.

-* [Update Analytical ttl](/cli/azure/cosmosdb/sql/container#az-cosmosdb-sql-container-update) to `-1` after the request approval.

-Use the following steps to enable analytical store on an existing container by using PowerShell. Set the `-AnalyticalStorageTtl` property to the required value in seconds or use `-1` for infinite retention. This setting can be changed later.

-* [Register for approval](/powershell/module/az.resources/register-azproviderfeature) using `Register-AzProviderFeature -ProviderName "Microsoft.DocumentDB" -FeatureName "AnalyticalStoreMigration"`.

-* [Check the request status](/powershell/module/az.resources/get-azproviderfeature).

-* [Update Analytical ttl](/powershell/module/az.cosmosdb/update-azcosmosdbsqlcontainer) to `-1` after the request approval.

-📺 <B><a href="https://aka.ms/cosmos-db-video-consistency-levels" target="_blank">Video: Explore Consistency levels</a></b>

-📺 <B><a href="https://aka.ms/cosmos-db-video-continuous-backup-restore-intro" target="_blank">Video: Learn more about continuous backup and point-in-time restore</a></b>

-For example, if you have 1-TB of data in two regions then:

-📺 <B><a href="https://aka.ms/cosmos-db-video-overview-pricing-options" target="_blank">Video: Overview of Azure Cosmos DB pricing options</a></b>

-* **Azure Cosmos DB emulator**: Azure Cosmos DB emulator provides a local environment that emulates the Azure Cosmos DB service for development purposes. Emulator is offered at no cost and with high fidelity to the cloud service. Using Azure Cosmos DB emulator, you can develop and test your applications locally, without creating an Azure subscription or incurring any costs. You can develop your applications by using the emulator locally before going into production. After you are satisfied with the functionality of the application against the emulator, you can switch to using the Azure Cosmos DB account in the cloud and significantly save on cost. For more information about emulator, see [Using Azure Cosmos DB for development and testing](local-emulator.md) article for more details.

- * If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)

-📺 <B><a href="https://aka.ms/cosmos-db-video-what-is-cosmos-db" target="_blank">Video: What is Cosmos DB?</a></b>

-📺 <B><a href="https://aka.ms/cosmos-db-video-indexing-best-practices-mongodb-api" target="_blank">Video: Explore indexing best practices for the Azure Cosmos DB API for MongoDB</a></b>

-📺 <B><a href="https://aka.ms/cosmos-db-video-data-partitioning-best-practices" target="_blank">Video: Data partitioning best practices</a></b>

-## <a id="choose-partitionkey"></a>Choosing a partition key

-## Using item ID as the partition key

-📺 <B><a href="https://aka.ms/cosmos-db-video-what-is-request-unit" target="_blank">Video: What is a Request Unit?</a></b>

-The cost to do a point read (i.e. fetching a single item by its ID and partition key value) for a 1 KB item is 1 Request Unit (or 1 RU). All other database operations are similarly assigned a cost using RUs. No matter which API you use to interact with your Azure Cosmos container, costs are always measured by RUs. Whether the database operation is a write, point read, or query, costs are always measured in RUs.

-The type of Azure Cosmos account you're using determines the way consumed RUs get charged. There are 3 modes in which you can create an account:

-Your choice of [consistency model](consistency-levels.md) also affects the throughput. You can get approximately 2x read throughput for the more relaxed consistency levels (e.g., *session*, *consistent prefix* and *eventual* consistency) compared to stronger consistency levels (e.g., *bounded staleness* or *strong* consistency).

-> [!VIDEO https://www.youtube.com/embed/McZIQhZpvew?start=118]

-📺 <B><a href="https://aka.ms/cosmos-db-video-deploy-event-sourcing-solution-with-azure-functions-dotnet" target="_blank">Video: Deploy an event sourcing solution with Azure Functions + .NET in 7 minutes</a></b>

-In many cases, stream processing implementations first receive a high volume of incoming data into a temporary message queue such as Azure Event Hub or Apache Kafka. The change feed is a great alternative due to Azure Cosmos DB's ability to support a sustained high rate of data ingestion with guaranteed low read and write latency. The advantages of the Azure Cosmos DB change feed over a message queue include:

-Data written to Azure Cosmos DB will show up in the change feed and be retained until deleted. Message queues typically have a maximum retention period. For example, [Azure Event Hub](https://azure.microsoft.com/services/event-hubs/) offers a maximum data retention of 90 days.

- * If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

-Interested in watching a video about the solution before getting started, see the following video:

-> [!VIDEO https://www.youtube.com/embed/AYOiMkvxlzo]

-4. **Azure Function:** The Azure Function processes the new data and sends it to an [Azure Event Hub](../../event-hubs/event-hubs-about.md).

-5. **Event Hub:** The Azure Event Hub stores these events and sends them to [Azure Stream Analytics](../../stream-analytics/stream-analytics-introduction.md) to perform further analysis.

-Create the Azure resources - Azure Cosmos DB, Storage account, Event Hub, Stream Analytics required by the solution. You will deploy these resources through an Azure Resource Manager template. Use the following steps to deploy these resources:

-3. Provide values for cosmosdbaccount_name, eventhubnamespace_name, storageaccount_name, parameters as indicated in **parameters.json** file. You'll need to use the names that you give to each of your resources later.

-1. Go to [Azure portal](https://portal.azure.com/) and find the **Azure Cosmos DB Account** thatΓÇÖs created by the template deployment.

-1. Go to [Azure portal](https://portal.azure.com/) and find the **Azure Cosmos DB Account** thatΓÇÖs created by the template deployment.

-An Azure Event Hub receives the event data, stores, processes, and forwards the data. In this lab, the Azure Event Hub will receive a document every time a new event occurs (i.e. an item is viewed by a user, added to a user's cart, or purchased by a user) and then will forward that document to Azure Stream Analytics.

-1. Return to your resource group and open the **Event Hub Namespace** that you created and named in the prelab.

-When a new document is created, or a current document is modified in a Cosmos container, the change feed automatically adds that modified document to its history of collection changes. You will now build and run an Azure Function that processes the change feed. When a document is created or modified in the collection you created, the Azure Function will be triggered by the change feed. Then the Azure Function will send the modified document to the Event Hub.

-To see how change feed processes new actions on an e-commerce site, have to simulate data that represents users viewing items from the product catalog, adding those items to their carts, and purchasing the items in their carts. This data is arbitrary and for the purpose of replicating what data on an Ecommerce site would look like.

-Azure Stream Analytics is a fully managed cloud service for real-time processing of streaming data. In this lab, you will use stream analytics to process new events from the Event Hub (i.e. when an item is viewed, added to a cart, or purchased), incorporate those events into real-time data analysis, and send them into Power BI for visualization.

- * In the **Event Hub namespace** field, enter the name of your Event Hub Namespace that you created during the prelab.

-11. Now return to **streamjob1** and select the **Start** button at the top of the page. Azure Stream Analytics can take a few minutes to start up, but eventually you will see it change from "Starting" to "Running".

- The TOP 5 query calculates the top 5 items, ranked by the number of times that they have been purchased. This metric can help e-commerce companies evaluate which items are most popular and can influence the company's advertising, pricing, and inventory decisions.

- The UNIQUE VISITORS query calculates how many unique visitors are on the site every 5 seconds by detecting unique cart ID's. This metric can help e-commerce companies evaluate their site activity and strategize how to acquire more customers.

-You will now observe how you can use your new data analysis tool to connect with a real e-commerce site. In order to build the e-commerce site, use an Azure Cosmos database to store the list of product categories (Women's, Men's, Unisex), the product catalog, and a list of the most popular items.

-9. Within the `<appSettings>` block, add the **URI** and **PRIMARY KEY** that you saved earlier where indicated. Then add in your **database name** and **collection name** as indicated. (These names should be **changefeedlabdatabase** and **changefeedlabcollection** unless you chose to name yours differently.)

-10. Press **Start** at the top of the page to run the program.

-11. Now you can play around on the e-commerce site. When you view an item, add an item to your cart, change the quantity of an item in your cart, or purchase an item, these events will be passed through the Cosmos DB change feed to Event Hub, ASA, and then Power BI. We recommend continuing to run DataGenerator to generate significant web traffic data and provide a realistic set of "Hot Products" on the e-commerce site.

-📺 <B><a href="https://aka.ms/cosmos-db-video-data-modeling-best-practices" target="_blank">Video: Data modeling best practices</a></b>

-## Embedding data

-## Referencing data

-### How do I model many:many relationships?

-We've now looked at embedding (or denormalizing) and referencing (or normalizing) data which, each have their upsides and compromises as we've seen.

-It doesn't always have to be either or, don't be scared to mix things up a little.

-## Distinguishing between different document types

-While Azure Cosmos DB transactional store is considered row-oriented semi-structured data, analytical store has columnar and structured format. This conversion is automatically made for customers, using the schema inference rules described [here](../analytical-store-introduction.md). There are limits in the conversion process: maximum number of nested levels, maximum number of properties, unsupported data types, and more.

- * Data tiering since analytical ttl (attl) is independent from transactional ttl (tttl). You can keep your transactional data in transactional store for a few days, weeks, months, and keep the data in analytical store for years or for ever. Analytical store columnar format brings a natural data compression, from 50% up to 90%. And its cost per GB is ~10% of transactional store actual price. Please check the [analytical store overview](../analytical-store-introduction.md) to read about the current backup limitations.

-description: Use this Power BI tutorial to import JSON, create insightful reports, and visualize data using the Azure Cosmos DB and Power BI connector.

-# Visualize Azure Cosmos DB data by using the Power BI connector

-[Power BI](https://powerbi.microsoft.com/) is an online service where you can create and share dashboards and reports. Power BI Desktop is a report authoring tool that enables you to retrieve data from various data sources. Azure Cosmos DB is one of the data source that you can use with Power BI Desktop. You can connect Power BI Desktop to Azure Cosmos DB account with the Azure Cosmos DB connector for Power BI. After you import Azure Cosmos DB data to Power BI, you can transform it, create reports, and publish the reports to Power BI.

-Another option is to create near real-time reports using [Azure Synapse Link for Azure Cosmos DB](../synapse-link.md). With Azure Synapse Link, you can connect Power BI to analyze your Azure Cosmos DB data, with no performance or cost impact to your transactional workloads, and no ETL pipelines. You can use either [DirectQuery](/power-bi/connect-dat).

-This article describes the steps required to connect Azure Cosmos DB account to Power BI Desktop. After connecting, you navigate to a collection, extract the data, transform the JSON data into tabular format, and publish a report to Power BI.

-> The Power BI connector for Azure Cosmos DB connects to Power BI Desktop. Reports created in Power BI Desktop can be published to PowerBI.com. Direct extraction of Azure Cosmos DB data cannot be performed from PowerBI.com.

-> [!NOTE]

-> Connecting to Azure Cosmos DB with the Power BI connector is currently supported for Azure Cosmos DB SQL API and Gremlin API accounts only.

-> [!NOTE]

-> Creating near real-time Power BI dashboards using Azure Synapse Link is currently supported for Azure Cosmos DB SQL API and Azure Cosmos DB API for MongoDB.

-* Download the [sample volcano data](https://github.com/Azure-Samples/azure-cosmos-db-sample-data/blob/main/SampleData/VolcanoData.json) from GitHub.

-* [Create an Azure Cosmos database account](create-cosmosdb-resources-portal.md#create-an-azure-cosmos-db-account) and import the volcano data by using the [Azure Cosmos DB data migration tool](../import-data.md). When importing data, consider the following settings for the source and destinations in the data migration tool:

- * **Source parameters**

- * **Import from:** JSON file(s)

- * **Target parameters**

- * **Connection string:** `AccountEndpoint=<Your_account_endpoint>;AccountKey=<Your_primary_or_secondary_key>;Database= <Your_database_name>`

- * **Partition key:** /Country

- * **Collection Throughput:** 1000

-In this tutorial, let's imagine that you are a geologist studying volcanoes around the world. The volcano data is stored in an Azure Cosmos DB account and the JSON document format is as follows:

-```json

-{

- "Volcano Name": "Rainier",

- "Country": "United States",

- "Region": "US-Washington",

- "Location": {

- "type": "Point",

- "coordinates": [

- -121.758,

- 46.87

- ]

- },

- "Elevation": 4392,

- "Type": "Stratovolcano",

- "Status": "Dendrochronology",

- "Last Known Eruption": "Last known eruption from 1800-1899, inclusive"

-}

-```

-You will retrieve the volcano data from the Azure Cosmos DB account and visualize data in an interactive Power BI report.

-1. Run Power BI Desktop.

-2. You can **Get Data**, see **Recent Sources**, or **Open Other Reports** directly from the welcome screen. Select the "X" at the top right corner to close the screen. The **Report** view of Power BI Desktop is displayed.

-

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbireportview.png" alt-text="Power BI Desktop Report View - Power BI connector":::

-3. Select the **Home** ribbon, then click on **Get Data**. The **Get Data** window should appear.

-4. Click on **Azure**, select **Azure Cosmos DB (Beta)**, and then click **Connect**.

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbigetdata.png" alt-text="Power BI Desktop Get Data - Power BI connector":::

-5. On the **Preview Connector** page, click **Continue**. The **Azure Cosmos DB** window appears.

-6. Specify the Azure Cosmos DB account endpoint URL you would like to retrieve the data from as shown below, and then click **OK**. To use your own account, you can retrieve the URL from the URI box in the **Keys** blade of the Azure portal. Optionally you can provide the database name, collection name or use the navigator to select the database and collection to identify where the data comes from.

-

-7. If you are connecting to this endpoint for the first time, you are prompted for the account key. For your own account, retrieve the key from the **Primary Key** box in the **Read-only Keys** blade of the Azure portal. Enter the appropriate key and then click **Connect**.

-

- We recommend that you use the read-only key when building reports. This prevents unnecessary exposure of the primary key to potential security risks. The read-only key is available from the **Keys** blade of the Azure portal.

-

-8. When the account is successfully connected, the **Navigator** pane appears. The **Navigator** shows a list of databases under the account.

-9. Click and expand on the database where the data for the report comes from, select ``volcanodb`` (your database name can be different).

-10. Now, select a collection that contains the data to retrieve, select **volcano1** (your collection name can be different).

-

- The Preview pane shows a list of **Record** items. A Document is represented as a **Record** type in Power BI. Similarly, a nested JSON block inside a document is also a **Record**.

-

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbinavigator.png" alt-text="Power BI tutorial for Azure Cosmos DB Power BI connector - Navigator window":::

-12. Click **Edit** to launch the Query Editor in a new window to transform the data.

-## Flattening and transforming JSON documents

-1. Switch to the Power BI Query Editor window, where the **Document** column in the center pane.

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbiqueryeditor.png" alt-text="Power BI Desktop Query Editor":::

-1. Click on the expander at the right side of the **Document** column header. The context menu with a list of fields will appear. Select the fields you need for your report, for instance, Volcano Name, Country, Region, Location, Elevation, Type, Status and Last Know Eruption. Uncheck the **Use original column name as prefix** box, and then click **OK**.

-

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbiqueryeditorexpander.png" alt-text="Power BI tutorial for Azure Cosmos DB Power BI connector - Expand documents":::

-1. The center pane displays a preview of the result with the fields selected.

-

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbiresultflatten.png" alt-text="Power BI tutorial for Azure Cosmos DB Power BI connector - Flatten results":::

-1. In our example, the Location property is a GeoJSON block in a document. As you can see, Location is represented as a **Record** type in Power BI Desktop.

-1. Click on the expander at the right side of the Document.Location column header. The context menu with type and coordinates fields appear. Let's select the coordinates field, ensure **Use original column name as prefix** is not selected, and click **OK**.

-

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbilocationrecord.png" alt-text="Power BI tutorial for Azure Cosmos DB Power BI connector - Location record":::

-1. The center pane now shows a coordinates column of **List** type. As shown at the beginning of the tutorial, the GeoJSON data in this tutorial is of Point type with Latitude and Longitude values recorded in the coordinates array.

-

- The coordinates[0] element represents Longitude while coordinates[1] represents Latitude.

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbiresultflattenlist.png" alt-text="Power BI tutorial for Azure Cosmos DB Power BI connector - Coordinates list":::

-1. To flatten the coordinates array, create a **Custom Column** called LatLong. Select the **Add Column** ribbon and click on **Custom Column**. The **Custom Column** window appears.

-1. Provide a name for the new column, e.g. LatLong.

-1. Next, specify the custom formula for the new column. For our example, we will concatenate the Latitude and Longitude values separated by a comma as shown below using the following formula: `Text.From([coordinates]{1})&","&Text.From([coordinates]{0})`. Click **OK**.

-

- For more information on Data Analysis Expressions (DAX) including DAX functions, please visit [DAX Basics in Power BI Desktop](/power-bi/desktop-quickstart-learn-dax-basics).

-

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbicustomlatlong.png" alt-text="Power BI tutorial for Azure Cosmos DB Power BI connector - Add Custom Column":::

-1. Now, the center pane shows the new LatLong columns populated with the values.

-

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbicolumnlatlong.png" alt-text="Power BI tutorial for Azure Cosmos DB Power BI connector - Custom LatLong column":::

-

- If you receive an Error in the new column, make sure that the applied steps under Query Settings match the following figure:

- :::image type="content" source="./media/powerbi-visualize/power-bi-applied-steps.png" alt-text="Applied steps should be Source, Navigation, Expanded Document, Expanded Document.Location, Added Custom":::

-

- If your steps are different, delete the extra steps and try adding the custom column again.

-1. Click **Close and Apply** to save the data model.

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_pbicloseapply.png" alt-text="Power BI tutorial for Azure Cosmos DB Power BI connector - Close & Apply":::

-<a id="build-the-reports"></a>

-## Build the reports

-Power BI Desktop Report view is where you can start creating reports to visualize data. You can create reports by dragging and dropping fields into the **Report** canvas.

-In the Report view, you should find:

-1. The **Fields** pane, this is where you can see a list of data models with fields you can use for your reports.

-1. The **Visualizations** pane. A report can contain a single or multiple visualizations. Pick the visual types fitting your needs from the **Visualizations** pane.

-1. The **Report** canvas, this is where you build the visuals for your report.

-1. The **Report** page. You can add multiple report pages in Power BI Desktop.

-The following shows the basic steps of creating a simple interactive Map view report.

-1. For our example, we will create a map view showing the location of each volcano. In the **Visualizations** pane, click on the Map visual type as highlighted in the screenshot above. You should see the Map visual type painted on the **Report** canvas. The **Visualization** pane should also display a set of properties related to the Map visual type.

-1. Now, drag and drop the LatLong field from the **Fields** pane to the **Location** property in **Visualizations** pane.

-1. Next, drag and drop the Volcano Name field to the **Legend** property.

-1. Then, drag and drop the Elevation field to the **Size** property.

-1. You should now see the Map visual showing a set of bubbles indicating the location of each volcano with the size of the bubble correlating to the elevation of the volcano.

-1. You now have created a basic report. You can further customize the report by adding more visualizations. In our case, we added a Volcano Type slicer to make the report interactive.

-

-1. On the File menu, click **Save** and save the file as PowerBITutorial.pbix.

-## Publish and share your report

-To share your report, you must have an account in PowerBI.com.

-1. In the Power BI Desktop, click on the **Home** ribbon.

-1. Click **Publish**. You are be prompted to enter the user name and password for your PowerBI.com account.

-1. Once the credential has been authenticated, the report is published to your destination you selected.

-1. Click **Open 'PowerBITutorial.pbix' in Power BI** to see and share your report on PowerBI.com.

- :::image type="content" source="./media/powerbi-visualize/power_bi_connector_open_in_powerbi.png" alt-text="Publishing to Power BI Success! Open tutorial in Power BI":::

-## Create a dashboard in PowerBI.com

-Now that you have a report, lets share it on PowerBI.com

-When you publish your report from Power BI Desktop to PowerBI.com, it generates a **Report** and a **Dataset** in your PowerBI.com tenant. For example, after you published a report called **PowerBITutorial** to PowerBI.com, you will see PowerBITutorial in both the **Reports** and **Datasets** sections on PowerBI.com.

- :::image type="content" source="./media/powerbi-visualize/powerbi-reports-datasets.png" alt-text="Screenshot of the new Report and Dataset in PowerBI.com":::

-To create a sharable dashboard, click the **Pin Live Page** button on your PowerBI.com report.

- :::image type="content" source="./media/powerbi-visualize/power-bi-pin-live-tile.png" alt-text="Screenshot of how to pin a report to PowerBI.com":::

-Then follow the instructions in [Pin a tile from a report](https://powerbi.microsoft.com/documentation/powerbi-service-pin-a-tile-to-a-dashboard-from-a-report/#pin-a-tile-from-a-report) to create a new dashboard.

-You can also do ad hoc modifications to report before creating a dashboard. However, it's recommended that you use Power BI Desktop to perform the modifications and republish the report to PowerBI.com.

-## Refresh data in PowerBI.com

-There are two ways to refresh data, ad hoc and scheduled.

-For an ad hoc refresh, simply click **Refresh Now** to refresh the data.

-For a scheduled refresh, do the following.

-1. Go to **Settings** and open the **Datasets** tab.

-2. Click on **Scheduled Refresh** and set your schedule.

-* An Azure Functions trigger for Cosmos DB can be used with an output binding to a different Azure Cosmos container. After a function performs an action on an item in the change feed you can write it to another container (writing it to the same container it came from would effectively create a recursive loop). Or, you can use an Azure Functions trigger for Cosmos DB to effectively migrate all changed items from one container to a different container, with the use of an output binding.

-4. This data is then stored in an Azure Cosmos DB which can then be easily retrieved by any front-end application that shows the new user their connected friends.

- >[!VIDEO https://www.youtube.com/embed/iprndNsUeeg]

-* [An Azure Web Site with a Java runtime environment (e.g. Tomcat or Jetty) enabled.](../../app-service/quickstart-java.md)

-1. First, we'll start off by creating a Java project. Start Eclipse, then click **File**, click **New**, and then click **Dynamic Web Project**. If you don't see **Dynamic Web Project** listed as an available project, do the following: click **File**, click **New**, click **Project**…, expand **Web**, click **Dynamic Web Project**, and click **Next**.

-1. Enter a project name in the **Project name** box, and in the **Target Runtime** drop-down menu, optionally select a value (e.g. Apache Tomcat v7.0), and then click **Finish**. Selecting a target runtime enables you to run your project locally through Eclipse.

-1. In Eclipse, in the Project Explorer view, expand your project. Right-click **WebContent**, click **New**, and then click **JSP File**.

-1. In the **New JSP File** dialog box, name the file **index.jsp**. Keep the parent folder as **WebContent**, as shown in the following illustration, and then click **Next**.

-1. In the **Select JSP Template** dialog box, for the purpose of this tutorial select **New JSP File (html)**, and then click **Finish**.

-1. If you set a target runtime in step 2, you can click **Project** and then **Run** to run your JSP application locally:

-1. Right-click your project in the Project Explorer, click **Configure**, click **Convert to Maven Project**.

-1. In the **Create new POM** window, accept the defaults, and click **Finish**.

-1. On the **Dependencies** tab, in the **Dependencies** pane, click **Add**.

-1. Click **OK** and Maven will install the SQL Java SDK or save the pom.xml file.

-1. To invoke the Azure Cosmos DB service, you must instantiate a new `cosmosClient` object. In general, it is best to reuse the `cosmosClient` object rather than constructing a new client for each subsequent request. You can reuse the client by defining it within the `cosmosClientFactory` class. Update the HOST and MASTER_KEY values that you saved in [step 1](#CreateDB). Replace the HOST variable with with your URI and replace the MASTER_KEY with your PRIMARY KEY. Use the following code to create the `CosmosClientFactory` class within the *CosmosClientFactory.java* file:

-Add the *TodoItemController* controller to your application. In this project, you are using [Project Lombok](https://projectlombok.org/) to generate the constructor, getters, setters, and a builder. Alternatively, you can write this code manually or have the IDE generate it.:

-## <a id="Wire"></a>Wire the rest of the of Java app together

-1. To export your application as a WAR file, right-click on your project in **Project Explorer**, click **Export**, and then click **WAR File**.

- * Click **Finish**.

-1. In Eclipse, on the **File** menu, click **Import**.

-1. In the **Import** window, click **Git**, click **Projects from Git**, and then click **Next**.

-1. On the **Select Repository Source** screen, click **Clone URI**.

-1. On the **Source Git Repository** screen, in the **URI** box, enter https://github.com/Azure-Samples/azure-cosmos-java-sql-api-todo-app, and then click **Next**.

-1. On the **Branch Selection** screen, ensure that **main** is selected, and then click **Next**.

-1. On the **Local Destination** screen, click **Browse** to select a folder where the repository can be copied, and then click **Next**.

-1. On the **Select a wizard to use for importing projects** screen, ensure that **Import existing projects** is selected, and then click **Next**.

-1. On the **Import Projects** screen, unselect the **DocumentDB** project, and then click **Finish**. The DocumentDB project contains the Azure Cosmos DB Java SDK, which we will add as a dependency instead.

-1. In **Project Explorer**, right-click the **azure-cosmos-java-sample**, click **Build Path**, and then click **Configure Build Path**.

-1. On the **Java Build Path** screen, in the right pane, select the **Libraries** tab, and then click **Add External JARs**. Navigate to the location of the lombok.jar file, and click **Open**, and then click **OK**.

-1. Use step 12 to open the **Properties** window again, and then in the left pane click **Targeted Runtimes**.

-1. On the **Targeted Runtimes** screen, click **New**, select **Apache Tomcat v7.0**, and then click **OK**.

-1. Use step 12 to open the **Properties** window again, and then in the left pane click **Project Facets**.

-1. On the **Project Facets** screen, select **Dynamic Web Module** and **Java**, and then click **OK**.

-1. On the **Servers** tab at the bottom of the screen, right-click **Tomcat v7.0 Server at localhost** and then click **Add and Remove**.

-1. On the **Add and Remove** window, move **azure-cosmos-java-sample** to the **Configured** box, and then click **Finish**.

-1. In the **Servers** tab, right-click **Tomcat v7.0 Server at localhost**, and then click **Restart**.

-* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

-|**API documentation** |[Java API reference documentation](/java/api/com.microsoft.azure.cosmosdb.rx.asyncdocumentclient) |

-|**Contribute to SDK** | [GitHub](https://github.com/Azure/azure-cosmosdb-java) |

-|**Get started** | [Get started with the Async Java SDK](https://github.com/Azure-Samples/azure-cosmos-db-sql-api-async-java-getting-started) |

-|**Code sample** | [GitHub](https://github.com/Azure/azure-cosmosdb-java#usage-code-sample)|

-|**SDK download**| [Maven](https://mvnrepository.com/artifact/com.azure/azure-spring-data-cosmos) |

-|**API documentation** | [Java API reference documentation](/java/api/overview/azure/spring-data-cosmos-readme?view=azure-java-stable&preserve-view=true) |

-|**Contribute to SDK** | [Azure SDK for Java Central Repo on GitHub](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/cosmos/azure-spring-data-cosmos) |

-|**Get started** | [Quickstart: Build a Spring Data Azure Cosmos DB app to manage Azure Cosmos DB SQL API data](./create-sql-api-spring-data.md) <br> [GitHub repo with quickstart code](https://github.com/Azure-Samples/azure-spring-data-cosmos-java-sql-api-getting-started) |

-|**Basic code samples** | [Azure Cosmos DB: Spring Data Azure Cosmos DB examples for the SQL API](sql-api-spring-data-sdk-samples.md) <br> [GitHub repo with sample code](https://github.com/Azure-Samples/azure-spring-data-cosmos-java-sql-api-samples)|

-|**SDK download**| [Maven](https://mvnrepository.com/artifact/com.azure/azure-cosmos) |

-|**API documentation** | [Java API reference documentation](https://azuresdkdocs.blob.core.windows.net/$web/java/azure-cosmos/latest/https://docsupdatetracker.net/index.html) |

-|**Contribute to SDK** | [Azure SDK for Java Central Repo on GitHub](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/cosmos/azure-cosmos) |

-|**Get started** | [Quickstart: Build a Java app to manage Azure Cosmos DB SQL API data](./create-sql-api-java.md) <br> [GitHub repo with quickstart code](https://github.com/Azure-Samples/azure-cosmos-java-getting-started) |

-|**Basic code samples** | [Azure Cosmos DB: Java examples for the SQL API](sql-api-java-sdk-samples.md) <br> [GitHub repo with sample code](https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples)|

-|**Console app with Change Feed**| [Change feed - Java SDK v4 sample](create-sql-api-java-changefeed.md) <br> [GitHub repo with sample code](https://github.com/Azure-Samples/azure-cosmos-java-sql-app-example)|

-|**Web app sample**| [Build a web app with Java SDK v4](sql-api-java-application.md) <br> [GitHub repo with sample code](https://github.com/Azure-Samples/azure-cosmos-java-sql-api-todo-app)|

-In this article, you will read data from a sample data source and import it into an Azure Cosmos container.

-Open the Windows command prompt or a Terminal window from your local computer. You will run all the commands in the next sections from the command prompt or terminal. Run the following dotnet new command to create a new app with the name *bulk-import-demo*.

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. Navigate to your Azure Cosmos account.

-1. Open the **Keys** pane and copy the **URI** and **PRIMARY KEY** of your account.

-If you are using the Azure Cosmos DB Emulator, obtain the [emulator credentials from this article](../local-emulator.md#authenticate-requests).

-Open the generated `Program.cs` file in a code editor. You will create a new instance of CosmosClient with bulk execution enabled and use it to do operations against Azure Cosmos DB.

-Let's start by overwriting the default `Main` method and defining the global variables. These global variables will include the endpoint and authorization keys, the name of the database, container that you will create, and the number of items that you will be inserting in bulk. Make sure to replace the endpointURL and authorization key values according to your environment.

-LetΓÇÖs start by using "Bogus" data to generate a list of items from our data model. In a real-world application, the items would come from your desired data source.

-* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

-> [!VIDEO https://www.youtube.com/embed/CgYQo6uHyt0]

-(these examples are not accounting for the storage cost, which is the same between the two modes)

-📺 <B><a href="https://aka.ms/cosmos-db-video-top-cosmos-db-use-cases" target="_blank">Video: Top Azure Cosmos DB use cases</a></b>

-For a sample IoT solution using Azure Cosmos DB, EventHubs and Storm, see the [hdinsight-storm-examples repository on GitHub](https://github.com/hdinsight/hdinsight-storm-examples/).

-**Enable change data capture (Preview):** If true, you will get new or changed files only from the last run. Initial load of full snapshot data will always be gotten in the first run, followed by capturing new or changed files only in next runs. For more details, see [Change data capture (preview)](#change-data-capture-preview).

-| servicePrincipalCredential | The service principal credential. <br/> When you use **ServicePrincipalKey** as the credential type, specify the the application's key. Mark this field as **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). <br/> When you use **ServicePrincipalCert** as the credential, reference a certificate in Azure Key Vault. | Yes |

-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure Active Directory application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the the service's cloud environment is used. | No |

-**Enable change data capture (Preview):** If true, you will get new or changed files only from the last run. Initial load of full snapshot data will always be gotten in the first run, followed by capturing new or changed files only in next runs. For more details, see [Change data capture (preview)](#change-data-capture-preview).

-description: Learn how to copy data from and to SFTP server by using Azure Data Factory and Azure Synapse Analytics pipelines.

-# Copy data from and to the SFTP server using Azure Data Factory or Azure Synapse Analytics

-This article outlines how to copy data from and to the secure FTP (SFTP) server. To learn more read the introductory article for [Azure Data Factory](introduction.md) or [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md).

-In mapping data flows, you can read and write to avro format in the following data stores: [Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md#mapping-data-flow-properties) and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#mapping-data-flow-properties), and you can read avro format in [Amazon S3](connector-amazon-simple-storage-service.md#mapping-data-flow-properties).

-In mapping data flows, you can read and write to delimited text format in the following data stores: [Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md#mapping-data-flow-properties) and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#mapping-data-flow-properties), and you can read delimited text format in [Amazon S3](connector-amazon-simple-storage-service.md#mapping-data-flow-properties).

-In mapping data flows, you can read Excel format in the following data stores: [Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#mapping-data-flow-properties), and [Amazon S3](connector-amazon-simple-storage-service.md#mapping-data-flow-properties). You can point to Excel files either using Excel dataset or using an [inline dataset](data-flow-source.md#inline-datasets).

-In [mapping data flows](concepts-data-flow-overview.md), you can read and write to JSON format in the following data stores: [Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md#mapping-data-flow-properties) and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#mapping-data-flow-properties), and you can read JSON format in [Amazon S3](connector-amazon-simple-storage-service.md#mapping-data-flow-properties).

-In mapping data flows, you can read and write to ORC format in the following data stores: [Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md#mapping-data-flow-properties) and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#mapping-data-flow-properties), and you can read ORC format in [Amazon S3](connector-amazon-simple-storage-service.md#mapping-data-flow-properties).

-In mapping data flows, you can read and write to parquet format in the following data stores: [Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md#mapping-data-flow-properties) and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#mapping-data-flow-properties), and you can read parquet format in [Amazon S3](connector-amazon-simple-storage-service.md#mapping-data-flow-properties).

-In mapping data flows, you can read XML format in the following data stores: [Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md#mapping-data-flow-properties), [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#mapping-data-flow-properties), and [Amazon S3](connector-amazon-simple-storage-service.md#mapping-data-flow-properties). You can point to XML files either using XML dataset or using an [inline dataset](data-flow-source.md#inline-datasets).

-

-2. Select **Trigger** on the menu, then select **New/Edit**.

-1. On the **Add Triggers** page, select **Choose trigger...**, then select **+New**.

-1. On the **New Trigger** page, do the following steps:

- 1. Specify the time zone that the trigger will be created in. The time zone setting will apply to **Start Date**, **End Date**, and **Schedule Execution Times** in Advanced recurrence options. Changing Time Zone setting will not automatically change your start date. Make sure the Start Date is correct in the specified time zone. Please note that Scheduled Execution time of Trigger will be considered post the Start Date (Ensure Start Date is atleast 1minute lesser than the Execution time else it will trigger pipeline in next recurrence).

- > For time zones that observe daylight saving, trigger time will auto-adjust for the twice a year change. To opt out of the daylight saving change, please select a time zone that does not observe daylight saving, for instance UTC

- 1. Specify **Recurrence** for the trigger. Select one of the values from the drop-down list (Every minute, Hourly, Daily, Weekly, and Monthly). Enter the multiplier in the text box. For example, if you want the trigger to run once for every 15 minutes, you select **Every Minute**, and enter **15** in the text box.

-1. In the **New Trigger** window, select **Yes** in the **Activated** option, then select **OK**. You can use this checkbox to deactivate the trigger later.

-1. Switch to the **Pipeline runs** tab on the left, then select **Refresh** to refresh the list. You will see the pipeline runs triggered by the scheduled trigger. Notice the values in the **Triggered By** column. If you use the **Trigger Now** option, you will see the manual trigger run in the list.

-

-9. Switch to the **Trigger Runs** \ **Schedule** view.

-

-| **Anomalous pod deployment (Preview)**<br>(K8S_AnomalousPodDeployment) | Kubernetes audit log analysis detected pod deployment which is anomalous based on previous pod deployment activity. This activity is considered an anomaly when taking into account how the different features seen in the deployment operation are in relations to one another. The features monitored include the container image registry used, the account performing the deployment, day of the week, how often this account performs pod deployments, user agent used in the operation, whether this is a namespace to which pod deployments often occur, and other features. Top contributing reasons for raising this alert as anomalous activity are detailed under the alertΓÇÖs extended properties. | Execution | Medium |

-| **CoreDNS modification in Kubernetes detected**<br>(K8S_CoreDnsModification) ^{[1](#footnote1)} | Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the clusterΓÇÖs DNS server and poison it. | Lateral Movement | Low |

-| **Creation of admission webhook configuration detected**<br>(K8S_AdmissionController) ^{[2](#footnote2)}| Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook). | Credential Access, Persistence | Low |

-| **Excessive role permissions assigned in Kubernetes cluster (Preview)**<br>(K8S_ServiceAcountPermissionAnomaly) | Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. The listed permissions for the assigned roles are uncommon to the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Microsoft Defender for Cloud. | Privilege Escalation | Low |

-| **Exposed Kubeflow dashboard detected**<br>(K8S_ExposedKubeflow) ^{[2](#footnote2)} | The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster. Find more details in the following article: https://aka.ms/exposedkubeflow-blog | Initial Access | Medium |

-| **Exposed Kubernetes dashboard detected**<br>(K8S_ExposedDashboard) ^{[2](#footnote2)}| Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboard allows an unauthenticated access to the cluster management and poses a security threat. | Initial Access | High |

-| **Exposed Kubernetes service detected**<br>(K8S_ExposedService) ^{[2](#footnote2)} | The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers. In some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk. | Initial Access | Medium |

-| **Indicators associated with DDOS toolkit detected (Preview)**<br>(K8S.NODE_KnownLinuxDDoSToolkit) | Analysis of processes running within a container detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services, and taking full control over the infected system. This could also possibly be legitimate activity. | Persistence, LateralMovement, Execution, Exploitation | Medium |

-| **K8S API requests from proxy IP address detected**<br>(K8S_TI_Proxy) ^{[2](#footnote2)}| Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP. | Execution | Low |

-| **Kubernetes events deleted**<br>(K8S_DeleteEvents) ^{[1](#footnote1)} ^{[2](#footnote2)} | Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster. | Defense Evasion | Low |

-| **Kubernetes penetration testing tool detected**<br>(K8S_PenTestToolsKubeHunter) ^{[2](#footnote2)} | Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes. | Execution | Low |

-| **New container in the kube-system namespace detected**<br>(K8S_KubeSystemContainer) ^{[2](#footnote2)}| Kubernetes audit log analysis detected a new container in the kube-system namespace that isnΓÇÖt among the containers that normally run in this namespace. The kube-system namespaces should not contain user resources. Attackers can use this namespace for hiding malicious components. | Persistence | Low |

-| **New high privileges role detected**<br>(K8S_HighPrivilegesRole) ^{[2](#footnote2)}| Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster. | Persistence | Low |

-| **Role binding to the cluster-admin role detected**<br>(K8S_ClusterAdminBinding) ^{[2](#footnote2)} | Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster. | Persistence | Low |

-^{<a name="footnote2"></a>2}: This alert is supported by Windows.

-With this feature, you can add your own *custom* initiatives. You'll then receive recommendations if your environment doesn't follow the policies you create. Any custom initiatives you create will appear alongside the built-in initiatives in the regulatory compliance dashboard, as described in the tutorial [Improve your regulatory compliance](regulatory-compliance-dashboard.md).

-This example shows you how to assign the built-in Defender for Cloud initiative on a subscription or management group

-|Brand |Protocols |

-|Brand |Protocols |

-Both examples can be implemented with new properties: a `drawingId` property that associates the 3D drawing with the digital twin and an "online" property that indicates whether the conference room is online or not.

-To extend the industry ontology, you create your own interfaces that extend from the interfaces in the industry ontology and add the new capabilities to your extended interfaces. For each interface that you want to extend, you create a new interface. The extended interfaces are written in DTDL (see the DTDL for Extended Interfaces section later in this document).

-After extending the portion of the hierarchy shown above, the extended hierarchy looks like the diagram below. Here the extended Space interface adds the `drawingId` property that will contain an ID that associates the digital twin with the 3D drawing. Additionally, the ConferenceRoom interface adds an "online" property that will contain the online status of the conference room. Through inheritance, the ConferenceRoom interface contains all capabilities from the RealEstateCore ConferenceRoom interface and all capabilities from the extended Space interface.

-When you create digital twins using the extended Space hierarchy, each digital twin's model will be one from the extended Space hierarchy (not the original industry ontology) and will include all the capabilities from the industry ontology and the extended interfaces though interface inheritance.

-Continue on the path for developing models based on ontologies: [Using ontology strategies in a model development path](concepts-ontologies.md#using-ontology-strategies-in-a-model-development-path).

-# Mandatory fields.

-description: See how to set up an instance of the Azure Digital Twins service using Azure PowerShell

-# Optional fields. Don't forget to remove # if you need a field.

-#

-#

-# Set up an Azure Digital Twins instance and authentication (PowerShell)

-This article covers the steps to set up a new Azure Digital Twins instance, including creating the instance and setting up authentication. After completing this article, you'll have an Azure Digital Twins instance ready to start programming against.

-This version of this article goes through these steps manually, one by one, using [Azure PowerShell](/powershell/azure/new-azureps-module-az).

-## Prepare your environment

-1. First, choose where to run the commands in this article. You can choose to run Azure PowerShell commands using a local installation of Azure PowerShell, or in a browser window using [Azure Cloud Shell](https://shell.azure.com).

- * If you choose to use Azure PowerShell locally:

- 1. [Install the Az PowerShell module](/powershell/azure/install-az-ps).

- 1. Open a PowerShell window on your machine.

- 1. Connect to your Azure account using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.

- * If you choose to use Azure Cloud Shell:

- 1. See [Overview of Azure Cloud Shell](../cloud-shell/overview.md) for more information about Cloud Shell.

- 1. [Open a Cloud Shell window in your browser](https://shell.azure.com).

- 1. In the Cloud Shell icon bar, make sure your Cloud Shell is set to run the PowerShell version.

-

- :::image type="content" source="media/how-to-set-up-instance/cloud-shell/cloud-shell-powershell.png" alt-text="Screenshot of the Cloud Shell window in the Azure portal showing selection of the PowerShell version.":::

-

-1. If you have multiple Azure subscriptions, choose the appropriate subscription in which the resources should be billed. Select a specific subscription using the [Set-AzContext](/powershell/module/az.accounts/set-azcontext) cmdlet.

- ```azurepowershell-interactive

- Set-AzContext -SubscriptionId 00000000-0000-0000-0000-000000000000

- ```

-1. If this is your first time using Azure Digital Twins with this subscription, you must register the `Microsoft.DigitalTwins` resource provider. (If you're not sure, it's ok to run it again even if you've done it sometime in the past.)

- ```azurepowershell-interactive

- Register-AzResourceProvider -ProviderNamespace Microsoft.DigitalTwins

- ```

-1. Use the following command to install the `Az.DigitalTwins` PowerShell module.

- ```azurepowershell-interactive

- Install-Module -Name Az.DigitalTwins

- ```

-## Create the Azure Digital Twins instance

-In this section, you'll create a new instance of Azure Digital Twins using Azure PowerShell. You'll need to provide:

-* An [Azure resource group](../azure-resource-manager/management/overview.md) where the instance will be deployed. If you don't already have an existing resource group, you can create one using the [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) cmdlet:

- ```azurepowershell-interactive

- New-AzResourceGroup -Name <name-for-your-resource-group> -Location <region>

- ```

-* A region for the deployment. To see what regions support Azure Digital Twins, visit [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=digital-twins).

-* A name for your instance. The name of the new instance must be unique within the region for your subscription. If your subscription has another Azure Digital Twins instance in the region that's already using the specified name, you'll be asked to pick a different name.

-Use your values in the following command to create the instance:

-```azurepowershell-interactive

-New-AzDigitalTwinsInstance -ResourceGroupName <your-resource-group> -ResourceName <name-for-your-Azure-Digital-Twins-instance> -Location <region>

-```

-### Verify success and collect important values

-If the instance was created successfully, the result looks similar to the following output containing information about the resource you've created:

-```Output

-Location Name Type

-<region> <name-for-your-Azure-Digital-Twins-instance> Microsoft.DigitalTwins/digitalTwinsInstances

-```

-Next, display the properties of your new instance by running `Get-AzDigitalTwinsInstance` and piping to `Select-Object -Property *`, like this:

-```azurepowershell-interactive

-Get-AzDigitalTwinsInstance -ResourceGroupName <your-resource-group> -ResourceName <name-for-your-Azure-Digital-Twins-instance> |

- Select-Object -Property *

-```

-> [!TIP]

-> You can use this command to see all the properties of your instance at any time.

-Note the Azure Digital Twins instance's **host name**, **name**, and **resource group**. These are important values that you may need as you continue working with your Azure Digital Twins instance, to set up authentication, and related Azure resources. If other users will be programming against the instance, you should share these values with them.

-You now have an Azure Digital Twins instance ready to go. Next, you'll give the appropriate Azure user permissions to manage it.

-## Set up user access permissions

-### Prerequisites: Permission requirements

-### Assign the role

-To give a user permissions to manage an Azure Digital Twins instance, you must assign them the **Azure Digital Twins Data Owner** role within the instance.

-First, determine the Object Id for the Azure AD account of the user that should be assigned the role. You can find this value using the [Get-AzAdUser](/powershell/module/az.resources/get-azaduser) cmdlet, by passing in the user principal name on the Azure AD account to retrieve their Object Id (and other user information). In most cases, the user principal name will match the user's email on the Azure AD account.

-```azurepowershell-interactive

-Get-AzADUser -UserPrincipalName <Azure-AD-user-principal-name-of-user-to-assign>

-```

-Next, use the Object Id in the following command to assign the role. The command also requires you to enter the same subscription ID, resource group name, and Azure Digital Twins instance name that you chose earlier when creating the instance. The command must be run by a user with [sufficient permissions](#prerequisites-permission-requirements) in the Azure subscription.

-```azurepowershell-interactive

-$Params = @{

- ObjectId = '<Azure-AD-user-object-ID-of-user-to-assign>'

- RoleDefinitionName = 'Azure Digital Twins Data Owner'

- Scope = '/subscriptions/<subscription-ID>/resourceGroups/<resource-group-name>/providers/Microsoft.DigitalTwins/digitalTwinsInstances/<name-for-your-Azure-Digital-Twins-instance>'

-}

-New-AzRoleAssignment @Params

-```

-The result of this command is outputted information about the role assignment that's been created.

-### Verify success

-You now have an Azure Digital Twins instance ready to go, and have assigned permissions to manage it.

-## Next steps

-See how to connect a client application to your instance with authentication code:

-* [Write app authentication code](how-to-authenticate-client.md)

-description: This article provides a table with links to Azure CLI script samples for Event Grid.

-# Azure CLI samples for Event Grid

-The following table includes links to Azure CLI samples for Event Grid.

-## Event Grid subscriptions

-## Event Grid topics

-* [Azure CLI samples for Event Grid](cli-samples.md)

-| [Azure CLI: subscribe to events for a Blob storage account](./scripts/event-grid-cli-blob.md) | Sample script that subscribes to event for a Blob storage account. It sends the event to a WebHook. |

-description: This article provides a sample Azure CLI script that shows how to subscribe to Azure Event Grid events using Azure CLI.

-# Subscribe to events for an Azure subscription with Azure CLI

-This script creates an Event Grid subscription to the events for an Azure subscription.

-The preview sample script requires the Event Grid extension. To install, run `az extension add --name eventgrid`.

-## Sample script - stable

-[!code-azurecli[main](../../../cli_scripts/event-grid/subscribe-to-azure-subscription/subscribe-to-azure-subscription.sh "Subscribe to Azure subscription")]

-## Sample script - preview extension

-[!code-azurecli[main](../../../cli_scripts/event-grid/subscribe-to-azure-subscription-preview/subscribe-to-azure-subscription-preview.sh "Subscribe to Azure subscription")]

-## Script explanation

-This script uses the following command to create the event subscription. Each command in the table links to command-specific documentation.

-| Command | Notes |

-|||

-| [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) | Create an Event Grid subscription. |

-| [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) - extension version | Create an Event Grid subscription. |

-## Next steps

-* For information about querying subscriptions, see [Query Event Grid subscriptions](../query-event-subscriptions.md).

-* For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-description: This article provides a sample Azure CLI script that shows how to subscribe to events for a Azure Blob Storage account.

-# Subscribe to events for a Blob storage account with Azure CLI

-This script creates an Event Grid subscription to the events for a Blob storage account.

-## Sample script

-[!code-azurecli[main](../../../cli_scripts/event-grid/subscribe-to-blob-storage/subscribe-to-blob-storage.sh "Subscribe to Blob storage")]

-## Script explanation

-This script uses the following command to create the event subscription. Each command in the table links to command-specific documentation.

-| Command | Notes |

-|||

-| [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) | Create an Event Grid subscription. |

-| [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) - extension version | Create an Event Grid subscription. |

-## Next steps

-* For information about querying subscriptions, see [Query Event Grid subscriptions](../query-event-subscriptions.md).

-* For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-description: This article provides a sample Azure CLI script that shows how to create an Azure Event Grid custom topic.

-# Create Event Grid custom topic with Azure CLI

-This script creates an Event Grid custom topic.

-## Sample script

-[!code-azurecli[main](../../../cli_scripts/event-grid/create-custom-topic/create-custom-topic.sh "Create custom topic")]

-## Script explanation

-This script uses the following command to create the custom topic. Each command in the table links to command-specific documentation.

-| Command | Notes |

-|||

-| [az eventgrid topic create](/cli/azure/eventgrid/topic#az-eventgrid-topic-create) | Create an Event Grid custom topic. |

-## Next steps

-* For information about querying subscriptions, see [Query Event Grid subscriptions](../query-event-subscriptions.md).

-* For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-description: This article provides a sample Azure CLI script that shows how to subscribe to Event Grid events for a resource and filter for a resource.

-# Subscribe to events for a resource group and filter for a resource with Azure CLI

-This script creates an Event Grid subscription to the events for a resource group. It uses a filter to get only events for a specified resource in the resource group.

-The preview sample script requires the Event Grid extension. To install, run `az extension add --name eventgrid`.

-## Sample script - stable

-[!code-azurecli[main](../../../cli_scripts/event-grid/filter-events/filter-events.sh "Subscribe to Azure subscription")]

-## Sample script - preview extension

-[!code-azurecli[main](../../../cli_scripts/event-grid/filter-events-preview/filter-events-preview.sh "Subscribe to Azure subscription")]

-## Script explanation

-This script uses the following command to create the event subscription. Each command in the table links to command-specific documentation.

-| Command | Notes |

-|||

-| [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) | Create an Event Grid subscription. |

-| [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) - extension version | Create an Event Grid subscription. |

-## Next steps

-* For information about querying subscriptions, see [Query Event Grid subscriptions](../query-event-subscriptions.md).

-* For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-description: This article provides a sample Azure CLI script that shows how to subscribe to Azure Event Grid events for a resource group.

-# Subscribe to events for a resource group with Azure CLI

-This script creates an Event Grid subscription to the events for a resource group.

-The preview sample script requires the Event Grid extension. To install, run `az extension add --name eventgrid`.

-## Sample script - stable

-[!code-azurecli[main](../../../cli_scripts/event-grid/subscribe-to-resource-group/subscribe-to-resource-group.sh "Subscribe to resource group")]

-## Sample script - preview extension

-[!code-azurecli[main](../../../cli_scripts/event-grid/subscribe-to-resource-group-preview/subscribe-to-resource-group-preview.sh "Subscribe to resource group")]

-## Script explanation

-This script uses the following command to create the event subscription. Each command in the table links to command-specific documentation.

-| Command | Notes |

-|||

-| [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) | Create an Event Grid subscription. |

-| [az eventgrid event-subscription create](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) - extension version | Create an Event Grid subscription. |

-## Next steps

-* For information about querying subscriptions, see [Query Event Grid subscriptions](../query-event-subscriptions.md).

-* For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-description: This article provides a sample Azure CLI script that shows how to subscribe to Event Grid events for a custom topic.

-# Subscribe to events for a custom topic with Azure CLI

-This script creates an Event Grid subscription to the events for a custom topic.

-The preview sample script requires the Event Grid extension. To install, run `az extension add --name eventgrid`.

-## Sample script - stable

-[!code-azurecli[main](../../../cli_scripts/event-grid/subscribe-to-custom-topic/subscribe-to-custom-topic.sh "Subscribe to custom topic")]

-## Sample script - preview extension

-[!code-azurecli[main](../../../cli_scripts/event-grid/subscribe-to-custom-topic-preview/subscribe-to-custom-topic-preview.sh "Subscribe to custom topic")]

-## Script explanation

-|One secured virtual hub per region|You can't have more than one secured virtual hub per region.|Create multiple virtual WANs in a region.|

-|Client Certificates (TLS)|Client certificates are used to build a mutual identity trust between the client and the server. Client certificates are used during a TLS negotiation. Azure firewall renegotiates a connection with the server and has no access to the private key of the client certificates.|None|

-Azure Firewall Premium can intercept outbound HTTP/S traffic and auto-generate a server certificate for `www.website.com`. This certificate is generated using the Intermediate CA certificate that you provide. End-user browser and client applications must trust your organization Root CA certificate or intermediate CA certificate for this procedure to work.

-Encrypted traffic has a possible security risk and can hide illegal user activity and malicious traffic. Azure Firewall Premium terminates and inspects TLS connections to detect, alert, and mitigate malicious activity in HTTPS.

-Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. The IDPS signatures are applicable for both application and network level traffic (Layers 4-7), they're fully managed, and continuously updated. IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic.

-Migrate your firewall during a planned maintenance time, as there will be some downtime during the migration.

-# Secure your Origin with Private Link in Azure Front Door Standard/Premium (Preview)

-> [!Note]

-> This documentation is for Azure Front Door Standard/Premium (Preview). Looking for information on Azure Front Door? View [Azure Front Door Docs](front-door-overview.md).

-## Overview

-[Azure Private Link](../private-link/private-link-overview.md) enables you to access Azure PaaS Services and Azure hosted services over a Private Endpoint in your virtual network. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet.

-> [!IMPORTANT]

-> Azure Front Door Standard/Premium (Preview) is currently in public preview.

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-Azure Front Door Premium can connect to your origin via Private Link. Your origin can be hosted in your private VNet or by using a PaaS service such as Azure App Service or Azure Storage. Private Link removing the need for your origin to be publically accessible.

-When you enable Private Link to your origin in Azure Front Door Premium, Front Door creates a private endpoint on your behalf from a regional network managed Front Door's regional private network. This endpoint is managed by Azure Front Door. You'll receive an Azure Front Door private endpoint request for approval message at your origin.

-You must approve the private endpoint connection before traffic will flow to the origin. You can approve private endpoint connections by using the Azure portal, the Azure CLI, or Azure PowerShell. For more information, see [Manage a Private Endpoint connection](../private-link/manage-private-endpoint.md).

-After you enable a Private Link origin and approve the private endpoint connection, it takes a few minutes for the connection to be established. During this time, requests to the origin will receive a Front Door error message. The error message will go away once the connection is established.

-After you approve the request, a private IP address gets assigned from Front Door's virtual network. Traffic between Azure Front Door and your origin traverses the established private link by using Azure's network backbone. Incoming traffic to your origin is now secured when coming from your Azure Front Door.

-## Limitations

-Azure Front Door private endpoints are available in the following regions during public preview: East US, West US 2, South Central US, UK South, and Japan East.

-The backends that support direct private end point connectivity are now limited to Storage (Azure Blobs) and App Services. All other backends will have to be put behind an Internal Load Balancer as explained in the Next Steps below.

-For the best latency, you should always pick an Azure region closest to your origin when choosing to enable Front Door private link endpoint.

-* To connect Azure Front Door Premium to your Web App via Private Link service, see [Connect Azure Front Door Premium to a Web App origin with Private Link](standard-premium/how-to-enable-private-link-web-app.md).

-* To connect Azure Front Door Premium to your Storage Account via private link service, see [Connect Azure Front Door Premium to a storage account origin with Private Link](standard-premium/how-to-enable-private-link-storage-account.md).

-* To connect Azure Front Door Premium to an internal load balancer origin with Private Link service, see [Connect Azure Front Door Premium to an internal load balancer origin with Private Link](standard-premium/how-to-enable-private-link-internal-load-balancer.md).

-## Additional debugging HTTP headers

-You can request Front Door to return additional debugging HTTP response headers. For more details, refer to [optional response headers](front-door-http-headers-protocol.md#optional-debug-response-headers).

-* The failure from Azure Front Door typically shows after about 30 seconds.

-* Intermittent 503 errors with log `ErrorInfo: OriginInvalidResponse`.

-

-* Your origin is taking longer than the timeout configured (default is 30 seconds) to receive the request from Azure Front Door.

-* Client sent a byte range request with `Accept-Encoding header` (compression enabled).

-* Send the request to your backend directly (without going through Azure Front Door). See how long your backend usually takes to respond.

-* If requests going through Azure Front Door results in a 503 error response code, configure the **Origin response timeout (in seconds)** for the endpoint. You can extend the default timeout to up to 4 minutes (240 seconds). The setting can be configured by going to the *Endpoint manager* and selecting **Edit endpoint**.

- :::image type="content" source="./media/troubleshoot-issues/origin-response-timeout-1.png" alt-text="Screenshot of selecting edit endpoint from Endpoint manager.":::

- Then select **Endpoint properties** to configure the **Origin response timeout**:

- :::image type="content" source="./media/troubleshoot-issues/origin-response-timeout-2.png" alt-text="Screenshot of select endpoint properties and Origin response timeout field." lightbox="./media/troubleshoot-issues/origin-response-timeout-2-expanded.png":::

-* If the timeout doesnΓÇÖt resolve the issue, use a tool like Fiddler or your browser's developer tool to check if the client is sending byte range requests with Accept-Encoding headers, leading to the origin responding with different content lengths. If yes, then you can either disable compression on the Origin/Azure Front Door or create a Rules Set rule to remove `accept-encoding` from the request for byte range requests.

- :::image type="content" source="./media/troubleshoot-issues/remove-encoding-rule.png" alt-text="Screenshot of accept-encoding rule in a Rule Set.":::

-* 503 responses are returned only for AFD HTTPS enabled endpoints

-* Regular requests sent to your backend without going through Azure Front Door are succeeding. Going via Azure Front Door results in 503 error responses.

-* Intermittent 503 errors with log `ErrorInfo: OriginInvalidResponse`

-* Backend Pool is an IP address

-* Backend Server is returning a certificate that does not match the FQDN of the AFD backend Pool

-* Backend Pool is an Azure Web Apps server

-* Backend Pool is an IP address

- `EnforceCertificateNameCheck` must be disabled.

- AFD has a switch called "enforceCertificateNameCheck". By default, this setting is enabled. When enabled, AFD checks that the backend pool host name FQDN matches the backend server certificate's Certificate Name (CN) or one of the entries in the Subject Alternative Names (SAN) extension.

- How to disable EnforceCertifiateNameCheck from Portal:

- In the portal there is a toggle button, that will allow you to turn this on/off in the Azure Front Door Design Blade.

- 

-* Backend Server is returning a certificate that does not match the FQDN of the AFD backend Pool

- - To resolve we will either need the certificate returned to match the FQDN (or)

-

- - The EnforceCertificateNameCheck must be disabled

-* Backend Pool is an Azure Web Apps server

- - Check if Azure web app is configured with Ip Based SSL instead of SNI based. If itΓÇÖs configured as IpBased then this should be changed to SNI.

-

- - If the backend is unhealthy due to a certificate failure, we will return a 503. You can verify the health of the backends on port 80 and 443. If only 443 is unhealthy, this is likely an issue with SSL. Since the backend is configured to use the FQDN, we know itΓÇÖs sending SNI.

- Using OPENSSL, verify the certificate that is being returned. To do this, connect to the backend using "-servername" and it should return the SNI which needs to match with the FQDN of the backend pool.

- _openssl s_client -connect backendvm.contoso.com:443 -servername backendvm.contoso.com_

-

-* You created an Azure Front Door instance, but a request to the domain or frontend host is returning an HTTP 400 status code.

-* You created a DNS mapping for a custom domain to the frontend host that you configured. However, sending a request to the custom domain host name returns an HTTP 400 status code. It doesn't appear to route to the backend that you configured.

-The problem occurs if you didn't configure a routing rule for the custom domain that was added as the frontend host. A routing rule needs to be explicitly added for that frontend host. That's true even if a routing rule has already been configured for the frontend host under the Azure Front Door subdomain (*.azurefd.net).

-### Troubleshooting steps

-This behavior can happen if you didn't configure the routing rules correctly for Azure Front Door. Basically, your current configuration isn't specific and might have conflicting rules.

-You created an Azure Front Door Standard/Premium instance and configured a frontend host, an origin group with at least one origin in it, and a routing rule that connects the frontend host to the origin group. Your content doesn't seem to be available when a request goes to the configured frontend host because an HTTP 411 status code gets returned.

-Responses to these requests might also contain an HTML error page in the response body that includes an explanatory statement. For example: `HTTP Error 411. The request must be chunked or have a content length`.

-There are several possible causes for this symptom. The overall reason is that your HTTP request isn't fully RFC-compliant.

-An example of noncompliance is a `POST` request sent without either a `Content-Length` or a `Transfer-Encoding` header (for example, using `curl -X POST https://example-front-door.domain.com`). This request doesn't meet the requirements set out in [RFC 7230](https://tools.ietf.org/html/rfc7230#section-3.3.2). Azure Front Door would block it with an HTTP 411 response.

-This behavior is separate from the Web Application Firewall (WAF) functionality of Azure Front Door. Currently, there's no way to disable this behavior. All HTTP requests must meet the requirements, even if the WAF functionality isn't in use.

-Guest configuration operates in PowerShell 7.1.3 for Windows and PowerShell 7.2

-Or you can get the connection through **Ambari UI > Hive > Configs > Advanced**.

-az ad sp create-for-rbac --name <Service Principal Name> --sdk-auth --role Contributor

-1. Open your IoT Central application and navigate to **Administration** in the left pane and select **Device connection**.

-1. Navigate to **Administration** in the left pane and select **Device connection**.

-2. Select **Enrollment Groups**, and select the group name in the list.

-1. Navigate to **Administration** in the left pane and select **Device connection**.

-2. Select **Enrollment Groups**, and select the group name in the list.

-The IoT Central device bridge is an open-source solution that connects other IoT clouds to your IoT Central application. Examples of other IoT clouds include [Sigfox](https://www.sigfox.com/), [Particle Device Cloud](https://www.particle.io/), and [The Things Network](https://www.thethingsnetwork.org/). The device bridge works by forwarding data from devices connected to other IoT clouds through to your IoT Central application. The device bridge only forwards data to IoT Central, it doesn't send commands or property updates from IoT Central back to the devices.

-To create the Azure Data Explorer destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

- az ad sp create-for-rbac --skip-assignment --name "My SP for IoT Central"

-To create the Azure Data Explorer destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

-To create the Azure Data Explorer destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

-To create the Event Hubs destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

-To create the Event Hubs destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

-To create the Service Bus destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

-To create the Service Bus destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

-To create the Blob Storage destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

-To create the Blob Storage destination in IoT Central on the **Create new destination** page:

-1. Enter a **Destination name**.

- * Do not use debug versions of module images

-### Do not use debug versions of module images

-az ad sp create-for-rbac -n "MyApp" --password "hVFkk965BuUv" --role Contributor

-## Best Practices for individual keys, secrets, and certificates

-1. Assign the [ROLENAME] role to the [USER | GROUP | SERVICEPRINCIPAL | MANAGEDIDENTITY] at [MANAGEMENTGROUP | SUBSCRIPTION | RESOURCEGROUP | RESOURCE] scope.

-A Standard Public Load balancer or the IP configuration of a virtual machine can be chained to a Gateway Load Balancer. Once chained to a Standard Public Load Balancer frontend or IP configuration on a virtual machine, no additional configuration is needed to ensure traffic to and from the application endpoint is sent to the Gateway Load Balancer.

-* **Chain** - A Gateway Load Balancer can be referenced by a Standard Public Load Balancer frontend or a Public IP configuration on a virtual machine. The addition of advanced networking capabilities in a specific sequence is known as service chaining. As a result, this reference is called a chain.

-## Limitations

-> [!TIP]

-> Data stored in a data store that is secured in a virtual network is _not_ sent over the public internet. For example, if your training data is secured on the default storage account for the workspace, and the storage account is in the virtual network.

-You can increase the security of CLI communications with Azure Resource Manager by using Azure Private Link. The following links provide information on using a Private Link for managing Azure resources:

-1. [Secure your Azure Machine Learning workspace inside a virtual network using a private endpoint](how-to-configure-private-link.md).

-2. [Create a Private Link for managing Azure resources](../azure-resource-manager/management/create-private-link-access-portal.md).

-3. [Create a private endpoint](../azure-resource-manager/management/create-private-link-access-portal.md#create-private-endpoint) for the Private Link created in the previous step.

-> [!IMPORTANT]

-> To configure the private link for Azure Resource Manager, you must be the _subscription owner_ for the Azure subscription, and an _owner_ or _contributor_ of the root management group. For more information, see [Create a private link for managing Azure resources](../azure-resource-manager/management/create-private-link-access-portal.md).

-> Examples in this article refer to both 1.0 CLI and 2.0 CLI versions. If no version is specified for a command, it will work with either the 1.0 or 2.0 CLI. The machine learning 2.0 CLI is currently in public preview. This preview version is provided without a service-level agreement, and it's not recommended for production workloads.

-# [Bring existing resources (1.0 CLI)](#tab/bringexistingresources1)

-# [Bring existing resources (2.0 CLI - preview)](#tab/bringexistingresources2)

-# [1.0 CLI](#tab/vnetpleconfigurationsv1cli)

-# [2.0 CLI - preview](#tab/vnetpleconfigurationsv2cli)

-When using private link, your workspace cannot use Azure Container Registry tasks compute for image building. Hence, you must set the image_build_compute property to a CPU compute cluster name to use for Docker image environment building. You can also specify whether the private link workspace should be accessible over the internet using the public_network_access property.

-Below CLI commands provide examples for creating a workspace that uses customer-managed keys for encryption using the 1.0 CLI and 2.0 CLI versions.

-# [1.0 CLI](#tab/vnetpleconfigurationsv1cli)

-# [2.0 CLI - preview](#tab/vnetpleconfigurationsv2cli)

-# [1.0 CLI](#tab/workspaceupdatev1)

-# [2.0 CLI - preview](#tab/workspaceupdatev2)

-# [1.0 CLI](#tab/workspaceupdatev1)

-# [2.0 CLI - preview](#tab/workspaceupdatev2)

-# [1.0 CLI](#tab/workspacesynckeysv1)

-# [2.0 CLI - preview](#tab/workspacesynckeysv2)

-# [1.0 CLI](#tab/workspacedeletev1)

-# [2.0 CLI - preview](#tab/workspacedeletev2)

- az ad sp create-for-rbac --sdk-auth --name ml-auth --role Contributor

-early_termination_policy = TruncationSelectionPolicy(evaluation_interval=1, truncation_percentage=20, delay_evaluation=5)

-In this example, the early termination policy is applied at every interval starting at evaluation interval 5. A run terminates at interval 5 if its performance at interval 5 is in the lowest 20% of performance of all runs at interval 5.

- [!INCLUDE [cli v1](../../includes/machine-learning-cli-v1.md)]

- For more information on the pipeline YAML file, see [Define machine learning pipelines in YAML](reference-yaml-job-pipeline.md).

- For more information on the pipeline YAML file, see [Define machine learning pipelines in YAML](reference-yaml-job-pipeline.md).

- Column headers| Indicates how the headers of the dataset, if any, will be treated.| Use headers from the first file

-If you haven't already done so, create a development and test (DEV) offer to test your offer before publishing your production offer live. To learn more, see [Create a test SaaS offer](create-saas-dev-test-offer.md).

-> We recommend that you create a separate development/test (DEV) offer and a separate production (PROD) offer. This article describes how to create a PROD offer. For details about creating a DEV offer, see [Create a test SaaS offer](create-saas-dev-test-offer.md).

-description: Create a separate development offer for testing your production offer in Azure Marketplace.

-# Create a test SaaS offer

-To develop in a separate environment from your production offer, youΓÇÖll create a separate test and development (DEV) offer and a separate production (PROD) offer. For information about the benefits of using a separate DEV offer, see [Plan a SaaS offer](plan-saas-offer.md#test-offer).

-YouΓÇÖll configure most settings the same in the DEV and PROD offers. For example, the official marketing language and assets, such as screenshots and logos should be the same. In the cases where the configuration is the same, you can copy-and-paste fields from the plans in the DEV offer to the plans in the PROD offer.

-The following sections describe the configuration differences between the DEV and PROD offers.

-## Offer setup page

-We recommend that you use the same alias in the **Alias** box of both offers but append ΓÇ£_testΓÇ¥ to the alias of the DEV offer. For example, if the alias of your PROD offer is ΓÇ£contososolutionΓÇ¥ then the alias of the DEV offer should be ΓÇ£contososolution_testΓÇ¥. This way, you can easily identify which your DEV offer from your PROD offer.

-In the **Customer leads** section, use an Azure table or a test CRM environment for the DEV offer. Use the intended lead management system for the PROD offer.

-## Properties page

-Configure this page the same in both the DEV and PROD offers.

-## Offer listing page

-Configure this page the same in both the DEV and PROD offers.

-## Preview audience

-In the DEV offer, include the Azure Active Directory (AAD) user principal names or Microsoft account (MSA) email addresses of developers and testers, including yourself. The user principal name of a user on AAD can be different than the email of that user. For example, jane.doe@contoso.com will not work but janedoe@contoso.com will. The users you designate will have access to the DEV offer when you share the **Preview** link during the development and testing phase.

-In the PROD offer, include the Azure AD user principal name or Microsoft Account email of the users who will validate the offer before selecting the **Go Live button** to publish the offer live.

-## Technical configuration page

-This table describes the differences between the settings for DEV offers and PROD offers.

-***Table 1: Technical configuration differences***

-| Setting | DEV offer | PROD offer |

-| | - | - |

-| Landing page URL | Enter your dev/test endpoint. | Enter your production endpoint. |

-| Connection webhook | Enter your dev/test endpoint. | Enter your production endpoint. |

-| Azure Active Directory tenant ID | Enter your test app registration tenant ID (AAD directory ID). | Enter your production app registration tenant ID. |

-| Azure Active Directory application ID | Enter your test app registration application ID (client ID). | Enter your production app registration application ID. |

-||||

-## Plan overview page

-When you create your plans, we recommend that you use the same _Plan ID_ and _Plan name_ in both the DEV and PROD offers except append the plan ID in the DEV offer with **_test**. For example, if the Plan ID in the PROD offer is ΓÇ£enterpriseΓÇ¥, then the plan ID in the DEV offer should be ΓÇ£enterprise_testΓÇ¥. This way, you can easily identify which your DEV offer from your PROD offer. YouΓÇÖll create plans in the PROD offer with the pricing models and prices that you decide are best for your offer.

-### Plan listing

-On the **Plan overview** > **Plan listing** tab, enter the same plan description in both the DEV and PROD plans.

-### Pricing and availability page

-This section provides guidance for completing the **Plan overview** > **Pricing and availability** page.

-#### Markets

-Select the same markets for the DEV and PROD offers.

-#### Pricing

-Use the DEV offer to experiment with pricing models. After you verify which pricing model or models work best, youΓÇÖll create the plans in the PROD offer with the pricing models and prices you want.

-The DEV offer should have plans with zero or low prices in the plans. The PROD offer will have the prices you want to charge to customers.

-> [!IMPORTANT]

-> Purchases made in Preview will be processed for both DEV and PROD offers. If an offer has a $100/mo price, your company will be charged $100. If this happens, you can open a [support ticket](support.md) and we will issue a payout for the full amount (and take no store service fee).

-#### Pricing model

-Use the same Pricing model in the plans of the DEV and PROD offers. For example, if the plan in the PROD offer is Flat rate, with a monthly billing term, then configure the plan in the DEV offer using the same model.

-To reduce your cost for testing the pricing models, including Marketplace custom meter dimensions, we recommend that you configure the **Pricing** section of the **Pricing and availability** tab, in the DEV offer with lower prices than the PROD offer. Here are some guidelines you can follow when setting prices for plans in the DEV offer.

-***Table 2: Pricing guidelines***

-| Price | Comment |

-| | - |

-| $0.00 | Set a total transaction cost of zero to have no financial impact. Use this price when making calls to the metering APIs, or to test purchasing plans in your offer while developing your solution. |

-| $0.01 - $49.99 | Use this price range to test analytics, reporting, and the purchase process. |

-| $50.00 - $100.00 | Use this price range to test payout. For information about our payment schedule, see [Payout schedules and processes](/partner-center/payout-policy-details). |

-|||

-> [!IMPORTANT]

-> To avoid being charged a store service fee on your test, open a [support ticket](support.md) within 7 days of the test purchase.

-#### Free trial

-DonΓÇÖt enable a free trial for the DEV offer.

-## Co-sell with Microsoft page

-DonΓÇÖt configure the **Co-sell with Microsoft** tab of the DEV offer.

-## Resell through CSPs

-DonΓÇÖt configure the **Resell through CSPs** tab of the DEV offer.

-## Next steps

-Only one usage event can be emitted for each hour of a calendar day. For example, at 8:15am today, you can emit one usage event. If this event is accepted, the next usage event will be accepted from 9:00 am today. If you send an additional event between 8:15 and 8:59:59 today, it will be rejected as a duplicate. You should accumulate all units consumed in an hour and then emit it in a single event.

-| ApiVersion | Use this format: 2018-08-31 |

-This article explains the different options and requirements for publishing software as a service (SaaS) offers to the Microsoft commercial marketplace. SaaS offers to let you deliver and license software solutions to your customers via online subscriptions. As a SaaS publisher, you manage and pay for the infrastructure required to support your customers' use of your offer. This article will help you prepare your offer for publishing to the commercial marketplace with Partner Center.

-To prevent accidental purchases of the DEV offer, youΓÇÖll never push the **Go live** button to publish the DEV offer live.

-Here are some reasons to create a separate DEV offer for the development team to use for development and testing of the PROD offer:

-### Avoid accidental customer charges

-By using a DEV offer instead of the PROD offer and treating them as development and production environments, you can avoid accidental charges to customers.

-We recommend that you register two different Azure AD apps for calling the marketplace APIs. Developers will use one Azure AD app with the DEV offerΓÇÖs settings, and the operations team will use the PROD app registration. By doing this, you can isolate the development team from making inadvertent mistakes, such as calling the API to cancel a customerΓÇÖs subscription who pays $100K per month. You can also avoid charging a customer for metered usage they didnΓÇÖt consume.

-### Evaluate pricing models

-Testing pricing models in the DEV offer reduces risk when developers experiment with different pricing models.

-Publishers can create the plans they need in the DEV offer to determine which pricing model works best for their offer. Developers might want to create multiple plans in the DEV offer to test different pricing combinations. For example, you might create plans with different sets of custom metered dimensions. You might create a different plan with a mix of flat rate and custom metered dimensions.

-To test multiple pricing options, you need to create a plan for each unique pricing model. To learn more, see [Plans](#plans).

-### Not adding plans that do not target actual customers

-By using a DEV offer for development and testing, you can reduce unnecessary clutter in the PROD offer. For example, you canΓÇÖt delete plans you create to test different pricing models or technical configurations (without filing a support ticket). So by creating plans for testing in the DEV offer, you reduce the clutter in the PROD offer.

-Clutter in the PROD offer frustrates product and marketing teams, as they expect all the plans to target actual customers. Especially with large teams that are disjointed who all want different sandboxes to work with, creating two offers will provide two different environments for DEV and PROD. In some cases, you might want to create multiple DEV offers to support a larger team who have different people running different test scenarios. Letting different team members work in the DEV offer separate from the PROD offer , helps to keep production plans as close to production-ready as possible.

-Testing a DEV offer helps to avoid the 30 custom metered dimensions limit per offer. Developers can try different meter combinations in the DEV offer without affecting the custom metered dimension limit in the PROD offer.

-> DonΓÇÖt ever select **Go live** for a [development/test offer](create-saas-dev-test-offer.md).

-**EXPLAIN** is a handy tool to optimize queries. EXPLAIN statement can be used to get information about how SQL statements are executed. The following output shows an example of the execution of an EXPLAIN statement.

-As can be seen from this example, the value of *key* is NULL. This output means MySQL can't find any indexes optimized for the query and it performs a full table scan. Let's optimize this query by adding an index on the **ID** column.

-The new EXPLAIN shows that MySQL now uses an index to limit the number of rows to 1, which in turn dramatically shortened the search time.

-A covering index consists of all columns of a query in the index to reduce value retrieval from data tables. Here's an illustration in the following **GROUP BY** statement.

-As can be seen from the output, MySQL doesn't use any indexes because no proper indexes are available. It also shows *Using temporary; Using file sort*, which means MySQL creates a temporary table to satisfy the **GROUP BY** clause.

-Creating an index on column **c2** alone makes no difference, and MySQL still needs to create a temporary table:

-In this case, a **covered index** on both **c1** and **c2** can be created, whereby adding the value of **c2**" directly in the index to eliminate further data lookup.

-```sql 

-As the above EXPLAIN shows, MySQL now uses the covered index and avoid creating a temporary table.

-MySQL performs a *file sort* operation that is fairly slow, especially when it has to sort many rows. To optimize this query, a combined index can be created on both columns that are being sorted.

-The EXPLAIN now shows that MySQL can use a combined index to avoid additional sorting since the index is already sorted.

-Using EXPLAIN and different type of Indexes can increase performance significantly. Having an index on the table doesn't necessarily mean MySQL would be able to use it for your queries. Always validate your assumptions using EXPLAIN and optimize your queries using indexes.

-### Create NAT gateway

-In this section, you'll create a NAT gateway and assign it to the subnet in the virtual network you created previously. The NAT gateway is used by the resources in the load balancer virtual network for outbound internet access. If the virtual machines in the backend pool of the load balancer don't require outbound internet access, you can proceed to the next section.

-1. On the upper-left side of the screen, select **Create a resource > Networking > NAT gateway** or search for **NAT gateway** in the search box.

-2. Select **Create**.

-3. In **Create network address translation (NAT) gateway**, enter or select this information in the **Basics** tab:

- | **Setting** | **Value** |

- ||--|

- | **Project Details** | |

- | Subscription | Select your Azure subscription. |

- | Resource Group | Select **CreatePrivLinkService-rg**. |

- | **Instance details** | |

- | Name | Enter **myNATGateway** |

- | Region | Select **(US) East US 2** |

- | Availability Zone | Select **None**. |

- | Idle timeout (minutes) | Enter **10**. |

-4. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

-5. In the **Outbound IP** tab, enter or select the following information:

- | **Setting** | **Value** |

- | -- | |

- | Public IP addresses | Select **Create a new public IP address**. </br> In **Name**, enter **myNATgatewayIP**. </br> Select **OK**. |

-6. Select the **Subnet** tab, or select the **Next: Subnet** button at the bottom of the page.

-7. In the **Subnet** tab, select **myVNet** in the **Virtual network** pull-down.

-8. Check the box next to **myBackendSubnet**.

-9. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

-10. Select **Create**.

-## Delegation of access control responsibility to Azure Purview

-Note:

-1. Once a resource has been enabled for *Data use Governance*, **any** Azure Purview *policy author* will be able to create access policies against it, and **any** Azure Purview *Data source admin* will be able to publish those policies at **any point afterwards**.

-1. **Any** Azure Purview *root collection admin* can create **new** *Data Source Admin* and *Policy author* roles.

-Enable the resource group or the subscription for access policies in Azure Purview by setting the **Data use governance** toggle to **Enabled**, as shown in the picture.

-Follow this link for more information and best practices related to [registering a data resource for Data use governance](./how-to-enable-data-use-governance.md)

-Enable the data source for access policies in Azure Purview by setting the **Data use governance** toggle to **Enabled**, as shown in the picture.

-Follow this link for more information and best practices related to [registering a data resource for Data use governance](./how-to-enable-data-use-governance.md)

-* [Blog: Accessing data when file level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166)

-| Maximum simple fields per index |1000 |100 |1000 |1000 |1000 |1000 |1000 |1000 |

-| Maximum complex collection fields per index |40 |40 |40 |40 |40 |40 |40 |40 |

-| Maximum elements across all complex collections per document&nbsp;² |3000 |3000 |3000 |3000 |3000 |3000 |3000 |3000 |

-² An upper limit exists for elements because having a large number of them significantly increases the storage required for your index. An element of a complex collection is defined as a member of that collection. For example, assume a [Hotel document with a Rooms complex collection](search-howto-complex-data-types.md#indexing-complex-types), each room in the Rooms collection is considered an element. During indexing, the indexing engine can safely process a maximum of 3000 elements across the document as a whole. [This limit](search-api-migration.md#upgrade-to-2019-05-06) was introduced in `api-version=2019-05-06` and applies to complex collections only, and not to string collections or to complex fields.

-> **Microsoft 365 Defender** was formerly known as **Microsoft Threat Protection** or **MTP**.

->

-> **Microsoft Defender for Endpoint** was formerly known as **Microsoft Defender Advanced Threat Protection** or **MDATP**.

->

-> **Microsoft Defender for Office 365** was formerly known as **Office 365 Advanced Threat Protection**.

-Microsoft Sentinel's [Microsoft 365 Defender (M365D)](/microsoft-365/security/mtp/microsoft-threat-protection) connector with incident integration allows you to stream all M365D incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. M365D incidents include all their alerts, entities, and other relevant information, and they are enriched by and group together alerts from M365D's component services **Microsoft Defender for Endpoint**, **Microsoft Defender for Identity**, **Microsoft Defender for Office 365**, and **Microsoft Defender for Cloud Apps**.

-The connector also lets you stream **advanced hunting** events from Microsoft Defender for Endpoint and Microsoft Defender for Office 365 into Microsoft Sentinel, allowing you to copy those Defender components' advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components' raw event data to provide additional insights, and store the logs with increased retention in Log Analytics.

- > When you enable the Microsoft 365 Defender connector, all of the M365D componentsΓÇÖ connectors (the ones mentioned at the beginning of this article) are automatically connected in the background. In order to disconnect one of the componentsΓÇÖ connectors, you must first disconnect the Microsoft 365 Defender connector.

- |

- |

-| **Log Analytics table(s)** | **Alerts:**<br>SecurityAlert<br>SecurityIncident<br>**Defender for Endpoint events:**<br>DeviceEvents<br>DeviceFileEvents<br>DeviceImageLoadEvents<br>DeviceInfo<br>DeviceLogonEvents<br>DeviceNetworkEvents<br>DeviceNetworkInfo<br>DeviceProcessEvents<br>DeviceRegistryEvents<br>DeviceFileCertificateInfo<br>**Defender for Office 365 events:**<br>EmailAttachmentInfo<br>EmailUrlInfo<br>EmailEvents<br>EmailPostDeliveryEvents |

-|**Microsoft DNS Server**<br>Collected by the DNS connector<br> and the Log Analytics Agent | `_ASim_DnsMicrosoftOMS` (regular) <br> `_Im_DnsMicrosoftOMS` (filtering) <br><br> | `ASimDnsMicrosoftOMS` (regular) <br>`vimDnsMicrosoftOMS` (filtering) <br><br> |

-| **Microsoft DNS Server**<br>Collected by NXlog| `_ASim_DnsMicrosoftNXlog` (regular)<br>`_Im_DnsMicrosoftNXlog` (filtering)| `ASimDnsMicrosoftNXlog` (regular)<br> `vimDnsMicrosoftNXlog` (filtering)|

-| **Azure Firewall** | `_ASim_DnsAzureFirewall` (regular)<br> `_Im_DnsAzureFirewall` (filtering) | `ASimDnsAzureFirewall` (regular)<br>`vimDnsAzureFirewall` (filtering) |

-| **Sysmon for Windows** (event 22)<br> Collected by the Log Analytics Agent<br> or the Azure Monitor Agent,<br>supporting both the<br> `Event` and `WindowsEvent` tables | `_ASim_DnsMicrosoftSysmon` (regular)<br> `_Im_DnsMicrosoftSysmon` (filtering) | `ASimDnsMicrosoftSysmon` (regular)<br> `vimDnsMicrosoftSysmon` (filtering) |

-| **Cisco Umbrella** | `_ASim_DnsCiscoUmbrella` (regular)<br> `_Im_DnsCiscoUmbrella` (filtering) | `ASimDnsCiscoUmbrella` (regular)<br> `vimDnsCiscoUmbrella` (filtering) |

-| **Infoblox NIOS**<br><br>The InfoBlox parsers<br>require [configuring the relevant sources](normalization-manage-parsers.md#configure-the-sources-relevant-to-a-source-specific-parser).<br> Use `InfobloxNIOS` as the source type. | `_ASim_DnsInfobloxNIOS` (regular)<br> `_Im_DnsInfobloxNIOS` (filtering) | `ASimDnsInfobloxNIOS` (regular)<br> `vimDnsInfobloxNIOS` (filtering) |

-| **GCP DNS** | `_ASim_DnsGcp` (regular)<br> `_Im_DnsGcp` (filtering) | `ASimDnsGcp` (regular)<br> `vimDnsGcp` (filtering) |

-| **Corelight Zeek DNS events** | `_ASim_DnsCorelightZeek` (regular)<br> `_Im_DnsCorelightZeek` (filtering) | `ASimDnsCorelightZeek` (regular)<br> `vimDnsCorelightZeek` (filtering) |

-| **Zscaler ZIA** |`_ASim_DnsZscalerZIA` (regular)<br> `_Im_DnsZscalerZIA` (filtering) | `AsimDnsZscalerZIA` (regular)<br> `vimDnsSzcalerZIA` (filtering) |

-> **Microsoft 365 Defender** was formerly known as **Microsoft Threat Protection** or **MTP**.

->

-> **Microsoft Defender for Endpoint** was formerly known as **Microsoft Defender Advanced Threat Protection** or **MDATP**.

->

-> **Microsoft Defender for Office 365** was formerly known as **Office 365 Advanced Threat Protection**.

-Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) incident integration allows you to stream all Microsoft 365 Defender incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from Microsoft 365 Defender (formerly known as Microsoft Threat Protection or MTP) include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel, Incidents will remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of the benefits of both portals in your incident investigation.

-The Microsoft 365 Defender connector also lets you stream **advanced hunting** events - a type of raw event data - from Microsoft 365 Defender and its component services into Microsoft Sentinel. You can currently collect [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview) events from Microsoft Defender for Endpoint and *(from October 2021)* from Microsoft Defender for Office 365, and stream them straight into purpose-built tables in your Microsoft Sentinel workspace. These tables are built on the same schema that is used in the Microsoft 365 Defender portal, giving you complete access to the full set of advanced hunting events, and allowing you to do the following:

-az ad sp create-for-rbac ΓÇôname $spname --role Contributor

-az ad sp create-for-rbac ΓÇôname $spname --role Contributor

-## Download and open the Unity sample project

-### Configure Unity

-## Download and open the Unity sample project

-### Configure Unity

-## Download and open the Unity sample project

-### Configure Unity

-The Azure Spring Cloud UI delivers information about the status of running applications. There is an **Apps** option for each resource group in a subscription that displays general status of application types. For each application type, there's a display of **Application instances**.

-* **Registered Instance**: Shows how many app instances are registered to Eureka and how many app instances you desire. If you stop the app, this column shows **stopped**. Note that Eureka is not applicable to enterprise tier. For more information if you're using the enterprise tier, see [Use Service Registry](how-to-enterprise-service-registry.md).

-The deployment status is reported as one of the following values:

-| Enum | Definition |

-The provisioning state is accessible only from the CLI. It is reported as one of the following values:

-| Enum | Definition |

-| Creating | The resource is creating. |

-| Updating | The resource is updating. |

-| Succeeded | Successfully supplied resources and deploys the binary. |

-| Deleting | The resource is being deleted. This prevents operation, and the resource is not available in this status. |

-To view the status of a specific instance of a deployed app, select the **Name** of the app in the **Apps** UI. The results will display:

-* **Status**: Whether the instance is running or its state

-* **DiscoveryStatus**: The registered status of the app instance in Eureka server

-| Enum | Definition |

-| Starting | The binary is successfully deployed to the given instance. Instance booting the jar file may fail because jar cannot run properly. |

-| Running | The instance works. |

-| Failed | The app instance failed to start userΓÇÖs binary after several retries. |

-| Terminating | The app instance is shutting down. |

-| Enum | Definition |

-| DOWN | The app instance is not registered to Eureka or is registered but not able to receive traffic. |

-| Supported Azure Functions [runtimes](../azure-functions/supported-languages.md#languages-by-runtime-version)¹ | Node.js 12<br>Node.js 14<br>Node.js 16 (preview)<br>.NET Core 3.1<br>.NET 6.0<br>Python 3.8<br>Python 3.9 | All |

-| <ul><li>Triggers are limited to [HTTP](../azure-functions/functions-bindings-http-webhook.md).</li><li>The Azure Functions app must either be in Node.js 12, Node.js 14, Node.js 16 (preview), .NET Core 3.1, .NET 6.0, Python 3.8, or Python 3.9.</li><li>Some application settings are managed by the service, therefore the following prefixes are reserved by the runtime:<ul><li>*APPSETTING\_, AZUREBLOBSTORAGE\_, AZUREFILESSTORAGE\_, AZURE_FUNCTION\_, CONTAINER\_, DIAGNOSTICS\_, DOCKER\_, FUNCTIONS\_, IDENTITY\_, MACHINEKEY\_, MAINSITE\_, MSDEPLOY\_, SCMSITE\_, SCM\_, WEBSITES\_, WEBSITE\_, WEBSOCKET\_, AzureWeb*</li></ul></li><li>Some application tags are internally used by the service. Therefore, the following tags are reserved:<ul><li> *AccountId, EnvironmentId, FunctionAppId*.</li></ul></li></ul> | <ul><li>You are responsible to manage the Functions app deployment.</li></ul> |

-| V11.3 Release - [KB4539953](https://support.microsoft.com/topic/f68974f6-bfdd-44f4-9659-bf2d8a696c26)| 11.3.0.0 | April 7, 2021 | Supported - Agent version expires on March 28, 2022 |

-| V11.2 Release - [KB4539952](https://support.microsoft.com/topic/azure-file-sync-agent-v11-2-release-february-2021-c956eaf0-cd8e-4511-98c0-e5a1f2c84048)| 11.2.0.0 | February 2, 2021 | Supported - Agent version expires on March 28, 2022 |

-| V11.1 Release - [KB4539951](https://support.microsoft.com/help/4539951)| 11.1.0.0 | November 4, 2020 | Supported - Agent version expires on March 28, 2022 |

-## Agent version 11.3.0.0

-The following release notes are for version 11.3.0.0 of the Azure File Sync agent released April 7, 2021. These notes are in addition to the release notes listed for version 11.1.0.0.

-### Improvements and issues that are fixed

-Fixed a bug that causes data corruption if cloud tiering is enabled and tiered files are copied using Robocopy with the /B parameter.

-## Agent version 11.2.0.0

-The following release notes are for version 11.2.0.0 of the Azure File Sync agent released February 2, 2021. These notes are in addition to the release notes listed for version 11.1.0.0.

-### Improvements and issues that are fixed

-

- - To add a server endpoint path that's allowed, run the following PowerShell commands on the server:

- ```powershell

- Import-Module 'C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll' -verbose

- Add-StorageSyncAllowedServerEndpointPath -Path <path>

- ```

- - To get the list of supported paths, run the following PowerShell command:

-

- ```powershell

- Get-StorageSyncAllowedServerEndpointPath

- ```

- - To remove a path, run the following PowerShell command:

-

- ```powershell

- Remove-StorageSyncAllowedServerEndpointPath -Path <path>

- ```

-## Agent version 11.1.0.0

-The following release notes are for version 11.1.0.0 of the Azure File Sync agent (released November 4, 2020).

-### Improvements and issues that are fixed

- - Initial download mode: you can now choose how you want your files to be initially downloaded onto your new server endpoint. Want all your files tiered or as many files as possible downloaded onto your server by last modified timestamp? You can do that! Can't use cloud tiering? You can now opt to avoid tiered files on your system. To learn more, see [Create a server endpoint](../file-sync/file-sync-deployment-guide.md?tabs=azure-portal%252cproactive-portal#create-a-server-endpoint) section in the Deploy Azure File Sync documentation.

- - Proactive recall mode: whenever a file is created or modified, you can proactively recall it to servers that you specify within the same sync group. This makes the file readily available for consumption in each server you specified. Have teams across the globe working on the same data? Enable proactive recalling so that when the team arrives the next morning, all the files updated by a team in a different time zone are downloaded and ready to go! To learn more, see [Proactively recall new and changed files from an Azure file share](../file-sync/file-sync-deployment-guide.md?tabs=azure-portal%252cproactive-portal#proactively-recall-new-and-changed-files-from-an-azure-file-share) section in the Deploy Azure File Sync documentation.

- You can now exclude applications from last access time tracking. When an application accesses a file, the last access time for the file is updated in the cloud tiering database. Applications that scan the file system like anti-virus cause all files to have the same last access time which impacts when files are tiered.

- To exclude applications from last access time tracking, add the process name to the HeatTrackingProcessNameExclusionList registry setting which is located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure\StorageSync.

- Example: reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure\StorageSync" /v HeatTrackingProcessNameExclusionList /t REG_MULTI_SZ /d "SampleApp.exe\0AnotherApp.exe" /f

- > [!Note]

- > Data Deduplication and File Server Resource Manager (FSRM) processes are excluded by default (hard coded) and the process exclusion list is refreshed every 5 minutes.

- - Improved change detection performance to detect files that have changed in the Azure file share.

- - Improved sync upload performance.

- - Initial upload is now performed from a VSS snapshot which reduces per-item errors and sync session failures.

- - Sync reliability improvements for certain I/O patterns.

- - Fixed a bug to prevent the sync database from going back-in-time on failover clusters when a failover occurs.

- - Improved recall performance when accessing a tiered file.

-### Evaluation Tool

-Before deploying Azure File Sync, you should evaluate whether it is compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](../file-sync/file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

-### Agent installation and server configuration

-For more information on how to install and configure the Azure File Sync agent with Windows Server, see [Planning for an Azure File Sync deployment](../file-sync/file-sync-planning.md) and [How to deploy Azure File Sync](../file-sync/file-sync-deployment-guide.md).

-### Interoperability

-### Sync limitations

-The following items don't sync, but the rest of the system continues to operate normally:

- > [!Note]

- > Azure File Sync always encrypts data in transit. Data is always encrypted at rest in Azure.

-

-### Server endpoint

-### Cloud endpoint

- > [!Note]

- > When creating the cloud endpoint, the storage sync service and storage account must be in the same Azure AD tenant. Once the cloud endpoint is created, the storage sync service and storage account can be moved to different Azure AD tenants.

-### Cloud tiering

- > [!Warning]

- > Robocopy /B switch is not supported with Azure File Sync. Using the Robocopy /B switch with an Azure File Sync server endpoint as the source may lead to file corruption.

-While the serverless SQL endpoint and development endpoint only accept TLS 1.2 and above, the "Workspace Managed Sql Server Dedicated SQL Minimal" API allows connections using all TLS versions. Starting in December 2021, a requirement for TLS 1.2 has been implemented for new Synapse workspaces only. Login attempts to the newly created Synapse workspace from connections using a TLS version lower than 1.2 will fail.

-Customers can now raise or lower the workspace managed SQL server dedicated SQL minimal TLS version using API for both new Synapse workspaces or existing workspaces. Users previously using lower client version in the new workspace which enforces min1.2 can now lower the TLS version. And customers who have existing workspaces now can raise the minTLS version to meet their security needs. Learn more by reading [minTLS REST API](/rest/api/synapse/sqlserver/workspace-managed-sql-server-dedicated-sql-minimal-tls-settings/update).

-||||

->- Learn how to create a security group in [this article](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).

->- Learn how to add a security group from another security group in [this article](../../active-directory/fundamentals/active-directory-groups-membership-azure-portal.md).

-To create SQL pools, Apache Spark pools and Integration runtimes, users must have at least Azure Contributor role at the workspace. The contributor role also allows these users to manage the resources, including pausing and scaling. If you're using Azure portal or Synapse Studio to create SQL pools, Apache Spark pools and Integration runtimes, then you need Azure Contributor role at the resource group level.

-The workspace creator is automatically set up as the SQL Active Directory Admin for the workspace. Only a single user or group can be granted this role. In this step, you assign the SQL Active Directory Admin on the workspace to the `workspace1_SQLAdmins` security group. Assigning this role gives this group highly privileged admin access to all SQL pools and databases in the workspace.

-## Conclusion

-az ad sp create-for-rbac --name <service_principal_name> --role Contributor

-az ad sp create-for-rbac --name <service_principal_name> --role Contributor

- One Azure Active Directory account, either an individual or security group account, can also be configured as an administrator. It's optional to configure an Azure AD administrator, but an Azure AD administrator **must** be configured if you want to use Azure AD accounts to connect to Synapse SQL.

-> - You can only deploy the scaling plan to US and European regions.

-Schedules let you define when autoscale activates ramp-up and ramp-down modes throughout the day. In each phase of the schedule, autoscale only turns off VMs when a session host has no sessions active. The default values you'll see when you try to create a schedule are the suggested values for weekdays, but you can change them as needed.

- - [Windows 10, version 2004 or later 02C 2022 LXP ISO](https://software-download.microsoft.com/download/sg/LanguageExperiencePack.2202C.iso)

- - [Windows 10, version 2004 or later 03C 2022 LXP ISO](https://software-download.microsoft.com/download/sg/LanguageExperiencePack.2203C.iso)

- Last updated 08/26/2021

-Creation of the snapshots alone might not be sufficient for disaster recovery. You must also copy the snapshots to another region. Please review the instructions in [Copy Azure Managed Disks backups to another region with differential capability of incremental snapshots](https://github.com/Azure-Samples/managed-disks-dotnet-backup-with-incremental-snapshots)

-$diskName = "yourDiskNameHere>"

-## Cross-region snapshot copy (preview)

-You can use the CopyStart option (preview) to initiate a copy of incremental snapshots from one region to any region of your choice. Azure handles the process of copying the incremental snapshots and ensures that only delta changes since the last snapshot are copied to the target region, reducing the data footprint. Customers can check the progress of the copy so they can know when a target snapshot is ready to restore disks in the target region. You can use this process to copy snapshots to another subscription for long-term retention. You can also use this to copy snapshots in the same region, to ensure that snapshots are fully hardened on [zone-redundant storage](disks-redundancy.md#zone-redundant-storage-for-managed-disks) and ensure that snapshots are available in the event of a zonal failure.

-### Pre-requisites

-You need to enable the feature on your subscription to use the preview feature. Use the following command to register the feature:

-```azurecli

-az feature register --namespace Microsoft.Compute --name CreateOptionClone

-```

-It may take a few minutes for registration to complete, you can use the following command to check its status:

-```azurecli

-az feature show --namespace Microsoft.Compute --name CreateOptionClone

-```

-### Restrictions

-### Get started

-az login

-az account set --subscription $subscriptionId

-az deployment group create -g $resourceGroupName \

-az resource show -n $name -g $resourceGroupName --namespace Microsoft.Compute --resource-type snapshots --api-version 2020-12-01 --query [properties.completionPercent] -o tsv

-* [B-series](sizes-b-series-burstable.md)

-* [DCsv2-series](dcv2-series.md)

-* [DSv2-series](dv2-dsv2-series.md)

-* [Dsv3-series](dv3-dsv3-series.md)

-* [Dsv4-series](dv4-dsv4-series.md)

-* [Dasv4-series](dav4-dasv4-series.md)

-* [Ddsv4-series](ddv4-ddsv4-series.md)

-* [Dasv5-series](dasv5-dadsv5-series.md)

-* [Dadsv5-series](dasv5-dadsv5-series.md)

-* [DCasv5-series](dcasv5-dcadsv5-series.md)

-* [DCadsv5-series](dcasv5-dcadsv5-series.md)

-* [Dv5-series](dv5-dsv5-series.md)

-* [Dsv5-series](dv5-dsv5-series.md)

-* [Esv3-series](ev3-esv3-series.md)

-* [Esv4-series](ev4-esv4-series.md)

-* [Easv4-series](eav4-easv4-series.md)

-* [Edsv4-series](edv4-edsv4-series.md)

-* [Easv5-series](easv5-eadsv5-series.md)

-* [Eadsv5-series](easv5-eadsv5-series.md)

-* [ECasv5-series](ecasv5-ecadsv5-series.md)

-* [ECadsv5-series](ecasv5-ecadsv5-series.md)

-* [Edv5-series](edv5-edsv5-series.md)

-* [Edsv5-series](edv5-edsv5-series.md)

-* [Ev5-series](ev5-esv5-series.md)

-* [Esv5-series](ev5-esv5-series.md)

-* [Fsv2-series](fsv2-series.md)

-* [GS-series](sizes-previous-gen.md#gs-series)

-* [HB-series](hb-series.md)

-* [HC-series](hc-series.md)

-* [Ls-series](sizes-previous-gen.md#ls-series)

-* [Lsv2-series](lsv2-series.md)

-* [M-series](m-series.md)

-* [Mv2-series](mv2-series.md)¹

-* [Msv2 and Mdsv2 Medium Memory Series](msv2-mdsv2-series.md)¹

-* [NCv2-series](ncv2-series.md)

-* [NCv3-series](ncv3-series.md)

-* [ND-series](nd-series.md)

-* [ND A100 v4-series](nda100-v4-series.md)

-* [NDv2-series](ndv2-series.md)

-* [NVv3-series](nvv3-series.md)

-* [NVv4-series](nvv4-series.md)

-* [NCasT4_v3-series](nct4-v3-series.md)

-* [NDm A100 v4-series](ndm-a100-v4-series.md)

-Learn about [generation 2 virtual machines in Hyper-V](/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v).

-To try out the Azure Image Builder, see the articles for building [Linux](./linux/image-builder.md) or [Windows](./windows/image-builder.md) images.

-az ad sp create-for-rbac --role Contributor --query "{ client_id: appId, client_secret: password, tenant_id: tenant }"

- az ad sp create-for-rbac --name "ServicePrincipalName" --password "My-AAD-client-secret" --role Contributor

- az ad sp create-for-rbac --name "ServicePrincipalName" --password "My-AAD-client-secret" --role Contributor

-imageResourceGroup=myWinImgBuilderRG

-location=WestUS2

-runOutputName=aibWindows

-imageName=aibWinImage

-Azure Front Door introduces [two new SKUs in preview](../../frontdoor/standard-premium/overview.md): Front Door Standard and Front Door Premium SKU. WAF is natively integrated with Front Door Premium SKU with full capabilities. For Front Door Standard SKU, only [custom rules](#custom-authored-rules) are supported.

-### Bot protection rule set (preview)

-> [!IMPORTANT]

-> The Bot protection rule set is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details.

-# Configure bot protection for Web Application Firewall (Preview)

-> [!IMPORTANT]

-> Bot protection rule set is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details.