-The authorization code flow begins with the client directing the user to the `/authorize` endpoint. This is the interactive part of the flow, where the user takes action. In this request, the client indicates in the `scope` parameter the permissions that it needs to acquire from the user. The following three examples (with line breaks for readability) each use a different user flow. If you're testing this GET HTTP request, use your browser.

-| code_challenge | recommended / required | Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). Required if `code_challenge_method` is included. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is now recommended for all application types - native apps, SPAs, and confidential clients like web apps. |

-| `code_challenge_method` | recommended / required | The method used to encode the `code_verifier` for the `code_challenge` parameter. This *SHOULD* be `S256`, but the spec allows the use of `plain` if for some reason the client cannot support SHA256. <br/><br/>If excluded, `code_challenge` is assumed to be plaintext if `code_challenge` is included. Microsoft identity platform supports both `plain` and `S256`. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is required for [single page apps using the authorization code flow](tutorial-register-spa.md).|

-| code |Required |The authorization code that you acquired in the first leg of the flow. |

-| code_verifier | recommended | The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). |

-12. The browser will be redirected to the BindID login page. Enter the account name registered during User registration. The user will receive a push notification to the registered user mobile device for a Fast Identity Online (FIDO2) certified authentication. It can be a user finger print, biometric or decentralized pin.

-To determine which policy was used to sign a token (and where to go to request the metadata), you have two options. First, the policy name is included in the `tfp` (default) or `acr` claim (as configured) in the token. You can parse claims out of the body of the JWT by base-64 decoding the body and deserializing the JSON string that results. The `tfp` or `acr` claim is the name of the policy that was used to issue the token. The other option is to encode the policy in the value of the `state` parameter when you issue the request, and then decode it to determine which policy was used. Either method is valid.

-## November 2021

-### Updated articles

-## October 2021

-### New articles

-### Updated articles

-## September 2021

-### Updated articles

-## August 2021

-### New articles

-### Updated articles

-## July 2021

-### New articles

-### Updated articles

-## June 2021

-### New articles

-### Updated articles

-## May 2021

-### New articles

-### Updated articles

-## April 2021

-### New articles

-### Updated articles

-## March 2021

-### New articles

-### Updated articles

-## February 2021

-### New articles

-### Updated articles

->

->

-Support for Active Directory Authentication Library (ADAL) will end on June 30, 2022. Apps using ADAL on existing OS versions will continue to work, but technical support and security updates will end. Without continued security updates, apps using ADAL will become increasingly vulnerable to the latest security attack patterns. This article provides guidance on how to use Azure Monitor workbooks to obtain a list of all apps that use ADAL in your tenant.

-> If you choose not to migrate to MSAL before ADAL support ends on June 30, 2022, you put your app's security at risk. Existing apps that use ADAL will continue to work after the end-of-support date, but Microsoft will no longer release security fixes on ADAL.

-|Security fixes beyond June 30, 2022|![Security fixes beyond June 30, 2022 - MSAL provides the feature][y]|![Security fixes beyond June 30, 2022 - ADAL doesn't provide the feature][n]|

-| `response_mode` | recommended | Specifies the method that should be used to send the resulting token back to your app. It can be one of the following values:<br/><br/>- `query`<br/>- `fragment`<br/>- `form_post`<br/><br/>`query` provides the code as a query string parameter on your redirect URI. If you're requesting an ID token using the implicit flow, you can't use `query` as specified in the [OpenID spec](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations). If you're requesting just the code, you can use `query`, `fragment`, or `form_post`. `form_post` executes a POST containing the code to your redirect URI. |

-|`response_mode`| recommended | Specifies the method that should be used to send the resulting token back to your app. Default value is `query` for just an authorization code, but `fragment` if the request includes an `id_token` `response_type`. We recommend apps use `form_post`, especially when using `http://localhost` as a redirect URI. |

-This article explains how the local administrators membership update works and how you can customize it during an Azure AD Join. The content of this article doesn't apply to a **hybrid Azure AD joined** devices.

-[Configure cross-tenant access settings for B2B collaboration](cross-tenant-access-settings-b2b-collaboration.md)

-If your organization uses the accountExpires attribute as part of user account management, this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. We recommend that if the account is expired, a workflow action should trigger a PowerShell script that disables the user's Azure AD account (use the [Set-AzureADUser](/powershell/module/azuread/set-azureaduser) cmdlet). Conversely, when the account is turned on, the Azure AD instance should be turned on.

-As our AD infrastructure is based on a .com domain suffix used both, internally and externally, we donΓÇÖt require any additional attributes to achieve a functional KCD SSO implementation. See the [advanced tutorial](f5-big-ip-kerberos-advanced.md) for cases where you have multiple domains or userΓÇÖs login using an alternate suffix.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Allocadia

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Allocadia supports **IDP** initiated SSO

-* Allocadia supports **Just In Time** user provisioning

-## Adding Allocadia from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for Allocadia

-To configure and test Azure AD SSO with Allocadia, complete the following building blocks:

- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

- * **[Create Allocadia test user](#create-allocadia-test-user)** - to have a counterpart of B.Simon in Allocadia that is linked to the Azure AD representation of user.

-1. In the [Azure portal](https://portal.azure.com/), on the **Allocadia** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:

- a. In the **Identifier** text box, type a URL using the following pattern:

- For test environment - `https://na2standby.allocadia.com`

- For production environment - `https://na2.allocadia.com`

- b. In the **Reply URL** text box, type a URL using the following pattern:

- For test environment - `https://na2standby.allocadia.com/allocadia/saml/SSO`

- For production environment - `https://na2.allocadia.com/allocadia/saml/SSO`

- > [!NOTE]

- > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Allocadia Client support team](mailto:support@allocadia.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- | | |

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Allocadia tile in the Access Panel, you should be automatically signed in to the Allocadia for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-## Setup Meta Networks Connector for provisioning

-2. Click on the plus sign on the upper right side of the screen to create a new **API Key**.

-3. Set the **API Key Name** and **API Key Description**.

-4. Turn on **Write** privileges for **Groups** and **Users**.

-5. Click on **Add**. Copy the **SECRET** and save it as this will be the only time you can view it. This value will be entered in the Secret Token field in the Provisioning tab of your Meta Networks Connector application in the Azure portal.

-6. Add an IdP by navigating to **Administration > Settings > IdP > Create New**.

-7. In the **IdP Configuration** page you can **Name** your IdP configuration and choose an **Icon**.

-8. Under **Configure SCIM** select the API key name created in the previous steps. Click on **Save**.

-9. Navigate to **Administration > Settings > IdP tab**. Click on the name of the IdP configuration created in the previous steps to view the **IdP ID**. This **ID** is added to the end of **Tenant URL** while entering the value in **Tenant URL** field in the Provisioning tab of your Meta Networks Connector application in the Azure portal.

-## Add Meta Networks Connector from the gallery

-Before configuring Meta Networks Connector for automatic user provisioning with Azure AD, you need to add Meta Networks Connector from the Azure AD application gallery to your list of managed SaaS applications.

-**To add Meta Networks Connector from the Azure AD application gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Azure Active Directory**.

- 

-2. Go to **Enterprise applications**, and then select **All applications**.

- 

-3. To add a new application, select the **New application** button at the top of the pane.

- 

-4. In the search box, enter **Meta Networks Connector**, select **Meta Networks Connector** in the results panel, and then click the **Add** button to add the application.

- 

-## Configuring automatic user provisioning to Meta Networks Connector

-2. In the applications list, select **Meta Networks Connector**.

-3. Select the **Provisioning** tab.

-4. Set the **Provisioning Mode** to **Automatic**.

-5. Under the **Admin Credentials** section, input `https://api.metanetworks.com/v1/scim/<IdP ID>` in **Tenant URL**. Input the **SCIM Authentication Token** value retrieved earlier in **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to Meta Networks Connector. If the connection fails, ensure your Meta Networks Connector account has Admin permissions and try again.

-6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**.

-7. Click **Save**.

-8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Meta Networks Connector**.

-9. Review the user attributes that are synchronized from Azure AD to Meta Networks Connector in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Meta Networks Connector for update operations. Select the **Save** button to commit any changes.

- 

-10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Meta Networks Connector**.

-11. Review the group attributes that are synchronized from Azure AD to Meta Networks Connector in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Meta Networks Connector for update operations. Select the **Save** button to commit any changes.

- 

-12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-13. To enable the Azure AD provisioning service for Meta Networks Connector, change the **Provisioning Status** to **On** in the **Settings** section.

-14. Define the users and/or groups that you would like to provision to Meta Networks Connector by choosing the desired values in **Scope** in the **Settings** section.

-15. When you are ready to provision, click **Save**.

-For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md).

-## Additional resources

-* When assigning users and groups to Oracle Cloud Infrastructure Console, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.

-# Tutorial: Azure Active Directory integration with Reviewsnap

-In this tutorial, you learn how to integrate Reviewsnap with Azure Active Directory (Azure AD).

-Integrating Reviewsnap with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Reviewsnap.

-* You can enable your users to be automatically signed-in to Reviewsnap (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)

-* Reviewsnap single sign-on enabled subscription

-* Reviewsnap supports **SP and IDP** initiated SSO

-## Adding Reviewsnap from the gallery

-To configure the integration of Reviewsnap into Azure AD, you need to add Reviewsnap from the gallery to your list of managed SaaS apps.

-**To add Reviewsnap from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **Reviewsnap**, select **Reviewsnap** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Reviewsnap based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Reviewsnap needs to be established.

-To configure and test Azure AD single sign-on with Reviewsnap, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Reviewsnap Single Sign-On](#configure-reviewsnap-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Reviewsnap test user](#create-reviewsnap-test-user)** - to have a counterpart of Britta Simon in Reviewsnap that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Reviewsnap, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Reviewsnap** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- a. In the **Identifier** text box, type a URL:

- 

- In the **Sign-on URL** text box, type a URL:

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Reviewsnap Single Sign-On

-To configure single sign-on on **Reviewsnap** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Reviewsnap support team](mailto:support@reviewsnap.com). They set this setting to have the SAML SSO connection set properly on both sides.

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`

- For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Reviewsnap.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Reviewsnap**.

- 

-2. In the applications list, select **Reviewsnap**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Create Reviewsnap test user

-In this section, you create a user called Britta Simon in Reviewsnap. Work with [Reviewsnap support team](mailto:support@reviewsnap.com) to add the users in the Reviewsnap platform. Users must be created and activated before you use single sign-on.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Reviewsnap tile in the Access Panel, you should be automatically signed in to the Reviewsnap for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Azure Active Directory integration with RolePoint

-In this tutorial, you'll learn how to integrate RolePoint with Azure Active Directory (Azure AD).

-This integration provides these benefits:

-* You can use Azure AD to control who has access to RolePoint.

-* You can enable your users to be automatically signed in to RolePoint (single sign-on) with their Azure AD accounts.

-* You can manage your accounts in one central location: the Azure portal.

-To learn more about SaaS app integration with Azure AD, see [Single sign-on to applications in Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-To set up the integration of RolePoint into Azure AD, you need to add RolePoint from the gallery to your list of managed SaaS apps.

-1. In the [Azure portal](https://portal.azure.com), in the left pane, select **Azure Active Directory**:

- 

-2. Go to **Enterprise applications** > **All applications**:

- 

-3. To add an application, select **New application** at the top of the window:

- 

-4. In the search box, enter **RolePoint**. Select **RolePoint** in the search results and then select **Add**.

- 

-## Configure and test Azure AD single sign-on

-In this section, you'll configure and test Azure AD single sign-on with RolePoint by using a test user named Britta Simon.

-To enable single sign-on, you need to establish a relationship between an Azure AD user and the corresponding user in RolePoint.

-To configure and test Azure AD single sign-on with RolePoint, you need to complete these steps:

-1. **[Configure Azure AD single sign-on](#configure-azure-ad-single-sign-on)** to enable the feature for your users.

-2. **[Configure RolePoint single sign-on](#configure-rolepoint-single-sign-on)** on the application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable Azure AD single sign-on for the user.

-5. **[Create a RolePoint test user](#create-a-rolepoint-test-user)** that's linked to the Azure AD representation of the user.

-6. **[Test single sign-on](#test-single-sign-on)** to verify that the configuration works.

-### Configure Azure AD single sign-on

-In this section, you'll enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with RolePoint, take these steps:

-1. In the [Azure portal](https://portal.azure.com/), on the RolePoint application integration page, select **Single sign-on**:

- 

-2. In the **Select a single sign-on method** dialog box, select **SAML/WS-Fed** mode to enable single sign-on:

- 

-3. On the **Set up Single Sign-On with SAML** page, select the **Edit** icon to open the **Basic SAML Configuration** dialog box:

- 

-4. In the **Basic SAML Configuration** dialog box, take the following steps.

- 

- 1. In the **Sign on URL** box, enter a URL in this pattern:

- `https://<subdomain>.rolepoint.com/login`

- 1. In the **Identifier (Entity ID)** box, enter a URL in this pattern:

- `https://app.rolepoint.com/<instancename>`

- > These values are placeholders. You need to use the actual sign-on URL and identifier. We suggest that you use a unique string value in the identifier. Contact the [RolePoint support team](mailto:info@rolepoint.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** dialog box in the Azure portal.

- 1. **Login URL**.

- 1. **Azure AD Identifier**.

- 1. **Logout URL**.

-### Configure RolePoint single sign-on

-To set up single sign-on on the RolePoint side, you need to work with the [RolePoint support team](mailto:info@rolepoint.com). Send this team the Federation Metadata XML file and the URLs that you got from the Azure portal. They'll configure RolePoint to ensure the SAML SSO connection is set properly on both sides.

-In this section, you'll create a test user named Britta Simon in the Azure portal.

-1. In the Azure portal, select **Azure Active Directory** in the left pane, select **Users**, and then select **All users**:

- 

-2. Select **New user** at the top of the window:

- 

-3. In the **User** dialog box, take the following steps.

- 

- 1. In the **Name** box, enter **BrittaSimon**.

-

- 1. In the **User name** box, enter **BrittaSimon@\<yourcompanydomain>.\<extension>**. (For example, BrittaSimon@contoso.com.)

- 1. Select **Show Password**, and then write down the value that's in the **Password** box.

- 1. Select **Create**.

-In this section, you'll enable Britta Simon to use Azure single sign-on by granting her access to RolePoint.

-1. In the Azure portal, select **Enterprise applications**, select **All applications**, and then select **RolePoint**.

- 

-2. In the list of applications, select **RolePoint**.

- 

-3. In the left pane, select **Users and groups**:

- 

-4. Select **Add user**, and then select **Users and groups** in the **Add Assignment** dialog box.

- 

-5. In the **Users and groups** dialog box, select **Britta Simon** in the users list, and then click the **Select** button at the bottom of the window.

-6. If you expect a role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list. Click the **Select** button at the bottom of the window.

-7. In the **Add Assignment** dialog box, select **Assign**.

-### Create a RolePoint test user

-### Test single sign-on

-Now you need to test your Azure AD single sign-on configuration by using the Access Panel.

-When you select the RolePoint tile in the Access Panel, you should be automatically signed in to the RolePoint instance for which you set up SSO. For more information about the Access Panel, see [Access and use apps on the My Apps portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory integration with Shuccho Navi

-In this tutorial, you learn how to integrate Shuccho Navi with Azure Active Directory (Azure AD).

-Integrating Shuccho Navi with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Shuccho Navi.

-* You can enable your users to be automatically signed-in to Shuccho Navi (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-To configure Azure AD integration with Shuccho Navi, you need the following items:

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)

-* Shuccho Navi single sign-on enabled subscription

-* Shuccho Navi supports **SP** initiated SSO

-## Adding Shuccho Navi from the gallery

-To configure the integration of Shuccho Navi into Azure AD, you need to add Shuccho Navi from the gallery to your list of managed SaaS apps.

-**To add Shuccho Navi from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **Shuccho Navi**, select **Shuccho Navi** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Shuccho Navi based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Shuccho Navi needs to be established.

-To configure and test Azure AD single sign-on with Shuccho Navi, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Shuccho Navi Single Sign-On](#configure-shuccho-navi-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Shuccho Navi test user](#create-shuccho-navi-test-user)** - to have a counterpart of Britta Simon in Shuccho Navi that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Shuccho Navi, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Shuccho Navi** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

-4. On the **Basic SAML Configuration** section, perform the following steps:

- 

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Shuccho Navi Single Sign-On

-To configure single sign-on on **Shuccho Navi** side, you need to send the downloaded **Metadata XML** and appropriate copied URLs from Azure portal to [Shuccho Navi support team](mailto:sys_ntabtm@nta.co.jp). They set this setting to have the SAML SSO connection set properly on both sides.

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**

- For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Shuccho Navi.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Shuccho Navi**.

- 

-2. In the applications list, select **Shuccho Navi**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog, click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Shuccho Navi tile in the Access Panel, you should be automatically signed in to the Shuccho Navi for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Azure Active Directory integration with Soonr Workplace

-In this tutorial, you learn how to integrate Soonr Workplace with Azure Active Directory (Azure AD).

-Integrating Soonr Workplace with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Soonr Workplace.

-* You can enable your users to be automatically signed-in to Soonr Workplace (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)

-* Soonr Workplace single sign-on enabled subscription

-* Soonr Workplace supports **SP and IDP** initiated SSO

-## Adding Soonr Workplace from the gallery

-**To add Soonr Workplace from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add a new application, click the **New application** button at the top of the dialog.

- 

-4. In the search box, type **Soonr Workplace**, select **Soonr Workplace** from the result panel then click the **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Soonr Workplace based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Soonr Workplace needs to be established.

-To configure and test Azure AD single sign-on with Soonr Workplace, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Soonr Workplace Single Sign-On](#configure-soonr-workplace-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Soonr Workplace test user](#create-soonr-workplace-test-user)** - to have a counterpart of Britta Simon in Soonr Workplace that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Soonr Workplace, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Soonr Workplace** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- 

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Soonr Workplace Single Sign-On

-To configure single sign-on on **Soonr Workplace** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Soonr Workplace support team](https://awp.autotask.net/help/). They set this setting to have the SAML SSO connection set properly on both sides.

-> [!Note]

-> If you require assistance with configuring Autotask Workplace, please see [this page](https://awp.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to get assistance with your Workplace account.

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Soonr Workplace.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Soonr Workplace**.

- 

-2. In the applications list, select **Soonr Workplace**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Create Soonr Workplace test user

-In this section, you create a user called Britta Simon in Soonr Workplace. Work with [Soonr Workplace support team](https://awp.autotask.net/help/) to add the users in the Soonr Workplace platform. Users must be created and activated before you use single sign-on.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Soonr Workplace tile in the Access Panel, you should be automatically signed in to the Soonr Workplace for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory integration with TonicDM

-In this tutorial, you learn how to integrate TonicDM with Azure Active Directory (Azure AD).

-Integrating TonicDM with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to TonicDM.

-* You can enable your users to be automatically signed-in to TonicDM (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)

-* TonicDM single sign-on enabled subscription

-* TonicDM supports **SP** initiated SSO

-* TonicDM supports **Just In Time** user provisioning

-## Adding TonicDM from the gallery

-To configure the integration of TonicDM into Azure AD, you need to add TonicDM from the gallery to your list of managed SaaS apps.

-**To add TonicDM from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **TonicDM**, select **TonicDM** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with TonicDM based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in TonicDM needs to be established.

-To configure and test Azure AD single sign-on with TonicDM, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure TonicDM Single Sign-On](#configure-tonicdm-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create TonicDM test user](#create-tonicdm-test-user)** - to have a counterpart of Britta Simon in TonicDM that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with TonicDM, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **TonicDM** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- a. In the **Sign on URL** text box, type a URL:

- b. In the **Identifier (Entity ID)** text box, type a URL:

- `https://tonicdm.com/saml/metadata`

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure TonicDM Single Sign-On

-To configure single sign-on on **TonicDM** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [TonicDM support team](mailto:support@tonicdm.com). They set this setting to have the SAML SSO connection set properly on both sides.

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to TonicDM.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **TonicDM**.

- 

-2. In the applications list, select **TonicDM**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the TonicDM tile in the Access Panel, you should be automatically signed in to the TonicDM for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Integrate Way We Do with Azure Active Directory

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-To get started, you need the following items:

-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).

-* Way We Do single sign-on (SSO) enabled subscription.

-* Way We Do supports **SP** initiated SSO

-* Way We Do supports **Just In Time** user provisioning

-## Adding Way We Do from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on

-To configure and test Azure AD SSO with Way We Do, complete the following building blocks:

-2. **[Configure Way We Do SSO](#configure-way-we-do-sso)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Way We Do test user](#create-way-we-do-test-user)** - to have a counterpart of Britta Simon in Way We Do that is linked to the Azure AD representation of user.

-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.

-### Configure Azure AD SSO

-1. In the [Azure portal](https://portal.azure.com/), on the **Way We Do** application integration page, find the **Manage** section and select **Single sign-on**.

-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Basic SAML Configuration** page, enter the values for the following fields:

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- `https://<SUBDOMAIN>.waywedo.com/Authentication/ExternalSignIn`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Way We Do Client support team](mailto:support@waywedo.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-### Configure Way We Do SSO

- 

- 

- 

-### Create an Azure AD test user

-In this section, you'll create a test user in the Azure portal called B.Simon.

-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

-1. Select **New user** at the top of the screen.

-1. In the **User** properties, follow these steps:

- 1. In the **Name** field, enter `B.Simon`.

- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

- 1. Click **Create**.

-### Assign the Azure AD test user

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Way We Do.

-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

-1. In the applications list, select **Way We Do**.

-1. In the app's overview page, find the **Manage** section and select **Users and groups**.

- 

-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

- 

-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

-1. In the **Add Assignment** dialog, click the **Assign** button.

-### Test SSO

-When you select the Way We Do tile in the Access Panel, you should be automatically signed in to the Way We Do for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Azure Active Directory integration with Zwayam

-In this tutorial, you learn how to integrate Zwayam with Azure Active Directory (Azure AD).

-Integrating Zwayam with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Zwayam.

-* You can enable your users to be automatically signed-in to Zwayam (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)

-* Zwayam single sign-on enabled subscription

-* Zwayam supports **SP** initiated SSO

-## Adding Zwayam from the gallery

-To configure the integration of Zwayam into Azure AD, you need to add Zwayam from the gallery to your list of managed SaaS apps.

-**To add Zwayam from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **Zwayam**, select **Zwayam** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Zwayam based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Zwayam needs to be established.

-To configure and test Azure AD single sign-on with Zwayam, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Zwayam Single Sign-On](#configure-zwayam-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Zwayam test user](#create-zwayam-test-user)** - to have a counterpart of Britta Simon in Zwayam that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Zwayam, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Zwayam** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- b. In the **Identifier (Entity ID)** text box, type a URL:

- `https://sso.zwayam.com/zwayam-saml/saml/metadata`

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Zwayam Single Sign-On

-To configure single sign-on on **Zwayam** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Zwayam support team](mailto:opendoors@zwayam.com). They set this setting to have the SAML SSO connection set properly on both sides.

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Zwayam.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Zwayam**.

- 

-2. In the applications list, select **Zwayam**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Zwayam tile in the Access Panel, you should be automatically signed in to the Zwayam for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-| Europe | https://beta.eu.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request |

-| Non-EU | https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request |

-## How to access cost recommendations in Azure Advisor

-## Optimize spend for MariaDB, MySQL, and PostgreSQL servers by right-sizing

-Advisor analyses your usage and evaluates whether your MariaDB, MySQL, or PostgreSQL database server resources have been underutilized for an extended time over the past seven days. Low resource utilization results in unwanted expenditure that you can fix without significant performance impact. To reduce your costs and efficiently manage your resources, we recommend that you reduce the compute size (vCores) by half.

-## Reduce costs by eliminating unprovisioned ExpressRoute circuits

-Advisor identifies Azure ExpressRoute circuits that have been in the provider status of **Not provisioned** for more than one month. It recommends deleting the circuit if you aren't planning to provision the circuit with your connectivity provider.

-## Reduce costs by deleting or reconfiguring idle virtual network gateways

-Advisor identifies virtual network gateways that have been idle for more than 90 days. Because these gateways are billed hourly, you should consider reconfiguring or deleting them if you don't intend to use them anymore.

-## Buy reserved virtual machine instances to save money over pay-as-you-go costs

-Advisor reviews your virtual machine usage over the past 30 days to determine if you could save money by purchasing an Azure reservation. Advisor shows you the regions and sizes where the potential for savings is highest and the estimated savings from purchasing reservations. With Azure reservations, you can pre-purchase the base costs for your virtual machines. Discounts automatically apply to new or existing VMs that have the same size and region as your reservations. [Learn more about Azure Reserved VM Instances.](https://azure.microsoft.com/pricing/reserved-vm-instances/)

-Advisor also notifies you of your reserved instances that will expire in the next 30 days. It recommends that you purchase new reserved instances to avoid pay-as-you-go pricing.

-## Buy reserved instances for several resource types to save over your pay-as-you-go costs

-Advisor analyzes usage patterns for the past 30 days for the following resources and recommends reserved capacity purchases that optimize costs.

-### Azure Cosmos DB reserved capacity

-Advisor analyzes your Azure Cosmos DB usage patterns for the past 30 days and recommends reserved capacity purchases to optimize costs. By using reserved capacity, you can pre-purchase Azure Cosmos DB hourly usage and save over your pay-as-you-go costs. Reserved capacity is a billing benefit and automatically applies to new and existing deployments. Advisor calculates savings estimates for individual subscriptions by using 3-year reservation pricing and by extrapolating the usage patterns observed over the past 30 days. Shared scope recommendations are available for reserved capacity purchases and can increase savings.

-### SQL Database and SQL Managed Instance reserved capacity

-Advisor analyzes SQL Database and SQL Managed Instance usage patterns over the past 30 days. It then recommends reserved capacity purchases that optimize costs. By using reserved capacity, you can pre-purchase SQL DB hourly usage and save over your SQL compute costs. Your SQL license is charged separately and isn't discounted by the reservation. Reserved capacity is a billing benefit and automatically applies to new and existing deployments. Advisor calculates savings estimates for individual subscriptions by using 3-year reservation pricing and by extrapolating the usage patterns observed over the past 30 days. Shared scope recommendations are available for reserved capacity purchases and can increase savings. For details, see [Azure SQL Database & SQL Managed Instance reserved capacity](../azure-sql/database/reserved-capacity-overview.md).

-### App Service Stamp Fee reserved capacity

-Advisor analyzes the Stamp Fee usage pattern for your Azure App Service isolated environment over the past 30 days and recommends reserved capacity purchases that optimize costs. By using reserved capacity, you can pre-purchase hourly usage for the isolated environment Stamp Fee and save over your pay-as-you-go costs. Note that reserved capacity applies only to the Stamp Fee and not to App Service instances. Reserved capacity is a billing benefit and automatically applies to new and existing deployments. Advisor calculates saving estimates for individual subscriptions by using 3-year reservation pricing based on usage patterns over the past 30 days.

-### Blob storage reserved capacity

-Advisor analyzes your Azure Blob storage and Azure Data Lake storage usage over the past 30 days. It then calculates reserved capacity purchases that optimize costs. With reserved capacity, you can pre-purchase hourly usage and save over your current on-demand costs. Blob storage reserved capacity applies only to data stored on Azure Blob general-purpose v2 and Azure Data Lake Storage Gen2 accounts. Reserved capacity is a billing benefit and automatically applies to new and existing deployments. Advisor calculates savings estimates for individual subscriptions by using 3-year reservation pricing and the usage patterns observed over the past 30 days. Shared scope recommendations are available for reserved capacity purchases and can increase savings.

-### MariaDB, MySQL, and PostgreSQL reserved capacity

-Advisor analyzes your usage patterns for Azure Database for MariaDB, Azure Database for MySQL, and Azure Database for PostgreSQL over the past 30 days. It then recommends reserved capacity purchases that optimize costs. By using reserved capacity, you can pre-purchase MariaDB, MySQL, and PostgreSQL hourly usage and save over your current costs. Reserved capacity is a billing benefit and automatically applies to new and existing deployments. Advisor calculates savings estimates for individual subscriptions by using 3-year reservation pricing and the usage patterns observed over the past 30 days. Shared scope recommendations are available for reserved capacity purchases and can increase savings.

-### Azure Synapse Analytics reserved capacity

-Advisor analyzes your Azure Synapse Analytics usage patterns over the past 30 days and recommends reserved capacity purchases that optimize costs. By using reserved capacity, you can pre-purchase Synapse Analytics hourly usage and save over your on-demand costs. Reserved capacity is a billing benefit and automatically applies to new and existing deployments. Advisor calculates savings estimates for individual subscriptions by using 3-year reservation pricing and the usage patterns observed over the past 30 days. Shared scope recommendations are available for reserved capacity purchases and can increase savings.

-## Delete unassociated public IP addresses to save money

-Advisor identifies public IP addresses that aren't associated with Azure resources like load balancers and VMs. A nominal charge is associated with these public IP addresses. If you don't plan to use them, you can save money by deleting them.

-## Delete Azure Data Factory pipelines that are failing

-Advisor detects Azure Data Factory pipelines that repeatedly fail. It recommends that you resolve the problems or delete the pipelines if you don't need them. You're billed for these pipelines even if though they're not serving you while they're failing.

-## Use standard snapshots for managed disks

-To save 60% of cost, we recommend storing your snapshots in standard storage, regardless of the storage type of the parent disk. This option is the default option for managed disk snapshots. Advisor identifies snapshots that are stored in premium storage and recommends migrating then from premium to standard storage. [Learn more about managed disk pricing.](https://aka.ms/aa_manageddisksnapshot_learnmore)

-## Use lifecycle management

-By using intelligence about your Azure Blob storage object count, total size, and transactions, Advisor detects whether you should enable lifecycle management to tier data on one or more of your storage accounts. It prompts you to create lifecycle management rules to automatically tier your data to cool or archive storage to optimize your storage costs while retaining your data in Azure Blob storage for application compatibility.

-## Create an Ephemeral OS Disk recommendation

-[Ephemeral OS Disk](../virtual-machines/ephemeral-os-disks.md) allows you to:

-It's preferable to use Ephemeral OS Disk for short-lived IaaS VMs or VMs with stateless workloads. Advisor provides recommendations for resources that can benefit from Ephemeral OS Disk.

-## Reduce Azure Data Explorer table cache-period (policy) for cluster cost optimization (Preview)

-Advisor identifies resources where reducing the table cache policy will free up Azure Data Explorer cluster nodes having low CPU utilization, memory, and a high cache size configuration.

-## Configure manual throughput instead of autoscale on your Azure Cosmos DB database or container

-Based on your usage in the past 7 days, you can save by using manual throughput instead of autoscale. Manual throughput is more cost-effective when average utilization of your max throughput (RU/s) is greater than 66% or less than or equal to 10%. Cost savings amount represents potential savings from using the recommended manual throughput, based on usage in the past 7 days. Your actual savings may vary depending on the manual throughput you set and whether your average utilization of throughput continues to be similar to the time period analyzed. The estimated savings do not account for any discount that may apply to your account.

-## Enable autoscale on your Azure Cosmos DB database or container

-Based on your usage in the past 7 days, you can save by enabling autoscale. For each hour, we compared the RU/s provisioned to the actual utilization of the RU/s (what autoscale would have scaled to) and calculated the cost savings across the time period. Autoscale helps optimize your cost by scaling down RU/s when not in use.

-* [Advisor performance recommendations](advisor-performance-recommendations.md)

-* [Advisor reliability recommendations](advisor-high-availability-recommendations.md)

-* [Advisor operational excellence recommendations](advisor-operational-excellence-recommendations.md)

-* [Advisor cost recommendations](advisor-cost-recommendations.md)

-* [Advisor performance recommendations](advisor-performance-recommendations.md)

-* [Advisor reliability recommendations](advisor-high-availability-recommendations.md)

-* [Advisor operational excellence recommendations](advisor-operational-excellence-recommendations.md)

-For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/). TLS Bootstrapping is currently available in the following regions:

-* eastus2euap

-* centraluseuap

-* westcentralus

-* uksouth

-* eastus

-* australiacentral

-* australiaest

-description: Install Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on using Azure CLI

-# Install the Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on using Azure CLI

-This article shows you how to install the OSM add-on on an AKS cluster and verify it is installed and running.

-## Install the OSM AKS add-on on your cluster

-To install the OSM AKS add-on, use `--enable-addons open-service-mesh` when creating or updating a cluster.

-The following example creates a *myResourceGroup* resource group. Then creates a *myAKSCluster* cluster with a three nodes and the OSM add-on.

-For existing clusters, use `az aks enable-addons`. For example:

-Get the credentials for your AKS cluster using the `az aks get-credentials` command. The following example command gets the credentials for the *myAKSCluster* in the *myResourceGroup* resource group.

-## Verify the OSM add-on is installed on your cluster

-To see if the OSM add-on is enabled on your cluster, verify the *enabled* value shows a *true* for *openServiceMesh* under *addonProfiles*. The following example shows the status of the OSM add-on for the *myAKSCluster* in *myResourceGroup*.

-## Verify the OSM mesh is running on your cluster

-In addition to verifying the OSM add-on has been enabled on your cluster, you can also verify the version, status, and configuration of the OSM mesh running on your cluster.

-To verify the version of the OSM mesh running on your cluster, use `kubectl` to display the image version of the *osm-controller* deployment. For example:

-To verify the status of the OSM components running on your cluster, use `kubectl` to show the status of the *app.kubernetes.io/name=openservicemesh.io* deployments, pods, and services. For example:

-> If any pods have a status other than *Running*, such as *Pending*, your cluster may not have enough resources to run OSM. Review the sizing for your cluster, such as the number of nodes and the VM SKU, before continuing to use OSM on your cluster.

-The following sample output shows the configuration of an OSM mesh:

-The above example output shows `enablePermissiveTrafficPolicyMode: true`, which means OSM has a permissive traffic policy mode enabled. With permissive traffic mode enabled in your OSM mesh:

-When the cluster is no longer needed, use the `az group delete` command to remove the resource group, cluster, and all related resources.

-Alternatively, you can uninstall the OSM add-on and the related resources from your cluster. For more information, see [Uninstall the Open Service Mesh (OSM) add-on from your AKS cluster][osm-uninstall].

-This article showed you how to install the OSM add-on on an AKS cluster and verify it is installed and running. With the OSM add-on on your cluster you can [Deploy a sample application][osm-deploy-sample-app] or [Onboard an existing application][osm-onboard-app] to work with your OSM mesh.

-description: Deploy Open Service Mesh on Azure Kubernetes Service (AKS) using Bicep

-# Deploy Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on using Bicep

-This article will discuss how to deploy the OSM add-on to AKS using a [Bicep](../azure-resource-manager/bicep/index.yml) template.

-[Bicep](../azure-resource-manager/bicep/overview.md) is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. Bicep can be used in place of creating Azure [ARM](../azure-resource-manager/templates/overview.md) templates for deploying your infrastructure-as-code Azure resources.

-## Install the OSM AKS add-on for a new AKS cluster using Bicep

-For a new AKS cluster deployment scenario, start with a brand new deployment of an AKS cluster with the OSM add-on enabled at the cluster create operation. The following set of directions will use a generic Bicep template that deploys an AKS cluster using ephemeral disks, using the [`kubenet`](./configure-kubenet.md) CNI, and enabling the AKS OSM add-on. For more advanced deployment scenarios visit the [Bicep](../azure-resource-manager/bicep/overview.md) documentation.

-In Azure, you can associate related resources using a resource group. Create a resource group by using [az group create](/cli/azure/group#az_group_create). The following example is used to create a resource group named in a specified Azure location (region):

-Using Visual Studio Code with a bash terminal open, create a directory to store the necessary Bicep deployment files. The following example creates a directory named `bicep-osm-aks-addon` and changes to the directory

-Next create both the main and parameters files, as shown in the following example.

-Open the `osm.aks.bicep` file and copy the following example content to it, then save the file.

-Open the `osm.aks.parameters.json` file and copy the following example content to it. Add the deployment-specific parameters, then save the file.

-> The `osm.aks.parameters.json` is an example template parameters file needed for the Bicep deployment. You will have to update the specified parameters specifically for your deployment environment. The specific parameter values used by this example needs the following parameters to be updated. They are the _clusterName_, _clusterDNSPrefix_, _k8Version_, and _sshPubKey_. To find a list of supported Kubernetes version in your region, please use the `az aks get-versions --location <region>` command.

-### Deploy the Bicep file

-To deploy the previously created Bicep files, open the terminal and authenticate to your Azure account for the Azure CLI using the `az login` command. Once authenticated to your Azure subscription, run the following commands for deployment.

-When the deployment finishes, you should see a message indicating the deployment succeeded.

-## Validate the AKS OSM add-on installation

-There are several commands to run to check all of the components of the AKS OSM add-on are enabled and running:

-First we can query the add-on profiles of the cluster to check the enabled state of the add-ons installed. The following command should return "true".

-The following `kubectl` commands will report the status of the osm-controller.

-## Accessing the AKS OSM add-on configuration

-Currently you can access and configure the OSM controller configuration via the OSM MeshConfig resource, and you can view the OSM controller configuration settings via the CLI use the **kubectl** get command as shown below.

-Output of the MeshConfig is shown in the following:

-Notice the **enablePermissiveTrafficPolicyMode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh. The discovered services will have traffic policy rules programed on each Envoy proxy sidecar to allow communications between these services.

-> Before proceeding please verify that your permissive traffic policy mode is set to true, if not please change it to **true** using the command below

-```OSM Permissive Mode to True

-kubectl patch meshconfig osm-mesh-config -n kube-system -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":true}}}' --type=merge

-```

-When the Azure resources are no longer needed, use the Azure CLI to delete the deployment test resource group.

-Alternatively, you can uninstall the OSM add-on and the related resources from your cluster. For more information, see [Uninstall the Open Service Mesh (OSM) add-on from your AKS cluster][osm-uninstall].

-This article showed you how to install the OSM add-on on an AKS cluster and verify it is installed and running. With the OSM add-on on your cluster you can [Deploy a sample application][osm-deploy-sample-app] or [Onboard an existing application][osm-onboard-app] to work with your OSM mesh.

- * Because of the urgent nature of patch versions, they can be introduced into the service as they become available.

- * Users have **30 days** from a patch release's removal from AKS to upgrade into a supported patch and continue receiving support.

-* Import limitations, organized by the import format of the API.

-* How OpenAPI export works.

-You can create SOAP pass-through and SOAP-to-REST APIs with WSDL files.

-### WSDL:Import

-Not supported. Instead, merge the imports into one document.

-The minimum number of replicas suitable for production is two.

-description: Learn how to import a standard XML representation of a SOAP API, and then test the API in the Azure and Developer portals.

-# Import SOAP API

-This article shows how to import a standard XML representation of a SOAP API. The article also shows how to test the API Management API.

-> * Import SOAP API

-## <a name="create-api"> </a>Import and publish a back-end API

-1. Navigate to your API Management service in the Azure portal and select **APIs** from the menu.

-2. Select **WSDL** from the **Add a new API** list.

- 

-3. In the **WSDL specification**, enter the URL to where your SOAP API resides.

-4. The **SOAP pass-through** radio button is selected by default. With this selection, the API is going to be exposed as SOAP. Consumer has to use SOAP rules. If you want to "restify" the API, follow the steps in [Import a SOAP API and convert it to REST](restify-soap-api.md).

- 

-5. Press tab.

- The following fields get filled up with the info from the SOAP API: Display name, Name, Description.

-6. Add an API URL suffix. The suffix is a name that identifies this specific API in this API Management instance. It has to be unique in this API Management instance.

-7. Publish the API by associating the API with a product. In this case, the "*Unlimited*" product is used. If you want for the API to be published and be available to developers, add it to a product. You can do it during API creation or set it later.

- Products are associations of one or more APIs. You can include a number of APIs and offer them to developers through the developer portal. Developers must first subscribe to a product to get access to the API. When they subscribe, they get a subscription key that is good for any API in that product. If you created the API Management instance, you are an administrator already, so you are subscribed to every product by default.

- By default, each API Management instance comes with two sample products:

- * **Starter**

- * **Unlimited**

-8. Enter other API settings. You can set the values during creation or configure them later by going to the **Settings** tab. The settings are explained in the [Import and publish your first API](import-and-publish.md#import-and-publish-a-backend-api) tutorial.

-9. Select **Create**.

-Operations can be called directly from the administrative portal, which provides a convenient way to view and test the operations of an API.

- The page displays fields for query parameters and fields for the headers. One of the headers is "Ocp-Apim-Subscription-Key", for the subscription key of the product that is associated with this API. If you created the API Management instance, you are an administrator already, so the key is filled in automatically.

- Backend responds with **200 OK** and some data.

-description: Learn how to import a SOAP API, convert it to REST with API Management, and then test the API in the Azure and Developer portals.

-# Import a SOAP API and convert to REST

-This article shows how to import a SOAP API and convert it to REST. The article also shows how to test the APIM API.

-> * Test the API in the Developer portal

-1. Select **APIs** from under **API MANAGEMENT**.

-2. Select **WSDL** from the **Add a new API** list.

-3. In the **WSDL specification**, enter the URL to where your SOAP API resides.

-4. Click **SOAP to REST** radio button. When this option is clicked, APIM attempts to make an automatic transformation between XML and JSON. In this case consumers should be calling the API as a RESTful API, which returns JSON. APIM is converting each request into a SOAP call.

-5. Press tab.

- The following fields get filled up with the info from the SOAP API: Display name, Name, Description.

-6. Add an API URL suffix. The suffix is a name that identifies this specific API in this APIM instance. It has to be unique in this APIM instance.

-9. Publish the API by associating the API with a product. In this case, the "*Unlimited*" product is used. If you want for the API to be published and be available to developers, add it to a product. You can do it during API creation or set it later.

- Products are associations of one or more APIs. You can include a number of APIs and offer them to developers through the developer portal. Developers must first subscribe to a product to get access to the API. When they subscribe, they get a subscription key that is good for any API in that product. If you created the APIM instance, you are an administrator already, so you are subscribed to every product by default.

- By default, each API Management instance comes with two sample products:

- * **Starter**

- * **Unlimited**

-10. Select **Create**.

-2. Press the **Test** tab.

-3. Select some operation.

- The page displays fields for query parameters and fields for the headers. One of the headers is "Ocp-Apim-Subscription-Key", for the subscription key of the product that is associated with this API. If you created the APIM instance, you are an administrator already, so the key is filled in automatically.

- Backend responds with **200 OK** and some data.

-az webapp list-runtimes --linux | grep DOTNET

-az webapp list-runtimes | grep java

-az webapp list-runtimes --linux | grep "JAVA\|TOMCAT\|JBOSSEAP"

-

-To deploy .jar files to Java SE, use the `/api/publish/` endpoint of the Kudu site. For more information on this API, see [this documentation](./deploy-zip.md#deploy-warjarear-packages).

-> Your .jar application must be named `app.jar` for App Service to identify and run your application. The Maven Plugin (mentioned above) will automatically rename your application for you during deployment. If you do not wish to rename your JAR to *app.jar*, you can upload a shell script with the command to run your .jar app. Paste the absolute path to this script in the [Startup File](./faq-app-service-linux.yml) textbox in the Configuration section of the portal. The startup script does not run from the directory into which it is placed. Therefore, always use absolute paths to reference files in your startup script (for example: `java -jar /home/myapp/myapp.jar`).

-Azure Blob Storage logging for Linux based App Services can only be configured using [Azure Monitor](./troubleshoot-diagnostic-logs.md#send-logs-to-azure-monitor)

-> You do not need to create a web.config file when using Tomcat on Windows App Service.

-

-

-

-> If you already have an environment variable for `JAVA_OPTS` or `CATALINA_OPTS`, append the `-javaagent:/...` option to the end of the current value.

-> If you already have an environment variable for `JAVA_OPTS` or `CATALINA_OPTS`, append the `-javaagent:/...` option to the end of the current value.

-Tomcat installations on App Service on Windows exist in shared space on the App Service Plan. You can't directly modify a Tomcat installation for server-wide configuration. To make server-level configuration changes to your Tomcat installation, you must copy Tomcat to a local folder, in which you can modify Tomcat's configuration.

-1. Obtain your database's JDBC driver.

-1. Create a startup script, `startup_script.sh` that calls the JBoss CLI commands. The example below shows how to call your `jboss-cli-commands.cli`. Later you will configure App Service to run this script when the container starts.

-\* In following releases, Java 8 on Linux will be distributed from Adoptium builds of the OpenJDK.

-Tomcat 8.0 has reached [End of Life (EOL) as of September 30, 2018](https://tomcat.apache.org/tomcat-80-eol.html). While the runtime is still available on Azure App Service, Azure will not apply security updates to Tomcat 8.0. If possible, migrate your applications to Tomcat 8.5 or 9.0. Both Tomcat 8.5 and 9.0 are available on Azure App Service. See the [official Tomcat site](https://tomcat.apache.org/whichversion.html) for more information.

-Community support for Java 7 will terminate on July 29th, 2022 and [Java 7 will be retired from App Service](https://azure.microsoft.com/updates/transition-to-java-11-or-8-by-29-july-2022/) at that time. If you have a web app runnning on Java 7, please upgrade to Java 8 or 11 before July 29th.

-az webapp list-runtimes | grep node

-az webapp list-runtimes --linux | grep NODE

-> [!NOTE]

->

-You can debug your Node.js app remotely in [Visual Studio Code](https://code.visualstudio.com/) if you configure it to [run with PM2](#run-with-pm2), except when you run it using a *.config.js, *.yml, or *.yaml*.

-This agent will monitor your server-side Node.js application. To monitor your client-side JavaScript, [add the JavaScript SDK to your project](../azure-monitor/app/javascript.md).

- - Depending on your *package.json*, different packages may be installed for production mode (`dependencies` vs. `devDependencies`).

- - Certain web frameworks may deploy static files differently in production mode.

- - Certain web frameworks may use custom startup scripts when running in production mode.

-The generated *web.config* is tailored to the detected start script. For other deployment methods, add this *web.config* manually. Make sure the file is formatted properly.

-az webapp list-runtimes | grep php

-az webapp list-runtimes --linux | grep PHP

-If you want App Service to run popular automation tools at deployment time, such as Grunt, Bower, or Gulp, you need to supply a [custom deployment script](https://github.com/projectkudu/kudu/wiki/Custom-Deployment-Script). App Service runs this script when you deploy with Git, or with [Zip deployment](deploy-zip.md) with [with build automation enabled](deploy-zip.md#enable-build-automation-for-zip-deploy).

-To customize the site root, set the virtual application path for the app by using the [`az resource update`](/cli/azure/resource#az_resource_update) command. The following example sets the site root to the *public/* subdirectory in your repository.

-By default, Azure App Service points the root virtual application path (_/_) to the root directory of the deployed application files (_sites\wwwroot_).

-Create a directory in `d:\home\site` called `ini`, then create an *.ini* file in the `d:\home\site\ini` directory (for example, *settings.ini)* with the directives you want to customize. Use the same syntax you would use in a *php.ini* file.

-Create a directory in `/home/site` called `ini`, then create an *.ini* file in the `/home/site/ini` directory (for example, *settings.ini)* with the directives you want to customize. Use the same syntax you would use in a *php.ini* file.

-> In the built-in Linux containers in App Service, */home* is used as persisted shared storage.

- - Depending on your *composer.json*, different packages may be installed for production mode (`require` vs. `require-dev`).

- - Certain web frameworks may deploy static files differently in production mode.

- - Certain web frameworks may use custom startup scripts when running in production mode.

- - Run commands in the [Azure Cloud Shell](../cloud-shell/overview.md).

- - Run commands locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az_login).

-

- - Show the current Python version with [az webapp config show](/cli/azure/webapp/config#az_webapp_config_show):

-

- ```azurecli

- az webapp config show --resource-group <resource-group-name> --name <app-name> --query linuxFxVersion

- ```

-

- Replace `<resource-group-name>` and `<app-name>` with the names appropriate for your web app.

-

- - Set the Python version with [az webapp config set](/cli/azure/webapp/config#az_webapp_config_set)

-

- ```azurecli

- az webapp config set --resource-group <resource-group-name> --name <app-name> --linux-fx-version "PYTHON|3.7"

- ```

-

- - Show all Python versions that are supported in Azure App Service with [az webapp list-runtimes](/cli/azure/webapp#az_webapp_list_runtimes):

-

- ```azurecli

- az webapp list-runtimes --linux | grep PYTHON

- ```

-

-By default, the `PRE_BUILD_COMMAND`, `POST_BUILD_COMMAND`, and `DISABLE_COLLECTSTATIC` settings are empty.

-For additional settings that customize build automation, see [Oryx configuration](https://github.com/microsoft/Oryx/blob/master/doc/configuration.md).

->

- 1. Your *requirements.txt* file must be at the root of your repository for App Service to automatically install the necessary packages.

-1. Consider using environment variables (for local development) and App Settings (when deploying to the cloud) to dynamically set the Django `STATIC_URL` and `STATIC_ROOT` variables. For example:

- - You can provide configuration settings for Gunicorn through a *gunicorn.conf.py* file in the project root, as described on [Gunicorn configuration overview](https://docs.gunicorn.org/en/stable/configure.html#configuration-file) (docs.gunicorn.org). You can alternately [customize the startup command](#customize-startup-command).

- - To protect your web app from accidental or deliberate DDOS attacks, Gunicorn is run behind an Nginx reverse proxy as described on [Deploying Gunicorn](https://docs.gunicorn.org/en/latest/deploy.html) (docs.gunicorn.org).

-

-If the App Service doesn't find a custom command, a Django app, or a Flask app, then it runs a default read-only app, located in the _opt/defaultsite_ folder and shown in the following image.

-

-

- ```

- ```bash

- ```

-

-

-

-

- - Restart the App Service, wait 15-20 seconds, and check the app again.

-

- - Be sure you're using App Service for Linux rather than a Windows-based instance. From the Azure CLI, run the command `az webapp show --resource-group <resource-group-name> --name <app-name> --query kind`, replacing `<resource-group-name>` and `<app-name>` accordingly. You should see `app,linux` as output; otherwise, recreate the App Service and choose Linux.

-

- - Use [SSH](#open-ssh-session-in-browser) to connect directly to the App Service container and verify that your files exist under *site/wwwroot*. If your files don't exist, use the following steps:

-

- - If your files exist, then App Service wasn't able to identify your specific startup file. Check that your app is structured as App Service expects for [Django](#django-app) or [Flask](#flask-app), or use a [custom startup command](#customize-startup-command).

- - Refresh the browser, especially if you're using the lowest pricing tiers in your App Service Plan. The app may take longer to start up when using free tiers, for example, and becomes responsive after you refresh the browser.

- - Check that your app is structured as App Service expects for [Django](#django-app) or [Flask](#flask-app), or use a [custom startup command](#customize-startup-command).

- - Examine the [app log stream](#access-diagnostic-logs) for any error messages. The logs will show any errors in the app code.

- - Connect to the web app's container via [SSH](#open-ssh-session-in-browser) and verify that *requirements.txt* is named correctly and exists directly under *site/wwwroot*. If it doesn't exist, make site the file exists in your repository and is included in your deployment. If it exists in a separate folder, move it to the root.

-## More resources:

-az webapp list-runtimes --linux | grep RUBY

-1. Run `bundle clean`.

-App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domain, and TLS/SSL certificates.

-With App Service, you pay for the Azure compute resources you use. The compute resources you use are determined by the _App Service plan_ that you run your apps on. For more information, see [Azure App Service plans overview](overview-hosting-plans.md).

-App Service on Linux supports a number of language specific built-in images. Just deploy your code. Supported languages include: Node.js, Java (JRE 8 & JRE 11), PHP, Python, .NET Core, and Ruby. Run [`az webapp list-runtimes --linux`](/cli/azure/webapp#az_webapp_list_runtimes) to view the latest languages and supported versions. If the runtime your application requires is not supported in the built-in images, you can deploy it with a custom container.

-Outdated runtimes are periodically removed from the Web Apps Create and Configuration blades in the Portal. These runtimes are hidden from the Portal when they are deprecated by the maintaining organization or found to have significant vulnerabilities. These options are hidden to guide customers to the latest runtimes where they will be the most successful.

-The following example creates a Node.js app. Replace `<app-name>` with a name that's unique within your cluster (valid characters are `a-z`, `0-9`, and `-`). To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp).

-Navigate to the [Log Analytics workspace that's configured with your App Service extension](manage-create-arc-environment.md#install-the-app-service-extension), then click Logs in the left navigation. Run the following sample query to show logs over the past 72 hours. Replace `<app-name>` with your web app name. If there's an error when running a query, try again in 10-15 minutes (there may be a delay for Log Analytics to start receiving logs from your application).

-The application logs for all the apps hosted in your Kubernetes cluster are logged to the Log Analytics workspace in the custom log table named `AppServiceConsoleLogs_CL`.

-1. In a terminal window, clone the sample application to your local machine, and navigate to the directory containing the sample code.

-

-1. Create a [web app](overview.md#app-service-on-linux) in the `myAppServicePlan` App Service plan.

- In the Cloud Shell, you can use the [`az webapp create`](/cli/azure/webapp) command. In the following example, replace `<app-name>` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `RUBY|2.6`. To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp).

-

-In Windows Explorer, navigate to _custom-font-win-container-master/CustomFontSample_, right-click _FrederickatheGreat-Regular.ttf_, and select **Install**.

-Type `Ctrl+F5` to run the app without debugging. The app is displayed in your default browser.

-You can find _InstallFont.ps1_ in the **CustomFontSample** project. It's a simple script that installs the font. You can find a more complex version of the script in the [Script Center](https://gallery.technet.microsoft.com/scriptcenter/fb742f92-e594-4d0c-8b79-27564c575133).

-Sign in to the Azure portal at https://portal.azure.com.

-> * Push a custom Docker image to Azure Container Registry

-> * Deploy the custom image to App Service

-> * Configure environment variables

-> * Pull image into App Service using a managed identity

-> * Access diagnostic logs

-> * Enable CI/CD from Azure Container Registry to App Service

-> * Connect to the container using SSH

-Instead of using git clone, you can visit [https://github.com/Azure-Samples/docker-django-webapp-linux](https://github.com/Azure-Samples/docker-django-webapp-linux), select **Clone**, and then select **Download ZIP**.

-Unpack the ZIP file into a folder named *docker-django-webapp-linux*.

-The file in the sample named _Dockerfile_ that describes the docker image and contains configuration instructions:

- && apt-get install -y --no-install-recommends openssh-server \

- && echo "$SSH_PASSWD" | chpasswd

-

-* The first group of commands installs the app's requirements in the environment.

-* The second group of commands create an [SSH](https://www.ssh.com/ssh/protocol/) server for secure communication between the container and the host.

-* The last line, `ENTRYPOINT ["init.sh"]`, invokes `init.sh` to start the SSH service and Python server.

->

-

-

-

-

-

-

- ```

-

- The output should show the name of your image.

-

-1. Use [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) to set the `WEBSITES_PORT` environment variable as expected by the app code:

-

- ```

-

-

- Replace `<app-name>` with the name of your web app and replace `<registry-name>` in two places with the name of your registry.

-

-

-

-Port 2222 is an internal port accessible only by containers within the bridge network of a private virtual network.

-

-> * Deploy a custom image to a private container registry

-> * Deploy and the custom image in App Service

-> * Update and redeploy the image

-> * Access diagnostic logs

-> * Connect to the container using SSH

-> * Push a custom Docker image to Azure Container Registry

-> * Deploy the custom image to App Service

-> * Configure environment variables

-> * Pull image into App Service using a managed identity

-> * Access diagnostic logs

-> * Enable CI/CD from Azure Container Registry to App Service

-> * Connect to the container using SSH

-> You can't recover your Automation account if the resource group is deleted.

-* Oracle Linux 7 (x64)

-Installing, updating, and removing the Connected Machine agent will not require you to restart your server.

-Installing, updating, and removing the Connected Machine agent will not require you to restart your server.

-The Azure Connected Machine agent for Windows and Linux can be upgraded to the latest release manually or automatically depending on your requirements. Installing, upgrading, and uninstalling the Azure Connected Machine Agent will not require you to restart your server.

-* The Hybrid Instance Metadata Service (himds) service is responsible for all core functionality of Arc. This includes sending heartbeats to Azure, exposing a local instance metadata service for other apps to learn about the machineΓÇÖs Azure resource ID, and retrieve Azure AD tokens to authenticate to other Azure services. This service runs as an unprivileged virtual service account on Windows, and as the **himds** user on Linux.

-* The Guest Configuration Extension service (ExtensionService) is responsible for installing, updating, and deleting extensions (agents, scripts, or other software) on the machine.

- - Hardware OATH tokens are not available in Azure Government.

- - Trusted IPs are not supported in Azure Government. Instead, use Conditional Access policies with named locations to establish when multifactor authentication should and should not be required based off the user's current IP address.

- - Enterprise state roaming for Windows 10 devices is not available

-description: Information on configuring continuous deployment to your applications hosted with a subscription in Azure Government by connecting from Azure Pipelines.

-This article helps you use Azure Pipelines to set up continuous integration (CI) and continuous deployment (CD) of your web app running in Azure Government. CI/CD automates the build of your code from a repo along with the deployment (release) of the built code artifacts to a service or set of services in Azure Government. In this tutorial, you will build a web app and deploy it to an Azure Governments app service. This build and release process is triggered by a change to a code file in the repo.

-> [!NOTE]

-> For special considerations when deploying apps to Azure Government, see **[Deploy apps to Azure Government Cloud](/azure/devops/pipelines/library/government-cloud).**

-Before starting this tutorial, you must have the following:

-If you don't have an active Azure Government subscription, create a [free account](https://azure.microsoft.com/overview/clouds/government/) before you begin.

-AzureUSGovernment." This sets the service principal to be created in Azure Government.

- When you are asked whether you want to change the execution policy, enter "A" (for "Yes to All").

-8. After providing your Azure Government subscription credentials, you should see the following:

-9. After the script has run, you should see your service connection values. Copy these values as we will need them when setting up our endpoint.

-**I use Team Foundation Server on-premises. Can I configure CD on my server to target Azure Government?** <br/>

-Currently, Team Foundation Server cannot be used to deploy to an Azure Government Cloud.

-The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community's Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST). The CJIS Security Policy is updated periodically to reflect evolving security requirements.

-The CJIS Security Policy defines 13 areas that private contractors such as cloud service providers must evaluate to determine if their use of cloud services can be consistent with CJIS requirements. These areas correspond closely to control families in [NIST SP 800-53](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53), which is also the basis for the US Federal Risk and Authorization Management Program (FedRAMP). The FBI CJIS Information Security Officer (ISO) Program Office has published a [security control mapping of CJIS Security Policy requirements to NIST SP 800-53](https://www.fbi.gov/file-repository/csp-v5_5-to-nist-controls-mapping-1.pdf/view). The corresponding NIST SP 800-53 controls are listed for each CJIS Security Policy section.

-All private contractors who process CJI must sign the CJIS Security Addendum, a uniform agreement approved by the US Attorney General that helps ensure the security and confidentiality of CJI required by the Security Policy. It commits the contractor to maintaining a security program consistent with federal and state laws, regulations, and standards. The addendum also limits the use of CJI to the purposes for which a government agency provided it.

-### Azure and CJIS Security Policy

-Microsoft will sign the CJIS Security Addendum in states with CJIS Information Agreements. These agreements tell state law enforcement authorities responsible for compliance with CJIS Security Policy how Microsoft's cloud security controls help protect the full lifecycle of data and ensure appropriate background screening of operating personnel with potential access to CJI.

-Microsoft has agreements signed with nearly all 50 states and the District of Columbia except for the following states: Delaware, Louisiana, Maryland, New Mexico, Ohio, and South Dakota. Microsoft continues to work with state governments to enter into CJIS Information Agreements.

-Microsoft's commitment to meeting the applicable CJIS regulatory controls help criminal justice organizations be compliant with the CJIS Security Policy when implementing cloud-based solutions. Microsoft can accommodate customers subject to the CJIS Security Policy requirements in:

-Microsoft has assessed the operational policies and procedures of Microsoft Azure Government, Dynamics 365 US Government, and Office 365 GCC, and will attest to their ability in the applicable services agreements to meet FBI requirements. For more information about Azure support for CJIS, see [Azure CJIS compliance offering](/azure/compliance/offerings/offering-cjis).

-The remainder of this article discusses technologies that you can use to safeguard CJI stored or processed in Azure cloud services. These technologies can help you establish sole control over CJI that you're responsible for.

-| January 2021 | <ul><li>Syslog RFC compliance for Linux</li><li>Fixed issue for Linux perf counters not flowing on restart</li><li>Fixed installation failure on Windows Server 2008 R2 SP1</li></ul> | 1.1.5.1^Hotfix | 1.15.2.0^Hotfix |

- - *.ods.opinsights.azure.com

- - *.ingest.monitor.azure.com

- - *.control.monitor.azure.com

-*C#*

-Ideally, flush() method should be used in the shutdown activity of the Application.

-## Application Change Analysis in the Diagnose and solve problems tool

-From your app service's overview page in Azure portal, select **Diagnose and solve problems** the left menu. As you enter the Diagnose and Solve Problems tool, the **Microsoft.ChangeAnalysis** resource provider will automatically be registered. Enable web app in-guest change tracking with the following instructions:

-## Diagnose and Solve Problems tool

-Change Analysis displays as an insight card in a virtual machine's **Diagnose and solve problems** tool. The insight card displays the number of changes or issues a resource experiences within the past 72 hours.

-Under **Common problems**, select **View change details** to view the filtered view from Change Analysis standalone UI.

-## Virtual Machine Diagnose and Solve Problems

-Every 4 hours, Change Analysis captures the deployment and configuration state of an application. For example, it can detect changes in the application environment variables. The tool computes the differences and presents the changes.

-Currently all text-based files under site root **wwwroot** with the following extensions are supported:

-For web app in-guest changes, separate enablement is required for scanning code files within a web app. For more information, see [Change Analysis in the Diagnose and solve problems tool](change-analysis-visualizations.md#application-change-analysis-in-the-diagnose-and-solve-problems-tool) section.

-After your app is onboarded to App Center, it needs to be modified to send custom event telemetry using the App Center SDK. Custom events are the only type of App Center telemetry that is exported to Application Insights.

-> [Understand how customers are using your app](../app/usage-overview.md)

-The Node.js SDK can automatically monitor incoming and outgoing HTTP requests, exceptions, and some system metrics. Beginning in version 0.20, the SDK also can monitor some common [third-party packages](https://github.com/microsoft/node-diagnostic-channel/tree/master/src/diagnostic-channel-publishers#currently-supported-modules), like MongoDB, MySQL, and Redis. All events related to an incoming HTTP request are correlated for faster troubleshooting.

-### <a name="sdk"></a> Set up the Node.js SDK

-2. Add the Node.js SDK library to your app's dependencies via package.json. From the root folder of your app, run:

-You can track any request, event, metric, or exception by using the Application Insights Node.js SDK. The following code example demonstrates some of the APIs that you can use:

-Windows provides a wide variety of [performance counters](/windows/desktop/perfctrs/about-performance-counters) such as CPU occupancy, memory, disk, and network usage. You can also define your own performance counters. Performance counters collection is supported as long as your application is running under IIS on an on-premises host, or virtual machine to which you have administrative access. Though applications running as Azure Web Apps don't have direct access to performance counters, a subset of available counters are collected by Application Insights.

- appInsights.trackEvent("ExpandDetailTab", {DetailTab: tabName});

-By default, two data types - `Usage` and `AzureActivity` - are retained for a minimum of 90 days at no charge. If the workspace retention is increased to more than 90 days, the retention of these data types is also increased. These data types are also free from data ingestion charges.

-// Set these parameters before running query

-// Pricing details available at https://azure.microsoft.com/pricing/details/monitor/

-The snapshot tools can be used in the following scenarios.

-See [Supported scenarios for HANA Large Instances](../virtual-machines/workloads/sap/hana-supported-scenario.md)

-The Azure portal how-to video series showcases how to work with Azure services in the Azure portal. Each week the Azure portal team adds to the video playlist. These interactive demos can help you be more efficient and productive.

-In this featured video, we show you how to build tabs and alerts in Azure workbooks.

-> [!VIDEO https://www.youtube.com/embed/3XY3lYgrRvA]

-[How to build tabs and alerts in Azure workbooks](https://www.youtube.com/watch?v=3XY3lYgrRvA)

-Catch up on these recent videos you may have missed:

-While you may be inclined to use `dependsOn` to map relationships between your resources, it's important to understand why you're doing it. For example, to document how resources are interconnected, `dependsOn` isn't the right approach. You can't query which resources were defined in the `dependsOn` element after deployment. Setting unnecessary dependencies slows deployment time because Resource Manager can't deploy those resources in parallel.

-While you may be inclined to use `dependsOn` to map relationships between your resources, it's important to understand why you're doing it. For example, to document how resources are interconnected, `dependsOn` isn't the right approach. You can't query which resources were defined in the `dependsOn` element after deployment. Setting unnecessary dependencies slows deployment time because Resource Manager can't deploy those resources in parallel.

-For best practices using auto-failover groups, see [Best practices for Azure SQL Database](auto-failover-group-overview.md#best-practices-for-sql-database) and [Best practices for Azure SQL Managed Instance](auto-failover-group-overview.md#best-practices-for-sql-managed-instance).

-description: Learn how to configure an auto-failover group for an Azure SQL Database (both single and pooled) and SQL Managed Instance, using the Azure portal, the Azure CLI, and PowerShell.

-# Configure a failover group for Azure SQL Database

-This topic teaches you how to configure an [auto-failover group](auto-failover-group-overview.md) for Azure SQL Database and Azure SQL Managed Instance.

-## Single database

-Create the failover group and add a single database to it using the Azure portal or PowerShell.

-### Prerequisites

-Consider the following prerequisites:

-### Create failover group

-# [Portal](#tab/azure-portal)

-Create your failover group and add your single database to it using the Azure portal.

-1. Select **Azure SQL** in the left-hand menu of the [Azure portal](https://portal.azure.com). If **Azure SQL** is not in the list, select **All services**, then type Azure SQL in the search box. (Optional) Select the star next to **Azure SQL** to favorite it and add it as an item in the left-hand navigation.

-1. Select the database you want to add to the failover group.

-1. Select the name of the server under **Server name** to open the settings for the server.

- 

-1. Select **Failover groups** under the **Settings** pane, and then select **Add group** to create a new failover group.

- 

-1. On the **Failover Group** page, enter or select the required values, and then select **Create**.

- - **Databases within the group**: Choose the database you want to add to your failover group. Adding the database to the failover group will automatically start the geo-replication process.

- 

-# [PowerShell](#tab/azure-powershell)

-Create your failover group and add your database to it using PowerShell.

- ```powershell-interactive

- $subscriptionId = "<SubscriptionID>"

- $resourceGroupName = "<Resource-Group-Name>"

- $location = "<Region>"

- $adminLogin = "<Admin-Login>"

- $password = "<Complex-Password>"

- $serverName = "<Primary-Server-Name>"

- $databaseName = "<Database-Name>"

- $drLocation = "<DR-Region>"

- $drServerName = "<Secondary-Server-Name>"

- $failoverGroupName = "<Failover-Group-Name>"

- # Create a secondary server in the failover region

- Write-host "Creating a secondary server in the failover region..."

- $drServer = New-AzSqlServer -ResourceGroupName $resourceGroupName `

- -ServerName $drServerName `

- -Location $drLocation `

- -SqlAdministratorCredentials $(New-Object -TypeName System.Management.Automation.PSCredential `

- -ArgumentList $adminlogin, $(ConvertTo-SecureString -String $password -AsPlainText -Force))

- $drServer

- # Create a failover group between the servers

- $failovergroup = Write-host "Creating a failover group between the primary and secondary server..."

- New-AzSqlDatabaseFailoverGroup `

- ResourceGroupName $resourceGroupName `

- -ServerName $serverName `

- -PartnerServerName $drServerName `

- FailoverGroupName $failoverGroupName `

- FailoverPolicy Automatic `

- -GracePeriodWithDataLossHours 2

- $failovergroup

- # Add the database to the failover group

- Write-host "Adding the database to the failover group..."

- Get-AzSqlDatabase `

- -ResourceGroupName $resourceGroupName `

- -ServerName $serverName `

- -DatabaseName $databaseName | `

- Add-AzSqlDatabaseToFailoverGroup `

- -ResourceGroupName $resourceGroupName `

- -ServerName $serverName `

- -FailoverGroupName $failoverGroupName

- Write-host "Successfully added the database to the failover group..."

- ```

-### Test failover

-Test failover of your failover group using the Azure portal or PowerShell.

-# [Portal](#tab/azure-portal)

-Test failover of your failover group using the Azure portal.

-1. Select **Azure SQL** in the left-hand menu of the [Azure portal](https://portal.azure.com). If **Azure SQL** is not in the list, select **All services**, then type "Azure SQL" in the search box. (Optional) Select the star next to **Azure SQL** to favorite it and add it as an item in the left-hand navigation.

-1. Select the database you want to add to the failover group.

- 

-1. Select **Failover groups** under the **Settings** pane and then choose the failover group you just created.

-

- 

-1. Review which server is primary and which server is secondary.

-1. Select **Failover** from the task pane to fail over your failover group containing your database.

-1. Select **Yes** on the warning that notifies you that TDS sessions will be disconnected.

- 

-1. Review which server is now primary and which server is secondary. If failover succeeded, the two servers should have swapped roles.

-1. Select **Failover** again to fail the servers back to their original roles.

-# [PowerShell](#tab/azure-powershell)

-Test failover of your failover group using PowerShell.

-Check the role of the secondary replica:

- ```powershell-interactive

- # Set variables

- $resourceGroupName = "<Resource-Group-Name>"

- $serverName = "<Primary-Server-Name>"

- $failoverGroupName = "<Failover-Group-Name>"

- # Check role of secondary replica

- Write-host "Confirming the secondary replica is secondary...."

- (Get-AzSqlDatabaseFailoverGroup `

- -FailoverGroupName $failoverGroupName `

- -ResourceGroupName $resourceGroupName `

- -ServerName $drServerName).ReplicationRole

- ```

-Fail over to the secondary server:

- ```powershell-interactive

- # Set variables

- $resourceGroupName = "<Resource-Group-Name>"

- $serverName = "<Primary-Server-Name>"

- $failoverGroupName = "<Failover-Group-Name>"

- # Failover to secondary server

- Write-host "Failing over failover group to the secondary..."

- Switch-AzSqlDatabaseFailoverGroup `

- -ResourceGroupName $resourceGroupName `

- -ServerName $drServerName `

- -FailoverGroupName $failoverGroupName

- Write-host "Failed failover group to successfully to" $drServerName

- ```

-Revert failover group back to the primary server:

- ```powershell-interactive

- # Set variables

- $resourceGroupName = "<Resource-Group-Name>"

- $serverName = "<Primary-Server-Name>"

- $failoverGroupName = "<Failover-Group-Name>"

- # Revert failover to primary server

- Write-host "Failing over failover group to the primary...."

- Switch-AzSqlDatabaseFailoverGroup `

- -ResourceGroupName $resourceGroupName `

- -ServerName $serverName `

- -FailoverGroupName $failoverGroupName

- Write-host "Failed failover group successfully to back to" $serverName

- ```

-> [!IMPORTANT]

-> If you need to delete the secondary database, remove it from the failover group before deleting it. Deleting a secondary database before it is removed from the failover group can cause unpredictable behavior.

-## Elastic pool

-Create the failover group and add an elastic pool to it using the Azure portal, or PowerShell.

-### Prerequisites

-Consider the following prerequisites:

-### Create the failover group

-Create the failover group for your elastic pool using the Azure portal or PowerShell.

-# [Portal](#tab/azure-portal)

-Create your failover group and add your elastic pool to it using the Azure portal.

-1. Select **Azure SQL** in the left-hand menu of the [Azure portal](https://portal.azure.com). If **Azure SQL** is not in the list, select **All services**, then type "Azure SQL" in the search box. (Optional) Select the star next to **Azure SQL** to favorite it and add it as an item in the left-hand navigation.

-1. Select the elastic pool you want to add to the failover group.

-1. On the **Overview** pane, select the name of the server under **Server name** to open the settings for the server.

-

- 

-1. Select **Failover groups** under the **Settings** pane, and then select **Add group** to create a new failover group.

- 

-1. On the **Failover Group** page, enter or select the required values, and then select **Create**. Either create a new secondary server, or select an existing secondary server.

-1. Select **Databases within the group** then choose the elastic pool you want to add to the failover group. If an elastic pool does not already exist on the secondary server, a warning appears prompting you to create an elastic pool on the secondary server. Select the warning, and then select **OK** to create the elastic pool on the secondary server.

- 

-1. Select **Select** to apply your elastic pool settings to the failover group, and then select **Create** to create your failover group. Adding the elastic pool to the failover group will automatically start the geo-replication process.

-# [PowerShell](#tab/azure-powershell)

-Create your failover group and add your elastic pool to it using PowerShell.

- ```powershell-interactive

- $subscriptionId = "<SubscriptionID>"

- $resourceGroupName = "<Resource-Group-Name>"

- $location = "<Region>"

- $adminLogin = "<Admin-Login>"

- $password = "<Complex-Password>"

- $serverName = "<Primary-Server-Name>"

- $databaseName = "<Database-Name>"

- $poolName = "myElasticPool"

- $drLocation = "<DR-Region>"

- $drServerName = "<Secondary-Server-Name>"

- $failoverGroupName = "<Failover-Group-Name>"

- # Create a failover group between the servers

- Write-host "Creating failover group..."

- New-AzSqlDatabaseFailoverGroup `

- ResourceGroupName $resourceGroupName `

- -ServerName $serverName `

- -PartnerServerName $drServerName `

- FailoverGroupName $failoverGroupName `

- FailoverPolicy Automatic `

- -GracePeriodWithDataLossHours 2

- Write-host "Failover group created successfully."

- # Add elastic pool to the failover group

- Write-host "Enumerating databases in elastic pool...."

- $FailoverGroup = Get-AzSqlDatabaseFailoverGroup `

- -ResourceGroupName $resourceGroupName `

- -ServerName $serverName `

- -FailoverGroupName $failoverGroupName

- $databases = Get-AzSqlElasticPoolDatabase `

- -ResourceGroupName $resourceGroupName `

- -ServerName $serverName `

- -ElasticPoolName $poolName

- Write-host "Adding databases to failover group..."

- $failoverGroup = $failoverGroup | Add-AzSqlDatabaseToFailoverGroup `

- -Database $databases

- Write-host "Databases added to failover group successfully."

- ```

-### Test failover

-Test failover of your elastic pool using the Azure portal or PowerShell.

-# [Portal](#tab/azure-portal)

-Fail your failover group over to the secondary server, and then fail back using the Azure portal.

-1. Select **Azure SQL** in the left-hand menu of the [Azure portal](https://portal.azure.com). If **Azure SQL** is not in the list, select **All services**, then type "Azure SQL" in the search box. (Optional) Select the star next to **Azure SQL** to favorite it and add it as an item in the left-hand navigation.

-1. Select the elastic pool you want to add to the failover group.

-1. On the **Overview** pane, select the name of the server under **Server name** to open the settings for the server.

- 

-1. Select **Failover groups** under the **Settings** pane and then choose the failover group you created in section 2.

-

- 

-1. Review which server is primary, and which server is secondary.

-1. Select **Failover** from the task pane to fail over your failover group containing your elastic pool.

-1. Select **Yes** on the warning that notifies you that TDS sessions will be disconnected.

- 

-1. Review which server is primary, which server is secondary. If failover succeeded, the two servers should have swapped roles.

-1. Select **Failover** again to fail the failover group back to the original settings.

-# [PowerShell](#tab/azure-powershell)

-Test failover of your failover group using PowerShell.

-Check the role of the secondary replica:

- ```powershell-interactive

- # Set variables

- $resourceGroupName = "<Resource-Group-Name>"

- $serverName = "<Primary-Server-Name>"

- $failoverGroupName = "<Failover-Group-Name>"

- # Check role of secondary replica

- Write-host "Confirming the secondary replica is secondary...."

- (Get-AzSqlDatabaseFailoverGroup `

- -FailoverGroupName $failoverGroupName `

- -ResourceGroupName $resourceGroupName `

- -ServerName $drServerName).ReplicationRole

- ```

-Fail over to the secondary server:

- ```powershell-interactive

- # Set variables

- $resourceGroupName = "<Resource-Group-Name>"

- $serverName = "<Primary-Server-Name>"

- $failoverGroupName = "<Failover-Group-Name>"

- # Failover to secondary server

- Write-host "Failing over failover group to the secondary..."

- Switch-AzSqlDatabaseFailoverGroup `

- -ResourceGroupName $resourceGroupName `

- -ServerName $drServerName `

- -FailoverGroupName $failoverGroupName

- Write-host "Failed failover group to successfully to" $drServerName

- ```

-> [!IMPORTANT]

-> If you need to delete the secondary database, remove it from the failover group before deleting it. Deleting a secondary database before it is removed from the failover group can cause unpredictable behavior.

-## SQL Managed Instance

-Create a failover group between two managed instances in Azure SQL Managed Instance by using the Azure portal or PowerShell.

-You will need to either configure [ExpressRoute](../../expressroute/expressroute-howto-circuit-portal-resource-manager.md) or create a gateway for the virtual network of each SQL Managed Instance, connect the two gateways, and then create the failover group.

-Deploy both managed instances to [paired regions](../../availability-zones/cross-region-replication-azure.md) for performance reasons. Managed instances residing in geo-paired regions have much better performance compared to unpaired regions.

-### Prerequisites

-Consider the following prerequisites:

-### Create primary virtual network gateway

-If you have not configured [ExpressRoute](../../expressroute/expressroute-howto-circuit-portal-resource-manager.md), you can create the primary virtual network gateway with the Azure portal, or PowerShell.

-> [!NOTE]

-> The SKU of the gateway affects throughput performance. This article deploys a gateway with the most basic SKU (`HwGw1`). Deploy a higher SKU (example: `VpnGw3`) to achieve higher throughput. For all available options, see [Gateway SKUs](../../vpn-gateway/vpn-gateway-about-vpngateways.md#benchmark)

-# [Portal](#tab/azure-portal)

-Create the primary virtual network gateway using the Azure portal.

-1. In the [Azure portal](https://portal.azure.com), go to your resource group and select the **Virtual network** resource for your primary managed instance.

-1. Select **Subnets** under **Settings** and then select to add a new **Gateway subnet**. Leave the default values.

- 

-1. Once the subnet gateway is created, select **Create a resource** from the left navigation pane and then type `Virtual network gateway` in the search box. Select the **Virtual network gateway** resource published by **Microsoft**.

- 

-1. Fill out the required fields to configure the gateway your primary managed instance.

- The following table shows the values necessary for the gateway for the primary managed instance:

- | **Field** | Value |

- | | |

- | **Subscription** | The subscription where your primary managed instance is. |

- | **Name** | The name for your virtual network gateway. |

- | **Region** | The region where your primary managed instance is. |

- | **Gateway type** | Select **VPN**. |

- | **VPN Type** | Select **Route-based** |

- | **SKU**| Leave default of `VpnGw1`. |

- | **Location**| The location where your secondary managed instance and secondary virtual network is. |

- | **Virtual network**| Select the virtual network for your secondary managed instance. |

- | **Public IP address**| Select **Create new**. |

- | **Public IP address name**| Enter a name for your IP address. |

- | &nbsp; | &nbsp; |

-1. Leave the other values as default, and then select **Review + create** to review the settings for your virtual network gateway.

- 

-1. Select **Create** to create your new virtual network gateway.

-# [PowerShell](#tab/azure-powershell)

-Create the primary virtual network gateway using PowerShell.

- ```powershell-interactive

- $primaryResourceGroupName = "<Primary-Resource-Group>"

- $primaryVnetName = "<Primary-Virtual-Network-Name>"

- $primaryGWName = "<Primary-Gateway-Name>"

- $primaryGWPublicIPAddress = $primaryGWName + "-ip"

- $primaryGWIPConfig = $primaryGWName + "-ipc"

- $primaryGWAsn = 61000

- # Get the primary virtual network

- $vnet1 = Get-AzVirtualNetwork -Name $primaryVnetName -ResourceGroupName $primaryResourceGroupName

- $primaryLocation = $vnet1.Location

- # Create primary gateway

- Write-host "Creating primary gateway..."

- $subnet1 = Get-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet1

- $gwpip1= New-AzPublicIpAddress -Name $primaryGWPublicIPAddress -ResourceGroupName $primaryResourceGroupName `

- -Location $primaryLocation -AllocationMethod Dynamic

- $gwipconfig1 = New-AzVirtualNetworkGatewayIpConfig -Name $primaryGWIPConfig `

- -SubnetId $subnet1.Id -PublicIpAddressId $gwpip1.Id

- $gw1 = New-AzVirtualNetworkGateway -Name $primaryGWName -ResourceGroupName $primaryResourceGroupName `

- -Location $primaryLocation -IpConfigurations $gwipconfig1 -GatewayType Vpn `

- -VpnType RouteBased -GatewaySku VpnGw1 -EnableBgp $true -Asn $primaryGWAsn

- $gw1

- ```

-### Create secondary virtual network gateway

-Create the secondary virtual network gateway using the Azure portal or PowerShell.

-# [Portal](#tab/azure-portal)

-Repeat the steps in the previous section to create the virtual network subnet and gateway for the secondary managed instance. Fill out the required fields to configure the gateway for your secondary managed instance.

-The following table shows the values necessary for the gateway for the secondary managed instance:

- | **Field** | Value |

- | | |

- | **Subscription** | The subscription where your secondary managed instance is. |

- | **Name** | The name for your virtual network gateway, such as `secondary-mi-gateway`. |

- | **Region** | The region where your secondary managed instance is. |

- | **Gateway type** | Select **VPN**. |

- | **VPN Type** | Select **Route-based** |

- | **SKU**| Leave default of `VpnGw1`. |

- | **Location**| The location where your secondary managed instance and secondary virtual network is. |

- | **Virtual network**| Select the virtual network that was created in section 2, such as `vnet-sql-mi-secondary`. |

- | **Public IP address**| Select **Create new**. |

- | **Public IP address name**| Enter a name for your IP address, such as `secondary-gateway-IP`. |

- | &nbsp; | &nbsp; |

- 

-# [PowerShell](#tab/azure-powershell)

-Create the secondary virtual network gateway using PowerShell.

- ```powershell-interactive

- $secondaryResourceGroupName = "<Secondary-Resource-Group>"

- $secondaryVnetName = "<Secondary-Virtual-Network-Name>"

- $secondaryGWName = "<Secondary-Gateway-Name>"

- $secondaryGWPublicIPAddress = $secondaryGWName + "-IP"

- $secondaryGWIPConfig = $secondaryGWName + "-ipc"

- $secondaryGWAsn = 62000

- # Get the secondary virtual network

- $vnet2 = Get-AzVirtualNetwork -Name $secondaryVnetName -ResourceGroupName $secondaryResourceGroupName

- $secondaryLocation = $vnet2.Location

- # Create the secondary gateway

- Write-host "Creating secondary gateway..."

- $subnet2 = Get-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet2

- $gwpip2= New-AzPublicIpAddress -Name $secondaryGWPublicIPAddress -ResourceGroupName $secondaryResourceGroupName `

- -Location $secondaryLocation -AllocationMethod Dynamic

- $gwipconfig2 = New-AzVirtualNetworkGatewayIpConfig -Name $secondaryGWIPConfig `

- -SubnetId $subnet2.Id -PublicIpAddressId $gwpip2.Id

- $gw2 = New-AzVirtualNetworkGateway -Name $secondaryGWName -ResourceGroupName $secondaryResourceGroupName `

- -Location $secondaryLocation -IpConfigurations $gwipconfig2 -GatewayType Vpn `

- -VpnType RouteBased -GatewaySku VpnGw1 -EnableBgp $true -Asn $secondaryGWAsn

- $gw2

- ```

-### Connect the gateways

-Create connections between the two gateways using the Azure portal or PowerShell.

-Two connections need to be created - the connection from the primary gateway to the secondary gateway, and then the connection from the secondary gateway to the primary gateway.

-The shared key used for both connections should be the same for each connection.

-# [Portal](#tab/azure-portal)

-Create connections between the two gateways using the Azure portal.

-1. Select **Create a resource** from the [Azure portal](https://portal.azure.com).

-1. Type `connection` in the search box and then press enter to search, which takes you to the **Connection** resource, published by Microsoft.

-1. Select **Create** to create your connection.

-1. On the **Basics** tab, select the following values and then select **OK**.

- 1. Select `VNet-to-VNet` for the **Connection type**.

- 1. Select your subscription from the drop-down.

- 1. Select the resource group for your managed instance in the drop-down.

- 1. Select the location of your primary managed instance from the drop-down.

-1. On the **Settings** tab, select or enter the following values and then select **OK**:

- 1. Choose the primary network gateway for the **First virtual network gateway**, such as `Primary-Gateway`.

- 1. Choose the secondary network gateway for the **Second virtual network gateway**, such as `Secondary-Gateway`.

- 1. Select the checkbox next to **Establish bidirectional connectivity**.

- 1. Either leave the default primary connection name, or rename it to a value of your choice.

- 1. Provide a **Shared key (PSK)** for the connection, such as `mi1m2psk`.

- 

-1. On the **Summary** tab, review the settings for your bidirectional connection and then select **OK** to create your connection.

-# [PowerShell](#tab/azure-powershell)

-Create connections between the two gateways using PowerShell.

- ```powershell-interactive

- $vpnSharedKey = "mi1mi2psk"

- $primaryResourceGroupName = "<Primary-Resource-Group>"

- $primaryGWConnection = "<Primary-connection-name>"

- $primaryLocation = "<Primary-Region>"

- $secondaryResourceGroupName = "<Secondary-Resource-Group>"

- $secondaryGWConnection = "<Secondary-connection-name>"

- $secondaryLocation = "<Secondary-Region>"

-

- # Connect the primary to secondary gateway

- Write-host "Connecting the primary gateway"

- New-AzVirtualNetworkGatewayConnection -Name $primaryGWConnection -ResourceGroupName $primaryResourceGroupName `

- -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw2 -Location $primaryLocation `

- -ConnectionType Vnet2Vnet -SharedKey $vpnSharedKey -EnableBgp $true

- $primaryGWConnection

- # Connect the secondary to primary gateway

- Write-host "Connecting the secondary gateway"

- New-AzVirtualNetworkGatewayConnection -Name $secondaryGWConnection -ResourceGroupName $secondaryResourceGroupName `

- -VirtualNetworkGateway1 $gw2 -VirtualNetworkGateway2 $gw1 -Location $secondaryLocation `

- -ConnectionType Vnet2Vnet -SharedKey $vpnSharedKey -EnableBgp $true

- $secondaryGWConnection

- ```

-### Create the failover group

-Create the failover group for your managed instances by using the Azure portal or PowerShell.

-# [Portal](#tab/azure-portal)

-Create the failover group for your SQL Managed Instances by using the Azure portal.

-1. Select **Azure SQL** in the left-hand menu of the [Azure portal](https://portal.azure.com). If **Azure SQL** is not in the list, select **All services**, then type Azure SQL in the search box. (Optional) Select the star next to **Azure SQL** to favorite it and add it as an item in the left-hand navigation.

-1. Select the primary managed instance you want to add to the failover group.

-1. Under **Settings**, navigate to **Instance Failover Groups** and then choose to **Add group** to open the **Instance Failover Group** page.

- 

-1. On the **Instance Failover Group** page, type the name of your failover group and then choose the secondary managed instance from the drop-down. Select **Create** to create your failover group.

- 

-1. Once failover group deployment is complete, you will be taken back to the **Failover group** page.

-# [PowerShell](#tab/azure-powershell)

-Create the failover group for your managed instances using PowerShell.

- ```powershell-interactive

- $primaryResourceGroupName = "<Primary-Resource-Group>"

- $failoverGroupName = "<Failover-Group-Name>"

- $primaryLocation = "<Primary-Region>"

- $secondaryLocation = "<Secondary-Region>"

- $primaryManagedInstance = "<Primary-Managed-Instance-Name>"

- $secondaryManagedInstance = "<Secondary-Managed-Instance-Name>"

- # Create failover group

- Write-host "Creating the failover group..."

- $failoverGroup = New-AzSqlDatabaseInstanceFailoverGroup -Name $failoverGroupName `

- -Location $primaryLocation -ResourceGroupName $primaryResourceGroupName -PrimaryManagedInstanceName $primaryManagedInstance `

- -PartnerRegion $secondaryLocation -PartnerManagedInstanceName $secondaryManagedInstance `

- -FailoverPolicy Automatic -GracePeriodWithDataLossHours 1

- $failoverGroup

- ```

-### Test failover

-Test failover of your failover group using the Azure portal or PowerShell.

-# [Portal](#tab/azure-portal)

-Test failover of your failover group using the Azure portal.

-1. Navigate to your _secondary_ managed instance within the [Azure portal](https://portal.azure.com) and select **Instance Failover Groups** under settings.

-1. Review which managed instance is the primary, and which managed instance is the secondary.

-1. Select **Failover** and then select **Yes** on the warning about TDS sessions being disconnected.

- 

-1. Review which manged instance is the primary and which instance is the secondary. If failover succeeded, the two instances should have switched roles.

- 

-1. Go to the new _secondary_ managed instance and select **Failover** once again to fail the primary instance back to the primary role.

-# [PowerShell](#tab/azure-powershell)

-Test failover of your failover group using PowerShell.

- ```powershell-interactive

- $primaryResourceGroupName = "<Primary-Resource-Group>"

- $secondaryResourceGroupName = "<Secondary-Resource-Group>"

- $failoverGroupName = "<Failover-Group-Name>"

- $primaryLocation = "<Primary-Region>"

- $secondaryLocation = "<Secondary-Region>"

- $primaryManagedInstance = "<Primary-Managed-Instance-Name>"

- $secondaryManagedInstance = "<Secondary-Managed-Instance-Name>"

- # Verify the current primary role

- Get-AzSqlDatabaseInstanceFailoverGroup -ResourceGroupName $primaryResourceGroupName `

- -Location $secondaryLocation -Name $failoverGroupName

- # Failover the primary managed instance to the secondary role

- Write-host "Failing primary over to the secondary location"

- Get-AzSqlDatabaseInstanceFailoverGroup -ResourceGroupName $secondaryResourceGroupName `

- -Location $secondaryLocation -Name $failoverGroupName | Switch-AzSqlDatabaseInstanceFailoverGroup

- Write-host "Successfully failed failover group to secondary location"

- # Verify the current primary role

- Get-AzSqlDatabaseInstanceFailoverGroup -ResourceGroupName $primaryResourceGroupName `

- -Location $secondaryLocation -Name $failoverGroupName

- # Fail primary managed instance back to primary role

- Write-host "Failing primary back to primary role"

- Get-AzSqlDatabaseInstanceFailoverGroup -ResourceGroupName $primaryResourceGroupName `

- -Location $primaryLocation -Name $failoverGroupName | Switch-AzSqlDatabaseInstanceFailoverGroup

- Write-host "Successfully failed failover group to primary location"

- # Verify the current primary role

- Get-AzSqlDatabaseInstanceFailoverGroup -ResourceGroupName $primaryResourceGroupName `

- -Location $secondaryLocation -Name $failoverGroupName

- ```

-## Use Private Link

-Using a private link allows you to associate a logical server to a specific private IP address within the virtual network and subnet.

-To use a private link with your failover group, do the following:

-1. Ensure your primary and secondary servers are in a [paired region](../../availability-zones/cross-region-replication-azure.md).

-1. Create the virtual network and subnet in each region to host private endpoints for primary and secondary servers such that they have non-overlapping IP address spaces. For example, the primary virtual network address range of 10.0.0.0/16 and the secondary virtual network address range of 10.0.0.1/16 overlaps. For more information about virtual network address ranges, see the blog [designing Azure virtual networks](https://devblogs.microsoft.com/premier-developer/understanding-cidr-notation-when-designing-azure-virtual-networks-and-subnets/).

-1. Create a [private endpoint and Azure Private DNS zone for the primary server](../../private-link/create-private-endpoint-portal.md#create-a-private-endpoint).

-1. Create a private endpoint for the secondary server as well, but this time choose to reuse the same Private DNS zone that was created for the primary server.

-1. Once the private link is established, you can create the failover group following the steps outlined previously in this article.

-## Locate listener endpoint

-Once your failover group is configured, update the connection string for your application to the listener endpoint. This will keep your application connected to the failover group listener, rather than the primary database, elastic pool, or instance database. That way, you don't have to manually update the connection string every time your database entity fails over, and traffic is routed to whichever entity is currently primary.

-The listener endpoint is in the form of `fog-name.database.windows.net`, and is visible in the Azure portal, when viewing the failover group:

-

-## Remarks

-## Next steps

-For detailed steps configuring a failover group, see the following tutorials:

-For an overview of Azure SQL Database high availability options, see [geo-replication](active-geo-replication-overview.md) and [auto-failover groups](auto-failover-group-overview.md).

-description: Auto-failover groups let you manage geo-replication and automatic / coordinated failover of a group of databases on a server, or all databases on a managed instance.

-# Use auto-failover groups to enable transparent and coordinated geo-failover of multiple databases

-The auto-failover groups feature allows you to manage the replication and failover of a group of databases on a server or all databases in a managed instance to another region. It is a declarative abstraction on top of the existing [active geo-replication](active-geo-replication-overview.md) feature, designed to simplify deployment and management of geo-replicated databases at scale. You can initiate a geo-failover manually or you can delegate it to the Azure service based on a user-defined policy. The latter option allows you to automatically recover multiple related databases in a secondary region after a catastrophic failure or other unplanned event that results in full or partial loss of the SQL Database or SQL Managed Instance availability in the primary region. A failover group can include one or multiple databases, typically used by the same application. Additionally, you can use the readable secondary databases to offload read-only query workloads.

-> [!NOTE]

-> Auto-failover groups support geo-replication of all databases in the group to only one secondary server or instance in a different region. If you need to create multiple Azure SQL Database geo-secondary replicas (in the same or different regions) for the same primary replica, use [active geo-replication](active-geo-replication-overview.md).

->

-When you are using auto-failover groups with automatic failover policy, an outage that impacts one or several of the databases in the group will result in an automatic geo-failover. Typically, these are outages that cannot be automatically mitigated by the built-in high availability infrastructure. Examples of geo-failover triggers include an incident caused by a SQL Database tenant ring or control ring being down due to an OS kernel memory leak on compute nodes, or an incident caused by one or more tenant rings being down because a wrong network cable was accidentally cut during routine hardware decommissioning. For more information, see [SQL Database High Availability](high-availability-sla.md).

-In addition, auto-failover groups provide read-write and read-only listener end-points that remain unchanged during geo-failovers. Whether you use manual or automatic failover activation, a geo-failover switches all secondary databases in the group to the primary role. After the geo-failover is completed, the DNS record is automatically updated to redirect the endpoints to the new region. For geo-failover RPO and RTO, see [Overview of Business Continuity](business-continuity-high-availability-disaster-recover-hadr-overview.md).

-When you are using auto-failover groups with automatic failover policy, an outage that impacts databases on a server or managed instance results in an automatic geo-failover.

-You can manage auto-failover group using:

-When configuring a failover group, ensure that authentication and network access on the secondary is set up to function correctly after geo-failover, when the geo-secondary becomes the new primary. For details, see [SQL Database security after disaster recovery](active-geo-replication-security-configure.md).

-To achieve full business continuity, adding regional database redundancy is only part of the solution. Recovering an application (service) end-to-end after a catastrophic failure requires recovery of all components that constitute the service and any dependent services. Examples of these components include the client software (for example, a browser with a custom JavaScript), web front ends, storage, and DNS. It is critical that all components are resilient to the same failures and become available within the recovery time objective (RTO) of your application. Therefore, you need to identify all dependent services and understand the guarantees and capabilities they provide. Then, you must take adequate steps to ensure that your service functions during the failover of the services on which it depends. For more information about designing solutions for disaster recovery, see [Designing Cloud Solutions for Disaster Recovery Using active geo-replication](designing-cloud-solutions-for-disaster-recovery.md).

-## <a name="terminology-and-capabilities"></a> Failover group terminology and capabilities

- A failover group is a named group of databases managed by a single server or within a managed instance that can fail over as a unit to another region in case all or some primary databases become unavailable due to an outage in the primary region. When it's created for SQL Managed Instance, a failover group contains all user databases in the instance and therefore only one failover group can be configured on an instance.

-

- > [!IMPORTANT]

- > The name of the failover group must be globally unique within the `.database.windows.net` domain.

- Some or all of the user databases on a logical server can be placed in a failover group. Also, a server supports multiple failover groups on a single server.

- The server or managed instance that hosts the primary databases in the failover group.

- The server or managed instance that hosts the secondary databases in the failover group. The secondary cannot be in the same region as the primary.

- You can put several single databases on the same server into the same failover group. If you add a single database to the failover group, it automatically creates a secondary database using the same edition and compute size on secondary server. You specified that server when the failover group was created. If you add a database that already has a secondary database in the secondary server, that geo-replication link is inherited by the group. When you add a database that already has a secondary database in a server that is not part of the failover group, a new secondary is created in the secondary server.

- > [!IMPORTANT]

- > Make sure that the secondary server doesn't have a database with the same name unless it is an existing secondary database. In failover groups for SQL Managed Instance, all user databases are replicated. You cannot pick a subset of user databases for replication in the failover group.

- You can put all or several databases within an elastic pool into the same failover group. If the primary database is in an elastic pool, the secondary is automatically created in the elastic pool with the same name (secondary pool). You must ensure that the secondary server contains an elastic pool with the same exact name and enough free capacity to host the secondary databases that will be created by the failover group. If you add a database in the pool that already has a secondary database in the secondary pool, that geo-replication link is inherited by the group. When you add a database that already has a secondary database in a server that is not part of the failover group, a new secondary is created in the secondary pool.

-

- When adding databases, elastic pools, or managed instances to a failover group, there is an initial seeding phase before data replication starts. The initial seeding phase is the longest and most expensive operation. Once initial seeding completes, data is synchronized, and then only subsequent data changes are replicated. The time it takes for the initial seeding to complete depends on the size of your data, number of replicated databases, the load on primary databases, and the speed of the link between the primary and secondary. Under normal circumstances, possible seeding speed is up to 500 GB an hour for SQL Database, and up to 360 GB an hour for SQL Managed Instance. Seeding is performed for all databases in parallel.

- For SQL Managed Instance, consider the speed of the Express Route link between the two instances when estimating the time of the initial seeding phase. If the speed of the link between the two instances is slower than what is necessary, the time to seed is likely to be noticeably impacted. You can use the stated seeding speed, number of databases, total size of data, and the link speed to estimate how long the initial seeding phase will take before data replication starts. For example, for a single 100 GB database, the initial seed phase would take about 1.2 hours if the link is capable of pushing 84 GB per hour, and if there are no other databases being seeded. If the link can only transfer 10 GB per hour, then seeding a 100 GB database will take about 10 hours. If there are multiple databases to replicate, seeding will be executed in parallel, and, when combined with a slow link speed, the initial seeding phase may take considerably longer, especially if the parallel seeding of data from all databases exceeds the available link bandwidth. If the network bandwidth between two instances is limited and you are adding multiple managed instances to a failover group, consider adding multiple managed instances to the failover group sequentially, one by one. Given an appropriately sized gateway SKU between the two managed instances, and if corporate network bandwidth allows it, it's possible to achieve speeds as high as 360 GB an hour.

- A unique ID that is automatically generated when a new SQL Managed Instance is created. A multi-domain (SAN) certificate for this instance is provisioned to authenticate the client connections to any instance in the same DNS zone. The two managed instances in the same failover group must share the DNS zone.

-

- > [!NOTE]

- > A DNS zone ID is not required or used for failover groups created for SQL Database.

- A DNS CNAME record that points to the current primary. It is created automatically when the failover group is created and allows the read-write workload to transparently reconnect to the primary when the primary changes after failover. When the failover group is created on a server, the DNS CNAME record for the listener URL is formed as `<fog-name>.database.windows.net`. When the failover group is created on a SQL Managed Instance, the DNS CNAME record for the listener URL is formed as `<fog-name>.<zone_id>.database.windows.net`.

- A DNS CNAME record that points to the current secondary. It is created automatically when the failover group is created and allows the read-only SQL workload to transparently connect to the secondary when the secondary changes after failover. When the failover group is created on a server, the DNS CNAME record for the listener URL is formed as `<fog-name>.secondary.database.windows.net`. When the failover group is created on a SQL Managed Instance, the DNS CNAME record for the listener URL is formed as `<fog-name>.secondary.<zone_id>.database.windows.net`.

- By default, a failover group is configured with an automatic failover policy. The system triggers a geo-failover after the failure is detected and the grace period has expired. The system must verify that the outage cannot be mitigated by the built-in [high availability infrastructure](high-availability-sla.md), for example due to the scale of the impact. If you want to control the geo-failover workflow from the application or manually, you can turn off automatic failover policy.

-

- > [!NOTE]

- > Because verification of the scale of the outage and how quickly it can be mitigated involves human actions, the grace period cannot be set below one hour. This limitation applies to all databases in the failover group regardless of their data synchronization state.

- By default, the failover of the read-only listener is disabled. It ensures that the performance of the primary is not impacted when the secondary is offline. However, it also means the read-only sessions will not be able to connect until the secondary is recovered. If you cannot tolerate downtime for the read-only sessions and can use the primary for both read-only and read-write traffic at the expense of the potential performance degradation of the primary, you can enable failover for the read-only listener by configuring the `AllowReadOnlyFailoverToPrimary` property. In that case, the read-only traffic will be automatically redirected to the primary if the secondary is not available.

- > [!NOTE]

- > The `AllowReadOnlyFailoverToPrimary` property only has effect if automatic failover policy is enabled and an automatic geo-failover has been triggered. In that case, if the property is set to True, the new primary will serve both read-write and read-only sessions.

- Planned failover performs full data synchronization between primary and secondary databases before the secondary switches to the primary role. This guarantees no data loss. Planned failover is used in the following scenarios:

- - Perform disaster recovery (DR) drills in production when data loss is not acceptable

- - Relocate the databases to a different region

- - Return the databases to the primary region after the outage has been mitigated (failback)

- Unplanned or forced failover immediately switches the secondary to the primary role without waiting for recent changes to propagate from the primary. This operation may result in data loss. Unplanned failover is used as a recovery method during outages when the primary is not accessible. When the outage is mitigated, the old primary will automatically reconnect and become a new secondary. A planned failover may be executed to fail back, returning the replicas to their original primary and secondary roles.

- You can initiate a geo-failover manually at any time regardless of the automatic failover configuration. During an outage that impacts the primary, if automatic failover policy is not configured, a manual failover is required to promote the secondary to the primary role. You can initiate a forced (unplanned) or friendly (planned) failover. A friendly failover is only possible when the old primary is accessible, and can be used to relocate the primary to the secondary region without data loss. When a failover is completed, the DNS records are automatically updated to ensure connectivity to the new primary.

- Because the secondary databases are synchronized using asynchronous replication, an automatic geo-failover may result in data loss. You can customize the automatic failover policy to reflect your applicationΓÇÖs tolerance to data loss. By configuring `GracePeriodWithDataLossHours`, you can control how long the system waits before initiating a forced failover, which may result in data loss.

- You can configure multiple failover groups for the same pair of servers to control the scope of geo-failovers. Each group fails over independently. If your tenant-per-database application is deployed in multiple regions and uses elastic pools, you can use this capability to mix primary and secondary databases in each pool. This way you may be able to reduce the impact of an outage to only some tenant databases.

- > [!NOTE]

- > SQL Managed Instance does not support multiple failover groups.

-

-## Permissions

-Permissions for a failover group are managed via [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). The [SQL Server Contributor](../../role-based-access-control/built-in-roles.md#sql-server-contributor) role has all the necessary permissions to manage failover groups.

-### <a name="create-failover-group"></a> Create a failover group

-To create a failover group, you need Azure RBAC write access to both the primary and secondary servers, and to all databases in the failover group. For a SQL Managed Instance, you need Azure RBAC write access to both the primary and secondary SQL Managed Instance, but permissions on individual databases are not relevant, because individual SQL Managed Instance databases cannot be added to or removed from a failover group.

-### Update a failover group

-To update a failover group, you need Azure RBAC write access to the failover group, and all databases on the current primary server or managed instance.

-### Fail over a failover group

-To fail over a failover group, you need Azure RBAC write access to the failover group on the new primary server or managed instance.

-## <a name="best-practices-for-sql-database"></a> Failover group best practices for SQL Database

-The auto-failover group must be configured on the primary server and will connect it to the secondary server in a different Azure region. The groups can include all or some databases in these servers. The following diagram illustrates a typical configuration of a geo-redundant cloud application using multiple databases and auto-failover group.

-

-> [!NOTE]

-> See [Add SQL Database to a failover group](failover-group-add-single-database-tutorial.md) for a detailed step-by-step tutorial adding a database in SQL Database to a failover group.

-When designing a service with business continuity in mind, follow these general guidelines:

-### <a name="using-one-or-several-failover-groups-to-manage-failover-of-multiple-databases"></a> Use one or several failover groups to manage failover of multiple databases

-One or many failover groups can be created between two servers in different regions (primary and secondary servers). Each group can include one or several databases that are recovered as a unit in case all or some primary databases become unavailable due to an outage in the primary region. Creating a failover group creates geo-secondary databases with the same service objective as the primary. If you add an existing geo-replication relationship to a failover group, make sure the geo-secondary is configured with the same service tier and compute size as the primary.

-

-### <a name="using-read-write-listener-for-oltp-workload"></a> Use the read-write listener to connect to primary

-For read-write workloads, use `<fog-name>.database.windows.net` as the server name in the connection string. Connections will be automatically directed to the primary. This name does not change after failover. Note the failover involves updating the DNS record so the client connections are redirected to the new primary only after the client DNS cache is refreshed. The time to live (TTL) of the primary and secondary listener DNS record is 30 seconds.

-### <a name="using-read-only-listener-for-read-only-workload"></a> Use the read-only listener to connect to geo-secondary

-If you have logically isolated read-only workloads that are tolerant to data latency, you can run them on the geo-secondary. For read-only sessions, use `<fog-name>.secondary.database.windows.net` as the server name in the connection string. Connections will be automatically directed to the geo-secondary. It is also recommended that you indicate read intent in the connection string by using `ApplicationIntent=ReadOnly`.

-> [!NOTE]

-> In Premium, Business Critical, and Hyperscale service tiers, SQL Database supports the use of [read-only replicas](read-scale-out.md) to offload read-only query workloads, using the `ApplicationIntent=ReadOnly` parameter in the connection string. When you have configured a geo-secondary, you can use this capability to connect to either a read-only replica in the primary location or in the geo-replicated location.

->

-> - To connect to a read-only replica in the primary location, use `ApplicationIntent=ReadOnly` and `<fog-name>.database.windows.net`.

-> - To connect to a read-only replica in the secondary location, use `ApplicationIntent=ReadOnly` and `<fog-name>.secondary.database.windows.net`.

-### <a name="preparing-for-performance-degradation"></a> Potential performance degradation after geo-failover

-A typical Azure application uses multiple Azure services and consists of multiple components. The automatic geo-failover of the failover group is triggered based on the state the Azure SQL components alone. Other Azure services in the primary region may not be affected by the outage and their components may still be available in that region. Once the primary databases switch to the secondary (DR) region, the latency between the dependent components may increase. To avoid the impact of higher latency on the application's performance, ensure the redundancy of all the application's components in the DR region, follow these [network security guidelines](#failover-groups-and-network-security), and orchestrate the geo-failover of relevant application components together with the database.

-### <a name="preparing-for-data-loss"></a> Potential data loss after geo-failover

-If an outage occurs in the primary region, recent transactions may not be able to replicate to the geo-secondary. If the automatic failover policy is configured, the system waits for the period you specified by `GracePeriodWithDataLossHours` before initiating an automatic geo-failover. The default value is 1 hour. This favors database availability over no data loss. Setting `GracePeriodWithDataLossHours` to a larger number, such as 24 hours, or disabling automatic geo-failover lets you reduce the likelihood of data loss at the expense of database availability.

-> [!IMPORTANT]

-> Elastic pools with 800 or fewer DTUs or 8 or fewer vCores, and more than 250 databases may encounter issues including longer planned geo-failovers and degraded performance. These issues are more likely to occur for write intensive workloads, when geo-replicas are widely separated by geography, or when multiple secondary geo-replicas are used for each database. A symptom of these issues is an increase in geo-replication lag over time, potentially leading to a more extensive data loss in an outage. This lag can be monitored using [sys.dm_geo_replication_link_status](/sql/relational-databases/system-dynamic-management-views/sys-dm-geo-replication-link-status-azure-sql-database). If these issues occur, then mitigation includes scaling up the pool to have more DTUs or vCores, or reducing the number of geo-replicated databases in the pool.

-### <a name="changing-secondary-region-of-the-failover-group"></a> Change the secondary region of a failover group

-To illustrate the change sequence, we will assume that server A is the primary server, server B is the existing secondary server, and server C is the new secondary in the third region. To make the transition, follow these steps:

-1. Create additional secondaries of each database on server A to server C using [active geo-replication](active-geo-replication-overview.md). Each database on server A will have two secondaries, one on server B and one on server C. This will guarantee that the primary databases remain protected during the transition.

-2. Delete the failover group. At this point login attempts using failover group endpoints will be failing.

-3. Re-create the failover group with the same name between servers A and C.

-4. Add all primary databases on server A to the new failover group. At this point the login attempts will stop failing.

-5. Delete server B. All databases on B will be deleted automatically.

-### <a name="changing-primary-region-of-the-failover-group"></a> Change the primary region of a failover group

-To illustrate the change sequence, we will assume server A is the primary server, server B is the existing secondary server, and server C is the new primary in the third region. To make the transition, follow these steps:

-1. Perform a planned geo-failover to switch the primary server to B. Server A will become the new secondary server. The failover may result in several minutes of downtime. The actual time will depend on the size of failover group.

-2. Create additional secondaries of each database on server B to server C using [active geo-replication](active-geo-replication-overview.md). Each database on server B will have two secondaries, one on server A and one on server C. This will guarantee that the primary databases remain protected during the transition.

-3. Delete the failover group. At this point login attempts using failover group endpoints will be failing.

-4. Re-create the failover group with the same name between servers B and C.

-5. Add all primary databases on B to the new failover group. At this point the login attempts will stop failing.

-6. Perform a planned geo-failover of the failover group to switch B and C. Now server C will become the primary and B the secondary. All secondary databases on server A will be automatically linked to the primaries on C. As in step 1, the failover may result in several minutes of downtime.

-7. Delete server A. All databases on A will be deleted automatically.

-> [!IMPORTANT]

-> When the failover group is deleted, the DNS records for the listener endpoints are also deleted. At that point, there is a non-zero probability of somebody else creating a failover group or a server DNS alias with the same name. Because failover group names and DNS aliases must be globally unique, this will prevent you from using the same name again. To minimize this risk, don't use generic failover group names.

-## <a name="best-practices-for-sql-managed-instance"></a> Failover group best practices for SQL Managed Instance

-The auto-failover group must be configured on the primary instance and will connect it to the secondary instance in a different Azure region. All user databases in the instance will be replicated to the secondary instance. System databases like _master_ and _msdb_ will not be replicated.

-The following diagram illustrates a typical configuration of a geo-redundant cloud application using managed instance and auto-failover group.

-

-> [!NOTE]

-> See [Add managed instance to a failover group](../managed-instance/failover-group-add-instance-tutorial.md) for a detailed step-by-step tutorial adding a SQL Managed Instance to use failover group.

-> [!IMPORTANT]

-> If you deploy auto-failover groups in a hub-and-spoke network topology cross-region, replication traffic should go directly between the two managed instance subnets rather than be directed through the hub networks.

-If your application uses SQL Managed Instance as the data tier, follow these general guidelines when designing for business continuity:

-### <a name="creating-the-secondary-instance"></a> Create the geo-secondary managed instance

-To ensure non-interrupted connectivity to the primary SQL Managed Instance after failover, both the primary and secondary instances must be in the same DNS zone. It will guarantee that the same multi-domain (SAN) certificate can be used to authenticate client connections to either of the two instances in the failover group. When your application is ready for production deployment, create a secondary SQL Managed Instance in a different region and make sure it shares the DNS zone with the primary SQL Managed Instance. You can do it by specifying an optional parameter during creation. If you are using PowerShell or the REST API, the name of the optional parameter is `DNSZonePartner`. The name of the corresponding optional field in the Azure portal is *Primary Managed Instance*.

-> [!IMPORTANT]

-> The first managed instance created in the subnet determines DNS zone for all subsequent instances in the same subnet. This means that two instances from the same subnet cannot belong to different DNS zones.

-For more information about creating the secondary SQL Managed Instance in the same DNS zone as the primary instance, see [Create a secondary managed instance](../managed-instance/failover-group-add-instance-tutorial.md#create-a-secondary-managed-instance).

-### <a name="using-geo-paired-regions"></a> Use paired regions

-Deploy both managed instances to [paired regions](../../availability-zones/cross-region-replication-azure.md) for performance reasons. SQL Managed Instance failover groups in paired regions have better performance compared to unpaired regions.

-### <a name="enabling-replication-traffic-between-two-instances"></a> Enable geo-replication traffic between two managed instances

-Because each managed instance is isolated in its own VNet, two-directional traffic between these VNets must be allowed. See [Azure VPN gateway](../../vpn-gateway/vpn-gateway-about-vpngateways.md)

-### <a name="creating-a-failover-group-between-managed-instances-in-different-subscriptions"></a> Create a failover group between managed instances in different subscriptions

-You can create a failover group between SQL Managed Instances in two different subscriptions, as long as subscriptions are associated to the same [Azure Active Directory Tenant](../../active-directory/fundamentals/active-directory-whatis.md#terminology). When using PowerShell API, you can do it by specifying the `PartnerSubscriptionId` parameter for the secondary SQL Managed Instance. When using REST API, each instance ID included in the `properties.managedInstancePairs` parameter can have its own Subscription ID.

-

-> [!IMPORTANT]

-> Azure portal does not support creation of failover groups across different subscriptions. Also, for the existing failover groups across different subscriptions and/or resource groups, failover cannot be initiated manually via portal from the primary SQL Managed Instance. Initiate it from the geo-secondary instance instead.

-### <a name="managing-failover-to-secondary-instance"></a> Manage geo-failover to a geo-secondary instance

-The failover group will manage geo-failover of all databases on the primary managed instance. When a group is created, each database in the instance will be automatically geo-replicated to the geo-secondary instance. You cannot use failover groups to initiate a partial failover of a subset of databases.

-> [!IMPORTANT]

-> If a database is dropped on the primary managed instance, it will also be dropped automatically on the geo-secondary managed instance.

-### <a name="using-read-write-listener-for-oltp-workload"></a> Use the read-write listener to connect to the primary managed instance

-For read-write workloads, use `<fog-name>.zone_id.database.windows.net` as the server name. Connections will be automatically directed to the primary. This name does not change after failover. The geo-failover involves updating the DNS record, so the client connections are redirected to the new primary only after the client DNS cache is refreshed. Because the secondary instance shares the DNS zone with the primary, the client application will be able to reconnect to it using the same server-side SAN certificate. The read-write listener and read-only listener cannot be reached via [public endpoint for managed instance](../managed-instance/public-endpoint-configure.md).

-### <a name="using-read-only-listener-to-connect-to-the-secondary-instance"></a> Use the read-only listener to connect to the geo-secondary managed instance

-If you have logically isolated read-only workloads that are tolerant to data latency, you can run them on the geo-secondary. To connect directly to the geo-secondary, use `<fog-name>.secondary.<zone_id>.database.windows.net` as the server name. The read-write listener and read-only listener cannot be reached via [public endpoint for managed instance](../managed-instance/public-endpoint-configure.md).

-> [!NOTE]

-> In the Business Critical tier, SQL Managed Instance supports the use of [read-only replicas](read-scale-out.md) to offload read-only query workloads, using the `ApplicationIntent=ReadOnly` parameter in the connection string. When you have configured a geo-replicated secondary, you can use this capability to connect to either a read-only replica in the primary location or in the geo-replicated location.

->

-> - To connect to a read-only replica in the primary location, use `ApplicationIntent=ReadOnly` and `<fog-name>.<zone_id>.database.windows.net`.

-> - To connect to a read-only replica in the secondary location, use `ApplicationIntent=ReadOnly` and `<fog-name>.secondary.<zone_id>.database.windows.net`.

-### Potential performance degradation after failover to the geo-secondary managed instance

-A typical Azure application uses multiple Azure services and consists of multiple components. The automatic geo-failover of the failover group is triggered based on the state the Azure SQL components alone. Other Azure services in the primary region may not be affected by the outage and their components may still be available in that region. Once the primary databases switch to the secondary region, the latency between the dependent components may increase. To avoid the impact of higher latency on the application's performance, ensure the redundancy of all the application's components in the secondary region and fail over application components together with the database. At configuration time, follow [network security guidelines](#failover-groups-and-network-security) to ensure connectivity to the database in the secondary region.

-### Potential data loss after failover to the geo-secondary managed instance

-If an outage occurs in the primary region, recent transactions may not be able to replicate to the geo-secondary. If the automatic failover policy is configured, a geo-failover is triggered if there is zero data loss, to the best of our knowledge. Otherwise, failover is deferred for the period you specify using `GracePeriodWithDataLossHours`. If you configured the automatic failover policy, be prepared for data loss. In general, during outages, Azure favors availability. Setting `GracePeriodWithDataLossHours` to a larger number, such as 24 hours, or disabling automatic geo-failover lets you reduce the likelihood of data loss at the expense of database availability.

-The DNS update of the read-write listener will happen immediately after the failover is initiated. This operation will not result in data loss. However, the process of switching database roles can take up to 5 minutes under normal conditions. Until it is completed, some databases in the new primary instance will still be read-only. If a failover is initiated using PowerShell, the operation to switch the primary replica role is synchronous. If it is initiated using the Azure portal, the UI will indicate completion status. If it is initiated using the REST API, use standard Azure Resource ManagerΓÇÖs polling mechanism to monitor for completion.

-> [!IMPORTANT]

-> Use manual planned failover to move the primary back to the original location once the outage that caused the geo-failover is mitigated.

-

-### Change the secondary region of the managed instance failover group

-Let's assume that instance A is the primary instance, instance B is the existing secondary instance, and instance C is the new secondary instance in the third region. To make the transition, follow these steps:

-1. Create instance C with same size as A and in the same DNS zone.

-2. Delete the failover group between instances A and B. At this point the logins will be failing because the SQL aliases for the failover group listeners have been deleted and the gateway will not recognize the failover group name. The secondary databases will be disconnected from the primaries and will become read-write databases.

-3. Create a failover group with the same name between instance A and C. Follow the instructions in [failover group with SQL Managed Instance tutorial](../managed-instance/failover-group-add-instance-tutorial.md). This is a size-of-data operation and will complete when all databases from instance A are seeded and synchronized.

-4. Delete instance B if not needed to avoid unnecessary charges.

-> [!NOTE]

-> After step 2 and until step 3 is completed the databases in instance A will remain unprotected from a catastrophic failure of instance A.

-### Change the primary region of the managed instance failover group

-Let's assume instance A is the primary instance, instance B is the existing secondary instance, and instance C is the new primary instance in the third region. To make the transition, follow these steps:

-1. Create instance C with same size as B and in the same DNS zone.

-2. Connect to instance B and manually failover to switch the primary instance to B. Instance A will become the new secondary instance automatically.

-3. Delete the failover group between instances A and B. At this point login attempts using failover group endpoints will be failing. The secondary databases on A will be disconnected from the primaries and will become read-write databases.

-4. Create a failover group with the same name between instance A and C. Follow the instructions in the [failover group with managed instance tutorial](../managed-instance/failover-group-add-instance-tutorial.md). This is a size-of-data operation and will complete when all databases from instance A are seeded and synchronized. At this point login attempts will stop failing.

-5. Delete instance A if not needed to avoid unnecessary charges.

-> [!CAUTION]

-> After step 3 and until step 4 is completed the databases in instance A will remain unprotected from a catastrophic failure of instance A.

-> [!IMPORTANT]

-> When the failover group is deleted, the DNS records for the listener endpoints are also deleted. At that point, there is a non-zero probability of somebody else creating a failover group with the same name. Because failover group names must be globally unique, this will prevent you from using the same name again. To minimize this risk, don't use generic failover group names.

-### Enable scenarios dependent on objects from the system databases

-System databases are **not** replicated to the secondary instance in a failover group. To enable scenarios that depend on objects from the system databases, make sure to create the same objects on the secondary instance and keep them synchronized with the primary instance.

-For example, if you plan to use the same logins on the secondary instance, make sure to create them with the identical SID.

-```SQL

-CREATE LOGIN foo WITH PASSWORD = '<enterStrongPasswordHere>', SID = <login_sid>;

-```

-### Synchronize instance properties and retention policies between primary and secondary instance

-Instances in a failover group remain separate Azure resources, and no changes made to the configuration of the primary instance will be automatically replicated to the secondary instance. Make sure to perform all relevant changes both on primary _and_ secondary instance. For example, if you change backup storage redundancy or long-term backup retention policy on primary instance, make sure to change it on secondary instance as well.

-## Failover groups and network security

-For some applications the security rules require that the network access to the data tier is restricted to a specific component or components such as a VM, web service, etc. This requirement presents some challenges for business continuity design and the use of failover groups. Consider the following options when implementing such restricted access.

-### <a name="using-failover-groups-and-virtual-network-rules"></a> Use failover groups and virtual network service endpoints

-If you are using [Virtual Network service endpoints and rules](vnet-service-endpoint-rule-overview.md) to restrict access to your database in SQL Database or SQL Managed Instance, be aware that each virtual network service endpoint applies to only one Azure region. The endpoint does not enable other regions to accept communication from the subnet. Therefore, only the client applications deployed in the same region can connect to the primary database. Since a geo-failover results in the SQL Database client sessions being rerouted to a server in a different (secondary) region, these sessions will fail if originated from a client outside of that region. For that reason, the automatic failover policy cannot be enabled if the participating servers or instances are included in the Virtual Network rules. To support manual failover, follow these steps:

-1. Provision the redundant copies of the front-end components of your application (web service, virtual machines etc.) in the secondary region.

-2. Configure the [virtual network rules](vnet-service-endpoint-rule-overview.md) individually for primary and secondary server.

-3. Enable the [front-end failover using a Traffic manager configuration](designing-cloud-solutions-for-disaster-recovery.md#scenario-1-using-two-azure-regions-for-business-continuity-with-minimal-downtime).

-4. Initiate manual geo-failover when the outage is detected. This option is optimized for the applications that require consistent latency between the front-end and the data tier and supports recovery when either front end, data tier or both are impacted by the outage.

-> [!NOTE]

-> If you are using the **read-only listener** to load-balance a read-only workload, make sure that this workload is executed in a VM or other resource in the secondary region so it can connect to the secondary database.

-### Use failover groups and firewall rules

-If your business continuity plan requires failover using groups with automatic failover, you can restrict access to your database in SQL Database by using public IP firewall rules. To support automatic failover, follow these steps:

-1. [Create a public IP](../../virtual-network/ip-services/virtual-network-public-ip-address.md#create-a-public-ip-address)

-2. [Create a public load balancer](../../load-balancer/quickstart-load-balancer-standard-public-portal.md) and assign the public IP to it.

-3. [Create a virtual network and the virtual machines](../../load-balancer/quickstart-load-balancer-standard-public-portal.md) for your front-end components.

-4. [Create network security group](../../virtual-network/network-security-groups-overview.md) and configure inbound connections.

-5. Ensure that the outbound connections are open to Azure SQL Database in a region by using an `Sql.<Region>` [service tag](../../virtual-network/network-security-groups-overview.md#service-tags).

-6. Create a [SQL Database firewall rule](firewall-configure.md) to allow inbound traffic from the public IP address you create in step 1.

-For more information on how to configure outbound access and what IP to use in the firewall rules, see [Load balancer outbound connections](../../load-balancer/load-balancer-outbound-connections.md).

-The above configuration will ensure that an automatic geo-failover will not block connections from the front-end components and assumes that the application can tolerate the longer latency between the front end and the data tier.

-> [!IMPORTANT]

-> To guarantee business continuity during regional outages you must ensure geographic redundancy for both front-end components and databases.

-## <a name="enabling-geo-replication-between-managed-instances-and-their-vnets"></a> Enabling geo-replication between managed instance virtual networks

-When you set up a failover group between primary and secondary SQL Managed Instances in two different regions, each instance is isolated using an independent virtual network. To allow replication traffic between these VNets ensure these prerequisites are met:

- > [!IMPORTANT]

- > [On 9/22/2020 support for global virtual network peering for newly created virtual clusters was announced](https://azure.microsoft.com/updates/global-virtual-network-peering-support-for-azure-sql-managed-instance-now-available/). It means that global virtual network peering is supported for SQL managed instances created in empty subnets after the announcement date, as well for all the subsequent managed instances created in those subnets. For all the other SQL managed instances peering support is limited to the networks in the same region due to the [constraints of global virtual network peering](../../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints). See also the relevant section of the [Azure Virtual Networks frequently asked questions](../../virtual-network/virtual-networks-faq.md#what-are-the-constraints-related-to-global-vnet-peering-and-load-balancers) article for more details. To be able to use global virtual network peering for SQL managed instances from virtual clusters created before the announcement date, consider configuring non-default [maintenance window](./maintenance-window.md) on the instances, as it will move the instances into new virtual clusters that support global virtual network peering.

- > [!IMPORTANT]

- > Misconfigured NSG security rules leads to stuck database seeding operations.

- > [!NOTE]

- > For a detailed tutorial on configuring failover groups with SQL Managed Instance, see [add a SQL Managed Instance to a failover group](../managed-instance/failover-group-add-instance-tutorial.md).

-## <a name="upgrading-or-downgrading-primary-database"></a> Scale primary database

-You can scale up or scale down the primary database to a different compute size (within the same service tier) without disconnecting any geo-secondaries. When scaling up, we recommend that you scale up the geo-secondary first, and then scale up the primary. When scaling down, reverse the order: scale down the primary first, and then scale down the secondary. When you scale a database to a different service tier, this recommendation is enforced.

-This sequence is recommended specifically to avoid the problem where the geo-secondary at a lower SKU gets overloaded and must be re-seeded during an upgrade or downgrade process. You could also avoid the problem by making the primary read-only, at the expense of impacting all read-write workloads against the primary.

-> [!NOTE]

-> If you created a geo-secondary as part of the failover group configuration it is not recommended to scale down the geo-secondary. This is to ensure your data tier has sufficient capacity to process your regular workload after a geo-failover.

-## <a name="preventing-the-loss-of-critical-data"></a> Prevent loss of critical data

-Due to the high latency of wide area networks, geo-replication uses an asynchronous replication mechanism. Asynchronous replication makes the possibility of data loss unavoidable if the primary fails. To protect critical transactions from data loss, an application developer can call the [sp_wait_for_database_copy_sync](/sql/relational-databases/system-stored-procedures/active-geo-replication-sp-wait-for-database-copy-sync) stored procedure immediately after committing the transaction. Calling `sp_wait_for_database_copy_sync` blocks the calling thread until the last committed transaction has been transmitted and hardened in the transaction log of the secondary database. However, it does not wait for the transmitted transactions to be replayed (redone) on the secondary. `sp_wait_for_database_copy_sync` is scoped to a specific geo-replication link. Any user with the connection rights to the primary database can call this procedure.

-> [!NOTE]

-> `sp_wait_for_database_copy_sync` prevents data loss after geo-failover for specific transactions, but does not guarantee full synchronization for read access. The delay caused by a `sp_wait_for_database_copy_sync` procedure call can be significant and depends on the size of the not yet transmitted transaction log on the primary at the time of the call.

-## Failover groups and point-in-time restore

-For information about using point-in-time restore with failover groups, see [Point in Time Recovery (PITR)](recovery-using-backups.md#point-in-time-restore).

-## Limitations of failover groups

-Be aware of the following limitations:

-## <a name="programmatically-managing-failover-groups"></a> Programmatically manage failover groups

-As discussed previously, auto-failover groups can also be managed programmatically using Azure PowerShell, Azure CLI, and REST API. The following tables describe the set of commands available. Active geo-replication includes a set of Azure Resource Manager APIs for management, including the [Azure SQL Database REST API](/rest/api/sql/) and [Azure PowerShell cmdlets](/powershell/azure/). These APIs require the use of resource groups and support Azure role-based access control (Azure RBAC). For more information on how to implement access roles, see [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).

-### <a name="manage-sql-database-failover"></a> Manage SQL Database geo-failover

-# [PowerShell](#tab/azure-powershell)

-| Cmdlet | Description |

-| | |

-| [New-AzSqlDatabaseFailoverGroup](/powershell/module/az.sql/new-azsqldatabasefailovergroup) |This command creates a failover group and registers it on both primary and secondary servers|

-| [Remove-AzSqlDatabaseFailoverGroup](/powershell/module/az.sql/remove-azsqldatabasefailovergroup) | Removes a failover group from the server |

-| [Get-AzSqlDatabaseFailoverGroup](/powershell/module/az.sql/get-azsqldatabasefailovergroup) | Retrieves a failover group's configuration |

-| [Set-AzSqlDatabaseFailoverGroup](/powershell/module/az.sql/set-azsqldatabasefailovergroup) |Modifies configuration of a failover group |

-| [Switch-AzSqlDatabaseFailoverGroup](/powershell/module/az.sql/switch-azsqldatabasefailovergroup) | Triggers failover of a failover group to the secondary server |

-| [Add-AzSqlDatabaseToFailoverGroup](/powershell/module/az.sql/add-azsqldatabasetofailovergroup)|Adds one or more databases to a failover group|

-# [Azure CLI](#tab/azure-cli)

-| Command | Description |

-| | |

-| [az sql failover-group create](/cli/azure/sql/failover-group#az-sql-failover-group-create) |This command creates a failover group and registers it on both primary and secondary servers|

-| [az sql failover-group delete](/cli/azure/sql/failover-group#az-sql-failover-group-delete) | Removes a failover group from the server |

-| [az sql failover-group show](/cli/azure/sql/failover-group#az-sql-failover-group-show) | Retrieves a failover group configuration |

-| [az sql failover-group update](/cli/azure/sql/failover-group#az-sql-failover-group-update) |Modifies a failover group's configuration and/or adds one or more databases to a failover group|

-| [az sql failover-group set-primary](/cli/azure/sql/failover-group#az-sql-failover-group-set-primary) | Triggers failover of a failover group to the secondary server |

-# [REST API](#tab/rest-api)

-| API | Description |

-| | |

-| [Create or Update Failover Group](/rest/api/sql/failovergroups/createorupdate) | Creates or updates a failover group |

-| [Delete Failover Group](/rest/api/sql/failovergroups/delete) | Removes a failover group from the server |

-| [Failover (Planned)](/rest/api/sql/failovergroups/failover) | Triggers failover from the current primary server to the secondary server with full data synchronization.|

-| [Force Failover Allow Data Loss](/rest/api/sql/failovergroups/forcefailoverallowdataloss) | Triggers failover from the current primary server to the secondary server without synchronizing data. This operation may result in data loss. |

-| [Get Failover Group](/rest/api/sql/failovergroups/get) | Retrieves a failover group's configuration. |

-| [List Failover Groups By Server](/rest/api/sql/failovergroups/listbyserver) | Lists the failover groups on a server. |

-| [Update Failover Group](/rest/api/sql/failovergroups/update) | Updates a failover group's configuration. |

-### <a name="manage-sql-managed-instance-failover"></a> Manage SQL Managed Instance geo-failover

-# [PowerShell](#tab/azure-powershell)

-| Cmdlet | Description |

-| | |

-| [New-AzSqlDatabaseInstanceFailoverGroup](/powershell/module/az.sql/new-azsqldatabaseinstancefailovergroup) |This command creates a failover group and registers it on both primary and secondary instances|

-| [Set-AzSqlDatabaseInstanceFailoverGroup](/powershell/module/az.sql/set-azsqldatabaseinstancefailovergroup) |Modifies configuration of a failover group|

-| [Get-AzSqlDatabaseInstanceFailoverGroup](/powershell/module/az.sql/get-azsqldatabaseinstancefailovergroup) |Retrieves a failover group's configuration|

-| [Switch-AzSqlDatabaseInstanceFailoverGroup](/powershell/module/az.sql/switch-azsqldatabaseinstancefailovergroup) |Triggers failover of a failover group to the secondary instance|

-| [Remove-AzSqlDatabaseInstanceFailoverGroup](/powershell/module/az.sql/remove-azsqldatabaseinstancefailovergroup) | Removes a failover group|

-# [Azure CLI](#tab/azure-cli)

-| Command | Description |

-| | |

-| [az sql failover-group create](/cli/azure/sql/failover-group#az-sql-failover-group-create) |This command creates a failover group and registers it on both primary and secondary servers|

-| [az sql failover-group delete](/cli/azure/sql/failover-group#az-sql-failover-group-delete) | Removes a failover group from the server |

-| [az sql failover-group show](/cli/azure/sql/failover-group#az-sql-failover-group-show) | Retrieves a failover group configuration |

-| [az sql failover-group update](/cli/azure/sql/failover-group#az-sql-failover-group-update) |Modifies a failover group's configuration and/or adds one or more databases to a failover group|

-| [az sql failover-group set-primary](/cli/azure/sql/failover-group#az-sql-failover-group-set-primary) | Triggers failover of a failover group to the secondary server |

-# [REST API](#tab/rest-api)

-| API | Description |

-| | |

-| [Create or Update Failover Group](/rest/api/sql/instancefailovergroups/createorupdate) | Creates or updates a failover group's configuration |

-| [Delete Failover Group](/rest/api/sql/instancefailovergroups/delete) | Removes a failover group from the instance |

-| [Failover (Planned)](/rest/api/sql/instancefailovergroups/failover) | Triggers failover from the current primary instance to this instance with full data synchronization. |

-| [Force Failover Allow Data Loss](/rest/api/sql/instancefailovergroups/forcefailoverallowdataloss) | Triggers failover from the current primary instance to the secondary instance without synchronizing data. This operation may result in data loss. |

-| [Get Failover Group](/rest/api/sql/instancefailovergroups/get) | retrieves a failover group's configuration. |

-| [List Failover Groups - List By Location](/rest/api/sql/instancefailovergroups/listbylocation) | Lists the failover groups in a location. |

-## Next steps

- - [Add SQL Database to a failover group](failover-group-add-single-database-tutorial.md)

- - [Add an elastic pool to a failover group](failover-group-add-elastic-pool-tutorial.md)

- - [Add a SQL Managed Instance to a failover group](../managed-instance/failover-group-add-instance-tutorial.md)

- - [Use PowerShell to configure active geo-replication for Azure SQL Database](scripts/setup-geodr-and-failover-database-powershell.md)

- - [Use PowerShell to configure active geo-replication for a pooled database in Azure SQL Database](scripts/setup-geodr-and-failover-elastic-pool-powershell.md)

- - [Use PowerShell to add an Azure SQL Database to a failover group](scripts/add-database-to-failover-group-powershell.md)

-Configure a failover group for an Azure SQL Database elastic pool and test failover using the Azure portal. In this tutorial, you'll learn how to:

-> - Create a [failover group](auto-failover-group-overview.md) for two elastic pools between two servers.

-description: Add a database in Azure SQL Database to an autofailover group using the Azure portal, PowerShell, or the Azure CLI.

-# Tutorial: Add an Azure SQL Database to an autofailover group

-A [failover group](auto-failover-group-overview.md) is a declarative abstraction layer that allows you to group multiple geo-replicated databases. Learn to configure a failover group for an Azure SQL Database and test failover using either the Azure portal, PowerShell, or the Azure CLI. In this tutorial, you'll learn how to:

-|Managed Instance|[Invoke-AzSqlInstanceFailover](/powershell/module/az.sql/Invoke-AzSqlInstanceFailover/)|[Managed Instances - Failover](/rest/api/sql/managed%20instances%20-%20failover/failover)|[az sql mi failover](/cli/azure/sql/mi/#az-sql-mi-failover)|

- Replication of all added databases will be initiated automatically. For more information, see [Best practices for using failover groups with single databases](auto-failover-group-overview.md#best-practices-for-sql-database).

- Replication of the added databases will be initiated automatically. For more information, see [Best practices for failover groups with elastic pools](auto-failover-group-overview.md#best-practices-for-sql-database).

-Clients connect to SQL Managed Instance by using a host name that has the form `<mi_name>.<dns_zone>.database.windows.net`. This host name resolves to a private IP address, although it's registered in a public Domain Name System (DNS) zone and is publicly resolvable. The `zone-id` is automatically generated when you create the cluster. If a newly created cluster hosts a secondary managed instance, it shares its zone ID with the primary cluster. For more information, see [Use auto failover groups to enable transparent and coordinated failover of multiple databases](../database/auto-failover-group-overview.md#enabling-geo-replication-between-managed-instances-and-their-vnets).

-Azure SQL Managed Instance enables you to execute T-SQL queries that read data from files stored in Azure Data Lake Storage Gen2 or Azure Blob Storage, and to combine it in queries with locally stored relational data via joins. This way you can transparently access external data still allowing it to stay in its original format and location using the concept of data virtualization.

-There are two ways of querying external files, intended for different scenarios:

-File formats directly supported are parquet and delimited text (CSV). JSON file format is supported indirectly by specifying CSV file format and queries returning every document as a separate row. Rows can be further parsed using JSON_VALUE and OPENJSON.

-Location of the file(s) to be queried needs to be provided in a specific format, with location prefix corresponding to the type of the external source and endpoint/protocol used:

-> Usage of the generic https:// prefix is discouraged and will be disabled in the future. Make sure you use endpoint-specific prefixes to avoid interruptions.

-The feature needs to be explicitly enabled before using it. Run the following commands to enable the data virtualization capabilities:

-```sql

-exec sp_configure 'polybase_enabled', 1;

-go

-reconfigure;

-go

-```

-If you're new to the data virtualization and want to quickly test functionality, start from querying publicly available data sets available in [Azure Open Datasets](https://docs.microsoft.com/azure/open-datasets/dataset-catalog), like the [Bing COVID-19 dataset](https://docs.microsoft.com/azure/open-datasets/dataset-bing-covid-19?tabs=azure-storage) allowing anonymous access:

-Once you have first queries executing successfully, you may want to switch to private data sets that require configuring specific access rights or firewall rules.

-To access a private location, you need to authenticate to the storage account using Shared Access Signature (SAS) key with proper access permissions and validity period. The SAS key isn't provided directly in each query. It's used for creation of a database-scoped credential, which is in turn provided as a parameter of an External Data Source.

-All the concepts outlined so far are described in detail in the following sections.

-External Data Source is an abstraction intended for easier management of file locations across multiple queries and for referencing authentication parameters encapsulated in database-scoped credential.

-Public locations are described in an external data source by providing the file location path:

-Private locations beside path require also reference to a credential to be provided:

-[OPENROWSET](https://docs.microsoft.com/sql/t-sql/functions/openrowset-transact-sql) syntax enables instant and ad-hoc querying with minimal required database objects created. DATA_SOURCE parameter value is automatically prepended to the BULK parameter to form full path to the file. Format of the file also needs to be provided:

-While in the previous example OPENROWSET command queried a single file, it can also query multiple files or folders by using wildcards in the BULK path.

-Here's an example using [NYC yellow taxi trip records open data set](https://docs.microsoft.com/azure/open-datasets/dataset-taxi-yellow):

-When you're querying multiple files or folders, all files accessed with the single OPENROWSET must have the same structure, that is, number of columns and their data types. Folders can't be traversed recursively.

-The automatic schema inference helps you quickly write queries and explore data without knowing file schemas, as seen in previous sample scripts.

-The cost of the convenience is that inferred data types may be larger than the actual data types, affecting the performance of queries. This happens when there's no enough information in the source files to make sure the appropriate data type is used. For example, parquet files don't contain metadata about maximum character column length, so instance infers it as varchar(8000).

-> [!NOTE]

-> Schema inference works only with files in the parquet format.

-You can use sp_describe_first_results_set stored procedure to check the resulting data types of your query:

-Once you know the data types, you can specify them using WITH clause to improve the performance:

-For CSV files the schema canΓÇÖt be automatically determined, and you need to explicitly specify columns using WITH clause:

-When querying multiple files or folders, you can use Filepath and Filename functions to read file metadata and get part of the path or full path and name of the file that the row in the result set originates from:

-When called without a parameter, filepath function returns the file path that the row originates from. When DATA_SOURCE is used in OPENROWSET, it returns path relative to DATA_SOURCE, otherwise it returns full file path.

-Filepath function can also be used for filtering and aggregating rows:

-You can create and use views to wrap OPENROWSET for easy reusing of underlying query:

-ItΓÇÖs also convenient to add columns with file location data to a view, using filepath function for easier and more performant filtering. It can reduce the number of files and the amount of data the query on top of the view needs to read and process when filtered by any of those columns:

-Views also enable reporting and analytic tools like Power BI to consume results of OPENROWSET.

-External tables encapsulate access to the files making the querying experience almost identical to querying local relational data stored in user tables. Creation of an external table requires external data source and external file format objects to exist:

-Once external table is created, you can query it just like any other table:

-Just like OPENROWSET, external tables allow querying multiple files and folders by using wildcards. Schema inference and filepath/filename functions aren't supported with external tables.

-There's no hard limit in terms of number of files or amount of data that can be queried, but query performance will depend on the amount of data, data format, and complexity of queries and joins.

-Collecting statistics on your external data is one of the most important things you can do for query optimization. The more instance knows about your data, the faster it can execute queries.

-Single-column statistics for OPENROWSET path can be created using sp_create_openrowset_statistics

-stored procedure, by passing the select query with a single column as a parameter:

-By default instance uses 100% of the data provided in the dataset for creating statistics. You can optionally specify sample size as a percentage using TABLESAMPLE options. To create single-column statistics for multiple columns, you should execute stored procedure for each of the columns. You canΓÇÖt create multi-column statistics for OPENROWSET path.

-To update existing statistics, drop them first using sp_drop_openrowset_statistics stored procedure, and then recreate them:

-Syntax for creating stats on external tables resembles the one used for ordinary user tables. To create statistics on a column, provide a name for the statistics object and the name of the column:

-Provided WITH options are mandatory, and for the sample size allowed options are FULLSCAN and SAMPLE n percent.

-To create single-column statistics for multiple columns, execute stored procedure for each of the columns. You canΓÇÖt create multi-column statistics.

-|[Endpoint policies](../../azure-sql/managed-instance/service-endpoint-policies-configure.md) | Configure which Azure Storage accounts can be accessed from a SQL Managed Instance subnet. Grants an extra layer of protection against inadvertent or malicious data exfiltration.

-| [Query Store hints](/sql/relational-databases/performance/query-store-hints?view=azuresqldb-mi-current&preserve-view=true) | Use query hints to optimize your query execution via the OPTION clause. |

-### November 2021

-| | |

-### October 2021

-| Changes | Details |

-| | |

-| | |

-### June 2021

-| Changes | Details |

-| | |

-| | |

-### April 2021

-| Changes | Details |

-| | |

-| | |

-### March 2021

-| Changes | Details |

-| | |

-|||

-| **Global VNet peering support** | Global virtual network peering support has been added to SQL Managed Instance, improving the geo-replication experience. See [geo-replication between managed instances](../database/auto-failover-group-overview.md?tabs=azure-powershell#enabling-geo-replication-between-managed-instances-and-their-vnets). |

-Add managed instances of Azure SQL Managed Instance to a failover group. In this article, you will learn how to:

-> - Create a secondary managed instance as part of a [failover group](../database/auto-failover-group-overview.md).

-In a [failover group](failover-group-add-instance-tutorial.md), system databases are not replicated to the secondary instance (see [Limitations of failover groups](../database/auto-failover-group-overview.md#limitations-of-failover-groups) for more information).

-If the Managed Instance you're using is part of a failover group, do the following:

-| Data/Log IOPS (approximate) | Up to 30-40 K IOPS per instance*, 500 - 7500 per file<br/>\*[Increase file size to get more IOPS](#file-io-characteristics-in-general-purpose-tier)| 16 K - 320 K (4000 IOPS/vCore)<br/>Add more vCores to get better IO performance. |

-| Max concurrent workers | 105 * number of vCores + 800 | 105 * vCore count + 800 |

- You can create another readable replica in a different Azure region using [auto-failover groups](../database/auto-failover-group-configure.md)

-## SQL Assessment (Preview)

-Use the **SQL Assessment** page of the SQL virtual machines resource to assess the health of your SQL Server VM. Once the feature is enabled, your SQL Server instances and databases are scanned and recommendations are surfaced to improve performance (indexes, statistics, trace flags, and so on) and identify missing best practices configurations. SQL Assessment is currently in preview.

-To learn more, see [SQL Assessment for SQL Server on Azure VMs](sql-assessment-for-sql-vm.md).

-To learn more, see the other articles in this series:

-For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).

-To learn more, see the other articles in this series:

-To learn more about performance best practices, see the other articles in this series:

-To learn more, see the other articles in this series:

-In addition to the practices described in this topic, we recommend that you review and implement the security best practices from both traditional on-premises security practices, as well as virtual machine security best practices.

-[Microsoft Defender for SQL](../../../security-center/defender-for-sql-introduction.md) enables Microsoft Defender for Cloud security features such as vulnerability assessments and security alerts. See [enable Microsoft Defender for SQL](../../../security-center/defender-for-sql-usage.md) to learn more.

-Additionally, after you've enabled [Microsoft Defender for SQL](../../../security-center/defender-for-sql-usage.md) you can view Defender for Cloud features directly within the [SQL virtual machines resource](manage-sql-vm-portal.md) in the Azure portal, such as vulnerability assessments and security alerts.

-## Azure Key Vault integration

-There are multiple SQL Server encryption features, such as transparent data encryption (TDE), column level encryption (CLE), and backup encryption. These forms of encryption require you to manage and store the cryptographic keys you use for encryption. The Azure Key Vault service is designed to improve the security and management of these keys in a secure and highly available location. The SQL Server Connector enables SQL Server to use these keys from Azure Key Vault.

-For comprehensive details, see the other articles in this series: [Checklist](performance-guidelines-best-practices-checklist.md), [VM size](performance-guidelines-best-practices-vm-size.md), [Storage](performance-guidelines-best-practices-storage.md), [HADR configuration](hadr-cluster-best-practices.md), [Collect baseline](performance-guidelines-best-practices-collect-baseline.md).

-See [Azure Key Vault integration](azure-key-vault-integration-configure.md) to learn more.

-## Access control

-When you create your SQL Server virtual machine, consider how to carefully control who has access to the machine and to SQL Server. In general, you should do the following:

-The following sections provide suggestions on thinking through these points.

-## Secure connections

-When you create a SQL Server virtual machine with a gallery image, the **SQL Server Connectivity** option gives you the choice of **Local (inside VM)**, **Private (within Virtual Network)**, or **Public (Internet)**.

-Finally, consider enabling encrypted connections for the instance of the SQL Server Database Engine in your Azure virtual machine. Configure SQL server instance with a signed certificate. For more information, see [Enable Encrypted Connections to the Database Engine](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) and [Connection String Syntax](/dotnet/framework/data/adonet/connection-string-syntax).

-## Encryption

-Managed disks offer Server-Side Encryption, and Azure Disk Encryption. [Server-Side Encryption](../../../virtual-machines/disk-encryption.md) provides encryption-at-rest and safeguards your data to meet your organizational security and compliance commitments. [Azure Disk Encryption](../../../security/fundamentals/azure-disk-encryption-vms-vmss.md) uses either BitLocker or DM-Crypt technology, and integrates with Azure Key Vault to encrypt both the OS and data disks.

-## Non-default port

-By default, SQL Server listens on a well-known port, 1433. For increased security, configure SQL Server to listen on a non-default port, such as 1401. If you provision a SQL Server gallery image in the Azure portal, you can specify this port in the **SQL Server settings** blade.

-To configure this after provisioning, you have two options:

- 

-> [!IMPORTANT]

-> Specifying a non-default port is a good idea if your SQL Server port is open to public internet connections.

-When SQL Server is listening on a non-default port, you must specify the port when you connect. For example, consider a scenario where the server IP address is 13.55.255.255 and SQL Server is listening on port 1401. To connect to SQL Server, you would specify `13.55.255.255,1401` in the connection string.

-If you are also interested in best practices around performance, see [Performance Best Practices for SQL Server on Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md).

-To learn more, see the other articles in this series:

-<iframe src="https://aka.ms/docs/player?id=13b2bf63-485c-4ec2-ab14-a1217734ad9f" width="640" height="370" style="border: 0; max-width: 100%; min-width: 100%;"></iframe>

-| **SQL Assessment (Preview)** | Enables you to assess the health of your SQL Server VMs using configuration best practices. For more information, see [SQL Assessment](sql-assessment-for-sql-vm.md). <br/> Management mode: Full|

->Make sure ports UDP 500/4500 are open between your on-premises VMware HCX Connector 'uplink' network profile addresses and the Azure VMware Solution HCX Cloud 'uplink' network profile addresses.

- :::image type="content" source="./media/backup-azure-vms-enhanced-policy/select-enhanced-backup-policy-sub-type.png" alt-text="Screenshot showing to select backup policies sub-type as enhanced.":::

- By default, enhanced backup schedule is set to **Hourly**, with **8 AM** as start time, **Every 4 hours** as schedule, and **24 Hours** as duration. You can choose to modify the settings as needed.

-Multiple Backups Per Day | Supported, using _Enhanced policy_ (in preview). To enroll your subscription for this feature, write to us at [askazurebackupteam@microsoft.com](mailto:askazurebackupteam@microsoft.com). <br><br> Learn about how to [back up an Azure VM using Enhanced policy](backup-azure-vms-enhanced-policy.md).

-<a name="tvm-backup">Trusted Launch VM</a> | Backup supported (in preview) <br><br> Backup of Trusted Launch VM is supported through [Enhanced policy](backup-azure-vms-enhanced-policy.md). You can enable backup through [Recovery Services vault](./backup-azure-arm-vms-prepare.md), [VM Manage blade](./backup-during-vm-creation.md#start-a-backup-after-creating-the-vm), and [Create VM blade](backup-during-vm-creation.md#create-a-vm-with-backup-configured). <br><br> **Feature details** <br> <ul><li> Migration of an existing [Generation 2](../virtual-machines/generation-2.md) VM (protected with Azure Backup) to Trusted Launch VM is currently not supported. Learn about how to [create a Trusted Launch VM](../virtual-machines/trusted-launch-portal.md?tabs=portal#deploy-a-trusted-vm). </li><li> Configurations of Backup, Alerts, and Monitoring for Trusted Launch VM are currently not supported through Backup center. </li><li> Currently, you can restore as [Create VM](./backup-azure-arm-restore-vms.md#create-a-vm), or [Restore disk](./backup-azure-arm-restore-vms.md#restore-disks) only. </li><li> Backup is supported in all regions where Trusted Launch VM is available. </li></ul>

-Azure PowerShell is used to deploy the ARM template in this quickstart. The [Azure portal](../azure-resource-manager/templates/deploy-portal.md), [Azure CLI](../azure-resource-manager/templates/deploy-cli.md), and [Rest API](../azure-resource-manager/templates/deploy-rest.md) can also be used to deploy templates.

-* Learn how to [manage Azure file shares backup using Rest API](manage-azure-file-share-rest-api.md).

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine scale set that you want to connect to.

-2. Navigate to the virtual machine scale set instance that you want to connect to, then select **Connect**. When using an RDP connection, the virtual machine scale set should be a Windows virtual machine scale set.

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. In the Azure portal, navigate to your Bastion host.

-1. In the [Azure portal](https://portal.azure.com), navigate to your Azure Bastion resource and select **Diagnostics settings** from the Azure Bastion page.

-2. As you navigate to inside the container, you see various folders in your blob. These folders indicate the resource hierarchy for your Azure Bastion resource.

-1. To view metrics, navigate to your bastion host.

-1. In the portal, navigate to the VM to which you want to connect. The values from the virtual network in which this VM resides will be used to create the Bastion deployment.

-1. In the [Azure portal](https://portal.azure.com), navigate to your Azure Bastion resource and select **Sessions** from the Azure Bastion page.

-1. In the Azure portal, navigate to your Bastion host.

-| Microsoft.DocumentDb/databaseAccounts (CosmosDB, service-direct) | Microsoft-CosmosDB | Cosmos DB Operator |

-| Microsoft.Cache/Redis (service-direct) | Microsoft-AzureCacheForRedis | Redis Cache Contributor |

- - Get the template using [Portal](../azure-resource-manager/templates/export-template-portal.md), [PowerShell](../azure-resource-manager/management/manage-resource-groups-powershell.md#export-resource-groups-to-templates), [CLI](../azure-resource-manager/management/manage-resource-groups-cli.md#export-resource-groups-to-templates), and [Rest API](/rest/api/resources/resourcegroups/exporttemplate)

- - Get the .csdef file using [PowerShell](/powershell/module/az.cloudservice/?preserve-view=true&view=azps-5.4.0#cloudservice) or [Rest API](/rest/api/compute/cloudservices/rest-get-package).

- - Get the .cscfg file using [PowerShell](/powershell/module/az.cloudservice/?preserve-view=true&view=azps-5.4.0#cloudservice) or [Rest API](/rest/api/compute/cloudservices/rest-get-package).

-As a standard practice to manage your certificates, all the valid .pfx certificate files should be added to certificate store in Key Vault and update would work perfectly fine via any client - Portal, PowerShell or Rest API.

->[!NOTE]

->The February Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the February Guest OS. This list is subject to change.

->

-| Rel 22-02 | [5010351] | Latest Cumulative Update(LCU) | 6.41 | Feb 8, 2022 |

-| Rel 22-02 | [5006671] | IE Cumulative Updates | 2.120, 3.107, 4.100 | Oct 12, 2021 |

-| Rel 22-02 | [5010354] | Latest Cumulative Update(LCU) | 7.9 | Feb 8, 2022 |

-| Rel 22-02 | [5010359] | Latest Cumulative Update(LCU) | 5.65 | Feb 8, 2022 |

-| Rel 22-02 | [5008867] | .NET Framework 3.5 Security and Quality Rollup | 2.120 | Jan 11, 2022 |

-| Rel 22-02 | [5008860] | .NET Framework 4.5.2 Security and Quality Rollup | 2.120 | Jan 11, 2022 |

-| Rel 22-02 | [5008868] | .NET Framework 3.5 Security and Quality Rollup | 4.100 | Jan 11, 2022 |

-| Rel 22-02 | [5008870] | .NET Framework 4.5.2 Security and Quality Rollup | 4.100 | Jan 11, 2022 |

-| Rel 22-02 | [5008865] | .NET Framework 3.5 Security and Quality Rollup | 3.107 | Jan 11, 2022 |

-| Rel 22-02 | [5008869] | . NET Framework 4.5.2 Security and Quality Rollup | 3.107 | Jan 11, 2022 |

-| Rel 22-02 | [5008873] | . NET Framework 3.5 and 4.7.2 Cumulative Update | 6.41 | Jan 11, 2022 |

-| Rel 22-02 | [5008882] | .NET Framework 4.8 Security and Quality Rollup | 7.9 | Jan 11, 2022 |

-| Rel 22-02 | [5010404] | Monthly Rollup | 2.120 | Feb 8, 2022 |

-| Rel 22-02 | [5010392] | Monthly Rollup | 3.107 | Feb 8, 2022 |

-| Rel 22-02 | [5010419] | Monthly Rollup | 4.100 | Feb 8, 2022 |

-| Rel 22-02 | [5001401] | Servicing Stack update | 3.107 | Apr 13, 2021 |

-| Rel 22-02 | [5001403] | Servicing Stack update | 4.100 | Apr 13, 2021 |

-| Rel 22-02 | [4578013] | Standalone Security Update | 4.100 | Aug 19, 2020 |

-| Rel 22-02 | [5005698] | Servicing Stack update | 5.65 | Sep 14, 2021 |

-| Rel 22-02 | [5010451] | Servicing Stack update | 2.120 | Feb 8, 2022 |

-| Rel 22-02 | [4494175] | Microcode | 5.65 | Sep 1, 2020 |

-| Rel 22-02 | [4494174] | Microcode | 6.41 | Sep 1, 2020 |

-| WA-GUEST-OS-7.6_202112-01 | January 10, 2022 | Post 7.9 |

-| WA-GUEST-OS-6.38_202112-01 | January 10, 2022 | Post 6.41 |

-| WA-GUEST-OS-5.62_202112-01 | January 10, 2022 | Post 5.67 |

-| WA-GUEST-OS-4.97_202112-01 | January 10 , 2022 | Post 4.100 |

-| WA-GUEST-OS-3.104_202112-01 | January 10, 2022 | Post 3.107 |

-| WA-GUEST-OS-2.119_202201-02 | February 11, 2022 | Post 2.119 |

-| WA-GUEST-OS-2.117_202112-01 | January 10, 2022 | Post 2.120 |

- <ReservedIP name="<reserved-ip-name>"/>

-[Cloud Service (classic) Configuration Schema](schema-cscfg-file.md)

-If a model expires that is used by a [custom speech endpoint](how-to-custom-speech-train-model.md), then the service will automatically fall back to using the latest base model for the language you are using. To update a model you are using, you can select **Deployment** in the **Custom Speech** menu at the top of the page and then click on the endpoint name to see its details. At the top of the details page, you will see an **Update Model** button that lets you seamlessly update the model used by this endpoint without downtime. You can also make this change programmatically by using the [**Update Model**](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/UpdateModel) Rest API.

-| Assamese | `as` |Γ£ö|Γ£ö||||

-| Malayalam | `ml` |Γ£ö|Γ£ö||||

-| Odia | `or` |Γ£ö|Γ£ö||||

-| Tamil | `ta` |Γ£ö|Γ£ö|||Γ£ö|

-| Telugu | `te` |Γ£ö|Γ£ö||||

-Analysis is performed upon receipt of the request. For information on the size and number of requests you can send per minute and second, see the data limits below.

-Using entity linking synchronously is stateless. No data is stored in your account, and results are returned immediately in the response.

-## Data limits

-> [!NOTE]

-> * If you need to analyze larger documents than the limit allows, you can break the text into smaller chunks of text before sending them to the API.

-> * A document is a single string of text characters.

-| Limit | Value |

-|||

-| Maximum size of a single document | 5,120 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum number of characters per request (asynchronous) | 125K characters across all submitted documents, as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum size of entire request | 1 MB |

-| Max Documents Per Request | 5 |

-If a document exceeds the character limit, the API will behave differently depending on whether you're using it synchronously or asynchronously:

-* Asynchronous: The API will reject the entire request and return a `400 bad request` error if any document within it exceeds the maximum size.

-* Synchronous: The API won't process a document that exceeds the maximum size, and will return an invalid document error for it. If an API request has multiple documents, the API will continue processing them if they are within the character limit.

-### Rate limits

-Your rate limit will vary with your [pricing tier](https://aka.ms/unifiedLanguagePricing).

-| Tier | Requests per second | Requests per minute |

-||||

-| S / Multi-service | 1000 | 1000 |

-| S0 / F0 | 100 | 300 |

-Analysis is performed upon receipt of the request. For information on the size and number of requests you can send per minute and second, see the data limits below.

-Using the key phrase extraction feature synchronously is stateless. No data is stored in your account, and results are returned immediately in the response.

-## Data limits

-> [!NOTE]

-> * If you need to analyze larger documents than the limit allows, you can break the text into smaller chunks of text before sending them to the API.

-> * A document is a single string of text characters.

-| Limit | Value |

-|||

-| Maximum size of a single document (synchronous) | 5,120 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum number of characters per request (asynchronous) | 125K characters across all submitted documents, as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum size of entire request | 1 MB. |

-| Max Documents Per Request | 10 |

-If a document exceeds the character limit, the API will behave differently depending on the endpoint you're using:

-* Asynchronous: The API will reject the entire request and return a `400 bad request` error if any document within it exceeds the maximum size.

-* Synchronous: The API won't process a document that exceeds the maximum size, and will return an invalid document error for it. If an API request has multiple documents, the API will continue processing them if they are within the character limit.

-### Rate limits

-Your rate limit will vary with your [pricing tier](https://aka.ms/unifiedLanguagePricing).

-| Tier | Requests per second | Requests per minute |

-||||

-| S / Multi-service | 1000 | 1000 |

-| S0 / F0 | 100 | 300 |

-> * The free account is limited to 5,000 text records per month and only the **Free** and **Standard** [pricing tiers](https://azure.microsoft.com/pricing/details/cognitive-services/text-analytics) are valid for containers. For more information on transaction request rates, see [Data Limits](call-api.md#data-limits).

-Analysis is performed upon receipt of the request. For information on the size and number of requests you can send per minute and second, see the data limits below.

-Using the language detection feature synchronously is stateless. No data is stored in your account, and results are returned immediately in the response.

-## Data limits

-> [!NOTE]

-> * If you need to analyze larger documents than the limit allows, you can break the text into smaller chunks of text before sending them to the API.

-> * A document is a single string of text characters.

-| Limit | Value |

-|||

-| Maximum size of a single document (synchronous) | 5,120 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum number of characters per request (asynchronous) | 125K characters across all submitted documents, as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum size of entire request | 1 MB. |

-| Max Documents Per Request | 1000 |

-If a document exceeds the character limit, the API will behave differently depending on the endpoint you're using:

-* Asynchronous: The API will reject the entire request and return a `400 bad request` error if any document within it exceeds the maximum size.

-* Synchronous: The API won't process a document that exceeds the maximum size, and will return an invalid document error for it. If an API request has multiple documents, the API will continue processing them if they are within the character limit.

-### Rate limits

-Your rate limit will vary with your [pricing tier](https://aka.ms/unifiedLanguagePricing).

-| Tier | Requests per second | Requests per minute |

-||||

-| S / Multi-service | 1000 | 1000 |

-| S0 / F0 | 100 | 300 |

-Analysis is performed upon receipt of the request. For information on the size and number of requests you can send per minute and second, see the data limits section below.

-Using the NER feature synchronously is stateless. No data is stored in your account, and results are returned immediately in the response.

-## Data limits

-> [!NOTE]

-> * If you need to analyze larger documents than the limit allows, you can break the text into smaller chunks of text before sending them to the API.

-> * A document is a single string of text characters.

-| Limit | Value |

-|||

-| Maximum size of a single document (synchronous) | 5,120 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum number of characters per request (asynchronous) | 125K characters across all submitted documents, as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum size of entire request | 1 MB. |

-| Max documents per request | 5 |

-If a document exceeds the character limit, the API will behave differently depending on the feature you're using:

-* Asynchronous:

- * The API will reject the entire request and return a `400 bad request` error if any document within it exceeds the maximum size.

-* Synchronous:

- * The API won't process a document that exceeds the maximum size, and will return an invalid document error for it. If an API request has multiple documents, the API will continue processing them if they are within the character limit.

-Exceeding the maximum number of documents you can send in a single request will generate an HTTP 400 error code.

-### Rate limits

-Your rate limit will vary with your [pricing tier](https://aka.ms/unifiedLanguagePricing).

-| Tier | Requests per second | Requests per minute |

-||||

-| S / Multi-service | 1000 | 1000 |

-| S0 / F0 | 100 | 300 |

-Analysis is performed upon receipt of the request. For information on the size and number of requests you can send per minute and second, see the data limits section below.

-Using the PII detection feature synchronously is stateless. No data is stored in your account, and results are returned immediately in the response.

-## Data limits

-> [!NOTE]

-> * If you need to analyze larger documents than the limit allows, you can break the text into smaller chunks of text before sending them to the API.

-> * A document is a single string of text characters.

-| Limit | Value |

-|||

-| Maximum size of a single document (synchronous) | 5,120 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum number of characters per request (asynchronous) | 125K characters across all submitted documents, as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum size of entire request | 1 MB. |

-| Max documents per request | 5 |

-If a document exceeds the character limit, the API will behave differently depending on the feature you're using:

-* Asynchronous:

- * The API will reject the entire request and return a `400 bad request` error if any document within it exceeds the maximum size.

-* Synchronous:

- * The API won't process a document that exceeds the maximum size, and will return an invalid document error for it. If an API request has multiple documents, the API will continue processing them if they are within the character limit.

-Exceeding the maximum number of documents you can send in a single request will generate an HTTP 400 error code.

-### Rate limits

-Your rate limit will vary with your [pricing tier](https://aka.ms/unifiedLanguagePricing).

-| Tier | Requests per second | Requests per minute |

-||||

-| S / Multi-service | 1000 | 1000 |

-| S0 / F0 | 100 | 300 |

-Analysis is performed upon receipt of the request. For information on the size and number of requests you can send per minute and second, see the data limits section below.

-Using the sentiment analysis and opinion mining features synchronously is stateless. No data is stored in your account, and results are returned immediately in the response.

-## Data limits

-> [!NOTE]

-> * If you need to analyze larger documents than the limit allows, you can break the text into smaller chunks of text before sending them to the API.

-> * A document is a single string of text characters.

-| Limit | Value |

-|||

-| Maximum size of a single document (synchronous) | 5,120 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum number of characters per request (asynchronous) | 125K characters across all submitted documents, as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum size of entire request | 1 MB. |

-| Max documents per request | 10 |

-If a document exceeds the character limit, the API will behave differently depending on the feature you're using:

-* Asynchronous:

- * The API will reject the entire request and return a `400 bad request` error if any document within it exceeds the maximum size.

-* Synchronous:

- * The API won't process a document that exceeds the maximum size, and will return an invalid document error for it. If an API request has multiple documents, the API will continue processing them if they are within the character limit.

-Exceeding the maximum number of documents you can send in a single request will generate an HTTP 400 error code.

-### Rate limits

-Your rate limit will vary with your [pricing tier](https://aka.ms/unifiedLanguagePricing).

-| Tier | Requests per second | Requests per minute |

-||||

-| S / Multi-service | 1000 | 1000 |

-| S0 / F0 | 100 | 300 |

-Analysis is performed upon receipt of the request. For information on the size and number of requests you can send per minute and second, see the data limits below.

-If you send a request using the REST API or client library, the results will be returned asynchronously. If you're using the Docker container, they will be returned synchronously.

-## Data limits

-> [!NOTE]

-> * If you need to analyze larger documents than the limit allows, you can break the text into smaller chunks of text before sending them to the API. For best results, split text between sentences.

-> * A document is a single string of text characters.

-| Limit | Value |

-|||

-| Maximum size of a single document | 30,720 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). |

-| Maximum size of entire request | 1 MB |

-| Max Documents Per Request | 10 for the web-based API, 1000 for the container. |

-If a document exceeds the character limit, the API won't process a document that exceeds the maximum size, and will return an invalid document error for it. If an API request has multiple documents, the API will continue processing them if they are within the character limit.

-When you send a document larger than 5,120 characters, it will be split by Text Analytics for health into chunks of 5,120 characters. If two entities are present on either side of a split that are related, the model will not be able to detect the relation. To prevent potential relations from being undetected, consider splitting your text into documents of 5,120 characters or less, consisting only of full sentences.

-### Rate limits

-Your rate limit will vary with your [pricing tier](https://aka.ms/unifiedLanguagePricing). These limits are the same for both versions of the API. These rate limits don't apply to the Text Analytics for health container, which does not have a set rate limit.

-| Tier | Requests per second | Requests per minute |

-||||

-| S / Multi-service | 1000 | 1000 |

-| F0 | 100 | 300 |

-* Text Analytics for health takes raw unstructured text for analysis. See the [data and service limits](how-to/call-api.md#data-limits) in the how-to guide for more information.